Multilayer Configuration Solution


This appendix provides step-by-step solutions for each configuration task required for Part II of Chapter 11, "Comprehensive Switching Self-Study Lab," which continues on from the Part I solution in Appendix A. Each configuration task is listed, followed by the solution for each task. At the end of this appendix, the complete configurations for each network device relevant to Part II of the lab are provided.

Core Layer Configuration Solution

Step 1.

To avoid any IP addressing conflicts with Router-A while you convert the network, disconnect Router-A from Switch-B.

There is no configuration required to complete this task.

Step 2.

The new multilayer topology has split the Layer 2 domain into smaller pieces. Ensure that Switch-A and Switch-B are configured appropriately to ensure the VTP, VLAN, and spanning-tree parameters configured in the first lab are maintained in the new core Layer 2 domain formed.

In Figure 11-2, notice that all connections to Switch-A and Switch-B from Switch-C and Switch-D are now routed connections, which means that Switch-A and Switch-B are essentially in a new Layer 2 domain and, therefore, you must ensure that VLAN Trunking Protocol (VTP), VLANs, trunks, and Spanning Tree Protocol (STP) are configured appropriately for the new Layer 2 domain. In terms of VTP, because Switch-A and Switch-B are in the ciscolab VTP domain and Switch-A is configured as a VTP server, no modification to the VTP configuration is required. In terms of VLANs, VLANs 200, 201, and 202 are no longer required because these VLANs are present only at the edge of the network, which is now separated by a Layer 3 routing domain. In terms of spanning tree, Switch-A and Switch-B are configured as the root/secondary root bridges for odd and even VLANs already, so no configuration of root bridges is required. However, the network diameter has reduced to 2 switch hops, so you can further reduce spanning-tree timers.

Example B-1 and Example B-2 show the VLAN and spanning-tree configuration required on Switch-A and Switch-B for the new Layer 2 domain.

Example B-1. Switch-A Layer 2 Configuration
    Switch-A# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch-A(config)# no vlan 200
    Switch-A(config)# no vlan 201
    Switch-A(config)# no vlan 202
    Switch-A(config)# spanning-tree vlan 10 root primary diameter 2
    % This switch is already the root bridge of the VLAN0010 spanning tree
     vlan 10 bridge priority unchanged at 24576
     vlan 10 bridge max aging time set to 10
     vlan 10 bridge hello time unchanged at 2
     vlan 10 bridge forward delay set to 7
    Switch-A(config)# spanning-tree vlan 100 root primary diameter 2
    % This switch is already the root bridge of the VLAN0100 spanning tree
     vlan 100 bridge priority unchanged at 24576
     vlan 100 bridge max aging time set to 10
     vlan 100 bridge hello time unchanged at 2
     vlan 100 bridge forward delay set to 7
    Switch-A(config)# spanning-tree vlan 1 root secondary diameter 2
     vlan 1 bridge priority set to 28672
     vlan 1 bridge max aging time set to 10
     vlan 1 bridge hello time unchanged at 2
     vlan 1 bridge forward delay set to 7
    Switch-A(config)# spanning-tree vlan 101 root secondary diameter 2
     vlan 101 bridge priority set to 28672
     vlan 101 bridge max aging time set to 10
     vlan 101 bridge hello time unchanged at 2
     vlan 101 bridge forward delay set to 7

Example B-2. Switch-B Layer 2 Configuration
    Switch-B> (enable) set spantree root 1,101 dia 2
    VLANs 1,101 bridge priority set to 24576.
    VLANs 1,101 bridge max aging time set to 10.
    VLANs 1,101 bridge hello time set to 2.
    VLANs 1,101 bridge forward delay set to 7.
    Switch is now the root switch for active VLANs 1,101.
    Switch is already the root switch for active VLANs 1,101.
    Switch-B> (enable) set spantree root secondary 10,100 dia 2
    VLANs 10,100 bridge priority set to 28672.
    VLANs 10,100 bridge max aging time set to 10.
    VLANs 10,100 bridge hello time set to 2.
    VLANs 10,100 bridge forward delay set to 7.

In Example B-1, VLANs 200-202 are deleted because they are no longer required in the new Layer 2 domain. Notice that these are deleted only on Switch-A because Switch-A is the VTP server for the ciscolab domain. In Example B-1 and Example B-2, the spanning-tree root macros are used on both switches to generate new timers based upon a network diameter of 2.

Step 3.

Configure Switch-A and Switch-B as Layer 3 switches using the IP addressing indicated in Figure 11-2. Assume a 24-bit subnet mask for all subnets. Switch-B has a Multilayer Switch Feature Card (MSFC) installed that provides Layer 3 switching and is to be named "MSFC-B." Ensure that physical interfaces are configured as routed interfaces wherever possible, instead of using switch virtual interfaces (SVIs). If required, you are permitted to create new VLANs.

Switch-A (native IOS) is by default configured as a Layer 3 switch; therefore, no extra configuration is required to enable this function. The Inter-Switch Links (ISLs) to Switch-C and Switch-D are now routed links and, therefore, no longer require trunking. On Switch-A, the interfaces attached to Switch-C and Switch-D can be configured as routed interfaces because native IOS supports this configuration. Example B-3 shows the configuration required on Switch-A to configure the new routed interfaces.

Example B-3. Switch-A Layer 2 Configuration
    Switch-A# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch-A(config)# interface FastEthernet 2/1
    Switch-A(config-if)# no switchport
    Switch-A(config-if)# ip address 192.168.1.1 255.255.255.0
    Switch-A(config-if)# exit
    Switch-A(config)# interface FastEthernet 2/2
    Switch-A(config-if)# no switchport
    Switch-A(config-if)# ip address 192.168.2.1 255.255.255.0
    Switch-A(config-if)# exit

In Example B-3, the no switchport command configures interfaces Fa2/1 and Fa2/2 as routed interfaces. The appropriate IP addressing is assigned as per Figure 11-2 in Chapter 11.

On Switch-B (hybrid IOS), the MSFC-2 installed onboard the Supervisor 2 engine provides a routing component that must be configured separately from the switch operating system to enable Layer 3 switching. With hybrid IOS, to create a routed interface, you can configure only an SVI on the MSFC, which attaches to a VLAN. Consequently, a new VLAN must be created for each link to Switch-C and Switch-D so that the MSFC can communicate with Switch-C and Switch-D at the end of each link. Notice in Figure 11-2 that a routed link is required to Router-A as well. Because Switch-A is the VTP server, the VLANs must be created on Switch-A as depicted in Example B-4.

Example B-4. Creating VLANs on Switch-A
    Switch-A# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch-A(config)# vlan 3
    Switch-A(config-vlan)# name SwitchB_to_SwitchC
    Switch-A(config-vlan)# exit
    Switch-A(config)# vlan 4
    Switch-A(config-vlan)# name SwitchB_to_SwitchD
    Switch-A(config-vlan)# exit
    Switch-A(config)# vlan 5
    Switch-A(config-vlan)# name SwitchB_to_RouterA
    Switch-A(config-vlan)# exit
    Switch-A(config)# spanning-tree vlan 3 root secondary diameter 2
     vlan 3 bridge priority set to 28672
     vlan 3 bridge max aging time set to 10
     vlan 3 bridge hello time unchanged at 2
     vlan 3 bridge forward delay set to 7
    Switch-A(config)# spanning-tree vlan 4 root primary diameter 2
    % This switch is already the root bridge of the VLAN0004 spanning tree
     vlan 4 bridge priority set to 28672
     vlan 4 bridge max aging time set to 10
     vlan 4 bridge hello time unchanged at 2
     vlan 4 bridge forward delay set to 7
    Switch-A(config)# spanning-tree vlan 5 root secondary diameter 2
     vlan 5 bridge priority set to 28672
     vlan 5 bridge max aging time set to 10
     vlan 5 bridge hello time unchanged at 2
     vlan 5 bridge forward delay set to 7

In Example B-4, notice that you must also configure spanning tree for the new VLANs. Once the VLANs have propagated to Switch-B, the appropriate VLANs are in place to begin configuring the MSFC. Example B-5 shows the configuration required on Switch-B to remove trunks, configure spanning tree, assign the appropriate VLANs, and configure the MSFC (MSFC-B) to enable Layer 3 switching.

Example B-5. MSFC-B Configuration
    Switch-B> (enable) set trunk 2/1-2 off
    Port(s) 2/1-2 trunk mode set to off.
    Switch-B> (enable) set spantree root 3,5 dia 2
    VLANs 3,5 bridge priority set to 24576.
    VLANs 3,5 bridge max aging time set to 10.
    VLANs 3,5 bridge hello time set to 2.
    VLANs 3,5 bridge forward delay set to 7.
    Switch is now the root switch for active VLANs 1,101.
    Switch-B> (enable) set spantree root secondary 4 dia 2
    VLANs 4 bridge priority set to 28672.
    VLANs 4 bridge max aging time set to 10.
    VLANs 4 bridge hello time set to 2.
    VLANs 4 bridge forward delay set to 7.
    Switch-B> (enable) set vlan 3 2/1
    VLAN 3 modified.
    VLAN 1 modified.
    VLAN  Mod/Ports
    ---- -----------------------
    3     2/1
    Switch-B> (enable) set vlan 4 2/2
    VLAN 4 modified.
    VLAN 1 modified.
    VLAN  Mod/Ports
    ---- -----------------------
    4     2/2
    Switch-B> (enable) session 15
    Trying Router-15...
    Connected to Router-15.
    Escape character is '^]'.
    Router> enable
    Router# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)# hostname MSFC-B
    MSFC-B(config)# enable secret cisco
    MSFC-B(config)# line vty 0 4
    MSFC-B(config-line)# password cisco
    MSFC-B(config-line)# exit
    MSFC-B(config)# interface VLAN 3
    MSFC-B(config-if)# ip address 192.168.3.1 255.255.255.0
    MSFC-B(config-if)# exit
    MSFC-B(config)# interface VLAN 4
    MSFC-B(config-if)# ip address 192.168.4.1 255.255.255.0
    MSFC-B(config-if)# exit
    MSFC-B(config)# interface VLAN 10
    MSFC-B(config-if)# ip address 192.168.10.4 255.255.255.0
    MSFC-B(config-if)# exit

In Example B-5, Switch-B is first cleared of any trunks to Switch-C and Switch-D, spanning tree is configured for each VLAN, and each port is then placed into the appropriate VLAN. The MSFC is next configured with an appropriate host name, and a VLAN 10 SVI is created for management purposes. SVIs are created for VLAN 3 and VLAN 4, which enable IP communications over ports 2/1 and 2/2 to Switch-C and Switch-D.

Step 4.

Ensure that devices connected to VLANs 100 and 101 can still connect to the rest of the network without reconfiguration of the IP addressing parameters on any edge device in these VLANs. Traffic for VLAN 100 should be routed through Switch-A, and traffic for VLAN 101 should be routed through MSFC-B. However, should either of the routing engines on either core switch fail, then the remaining working routing engine takes over.

This configuration task requires Hot Standby Router Protocol (HSRP) to be configured on Switch-A and MSFC-B for VLANs 100 and 101, with the virtual IP addresses configured as 192.168.100.1 and 192.168.101.1 (recall from Part I, Router-A was configured with these IP addresses that are used as the default gateway on each VLAN). Example B-6 and Example B-7 show the HSRP configuration required on Switch-A and MSFC-B.

Example B-6. Configuring HSRP for VLANs 100 and 101 on Switch-A
    Switch-A# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch-A(config)# interface vlan 100
    Switch-A(config-if)# ip address 192.168.100.2 255.255.255.0
    Switch-A(config-if)# standby ip 192.168.100.1
    Switch-A(config-if)# standby priority 150 preempt
    Switch-A(config-if)# exit
    Switch-A(config)# interface vlan 101
    Switch-A(config-if)# no shutdown
    Switch-A(config-if)# ip address 192.168.101.2 255.255.255.0
    Switch-A(config-if)# standby ip 192.168.101.1
    Switch-A(config-if)# standby priority 100

Example B-7. Configuring HSRP for VLANs 100 and 101 on MSFC-B
    MSFC-B# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    MSFC-B(config)# interface vlan 100
    MSFC-B(config-if)# ip address 192.168.100.3 255.255.255.0
    MSFC-B(config-if)# standby ip 192.168.100.1
    MSFC-B(config-if)# standby priority 100
    MSFC-B(config-if)# exit
    MSFC-B(config)# interface vlan 101
    MSFC-B(config-if)# ip address 192.168.101.3 255.255.255.0
    MSFC-B(config-if)# standby ip 192.168.101.1
    MSFC-B(config-if)# standby priority 150 preempt

In Example B-6 and Example B-7, SVIs are created on both devices to enable access to each server VLAN. Notice that Switch-A is configured as the active (primary) router for VLAN 100 (as its priority is higher than Switch-B), while Switch-B is configured as the active router for VLAN 101. Notice that you must create separate physical IP addresses for each HSRP router.

Distribution and Access Layer Configuration Solution

Step 1.

The new multilayer topology has split the Layer 2 domain into smaller pieces. Ensure that Switch-C, Switch-D, Switch-E, and Switch-F are configured appropriately to ensure the VTP, VLAN, and spanning-tree parameters configured in the first lab are maintained in the new Layer 2 topology.

All connections to Switch-A and Switch-B from Switch-C and Switch-D are now routed connections, while the connections to Switch-E and Switch-F are still switched connections. Consequently, Switch-C through Switch-F are essentially in a new Layer 2 domain, and you must ensure that VTP, VLANs, trunks, and STP are configured appropriately for the new Layer 2 domain. In terms of VTP, reconfiguration is required because Switch-D is configured in VTP transparent mode and Switch-F is configured in a different VTP domain. In terms of VLANs, VLANs 100 and 101 are no longer required because these VLANs are present only at the core of the network that is now separated by a Layer 3 routing domain. In terms of spanning tree, Switch-C and Switch-D should be configured as root/secondary bridges for each VLAN.

Example B-8 and Example B-9 show the VTP configuration required on Switch-D and Switch-F to ensure all switches are part of the same VTP domain.

Example B-8. Switch-D VTP Configuration
    Switch-D# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch-D(config)# vtp password cisco
    Setting device VLAN database password to cisco.
    Switch-D(config)# vtp mode client
    Setting device to VTP CLIENT mode.

Example B-9. Switch-F VTP Configuration
    Switch-F> (enable) set vtp domain ccnp
    VTP domain ccnp modified

In Example B-9, Switch-F is already configured as a VTP client; hence, you don't need to change the VTP mode.

Example B-10 and Example B-11 show the configuration required for VLANs and spanning tree on Switch-C and Switch-D.

Example B-10. Switch-C VLAN and Spanning Tree Configuration
    Switch-C# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch-C(config)# no vlan 100
    Switch-C(config)# no vlan 101
    Switch-C(config)# spanning-tree vlan 10 root primary diameter 4
    % This switch is already the root bridge of the VLAN0010 spanning tree
     vlan 10 bridge priority set to 24576
     vlan 10 bridge max aging time set to 14
     vlan 10 bridge hello time unchanged at 2
     vlan 10 bridge forward delay set to 10
    Switch-C(config)# spanning-tree vlan 200 root primary diameter 4
    % This switch is already the root bridge of the VLAN0200 spanning tree
     vlan 200 bridge priority set to 24576
     vlan 200 bridge max aging time set to 14
     vlan 200 bridge hello time unchanged at 2
     vlan 200 bridge forward delay set to 10
    Switch-C(config)# spanning-tree vlan 1 root secondary diameter 4
     vlan 1 bridge priority set to 28672
     vlan 1 bridge max aging time set to 14
     vlan 1 bridge hello time unchanged at 2
     vlan 1 bridge forward delay set to 10
    Switch-C(config)# spanning-tree vlan 201 root secondary diameter 4
     vlan 201 bridge priority set to 28672
     vlan 201 bridge max aging time set to 14
     vlan 201 bridge hello time unchanged at 2
     vlan 201 bridge forward delay set to 10

Example B-11. Switch-D Spanning Tree Configuration
    Switch-D# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch-D(config)# spanning-tree vlan 1 root primary diameter 4
     vlan 1 bridge priority set to 24576
     vlan 1 bridge max aging time set to 14
     vlan 1 bridge hello time unchanged at 2
     vlan 1 bridge forward delay set to 10
    Switch-D(config)# spanning-tree vlan 201 root primary diameter 4
     vlan 201 bridge priority set to 24576
     vlan 201 bridge max aging time set to 14
     vlan 201 bridge hello time unchanged at 2
     vlan 201 bridge forward delay set to 10
    Switch-D(config)# spanning-tree vlan 10 root secondary diameter 4
     vlan 10 bridge priority set to 28672
     vlan 10 bridge max aging time set to 14
     vlan 10 bridge hello time unchanged at 2
     vlan 10 bridge forward delay set to 10
    Switch-D(config)# spanning-tree vlan 200 root secondary diameter 4
     vlan 200 bridge priority set to 28672
     vlan 200 bridge max aging time set to 14
     vlan 200 bridge hello time unchanged at 2
     vlan 200 bridge forward delay set to 10

In Example B-10 and Example B-11, notice that Switch-C is configured as the root bridge for even VLANs, while Switch-D is configured as the root bridge for odd VLANs.

Step 2.

Configure Switch-C and Switch-D as Layer 3 switches using the IP addressing shown in Figure 11-2. Ensure that physical interfaces are configured as routed interfaces wherever possible, instead of using SVIs. If required, you are permitted to create new VLANs.

Switch-C and Switch-D are Layer 3-capable switches; however, by default, this functionality is not enabled. The ISLs to Switch-A and Switch-B are now routed links and, therefore, no longer require trunking. The EtherChannel bundle between Switch-C and Switch-D still needs to remain a Layer 2 trunk. On both switches, the interfaces attached to Switch-A and Switch-B can be configured as routed interfaces because Cisco IOS supports this configuration. Example B-12 and Example B-13 show the configuration required on Switch-C and Switch-D to enable Layer 3 switching.

Example B-12. Configuring Layer 3 Switching on Switch-C
    Switch-C# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch-C(config)# ip routing
    Switch-C(config)# interface FastEthernet 0/1
    Switch-C(config-if)# no switchport
    Switch-C(config-if)# ip address 192.168.1.2 255.255.255.0
    Switch-C(config-if)# exit
    Switch-C(config)# interface FastEthernet 0/2
    Switch-C(config-if)# no switchport
    Switch-C(config-if)# ip address 192.168.3.2 255.255.255.0

Example B-13. Configuring Layer 3 Switching on Switch-D
    Switch-D# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch-D(config)# ip routing
    Switch-D(config)# interface FastEthernet 0/1
    Switch-D(config-if)# no switchport
    Switch-D(config-if)# ip address 192.168.2.2 255.255.255.0
    Switch-D(config-if)# exit
    Switch-D(config)# interface FastEthernet 0/2
    Switch-D(config-if)# no switchport
    Switch-D(config-if)# ip address 192.168.4.2 255.255.255.0

In Example B-12 and Example B-13, notice that the ip routing global configuration command is required to enable Layer 3 switching. The no switchport command configures interfaces Fa2/1 and Fa2/2 as routed interfaces. Also, notice that both switch uplinks to Switch-A and Switch-B are configured as routed physical ports.

At this point, you should be able to ping Switch-A and Switch-B across the ISLs from Switch-C and Switch-D. Example B-14 demonstrates Switch-C successfully pinging Switch-A and Switch-B.

Example B-14. Verifying IP Connectivity from Switch-C
    Switch-C# ping 192.168.1.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 8/9/16 ms
    Switch-C# ping 192.168.3.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/10 ms

Step 3.

Configure the network so that devices connected to VLANs 200, 201, and 202 can still connect to the rest of the network without reconfiguration of the IP addressing parameters on any edge device in these VLANs. You must ensure that edge devices can still connect to the rest of the network within 5 seconds after the failure of either Switch-C or Switch-D. The routed traffic load should be shared for even and odd VLANs by Switch-C and Switch-D, respectively.

This configuration task requires HSRP to be configured on Switch-C and Switch-D for VLANs 200, 201, and 202, with the virtual IP addresses configured as 192.168.200.1, 192.168.201.1, and 192.168.202.1. Example B-15 and Example B-16 show the HSRP configuration required on Switch-C and Switch-D.

Example B-15. Configuring HSRP for VLANs 200-202 on Switch-C
    Switch-C# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch-C(config)# interface vlan 200
    Switch-C(config-if)# ip address 192.168.200.2 255.255.255.0
    Switch-C(config-if)# standby ip 192.168.200.1
    Switch-C(config-if)# standby priority 150 preempt
    Switch-C(config-if)# exit
    Switch-C(config)# interface vlan 201
    Switch-C(config-if)# ip address 192.168.201.2 255.255.255.0
    Switch-C(config-if)# standby ip 192.168.201.1
    Switch-C(config-if)# standby priority 100
    Switch-C(config)# interface vlan 202
    Switch-C(config-if)# ip address 192.168.202.2 255.255.255.0
    Switch-C(config-if)# standby ip 192.168.202.1
    Switch-C(config-if)# standby priority 150 preempt

Example B-16. Configuring HSRP for VLANs 200-202 on Switch-D
    Switch-D# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch-D(config)# interface vlan 200
    Switch-D(config-if)# ip address 192.168.200.3 255.255.255.0
    Switch-D(config-if)# standby ip 192.168.200.1
    Switch-D(config-if)# standby priority 100
    Switch-D(config-if)# exit
    Switch-D(config)# interface vlan 201
    Switch-D(config-if)# no shutdown
    Switch-D(config-if)# ip address 192.168.201.3 255.255.255.0
    Switch-D(config-if)# standby ip 192.168.201.1
    Switch-D(config-if)# standby priority 150 preempt
    Switch-D(config)# interface vlan 202
    Switch-D(config-if)# no shutdown
    Switch-D(config-if)# ip address 192.168.202.3 255.255.255.0
    Switch-D(config-if)# standby ip 192.168.202.1
    Switch-D(config-if)# standby priority 100

In Example B-15 and Example B-16, notice that HSRP priorities are configured so that Switch-C is the active router for even VLANs (200 and 202) and Switch-D is the active router for odd VLANs (201).
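The HSRP design used here and in Examples B-6 and B-7 can be checked mechanically. The following Python sketch is an added example, not part of the original lab solution: it parses the HSRP-relevant lines of the Switch-C and Switch-D stanzas shown above, works out which switch wins each group, and compares the hold time with the 5-second failover requirement of this step. It assumes IOS defaults (priority 100, hold time 10 seconds) wherever a stanza sets no value; the function and variable names are illustrative.

```python
import ipaddress
import re

# HSRP-relevant lines from Examples B-15 and B-16, CLI prompts stripped.
SWITCH_C = """\
interface vlan 200
 ip address 192.168.200.2 255.255.255.0
 standby ip 192.168.200.1
 standby priority 150 preempt
interface vlan 201
 ip address 192.168.201.2 255.255.255.0
 standby ip 192.168.201.1
 standby priority 100
interface vlan 202
 ip address 192.168.202.2 255.255.255.0
 standby ip 192.168.202.1
 standby priority 150 preempt
"""
SWITCH_D = """\
interface vlan 200
 ip address 192.168.200.3 255.255.255.0
 standby ip 192.168.200.1
 standby priority 100
interface vlan 201
 ip address 192.168.201.3 255.255.255.0
 standby ip 192.168.201.1
 standby priority 150 preempt
interface vlan 202
 ip address 192.168.202.3 255.255.255.0
 standby ip 192.168.202.1
 standby priority 100
"""

# Assumption: IOS defaults apply when a value is not configured.
DEFAULTS = {"priority": 100, "preempt": False, "hold": 10}


def parse_hsrp(config):
    """Return {vlan: settings} for each SVI that carries a 'standby ip' line."""
    svis, cur = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"interface vlan\s*(\d+)", line, re.I):
            cur = svis.setdefault(int(m[1]), dict(DEFAULTS, ip=None, vip=None))
        elif cur is None:
            continue
        elif m := re.fullmatch(r"ip address (\S+) \S+", line):
            cur["ip"] = ipaddress.ip_address(m[1])
        elif m := re.fullmatch(r"standby ip (\S+)", line):
            cur["vip"] = ipaddress.ip_address(m[1])
        elif m := re.fullmatch(r"standby priority (\d+)( preempt)?", line):
            cur["priority"] = int(m[1])
            cur["preempt"] = cur["preempt"] or bool(m[2])
        elif line == "standby preempt":
            cur["preempt"] = True
        elif m := re.fullmatch(r"standby timers (\d+) (\d+)", line):
            cur["hold"] = int(m[2])  # second value is the hold time in seconds
    return {vlan: s for vlan, s in svis.items() if s["vip"] and s["ip"]}


def audit(routers, intended_active, max_failover_s):
    """Check each HSRP group against the intended design; returns {vlan: result}."""
    parsed = {name: parse_hsrp(cfg) for name, cfg in routers.items()}
    report = {}
    for vlan, want in sorted(intended_active.items()):
        peers = {name: svis[vlan] for name, svis in parsed.items() if vlan in svis}
        if len(peers) < 2:
            report[vlan] = {"active": None, "hold": None,
                            "findings": ["fewer than two HSRP routers configured"]}
            continue
        findings = []
        if len({p["vip"] for p in peers.values()}) != 1:
            findings.append("virtual IP differs between peers")
        addrs = [p["ip"] for p in peers.values()]
        if len(set(addrs)) != len(addrs) or any(p["vip"] in addrs for p in peers.values()):
            findings.append("physical addresses must be unique and differ from the virtual IP")
        # Highest priority wins the election; a tie goes to the higher interface address.
        active = max(peers, key=lambda n: (peers[n]["priority"], peers[n]["ip"]))
        if active != want:
            findings.append(f"{active} wins the election, design expects {want}")
        elif not peers[active]["preempt"]:
            findings.append(f"{active} lacks preempt, so it will not reclaim the active role")
        # Conservative: judge failover by the longest hold time on any peer.
        hold = max(p["hold"] for p in peers.values())
        if hold > max_failover_s:
            findings.append(f"hold time {hold}s exceeds the {max_failover_s}s failover target")
        report[vlan] = {"active": active, "hold": hold, "findings": findings}
    return report


# Design from the task: Switch-C active for even VLANs, Switch-D for odd VLANs.
ROUTERS = {"Switch-C": SWITCH_C, "Switch-D": SWITCH_D}
INTENDED = {200: "Switch-C", 201: "Switch-D", 202: "Switch-C"}

if __name__ == "__main__":
    for vlan, result in audit(ROUTERS, INTENDED, max_failover_s=5).items():
        print(vlan, result["active"], f"hold={result['hold']}s", result["findings"] or "ok")
```

Against the stanzas as printed, all three groups elect the intended switch but report the default 10-second hold time; a standby timers line on each SVI is what would bring failover under the 5-second target.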

Routing and Multicast Routing Configuration Solution

Step 1.

Configure Router-A as indicated in Figure 11-2. The FastEthernet0/0 interface should now be configured as a non-trunk port with a single IP address configured, as shown in Figure 11-2. Once complete, reconnect Router-A to Switch-B.

To complete this configuration task, the trunk configuration on Router-A must be removed, as well as the configuration on Switch-B for port 2/48. A new VLAN interface must be configured on MSFC-B to allow MSFC-B to communicate with the 192.168.5.0/24 subnet that is to be configured between Switch-B and Router-A. Example B-17 shows the configuration required on Switch-B and MSFC-B to disable trunking and create the new VLAN interface for communications to Router-A.

Example B-17. Configuring the Connection Between Switch-B and Router-A
    Switch-B> (enable) set trunk 2/48 off
    Port(s)  2/48 trunk mode set to off.
    Switch-B> (enable) set vlan 5 2/48
    VLAN 5 modified.
    VLAN 1 modified.
    VLAN  Mod/Ports
    ---- -----------------------
    5     2/48
          15/1
    Switch-B> (enable) session 15
    Trying Router-15...
    Connected to Router-15.
    Escape character is '^]'.
    MSFC-B> enable
    MSFC-B# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    MSFC-B(config)# interface vlan 5
    MSFC-B(config-if)# no shutdown
    MSFC-B(config-if)# ip address 192.168.5.2 255.255.255.0

Example B-18 shows the configuration required on Router-A.

Example B-18. Reconfiguring Router-A
    Router-A# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router-A(config)# no interface FastEthernet 0/0.10
    % Not all config may be removed and may reappear after reactivating the sub-interface
    Router-A(config)# no interface FastEthernet 0/0.100
    % Not all config may be removed and may reappear after reactivating the sub-interface
    Router-A(config)# no interface FastEthernet 0/0.101
    % Not all config may be removed and may reappear after reactivating the sub-interface
    Router-A(config)# no interface FastEthernet 0/0.200
    % Not all config may be removed and may reappear after reactivating the sub-interface
    Router-A(config)# no interface FastEthernet 0/0.201
    % Not all config may be removed and may reappear after reactivating the sub-interface
    Router-A(config)# no interface FastEthernet 0/0.202
    % Not all config may be removed and may reappear after reactivating the sub-interface
    Router-A(config)# interface FastEthernet 0/0
    Router-A(config-if)# ip address 192.168.5.1 255.255.255.0

In Router-A, each subinterface is removed because trunking is no longer configured. The physical interface is then configured with an IP address of 192.168.5.1/24. After connecting Router-A back to Switch-B, Router-A should be able to ping 192.168.5.2 on MSFC-B.

Step 2.

Ensure that all switches can be managed using the 192.168.10.x addressing used in Part I. The management IP addresses configured on each device cannot be altered, although you may alter the subnet mask and default gateway configuration.

To complete this task, you must split up the 192.168.10.0/24 subnet into smaller subnets so that each subnet fits into the new Layer 3 topology. In the new topology, two Layer 2 domains are separated by a Layer 3 routing domain. The first Layer 2 domain consists of Switch-A and Switch-B, while the second Layer 2 domain consists of Switch-C, Switch-D, Switch-E, and Switch-F. With a 24-bit subnet mask configured, all switches think that all other switches are within the same IP subnet (Layer 2 domain), which, of course, is not the case because routing devices now exist between each Layer 2 domain. To resolve this situation, you must split up the 192.168.10.0/24 subnet into two subnets to represent the fact that two Layer 2 domains now exist. The following lists the new subnets that must be created:

  • 192.168.10.0/29: This subnet consists of devices in the address range of 192.168.10.0-192.168.10.7, which includes Switch-A and Switch-B.

  • 192.168.10.8/29: This subnet consists of devices in the address range of 192.168.10.8-192.168.10.15, which includes Switch-C, Switch-D, Switch-E, and Switch-F.

Each subnet can be created by simply altering the subnet mask on each switch from a 24-bit mask (255.255.255.0) to a 29-bit mask (255.255.255.248). After creating the subnets, the next thing that must be configured is an appropriate default gateway for switches that do not possess Layer 3 routing capabilities. These switches include Switch-B (although Switch-B is a Layer 3 switch, MSFC-B provides the separate routing component) and Switch-F. All other switches are now configured for routing, and do not require default gateway configuration. For this lab, Switch-A is configured as the default gateway for Switch-B, and Switch-C is configured as the default gateway for Switch-F.

Example B-19 and Example B-20 demonstrate the configuration required on Switch-A and Switch-B to enable management communications using the same IP addressing.

Example B-19. Configuring the Management Interface for 192.168.10.0/29 on Switch-A
    Switch-A# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch-A(config)# interface vlan 10
    Switch-A(config-if)# ip address 192.168.10.2 255.255.255.248

Example B-20. Configuring the Management Interface for 192.168.10.0/29 on Switch-B
    Switch-B> (enable) set interface sc0 10 192.168.10.3 255.255.255.248
    Interface sc0 vlan set, IP address and netmask set.
    Switch-B> (enable) clear ip route all
    All routes deleted.
    Switch-B> (enable) set ip route default 192.168.10.2
    Route added.

In Example B-20, the default gateway is configured as 192.168.10.2 (Switch-A) instead of 192.168.10.1 because Router-A is no longer configured with this address and Switch-A is providing routing. The same configurations used in Examples B-19 and B-20 are required on the remaining switches. The subnet mask on each switch needs to be configured as a 29-bit (255.255.255.248) mask. On Switch-E and Switch-F, a default gateway of 192.168.10.9 (Switch-C) needs to be configured.
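Why the 24-bit mask breaks management traffic and the 29-bit mask with the new gateways repairs it can be shown by modelling each switch's forwarding decision. This Python sketch is an added example, not part of the original lab solution. The addresses 192.168.10.2, .3 and .9 and the gateways come from the text above; the addresses for Switch-D, Switch-E and Switch-F are assumed values inside 192.168.10.8/29, and all function names are illustrative.

```python
import ipaddress

# Layer 2 domains after the conversion, as described in the text.
L2_DOMAIN = {"Switch-A": "core", "Switch-B": "core", "Switch-C": "edge",
             "Switch-D": "edge", "Switch-E": "edge", "Switch-F": "edge"}

# Management addresses: .2, .3 and .9 appear on the page; .10 to .12 are
# assumed values inside 192.168.10.8/29, chosen for illustration only.
MGMT_IP = {"Switch-A": "192.168.10.2", "Switch-B": "192.168.10.3",
           "Switch-C": "192.168.10.9", "Switch-D": "192.168.10.10",
           "Switch-E": "192.168.10.11", "Switch-F": "192.168.10.12"}

# Default gateways from the text; None marks a switch that routes for itself.
GATEWAY = {"Switch-A": None, "Switch-B": "192.168.10.2", "Switch-C": None,
           "Switch-D": None, "Switch-E": "192.168.10.9", "Switch-F": "192.168.10.9"}


def on_link(src, addr, mask):
    """True if addr falls inside the subnet src derives from its own address and mask."""
    network = ipaddress.ip_interface(f"{MGMT_IP[src]}/{mask}").network
    return ipaddress.ip_address(addr) in network


def first_hop(src, dst, mask, gateways=GATEWAY):
    """'arp' when src believes dst is on-link, otherwise its gateway (or 'route')."""
    if on_link(src, MGMT_IP[dst], mask):
        return "arp"
    return gateways[src] or "route"


def delivery_ok(src, dst, mask, gateways=GATEWAY):
    """Can src hand a management packet for dst to a reachable next hop?"""
    hop = first_hop(src, dst, mask, gateways)
    if hop == "arp":
        # ARP is a Layer 2 broadcast and never crosses the routed links.
        return L2_DOMAIN[src] == L2_DOMAIN[dst]
    if hop == "route":
        return True  # assumes the routing table (EIGRP, Step 3) holds the route
    # A gateway is usable only if it is on-link and in the sender's Layer 2 domain.
    owner = {ip: name for name, ip in MGMT_IP.items()}.get(hop)
    return (owner is not None and on_link(src, hop, mask)
            and L2_DOMAIN[owner] == L2_DOMAIN[src])


def broken_pairs(mask, gateways=GATEWAY):
    """Ordered (source, destination) pairs whose management traffic cannot be delivered."""
    return sorted((s, d) for s in MGMT_IP for d in MGMT_IP
                  if s != d and not delivery_ok(s, d, mask, gateways))


if __name__ == "__main__":
    print("/24:", len(broken_pairs("255.255.255.0")), "broken pairs")
    print("/29:", len(broken_pairs("255.255.255.248")), "broken pairs")
    stale = dict(GATEWAY, **{"Switch-F": "192.168.10.1"})  # Part I gateway left in place
    print("/29, stale gateway on Switch-F:", broken_pairs("255.255.255.248", stale))
```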

Step 3.

Configure Enhanced Interior Gateway Routing Protocol (EIGRP) on all routing devices so that any device in the network can communicate with any other device, regardless of the location in the network.

All routing devices must be configured for EIGRP and should advertise information about all subnets. This configuration can easily be achieved by configuring all 192.168.x.x networks to be included in EIGRP. You must also remove any default routes that point to Router-A from Part I (192.168.10.1) because this address no longer exists, invalidating the route. Example B-21 demonstrates the EIGRP configuration required on Switch-A.

Example B-21. Configuring EIGRP on Switch-A
    Switch-A# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch-A(config)# no ip route 0.0.0.0 0.0.0.0 192.168.10.1
    Switch-A(config)# router eigrp 1
    Switch-A(config-router)# network 192.168.0.0 0.0.255.255

The preceding configuration configures EIGRP autonomous system 1 to advertise and operate over any 192.168.x.x network on Switch-A. The same configuration is required on all other routing devices, except for Router-A, which also requires the 10.0.0.0/8 network to be advertised. You must ensure that the same autonomous system number (1) is configured on all EIGRP routers. Once all routing configuration is in place, you should be able to ping any IP address from anywhere in the network (excluding 10.0.0.0/8 because it is a restricted network). Example B-22 shows the routing table on Switch-A after all routing configuration has been completed.

Example B-22. Displaying the IP Routing Table on Switch-A
    Switch-A# show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route
    Gateway of last resort is not set
    D    10.0.0.0/8       [90/3072] via 192.168.100.3, 00:00:28, Vlan100
                          [90/3072] via 192.168.101.3, 00:00:28, Vlan100
    C    192.168.1.0/24 is directly connected, Fa2/1
    C    192.168.2.0/24 is directly connected, Fa2/2
         192.168.10.0/29 is subnetted, 2x subnets
    C       192.168.10.2 is directly connected, Vlan10
    D       192.168.10.8  [90/3072] via 192.168.1.2, 00:00:28, Fa2/1
                          [90/3072] via 192.168.2.2, 00:00:14, Fa2/2
    C    192.168.100.0/24 is directly connected, Vlan100
    C    192.168.101.0/24 is directly connected, Vlan101
    D    192.168.200.0/24 [90/3072] via 192.168.1.2, 00:00:28, Vlan11
                          [90/3072] via 192.168.2.2, 00:00:14, Vlan11
    D    192.168.201.0/24 [90/3072] via 192.168.1.2, 00:00:28, Vlan11
                          [90/3072] via 192.168.2.2, 00:00:14, Vlan11
    D    192.168.202.0/24 [90/3072] via 192.168.1.2, 00:00:28, Vlan11
                          [90/3072] via 192.168.2.2, 00:00:14, Vlan11

Notice that many routes have two paths available, reflecting the redundant topology of the network. For example, 192.168.200.0/24 is reachable via both 192.168.1.2 (Switch-C) and 192.168.2.2 (Switch-D). Both routes have an equal cost (3072) and, hence, are both installed into the routing table. All traffic routed by the MSFC (in reality, by the L3 engine on the Policy Feature Card [PFC] onboard Switch-A) is load shared over each route, which ensures that the load placed on the redundant paths in your network is being equally distributed, increasing network efficiency and performance.

TIP

Load sharing on the PFC-2 (using Cisco Express Forwarding [CEF]) is performed on a per-destination basis, in which packets to a given destination always take the same path. This can result in an uneven distribution of traffic, particularly if you have one heavily used device in the network. Per-packet load sharing instead sends each packet over the equal-cost paths in turn, resulting in a more even distribution of traffic. This feature is supported in CEF for Cisco routers, but is not supported on the PFC-2.


Step 4.

Configure multicast routing on all routing devices, which includes all switches except for Switch-E and Switch-F. Configure a shared tree that is rooted at Router-A, which should be used for initial forwarding of multicast traffic. You are not permitted to manually configure Router-A as the root of the shared tree on any other multicast router. Ensure all interfaces enabled for multicast routing are operating in the appropriate mode as recommended by Cisco.

This task requires the configuration of PIM sparse-dense mode, with a rendezvous point (RP) configured at Router-A. Router-A must be configured for Auto-RP, because you cannot manually configure RPs in the task. On Switch-A, Switch-C, Switch-D, and MSFC-B, you must configure multicast routing and enable it for each interface in the network. Example B-23 demonstrates the multicast configuration required on Switch-C.

Example B-23. Configuring Multicast Routing
 Switch-C# configure terminal
 Enter configuration commands, one per line.  End with CNTL/Z.
 Switch-C(config)# ip multicast-routing
 Switch-C(config)# interface range FastEthernet 0/1 - 2
 Switch-C(config-if-range)# ip pim sparse-dense-mode
 Switch-C(config-if-range)# exit
 Switch-C(config)# interface vlan 10
 Switch-C(config-if)# ip pim sparse-dense-mode
 Switch-C(config-if)# exit
 Switch-C(config)# interface range vlan 200 - 202
 Switch-C(config-if-range)# ip pim sparse-dense-mode
 Switch-C(config-if-range)# exit

Router-A must be configured as an RP and must also announce its presence using a protocol such as Auto-RP. Example B-24 shows the configuration required on Router-A.

Example B-24. Configuring Multicast Routing on Router-A
 Router-A# configure terminal
 Enter configuration commands, one per line.  End with CNTL/Z.
 Router-A(config)# ip multicast-routing
 Router-A(config)# ip pim send-rp-announce FastEthernet 0/0 scope 5
 Router-A(config)# interface FastEthernet 0/0
 Router-A(config-if)# ip pim sparse-dense-mode

The ip pim send-rp-announce command is configured to announce the IP address of the FastEthernet0/0 interface (192.168.5.2) as the RP. The scope keyword is configured so that the time-to-live (TTL) of the RP announcements is set to 5 hops.

Step 5.

Configure Switch-E to join the multicast group 239.1.1.1 on interface VLAN 10. Ensure that any edge device can ping the 239.1.1.1 address with a response from Switch-E.

Example B-25 shows the configuration required on Switch-E.

Example B-25. Joining a Multicast Group on Switch-E
 Switch-E# configure terminal
 Enter configuration commands, one per line.  End with CNTL/Z.
 Switch-E(config)# interface vlan 10
 Switch-E(config-if)# ip igmp join-group 239.1.1.1

After the configuration of Example B-25, Switch-E joins the 239.1.1.1 group on VLAN 10. Switch-C and Switch-D are both attached to VLAN 10 and, hence, receive Internet Group Management Protocol (IGMP) Joins sent by Switch-E to join the 239.1.1.1 address.

This action causes Switch-C and Switch-D to join a shared tree rooted at Router-A. As soon as a device starts sending traffic to the 239.1.1.1 address, a shortest path tree (SPT) is formed between the multicast router located closest to the source device and either Switch-C or Switch-D, with the Protocol Independent Multicast (PIM) assert process determining whether Switch-C or Switch-D is the forwarding PIM router for the VLAN 10 subnet. Because all edge devices in this network are reachable over equal cost paths using either Switch-C or Switch-D, the PIM assert process chooses the router with the highest IP address on VLAN 10, in this case Switch-D (192.168.10.10).
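The assert tie-break described above, as an added example that is not from the book: the route preference (administrative distance) is compared first, then the route metric, and only then the highest IP address on the shared VLAN. Switch-C's VLAN 10 address (192.168.10.9) is an assumed value, and the distance 90 and metric 3072 are borrowed from the EIGRP routes shown earlier on the page.

```python
from ipaddress import IPv4Address
from typing import NamedTuple

class AssertCandidate(NamedTuple):
    name: str
    address: str      # router's address on the shared LAN (VLAN 10)
    preference: int   # administrative distance of its unicast route to the source
    metric: int       # metric of that route

def assert_winner(candidates):
    """Lowest preference wins, then lowest metric, then highest IP address."""
    return min(candidates,
               key=lambda c: (c.preference, c.metric, -int(IPv4Address(c.address))))

def naive_winner(candidates):
    """Same rule with the addresses compared as text, a common scripting mistake."""
    best = min((c.preference, c.metric) for c in candidates)
    tied = [c for c in candidates if (c.preference, c.metric) == best]
    return max(tied, key=lambda c: c.address)

# Switch-D's address is from the page; Switch-C's is assumed for illustration.
SWITCH_C = AssertCandidate("Switch-C", "192.168.10.9", 90, 3072)
SWITCH_D = AssertCandidate("Switch-D", "192.168.10.10", 90, 3072)

if __name__ == "__main__":
    print("assert winner:", assert_winner([SWITCH_C, SWITCH_D]).name)
    print("text comparison picks:", naive_winner([SWITCH_C, SWITCH_D]).name)
    # A better metric toward the source overrides the address tie-break.
    closer_c = SWITCH_C._replace(metric=2816)
    print("with a lower metric on Switch-C:", assert_winner([closer_c, SWITCH_D]).name)
```

Comparing the addresses as strings ranks 192.168.10.9 above 192.168.10.10, so a script that predicts the forwarder that way disagrees with the routers.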

To test the multicast routing topology, attempt to ping 239.1.1.1 from Switch-B. Example B-26 shows the multicast routing table of Switch-D after ping connectivity has been successfully established.

Example B-26. Viewing the Multicast Routing Table on Switch-D
 Switch-D# show ip mroute
 IP Multicast Routing Table
 Flags: D - Dense, S - Sparse, s - SSM Group, C - Connected, L - Local,
        P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set,
        J - Join SPT, M - MSDP created entry, X - Proxy Join Timer Running
        A - Advertised via MSDP, U - URD, I - Received Source Specific Host
            Report
 Outgoing interface flags: H - Hardware switched
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode
 (*, 239.1.1.1), 01:25:49/00:02:32, RP 192.168.5.1, flags: SJC
   Incoming interface: FastEthernet0/2, RPF nbr 192.168.4.1
   Outgoing interface list:
     FastEthernet0/1, Prune/Sparse, 01:08:34/00:00:00
     Vlan10, Forward/Sparse, 01:08:49/00:00:00, H
     Vlan200, Prune/Sparse, 01:08:44/00:00:00
     Vlan201, Prune/Sparse, 01:08:53/00:00:00
     Vlan202, Prune/Sparse, 01:08:51/00:00:00
 (192.168.10.3, 239.1.1.1), 01:18:53/00:01:41, RP 192.168.5.1, flags: CT
   Incoming interface: FastEthernet0/2, RPF nbr 192.168.4.1
   Outgoing interface list:
     FastEthernet0/1, Prune/Sparse, 01:09:34/00:00:00
     Vlan10, Forward/Sparse, 01:25:49/00:00:00, H
     Vlan200, Prune/Sparse, 01:16:04/00:00:00
     Vlan201, Prune/Sparse, 01:16:04/00:00:00
     Vlan202, Prune/Sparse, 01:16:04/00:00:00
 (*, 224.0.1.40), 01:40:01/00:02:42, RP 0.0.0.0, flags: SJCL
   Incoming interface: Null, RPF nbr 0.0.0.0
   Outgoing interface list:
     FastEthernet0/2, Forward/Dense, 01:39:54/00:00:00

In Example B-26, notice the two multicast route entries for the 239.1.1.1 group. The first, (*,239.1.1.1), is the shared tree that is rooted at the RP. The second, (192.168.10.3,239.1.1.1), is the SPT for Switch-B sending multicast traffic to the 239.1.1.1 group.

Step 6.

Ensure that all switches constrain multicast traffic to multicast routers and receivers within each Layer 2 network.

All switches in this lab support IGMP snooping, except for Switch-F, which supports only Cisco Group Management Protocol (CGMP). All switches in this lab have the IGMP snooping feature enabled by default; hence, no extra configuration is required.

To configure CGMP on Switch-F, you must also enable CGMP on each multicast router attached to the VLAN 10 subnet to which Switch-F is attached. Example B-27 shows the configuration required on Switch-C. This configuration is also required on Switch-D because both are multicast routers attached to Switch-F.

Example B-27. Configuring CGMP on Switch-C
 Switch-C# configure terminal
 Enter configuration commands, one per line.  End with CNTL/Z.
 Switch-C(config)# interface range vlan 10, vlan 200 - 202
 Switch-C(config-if-range)# ip cgmp

Example B-28 shows the configuration required on Switch-F, which enables it to receive CGMP messages from Switch-C and Switch-D.

Example B-28. Configuring CGMP on Switch-F
 Switch-F> (enable) set cgmp enable
 CGMP support for IP multicast enabled.

Step 7.

Ensure that any access control configurations on the core switches are still compatible with the new topology.

In Part I you configured VLAN access control lists (VACLs) on Switch-A and Switch-B. A VACL called INTERNAL was created that permitted access only between devices within the 192.168.x.x networks. Because the VLANs in use within the core have changed, you must apply the VACL to the new VLANs to maintain security filtering. Example B-29 and Example B-30 show the configuration required on Switch-A and Switch-B.

Example B-29. Updating VACLs on Switch-A
 Switch-A# configure terminal
 Enter configuration commands, one per line.  End with CNTL/Z.
 Switch-A(config)# no vlan filter INTERNAL 1, 10, 100, 101, 200-202
 Switch-A(config)# vlan filter INTERNAL 1, 3-5, 10, 100, 101

Example B-30. Updating VACLs on Switch-B
 Switch-B> (enable)
 Switch-B> (enable) clear security acl map all
 Map deletion in progress.
 Successfully cleared mapping between ACL INTERNAL and VLAN 1.
 Successfully cleared mapping between ACL INTERNAL and VLAN 10.
 Successfully cleared mapping between ACL INTERNAL and VLAN 100.
 Successfully cleared mapping between ACL INTERNAL and VLAN 101.
 Successfully cleared mapping between ACL INTERNAL and VLAN 200.
 Successfully cleared mapping between ACL INTERNAL and VLAN 201.
 Successfully cleared mapping between ACL INTERNAL and VLAN 202.
 Switch-B> (enable) set security acl map INTERNAL 1,3-5,10,100,101
 Mapping in progress...
 ACL INTERNAL successfully mapped to VLAN 1.
 ACL INTERNAL successfully mapped to VLAN 3.
 ACL INTERNAL successfully mapped to VLAN 4.
 ACL INTERNAL successfully mapped to VLAN 5.
 ACL INTERNAL successfully mapped to VLAN 10.
 ACL INTERNAL successfully mapped to VLAN 100.
 ACL INTERNAL successfully mapped to VLAN 101.
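A topology change like this one can leave new VLANs with no VACL and old mappings on retired VLANs. The following added example (not from the book) replays the mapping commands from Examples B-29 and B-30 and reports both conditions; the configuration strings are constructed from those examples, and treating the mapped list 1, 3-5, 10, 100, 101 as the set of active core VLANs is an assumption.

```python
import re

def expand_vlans(spec):
    """Expand a VLAN list such as '1, 3-5, 10' into a set of integers."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if part:
            low, _, high = part.partition("-")
            vlans.update(range(int(low), int(high or low) + 1))
    return vlans

def mapped_vlans(config, acl):
    """Replay the mapping commands for one VACL and return the VLANs it covers.

    Handles IOS 'vlan filter' / 'no vlan filter' (with or without the
    vlan-list keyword) and CatOS 'set security acl map'.
    """
    name = re.escape(acl)
    ios = re.compile(r"^(no\s+)?vlan filter\s+" + name + r"\s+(?:vlan-list\s+)?([\d,\s-]+)$")
    catos = re.compile(r"^set security acl map\s+" + name + r"\s+([\d,\s-]+)$")
    mapped = set()
    for line in map(str.strip, config.splitlines()):
        m = ios.match(line)
        if m:
            vlans = expand_vlans(m.group(2))
            mapped = mapped - vlans if m.group(1) else mapped | vlans
        else:
            m = catos.match(line)
            if m:
                mapped |= expand_vlans(m.group(1))
    return mapped

def audit(config, acl, active):
    """Report active VLANs with no VACL and mappings left on retired VLANs."""
    mapped = mapped_vlans(config, acl)
    return {"unfiltered": sorted(active - mapped), "stale": sorted(mapped - active)}

# Assumption: the active core VLANs are the ones mapped in Example B-29.
CORE_VLANS = expand_vlans("1, 3-5, 10, 100, 101")
# Constructed inputs: the Part I mapping, then the same with the Part II update.
PART1_IOS = "vlan filter INTERNAL 1, 10, 100, 101, 200-202"
PART2_IOS = PART1_IOS + """
no vlan filter INTERNAL 1, 10, 100, 101, 200-202
vlan filter INTERNAL 1, 3-5, 10, 100, 101"""
PART2_CATOS = "set security acl map INTERNAL 1,3-5,10,100,101"

if __name__ == "__main__":
    for label, cfg in [("Part I", PART1_IOS), ("Part II", PART2_IOS), ("Switch-B", PART2_CATOS)]:
        print(label, audit(cfg, "INTERNAL", CORE_VLANS))
```

Run against the Part I mapping alone, the audit lists VLANs 3, 4 and 5 as unfiltered, which is the gap Step 7 closes.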




CCNP(R) Practical Studies: Switching (CCNP Self-Study)
ISBN: 1587200600
EAN: 2147483647
Year: 2002
Pages: 135
Authors: Justin Menga
