Senior Acquisitions Editor: Kenyon Brown Development Editor: Kim Wimpsett



Todd Lammle CCNA Routing and Switching


a switched LAN. The main purpose of STP is to prevent switching loops in a network with redundant switched paths.



Remember the states of STP. The purpose of the blocking state is to prevent the use of looped paths. A port in listening state prepares to forward data frames without populating the MAC address table. A port in learning state populates the MAC address table but doesn't forward data frames. A port in forwarding state sends and receives all data frames on the bridged port. Also, a port in the disabled state is virtually nonoperational.

Remember the command show spanning-tree. You must be familiar with the show spanning-tree command and how to determine the root bridge of each VLAN. Also, you can use the show spanning-tree summary command to get a quick glimpse of your STP network and root bridges.

Understand what PortFast and BPDU Guard provide. PortFast allows a port to transition to the forwarding state immediately upon a connection. Because you don't want other switches connecting to this port, BPDU Guard will shut down a PortFast port if it receives a BPDU.



Understand what EtherChannel is and how to configure it. EtherChannel allows you to bundle links to get more bandwidth, instead of allowing STP to shut down redundant ports. You can configure Cisco's PAgP or the IEEE version, LACP, by creating a port channel interface and assigning the port channel group number to the interfaces you are bundling.



Written Lab 15

You can find the answers to this lab in Appendix A, "Answers to Written Labs."

Write the answers to the following questions:

1. Which of the following is Cisco proprietary: LACP or PAgP?

2. What command will show you the STP root bridge for a VLAN?

3. What standard is RSTP PVST+ based on?

4. Which protocol is used in a layer 2 network to maintain a loop-free network?

5. Which proprietary Cisco STP extension would put a switch port into error disabled mode if a BPDU is received on this port?

6. You want to configure a switch port to not transition through the STP port states but to go immediately to forwarding mode. What command will you use on a per-port basis?

7. What command will you use to see information about a specific port channel interface?

8. What command can you use to set a switch so that it will be the root bridge for VLAN 3 over any other switch?

9. You need to find the VLANs for which your switch is the root bridge. What two commands can you use?

10. What are the two modes you can set with LACP?

Hands-on Labs

In this section, you will configure and verify STP, as well as configure PortFast and BPDU Guard, and finally, bundle links together with EtherChannel.

Note that the labs in this chapter were written to be used with real equipment using 2960 switches. However, you can use the free LammleSim IOS version simulator or Cisco's Packet Tracer to run through these labs.

The labs in this chapter are as follows:

Lab 15.1: Verifying STP and Finding Your Root Bridge
Lab 15.2: Configuring and Verifying Your Root Bridge
Lab 15.3: Configuring PortFast and BPDU Guard
Lab 15.4: Configuring and Verifying EtherChannel

We'll use the following illustration for all four labs:



Hands-on Lab 15.1: Verifying STP and Finding Your Root Bridge

This lab will assume that you have added VLANs 2 and 3 to each of your switches and all of your links are trunked.

1. From one of your switches, use the show spanning-tree vlan 2 command. Verify the output.

S3#sh spanning-tree vlan 2
VLAN0002
  Spanning tree enabled protocol ieee
  Root ID    Priority    32770
             Address     0001.C9A5.8748
             Cost        19
             Port        1(FastEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32770  (priority 32768 sys-id-ext 2)
             Address     0004.9A04.ED97
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Gi1/1            Altn BLK 4         128.25   P2p
Gi1/2            Altn BLK 4         128.26   P2p

Notice that S3 is not the root bridge, so to find your root bridge, just follow the root port and see what bridge is connected to that port. Port Fa0/1 is the root port with a cost of 19, which means the switch off the Fa0/1 port is the root bridge: a cost of 19 means it is one Fast Ethernet link away.

2. Find the bridge that is off of Fa0/1, which will be our root.

S3#sh cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID    Local Intrfce   Holdtme    Capability   Platform    Port ID
S1           Fas 0/1          158           S          2960       Fas 0/1
S2           Gig 1/1          151           S          2960       Gig 1/1
S2           Gig 1/2          151           S          2960       Gig 1/2
S3#

Notice that S1 is connected to the local interface Fa0/1, so let's go to S1 and verify our root bridge.

3. Verify the root bridge for each of the three VLANs. From S1, use the show spanning-tree summary command.

S1#sh spanning-tree summary
Switch is in pvst mode
Root bridge for: default VLAN0002 VLAN0003
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
EtherChannel misconfig guard is disabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Configured Pathcost method used is short

Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     0         0        0          2          2
VLAN0002                     0         0        0          2          2
VLAN0003                     0         0        0          2          2
---------------------- -------- --------- -------- ---------- ----------
3 vlans                      0         0        0          6          6
S1#

Notice that S1 is the root bridge for all three VLANs.

4. Make note of all your root bridges, for all three VLANs, if you have more than one root bridge.

Hands-on Lab 15.2: Configuring and Verifying Your Root Bridge

This lab will assume you have performed Lab 15.1 and now know which switch is your root bridge for each VLAN.

1. Go to one of your non-root bridges and verify the bridge ID with the show spanning-tree vlan command.

S3#sh spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.C9A5.8748
             Cost        19
             Port        1(FastEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0004.9A04.ED97
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Gi1/1            Altn BLK 4         128.25   P2p
Gi1/2            Altn BLK 4         128.26   P2p

Notice that this bridge is not the root bridge for VLAN 1 and the root port is Fa0/1 with a cost of 19, which means the root bridge is directly connected one Fast Ethernet link away.

2. Make one of your non-root bridges the root bridge for VLAN 1. Use priority 16,384, which is lower than the 32,768 of the current root.

S3(config)#spanning-tree vlan 1 priority ?
  <0-61440>  bridge priority in increments of 4096
S3(config)#spanning-tree vlan 1 priority 16384

3. Verify the root bridge for VLAN 1.

S3#sh spanning-tree vlan 1
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    16385
             Address     0004.9A04.ED97
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    16385  (priority 16384 sys-id-ext 1)
             Address     0004.9A04.ED97
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg FWD 19        128.2    P2p
Gi1/1            Desg FWD 4         128.25   P2p
Gi1/2            Desg FWD 4         128.26   P2p

Notice that this bridge is indeed the root and all ports are in Desg FWD mode.
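As an added worked example (my own code, not from the book), here is a small Python check that reads the show spanning-tree vlan output shown in Labs 15.1 and 15.2 and applies the extended-system-ID arithmetic from Lab 15.2: it pulls out the root and bridge IDs, root port and cost, validates a candidate priority against the 4096-step rule the IOS help prompt shows, and decides whether that priority would actually make this switch the root (lowest priority wins, and the lower MAC address breaks a tie). The sample text is copied from the lab output; the function names are assumptions of mine.

```python
import re

# Constructed sample: the "show spanning-tree vlan 1" output S3 printed in Lab 15.2
# before its priority was changed (values copied from the lab, not captured live).
SHOW_STP_VLAN1 = """\
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.C9A5.8748
             Cost        19
             Port        1(FastEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0004.9A04.ED97
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
"""

def parse_stp(text):
    """Extract root/bridge IDs, root port and root path cost from one VLAN's
    'show spanning-tree vlan N' output. A root bridge prints 'This bridge is
    the root' and has no Cost/Port lines, so those fields get defaults."""
    root = re.search(r"Root ID\s+Priority\s+(\d+)\s+Address\s+([0-9A-Fa-f.]+)", text)
    br = re.search(r"Bridge ID\s+Priority\s+(\d+)\s+\(priority\s+(\d+)\s+sys-id-ext\s+(\d+)\)"
                   r"\s+Address\s+([0-9A-Fa-f.]+)", text)
    cost = re.search(r"\bCost\s+(\d+)", text)
    port = re.search(r"\bPort\s+\d+\((\S+)\)", text)
    return {
        "vlan": int(br.group(3)),
        "root_priority": int(root.group(1)), "root_mac": root.group(2).lower(),
        "bridge_priority": int(br.group(1)), "configured_priority": int(br.group(2)),
        "bridge_mac": br.group(4).lower(),
        "is_root": "This bridge is the root" in text,
        "root_cost": int(cost.group(1)) if cost else 0,
        "root_port": port.group(1) if port else None,
    }

def bridge_priority(configured, vlan):
    """Effective priority with extended system ID: the configured value must be a
    multiple of 4096 in 0-61440 (the <0-61440> help in Lab 15.2), and the VLAN
    number fills the 12-bit sys-id-ext, so 32768 on VLAN 2 prints as 32770."""
    if not (0 <= configured <= 61440) or configured % 4096:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not (1 <= vlan <= 4094):
        raise ValueError("VLAN must be 1-4094")
    return configured + vlan

def would_take_root(text, configured):
    """True if 'spanning-tree vlan N priority <configured>' on the bridge that
    printed 'text' would make it root: lowest priority wins, and on a tie the
    lowest MAC wins (dotted hex of equal length compares correctly as text)."""
    s = parse_stp(text)
    mine = (bridge_priority(configured, s["vlan"]), s["bridge_mac"])
    return mine < (s["root_priority"], s["root_mac"])

if __name__ == "__main__":
    info = parse_stp(SHOW_STP_VLAN1)
    print(info["root_port"], info["root_cost"], would_take_root(SHOW_STP_VLAN1, 16384))
```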


Hands-on Lab 15.3: Configuring PortFast and BPDU Guard

This lab will have you configure ports on switches S3 and S2 to allow the PC and server to automatically go into forward mode when they connect into the port.

1. Connect to your switch that has a host connected and enable PortFast for the interface.

S3#config t
S3(config)#int fa0/2
S3(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on FastEthernet0/2 but will only
 have effect when the interface is in a non-trunking mode.

2. Make sure that the switch port will be shut down if another switch's Ethernet cable is plugged into this port.

S3(config-if)#spanning-tree bpduguard enable

3. Verify your configuration with the show running-config command.

!
interface FastEthernet0/2
 switchport mode trunk
 spanning-tree portfast
 spanning-tree bpduguard enable
!

Note that the message in step 1 still applies here: the interface is in trunk mode, so PortFast will not take effect until the port is placed in a non-trunking mode.

Hands-on Lab 15.4: Configuring and Verifying EtherChannel

This lab will have you configure the Cisco EtherChannel PAgP version on the switches used in this lab. Because I have preconfigured the switches, I have set up the trunks on all inter-switch ports. We'll use the Gigabit Ethernet ports between switches S3 and S2.

1. Configure the S3 switch with EtherChannel by creating a port channel interface.

S3#config t
S3(config)#inter port-channel 1

2. Configure the ports to be in the bundle with the channel-group command.

S3(config-if)#int range g1/1 - 2
S3(config-if-range)#channel-group 1 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only
  passive    Enable LACP only if a LACP device is detected
S3(config-if-range)#channel-group 1 mode desirable

I chose the PAgP desirable mode for the S3 switch.

3. Configure the S2 switch with EtherChannel, using the same parameters as S3.

S2#config t
S2(config)#interface port-channel 1
S2(config-if)#int rang g1/1 - 2
S2(config-if-range)#channel-group 1 mode desirable
%LINK-5-CHANGED: Interface Port-channel 1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel 1, changed state to up

Pretty simple, really. Just a couple of commands.

4. Verify with the show etherchannel port-channel command.

S3#sh etherchannel port-channel
                Channel-group listing:
                ----------------------

Group: 1
----------
                Port-channels in the group:
                ---------------------------

Port-channel: Po1
------------

Age of the Port-channel   = 00d:00h:06m:43s
Logical slot/port   = 2/1          Number of ports = 2
GC                  = 0x00000000      HotStandBy port = null
Port state          = Port-channel
Protocol            =   PAGP
Port Security       = Disabled

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Gig1/1   Desirable-Sl       0
  0     00     Gig1/2   Desirable-Sl       0

Time since last port bundled:    00d:00h:01m:30s    Gig1/2

5. Verify with the show etherchannel summary command.

S3#sh etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+----------------------------------------------
1      Po1(SU)         PAgP      Gig1/1(P)   Gig1/2(P)
S3#
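As an added example (my own code, not the book's), the following Python parses the show etherchannel summary table from step 5 and checks bundle health using the flag legend the command prints: the port channel should carry U (in use) and not D (down), and every member port should show P (in port-channel) rather than I (stand-alone) or s (suspended). The first sample is the S3 output above; the second row is constructed to show what a failed bundle looks like, and the function names are mine.

```python
import re

# Constructed sample: the table from S3's "show etherchannel summary" in Lab 15.4.
SUMMARY_OK = """\
Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+----------------------------------------------
1      Po1(SU)         PAgP      Gig1/1(P)   Gig1/2(P)
"""

# Constructed (invented) sample of an unhealthy bundle: Po2 is down, one member is
# stand-alone (I) and the other suspended (s), as defined in the flag legend.
SUMMARY_BAD = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+----------------------------------------------
2      Po2(SD)         LACP      Gig1/3(I)   Gig1/4(s)
"""

ROW = re.compile(r"^(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s+(.*)$")
PORT = re.compile(r"(\S+?)\(([A-Za-z]+)\)")

def parse_etherchannel_summary(text):
    """Return one dict per channel group with the Po flags, protocol, and a
    mapping of member port -> flags, taken from the Group/Port-channel rows."""
    groups = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                      # legend, counters, header, separator
        ports = {name: flags for name, flags in PORT.findall(m.group(5))}
        groups.append({"group": int(m.group(1)), "po": m.group(2),
                       "po_flags": m.group(3), "protocol": m.group(4),
                       "ports": ports})
    return groups

def bundle_problems(group):
    """List reasons a bundle is not healthy: the Po must be in use (U) and not
    down (D); every member must be bundled (P), not stand-alone (I), suspended (s),
    or any other non-P state from the legend."""
    problems = []
    if "U" not in group["po_flags"] or "D" in group["po_flags"]:
        problems.append(f'{group["po"]} is not up/in use (flags {group["po_flags"]})')
    for port, flags in group["ports"].items():
        if "P" not in flags:
            problems.append(f"{port} not bundled (flags {flags})")
    return problems

if __name__ == "__main__":
    for g in parse_etherchannel_summary(SUMMARY_OK) + parse_etherchannel_summary(SUMMARY_BAD):
        print(g["po"], g["protocol"], bundle_problems(g) or "healthy")
```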


Review Questions

The following questions are designed to test your understanding of this chapter's material. For more information on how to get additional questions, please see www.lammle.com/ccna.

You can find the answers to these questions in Appendix B, "Answers to Review Questions."

1. You receive the following output from a switch:

S2#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol rstp
  Root ID    Priority    32769
             Address     0001.42A7.A603
             Cost        4
             Port        26(GigabitEthernet1/2)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
[output cut]

Which are true regarding this switch? (Choose two.)

A. The switch is a root bridge.
B. The switch is a non-root bridge.
C. The root bridge is four switches away.
D. The switch is running 802.1w.
E. The switch is running STP PVST+.

2. You have configured your switches with the spanning-tree vlan x root primary and spanning-tree vlan x root secondary commands. Which of the following tertiary switches will take over if both switches fail?

A. A switch with priority 4096
B. A switch with priority 8192
C. A switch with priority 12288
D. A switch with priority 20480

3. Which of the following would you use to find the VLANs for which your switch is the root bridge? (Choose two.)

A. show spanning-tree
B. show root all
C. show spanning-tree port root VLAN
D. show spanning-tree summary

4. You want to run the new 802.1w on your switches. Which of the following would enable this protocol?

A. Switch(config)#spanning-tree mode rapid-pvst
B. Switch#spanning-tree mode rapid-pvst
C. Switch(config)#spanning-tree mode 802.1w
D. Switch#spanning-tree mode 802.1w

5. Which of the following is a layer 2 protocol used to maintain a loop-free network?

A. VTP
B. STP
C. RIP
D. CDP

6. Which statement describes a spanning-tree network that has converged?

A. All switch and bridge ports are in the forwarding state.
B. All switch and bridge ports are assigned as either root or designated ports.
C. All switch and bridge ports are in either the forwarding or blocking state.
D. All switch and bridge ports are either blocking or looping.

7. Which of the following modes enable LACP EtherChannel? (Choose two.)

A. On
B. Prevent
C. Passive
D. Auto
E. Active
F. Desirable

8. Which of the following are true regarding RSTP? (Choose three.)

A. RSTP speeds the recalculation of the spanning tree when the layer 2 network topology changes.
B. RSTP is an IEEE standard that redefines STP port roles, states, and BPDUs.
C. RSTP is extremely proactive and very quick, and therefore it absolutely needs the 802.1 delay timers.
D. RSTP (802.1w) supersedes 802.1d while remaining proprietary.
E. All of the 802.1d terminology and most parameters have been changed.
F. 802.1w is capable of reverting to 802.1d to interoperate with traditional switches on a per-port basis.

9. What does BPDU Guard perform?

A. Makes sure the port is receiving BPDUs from the correct upstream switch.
B. Makes sure the port is not receiving BPDUs from the upstream switch, only the root.
C. If a BPDU is received on a BPDU Guard port, PortFast is used to shut down the port.
D. Shuts down a port if a BPDU is seen on that port.

10. How many bits is the sys-id-ext field in a BPDU?

A. 4
B. 8
C. 12
D. 16

11. There are four connections between two switches running RSTP PVST+ and you want to figure out how to achieve higher bandwidth without sacrificing the resiliency that RSTP provides. What can you configure between these two switches to achieve higher bandwidth than the default configuration is already providing?

A. Set PortFast and BPDU Guard, which provides faster convergence.
B. Configure unequal cost load balancing with RSTP PVST+.
C. Place all four links into the same EtherChannel bundle.
D. Configure PPP and use multilink.

12. In which circumstance are multiple copies of the same unicast frame likely to be transmitted in a switched LAN?

A. During high-traffic periods
B. After broken links are reestablished
C. When upper-layer protocols require high reliability
D. In an improperly implemented redundant topology

13. You want to configure LACP. Which do you need to make sure are configured exactly the same on all switch interfaces you are using? (Choose three.)

A. Virtual MAC address
B. Port speeds
C. Duplex
D. PortFast enabled
E. VLAN information

14. Which of the following modes enable PAgP EtherChannel? (Choose two.)

A. On
B. Prevent
C. Passive
D. Auto
E. Active
F. Desirable

15. For this question, refer to the following illustration. SB's RP to the root bridge has failed.

What is the new cost for SB to make a single path to the root bridge?

A. 4
B. 8
C. 23
D. 12

16. Which of the following would put switch interfaces into EtherChannel port number 1, using LACP? (Choose two.)

A. Switch(config)#interface port-channel 1
B. Switch(config)#channel-group 1 mode active
C. Switch#interface port-channel 1
D. Switch(config-if)#channel-group 1 mode active

17. Which two commands would guarantee your switch to be the root bridge for VLAN 30? (Choose two.)

A. spanning-tree vlan 30 priority 0
B. spanning-tree vlan 30 priority 16384
C. spanning-tree vlan 30 root guarantee
D. spanning-tree vlan 30 root primary

18. Why does Cisco use its proprietary extension of PVST+ with STP and RSTP?

A. Root bridge placement enables faster convergence as well as optimal path determination.
B. Non-root bridge placement clearly enables faster convergence as well as optimal path determination.
C. PVST+ allows for faster discarding of non-IP frames.
D. PVST+ is actually an IEEE standard called 802.1w.

19. Which are states in 802.1d? (Choose all that apply.)

A. Blocking
B. Discarding
C. Listening
D. Learning
E. Forwarding
F. Alternate

20. Which of the following are roles in STP? (Choose all that apply.)

A. Blocking
B. Discarding
C. Root
D. Non-designated
E. Forwarding
F. Designated

Chapter 16

Network Device Management and Security

THE FOLLOWING ICND2 EXAM TOPICS ARE COVERED IN THIS CHAPTER:

1.7 Describe common access layer threat mitigation techniques
1.7.a 802.1x
1.7.b DHCP snooping

4.0 Infrastructure Services
4.1 Configure, verify, and troubleshoot basic HSRP
4.1.a Priority
4.1.b Preemption
4.1.c Version

5.0 Infrastructure Maintenance
5.1 Configure and verify device-monitoring protocols
5.1.a SNMPv2
5.1.b SNMPv3
5.4 Describe device management using AAA with TACACS+ and RADIUS

We're going to start this chapter by discussing how to mitigate threats at the access layer using various security techniques. Keeping our discussion on security, we're then going to turn our attention to external authentication with authentication, authorization, and accounting (AAA) of our network devices using RADIUS and TACACS+.

Next, we're going to look at Simple Network Management Protocol (SNMP) and the type of alerts sent to the network management station (NMS).

Last, I'm going to show you how to integrate redundancy and load-balancing features into your network elegantly with the routers that you likely have already. Acquiring some overpriced load-balancing device just isn't always necessary because knowing how to properly configure and use Hot Standby Router Protocol (HSRP) can often meet your needs instead.

