Configuring a Layer 2 Switching Infrastructure Solution


This appendix provides step-by-step solutions for each configuration task required for Part I of the Chapter 11, "Comprehensive Switching Self-Study Study Lab." Each configuration task is listed, followed by the solution for each task. At the end of this appendix, the complete configurations for each network device relevant to Part I of the lab are provided.

Connect the Network Solution

Step 1.

Connect the network as shown in Figure 11-1. All Fast Ethernet connections between switches require crossover UTP cables. For the two Gigabit Ethernet connections between Switch-A and Switch-B, multimode fiber with SC connectors is required.

Step 2.

Configure each switch with the appropriate host name and configure a Telnet/enable password of "cisco."

Example A-1 and Example A-2 demonstrate the required configurations on Switch-A (Cisco IOS) and Switch-B (CatOS). Refer to the complete configuration examples at the end of this appendix if you want to view the relevant configuration for this task on any other switches.

Example A-1. Configuring Switch-A
  Switch> enable
  Switch# configure terminal
  Enter configuration commands, one per line.  End with CNTL/Z.
  Switch(config)# hostname Switch-A
  Switch-A(config)# enable secret cisco
  Switch-A(config)# line vty 0 15
  Switch-A(config-line)# password cisco
  Switch-A(config-line)# end

In Example A-1, using the enable secret command instead of the enable password command ensures the enable password is stored in the configuration as a one-way hash rather than in cleartext or a reversible form.

Example A-2. Configuring Switch-B
  Console> enable
  Enter password:
  Console> (enable) set system name Switch-B
  System name set.
  Switch-B> (enable) set password
  Enter old password:
  Enter new password: *****
  Retype new password: *****
  Password changed.
  Switch-B> (enable) set enablepass
  Enter old password:
  Enter new password: *****
  Retype new password: *****
  Password changed.

On Switch-A, you must explicitly enable and configure each switch interface because Switch-A is running native IOS and, by default, all interfaces are Layer 3 interfaces in a shutdown state. On all other switches, all interfaces are enabled and configured as Layer 2 interfaces by default. Example A-3 shows the configuration required on Switch-A.

Example A-3. Enabling and Configuring Layer 2 Interfaces on Switch-A
  Switch-A# configure terminal
  Enter configuration commands, one per line.  End with CNTL/Z.
  Switch-A(config)# interface range GigabitEthernet1/1 - 2
  Switch-A(config-if-range)# no shutdown
  Switch-A(config-if-range)# switchport
  Switch-A(config-if-range)# exit
  Switch-A(config)# interface range FastEthernet2/1 - 48
  Switch-A(config-if-range)# no shutdown
  Switch-A(config-if-range)# switchport

In Example A-3, all interfaces indicated on Figure 11-1 are enabled and configured as Layer 2 interfaces using the switchport interface configuration command.

Once you have connected the switches together, use the show cdp neighbors command to verify that each switch can see the correct locally connected neighbors. Example A-4 shows an example of using this command on Switch-A.

Example A-4. Verifying Connectivity to Local Neighbors on Switch-A
  Switch-A# show cdp neighbors
  Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                    S - Switch, H - Host, I - IGMP, r - Repeater

  Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
  Switch-B         Gig 1/1            173        T S I      WS-C6509  1/1
  Switch-C         Fas 2/1            168        T S I      WS-C3550  0/1
  Switch-D         Fas 2/2            157        T S I      WS-C3550  0/1

Example A-4 shows that Switch-A is connected to Switch-B, Switch-C, and Switch-D and that Layer 2 connectivity is present to each switch.

Port, EtherChannel, and Trunking Configuration Solution

Step 1.

On all switches, configure all Fast Ethernet ports that connect to other switches for 100-Mbps full-duplex operation. On gigabit Ethernet ports, configure speed and duplex according to Cisco's recommendations.

Cisco recommends that all Gigabit Ethernet ports be configured as autosensing, which is the default setting and thus requires no extra configuration. Autosensing on Gigabit Ethernet exchanges considerably more information (such as flow-control parameters) than the Fast Ethernet/Ethernet auto-negotiation process does.

Example A-5 and Example A-6 demonstrate configuring 100-Mbps full-duplex operation on Switch-A (Cisco IOS) and Switch-B (CatOS).

Example A-5. Configuring Interface Speed and Duplex Settings on Switch-A
  Switch-A# configure terminal
  Enter configuration commands, one per line.  End with CNTL/Z.
  Switch-A(config)# interface range FastEthernet 2/1 - 2
  Switch-A(config-if-range)# speed 100
  Switch-A(config-if-range)# duplex full
  Switch-A(config-if-range)# exit

Example A-6. Configuring Interface Speed and Duplex Settings on Switch-B
  Switch-B> (enable) set port speed 2/1-2 100
  Ports 2/1-2 transmission speed set to 100Mbps.
  Switch-B> (enable) set port duplex 2/1-2 full
  Ports 2/1-2 set to full-duplex.

Step 2.

Configure the two physical links that attach Switch-A and Switch-B so that they appear as a single Layer 2 connection. Ensure the configuration meets the following requirements:

  • A single physical link failure must not affect the spanning-tree topology.

  • Traffic should be distributed across the links based upon IP source and destination addressing.

  • Configure the links so that they are optimized for frames exchanged between two network attached storage (NAS) devices.

  • If receive buffers on either switch become full, configure both switches to send 802.3z pause frames.

The feature required for this configuration task is EtherChannel, which lets you present multiple physical interfaces as a single virtual Layer 2 interface. The requirements dictate how you must configure Port Aggregation Protocol (PAgP) and how you must configure load distribution. For spanning tree to work correctly with the EtherChannel bundle, configure an EtherChannel mode of desirable on both sides. In this PAgP mode spanning tree sees the bundle as one logical link, so the failure of a single physical link in the bundle does not change the spanning-tree topology. The second requirement is straightforward and simply requires load sharing based upon source and destination IP address. The third and fourth requirements are physical interface parameters that must be configured on each interface within the EtherChannel bundle. To optimize the links for NAS operation, enable jumbo frames, which permit an MTU of 9216 bytes for higher data throughput. You must also configure flow control on each link so that 802.3z pause frames are exchanged if queue congestion is experienced on either switch.

Example A-7 and Example A-8 show the configuration required on Switch-A and Switch-B.

Example A-7. Configuring EtherChannel, Jumbo Frames, and 802.3z Flow Control on Switch-A
  Switch-A# configure terminal
  Enter configuration commands, one per line.  End with CNTL/Z.
  Switch-A(config)# interface range GigabitEthernet 1/1 - 2
  Switch-A(config-if-range)# mtu 9216
  Switch-A(config-if-range)# flowcontrol receive on
  Switch-A(config-if-range)# flowcontrol send on
  Switch-A(config-if-range)# channel-group 1 mode desirable
  Switch-A(config-if-range)# exit
  Switch-A(config)# port-channel load-balance src-dst-ip

Jumbo frames are enabled on Cisco IOS software simply by modifying the maximum transmission unit (MTU) of the appropriate interface(s), as shown in Example A-7 on the Gig1/1 and Gig1/2 interfaces. Notice that you must configure each switch to both send and receive (i.e., respond to) flow control frames for flow control to work correctly.

Example A-8. Configuring EtherChannel, Jumbo Frames, and 802.3z Flow Control on Switch-B
  Switch-B> (enable) set port jumbo 1/1-2 enable
  Jumbo frames enabled on ports 1/1-2
  Switch-B> (enable) set port flowcontrol 1/1-2 receive on
  Ports 1/1-2 flow control receive administration status set to on
  (ports will require far end to send flowcontrol)
  Switch-B> (enable) set port flowcontrol 1/1-2 send on
  Ports 1/1-2 flow control send administration status set to on
  (ports will send flowcontrol to far end)
  Switch-B> (enable) set port channel 1/1-2 mode desirable
  Port(s) 1/1-2 channel mode set to desirable.
  Switch-B> (enable) set port channel all distribution ip both
  Channel distribution is set to ip both.

Example A-9 shows how you can verify an EtherChannel bundle has formed on Switch-B.

Example A-9. Verifying EtherChannel Configuration
  Switch-B> (enable) show port channel
  Port  Status     Channel              Admin Ch
                   Mode                 Group Id
  ----- ---------- -------------------- ----- -----
   1/1  connected  desirable silent        40   801
   1/2  connected  desirable silent        40   801

  Port  Device-ID                       Port-ID                   Platform
  ----- ------------------------------- ------------------------- ----------------
   1/1  Switch-A                        Gig1/1                    WS-C6509
   1/2  Switch-A                        Gig1/2                    WS-C6509

Step 3.

Configure the two physical links that attach Switch-C and Switch-D so that they appear as a single Layer 2 connection. Ensure the configuration meets the following requirement:

  • Switch-C should always try to actively negotiate the use of both links, while Switch-D should respond only to negotiations from Switch-C.

This task requires an EtherChannel bundle configured between Switch-C and Switch-D. You must configure Switch-C with a PAgP mode of desirable to allow it to actively negotiate and Switch-D with a PAgP mode of auto so that it responds only to PAgP negotiations. Example A-10 and Example A-11 show the configurations required on Switch-C and Switch-D.

Example A-10. Configuring EtherChannel on Switch-C
  Switch-C# configure terminal
  Enter configuration commands, one per line.  End with CNTL/Z.
  Switch-C(config)# interface range FastEthernet 0/3 - 4
  Switch-C(config-if-range)# channel-group 1 mode desirable

Example A-11. Configuring EtherChannel on Switch-D
  Switch-D# configure terminal
  Enter configuration commands, one per line.  End with CNTL/Z.
  Switch-D(config)# interface range FastEthernet 0/3 - 4
  Switch-D(config-if-range)# channel-group 1 mode auto

Step 4.

Configure trunks for all Inter-Switch Links (ISLs) in the network as follows:

  • Trunks between the core switches (Switch-A and Switch-B) must tag all frames with an appropriate VLAN ID. Configure Dynamic Trunking Protocol (DTP) so that the trunk always comes up.

  • All other trunks should be configured with a standards-based trunking protocol and should always try to actively negotiate trunking where possible.

For the trunk between Switch-A and Switch-B, all frames must be tagged, which requires ISL trunking, because 802.1Q trunks do not tag traffic sent on the native VLAN. A DTP mode of on must also be configured on both switches so that the trunk always comes up.

All other switches must be configured with 802.1Q trunks, because 802.1Q is a standards-based protocol, and must all be configured to operate in a DTP mode of desirable to ensure trunks are always actively negotiated.

Example A-12 and Example A-13 show the configuration required on Switch-A and Switch-B for the ISL trunk that must be configured between them, as well as the 802.1Q trunks that must be configured to Switch-C and Switch-D. Refer to the examples at the end of this appendix for the trunk configurations of the other switches.

Example A-12. Configuring Trunking on Switch-A
  Switch-A# configure terminal
  Enter configuration commands, one per line.  End with CNTL/Z.
  Switch-A(config)# interface range GigabitEthernet 1/1 - 2
  Switch-A(config-if-range)# switchport trunk encapsulation isl
  Switch-A(config-if-range)# switchport mode trunk
  Switch-A(config-if-range)# exit
  Switch-A(config)# interface range FastEthernet 2/1 - 2
  Switch-A(config-if-range)# switchport trunk encapsulation dot1q
  Switch-A(config-if-range)# switchport mode dynamic desirable

Example A-13. Configuring Trunking on Switch-B
  Switch-B> (enable) set trunk 1/1 on isl
  Port(s)  1/1 trunk mode set to on.
  Port(s)  1/1 trunk type set to isl.
  Switch-B> (enable) set trunk 1/2 on isl
  Port(s)  1/2 trunk mode set to on.
  Port(s)  1/2 trunk type set to isl.
  Switch-B> (enable) set trunk 2/1 desirable dot1q
  Port(s)  2/1 trunk mode set to desirable.
  Port(s)  2/1 trunk type set to dot1q.
  Switch-B> (enable) set trunk 2/2 desirable dot1q
  Port(s)  2/2 trunk mode set to desirable.
  Port(s)  2/2 trunk type set to dot1q.

When configuring trunks on CatOS, you must configure each trunk port separately, as shown in Example A-13. You can configure a range of trunk ports only when you disable trunking (i.e., configure a mode of off).

Once configuration is complete, verify each trunk. Example A-14 and Example A-15 demonstrate verifying that each trunk is functioning on a Cisco IOS-based switch (Switch-A) and a CatOS-based switch (Switch-B).

Example A-14. Verifying Trunking on Switch-A
  Switch-A# show interface trunk

  Port      Mode         Encapsulation  Status        Native vlan
  Gi1/1     on           isl            trunking      1
  Gi1/2     on           isl            trunking      1
  Fa2/1     desirable    802.1q         trunking      1
  Fa2/2     desirable    802.1q         trunking      1
  ... <output truncated> ...

Example A-15. Verifying Trunking on Switch-B
  Switch-B> (enable) show trunk
  * - indicates vtp domain mismatch
  Port      Mode         Encapsulation  Status        Native vlan
  --------  -----------  -------------  ------------  -----------
   1/1      on           isl            trunking      1
   1/2      on           isl            trunking      1
   2/1      desirable    dot1q          trunking      1
   2/2      desirable    dot1q          trunking      1
  15/1      nonegotiate  isl            trunking      1
  ... <output truncated> ...

Notice in Example A-15 that port 15/1 is currently trunking. This port represents the internal port to the MSFC-2 that is installed on the Supervisor 2 of Switch-B.

VLAN Configuration Solution

Step 1.

Configure VLAN Trunking Protocol (VTP) parameters as follows:

  • Switch-A, Switch-B, and Switch-F should belong to a VTP domain called "ciscolab."

  • All VTP communications must be secured.

  • All other switches must be configured to belong to a VTP domain called "ccnp."

  • Switch-D should ignore VTP messages, but must propagate them to other switches.

  • All VTP communications must be secured.

  • Broadcast and multicast traffic within each VLAN should be propagated only to switches that connect active hosts on the VLAN.

  • Switch-A and Switch-C can write only to the VLAN database. All other switches must be able to read only the VLAN database.

The previous bullet list requires two VTP domains to be configured. Such a configuration is not normally the case in a LAN infrastructure under common administrative control; however, this lab is designed to thoroughly test your knowledge and understanding of LAN switching, hence the unorthodox configuration requirements described here. When switches reside in separate VTP domains, be aware of several key considerations:

  • VLAN database information cannot be shared between different VTP domains. You must configure any VLAN requirements for this lab separately for each VTP domain.

  • Under certain conditions, trunks will not form between switches in different VTP domains. This situation occurs when a trunk is configured with a DTP mode of desirable or auto, because these modes include VTP domain information. Therefore, for any trunks configured between switches in different VTP domains, you must configure a DTP mode of on to ensure trunks are maintained.

  • When a switch is operating in VTP transparent mode, VTP version 2 must be configured to allow the transparent switch to propagate VTP messages from a different VTP domain to the VTP domain configured locally.

Because Switch-A is permitted read and write access to the VLAN database for the ciscolab VTP domain, it must be configured as a VTP server. Similarly, Switch-C must be configured as a VTP server in the ccnp VTP domain. All other switches (excluding Switch-D) are configured as VTP clients in their respective VTP domains, because VTP clients are permitted only read access to the VLAN database.

Switch-D must be configured with a VTP mode of transparent because it must ignore all VTP messages but still propagate them to other switches. Switch-D is to be configured with a VTP domain of ccnp; however, it is located between Switch-B and Switch-F, which are both in the ciscolab VTP domain. To ensure VTP messages from the ciscolab domain are propagated between Switch-B and Switch-F, VTP version 2 must be configured on Switch-D.

The other requirements are for VTP communications to be secured and for broadcast and multicast traffic in a VLAN to be propagated only to switches with active hosts within the VLAN. This configuration requires configuring VTP passwords and VTP pruning on all switches (except Switch-D).

Example A-16 shows the VTP configuration required on Switch-A, along with the reconfiguration of trunks to Switch-C and Switch-D (both of which are configured with a different VTP domain name).

Example A-16. Configuring VTP on Switch-A
  Switch-A# configure terminal
  Enter configuration commands, one per line.  End with CNTL/Z.
  Switch-A(config)# vtp domain ciscolab
  Changing VTP domain name from null to ciscolab
  Switch-A(config)# vtp mode server
  Setting device to VTP SERVER mode
  Switch-A(config)# vtp password cisco
  Setting device VLAN database password to cisco.
  Switch-A(config)# vtp pruning
  Pruning switched on
  Switch-A(config)# interface range FastEthernet 2/1 - 2
  Switch-A(config-if-range)# switchport mode trunk

In Example A-16, the final switchport mode trunk command configures a DTP mode of on, which ensures the trunks to Switch-C and Switch-D form.

Example A-17 shows the VTP and trunk configuration required on Switch-B, which is identical to the configuration required on Switch-F because both switches are CatOS switches in the ciscolab domain and both are VTP clients.

Example A-17. Configuring VTP on Switch-B
  Switch-B> (enable) set vtp domain ciscolab
  VTP domain ciscolab modified
  Switch-B> (enable) set vtp pruning enable
  This command will enable the pruning function in the entire management domain.
  All devices in the management domain should be pruning-capable before enabling.
  Do you want to continue (y/n) [n]? y
  VTP domain ciscolab modified
  Switch-B> (enable) set vtp passwd cisco
  Generating MD5 secret for the password ....
  VTP domain ciscolab modified
  Switch-B> (enable) set vtp mode client
  VTP domain ciscolab modified
  Switch-B> (enable) set trunk 2/1 on dot1q
  Port(s)  2/1 trunk mode set to on.
  Port(s)  2/1 trunk type set to dot1q.
  Switch-B> (enable) set trunk 2/2 on dot1q
  Port(s)  2/2 trunk mode set to on.
  Port(s)  2/2 trunk type set to dot1q.

In Example A-17, you don't actually need to enable VTP pruning, because this feature is automatically learned from Switch-A (a VTP server).

On Switch-C, you need to apply the same configuration applied to Switch-A (see Example A-16); however, you must configure a VTP domain name of ccnp. You must also configure the trunks to Switch-A, Switch-B, and Switch-F with a DTP mode of on to ensure the trunks form. The configuration on Switch-E is the same as that configured on Switch-C, except you must configure a VTP mode of client instead of server and you do not need to modify the configuration of any trunks because each trunk connects to a switch in the ccnp VTP domain.

Finally, Example A-18 shows the VTP and trunk configuration required on Switch-D.

Example A-18. Configuring VTP on Switch-D
  Switch-D# configure terminal
  Enter configuration commands, one per line.  End with CNTL/Z.
  Switch-D(config)# vtp domain ccnp
  Changing VTP domain name from null to ccnp
  Switch-D(config)# vtp version 2
  Switch-D(config)# vtp mode transparent
  Setting device to VTP TRANSPARENT mode
  Switch-D(config)# interface range FastEthernet 0/1 - 2 , FastEthernet0/6
  Switch-D(config-if-range)# switchport mode trunk

In Example A-18, notice that VTP version 2 is configured to ensure that Switch-D propagates VTP messages for the ciscolab domain sent from Switch-B to Switch-F. The last configuration of Example A-18 configures each trunk connected to a switch in the ciscolab domain with a DTP mode of on to ensure the trunks form.

Once your VTP configurations are in place, verify that all trunks are still functioning using the show trunk command (CatOS) and show interface trunk command (Cisco IOS).

Step 2.

Create the following VLANs, each with the name indicated in parentheses:

  • VLAN 10 (management)

  • VLAN 100 (servers100)

  • VLAN 101 (servers101)

  • VLAN 200 (users200)

  • VLAN 201 (users201)

  • VLAN 202 (phones)

For this task, create the VLANs on the VTP servers in each VTP domain (remember, you can't create VLANs on VTP clients). You also need to create the VLANs on Switch-D because Switch-D is operating in VTP transparent mode and, therefore, uses only a locally configured VLAN database. Example A-19 demonstrates the configuration required on Switch-A, which is a VTP server for the ciscolab domain. The exact same configuration is also required on Switch-C (VTP server for ccnp domain) and on Switch-D.

TIP

VTP communications are passed only over trunk interfaces, so you must verify in advance that all trunks are working to ensure that the VLAN information is propagated to all switches.


Example A-19. Configuring VLANs on Switch-A
  Switch-A# configure terminal
  Enter configuration commands, one per line.  End with CNTL/Z.
  Switch-A(config)# vlan 10
  Switch-A(config-vlan)# name management
  Switch-A(config-vlan)# exit
  Switch-A(config)# vlan 100
  Switch-A(config-vlan)# name servers100
  Switch-A(config-vlan)# exit
  Switch-A(config)# vlan 101
  Switch-A(config-vlan)# name servers101
  Switch-A(config-vlan)# exit
  Switch-A(config)# vlan 200
  Switch-A(config-vlan)# name users200
  Switch-A(config-vlan)# exit
  Switch-A(config)# vlan 201
  Switch-A(config-vlan)# name users201
  Switch-A(config-vlan)# exit
  Switch-A(config)# vlan 202
  Switch-A(config-vlan)# name phones
  Switch-A(config-vlan)# exit

Once complete, verify your configuration is correct on each VTP server and on all other VTP client switches to ensure VTP is working correctly. Also verify the VLAN configuration is correct on Switch-D. The real test that everything is configured correctly is to verify that all VLANs are present in the VLAN database of Switch-F, because VTP messages must be propagated through Switch-D to Switch-F. Example A-20 demonstrates verifying VLAN configuration on Switch-F.

Example A-20. Verifying VLAN Configuration on Switch-F
  Switch-F> (enable) show vlan
  VLAN Name                             Status    IfIndex Mod/Ports, Vlans
  ---- -------------------------------- --------- ------- -----------------------
  1    default                          active    4       2/1-50
  10   management                       active    62
  100  servers100                       active    63
  101  servers101                       active    64
  200  users200                         active    65
  201  users201                         active    66
  202  phones                           active    67
  1002 fddi-default                     active    5
  1003 trcrf-default                    active    6
  1004 fddinet-default                  active    7       2003
  1005 trbrf-default                    active
  ... <Output truncated> ...

As you can see, each VLAN is present in the VLAN database on Switch-F. This output confirms that Switch-D is propagating VTP messages from Switch-B to Switch-F.

Step 3.

On Switch-A and Switch-B, configure the following VLAN memberships for each interface:

  • VLAN 100 Ports 2/3 to 2/24

  • VLAN 101 Ports 2/25 to 2/47

Once the VLAN database has been populated via VTP, you can assign ports to VLANs. Example A-21 and Example A-22 show the configuration required on Switch-A and Switch-B.

Example A-21. Configuring VLAN Port Membership on Switch-A
  Switch-A# configure terminal
  Enter configuration commands, one per line.  End with CNTL/Z.
  Switch-A(config)# interface range FastEthernet 2/3 - 24
  Switch-A(config-if-range)# switchport access vlan 100
  Switch-A(config-if-range)# exit
  Switch-A(config)# interface range FastEthernet 2/25 - 47
  Switch-A(config-if-range)# switchport access vlan 101

Example A-22. Configuring VLAN Port Membership on Switch-B
  Switch-B> (enable) set vlan 100 2/3-24
  VLAN 100 modified.
  VLAN 1 modified.
  VLAN  Mod/Ports
  ---- -----------------------
  100   2/3-24
  Switch-B> (enable) set vlan 101 2/25-47
  VLAN 101 modified.
  VLAN 1 modified.
  VLAN  Mod/Ports
  ---- -----------------------
  101   2/25-47

Once you have completed your configuration, verify the new VLAN port membership settings. Example A-23 demonstrates verifying VLAN port membership on Switch-B.

Example A-23. Verifying VLAN Port Membership on Switch-B
  Switch-B> (enable) show vlan
  VLAN Name                             Status    IfIndex Mod/Ports, Vlans
  ---- -------------------------------- --------- ------- ------------------------
  1    default                          active    5       1/1-2
                                                          2/1-2,2/48
  10   management                       active    37
  100  servers100                       active    38      2/3-24
  101  servers101                       active    39      2/25-47
  ... <output truncated> ...

Step 4.

On Switch-E, configure the following VLAN memberships for each interface:

  • VLAN 200 Fa0/3 to Fa0/12

  • VLAN 201 Fa0/13 to Fa0/24

Once the VLAN database has been populated via VTP, you can assign ports to VLANs. Example A-24 shows the configuration required on Switch-E to meet the configuration task.

Example A-24. Configuring VLAN Port Membership on Switch-E
  Switch-E# configure terminal
  Enter configuration commands, one per line.  End with CNTL/Z.
  Switch-E(config)# interface range fa0/3 - 12
  Switch-E(config-if-range)# switchport access vlan 200
  Switch-E(config-if-range)# exit
  Switch-E(config)# interface range fa0/13 - 24
  Switch-E(config-if-range)# switchport access vlan 201
  Switch-E(config-if-range)# end

Once you have completed your configuration, verify the new VLAN port membership settings. Example A-25 demonstrates verifying VLAN port membership on Switch-E.

Example A-25. Verifying VLAN Port Membership on Switch-E
  Switch-E# show vlan

  VLAN Name                             Status    Ports
  ---- -------------------------------- --------- -------------------------------
  1    default                          active
  10   management                       active
  100  servers100                       active
  101  servers101                       active
  200  users200                         active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                  Fa0/7, Fa0/8, Fa0/9, Fa0/10
                                                  Fa0/11, Fa0/12
  201  users201                         active    Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                                  Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                                  Fa0/21, Fa0/22, Fa0/23, Fa0/24
  ... <output truncated> ...

Step 5.

On Switch-F, configure the following VLAN memberships for each interface:

  • VLAN 200 2/3 to 2/12

  • VLAN 201 2/13 to 2/24

  • Disable ports 2/25 to 2/48

Example A-26 shows the configuration required on Switch-F to meet the configuration task.

Example A-26. Configuring VLAN Port Membership on Switch-F
  Switch-F> (enable) set vlan 200 2/3-12
  VLAN 200 modified.
  VLAN 1 modified.
  VLAN  Mod/Ports
  ---- -----------------------
  200   2/3-12
  Switch-F> (enable) set vlan 201 2/13-24
  VLAN 201 modified.
  VLAN 1 modified.
  VLAN  Mod/Ports
  ---- -----------------------
  201   2/13-24
  Switch-F> (enable) set port disable 2/25-48
  Ports 2/25-48 disabled.

Step 6.

On all switches, configure all 802.1Q trunks so that any traffic sent on VLAN 10 is not tagged.

On 802.1Q trunks, traffic sent on the native VLAN is not tagged. By default, VLAN 1 is the native VLAN, so you must explicitly configure the native VLAN for each trunk as VLAN 10. To configure the native VLAN on CatOS, you simply change the access VLAN the trunk ports are configured for to the desired native VLAN. On Cisco IOS you must configure the trunking native VLAN as a separate entity, rather than changing the access VLAN of a trunk interface. Example A-27 and Example A-28 demonstrate the configuration required on Switch-C (Cisco IOS) and Switch-F (CatOS).

Example A-27. Configuring the Native VLAN for Trunks on Switch-C
  Switch-C# configure terminal
  Enter configuration commands, one per line.  End with CNTL/Z.
  Switch-C(config)# interface range FastEthernet 0/1 - 6
  Switch-C(config-if-range)# switchport trunk native vlan 10

Example A-28. Configuring the Native VLAN for Trunks on Switch-F
  Switch-F> (enable) set vlan 10 2/1-2
  VLAN 10 modified.
  VLAN 1 modified.
  VLAN  Mod/Ports
  ---- -----------------------
  10    2/1-2

The configurations just listed must be applied on all 802.1Q trunks between all switches in the network. Once you have completed your configuration, verify the native VLAN settings on all switches. Native VLAN mismatches can cause many headaches and wasted time spent troubleshooting, so if you are changing the native VLAN from the default VLAN 1, make sure you thoroughly verify all trunks in the switched network.

Example A-29 and Example A-30 demonstrate verifying native VLAN configuration on Switch-C (Cisco IOS) and Switch-F (CatOS).

Example A-29. Verifying Native VLAN Configuration on Switch-C
  Switch-C# show interface trunk

  Port      Mode         Encapsulation  Status        Native vlan
  Fa0/1     on           802.1q         trunking      10
  Fa0/2     on           802.1q         trunking      10
  Fa0/3     desirable    802.1q         trunking      10
  Fa0/4     desirable    802.1q         trunking      10
  Fa0/5     desirable    802.1q         trunking      10
  Fa0/6     on           802.1q         trunking      10
  ... <output truncated> ...

Example A-30. Verifying Native VLAN Configuration on Switch-F
  Switch-F> (enable) show trunk
  * - indicates vtp domain mismatch
  Port      Mode         Encapsulation  Status        Native vlan
  --------  -----------  -------------  ------------  -----------
   2/1      on           dot1q          trunking      10
   2/2      on           dot1q          trunking      10
  ... <Output truncated> ...
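The native VLAN verification the previous step calls for, written as an added Python audit script that is not part of this appendix: it parses both the Cisco IOS show interface trunk format (Example A-29) and the CatOS show trunk format (Example A-30) and reports any 802.1Q trunk whose native VLAN differs from the expected VLAN 10, plus any port that is not actually trunking. The sample output is constructed for the example, with one port deliberately left at the default native VLAN 1 and one left non-trunking; ISL trunks are skipped because ISL tags every frame.

```python
import re

# Constructed sample output in the shape of Example A-29 (Cisco IOS). Fa0/5 is
# deliberately shown as not-trunking so the audit has something to report.
IOS_SHOW_INTERFACE_TRUNK = """\
Port      Mode         Encapsulation  Status        Native vlan
Fa0/1     on           802.1q         trunking      10
Fa0/2     on           802.1q         trunking      10
Fa0/3     desirable    802.1q         trunking      10
Fa0/4     desirable    802.1q         trunking      10
Fa0/5     desirable    802.1q         not-trunking  10
Fa0/6     on           802.1q         trunking      10
"""

# Constructed sample output in the shape of Example A-30 (CatOS). Port 2/2 was
# deliberately left at native VLAN 1, the classic native VLAN mismatch.
CATOS_SHOW_TRUNK = """\
* - indicates vtp domain mismatch
Port      Mode         Encapsulation  Status        Native vlan
--------  -----------  -------------  ------------  -----------
 1/1      on           isl            trunking      1
 2/1      on           dot1q          trunking      10
 2/2      on           dot1q          trunking      1
15/1      nonegotiate  isl            trunking      1
"""

# One data row in either format: port, mode, encapsulation, status, native VLAN.
# Header, legend and dashed separator lines fail the trailing \d+ and are skipped.
TRUNK_LINE = re.compile(
    r"^\s*(?P<port>\S+)\s+(?P<mode>\S+)\s+(?P<encap>\S+)\s+"
    r"(?P<status>\S+)\s+(?P<native>\d+)\s*$"
)

DOT1Q_ENCAPS = ("dot1q", "802.1q")  # CatOS and IOS spellings


def parse_trunks(output):
    """Return one dict per trunk port parsed from either CLI format."""
    trunks = []
    for line in output.splitlines():
        match = TRUNK_LINE.match(line)
        if not match:
            continue
        record = match.groupdict()
        record["native"] = int(record["native"])
        trunks.append(record)
    return trunks


def check_native_vlan(switch, output, expected_native):
    """Audit one switch's trunk output against the Step 6 requirement.

    Reports: any port whose status is not 'trunking' (the trunk never formed),
    and any 802.1Q trunk whose native VLAN is not expected_native. ISL trunks
    carry no untagged traffic, so their native VLAN column is ignored.
    """
    findings = []
    for trunk in parse_trunks(output):
        port = trunk["port"]
        if trunk["status"] != "trunking":
            findings.append(f"{switch} {port}: status {trunk['status']}")
        if trunk["encap"] in DOT1Q_ENCAPS and trunk["native"] != expected_native:
            findings.append(
                f"{switch} {port}: native VLAN {trunk['native']}, expected {expected_native}"
            )
    return findings


def link_native_mismatch(end_a, end_b):
    """True when the two ends of one 802.1Q link disagree on the native VLAN.

    Untagged frames sent on one end's native VLAN would then be delivered into
    a different VLAN on the far end, which is why the step insists on verifying
    every trunk after changing the native VLAN from the default.
    """
    both_dot1q = end_a["encap"] in DOT1Q_ENCAPS and end_b["encap"] in DOT1Q_ENCAPS
    return both_dot1q and end_a["native"] != end_b["native"]


if __name__ == "__main__":
    for finding in check_native_vlan("Switch-C", IOS_SHOW_INTERFACE_TRUNK, 10):
        print(finding)
    for finding in check_native_vlan("Switch-F", CATOS_SHOW_TRUNK, 10):
        print(finding)
```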

Spanning Tree Configuration Solution

Step 1.

Configure spanning tree so that Switch-A is the root bridge for all even VLANs and Switch-B is the root bridge for all odd VLANs. Switch-A should be configured as the secondary root bridge for all odd VLANs, and Switch-B should be configured as the secondary root bridge for all even VLANs. Configure spanning-tree timers so that the convergence time of the topology is optimal, without placing any additional CPU load on each switch.

For this task, you must ensure that Switch-A is the root for all even VLANs, which includes VLANs 10, 100, 200, and 202. Similarly, you must ensure that Switch-B is the root for all odd VLANs (VLANs 1, 101, and 201). You apply this configuration to introduce Spanning Tree Protocol (STP) load sharing: traffic on even VLANs flows over different ISLs than traffic on odd VLANs.

If you consider the requirements, to minimize the convergence time you must reduce the spanning-tree timers based upon the spanning-tree topology. You can reduce STP timers by specifying a network diameter of less than seven and/or by reducing the hello timer from 2 seconds to 1 second. In this lab, the network diameter is four (e.g., Switch-A to Switch-C to Switch-D to Switch-E). Because you must not increase the CPU load on the switches, you must not lower the hello timer (i.e., 1 second instead of 2 seconds), as that doubles the BPDU rate. Use the spanning-tree vlan root macro command and specify a network diameter of four so that the switch calculates the correct STP timers.

Example A-31 shows the STP configuration required on Switch-A.

Example A-31. Configuring STP on Switch-A
Switch-A# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch-A(config)# spanning-tree vlan 10 root primary diameter 4
% This switch is already the root bridge of the VLAN0010 spanning tree
 vlan 10 bridge priority set to 24576
 vlan 10 bridge max aging time set to 14
 vlan 10 bridge hello time unchanged at 2
 vlan 10 bridge forward delay set to 10
Switch-A(config)# spanning-tree vlan 100 root primary diameter 4
% This switch is already the root bridge of the VLAN0100 spanning tree
 vlan 100 bridge priority set to 24576
 vlan 100 bridge max aging time set to 14
 vlan 100 bridge hello time unchanged at 2
 vlan 100 bridge forward delay set to 10
Switch-A(config)# spanning-tree vlan 200 root primary diameter 4
% This switch is already the root bridge of the VLAN0200 spanning tree
 vlan 200 bridge priority set to 24576
 vlan 200 bridge max aging time set to 14
 vlan 200 bridge hello time unchanged at 2
 vlan 200 bridge forward delay set to 10
Switch-A(config)# spanning-tree vlan 202 root primary diameter 4
% This switch is already the root bridge of the VLAN0202 spanning tree
 vlan 202 bridge priority set to 24576
 vlan 202 bridge max aging time set to 14
 vlan 202 bridge hello time unchanged at 2
 vlan 202 bridge forward delay set to 10
Switch-A(config)# spanning-tree vlan 1 root secondary diameter 4
 vlan 1 bridge priority set to 28672
 vlan 1 bridge max aging time set to 14
 vlan 1 bridge hello time unchanged at 2
 vlan 1 bridge forward delay set to 10
Switch-A(config)# spanning-tree vlan 101 root secondary diameter 4
 vlan 101 bridge priority set to 28672
 vlan 101 bridge max aging time set to 14
 vlan 101 bridge hello time unchanged at 2
 vlan 101 bridge forward delay set to 10
Switch-A(config)# spanning-tree vlan 201 root secondary diameter 4
 vlan 201 bridge priority set to 28672
 vlan 201 bridge max aging time set to 14
 vlan 201 bridge hello time unchanged at 2
 vlan 201 bridge forward delay set to 10
Switch-A(config)# exit
Switch-A# show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    24586
             Address     0009.b7aa.9c80
             This bridge is the root
             Hello Time   2 sec  Max Age 14 sec  Forward Delay 10 sec

  Bridge ID  Priority    24586  (priority 24576 sys-id-ext 10)
             Address     0009.b7aa.9c80
             Hello Time   2 sec  Max Age 14 sec  Forward Delay 10 sec
             Aging Time 300

Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Po1              128.65           4 FWD         0 24586 0009.b7aa.9c80 128.65
Fa2/1            128.65          12 FWD         0 24586 0009.b7aa.9c80 128.3
Fa2/2            128.65          12 FWD         0 24586 0009.b7aa.9c80 128.4

In Example A-31, the show spanning-tree vlan 10 command is used to get the bridge ID of Switch-A in VLAN 10 (0009.b7aa.9c80). You need this information when you verify the spanning-tree topology. Because the designated root matches the local bridge ID, Switch-A is the root bridge for this VLAN.

Notice that the priority of Switch-A for VLAN 10 is 24586, which indicates that the extended system ID feature (also known as MAC address reduction) is in use. When the extended system ID feature is not used, the root macro sets the root bridge priority to 8192 and the secondary root bridge priority to 16384. On Switch-B, the extended system ID feature (referred to as MAC address reduction on CatOS) is not enabled by default because the Catalyst 6509 Supervisor 2 is assigned 1024 MAC addresses and, therefore, does not need MAC address reduction. So, if Switch-B is configured as the secondary root bridge using the root macro command, it actually becomes the root bridge, because its priority is set to 16384, which is lower than the priority on Switch-A. To avoid situations like this, ensure that the MAC address reduction feature is either enabled or disabled consistently on all switches in the network. For this lab, you need to enable MAC address reduction because the Catalyst 3550 switch requires its use. Therefore, on Switch-B and Switch-F (the CatOS switches), ensure that MAC address reduction is enabled.

NOTE

The root and secondary root macro commands are useful tools; however, you should never depend on them completely because they may not operate as you expect in some environments. The preceding paragraph gives a good example: MAC address reduction being enabled on a root bridge but not on a secondary root bridge causes the secondary root bridge to actually become the root bridge. A good way of using the macro commands is to configure them first, to ensure the correct timers are configured based upon the Hello time and network diameter of your environment, and then to manually configure the bridge priority on your root bridge and secondary root bridges to a very low value (e.g., 100 for the root, 200 for the secondary). This approach ensures that the root and secondary root bridges are the switches you expect them to be and that the spanning-tree timers are correctly configured.


Example A-32 shows the spanning-tree configuration required on Switch-B.

Example A-32. Configuring STP on Switch-B
Switch-B> (enable) set spantree macreduction enable
MAC address reduction enabled
Switch-B> (enable) set spantree root 1,101,201 dia 4
VLANs 1,101,201 bridge priority set to 24576.
VLANs 1,101,201 bridge max aging time set to 14.
VLANs 1,101,201 bridge hello time set to 2.
VLANs 1,101,201 bridge forward delay set to 10.
Switch is now the root switch for active VLANs 1,101,201.
Switch-B> (enable) set spantree root secondary 10,100,200,202 dia 4
VLANs 10,100,200,202 bridge priority set to 28672.
VLANs 10,100,200,202 bridge max aging time set to 14.
VLANs 10,100,200,202 bridge hello time set to 2.
VLANs 10,100,200,202 bridge forward delay set to 10.
Switch-B> (enable) show spantree 1
VLAN 1
Spanning tree mode          PVST+
Spanning tree type          ieee
Spanning tree enabled

Designated Root             00-30-24-48-d4-00
Designated Root Priority    24577
Designated Root Cost        0
Designated Root Port        1/0
Root Max Age   14 sec   Hello Time 2  sec   Forward Delay 10 sec

Bridge ID MAC ADDR          00-30-24-48-d4-00
Bridge ID Priority          24577  (bridge priority: 24576, sys ID ext: 1)
Bridge Max Age 14 sec   Hello Time 2  sec   Forward Delay 10 sec
...
... <Output Truncated>

In Example A-32, the show spantree 1 command is used to get the bridge ID of Switch-B in VLAN 1 (00-30-24-48-d4-00). Because the designated root matches the local bridge ID, Switch-B is the root bridge for VLAN 1. Again, you need this information when you verify the spanning-tree topology.

As a final verification step, verify on another non-root bridge in the network that the correct root bridges and timers have been propagated. Example A-33 demonstrates verifying the STP configuration for an odd and even VLAN on Switch-E.

Example A-33. Verifying STP on Switch-E
Switch-E# show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     0030.2448.d400
             Cost        38
             Port        1 (FastEthernet0/1)
             Hello Time   2 sec  Max Age 14 sec  Forward Delay 10 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0009.b7ad.2764
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 10

Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/1            128.1           38 FWD        19 32769 0009.2448.d400  128.5
Fa0/2            128.2           38 BLK        19 32769 0009.7483.aba1  128.5
Switch-E# show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    24586
             Address     0009.b7aa.9c80
             Cost        38
             Port        1 (FastEthernet0/1)
             Hello Time   2 sec  Max Age 14 sec  Forward Delay 10 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0009.b7ad.2764
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 10

Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/1            128.1           38 FWD        19 32769 0009.2448.d400  128.5
Fa0/2            128.2           38 BLK        19 32769 0009.7483.aba1  128.5

In Example A-33, you can see that Switch-B (0030.2448.d400) is the root bridge for VLAN 1 (an odd VLAN), while Switch-A (0009.b7aa.9c80) is the root for VLAN 10 (an even VLAN), as indicated by the Root ID address in each output. Notice that the timers in use (shown under Root ID) override the locally configured timers on Switch-E (shown under Bridge ID), because all non-root bridges inherit the STP timers carried in the BPDUs sent by the root bridge.

Step 2.

Configure the network such that all traffic within even VLANs follows the most optimal path towards the root bridge for even VLANs (Switch-A). Ensure that all traffic within odd VLANs follows the most optimal path towards the root bridge for odd VLANs (Switch-B).

If you refer back to Example A-33, notice that for the odd and even VLANs, the forwarding port (root port) on Switch-E is the same (Fa0/1). This is indicated by the Port description in the section that describes the root bridge for each VLAN, as well as in the section that describes each interface. This setting means that from Switch-E, all non-local traffic (odd and even VLANs) is forwarded over the Fa0/1 link under normal conditions; in other words, load sharing is not occurring.

NOTE

For all switches that are directly connected to the root bridges (i.e., Switch-C and Switch-D), load sharing occurs because the root bridge is directly connected and has direct influence over each path.


Because all switches except Switch-E and Switch-F are directly connected to the root bridges, you need to configure only Switch-E and Switch-F for STP load sharing (however, it is good practice to configure all switches that have redundant paths to the root bridge). The recommended approach to implementing STP load sharing is to use per-VLAN port cost. Example A-34 demonstrates how to configure Switch-E to enable STP load sharing.

Example A-34. Configuring STP Load Sharing on Switch-E
Switch-E# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch-E(config)# interface FastEthernet 0/1
Switch-E(config-if)# spanning-tree vlan 1 cost 10000
Switch-E(config-if)# spanning-tree vlan 101 cost 10000
Switch-E(config-if)# spanning-tree vlan 201 cost 10000
Switch-E(config-if)# exit
Switch-E(config)# interface FastEthernet 0/2
Switch-E(config-if)# spanning-tree vlan 10 cost 10000
Switch-E(config-if)# spanning-tree vlan 100 cost 10000
Switch-E(config-if)# spanning-tree vlan 200 cost 10000
Switch-E(config-if)# spanning-tree vlan 202 cost 10000
Switch-E(config-if)# end

Example A-35 demonstrates how to configure Switch-F to enable STP load sharing.

Example A-35. Configuring STP Load Sharing on Switch-F
Switch-F> (enable) set spantree portvlancost 2/1 cost 10000 1,101,201
Port 2/1 VLANs 2-100,102-200,202-1005,1025-4094 have path cost 19.
Port 2/1 VLANs 1,101,201 have path cost 10000.
This parameter applies to trunking ports only.
Switch-F> (enable) set spantree portvlancost 2/2 cost 10000 10,100,200,202
Port 2/2 VLANs 1-9,11-99,101-199,201,203-1005,1025-4094 have path cost 19.
Port 2/2 VLANs 10,100,200,202 have path cost 10000.
This parameter applies to trunking ports only.

Example A-36 demonstrates how to verify that Switch-E is implementing STP load sharing.

Example A-36. Verifying STP Load Sharing on Switch-E
Switch-E# show spanning-tree vlan 1

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     0030.2448.d400
             Cost        38
             Port        2 (FastEthernet0/2)
             Hello Time   2 sec  Max Age 14 sec  Forward Delay 10 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0009.b7ad.2764
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 10

Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/1            128.1        10000 BLK        19 32769 0009.2448.d400  128.5
Fa0/2            128.2           38 FWD        19 32769 0009.7483.aba1  128.5
Switch-E# show spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol ieee
  Root ID    Priority    24586
             Address     0009.b7aa.9c80
             Cost        38
             Port        1 (FastEthernet0/1)
             Hello Time   2 sec  Max Age 14 sec  Forward Delay 10 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0009.b7ad.2764
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 10

Interface        Port ID                     Designated                Port ID
Name             Prio.Nbr      Cost Sts      Cost Bridge ID            Prio.Nbr
---------------- -------- --------- --- --------- -------------------- --------
Fa0/1            128.1           38 FWD        19 32769 0009.2448.d400  128.5
Fa0/2            128.2        10000 BLK        19 32769 0009.7483.aba1  128.5

If you compare Example A-36 with Example A-33, notice that for VLAN 1 the root port is now the Fa0/2 interface to Switch-D, while for VLAN 10 the root port is still the Fa0/1 interface. This change indicates that spanning tree load sharing has been configured.
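To verify the Step 1 and Step 2 policy across every VLAN at once rather than by eye, the following added Python example (not part of the original appendix) parses show spanning-tree vlan output in the layout of Examples A-33 and A-36 and reports any VLAN whose root bridge, root port or timers deviate from the plan. The root bridge MACs, Switch-E port names and diameter-4 timers are the values shown on the page; the policy tables and the sample outputs are constructed assumptions.

```python
"""Audit PVST+ root bridges, root ports and timers from 'show spanning-tree vlan' output.

Added example, not part of the original appendix.  The root bridge MACs, the Switch-E
port names and the diameter-4 timers are the values the lab text shows; the policy
dictionaries and the sample outputs (constructed to mimic Cisco IOS layout) are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Lab policy: Switch-A is root for even VLANs, Switch-B for odd VLANs (Step 1), and after
# Example A-34 Switch-E must reach Switch-A via Fa0/1 and Switch-B via Fa0/2 (Step 2).
ROOT_BY_PARITY = {"even": "0009.b7aa.9c80", "odd": "0030.2448.d400"}
SWITCH_E_ROOT_PORT = {"even": "FastEthernet0/1", "odd": "FastEthernet0/2"}
EXPECTED_TIMERS = (2, 14, 10)  # hello, max age, forward delay for diameter 4, hello 2


@dataclass
class VlanStp:
    vlan: int
    root_mac: str
    root_port: Optional[str]        # None when the local bridge is the root
    timers: Tuple[int, ...]         # (hello, max_age, fwd_delay) advertised by the root


_VLAN_HEADER = re.compile(r"^VLAN(\d{4})[ \t]*$", re.M)
_ROOT_MAC = re.compile(r"Root ID\s+Priority\s+\d+\s+Address\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")
_ROOT_PORT = re.compile(r"Port\s+\d+\s+\(([^)]+)\)")
_TIMERS = re.compile(r"Hello Time\s+(\d+) sec\s+Max Age\s+(\d+) sec\s+Forward Delay\s+(\d+) sec")


def parse_show_spanning_tree(text: str) -> Dict[int, VlanStp]:
    """Parse one or more concatenated 'show spanning-tree vlan N' outputs, keyed by VLAN."""
    parsed: Dict[int, VlanStp] = {}
    parts = _VLAN_HEADER.split(text)          # [preamble, id, body, id, body, ...]
    for vlan_id, body in zip(parts[1::2], parts[2::2]):
        root = _ROOT_MAC.search(body)
        if root is None:
            continue
        # Only the Root ID section carries the root's timers and our root port;
        # the Bridge ID section repeats the locally configured (overridden) timers.
        root_section = body.split("Bridge ID", 1)[0]
        port = _ROOT_PORT.search(root_section)
        timers = _TIMERS.search(root_section)
        parsed[int(vlan_id)] = VlanStp(
            vlan=int(vlan_id),
            root_mac=root.group(1),
            root_port=port.group(1) if port else None,
            timers=tuple(int(t) for t in timers.groups()) if timers else (),
        )
    return parsed


def check_policy(parsed: Dict[int, VlanStp]) -> List[str]:
    """Return one finding per VLAN whose root, root port or timers deviate from the lab policy."""
    findings: List[str] = []
    for vlan, st in sorted(parsed.items()):
        parity = "even" if vlan % 2 == 0 else "odd"
        if st.root_mac != ROOT_BY_PARITY[parity]:
            findings.append(f"VLAN {vlan}: root is {st.root_mac}, expected {ROOT_BY_PARITY[parity]}")
        if st.root_port is not None and st.root_port != SWITCH_E_ROOT_PORT[parity]:
            findings.append(f"VLAN {vlan}: root port {st.root_port}, expected {SWITCH_E_ROOT_PORT[parity]}")
        if st.timers != EXPECTED_TIMERS:
            findings.append(f"VLAN {vlan}: timers {st.timers}, expected {EXPECTED_TIMERS}")
    return findings


def sample_block(vlan: int, root_mac: str, root_port: str) -> str:
    """Constructed 'show spanning-tree vlan' block in Cisco IOS layout (interface table omitted)."""
    return (
        f"VLAN{vlan:04d}\n"
        "  Spanning tree enabled protocol ieee\n"
        f"  Root ID    Priority    {24576 + vlan}\n"
        f"             Address     {root_mac}\n"
        "             Cost        38\n"
        f"             Port        1 ({root_port})\n"
        "             Hello Time   2 sec  Max Age 14 sec  Forward Delay 10 sec\n"
        "\n"
        "  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)\n"
        "             Address     0009.b7ad.2764\n"
        "             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec\n"
        "             Aging Time 10\n\n"
    )


# Switch-E before per-VLAN costs (Example A-33): both VLANs use Fa0/1, so no load sharing.
BEFORE = sample_block(1, "0030.2448.d400", "FastEthernet0/1") + sample_block(10, "0009.b7aa.9c80", "FastEthernet0/1")
# Switch-E after Example A-34 (Example A-36): odd VLAN 1 has moved to Fa0/2.
AFTER = sample_block(1, "0030.2448.d400", "FastEthernet0/2") + sample_block(10, "0009.b7aa.9c80", "FastEthernet0/1")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_policy(parse_show_spanning_tree(text)) or ["policy satisfied"])
```

Feeding it the pasted output of show spanning-tree from each access switch gives a per-VLAN list of deviations instead of a manual comparison of Root ID and Port lines.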

Step 3.

Ensure that all workstation ports attached to VLAN 201 on Switch-E and Switch-F provide network connectivity within a few seconds after being activated. Configure Switch-E and Switch-F so that BPDUs are not sent out these ports by default.

To provide near-instant connectivity for workstations, you need to enable spanning-tree PortFast, disable DTP, and disable PAgP (on Cisco IOS switches, PAgP is off by default) on all interfaces attached to VLAN 201. This configuration should reduce port activation times to around 3-4 seconds, which is the time taken for a port to negotiate Ethernet speed and duplex settings. You must also ensure that BPDUs are not sent out the workstation ports, which requires you to configure the BPDU Filter option. You can enable BPDU Filter globally or on a per-interface basis. When you enable filtering globally, a BPDU received on a PortFast-enabled port immediately takes the port out of the PortFast state. If you enable BPDU Filter on a per-interface basis, received BPDUs are simply ignored. Enabling BPDU Filter globally is the safest option and should be used unless you specifically require the behavior of per-interface BPDU Filter.

Example A-37 shows the required configuration on Switch-E.

Example A-37. Configuring Access Ports on Switch-E
Switch-E# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch-E(config)# spanning-tree portfast bpdufilter default
Switch-E(config)# interface fa0/13
Switch-E(config-if)# switchport mode access
Switch-E(config-if)# spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc. to this
 interface when portfast is enabled, can cause temporary spanning tree loops.
 Use with CAUTION

%Portfast has been configured on FastEthernet0/13 but will only
 have effect when the interface is in a non-trunking mode.
Switch-E(config)# interface range fa0/14 - 24
Switch-E(config-if-range)# switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled

In Example A-37, BPDU Filter is first enabled globally, after which both methods of configuring workstation ports on Cisco IOS switches are demonstrated. You can manually configure each parameter (configuring a switchport mode of access and enabling PortFast), or you can use the switchport host interface configuration command, a macro that configures a switchport mode of access, enables PortFast, and ensures EtherChannel is disabled.

On Switch-F, you must also disable PAgP (EtherChannel) because each port is configured with a PAgP mode of auto by default. Example A-38 shows the required configuration on Switch-F. Again, it is recommended that you configure BPDU Filter globally, as discussed for Switch-E earlier.

Example A-38. Configuring Access Ports on Switch-F
Switch-F> (enable) set spantree global-default bpdu-filter enable
Spantree global-default bpdu-filter enabled on this switch.
Switch-F> (enable) set port channel 2/13 mode off
Port(s) 2/13 channel mode set to off.
Switch-F> (enable) set trunk 2/13 off
Port(s)  2/13 trunk mode set to off.
Switch-F> (enable) set spantree portfast 2/13 enable

Warning: Connecting Layer 2 devices to a fast start port can cause
temporary spanning tree loops. Use with caution.

Spantree port  2/13 fast start enabled.
Switch-F> (enable) set port host 2/14-24
Port(s) 2/14-24 channel mode set to off.

Warning: Connecting Layer 2 devices to a fast start port can cause
temporary spanning tree loops. Use with caution.

Spantree ports 2/14-24 fast start enabled.
Port(s) 2/14-24 trunk mode set to off.

In Example A-38, both methods of configuring workstation ports are demonstrated.

Step 4.

Configure the network so that Switch-E and Switch-F can recover from direct link failures to Switch-C or Switch-D within 3 seconds. Assume that the MAC address tables of Switch-E and Switch-F hold 600 local MAC addresses.

Switch-E and Switch-F are edge switches and, therefore, can be configured with the Cisco UplinkFast spanning-tree enhancement to provide fast convergence in the event of the direct failure of an uplink to the distribution layer switches in the network. UplinkFast is enabled only on edge switches and uses a dummy multicast mechanism to ensure the bridging tables of other switches in the network are synchronized after a redundant uplink has been activated. The dummy multicast rate by default is 150 multicasts per second, which means it would take 4 seconds to synchronize the 600 local MAC addresses on Switch-E and Switch-F. To provide the 3-second failover time, you must alter the dummy multicast rate to 200 multicasts per second.

Example A-39 and Example A-40 show the configuration required on Switch-E and Switch-F.

Example A-39. Configuring UplinkFast on Switch-E
Switch-E# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch-E(config)# spanning-tree uplinkfast
Switch-E(config)# spanning-tree uplinkfast max-update-rate 200
Switch-E(config)# exit
Switch-E# show spanning-tree uplinkfast
UplinkFast is enabled

Station update rate set to 200 packets/sec.

UplinkFast statistics
-----------------------
Number of transitions via uplinkFast (all VLANs)            : 0
Number of proxy multicast addresses transmitted (all VLANs) : 0

Name                 Interface List
-------------------- ------------------------------------
VLAN0001             Fa0/1, Fa0/2(fwd)
VLAN0010             Fa0/1(fwd), Fa0/2
VLAN0100             Fa0/1(fwd), Fa0/2
VLAN0101             Fa0/1, Fa0/2(fwd)
VLAN0200             Fa0/1(fwd), Fa0/2
VLAN0201             Fa0/1, Fa0/2(fwd)
VLAN0202             Fa0/1(fwd), Fa0/2

Example A-40. Configuring UplinkFast on Switch-F
Switch-F> (enable) set spantree uplinkfast enable rate 20
VLANs 1-4094 bridge priority set to 49152.
The port cost and portvlancost of all ports set to above 3000.
Station update rate set to 20 packets/100ms.
uplinkfast all-protocols field set to off.
uplinkfast enabled for bridge.
Switch-F> (enable) show spantree uplinkfast
Station update rate set to 20 packets/100ms.
uplinkfast all-protocols field set to off.
VLAN          port list
-----------------------------------------------
1             2/1,2/2(fwd)
10            2/1(fwd),2/2
100           2/1(fwd),2/2
101           2/1,2/2(fwd)
200           2/1(fwd),2/2
201           2/1,2/2(fwd)
202           2/1(fwd),2/2

In Example A-40, notice that the dummy multicast rate is configured in units of packets per 100 ms on CatOS, unlike Cisco IOS (see Example A-39), where the rate is configured in units of packets per second. The show spanning-tree uplinkfast (Switch-E) and show spantree uplinkfast (Switch-F) commands verify that the update rate is configured correctly and also show the list of candidate root ports for immediate failover (ports with (fwd) next to them are the current active uplinks).

Step 5.

Devices in VLAN 100 and VLAN 101 are attached only to the core switches (Switch-A and Switch-B). Ensure that no spanning-tree instance runs for these VLANs on Switch-C, Switch-D, Switch-E, and Switch-F. You cannot explicitly disable spanning tree on any VLAN for this task.

This configuration task tests your understanding of how far spanning-tree topologies reach when no active hosts are connected to some switches in the network. Although VTP pruning is enabled, which means unknown unicast, broadcast, and multicast traffic for VLANs 100 and 101 is not propagated beyond Switch-A and Switch-B, spanning-tree instances for these VLANs still run on every switch in the network.

NOTE

Because this lab uses multiple VTP domains, VTP pruning will not work as just described. For example, Switch-C is in a different VTP domain from Switch-A and Switch-B, so there is no way for Switch-C to tell Switch-A and Switch-B to prune traffic for VLANs 100 and 101. Similarly, Switch-D is running in VTP transparent mode.


To remove spanning-tree instances on a switch for VLANs that have no active hosts or for which the switch does not need to act as a transit switch, you must clear these VLANs from any trunks on the switch. By default, all VLANs are carried on trunks, which from the perspective of spanning tree creates a port for each VLAN on the trunk. By removing unnecessary VLANs from trunks, these ports no longer appear to spanning tree, which removes the spanning-tree instance for the unnecessary VLAN because no ports are active on the switch for that VLAN.

VLAN 100 and VLAN 101 are not required on Switch-C, Switch-D, Switch-E, or Switch-F; hence, all trunks to these switches should have VLANs 100 and 101 cleared. This step requires configuration on all switches in the network (including Switch-A and Switch-B because they have trunks to Switch-C and Switch-D). Example A-41 and Example A-42 demonstrate the configuration required on Switch-C (Cisco IOS) and Switch-B (CatOS). These configurations must be implemented on all trunks on all other switches in the network.

Example A-41. Clearing VLANs from Trunks on Switch-C
Switch-C# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch-C(config)# interface range FastEthernet 0/1 - 6
Switch-C(config-if-range)# switchport trunk allowed vlan 1,10,200-202,1002-1005

Example A-42. Clearing VLANs from Trunks on Switch-B
Switch-B> (enable) clear trunk 2/1 1-1005,1025-4094
Removing Vlan(s) 1-1005,1025-4094 from allowed list.
Port  2/1 allowed vlans modified to .
Switch-B> (enable) set trunk 2/1 1,10,200-202
Adding vlans 1,10,200-202 to allowed list.
Port(s)  2/1 allowed vlans modified to 1,10,200-202.
Switch-B> (enable) clear trunk 2/2 1-1005,1025-4094
Removing Vlan(s) 1-1005,1025-4094 from allowed list.
Port  2/2 allowed vlans modified to .
Switch-B> (enable) set trunk 2/2 1,10,200-202
Adding vlans 1,10,200-202 to allowed list.
Port(s)  2/2 allowed vlans modified to 1,10,200-202.

Notice on Switch-C (Cisco IOS, Catalyst 3550) that you must include VLANs 1002-1005 in the allowed VLAN list. On Switch-B (CatOS), you must first clear VLANs and then set the permitted VLANs.
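Because this step has to be repeated on every trunk of every switch, an automated audit catches the trunk that was missed or the native VLAN that was cleared by accident. The following added Python example (not from the original appendix) parses the compact VLAN-list syntax that Cisco IOS and CatOS print in Examples A-35, A-41 and A-42 and checks each trunk against the Step 5 rules; the sample allowed lists and the switch-to-platform mapping are constructed assumptions.

```python
"""Audit trunk allowed-VLAN lists against the Step 5 requirement.

Added example, not from the original appendix.  It parses the compact VLAN-list syntax
that Cisco IOS and CatOS print (Examples A-35, A-41 and A-42) and checks each trunk
against the page's rules: VLANs 100 and 101 cleared, native VLAN 10 still allowed, and
VLANs 1002-1005 kept on Catalyst 3550 (Cisco IOS) trunks.  Sample lists are constructed.
"""
from typing import Dict, Iterable, List, Set

CLEARED_VLANS = (100, 101)                      # core-only VLANs that must not ride any trunk
NATIVE_VLAN = 10                                # native VLAN required on all trunks in this lab
IOS_DEFAULT_VLANS = {1002, 1003, 1004, 1005}    # must stay allowed on Catalyst 3550 trunks
CATOS_SWITCHES = {"Switch-B", "Switch-F"}       # assumption: the lab's CatOS switches


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand '1,10,200-202,1002-1005' into the set of VLAN IDs it denotes."""
    vlans: Set[int] = set()
    for item in spec.replace(" ", "").split(","):
        if not item:                      # CatOS prints 'modified to .' for an empty list
            continue
        lo, _, hi = item.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def compress_vlan_list(vlans: Iterable[int]) -> str:
    """Inverse of expand_vlan_list: render a set as the compact form the CLI prints."""
    ranges: List[List[int]] = []
    for v in sorted(set(vlans)):
        if ranges and v == ranges[-1][1] + 1:
            ranges[-1][1] = v             # extend the current contiguous run
        else:
            ranges.append([v, v])         # start a new run
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in ranges)


def check_trunk(port: str, allowed: str, platform: str) -> List[str]:
    """Return findings for one trunk; platform is 'ios' (Catalyst 3550) or 'catos'."""
    vlans = expand_vlan_list(allowed)
    findings: List[str] = []
    for v in CLEARED_VLANS:
        if v in vlans:
            findings.append(f"{port}: VLAN {v} must be cleared from the trunk")
    if NATIVE_VLAN not in vlans:
        findings.append(f"{port}: native VLAN {NATIVE_VLAN} is not in the allowed list")
    if platform == "ios" and not IOS_DEFAULT_VLANS <= vlans:
        missing = compress_vlan_list(IOS_DEFAULT_VLANS - vlans)
        findings.append(f"{port}: Catalyst 3550 trunk must keep VLANs {missing} allowed")
    return findings


def audit(trunks: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Audit {switch: {port: allowed-list}}; the platform is looked up from the switch name."""
    report: Dict[str, List[str]] = {}
    for switch, ports in trunks.items():
        platform = "catos" if switch in CATOS_SWITCHES else "ios"
        report[switch] = []
        for port, allowed in ports.items():
            report[switch].extend(check_trunk(port, allowed, platform))
    return report


# Constructed allowed lists: Switch-C Fa0/1 as configured in Example A-41 and Fa0/2 without
# the 1002-1005 range, Switch-B 2/1 as in Example A-42 and 2/2 with the native VLAN omitted,
# and Switch-F still at the CatOS default of everything allowed.
SAMPLE_TRUNKS = {
    "Switch-C": {"Fa0/1": "1,10,200-202,1002-1005", "Fa0/2": "1,10,200-202"},
    "Switch-B": {"2/1": "1,10,200-202", "2/2": "1,200-202"},
    "Switch-F": {"2/1": "1-1005,1025-4094"},
}

if __name__ == "__main__":
    for switch, findings in audit(SAMPLE_TRUNKS).items():
        print(switch, findings or ["OK"])
```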

Inter-VLAN Routing Configuration Solution

Step 1.

Configure the connection to Router-A as an 802.1Q trunk, ensuring that Switch-A is configured with the appropriate DTP mode of operation that is compatible with Router-A.

You need to configure port 2/48 on Switch-B as an 802.1Q trunk with a trunking mode of nonegotiate because Cisco routers do not support DTP. Also ensure you configure VLAN 10 as the native VLAN, as required by this lab for all trunks. Example A-43 shows the required configuration on Switch-B.

Example A-43. Configuring Trunking on Switch-B
Switch-B> (enable) set vlan 10 2/48
VLAN 10 modified.
VLAN 1 modified.
VLAN  Mod/Ports
---- -----------------------
10    1/1-2
      2/1-2,2/48
      15/1
Switch-B> (enable) set trunk 2/48 nonegotiate dot1q
Port(s)  2/48 trunk mode set to nonegotiate.
Port(s)  2/48 trunk type set to dot1q.

Step 2.

Configure Router-A for inter-VLAN routing. Router-A should use an IP address of 192.168.x.1 on each VLAN, where x represents the VLAN ID. For example, on VLAN 10, Router-A should be configured with an IP address of 192.168.10.1. Also, configure an interface that represents a restricted network attached to Router-A (see Figure 11-1).

Router-A is currently unconfigured and must be configured with a host name and Telnet/enable passwords. Router-A also must be configured with an 802.1Q trunk to Switch-B, and the appropriate inter-VLAN routing configuration as described in the preceding paragraph is required. Example A-44 shows the required configuration on Router-A.

Example A-44. Configuring Router-A
Router> enable
Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# hostname Router-A
Router-A(config)# enable secret cisco
Router-A(config)# line vty 0 4
Router-A(config-line)# password cisco
Router-A(config-line)# exit
Router-A(config)# interface FastEthernet0/0
Router-A(config-if)# no shutdown
Router-A(config-if)# exit
Router-A(config)# interface FastEthernet0/0.10
Router-A(config-if)# encapsulation dot1q 10 native
Router-A(config-if)# ip address 192.168.10.1 255.255.255.0
Router-A(config-if)# exit
Router-A(config)# interface FastEthernet0/0.100
Router-A(config-if)# encapsulation dot1q 100
Router-A(config-if)# ip address 192.168.100.1 255.255.255.0
Router-A(config-if)# exit
Router-A(config)# interface FastEthernet0/0.101
Router-A(config-if)# encapsulation dot1q 101
Router-A(config-if)# ip address 192.168.101.1 255.255.255.0
Router-A(config-if)# exit
Router-A(config)# interface FastEthernet0/0.200
Router-A(config-if)# encapsulation dot1q 200
Router-A(config-if)# ip address 192.168.200.1 255.255.255.0
Router-A(config-if)# exit
Router-A(config)# interface FastEthernet0/0.201
Router-A(config-if)# encapsulation dot1q 201
Router-A(config-if)# ip address 192.168.201.1 255.255.255.0
Router-A(config-if)# exit
Router-A(config)# interface FastEthernet0/0.202
Router-A(config-if)# encapsulation dot1q 202
Router-A(config-if)# ip address 192.168.202.1 255.255.255.0
Router-A(config-if)# exit
Router-A(config)# interface loopback0
Router-A(config-if)# ip address 10.0.0.1 255.0.0.0

Notice that a loopback interface is created to represent the restricted 10.0.0.0/8 network.

Step 3.

Configure all switches in the network with the management IP addressing as indicated in Figure 11-1. Ensure that all switches can ping any device in the network.

For this task, you need to configure the management interface on each switch within VLAN 10 and also ensure that you configure a default gateway of 192.168.10.1 (Router-A) to ensure you can communicate with all devices in the network. Example A-45 to Example A-47 demonstrate the required configuration on Switch-A (Cisco IOS, Catalyst 6509), Switch-C (Cisco IOS, Catalyst 3550), and Switch-B (CatOS).

Example A-45. Configuring IP Management on Switch-A
Switch-A# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch-A(config)# interface VLAN 10
Switch-A(config-if)# no shutdown
Switch-A(config-if)# ip address 192.168.10.2 255.255.255.0
Switch-A(config-if)# exit
Switch-A(config)# ip route 0.0.0.0 0.0.0.0 192.168.10.1

Example A-46. Configuring IP Management on Switch-C
Switch-C# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch-C(config)# interface VLAN 10
Switch-C(config-if)# no shutdown
Switch-C(config-if)# ip address 192.168.10.9 255.255.255.0
Switch-C(config-if)# exit
Switch-C(config)# ip default-gateway 192.168.10.1

Example A-47. Configuring IP Management on Switch-B
Switch-B> (enable) set interface sc0 10 192.168.10.3 255.255.255.0
Interface sc0 vlan set, IP address and netmask set.
Switch-B> (enable) set ip route default 192.168.10.1
Route added.

Notice that on Switch-A you use the ip route configuration command to configure the default gateway, while on Switch-C you use the ip default-gateway command. Native IOS Catalyst 6500 switches operate as a Layer 3 router by default, meaning IP routing is enabled and routes must be used. On the other hand, the Catalyst 3550 operates as a Layer 2 switch by default, which means you cannot configure routes on Switch-C (or on Switch-D and Switch-E); you configure only a default gateway.

Once your configurations are complete, verify IP connectivity with all devices using the ping utility.

Management and Security Configuration Solution

Step 1.

Configure Simple Network Management Protocol (SNMP) on all switches. Configure a read-only string of "cisco" and enable traps for all events to be sent to an SNMP host at 192.168.100.50.

Example A-48 and Example A-49 demonstrate the required configurations on Switch-B (CatOS) and Switch-C (Cisco IOS).

Example A-48. Configuring SNMP on Switch-B
Switch-B> (enable) set snmp community read-only cisco
SNMP read-only community string set to 'cisco'.
Switch-B> (enable) set snmp trap enable all
All SNMP traps enabled.
Switch-B> (enable) set snmp trap 192.168.100.50 cisco
SNMP trap receiver added.
Switch-B> (enable) set snmp enable
SNMP enabled.

Example A-49. Configuring SNMP on Switch-C
Switch-C# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch-C(config)# snmp-server community cisco ro
Switch-C(config)# snmp-server enable traps
Switch-C(config)# snmp-server host 192.168.100.50 traps cisco
Switch-C(config)# end

Step 2.

Restrict Telnet access on all switches to only hosts that reside in VLAN 100. Also, restrict SNMP access to the SNMP host at 192.168.100.50.

VLAN 100 corresponds to the 192.168.100.0/24 subnet; because access can be restricted only based upon IP addressing, not VLAN membership, you permit that subnet. Example A-50 and Example A-51 demonstrate the required configurations on Switch-B (CatOS) and Switch-C (Cisco IOS).

Example A-50. Restricting Telnet and SNMP Access on Switch-B
Switch-B> (enable) set ip permit 192.168.100.0 255.255.255.0 telnet
192.168.100.0 with mask 255.255.255.0 added to Telnet permit list.
Switch-B> (enable) set ip permit 192.168.100.50 snmp
192.168.100.50 added to Snmp permit list.
Switch-B> (enable) set ip permit enable
Telnet, Snmp and Ssh permit list enabled

Example A-51. Restricting Telnet and SNMP Access on Switch-C
Switch-C# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch-C(config)# access-list 1 permit 192.168.100.0 0.0.0.255
Switch-C(config)# line vty 0 15
Switch-C(config-line)# access-class 1 in
Switch-C(config-line)# exit
Switch-C(config)# access-list 2 permit host 192.168.100.50
Switch-C(config)# snmp-server community cisco RO 2

Step 3.

A Network Time Protocol (NTP) server is available on the network. Configure all switches so that each has consistent clock settings as follows:

  • NTP server has an IP address of 192.168.100.50.

  • Clock zone is Eastern Standard Time (GMT -5 hours).

Example A-52 and Example A-53 demonstrate the required configurations on Switch-B (CatOS) and Switch-C (Cisco IOS).

Example A-52. Configuring NTP on Switch-B
 Switch-B> (enable) set timezone EST -5
 Timezone set to 'EST', offset from UTC is -5 hours
 Switch-B> (enable) set ntp client enable
 NTP Client mode enabled.
 Switch-B> (enable) set ntp server 192.168.100.50
 NTP server 192.168.100.50 added

Example A-53. Configuring NTP on Switch-C
 Switch-C# configure terminal
 Enter configuration commands, one per line.  End with CNTL/Z.
 Switch-C(config)# clock timezone EST -5
 Switch-C(config)# ntp server 192.168.100.50
 Switch-C(config)# end

Once you have completed your configurations, verify that each switch has synchronized with the NTP server and has the correct time using the show time command (CatOS) and the show clock and show ntp status commands (Cisco IOS). On CatOS, NTP client mode must be enabled with set ntp client enable; configuring a server alone does not cause the switch to synchronize.

Step 4.

To ensure that only IP phones are communicating from VLAN 202, configure the network so that only the communications required to support the IP phones are permitted. All other traffic must be discarded, and you must ensure that unauthorized traffic is discarded as soon as possible. The following lists the protocols that must be permitted from the perspective of communications originating from the IP phones:

  • Skinny Call Control Protocol (SCCP) TCP traffic sent to a destination port of 2000

  • Voice traffic User Datagram Protocol (UDP) traffic with source and destination ports in the range of 16384–32767

  • HTTP traffic TCP traffic sent to a destination port of 80

  • Trivial File Transfer Protocol (TFTP) traffic UDP traffic sent to a destination port of 69

  • Dynamic Host Configuration Protocol (DHCP) traffic UDP traffic using a source port of 67 and destination port of 68

  • Internet Control Message Protocol (ICMP) traffic (for diagnostic purposes) ICMP echo and echo replies

For this task you are required to restrict traffic sent from VLAN 202. You must also ensure that unauthorized traffic is dropped as early as possible upon entry to the network. Because IP phones in VLAN 202 are connected only to Switch-E, to ensure unauthorized traffic sent from this VLAN is dropped immediately you must configure security access control lists (ACLs) on Switch-E to permit only authorized voice traffic and drop any unauthorized traffic. On the Catalyst 3550, you can apply security ACLs on a per-interface basis or on a per-VLAN basis (using VLAN access control lists or VACLs). The requirements clearly state that traffic within VLAN 202 should be restricted; hence, the most efficient configuration is to configure security ACLs on a per-VLAN basis using VACLs.

Example A-54 shows the configuration required on Switch-E.

Example A-54. Configuring Security ACLs on Switch-E
 Switch-E# configure terminal
 Enter configuration commands, one per line.  End with CNTL/Z.
 Switch-E(config)# access-list 100 permit tcp any any eq 2000
 Switch-E(config)# access-list 100 permit tcp any eq 2000 any
 Switch-E(config)# access-list 100 permit udp any range 16384 32767 any range 16384 32767
 Switch-E(config)# access-list 100 permit tcp any any eq 80
 Switch-E(config)# access-list 100 permit tcp any eq 80 any
 Switch-E(config)# access-list 100 permit udp any eq 67 any eq 68
 Switch-E(config)# access-list 100 permit udp any eq 68 any eq 67
 Switch-E(config)# access-list 100 permit udp any any eq 69
 Switch-E(config)# access-list 100 permit udp any eq 69 any
 Switch-E(config)# access-list 100 permit icmp any any echo
 Switch-E(config)# access-list 100 permit icmp any any echo-reply
 Switch-E(config)# vlan access-map VLAN202 10
 Switch-E(config-access-map)# match ip address 100
 Switch-E(config-access-map)# action forward
 Switch-E(config-access-map)# exit
 Switch-E(config)# vlan filter VLAN202 vlan-list 202

In Example A-54, notice that two access control entries (ACEs) are configured for each type of traffic. For example, to permit HTTP traffic, any TCP traffic sent with a destination port of 80 is permitted, as well as any TCP traffic sent with a source port of 80. Because a VACL is applied to all traffic bridged within or routed into or out of the VLAN, regardless of direction, you must permit both the traffic sent from client to server and the replies sent from server to client. The access map has an implicit deny for IP packets that match none of the ACEs in ACL 100, so only the IP traffic defined in ACL 100 is forwarded in VLAN 202. Because the map contains only an IP match clause, non-IP frames such as ARP are not subject to it and continue to be forwarded, which the IP phones depend on.
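The following Python script is an added example, not part of the book's lab configuration. It models how the switch evaluates an IOS extended access list: wildcard masks, the eq and range port operators, ICMP message types, first-match ordering, and the implicit deny that ends every list. The entries are the Step 4 requirement list written out as ACL 100; the phone, CallManager, and PC addresses in the sample packets are constructed for illustration. Running it shows why each conversation needs an ACE for each direction: the phone's SCCP request to TCP port 2000 matches the first entry, but the server's reply (source port 2000) is matched only by the second entry and hits the implicit deny without it.

```python
"""Added example: evaluate IOS extended ACL entries the way a switch does.

Not part of the book's lab configuration. Models wildcard masks, the 'eq' and
'range' port operators, ICMP types, first-match ordering and the implicit
'deny any' at the end of the list. The ACEs below are the Step 4 requirement
list written out as ACL 100; sample packet addresses are constructed.
"""
from ipaddress import IPv4Address
from typing import List, NamedTuple, Optional, Tuple

ICMP_TYPES = {"echo": 8, "echo-reply": 0}


class Packet(NamedTuple):
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'do not care'."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(network)) & care


def _parse_addr(t: List[str], i: int) -> Tuple[Tuple[str, str], int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at t[i]."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def _parse_ports(t: List[str], i: int) -> Tuple[Optional[Tuple[int, int]], int]:
    """Consume an optional 'eq N' or 'range LO HI' operator; None = any port."""
    if i < len(t) and t[i] == "eq":
        return (int(t[i + 1]), int(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return None, i


def parse_ace(line: str) -> dict:
    """Parse 'permit|deny <proto> <src> [ports] <dst> [ports] [icmp-type]'."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = _parse_addr(t, 2)
    sports, i = _parse_ports(t, i) if proto != "icmp" else (None, i)
    dst, i = _parse_addr(t, i)
    dports, i = _parse_ports(t, i) if proto != "icmp" else (None, i)
    icmp_type = ICMP_TYPES[t[i]] if proto == "icmp" and i < len(t) else None
    return {"action": action, "proto": proto, "src": src, "sports": sports,
            "dst": dst, "dports": dports, "icmp_type": icmp_type}


def _in_range(rng: Optional[Tuple[int, int]], port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def ace_matches(ace: dict, pkt: Packet) -> bool:
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if not (wildcard_match(pkt.src, *ace["src"]) and wildcard_match(pkt.dst, *ace["dst"])):
        return False
    if ace["proto"] == "icmp":
        return ace["icmp_type"] is None or ace["icmp_type"] == pkt.icmp_type
    return _in_range(ace["sports"], pkt.sport) and _in_range(ace["dports"], pkt.dport)


def evaluate(acl: List[dict], pkt: Packet) -> str:
    """First matching ACE decides; a packet matching nothing hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


# ACL 100 from Step 4: one ACE per direction for each permitted conversation.
ACL_100 = [parse_ace(l) for l in [
    "permit tcp any any eq 2000",                               # SCCP phone -> CallManager
    "permit tcp any eq 2000 any",                               # SCCP replies
    "permit udp any range 16384 32767 any range 16384 32767",   # RTP voice
    "permit tcp any any eq 80", "permit tcp any eq 80 any",     # HTTP
    "permit udp any eq 67 any eq 68", "permit udp any eq 68 any eq 67",  # DHCP
    "permit udp any any eq 69", "permit udp any eq 69 any",     # TFTP
    "permit icmp any any echo", "permit icmp any any echo-reply",
]]

# Constructed sample traffic (addresses are illustrative, not from the lab).
PHONE, CALLMANAGER, ROGUE_PC = "192.168.202.10", "192.168.100.20", "192.168.202.50"
SCCP_REQUEST = Packet("tcp", PHONE, CALLMANAGER, 50000, 2000)
SCCP_REPLY = Packet("tcp", CALLMANAGER, PHONE, 2000, 50000)
ROGUE_SSH = Packet("tcp", ROGUE_PC, CALLMANAGER, 40000, 22)

if __name__ == "__main__":
    for name, pkt in [("SCCP request", SCCP_REQUEST), ("SCCP reply", SCCP_REPLY),
                      ("rogue SSH", ROGUE_SSH)]:
        print(f"{name:14} -> {evaluate(ACL_100, pkt)}")
    # With only the phone->server ACE present, the server's reply is denied.
    print("reply, first ACE only ->", evaluate(ACL_100[:1], SCCP_REPLY))
```

The same evaluator can be pointed at any IOS-style extended ACL, which makes it a convenient way to check a proposed VACL against a list of flows before committing it to a switch.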

Step 5.

Configure Switch-E to permit access only to a PC with a MAC address of 0010.0010.0010 on interface Fa0/24. No other devices should be permitted access to the interface. If another device attempts to use the interface, the interface should be shut down immediately.

This task requires port security to be configured, with a MAC address defined that is permitted to attach to interface Fa0/24. Example A-55 shows the configuration required on Switch-E.

Example A-55. Configuring Port Security on Switch-E
 Switch-E# configure terminal
 Enter configuration commands, one per line.  End with CNTL/Z.
 Switch-E(config)# interface FastEthernet 0/24
 Switch-E(config-if)# switchport port-security
 Switch-E(config-if)# switchport port-security maximum 1
 Switch-E(config-if)# switchport port-security mac-address 0010.0010.0010
 Switch-E(config-if)# switchport port-security violation shutdown
 Switch-E(config-if)# end
 Switch-E# show port-security interface FastEthernet 0/24
 Port Security              : Enabled
 Port status                : SecureUp
 Violation mode             : Shutdown
 Maximum MAC Addresses      : 1
 Total MAC Addresses        : 1
 Configured MAC Addresses   : 1
 Sticky MAC Addresses       : 0
 Aging time                 : 0 mins
 Aging type                 : Absolute
 SecureStatic address aging : Disabled
 Security Violation count   : 0

In Example A-55, notice that you must explicitly enable port security on a port by using the switchport port-security interface configuration command without any options at all. A common mistake is to configure this command with each of the required options but to forget to actually enable port security by configuring just the switchport port-security command. Port security can be enabled only on a port statically configured as an access port (switchport mode access); the command is rejected on a port in the default dynamic mode or on a trunk. The show port-security interface command is then used to verify the configuration. You can see that port security is enabled, the status of the port is currently up, a security violation causes the port to shut down, and the maximum number of MAC addresses permitted on the port is one. A violation in shutdown mode places the port in the error-disabled state; it stays down until you issue shutdown followed by no shutdown on the interface, or until errdisable recovery cause psecure-violation is configured and the recovery interval expires. The Security Violation count field can be used to track how many violations have occurred since the switch was last rebooted.
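The mistakes described in Step 2 and Step 5 (an SNMP community with no access list, vty lines with no access-class, and port-security options configured without enabling port security itself) produce no error on the CLI, so they are best caught by auditing the running configuration. The following Python script is an added example, not from the book. It parses an IOS-style configuration into global commands, interface blocks, and line blocks and reports each of those conditions, along with use of enable password in place of enable secret. The two configurations it checks are constructed for illustration: the first contains every mistake, the second is the corrected form.

```python
"""Added example: audit an IOS-style switch configuration for the Step 2 and
Step 5 mistakes. Not from the book; both configurations are constructed."""
import re
from typing import Dict, List

# Constructed: every check below should fire on this configuration.
WEAK_CONFIG = """
hostname Switch-E
enable password cisco
!
interface FastEthernet0/24
 switchport access vlan 200
 switchport port-security maximum 1
 switchport port-security mac-address 0010.0010.0010
 switchport port-security violation shutdown
!
snmp-server community cisco RO
snmp-server host 192.168.100.50 traps cisco
!
line vty 0 15
 password cisco
 login
"""

# Constructed: the corrected form of the same configuration.
HARDENED_CONFIG = """
hostname Switch-E
enable secret cisco
!
interface FastEthernet0/24
 switchport access vlan 200
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0010.0010.0010
 switchport port-security violation shutdown
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 2 permit host 192.168.100.50
snmp-server community cisco RO 2
snmp-server host 192.168.100.50 traps cisco
!
line vty 0 15
 access-class 1 in
 password cisco
 login
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Group indented sub-commands under their 'interface ...' or 'line ...'
    header; every other unindented command goes under 'global'."""
    sections: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t":                 # sub-command of the current block
            sections[current].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = line
            sections.setdefault(current, [])
        else:
            current = "global"
            sections["global"].append(line)
    return sections


def audit(config: str) -> List[str]:
    """Return one finding per hardening gap found in the configuration."""
    findings: List[str] = []
    sections = parse_sections(config)
    for cmd in sections["global"]:
        # 'snmp-server community <string> RO|RW' with no trailing ACL number/name
        m = re.match(r"snmp-server community (\S+) (ro|rw)(?: (\S+))?$", cmd, re.I)
        if m and not m.group(3):
            findings.append(f"SNMP community '{m.group(1)}' ({m.group(2).upper()}) "
                            "has no access list restricting its sources")
        if cmd.startswith("enable password "):
            findings.append("enable password used instead of enable secret")
    for name, body in sections.items():
        if name.startswith("line vty") and not any(
                c.startswith("access-class ") and c.endswith(" in") for c in body):
            findings.append(f"{name}: no inbound access-class restricting Telnet sources")
        if name.startswith("interface "):
            # Options present (note the trailing space) but the bare enabling command absent
            options = [c for c in body if c.startswith("switchport port-security ")]
            if options and "switchport port-security" not in body:
                findings.append(f"{name}: port-security options set but "
                                "'switchport port-security' itself is missing")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit(cfg)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print("  -", f)
```

Feed it the output of show running-config from each switch in turn; the hardened configuration should produce no findings.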

Step 6.

Configure the core of the network (Switch-A and Switch-B) to permit communications only between VLANs within the local switching infrastructure, ensuring local devices cannot communicate with the protected network (10.0.0.0/8). Configure these requirements using the least amount of configuration possible.

This task implements security that ensures the devices on the local LAN infrastructure cannot access the restricted network 10.0.0.0/8. To implement this on Switch-A and Switch-B, you can configure a single VACL and apply it to each VLAN. The access defined in the VACL is simple; it simply needs to permit IP communications from any subnet in the 192.168.x.x address space to any other subnet in the 192.168.x.x address space. This access can be defined in a single statement.

Before beginning this configuration, you should be able to ping the loopback interface on Router-A (10.0.0.1) from any switch in the network. After configuring VACLs, you should no longer be able to do this.

Example A-56 and Example A-57 demonstrate the configuration required on Switch-A and Switch-B.

Example A-56. Configuring VACLs on Switch-A
 Switch-A# configure terminal
 Enter configuration commands, one per line.  End with CNTL/Z.
 Switch-A(config)# access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 Switch-A(config)# vlan access-map INTERNAL 10
 Switch-A(config-access-map)# match ip address 100
 Switch-A(config-access-map)# action forward
 Switch-A(config-access-map)# exit
 Switch-A(config)# vlan filter INTERNAL vlan-list 1,10,100,101,200-202

Example A-57. Configuring VACLs on Switch-B
 Switch-B> (enable) set security acl ip INTERNAL permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 INTERNAL editbuffer modified. Use 'commit' command to apply changes.
 Switch-B> (enable) commit security acl all
 Commit operation in progress.
 ACL 'INTERNAL' successfully committed.
 Switch-B> (enable) set security acl map INTERNAL 1,10,100,101,200-202
 Mapping in progress...
 ACL INTERNAL successfully mapped to VLAN 1.
 ACL INTERNAL successfully mapped to VLAN 10.
 ACL INTERNAL successfully mapped to VLAN 100.
 ACL INTERNAL successfully mapped to VLAN 101.
 ACL INTERNAL successfully mapped to VLAN 200.
 ACL INTERNAL successfully mapped to VLAN 201.
 ACL INTERNAL successfully mapped to VLAN 202.

Once you have configured, committed, and mapped the VACL, on any switch in the network you should be able to ping any other switch, but you should find that you can no longer ping the loopback interface on Router-A.

Quality of Service Configuration Solution

Step 1.

Ensure that all traffic generated by all end devices attached to Switch-E is classified as follows upon entry to the network:

  • All voice traffic should be marked with a Differentiated Services Code Point (DSCP) of 46. Voice control traffic (SCCP) should be marked with a DSCP value of 26.

  • All SQL server traffic (TCP traffic sent to a destination port of 1433) should be marked with a DSCP of 24.

  • All other traffic is marked with a DSCP of 8.

The task requires any traffic received from end devices (interfaces Fa0/3–24) to be classified and marked as indicated in the preceding list. Example A-58 shows the quality of service (QoS) configuration required on Switch-E.

Example A-58. Configuring QoS Classification and Marking on Switch-E
 Switch-E# configure terminal
 Enter configuration commands, one per line.  End with CNTL/Z.
 Switch-E(config)# mls qos
 Switch-E(config)# ip access-list extended VOICE
 Switch-E(config-ext-nacl)# permit udp any range 16384 32767 any range 16384 32767
 Switch-E(config-ext-nacl)# exit
 Switch-E(config)# ip access-list extended VOICE-CONTROL
 Switch-E(config-ext-nacl)# permit tcp any any eq 2000
 Switch-E(config-ext-nacl)# exit
 Switch-E(config)# ip access-list extended SQL
 Switch-E(config-ext-nacl)# permit tcp any any eq 1433
 Switch-E(config-ext-nacl)# exit
 Switch-E(config)# class-map match-all VOICE
 Switch-E(config-cmap)# match access-group name VOICE
 Switch-E(config-cmap)# exit
 Switch-E(config)# class-map match-all VOICE-CONTROL
 Switch-E(config-cmap)# match access-group name VOICE-CONTROL
 Switch-E(config-cmap)# exit
 Switch-E(config)# class-map match-all SQL
 Switch-E(config-cmap)# match access-group name SQL
 Switch-E(config-cmap)# exit
 Switch-E(config)# policy-map QOS
 Switch-E(config-pmap)# class VOICE
 Switch-E(config-pmap-c)# set ip dscp 46
 Switch-E(config-pmap-c)# exit
 Switch-E(config-pmap)# class VOICE-CONTROL
 Switch-E(config-pmap-c)# set ip dscp 26
 Switch-E(config-pmap-c)# exit
 Switch-E(config-pmap)# class SQL
 Switch-E(config-pmap-c)# set ip dscp 24
 Switch-E(config-pmap-c)# exit
 Switch-E(config-pmap)# class class-default
 Switch-E(config-pmap-c)# set ip dscp 8
 Switch-E(config-pmap-c)# exit
 Switch-E(config-pmap)# exit
 Switch-E(config)# interface range FastEthernet 0/3 - 24
 Switch-E(config-if-range)# service-policy input QOS

In Example A-58, ACLs are first created to define each type of traffic. Each ACL is then referenced in a class map (because the ACLs are named rather than numbered, the match access-group name form is used), and each class map is placed in a policy map. The policy map configures how the DSCP should be set for each class, with class-default catching everything that matches none of the other classes.

Step 2.

Configure Switch-E so that IP phones connected to interfaces Fa0/3–Fa0/12 transmit voice in VLAN 202 and data from any attached PCs in VLAN 200. Also ensure that any data received from PCs connected to an IP phone has a class of service (CoS) of three.

For this task you must configure the voice VLAN ID (VVID) on ports connected to IP phones. The VVID is passed to Cisco IP phones from the Catalyst 3550 switch in Cisco Discovery Protocol (CDP) messages. The Cisco IP phone tags voice traffic with the VVID, while data from a locally attached PC is not tagged. Consequently, all data from PCs is sent in VLAN 200, as configured earlier. You can also pass the CoS value to apply to data devices attached to each phone, which enables you to specify a CoS of three for non-voice traffic. Example A-59 shows the required configuration.

Example A-59. Configuring Voice on Switch-E
 Switch-E# configure terminal
 Enter configuration commands, one per line.  End with CNTL/Z.
 Switch-E(config)# interface range FastEthernet 0/3 - 12
 Switch-E(config-if-range)# switchport voice vlan 202
 Switch-E(config-if-range)# switchport priority extend cos 3

Step 3.

Web servers are attached to Switch-A and Switch-B. On the client side of HTTP connections, limit HTTP traffic to 1 Mbps per device (devices connected to Switch-E are considered client side). On the server side, limit HTTP traffic to 1 Mbps per connection (devices connected to Switch-A and Switch-B are considered server side).

As identified in the task, all client-side devices are attached to Switch-E. To configure policing, you need to modify the policy map that was configured in Example A-58. Example A-60 shows the required configuration on Switch-E.

Example A-60. Configuring Rate Limiting on Switch-E
 Switch-E# configure terminal
 Enter configuration commands, one per line.  End with CNTL/Z.
 Switch-E(config)# ip access-list extended HTTP
 Switch-E(config-ext-nacl)# permit tcp any any eq 80
 Switch-E(config-ext-nacl)# exit
 Switch-E(config)# class-map match-all HTTP
 Switch-E(config-cmap)# match access-group name HTTP
 Switch-E(config-cmap)# exit
 Switch-E(config)# policy-map QOS
 Switch-E(config-pmap)# class HTTP
 Switch-E(config-pmap-c)# police 1000000 187500 exceed-action drop

In Example A-60, you must create a new extended ACL that classifies HTTP traffic. Next, you create a new class in the existing policy map QOS, which is already applied inbound to interfaces Fa0/3–24, specifying a rate of 1 Mbps, a burst size of 187,500 bytes, and an action of drop for traffic exceeding the configured parameters. The burst size of 187,500 bytes is calculated by using Cisco's recommended calculation for burst bytes:

Burst (bytes) = CIR (bps) × 1.5 s / 8 = 1,500,000 / 8 = 187,500

Because the QOS policy map is already applied to each interface, you don't need to reapply the policy map to each interface.
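The burst calculation above describes a single-rate token bucket: tokens accumulate at the CIR up to a depth of Bc bytes, a packet conforms when the bucket holds at least its size, and with exceed-action drop anything else is discarded. The following Python simulation is an added example, not from the book, and a simplified model rather than the Catalyst 3550 hardware policer (which rounds rates and bursts to its own granularity). Arrivals are constructed as (time in microseconds, size in bytes). With a CIR of 1 Mbps and Bc of 187,500 bytes, an instantaneous burst of 1500-byte frames gets exactly 125 frames through, a stream at exactly 1 Mbps conforms entirely, and a 2 Mbps stream drains the bucket and then loses every second frame, which is the 1 Mbps ceiling the task asks for.

```python
"""Added example: single-rate token-bucket policer, the model behind the burst
calculation in Step 3. Not from the book and a simplified model, not the
Catalyst 3550 hardware policer. Integer arithmetic keeps the results exact."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple


def recommended_burst_bytes(cir_bps: int) -> int:
    """Burst (bytes) = CIR (bps) * 1.5 s / 8, the rule quoted in Step 3."""
    return int(cir_bps * 1.5 / 8)


@dataclass
class Policer:
    cir_bps: int            # committed information rate, bits per second
    burst_bytes: int        # bucket depth Bc, bytes

    def __post_init__(self) -> None:
        self.depth_bits = self.burst_bytes * 8
        self.tokens = self.depth_bits       # bucket starts full
        self.last_us = 0

    def offer(self, now_us: int, size_bytes: int) -> str:
        """Refill for the elapsed time, then conform or exceed (drop)."""
        refill = (now_us - self.last_us) * self.cir_bps // 1_000_000
        self.tokens = min(self.depth_bits, self.tokens + refill)
        self.last_us = now_us
        bits = size_bytes * 8
        if bits <= self.tokens:
            self.tokens -= bits
            return "conform"
        return "exceed"                     # exceed-action drop: no tokens consumed


def police_stream(policer: Policer, arrivals: Iterable[Tuple[int, int]]) -> Tuple[int, int]:
    """Return (conforming, exceeding) packet counts for a sequence of arrivals."""
    results = [policer.offer(t, size) for t, size in arrivals]
    return results.count("conform"), results.count("exceed")


def constant_stream(count: int, interval_us: int, size_bytes: int) -> List[Tuple[int, int]]:
    """count packets of size_bytes, one every interval_us (0 = all at once)."""
    return [(i * interval_us, size_bytes) for i in range(count)]


if __name__ == "__main__":
    cir, bc = 1_000_000, recommended_burst_bytes(1_000_000)   # 1 Mbps, 187,500 bytes
    print("Bc =", bc, "bytes")
    # Instantaneous burst of 1500-byte frames: only Bc / 1500 = 125 get through.
    print("burst of 130 at t=0:", police_stream(Policer(cir, bc), constant_stream(130, 0, 1500)))
    # Exactly 1 Mbps (1500 bytes every 12 ms) conforms indefinitely.
    print("1 Mbps sustained:   ", police_stream(Policer(cir, bc), constant_stream(1000, 12_000, 1500)))
    # 2 Mbps (1500 bytes every 6 ms): the bucket drains, then every second frame is dropped.
    print("2 Mbps sustained:   ", police_stream(Policer(cir, bc), constant_stream(1000, 6_000, 1500)))
```

Changing the burst argument shows the trade-off the formula encodes: a smaller Bc drops more of a legitimate short burst, a larger Bc lets more than the CIR through over a short window.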

On the server side, you must rate limit on Switch-A and Switch-B for ports 2/3–47, which attach to servers. With a Catalyst 6000/6500 PFC, you can police individual connections or flows (known as microflow policing) as required for this task. Example A-61 shows the required configuration on Switch-A.

Example A-61. Configuring Rate Limiting on Switch-A
 Switch-A# configure terminal
 Enter configuration commands, one per line.  End with CNTL/Z.
 Switch-A(config)# mls qos
 Switch-A(config)# ip access-list extended HTTP
 Switch-A(config-ext-nacl)# permit tcp any eq www any
 Switch-A(config-ext-nacl)# exit
 Switch-A(config)# class-map match-all HTTP
 Switch-A(config-cmap)# match access-group name HTTP
 Switch-A(config-cmap)# exit
 Switch-A(config)# policy-map QOS
 Switch-A(config-pmap)# class HTTP
 Switch-A(config-pmap-c)# police flow 1000000 187500 conform-action set-dscp-transmit 24 exceed-action drop
 Switch-A(config-pmap-c)# exit
 Switch-A(config-pmap)# exit
 Switch-A(config)# interface range FastEthernet 2/3 - 47
 Switch-A(config-if-range)# mls qos vlan-based
 Switch-A(config-if-range)# exit
 Switch-A(config)# interface vlan 100
 Switch-A(config-if)# mls qos bridged
 Switch-A(config-if)# service-policy input QOS
 Switch-A(config-if)# exit
 Switch-A(config)# interface vlan 101
 Switch-A(config-if)# mls qos bridged
 Switch-A(config-if)# service-policy input QOS
 Switch-A(config-if)# exit

In Example A-61, QoS must first be enabled on Switch-A. Classification of HTTP traffic sent from locally attached Web servers is then configured, after which microflow policing for that traffic is configured in a policy map called QOS. Because the policing must cover every Web server, QoS is applied on a per-VLAN basis rather than on the default per-port basis: the mls qos vlan-based interface configuration command is required on each server port, after which VLAN 100 and VLAN 101 are configured using the interface vlan global configuration command. Notice that the mls qos bridged interface configuration command is applied to each VLAN, which enables microflow policing for Layer 2 switched traffic. The QOS policy map is then applied to all traffic received in each VLAN.

Example A-62 shows the required configuration on Switch-B.

Example A-62. Configuring Rate Limiting on Switch-B
 Switch-B> (enable) set qos enable
 QoS is enabled.
 Switch-B> (enable) set qos bridged-microflow-policing enable 100-101
 QoS microflow policing is enabled for bridged packets on vlans 100-101
 Switch-B> (enable) set qos policer microflow HTTP rate 1000 burst 1500 drop
 QoS policer for microflow HTTP created successfully.
 Rate is set to 992 and burst is set to 1472 in hardware due to hardware granularity.
 Switch-B> (enable) set qos acl ip QOS dscp 24 microflow HTTP tcp any eq 80 any
 QOS editbuffer modified. Use 'commit' command to apply changes.
 Switch-B> (enable) commit qos acl all
 QoS ACL 'QOS' successfully committed.
 Switch-B> (enable) set port qos 2/3-47 vlan-based
 Hardware programming in progress...
 QoS interface is set to vlan-based for ports 2/3-47.
 Switch-B> (enable) set qos acl map QOS 100
 Hardware programming in progress...
 ACL QOS is attached to vlan 100.
 Switch-B> (enable) set qos acl map QOS 101
 Hardware programming in progress...
 ACL QOS is attached to vlan 101.

In Example A-62, QoS is first enabled on Switch-B, after which microflow policing is enabled for Layer 2 switched traffic. A microflow policer called HTTP is next created. The rate is specified in kbps; hence, a value of 1000 is configured to reflect 1 Mbps. Similarly, the burst value is configured in kilobits (Kb); to match the 187,500 bytes configured on Switch-E, a value of 1500 (1500 kilobits) is configured. Any traffic that exceeds the rate is dropped. Next, a QoS ACL called QOS is created, which classifies HTTP traffic sent from Web servers, applies the HTTP microflow policer, and also marks the DSCP as 24. VLAN-based QoS ACL mapping is then enabled, which allows the QoS policy to be applied to all ports within VLANs 100 and 101.

Step 4.

Configure the network so that the QoS policy configured at the edge is honored throughout the network. Ensure that all voice packets marked with a DSCP of 46 are placed into a priority queue for transmission where possible (assume that the Ethernet modules on Switch-A are WS-X6148-RJ45 with a transmit port type of 2q2t). Trust the IP precedence traffic markings received from Router-A.

For this task, you must configure each switch to honor the QoS marking (DSCP) that has been applied at the edge of the network. This task involves configuring each ISL or trunk to trust the QoS markings of received frames and then to queue traffic on egress ports based upon those markings, which means QoS must be enabled on all switches.

Switch-A and Switch-B must trust the markings of frames received on the gigabit uplinks (ports 1/1 and 1/2) and on ports 2/1 and 2/2, and Switch-B must also trust the IP precedence of packets received on port 2/48 (attached to Router-A). Switch-C and Switch-D must trust markings of frames received on interfaces Fa0/1–Fa0/6, with the link to Switch-F configured to trust CoS rather than DSCP because Switch-F does not support DSCP marking. Switch-E must trust markings of frames received on interfaces Fa0/1 and Fa0/2, while Switch-F must trust markings of frames received on ports 2/1 and 2/2. Switch-F automatically trusts the CoS of any tagged frames received (this is not configurable) because it is a Catalyst 2900 series switch.

Example A-63 demonstrates the configuration required on Switch-C (Cisco IOS) to ensure the DSCP of frames received on interswitch trunks is trusted.

Example A-63. Configuring QoS Trust on Switch-C
 Switch-C# configure terminal
 Enter configuration commands, one per line.  End with CNTL/Z.
 Switch-C(config)# mls qos
 Switch-C(config)# interface range FastEthernet 0/1 - 5
 Switch-C(config-if-range)# mls qos trust dscp
 Switch-C(config-if-range)# exit
 Switch-C(config)# interface FastEthernet 0/6
 Switch-C(config-if)# mls qos trust cos

In Example A-63, notice that you must enable QoS explicitly on Switch-C. Also notice that Switch-C is configured to trust the DSCP of received frames on interfaces Fa0/1–5, but to trust the CoS of received frames on interface Fa0/6. Interface Fa0/6 is connected to Switch-F (Catalyst 2948G), which does not possess any enhanced QoS intelligence and works only with CoS.

Example A-64 demonstrates the configuration required on Switch-B (CatOS) to ensure the DSCP of frames received on interswitch trunks is trusted, as well as the IP precedence of packets received from Router-A.

Example A-64. Configuring QoS Trust on Switch-B
 Switch-B> (enable) set port qos 1/1 trust trust-dscp
 Port 1/1 qos set to trust-dscp
 Switch-B> (enable) set port qos 1/2 trust trust-dscp
 Port 1/2 qos set to trust-dscp
 Switch-B> (enable) set port qos 2/1 trust trust-dscp
 Port 2/1 qos set to trust-dscp
 Switch-B> (enable) set port qos 2/2 trust trust-dscp
 Port 2/2 qos set to trust-dscp
 Switch-B> (enable) set port qos 2/48 trust trust-ipprec
 Port 2/48 qos set to trust-ipprec

Now that port trust has been configured, you must configure queuing. When a frame is queued for transmission, each switch by default queues frames according to the CoS value of the frame. On all switches except for Switch-F, the CoS value is determined by the internal DSCP assigned to a frame, using a DSCP-to-CoS map. By default, the DSCP value of 46 is mapped to a CoS of 5.

On Switch-A and Switch-B (Catalyst 6509 switches with PFC2), the gigabit uplinks on the Supervisor 2 engines have a transmit port type of 1p2q2t, which represents one strict-priority queue, one high-priority queue, and one standard queue, with two discard thresholds per queue. By default, traffic with a CoS of 5 (that is, voice in this scenario) is assigned to the strict-priority queue, so no configuration is required on the gigabit uplinks. For the Ethernet ports (tx port type 2q2t), one high-priority queue and one standard queue exist. By default, traffic with a CoS of 5 is assigned to the high-priority queue, so again no configuration is required on Switch-A and Switch-B.

On Switch-C, Switch-D, and Switch-E (Catalyst 3550 switches), all ports have four egress queues that are serviced in weighted round robin fashion by default. On the Catalyst 3550, you can change queue 4 into a strict-priority queue, which is required for voice traffic in this scenario. By default, only frames with a CoS of 6 and 7 are placed into queue 4, so you must alter the CoS-to-queue map on each interface to ensure that traffic with a CoS of 5 is placed into the priority queue. Example A-65 shows the configuration required on Switch-C to ensure queuing is configured appropriately for this scenario.

Example A-65. Configuring Queuing on Switch-C
 Switch-C# configure terminal
 Enter configuration commands, one per line.  End with CNTL/Z.
 Switch-C(config)# interface range FastEthernet 0/1 - 6
 Switch-C(config-if-range)# wrr-queue cos-map 4 5 6 7
 Switch-C(config-if-range)# priority-queue out
 Switch-C(config-if-range)# exit
 Switch-C(config)# exit
 Switch-C# show mls qos interface FastEthernet 0/1 queueing
 FastEthernet0/1
 Egress expedite queue: ena
 wrr bandwidth weights:
 qid-weights
  1 - 25
  2 - 25
  3 - 25
  4 - 25    when expedite queue is disabled
 Cos-queue map:
 cos-qid
  0 - 1
  1 - 1
  2 - 2
  3 - 2
  4 - 3
  5 - 4
  6 - 4
  7 - 4

In Example A-65, the CoS-to-queue map for each interswitch trunk is modified so that frames with a CoS of 5, 6, and 7 are placed into queue 4. Strict priority queuing is then enabled for queue 4 by configuring the priority-queue out interface configuration command. Notice in the output of the show mls qos interface command that the egress expedite queue (strict priority queue) is enabled and that frames with a CoS of 5 are placed into queue ID #4.

Finally, on all ports of Switch-F (Catalyst 2948G) two queues are supported (one high priority and one low priority). By default, all frames are placed into the low priority queue, so you must modify this behavior to ensure frames with a CoS of 5 are placed into the high-priority queue. Example A-66 shows the configuration required on Switch-F to enable the high-priority queue for queuing of egress traffic.

Example A-66. Configuring Queuing on Switch-F
 Switch-F> (enable) set qos enable
 QoS is enabled.
 Switch-F> (enable) set qos defaultcos 3
 qos defaultcos set to 3
 Switch-F> (enable) set qos map 2q1t 1 1 cos 0-4
 Qos tx priority queue and threshold mapped to cos successfully.
 Switch-F> (enable) set qos map 2q1t 2 1 cos 5-7
 Qos tx priority queue and threshold mapped to cos successfully.

In Example A-66, QoS is enabled on Switch-F, and then the default CoS assigned to any untagged frames received by the switch is set to 3. Next, frames with a CoS of 0–4 are mapped to queue 1, threshold 1 on all ports with 2q1t capabilities (two queues, one threshold per queue), while frames with a CoS of 5–7 are mapped to queue 2, threshold 1, ensuring priority queuing for voice traffic.




CCNP Practical Studies: Switching (CCNP Self-Study). Justin Menga, 2002. ISBN 1587200600.