Guia Switch v2

CCNP Guía SWITCH v2.0

Topology
DTP
Creating and Managing VLANs
Assigning VLANs to Trunks
VTP I
VTP II: Problem with the Configuration Revision number in VTP
Private VLANs on a single switch
Private VLANs: connectivity tests
Port Protected
EtherChannel I: PAgP (Port Aggregation Protocol)
EtherChannel II: without negotiation
EtherChannel III: Desirable mode
EtherChannel III: Link Aggregation Control Protocol (LACP)
EtherChannel IV: Load-Shared
EtherChannel V: LACP priority
EtherChannel Layer 3
STP: default behavior
STP: configuration
STP BPDU Guard
FLEX Link
MSTP: Multiple Spanning Tree (MST, 802.1s)
InterVLAN Routing using an L3 switch
InterVLAN Routing between L2/L3 switches
IP DHCP
InterVLAN Routing with HSRP on L3 switches
HSRP using routers
HSRP load balancing
VRRP using routers
VLAN ACLs vs. security in Telnet sessions
SSH
SPAN
Remote SPAN (RSPAN)
Syslog
Port-Security using macros
Blocking UNICAST/MULTICAST
MAC filter
DHCP Snooping

@ 2013


Topology


DTP

DTP allows a trunk to be negotiated. The possible outcomes, depending on the port mode configured at each end, are:

                   Dynamic Auto  Dynamic Desirable  Trunk                 Access
Dynamic Auto       Access        Trunk              Trunk                 Access
Dynamic Desirable  Trunk         Trunk              Trunk                 Access
Trunk              Trunk         Trunk              Trunk                 Limited connectivity
Access             Access        Access             Limited connectivity  Access

Recall that the possible port modes are:

Access: User port associated with one VLAN.
Trunk: Puts the port into permanent trunking and negotiates the state of the trunk.
Non-Negotiate: Disables DTP.
Dynamic-Desirable: The port actively tries to turn the link into a trunk with the other end. As the table above shows, a trunk forms if the other end of the link is dynamic-auto, dynamic-desirable or trunk.
Dynamic Auto (default mode): Passive mode; the port forms a trunk only if the other end of the link is dynamic-desirable or trunk.
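The table and mode descriptions above reduce to two rules, which can also be used to audit which ports still let DTP decide their role. The following Python code is an added example, not part of the original guide; the function names are illustrative and the sample "show interfaces switchport" text is constructed from the fields that command prints.

```python
# Added example (not from the original guide): DTP outcome rules plus a port audit.

ACTIVE = {"trunk", "dynamic desirable"}    # ends that actively ask for a trunk
WILLING = ACTIVE | {"dynamic auto"}        # ends that will trunk when asked
KNOWN = WILLING | {"access"}


def dtp_outcome(local, remote):
    """Operational result of a link, derived from both administrative modes."""
    modes = {local, remote}
    if modes - KNOWN:
        raise ValueError(f"unknown mode(s): {sorted(modes - KNOWN)}")
    if "access" in modes:
        # An access end never trunks; against a permanent trunk the ends disagree.
        return "limited connectivity" if "trunk" in modes else "access"
    # Both ends are willing: a trunk forms only if at least one of them asks.
    return "trunk" if modes & ACTIVE else "access"


def parse_switchport(text):
    """Split 'show interfaces switchport' output into {port: {field: value}}."""
    ports, current = {}, None
    for line in text.splitlines():
        field, sep, value = line.partition(":")
        if not sep:
            continue                       # prompts and blank lines
        field, value = field.strip(), value.strip()
        if field == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[field] = value
    return ports


def audit_dtp(ports):
    """Return (port, reason) for every port on which DTP is still negotiating."""
    findings = []
    for name in sorted(ports):
        admin = ports[name].get("Administrative Mode", "")
        negotiating = ports[name].get("Negotiation of Trunking") == "On"
        if admin.startswith("dynamic"):
            findings.append((name, f"{admin}: the neighbour decides whether this port trunks"))
        elif admin == "trunk" and negotiating:
            findings.append((name, "permanent trunk without 'switchport nonegotiate'"))
    return findings


# Constructed sample output (not captured from a real switch).
SAMPLE = """\
DLS1#show interfaces switchport
Name: Fa0/6
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Negotiation of Trunking: On
Name: Fa0/7
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: On
Name: Fa0/8
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: Off
Name: Fa0/9
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Negotiation of Trunking: Off
"""

if __name__ == "__main__":
    print("trunk <-> dynamic auto:", dtp_outcome("trunk", "dynamic auto"))
    for port, reason in audit_dtp(parse_switchport(SAMPLE)):
        print(port, "-", reason)
```
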

Configure an ISL trunk between DLS1 and DLS2 that meets the following policies:
- DLS1 FastEthernet0/6 in permanent trunk mode, constantly attempting negotiation with FastEthernet0/6 of DLS2.
- DLS2 FastEthernet0/6 in dynamic auto mode.

In this scenario there is no need to configure interface f0/6 on DLS2, because dynamic auto is its default mode. Before configuring, we check the port mode on DLS1.

At the end of the lab, explain:
- Advantages of ISL.
- Structure of ISL (each of its fields and its purpose).

DLS1#sh interfaces fastEthernet 0/6 switchport
Name: Fa0/6
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

DLS1#show interfaces trunk
No trunk has formed.

DLS1
interface FastEthernet0/6
 switchport trunk encapsulation isl
 switchport mode trunk


DLS1#show interfaces fastEthernet 0/11 switchport
Name: Fa0/11
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: isl
Operational Trunking Encapsulation: isl

DLS2#show interfaces fastEthernet 0/6 switchport
Name: Fa0/6
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

DLS2#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/6       auto         n-isl          trunking      1

Port        Vlans allowed on trunk
Fa0/6       1-4094

Port        Vlans allowed and active in management domain
Fa0/6       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/6       1

n-isl = DTP in use.


Configure an ISL trunk between DLS1 and DLS2 that meets the following policies:
- DLS1 FastEthernet0/7 must actively negotiate trunk formation with the other end of the link.
- Port FastEthernet0/7 of DLS2 must be in passive mode, waiting to form the trunk.
Note: As in the previous case, verify the port mode.

At the end of the lab, state:
- Advantages and disadvantages of DTP. What does Cisco recommend regarding DTP?
- When using the command "sh interfaces fastEthernet 0/7 switchport", state the meaning of Administrative Trunking Encapsulation: negotiate

DLS1#sh interfaces fastEthernet 0/7 switchport
Name: Fa0/7
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

DLS1
interface FastEthernet0/7
 switchport mode dynamic desirable

DLS1#show interfaces fastEthernet 0/7 switchport
Name: Fa0/7
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)

DLS1#sh interfaces fastEthernet 0/7 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/7       desirable    n-isl          trunking      1

Port        Vlans allowed on trunk
Fa0/7       1-4094

Port        Vlans allowed and active in management domain
Fa0/7       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/7       none


DLS2#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/6       auto         n-isl          trunking      1
Fa0/7       auto         n-isl          trunking      1

Port        Vlans allowed on trunk
Fa0/6       1-4094
Fa0/7       1-4094

Port        Vlans allowed and active in management domain
Fa0/6       1
Fa0/7       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/6       1
Fa0/7       1

Configure ISL between DLS1 and DLS2. Disable DTP. On both switches, remove any existing configuration (interfaces fastEthernet 0/6 and fastEthernet 0/7).

At the end of the lab, state:
- Differences between the isl and n-isl encapsulations shown by the command "sh interfaces trunk"

DLS1
default interface range fastEthernet 0/6-7

DLS1#sh interfaces trunk
The existing trunk is lost after the interfaces are reset to their default values.
DLS1#

DLS1
interface FastEthernet0/6
 switchport trunk encapsulation isl
 switchport mode trunk
 switchport nonegotiate

interface FastEthernet0/7
 switchport trunk encapsulation isl
 switchport mode trunk
 switchport nonegotiate

DLS1#sh interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/6       on           isl            trunking      1
Fa0/7       on           isl            trunking      1

Port        Vlans allowed on trunk
Fa0/6       1-4094
Fa0/7       1-4094

Port        Vlans allowed and active in management domain
Fa0/6       1
Fa0/7       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/6       none
Fa0/7       none


DLS2#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/6       auto         n-isl          trunking      1
Fa0/7       auto         n-isl          trunking      1

Port        Vlans allowed on trunk
Fa0/6       1-4094
Fa0/7       1-4094

Port        Vlans allowed and active in management domain
Fa0/6       1
Fa0/7       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/6       1
Fa0/7       1

DLS2#show interfaces fastEthernet 0/6 switchport | include Mode|Ope
Administrative Mode: dynamic auto
Operational Mode: trunk
Operational Trunking Encapsulation: isl
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Operational private-vlan: none
Capture Mode Disabled

DLS2
interface FastEthernet0/6
 switchport trunk encapsulation isl
 switchport mode trunk
 switchport nonegotiate

interface FastEthernet0/7
 switchport trunk encapsulation isl
 switchport mode trunk
 switchport nonegotiate

DLS2#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/6       on           isl            trunking      1
Fa0/7       on           isl            trunking      1

Port        Vlans allowed on trunk
Fa0/6       1-4094
Fa0/7       1-4094

Port        Vlans allowed and active in management domain
Fa0/6       1
Fa0/7       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/6       none
Fa0/7       none


DLS2#show interfaces fastEthernet 0/6 switchport
Name: Fa0/6
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: isl
Operational Trunking Encapsulation: isl
Negotiation of Trunking: Off

Following the topology shown, configure 802.1q on the links DLS1-ALS1, DLS1-ALS2, DLS2-ALS1 and DLS2-ALS2. The access switches (ALS1 and ALS2) must form the trunk dynamically. The distribution switches must be in a permanent trunk state.

At the end of the lab, explain:
- Advantages of 802.1q.
- Structure of 802.1q (each of its fields and its purpose).

DLS1
default interface range fastEthernet 0/2-7

DLS2
default interface range fastEthernet 0/2-7

DLS1
interface range fastEthernet 0/2-5
 switchport trunk encapsulation dot1q
 switchport mode trunk


DLS1#sh interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/2       on           802.1q         trunking      1
Fa0/3       on           802.1q         trunking      1
Fa0/4       on           802.1q         trunking      1
Fa0/5       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/2       1-4094
Fa0/3       1-4094
Fa0/4       1-4094
Fa0/5       1-4094

Port        Vlans allowed and active in management domain
Fa0/2       1
Fa0/3       1
Fa0/4       1
Fa0/5       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/2       none
Fa0/3       none
Fa0/4       1
Fa0/5       none

ALS1#show interfaces fastEthernet 0/2 switchport
Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On

ALS1#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/2       auto         802.1q         trunking      1
Fa0/3       auto         802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/2       1-4094
Fa0/3       1-4094

Port        Vlans allowed and active in management domain
Fa0/2       1
Fa0/3       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/2       1
Fa0/3       1

DLS2
interface range fastEthernet 0/2-5
 switchport trunk encapsulation dot1q
 switchport mode trunk

As we can see, the 2960 L2 switches in dynamic auto state form the trunk dynamically (DTP) using 802.1q (they do not recognize ISL). We only need to configure the DLSx switches.


DLS2#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/2       on           802.1q         trunking      1
Fa0/3       on           802.1q         trunking      1
Fa0/4       on           802.1q         trunking      1
Fa0/5       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/2       1-4094
Fa0/3       1-4094
Fa0/4       1-4094
Fa0/5       1-4094

Port        Vlans allowed and active in management domain
Fa0/2       1
Fa0/3       1
Fa0/4       1
Fa0/5       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/2       none
Fa0/3       none
Fa0/4       none
Fa0/5       none

ALS2#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/2       auto         802.1q         trunking      1
Fa0/3       auto         802.1q         trunking      1
Fa0/4       auto         802.1q         trunking      1
Fa0/5       auto         802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/2       1-4094
Fa0/3       1-4094
Fa0/4       1-4094
Fa0/5       1-4094

Port        Vlans allowed and active in management domain
Fa0/2       1
Fa0/3       1
Fa0/4       1
Fa0/5       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/2       1
Fa0/3       1
Fa0/4       1
Fa0/5       1


ALS1 and ALS2 must form a trunk using 802.1q. DTP is not allowed between these switches.
Note: the port(s) must be in trunk mode before DTP is disabled.

ALS1
default interface range fastEthernet 0/2-7

ALS2
default interface range fastEthernet 0/2-7

ALS1
interface range fastEthernet 0/2-7
 switchport mode trunk
 switchport nonegotiate

ALS2
interface range fastEthernet 0/2-7
 switchport mode trunk
 switchport nonegotiate

ALS2#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/2       on           802.1q         trunking      1
Fa0/3       on           802.1q         trunking      1
Fa0/4       on           802.1q         trunking      1
Fa0/5       on           802.1q         trunking      1
Fa0/6       on           802.1q         trunking      1
Fa0/7       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/2       1-4094
Fa0/3       1-4094
Fa0/4       1-4094
Fa0/5       1-4094
Fa0/6       1-4094
Fa0/7       1-4094

Port        Vlans allowed and active in management domain
Fa0/2       1
Fa0/3       1
Fa0/4       1
Fa0/5       1
Fa0/6       1
Fa0/7       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/2       1
Fa0/3       1
Fa0/4       1
Fa0/5       1
Fa0/6       1
Fa0/7       1


ALS1#show interfaces fastEthernet 0/6 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/6       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/6       1-4094

Port        Vlans allowed and active in management domain
Fa0/6       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/6       1

ALS1#show interfaces fastEthernet 0/6 switchport
Name: Fa0/6
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off

Configure 802.1q on interfaces FastEthernet0/6 and FastEthernet0/7 of DLS1 and DLS2. These switches must actively negotiate trunk formation.

DLS1
interface range fastEthernet 0/6-7
 switchport mode dynamic desirable

DLS1#sh interfaces fastEthernet 0/6 switchport
Name: Fa0/6
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On

DLS2
interface range fastEthernet 0/6-7
 switchport mode dynamic desirable

DLS2#show interfaces fastEthernet 0/6 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/6       desirable    n-isl          trunking      1

Port        Vlans allowed on trunk
Fa0/6       1-4094

Port        Vlans allowed and active in management domain
Fa0/6       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/6       1


Creating and Managing VLANs

Create the following VLANs on DLS1 and verify that they propagate throughout the domain:
- 10, 20, 30, 100-105
- VLAN 10 must be the native VLAN.

Note: Check that the VTP protocol version is consistent on all switches.

At the end of the lab, explain:
- What is the native VLAN? What information can it carry? If the native VLAN does not match at both ends, what happens, and which protocol detects this condition? (native vlan).

DLS1
vlan 10,20,30,100-105

DLS1#sh vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
10   VLAN0010                         active
20   VLAN0020                         active
30   VLAN0030                         active
100  VLAN0100                         active
101  VLAN0101                         active
102  VLAN0102                         active
103  VLAN0103                         active
104  VLAN0104                         active
105  VLAN0105                         active
1000 VLAN1000                         active

DLS2#show vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2

DLS2#show vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
10   VLAN0010                         active
20   VLAN0020                         active
30   VLAN0030                         active
100  VLAN0100                         active
101  VLAN0101                         active
102  VLAN0102                         active
103  VLAN0103                         active
104  VLAN0104                         active
105  VLAN0105                         active
1000 VLAN1000                         active

ALS1#show vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
10   VLAN0010                         active
20   VLAN0020                         active
30   VLAN0030                         active
100  VLAN0100                         active
101  VLAN0101                         active
102  VLAN0102                         active
103  VLAN0103                         active
104  VLAN0104                         active
105  VLAN0105                         active

ALS2#show vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
10   VLAN0010                         active
20   VLAN0020                         active
30   VLAN0030                         active
100  VLAN0100                         active
101  VLAN0101                         active
102  VLAN0102                         active
103  VLAN0103                         active
104  VLAN0104                         active
105  VLAN0105                         active

To set the native VLAN, we designate it directly on the interface(s) that participate in the trunk. If the trunk is configured correctly, we should be able to see the VLANs created by DLS1.

DLS1
interface range fastEthernet 0/2-7
 switchport trunk native vlan 10


DLS2
interface range fastEthernet 0/2-7
 switchport trunk native vlan 10

ALS1
interface range fastEthernet 0/2-7
 switchport trunk native vlan 10

ALS2
interface range fastEthernet 0/2-7
 switchport trunk native vlan 10

DLS1#sh interfaces fastEthernet 0/2 switchport | i Native
Trunking Native Mode VLAN: 10 (VLAN0010)
Administrative Native VLAN tagging: enabled
Administrative private-vlan trunk Native VLAN tagging: enabled

DLS2#sh interfaces fastEthernet 0/2 switchport | i Native
Trunking Native Mode VLAN: 10 (VLAN0010)
Administrative Native VLAN tagging: enabled
Administrative private-vlan trunk Native VLAN tagging: enabled

ALS1#sh interfaces fastEthernet 0/2 switchport | i Native
Trunking Native Mode VLAN: 10 (VLAN0010)
Administrative Native VLAN tagging: enabled
Administrative private-vlan trunk Native VLAN tagging: enabled

ALS2#sh interfaces fastEthernet 0/2 switchport | i Native
Trunking Native Mode VLAN: 10 (VLAN0010)
Administrative Native VLAN tagging: enabled
Administrative private-vlan trunk Native VLAN tagging: enabled


Assigning VLANs to Trunks

On the trunks, assign (allow) VLANs according to the following table:

Interface         Switches    VLANs
FastEthernet 0/6  DLS1↔DLS2   1,10,20,30,100
FastEthernet 0/2  DLS2↔ALS2   1,10,20,30,101
FastEthernet 0/6  ALS1↔ALS2   1,10,20,30,102
FastEthernet 0/2  DLS1↔ALS1   1,10,20,30,103
FastEthernet 0/4  DLS1↔ALS2   1,10,20,30,104
FastEthernet 0/4  DLS2↔ALS1   1,10,20,30,105

Interfaces that do not participate in a trunk must be disabled.

Note: Before starting the lab it is important to know which VLANs are associated with the trunks, using the command show interface trunk.

At the end of the lab, explain the meaning of the following log:
- %SW_VLAN-4-VLAN_CREATE_FAIL: Failed to create VLANs 4094: extended VLAN(s) not allowed in current VTP mode
- Create VLANs 31, 32 and 33 and add them to all trunks, and remove VLAN 30 from them.

DLS1#sh interfaces fastEthernet 0/6 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/6       desirable    n-isl          trunking      10

Port        Vlans allowed on trunk
Fa0/6       1-4094

Port        Vlans allowed and active in management domain
Fa0/6       1,10,20,30,100-105

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/6       none

DLS1
interface range fastEthernet 0/7 , fastEthernet 0/5 , fastEthernet 0/3
 shutdown

DLS2
interface range fastEthernet 0/7 , fastEthernet 0/5 , fastEthernet 0/3
 shutdown

ALS1
interface range fastEthernet 0/7 , fastEthernet 0/5 , fastEthernet 0/3
 shutdown

ALS2
interface range fastEthernet 0/7 , fastEthernet 0/5 , fastEthernet 0/3
 shutdown


ALS2#show interfaces trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/2       on           802.1q         trunking      10
Fa0/4       on           802.1q         trunking      10
Fa0/6       on           802.1q         trunking      10

Port        Vlans allowed on trunk
Fa0/2       1-4094
Fa0/4       1-4094
Fa0/6       1-4094

Port        Vlans allowed and active in management domain
Fa0/2       1,10,20,30,100-105
Fa0/4       1,10,20,30,100-105
Fa0/6       1,10,20,30,100-105

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/2       1,10,20,30,100-105
Fa0/4       1,10,20,30,100-105
Fa0/6       1,10,20,30,100-105

DLS1↔DLS2

DLS1
interface FastEthernet0/6
 switchport trunk allowed vlan 1,10,20,30,100

DLS2
interface FastEthernet0/6
 switchport trunk allowed vlan 1,10,20,30,100

DLS2#show interfaces fastEthernet 0/6 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/6       desirable    n-isl          trunking      10

Port        Vlans allowed on trunk
Fa0/6       1,10,20,30,100

Port        Vlans allowed and active in management domain
Fa0/6       1,10,20,30,100

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/6       1,10,20,30,100

DLS2↔ALS2

DLS2
interface FastEthernet0/2
 switchport trunk allowed vlan 1,10,20,30,101

ALS2
interface FastEthernet0/2
 switchport trunk allowed vlan 1,10,20,30,101

ALS2#show interfaces fastEthernet 0/2 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/2       on           802.1q         trunking      10

Port        Vlans allowed on trunk
Fa0/2       1,10,20,30,101

Port        Vlans allowed and active in management domain
Fa0/2       1,10,20,30,101

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/2       1,10,20,30,101

ALS1↔ALS2

ALS1
interface FastEthernet0/6
 switchport trunk allowed vlan 1,10,20,30,102

ALS2
interface FastEthernet0/6
 switchport trunk allowed vlan 1,10,20,30,102

ALS2#show interfaces fastEthernet 0/6 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/6       on           802.1q         trunking      10

Port        Vlans allowed on trunk
Fa0/6       1,10,20,30,102

Port        Vlans allowed and active in management domain
Fa0/6       1,10,20,30,102

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/6       1,10,20,30,102

DLS1↔ALS1

DLS1
interface FastEthernet0/2
 switchport trunk allowed vlan 1,10,20,30,103

ALS1
interface FastEthernet0/2
 switchport trunk allowed vlan 1,10,20,30,103

ALS1#show interfaces fastEthernet 0/2 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/2       on           802.1q         trunking      10

Port        Vlans allowed on trunk
Fa0/2       1,10,20,30,103

Port        Vlans allowed and active in management domain
Fa0/2       1,10,20,30,103

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/2       1,10,20,30,103

DLS1↔ALS2

DLS1
interface FastEthernet0/4
 switchport trunk allowed vlan 1,10,20,30,104

ALS2
interface FastEthernet0/4
 switchport trunk allowed vlan 1,10,20,30,104


ALS2#show interfaces fastEthernet 0/4 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/4       on           802.1q         trunking      10

Port        Vlans allowed on trunk
Fa0/4       1,10,20,30,104

Port        Vlans allowed and active in management domain
Fa0/4       1,10,20,30,104

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/4       1,10,20,30,104

DLS2↔ALS1

DLS2
interface FastEthernet0/4
 switchport trunk allowed vlan 1,10,20,30,105

ALS1
interface FastEthernet0/4
 switchport trunk allowed vlan 1,10,20,30,105

DLS2#show interfaces fastEthernet 0/4 trunk

Port        Mode         Encapsulation  Status        Native vlan
Fa0/4       on           802.1q         trunking      10

Port        Vlans allowed on trunk
Fa0/4       1,10,20,30,105

Port        Vlans allowed and active in management domain
Fa0/4       1,10,20,30,105

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/4       none
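Checking each trunk by eye, as above, can be replaced by a script that compares "show interfaces trunk" output with the lab's VLAN table and native VLAN 10. The following Python code is an added example, not part of the original guide; the function names are illustrative and the ALS2 output is constructed with deliberate deviations.

```python
# Added example (not from the original guide): check trunks against the lab's VLAN table.

NATIVE_VLAN = 10
# (port, switch A, switch B, allowed VLANs), copied from the table in this section.
LINKS = [
    ("Fa0/6", "DLS1", "DLS2", "1,10,20,30,100"),
    ("Fa0/2", "DLS2", "ALS2", "1,10,20,30,101"),
    ("Fa0/6", "ALS1", "ALS2", "1,10,20,30,102"),
    ("Fa0/2", "DLS1", "ALS1", "1,10,20,30,103"),
    ("Fa0/4", "DLS1", "ALS2", "1,10,20,30,104"),
    ("Fa0/4", "DLS2", "ALS1", "1,10,20,30,105"),
]


def expand_vlans(spec):
    """'1,10,20,30,100-105' -> set of VLAN ids; 'none' -> empty set."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if part and part != "none":
            low, _, high = part.partition("-")
            vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def policy_for(switch):
    """Expected allowed VLANs per trunk port of one switch."""
    return {port: expand_vlans(spec) for port, a, b, spec in LINKS if switch in (a, b)}


def parse_trunk(text):
    """Parse 'show interfaces trunk' into {port: {'native': int, 'allowed': set}}."""
    ports, section = {}, None
    for line in text.splitlines():
        name, _, rest = line.strip().partition(" ")
        rest = rest.strip()
        if name == "Port":
            section = rest                 # each section starts with a 'Port ...' header
        elif section and name:
            entry = ports.setdefault(name, {})
            if section.startswith("Mode"):
                entry["native"] = int(rest.split()[-1])
            elif section == "Vlans allowed on trunk":
                entry["allowed"] = expand_vlans(rest)
    return ports


def check_trunks(switch, text):
    """Return (port, finding, detail) tuples for every deviation from the table."""
    expected, actual = policy_for(switch), parse_trunk(text)
    findings = []
    for port in sorted(set(expected) | set(actual)):
        if port not in expected:
            findings.append((port, "unexpected-trunk", None))   # should be shut down
            continue
        if port not in actual:
            findings.append((port, "not-trunking", None))
            continue
        allowed = actual[port].get("allowed", set())
        if allowed - expected[port]:
            findings.append((port, "extra-vlans", len(allowed - expected[port])))
        if expected[port] - allowed:
            findings.append((port, "missing-vlans", sorted(expected[port] - allowed)))
        if actual[port].get("native") != NATIVE_VLAN:
            findings.append((port, "native-vlan", actual[port].get("native")))
    return findings


# Constructed output for ALS2: Fa0/4 never pruned, Fa0/6 left on native VLAN 1,
# Fa0/7 trunking although the table does not list it.
SAMPLE_ALS2 = """\
ALS2#show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/2       on           802.1q         trunking      10
Fa0/4       on           802.1q         trunking      10
Fa0/6       on           802.1q         trunking      1
Fa0/7       on           802.1q         trunking      10

Port        Vlans allowed on trunk
Fa0/2       1,10,20,30,101
Fa0/4       1-4094
Fa0/6       1,10,20,30,102
Fa0/7       1-4094
"""

if __name__ == "__main__":
    for finding in check_trunks("ALS2", SAMPLE_ALS2):
        print(finding)
```
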


VTP I

Setup: erase all configuration information and reload the switch(es) (delete the vlan.dat file and the configuration).

- Configure an 802.1q trunk between DLS1 and DLS2 over interface fastethernet 0/6.
- Configure VTP using domain DUOC between DLS1 and DLS2, version 2, server mode, password duoc.
- On DLS1, create VLANs 10 (ENG), 20 (RRHH) and 30 (NATIVA).
- Allow the newly created VLANs plus VLAN 1 on the trunk.
- VLAN 30 must carry CDP, VTP and PAgP information.
- Disable DTP.

At the end of the lab, state:
- Which VTP role allows the configuration to be saved in the vlan.dat file in flash.
- Which platforms support VTP version 3.
- What can happen if a switch in server mode with a revision number

DLS1
vtp version 2
vtp domain DUOC
vtp password duoc

interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 30
 switchport trunk allowed vlan 1,10,20,30
 switchport mode trunk
 switchport nonegotiate

DLS2
vtp version 2
vtp domain DUOC
vtp password duoc

interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 30
 switchport trunk allowed vlan 1,10,20,30
 switchport mode trunk
 switchport nonegotiate


DLS1vlan 10 name ENG

vlan 20 name RRHH

vlan 30 name NATIVA

DLS1#sh vlan brief | exclude unsupVLAN Name Status Ports---- -------------------------------- --------- -------------------------------1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4 Fa0/5, Fa0/7, Fa0/8, Fa0/9 Fa0/10, Fa0/11, Fa0/12, Fa0/13 Fa0/14, Fa0/15, Fa0/16, Fa0/17 Fa0/18, Fa0/19, Fa0/20, Fa0/21 Fa0/22, Fa0/23, Fa0/24, Gi0/1 Gi0/210 ENG active20 RRHH active30 NATIVA active

DLS2#sh vlan brief | exclude unsupVLAN Name Status Ports---- -------------------------------- --------- -------------------------------1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4 Fa0/5, Fa0/7, Fa0/8, Fa0/9 Fa0/10, Fa0/11, Fa0/12, Fa0/13 Fa0/14, Fa0/15, Fa0/16, Fa0/17 Fa0/18, Fa0/19, Fa0/20, Fa0/21 Fa0/22, Fa0/23, Fa0/24, Gi0/1 Gi0/210 ENG active20 RRHH active30 NATIVA active

DLS2#show vtp status
VTP Version                     : running VTP2
Configuration Revision          : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 8
VTP Operating Mode              : Server
VTP Domain Name                 : DUOC
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x67 0x85 0x53 0x48 0xD9 0xED 0x06 0xC6
Configuration last modified by 1.1.1.1 at 3-1-93 00:43:10
Local updater ID is 1.1.1.2 on interface Vl1 (lowest numbered VLAN interface found)


DLS1#sh vtp status
VTP Version                     : running VTP2
Configuration Revision          : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 8
VTP Operating Mode              : Server
VTP Domain Name                 : DUOC
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x67 0x85 0x53 0x48 0xD9 0xED 0x06 0xC6
Configuration last modified by 1.1.1.1 at 3-1-93 00:43:10
Local updater ID is 1.1.1.1 on interface Vl1 (lowest numbered VLAN interface found)

Create VLAN 50 (name DATOS) and add it to the trunk.

DLS1#show running-config interface fastEthernet 0/6
Building configuration...

Current configuration : 193 bytes
!
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 30
 switchport trunk allowed vlan 1,10,20,30
 switchport mode trunk
 switchport nonegotiate

DLS1
vlan 50
 name DATOS

interface FastEthernet0/6
 switchport trunk allowed vlan add 50

DLS1#show running-config interface fastEthernet 0/6
Building configuration...

Current configuration : 196 bytes
!
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 30
 switchport trunk allowed vlan 1,10,20,30,50
 switchport mode trunk
 switchport nonegotiate


DLS2#show running-config interface fastEthernet 0/6
Building configuration...

Current configuration : 193 bytes
!
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 30
 switchport trunk allowed vlan 1,10,20,30
 switchport mode trunk
 switchport nonegotiate
end

DLS2
interface FastEthernet0/6
 switchport trunk allowed vlan add 50

DLS2#show running-config interface fastEthernet 0/6
Building configuration...

Current configuration : 196 bytes
!
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 30
 switchport trunk allowed vlan 1,10,20,30,50
 switchport mode trunk
 switchport nonegotiate

DLS2#show vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/7, Fa0/8, Fa0/9
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Gi0/1
                                                Gi0/2
10   ENG                              active
20   RRHH                             active
30   NATIVA                           active
50   DATOS                            active


VTP II: The Configuration Revision number problem in VTP

VTP can cause serious problems if certain precautions are not taken. The following scenario shows a common problem that occurs when a Catalyst switch is connected with a VTP revision number higher than the one on the VTP server: the new switch overwrites all the VLAN information and its propagation, because a higher number is treated as more up-to-date information.

- Erase all previous configuration.
- Shut down all interfaces on all switches (this gives us more control as far as security is concerned).
- Configure 802.1q trunks with the following layout:
  - DLS1 ↔ DLS2 (fastethernet 0/6).
  - DLS1 ↔ ALS1 (fastethernet 0/2).
  - DLS1 ↔ ALS2 (fastethernet 0/4).
  - DLS2 ↔ ALS1 (fastethernet 0/4).
  - DLS2 ↔ ALS2 (fastethernet 0/2).
  - ALS1 ↔ ALS2 (fastethernet 0/6).
  - Enable the interfaces that take part in the trunks.
- On the trunks allow VLANs 1 and 10-20, excluding VLAN 19. Disable DTP.

DLS1
interface range fastEthernet 0/1-24
 shutdown

DLS2
interface range fastEthernet 0/1-24
 shutdown

ALS1
interface range fastEthernet 0/1-24
 shutdown

ALS2
interface range fastEthernet 0/1-24
 shutdown

ALS2#show interfaces status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        disabled     1            auto   auto 10/100BaseTX
Fa0/2                        disabled     1            auto   auto 10/100BaseTX
Fa0/3                        disabled     1            auto   auto 10/100BaseTX
Fa0/4                        disabled     1            auto   auto 10/100BaseTX
Fa0/5                        disabled     1            auto   auto 10/100BaseTX
Fa0/6                        disabled     1            auto   auto 10/100BaseTX
Fa0/7                        disabled     1            auto   auto 10/100BaseTX
Fa0/8                        disabled     1            auto   auto 10/100BaseTX
Fa0/9                        disabled     1            auto   auto 10/100BaseTX
Fa0/10                       disabled     1            auto   auto 10/100BaseTX
Fa0/11                       disabled     1            auto   auto 10/100BaseTX
Fa0/12                       disabled     1            auto   auto 10/100BaseTX
Fa0/13                       disabled     1            auto   auto 10/100BaseTX
Fa0/14                       disabled     1            auto   auto 10/100BaseTX
Fa0/15                       disabled     1            auto   auto 10/100BaseTX
Fa0/16                       disabled     1            auto   auto 10/100BaseTX
Fa0/17                       disabled     1            auto   auto 10/100BaseTX
Fa0/18                       disabled     1            auto   auto 10/100BaseTX
Fa0/19                       disabled     1            auto   auto 10/100BaseTX
Fa0/20                       disabled     1            auto   auto 10/100BaseTX
Fa0/21                       disabled     1            auto   auto 10/100BaseTX

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/22                       disabled     1            auto   auto 10/100BaseTX
Fa0/23                       disabled     1            auto   auto 10/100BaseTX
Fa0/24                       disabled     1            auto   auto 10/100BaseTX

DLS1 ↔ DLS2 (fastethernet 0/6)

DLS1
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10-20
 switchport trunk allowed vlan remove 19
 switchport trunk allowed vlan add 1
 no shutdown

DLS1#show running-config interface fastEthernet 0/6
Building configuration...

Current configuration : 158 bytes
!
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10-18,20
 switchport mode trunk
 switchport nonegotiate


DLS2
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10-20
 switchport trunk allowed vlan remove 19
 switchport trunk allowed vlan add 1
 no shutdown

DLS2#show running-config interface fastEthernet 0/6
Building configuration...

Current configuration : 160 bytes
!
interface FastEthernet0/6
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10-18,20
 switchport mode trunk
 switchport nonegotiate
end

DLS2#show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/6       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/6       1,10-18,20

Port        Vlans allowed and active in management domain
Fa0/6       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/6       1

DLS1 ↔ ALS1 (fastethernet 0/2)

DLS1
interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10-20
 switchport trunk allowed vlan remove 19
 switchport trunk allowed vlan add 1
 no shutdown

ALS1
interface FastEthernet0/2
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10-20
 switchport trunk allowed vlan remove 19
 switchport trunk allowed vlan add 1
 no shutdown


DLS1 ↔ ALS2 (fastethernet 0/4)

DLS1
interface FastEthernet0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10-20
 switchport trunk allowed vlan remove 19
 switchport trunk allowed vlan add 1
 no shutdown

ALS2
interface FastEthernet0/4
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10-20
 switchport trunk allowed vlan remove 19
 switchport trunk allowed vlan add 1
 no shutdown

DLS2 ↔ ALS1 (fastethernet 0/4)

DLS2
interface FastEthernet0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10-20
 switchport trunk allowed vlan remove 19
 switchport trunk allowed vlan add 1
 no shutdown

ALS1
interface FastEthernet0/4
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10-20
 switchport trunk allowed vlan remove 19
 switchport trunk allowed vlan add 1
 no shutdown

ALS1#show interfaces fastEthernet 0/4 trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/4       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/4       1,10-18,20

Port        Vlans allowed and active in management domain
Fa0/4       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/4       1


DLS2 ↔ ALS2 (fastethernet 0/2)

DLS2
interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10-20
 switchport trunk allowed vlan remove 19
 switchport trunk allowed vlan add 1
 no shutdown

ALS2
interface FastEthernet0/2
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10-20
 switchport trunk allowed vlan remove 19
 switchport trunk allowed vlan add 1
 no shutdown

ALS1 ↔ ALS2 (fastethernet 0/6)

ALS1
interface FastEthernet0/6
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10-20
 switchport trunk allowed vlan remove 19
 switchport trunk allowed vlan add 1
 no shutdown

ALS2
interface FastEthernet0/6
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10-20
 switchport trunk allowed vlan remove 19
 switchport trunk allowed vlan add 1
 no shutdown

ALS2#show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/2       on           802.1q         trunking      1
Fa0/4       on           802.1q         trunking      1
Fa0/6       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/2       1,10-18,20
Fa0/4       1,10-18,20
Fa0/6       1,10-18,20

Port        Vlans allowed and active in management domain
Fa0/2       1
Fa0/4       1
Fa0/6       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/2       1
Fa0/4       1
Fa0/6       1

DLS1#sh interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/2       on           802.1q         trunking      1
Fa0/4       on           802.1q         trunking      1
Fa0/6       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/2       1,10-18,20
Fa0/4       1,10-18,20
Fa0/6       1,10-18,20

Port        Vlans allowed and active in management domain
Fa0/2       1
Fa0/4       1
Fa0/6       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/2       none
Fa0/4       1
Fa0/6       none

DLS2#show interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Fa0/2       on           802.1q         trunking      1
Fa0/4       on           802.1q         trunking      1
Fa0/6       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/2       1,10-18,20
Fa0/4       1,10-18,20
Fa0/6       1,10-18,20

Port        Vlans allowed and active in management domain
Fa0/2       1
Fa0/4       1
Fa0/6       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/2       1
Fa0/4       none
Fa0/6       1


Configure VTP using domain DUOC, version 2, server mode, password duoc on all switches. Create loopback0 on each switch to use as the ID in VTP sessions, with the following layout:

- DLS1 loopback0 → 10.1.1.1/32
- DLS2 loopback0 → 10.2.2.2/32
- ALS1 loopback0 → 10.3.3.3/32
- ALS2 loopback0 → 10.4.4.4/32

On DLS1 create VLANs 10 to 20. Verify that they have propagated. Remember that VLAN 19 must be excluded on the trunk, but not locally on DLS1.

DLS1
vlan 10-20
interface Loopback0
 ip address 10.1.1.1 255.255.255.255

vtp version 2
vtp mode server
vtp domain DUOC
vtp password duoc
vtp interface Loopback0

DLS2
interface Loopback0
 ip address 10.2.2.2 255.255.255.255

vtp version 2
vtp mode server
vtp domain DUOC
vtp password duoc
vtp interface Loopback0

ALS1
interface Loopback0
 ip address 10.3.3.3 255.255.255.255

vtp version 2
vtp mode server
vtp domain DUOC
vtp password duoc
vtp interface Loopback0

ALS2
interface Loopback0
 ip address 10.4.4.4 255.255.255.255

vtp version 2
vtp mode server
vtp domain DUOC
vtp password duoc
vtp interface Loopback0


DLS1#sh vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/3, Fa0/5, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24, Gi0/1, Gi0/2
10   VLAN0010                         active
11   VLAN0011                         active
12   VLAN0012                         active
13   VLAN0013                         active
14   VLAN0014                         active
15   VLAN0015                         active
16   VLAN0016                         active
17   VLAN0017                         active
18   VLAN0018                         active
19   VLAN0019                         active
20   VLAN0020                         active

ALS2#sh vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/3, Fa0/5, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24, Gi0/1, Gi0/2
10   VLAN0010                         active
11   VLAN0011                         active
12   VLAN0012                         active
13   VLAN0013                         active
14   VLAN0014                         active
15   VLAN0015                         active
16   VLAN0016                         active
17   VLAN0017                         active
18   VLAN0018                         active
19   VLAN0019                         active
20   VLAN0020                         active

ALS1#show vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/3, Fa0/5, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24, Gi0/1, Gi0/2
10   VLAN0010                         active
11   VLAN0011                         active
12   VLAN0012                         active
13   VLAN0013                         active
14   VLAN0014                         active
15   VLAN0015                         active
16   VLAN0016                         active
17   VLAN0017                         active
18   VLAN0018                         active
19   VLAN0019                         active
20   VLAN0020                         active
999  VLAN0999                         active

DLS2#show vl brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/3, Fa0/5, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24, Gi0/1, Gi0/2
10   VLAN0010                         active
11   VLAN0011                         active
12   VLAN0012                         active
13   VLAN0013                         active
14   VLAN0014                         active
15   VLAN0015                         active
16   VLAN0016                         active
17   VLAN0017                         active
18   VLAN0018                         active
19   VLAN0019                         active
20   VLAN0020                         active

DLS1#sh vtp status
VTP Version                     : running VTP2
Configuration Revision          : 8
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 16
VTP Operating Mode              : Server
VTP Domain Name                 : DUOC
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xAE 0xB8 0xA3 0xDF 0x7E 0xA7 0x83 0x5A
Configuration last modified by 10.2.2.2 at 3-1-93 01:49:42
Local updater ID is 10.1.1.1 on interface Lo0 (preferred interface)
Preferred interface name is Loopback0

The revision number is 8, that is, revision 8 carried the most up-to-date information. Now suppose that ALS2 has not yet joined the network but has the same domain name and revision number 8. Because ALS2 is configured as a VTP server (the default), it stores the information in the vlan.dat file in flash.

We can delete VLANs 10 to 20 on ALS2 and the revision number will increase to 9, as the following example shows. This produces "more up-to-date" information for VTP and removes the VLANs created by DLS1 from the databases.


ALS2#show vtp status
VTP Version                     : 2
Configuration Revision          : 8
Maximum VLANs supported locally : 255
Number of existing VLANs        : 16
VTP Operating Mode              : Server
VTP Domain Name                 : DUOC
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xAE 0xB8 0xA3 0xDF 0x7E 0xA7 0x83 0x5A
Configuration last modified by 10.2.2.2 at 3-1-93 01:49:42
Local updater ID is 10.4.4.4 on interface Lo0 (preferred interface)
Preferred interface name is Loopback0

ALS2
interface range fastEthernet 0/2 , fastEthernet 0/4 , fastEthernet 0/6
 shutdown

no vlan 10-20

ALS2#show vtp status
VTP Version                     : 2
Configuration Revision          : 9
Maximum VLANs supported locally : 255
Number of existing VLANs        : 6
VTP Operating Mode              : Server
VTP Domain Name                 : DUOC
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x75 0x25 0xD6 0x97 0x64 0xEF 0x6F 0x29
Configuration last modified by 10.4.4.4 at 3-1-93 01:57:08
Local updater ID is 10.4.4.4 on interface Lo0 (preferred interface)
Preferred interface name is Loopback0

ALS2#show vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2


We bring the interfaces up and look at the results on the other switches. We have wiped out all the VLANs that DLS1 created!!!!!!!

ALS2
interface range fastEthernet 0/2 , fastEthernet 0/4 , fastEthernet 0/6
 no shutdown

DLS1#sh vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/3, Fa0/5, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24, Gi0/1, Gi0/2

DLS2#sh vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/3, Fa0/5, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24, Gi0/1, Gi0/2

ALS1#sh vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/3, Fa0/5, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24, Gi0/1, Gi0/2

As we can see, using VTP can save configuration time, but there must be a very carefully refined design and configuration plan; otherwise we could leave an entire network without connectivity.

Based on the example just explained, what solution would you recommend to avoid this serious problem?
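One check that catches the scenario above before the cable is plugged in, as an added example (not part of the original guide): compare the `show vtp status` of the production domain with that of the switch about to join. The function names are hypothetical, and the sample text is abridged from the DLS1 and ALS2 outputs shown in this lab; the client-mode and empty-domain cases go beyond what the lab demonstrates and reflect general VTP version 1/2 behaviour.

```python
# Added example. Sample text is constructed from values shown in this lab.
DOMAIN_STATUS = """\
VTP Version                     : running VTP2
Configuration Revision          : 8
Number of existing VLANs        : 16
VTP Operating Mode              : Server
VTP Domain Name                 : DUOC
Configuration last modified by 10.2.2.2 at 3-1-93 01:49:42
"""

CANDIDATE_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 9
Number of existing VLANs        : 6
VTP Operating Mode              : Server
VTP Domain Name                 : DUOC
Configuration last modified by 10.4.4.4 at 3-1-93 01:57:08
"""

FIELDS = {
    "Configuration Revision": "revision",
    "Number of existing VLANs": "vlans",
    "VTP Operating Mode": "mode",
    "VTP Domain Name": "domain",
}


def parse_vtp_status(text):
    """Extract revision, VLAN count, mode and domain from `show vtp status` text."""
    info = {"revision": None, "vlans": None, "mode": None, "domain": ""}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        name = FIELDS.get(key.strip())
        if not sep or name is None:
            continue  # version, digest and "last modified" lines are not needed
        value = value.strip()
        if name in ("revision", "vlans"):
            if not value.isdigit():
                raise ValueError(f"non-numeric {key.strip()!r}: {value!r}")
            info[name] = int(value)
        else:
            info[name] = value
    if info["revision"] is None or info["mode"] is None:
        raise ValueError("not a complete 'show vtp status' output")
    return info


def join_verdict(domain_text, candidate_text):
    """Return (verdict, reason) for trunking the candidate switch into the domain."""
    dom = parse_vtp_status(domain_text)
    cand = parse_vtp_status(candidate_text)
    mode = cand["mode"].lower()
    if mode not in ("server", "client"):
        return ("IGNORED", f"candidate is in {mode} mode and does not push its database")
    if cand["domain"] == "":
        return ("REVIEW", "candidate has no domain name and adopts the first one it hears")
    if cand["domain"] != dom["domain"]:
        return ("IGNORED", "domain names differ, advertisements are not accepted")
    if cand["revision"] > dom["revision"]:
        # The case shown in the lab: revision 9 beats revision 8.
        return ("OVERWRITE",
                f"candidate revision {cand['revision']} > domain revision "
                f"{dom['revision']}: its {cand['vlans']} VLANs replace the "
                f"domain's {dom['vlans']}")
    if cand["revision"] < dom["revision"]:
        return ("SYNC", "candidate has the lower revision and takes the domain's database")
    return ("EQUAL", "same revision; compare the MD5 digests before connecting")


if __name__ == "__main__":
    verdict, reason = join_verdict(DOMAIN_STATUS, CANDIDATE_STATUS)
    print(verdict, "-", reason)
```

An `OVERWRITE` verdict means the candidate's revision number must be brought below the domain's before its trunk ports are enabled.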


Private VLANs on a single switch

Build the following topology:

Assign the following addressing:

PC    IP
PC1   10.1.1.1/24
PC2   10.1.1.2/24
PC3   10.1.1.3/24

Check that all the PCs can communicate with each other. Note: since the switches have no previous configuration, they will use VLAN 1 as the broadcast domain. Disable the firewall on the PCs.

PC3
C:\>ping 10.1.1.1
Haciendo ping a 10.1.1.1 con 32 bytes de datos:
Respuesta desde 10.1.1.1: bytes=32 tiempo<1m TTL=255
Respuesta desde 10.1.1.1: bytes=32 tiempo=2ms TTL=255
Respuesta desde 10.1.1.1: bytes=32 tiempo=1ms TTL=255
Respuesta desde 10.1.1.1: bytes=32 tiempo=1ms TTL=255

Estadísticas de ping para 10.1.1.1:
    Paquetes: enviados = 4, recibidos = 4, perdidos = 0 (0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 0ms, Máximo = 2ms, Media = 1ms

C:\>ping 10.1.1.2
Haciendo ping a 10.1.1.2 con 32 bytes de datos:
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128

Estadísticas de ping para 10.1.1.2:
    Paquetes: enviados = 4, recibidos = 4, perdidos = 0 (0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 0ms, Máximo = 0ms, Media = 0ms

DLS1#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms

DLS1#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

DLS1#ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms

Configure Private VLANs based on the following table:

Device   VLAN-Type   VLAN-ID
Router   Primary     100
PC1      Community   200
PC2      Community   200
PC3      Isolated    300

Private VLANs require a series of steps:
- Configure the switch in VTP transparent mode.
- Create the Primary VLAN.
- Define the Secondary VLANs.
- Associate the Secondary VLANs with the Primary VLAN.

DLS1
vtp mode transparent

DLS1#sh vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Transparent
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

DLS1
vlan 100
 name VLAN_PRIMARIA
 private-vlan primary
 private-vlan association 411,421,431

vlan 200
 private-vlan community
vlan 300
 private-vlan isolated

DLS1#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100               primary
        200       community
        300       isolated

DLS1
vlan 100
 private-vlan association add 200,300

DLS1#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     200       community
100     300       isolated

The next step is to configure interface fastethernet 0/4 (which connects to the Router) in promiscuous mode and map the Primary VLAN to the Secondary VLANs.

DLS1
interface FastEthernet0/4
 switchport private-vlan mapping 100 200,300
 switchport mode private-vlan promiscuous

DLS1#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     200       community         Fa0/4
100     300       isolated          Fa0/4

On the ports that connect the hosts, create the association and set them to host mode.

DLS1
interface FastEthernet0/1
 switchport private-vlan host-association 100 200
 switchport mode private-vlan host
 spanning-tree portfast

interface FastEthernet0/2
 switchport private-vlan host-association 100 200
 switchport mode private-vlan host
 spanning-tree portfast

interface FastEthernet0/3
 switchport private-vlan host-association 100 300
 switchport mode private-vlan host
 spanning-tree portfast

DLS1#sh interfaces fastEthernet 0/4 switchport
Name: Fa0/4
Switchport: Enabled
Administrative Mode: private-vlan promiscuous
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: 100 (VLAN_PRIMARIA) 200 (VLAN0200) 300 (VLAN0300)
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

DLS1#sh vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     200       community         Fa0/1, Fa0/2, Fa0/4
100     300       isolated          Fa0/3, Fa0/4

Association between host and promiscuous ports

Private-VLANs connectivity tests

According to what we have studied, PC1 and PC2 must have connectivity with each other and with the Router, which is in promiscuous mode.

PC2
C:\>ping 10.1.1.1
Haciendo ping a 10.1.1.1 con 32 bytes de datos:
Respuesta desde 10.1.1.1: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.1: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.1: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.1: bytes=32 tiempo<1m TTL=128
Estadísticas de ping para 10.1.1.1:
    Paquetes: enviados = 4, recibidos = 4, perdidos = 0 (0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 0ms, Máximo = 0ms, Media = 0ms

C:\>ping 10.1.1.100
Haciendo ping a 10.1.1.100 con 32 bytes de datos:
Respuesta desde 10.1.1.100: bytes=32 tiempo=38ms TTL=255
Respuesta desde 10.1.1.100: bytes=32 tiempo=15ms TTL=255
Respuesta desde 10.1.1.100: bytes=32 tiempo=16ms TTL=255
Respuesta desde 10.1.1.100: bytes=32 tiempo=31ms TTL=255
Estadísticas de ping para 10.1.1.100:
    Paquetes: enviados = 4, recibidos = 4, perdidos = 0 (0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 15ms, Máximo = 38ms, Media = 25ms

PC3
C:\>ping 10.1.1.1
Haciendo ping a 10.1.1.1 con 32 bytes de datos:
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Estadísticas de ping para 10.1.1.1:
    Paquetes: enviados = 4, recibidos = 0, perdidos = 4 (100% perdidos),

C:\>ping 10.1.1.100
Haciendo ping a 10.1.1.100 con 32 bytes de datos:
Respuesta desde 10.1.1.100: bytes=32 tiempo=23ms TTL=255
Respuesta desde 10.1.1.100: bytes=32 tiempo=16ms TTL=255
Respuesta desde 10.1.1.100: bytes=32 tiempo=31ms TTL=255
Respuesta desde 10.1.1.100: bytes=32 tiempo=15ms TTL=255
Estadísticas de ping para 10.1.1.100:
    Paquetes: enviados = 4, recibidos = 4, perdidos = 0 (0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 15ms, Máximo = 31ms, Media = 21ms

Meanwhile the Router, which is in promiscuous mode, has connectivity with all the hosts, as the following tests show:


R1#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/19/32 ms

R1#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/20/44 ms

R1#ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/17/36 ms
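The connectivity results above can be predicted from the switch output alone. The following added example (not part of the original guide) parses the final `show vlan private-vlan` output of this lab and applies the private-VLAN forwarding rules to every pair of ports; the function names are hypothetical, and the set of promiscuous ports is passed in separately because that output does not label them.

```python
import re

# Added example. Constructed sample: the final `show vlan private-vlan` output
# of this lab (Fa0/1 = PC1, Fa0/2 = PC2, Fa0/3 = PC3, Fa0/4 = Router).
PVLAN_OUTPUT = """\
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     200       community         Fa0/1, Fa0/2, Fa0/4
100     300       isolated          Fa0/3, Fa0/4
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(community|isolated)\b\s*(.*)$")


def parse_pvlan(text):
    """Return [(primary, secondary, kind, [ports])] for associated secondary VLANs."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, ruler, or a VLAN that is not associated yet
        ports = [p.strip() for p in m.group(4).split(",") if p.strip()]
        rows.append((int(m.group(1)), int(m.group(2)), m.group(3), ports))
    return rows


def port_roles(rows, promiscuous):
    """Map each port to its role.

    `promiscuous` is the set of ports configured with
    `switchport mode private-vlan promiscuous` (taken from the interface
    configuration, since the table lists them like any other port).
    """
    roles = {}
    for primary, secondary, kind, ports in rows:
        for port in ports:
            if port in promiscuous:
                role = roles.setdefault(
                    port, {"kind": "promiscuous", "primary": primary, "mapped": set()})
                role["mapped"].add(secondary)
            else:
                roles[port] = {"kind": kind, "primary": primary, "secondary": secondary}
    return roles


def can_talk(roles, a, b):
    """Layer-2 reachability between two ports under private-VLAN rules."""
    ra, rb = roles[a], roles[b]
    if ra["primary"] != rb["primary"]:
        return False
    if ra["kind"] == "promiscuous" and rb["kind"] == "promiscuous":
        return True
    if ra["kind"] == "promiscuous":
        return rb["secondary"] in ra["mapped"]
    if rb["kind"] == "promiscuous":
        return ra["secondary"] in rb["mapped"]
    # Two host ports: only members of the same community VLAN reach each other.
    # Isolated ports never reach another host port, even in the same VLAN.
    return ra["kind"] == rb["kind"] == "community" and ra["secondary"] == rb["secondary"]


def reachability(text, promiscuous):
    """Return {(port_a, port_b): bool} for every ordered pair of ports."""
    roles = port_roles(parse_pvlan(text), promiscuous)
    ports = sorted(roles)
    return {(a, b): can_talk(roles, a, b) for a in ports for b in ports if a != b}


if __name__ == "__main__":
    for pair, ok in sorted(reachability(PVLAN_OUTPUT, {"Fa0/4"}).items()):
        print(pair, "reachable" if ok else "blocked")
```

Any pair the model marks as blocked that still answers a ping points to a port left outside the private VLAN or to traffic being routed back through the promiscuous port.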


Port Protected

- Create VLAN 10 on ALS1.
- Configure interfaces Fa0/10 and Fa0/11 as access ports as shown in the figure. Test whether there is connectivity between the PCs.
- Then enable port protect. Check that the PCs can communicate with the Router but not with each other.

Note: Both ports must be in protected mode in order to be isolated from each other.

ALS1
vlan 111
 name PORT-PROTECTED

interface FastEthernet0/10
 switchport access vlan 111
 switchport mode access
 spanning-tree portfast

interface FastEthernet0/11
 switchport access vlan 111
 switchport mode access
 spanning-tree portfast

PC1
C:\>ping 10.1.12.2 -t
Haciendo ping a 10.1.12.2 con 32 bytes de datos:
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128

ALS1
interface FastEthernet0/10
 switchport protected

interface FastEthernet0/11
 switchport protected

Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.

Estadísticas de ping para 10.1.12.2:
    Paquetes: enviados = 33, recibidos = 27, perdidos = 6 (18% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 0ms, Máximo = 0ms, Media = 0ms
Control-C

The output above shows that there is connectivity between the PCs until port-protected is enabled.

Configure an access port for VLAN 111 on Fa0/9, which connects to the Router. Enable the Router's interface with IP 10.1.12.100/24.

R1
interface FastEthernet0/0
 ip address 10.1.12.100 255.255.255.0
 no shut

ALS1
interface FastEthernet0/9
 switchport access vlan 111
 switchport mode access
 spanning-tree portfast

ALS1#show interfaces fastEthernet 0/10 switchport
Name: Fa0/10
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 111 (PORT-PROTECTED)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

R1#ping 10.1.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/20/40 ms


PC2


EtherChannel I PAgP (Port Aggregation Protocol)

Crear trunking configurando las interfaces f0/6 y f0/7 de DLS1 y DLS2. Utilice protocolo standard de la industria. Como resultado deberíamos ver un solo enlace para STP. Si un enlace falla no debería haber interrupción del tráfico. DLS1 solo debe responder si se inicia una negociación desde el otro extremo, debe adoptar modo pasivo. DLS2 debe intentarformar un etherchannel en forma activa.

PortChannelSW1 Configurado con SW2 Configurado con Etherchannel?Desirable (PAgP Cisco) Desirable SíDesirable (PAgP Cisco) Auto SíAuto Auto No

Modos PAgP:On: No existe negociación PAgP. En el otro extremo debe estar en modo ON igualmente.Auto (default): Responde a mensajes PAgP pero no inicia la negociación. Se creará el portchannel siempre que en el otro extremo este en modo Desirable. Desirable: El puerto intenta activamente formar un etherchannel. Para que sea se forme el PortChannel en el otro extremo debe estar configurado en modo Auto o Desirable.

Recommended process:
1. Use default interface to return the interface to an unconfigured state (default values).
2. Create a channel-group on the physical interface (assign an identifying number); a port channel is created automatically.
3. (Very important) Define the trunk inside the port channel (encapsulation, mode, …).

At the end of the lab, explain:
- The purpose of non-silent mode together with auto and desirable.
- What information the show pagp internal command provides.

------------------------------------------------------------------------------------------------------------------------
Example of PAgP EtherChannel types

DLS1(config)#interface range fastEthernet 0/6-7
DLS1(config-if-range)#channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected
------------------------------------------------------------------------------------------------------------------------


DLS1
default interface range fastEthernet 0/6-7

interface FastEthernet0/6
 channel-group 1 mode auto non-silent

interface FastEthernet0/7
 channel-group 1 mode auto non-silent

interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk

DLS2
default interface range fastEthernet 0/6-7

interface FastEthernet0/6
 channel-group 1 mode desirable non-silent

interface FastEthernet0/7
 channel-group 1 mode desirable non-silent

interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk

DLS2#show pagp neighbor
Flags:  S - Device is sending Slow hello.  C - Device is in Consistent state.
        A - Device is in Auto mode.        P - Device learns on physical port.

Channel group 1 neighbors
          Partner              Partner          Partner         Partner Group
Port      Name                 Device ID        Port       Age  Flags   Cap.
Fa0/6     DLS1                 e8ba.70cb.f600   Fa0/6       21s SAC     10001
Fa0/7     DLS1                 e8ba.70cb.f600   Fa0/7       21s SAC     10001

DLS2#show pagp internal
Flags:  S - Device is sending Slow hello.  C - Device is in Consistent state.
        A - Device is in Auto mode.        d - PAgP is down
Timers: H - Hello timer is running.        Q - Quit timer is running.
        S - Switching timer is running.    I - Interface timer is running.

Channel group 1
                                Hello    Partner  PAgP     Learning  Group
Port      Flags State   Timers  Interval Count   Priority   Method  Ifindex
Fa0/6     SC    U6/S7   H       30s      1        128        Any      5001
Fa0/7     SC    U6/S7   H       30s      1        128        Any      5001


DLS2#show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Po1         on               802.1q         trunking      1
Port        Vlans allowed on trunk
Po1         1-4094
Port        Vlans allowed and active in management domain
Po1         1
Port        Vlans in spanning tree forwarding state and not pruned
Po1         1

DLS2#show interfaces fastEthernet 0/6 switchport | include Mode
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po1)
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Capture Mode Disabled

DLS1#show interfaces fastEthernet 0/6 switchport | include Mode
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po1)
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Capture Mode Disabled

In trunking terms the port channel is operational; however, we still have to check that the link appears as a single link from the Spanning Tree point of view. Naturally, we have not created any VLANs, so we rely on the default VLAN. In the following output we can see that STP sees only one link: the port channel.

DLS2#show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0022.5688.7900
             Cost        31
             Port        56 (Port-channel1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     3037.a6eb.d580
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1                 Root FWD 12        128.56   P2p


DLS1#sh spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     e8ba.70cb.f600
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     e8ba.70cb.f600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1                 Desg FWD 12        128.56   P2p


EtherChannel II without negotiation

Configure a trunk between DLS1 and ALS1 as shown in the figure (use the standard 802.1q protocol). As a result, STP should see a single link. If one link fails, traffic should not be interrupted. No EtherChannel negotiation protocol may be used. Use port channel number 2.

PortChannel
SW1 configured as   SW2 configured as   EtherChannel?
On                  On                  Yes

Note: We cannot use PAgP or LACP. As good practice, keep the recommended configuration process in mind.

At the end of the lab, state:
- The advantages and disadvantages of PAgP and LACP.
- How many port channels can be configured on the Catalyst 3560 and 2960.


DLS1
default interface range fastEthernet 0/2-3

interface FastEthernet0/2
 channel-group 2 mode on
 no shut

interface FastEthernet0/3
 channel-group 2 mode on
 no shut

interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport mode trunk

ALS1
default interface range fastEthernet 0/2-3

interface FastEthernet0/2
 channel-group 2 mode on
 no shut

interface FastEthernet0/3
 channel-group 2 mode on
 no shut

interface Port-channel2
 switchport mode trunk

DLS1#sh interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Po1         on               802.1q         trunking      1
Po2         on               802.1q         trunking      1
Port        Vlans allowed on trunk
Po1         1-4094
Po2         1-4094
Port        Vlans allowed and active in management domain
Po1         1
Po2         1
Port        Vlans in spanning tree forwarding state and not pruned
Po1         1
Po2         1

ALS1#show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Po2         on               802.1q         trunking      1
Port        Vlans allowed on trunk
Po2         1-4094
Port        Vlans allowed and active in management domain
Po2         1
Port        Vlans in spanning tree forwarding state and not pruned
Po2         1


ALS1#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
2      Po2(SU)          -        Fa0/2(P)    Fa0/3(P)

DLS1#sh etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         PAgP      Fa0/6(P)    Fa0/7(P)
2      Po2(SU)          -        Fa0/2(P)    Fa0/3(P)

DLS1#sh etherchannel protocol
                Channel-group listing:
                ----------------------
Group: 1
----------
Protocol:  PAgP
Group: 2
----------
Protocol:  -  (Mode ON)


ALS1#show etherchannel protocol
                Channel-group listing:
                ----------------------
Group: 2
----------
Protocol:  -  (Mode ON)

ALS1#show spanning-tree interface port-channel 2
Vlan             Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001         Desg FWD 12        128.64   P2p

DLS1#sh spanning-tree interface port-channel 2
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001            Root FWD 12        128.64   P2p


EtherChannel III Desirable mode

Configure a trunk between DLS2 and ALS2 as shown in the figure. As a result, STP should see a single link. If one link fails, traffic should not be interrupted. Use constant PAgP negotiation on both switches.

PortChannel PAgP
SW1 configured as          SW2 configured as   EtherChannel?
Desirable (PAgP, Cisco)    Desirable           Yes
Desirable (PAgP, Cisco)    Auto                Yes
Auto                       Auto                No

This scenario requires both ends to actively try to form an EtherChannel. That is an important hint when we look at the table above: with desirable mode on both sides we get the expected result.

DLS2
default interface range fastEthernet 0/2-3

interface range FastEthernet0/2-3
 channel-group 2 mode desirable
 no shut

interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport mode trunk

ALS2
default interface range fastEthernet 0/2-3

interface range FastEthernet0/2-3
 channel-group 2 mode desirable
 no shut
 exit

interface Port-channel2
 switchport mode trunk

ALS2#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended


        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
2      Po2(SU)         PAgP      Fa0/2(P)    Fa0/3(P)

DLS2#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         PAgP      Fa0/6(P)    Fa0/7(P)
2      Po2(SU)         PAgP      Fa0/2(P)    Fa0/3(P)

DLS2#show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Po1         on               802.1q         trunking      1
Po2         on               802.1q         trunking      1
Port        Vlans allowed on trunk
Po1         1-4094
Po2         1-4094
Port        Vlans allowed and active in management domain
Po1         1
Po2         1
Port        Vlans in spanning tree forwarding state and not pruned
Po1         1
Po2         1

ALS2#show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Po2         on               802.1q         trunking      1


Port        Vlans allowed on trunk
Po2         1-4094
Port        Vlans allowed and active in management domain
Po2         1
Port        Vlans in spanning tree forwarding state and not pruned
Po2         1

ALS2#show etherchannel protocol
                Channel-group listing:
                ----------------------
Group: 2
----------
Protocol:  PAgP

DLS2#show etherchannel protocol
                Channel-group listing:
                ----------------------
Group: 1
----------
Protocol:  PAgP

Group: 2
----------
Protocol:  PAgP

Another useful command for verifying the port channel is show interface etherchannel. Explain each field of the command.

DLS2#show interfaces fastEthernet 0/2 etherchannel
Port state    = Up Mstr In-Bndl
Channel group = 2           Mode = Desirable-Sl     Gcchange = 0
Port-channel  = Po2         GC   = 0x00020001       Pseudo port-channel = Po2
Port index    = 0           Load = 0x00             Protocol =   PAgP
Flags:  S - Device is sending Slow hello.  C - Device is in Consistent state.
        A - Device is in Auto mode.        P - Device learns on physical port.
        d - PAgP is down.
Timers: H - Hello timer is running.        Q - Quit timer is running.
        S - Switching timer is running.    I - Interface timer is running.
Local information:
                                Hello    Partner  PAgP     Learning  Group
Port      Flags State   Timers  Interval Count   Priority   Method  Ifindex
Fa0/2     SC    U6/S7   H       30s      1        128        Any      5002
Partner's information:
          Partner              Partner          Partner         Partner Group
Port      Name                 Device ID        Port       Age  Flags   Cap.
Fa0/2     ALS2                 0022.5688.7900   Fa0/2       21s SC      20001
Age of the port in the current state: 0d:00h:06m:28s


EtherChannel III Link Aggregation Control Protocol LACP

Configure a trunk between ALS1 and ALS2 as shown in the figure. As a result, STP should see a single link. If one link fails, traffic should not be interrupted. Configure LACP. ALS1 must be in passive mode. ALS2 must actively try to form an EtherChannel.

PortChannel LACP
SW1 configured as   SW2 configured as   EtherChannel?
Active              Active              Yes
Active              Passive             Yes
Passive             Passive             No

ALS1
default interface range fastEthernet 0/6-7

interface range fastEthernet 0/6-7
 channel-group 1 mode passive

interface Port-channel1
 switchport mode trunk

ALS2
default interface range fastEthernet 0/6-7

interface range fastEthernet 0/6-7
 channel-group 1 mode active

interface Port-channel1
 switchport mode trunk


ALS1#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Fa0/6(P)    Fa0/7(P)
2      Po2(SU)          -        Fa0/2(P)    Fa0/3(P)

ALS2#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Fa0/6(P)    Fa0/7(P)
2      Po2(SU)         PAgP      Fa0/2(P)    Fa0/3(P)

ALS2#show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Po1         on               802.1q         trunking      1
Po2         on               802.1q         trunking      1
Port        Vlans allowed on trunk
Po1         1-4094
Po2         1-4094
Port        Vlans allowed and active in management domain
Po1         1
Po2         1
Port        Vlans in spanning tree forwarding state and not pruned
Po1         1
Po2         1


ALS2#show lacp neighbor
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode

Channel group 1 neighbors

Partner's information:

                  LACP port                        Oper    Port    Port
Port      Flags   Priority  Dev ID          Age    Key     Number  State
Fa0/6     SP      32768     0022.5689.5d80  17s    0x1     0x6     0x3C
Fa0/7     SP      32768     0022.5689.5d80  16s    0x1     0x7     0x3C
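
The three compatibility tables in these labs (PAgP, mode on, LACP) all follow from two properties of a mode: the protocol it speaks and whether it starts the negotiation. The following Python sketch is an added example, not part of the original guide; it reads the channel-group lines of both ends and predicts whether the bundle forms. The function names are hypothetical and the embedded snippets are constructed from the configurations shown above.

```python
import re

# mode -> (protocol, starts negotiation); "on" speaks no protocol at all
MODES = {
    "on":        (None,   False),
    "auto":      ("PAgP", False),
    "desirable": ("PAgP", True),
    "passive":   ("LACP", False),
    "active":    ("LACP", True),
}

CHANNEL_RE = re.compile(r"^\s*channel-group\s+(\d+)\s+mode\s+(\S+)", re.M)


def channel_modes(config):
    """Return {group number: set of modes} found in an IOS config snippet."""
    groups = {}
    for number, mode in CHANNEL_RE.findall(config):
        groups.setdefault(int(number), set()).add(mode.lower())
    return groups


def bundle_forms(mode_a, mode_b):
    """True if two ends configured with these modes build an EtherChannel."""
    proto_a, starts_a = MODES[mode_a]
    proto_b, starts_b = MODES[mode_b]
    if proto_a != proto_b:      # PAgP against LACP, or "on" against a negotiating mode
        return False
    if proto_a is None:         # on/on: unconditional, nothing is negotiated
        return True
    return starts_a or starts_b  # at least one end has to start the negotiation


def check_link(config_a, config_b, group):
    """Compare one channel-group number across the configs of both ends."""
    modes_a = channel_modes(config_a).get(group, set())
    modes_b = channel_modes(config_b).get(group, set())
    if len(modes_a) != 1 or len(modes_b) != 1:
        return False            # group missing, or mixed modes inside one bundle
    return bundle_forms(next(iter(modes_a)), next(iter(modes_b)))


# Constructed from the EtherChannel I lab: DLS1 answers only, DLS2 initiates.
DLS1_PO1 = """\
interface FastEthernet0/6
 channel-group 1 mode auto non-silent
interface FastEthernet0/7
 channel-group 1 mode auto non-silent
"""
DLS2_PO1 = """\
interface FastEthernet0/6
 channel-group 1 mode desirable non-silent
interface FastEthernet0/7
 channel-group 1 mode desirable non-silent
"""

if __name__ == "__main__":
    print("Po1 DLS1/DLS2 forms:", check_link(DLS1_PO1, DLS2_PO1, 1))
    for pair in [("auto", "auto"), ("on", "on"), ("active", "passive"),
                 ("passive", "passive"), ("on", "desirable")]:
        print(pair, "->", bundle_forms(*pair))
```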


EtherChannel IV Load-Shared

Configure switch DLS1 so that all locally generated traffic is distributed across the EtherChannel based on the destination MAC address.

Note: The criteria available for distributing the load (load sharing) vary with the model. Let us check which type of load sharing is active by default (source-mac). We can verify this with the show etherchannel load-balance command.

At the end of the lab, determine:
- What the default balancing mode is on the Catalyst 3560, 3750, 4550 and C6500 platforms for L2 and L3 aggregation.

DLS1#sh etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        src-mac

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source MAC address
  IPv4: Source MAC address
  IPv6: Source MAC address

DLS1
port-channel load-balance dst-mac

DLS1#sh etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        dst-mac

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Destination MAC address
  IPv4: Destination MAC address
  IPv6: Destination MAC address

The EtherChannels created on DLS2 must distribute the load (load sharing) according to the following policies:

- For non-IP traffic, destination MAC
- For IPv4 traffic, destination IP
- For IPv6 traffic, destination IP

Configure all the load-sharing modes and check the results.

Note: The results differ depending on how this is configured; at this point we could try each of the load-balance options offered and check the changes with the show etherchannel load-balance command. This makes sense because we cannot change the behaviour for IPv6 traffic directly; it follows the configuration made for IPv4.

DLS2
port-channel load-balance dst-ip


DLS2#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        dst-ip
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Destination MAC address
  IPv4: Destination IP address
  IPv6: Destination IP address


EtherChannel V LACP Priority

Add interfaces Fa0/13 through Fa0/18 to EtherChannel Po2 of DLS2 and ALS2. Ports Fa0/15 and Fa0/18 must end up in standby state. Use the appropriate priority.

At the end of the lab, state:
- Which method PAgP uses to achieve the same behaviour, that is, backup ports within a port channel.

DLS2
default interface range fastEthernet 0/2-3 , fastEthernet 0/13-20

interface range fastEthernet 0/2-3 , fastEthernet 0/13-20
 channel-group 2 mode active

interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport mode trunk

ALS2
default interface range fastEthernet 0/2-3 , fastEthernet 0/13-20

interface range fastEthernet 0/2-3 , fastEthernet 0/13-20
 channel-group 2 mode active

interface Port-channel2
 switchport mode trunk


ALS2#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Fa0/6(P)    Fa0/7(P)
2      Po2(SU)         LACP      Fa0/2(P)    Fa0/3(P)    Fa0/13(P)
                                 Fa0/14(P)   Fa0/15(P)   Fa0/16(P)
                                 Fa0/17(P)   Fa0/18(P)   Fa0/19(H)
                                 Fa0/20(H)

The previous output shows that the standard LACP protocol, IEEE 802.3ad, can build a port channel from up to 16 ports, but only 8 remain active; the rest act as backup. In this case, with no additional configuration, the LACP process chooses which ports are active and which are standby. This lab asks for the backup ports to be Fa0/13 to Fa0/18. Keep in mind that the switch with the lower LACP sys-id decides which physical links are primary and which are secondary. In this case that should be ALS2. This matters because the priority must be configured on the Catalyst that has the lower priority.

ALS2#show lacp sys-id
32768, 0022.5688.7900

DLS2#show lacp sys-id
32768, 3037.a6eb.d580

ALS2
lacp system-priority 100

interface range fa0/2 - 3 , fa0/13 - 20
 channel-protocol lacp

interface range fa0/2 - 3 , fa0/14 - 17 , f0/19-20
 lacp port-priority 100


ALS2#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
Number of channel-groups in use: 2
Number of aggregators:           2
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Fa0/6(P)    Fa0/7(P)
2      Po2(SU)         LACP      Fa0/2(P)    Fa0/3(P)    Fa0/13(H)
                                 Fa0/14(P)   Fa0/15(P)   Fa0/16(P)
                                 Fa0/17(P)   Fa0/18(H)   Fa0/19(P)
                                 Fa0/20(P)

ALS2#show interfaces fastEthernet 0/18 etherchannel
Port state    = Up Mstr Assoc Hot-stdby Not-in-Bndl
Channel group = 2           Mode = Active          Gcchange = -
Port-channel  = null        GC   =   -             Pseudo port-channel = Po2
Port index    = 0           Load = 0x00            Protocol =   LACP
Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
        A - Device is in active mode.        P - Device is in passive mode.
Local information:
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Fa0/18    SA      hot-sby   32768         0x2       0x2     0x12        0x5
Partner's information:
                  LACP port                        Oper    Port    Port
Port      Flags   Priority  Dev ID          Age    Key     Number  State
Fa0/18    SA      32768     3037.a6eb.d580   3s    0x2     0x14    0x5
Age of the port in the current state: 0d:00h:07m:23s

ALS2#show interfaces fastEthernet 0/13 etherchannel
Port state    = Up Mstr Assoc Hot-stdby Not-in-Bndl
Channel group = 2           Mode = Active          Gcchange = -
Port-channel  = null        GC   =   -             Pseudo port-channel = Po2
Port index    = 0           Load = 0x00            Protocol =   LACP
Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
        A - Device is in active mode.        P - Device is in passive mode.
Local information:
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Fa0/13    SA      hot-sby   32768         0x2       0x2     0xD         0x5
Partner's information:
                  LACP port                        Oper    Port    Port
Port      Flags   Priority  Dev ID          Age    Key     Number  State
Fa0/13    SA      32768     3037.a6eb.d580  22s    0x2     0xF     0x5
Age of the port in the current state: 0d:00h:08m:01s


ALS2#show spanning-tree interface port-channel 2

Vlan             Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001         Desg FWD 5         128.64   P2p

DLS2#show spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0022.5688.7900
             Cost        5
             Port        64 (Port-channel2)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     3037.a6eb.d580
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1                 Desg FWD 12        128.56   P2p
Po2                 Root FWD 5         128.64   P2p

DLS2#show etherchannel port-channel | begin Group: 2
Group: 2
----------
                Port-channels in the group:
                ---------------------------
Port-channel: Po2    (Primary Aggregator)
------------
Age of the Port-channel   = 0d:00h:24m:19s
Logical slot/port   = 2/2          Number of ports = 8
HotStandBy port = Fa0/18 Fa0/13
Port state          = Port-channel Ag-Inuse
Protocol            =   LACP
Port security       = Disabled

Ports in the Port-channel:
Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Fa0/2    Active             0
  0     00     Fa0/3    Active             0
  0     00     Fa0/14   Active             0
  0     00     Fa0/15   Active             0
  0     00     Fa0/16   Active             0
  0     00     Fa0/17   Active             0
  0     00     Fa0/19   Active             0
  0     00     Fa0/20   Active             0
Time since last port bundled:    0d:00h:12m:30s    Fa0/20
Time since last port Un-bundled: 0d:00h:12m:32s    Fa0/13
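
The selection described in this lab can be reproduced offline. The following Python sketch is an added example, not part of the original guide; it picks the deciding switch from the two sys-id values shown above and ranks the ten member ports by (port priority, port number), lowest first, keeping the first eight active. Function names are hypothetical, and the priorities are the ones configured on ALS2 in this lab.

```python
import re

MAX_ACTIVE = 8            # from the guide: up to 16 member ports, only 8 active
DEFAULT_PRIORITY = 32768  # LACP default for both system and port priority


def system_id(priority, mac):
    """LACP system ID as a sortable tuple; the lower value wins."""
    return (priority, int(mac.replace(".", ""), 16))


def deciding_switch(systems):
    """systems: {name: (priority, mac)} -> switch that chooses the active links."""
    return min(systems, key=lambda name: system_id(*systems[name]))


def port_number(name):
    """'Fa0/13' -> 13 (simplified: only the trailing port number is used)."""
    return int(re.search(r"(\d+)$", name).group(1))


def split_bundle(ports, priorities=None):
    """Return (active, hot_standby) as lists sorted by port number.

    Ports are ranked by (port priority, port number), lowest first. The first
    MAX_ACTIVE ports are bundled; the remainder stay in hot-standby.
    """
    priorities = priorities or {}
    ranked = sorted(
        ports,
        key=lambda p: (priorities.get(p, DEFAULT_PRIORITY), port_number(p)),
    )
    active = sorted(ranked[:MAX_ACTIVE], key=port_number)
    standby = sorted(ranked[MAX_ACTIVE:], key=port_number)
    return active, standby


# Values taken from the 'show lacp sys-id' outputs in this lab.
SYSTEMS_DEFAULT = {
    "ALS2": (32768, "0022.5688.7900"),
    "DLS2": (32768, "3037.a6eb.d580"),
}
# After 'lacp system-priority 100' on ALS2.
SYSTEMS_TUNED = {
    "ALS2": (100, "0022.5688.7900"),
    "DLS2": (32768, "3037.a6eb.d580"),
}

# Members of Po2: Fa0/2-3 and Fa0/13-20.
PORTS = [f"Fa0/{n}" for n in (2, 3, *range(13, 21))]

# 'lacp port-priority 100' on fa0/2-3, fa0/14-17 and fa0/19-20 (ALS2).
TUNED = {f"Fa0/{n}": 100 for n in (2, 3, 14, 15, 16, 17, 19, 20)}

if __name__ == "__main__":
    print("deciding switch:", deciding_switch(SYSTEMS_TUNED))
    print("default standby:", split_bundle(PORTS)[1])
    print("tuned standby:  ", split_bundle(PORTS, TUNED)[1])
```

With default priorities the two highest-numbered ports are left out, which matches the first summary output (Fa0/19 and Fa0/20 in state H); with the configured priorities the hot-standby ports are the two left at 32768.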


EtherChannel Layer 3

Setup: Erase the previous configurations on both switches.

Configure ports FastEthernet0/6 through FastEthernet0/7 of DLS1 and DLS2 as shown in the figure. These links must appear as a single link. Configure the IP addressing shown. No negotiation may take place when Portchannel 12 is created.

Configure OSPF and form an adjacency between the two 3560 switches. Create loopback0 as follows:

- DLS1→10.1.1.1/24
- DLS2→10.2.2.2/24

Advertise these interfaces with their correct masks. Enable Telnet on the DLS2 Catalyst using the following data:

- User admin, password cisco
- Authenticate against the local database using AAA.
- Only loopback0 is allowed as the source address (10.1.1.1/24); otherwise the connection must be blocked and a log message sent to the console.

DLS1
ip routing
default interface range fastEthernet 0/6-7

interface Port-channel12
 no switchport
 ip address 10.1.12.1 255.255.255.0

interface range fastEthernet 0/6-7
 no switchport
 channel-group 12 mode on

DLS2
ip routing
default interface range fastEthernet 0/6-7

interface Port-channel12
 no switchport
 ip address 10.1.12.2 255.255.255.0

interface range fastEthernet 0/6-7
 no switchport
 channel-group 12 mode on


DLS2#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
Number of channel-groups in use: 1
Number of aggregators:           1
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
12     Po12(RU)         -        Fa0/6(P)    Fa0/7(P)

DLS2#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
Number of channel-groups in use: 1
Number of aggregators:           1
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
12     Po12(RU)         -        Fa0/6(D)    Fa0/7(P)

EtherChannel L3 tests

DLS2#ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

DLS2
access-list 100 permit ip host 10.1.12.2 host 10.1.12.1

DLS2#debug ip packet 100
IP packet debugging is on for access list 100

DLS2#ping 10.1.12.1 source 10.1.12.2 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.12.2
!


IP: tableid=0, s=10.1.12.2 (local), d=10.1.12.1 (Port-channel12), routed via FIB
IP: s=10.1.12.2 (local), d=10.1.12.1 (Port-channel12), len 100, sending
IP: s=10.1.12.2 (local), d=10.1.12.1 (Port-channel12), len 100, output feature, Check hwidb(63), rtype 1, forus FALSE, sendself FALSE, mtu 0
IP: s=10.1.12.2 (local), d=10.1.12.1 (Port-channel12), len 100, sending full packet

DLS2
interface Loopback0
 ip address 10.2.2.2 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0

interface Port-channel12
 ip ospf 1 area 0

DLS1
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
 ip ospf network point-to-point
 ip ospf 1 area 0

interface Port-channel12
 ip ospf 1 area 0

DLS2#show ip ospf neighbor detail
 Neighbor 10.1.1.1, interface address 10.1.12.1
    In the area 0 via interface Port-channel12
    Neighbor priority is 1, State is FULL, 6 state changes
    DR is 10.1.12.1 BDR is 10.1.12.2
    Options is 0x52
    LLS Options is 0x1 (LR)
    Dead timer due in 00:00:37
    Neighbor is up for 00:00:50
    Index 1/1, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec

DLS2
username admin password cisco
aaa new-model
aaa authentication login TELNET local none

access-list 10 permit 10.1.1.1
access-list 10 deny any log

line vty 0 4
 access-class 10 in
 login authentication TELNET

DLS1#telnet 10.2.2.2 /source-interface loopback 0
Trying 10.2.2.2 ... Open
User Access Verification

Username: admin
Password:cisco


DLS1#telnet 10.2.2.2
Trying 10.2.2.2 ...
% Connection refused by remote host

DLS2#
%SEC-6-IPACCESSLOGS: list 10 denied 10.1.12.1 1 packet
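
The vty access configured in this lab works as a lab exercise, but three of its settings are worth catching in a configuration review: the user password is stored with the password keyword instead of secret, the login method list ends in none (a login succeeds without authentication when the local method returns an error), and the vty lines are not restricted to SSH, so Telnet carries the credentials in clear text. The following Python audit is an added example, not part of the original guide; the finding names, the VTY-LOGIN list name and PLACEHOLDER-SECRET are hypothetical, and both snippets are constructed from the commands of this lab.

```python
import re

# DLS2 management-plane commands as used in this lab (constructed snippet)
DLS2_CONFIG = """\
username admin password cisco
aaa new-model
aaa authentication login TELNET local none
access-list 10 permit 10.1.1.1
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 login authentication TELNET
"""

# Corrected variant (constructed; the secret value is a placeholder)
HARDENED_CONFIG = """\
username admin secret PLACEHOLDER-SECRET
aaa new-model
aaa authentication login VTY-LOGIN local
access-list 10 permit 10.1.1.1
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 login authentication VTY-LOGIN
 transport input ssh
"""


def vty_blocks(config):
    """Return the sub-commands of each 'line vty' block as a list of lists."""
    blocks, current = [], None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = []
            blocks.append(current)
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return blocks


def audit(config):
    """Return a list of (finding id, detail) tuples for one configuration."""
    findings, acls = [], {}
    for line in config.splitlines():
        m = re.match(r"username (\S+) password\b", line)
        if m:
            findings.append(("WEAK_PASSWORD_STORAGE",
                             f"user {m.group(1)} uses 'password', not 'secret'"))
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m and m.group(2).split()[-1] == "none":
            findings.append(("AUTH_FALLBACK_NONE",
                             f"method list {m.group(1)} ends in 'none'"))
        m = re.match(r"access-list (\d+) (.+)", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2).strip())
    for block in vty_blocks(config):
        acl_ids = [c.split()[1] for c in block
                   if re.match(r"access-class \S+ in$", c)]
        if not acl_ids:
            findings.append(("VTY_NO_ACL", "vty lines accept any source"))
        for acl in acl_ids:
            entries = acls.get(acl, [])
            if not entries or entries[-1] != "deny any log":
                findings.append(("ACL_NO_LOGGED_DENY",
                                 f"access-list {acl} does not log denied sources"))
        if "transport input ssh" not in block:
            findings.append(("VTY_ALLOWS_TELNET",
                             "vty lines are not restricted to SSH"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("lab", DLS2_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for finding, detail in audit(cfg) or [("OK", "no findings")]:
            print(f"  {finding}: {detail}")
```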


STP default behaviour

Disable the interfaces that do not take part in the topology.
How can we determine the behaviour of STP in this example? We will go through the process step by step. This example uses VLAN 1 as the reference. The simplest and most effective way to determine the STP roles is the following:

1. Determine the cost of each link. The following table is useful for that (we can verify that the values are indeed the ones in use with show interface):

Link bandwidth   STP cost
4 Mbps           250
10 Mbps          100
16 Mbps          62
45 Mbps          39
100 Mbps         19
155 Mbps         14
622 Mbps         6
1 Gbps           4
10 Gbps          2

- Bridge ID: Bridge priority: Bridge MAC address.
DLS1#show spanning-tree bridge id
VLAN0001 8001.e8ba.70cb.f600
DLS2#show spanning-tree bridge id
VLAN0001 8001.3037.a6eb.d580
ALS1#show spanning-tree bridge id
VLAN0001 8001.0022.5689.5d80
ALS2#show spanning-tree bridge id
VLAN0001 8001.0022.5688.7900


2. Identify the Root Bridge
This requires finding out which MAC address each switch is using (assuming the priority is the same on all switches in the domain). We obtain the MAC with the show version command, as shown below:

DLS1#sh version | include Base
Base ethernet MAC Address : E8:BA:70:CB:F6:00

DLS2#sh version | include Base
Base ethernet MAC Address : 30:37:A6:EB:D5:80

ALS1#sh version | include Base
Base ethernet MAC Address : 00:22:56:89:5D:80

ALS2#sh version | include Base
Base ethernet MAC Address : 00:22:56:88:79:00

Looking at the previous outputs we can see that neither L3 switch will be elected Root Bridge, because the lowest value wins; we therefore have to determine which of the two switches, ALS1 or ALS2, becomes the Root Bridge.
The show spanning-tree command shows which switch is the Root Bridge. Note: These results will obviously vary between devices, since they have different MAC addresses.

ALS1 → 00:22:56:89:5D:80
ALS1 → 0x002256895D80 (Hex)
ALS1 → 147480731008 (decimal)

ALS2 → 00:22:56:88:79:00
ALS2 → 0x002256887900 (Hex)
ALS2 → 147480672512 (decimal) // Lowest value, so it must be the Root Bridge.

ALS2#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee


  Root ID    Priority    32769
             Address     0022.5688.7900
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

DLS1#sh spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0022.5688.7900
             Cost        19
             Port        6 (FastEthernet0/4)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec


3. Select the ROOT PORT (only one on each non-root bridge). This is the port on the bridge (or switch) with the best path to the Root Bridge, that is, the lowest cost.
On DLS1 the RP is interface fastethernet 0/4 (cost 19).
On DLS2 the RP is interface fastethernet 0/2 (cost 19).
On ALS1 the RP is interface fastethernet 0/6 (cost 19).
ALS2 is the ROOT BRIDGE. Not applicable.

DLS1#sh spanning-tree root port
VLAN0001 FastEthernet0/9

DLS2#sh spanning-tree root port
VLAN0001 FastEthernet0/7

ALS1#sh spanning-tree root port
VLAN0001 FastEthernet0/11

4. Designated Port (DP) selection. Each link must select the port with the lowest cost to the Root Bridge. The Root Bridge also takes part and, as expected, all of its ports are designated. If the values are equal, a tie-breaking method is needed.


- Menor root bridge ID- Menor costo hacia el root bridge- Menor ID del Sender Bridge- Menor ID de Sender por ID

Nota: la mayoría de los parámetros se pueden obtener utilizando el comando show spanning-tree interface detail.

ALS2#show spanning-tree interface fastEthernet 0/2 detail Port 2 (FastEthernet0/2) of VLAN0001 is forwarding Port path cost 19, Port priority 128, Port Identifier 128.2. Designated root has priority 32769, address 0022.5688.7900 Designated bridge has priority 32769, address 0022.5688.7900 Designated port id is 128.2, designated path cost 0 Timers: message age 0, forward delay 0, hold 0 Number of transitions to forwarding state: 1 Link type is point-to-point by default BPDU: sent 4002, received 2

Enlace DLS1 ↔ DLS2: el costo de ambas interfaces es el mismo al Root Bridge. Debemos comprobar otros criterios. El valor de Root Bridge ID de DLS1 es mayor que el valor de DLS2.

DLS1#sh spanning-tree bridge id
VLAN0001         8001.e8ba.70cb.f600

DLS2#show spanning-tree bridge id
VLAN0001         8001.3037.a6eb.d580

DLS1#sh spanning-tree vlan 1 interface fastEthernet 0/6
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001            Altn BLK 19        128.8    P2p

DLS2#sh spanning-tree vlan 1 interface fastEthernet 0/6
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001            Desg FWD 19        128.8    P2p

Link DLS1 ↔ ALS2. ALS2 is the Root, so the best path to the Root is simply ALS2's port FastEthernet 0/4. The same applies to DLS2 ↔ ALS2 and ALS1 ↔ ALS2.

ALS2#show spanning-tree vlan 1 interface fastEthernet 0/2
Vlan             Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001         Desg FWD 19        128.2    P2p

ALS2#show spanning-tree vlan 1 interface fastEthernet 0/4
Vlan             Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001         Desg FWD 19        128.4    P2p

ALS2#show spanning-tree vlan 1 interface fastEthernet 0/6
Vlan             Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001         Desg FWD 19        128.6    P2p

Link DLS2 ↔ ALS1. We verify that the cost to reach the Root Bridge is the same on both sides, so we determine which bridge has the lowest ID. In this case ALS1 has the lower value, so the designated port (DP) is interface FastEthernet 0/4 of ALS1.

DLS2#sh spanning-tree bridge id
VLAN0001         8001.3037.a6eb.d580

ALS1#sh spanning-tree bridge id
VLAN0001         8001.0022.5689.5d80

ALS1#show spanning-tree interface fastEthernet 0/4
Vlan             Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001         Desg FWD 19        128.4    P2p

DLS2#show spanning-tree interface fastEthernet 0/4
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001            Altn BLK 19        128.6    P2p

Link DLS1 ↔ ALS1. We verify that the cost to reach the Root Bridge is the same on both sides, so we determine which bridge has the lowest ID. In this case ALS1 has the lower value, so the designated port (DP) is interface FastEthernet 0/4 of ALS1.

ALS1#sh spanning-tree bridge id
VLAN0001         8001.0022.5689.5d80

DLS1#show spanning-tree bridge id
VLAN0001         8001.e8ba.70cb.f600

DLS1#sh spanning-tree interface fastEthernet 0/2
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001            Altn BLK 19        128.4    P2p

Finally, having determined the Root Bridge, the Root Ports and the Designated Ports, we have the following layout.

5. Identify the blocked ports. This task is quick: if a port is neither an RP nor a DP, it is simply a blocked port. The picture should then look as follows:

We verify that the STP election matches the one determined through the theoretical process. Voilà!

DLS1#sh spanning-tree vlan 1 | begin Interface
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/2               Altn BLK 19        128.4    P2p
Fa0/4               Root FWD 19        128.6    P2p
Fa0/6               Altn BLK 19        128.8    P2p

DLS2#sh spanning-tree vlan 1 | begin Interface
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/2               Root FWD 19        128.4    P2p
Fa0/4               Altn BLK 19        128.6    P2p
Fa0/6               Desg FWD 19        128.8    P2p

ALS1#sh spanning-tree vlan 1 | begin Interface
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/4            Desg FWD 19        128.4    P2p
Fa0/6            Root FWD 19        128.6    P2p

ALS2#sh spanning-tree vlan 1 | begin Interface
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/4            Desg FWD 19        128.4    P2p
Fa0/6            Desg FWD 19        128.6    P2p
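
The election steps above can be recomputed offline to get a baseline of expected port roles, which is what an audit compares against the live show spanning-tree output when looking for an unexpected root or role change. The following Python sketch is an added example, not part of the original guide. The bridge IDs, port IDs and cost come from the lab output; the cabling list is an assumption inferred from the roles shown, since the topology figure is not reproduced here.

```python
import heapq

LINK_COST = 19  # FastEthernet path cost, as in the Cost column of the lab output

# (priority, MAC) per switch, from "show spanning-tree bridge id" (0x8001 = 32769).
BRIDGES = {
    "DLS1": (0x8001, "e8ba.70cb.f600"),
    "DLS2": (0x8001, "3037.a6eb.d580"),
    "ALS1": (0x8001, "0022.5689.5d80"),
    "ALS2": (0x8001, "0022.5688.7900"),
}

# Port identifiers (priority, number) from the Prio.Nbr column of the lab output.
PORT_IDS = {
    ("DLS1", "Fa0/2"): (128, 4), ("DLS1", "Fa0/4"): (128, 6), ("DLS1", "Fa0/6"): (128, 8),
    ("DLS2", "Fa0/2"): (128, 4), ("DLS2", "Fa0/4"): (128, 6), ("DLS2", "Fa0/6"): (128, 8),
    ("ALS1", "Fa0/2"): (128, 2), ("ALS1", "Fa0/4"): (128, 4), ("ALS1", "Fa0/6"): (128, 6),
    ("ALS2", "Fa0/2"): (128, 2), ("ALS2", "Fa0/4"): (128, 4), ("ALS2", "Fa0/6"): (128, 6),
}

# ASSUMPTION: cabling inferred from the roles in the lab output, not stated in the text.
LINKS = [
    (("DLS1", "Fa0/6"), ("DLS2", "Fa0/6")),
    (("DLS1", "Fa0/4"), ("ALS2", "Fa0/4")),
    (("DLS2", "Fa0/2"), ("ALS2", "Fa0/2")),
    (("ALS1", "Fa0/6"), ("ALS2", "Fa0/6")),
    (("DLS2", "Fa0/4"), ("ALS1", "Fa0/4")),
    (("DLS1", "Fa0/2"), ("ALS1", "Fa0/2")),
]


def bridge_id(name):
    """Comparable bridge ID: priority first, then MAC as an integer."""
    priority, mac = BRIDGES[name]
    return (priority, int(mac.replace(".", ""), 16))


def root_path_costs(root, neighbors):
    """Lowest cumulative path cost from every bridge to the root (Dijkstra)."""
    cost = {name: float("inf") for name in BRIDGES}
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        c, name = heapq.heappop(heap)
        if c > cost[name]:
            continue
        for _, peer, _ in neighbors[name]:
            if c + LINK_COST < cost[peer]:
                cost[peer] = c + LINK_COST
                heapq.heappush(heap, (cost[peer], peer))
    return cost


def compute_roles():
    """Return (root bridge name, {(switch, port): role}) for the lab topology."""
    root = min(BRIDGES, key=bridge_id)              # step: elect the root bridge
    neighbors = {name: [] for name in BRIDGES}
    for (a, a_port), (b, b_port) in LINKS:
        neighbors[a].append((a_port, b, b_port))
        neighbors[b].append((b_port, a, a_port))
    cost = root_path_costs(root, neighbors)

    roles = {}
    for name in BRIDGES:                            # step 3: one root port per non-root bridge
        if name == root:
            continue

        def received(entry, name=name):
            local_port, peer, peer_port = entry
            # Tie-breakers in order: cost, sender bridge ID, sender port ID, local port ID.
            return (cost[peer] + LINK_COST, bridge_id(peer),
                    PORT_IDS[(peer, peer_port)], PORT_IDS[(name, local_port)])

        roles[(name, min(neighbors[name], key=received)[0])] = "Root"

    for ends in LINKS:                              # step 4: one designated port per link
        winner, loser = sorted(
            ends, key=lambda end: (cost[end[0]], bridge_id(end[0]), PORT_IDS[end]))
        roles[winner] = "Desg"
        roles.setdefault(loser, "Altn")             # step 5: neither RP nor DP means blocked
    return root, roles


def role_table(roles, switch):
    """Roles of one switch, keyed by port name."""
    return {port: role for (name, port), role in sorted(roles.items()) if name == switch}
```

The result reproduces the four tables above: a difference between this baseline and a live capture points at a changed priority, a new bridge on the segment or a recabled link.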

STP Configuration.

Prelab: erase previous configurations.

Configure EtherChannel between DLS1 and DLS2 (Fa0/6 and Fa0/7). Use LACP. For the trunk, configure ISL between DLS1 and DLS2. Do not use DTP.

At the end of the lab, state:
- What the command no-isl-entries enable is used for.
- What the command debug spanning-tree switch state is used for.

DLS1
default interface range fastEthernet 0/6-7

interface range fastEthernet 0/6-7
 channel-group 12 mode active

interface Port-channel12
 switchport trunk encapsulation isl
 switchport mode trunk
 switchport nonegotiate

DLS2
default interface range fastEthernet 0/6-7

interface range fastEthernet 0/6-7
 channel-group 12 mode active

interface Port-channel12
 switchport trunk encapsulation isl
 switchport mode trunk
 switchport nonegotiate

DLS1#sh etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
12     Po12(SU)      LACP        Fa0/6(P)  Fa0/7(P)

DLS2#sh etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
12     Po12(SU)      LACP        Fa0/6(P)  Fa0/7(P)

DLS2#show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Po12        on               isl            trunking      1

Port        Vlans allowed on trunk
Po12        1-4094

Port        Vlans allowed and active in management domain
Po12        1

Port        Vlans in spanning tree forwarding state and not pruned
Po12        1

DLS2#show spanning-tree vlan 1 interface port-channel 12
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001            Desg FWD 12        128.144  P2p

DLS1#show spanning-tree vlan 1 interface port-channel 12
Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001            Altn BLK 12        128.144  P2p

Configure 802.1q on the remaining links as shown in the figure. Interfaces that do not take part in the lab must be disabled.

At the end of this section, state which pathcost method is in use.

DLS1#show interfaces status | include disabled
Fa0/3                        disabled     1            auto   auto 10/100BaseTX
Fa0/5                        disabled     1            auto   auto 10/100BaseTX

DLS1
default interface range fastEthernet 0/2 , fastEthernet 0/4
interface range fastEthernet 0/2 , fastEthernet 0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate

DLS2
default interface range fastEthernet 0/2 , fastEthernet 0/4
interface range fastEthernet 0/2 , fastEthernet 0/4
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate

ALS1
default interface range fastEthernet 0/2 , fastEthernet 0/4 , fastEthernet 0/6
interface range fastEthernet 0/2 , fastEthernet 0/4 , fastEthernet 0/6
 switchport mode trunk
 switchport nonegotiate

ALS2
default interface range fastEthernet 0/2 , fastEthernet 0/4 , fastEthernet 0/6
interface range fastEthernet 0/2 , fastEthernet 0/4 , fastEthernet 0/6
 switchport mode trunk
 switchport nonegotiate

DLS1#sh interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Fa0/2       on               802.1q         trunking      1
Fa0/4       on               802.1q         trunking      1
Po12        on               isl            trunking      1

Port        Vlans allowed on trunk
Fa0/2       1-4094
Fa0/4       1-4094
Po12        1-4094

Port        Vlans allowed and active in management domain
Fa0/2       1
Fa0/4       1
Po12        1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/2       none
Fa0/4       1
Po12        none

DLS2#show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Fa0/2       on               802.1q         trunking      1
Fa0/4       on               802.1q         trunking      1
Po12        on               isl            trunking      1

Port        Vlans allowed on trunk
Fa0/2       1-4094
Fa0/4       1-4094
Po12        1-4094

Port        Vlans allowed and active in management domain
Fa0/2       1
Fa0/4       1
Po12        1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/2       1
Fa0/4       none
Po12        1

ALS1#show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Fa0/2       on               802.1q         trunking      1
Fa0/4       on               802.1q         trunking      1
Fa0/6       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/2       1-4094
Fa0/4       1-4094
Fa0/6       1-4094

Port        Vlans allowed and active in management domain
Fa0/2       1
Fa0/4       1
Fa0/6       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/2       1
Fa0/4       1
Fa0/6       1

ALS2#show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Fa0/2       on               802.1q         trunking      1
Fa0/4       on               802.1q         trunking      1
Fa0/6       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/2       1-4094
Fa0/4       1-4094
Fa0/6       1-4094

Port        Vlans allowed and active in management domain
Fa0/2       1
Fa0/4       1
Fa0/6       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/2       1
Fa0/4       1
Fa0/6       1

As we can see, ALS2 will always be the Root Bridge, since it has the lowest MAC. As a result, all ALS2 ports are in the FWD (Forwarding) state, as the following output shows.

State the purpose of the hello, forward delay and Max Age timers in the sending of BPDUs.

ALS2#show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0022.5688.7900
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0022.5688.7900
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Desg FWD 19        128.2    P2p
Fa0/4            Desg FWD 19        128.4    P2p
Fa0/6            Desg FWD 19        128.6    P2p

Configure VTP as follows:
- DLS1 VTP Server, version 2, domain DUOC, password cisco
- DLS2 VTP Client, version 2, domain DUOC, password cisco
- ALS1 VTP Client, version 2, domain DUOC, password cisco
- ALS2 VTP Client, version 2, domain DUOC, password cisco

DLS1
vtp domain DUOC
vtp password cisco
vtp mode server

DLS2
vtp domain DUOC
vtp password cisco
vtp mode client

ALS1
vtp domain DUOC
vtp password cisco
vtp mode client

ALS2
vtp domain DUOC
vtp password cisco
vtp mode client

On DLS1, create VLANs 2, 3, 4, 5, 6, 7, 8, 9 and 10. Verify that these VLANs have been installed on the VTP client switches.

Where do switches in the VTP client role store the VLANs?

DLS1
vlan 2-10

DLS1#sh vl brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/3, Fa0/5, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2
2    VLAN0002                         active
3    VLAN0003                         active
4    VLAN0004                         active
5    VLAN0005                         active
6    VLAN0006                         active
7    VLAN0007                         active
8    VLAN0008                         active
9    VLAN0009                         active
10   VLAN0010                         active

DLS2#sh vl brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/3, Fa0/5, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2
2    VLAN0002                         active
3    VLAN0003                         active
4    VLAN0004                         active
5    VLAN0005                         active
6    VLAN0006                         active
7    VLAN0007                         active
8    VLAN0008                         active
9    VLAN0009                         active
10   VLAN0010                         active

ALS1#show vl brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/3, Fa0/5, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24, Gi0/1, Gi0/2
2    VLAN0002                         active
3    VLAN0003                         active
4    VLAN0004                         active
5    VLAN0005                         active
6    VLAN0006                         active
7    VLAN0007                         active
8    VLAN0008                         active
9    VLAN0009                         active
10   VLAN0010                         active

ALS2#show vl brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/3, Fa0/5, Fa0/7
                                                Fa0/8, Fa0/9, Fa0/10, Fa0/11
                                                Fa0/12, Fa0/13, Fa0/14, Fa0/15
                                                Fa0/16, Fa0/17, Fa0/18, Fa0/19
                                                Fa0/20, Fa0/21, Fa0/22, Fa0/23
                                                Fa0/24, Gi0/1, Gi0/2
2    VLAN0002                         active
3    VLAN0003                         active
4    VLAN0004                         active
5    VLAN0005                         active
6    VLAN0006                         active
7    VLAN0007                         active
8    VLAN0008                         active
9    VLAN0009                         active
10   VLAN0010                         active

DLS1 must be the Root Bridge for VLANs 1, 2, 3, 4 and the backup bridge for VLANs 5, 6, 7, 8, 9, 10. DLS2 must be the Root Bridge for VLANs 5, 6, 7, 8, 9, 10 and the backup bridge for VLANs 1, 2, 3, 4.

Let us note a few details. ALS2 is the Root Bridge for all VLANs (pay attention: on each POD's equipment the result may differ, since we are working with default values).

ALS2#show version | include Base
Base ethernet MAC Address       : 00:22:56:88:79:00

ALS2#show spanning-tree bridge
                                                   Hello  Max  Fwd
Vlan                         Bridge ID              Time  Age  Dly  Protocol
---------------- --------------------------------- -----  ---  ---  --------
VLAN0001         32769 (32768,   1) 0022.5688.7900    2    20   15  ieee
VLAN0002         32770 (32768,   2) 0022.5688.7900    2    20   15  ieee
VLAN0003         32771 (32768,   3) 0022.5688.7900    2    20   15  ieee
VLAN0004         32772 (32768,   4) 0022.5688.7900    2    20   15  ieee
VLAN0005         32773 (32768,   5) 0022.5688.7900    2    20   15  ieee
VLAN0006         32774 (32768,   6) 0022.5688.7900    2    20   15  ieee
VLAN0007         32775 (32768,   7) 0022.5688.7900    2    20   15  ieee
VLAN0008         32776 (32768,   8) 0022.5688.7900    2    20   15  ieee
VLAN0009         32777 (32768,   9) 0022.5688.7900    2    20   15  ieee
VLAN0010         32778 (32768,  10) 0022.5688.7900    2    20   15  ieee

DLS1#sho spanning-tree root id
VLAN0001         8001.0022.5688.7900
VLAN0002         8002.0022.5688.7900
VLAN0003         8003.0022.5688.7900
VLAN0004         8004.0022.5688.7900
VLAN0005         8005.0022.5688.7900
VLAN0006         8006.0022.5688.7900
VLAN0007         8007.0022.5688.7900
VLAN0008         8008.0022.5688.7900
VLAN0009         8009.0022.5688.7900
VLAN0010         800A.0022.5688.7900

DLS1 recognizes that the root for all the created VLANs and for VLAN 1 is the switch with Bridge ID 8001.0022.5688.7900, that is, ALS2. The same check must be made on every non-root switch.

The following output shows DLS1's Bridge ID. Once we assign it the primary role for VLANs 1, 2, 3 and 4, we will see that the root's Bridge ID matches that of DLS1.

DLS1#show version | include Base
Base ethernet MAC Address       : E8:BA:70:CB:F6:00

ALS2#show spanning-tree root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         32769 0022.5688.7900         0    2   20  15
VLAN0002         32770 0022.5688.7900         0    2   20  15
VLAN0003         32771 0022.5688.7900         0    2   20  15
VLAN0004         32772 0022.5688.7900         0    2   20  15
VLAN0005         32773 0022.5688.7900         0    2   20  15
VLAN0006         32774 0022.5688.7900         0    2   20  15
VLAN0007         32775 0022.5688.7900         0    2   20  15
VLAN0008         32776 0022.5688.7900         0    2   20  15
VLAN0009         32777 0022.5688.7900         0    2   20  15
VLAN0010         32778 0022.5688.7900         0    2   20  15

DLS1
spanning-tree vlan 1,2,3,4 root primary
spanning-tree vlan 5-10 root secondary

DLS1 is now the root for VLANs 1, 2, 3 and 4. With the command show spanning-tree root we see the Bridge ID 24577 e8ba.70cb.f600, which corresponds to VLAN 1.

In which cases does the STP process lower the priority by 4096? Why does DLS1 assume the Root role for all VLANs when it was configured to be primary for VLANs 1 to 4?

ALS2#show spanning-tree root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         24577 e8ba.70cb.f600        19    2   20  15  Fa0/4
VLAN0002         24578 e8ba.70cb.f600        19    2   20  15  Fa0/4
VLAN0003         24579 e8ba.70cb.f600        19    2   20  15  Fa0/4
VLAN0004         24580 e8ba.70cb.f600        19    2   20  15  Fa0/4
VLAN0005         28677 e8ba.70cb.f600        19    2   20  15  Fa0/4
VLAN0006         28678 e8ba.70cb.f600        19    2   20  15  Fa0/4
VLAN0007         28679 e8ba.70cb.f600        19    2   20  15  Fa0/4
VLAN0008         28680 e8ba.70cb.f600        19    2   20  15  Fa0/4
VLAN0009         28681 e8ba.70cb.f600        19    2   20  15  Fa0/4
VLAN0010         28682 e8ba.70cb.f600        19    2   20  15  Fa0/4

DLS1#sh spanning-tree root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         24577 e8ba.70cb.f600         0    2   20  15
VLAN0002         24578 e8ba.70cb.f600         0    2   20  15
VLAN0003         24579 e8ba.70cb.f600         0    2   20  15
VLAN0004         24580 e8ba.70cb.f600         0    2   20  15
VLAN0005         28677 e8ba.70cb.f600         0    2   20  15
VLAN0006         28678 e8ba.70cb.f600         0    2   20  15
VLAN0007         28679 e8ba.70cb.f600         0    2   20  15
VLAN0008         28680 e8ba.70cb.f600         0    2   20  15
VLAN0009         28681 e8ba.70cb.f600         0    2   20  15
VLAN0010         28682 e8ba.70cb.f600         0    2   20  15

We know that the default STP priority is 32768. Note also that the VLAN number is added to each priority: for VLAN 10, the priority value is 32768 + 10 → 32778. If we assign a switch the root role for some or all VLANs through configuration, STP lowers the priority by 8192 + the VLAN value. Taking VLAN 4 as the example, we have 32768 + 4 → 32772 - 8192 = 24580.

We configure the second task.

DLS2
spanning-tree vlan 5,6,7,8,9,10 root primary
spanning-tree vlan 1-4 root secondary

DLS2#show spanning-tree root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         24577 e8ba.70cb.f600        12    2   20  15  Po12
VLAN0002         24578 e8ba.70cb.f600        12    2   20  15  Po12
VLAN0003         24579 e8ba.70cb.f600        12    2   20  15  Po12
VLAN0004         24580 e8ba.70cb.f600        12    2   20  15  Po12
VLAN0005         24581 3037.a6eb.d580         0    2   20  15
VLAN0006         24582 3037.a6eb.d580         0    2   20  15
VLAN0007         24583 3037.a6eb.d580         0    2   20  15
VLAN0008         24584 3037.a6eb.d580         0    2   20  15
VLAN0009         24585 3037.a6eb.d580         0    2   20  15
VLAN0010         24586 3037.a6eb.d580         0    2   20  15

DLS1#sh spanning-tree root
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         24577 e8ba.70cb.f600         0    2   20  15
VLAN0002         24578 e8ba.70cb.f600         0    2   20  15
VLAN0003         24579 e8ba.70cb.f600         0    2   20  15
VLAN0004         24580 e8ba.70cb.f600         0    2   20  15
VLAN0005         24581 3037.a6eb.d580        12    2   20  15  Po12
VLAN0006         24582 3037.a6eb.d580        12    2   20  15  Po12
VLAN0007         24583 3037.a6eb.d580        12    2   20  15  Po12
VLAN0008         24584 3037.a6eb.d580        12    2   20  15  Po12
VLAN0009         24585 3037.a6eb.d580        12    2   20  15  Po12
VLAN0010         24586 3037.a6eb.d580        12    2   20  15  Po12
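
The per-VLAN root placement can be checked mechanically against the intended design, which is how an unexpected root (a misconfigured or unauthorized bridge winning the election) gets caught. The following Python sketch is an added example, not part of the original guide: it parses show spanning-tree root output, splits each priority into its base value and sys-id-ext, and reports VLANs whose root is not the designed one. The function names and the EXPECTED_ROOT table are assumptions of this example; the two sample captures are copied from the lab output above.

```python
import re

# Intended design from the lab: DLS1 is root for VLANs 1-4, DLS2 for VLANs 5-10.
EXPECTED_ROOT = {vlan: "e8ba.70cb.f600" for vlan in range(1, 5)}
EXPECTED_ROOT.update({vlan: "3037.a6eb.d580" for vlan in range(5, 11)})

# ALS2 after only DLS1 was configured (copied from the lab output).
INTERMEDIATE = """\
VLAN0001         24577 e8ba.70cb.f600        19    2   20  15  Fa0/4
VLAN0002         24578 e8ba.70cb.f600        19    2   20  15  Fa0/4
VLAN0003         24579 e8ba.70cb.f600        19    2   20  15  Fa0/4
VLAN0004         24580 e8ba.70cb.f600        19    2   20  15  Fa0/4
VLAN0005         28677 e8ba.70cb.f600        19    2   20  15  Fa0/4
VLAN0006         28678 e8ba.70cb.f600        19    2   20  15  Fa0/4
VLAN0007         28679 e8ba.70cb.f600        19    2   20  15  Fa0/4
VLAN0008         28680 e8ba.70cb.f600        19    2   20  15  Fa0/4
VLAN0009         28681 e8ba.70cb.f600        19    2   20  15  Fa0/4
VLAN0010         28682 e8ba.70cb.f600        19    2   20  15  Fa0/4
"""

# DLS1 after both switches were configured (copied from the lab output).
FINAL = """\
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001         24577 e8ba.70cb.f600         0    2   20  15
VLAN0002         24578 e8ba.70cb.f600         0    2   20  15
VLAN0003         24579 e8ba.70cb.f600         0    2   20  15
VLAN0004         24580 e8ba.70cb.f600         0    2   20  15
VLAN0005         24581 3037.a6eb.d580        12    2   20  15  Po12
VLAN0006         24582 3037.a6eb.d580        12    2   20  15  Po12
VLAN0007         24583 3037.a6eb.d580        12    2   20  15  Po12
VLAN0008         24584 3037.a6eb.d580        12    2   20  15  Po12
VLAN0009         24585 3037.a6eb.d580        12    2   20  15  Po12
VLAN0010         24586 3037.a6eb.d580        12    2   20  15  Po12
"""

ROW = re.compile(
    r"^VLAN(?P<vlan>\d{4})\s+(?P<prio>\d+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<cost>\d+)\s+\d+\s+\d+\s+\d+(?:\s+(?P<port>\S+))?$"
)


def parse_root_table(text):
    """Turn 'show spanning-tree root' rows into dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        prio = int(m["prio"])
        rows.append({
            "vlan": int(m["vlan"]),
            "base_priority": prio & 0xF000,   # upper 4 bits: configurable priority
            "sys_id_ext": prio & 0x0FFF,      # lower 12 bits: VLAN number
            "root_mac": m["mac"],
            "cost": int(m["cost"]),
            "root_port": m["port"],           # None on the root itself
        })
    return rows


def audit(text, expected=EXPECTED_ROOT):
    """Return (vlan, message) findings where the capture deviates from the design."""
    findings, seen = [], set()
    for row in parse_root_table(text):
        vlan = row["vlan"]
        seen.add(vlan)
        if row["sys_id_ext"] != vlan:
            findings.append((vlan, "sys-id-ext does not match the VLAN number"))
        want = expected.get(vlan)
        if want is None:
            findings.append((vlan, "VLAN is not part of the design"))
        elif row["root_mac"] != want:
            findings.append((vlan, "root is %s at base priority %d, expected %s"
                             % (row["root_mac"], row["base_priority"], want)))
    for vlan in sorted(set(expected) - seen):
        findings.append((vlan, "no root entry in the capture"))
    return findings
```

Run on the intermediate capture, the audit flags VLANs 5 to 10, where DLS1 holds the root at base priority 28672 because no other switch has a lower priority yet; on the final capture it reports nothing.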

STP BPDU Guard

Interface FastEthernet0/2 of ALS2 must belong to VLAN 10. A PC will be connected to it shortly.

Prevent the STP process from going through the listening/learning states. If the interface receives any BPDU packet, it must be placed in the errdisable state, which will last 30 seconds.

ALS2
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast

ALS2#show interfaces fastEthernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 10 (VLAN0010)

ALS2
spanning-tree portfast bpduguard default
errdisable recovery interval 30

If we connect a device that sends BPDUs (for example, a switch), we get the following results:

04:27:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to down
04:27:49: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down
04:27:50: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/2 with BPDU Guard enabled. Disabling port.
ALS2#
04:27:50: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/2, putting Fa0/2 in err-disable state

ALS2#show interfaces fastEthernet 0/2 status err-disabled
Port      Name               Status       Reason
Fa0/2                        err-disabled bpduguard
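
On the monitoring side, the two console messages above are the signal to collect: a BPDU arriving on an access port means a switch was plugged in where a PC was expected. The following Python sketch is an added example, not part of the original guide. It correlates %SPANTREE-2-BLOCK_BPDUGUARD with %PM-4-ERR_DISABLE per port and marks ports that trip again shortly after recovering. PAGE_LOG is the output shown above; the three extra lines in SAMPLE_LOG are constructed for this example, and the function names and the 120-second window are assumptions.

```python
import re
from collections import defaultdict

# Console messages copied from the lab output above.
PAGE_LOG = """\
04:27:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to down
04:27:49: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down
04:27:50: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/2 with BPDU Guard enabled. Disabling port.
04:27:50: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/2, putting Fa0/2 in err-disable state
"""

# CONSTRUCTED continuation: the port recovers and the same device trips it again.
SAMPLE_LOG = PAGE_LOG + """\
04:28:20: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/2
04:28:22: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/2 with BPDU Guard enabled. Disabling port.
04:28:22: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/2, putting Fa0/2 in err-disable state
"""

# uptime timestamp, then %FACILITY-SEVERITY-MNEMONIC: text
MSG = re.compile(
    r"^(?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d): "
    r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<text>.*)$"
)
GUARD = re.compile(r"Received BPDU on port (\S+) with BPDU Guard enabled")
ERRDIS = re.compile(r"bpduguard error detected on (\S+),")


def short_name(ifname):
    """Normalize long interface names so both message styles key the same port."""
    ifname = re.sub(r"^FastEthernet", "Fa", ifname)
    return re.sub(r"^GigabitEthernet", "Gi", ifname)


def bpduguard_trips(log, repeat_window=120):
    """Summarize BPDU Guard violations per port from IOS console/syslog text."""
    trips = defaultdict(list)        # port -> uptime (seconds) of each violation
    errdisabled = defaultdict(int)   # port -> number of matching err-disable events
    for line in log.splitlines():
        m = MSG.match(line.strip())
        if not m:
            continue                 # prompts and unrelated text
        when = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        event = (m["fac"], m["mnem"])
        if event == ("SPANTREE", "BLOCK_BPDUGUARD"):
            hit = GUARD.search(m["text"])
            if hit:
                trips[short_name(hit.group(1))].append(when)
        elif event == ("PM", "ERR_DISABLE"):
            hit = ERRDIS.search(m["text"])
            if hit:
                errdisabled[short_name(hit.group(1))] += 1

    report = []
    for port, times in sorted(trips.items()):
        times.sort()
        repeat = any(b - a <= repeat_window for a, b in zip(times, times[1:]))
        report.append({
            "port": port,
            "trips": len(times),
            "err_disabled": errdisabled[port],
            "first_seen": times[0],
            "repeat": repeat,        # device still attached after a recovery
        })
    return report
```

On IOS the recovery timer only acts on causes enabled with errdisable recovery cause bpduguard; with it enabled, a port whose offending device stays connected trips again after each recovery and shows up here with repeat set.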

FLEX Link

- Create a trunk using Fa0/7 and Fa0/8 on both switches, using a standard protocol.
- DLS1 VTP Server
- ALS1 VTP Client
- DLS1 must create VLANs 100, 200, 300 and 400.
- DLS1 must be the root for all VLANs.
- Verify that ALS1 has the VLANs.

Flex Link is a feature available at Layer 2 that can coexist with STP. This enhancement allows a convergence time of less than 50 milliseconds; in short, this time remains constant regardless of the number of VLANs or MAC addresses configured on the switch. The link consists of a pair of Layer 2 interfaces, which may be configured as switchports or port channels, and which work as a backup for another link. It also offers an alternative to the Spanning Tree Protocol (STP), allowing users to disable STP and still provide a redundant link.

DLS1
interface FastEthernet0/7
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface FastEthernet0/8
 switchport trunk encapsulation dot1q
 switchport mode trunk

ALS1
interface FastEthernet0/7
 switchport mode trunk

interface FastEthernet0/8
 switchport mode trunk

DLS1
vtp mode server
vtp domain duoc
vtp version 2
vlan 100,200,300,400
spanning-tree vlan 100,200,300,400 root primary

ALS1
vtp mode client
vtp domain duoc
vtp version 2

ALS1#show vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
100  VLAN0100                         active
200  VLAN0200                         active
300  VLAN0300                         active
400  VLAN0400                         active

DLS1#sh spanning-tree vlan 100
VLAN0100
  Spanning tree enabled protocol ieee
  Root ID    Priority    24676
             Address     e8ba.70cb.f600
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24676  (priority 24576 sys-id-ext 100)
             Address     e8ba.70cb.f600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/7               Desg FWD 19        128.9    P2p
Fa0/8               Desg FWD 19        128.10   P2p

ALS1#show spanning-tree vlan 100
VLAN0100
  Spanning tree enabled protocol ieee
  Root ID    Priority    24676
             Address     e8ba.70cb.f600
             Cost        19
             Port        7 (FastEthernet0/7)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32868  (priority 32768 sys-id-ext 100)
             Address     0022.5689.5d80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/7            Root FWD 19        128.7    P2p
Fa0/8            Altn BLK 19        128.8    P2p

Configure FlexLink with the following policies:
- ALS1 Fa0/7 is the backup.
- Connect PCs to an access port on DLS1 and on ALS1 (same VLAN) and test connectivity between them.
- Disable the active link and check the activation time.

Do load balancing using the interface command switchport backup interface fastEthernet 0/3 prefer vlan 101…..

ALS1
interface FastEthernet0/8
 switchport mode trunk
 switchport backup interface Fa0/7

ALS1#show interfaces switchport backup
Switch Backup Interface Pairs:

Active Interface        Backup Interface        State
------------------------------------------------------------------------
FastEthernet0/8         FastEthernet0/7         Active Up/Backup Standby

DLS1
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast

ALS1
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast

Flex Link connectivity tests
- PC1 → 10.1.1.1/24 connected to Fa0/1 of DLS1
- PC2 → 10.1.1.2/24 connected to Fa0/1 of ALS1

We should have connectivity via ping. Fa0/8 actively carries the traffic; if we disable the interface, there is no interruption of traffic.

ALS1(config)#interface fastEthernet 0/8
ALS1(config-if)#shutdown

ALS1#show interfaces switchport backup
Switch Backup Interface Pairs:

Active Interface        Backup Interface        State
------------------------------------------------------------------------
FastEthernet0/8         FastEthernet0/7         Active Down/Backup Up

PC1
ping 10.1.1.2 -t
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128

ALS1(config)#interface fastEthernet 0/8
ALS1(config-if)#no shutdown

ALS1#show interfaces switchport backup
Switch Backup Interface Pairs:

Active Interface        Backup Interface        State
------------------------------------------------------------------------
FastEthernet0/8         FastEthernet0/7         Active Standby/Backup Up

As the previous output shows, interface Fa0/8 does not return to the active state by default. In other words, it does not reclaim the position it left. We must explicitly configure it to do so.

FastEthernet 0/8 must return to its UP state 4 seconds after the link is restored.

ALS1
interface FastEthernet0/8
 switchport backup interface Fa0/7 preemption delay 4
 ! If forced is not included, the process does not take the preemption into account
 switchport backup interface Fa0/7 preemption mode forced

01:14:35: %BACKUP_INTERFACE-5-PREEMPT: Preempting interface Fa0/7 in backup pair (Fa0/8, Fa0/7), preemption mode is forced

ALS1#show interfaces switchport backup detail
Switch Backup Interface Pairs:

Active Interface        Backup Interface        State
------------------------------------------------------------------------
FastEthernet0/8         FastEthernet0/7         Active Up/Backup Standby

        Interface Pair : Fa0/8, Fa0/7
        Preemption Mode : forced
        Preemption Delay : 4 seconds
        Bandwidth : 100000 Kbit (Fa0/8), 100000 Kbit (Fa0/7)
        Mac Address Move Update Vlan : auto

MSTP Multiple Spanning Tree MST 802.1s

Configure both switches in trunk mode. Use 802.1q.

DLS1
interface range fastEthernet 0/11-12
 switchport trunk encapsulation dot1q
 switchport mode trunk

DLS2
interface range fastEthernet 0/11-12
 switchport trunk encapsulation dot1q
 switchport mode trunk

DLS2#show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Fa0/11      on               802.1q         trunking      1
Fa0/12      on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/11      1-4094
Fa0/12      1-4094

Port        Vlans allowed and active in management domain
Fa0/11      1
Fa0/12      1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/11      1
Fa0/12      1

VTP. DLS1 must be the VTP server and DLS2 a VTP client. Use VTP domain DUOC and VTP version 2. On DLS1, create VLANs 2-10. Verify that these VLANs propagate to DLS2.

DLS1
vtp mode server
vtp domain DUOC
vtp version 2

DLS2
vtp mode client
vtp domain DUOC
vtp version 2

DLS1#sh vtp status
VTP Version                     : running VTP2
Configuration Revision          : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 : DUOC
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xDC 0x3F 0x3A 0xBD 0x10 0x27 0xB2 0xDD
Configuration last modified by 10.1.1.1 at 3-1-93 00:06:43
Local updater ID is 10.1.1.1 on interface Vl1 (lowest numbered VLAN interface found)

DLS2#show vtp status
VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 5
VTP Operating Mode              : Client
VTP Domain Name                 : DUOC
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xDC 0x3F 0x3A 0xBD 0x10 0x27 0xB2 0xDD
Configuration last modified by 10.1.1.1 at 3-1-93 00:06:43

DLS1
vlan 2-10

DLS1#sh vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
2    VLAN0002                         active
3    VLAN0003                         active
4    VLAN0004                         active
5    VLAN0005                         active
6    VLAN0006                         active
7    VLAN0007                         active
8    VLAN0008                         active
9    VLAN0009                         active
10   VLAN0010                         active

DLS2#show vlan brief
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
2    VLAN0002                         active
3    VLAN0003                         active
4    VLAN0004                         active
5    VLAN0005                         active
6    VLAN0006                         active
7    VLAN0007                         active
8    VLAN0008                         active
9    VLAN0009                         active
10   VLAN0010                         active

Configure MST according to the following policies:
- Create two STP instances: instance 1 and instance 2.
- The revision number must be 1.
- The MST name must be DUOC.
- VLANs 1-5 belong to instance 1.
- VLANs 6-8 belong to instance 2.
- The remaining VLANs will be part of instance 0.
- Instance 1 → fastethernet0/11
- Instance 2 → fastethernet0/12
- DLS1 must be the Root Bridge for instance 1.
- DLS2 must be the Root Bridge for instance 2.

The advantage of MST is that it can map multiple VLANs that have the same requirements (same traffic) to a single STP instance, which translates into lower CPU utilization.

Let us check how many instances exist, using the show spanning-tree command. We can see 9 instances plus VLAN 1: 10 instances in total.

DLS1#sh spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     3037.a6eb.d580
             Cost        19
             Port        13 (FastEthernet0/11)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     e8ba.70cb.f600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/11              Root FWD 19        128.13   P2p
Fa0/12              Altn BLK 19        128.14   P2p

VLAN0002
  Spanning tree enabled protocol ieee
  Root ID    Priority    32770
             Address     3037.a6eb.d580
             Cost        19
             Port        13 (FastEthernet0/11)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     e8ba.70cb.f600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/11              Root FWD 19        128.13   P2p
Fa0/12              Altn BLK 19        128.14   P2p

.

.

.

.

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    32778
             Address     3037.a6eb.d580
             Cost        19
             Port        13 (FastEthernet0/11)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     e8ba.70cb.f600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/11              Root FWD 19        128.13   P2p
Fa0/12              Altn BLK 19        128.14   P2p


As the previous output shows, STP is running a separate instance for each VLAN, as if each instance had a different path or flow, even though they all follow the same physical topology. DLS1 and DLS2 can use MST if both have identical:
- Region name
- Revision number
- VLAN-to-instance assignments

To configure MST, follow these steps:
1. Configure MST globally:

DLS1
spanning-tree mode mst

DLS2
spanning-tree mode mst

DLS2#show spanning-tree
MST0
  Spanning tree enabled protocol mstp
  Root ID    Priority    32768
             Address     3037.a6eb.d580
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32768  (priority 32768 sys-id-ext 0)
             Address     3037.a6eb.d580
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/11           Desg FWD 200000    128.13   P2p
Fa0/12           Desg FWD 200000    128.14   P2p

DLS1#sh spanning-tree
MST0
  Spanning tree enabled protocol mstp
  Root ID    Priority    32768
             Address     3037.a6eb.d580
             Cost        0
             Port        13 (FastEthernet0/11)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32768  (priority 32768 sys-id-ext 0)
             Address     e8ba.70cb.f600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/11              Root FWD 200000    128.13   P2p
Fa0/12              Altn BLK 200000    128.14   P2p


If no mapping is defined, all VLANs remain in instance 0.

DLS1#sh spanning-tree mst configuration
Name      []
Revision  0     Instances configured 1

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-4094
-------------------------------------------------------------------------------

2. Enter MST configuration mode with the command spanning-tree mst configuration.
3. Set the revision number.
4. Set the region name.
5. Create the instances and assign the VLANs to them.

DLS1
spanning-tree mst configuration
 revision 1
 name DUOC
 instance 1 vlan 1-5
 instance 2 vlan 6-8

DLS2
spanning-tree mst configuration
 revision 1
 name DUOC
 instance 1 vlan 1-5
 instance 2 vlan 6-8

DLS2#show spanning-tree mst configuration
Name      [DUOC]
Revision  1     Instances configured 3

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         9-4094
1         1-5
2         6-8
-------------------------------------------------------------------------------


DLS1#sh spanning-tree mst configuration
Name      [DUOC]
Revision  1     Instances configured 3

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         9-4094
1         1-5
2         6-8
-------------------------------------------------------------------------------
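The three attributes that must be identical on DLS1 and DLS2 (region name, revision number and VLAN-to-instance assignments) can be compared mechanically. The Python below is an added example, not part of the original guide: it parses show spanning-tree mst configuration output and lists every difference between two switches. The function names are hypothetical, and the two captures are the guide's own outputs (DLS1 before the region is configured, DLS2 after) with line breaks restored.

```python
import re

# Captures from the guide, line breaks restored. DLS1_DEFAULT is DLS1 before the
# region is configured; DLS2_REGION is DLS2 after it.
DLS1_DEFAULT = """\
Name      []
Revision  0     Instances configured 1

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         1-4094
-------------------------------------------------------------------------------
"""

DLS2_REGION = """\
Name      [DUOC]
Revision  1     Instances configured 3

Instance  Vlans mapped
--------  ---------------------------------------------------------------------
0         9-4094
1         1-5
2         6-8
-------------------------------------------------------------------------------
"""


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1-5,10' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            low, _, high = part.partition("-")
            vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def compress_vlans(vlans):
    """Inverse of expand_vlans: [1, 2, 3, 7] -> '1-3,7'."""
    ranges, start, prev = [], None, None
    for vlan in sorted(vlans) + [None]:
        if start is not None and vlan is not None and vlan == prev + 1:
            prev = vlan
            continue
        if start is not None:
            ranges.append(str(start) if start == prev else f"{start}-{prev}")
        start = prev = vlan
    return ",".join(ranges)


def parse_mst_configuration(text):
    """Parse `show spanning-tree mst configuration` into the three region attributes."""
    region = {"name": None, "revision": None, "vlan_to_instance": {}}
    instance = None
    for line in text.splitlines():
        if m := re.match(r"Name\s+\[(.*)\]", line):
            region["name"] = m.group(1)
        elif m := re.match(r"Revision\s+(\d+)", line):
            region["revision"] = int(m.group(1))
        elif m := re.match(r"(\d+)\s+(\d[\d,\- ]*)$", line):
            instance = int(m.group(1))
            for vlan in expand_vlans(m.group(2)):
                region["vlan_to_instance"][vlan] = instance
        elif instance is not None and (m := re.match(r"\s+(\d[\d,\- ]*)$", line)):
            # Long VLAN lists wrap onto indented continuation lines.
            for vlan in expand_vlans(m.group(1)):
                region["vlan_to_instance"][vlan] = instance
        else:
            instance = None
    return region


def region_mismatches(a, b):
    """List every attribute that would put two switches in different MST regions."""
    problems = []
    for key in ("name", "revision"):
        if a[key] != b[key]:
            problems.append(f"{key}: {a[key]!r} != {b[key]!r}")
    # VLANs absent from the table are treated as instance 0 (the IST).
    moved = [v for v in range(1, 4095)
             if a["vlan_to_instance"].get(v, 0) != b["vlan_to_instance"].get(v, 0)]
    if moved:
        problems.append(f"vlan-to-instance: VLANs {compress_vlans(moved)} map differently")
    return problems


if __name__ == "__main__":
    before = parse_mst_configuration(DLS1_DEFAULT)
    after = parse_mst_configuration(DLS2_REGION)
    for problem in region_mismatches(before, after) or ["same region"]:
        print(problem)
```

Run against a half-configured pair, it names exactly which attribute still has to be aligned before both switches share the DUOC region.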

DLS1#sh spanning-tree
MST0
  Spanning tree enabled protocol mstp
  Root ID    Priority    32768
             Address     3037.a6eb.d580
             Cost        0
             Port        13 (FastEthernet0/11)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32768  (priority 32768 sys-id-ext 0)
             Address     e8ba.70cb.f600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/11              Root FWD 200000    128.13   P2p
Fa0/12              Altn BLK 200000    128.14   P2p

MST1
  Spanning tree enabled protocol mstp
  Root ID    Priority    32769
             Address     3037.a6eb.d580
             Cost        200000
             Port        13 (FastEthernet0/11)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     e8ba.70cb.f600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/11              Root FWD 200000    128.13   P2p
Fa0/12              Altn BLK 200000    128.14   P2p

MST2
  Spanning tree enabled protocol mstp
  Root ID    Priority    32770
             Address     3037.a6eb.d580
             Cost        200000
             Port        13 (FastEthernet0/11)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec


  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     e8ba.70cb.f600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/11              Root FWD 200000    128.13   P2p
Fa0/12              Altn BLK 200000    128.14   P2p

Note that there is one BID per instance: the instance number is added to 32768, which makes each BID unique.

DLS1#sh spanning-tree bridge
                                                   Hello  Max  Fwd
MST Instance     Bridge ID                         Time   Age  Dly  Protocol
---------------- --------------------------------- -----  ---  ---  --------
MST0             32768 (32768, 0) e8ba.70cb.f600       2   20   15  mstp
MST1             32769 (32768, 1) e8ba.70cb.f600       2   20   15  mstp
MST2             32770 (32768, 2) e8ba.70cb.f600       2   20   15  mstp

DLS2#show spanning-tree root
                                        Root    Hello Max Fwd
MST Instance     Root ID                Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
MST0             32768 3037.a6eb.d580         0     2  20  15
MST1             32769 3037.a6eb.d580         0     2  20  15
MST2             32770 3037.a6eb.d580         0     2  20  15

DLS2#show version | include Base
Base ethernet MAC Address       : 30:37:A6:EB:D5:80

DLS1 must be the Root Bridge for instance 1.
DLS2 must be the Root Bridge for instance 2.

We can now set priorities on the bundled VLANs as a single entity: instance 1 and instance 2. To do so, use the following command:

DLS1(config)#spanning-tree mst 1 priority ?
  <0-61440>  bridge priority in increments of 4096

DLS1(config)#spanning-tree mst 1 priority 0
DLS1(config)#spanning-tree mst 2 priority 4096

DLS2
spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 0


DLS2#show version | include Base
Base ethernet MAC Address       : 30:37:A6:EB:D5:80

DLS2#show spanning-tree root
                                        Root    Hello Max Fwd
MST Instance     Root ID                Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
MST0             32768 3037.a6eb.d580         0     2  20  15
MST1                 1 e8ba.70cb.f600    200000     2  20  15  Fa0/11
MST2                 2 3037.a6eb.d580         0     2  20  15

The output above shows that DLS2 is the Root Bridge for instances 0 and 2. For instance 1 we see a different BID (that of DLS1), which we can identify because the entry has a Root Port (Fa0/11).

DLS1#sh version | include Base
Base ethernet MAC Address       : E8:BA:70:CB:F6:00

DLS1#sh spanning-tree root
                                        Root    Hello Max Fwd
MST Instance     Root ID                Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
MST0             32768 3037.a6eb.d580         0     2  20  15  Fa0/11
MST1                 1 e8ba.70cb.f600         0     2  20  15
MST2                 2 3037.a6eb.d580    200000     2  20  15  Fa0/11

DLS1#sh spanning-tree interface fastEthernet 0/11
Mst Instance        Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
MST0                Root FWD 200000    128.13   P2p
MST1                Desg FWD 200000    128.13   P2p
MST2                Root FWD 200000    128.13   P2p

DLS1#sh spanning-tree interface fastEthernet 0/12
Mst Instance        Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
MST0                Altn BLK 200000    128.14   P2p
MST1                Desg FWD 200000    128.14   P2p
MST2                Altn BLK 200000    128.14   P2p

DLS2#show spanning-tree interface fastEthernet 0/11
Mst Instance     Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
MST0             Desg FWD 200000    128.13   P2p
MST1             Root FWD 200000    128.13   P2p
MST2             Desg FWD 200000    128.13   P2p


DLS2#show spanning-tree interface fastEthernet 0/12
Mst Instance     Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
MST0             Desg FWD 200000    128.14   P2p
MST1             Altn BLK 200000    128.14   P2p
MST2             Desg FWD 200000    128.14   P2p

We want instance 1 traffic to use Fa0/11 and instance 2 traffic to use Fa0/12.
Note: the lower the value, the higher the priority.

DLS1
interface FastEthernet0/11
 spanning-tree mst 1 port-priority 0
 spanning-tree mst 2 port-priority 240

interface FastEthernet0/12
 spanning-tree mst 1 port-priority 240
 spanning-tree mst 2 port-priority 0

DLS2
interface FastEthernet0/11
 spanning-tree mst 1 port-priority 0
 spanning-tree mst 2 port-priority 240

interface FastEthernet0/12
 spanning-tree mst 1 port-priority 240
 spanning-tree mst 2 port-priority 0

Note that instance 1 uses interface Fa0/11 and instance 2 uses Fa0/12.

DLS2#show spanning-tree interface fastEthernet 0/11
Mst Instance     Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
MST0             Desg FWD 200000    128.13   P2p
MST1             Root FWD 200000      0.13   P2p
MST2             Desg FWD 200000    240.13   P2p

DLS2#show spanning-tree interface fastEthernet 0/12
Mst Instance     Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
MST0             Desg FWD 200000    128.14   P2p
MST1             Altn BLK 200000    240.14   P2p
MST2             Desg FWD 200000      0.14   P2p


InterVLAN Routing Using an L3 Switch

On DLS1, create VLANs 10 and 20. Then create the VLAN interface (SVI) for each of the VLANs created.

Assign the access VLANs as shown in the figure. Prevent the STP process from going through the listening/learning states on access ports Fa0/1 and Fa0/8.

Configure the PCs as shown in the figure and set the SVI as their Default Gateway. Check connectivity.

DLS1
vlan 10,20

interface Vlan10
 ip address 10.0.0.1 255.255.255.0
 no shut

interface Vlan20
 ip address 20.0.0.1 255.255.255.0
 no shut

DLS1#sh vlan brief | exclude unsup

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2
10   VLAN0010                         active
20   VLAN0020                         active


Assign the access VLANs as shown in the figure. Prevent the STP process from going through the listening/learning states on access ports Fa0/1 and Fa0/8.

DLS1
interface FastEthernet0/1
 description ***a PC1***
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast
 no shutdown

interface FastEthernet0/8
 description ***a PC2***
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast
 no shutdown

DLS1#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms

DLS1#ping 20.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

PC1
C:\>ping 10.0.0.1
Haciendo ping a 10.0.0.1 con 32 bytes de datos:

Respuesta desde 10.0.0.1: bytes=32 tiempo=3ms TTL=255
Respuesta desde 10.0.0.1: bytes=32 tiempo=1ms TTL=255
Respuesta desde 10.0.0.1: bytes=32 tiempo=1ms TTL=255
Respuesta desde 10.0.0.1: bytes=32 tiempo<1m TTL=255

Estadísticas de ping para 10.0.0.1:
    Paquetes: enviados = 4, recibidos = 4, perdidos = 0 (0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 0ms, Máximo = 3ms, Media = 1ms


PC2
C:\>ping 20.0.0.1

Haciendo ping a 20.0.0.1 con 32 bytes de datos:

Respuesta desde 20.0.0.1: bytes=32 tiempo=28ms TTL=255
Respuesta desde 20.0.0.1: bytes=32 tiempo=2ms TTL=255
Respuesta desde 20.0.0.1: bytes=32 tiempo=2ms TTL=255
Respuesta desde 20.0.0.1: bytes=32 tiempo=1ms TTL=255

Estadísticas de ping para 20.0.0.1:
    Paquetes: enviados = 4, recibidos = 4, perdidos = 0 (0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 1ms, Máximo = 28ms, Media = 8ms

Enable routing on the switch.

DLS1
ip routing

DLS1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     20.0.0.0/24 is subnetted, 1 subnets
C       20.0.0.0 is directly connected, Vlan20
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Vlan10

We create a default route on the PCs.

We verify connectivity between PC1 (VLAN 10) and PC2 (VLAN 20).

PC1
C:\>route add 0.0.0.0 mask 0.0.0.0 10.0.0.1

PC2
C:\>route add 0.0.0.0 mask 0.0.0.0 20.0.0.1


PC1
C:\>route print
===========================================================================
ILista de interfaces
0x1 ........................... MS TCP Loopback interface
0x2 ...00 24 8c cd 2a 2a ...... SiS191 Ethernet Controller - Minipuerto del administrador de paquetes
0x3 ...08 00 27 00 f0 c5 ...... VirtualBox Host-Only Ethernet Adapter - Minipuerto del administrador de paquetes
===========================================================================
===========================================================================
Rutas activas:
Destino de red        Máscara de red   Puerta de acceso   Interfaz  Métrica
          0.0.0.0          0.0.0.0         10.0.0.1       10.0.0.2       1

PC2
C:\>route print
===========================================================================
ILista de interfaces
0x1 ........................... MS TCP Loopback interface
0x2 ...0c ee e6 a0 33 43 ...... Adaptador de red Broadcom 802.11g - Minipuerto del administrador de paquetes
0x10004 ...00 26 22 70 6d df ...... Atheros AR8132 PCI-E Fast Ethernet Controller - Minipuerto del administrador de paquetes
===========================================================================
===========================================================================
Rutas activas:
Destino de red        Máscara de red   Puerta de acceso   Interfaz  Métrica
          0.0.0.0          0.0.0.0         20.0.0.1       20.0.0.2       1

PC1
C:\>ping 20.0.0.2

Haciendo ping a 20.0.0.2 con 32 bytes de datos:

Respuesta desde 20.0.0.2: bytes=32 tiempo=1ms TTL=127
Respuesta desde 20.0.0.2: bytes=32 tiempo<1m TTL=127
Respuesta desde 20.0.0.2: bytes=32 tiempo<1m TTL=127
Respuesta desde 20.0.0.2: bytes=32 tiempo<1m TTL=127

Estadísticas de ping para 20.0.0.2:
    Paquetes: enviados = 4, recibidos = 4, perdidos = 0 (0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 0ms, Máximo = 1ms, Media = 0ms


PC2
C:\>ping 10.0.0.2

Haciendo ping a 10.0.0.2 con 32 bytes de datos:

Respuesta desde 10.0.0.2: bytes=32 tiempo<1m TTL=127
Respuesta desde 10.0.0.2: bytes=32 tiempo<1m TTL=127
Respuesta desde 10.0.0.2: bytes=32 tiempo<1m TTL=127
Respuesta desde 10.0.0.2: bytes=32 tiempo<1m TTL=127

Estadísticas de ping para 10.0.0.2:
    Paquetes: enviados = 4, recibidos = 4, perdidos = 0 (0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 0ms, Máximo = 0ms, Media = 0ms


InterVLAN Routing Between L2/L3 Switches

Configure the four switches based on the following requirements:
- VTP domain duoc
- VTP version 2
- DLS1 → VTP Server, DLS2 → VTP Client, ALS2 → VTP Client, ALS1 → VTP Client
- Domain duoc

Configure Link Aggregation as shown in the figure; do not use negotiation on the port-channels, except on Po1 DLS2-ALS2. Configure trunking using 802.1q encapsulation.

DLS1 must create VLANs 10 and 20.
Verify that these VLANs plus the default VLAN are "visible" to the other switches (DLS2, ALS1 and ALS2).


Configure the access ports on the L2 switches as shown in the figure, assigning the corresponding VLAN. Prevent the STP process from going through the listening/learning states.

Create the SVIs on each L3 switch. Enable routing.

On the PCs, assign the addressing shown. In addition, create a default route pointing to the DG.

We verify connectivity between PC1 (VLAN 10) and PC2 (VLAN 20).

Configure the PCs as shown in the figure and set the IP address of the VLAN interface as their Default Gateway. Check connectivity.


Configure the four switches based on the following requirements:
- VTP domain i29
- VTP version 2
- DLS1 → VTP Server, DLS2 → VTP Client, ALS2 → VTP Client, ALS1 → VTP Client.

Configure Link Aggregation as shown in the figure; do not use negotiation on the port-channels, except on Po1 DLS2-ALS2. Configure trunking using 802.1q encapsulation. Only the default VLAN and VLANs 10 and 20 are allowed.

DLS1
vtp mode server
vtp domain i29
vtp version 2

DLS2
vtp mode client
vtp domain i29
vtp version 2

ALS1
vtp mode client
vtp domain i29
vtp version 2

ALS2
vtp mode client
vtp domain i29
vtp version 2

DLS1
default interface range fastEthernet 0/2-3 , fastEthernet 0/6-7

interface range fastEthernet 0/2-3
 channel-group 1 mode on

interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,20
 switchport mode trunk
 switchport nonegotiate

interface range fastEthernet 0/6-7
 channel-group 12 mode on

interface Port-channel12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,20
 switchport mode trunk
 switchport nonegotiate

DLS2
default interface range fastEthernet 0/2-3 , fastEthernet 0/6-7 , fastEthernet 0/13-20


interface range fastEthernet 0/2-3 , fastEthernet 0/13-20
 channel-group 2 mode active

interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,20
 switchport mode trunk
 switchport nonegotiate

interface range fastEthernet 0/6-7
 channel-group 12 mode on

interface Port-channel12
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,20
 switchport mode trunk
 switchport nonegotiate

DLS2#show etherchannel 12 summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
12     Po12(SU)         -        Fa0/6(P)    Fa0/7(P)

ALS1
default interface range fastEthernet 0/2-3

interface range fastEthernet 0/2-3
 channel-group 1 mode on

interface Port-channel1
 switchport trunk allowed vlan 1,10,20
 switchport mode trunk
 switchport nonegotiate

DLS1#sh etherchannel 1 summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator


        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)          -        Fa0/2(P)    Fa0/3(P)

ALS2
default interface range fastEthernet 0/2-3 , fastEthernet 0/13-20

interface range fastEthernet 0/2-3 , fastEthernet 0/13-20
 channel-group 2 mode active

interface Port-channel2
 switchport trunk allowed vlan 1,10,20
 switchport mode trunk
 switchport nonegotiate

ALS2#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
2      Po2(SU)         LACP      Fa0/2(P)    Fa0/3(P)    Fa0/13(P)
                                 Fa0/14(P)   Fa0/15(P)   Fa0/16(P)
                                 Fa0/17(P)   Fa0/18(P)   Fa0/19(H)
                                 Fa0/20(H)

DLS1 must create VLANs 10 and 20.
Verify that these VLANs plus the default VLAN are "visible" to the other switches (DLS2, ALS1 and ALS2).

Configure the access ports on the L2 switches as shown in the figure, assigning the corresponding VLAN. Prevent the STP process from going through the listening/learning states.

DLS1


vlan 10,20

DLS1#sh vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/4, Fa0/5, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24
                                                Gi0/1, Gi0/2
10   VLAN0010                         active
20   VLAN0020                         active

DLS2#sh vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/4, Fa0/5, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
10   VLAN0010                         active
20   VLAN0020                         active

ALS1
interface FastEthernet0/23
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast

ALS1#show vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/24, Gi0/1, Gi0/2
10   VLAN0010                         active    Fa0/23
20   VLAN0020                         active

ALS2
interface FastEthernet0/23
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast

ALS2#show vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------


1    default                          active    Fa0/1, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/19, Fa0/20
                                                Fa0/21, Fa0/22, Fa0/24, Gi0/1
                                                Gi0/2
10   VLAN0010                         active
20   VLAN0020                         active    Fa0/23

Create the SVIs on each L3 switch (see figure). Enable routing.

On the PCs, assign the addressing shown.

DLS1
interface Vlan10
 ip address 10.0.0.1 255.255.255.0

interface Vlan20
 ip address 20.0.0.1 255.255.255.0

DLS2
interface Vlan10
 ip address 10.0.0.2 255.255.255.0

interface Vlan20
 ip address 20.0.0.2 255.255.255.0

DLS2#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

DLS2#ping 20.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

DLS1
ip routing

DLS2
ip routing

PC1
C:\>ping 20.0.0.10

Haciendo ping a 20.0.0.10 con 32 bytes de datos:

Respuesta desde 20.0.0.10: bytes=32 tiempo<1m TTL=127


Respuesta desde 20.0.0.10: bytes=32 tiempo<1m TTL=127
Respuesta desde 20.0.0.10: bytes=32 tiempo<1m TTL=127
Respuesta desde 20.0.0.10: bytes=32 tiempo<1m TTL=127

Estadísticas de ping para 20.0.0.10:
    Paquetes: enviados = 4, recibidos = 4, perdidos = 0 (0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 0ms, Máximo = 0ms, Media = 0ms


IP DHCP

Continuation of the previous lab. Disable Po12.

On DLS1, create VLAN 100 plus SVI 100 using IP address 100.1.1.1/24. It must be allowed on Po1 DLS1/ALS1.

Configure DHCP on DLS1 with the following characteristics:
- Pool ABCD 100.1.1.0/24
- Default Router 100.1.1.1
- Indefinite lease.
- The range 100.1.1.1 to 100.1.1.20 must be excluded.

On ALS1, assign VLAN 100 to port Fa0/23 (access port).


DLS1
vlan 100

interface Vlan100
 ip address 100.1.1.1 255.255.255.0

ip dhcp excluded-address 100.1.1.1 100.1.1.20

ip dhcp pool ABCD
 network 100.1.1.0 255.255.255.0
 default-router 100.1.1.1
 lease infinite

interface port-channel 1
 switchport trunk allowed vlan add 100

DLS1#sh running-config interface port-channel 1
Building configuration...

Current configuration : 159 bytes
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,20,100
 switchport mode trunk
 switchport nonegotiate

ALS1
interface port-channel 1
 switchport trunk allowed vlan add 100

ALS1#sh running-config interface port-channel 1
Building configuration...

Current configuration : 121 bytes
!
interface Port-channel1
 switchport trunk allowed vlan 1,10,20,100
 switchport mode trunk
 switchport nonegotiate

ALS1#show vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/24, Gi0/1, Gi0/2
10   VLAN0010                         active    Fa0/23
20   VLAN0020                         active


100  VLAN0100                         active

ALS1
default interface fastEthernet 0/23

interface FastEthernet0/23
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast

We connect PC1 to port Fa0/23 and use the debug ip dhcp server packet command to verify the DHCP negotiation between client and server.

DLS1#debug ip dhcp server packet
DHCP server packet debugging is on.

*Mar 1 01:25:03.142: DHCPD: Reload workspace interface Vlan100 tableid 0.
*Mar 1 01:25:03.142: DHCPD: tableid for 100.1.1.1 on Vlan100 is 0
*Mar 1 01:25:03.142: DHCPD: client's VPN is .
*Mar 1 01:25:03.142: DHCPD: DHCPREQUEST received from client 0100.248c.cd2a.2a.
*Mar 1 01:25:03.142: DHCPD: client has moved to a new subnet.
*Mar 1 01:25:03.142: DHCPD: Sending DHCPNAK to client 0100.248c.cd2a.2a.
*Mar 1 01:25:03.142: DHCPD: broadcasting BOOTREPLY to client 0024.8ccd.2a2a.
*Mar 1 01:25:04.
DLS1#140: DHCPD: Reload workspace interface Vlan100 tableid 0.
*Mar 1 01:25:04.140: DHCPD: tableid for 100.1.1.1 on Vlan100 is 0
*Mar 1 01:25:04.140: DHCPD: client's VPN is .
*Mar 1 01:25:04.140: DHCPD: using received relay info.
*Mar 1 01:25:04.140: DHCPD: DHCPDISCOVER received from client 0100.248c.cd2a.2a on interface Vlan100.
*Mar 1 01:25:04.140: DHCPD: using received relay info.
DLS1#
*Mar 1 01:25:06.153: DHCPD: Sending DHCPOFFER to client 0100.248c.cd2a.2a (100.1.1.21).
*Mar 1 01:25:06.153: DHCPD: Check for IPe on Vlan100
*Mar 1 01:25:06.153: DHCPD: creating ARP entry (100.1.1.21, 0024.8ccd.2a2a).
*Mar 1 01:25:06.153: DHCPD: unicasting BOOTREPLY to client 0024.8ccd.2a2a (100.1.1.21).
*Mar 1 01:25:06.162: DHCPD: Reload workspace interface Vlan100 tableid 0.
*Mar 1 01:25:06.162: DHCPD: tableid for 100.1.1.1 on Vlan100 is 0
*Mar 1 01:25:06.162: DHCPD: client's VPN is .
*Ma
DLS1#r 1 01:25:06.162: DHCPD: DHCPREQUEST received from client 0100.248c.cd2a.2a.
*Mar 1 01:25:06.162: DHCPD: Sending DHCPACK to client 0100.248c.cd2a.2a (100.1.1.21).
*Mar 1 01:25:06.162: DHCPD: Check for IPe on Vlan100
*Mar 1 01:25:06.162: DHCPD: creating ARP entry (100.1.1.21, 0024.8ccd.2a2a).
*Mar 1 01:25:06.162: DHCPD: unicasting BOOTREPLY to client 0024.8ccd.2a2a (100.1.1.21).
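The debug output above can be read programmatically to confirm that the lease respects the pool policy of this lab. The Python below is an added example, not part of the original guide: it rebuilds each client's message sequence, then checks the acknowledged address against pool 100.1.1.0/24, the excluded range 100.1.1.1 to 100.1.1.20, and the MAC carried in the client-id. The function names are hypothetical, and the sample is the guide's own debug output with the interleaved DLS1# prompts and unrelated lines removed.

```python
import ipaddress
import re

# debug ip dhcp server packet lines from the guide, one message per line; the
# interleaved "DLS1#" prompts are removed and unrelated lines are omitted.
DEBUG_LOG = """\
*Mar 1 01:25:03.142: DHCPD: DHCPREQUEST received from client 0100.248c.cd2a.2a.
*Mar 1 01:25:03.142: DHCPD: client has moved to a new subnet.
*Mar 1 01:25:03.142: DHCPD: Sending DHCPNAK to client 0100.248c.cd2a.2a.
*Mar 1 01:25:04.140: DHCPD: DHCPDISCOVER received from client 0100.248c.cd2a.2a on interface Vlan100.
*Mar 1 01:25:06.153: DHCPD: Sending DHCPOFFER to client 0100.248c.cd2a.2a (100.1.1.21).
*Mar 1 01:25:06.153: DHCPD: creating ARP entry (100.1.1.21, 0024.8ccd.2a2a).
*Mar 1 01:25:06.162: DHCPD: DHCPREQUEST received from client 0100.248c.cd2a.2a.
*Mar 1 01:25:06.162: DHCPD: Sending DHCPACK to client 0100.248c.cd2a.2a (100.1.1.21).
*Mar 1 01:25:06.162: DHCPD: creating ARP entry (100.1.1.21, 0024.8ccd.2a2a).
"""

MESSAGE = re.compile(
    r"DHCP(?P<type>[A-Z]+) (?:received from|to) client "
    r"(?P<client>[0-9a-f]{4}(?:\.[0-9a-f]{2,4})+)(?: \((?P<ip>[\d.]+)\))?")
ARP_ENTRY = re.compile(r"creating ARP entry \((?P<ip>[\d.]+), (?P<mac>[0-9a-f.]+)\)")


def client_id_to_mac(client_id):
    """Return the MAC inside an Ethernet client-id (type byte 01 + 6-byte MAC), else None."""
    digits = client_id.replace(".", "")
    if len(digits) != 14 or not digits.startswith("01"):
        return None
    mac = digits[2:]
    return ".".join(mac[i:i + 4] for i in range(0, 12, 4))


def audit_dhcp_debug(log, pool, excluded_first, excluded_last):
    """Rebuild each client's exchange and check the lease against the pool policy."""
    network = ipaddress.ip_network(pool)
    low = ipaddress.ip_address(excluded_first)
    high = ipaddress.ip_address(excluded_last)
    clients, arp = {}, {}
    for line in log.splitlines():
        if m := ARP_ENTRY.search(line):
            arp[m["ip"]] = m["mac"]
        elif m := MESSAGE.search(line):
            entry = clients.setdefault(
                m["client"], {"sequence": [], "leased": None, "findings": []})
            entry["sequence"].append(m["type"])
            if m["type"] == "ACK":
                entry["leased"] = m["ip"]
    for client_id, entry in clients.items():
        if entry["leased"] is None:
            continue
        address = ipaddress.ip_address(entry["leased"])
        if address not in network:
            entry["findings"].append(f"{address} is outside pool {network}")
        if low <= address <= high:
            entry["findings"].append(f"{address} is inside the excluded range")
        # The server installs an ARP entry for the lease; its MAC should be the
        # one embedded in the client-id when that id is Ethernet-derived.
        expected = client_id_to_mac(client_id)
        seen = arp.get(entry["leased"])
        if expected is not None and seen != expected:
            entry["findings"].append(
                f"ARP entry {seen} does not match client-id MAC {expected}")
    return clients


if __name__ == "__main__":
    report = audit_dhcp_debug(DEBUG_LOG, "100.1.1.0/24", "100.1.1.1", "100.1.1.20")
    for client_id, entry in report.items():
        print(client_id, " -> ".join(entry["sequence"]), entry["leased"],
              entry["findings"] or "ok")
```

For the guide's capture the sequence is REQUEST, NAK, DISCOVER, OFFER, REQUEST, ACK: the PC first asks to renew an address from another subnet, is refused, and then obtains 100.1.1.21, the first address after the excluded range.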


InterVLAN Routing with HSRP on L3 Switches

Objectives:
Configure InterVLAN routing using HSRP for redundancy and fault tolerance (on the DG).

VLAN  HSRP GW Address
1     1.1.1.1/24
10    10.0.0.1/24
20    20.0.0.1/24
30    30.0.0.1/24
40    40.0.0.0/24

Configure EtherChannel as shown in the figure. Use LACP. Use 802.1q as the trunking protocol.

DLS1
default interface range fastEthernet 0/2-7

interface range fastEthernet 0/2-3
 channel-group 1 mode active

interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,20,30,40
 switchport mode trunk

interface range fastEthernet 0/4-5
 channel-group 2 mode active


interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,20,30,40
 switchport mode trunk

interface range fastEthernet 0/6-7
 channel-group 3 mode active

interface Port-channel3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,20,30,40
 switchport mode trunk

DLS2
default interface range fastEthernet 0/2-7

interface range fastEthernet 0/2-3
 channel-group 1 mode active

interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,20,30,40
 switchport mode trunk

interface range fastEthernet 0/4-5
 channel-group 2 mode active

interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,20,30,40
 switchport mode trunk

interface range fastEthernet 0/6-7
 channel-group 3 mode active

interface Port-channel3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10,20,30,40
 switchport mode trunk

DLS2#show etherchannel 3 summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
Number of channel-groups in use: 3
Number of aggregators:           3

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------


3      Po3(SU)         LACP      Fa0/6(P)    Fa0/7(P)

ALS1
default interface range fastEthernet 0/2-7

interface range fastEthernet 0/2-3
 channel-group 1 mode active

interface Port-channel1
 switchport trunk allowed vlan 1,10,20,30,40
 switchport mode trunk

interface range fastEthernet 0/4-5
 channel-group 2 mode active

interface Port-channel2
 switchport trunk allowed vlan 1,10,20,30,40
 switchport mode trunk

interface range fastEthernet 0/6-7
 channel-group 3 mode active

interface Port-channel3
 switchport trunk allowed vlan 1,10,20,30,40
 switchport mode trunk

ALS1#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
Number of channel-groups in use: 3
Number of aggregators:           3
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Fa0/2(P)    Fa0/3(P)
2      Po2(SU)         LACP      Fa0/4(P)    Fa0/5(P)
3      Po3(SD)         LACP      Fa0/6(I)    Fa0/7(I)

ALS2
default interface range fastEthernet 0/2-7

interface range fastEthernet 0/2-3
 channel-group 1 mode active

interface Port-channel1
 switchport trunk allowed vlan 1,10,20,30,40
 switchport mode trunk


interface range fastEthernet 0/4-5
 channel-group 2 mode active

interface Port-channel2
 switchport trunk allowed vlan 1,10,20,30,40
 switchport mode trunk

interface range fastEthernet 0/6-7
 channel-group 3 mode active

interface Port-channel3
 switchport trunk allowed vlan 1,10,20,30,40
 switchport mode trunk

ALS2#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 3
Number of aggregators:           3

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)       LACP        Fa0/2(P)  Fa0/3(P)
2      Po2(SU)       LACP        Fa0/4(P)  Fa0/5(P)
3      Po3(SU)       LACP        Fa0/6(P)  Fa0/7(P)

DLS1#sh interfaces trunk
Port        Mode         Encapsulation  Status        Native vlan
Po1         on           802.1q         trunking      1
Po2         on           802.1q         trunking      1
Po3         on           802.1q         trunking      1

Port        Vlans allowed on trunk
Po1         1,10,20,30,40
Po2         1,10,20,30,40
Po3         1,10,20,30,40

Port        Vlans allowed and active in management domain
Po1         1
Po2         1
Po3         1

Port        Vlans in spanning tree forwarding state and not pruned
Po1         none
Po2         1
Po3         none

Configure DLS2, ALS1 and ALS2 in VTP client mode.

On DLS1 use the VTP domain duoc.cl, and create the VLANs shown in the figure with their corresponding names. Verify that all VLANs are visible on every switch.

DLS2
vtp mode client

ALS1
vtp mode client

ALS2
vtp mode client

ALS2#show vtp status
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 255
Number of existing VLANs        : 5
VTP Operating Mode              : Client
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

DLS1
vtp domain duoc.cl

vlan 10
 name CONTROL

vlan 20
 name RRHH

vlan 30
 name SMTP

vlan 40
 name WWW

DLS1#sh vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
10   CONTROL                          active
20   RRHH                             active
30   SMTP                             active
40   WWW                              active

ALS2#sh vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
10   CONTROL                          active
20   RRHH                             active
30   SMTP                             active
40   WWW                              active

ALS1#show vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
10   CONTROL                          active
20   RRHH                             active
30   SMTP                             active
40   WWW                              active

DLS2#show vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
10   CONTROL                          active
20   RRHH                             active
30   SMTP                             active
40   WWW                              active

Configure the access ports on each switch with their corresponding VLAN. These ports must not go through the STP transition states (Listening, Learning, ...).

DLS1
interface FastEthernet0/1
 switchport access vlan 30
 switchport mode access
 spanning-tree portfast

DLS2
interface FastEthernet0/1
 switchport access vlan 40
 switchport mode access
 spanning-tree portfast

ALS1
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast

ALS2
interface FastEthernet0/1
 switchport access vlan 20
 switchport mode access
 spanning-tree portfast

Configure the hosts according to the addressing shown. Only two examples are included below: the VLAN 10 access port and the VLAN 40 access port.

InterVLANs

Provide end-to-end connectivity between VLANs. Create the SVIs that will be used as the default gateway (D-GW).

DLS1
ip routing

interface Vlan10
 ip address 10.0.0.1 255.255.255.0

interface Vlan20
 ip address 20.0.0.1 255.255.255.0

interface Vlan30
 ip address 30.0.0.1 255.255.255.0

interface Vlan40
 ip address 40.0.0.1 255.255.255.0

DLS2
ip routing

interface Vlan10
 ip address 10.0.0.2 255.255.255.0

interface Vlan20
 ip address 20.0.0.2 255.255.255.0

interface Vlan30
 ip address 30.0.0.2 255.255.255.0

interface Vlan40
 ip address 40.0.0.2 255.255.255.0

Test connectivity to the SVI interfaces and then between sites. Disable the firewall on the PCs or create an exception.

Server WWW
C:\>ipconfig

Configuración IP de Windows

Adaptador Ethernet Conexión de área local :

        Estado de los medios. . . .: medios desconectados

Adaptador Ethernet Conexión de área local :

        Sufijo de conexión específica DNS :
        Dirección IP. . . . . . . . . . . : 40.0.0.10
        Máscara de subred . . . . . . . . : 255.255.255.0
        Puerta de enlace predeterminada : 40.0.0.1

C:\>ping 10.0.0.1
Haciendo ping a 10.0.0.1 con 32 bytes de datos:
Respuesta desde 10.0.0.1: bytes=32 tiempo=23ms TTL=255
Respuesta desde 10.0.0.1: bytes=32 tiempo=1ms TTL=255
Respuesta desde 10.0.0.1: bytes=32 tiempo=2ms TTL=255
Respuesta desde 10.0.0.1: bytes=32 tiempo=6ms TTL=255
Estadísticas de ping para 10.0.0.1:
    Paquetes: enviados = 4, recibidos = 4, perdidos = 0 (0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 1ms, Máximo = 23ms, Media = 8ms

C:\>ping 20.0.0.1
Haciendo ping a 20.0.0.1 con 32 bytes de datos:
Respuesta desde 20.0.0.1: bytes=32 tiempo=1ms TTL=255
Respuesta desde 20.0.0.1: bytes=32 tiempo=2ms TTL=255
Respuesta desde 20.0.0.1: bytes=32 tiempo<1m TTL=255
Respuesta desde 20.0.0.1: bytes=32 tiempo=2ms TTL=255
Estadísticas de ping para 20.0.0.1:
    Paquetes: enviados = 4, recibidos = 4, perdidos = 0 (0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 0ms, Máximo = 2ms, Media = 1ms

C:\>ping 30.0.0.1
Haciendo ping a 30.0.0.1 con 32 bytes de datos:
Respuesta desde 30.0.0.1: bytes=32 tiempo=2ms TTL=255
Respuesta desde 30.0.0.1: bytes=32 tiempo=2ms TTL=255
Respuesta desde 30.0.0.1: bytes=32 tiempo=1ms TTL=255
Respuesta desde 30.0.0.1: bytes=32 tiempo=6ms TTL=255
Estadísticas de ping para 30.0.0.1:
    Paquetes: enviados = 4, recibidos = 4, perdidos = 0 (0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 1ms, Máximo = 6ms, Media = 2ms

C:\>ping 40.0.0.1
Haciendo ping a 40.0.0.1 con 32 bytes de datos:
Respuesta desde 40.0.0.1: bytes=32 tiempo=1ms TTL=255
Respuesta desde 40.0.0.1: bytes=32 tiempo=2ms TTL=255
Respuesta desde 40.0.0.1: bytes=32 tiempo<1m TTL=255
Respuesta desde 40.0.0.1: bytes=32 tiempo=1ms TTL=255
Estadísticas de ping para 40.0.0.1:
    Paquetes: enviados = 4, recibidos = 4, perdidos = 0 (0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
    Mínimo = 0ms, Máximo = 2ms, Media = 1ms

PC CONTROL
C:\>ipconfig

Configuración IP de Windows

Adaptador Ethernet Conexión de área local :

        Estado de los medios. . . .: medios desconectados

Adaptador Ethernet Conexión de área local :

        Sufijo de conexión específica DNS :
        Dirección IP. . . . . . . . . . . : 10.0.0.10
        Máscara de subred . . . . . . . . : 255.255.255.0
        Puerta de enlace predeterminada : 10.0.0.1

C:\>ping 10.0.0.10 -t
Haciendo ping a 10.0.0.10 con 32 bytes de datos:
Respuesta desde 10.0.0.10: bytes=32 tiempo=1ms TTL=127
Respuesta desde 10.0.0.10: bytes=32 tiempo<1m TTL=127
Respuesta desde 10.0.0.10: bytes=32 tiempo<1m TTL=127
Respuesta desde 10.0.0.10: bytes=32 tiempo<1m TTL=127
Respuesta desde 10.0.0.10: bytes=32 tiempo<1m TTL=127
Respuesta desde 10.0.0.10: bytes=32 tiempo<1m TTL=127
Respuesta desde 10.0.0.10: bytes=32 tiempo<1m TTL=127
Respuesta desde 10.0.0.10: bytes=32 tiempo<1m TTL=127

HSRP

DLS1 must hold the HSRP active role for VLANs 1, 10 and 20. Modify the HSRP priority on the corresponding interfaces. Each HSRP virtual IP must use .100/24 as its fourth octet.

DLS2 must hold the HSRP active role for VLANs 30 and 40. Modify the HSRP priority on the corresponding interfaces. Each HSRP virtual IP must use .100/24 as its fourth octet.

DLS1
interface Vlan1
 ip address 1.1.1.1 255.255.255.0
 standby 1 ip 1.1.1.100
 standby 1 priority 101
 standby 1 preempt

interface Vlan10
 ip address 10.0.0.1 255.255.255.0
 standby 1 ip 10.0.0.100
 standby 1 priority 101
 standby 1 preempt

interface Vlan20
 ip address 20.0.0.1 255.255.255.0
 standby 1 ip 20.0.0.100
 standby 1 priority 101
 standby 1 preempt

interface Vlan30
 ip address 30.0.0.1 255.255.255.0
 standby 1 ip 30.0.0.100
 standby 1 priority 100
 standby 1 preempt

interface Vlan40
 ip address 40.0.0.1 255.255.255.0
 standby 1 ip 40.0.0.100
 standby 1 priority 100
 standby 1 preempt

DLS1#sh standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl1         1    101 P Active  local           unknown         1.1.1.100
Vl10        1    101 P Active  local           unknown         10.0.0.100
Vl20        1    101 P Active  local           unknown         20.0.0.100
Vl30        1    100 P Active  local           unknown         30.0.0.100
Vl40        1    100 P Active  local           unknown         40.0.0.100

DLS2
interface Vlan1
 standby 1 ip 1.1.1.100
 standby 1 priority 100
 standby 1 preempt

interface Vlan10
 standby 1 ip 10.0.0.100
 standby 1 priority 100
 standby 1 preempt

interface Vlan20
 standby 1 ip 20.0.0.100
 standby 1 priority 100
 standby 1 preempt

interface Vlan30
 standby 1 ip 30.0.0.100
 standby 1 priority 101
 standby 1 preempt

interface Vlan40
 standby 1 ip 40.0.0.100
 standby 1 priority 101
 standby 1 preempt

DLS1
*Mar 1 05:59:39.701: %HSRP-5-STATECHANGE: Vlan30 Grp 1 state Active -> Speak
*Mar 1 05:59:39.919: %HSRP-5-STATECHANGE: Vlan40 Grp 1 state Active -> Speak
*Mar 1 05:59:50.581: %HSRP-5-STATECHANGE: Vlan40 Grp 1 state Speak -> Standby
*Mar 1 05:59:50.883: %HSRP-5-STATECHANGE: Vlan30 Grp 1 state Speak -> Standby

DLS1#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl1         1    101 P Active  local           1.1.1.2         1.1.1.100
Vl10        1    101 P Active  local           10.0.0.2        10.0.0.100
Vl20        1    101 P Active  local           20.0.0.2        20.0.0.100
Vl30        1    100 P Standby 30.0.0.2        local           30.0.0.100
Vl40        1    100 P Standby 40.0.0.2        local           40.0.0.100

DLS1#sh standby
Vlan1 - Group 1
  State is Active
    2 state changes, last state change 00:24:00
  Virtual IP address is 1.1.1.100
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.048 secs
  Preemption enabled
  Active router is local
  Standby router is 1.1.1.2, priority 100 (expires in 10.112 sec)
  Priority 101 (configured 101)
  Group name is "hsrp-Vl1-1" (default)
Vlan10 - Group 1
  State is Active
    2 state changes, last state change 00:20:47
  Virtual IP address is 10.0.0.100
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.416 secs
  Preemption enabled
  Active router is local
  Standby router is 10.0.0.2, priority 100 (expires in 9.664 sec)
  Priority 101 (configured 101)
  Group name is "hsrp-Vl10-1" (default)
Vlan20 - Group 1
  State is Active
    2 state changes, last state change 00:20:48
  Virtual IP address is 20.0.0.100
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.368 secs
  Preemption enabled
  Active router is local
  Standby router is 20.0.0.2, priority 100 (expires in 8.144 sec)
  Priority 101 (configured 101)
  Group name is "hsrp-Vl20-1" (default)
Vlan30 - Group 1
  State is Standby
    4 state changes, last state change 00:11:23
  Virtual IP address is 30.0.0.100
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.664 secs
  Preemption enabled
  Active router is 30.0.0.2, priority 101 (expires in 9.888 sec)
  Standby router is local
  Priority 100 (default 100)
  Group name is "hsrp-Vl30-1" (default)
Vlan40 - Group 1
  State is Standby
    4 state changes, last state change 00:11:24
  Virtual IP address is 40.0.0.100
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.464 secs
  Preemption enabled
  Active router is 40.0.0.2, priority 101 (expires in 8.576 sec)
  Standby router is local
  Priority 100 (default 100)
  Group name is "hsrp-Vl40-1" (default)

HSRP using Routers

Pre LAB

Build the lab shown in the diagram.

The base/initial configurations must be loaded before continuing with the lab.

Establish connectivity between the sites using static routing.
R1 must point to the gateway 172.16.1.100 (virtual IP).
R6 must point to the gateway 172.16.2.100 (virtual IP).

Site 1

R1
ip route 0.0.0.0 0.0.0.0 172.16.1.100

R2
ip route 100.1.1.1 255.255.255.255 172.16.1.1
ip route 172.16.2.0 255.255.255.0 10.1.24.4
ip route 100.6.6.6 255.255.255.255 10.1.24.4

R3
ip route 100.1.1.1 255.255.255.255 172.16.1.1
ip route 172.16.2.0 255.255.255.0 10.1.35.5
ip route 100.6.6.6 255.255.255.255 10.1.35.5

Site 2

R6
ip route 0.0.0.0 0.0.0.0 172.16.2.100

R4
ip route 100.6.6.6 255.255.255.255 172.16.2.6
ip route 172.16.1.0 255.255.255.0 10.1.24.2
ip route 100.1.1.1 255.255.255.255 10.1.24.2

R5
ip route 100.6.6.6 255.255.255.255 172.16.2.6
ip route 172.16.1.0 255.255.255.0 10.1.35.3
ip route 100.1.1.1 255.255.255.255 10.1.35.3

R2#sh ip route static
     100.0.0.0/32 is subnetted, 2 subnets
S       100.6.6.6 [1/0] via 10.1.24.4
S       100.1.1.1 [1/0] via 172.16.1.1
     172.16.0.0/24 is subnetted, 2 subnets
S       172.16.2.0 [1/0] via 10.1.24.4

Configure R2 as the HSRP active router and R3 as backup (STANDBY).
Configure R4 as the HSRP active router and R5 as backup (STANDBY).

A backup router must take the active role if:
The Frame-Relay link on the active router has no line signal (L2).
The active router stops working.

Site 1

On the HSRP routers we define the address that R1 will use as its gateway. We change the priority on both R2 and R3; what matters is that R2 always has the higher priority number, because priority defines the roles in an HSRP domain.

Keep in mind that HSRP supports preempt: if an HSRP router with a higher priority joins the network segment, that device takes over the active role even if another router already holds it.

R2
interface FastEthernet0/0
 standby 10 ip 172.16.1.100
 standby 10 priority 101
 standby 10 preempt

R3
interface FastEthernet0/0
 standby 10 ip 172.16.1.100
 standby 10 priority 95
 standby 10 preempt

R3#debug standby events
HSRP Events debugging is on
*May 16 17:43:10.843: HSRP: Fa0/0 Interface up
*May 16 17:43:10.847: HSRP: Fa0/0 Starting minimum interface delay (1 secs)
*May 16 17:43:11.847: HSRP: Fa0/0 Interface min delay expired
*May 16 17:43:11.847: HSRP: Fa0/0 Grp 10 Init: a/HSRP enabled
*May 16 17:43:11.851: HSRP: Fa0/0 Grp 10 Init -> Listen
*May 16 17:43:11.855: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Init -> Backup
*May 16 17:43:21.851: HSRP: Fa0/0 Grp 10 Listen: c/Active timer expired (unknown)
*May 16 17:43:21.855: HSRP: Fa0/0 Grp 10 Listen -> Speak
*May 16 17:43:21.855: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Backup -> Speak
*May 16 17:43:22.779: HSRP: Fa0/0 Grp 10 Speak: f/Hello rcvd from higher pri Speak router (101/172.16.1.2)
*May 16 17:43:22.783: HSRP: Fa0/0 Grp 10 Speak -> Listen
*May 16 17:43:22.787: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Speak -> Backup

We verify that R2 is the active router and R3 the backup:

R2#show standby
FastEthernet0/0 - Group 10
  State is Active
    2 state changes, last state change 00:55:27
  Virtual IP address is 172.16.1.100
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.744 secs
  Preemption enabled
  Active router is local
  Standby router is 172.16.1.3, priority 95 (expires in 10.112 sec)
  Priority 101 (configured 101)
  Group name is "hsrp-Fa0/0-10" (default)

R3#show standby
FastEthernet0/0 - Group 10
  State is Standby
    1 state change, last state change 00:55:55
  Virtual IP address is 172.16.1.100
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.320 secs
  Preemption enabled
  Active router is 172.16.1.2, priority 101 (expires in 8.272 sec)
  Standby router is local
  Priority 95 (configured 95)
  Group name is "hsrp-Fa0/0-10" (default)

Site 2

R4
interface FastEthernet0/0
 standby 10 ip 172.16.2.100
 standby 10 priority 101
 standby 10 preempt

R5
interface FastEthernet0/0
 standby 10 ip 172.16.2.100
 standby 10 priority 95
 standby 10 preempt

R4#show debugging
HSRP:
  HSRP Events debugging is on

*May 16 17:51:42.043: HSRP: Fa0/0 API 172.16.2.4 is not an HSRP address
*May 16 17:51:42.159: HSRP: Fa0/0 API 172.16.2.100 is not an HSRP address
*May 16 17:51:42.163: HSRP: Fa0/0 Grp 10 Disabled -> Init
*May 16 17:51:42.163: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Disabled -> Init
*May 16 17:51:42.211: HSRP: Fa0/0 Grp 10 Priority 100 -> 101
*May 16 17:51:52.179: HSRP: Fa0/0 Interface up
*May 16 17:51:52.183: HSRP: Fa0/0 Starting minimum interface delay (1 secs)
*May 16 17:51:53.179: HSRP: Fa0/0 Interface min delay expired
*May 16 17:51:53.179: HSRP: Fa0/0 Grp 10 Init: a/HSRP enabled
*May 16 17:51:53.183: HSRP: Fa0/0 Grp 10 Init -> Listen
*May 16 17:51:53.183: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Init -> Backup
*May 16 17:52:03.183: HSRP: Fa0/0 Grp 10 Listen: c/Active timer expired (unknown)
*May 16 17:52:03.187: HSRP: Fa0/0 Grp 10 Listen -> Speak
*May 16 17:52:03.187: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Backup -> Speak
*May 16 17:52:13.187: HSRP: Fa0/0 Grp 10 Speak: d/Standby timer expired (unknown)
*May 16 17:52:13.191: HSRP: Fa0/0 Grp 10 Standby router is local
*May 16 17:52:13.191: HSRP: Fa0/0 Grp 10 Speak -> Standby
*May 16 17:52:13.195: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Speak -> Standby
*May 16 17:52:13.195: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Speak -> Standby
*May 16 17:52:13.687: HSRP: Fa0/0 Grp 10 Standby: c/Active timer expired (unknown)
*May 16 17:52:13.691: HSRP: Fa0/0 Grp 10 Active router is local
*May 16 17:52:13.691: HSRP: Fa0/0 Grp 10 Standby router is unknown, was local
*May 16 17:52:13.695: HSRP: Fa0/0 Grp 10 Standby -> Active
*May 16 17:52:13.695: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Standby -> Active
*May 16 17:52:13.699: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Standby -> Active
*May 16 17:52:16.707: HSRP: Fa0/0 Grp 10 Redundancy group hsrp-Fa0/0-10 state Active -> Active
*May 16 17:52:19.711: HSRP: Fa0/0 Grp 10 Redundancy group hsrp-Fa0/0-10 state Active -> Active

R4#show standby
FastEthernet0/0 - Group 10
  State is Active
    2 state changes, last state change 01:04:37
  Virtual IP address is 172.16.2.100
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.048 secs
  Preemption enabled
  Active router is local
  Standby router is 172.16.2.5, priority 95 (expires in 10.112 sec)
  Priority 101 (configured 101)
  Group name is "hsrp-Fa0/0-10" (default)

R5#show standby
FastEthernet0/0 - Group 10
  State is Standby
    1 state change, last state change 01:04:40
  Virtual IP address is 172.16.2.100
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.896 secs
  Preemption enabled
  Active router is 172.16.2.4, priority 101 (expires in 9.920 sec)
  Standby router is local
  Priority 95 (configured 95)
  Group name is "hsrp-Fa0/0-10" (default)

We check which path the packets take by running a trace from R1 to R6 and from R6 to R1.

R1#traceroute 172.16.2.6 probe 1
Type escape sequence to abort.
Tracing the route to 172.16.2.6

  1 172.16.1.2 32 msec
  2 10.1.24.4 88 msec
  3 172.16.2.6 128 msec

R6#traceroute 100.1.1.1 probe 1
Type escape sequence to abort.
Tracing the route to 100.1.1.1

  1 172.16.2.4 36 msec
  2 10.1.24.2 104 msec
  3 172.16.1.1 120 msec

Keep in mind that we should not set just any number as the priority (this applies to both VRRP and HSRP). It must be consistent with the decrement value. For example, if R2 with priority 100 loses signal on the FR link, it lowers its priority by 10. If R3 is configured with an HSRP priority of 90, a problem arises (both routers have the same priority): the HSRP process picks the router with the higher IP address as active, and that may happen to be the very router that should move to Standby. To avoid this, set relatively close numbers, for example 101 for the active router and 95 for the backup router; if the active router goes down its priority drops to 91, and the backup with 95 immediately takes the active role.

A backup router must take the active role if:
The Frame-Relay link on the active router has no line signal (L2).
The active router stops working.

To test the Frame-Relay link we can use the track command as shown below. If the line protocol is down, R2 lowers its priority by 10 and lets R3 take the active role. Recall that R2's priority is 101; minus 10 gives 91, against R3, which was configured with priority 95.

Site 1

R2
track 23 interface Serial1/0 line-protocol

interface FastEthernet0/0
 standby 10 track 23 decrement 10

R3
track 23 interface Serial1/0 line-protocol

interface FastEthernet0/0
 standby 10 track 23 decrement 10

R2#show standby
FastEthernet0/0 - Group 10
  State is Active
    2 state changes, last state change 00:18:33
  Virtual IP address is 172.16.1.100
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.276 secs
  Preemption enabled
  Active router is local
  Standby router is 172.16.1.3, priority 95 (expires in 7.956 sec)
  Priority 101 (configured 101)
    Track object 23 state Up decrement 10
  IP redundancy name is "hsrp-Fa0/0-10" (default)

R3#show standby
FastEthernet0/0 - Group 10
  State is Standby
    1 state change, last state change 00:18:31
  Virtual IP address is 172.16.1.100
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.296 secs
  Preemption enabled
  Active router is 172.16.1.2, priority 101 (expires in 9.644 sec)
  Standby router is local
  Priority 95 (configured 95)
    Track object 23 state Up decrement 10
  IP redundancy name is "hsrp-Fa0/0-10" (default)

Site 2

R4
track 45 interface Serial1/0 line-protocol

interface FastEthernet0/0
 standby 10 track 45 decrement 10

R5
track 45 interface Serial1/0 line-protocol

interface FastEthernet0/0
 standby 10 track 45 decrement 10

R4#show standby
FastEthernet0/0 - Group 10
  State is Active
    2 state changes, last state change 00:11:01
  Virtual IP address is 172.16.2.100
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.808 secs
  Preemption enabled
  Active router is local
  Standby router is 172.16.2.5, priority 95 (expires in 7.320 sec)
  Priority 101 (configured 101)
    Track object 45 state Up decrement 10
  IP redundancy name is "hsrp-Fa0/0-10" (default)

R5#show standby
FastEthernet0/0 - Group 10
  State is Standby
    1 state change, last state change 00:10:57
  Virtual IP address is 172.16.2.100
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.780 secs
  Preemption enabled
  Active router is 172.16.2.4, priority 101 (expires in 8.312 sec)
  Standby router is local
  Priority 95 (configured 95)
    Track object 45 state Up decrement 10
  IP redundancy name is "hsrp-Fa0/0-10" (default)

To check how this scheme works, we shut down the serial interface on R2 and verify the priority change on R2.

R2(config)#interface serial 1/0
R2(config-if)#shutdown

R2#show standby
FastEthernet0/0 - Group 10
  State is Speak
    3 state changes, last state change 00:00:06
  Virtual IP address is 172.16.1.100
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.748 secs
  Preemption enabled
  Active router is 172.16.1.3, priority 95 (expires in 9.824 sec)
  Standby router is unknown
  Priority 91 (configured 101)
    Track object 23 state Down decrement 10
  IP redundancy name is "hsrp-Fa0/0-10" (default)
R2#
*May 16 18:04:40.735: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Speak -> Standby

R3#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp Prio P State    Active          Standby         Virtual IP
Fa0/0       10  95   P Active   local           172.16.1.2      172.16.1.100

Despite all these efforts, the expected behaviour does not occur: R1 loses connectivity with R6.
The reason is that certain L2 technologies such as Frame-Relay are locally significant and only need to maintain the connection with the local FR switch; in our case, R2's serial interface is down. Recall that R4 keeps polling its line protocol locally but does not decrement its priority.

R1#ping 100.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.6.6.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#show ip int brief serial 1/0
Interface      IP-Address      OK? Method Status                Protocol
Serial1/0      10.1.24.2       YES manual administratively down down

R4 is unaware that there is a problem on the link, because the interface connecting R4 to the Frame-Relay switch is UP:

R4#show ip int brief serial 1/0
Interface      IP-Address      OK? Method Status                Protocol
Serial1/0      10.1.24.4       YES manual up                    up

R2#show standby all brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       10   91  P Standby 172.16.1.3      local           172.16.1.100

R3#show standby all brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       10   95  P Active  local           172.16.1.2      172.16.1.100

Because R2 tests the link and immediately notices that interface serial 1/0 is down, it becomes the HSRP Standby in Site 1. The same does not happen in Site 2, however, and R4 keeps acting as the active router despite having no connectivity with R2. We can solve this problem with an interior routing protocol (IGP) that generates keepalives, or by generating keepalives artificially with IP SLA, as we will see later.

If we bring R2's serial interface back up we will see the preempt behaviour. Tracking now finds that the serial interface is UP. R2 advertises itself with an HSRP priority of 101, which is higher than R3's 95, and becomes the active router again.

R2(config)#interface serial 1/0
R2(config-if)#no shutdown

R2#show standby all brief
                     P indicates configured to preempt.
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       10   101 P Active  local           172.16.1.3      172.16.1.100

To fix the problem and keep connectivity between the sites we can use a combination of IP SLA and tracking. In this section IP SLA lets us probe our neighbours' serial interfaces, that is, the activity across the whole FR link.
The way SLA is configured varies between platforms. The one presented here corresponds to IOS 12.4(20)T.

R2
ip sla 10
 icmp-echo 10.1.24.4
 frequency 5
ip sla schedule 10 life forever start-time now

track 10 ip sla 10 reachability

interface FastEthernet0/0
 standby 10 preempt delay minimum 1
 standby 10 track 10 decrement 10

R3
ip sla 10
 icmp-echo 10.1.35.5
 frequency 5
ip sla schedule 10 life forever start-time now

track 10 ip sla 10 reachability

interface FastEthernet0/0
 standby 10 preempt delay minimum 1
 standby 10 track 10 decrement 10

R4
ip sla 10
 icmp-echo 10.1.24.2
 frequency 5
ip sla schedule 10 life forever start-time now

track 10 ip sla 10 reachability

interface FastEthernet0/0
 standby 10 preempt delay minimum 1
 standby 10 track 10 decrement 10

R5
ip sla 10
 icmp-echo 10.1.35.3
 frequency 5
ip sla schedule 10 life forever start-time now

track 10 ip sla 10 reachability

interface FastEthernet0/0
 standby 10 preempt delay minimum 1
 standby 10 track 10 decrement 10

R2(config-if)#int s1/0
R2(config-if)#shutdown
R2(config-if)#%TRACKING-5-STATE: 23 interface Se1/0 line-protocol Up->Down
R2(config-if)#%LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down
R2(config-if)#%ENTITY_ALARM-6-INFO: ASSERT INFO Se1/0 Physical Port Administrative State Down
R2(config-if)#%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Active -> Speak
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
R2(config-if)#%TRACKING-5-STATE: 10 ip sla 10 reachability Up->Down
R2(config-if)#%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Speak -> Standby

As we can see, R2 and R4 change state from Active to Standby. R3 and R5 change state from Standby to Active. This is the desired behaviour.

R2#show standby
FastEthernet0/0 - Group 10
  State is Standby
    9 state changes, last state change 00:01:56
  Virtual IP address is 172.16.1.100
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.904 secs
  Preemption enabled, delay min 1 secs
  Active router is 172.16.1.3, priority 95 (expires in 10.896 sec)
  Standby router is local
  Priority 81 (configured 101)
    Track object 10 state Down decrement 10
  Group name is "hsrp-Fa0/0-10" (default)

R3#show standby all brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       10   95  P Active  local           172.16.1.2      172.16.1.100

R4#show standby all brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       10   91  P Standby 172.16.2.5      local           172.16.2.100

R5#show standby all brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       10   95  P Active  local           172.16.2.4      172.16.2.100
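The priority arithmetic behind these outputs, as an added example that is not part of the original guide: a simplified Python model of HSRP role selection with tracked objects. It reproduces R2's priority of 91 with line-protocol tracking only (R4 stays active), then 81 on R2 and 91 on R4 once the IP SLA track is added, and it flags the tie the guide warns about. Assumptions: every router has preempt enabled, ties go to the higher IP address as the guide states, and `Router`, `elect`, `audit` and `r2_serial_shut` are names invented for this example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class Router:
    name: str
    ip: str                    # address on the HSRP segment
    configured: int = 100      # "standby <grp> priority"; IOS default is 100
    alive: bool = True
    # track object id -> (decrement, is_up),
    # from "standby <grp> track <id> decrement <n>"
    tracks: dict = field(default_factory=dict)

    def priority(self) -> int:
        """Configured priority minus the decrement of every tracked object that is Down."""
        lost = sum(dec for dec, up in self.tracks.values() if not up)
        return max(self.configured - lost, 0)


def elect(routers):
    """Name of the active router once the group settles.

    Assumption: preempt is enabled on every router (as in the guide's configs),
    so the best-ranked live router ends up active; equal priorities are
    decided by the higher IP address, as the guide states.
    """
    alive = [r for r in routers if r.alive]
    if not alive:
        return None
    return max(alive, key=lambda r: (r.priority(), int(IPv4Address(r.ip)))).name


def audit(active, backup):
    """For each tracked object on the intended active router, report what
    happens if only that object goes Down while the backup stays healthy."""
    findings = {}
    for track_id, (dec, _up) in active.tracks.items():
        after = active.configured - dec
        if after < backup.configured:
            findings[track_id] = "failover"
        elif after == backup.configured:
            findings[track_id] = "tie"          # decided by IP address, not by design
        else:
            findings[track_id] = "no-failover"  # decrement too small
    return findings


def r2_serial_shut(ip_sla: bool):
    """Constructed scenario from the guide: Serial1/0 on R2 is shut down.

    R2 loses its line protocol (track 23) and, when IP SLA is configured,
    its probe to R4 (track 10). R4's own serial stays up (track 45); only
    its IP SLA probe towards 10.1.24.2 fails.
    """
    def tracks(line_id, line_up, sla_up):
        t = {line_id: (10, line_up)}
        if ip_sla:
            t[10] = (10, sla_up)
        return t

    r2 = Router("R2", "172.16.1.2", 101, tracks=tracks(23, False, False))
    r3 = Router("R3", "172.16.1.3", 95, tracks=tracks(23, True, True))
    r4 = Router("R4", "172.16.2.4", 101, tracks=tracks(45, True, False))
    r5 = Router("R5", "172.16.2.5", 95, tracks=tracks(45, True, True))
    return {
        "priority": {r.name: r.priority() for r in (r2, r3, r4, r5)},
        "site1_active": elect([r2, r3]),
        "site2_active": elect([r4, r5]),
    }


if __name__ == "__main__":
    print("line-protocol tracking only:", r2_serial_shut(ip_sla=False))
    print("with IP SLA tracking:       ", r2_serial_shut(ip_sla=True))
    # The guide's counter-example: 100 on the active router, 90 on the backup.
    risky = Router("R2", "172.16.1.2", 100, tracks={23: (10, True)})
    print("audit 100/90, decrement 10: ", audit(risky, Router("R3", "172.16.1.3", 90)))
```

With line-protocol tracking only, the model leaves R4 active in Site 2 while R3 is active in Site 1, which is the mismatch that breaks the R1 to R6 path.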

We generate traffic again with a ping from R1 to R6. This time there is only a short delay, after which R3 acts as the gateway and R1 can reach R6.

R1#ping 172.16.2.6 repeat 10000
Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 172.16.2.6, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.........!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
Success rate is 88 percent (123/139), round-trip min/avg/max = 32/98/180 ms

R2#show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 10
        Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *22:38:46.546 UTC Wed Mar 17 2010
Latest operation return code: Timeout
Number of successes: 0
Number of failures: 177
Operation time to live: Forever

R3#show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 10
        Latest RTT: 52 milliseconds
Latest operation start time: *22:38:21.254 UTC Wed Mar 17 2010
Latest operation return code: OK
Number of successes: 347
Number of failures: 0
Operation time to live: Forever

R4#show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 10
        Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *22:39:16.122 UTC Wed Mar 17 2010
Latest operation return code: Timeout
Number of successes: 0
Number of failures: 177
Operation time to live: Forever

R5#show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 10
        Latest RTT: 32 milliseconds
Latest operation start time: *22:39:39.830 UTC Wed Mar 17 2010
Latest operation return code: OK
Number of successes: 357
Number of failures: 0
Operation time to live: Forever

We re-enable the R2/R4 link.

R2(config)#interface serial 1/0
R2(config-if)#no shutdown
R2(config-if)#
%TRACKING-5-STATE: 23 interface Se1/0 line-protocol Down->Up
R2(config-if)#
%LINK-3-UPDOWN: Interface Serial1/0, changed state to up
R2(config-if)#
%ENTITY_ALARM-6-INFO: CLEAR INFO Se1/0 Physical Port Administrative State Down
R2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
R2(config-if)#
%TRACKING-5-STATE: 10 ip sla 10 reachability Down->Up
R2#
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Standby -> Active

R1#traceroute 172.16.2.6
  1 172.16.1.2 84 msec 72 msec 28 msec
  2 10.1.24.4 76 msec 40 msec 72 msec
  3 172.16.2.6 120 msec *  100 msec

HSRP Load Balancing

Configure the addressing shown (including the broadcast network). Configure point-to-point Frame Relay between R1-R2 and R1-R3, following the addressing scheme shown in the figure.

R1
interface Serial1/0
 encapsulation frame-relay
 no shut

interface Serial1/0.12 point-to-point
 ip address 10.1.12.1 255.255.255.0
 frame-relay interface-dlci 102

interface Serial1/0.13 point-to-point
 ip address 10.1.13.1 255.255.255.0
 frame-relay interface-dlci 103

R2
interface Serial1/0
 encapsulation frame-relay
 no shut

interface Serial1/0.12 point-to-point
 ip address 10.1.12.2 255.255.255.0
 frame-relay interface-dlci 201

R3
interface Serial1/0
 encapsulation frame-relay
 no shut

interface Serial1/0.13 point-to-point
 ip address 10.1.13.3 255.255.255.0
 frame-relay interface-dlci 301

R1#show frame-relay map
Serial1/0.12 (up): point-to-point dlci, dlci 102(0x66,0x1860), broadcast
          status defined, active
Serial1/0.13 (up): point-to-point dlci, dlci 103(0x67,0x1870), broadcast
          status defined, active

R1#show frame-relay pvc | i STATUS
DLCI = 102, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial1/0.12
DLCI = 103, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial1/0.13

R1#ping 10.1.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/34/48 ms

R1#ping 10.1.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/40/60 ms

R2
interface FastEthernet0/0
 ip address 10.1.100.2 255.255.255.0
 no shut

R3
interface FastEthernet0/0
 ip address 10.1.100.3 255.255.255.0
 no shut

R4
interface FastEthernet0/0
 ip address 10.1.100.4 255.255.255.0
 no shut

R5
interface FastEthernet0/0
 ip address 10.1.100.5 255.255.255.0
 no shut

R4#ping 255.255.255.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:

Reply to request 0 from 10.1.100.5, 60 ms
Reply to request 0 from 10.1.100.2, 124 ms
Reply to request 0 from 10.1.100.3, 120 ms

On R1, configure a static route to the LAN 10.1.100.0/24 through R2. On R1, configure a static route to the LAN 10.1.100.0/24 through R3. On R2, configure a static route to IP 100.1.1.1. On R3, configure a static route to IP 100.1.1.1. R4 and R5 must create a default route pointing to the virtual IP 10.1.100.10.

R1
ip route 10.1.100.0 255.255.255.0 10.1.12.2
ip route 10.1.100.0 255.255.255.0 10.1.13.3

R2
ip route 100.1.1.1 255.255.255.255 10.1.12.1

R3
ip route 100.1.1.1 255.255.255.255 10.1.13.1

R4
ip route 0.0.0.0 0.0.0.0 10.1.100.10

R5
ip route 0.0.0.0 0.0.0.0 10.1.100.10

Configure HSRP so that R2 is the active router and R3 the standby router. Use virtual IP 10.1.100.10. Use group 1. R3 must keep its default priority.

Test connectivity from R4 and R5 to the virtual IP, then to IP 100.1.1.1. Use ping and traceroute.

R2
interface FastEthernet0/0
 standby 1 ip 10.1.100.10
 standby 1 priority 200

R3
interface FastEthernet0/0
 standby 1 ip 10.1.100.10

R2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    200   Active  local           10.1.100.3      10.1.100.10

R3#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100   Standby 10.1.100.2      local           10.1.100.10

R4#ping 100.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/43/88 ms

R4#traceroute 100.1.1.1 probe 1
Type escape sequence to abort.
Tracing the route to 100.1.1.1

  1 10.1.100.2 52 msec
  2 10.1.12.1 84 msec

R5#ping 100.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/101/204 ms

R5#traceroute 100.1.1.1 probe 1
Type escape sequence to abort.
Tracing the route to 100.1.1.1

  1 10.1.100.2 32 msec
  2 10.1.12.1 60 msec

Configure HSRP authentication between R2 and R3. Use the password duoc.com. Use the most secure method.

R2
key chain ZZTOP
 key 1
  key-string duoc.com

interface FastEthernet0/0
 standby 1 authentication md5 key-chain ZZTOP

R3
key chain ZZTOP
 key 1
  key-string duoc.com

interface FastEthernet0/0
 standby 1 authentication md5 key-chain ZZTOP

R2#show standby
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 00:38:57
  Virtual IP address is 10.1.100.10
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.144 secs
  Authentication MD5, key-chain "ZZTOP"
  Preemption disabled
  Active router is local
  Standby router is 10.1.100.3, priority 100 (expires in 9.600 sec)
  Priority 200 (configured 200)
  Group name is "hsrp-Fa0/0-1" (default)

R3 and R2 must take over the active role once the hold time has expired.

R2
interface FastEthernet0/0
 standby 1 preempt

R3
interface FastEthernet0/0
 standby 1 preempt

R2#show standby
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 00:45:45
  Virtual IP address is 10.1.100.10
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.528 secs
  Authentication MD5, key-chain "ZZTOP"
  Preemption enabled
  Active router is local
  Standby router is 10.1.100.3, priority 100 (expires in 8.704 sec)
  Priority 200 (configured 200)
  Group name is "hsrp-Fa0/0-1" (default)

Change the hello and hold-time intervals to 2 and 6 seconds respectively.

R2
interface FastEthernet0/0
 standby 1 timers 2 6

R3
interface FastEthernet0/0
 standby 1 timers 2 6

R2#show standby | include Hello
  Hello time 2 sec, hold time 6 sec

Create a new default gateway with the virtual IP 10.1.100.11. Use group 2. Configure R4 so that its default gateway is IP 10.1.100.11. R4 must use R3 to reach IP 100.1.1.1.

R2
interface FastEthernet0/0
 standby 2 ip 10.1.100.11
 standby 2 priority 95
 standby 2 preempt

R3
interface FastEthernet0/0
 standby 2 ip 10.1.100.11
 standby 2 priority 105
 standby 2 preempt

R2#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    200 P Active  local           10.1.100.3      10.1.100.10
Fa0/0       2    95  P Standby 10.1.100.3      local           10.1.100.11

R3#show standby brief
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    100 P Standby 10.1.100.2      local           10.1.100.10
Fa0/0       2    105 P Active  local           10.1.100.2      10.1.100.11

R4
no ip route 0.0.0.0 0.0.0.0 10.1.100.10
ip route 0.0.0.0 0.0.0.0 10.1.100.11

R4#traceroute 100.1.1.1 probe 1
Type escape sequence to abort.
Tracing the route to 100.1.1.1

  1 10.1.100.3 36 msec
  2 10.1.13.1 80 msec

R5#traceroute 100.1.1.1 probe 1
Type escape sequence to abort.
Tracing the route to 100.1.1.1

  1 10.1.100.2 64 msec
  2 10.1.12.1 52 msec

The routers must send HSRP traps to the NMS at address 172.16.1.1.

R2
snmp-server enable traps hsrp
snmp-server host 172.16.1.1 public hsrp

R3
snmp-server enable traps hsrp
snmp-server host 172.16.1.1 public hsrp

VRRP Using Routers

Pre-lab
Build the lab shown in the diagram.
The base/initial configurations must be loaded before continuing with the lab.

We will use load sharing.

Establish connectivity between the sites using static routing. R1 must point to the gateway 172.16.1.100 (virtual IP). R6 must point to the gateway 172.16.2.100 (virtual IP).

R1
ip route 0.0.0.0 0.0.0.0 172.16.1.100

R2
ip route 100.1.1.1 255.255.255.255 172.16.1.1
ip route 172.16.2.0 255.255.255.0 10.1.24.4
ip route 100.6.6.6 255.255.255.255 10.1.24.4

R3
ip route 100.1.1.1 255.255.255.255 172.16.1.1
ip route 172.16.2.0 255.255.255.0 10.1.35.5
ip route 100.6.6.6 255.255.255.255 10.1.35.5

Site 2

R6
ip route 0.0.0.0 0.0.0.0 172.16.2.100

R4
ip route 100.6.6.6 255.255.255.255 172.16.2.6
ip route 172.16.1.0 255.255.255.0 10.1.24.2
ip route 100.1.1.1 255.255.255.255 10.1.24.2

R5
ip route 100.6.6.6 255.255.255.255 172.16.2.6
ip route 172.16.1.0 255.255.255.0 10.1.35.3
ip route 100.1.1.1 255.255.255.255 10.1.35.3

Configure R2 as VRRP Master and R3 as Backup for IP address 172.16.1.100. Configure R4 as VRRP Master and R5 as Backup for IP address 172.16.2.100.

R2
interface FastEthernet0/0
 vrrp 10 ip 172.16.1.100
 vrrp 10 priority 150
 vrrp 10 preempt

R3
interface FastEthernet0/0
 vrrp 10 ip 172.16.1.100
 vrrp 10 priority 100
 vrrp 10 preempt

R2#show vrrp
FastEthernet0/0 - Group 10
  State is Master
  Virtual IP address is 172.16.1.100
  Virtual MAC address is 0000.5e00.010a
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 150
  Master Router is 172.16.1.2 (local), priority is 150
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.414 sec

R3#show vrrp
FastEthernet0/0 - Group 10
  State is Backup
  Virtual IP address is 172.16.1.100
  Virtual MAC address is 0000.5e00.010a
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 172.16.1.2, priority is 150
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 3.253 sec)

R4
interface FastEthernet0/0
 vrrp 10 ip 172.16.2.100
 vrrp 10 priority 150
 vrrp 10 preempt

R5
interface FastEthernet0/0
 vrrp 10 ip 172.16.2.100
 vrrp 10 priority 100
 vrrp 10 preempt

R4#show vrrp
FastEthernet0/0 - Group 10
  State is Master
  Virtual IP address is 172.16.2.100
  Virtual MAC address is 0000.5e00.010a
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 150
  Master Router is 172.16.2.4 (local), priority is 150
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.414 sec

R5#show vrrp
FastEthernet0/0 - Group 10
  State is Backup
  Virtual IP address is 172.16.2.100
  Virtual MAC address is 0000.5e00.010a
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
  Master Router is 172.16.2.4, priority is 150
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec (expires in 3.545 sec)

R1#ping 172.16.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/46/80 ms

R2 is the VRRP Master and is therefore the exit gateway for reaching R6.

R1#traceroute 172.16.2.6
Type escape sequence to abort.
Tracing the route to 172.16.2.6

  1 172.16.1.2 128 msec 64 msec 28 msec
  2 10.1.24.4 72 msec 60 msec 52 msec
  3 172.16.2.6 108 msec *  116 msec

A backup router must take over the active role if:
- the HDLC link on the active router loses line signal (L2), or
- the active router stops working.

This task requires the track command to determine the state of the serial interface. Note that the VRRP track decrement value is 10, which is not enough for the Backup router to take over the Master role. We change it to 60 on R2 and R4.

R2
track 10 interface Serial1/0 line-protocol
 carrier-delay

interface FastEthernet0/0
 vrrp 10 track 10 decrement 60

R3
track 10 interface Serial1/0 line-protocol
 carrier-delay

interface FastEthernet0/0
 vrrp 10 track 10

R4
track 10 interface Serial1/0 line-protocol
 carrier-delay

interface FastEthernet0/0
 vrrp 10 track 10 decrement 60

R5
track 10 interface Serial1/0 line-protocol
 carrier-delay

interface FastEthernet0/0
 vrrp 10 track 10

Verification

R2(config)#interface serial 1/0
R2(config-if)#shutdown
R2(config-if)#
%LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down
%ENTITY_ALARM-6-INFO: ASSERT INFO Se1/0 Physical Port Administrative State Down
R2(config-if)#
%TRACKING-5-STATE: 10 interface Se1/0 line-protocol Up->Down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
R2(config-if)#
%VRRP-6-STATECHANGE: Fa0/0 Grp 10 state Master -> Backup

R2#show vrrp
FastEthernet0/0 - Group 10
  State is Backup
  Virtual IP address is 172.16.1.100
  Virtual MAC address is 0000.5e00.010a
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 90 (cfgd 150)
    Track object 10 state Down decrement 60
  Master Router is 172.16.1.3, priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.414 sec (expires in 2.918 sec)

R3#show vrrp
FastEthernet0/0 - Group 10
  State is Master
  Virtual IP address is 172.16.1.100
  Virtual MAC address is 0000.5e00.010a
  Advertisement interval is 1.000 sec
  Preemption enabled
  Priority is 100
    Track object 10 state Up decrement 10
  Master Router is 172.16.1.3 (local), priority is 100
  Master Advertisement interval is 1.000 sec
  Master Down interval is 3.609 sec

Routers R2 and R4 lower their priority when they no longer detect signal, so the path R1 follows to reach R6 now goes through the R3/R5 link. Both R2 and R4 are now Backup. Note that the decremented priority on both is 90. Because R3 and R5 have the default priority of 100, they are now the VRRP Master routers.

R1#traceroute 172.16.2.6
Type escape sequence to abort.
Tracing the route to 172.16.2.6

  1 172.16.1.3 68 msec 60 msec 40 msec
  2 10.1.35.5 84 msec 40 msec 60 msec
  3 172.16.2.6 124 msec *  104 msec
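Why a decrement of 10 leaves R2 as Master while 60 hands the role to R3, as an added Python model that is not part of the original guide. It assumes preemption on every router (as configured in this lab), that a Backup only takes over when its priority is strictly higher than the Master's, and that a tracked priority never drops below 1; all class and function names are illustrative.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class Track:
    """A tracked object and the priority penalty applied while it is down."""
    name: str
    decrement: int = 10          # the default the guide says is too small
    up: bool = True


@dataclass
class VrrpRouter:
    name: str
    address: str
    configured_priority: int = 100   # VRRP default priority
    tracks: list = field(default_factory=list)
    alive: bool = True

    @property
    def priority(self) -> int:
        """Effective priority: configured value minus penalties of down tracks."""
        penalty = sum(t.decrement for t in self.tracks if not t.up)
        return max(1, self.configured_priority - penalty)   # floor is an assumption


def next_master(current, routers):
    """Return the Master after one re-evaluation of the group."""
    alive = [r for r in routers if r.alive]
    if not alive:
        return None
    # Highest priority wins an open election; the higher IP breaks a tie.
    best = max(alive, key=lambda r: (r.priority, IPv4Address(r.address)))
    if current is not None and current.alive and best.priority <= current.priority:
        return current          # nobody outranks the incumbent: no preemption
    return best


def serial_failure_on_r2(decrement):
    """Replay the lab on Site 1: Serial1/0 on R2 goes down, then comes back."""
    serial = Track("Serial1/0 line-protocol", decrement)
    r2 = VrrpRouter("R2", "172.16.1.2", 150, [serial])
    r3 = VrrpRouter("R3", "172.16.1.3", 100)
    group = [r2, r3]

    master = next_master(None, group)            # initial election
    history = [(master.name, r2.priority)]

    serial.up = False                            # 'shutdown' on Serial1/0
    master = next_master(master, group)
    history.append((master.name, r2.priority))

    serial.up = True                             # 'no shutdown'
    master = next_master(master, group)
    history.append((master.name, r2.priority))
    return history


if __name__ == "__main__":
    for dec in (10, 50, 60):
        print(dec, serial_failure_on_r2(dec))
```

With the lab's priorities (150 against 100) the decrement has to exceed 50 before the uplink failure moves the gateway; at exactly 50 the priorities tie and the incumbent Master keeps the role.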

Load Sharing

Remove the previous VRRP configuration and bring up the serial interface on R2.

On R2/R3/R4/R5:
(config-if)#no vrrp 10

R2(config-if)#int s1/0
R2(config-if)#no shutdown

Configure R2 as VRRP Master and R3 as Backup for IP address 172.16.1.100. Configure R2 as VRRP Backup and R3 as Master for IP address 172.16.1.101. Configure R4 as VRRP Master and R5 as Backup for IP address 172.16.2.100. Configure R4 as VRRP Backup and R5 as Master for IP address 172.16.2.101.

R1 and R6 must each have two static routes with the same administrative distance (AD 69) so that the load is balanced.

R1
ip route 0.0.0.0 0.0.0.0 172.16.1.101 69
ip route 0.0.0.0 0.0.0.0 172.16.1.100 69

R1#sh ip route static
S*   0.0.0.0/0 [69/0] via 172.16.1.101
               [69/0] via 172.16.1.100

R6
ip route 0.0.0.0 0.0.0.0 172.16.2.101 69
ip route 0.0.0.0 0.0.0.0 172.16.2.100 69

R6#sh ip route static
S*   0.0.0.0/0 [69/0] via 172.16.2.101
               [69/0] via 172.16.2.100

To share the load between the two exit points we must create two VRRP groups. Each router acts as Master for one group and as Backup for the other.

R2
interface FastEthernet0/0
 vrrp 10 ip 172.16.1.100
 vrrp 10 priority 200
 vrrp 20 ip 172.16.1.101
 no vrrp 20 preempt

R3
interface FastEthernet0/0
 vrrp 10 ip 172.16.1.100
 no vrrp 10 preempt
 vrrp 20 ip 172.16.1.101
 vrrp 20 priority 200

R2#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Fa0/0              10  200 3218       Y  Master  172.16.1.2      172.16.1.100
Fa0/0              20  100 3609          Backup  172.16.1.3      172.16.1.101

R3#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Fa0/0              10  100 3609          Backup  172.16.1.2      172.16.1.100
Fa0/0              20  200 3218       Y  Master  172.16.1.3      172.16.1.101

R4
interface FastEthernet0/0
 vrrp 10 ip 172.16.2.100
 vrrp 10 priority 200
 vrrp 20 ip 172.16.2.101
 no vrrp 20 preempt

R5
interface FastEthernet0/0
 vrrp 10 ip 172.16.2.100
 no vrrp 10 preempt
 vrrp 20 ip 172.16.2.101
 vrrp 20 priority 200

R4#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Fa0/0              10  200 3218       Y  Master  172.16.2.4      172.16.2.100
Fa0/0              20  100 3609          Backup  172.16.2.5      172.16.2.101

R5#show vrrp brief
Interface          Grp Pri Time  Own Pre State   Master addr     Group addr
Fa0/0              10  100 3609          Backup  172.16.2.4      172.16.2.100
Fa0/0              20  200 3218       Y  Master  172.16.2.5      172.16.2.101

We verify that traffic flows through both routers R2/R3 at Site 1.

R1#traceroute 172.16.2.6
Type escape sequence to abort.
Tracing the route to 172.16.2.6

  1 172.16.1.3 120 msec
    172.16.1.2 60 msec
    172.16.1.3 44 msec
  2 10.1.24.4 44 msec
    10.1.35.5 48 msec
    10.1.24.4 44 msec
  3 172.16.2.6 168 msec *  176 msec

We verify that traffic flows through both routers R4/R5 at Site 2.

R6#traceroute 172.16.1.1
Type escape sequence to abort.
Tracing the route to 172.16.1.1

  1 172.16.2.4 64 msec
    172.16.2.5 108 msec
    172.16.2.4 44 msec
  2 10.1.35.3 56 msec
    10.1.24.2 88 msec
    10.1.35.3 68 msec
  3 172.16.1.1 180 msec *  128 msec

VLAN ACLs vs. Security in Telnet Sessions

Configure the Port-channel shown in the figure. Use LACP, and 802.1q as the trunking protocol. On DLS1 create VLAN 10 and verify that it propagates to DLS2. Configure the access ports for VLAN 10. Use PortFast.

DLS1
default interface range fastEthernet 0/6-7

interface range fastEthernet 0/6-7
 channel-group 3 mode active
 exit

interface Port-channel3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10
 switchport mode trunk

vlan 10
vtp domain cisco

DLS2
default interface range fastEthernet 0/6-7

interface range fastEthernet 0/6-7
 channel-group 3 mode active
 exit

interface Port-channel3
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,10
 switchport mode trunk

DLS1#sh etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators: 1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
3      Po3(SU)       LACP        Fa0/6(P)    Fa0/7(P)

DLS2#show vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                                Fa0/5, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
10   VLAN0010                         active

DLS1
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport host

DLS2
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport host

R1
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 no shut

R2
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 no shut

R1#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/61/80 ms

Configure the routers with the addressing shown and enable Telnet. R1 allows inbound sessions from IP 100.2.2.2. R2 allows inbound sessions from IP 100.1.1.1. If a Telnet connection is attempted from any other source address, a log message reporting it must be sent to the console.

Form an OSPF 1 area 0 adjacency between R1 and R2. There must be no DR/BDR election. Create and advertise loopback0 100.1.1.1/24 on R1 and loopback0 100.2.2.2/24 on R2 using OSPF. Verify that they are advertised with their correct masks.

R1
interface Loopback0
 ip address 100.1.1.1 255.255.255.0
 ip ospf 1 area 0
 ip ospf network point-to-point

interface FastEthernet0/0
 ip ospf network point-to-point
 ip ospf 1 area 0

R2
interface Loopback0
 ip address 100.2.2.2 255.255.255.0
 ip ospf 1 area 0
 ip ospf network point-to-point

interface FastEthernet0/0
 ip ospf network point-to-point
 ip ospf 1 area 0

R2#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
100.1.1.1         0   FULL/  -        00:00:33    10.1.1.1        FastEthernet0/0

R2#sh ip route ospf
Gateway of last resort is not set

     100.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O       100.1.1.0/24 [110/2] via 10.1.1.1, 00:00:25, FastEthernet0/0

R2#ping 100.1.1.1 source 100.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 100.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/60/68 ms

R1
access-list 10 permit 100.2.2.0 0.0.0.255
access-list 10 deny any log

line vty 0 4
 access-class 10 in
 exec-timeout 0 0
 password cisco
 login
 transport input telnet
 transport output telnet

R2
access-list 10 permit 100.1.1.0 0.0.0.255
access-list 10 deny any log

line vty 0 4
 access-class 10 in
 exec-timeout 0 0
 password cisco
 login
 transport input telnet
 transport output telnet

R1#telnet 100.2.2.2
Trying 100.2.2.2 ...
% Connection refused by remote host

R2#
*Jun 13 13:53:58.599: %SEC-6-IPACCESSLOGNP: list 10 denied 0 10.1.1.1 -> 0.0.0.0, 1 packet

R1#telnet 100.2.2.2 /source-interface loo0
Trying 100.2.2.2 ... Open

User Access Verification

Password:cisco
R2>en
Password:cisco
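The `deny any log` entry is what produces the %SEC-6-IPACCESSLOGNP message above; the following added Python example (not part of the original guide) parses such messages and totals the denied VTY attempts per source address. The first sample line is the one shown in the lab; the other lines, the threshold and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Layout taken from the message shown in the lab:
#   list <acl> <permitted|denied> <protocol> <src> -> <dst>, <n> packet(s)
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGNP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\d+) (?P<src>\d+(?:\.\d+){3}) -> (?P<dst>\d+(?:\.\d+){3}), "
    r"(?P<packets>\d+) packets?"
)

# Line 1 is from the guide; lines 2-4 are constructed sample data.
SAMPLE_LOG = """\
*Jun 13 13:53:58.599: %SEC-6-IPACCESSLOGNP: list 10 denied 0 10.1.1.1 -> 0.0.0.0, 1 packet
*Jun 13 13:59:02.115: %SEC-6-IPACCESSLOGNP: list 10 denied 0 10.1.1.1 -> 0.0.0.0, 4 packets
*Jun 13 14:01:10.003: %SEC-6-IPACCESSLOGNP: list 10 denied 0 192.0.2.77 -> 0.0.0.0, 1 packet
*Jun 13 14:01:12.440: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
"""


def parse_acl_log(line):
    """Return the fields of one IPACCESSLOGNP message, or None for other lines."""
    match = ACL_LOG.search(line)
    if match is None:
        return None
    event = match.groupdict()
    event["proto"] = int(event["proto"])
    event["packets"] = int(event["packets"])
    return event


def denied_by_source(lines, acl):
    """Total denied packets per source address for one access list."""
    totals = Counter()
    for line in lines:
        event = parse_acl_log(line)
        if event and event["acl"] == acl and event["action"] == "denied":
            totals[event["src"]] += event["packets"]
    return totals


def sources_over_threshold(lines, acl, threshold):
    """Sources whose denied-packet total reaches the alerting threshold."""
    totals = denied_by_source(lines, acl)
    return sorted(src for src, count in totals.items() if count >= threshold)


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    print(dict(denied_by_source(log_lines, "10")))
    print(sources_over_threshold(log_lines, "10", threshold=3))
```

The single denial from 10.1.1.1 in the lab is simply R1 connecting from its FastEthernet address instead of Loopback0; repeated denials from the same source are the pattern worth alerting on.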

On DLS2, use a VLAN access list to block all ICMP and HTML traffic. Telnet traffic must be permitted.

DLS2
ip access-list extended ICMP
 permit icmp any any

vlan access-map DROP-ICMP 10
 match ip address ICMP
 action drop
vlan access-map DROP-ICMP 20
 action forward

R1#ping 100.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/64/100 ms

As the previous output shows, ping still works. To activate the restrictive policy we must use the vlan filter command, specifying the VLAN the filter applies to; in our case this is VLAN 10. After applying this last configuration, ICMP traffic between the sites is no longer possible, yet we can still log in via Telnet.

DLS2
vlan filter DROP-ICMP vlan-list 10

R1#ping 100.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.2.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R1#telnet 100.2.2.2 /source-interface loo0
Trying 100.2.2.2 ... Open

User Access Verification
Password:
R2>en
Password:
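How the DROP-ICMP access map is evaluated, as an added Python model that is not part of the original guide: the ACL's `permit` only selects traffic, the map entry's action decides its fate, and nothing is enforced until `vlan filter` binds the map to a VLAN. The implicit drop for traffic that matches no entry is modelled as an assumption to confirm on your platform; all names are illustrative.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One ACL line. 'permit' means 'select this traffic', not 'forward it'."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt):
        if self.proto not in ("ip", pkt["proto"]):
            return False
        return self.dport is None or self.dport == pkt.get("dport")


@dataclass(frozen=True)
class MapEntry:
    """One 'vlan access-map NAME <seq>' block."""
    seq: int
    action: str                            # "drop" or "forward"
    acl: Optional[Tuple[Ace, ...]] = None  # None: no match clause, matches all


def acl_selects(acl, pkt):
    """First matching ACE decides; falling off the end is the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


def vacl_verdict(access_map, filtered_vlans, vlan, pkt):
    """Return "forward" or "drop" for a packet seen in the given VLAN."""
    if vlan not in filtered_vlans:
        return "forward"                   # map defined but not applied
    for entry in sorted(access_map, key=lambda e: e.seq):
        if entry.acl is None or acl_selects(entry.acl, pkt):
            return entry.action
    return "drop"                          # assumed implicit drop at end of map


# The lab's configuration on DLS2.
ICMP_ACL = (Ace("permit", "icmp"),)
DROP_ICMP = [MapEntry(10, "drop", ICMP_ACL), MapEntry(20, "forward")]

# Constructed sample packets.
PING = {"proto": "icmp"}
TELNET = {"proto": "tcp", "dport": 23}

if __name__ == "__main__":
    print("before vlan filter:", vacl_verdict(DROP_ICMP, set(), 10, PING))
    print("after  vlan filter:", vacl_verdict(DROP_ICMP, {10}, 10, PING))
    print("telnet, full map  :", vacl_verdict(DROP_ICMP, {10}, 10, TELNET))
    print("telnet, no seq 20 :", vacl_verdict(DROP_ICMP[:1], {10}, 10, TELNET))
```

The last case is the one to check in review: without the catch-all entry 20, Telnet would be dropped along with ICMP.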

SSH

Configure SSH on DLS2 using the following policies:

- Domain: duoc.cl
- Key: 1024
- Authentication: must be performed against the local database.
- Username: U1
- Password: cisco
- Ports: authentication must be enabled for the VTY ports.
- Restrictions: only SSH connections are allowed on DLS2.

DLS2
ip domain name duoc.cl

DLS2(config)#crypto key zeroize rsa
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
DLS2(config)#
*Mar 1 06:11:47.245: %SSH-5-DISABLED: SSH 1.99 has been disabled
DLS2(config)#crypto key generate rsa usage-keys
The name for the keys will be: DLS2.duoc.cl
Choose the size of the key modulus in the range of 360 to 4096 for your
  Signature Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
Choose the size of the key modulus in the range of 360 to 4096 for your
  Encryption Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK] (elapsed time was 5 seconds)
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK] (elapsed time was 6 seconds)

DLS2(config)#
*Mar 1 06:12:15.012: %SSH-5-ENABLED: SSH 1.99 has been enabled

The following configuration enables the AAA services.

DLS2
aaa new-model
username U1 password duoc
aaa authentication login LOCAL local

line vty 0 4
 login authentication LOCAL
 transport input ssh

DLS1#ssh -l U1 -c aes128-cbc 1.1.1.2

Password:cisco

DLS2>en
Password:duoc
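A review pass over the management-plane settings used in these labs (SNMP traps, the Telnet VTY block and the SSH setup above), as an added Python example that is not part of the original guide. The sample text is constructed from lines the guide shows; the rule names and the 2048-bit minimum are assumptions of this example, not settings taken from the guide.

```python
import re

MIN_RSA_BITS = 2048   # policy threshold assumed for this example


def always(_match):
    return True


# (rule id, pattern applied to each line, predicate on the match, explanation)
RULES = [
    ("snmp-default-community",
     re.compile(r"^\s*snmp-server host \S+ (?:version \S+ )?public\b"),
     always,
     "traps are sent with the well-known community string 'public'"),
    ("no-idle-timeout",
     re.compile(r"^\s*exec-timeout 0 0\b"),
     always,
     "idle management sessions never time out"),
    ("telnet-on-vty",
     re.compile(r"^\s*transport input\b.*\b(?:telnet|all)\b"),
     always,
     "VTY accepts Telnet, so credentials cross the network in cleartext"),
    ("plaintext-user-password",
     re.compile(r"^\s*username \S+ (?:privilege \d+ )?password\b"),
     always,
     "stored in cleartext or reversible form; prefer 'username ... secret'"),
    ("weak-rsa-modulus",
     re.compile(r"Generating (\d+) bit RSA keys"),
     lambda m: int(m.group(1)) < MIN_RSA_BITS,
     "SSH host key modulus is below the assumed minimum"),
]

# Constructed sample: configuration and console lines that appear in the guide.
SAMPLE_CONFIG = """\
snmp-server enable traps hsrp
snmp-server host 172.16.1.1 public hsrp
line vty 0 4
 access-class 10 in
 exec-timeout 0 0
 password cisco
 login
 transport input telnet
username U1 password duoc
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]
line vty 0 4
 login authentication LOCAL
 transport input ssh
"""


def audit(config_text):
    """Return (line number, rule id, offending line) for every finding."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for rule_id, pattern, is_weak, _why in RULES:
            match = pattern.search(line)
            if match and is_weak(match):
                findings.append((lineno, rule_id, line.strip()))
    return findings


def explain(rule_id):
    """Look up the explanation text for a rule id."""
    return next(why for rid, _p, _f, why in RULES if rid == rule_id)


if __name__ == "__main__":
    for lineno, rule_id, line in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {rule_id}: {line!r} ({explain(rule_id)})")
```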

SPAN

On DLS1, create VLANs 10, 20 and 99. Form trunks between directly connected switches (use two links between devices). Only the newly created VLANs plus the default VLAN must be allowed. Use the standard trunking protocol.

DLS1 is the server for the VTP domain duoc; the remaining switches have the client role. Verify that the VLANs have propagated to each of the switches.

DLS1 must be root for VLANs 1, 10 and 20, and secondary root for VLAN 99. DLS2 must be root for VLAN 99, and secondary root for VLANs 1, 10 and 20.

DLS1
interface range fastEthernet 0/2-7
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20,99

DLS2
interface range fastEthernet 0/13-20
 shutdown

interface range fastEthernet 0/2-7
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20,99

ALS1
interface range fastEthernet 0/13-20
 shutdown

interface range fastEthernet 0/2-7
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20,99

ALS2
interface range fastEthernet 0/2-7
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20,99

DLS1#sh interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Fa0/2       on               802.1q         trunking      1
Fa0/3       on               802.1q         trunking      1
Fa0/4       on               802.1q         trunking      1
Fa0/5       on               802.1q         trunking      1
Fa0/6       on               802.1q         trunking      1
Fa0/7       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/2       1,10,20,99
Fa0/3       1,10,20,99
Fa0/4       1,10,20,99
Fa0/5       1,10,20,99
Fa0/6       1,10,20,99
Fa0/7       1,10,20,99

DLS2#show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Fa0/2       on               802.1q         trunking      1
Fa0/3       on               802.1q         trunking      1
Fa0/4       on               802.1q         trunking      1
Fa0/5       on               802.1q         trunking      1
Fa0/6       on               802.1q         trunking      1
Fa0/7       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/2       1,10,20,99
Fa0/3       1,10,20,99
Fa0/4       1,10,20,99
Fa0/5       1,10,20,99
Fa0/6       1,10,20,99
Fa0/7       1,10,20,99

ALS1#show interfaces trunk
Port        Mode             Encapsulation  Status        Native vlan
Fa0/2       on               802.1q         trunking      1
Fa0/3       on               802.1q         trunking      1
Fa0/4       on               802.1q         trunking      1
Fa0/5       on               802.1q         trunking      1
Fa0/6       on               802.1q         trunking      1
Fa0/7       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/2       1,10,20,99
Fa0/3       1,10,20,99
Fa0/4       1,10,20,99
Fa0/5       1,10,20,99
Fa0/6       1,10,20,99
Fa0/7       1,10,20,99

DLS2
vtp mode client

ALS1
vtp mode client

ALS2
vtp mode client

DLS1
vtp mode server
vtp domain duoc

vlan 10,20,99

DLS1#sh vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
10   VLAN0010                         active
20   VLAN0020                         active
99   VLAN0099                         active

DLS2#show vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
10   VLAN0010                         active
20   VLAN0020                         active
99   VLAN0099                         active

ALS1#show vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
10   VLAN0010                         active
20   VLAN0020                         active
99   VLAN0099                         active

ALS2#show vlan brief | exclude unsup
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/8, Fa0/9, Fa0/10
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18
                                                Fa0/19, Fa0/20, Fa0/21, Fa0/22
                                                Fa0/23, Fa0/24, Gi0/1, Gi0/2
10   VLAN0010                         active
20   VLAN0020                         active
99   VLAN0099                         active

DLS1
spanning-tree vlan 1,10,20 root primary diameter 3
spanning-tree vlan 99 root secondary diameter 3

DLS2
spanning-tree vlan 99 root primary diameter 3
spanning-tree vlan 1,10,20 root secondary diameter 3

DLS2#show spanning-tree vlan 99

VLAN0099
  Spanning tree enabled protocol ieee
  Root ID    Priority    24675
             Address     3037.a6eb.d580
             This bridge is the root
             Hello Time 2 sec Max Age 12 sec Forward Delay 9 sec

  Bridge ID  Priority    24675 (priority 24576 sys-id-ext 99)
             Address     3037.a6eb.d580
             Hello Time 2 sec Max Age 12 sec Forward Delay 9 sec
             Aging Time 9

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2            Desg LRN 19        128.4    P2p
Fa0/3            Desg LRN 19        128.5    P2p
Fa0/4            Desg LRN 19        128.6    P2p
Fa0/5            Desg LRN 19        128.7    P2p
Fa0/6            Desg FWD 19        128.8    P2p
Fa0/7            Desg LRN 19        128.9    P2p

On ALS2, attach a protocol analyzer to port Fa0/1 and capture the traffic generated on the same switch on access port Fa0/11, where a PC opens a Telnet session to SVI 1 (1.1.1.X).

ALS2
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 1
 spanning-tree portfast

interface FastEthernet0/11
 switchport mode access
 switchport access vlan 1
 spanning-tree portfast

monitor session 1 source interface fastEthernet 0/11 both
monitor session 1 destination interface fastEthernet 0/1

TELNET
C:\>telnet 1.1.1.1

User Access Verification

Password:
DLS1>en
Password:
DLS1#

Remote SPAN (RSPAN)

On DLS2, attach a protocol analyzer to port Fa0/1 and capture the traffic generated on DLS1 access port Fa0/8, where a PC opens a Telnet session to SVI 1 (1.1.1.X). VLAN 99 must be configured as the SPAN VLAN.

Note: The traffic generated on Fa0/1 of DLS1 can be sent to any switch that has access to VLAN 99, the RSPAN VLAN. In this example only DLS2 is used as the receiver, but ALS1 and ALS2 could be receivers as well.

DLS1
vlan 99
 remote-span

DLS1#sh vlan remote-span
Remote SPAN VLANs
------------------------------------------------------------------------------
99

DLS2#show vlan remote-span
Remote SPAN VLANs
------------------------------------------------------------------------------
99

ALS1#show vlan remote-span
Remote SPAN VLANs
------------------------------------------------------------------------------
99

ALS2#sh vlan remote-span
Remote SPAN VLANs
------------------------------------------------------------------------------
99

DLS1
monitor session 2 source interface fastEthernet 0/8
monitor session 2 destination remote vlan 99

DLS1#sh monitor session 2
Session 2
---------
Type              : Remote Source Session
Source Ports      :
    Both          : Fa0/8
Dest RSPAN VLAN   : 99

DLS2
monitor session 2 source remote vlan 99
monitor session 2 destination interface fastEthernet 0/1

DLS1
interface FastEthernet0/8
 switchport mode access
 spanning-tree portfast

DLS2
interface FastEthernet0/1
 switchport mode access
 spanning-tree portfast

TELNET
C:\>telnet 1.1.1.1

User Access Verification

Password:
DLS1>en
Password:
DLS1#

Syslog

Create PortChannel 3 between DLS1 and DLS2; do not use PAgP or LACP. Enable the interfaces for L3 connectivity and configure the addressing shown.

Verify that there is connectivity between both L3 devices.

DLS1
ip routing

interface Port-channel3
 no switchport
 ip address 10.1.12.1 255.255.255.0

interface FastEthernet0/6
 no switchport
 channel-group 3 mode on

interface FastEthernet0/7
 no switchport
 channel-group 3 mode on

DLS2
ip routing

interface Port-channel3
 no switchport
 ip address 10.1.12.2 255.255.255.0

interface FastEthernet0/6
 no switchport
 channel-group 3 mode on

interface FastEthernet0/7
 no switchport
 channel-group 3 mode on

DLS2#ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

Configure EIGRP 1 as shown in the figure. Also advertise Loopback0 of each switch. The 172.16.1.0/24 network must be redistributed into EIGRP.

DLS1
interface Loopback0
 ip address 10.1.1.1 255.255.255.0

router eigrp 1
 network 10.0.0.0
 no auto-summary

DLS2
interface Loopback0
 ip address 10.2.2.2 255.255.255.0

router eigrp 1
 network 10.0.0.0
 no auto-summary

DLS2#sh ip route eigrp
     10.0.0.0/24 is subnetted, 3 subnets
D       10.1.1.0 [90/143360] via 10.1.12.1, 00:00:12, Port-channel3

DLS2
interface FastEthernet0/1
 no switchport
 ip address 172.16.1.1 255.255.255.0

router eigrp 1
 redistribute connected metric 1 1 1 1 1

DLS1#sh ip route eigrp
     172.16.0.0/24 is subnetted, 1 subnets
D EX    172.16.1.0 [170/2560002816] via 10.1.12.2, 00:00:36, Port-channel3
     10.0.0.0/24 is subnetted, 3 subnets
D       10.2.2.0 [90/143360] via 10.1.12.2, 00:03:47, Port-channel3

Configure DLS1 so that all log messages are sent to the Syslog server 172.16.1.2.

DLS1
logging on
logging trap 7
logging source-interface Loopback0
logging 172.16.1.2
logging host 172.16.1.2

06-26-2012 14:27:00 Local7.Debug 10.1.1.1 62: *Mar 1 00:42:05.767: EIGRP: Packet from ourselves ignored
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 61: *Mar 1 00:42:05.767: AS 1, Flags 0x0, Seq 0/0 interfaceQ 0/0
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 60: *Mar 1 00:42:05.767: EIGRP: Received HELLO on Loopback0 nbr 10.1.1.1
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 59: *Mar 1 00:42:05.767: AS 1, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 58: *Mar 1 00:42:05.767: EIGRP: Sending HELLO on Loopback0
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 57: *Mar 1 00:42:05.700: AS 1, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 56: *Mar 1 00:42:05.700: EIGRP: Sending HELLO on Port-channel3
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 55: *Mar 1 00:42:05.549: AS 1, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 54: *Mar 1 00:42:05.549: EIGRP: Received HELLO on Port-channel3 nbr 10.1.12.2
06-26-2012 14:25:18 Local7.Info 10.1.1.1 53: *Mar 1 00:40:24.492: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 172.16.1.2 Port 514 started - CLI initiated
06-26-2012 14:25:17 Local7.Notice 10.1.1.1 52: *Mar 1 00:40:18.485: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.12.2)
06-26-2012 14:22:30 Local7.Debug 127.0.0.1 Kiwi Syslog Server - Test message number 0002
06-26-2012 14:19:55 Local7.Info 10.1.12.1 51: *Mar 1 00:35:03.149: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 172.16.1.2 Port 514 started - CLI initiated
06-26-2012 14:19:54 Local7.Notice 10.1.12.1 50: *Mar 1 00:35:02.092: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.12.2)
06-26-2012 14:17:17 Local7.Debug 127.0.0.1 Kiwi Syslog Server - Test message number 0001
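
The capture above can be checked mechanically. The following Python is an added example, not part of the original guide: it parses the Kiwi-format lines, lists every %SYS-5-CONFIG_I configuration change with its vty line and remote address, and reports gaps in the number that precedes the device timestamp, which is treated here as the IOS message counter. The function names are illustrative, and the sample reuses lines from the capture with the line numbered 55 left out on purpose.

```python
import re

# Lines copied from the Kiwi capture above (newest first); the line numbered 55
# is deliberately left out so the gap check has something to report.
SAMPLE = [
    "06-26-2012 14:27:00 Local7.Debug 10.1.1.1 56: *Mar 1 00:42:05.700: EIGRP: Sending HELLO on Port-channel3",
    "06-26-2012 14:27:00 Local7.Debug 10.1.1.1 54: *Mar 1 00:42:05.549: EIGRP: Received HELLO on Port-channel3 nbr 10.1.12.2",
    "06-26-2012 14:25:18 Local7.Info 10.1.1.1 53: *Mar 1 00:40:24.492: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 172.16.1.2 Port 514 started - CLI initiated",
    "06-26-2012 14:25:17 Local7.Notice 10.1.1.1 52: *Mar 1 00:40:18.485: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.12.2)",
    "06-26-2012 14:22:30 Local7.Debug 127.0.0.1 Kiwi Syslog Server - Test message number 0002",
    "06-26-2012 14:19:54 Local7.Notice 10.1.12.1 50: *Mar 1 00:35:02.092: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.12.2)",
]

# Kiwi prefix (receive time, facility.level, sender IP), then the IOS body:
# message counter, device timestamp ('*' = clock not authoritative), text.
LINE = re.compile(
    r"^(?P<rx>\d\d-\d\d-\d{4} \d\d:\d\d:\d\d) (?P<fac>\w+)\.(?P<level>\w+) (?P<sender>\S+) "
    r"(?P<seq>\d+): (?P<unsynced>\*?)(?P<devtime>\w{3} +\d+ [\d:.]+): (?P<msg>.*)$")
CONFIG_I = re.compile(r"%SYS-5-CONFIG_I: Configured from (\S+) by (\S+)(?: \((\S+)\))?")

def parse(line):
    """Return a dict for an IOS-originated line, or None (e.g. Kiwi test messages)."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["seq"], rec["unsynced"] = int(rec["seq"]), rec["unsynced"] == "*"
    return rec

def config_changes(lines):
    """(receive time, sender, line, remote address) for every CONFIG_I event."""
    out = []
    for rec in filter(None, map(parse, lines)):
        m = CONFIG_I.search(rec["msg"])
        if m:
            out.append((rec["rx"], rec["sender"], m.group(2), m.group(3)))
    return out

def missing_counters(lines):
    """Per sender, counter values absent from the capture (UDP syslog can drop)."""
    seen = {}
    for rec in filter(None, map(parse, lines)):
        seen.setdefault(rec["sender"], set()).add(rec["seq"])
    return {s: [n for n in range(min(q), max(q) + 1) if n not in q] for s, q in seen.items()}

if __name__ == "__main__":
    print(config_changes(SAMPLE))
    print(missing_counters(SAMPLE))
```

The same switch appears under two sender addresses (10.1.12.1, then 10.1.1.1 once logging source-interface Loopback0 takes effect), so per-sender grouping splits its counter into two series.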

Port-Security Using MACROs

Before starting this lab, erase the switch configuration.

Configure ALSx so that ports FastEthernet 0/10 through FastEthernet 0/16 allow only one MAC address. If more than one MAC is detected, the switch must discard the traffic for the MAC that is not allowed.

Use a MACRO.

Verify by connecting a PC.

The following command defines a range of switch ports named UNA-MAC.

ALSx
define interface-range UNA-MAC fastEthernet 0/10-16
macro name SECURITY
Enter macro commands one per line. End with the character '@'.
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation protect
@

interface range macro UNA-MAC
 macro apply SECURITY

ALS2#show running-config interface fastEthernet 0/11
Building configuration...

Current configuration : 167 bytes
!
interface FastEthernet0/11
 switchport mode access
 switchport port-security
 switchport port-security violation protect
 macro description SECURITY

ALS2#show interfaces fastEthernet 0/11 switchport
Name: Fa0/11
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none

Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

Blocking UNICAST/MULTICAST

Configure the previous ports so that they block unknown unicast/multicast frames.

Note: By default, switches flood frames with unknown destination MAC addresses out all ports in the same VLAN. Some ports do not need this, for example because they have a static MAC assigned.

ALSx
interface range fastEthernet 0/10-16
 switchport block multicast
 switchport block unicast

ALS2#show interfaces fastEthernet 0/11 switchport
Name: Fa0/11
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: enabled
Unknown multicast blocked: enabled
Appliance trust: none

MAC Filter

Configure a unicast MAC filter on ALSx so that the switch discards packets whose source or destination address is 0000.1234.DC10. If such a packet is received on any port associated with the default VLAN, it must be dropped.

Verify by configuring the MAC 0000.1234.DC10 on interface f0/0 of the router and connecting it to port f0/23 of switch ALS1.

ALS1
mac-address-table static 0000.1234.DC10 vlan 1 drop

ALS2#show mac-address-table static address 0000.1234.DC10
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0000.1234.dc10    STATIC      Drop
Total Mac Addresses for this criterion: 1

ALS1
interface FastEthernet0/23
 switchport mode access
 spanning-tree portfast

R1
interface FastEthernet0/0
 mac-address 0000.1234.dc10
 ip address 10.1.1.10 255.255.255.0

DHCP Snooping

DLS1 must have the VTP Server role in the domain duoc.cl. ALS1 must be a client.

DLS1 must create VLAN 100 named DHCP. Verify that it propagates to ALS1.

Create PortChannel 1 between DLS1 and ALS1; do not use PAgP or LACP. Enable trunking using 802.1q and allow VLANs 1 and 100. Disable DTP.

DLS1
vtp mode server
vtp domain duoc.cl
vlan 100
 name DHCP

interface range fastEthernet 0/2-3
 channel-group 1 mode on

interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 switchport nonegotiate

ALS1
vtp mode client

interface range fastEthernet 0/2-3
 channel-group 1 mode on

interface Port-channel1
 switchport trunk allowed vlan 1,100
 switchport mode trunk
 switchport nonegotiate

ALS1#show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators: 1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)          -        Fa0/2(P)    Fa0/3(P)

On DLS1, configure SVI 100 with IP address 100.1.1.1/24. Configure DHCP on DLS1 with the following characteristics:

- Pool ABCD 100.1.1.0/24
- Default router 100.1.1.1
- Lease of 4 days, 10 hours, 30 minutes.
- The range 100.1.1.1 to 100.1.1.20 must be excluded.

On ALS1, assign port Fa0/23 to VLAN 100 (access port).

DLS1
interface Vlan100
 ip address 100.1.1.1 255.255.255.0
 no shutdown

ip dhcp excluded-address 100.1.1.1 100.1.1.20

ip dhcp pool ABCD
 network 100.1.1.0 255.255.255.0
 default-router 100.1.1.1
 lease 4 10 30

ALS1
interface FastEthernet0/23
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast

interface FastEthernet0/21
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast

DLS1#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
100.1.1.21          0100.2622.706d.df       Mar 05 1993 11:37 AM    Automatic

Configure R1 with the same DHCP scheme.

R1
ip dhcp excluded-address 100.1.1.1 100.1.1.20

ip dhcp pool ABCD
 network 100.1.1.0 255.255.255.0
 default-router 100.1.1.1
 lease 4 10 30

interface FastEthernet0/0
 ip address 100.1.1.1 255.255.255.0
 no shutdown

Disable PortChannel 1 and verify that the PC obtains its address from the router's DHCP pool.

ALS1
interface port-channel 1
 shutdown

Configure DHCP Snooping so that the only trusted interface is the one that communicates with the DHCP server DLS1.

Limit untrusted ports to only 3 packets.

ALS1#debug ip dhcp snooping event
DHCP Snooping Event debugging is on

ALS1
ip dhcp snooping
ip dhcp snooping vlan 100
ip dhcp snooping information option

interface FastEthernet0/21
 ip dhcp snooping limit rate 3

interface FastEthernet0/23
 ip dhcp snooping limit rate 3

interface Port-channel1
 ip dhcp snooping trust

ALS1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
100
DHCP snooping is configured on the following Interfaces:

Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/21             no          3
FastEthernet0/23             no          3
Port-channel1                yes         unlimited
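
How the switch treats each DHCP packet under the configuration above, as an added Python model (not code from the guide and not Cisco's implementation): server replies are dropped on untrusted ports, the client hardware address is verified, more than 3 packets in one second err-disables the port, and a binding is recorded when the ACK arrives on the trusted Port-channel1. The class and function names are illustrative, R1 is assumed to be attached to Fa0/21, and the PC MAC is the one in the DLS1 binding with the leading 01 of the client-id removed.

```python
from collections import defaultdict

PORTS = {  # trust / rate limit as shown by "show ip dhcp snooping" on ALS1
    "FastEthernet0/21": {"trusted": False, "rate": 3},
    "FastEthernet0/23": {"trusted": False, "rate": 3},
    "Port-channel1": {"trusted": True, "rate": None},
}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only a DHCP server sends these

class Snooper:  # simplified model of the per-packet snooping decision
    def __init__(self, ports):
        self.ports = ports
        self.seen = defaultdict(int)  # (port, second) -> DHCP packets received
        self.errdisabled = set()
        self.pending = {}             # client MAC -> access port of its request
        self.bindings = {}            # client MAC -> (leased IP, access port)

    def receive(self, port, second, msg, chaddr, src_mac=None, yiaddr=None):
        cfg = self.ports[port]
        if port in self.errdisabled:
            return "drop"
        if cfg["rate"] is not None:
            self.seen[port, second] += 1
            if self.seen[port, second] > cfg["rate"]:
                self.errdisabled.add(port)  # limit exceeded: port is shut down
                return "err-disable"
        if not cfg["trusted"]:
            if msg in SERVER_MSGS:
                return "drop"               # server reply arriving on an access port
            if src_mac != chaddr:
                return "drop"               # hwaddr verification failed
            self.pending[chaddr] = port
        elif msg == "ACK" and chaddr in self.pending:
            self.bindings[chaddr] = (yiaddr, self.pending.pop(chaddr))
        return "forward"

def demo():
    sw, pc = Snooper(PORTS), "0026.2270.6ddf"  # PC MAC from the DLS1 binding
    exchange = [
        sw.receive("FastEthernet0/23", 0, "DISCOVER", pc, src_mac=pc),
        sw.receive("FastEthernet0/21", 0, "OFFER", pc),  # R1 (port is an assumption)
        sw.receive("FastEthernet0/23", 0, "REQUEST", pc, src_mac=pc),
        sw.receive("Port-channel1", 0, "ACK", pc, yiaddr="100.1.1.21"),  # DLS1
    ]
    # Constructed burst: four client packets inside one second against a limit of 3.
    burst = [sw.receive("FastEthernet0/23", 5, "DISCOVER", pc, src_mac=pc) for _ in range(4)]
    return exchange, burst, sw.bindings

if __name__ == "__main__":
    print(demo())
```

The model leaves out option 82 insertion and the checks applied to RELEASE and DECLINE messages.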
