
CCNP SWITCH Guide v2.0 (CCNP Guía SWITCH v2.0)
© 2013
Topology
DTP
Trunks
Creating and Managing VLANs
Assigning VLANs to Trunks
VTP I
VTP II: The Configuration Revision Number Problem in VTP
Private VLANs on a Single Switch
Private VLAN Connectivity Tests
Protected Ports
EtherChannel I: PAgP (Port Aggregation Protocol)
EtherChannel II: Without Negotiation
EtherChannel III: Desirable Mode
EtherChannel III: Link Aggregation Control Protocol (LACP)
EtherChannel IV: Load Sharing
EtherChannel V: LACP Priority
Layer 3 EtherChannel
STP Default Behaviour
STP Configuration
STP BPDU Guard
Flex Links
MSTP: Multiple Spanning Tree (MST, 802.1s)
Inter-VLAN Routing Using an L3 Switch
Inter-VLAN Routing Between L2/L3 Switches
IP DHCP
Inter-VLAN Routing with HSRP on L3 Switches
HSRP Using Routers
HSRP Load Balancing
VRRP Using Routers
Layer 2 Security
Overflow Attack
CDP Attack
STP Root Guard
STP PortFast
STP BPDU Filter
VLAN ACLs vs. Telnet Session Security
SSH
SPAN
Remote SPAN (RSPAN)
Syslog
Port Security Using Macros
Blocking Unicast/Multicast
MAC Filter
VACLs
DHCP Snooping
ARP Spoofing (Poisoning)

Topology


DTP
DTP (Dynamic Trunking Protocol) negotiates whether a link becomes a trunk. The outcome for each combination of port modes at the two ends of the link is:

                    Dynamic Auto   Dynamic Desirable   Trunk                  Access
Dynamic Auto        Access         Trunk               Trunk                  Access
Dynamic Desirable   Trunk          Trunk               Trunk                  Access
Trunk               Trunk          Trunk               Trunk                  Limited connectivity
Access              Access         Access              Limited connectivity   Access

"Limited connectivity" means one end is a static trunk while the other is a static access port: the two sides disagree on tagging, so at most the untagged native-VLAN traffic of an 802.1q trunk gets through.

Recall that the possible port modes are:
Access: user port assigned to a single VLAN. The port sends no DTP frames.
Trunk: puts the port permanently into trunking and keeps sending DTP frames so that the far end can negotiate into trunking as well.
Nonegotiate: disables DTP (no DTP frames are sent). It is only accepted together with a static access or trunk mode.
Dynamic Desirable: the port actively tries to convert the link into a trunk. From the table above, a trunk forms if the far end is dynamic auto, dynamic desirable or trunk.
Dynamic Auto (the default mode): passive mode; the port only forms a trunk if the far end is dynamic desirable or trunk. Two dynamic-auto ports facing each other stay in access mode.
From a security standpoint, any port that still runs DTP (dynamic auto, dynamic desirable, or trunk without nonegotiate) will form a trunk with a host that sends DTP frames, which is the basis of switch-spoofing VLAN hopping. User-facing ports should therefore be set to switchport mode access (optionally with switchport nonegotiate) rather than left at the dynamic auto default.
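The table and mode list above describe what DTP will do on a port; the point that matters for security is which ports will still negotiate a trunk with whatever is plugged into them. The following script, added here as an example and not part of the original guide, encodes the DTP table and audits saved "show interfaces switchport" output for such ports. The sample output is constructed from the fields shown in this lab, the port names are arbitrary, and the hardening lines it prints are the standard IOS commands (switchport mode access, switchport nonegotiate).

```python
"""Audit 'show interfaces switchport' output for ports that still run DTP.

Added example for this guide, not code from the original lab. dtp_result()
encodes the negotiation table above; SAMPLE is constructed from the
'Administrative Mode' and 'Negotiation of Trunking' lines seen in the lab.
"""
import re

DYNAMIC = ("dynamic auto", "dynamic desirable")   # modes that negotiate

def dtp_result(local: str, remote: str) -> str:
    """Outcome of the DTP table: 'trunk', 'access' or 'limited'.

    'limited' is the table's "limited connectivity": a static trunk facing a
    static access port, so one side tags frames the other does not expect.
    """
    pair = {local, remote}
    if pair == {"access", "trunk"}:
        return "limited"
    if "access" in pair or pair == {"dynamic auto"}:
        return "access"      # an access port never trunks; two passive ports never trunk
    return "trunk"           # desirable or trunk on at least one side

def parse_switchport(text: str) -> list:
    """Split the command output into one dict per port, keyed by lowercased field."""
    ports = []
    for block in re.split(r"(?m)^Name: ", text)[1:]:
        lines = block.splitlines()
        port = {"name": lines[0].strip()}
        for line in lines[1:]:
            key, sep, value = line.partition(":")
            if sep:
                port[key.strip().lower()] = value.strip()
        ports.append(port)
    return ports

def audit_dtp(ports: list) -> list:
    """(port, admin mode, finding) for every port whose negotiation is still on.

    A dynamic auto/desirable port trunks with any host that sends a DTP
    'desirable' frame (switch spoofing), exposing every VLAN on the trunk.
    """
    findings = []
    for p in ports:
        mode = p.get("administrative mode", "")
        if p.get("negotiation of trunking", "").lower() != "on":
            continue
        if mode in DYNAMIC:
            findings.append((p["name"], mode, "trunks with a DTP-speaking host: VLAN hopping"))
        elif mode == "trunk":
            findings.append((p["name"], mode, "static trunk still sends DTP frames"))
    return findings

def hardening_config(findings: list) -> list:
    """IOS lines that close each finding: static access for user ports,
    nonegotiate for ports that must stay trunks."""
    lines = []
    for name, mode, _ in findings:
        lines.append(f"interface {name}")
        lines.append(" switchport nonegotiate" if mode == "trunk" else " switchport mode access")
    return lines

# Constructed sample: the three states seen in the lab.
SAMPLE = """\
Name: Fa0/2
Administrative Mode: dynamic auto
Operational Mode: static access
Negotiation of Trunking: On

Name: Fa0/6
Administrative Mode: trunk
Operational Mode: trunk
Negotiation of Trunking: Off

Name: Fa0/7
Administrative Mode: dynamic desirable
Operational Mode: trunk
Negotiation of Trunking: On
"""

if __name__ == "__main__":
    found = audit_dtp(parse_switchport(SAMPLE))
    for name, mode, why in found:
        print(f"{name}: {mode} -> {why}")
    print("\n".join(hardening_config(found)))
```

Run it against the real output of "show interfaces switchport" (all ports at once) on each switch; only Fa0/2 and Fa0/7 of the sample are flagged, since Fa0/6 has negotiation off. Note that a port moved to switchport mode access already shows "Negotiation of Trunking: Off", so nonegotiate is only required for the ports that must remain trunks.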

Configure an ISL trunk between DLS1 and DLS2 following these policies:
• DLS1 FastEthernet0/6 in permanent trunk mode, continuously attempting negotiation with FastEthernet0/6 on DLS2.
• DLS2 FastEthernet0/6 in dynamic auto mode.
In this scenario it is not necessary to configure interface f0/6 on DLS2, since dynamic auto is its default mode.
Before configuring anything, we check the port mode on DLS1.

• At the end of the lab, explain:
- The advantages of ISL.
- The ISL frame structure (each field and its purpose).

DLS1#sh interfaces fastEthernet 0/6 switchport
Name: Fa0/6
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On

DLS1#show interfaces trunk
(no output: the trunk has not formed yet)

DLS1
interface FastEthernet0/6
switchport trunk encapsulation isl
switchport mode trunk
(On a switch that supports both ISL and 802.1q the encapsulation must be fixed first; with it left at negotiate, switchport mode trunk is rejected.)


DLS1#show interfaces fastEthernet 0/6 switchport
Name: Fa0/6
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: isl
Operational Trunking Encapsulation: isl

DLS2#show interfaces fastEthernet 0/6 switchport
Name: Fa0/6
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

DLS2#show interfaces trunk

Port Mode Encapsulation Status Native vlan
Fa0/6 auto n-isl trunking 1
Port Vlans allowed on trunk
Fa0/6 1-4094
Port Vlans allowed and active in management domain
Fa0/6 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 1



n-isl: the ISL encapsulation was negotiated through DTP (the n- prefix means negotiated). Plain isl appears when the encapsulation is configured statically and DTP is off.
Configure an ISL trunk between DLS1 and DLS2 following these policies:
• DLS1 FastEthernet0/7 must actively negotiate trunk formation with the far end of the link. FastEthernet0/7 on DLS2 must be in passive mode, waiting to form the trunk.
Note: as in the previous case, verify the port mode first.

• At the end of the lab, state:
- The advantages and disadvantages of DTP. What does Cisco recommend regarding DTP?
- In the output of "sh interfaces fastEthernet 0/7 switchport", what the following line means:
Administrative Trunking Encapsulation: negotiate

DLS1#sh interfaces fastEthernet 0/7 switchport
Name: Fa0/7
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)

DLS1
interface FastEthernet0/7
switchport mode dynamic desirable

DLS1#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to up

DLS1#show interfaces fastEthernet 0/7 switchport
Name: Fa0/7
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)

DLS1#sh interfaces fastEthernet 0/7 trunk

Port Mode Encapsulation Status Native vlan
Fa0/7 desirable n-isl trunking 1
Port Vlans allowed on trunk
Fa0/7 1-4094
Port Vlans allowed and active in management domain
Fa0/7 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/7 none

DLS2#show interfaces trunk

Port Mode Encapsulation Status Native vlan
Fa0/6 auto n-isl trunking 1
Fa0/7 auto n-isl trunking 1
Port Vlans allowed on trunk
Fa0/6 1-4094
Fa0/7 1-4094
Port Vlans allowed and active in management domain
Fa0/6 1
Fa0/7 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 1
Fa0/7 1


• Configure ISL between DLS1 and DLS2. On DLS1, disable DTP.
• On both switches, remove any existing configuration from interfaces FastEthernet 0/6 and FastEthernet 0/7.
• At the end of the lab, state:
- The difference between the isl and n-isl encapsulations shown by "sh interfaces trunk".


DLS1 and DLS2 (DLSX = both switches)
default interface range fastEthernet 0/6-7

DLS1#
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/6, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to down

DLS1#sh interfaces trunk
(no output: the existing trunk is lost once the interfaces are returned to their default settings)

DLS1
interface FastEthernet0/6
switchport trunk encapsulation isl
switchport mode trunk
switchport nonegotiate

interface FastEthernet0/7
switchport trunk encapsulation isl
switchport mode trunk
switchport nonegotiate

DLS1#show spanning-tree | include Fa0/6|Fa0/7
Fa0/6 Altn BLK 19 128.8 P2p
Fa0/7 Altn BLK 19 128.9 P2p

DLS2#show spanning-tree | include Fa0/6|Fa0/7
Fa0/6 Desg FWD 19 128.8 P2p
Fa0/7 Desg FWD 19 128.9 P2p


STP results may differ from those shown. Note that at this point the DLS2 ports are back at their defaults (dynamic auto) and receive no DTP frames from DLS1, so they stay in access mode until DLS2 is configured below.
DLS1#sh interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 on isl trunking 1
Fa0/7 on isl trunking 1
Port Vlans allowed on trunk
Fa0/6 1-4094
Fa0/7 1-4094
Port Vlans allowed and active in management domain
Fa0/6 1
Fa0/7 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 none
Fa0/7 none

DLS2
interface FastEthernet0/6
switchport trunk encapsulation isl
switchport mode trunk
switchport nonegotiate

interface FastEthernet0/7
switchport trunk encapsulation isl
switchport mode trunk
switchport nonegotiate

DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 on isl trunking 1
Fa0/7 on isl trunking 1

Port Vlans allowed on trunk
Fa0/6 1-4094
Fa0/7 1-4094

Port Vlans allowed and active in management domain
Fa0/6 1
Fa0/7 1

Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 1
Fa0/7 1

DLS2#show interfaces fastEthernet 0/6 switchport
Name: Fa0/6
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: isl
Operational Trunking Encapsulation: isl
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)


Trunks
• Following the topology, configure 802.1q on the links DLS1-ALS1, DLS1-ALS2, DLS2-ALS1 and DLS2-ALS2. The access switches (ALS1 and ALS2) must form the trunk dynamically. The distribution switches must be in a permanent trunking state.

• At the end of the lab, explain:
- The advantages of 802.1q.
- The 802.1q tag structure (each field and its function).
- What the following message indicates:
%SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on FastEthernet0/1 VLAN10.
- If interface f0/6 on DLS1 is set to dynamic desirable without specifying the trunking protocol, which one will it use: ISL or 802.1q?


DLS1
default interface range fastEthernet 0/2-7

DLS2
default interface range fastEthernet 0/2-7

ALS1
default interface range fastEthernet 0/2-7

ALS2
default interface range fastEthernet 0/2-7

DLS1#sh interfaces fastEthernet 0/2 switchport
Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: On


DLS1
interface range fastEthernet 0/2-5
switchport trunk encapsulation dot1q
switchport mode trunk

DLS1#sh interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/3 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/5 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1-4094
Fa0/3 1-4094
Fa0/4 1-4094
Fa0/5 1-4094
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/3 1
Fa0/4 1
Fa0/5 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 none
Fa0/3 none
Fa0/4 1
Fa0/5 none

ALS1#show interfaces fastEthernet 0/2 switchport
Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On

ALS1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 auto 802.1q trunking 1
Fa0/3 auto 802.1q trunking 1

Port Vlans allowed on trunk
Fa0/2 1-4094
Fa0/3 1-4094

Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/3 1

Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1
Fa0/3 1

As the output shows, the L2 2960 switches (ALS1 and ALS2), left in dynamic auto, form the trunk dynamically via DTP using 802.1q (the 2960 does not support ISL). For this task only the DLSx switches need to be configured.
DLS2
interface range fastEthernet 0/2-5
switchport trunk encapsulation dot1q
switchport mode trunk

DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/3 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/5 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1-4094
Fa0/3 1-4094
Fa0/4 1-4094
Fa0/5 1-4094
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/3 1
Fa0/4 1
Fa0/5 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 none
Fa0/3 none
Fa0/4 none
Fa0/5 none

ALS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 auto 802.1q trunking 1
Fa0/3 auto 802.1q trunking 1
Fa0/4 auto 802.1q trunking 1
Fa0/5 auto 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1-4094
Fa0/3 1-4094
Fa0/4 1-4094
Fa0/5 1-4094
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/3 1
Fa0/4 1
Fa0/5 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1
Fa0/3 1
Fa0/4 1
Fa0/5 1



• ALS1 and ALS2 must form a trunk using 802.1q. DTP is not permitted between these switches.
Note: the port(s) must already be in trunk mode before DTP is disabled; otherwise the following warning is returned:
Command rejected: Conflict between 'nonegotiate' and 'dynamic' status.
% Range command terminated because it failed on FastEthernet0/2


ALS1
default interface range fastEthernet 0/2-7

ALS2
default interface range fastEthernet 0/2-7

ALS1
interface range fastEthernet 0/2-7
switchport mode trunk
switchport nonegotiate

ALS2
interface range fastEthernet 0/2-7
switchport mode trunk
switchport nonegotiate

ALS1#show dtp interface fastEthernet 0/2
DTP information for FastEthernet0/2:
TOS/TAS/TNS: TRUNK/NONEGOTIATE/TRUNK
TOT/TAT/TNT: 802.1Q/802.1Q/802.1Q
Neighbor address 1: E8BA70CBF604
Neighbor address 2: 000000000000
Hello timer expiration (sec/state): never/STOPPED
Access timer expiration (sec/state): never/STOPPED
Negotiation timer expiration (sec/state): never/STOPPED
Multidrop timer expiration (sec/state): never/STOPPED
FSM state: S6:TRUNK

ALS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/3 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/5 on 802.1q trunking 1
Fa0/6 on 802.1q trunking 1
Fa0/7 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1-4094
Fa0/3 1-4094
Fa0/4 1-4094
Fa0/5 1-4094
Fa0/6 1-4094
Fa0/7 1-4094
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/3 1
Fa0/4 1
Fa0/5 1
Fa0/6 1
Fa0/7 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1
Fa0/3 1
Fa0/4 1
Fa0/5 1
Fa0/6 1
Fa0/7 1

ALS1#show interfaces fastEthernet 0/6 trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/6 1-4094
Port Vlans allowed and active in management domain
Fa0/6 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 1

ALS1#show interfaces fastEthernet 0/6 switchport
Name: Fa0/6
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Off


• Configure 802.1q between the L3 switches. These switches must actively negotiate trunk formation. Do not change the default port settings on DLS2.


DLS1
interface range fastEthernet 0/6-7
switchport mode dynamic desirable

DLS1#sh interfaces fastEthernet 0/6 switchport
Name: Fa0/6
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On

DLS2#show interfaces fastEthernet 0/6 switchport
Name: Fa0/6
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: trunk
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: isl
Negotiation of Trunking: On

DLS1#show interfaces fastEthernet 0/7 trunk
Port Mode Encapsulation Status Native vlan
Fa0/7 desirable n-isl trunking 1
Port Vlans allowed on trunk
Fa0/7 1-4094
Port Vlans allowed and active in management domain
Fa0/7 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/7 none

DLS2#show interfaces fastEthernet 0/6 trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 auto n-isl trunking 1
Port Vlans allowed on trunk
Fa0/6 1-4094
Port Vlans allowed and active in management domain
Fa0/6 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 1

Note: with the encapsulation left at its default (negotiate), the two DLS switches pick ISL, not 802.1q, as the n-isl in both outputs shows. The 802.1q requirement of this task is only met if switchport trunk encapsulation dot1q is configured explicitly on the negotiating ports.

Creating and Managing VLANs
• Create the following VLANs on DLS1 and verify that they propagate throughout the domain:
- 10, 20, 30, 100-105
- VLAN 10 must be the native VLAN.
• Use the following VTP parameters:
- version 2
- domain class
Note: check that the VTP protocol version is consistent on all switches.
• At the end of the lab, explain:
- What is the native VLAN? What information can it carry? What happens if the native VLAN does not match at both ends, and which protocol detects this condition?
- What information the following output gives:
DLS1#
%DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/7 because of VTP domain mismatch.
DLS1#
%DTP-5-DOMAINMISMATCH: Unable to perform trunk negotiation on port Fa0/6 because of VTP domain mismatch.


DLS1
vtp domain class
vtp version 2

vlan 10,20,30,100-105

DLS1#sh vtp status
VTP Version : running VTP2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name : class
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xE6 0xC7 0x39 0x8D 0xB9 0x5E 0x5F 0x98
Configuration last modified by 1.1.1.1 at 3-1-93 08:40:28
Local updater ID is 1.1.1.1 on interface Vl1 (lowest numbered VLAN interface found)

DLS2
vtp domain class
vtp version 2

ALS1
vtp domain class
vtp version 2

ALS2
vtp domain class
vtp version 2


DLS1#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active
30 VLAN0030 active
100 VLAN0100 active
101 VLAN0101 active
102 VLAN0102 active
103 VLAN0103 active
104 VLAN0104 active
105 VLAN0105 active
1000 VLAN1000 active

DLS1#sh vtp status
VTP Version : running VTP2
Configuration Revision : 1
Maximum VLANs supported locally : 1005
Number of existing VLANs : 14
VTP Operating Mode : Server
VTP Domain Name : class
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xBE 0xEE 0x27 0xCB 0x4A 0xB7 0xE9 0x5E
Configuration last modified by 1.1.1.1 at 3-1-93 08:46:56
Local updater ID is 1.1.1.1 on interface Vl1 (lowest numbered VLAN interface found)

DLS2#show vl brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active
30 VLAN0030 active
100 VLAN0100 active
101 VLAN0101 active
102 VLAN0102 active
103 VLAN0103 active
104 VLAN0104 active
105 VLAN0105 active


ALS1#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active
30 VLAN0030 active
100 VLAN0100 active
101 VLAN0101 active
102 VLAN0102 active
103 VLAN0103 active
104 VLAN0104 active
105 VLAN0105 active

ALS2#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active
30 VLAN0030 active
100 VLAN0100 active
101 VLAN0101 active
102 VLAN0102 active
103 VLAN0103 active
104 VLAN0104 active
105 VLAN0105 active


The native VLAN is set directly on the interface(s) that take part in the trunk. If the trunk is configured correctly, the VLANs created on DLS1 should be visible throughout the domain. Changing the native VLAN on only one end of a link is itself a misconfiguration: PVST+ detects it through the BPDUs (Port VLAN ID mismatch) and blocks the affected VLANs on that port until both ends agree, as the following output shows.


ALS2
interface range fastEthernet 0/2-7
switchport trunk native vlan 10

DLS1#show spanning-tree inconsistentports
Name Interface Inconsistency
-------------------- ------------------------ ------------------
VLAN0001 FastEthernet0/4 Port VLAN ID Mismatch
VLAN0001 FastEthernet0/5 Port VLAN ID Mismatch
VLAN0010 FastEthernet0/4 Port VLAN ID Mismatch
VLAN0010 FastEthernet0/5 Port VLAN ID Mismatch
Number of inconsistent ports (segments) in the system : 4

DLS2
interface range fastEthernet 0/2-7
switchport trunk native vlan 10

DLS1
interface range fastEthernet 0/2-7
switchport trunk native vlan 10

ALS1
interface range fastEthernet 0/2-7
switchport trunk native vlan 10

%SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/6 on VLAN0010. Port consistency restored.
%SPANTREE-2-UNBLOCK_CONSIST_PORT: Unblocking FastEthernet0/6 on VLAN0001. Port consistency restored.

DLS1#show spanning-tree inconsistentports
Name Interface Inconsistency
-------------------- ------------------------ ------------------
Number of inconsistent ports (segments) in the system : 0

DLS1#sh interfaces fastEthernet 0/2 switchport | i Native
Trunking Native Mode VLAN: 10 (VLAN0010)
Administrative Native VLAN tagging: enabled
Administrative private-vlan trunk Native VLAN tagging: enabled

DLS2#sh interfaces fastEthernet 0/2 switchport | i Native
Trunking Native Mode VLAN: 10 (VLAN0010)
Administrative Native VLAN tagging: enabled
Administrative private-vlan trunk Native VLAN tagging: enabled

ALS1#sh interfaces fastEthernet 0/2 switchport | i Native
Trunking Native Mode VLAN: 10 (VLAN0010)
Administrative Native VLAN tagging: enabled
Administrative private-vlan trunk Native VLAN tagging: enabled

ALS2#sh interfaces fastEthernet 0/2 switchport | i Native
Trunking Native Mode VLAN: 10 (VLAN0010)
Administrative Native VLAN tagging: enabled
Administrative private-vlan trunk Native VLAN tagging: enabled


Assigning VLANs to Trunks
• On each trunk allow (permit) the VLANs in the following table:

Interface          Switches      VLANs
FastEthernet 0/6   DLS1↔DLS2     1,10,20,30,100
FastEthernet 0/2   DLS2↔ALS2     1,10,20,30,101
FastEthernet 0/6   ALS1↔ALS2     1,10,20,30,102
FastEthernet 0/2   DLS1↔ALS1     1,10,20,30,103
FastEthernet 0/4   DLS1↔ALS2     1,10,20,30,104
FastEthernet 0/4   DLS2↔ALS1     1,10,20,30,105

• Interfaces that do not take part in a trunk must be shut down.

Note: before starting the lab, find out which VLANs are carried on each trunk with the show interfaces trunk command.

• At the end of the lab, explain the meaning of the following log:
- %SW_VLAN-4-VLAN_CREATE_FAIL: Failed to create VLANs 4094: extended VLAN(s) not allowed in current VTP mode

• Create VLANs 31, 32 and 33, add them to all trunks, and remove VLAN 30 from them (use the add and remove keywords of switchport trunk allowed vlan so that the existing list is modified rather than overwritten).


DLS1#sh interfaces fastEthernet 0/6 trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 desirable n-isl trunking 10
Port Vlans allowed on trunk
Fa0/6 1-4094
Port Vlans allowed and active in management domain
Fa0/6 1,10,20,30,100-105
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 none

DLS1
interface range fastEthernet 0/7 , fastEthernet 0/5 , fastEthernet 0/3
shutdown

DLS2
interface range fastEthernet 0/7 , fastEthernet 0/5 , fastEthernet 0/3
shutdown

ALS1
interface range fastEthernet 0/7 , fastEthernet 0/5 , fastEthernet 0/3
shutdown

ALS2
interface range fastEthernet 0/7 , fastEthernet 0/5 , fastEthernet 0/3
shutdown

ALS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 10
Fa0/4 on 802.1q trunking 10
Fa0/6 on 802.1q trunking 10
Port Vlans allowed on trunk
Fa0/2 1-4094
Fa0/4 1-4094
Fa0/6 1-4094
Port Vlans allowed and active in management domain
Fa0/2 1,10,20,30,100-105
Fa0/4 1,10,20,30,100-105
Fa0/6 1,10,20,30,100-105
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1,10,20,30,100-105
Fa0/4 1,10,20,30,100-105
Fa0/6 1,10,20,30,100-105

DLS1↔DLS2

DLS1
interface FastEthernet0/6
switchport trunk allowed vlan 1,10,20,30,100

DLS2
interface FastEthernet0/6
switchport trunk allowed vlan 1,10,20,30,100

DLS2#show interfaces fastEthernet 0/6 trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 desirable n-isl trunking 10
Port Vlans allowed on trunk
Fa0/6 1,10,20,30,100
Port Vlans allowed and active in management domain
Fa0/6 1,10,20,30,100
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 1,10,20,30,100

DLS2↔ALS2

DLS2
interface FastEthernet0/2
switchport trunk allowed vlan 1,10,20,30,101

ALS2
interface FastEthernet0/2
switchport trunk allowed vlan 1,10,20,30,101

ALS2#show interfaces fastEthernet 0/2 trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 10
Port Vlans allowed on trunk
Fa0/2 1,10,20,30,101
Port Vlans allowed and active in management domain
Fa0/2 1,10,20,30,101
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1,10,20,30,101


ALS1↔ALS2

ALS1
interface FastEthernet0/6
switchport trunk allowed vlan 1,10,20,30,102

ALS2
interface FastEthernet0/6
switchport trunk allowed vlan 1,10,20,30,102

ALS2#show interfaces fastEthernet 0/6 trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 on 802.1q trunking 10
Port Vlans allowed on trunk
Fa0/6 1,10,20,30,102
Port Vlans allowed and active in management domain
Fa0/6 1,10,20,30,102
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 1,10,20,30,102

DLS1↔ALS1

DLS1
interface FastEthernet0/2
switchport trunk allowed vlan 1,10,20,30,103

ALS1
interface FastEthernet0/2
switchport trunk allowed vlan 1,10,20,30,103

ALS1#show interfaces fastEthernet 0/2 trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 10
Port Vlans allowed on trunk
Fa0/2 1,10,20,30,103
Port Vlans allowed and active in management domain
Fa0/2 1,10,20,30,103
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1,10,20,30,103

DLS1↔ALS2

DLS1
interface FastEthernet0/4
switchport trunk allowed vlan 1,10,20,30,104

ALS2
interface FastEthernet0/4
switchport trunk allowed vlan 1,10,20,30,104

ALS2#show interfaces fastEthernet 0/4 trunk
Port Mode Encapsulation Status Native vlan
Fa0/4 on 802.1q trunking 10
Port Vlans allowed on trunk
Fa0/4 1,10,20,30,104
Port Vlans allowed and active in management domain
Fa0/4 1,10,20,30,104
Port Vlans in spanning tree forwarding state and not pruned
Fa0/4 1,10,20,30,104

DLS2↔ALS1

DLS2
interface FastEthernet0/4
switchport trunk allowed vlan 1,10,20,30,105

ALS1
interface FastEthernet0/4
switchport trunk allowed vlan 1,10,20,30,105

DLS2#show interfaces fastEthernet 0/4 trunk
Port Mode Encapsulation Status Native vlan
Fa0/4 on 802.1q trunking 10
Port Vlans allowed on trunk
Fa0/4 1,10,20,30,105
Port Vlans allowed and active in management domain
Fa0/4 1,10,20,30,105
Port Vlans in spanning tree forwarding state and not pruned
Fa0/4 none




VTP I

Setup: erase all configuration information and reload the switch(es) (delete the vlan.dat file and the configuration file).
• Configure an 802.1Q trunk between DLS1 and DLS2 over interface FastEthernet 0/6.
• Configure VTP on DLS1 and DLS2 using domain CLASS between DLS1 and DLS2, version 2, server mode, password cisco.
• On DLS1 create VLANs 10 (ENG), 20 (RRHH) and 30 (NATIVA). Allow the newly created VLANs plus VLAN 1 on the trunk. VLAN 30 must carry CDP, VTP and PAgP traffic. Disable Dynamic Trunking Protocol.

• At the end of the lab indicate:
- Which VTP role allows the configuration to be saved in the vlan.dat file in flash.
- Which platforms support VTP version 3.
- How the VTP revision number can be reset to 0.


DLS1
vtp version 2
vtp domain CLASS
vtp password cisco

interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport trunk allowed vlan 1,10,20,30
switchport mode trunk
switchport nonegotiate

DLS2
vtp version 2
vtp domain CLASS
vtp password cisco

interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport trunk allowed vlan 1,10,20,30
switchport mode trunk
switchport nonegotiate

DLS1
vlan 10
name ENG

vlan 20
name RRHH

vlan 30
name NATIVA

DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 on 802.1q trunking 30
Port Vlans allowed on trunk
Fa0/6 1,10,20,30
Port Vlans allowed and active in management domain
Fa0/6 1,10,20,30
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 1,10,20,30

DLS1#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Fa0/24, Gi0/1
Gi0/2
10 ENG active
20 RRHH active
30 NATIVA active

DLS2#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Fa0/24, Gi0/1
Gi0/2
10 ENG active
20 RRHH active
30 NATIVA active

DLS2#show vtp status
VTP Version : running VTP2
Configuration Revision : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : CLASS
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xD7 0x7F 0x5F 0x97 0x91 0x0A 0x96 0x34
DLS1#sh vtp status
VTP Version : running VTP2
Configuration Revision : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs : 8
VTP Operating Mode : Server
VTP Domain Name : CLASS
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xD7 0x7F 0x5F 0x97 0x91 0x0A 0x96 0x34


• Create VLAN 50 (name DATOS) and add it to the trunk.


DLS1#show running-config interface fastEthernet 0/6
Building configuration...

Current configuration : 193 bytes
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport trunk allowed vlan 1,10,20,30
switchport mode trunk
switchport nonegotiate

DLS1
vlan 50
name DATOS

interface FastEthernet0/6
switchport trunk allowed vlan add 50

DLS1#show running-config interface fastEthernet 0/6
Building configuration...

Current configuration : 196 bytes
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport trunk allowed vlan 1,10,20,30,50
switchport mode trunk
switchport nonegotiate


DLS2#show running-config interface fastEthernet 0/6
Building configuration...

Current configuration : 193 bytes
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport trunk allowed vlan 1,10,20,30
switchport mode trunk
switchport nonegotiate
end

DLS2
interface FastEthernet0/6
switchport trunk allowed vlan add 50

DLS2#show running-config interface fastEthernet 0/6
Building configuration...

Current configuration : 196 bytes
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport trunk native vlan 30
switchport trunk allowed vlan 1,10,20,30,50
switchport mode trunk
switchport nonegotiate

DLS2#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/7, Fa0/8, Fa0/9
Fa0/10, Fa0/11, Fa0/12, Fa0/13
Fa0/14, Fa0/15, Fa0/16, Fa0/17
Fa0/18, Fa0/19, Fa0/20, Fa0/21
Fa0/22, Fa0/23, Fa0/24, Gi0/1
Gi0/2
10 ENG active
20 RRHH active
30 NATIVA active
50 DATOS active



VTP II The Configuration Revision number problem in VTP
VTP can cause serious problems if certain precautions are not taken. The following scenario shows a common problem that occurs when a Catalyst switch whose VTP revision number is higher than the one held by the VTP server is connected: the new switch overwrites all the VLAN information and propagates it, because a higher number is considered more up-to-date information.

• Erase all previous configuration.
• Disable all interfaces on all switches (this gives us tighter control as far as security is concerned).
• Configure 802.1Q trunks with the following layout:
- DLS1↔DLS2 (fastethernet 0/6).
- DLS1↔ALS1 (fastethernet 0/2).
- DLS1↔ALS2 (fastethernet 0/4).
- DLS2↔ALS1 (fastethernet 0/4).
- DLS2↔ALS2 (fastethernet 0/2).
- ALS1↔ALS2 (fastethernet 0/6).
- Enable the interfaces that take part in the trunks.
• On the trunks allow VLANs 1 and 10-20, excluding VLAN 19. Disable DTP.

DLS1
interface range fastEthernet 0/1-24
shutdown

DLS2
interface range fastEthernet 0/1-24
shutdown

ALS1
interface range fastEthernet 0/1-24
shutdown

ALS2
interface range fastEthernet 0/1-24
shutdown

ALS2#show interfaces status
Port Name Status Vlan Duplex Speed Type
Fa0/1 disabled 1 auto auto 10/100BaseTX
Fa0/2 disabled 1 auto auto 10/100BaseTX
Fa0/3 disabled 1 auto auto 10/100BaseTX
Fa0/4 disabled 1 auto auto 10/100BaseTX
Fa0/5 disabled 1 auto auto 10/100BaseTX
Fa0/6 disabled 1 auto auto 10/100BaseTX
Fa0/7 disabled 1 auto auto 10/100BaseTX
Fa0/8 disabled 1 auto auto 10/100BaseTX
Fa0/9 disabled 1 auto auto 10/100BaseTX
Fa0/10 disabled 1 auto auto 10/100BaseTX
Fa0/11 disabled 1 auto auto 10/100BaseTX
Fa0/12 disabled 1 auto auto 10/100BaseTX
Fa0/13 disabled 1 auto auto 10/100BaseTX
Fa0/14 disabled 1 auto auto 10/100BaseTX
Fa0/15 disabled 1 auto auto 10/100BaseTX
Fa0/16 disabled 1 auto auto 10/100BaseTX
Fa0/17 disabled 1 auto auto 10/100BaseTX
Fa0/18 disabled 1 auto auto 10/100BaseTX
Fa0/19 disabled 1 auto auto 10/100BaseTX
Fa0/20 disabled 1 auto auto 10/100BaseTX
Fa0/21 disabled 1 auto auto 10/100BaseTX

Port Name Status Vlan Duplex Speed Type
Fa0/22 disabled 1 auto auto 10/100BaseTX
Fa0/23 disabled 1 auto auto 10/100BaseTX
Fa0/24 disabled 1 auto auto 10/100BaseTX

DLS1↔ DLS2 (fastethernet 0/6)

DLS1
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown

DLS1#show running-config interface fastEthernet 0/6
Building configuration...

Current configuration : 158 bytes
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10-18,20
switchport mode trunk
switchport nonegotiate




DLS2
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown

DLS2#show running-config interface fastEthernet 0/6
Building configuration...

Current configuration : 160 bytes
!
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10-18,20
switchport mode trunk
switchport nonegotiate
end

DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/6 1,10-18,20
Port Vlans allowed and active in management domain
Fa0/6 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 1
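How IOS folds the three allowed-VLAN commands typed above into the single running-config line 1,10-18,20, and how the "allowed and active" row of show interfaces trunk is derived, as an added Python model that is not part of the guide (it assumes the default VLAN database of a freshly erased switch, VLANs 1 and 1002-1005):

```python
def parse_vlan_list(text: str) -> set:
    """Expand an IOS VLAN list such as '1,10-18,20' into a set of VLAN IDs."""
    vlans = set()
    for part in text.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN range out of bounds: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans: set) -> str:
    """Collapse a set of VLAN IDs into IOS notation ('1,10-18,20'), or 'none' if empty."""
    if not vlans:
        return "none"
    ids = sorted(vlans)
    runs, start, prev = [], ids[0], ids[0]
    for v in ids[1:]:
        if v != prev + 1:                 # gap: close the current run
            runs.append((start, prev))
            start = v
        prev = v
    runs.append((start, prev))
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in runs)


ALL_VLANS = frozenset(range(1, 4095))


class TrunkPort:
    """Allowed-VLAN state of one 802.1Q trunk, driven by IOS-style commands."""

    def __init__(self) -> None:
        self.allowed = set(ALL_VLANS)     # IOS default: every VLAN allowed

    def apply(self, line: str) -> None:
        """Apply one 'switchport trunk allowed vlan ...' command to this port."""
        words = line.split()
        if words[:4] != ["switchport", "trunk", "allowed", "vlan"] or len(words) < 5:
            raise ValueError(f"not an allowed-vlan command: {line!r}")
        keyword = words[4]
        operand = words[5] if len(words) > 5 else ""
        if keyword == "all":
            self.allowed = set(ALL_VLANS)
        elif keyword == "none":
            self.allowed = set()
        elif keyword == "add":
            self.allowed |= parse_vlan_list(operand)
        elif keyword == "remove":
            self.allowed -= parse_vlan_list(operand)
        elif keyword == "except":
            self.allowed = set(ALL_VLANS) - parse_vlan_list(operand)
        else:
            self.allowed = parse_vlan_list(keyword)   # plain list replaces the whole set

    def running_config(self) -> str:
        """The line as 'show running-config' prints it; empty when the default (all) applies."""
        if self.allowed == ALL_VLANS:
            return ""
        return f"switchport trunk allowed vlan {format_vlan_list(self.allowed)}"

    def allowed_and_active(self, vlan_db: set) -> str:
        """'Vlans allowed and active in management domain' row of show interfaces trunk."""
        return format_vlan_list(self.allowed & vlan_db)


def simulate_dls_trunk() -> dict:
    """Replay the three allowed-vlan commands typed on the DLS1/DLS2 Fa0/6 trunk."""
    port = TrunkPort()
    for cmd in ("switchport trunk allowed vlan 10-20",
                "switchport trunk allowed vlan remove 19",
                "switchport trunk allowed vlan add 1"):
        port.apply(cmd)
    # Right after the trunk is built only the default VLANs exist (1 and 1002-1005),
    # which is why the lab's 'allowed and active' row shows just VLAN 1 at that point.
    default_db = {1, 1002, 1003, 1004, 1005}
    after_vlans = default_db | set(range(10, 21))   # database once DLS1 runs 'vlan 10-20'
    return {
        "running_config": port.running_config(),
        "active_before": port.allowed_and_active(default_db),
        "active_after": port.allowed_and_active(after_vlans),
    }


if __name__ == "__main__":
    for key, value in simulate_dls_trunk().items():
        print(f"{key:15} {value}")
```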

DLS1↔ ALS1 (fastethernet 0/2)

DLS1
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown

ALS1
interface FastEthernet0/2
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown


DLS1↔ ALS2 (fastethernet 0/4)

DLS1
interface FastEthernet0/4
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown

ALS2
interface FastEthernet0/4
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown


DLS2↔ ALS1 (fastethernet 0/4)

DLS2
interface FastEthernet0/4
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown

ALS1
interface FastEthernet0/4
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown

ALS1#show interfaces fastEthernet 0/4 trunk
Port Mode Encapsulation Status Native vlan
Fa0/4 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/4 1,10-18,20
Port Vlans allowed and active in management domain
Fa0/4 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/4 1


DLS2↔ ALS2 (fastethernet 0/2)

DLS2
interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown

ALS2
interface FastEthernet0/2
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown

ALS1↔ ALS2 (fastethernet 0/6)

ALS1
interface FastEthernet0/6
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown

ALS2
interface FastEthernet0/6
switchport mode trunk
switchport nonegotiate
switchport trunk allowed vlan 10-20
switchport trunk allowed vlan remove 19
switchport trunk allowed vlan add 1
no shutdown

ALS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/6 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1,10-18,20
Fa0/4 1,10-18,20
Fa0/6 1,10-18,20
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/4 1
Fa0/6 1

Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1
Fa0/4 1
Fa0/6 1

DLS1#sh interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/6 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1,10-18,20
Fa0/4 1,10-18,20
Fa0/6 1,10-18,20
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/4 1
Fa0/6 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 none
Fa0/4 1
Fa0/6 none

DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/6 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1,10-18,20
Fa0/4 1,10-18,20
Fa0/6 1,10-18,20
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/4 1
Fa0/6 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1
Fa0/4 none
Fa0/6 1



• Configure VTP using domain DUOC, version 2, server mode, password duoc on all switches. Create loopback0 on each switch to use as the ID in VTP sessions, with the following layout:
- DLS1 loopback0 → 10.1.1.1/32
- DLS2 loopback0 → 10.2.2.2/32
- ALS1 loopback0 → 10.3.3.3/32
- ALS2 loopback0 → 10.4.4.4/32
• On DLS1 create VLANs 10 through 20. Verify that they have propagated. Remember that VLAN 19 must be excluded on the trunk, but not locally on DLS1.

DLS1
vlan 10-20

interface Loopback0
ip address 10.1.1.1 255.255.255.255

vtp version 2
vtp mode server
vtp domain DUOC
vtp password duoc
vtp interface Loopback0

DLS2
interface Loopback0
ip address 10.2.2.2 255.255.255.255

vtp version 2
vtp mode server
vtp domain DUOC
vtp password duoc
vtp interface Loopback0

ALS1
interface Loopback0
ip address 10.3.3.3 255.255.255.255

vtp version 2
vtp mode server
vtp domain DUOC
vtp password duoc
vtp interface Loopback0

ALS2
interface Loopback0
ip address 10.4.4.4 255.255.255.255

vtp version 2
vtp mode server
vtp domain DUOC
vtp password duoc
vtp interface Loopback0




DLS1#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/5, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
11 VLAN0011 active
12 VLAN0012 active
13 VLAN0013 active
14 VLAN0014 active
15 VLAN0015 active
16 VLAN0016 active
17 VLAN0017 active
18 VLAN0018 active
19 VLAN0019 active
20 VLAN0020 active

ALS2#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/5, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
11 VLAN0011 active
12 VLAN0012 active
13 VLAN0013 active
14 VLAN0014 active
15 VLAN0015 active
16 VLAN0016 active
17 VLAN0017 active
18 VLAN0018 active
19 VLAN0019 active
20 VLAN0020 active

ALS1#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/5, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
11 VLAN0011 active
12 VLAN0012 active
13 VLAN0013 active
14 VLAN0014 active
15 VLAN0015 active
16 VLAN0016 active
17 VLAN0017 active
18 VLAN0018 active
19 VLAN0019 active
20 VLAN0020 active
999 VLAN0999 active

DLS2#show vl brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/5, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
11 VLAN0011 active
12 VLAN0012 active
13 VLAN0013 active
14 VLAN0014 active
15 VLAN0015 active
16 VLAN0016 active
17 VLAN0017 active
18 VLAN0018 active
19 VLAN0019 active
20 VLAN0020 active

DLS1#sh vtp status
VTP Version : running VTP2
Configuration Revision : 8
Maximum VLANs supported locally : 1005
Number of existing VLANs : 16
VTP Operating Mode : Server
VTP Domain Name : DUOC
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xAE 0xB8 0xA3 0xDF 0x7E 0xA7 0x83 0x5A
Configuration last modified by 10.2.2.2 at 3-1-93 01:49:42
Local updater ID is 10.1.1.1 on interface Lo0 (preferred interface)
Preferred interface name is Loopback0


The revision number is 8, that is, revision 8 delivered the most up-to-date information. Now, suppose that ALS2 has not yet joined the network but has the same domain name and revision number 8. Since ALS2 is configured as a VTP server (the default), it stores this information in the vlan.dat file in flash.
We can delete VLANs 10 through 20 on ALS2 and the revision number will increase to 9, as the following example shows. This produces "more up-to-date" information for VTP and will delete the VLANs created by DLS1 from the databases.


ALS2#show vtp status
VTP Version : 2
Configuration Revision : 8
Maximum VLANs supported locally : 255
Number of existing VLANs : 16
VTP Operating Mode : Server
VTP Domain Name : DUOC
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xAE 0xB8 0xA3 0xDF 0x7E 0xA7 0x83 0x5A
Configuration last modified by 10.2.2.2 at 3-1-93 01:49:42
Local updater ID is 10.4.4.4 on interface Lo0 (preferred interface)
Preferred interface name is Loopback0

ALS2
interface range fastEthernet 0/2 , fastEthernet 0/4 , fastEthernet 0/6
shutdown

no vlan 10-20

ALS2#show vtp status
VTP Version : 2
Configuration Revision : 9
Maximum VLANs supported locally : 255
Number of existing VLANs : 6
VTP Operating Mode : Server
VTP Domain Name : DUOC
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x75 0x25 0xD6 0x97 0x64 0xEF 0x6F 0x29
Configuration last modified by 10.4.4.4 at 3-1-93 01:57:08
Local updater ID is 10.4.4.4 on interface Lo0 (preferred interface)
Preferred interface name is Loopback0

ALS2#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gi0/1, Gi0/2






We bring the interfaces up and look at the results on the other switches. We have wiped out every VLAN that DLS1 created!


ALS2
interface range fastEthernet 0/2 , fastEthernet 0/4 , fastEthernet 0/6
no shutdown

DLS1#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/5, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gi0/1, Gi0/2


DLS2#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/5, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gi0/1, Gi0/2

ALS1#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/5, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gi0/1, Gi0/2


As we can see, using VTP can save configuration time, but there must be a very carefully worked-out design and configuration plan; otherwise we could leave an entire network without connectivity.
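The takeover just demonstrated, replayed as an added Python simulation that is not part of the guide: four switches in domain DUOC exchange VTP advertisements, a server with a higher revision overwrites the others, and the "Configuration last modified by" field records which updater ID did it. The replay(mitigate=True) branch shows the standard safeguard of putting the stale switch through transparent mode, which resets its revision to 0, before reconnecting it; the digest is a stand-in for the real MD5, and VTP client mode is left out of the model.

```python
from dataclasses import dataclass, field
import hashlib


def vtp_digest(domain: str, password: str, revision: int, vlans: dict) -> str:
    """Stand-in for the MD5 digest of 'show vtp status' (domain, password, revision, database)."""
    blob = f"{domain}|{password}|{revision}|{sorted(vlans.items())}".encode()
    return hashlib.md5(blob).hexdigest()


@dataclass
class Switch:
    name: str
    updater_id: str                 # loopback0 address used as the VTP updater ID
    domain: str = "DUOC"
    password: str = "duoc"
    mode: str = "server"            # server | transparent (client omitted from this model)
    revision: int = 0
    vlans: dict = field(default_factory=lambda: {1: "default"})
    last_modified_by: str = "0.0.0.0"
    trunks_up: bool = True

    def set_mode(self, mode: str) -> None:
        """Entering transparent mode resets the revision to 0; it stays 0 on return to server."""
        self.mode = mode
        if mode == "transparent":
            self.revision = 0

    def change_vlans(self, add=(), remove=()) -> None:
        """Edit the local database; only a server bumps the revision and becomes the updater."""
        for v in add:
            self.vlans[v] = f"VLAN{v:04d}"
        for v in remove:
            self.vlans.pop(v, None)
        if self.mode == "server":
            self.revision += 1
            self.last_modified_by = self.updater_id

    def advertisement(self) -> dict:
        """Summary plus subset advertisement sent on every active trunk."""
        return {"domain": self.domain, "revision": self.revision,
                "updater": self.last_modified_by, "vlans": dict(self.vlans),
                "digest": vtp_digest(self.domain, self.password, self.revision, self.vlans)}

    def receive(self, adv: dict) -> bool:
        """Process an advertisement; True when the local database was overwritten."""
        if self.mode == "transparent" or adv["domain"] != self.domain:
            return False
        if adv["revision"] <= self.revision:
            return False                # equal or older revision is ignored
        if adv["digest"] != vtp_digest(self.domain, self.password, adv["revision"], adv["vlans"]):
            return False                # password mismatch: advertisement rejected
        self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
        self.last_modified_by = adv["updater"]
        return True


def converge(switches: list) -> None:
    """Flood advertisements among switches whose trunks are up until nothing changes."""
    active = [s for s in switches if s.trunks_up]
    changed = True
    while changed:
        changed = False
        for src in active:
            adv = src.advertisement()
            for dst in active:
                if dst is not src and dst.receive(adv):
                    changed = True


LAB_VLANS = set(range(10, 21))


def lab_fleet() -> list:
    """DLS1, DLS2, ALS1, ALS2 in domain DUOC; DLS1 creates VLANs 10-20 and they propagate."""
    fleet = [Switch("DLS1", "10.1.1.1"), Switch("DLS2", "10.2.2.2"),
             Switch("ALS1", "10.3.3.3"), Switch("ALS2", "10.4.4.4")]
    fleet[0].change_vlans(add=LAB_VLANS)
    converge(fleet)
    return fleet


def has_lab_vlans(s: Switch) -> bool:
    return LAB_VLANS <= set(s.vlans)


def replay(mitigate: bool = False) -> dict:
    """ALS2 shuts its trunks, deletes VLANs 10-20 (its revision rises by 1) and reconnects.
    With mitigate=True it first passes through transparent mode, which zeroes its revision."""
    fleet = lab_fleet()
    dls1, als2 = fleet[0], fleet[3]
    propagated = all(has_lab_vlans(s) for s in fleet)
    als2.trunks_up = False
    als2.change_vlans(remove=LAB_VLANS)
    if mitigate:
        als2.set_mode("transparent")
        als2.set_mode("server")
    als2_revision = als2.revision
    als2.trunks_up = True
    converge(fleet)
    return {"propagated_before": propagated, "als2_revision_on_reconnect": als2_revision,
            "dls1_vlans_survive": has_lab_vlans(dls1), "als2_resynced": has_lab_vlans(als2),
            "dls1_revision": dls1.revision, "dls1_last_modified_by": dls1.last_modified_by}
```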

• Based on the example just explained, what solution would you recommend to avoid this serious problem?



Private VLANs on a single switch

• Build the following topology:

• Assign the following addressing:
PC IP
PC1 10.1.1.1/24
PC2 10.1.1.2/24
PC3 10.1.1.3/24

• Verify that there is communication among all the PCs. Note: since the switches have no previous configuration, they will use VLAN 1 as the broadcast domain. Disable the firewall on the PCs.
Note: On Catalyst 4500 and higher platforms we can enable PVLANs on trunks (switchport mode private-vlan trunk).

PC3
C:\>ping 10.1.1.1
Haciendo ping a 10.1.1.1 con 32 bytes de datos:
Respuesta desde 10.1.1.1: bytes=32 tiempo<1m TTL=255
Respuesta desde 10.1.1.1: bytes=32 tiempo=2ms TTL=255
Respuesta desde 10.1.1.1: bytes=32 tiempo=1ms TTL=255
Respuesta desde 10.1.1.1: bytes=32 tiempo=1ms TTL=255

Estadísticas de ping para 10.1.1.1:
Paquetes: enviados = 4, recibidos = 4, perdidos = 0
(0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
Mínimo = 0ms, Máximo = 2ms, Media = 1ms

C:\>ping 10.1.1.2
Haciendo ping a 10.1.1.2 con 32 bytes de datos:
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Estadísticas de ping para 10.1.1.2:
Paquetes: enviados = 4, recibidos = 4, perdidos = 0
(0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
Mínimo = 0ms, Máximo = 0ms, Media = 0ms

DLS1#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms

DLS1#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

DLS1#ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms



• Configure Private VLANs based on the following table:
Device VLAN-Type VLAN-ID
Router Primary 100
PC1 Community 200
PC2 Community 200
PC3 Isolated 300

Private VLANs require a series of steps.
• Set the switch to VTP transparent mode
• Create the Primary VLAN
• Define the Secondary VLANs
• Associate the Secondary VLANs with the Primary VLAN.

DLS1
vtp mode transparent

DLS1#sh vtp status
VTP Version : running VTP1 (VTP2 capable)
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Transparent
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

DLS1
vlan 100
name VLAN_PRIMARIA
private-vlan primary
private-vlan association 411,421,431

vlan 200
private-vlan community
vlan 300
private-vlan isolated

DLS1#sh vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 primary
200 community
300 isolated

DLS1
vlan 100
private-vlan association add 200,300

DLS1#sh vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 200 community
100 300 isolated


The next step is to configure interface FastEthernet 0/4 (which connects to the router) in promiscuous mode and map the primary VLAN to the secondary VLANs.


DLS1
interface FastEthernet0/4
switchport private-vlan mapping 100 200,300
switchport mode private-vlan promiscuous

DLS1#sh vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 200 community Fa0/4
100 300 isolated Fa0/4


• On the ports that connect the hosts, create the association and set them to host mode.


DLS1
interface FastEthernet0/1
switchport private-vlan host-association 100 200
switchport mode private-vlan host
spanning-tree portfast

interface FastEthernet0/2
switchport private-vlan host-association 100 200
switchport mode private-vlan host
spanning-tree portfast

interface FastEthernet0/3
switchport private-vlan host-association 100 300
switchport mode private-vlan host
spanning-tree portfast

DLS1#sh interfaces fastEthernet 0/4 switchport
Name: Fa0/4
Switchport: Enabled
Administrative Mode: private-vlan promiscuous
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: 100 (VLAN_PRIMARIA) 200 (VLAN0200) 300 (VLAN0300)
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

DLS1#sh vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
100 200 community Fa0/1, Fa0/2, Fa0/4
100 300 isolated Fa0/3, Fa0/4


(Figure callout: association between the host ports and the promiscuous port)
Private VLANs: connectivity tests.
According to what we have studied, PC1 and PC2 should have connectivity with each other and with the router, which is in promiscuous mode.


PC2
C:\>ping 10.1.1.1
Haciendo ping a 10.1.1.1 con 32 bytes de datos:
Respuesta desde 10.1.1.1: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.1: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.1: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.1: bytes=32 tiempo<1m TTL=128
Estadísticas de ping para 10.1.1.1:
Paquetes: enviados = 4, recibidos = 4, perdidos = 0
(0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
Mínimo = 0ms, Máximo = 0ms, Media = 0ms

C:\>ping 10.1.1.100
Haciendo ping a 10.1.1.100 con 32 bytes de datos:
Respuesta desde 10.1.1.100: bytes=32 tiempo=38ms TTL=255
Respuesta desde 10.1.1.100: bytes=32 tiempo=15ms TTL=255
Respuesta desde 10.1.1.100: bytes=32 tiempo=16ms TTL=255
Respuesta desde 10.1.1.100: bytes=32 tiempo=31ms TTL=255
Estadísticas de ping para 10.1.1.100:
Paquetes: enviados = 4, recibidos = 4, perdidos = 0
(0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
Mínimo = 15ms, Máximo = 38ms, Media = 25ms

PC3
C:\>ping 10.1.1.1
Haciendo ping a 10.1.1.1 con 32 bytes de datos:
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Estadísticas de ping para 10.1.1.1:
Paquetes: enviados = 4, recibidos = 0, perdidos = 4
(100% perdidos),

C:\>ping 10.1.1.100
Haciendo ping a 10.1.1.100 con 32 bytes de datos:
Respuesta desde 10.1.1.100: bytes=32 tiempo=23ms TTL=255
Respuesta desde 10.1.1.100: bytes=32 tiempo=16ms TTL=255
Respuesta desde 10.1.1.100: bytes=32 tiempo=31ms TTL=255
Respuesta desde 10.1.1.100: bytes=32 tiempo=15ms TTL=255
Estadísticas de ping para 10.1.1.100:
Paquetes: enviados = 4, recibidos = 4, perdidos = 0
(0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
Mínimo = 15ms, Máximo = 31ms, Media = 21ms


Meanwhile, the router, which is in promiscuous mode, has connectivity with all the hosts, as the following tests show:


R1#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/19/32 ms

R1#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/20/44 ms

R1#ping 10.1.1.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/17/36 ms


Port Protected

• Create VLAN 10 on ALS1.
• Configure interfaces Fa0/10 and Fa0/11 as access ports as shown in the figure. Test whether there is connectivity between the PCs. Then enable port protected.
• Verify that the PCs can communicate with the router but not with each other.
Note: Both ports must be in protected mode for them to be isolated from each other.

ALS1
vlan 111
name PORT-PROTECTED

interface FastEthernet0/10
switchport access vlan 111
switchport mode access
spanning-tree portfast

interface FastEthernet0/11
switchport access vlan 111
switchport mode access
spanning-tree portfast

PC1
C:\>ping 10.1.12.2 -t
Haciendo ping a 10.1.12.2 con 32 bytes de datos:
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.12.2: bytes=32 tiempo<1m TTL=128

ALS1
interface FastEthernet0/10
switchport protected

interface FastEthernet0/11
switchport protected

Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.
Tiempo de espera agotado para esta solicitud.

Estadísticas de ping para 10.1.12.2:
Paquetes: enviados = 33, recibidos = 27, perdidos = 6
(18% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
Mínimo = 0ms, Máximo = 0ms, Media = 0ms
Control-C


The output above shows that there is connectivity between the PCs until port-protected is enabled.

• Configure an access port for VLAN 111 on Fa0/9, which connects to the router. Enable the router
interface with the IP address 10.1.12.100/24.


R1
interface FastEthernet0/0
ip address 10.1.12.100 255.255.255.0
no shut
ALS1
interface FastEthernet0/9
switchport access vlan 111
switchport mode access
spanning-tree portfast

ALS1#show interfaces fastEthernet 0/10 switchport
Name: Fa0/10
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 111 (PORT-PROTECTED)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: true
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

R1#ping 10.1.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/20/40 ms














[Figure: PC2]





CCNP Guía SWITCH v2.0


@ 2013
47
EtherChannel I PAgP (Port Aggregation Protocol)


• Create a trunk by configuring interfaces f0/6 and f0/7 on DLS1 and DLS2. Use the industry-standard
protocol. As a result we should see a single link for STP. If one link fails there should be no
interruption of traffic. DLS1 must only respond if a negotiation is started from the other end, i.e. it
must adopt a passive mode. DLS2 must actively try to form an EtherChannel.

PortChannel
SW1 configured with       SW2 configured with   EtherChannel?
Desirable (PAgP, Cisco)   Desirable             Yes
Desirable (PAgP, Cisco)   Auto                  Yes
Auto                      Auto                  No

PAgP modes:
On: there is no PAgP negotiation. The other end must also be in mode on.
Auto (default): responds to PAgP messages but does not start the negotiation. The port-channel will be
created as long as the other end is in Desirable mode.
Desirable: the port actively tries to form an EtherChannel. For the port-channel to form, the other end
must be configured in Auto or Desirable mode.

Recommended process:
1. Use default interface to leave the interface without configuration (default values).
2. Create a channel-group on the physical interface (assign an identifying number); a port-channel
will be created automatically.
3. (Very important) define the trunk inside the port-channel (encapsulation, mode, …).

• At the end of the lab, explain:
- The purpose of non-silent mode together with auto and desirable.
- What information the show pagp internal command provides.
------------------------------------------------------------------------------------------------------------------------
Example of the EtherChannel mode options (PAgP and LACP)

DLS1(config)#interface range fastEthernet 0/6-7
DLS1(config-if-range)#channel-group 1 mode ?
active Enable LACP unconditionally
auto Enable PAgP only if a PAgP device is detected
desirable Enable PAgP unconditionally
on Enable Etherchannel only
passive Enable LACP only if a LACP device is detected
------------------------------------------------------------------------------------------------------------------------


DLS1
default interface range fastEthernet 0/6-7

interface FastEthernet0/6
channel-group 1 mode auto non-silent

interface FastEthernet0/7
channel-group 1 mode auto non-silent

interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk

DLS2
default interface range fastEthernet 0/6-7

interface FastEthernet0/6
channel-group 1 mode desirable non-silent

interface FastEthernet0/7
channel-group 1 mode desirable non-silent

interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk

DLS2#show pagp neighbor
Flags: S - Device is sending Slow hello. C - Device is in Consistent state.
A - Device is in Auto mode. P - Device learns on physical port.

Channel group 1 neighbors
Partner Partner Partner Partner Group
Port Name Device ID Port Age Flags Cap.
Fa0/6 DLS1 e8ba.70cb.f600 Fa0/6 21s SAC 10001
Fa0/7 DLS1 e8ba.70cb.f600 Fa0/7 21s SAC 10001

DLS2#show pagp internal
Flags: S - Device is sending Slow hello. C - Device is in Consistent state.
A - Device is in Auto mode. d - PAgP is down
Timers: H - Hello timer is running. Q - Quit timer is running.
S - Switching timer is running. I - Interface timer is running.

Channel group 1
Hello Partner PAgP Learning Group
Port Flags State Timers Interval Count Priority Method Ifindex
Fa0/6 SC U6/S7 H 30s 1 128 Any 5001
Fa0/7 SC U6/S7 H 30s 1 128 Any 5001


DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Po1 on 802.1q trunking 1
Port Vlans allowed on trunk
Po1 1-4094
Port Vlans allowed and active in management domain
Po1 1
Port Vlans in spanning tree forwarding state and not pruned
Po1 1

DLS2#show interfaces fastEthernet 0/6 switchport | include Mode
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po1)
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Capture Mode Disabled

DLS1#show interfaces fastEthernet 0/6 switchport | include Mode
Administrative Mode: trunk
Operational Mode: trunk (member of bundle Po1)
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Capture Mode Disabled


In terms of trunking the port-channel is operational; however, we must verify that the link appears as a
single one from the Spanning Tree point of view. Naturally we have not created any VLANs and will rely on
the default VLAN. In the following output we can see that STP shows only one link: the port-channel.


DLS2#show spanning-tree vlan 1

VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0022.5688.7900
Cost 31
Port 56 (Port-channel1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 3037.a6eb.d580
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1 Root FWD 12 128.56 P2p


DLS1#sh spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address e8ba.70cb.f600
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address e8ba.70cb.f600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1 Desg FWD 12 128.56 P2p


EtherChannel II without negotiation


• Configure a trunk between DLS1 and ALS1 as shown in the figure (use the 802.1q standard protocol). As
a result we should see a single link for STP. If one link fails there should be no interruption of
traffic. No EtherChannel negotiation protocol may be used. Use port-channel number 2.

PortChannel
SW1 configured with   SW2 configured with   EtherChannel?
On                    On                    Yes

Note: we cannot use PAgP or LACP. As good practice, keep the recommended configuration process in mind.

At the end of the lab, state:
- The advantages and disadvantages of PAgP and LACP.
- How many port-channels can be configured on the Catalyst 3560 and 2960.


DLS1
default interface range fastEthernet 0/2-3

interface FastEthernet0/2
channel-group 2 mode on
no shut

interface FastEthernet0/3
channel-group 2 mode on
no shut

interface Port-channel2
switchport trunk encapsulation dot1q
switchport mode trunk

ALS1
default interface range fastEthernet 0/2-3

interface FastEthernet0/2
channel-group 2 mode on
no shut

interface FastEthernet0/3
channel-group 2 mode on
no shut

interface Port-channel2
switchport mode trunk

DLS1#sh interfaces trunk
Port Mode Encapsulation Status Native vlan
Po1 on 802.1q trunking 1
Po2 on 802.1q trunking 1
Port Vlans allowed on trunk
Po1 1-4094
Po2 1-4094
Port Vlans allowed and active in management domain
Po1 1
Po2 1
Port Vlans in spanning tree forwarding state and not pruned
Po1 1
Po2 1

ALS1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Po2 on 802.1q trunking 1
Port Vlans allowed on trunk
Po2 1-4094
Port Vlans allowed and active in management domain
Po2 1
Port Vlans in spanning tree forwarding state and not pruned
Po2 1

ALS1#show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port

Number of channel-groups in use: 1
Number of aggregators: 1

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
2 Po2(SU) - Fa0/2(P) Fa0/3(P)

DLS1#sh etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator

M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port

Number of channel-groups in use: 2
Number of aggregators: 2

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) PAgP Fa0/6(P) Fa0/7(P)
2 Po2(SU) - Fa0/2(P) Fa0/3(P)

DLS1#sh etherchannel protocol
Channel-group listing:
----------------------
Group: 1
----------
Protocol: PAgP
Group: 2
----------
Protocol: - (Mode ON)


ALS1#show etherchannel protocol
Channel-group listing:
----------------------
Group: 2
----------
Protocol: - (Mode ON)

ALS1#show spanning-tree interface port-channel 2
Vlan Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg FWD 12 128.64 P2p

DLS1#sh spanning-tree interface port-channel 2
Vlan Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001 Root FWD 12 128.64 P2p


EtherChannel III Desirable mode

• Configure a trunk between DLS2 and ALS2 as shown in the figure. As a result we should see a single
link for STP. If one link fails there should be no interruption of traffic. On both switches use
constant PAgP negotiation.

PortChannel PAgP
SW1 configured with       SW2 configured with   EtherChannel?
Desirable (PAgP, Cisco)   Desirable             Yes
Desirable (PAgP, Cisco)   Auto                  Yes
Auto                      Auto                  No

This scenario requires both ends to actively try to form an EtherChannel. That gives us an important
hint when we analyse the table above: with desirable mode on both sides we will get the expected result.

DLS2
default interface range fastEthernet 0/2-3

interface range FastEthernet0/2-3
channel-group 2 mode desirable
no shut

interface Port-channel2
switchport trunk encapsulation dot1q
switchport mode trunk

ALS2
default interface range fastEthernet 0/2-3

interface range FastEthernet0/2-3
channel-group 2 mode desirable
no shut
exit

interface Port-channel2
switchport mode trunk
ALS2#show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port


Number of channel-groups in use: 1
Number of aggregators: 1

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
2 Po2(SU) PAgP Fa0/2(P) Fa0/3(P)

DLS2#show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator

M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port

Number of channel-groups in use: 2
Number of aggregators: 2

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) PAgP Fa0/6(P) Fa0/7(P)
2 Po2(SU) PAgP Fa0/2(P) Fa0/3(P)

DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Po1 on 802.1q trunking 1
Po2 on 802.1q trunking 1
Port Vlans allowed on trunk
Po1 1-4094
Po2 1-4094
Port Vlans allowed and active in management domain
Po1 1
Po2 1
Port Vlans in spanning tree forwarding state and not pruned
Po1 1
Po2 1



ALS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Po2 on 802.1q trunking 1
Port Vlans allowed on trunk
Po2 1-4094
Port Vlans allowed and active in management domain
Po2 1
Port Vlans in spanning tree forwarding state and not pruned
Po2 1

ALS2#show etherchannel protocol
Channel-group listing:
----------------------
Group: 2
----------
Protocol: PAgP

DLS2#show etherchannel protocol
Channel-group listing:
----------------------
Group: 1
----------
Protocol: PAgP

Group: 2
----------
Protocol: PAgP


Another useful command for verifying the port-channel is show interface etherchannel.
• Explain each field of the command output.


DLS2#show interfaces fastEthernet 0/2 etherchannel
Port state = Up Mstr In-Bndl
Channel group = 2 Mode = Desirable-Sl Gcchange = 0
Port-channel = Po2 GC = 0x00020001 Pseudo port-channel = Po2
Port index = 0 Load = 0x00 Protocol = PAgP
Flags: S - Device is sending Slow hello. C - Device is in Consistent state.
A - Device is in Auto mode. P - Device learns on physical port.
d - PAgP is down.
Timers: H - Hello timer is running. Q - Quit timer is running.
S - Switching timer is running. I - Interface timer is running.
Local information:
Hello Partner PAgP Learning Group
Port Flags State Timers Interval Count Priority Method Ifindex
Fa0/2 SC U6/S7 H 30s 1 128 Any 5002
Partner's information:
Partner Partner Partner Partner Group
Port Name Device ID Port Age Flags Cap.
Fa0/2 ALS2 0022.5688.7900 Fa0/2 21s SC 20001
Age of the port in the current state: 0d:00h:06m:28s


EtherChannel III Link Aggregation Control Protocol LACP


• Configure a trunk between ALS1 and ALS2 as shown in the figure. As a result we should see a single
link for STP. If one link fails there should be no interruption of traffic. Configure LACP. ALS1 must be
in passive mode. ALS2 must actively try to form an EtherChannel.

PortChannel LACP
SW1 configured with   SW2 configured with   EtherChannel?
Active                Active                Yes
Active                Passive               Yes
Passive               Passive               No


ALS1
default interface range fastEthernet 0/6-7

interface range fastEthernet 0/6-7
channel-group 1 mode passive

interface Port-channel1
switchport mode trunk

ALS2
default interface range fastEthernet 0/6-7

interface range fastEthernet 0/6-7
channel-group 1 mode active

interface Port-channel1
switchport mode trunk

ALS1#show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port

Number of channel-groups in use: 2
Number of aggregators: 2

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Fa0/6(P) Fa0/7(P)
2 Po2(SU) - Fa0/2(P) Fa0/3(P)

ALS2#show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port

Number of channel-groups in use: 2
Number of aggregators: 2

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Fa0/6(P) Fa0/7(P)
2 Po2(SU) PAgP Fa0/2(P) Fa0/3(P)

ALS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Po1 on 802.1q trunking 1
Po2 on 802.1q trunking 1
Port Vlans allowed on trunk
Po1 1-4094
Po2 1-4094
Port Vlans allowed and active in management domain
Po1 1
Po2 1
Port Vlans in spanning tree forwarding state and not pruned
Po1 1
Po2 1


ALS2#show lacp neighbor
Flags: S - Device is requesting Slow LACPDUs
F - Device is requesting Fast LACPDUs
A - Device is in Active mode P - Device is in Passive mode

Channel group 1 neighbors

Partner's information:

LACP port Oper Port Port
Port Flags Priority Dev ID Age Key Number State
Fa0/6 SP 32768 0022.5689.5d80 17s 0x1 0x6 0x3C
Fa0/7 SP 32768 0022.5689.5d80 16s 0x1 0x7 0x3C




EtherChannel IV Load-Shared
• Configure switch DLS1 so that all locally generated traffic is distributed over the EtherChannel
based on the destination MAC address.

Note: depending on the model, the criteria available for distributing the load (load-sharing) will vary.
Let us check which type of load-sharing is enabled by default (source-mac). We can verify this with the
show etherchannel load-balance command.

• At the end of the lab, determine:
- The default balancing mode on the Catalyst 3560, 3750, 4550 and C6500 platforms for L2 and L3
aggregation.


DLS1#sh etherchannel load-balance
EtherChannel Load-Balancing Configuration:
src-mac

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source MAC address
IPv4: Source MAC address
IPv6: Source MAC address

DLS1
port-channel load-balance dst-mac

DLS1#sh etherchannel load-balance
EtherChannel Load-Balancing Configuration:
dst-mac

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Destination MAC address
IPv4: Destination MAC address
IPv6: Destination MAC address


• The EtherChannels created on DLS2 must distribute the load (load-sharing) according to the following
policies:
- For non-IP traffic, destination MAC
- For IPv4 traffic, destination IP
- For IPv6 traffic, destination IP
• Configure all the load-sharing modes and check the results.

Note: depending on how it is configured we will get different results; at this point we could try the
load-balance options offered and check the changes with the show etherchannel load-balance command. This
matters because we cannot modify the behaviour for IPv6 traffic directly: it follows the configuration we
applied for IPv4.

DLS2
port-channel load-balance dst-ip


DLS2#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
dst-ip
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Destination MAC address
IPv4: Destination IP address
IPv6: Destination IP address
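The policy table and what it means for a bundle, as an added simulation (not the guide's code). The per-protocol fields are those printed by show etherchannel load-balance on this page; the hash is a deliberate simplification (the low-order bits of the chosen address pick the member link), not the ASIC's real function, and the traffic is constructed: one router MAC answering many hosts, which is exactly the case where src-mac puts every frame on the same member.

```python
"""Effect of the EtherChannel load-sharing policy, as a small simulation.

Added example, not code from the guide. POLICY_FIELDS reproduces what
'show etherchannel load-balance' printed on DLS1 and DLS2 for each policy;
the member-link hash is a deliberate simplification (low-order bits of the
selected address), not the Catalyst ASIC's real function.
"""
from collections import Counter

# port-channel load-balance <policy> -> address used per traffic type (from the page's outputs).
POLICY_FIELDS = {
    "src-mac": {"non-ip": "src_mac", "ipv4": "src_mac", "ipv6": "src_mac"},
    "dst-mac": {"non-ip": "dst_mac", "ipv4": "dst_mac", "ipv6": "dst_mac"},
    "dst-ip":  {"non-ip": "dst_mac", "ipv4": "dst_ip",  "ipv6": "dst_ip"},
}


def address_to_int(value: str) -> int:
    """Dotted IPv4 ('10.1.12.2') or Cisco-style MAC ('0022.5688.7900') to an integer."""
    octets = value.split(".")
    if len(octets) == 4 and all(o.isdigit() for o in octets):
        return int.from_bytes(bytes(int(o) for o in octets), "big")
    return int(value.replace(".", "").replace(":", ""), 16)


def member_link(frame: dict, policy: str, links: int) -> int:
    """Index of the bundle member that carries 'frame' under the given policy."""
    field = POLICY_FIELDS[policy][frame["kind"]]
    return address_to_int(frame[field]) % links   # simplified hash: low-order bits


def distribution(frames, policy: str, links: int = 2) -> Counter:
    """How many frames each member link ends up carrying."""
    return Counter(member_link(f, policy, links) for f in frames)


def router_replies(hosts: int = 16) -> list:
    """Constructed traffic: one router MAC answering 'hosts' stations behind the channel."""
    router_mac = "0000.0c00.0001"                 # constructed address
    return [{"kind": "ipv4",
             "src_mac": router_mac, "dst_mac": f"0022.5600.{i:04x}",
             "src_ip": "10.1.12.100", "dst_ip": f"10.1.12.{i}"}
            for i in range(1, hosts + 1)]


if __name__ == "__main__":
    frames = router_replies()
    for policy in POLICY_FIELDS:
        # src-mac: every frame carries the same source MAC, so one member gets all of them.
        print(f"{policy:8s} -> frames per member link: {dict(distribution(frames, policy))}")
```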


EtherChannel V LACP priority


• Add interfaces Fa0/13 to Fa0/18 to EtherChannel Po2 on DLS2 and ALS2.
• Ports Fa0/15 and Fa0/18 must remain in standby state. Use the appropriate priority.

• At the end of the lab, state:
- Which method PAgP uses to obtain the same behaviour, that is, backup ports within a
port-channel.

DLS2
default interface range fastEthernet 0/2-3 , fastEthernet 0/13-20

interface range fastEthernet 0/2-3 , fastEthernet 0/13-20
channel-group 2 mode active

interface Port-channel2
switchport trunk encapsulation dot1q
switchport mode trunk

ALS2
default interface range fastEthernet 0/2-3 , fastEthernet 0/13-20

interface range fastEthernet 0/2-3 , fastEthernet 0/13-20
channel-group 2 mode active

interface Port-channel2
switchport mode trunk


ALS2#show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port

Number of channel-groups in use: 2
Number of aggregators: 2

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Fa0/6(P) Fa0/7(P)
2 Po2(SU) LACP Fa0/2(P) Fa0/3(P) Fa0/13(P)
Fa0/14(P) Fa0/15(P) Fa0/16(P)
Fa0/17(P) Fa0/18(P) Fa0/19(H)
Fa0/20(H)


The output above shows that the standard LACP protocol (IEEE 802.3ad) can create a port-channel with up
to 16 ports, but only 8 will be active; the rest act as backup. In this case, with no additional
configuration, the LACP process chooses which ports are active and which are standby. In this lab it is
required that the ports acting as backup be Fa0/13 to Fa0/18. We must bear in mind that the switch with
the lower LACP sys-id is the one that decides which physical links are primary and which are secondary.
In this case it should be ALS2. This matters because the priority configuration must be done on the
Catalyst that has the lower priority.


ALS2#show lacp sys-id
32768, 0022.5688.7900

DLS2#show lacp sys-id
32768, 3037.a6eb.d580

ALS2
lacp system-priority 100

interface range fa0/2 - 3 , fa0/13 - 20
channel-protocol lacp

interface range fa0/2 - 3 , fa0/14 - 17 , f0/19-20
lacp port-priority 100
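The selection described above, as an added example (not the guide's own code): members are ranked by (lacp port-priority, port number), the first eight join the bundle and the rest wait in hot-standby, and the partner with the lower (system priority, MAC) system ID is the one whose ranking counts. It assumes the LACP port number equals the interface number, as ALS2's output on this page shows (Fa0/13 is 0xD, Fa0/18 is 0x12).

```python
"""LACP (IEEE 802.3ad) bundle member selection for the ALS2 / DLS2 lab above.

Added example, not code from the guide. Assumes the LACP port number equals
the interface number (0xD for Fa0/13, 0x12 for Fa0/18, as ALS2 printed).
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_ACTIVE_PORTS = 8        # up to 16 members per LACP group, only 8 bundled
DEFAULT_PRIORITY = 32768    # default lacp system-priority and lacp port-priority


def parse_sys_id(text: str) -> tuple[int, int]:
    """Parse 'show lacp sys-id' output such as '32768, 0022.5688.7900'."""
    prio, mac = (part.strip() for part in text.split(","))
    return int(prio), int(mac.replace(".", ""), 16)


def deciding_switch(sys_ids: dict[str, str]) -> str:
    """Return the switch whose (priority, MAC) system ID is numerically lowest.

    That switch's port priorities decide which members bundle and which stay
    hot-standby, which is why 'lacp port-priority' has to be configured there.
    """
    return min(sys_ids, key=lambda name: parse_sys_id(sys_ids[name]))


@dataclass(frozen=True)
class LacpPort:
    name: str
    number: int                          # LACP port number (interface number here)
    priority: int = DEFAULT_PRIORITY     # lacp port-priority; lower is preferred


def select_bundle(ports, max_active: int = MAX_ACTIVE_PORTS):
    """Split members into (active, hot_standby) by ascending (priority, port number)."""
    ordered = sorted(ports, key=lambda p: (p.priority, p.number))
    return ([p.name for p in ordered[:max_active]],
            [p.name for p in ordered[max_active:]])


def als2_ports(prioritised=()):
    """The ten Po2 members on ALS2; those in 'prioritised' get lacp port-priority 100."""
    numbers = [2, 3] + list(range(13, 21))
    return [LacpPort(f"Fa0/{n}", n, 100 if n in prioritised else DEFAULT_PRIORITY)
            for n in numbers]


if __name__ == "__main__":
    who = deciding_switch({"ALS2": "32768, 0022.5688.7900",
                           "DLS2": "32768, 3037.a6eb.d580"})
    print("deciding switch:", who)
    # Before 'lacp port-priority': lowest port numbers win, Fa0/19-20 stay standby.
    print("default:", select_bundle(als2_ports()))
    # After priority 100 on fa0/2-3, fa0/14-17, fa0/19-20: Fa0/13 and Fa0/18 stay standby.
    print("configured:", select_bundle(als2_ports({2, 3, 14, 15, 16, 17, 19, 20})))
```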


ALS2#show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 2
Number of aggregators: 2
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Fa0/6(P) Fa0/7(P)
2 Po2(SU) LACP Fa0/2(P) Fa0/3(P) Fa0/13(H)
Fa0/14(P) Fa0/15(P) Fa0/16(P)
Fa0/17(P) Fa0/18(H) Fa0/19(P)
Fa0/20(P)

ALS2#show interfaces fastEthernet 0/18 etherchannel
Port state = Up Mstr Assoc Hot-stdby Not-in-Bndl
Channel group = 2 Mode = Active Gcchange = -
Port-channel = null GC = - Pseudo port-channel = Po2
Port index = 0 Load = 0x00 Protocol = LACP
Flags: S - Device is sending Slow LACPDUs F - Device is sending fast LACPDUs.
A - Device is in active mode. P - Device is in passive mode.
Local information:
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Fa0/18 SA hot-sby 32768 0x2 0x2 0x12 0x5
Partner's information:
LACP port Oper Port Port
Port Flags Priority Dev ID Age Key Number State
Fa0/18 SA 32768 3037.a6eb.d580 3s 0x2 0x14 0x5
Age of the port in the current state: 0d:00h:07m:23s

ALS2#show interfaces fastEthernet 0/13 etherchannel
Port state = Up Mstr Assoc Hot-stdby Not-in-Bndl
Channel group = 2 Mode = Active Gcchange = -
Port-channel = null GC = - Pseudo port-channel = Po2
Port index = 0 Load = 0x00 Protocol = LACP
Flags: S - Device is sending Slow LACPDUs F - Device is sending fast LACPDUs.
A - Device is in active mode. P - Device is in passive mode.
Local information:
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Fa0/13 SA hot-sby 32768 0x2 0x2 0xD 0x5
Partner's information:
LACP port Oper Port Port
Port Flags Priority Dev ID Age Key Number State
Fa0/13 SA 32768 3037.a6eb.d580 22s 0x2 0xF 0x5
Age of the port in the current state: 0d:00h:08m:01s

ALS2#show spanning-tree interface port-channel 2

Vlan Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg FWD 5 128.64 P2p

DLS2#show spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0022.5688.7900
Cost 5
Port 64 (Port-channel2)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 3037.a6eb.d580
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Po1 Desg FWD 12 128.56 P2p
Po2 Root FWD 5 128.64 P2p

DLS2#show etherchannel port-channel | begin Group: 2
Group: 2
----------
Port-channels in the group:
---------------------------
Port-channel: Po2 (Primary Aggregator)
------------
Age of the Port-channel = 0d:00h:24m:19s
Logical slot/port = 2/2 Number of ports = 8
HotStandBy port = Fa0/18 Fa0/13
Port state = Port-channel Ag-Inuse
Protocol = LACP
Port security = Disabled

Ports in the Port-channel:
Index Load Port EC state No of bits
------+------+------+------------------+-----------
0 00 Fa0/2 Active 0
0 00 Fa0/3 Active 0
0 00 Fa0/14 Active 0
0 00 Fa0/15 Active 0
0 00 Fa0/16 Active 0
0 00 Fa0/17 Active 0
0 00 Fa0/19 Active 0
0 00 Fa0/20 Active 0
Time since last port bundled: 0d:00h:12m:30s Fa0/20
Time since last port Un-bundled: 0d:00h:12m:32s Fa0/13



EtherChannel Layer 3

Setup: erase the previous configurations of both switches.

• Configure ports FastEthernet0/6 to FastEthernet0/7 on DLS1 and DLS2 as shown in the figure. These
links must be seen as a single one. Configure the IP addressing shown. No negotiation must take place
when creating Port-channel 12.
• Configure OSPF and form an adjacency between the two 3560 switches. Create Loopback0 as follows:
- DLS1→10.1.1.1/24
- DLS2→10.2.2.2/24
• Advertise these interfaces with their correct masks.
• Enable telnet on the DLS2 Catalyst using the following data:
- username admin, password cisco
- Authenticate against the local database using AAA.
- Only Loopback0 is allowed as the source address (10.1.1.1/24); otherwise the connection must be
blocked and a log message sent to the console.


DLS1
ip routing
default interface range fastEthernet 0/6-7

interface Port-channel12
no switchport
ip address 10.1.12.1 255.255.255.0

interface range fastEthernet 0/6-7
no switchport
channel-group 12 mode on

DLS2
default interface range fastEthernet 0/6-7

interface Port-channel12
no switchport
ip address 10.1.12.2 255.255.255.0

interface range fastEthernet 0/6-7
no switchport
channel-group 12 mode on


DLS2#show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
12 Po12(RU) - Fa0/6(P) Fa0/7(P)

DLS2#show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator

M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
12 Po12(RU) - Fa0/6(D) Fa0/7(P)


• Layer 3 EtherChannel tests


DLS2#ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

DLS2
access-list 100 permit ip host 10.1.12.2 host 10.1.12.1

DLS2#debug ip packet 100
IP packet debugging is on for access list 100

DLS2#ping 10.1.12.1 source 10.1.12.2 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
Packet sent with a source address of 10.1.12.2
!
IP: tableid=0, s=10.1.12.2 (local), d=10.1.12.1 (Port-channel12), routed via FIB
IP: s=10.1.12.2 (local), d=10.1.12.1 (Port-channel12), len 100, sending
IP: s=10.1.12.2 (local), d=10.1.12.1 (Port-channel12), len 100, output feature, Check hwidb(63), rtype 1, forus
FALSE, sendself FALSE, mtu 0
IP: s=10.1.12.2 (local), d=10.1.12.1 (Port-channel12), len 100, sending full packet

DLS2
interface Loopback0
ip address 10.2.2.2 255.255.255.0
ip ospf network point-to-point
ip ospf 1 area 0

interface Port-channel12
ip ospf 1 area 0

DLS1
interface Loopback0
ip address 10.1.1.1 255.255.255.0
ip ospf network point-to-point

interface Port-channel12
ip ospf 1 area 0

DLS2#show ip ospf neighbor detail
Neighbor 10.1.1.1, interface address 10.1.12.1
In the area 0 via interface Port-channel12
Neighbor priority is 1, State is FULL, 6 state changes
DR is 10.1.12.1 BDR is 10.1.12.2
Options is 0x52
LLS Options is 0x1 (LR)
Dead timer due in 00:00:37
Neighbor is up for 00:00:50
Index 1/1, retransmission queue length 0, number of retransmission 0
First 0x0(0)/0x0(0) Next 0x0(0)/0x0(0)
Last retransmission scan length is 0, maximum is 0
Last retransmission scan time is 0 msec, maximum is 0 msec

DLS2
username admin password cisco
aaa authentication login TELNET local none

access-list 10 permit 10.1.1.1
access-list 10 deny any log

line vty 0 4
access-class 10 in
login authentication TELNET

DLS1#telnet 10.2.2.2 /source-interface loopback 0
Trying 10.2.2.2 ... Open
User Access Verification

Username: admin
Password:cisco
DLS1#telnet 10.2.2.2
Trying 10.2.2.2 ...
% Connection refused by remote host


DLS2#
%SEC-6-IPACCESSLOGS: list 10 denied 10.1.12.1 1 packet


STP default behaviour


• Disable the interfaces that do not take part in the topology.
How can we determine STP's behaviour in this example? We will explain the process step by step. For this
example we will use VLAN 1 as the reference. The most effective and simplest way to determine the STP
roles is the following:
1. Determine the cost of each link. The following table will be useful for this (we can verify that the
values are indeed those shown by using show interface):


Link BW      STP cost
4 Mbps       250
10 Mbps      100
16 Mbps      62
45 Mbps      39
100 Mbps     19
155 Mbps     14
622 Mbps     6
1 Gbps       4
10 Gbps      2

- Bridge ID = Bridge priority : Bridge MAC address.
DLS1#show spanning-tree bridge id
VLAN0001 8001.e8ba.70cb.f600
DLS2#show spanning-tree bridge id
VLAN0001 8001.3037.a6eb.d580
ALS1#show spanning-tree bridge id
VLAN0001 8001.0022.5689.5d80
ALS2#show spanning-tree bridge id
VLAN0001 8001.0022.5688.7900




2. Identify the Root Bridge
This requires finding out which MAC each switch is using (assuming the priority is the same for all
switches in the domain). For that we determine the MAC with the show version command, as shown next:


DLS1#sh version | include Base
Base ethernet MAC Address : E8:BA:70:CB:F6:00

DLS2#sh version | include Base
Base ethernet MAC Address : 30:37:A6:EB:D5:80

ALS1#sh version | include Base
Base ethernet MAC Address : 00:22:56:89:5D:80

ALS2#sh version | include Base
Base ethernet MAC Address : 00:22:56:88:79:00


Looking at the outputs above we can see that no L3 switch will be elected Root Bridge, because the lowest
value wins; therefore we must determine which of the two switches, ALS1 or ALS2, will obtain the title of
Root Bridge.
The show spanning-tree command will show us which one is the Root Bridge.
Note: obviously these results may vary between different devices since they have different MACs.


ALS1 → 00:22:56:89:5D:80
ALS1 → 0x002256895D80 (Hex)
ALS1 → 147480731008 (decimal)

ALS2 → 00:22:56:88:79:00
ALS2 → 0x002256887900 (Hex)
ALS2 → 147480672512 (decimal) //Lower value, therefore it must be the Root Bridge.

ALS2#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0022.5688.7900
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

DLS1#sh spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0022.5688.7900
Cost 19
Port 6 (FastEthernet0/4)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec





3. Select the ROOT PORT (only one on each non-root bridge). This is the port of the bridge (or switch) that
has the best path to the Root Bridge, that is, the lowest cost.
DLS1: the RP is interface fastethernet 0/4 (cost 19).
DLS2: the RP is interface fastethernet 0/2 (cost 19).
ALS1: the RP is interface fastethernet 0/6 (cost 19).
ALS2 is the ROOT BRIDGE. Not applicable.




DLS1#sh spanning-tree root port
VLAN0001 FastEthernet0/9

DLS2#sh spanning-tree root port
VLAN0001 FastEthernet0/7

ALS1#sh spanning-tree root port
VLAN0001 FastEthernet0/11

4. Designated Port (DP) selection. On each link, the port with the lowest cost to the Root Bridge is
selected. The Root Bridge also takes part, and naturally all of its ports are designated. When the values
are equal we must apply a tie-breaking method:
- Lowest root bridge ID
- Lowest cost to the root bridge
- Lowest sender bridge ID
- Lowest sender port ID

Note: most of these parameters can be obtained with the show spanning-tree interface detail
command.

ALS2#show spanning-tree interface fastEthernet 0/2 detail
Port 2 (FastEthernet0/2) of VLAN0001 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.2.
Designated root has priority 32769, address 0022.5688.7900
Designated bridge has priority 32769, address 0022.5688.7900
Designated port id is 128.2, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
BPDU: sent 4002, received 2

Link DLS1 ↔ DLS2: both interfaces have the same cost to the Root Bridge. We must check the other
criteria. The Bridge ID value of DLS1 is greater than the value of DLS2.

DLS1#sh spanning-tree bridge id
VLAN0001 8001.e8ba.70cb.f600

DLS2#show spanning-tree bridge id
VLAN0001 8001.3037.a6eb.d580

DLS1#sh spanning-tree vlan 1 interface fastEthernet 0/6
Vlan Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001 Altn BLK 19 128.8 P2p


DLS2#sh spanning-tree vlan 1 interface fastEthernet 0/6
Vlan Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg FWD 19 128.8 P2p



Link DLS1 ↔ ALS2. ALS2 is the Root, so the best path to the Root is simply ALS2's port
fastethernet 0/4. The same applies to DLS2 ↔ ALS2 and ALS1 ↔ ALS2.

ALS2#show spanning-tree vlan 1 interface fastEthernet 0/2
Vlan Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg FWD 19 128.2 P2p

ALS2#show spanning-tree vlan 1 interface fastEthernet 0/4
Vlan Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg FWD 19 128.4 P2p

ALS2#show spanning-tree vlan 1 interface fastEthernet 0/6
Vlan Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg FWD 19 128.6 P2p

Link DLS2 ↔ ALS1. We verify that the cost to reach the Root Bridge is the same, so we determine
which Bridge has the lowest ID; in this case ALS1 has the lower priority, so the designated port (DP)
is interface fastethernet 0/4 of ALS1.
DLS2#sh spanning-tree bridge id
VLAN0001 8001.3037.a6eb.d580

ALS1#sh spanning-tree bridge id
VLAN0001 8001.0022.5689.5d80

ALS1#show spanning-tree interface fastEthernet 0/4
Vlan Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg FWD 19 128.4 P2p

DLS2#show spanning-tree interface fastEthernet 0/4
Vlan Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001 Altn BLK 19 128.6 P2p

Link DLS1 ↔ ALS1. We verify that the cost to reach the Root Bridge is the same, so we determine
which Bridge has the lowest ID; in this case ALS1 has the lower priority, so the designated port (DP)
is interface fastethernet 0/4 of ALS1.

ALS1#sh spanning-tree bridge id
VLAN0001 8001.0022.5689.5d80

DLS1#show spanning-tree bridge id
VLAN0001 8001.e8ba.70cb.f600

DLS1#sh spanning-tree interface fastEthernet 0/2
Vlan Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001 Altn BLK 19 128.4 P2p




Finally, having determined the Root Bridge, the Root Ports and the Designated Ports, we have the following
layout.

5. Identify the blocked ports. This task is quick: if a port is neither an RP nor a DP it is simply a
blocked port. The diagram should then look as follows:


We verify that the STP election matches the one determined by the theoretical process. Voilà!

DLS1#sh spanning-tree vlan 1 | begin Interface
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/2 Altn BLK 19 128.4 P2p
Fa0/4 Root FWD 19 128.6 P2p
Fa0/6 Altn BLK 19 128.8 P2p

DLS2#sh spanning-tree vlan 1 | begin Interface
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/2 Root FWD 19 128.4 P2p
Fa0/4 Altn BLK 19 128.6 P2p
Fa0/6 Desg FWD 19 128.8 P2p

ALS1#sh spanning-tree vlan 1 | begin Interface
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/4 Desg FWD 19 128.4 P2p
Fa0/6 Root FWD 19 128.6 P2p

ALS2#sh spanning-tree vlan 1 | begin Interface
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/4 Desg FWD 19 128.4 P2p
Fa0/6 Desg FWD 19 128.6 P2p
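The five steps above carried out in code on the VLAN 1 values of this lab, as an added Python example that is not part of the guide. It uses the bridge IDs and the cost table printed above; the cabling is reconstructed from the show outputs, and the two ALS1 ports facing DLS1 and DLS2 (Fa0/2 and Fa0/4) are an assumption, since the text names Fa0/4 for both links.

```python
import heapq

# STP port path cost by link bandwidth in Mbps (the table above)
STP_COST = {4: 250, 10: 100, 16: 62, 45: 39, 100: 19, 155: 14, 622: 6, 1000: 4, 10000: 2}

# Bridge IDs for VLAN 1 as printed by "show spanning-tree bridge id" above
BRIDGES = {
    "DLS1": "8001.e8ba.70cb.f600",
    "DLS2": "8001.3037.a6eb.d580",
    "ALS1": "8001.0022.5689.5d80",
    "ALS2": "8001.0022.5688.7900",
}

# Cabling (switch, port, switch, port, Mbps) reconstructed from the show outputs.
# Assumption: ALS1 Fa0/2 faces DLS1 and ALS1 Fa0/4 faces DLS2.
LINKS = [
    ("DLS1", "Fa0/2", "ALS1", "Fa0/2", 100),
    ("DLS1", "Fa0/4", "ALS2", "Fa0/4", 100),
    ("DLS1", "Fa0/6", "DLS2", "Fa0/6", 100),
    ("DLS2", "Fa0/2", "ALS2", "Fa0/2", 100),
    ("DLS2", "Fa0/4", "ALS1", "Fa0/4", 100),
    ("ALS1", "Fa0/6", "ALS2", "Fa0/6", 100),
]


def bridge_id_key(bid):
    """'8001.e8ba.70cb.f600' -> (priority, mac); the lower tuple wins every STP comparison."""
    prio_hex, mac = bid.split(".", 1)
    return int(prio_hex, 16), int(mac.replace(".", ""), 16)


def port_id(port):
    """'Fa0/4' -> 4; stands in for the port identifier (port priority 128 is equal everywhere)."""
    return int(port.rsplit("/", 1)[1])


def neighbours(bridge, links):
    """Yield (neighbour, own_port, neighbour_port, link_cost) for every link on bridge."""
    for a, pa, b, pb, bw in links:
        if a == bridge:
            yield b, pa, pb, STP_COST[bw]
        elif b == bridge:
            yield a, pb, pa, STP_COST[bw]


def root_path_costs(root, bridges, links):
    """Dijkstra from the root: lowest accumulated path cost from every bridge to the root."""
    cost = {b: float("inf") for b in bridges}
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        c, b = heapq.heappop(heap)
        if c > cost[b]:
            continue
        for nbr, _, _, link_cost in neighbours(b, links):
            if c + link_cost < cost[nbr]:
                cost[nbr] = c + link_cost
                heapq.heappush(heap, (cost[nbr], nbr))
    return cost


def stp_roles(bridges=BRIDGES, links=LINKS):
    """Return (root, cost_to_root, roles) with roles[(switch, port)] in Root / Desg / Altn."""
    # Step 2: the lowest bridge ID (priority, then MAC) is the root
    root = min(bridges, key=lambda b: bridge_id_key(bridges[b]))
    rpc = root_path_costs(root, bridges, links)
    roles = {}
    # Step 3: one root port per non-root bridge, tie-breakers in the order listed above
    for b in bridges:
        if b == root:
            continue
        best = min(
            neighbours(b, links),
            key=lambda n: (rpc[n[0]] + n[3], bridge_id_key(bridges[n[0]]),
                           port_id(n[2]), port_id(n[1])),
        )
        roles[(b, best[1])] = "Root"
    # Step 4: one designated port per link; the root's own ports always win with cost 0
    for a, pa, b, pb, _ in links:
        ka = (rpc[a], bridge_id_key(bridges[a]), port_id(pa))
        kb = (rpc[b], bridge_id_key(bridges[b]), port_id(pb))
        desg, other = ((a, pa), (b, pb)) if ka < kb else ((b, pb), (a, pa))
        roles[desg] = "Desg"
        # Step 5: a port that is neither Root nor Desg is blocked (Altn)
        roles.setdefault(other, "Altn")
    return root, rpc, roles


if __name__ == "__main__":
    root, rpc, roles = stp_roles()
    print("Root bridge:", root)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} {port}: {role} (cost to root {rpc[sw]})")
```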


STP Configuration.


Prelab: erase previous configurations.

• Configure EtherChannel between DLS1 and DLS2 (Fa0/6 and Fa0/7). Use LACP.
• For the trunk, configure ISL between DLS1 and DLS2. Do not use DTP.

• At the end of the lab state:
- The purpose of the no-isl-entries enable command.
- What the debug spanning-tree switch state command is used for.


DLS1
default interface range fastEthernet 0/6-7

interface range fastEthernet 0/6-7
channel-group 12 mode active

interface Port-channel12
switchport trunk encapsulation isl
switchport mode trunk
switchport nonegotiate

DLS2
default interface range fastEthernet 0/6-7

interface range fastEthernet 0/6-7
channel-group 12 mode active

interface Port-channel12
switchport trunk encapsulation isl
switchport mode trunk
switchport nonegotiate

DLS1#sh etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator

M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
12 Po12(SU) LACP Fa0/6(P) Fa0/7(P)

DLS2#sh etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
12 Po12(SU) LACP Fa0/6(P) Fa0/7(P)

DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Po12 on isl trunking 1
Port Vlans allowed on trunk
Po12 1-4094
Port Vlans allowed and active in management domain
Po12 1
Port Vlans in spanning tree forwarding state and not pruned
Po12 1

DLS2#show spanning-tree vlan 1 interface port-channel 12
Vlan Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001 Desg FWD 12 128.144 P2p

DLS1#show spanning-tree vlan 1 interface port-channel 12
Vlan Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0001 Altn BLK 12 128.144 P2p


• Configure 802.1q on the remaining links as shown in the figure. Interfaces that do not take part in the
lab must be disabled.
• At the end of this section state which pathcost method is used.

DLS1#show interfaces status | include disabled
Fa0/3 disabled 1 auto auto 10/100BaseTX
Fa0/5 disabled 1 auto auto 10/100BaseTX

DLS1
default interface range fastEthernet 0/2 , fastEthernet 0/4
interface range fastEthernet 0/2 , fastEthernet 0/4
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate

DLS2
default interface range fastEthernet 0/2 , fastEthernet 0/4
interface range fastEthernet 0/2 , fastEthernet 0/4
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate

ALS1
default interface range fastEthernet 0/2 , fastEthernet 0/4 , fastEthernet 0/6
interface range fastEthernet 0/2 , fastEthernet 0/4 , fastEthernet 0/6
switchport mode trunk
switchport nonegotiate

ALS2
default interface range fastEthernet 0/2 , fastEthernet 0/4 , fastEthernet 0/6
interface range fastEthernet 0/2 , fastEthernet 0/4 , fastEthernet 0/6
switchport mode trunk
switchport nonegotiate

DLS1#sh interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Po12 on isl trunking 1
Port Vlans allowed on trunk
Fa0/2 1-4094
Fa0/4 1-4094
Po12 1-4094
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/4 1
Po12 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 none
Fa0/4 1
Po12 none

DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Po12 on isl trunking 1
Port Vlans allowed on trunk
Fa0/2 1-4094
Fa0/4 1-4094
Po12 1-4094
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/4 1
Po12 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1
Fa0/4 none
Po12 1

ALS1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/6 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1-4094
Fa0/4 1-4094
Fa0/6 1-4094
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/4 1
Fa0/6 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1
Fa0/4 1
Fa0/6 1

ALS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/6 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/2 1-4094
Fa0/4 1-4094
Fa0/6 1-4094
Port Vlans allowed and active in management domain
Fa0/2 1
Fa0/4 1
Fa0/6 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/2 1
Fa0/4 1
Fa0/6 1


As we can see, ALS2 will always be the Root Bridge, since it has the lowest MAC. This causes all of ALS2's
ports to be in FWD (Forwarding) state, as shown in the following output.
• State the purpose of the hello, forward delay and max age timers in the sending of BPDUs.


ALS2#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0022.5688.7900
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0022.5688.7900
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/4 Desg FWD 19 128.4 P2p
Fa0/6 Desg FWD 19 128.6 P2p


• Configure VTP with the following layout:
- DLS1 VTP Server, version 2, domain DUOC, password cisco
- DLS2 VTP Client, version 2, domain DUOC, password cisco
- ALS1 VTP Client, version 2, domain DUOC, password cisco
- ALS2 VTP Client, version 2, domain DUOC, password cisco


DLS1
vtp domain DUOC
vtp password cisco
vtp mode server

DLS2
vtp domain DUOC
vtp password cisco
vtp mode client

ALS1
vtp domain DUOC
vtp password cisco
vtp mode client

ALS2
vtp domain DUOC
vtp password cisco
vtp mode client


• On DLS1 create VLANs 2, 3, 4, 5, 6, 7, 8, 9, 10.
• Verify that these VLANs have been installed on the VTP client switches.

• Where do the switches in the VTP client role store the VLANs?

DLS1
vlan 2-10

DLS1#sh vl brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/5, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gi0/1, Gi0/2
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
5 VLAN0005 active
6 VLAN0006 active
7 VLAN0007 active
8 VLAN0008 active
9 VLAN0009 active
10 VLAN0010 active

DLS2#sh vl brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/5, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gi0/1, Gi0/2
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
5 VLAN0005 active
6 VLAN0006 active
7 VLAN0007 active
8 VLAN0008 active
9 VLAN0009 active
10 VLAN0010 active

ALS1#show vl brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/5, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gi0/1, Gi0/2
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
5 VLAN0005 active
6 VLAN0006 active
7 VLAN0007 active
8 VLAN0008 active
9 VLAN0009 active
10 VLAN0010 active

ALS2#show vl brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/3, Fa0/5, Fa0/7
Fa0/8, Fa0/9, Fa0/10, Fa0/11
Fa0/12, Fa0/13, Fa0/14, Fa0/15
Fa0/16, Fa0/17, Fa0/18, Fa0/19
Fa0/20, Fa0/21, Fa0/22, Fa0/23
Fa0/24, Gi0/1, Gi0/2
2 VLAN0002 active
3 VLAN0003 active
4 VLAN0004 active
5 VLAN0005 active
6 VLAN0006 active
7 VLAN0007 active
8 VLAN0008 active
9 VLAN0009 active
10 VLAN0010 active



• DLS1 must be Root Bridge for VLANs 1, 2, 3, 4 and backup Bridge for VLANs 5, 6, 7, 8, 9, 10.
• DLS2 must be Root Bridge for VLANs 5, 6, 7, 8, 9, 10 and backup Bridge for VLANs 1, 2, 3, 4.

Let us note some details. ALS2 (pay attention: on the equipment of each POD the result may differ, we are
working with default values) is the Root Bridge for all VLANs.

ALS2#show version | include Base
Base ethernet MAC Address : 00:22:56:88:79:00

ALS2#show spanning-tree bridge
Hello Max Fwd
Vlan Bridge ID Time Age Dly Protocol
---------------- --------------------------------- ----- --- --- --------
VLAN0001 32769 (32768, 1) 0022.5688.7900 2 20 15 ieee
VLAN0002 32770 (32768, 2) 0022.5688.7900 2 20 15 ieee
VLAN0003 32771 (32768, 3) 0022.5688.7900 2 20 15 ieee
VLAN0004 32772 (32768, 4) 0022.5688.7900 2 20 15 ieee
VLAN0005 32773 (32768, 5) 0022.5688.7900 2 20 15 ieee
VLAN0006 32774 (32768, 6) 0022.5688.7900 2 20 15 ieee
VLAN0007 32775 (32768, 7) 0022.5688.7900 2 20 15 ieee
VLAN0008 32776 (32768, 8) 0022.5688.7900 2 20 15 ieee
VLAN0009 32777 (32768, 9) 0022.5688.7900 2 20 15 ieee
VLAN0010 32778 (32768, 10) 0022.5688.7900 2 20 15 ieee

DLS1#sho spanning-tree root id
VLAN0001 8001.0022.5688.7900
VLAN0002 8002.0022.5688.7900
VLAN0003 8003.0022.5688.7900
VLAN0004 8004.0022.5688.7900
VLAN0005 8005.0022.5688.7900
VLAN0006 8006.0022.5688.7900
VLAN0007 8007.0022.5688.7900
VLAN0008 8008.0022.5688.7900
VLAN0009 8009.0022.5688.7900
VLAN0010 800A.0022.5688.7900


In the following output we can see the Bridge ID of DLS1. When we assign it the primary role for VLANs 1,
2, 3, 4 we will see that the Bridge ID matches that of DLS1.


DLS1#show version | include Base
Base ethernet MAC Address : E8:BA:70:CB:F6:00

ALS2#show spanning-tree root
Root Hello Max Fwd
Vlan Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001 32769 0022.5688.7900 0 2 20 15
VLAN0002 32770 0022.5688.7900 0 2 20 15
VLAN0003 32771 0022.5688.7900 0 2 20 15
VLAN0004 32772 0022.5688.7900 0 2 20 15
VLAN0005 32773 0022.5688.7900 0 2 20 15
VLAN0006 32774 0022.5688.7900 0 2 20 15
VLAN0007 32775 0022.5688.7900 0 2 20 15
VLAN0008 32776 0022.5688.7900 0 2 20 15
VLAN0009 32777 0022.5688.7900 0 2 20 15
VLAN0010 32778 0022.5688.7900 0 2 20 15

DLS1 recognises that the root for all the created VLANs and for VLAN 1 is the switch with Bridge ID
8001.0022.5688.7900, that is, ALS2. The same check must be made on every non-root switch.



DLS1
spanning-tree vlan 1,2,3,4 root primary
spanning-tree vlan 5-10 root secondary


DLS1 is now the root for VLANs 1, 2, 3, 4. Using the show spanning-tree root command we see the Bridge ID
24577 e8ba.70cb.f600 corresponding to VLAN 1.

• In which cases does the STP process lower the priority by 4096?
• Why does DLS1 take the Root role for all VLANs when it was configured to be primary only for
VLANs 1 to 4?

ALS2#show spanning-tree root
Root Hello Max Fwd
Vlan Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001 24577 e8ba.70cb.f600 19 2 20 15 Fa0/4
VLAN0002 24578 e8ba.70cb.f600 19 2 20 15 Fa0/4
VLAN0003 24579 e8ba.70cb.f600 19 2 20 15 Fa0/4
VLAN0004 24580 e8ba.70cb.f600 19 2 20 15 Fa0/4
VLAN0005 28677 e8ba.70cb.f600 19 2 20 15 Fa0/4
VLAN0006 28678 e8ba.70cb.f600 19 2 20 15 Fa0/4
VLAN0007 28679 e8ba.70cb.f600 19 2 20 15 Fa0/4
VLAN0008 28680 e8ba.70cb.f600 19 2 20 15 Fa0/4
VLAN0009 28681 e8ba.70cb.f600 19 2 20 15 Fa0/4
VLAN0010 28682 e8ba.70cb.f600 19 2 20 15 Fa0/4

DLS1#sh spanning-tree root
Root Hello Max Fwd
Vlan Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001 24577 e8ba.70cb.f600 0 2 20 15
VLAN0002 24578 e8ba.70cb.f600 0 2 20 15
VLAN0003 24579 e8ba.70cb.f600 0 2 20 15
VLAN0004 24580 e8ba.70cb.f600 0 2 20 15
VLAN0005 28677 e8ba.70cb.f600 0 2 20 15
VLAN0006 28678 e8ba.70cb.f600 0 2 20 15
VLAN0007 28679 e8ba.70cb.f600 0 2 20 15
VLAN0008 28680 e8ba.70cb.f600 0 2 20 15
VLAN0009 28681 e8ba.70cb.f600 0 2 20 15
VLAN0010 28682 e8ba.70cb.f600 0 2 20 15






We know that the default STP priority is 32768. Note also that the VLAN number is added to each priority,
that is, for VLAN 10 the priority value will be 32768 + 10 → 32778. If through configuration we assign a switch
the root role for some or all VLANs, STP lowers the priority by 8192 and adds the VLAN value. Looking at the
example, for VLAN 4 we have 32768 + 4 → 32772 - 8192 = 24580.
We configure the second task.


DLS2
spanning-tree vlan 5,6,7,8,9,10 root primary
spanning-tree vlan 1-4 root secondary

DLS2#show spanning-tree root
Root Hello Max Fwd
Vlan Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001 24577 e8ba.70cb.f600 12 2 20 15 Po12
VLAN0002 24578 e8ba.70cb.f600 12 2 20 15 Po12
VLAN0003 24579 e8ba.70cb.f600 12 2 20 15 Po12
VLAN0004 24580 e8ba.70cb.f600 12 2 20 15 Po12
VLAN0005 24581 3037.a6eb.d580 0 2 20 15
VLAN0006 24582 3037.a6eb.d580 0 2 20 15
VLAN0007 24583 3037.a6eb.d580 0 2 20 15
VLAN0008 24584 3037.a6eb.d580 0 2 20 15
VLAN0009 24585 3037.a6eb.d580 0 2 20 15
VLAN0010 24586 3037.a6eb.d580 0 2 20 15

DLS1#sh spanning-tree root
Root Hello Max Fwd
Vlan Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
VLAN0001 24577 e8ba.70cb.f600 0 2 20 15
VLAN0002 24578 e8ba.70cb.f600 0 2 20 15
VLAN0003 24579 e8ba.70cb.f600 0 2 20 15
VLAN0004 24580 e8ba.70cb.f600 0 2 20 15
VLAN0005 24581 3037.a6eb.d580 12 2 20 15 Po12
VLAN0006 24582 3037.a6eb.d580 12 2 20 15 Po12
VLAN0007 24583 3037.a6eb.d580 12 2 20 15 Po12
VLAN0008 24584 3037.a6eb.d580 12 2 20 15 Po12
VLAN0009 24585 3037.a6eb.d580 12 2 20 15 Po12
VLAN0010 24586 3037.a6eb.d580 12 2 20 15 Po12
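An added Python model, not from the guide, of the root primary and root secondary macros and of the per-VLAN election with the extended system ID, replayed on the four lab MACs printed above. It encodes the documented IOS rule: root primary sets the base priority to 24576 when that is enough to win, otherwise to 4096 below the current root's base priority, and root secondary always sets 28672, which is still lower than the 32768 default and explains why DLS1 was root for VLANs 5 to 10 until DLS2 was configured.

```python
DEFAULT_PRIORITY = 32768        # base priority before the sys-id-ext (VLAN number) is added
ROOT_PRIMARY_PRIORITY = 24576
ROOT_SECONDARY_PRIORITY = 28672

# Base MACs of the lab switches, from "show version | include Base" above
LAB_MACS = {
    "DLS1": "e8ba.70cb.f600",
    "DLS2": "3037.a6eb.d580",
    "ALS1": "0022.5689.5d80",
    "ALS2": "0022.5688.7900",
}


def bridge_id(base_priority, vlan, mac):
    """Extended-system-ID bridge ID as a comparable tuple: (base priority + VLAN, MAC); lower wins."""
    return base_priority + vlan, int(mac.replace(".", "").replace(":", ""), 16)


class StpDomain:
    """Per-VLAN bridge priorities of the switches sharing one PVST+ domain."""

    def __init__(self, macs):
        self.macs = dict(macs)
        self.base = {sw: {} for sw in macs}     # switch -> {vlan: configured base priority}

    def base_priority(self, sw, vlan):
        return self.base[sw].get(vlan, DEFAULT_PRIORITY)

    def bridge_id(self, sw, vlan):
        return bridge_id(self.base_priority(sw, vlan), vlan, self.macs[sw])

    def root(self, vlan):
        """The switch with the lowest bridge ID for this VLAN."""
        return min(self.macs, key=lambda sw: self.bridge_id(sw, vlan))

    def root_primary(self, sw, vlans):
        """'spanning-tree vlan X root primary': 24576 if that makes sw the root,
        otherwise 4096 below the current root's base priority (documented IOS behaviour)."""
        for vlan in vlans:
            prio = ROOT_PRIMARY_PRIORITY
            mine = bridge_id(prio, vlan, self.macs[sw])
            others = [self.bridge_id(o, vlan) for o in self.macs if o != sw]
            if others and min(others) < mine:
                prio = min(others)[0] - vlan - 4096      # strip the VLAN offset, then step down
                if prio < 0:
                    raise ValueError(f"{sw}: cannot become root for VLAN {vlan}")
            self.base[sw][vlan] = prio

    def root_secondary(self, sw, vlans):
        """'spanning-tree vlan X root secondary': fixed 28672, beats defaults but not a primary."""
        for vlan in vlans:
            self.base[sw][vlan] = ROOT_SECONDARY_PRIORITY

    def root_table(self, vlans):
        """{vlan: (root switch, Root ID priority as printed by 'show spanning-tree root')}"""
        return {v: (self.root(v), self.bridge_id(self.root(v), v)[0]) for v in vlans}


def run_lab(vlans=range(1, 11)):
    """Replay the three states shown above: defaults, after DLS1, after DLS2."""
    d = StpDomain(LAB_MACS)
    stages = {"default": d.root_table(vlans)}
    d.root_primary("DLS1", [1, 2, 3, 4])
    d.root_secondary("DLS1", range(5, 11))
    stages["after DLS1"] = d.root_table(vlans)
    d.root_primary("DLS2", range(5, 11))
    d.root_secondary("DLS2", [1, 2, 3, 4])
    stages["after DLS2"] = d.root_table(vlans)
    return stages


def contested_primary(vlan=5):
    """Constructed scenario (not on the page): both distribution switches run root primary for the
    same VLAN; the second one cannot win with 24576 and is set 4096 below the first."""
    d = StpDomain(LAB_MACS)
    d.root_primary("DLS2", [vlan])      # 24576; DLS2 is root
    d.root_primary("DLS1", [vlan])      # 24576 would lose on MAC, so DLS1 gets 20480
    return d.base_priority("DLS1", vlan), d.root(vlan)


if __name__ == "__main__":
    for stage, table in run_lab().items():
        print(stage, {v: f"{sw} {prio}" for v, (sw, prio) in table.items()})
    print("contested primary for VLAN 5:", contested_primary())
```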


STP BPDU Guard
• Interface fastethernet0/2 of ALS2 must belong to VLAN 10. A PC will be connected to it shortly.
Prevent the STP process from going through the listening/learning states. If the interface receives any
BPDU packet it must be placed in errdisable state for 30 seconds.


ALS2
interface FastEthernet0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast

ALS2#show interfaces fastEthernet 0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 10 (VLAN0010)

ALS2
spanning-tree portfast bpduguard default
errdisable recovery interval 30


If we connect a device that sends BPDUs (for example a switch) we get the following results:


04:27:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to down
04:27:49: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down
04:27:50: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/2 with BPDU Guard enabled.
Disabling port.
ALS2#
04:27:50: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/2, putting Fa0/2 in err-disable state

ALS2#show interfaces fastEthernet 0/2 status err-disabled
Port Name Status Reason
Fa0/2 err-disabled bpduguard
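An added Python example, not from the guide, that reads the syslog messages shown above and flags ports that BPDU guard keeps err-disabling. The sample log is constructed: it repeats the messages above and adds a %PM-4-ERR_RECOVER line and a second violation, which is what a BPDU-sending device left plugged into Fa0/2 produces with errdisable recovery interval 30, so a port that cycles through err-disable more than once is the condition worth alerting on.

```python
import re

# Constructed sample log: the messages printed above, then an automatic recovery 30 s later
# and a second violation on the same port (the BPDU sender is still attached)
SAMPLE_LOG = """\
04:27:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to down
04:27:49: %LINK-3-UPDOWN: Interface FastEthernet0/7, changed state to down
04:27:50: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/2 with BPDU Guard enabled. Disabling port.
04:27:50: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/2, putting Fa0/2 in err-disable state
04:28:20: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/2
04:28:21: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/2 with BPDU Guard enabled. Disabling port.
04:28:21: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/2, putting Fa0/2 in err-disable state
"""

ERR_DISABLE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d): %PM-4-ERR_DISABLE: (?P<reason>\S+) error detected on (?P<port>[^,]+),")
ERR_RECOVER = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d): %PM-4-ERR_RECOVER: Attempting to recover from (?P<reason>\S+) "
    r"err-disable state on (?P<port>\S+)")


def to_seconds(ts):
    """'04:27:50' -> seconds since midnight, enough to measure the recovery interval."""
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s


def bpduguard_events(log):
    """One record per BPDU-guard err-disable: the port, when it was disabled and when (if) it recovered."""
    events, pending = [], {}
    for line in log.splitlines():
        m = ERR_DISABLE.match(line)
        if m and m["reason"] == "bpduguard":
            ev = {"port": m["port"], "disabled_at": to_seconds(m["ts"]), "recovered_at": None}
            events.append(ev)
            pending[m["port"]] = ev
            continue
        m = ERR_RECOVER.match(line)
        if m and m["reason"] == "bpduguard" and m["port"] in pending:
            pending.pop(m["port"])["recovered_at"] = to_seconds(m["ts"])
    return events


def flapping_ports(events, min_hits=2):
    """Ports disabled by BPDU guard at least min_hits times. With errdisable recovery enabled the
    port re-enables every interval and is disabled again as long as BPDUs keep arriving."""
    hits = {}
    for ev in events:
        hits[ev["port"]] = hits.get(ev["port"], 0) + 1
    return {port: n for port, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    evs = bpduguard_events(SAMPLE_LOG)
    for ev in evs:
        print(ev)
    print("flapping:", flapping_ports(evs))
```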


FLEX Link




• Create a trunk using Fa0/7 and Fa0/8 of both switches, using a standard protocol.
• DLS1 VTP Server
• ALS1 VTP Client
• DLS1 must create VLANs 100, 200, 300 and 400. DLS1 must be root for all VLANs.
• Verify that ALS1 has the VLANs.


Flex Link is a Layer 2 feature that can coexist with STP. This enhancement allows a convergence time of
less than 50 milliseconds; in short, this time stays constant regardless of the number of VLANs or MAC
addresses configured on the switch.

A Flex Link consists of a pair of Layer 2 interfaces, which can be configured as switchports or port
channels, where one acts as backup for the other. It also offers an alternative to the Spanning Tree
Protocol (STP), allowing users to disable it while still providing a redundant link.


DLS1
interface FastEthernet0/7
switchport trunk encapsulation dot1q
switchport mode trunk

interface FastEthernet0/8
switchport trunk encapsulation dot1q
switchport mode trunk

ALS1
interface FastEthernet0/7
switchport mode trunk

interface FastEthernet0/8
switchport mode trunk

DLS1
vtp mode server
vtp domain duoc
vtp version 2
vlan 100,200,300,400
spanning-tree vlan 100,200,300,400 root primary

ALS1
vtp mode client
vtp domain duoc
vtp version 2


ALS1#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
100 VLAN0100 active
200 VLAN0200 active
300 VLAN0300 active
400 VLAN0400 active



DLS1#sh spanning-tree vlan 100
VLAN0100
Spanning tree enabled protocol ieee
Root ID Priority 24676
Address e8ba.70cb.f600
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 24676 (priority 24576 sys-id-ext 100)
Address e8ba.70cb.f600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/7 Desg FWD 19 128.9 P2p
Fa0/8 Desg FWD 19 128.10 P2p

ALS1#show spanning-tree vlan 100
VLAN0100
Spanning tree enabled protocol ieee
Root ID Priority 24676
Address e8ba.70cb.f600
Cost 19
Port 7 (FastEthernet0/7)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32868 (priority 32768 sys-id-ext 100)
Address 0022.5689.5d80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/7 Root FWD 19 128.7 P2p
Fa0/8 Altn BLK 19 128.8 P2p


Configure Flex Link with the following policies.
• ALS1 fa0/7 backup
• Connect PCs to an access port on DLS1 and on ALS1 (same VLAN) and test connectivity between them.
• Disable the active link and check the activation time.
Perform load balancing using the interface command switchport backup interface fastEthernet 0/3 prefer vlan
101…..


ALS1
interface FastEthernet0/8
switchport mode trunk
switchport backup interface Fa0/7


ALS1#show interfaces switchport backup
Switch Backup Interface Pairs:
Active Interface Backup Interface State
------------------------------------------------------------------------
FastEthernet0/8 FastEthernet0/7 Active Up/Backup Standby

DLS1
interface FastEthernet0/1
switchport access vlan 100
switchport mode access
spanning-tree portfast

ALS1
interface FastEthernet0/1
switchport access vlan 100
switchport mode access
spanning-tree portfast


Flex Link connectivity tests
PC1 → 10.1.1.1/24 connected to Fa0/1 of DLS1
PC2 → 10.1.1.2/24 connected to Fa0/1 of ALS1
We should have connectivity via ping.
Fa0/8 is the interface actively carrying traffic; if we disable it there is no interruption of traffic.


ALS1(config)#interface fastEthernet 0/8
ALS1(config-if)#shutdown

ALS1#show interfaces switchport backup
Switch Backup Interface Pairs:
Active Interface Backup Interface State
------------------------------------------------------------------------
FastEthernet0/8 FastEthernet0/7 Active Down/Backup Up

PC1 ping 10.1.1.2 -t
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128
Respuesta desde 10.1.1.2: bytes=32 tiempo<1m TTL=128

ALS1(config)#interface fastEthernet 0/8
ALS1(config-if)#no shutdown
ALS1#show interfaces switchport backup
Switch Backup Interface Pairs:
Active Interface Backup Interface State
------------------------------------------------------------------------
FastEthernet0/8 FastEthernet0/7 Active Standby/Backup Up


As we can see in the output above, interface fa0/8 does not return to the active state by default. In other
words, it does not reclaim the position it left. For that we must explicitly configure it to do so.

• Fastethernet 0/8 must return to the UP state 4 seconds after the link is restored.


ALS1
interface FastEthernet0/8
switchport backup interface Fa0/7 preemption delay 4
switchport backup interface Fa0/7 preemption mode forced //If we do not include forced, the process does not apply it

01:14:35: %BACKUP_INTERFACE-5-PREEMPT: Preempting interface Fa0/7 in backup pair (Fa0/8, Fa0/7),
preemption mode is forced

ALS1#show interfaces switchport backup detail
Switch Backup Interface Pairs:
Active Interface Backup Interface State
------------------------------------------------------------------------
FastEthernet0/8 FastEthernet0/7 Active Up/Backup Standby

Interface Pair : Fa0/8, Fa0/7
Preemption Mode : forced
Preemption Delay : 4 seconds
Bandwidth : 100000 Kbit (Fa0/8), 100000 Kbit (Fa0/7)
Mac Address Move Update Vlan : auto


MSTP Multiple Spanning Tree MST 802.1s


• Configure both switches in trunk mode. Use 802.1q.
• VTP: DLS1 must be VTP server, DLS2 VTP client. Use VTP domain DUOC, VTP version 2.
• On DLS1 create VLANs 10, 20, 30, 40, 50 and 60. Verify that these VLANs propagate to DLS2.
• Use RSTP+ for the initial configuration.


DLS1
spanning-tree mode rapid-pvst
vlan 10,20,30,40,50,60
vtp mode server
vtp domain DUOC
vtp version 2

DLS2
spanning-tree mode rapid-pvst
vtp mode client
vtp domain DUOC
vtp version 2

DLS1
interface range fastEthernet 0/6-7
switchport trunk encapsulation dot1q
switchport mode trunk

DLS2
interface range fastEthernet 0/6-7
switchport trunk encapsulation dot1q
switchport mode trunk

DLS1#sh interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 on 802.1q trunking 1
Fa0/7 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/6 1-4094
Fa0/7 1-4094
Port Vlans allowed and active in management domain
Fa0/6 1,10,20,30,40,50,60
Fa0/7 1,10,20,30,40,50,60
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 1,10,20,30,40,50,60
Fa0/7 none

DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/6 on 802.1q trunking 1
Fa0/7 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/6 1-4094
Fa0/7 1-4094
Port Vlans allowed and active in management domain
Fa0/6 1,10,20,30,40,50,60
Fa0/7 1,10,20,30,40,50,60
Port Vlans in spanning tree forwarding state and not pruned
Fa0/6 1,10,20,30,40,50,60
Fa0/7 1

DLS2#show vtp status
VTP Version : running VTP2
Configuration Revision : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs : 11
VTP Operating Mode : Client
VTP Domain Name : DUOC
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x87 0xDB 0x5B 0x22 0xB7 0x09 0xAD 0x2D
Configuration last modified by 1.1.1.1 at 3-1-93 00:24:25

DLS1#sh vtp status
VTP Version : running VTP2
Configuration Revision : 2
Maximum VLANs supported locally : 1005
Number of existing VLANs : 11
VTP Operating Mode : Server
VTP Domain Name : DUOC
VTP Pruning Mode : Disabled
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0x87 0xDB 0x5B 0x22 0xB7 0x09 0xAD 0x2D
Configuration last modified by 1.1.1.1 at 3-1-93 00:24:25
Local updater ID is 1.1.1.1 on interface Vl1 (lowest numbered VLAN interface found)

DLS2>show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active
30 VLAN0030 active
40 VLAN0040 active
50 VLAN0050 active
60 VLAN0060 active


Configure MST following these policies:
 Create two STP instances: instance 1 and instance 2.
 The revision number must be 1.
 The MST name must be CLASS.
 Instance 1 carries VLANs 10, 20 and 30.
 Instance 2 carries VLANs 40, 50, 60 and 1.
 Any other VLAN remains in instance 0.
 Instance 1 → FastEthernet0/6
 Instance 2 → FastEthernet0/7
 DLS1 must be Root Bridge for instance 1.
 DLS2 must be Root Bridge for instance 2.

The advantage of MST is that it can map several VLANs with the same requirements (same traffic pattern) onto a single STP instance, which means fewer resources consumed on the device.
Note: enabling MST disables Rapid PVST+.
Let us check how many instances exist. For that we use the show spanning-tree command.


DLS1#sh spanning-tree

VLAN0001
Spanning tree enabled protocol rstp
Root ID Priority 32769
Address 0022.5688.7900
Cost 38
Port 8 (FastEthernet0/6)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address e8ba.70cb.f600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/6 Root FWD 19 128.8 P2p
Fa0/7 Altn BLK 19 128.9 P2p

VLAN0010
Spanning tree enabled protocol rstp
Root ID Priority 32778
Address 3037.a6eb.d580
Cost 19
Port 8 (FastEthernet0/6)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32778 (priority 32768 sys-id-ext 10)
Address e8ba.70cb.f600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/6 Root FWD 19 128.8 P2p
Fa0/7 Altn BLK 19 128.9 P2p
*
*
*
VLAN0060
Spanning tree enabled protocol rstp
Root ID Priority 32828
Address 3037.a6eb.d580
Cost 19
Port 8 (FastEthernet0/6)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32828 (priority 32768 sys-id-ext 60)
Address e8ba.70cb.f600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/6 Root FWD 19 128.8 P2p
Fa0/7 Altn BLK 19 128.9 P2p


As the output above shows, STP is running a separate instance for each VLAN, as if each instance had a different path or a different flow, even though they all follow the same physical topology. DLS1 and DLS2 can form one MST region only if both have identical:

 Region name
 Revision number
 VLAN-to-instance assignments

To configure MST we follow these steps:
1. Enable MST globally:


DLS1
spanning-tree mode mst

DLS2
spanning-tree mode mst

DLS2#show spanning-tree vlan 10

MST0
Spanning tree enabled protocol mstp
Root ID Priority 32768
Address 3037.a6eb.d580
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32768 (priority 32768 sys-id-ext 0)
Address 3037.a6eb.d580
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/6 Desg FWD 200000 128.8 P2p
Fa0/7 Desg BLK 200000 128.9 P2p

DLS1#sh spanning-tree vlan 10

MST0
Spanning tree enabled protocol mstp
Root ID Priority 32768
Address 3037.a6eb.d580
Cost 0
Port 8 (FastEthernet0/6)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32768 (priority 32768 sys-id-ext 0)
Address e8ba.70cb.f600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/6 Root FWD 200000 128.8 P2p
Fa0/7 Altn BLK 200000 128.9 P2p


Note: if no mapping is configured, every VLAN belongs to instance 0 (MST0), as the following output shows.


DLS1#sh spanning-tree mst configuration
Name []
Revision 0 Instances configured 1

Instance Vlans mapped
-------- ---------------------------------------------------------------------
0 1-4094
-------------------------------------------------------------------------------

DLS2#show spanning-tree mst configuration
Name []
Revision 0 Instances configured 1

Instance Vlans mapped
-------- ---------------------------------------------------------------------
0 1-4094
-------------------------------------------------------------------------------



2. Enter MST configuration mode with the command spanning-tree mst configuration.
3. Set the revision number.
4. Set the region name.
5. Create the instances and assign VLANs to them.

Instance 1 carries VLANs 10, 20 and 30. Instance 2 carries VLANs 40, 50, 60 and 1. The changes are committed when you leave the sub-mode with exit; until then show spanning-tree mst configuration still reports the previous values.

DLS1
spanning-tree mst configuration
revision 1
name CLASS
instance 1 vlan 10,20,30
instance 2 vlan 1,40,50,60

DLS2
spanning-tree mst configuration
revision 1
name CLASS
instance 2 vlan 10,20,30
instance 1 vlan 1,40,50,60

DLS2#show spanning-tree mst configuration
Name [CLASS]
Revision 1 Instances configured 3

Instance Vlans mapped
-------- ---------------------------------------------------------------------
0 2-9,11-19,21-29,31-39,41-49,51-59,61-4094
1 1,40,50,60
2 10,20,30
-------------------------------------------------------------------------------

DLS1#show spanning-tree mst configuration
Name []
Revision 1 Instances configured 3

Instance Vlans mapped
-------- ---------------------------------------------------------------------
0 2-9,11-19,21-29,31-39,41-49,51-59,61-4094
1 10,20,30
2 1,40,50,60
-------------------------------------------------------------------------------
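The region mismatch visible above (instances 1 and 2 swapped on DLS2) is easy to miss by eye once there are more than two switches. The following Python script is an added example, not part of the original guide: it parses show spanning-tree mst configuration output from each switch and reports every reason two switches would not share a region (region name, revision, or any VLAN mapped to a different instance, the three inputs of the configuration digest carried in BPDUs). The sample outputs are constructed from the two captures above; the DLS1 name is assumed to read CLASS, as it does once the sub-mode has been exited.

```python
import re
from typing import Dict, List, Set

# Constructed sample inputs, copied from the two "show spanning-tree mst
# configuration" captures in this lab (DLS1 name assumed committed as CLASS).
DLS1_MST_CONFIG = """\
Name [CLASS]
Revision 1 Instances configured 3

Instance Vlans mapped
-------- ---------------------------------------------------------------------
0 2-9,11-19,21-29,31-39,41-49,51-59,61-4094
1 10,20,30
2 1,40,50,60
-------------------------------------------------------------------------------
"""

DLS2_MST_CONFIG = """\
Name [CLASS]
Revision 1 Instances configured 3

Instance Vlans mapped
-------- ---------------------------------------------------------------------
0 2-9,11-19,21-29,31-39,41-49,51-59,61-4094
1 1,40,50,60
2 10,20,30
-------------------------------------------------------------------------------
"""

# One "instance  vlan-list" row of the table; "Revision 1 ..." does not match.
VLAN_LINE = re.compile(r"^[ \t]*(\d+)[ \t]+([\d,\-]+)[ \t]*$", re.M)


def expand_vlans(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1,40-42,50' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_mst_config(output: str) -> dict:
    """Pull region name, revision and the instance -> VLAN-set table out of
    'show spanning-tree mst configuration' output."""
    name = re.search(r"^Name\s+\[(.*?)\]", output, re.M)
    revision = re.search(r"^Revision\s+(\d+)", output, re.M)
    if not name or not revision:
        raise ValueError("not a 'show spanning-tree mst configuration' output")
    mapping: Dict[int, Set[int]] = {
        int(inst): expand_vlans(vlans) for inst, vlans in VLAN_LINE.findall(output)
    }
    return {"name": name.group(1), "revision": int(revision.group(1)), "mapping": mapping}


def vlan_to_instance(mapping: Dict[int, Set[int]]) -> Dict[int, int]:
    """Invert the table to VLAN -> instance; VLANs not listed belong to instance 0."""
    table = {v: 0 for v in range(1, 4095)}
    for inst, vlans in mapping.items():
        for v in vlans:
            table[v] = inst
    return table


def region_differences(a: dict, b: dict) -> List[str]:
    """Reasons two switches would NOT share one MST region; empty list = same region."""
    diffs: List[str] = []
    if a["name"] != b["name"]:
        diffs.append(f"region name differs: {a['name']!r} vs {b['name']!r}")
    if a["revision"] != b["revision"]:
        diffs.append(f"revision differs: {a['revision']} vs {b['revision']}")
    ta, tb = vlan_to_instance(a["mapping"]), vlan_to_instance(b["mapping"])
    moved = sorted(v for v in ta if ta[v] != tb[v])
    if moved:
        diffs.append(f"{len(moved)} VLANs mapped to different instances: {moved[:10]}")
    return diffs


def check_region(outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare every switch against the first one given; keys are switch names."""
    names = list(outputs)
    parsed = {n: parse_mst_config(outputs[n]) for n in names}
    reference = parsed[names[0]]
    return {n: region_differences(reference, parsed[n]) for n in names[1:]}


if __name__ == "__main__":
    report = check_region({"DLS1": DLS1_MST_CONFIG, "DLS2": DLS2_MST_CONFIG})
    for switch, diffs in report.items():
        print(switch, "same region as DLS1" if not diffs else "; ".join(diffs))
```

Run against the two captures it reports seven VLANs (1, 10, 20, 30, 40, 50, 60) mapped to different instances, which is exactly why DLS1 shows its trunk ports as region boundaries. Feed it the output of every switch in the region before trusting show spanning-tree mst.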

DLS1#sh spanning-tree
MST0
Spanning tree enabled protocol mstp
Root ID Priority 32768
Address 3037.a6eb.d580
Cost 200000
Port 8 (FastEthernet0/6)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32768 (priority 32768 sys-id-ext 0)
Address e8ba.70cb.f600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/6 Root FWD 200000 128.8 P2p Bound(RSTP)
Fa0/7 Altn BLK 200000 128.9 P2p Bound(RSTP)

MST1
Spanning tree enabled protocol mstp
Root ID Priority 32769
Address e8ba.70cb.f600
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address e8ba.70cb.f600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/6 Mstr FWD 200000 128.8 P2p Bound(RSTP)
Fa0/7 Altn BLK 200000 128.9 P2p Bound(RSTP)

MST2
Spanning tree enabled protocol mstp
Root ID Priority 32770
Address e8ba.70cb.f600
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32770 (priority 32768 sys-id-ext 2)
Address e8ba.70cb.f600
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/6 Mstr FWD 200000 128.8 P2p Bound(RSTP)
Fa0/7 Altn BLK 200000 128.9 P2p Bound(RSTP)



Note that there is one bridge ID per instance: the instance number (sys-id-ext) is added to 32768, which makes each BID unique.
Note also that the DLS2 mapping above is the reverse of the DLS1 mapping (instance 1 = 1,40,50,60 on DLS2 against 10,20,30 on DLS1). Because the VLAN-to-instance table is part of the region identity, the two switches are in different regions: DLS1 marks Fa0/6 and Fa0/7 as Bound(RSTP), MST1 and MST2 show the Mstr (master) role on the boundary port, and each switch is the root of every instance inside its own region. Correct DLS2 so that instance 1 = 10,20,30 and instance 2 = 1,40,50,60 (the same entries in the same instances, the order of the lines is irrelevant); once the mappings match, the Bound(RSTP) flag disappears. The final port-priority output, where DLS2 sees Fa0/6 as its Root port for MST1, can only occur once both switches share the region.


DLS1#sh spanning-tree bridge
Hello Max Fwd
MST Instance Bridge ID Time Age Dly Protocol
---------------- --------------------------------- ----- --- --- --------
MST0 32768 (32768, 0) e8ba.70cb.f600 2 20 15 mstp
MST1 32769 (32768, 1) e8ba.70cb.f600 2 20 15 mstp
MST2 32770 (32768, 2) e8ba.70cb.f600 2 20 15 mstp

DLS1#show version | include Base
Base ethernet MAC Address : E8:BA:70:CB:F6:00

DLS2#show spanning-tree root
Hello Max Fwd
MST Instance Bridge ID Time Age Dly Protocol
---------------- --------------------------------- ----- --- --- --------
MST0 32768 (32768, 0) 3037.a6eb.d580 2 20 15 mstp
MST1 32769 (32768, 1) 3037.a6eb.d580 2 20 15 mstp
MST2 32770 (32768, 2) 3037.a6eb.d580 2 20 15 mstp

DLS2#show version | include Base
Base ethernet MAC Address : 30:37:A6:EB:D5:80


 DLS1 must be Root Bridge for instance 1.
 DLS2 must be Root Bridge for instance 2.

We can now set priorities treating the bundled VLANs as a single entity, instance 1 and instance 2. The priority must be set in increments of 4096 (0, 4096, 8192, ...). The Root ID that show spanning-tree root prints is the configured priority plus the instance number: 1 (0+1) and 4098 (4096+2) on DLS1, 4097 (4096+1) and 2 (0+2) on DLS2.


DLS1(config)#spanning-tree mst 1 priority ?
<0-61440> bridge priority in increments of 4096

DLS1(config)#spanning-tree mst 1 priority 0
DLS1(config)#spanning-tree mst 2 priority 4096

DLS2
spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 0

DLS1#show spanning-tree root
Root Hello Max Fwd
MST Instance Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
MST0 32768 3037.a6eb.d580 200000 2 20 15 Fa0/6
MST1 1 e8ba.70cb.f600 0 2 20 15
MST2 4098 e8ba.70cb.f600 0 2 20 15

DLS2#show spanning-tree root
Root Hello Max Fwd
MST Instance Root ID Cost Time Age Dly Root Port
---------------- -------------------- --------- ----- --- --- ------------
MST0 32768 3037.a6eb.d580 0 2 20 15
MST1 4097 3037.a6eb.d580 0 2 20 15
MST2 2 3037.a6eb.d580 0 2 20 15
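To see how the Root ID values above (1, 4098, 4097, 2) come about, here is an added Python example, not from the original guide, that computes the effective bridge ID per instance (priority + instance number) and runs the root election with the MAC tie-break, using the base MACs from show version and the priorities configured above. It also runs the election with default priorities, where DLS2's lower base MAC makes it root of every instance, which is what the first MST outputs in this lab showed. The Bridge class and the validation of the 4096 step are the example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

MAX_PRIORITY = 61440          # 15 * 4096, the upper bound IOS accepts


@dataclass
class Bridge:
    name: str
    base_mac: str                                     # as printed by "show version | include Base"
    priorities: Dict[int, int] = field(default_factory=dict)  # instance -> configured priority


def bridge_id(priority: int, instance: int) -> int:
    """Effective 16-bit bridge priority: the configured value occupies the top 4 bits
    (hence the multiple-of-4096 rule) and the MST instance number the low 12 bits."""
    if priority % 4096 or not 0 <= priority <= MAX_PRIORITY:
        raise ValueError(f"priority {priority} is not a multiple of 4096 in 0..{MAX_PRIORITY}")
    if not 0 <= instance <= 4095:
        raise ValueError(f"instance {instance} out of range")
    return priority + instance


def mac_value(mac: str) -> int:
    """'E8:BA:70:CB:F6:00' or 'e8ba.70cb.f600' -> integer usable as a tie-breaker."""
    return int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)


def effective_id(bridge: Bridge, instance: int) -> int:
    """Priority falls back to the IOS default of 32768 when nothing is configured."""
    return bridge_id(bridge.priorities.get(instance, 32768), instance)


def elect_root(instance: int, bridges: List[Bridge]) -> Bridge:
    """Lowest (effective id, MAC) wins; the MAC only decides when priorities tie."""
    return min(bridges, key=lambda b: (effective_id(b, instance), mac_value(b.base_mac)))


def root_table(bridges: List[Bridge], instances: Iterable[int]) -> Dict[int, Tuple[str, int]]:
    """instance -> (root bridge name, root's effective id), i.e. the Root ID column
    of 'show spanning-tree root' as every switch in the region should print it."""
    table: Dict[int, Tuple[str, int]] = {}
    for inst in instances:
        root = elect_root(inst, bridges)
        table[inst] = (root.name, effective_id(root, inst))
    return table


# Constructed from the lab: base MACs from "show version", priorities as configured above.
DLS1 = Bridge("DLS1", "E8:BA:70:CB:F6:00", {1: 0, 2: 4096})
DLS2 = Bridge("DLS2", "30:37:A6:EB:D5:80", {1: 4096, 2: 0})
DEFAULTS = [Bridge("DLS1", "E8:BA:70:CB:F6:00"), Bridge("DLS2", "30:37:A6:EB:D5:80")]

if __name__ == "__main__":
    print("default priorities:", root_table(DEFAULTS, (0, 1, 2)))   # DLS2 wins all on MAC
    print("as configured:     ", root_table([DLS1, DLS2], (0, 1, 2)))  # MST1 -> DLS1, MST2 -> DLS2
```

MST0 (the CIST) is left at 32768 on both switches in this lab, so the lower MAC still decides it and DLS2 remains the CIST root; set spanning-tree mst 0 priority as well if the root of instance 0 matters.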



DLS1#sh spanning-tree interface fastEthernet 0/6
Mst Instance Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
MST0 Root FWD 200000 128.8 P2p Bound(RSTP)
MST1 Mstr FWD 200000 128.8 P2p Bound(RSTP)
MST2 Mstr FWD 200000 128.8 P2p Bound(RSTP)

DLS1#sh spanning-tree interface fastEthernet 0/7
Mst Instance Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
MST0 Altn BLK 200000 128.9 P2p Bound(RSTP)
MST1 Altn BLK 200000 128.9 P2p Bound(RSTP)
MST2 Altn BLK 200000 128.9 P2p Bound(RSTP)

DLS2#sh spanning-tree interface fastEthernet 0/6
Mst Instance Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
MST0 Desg FWD 200000 128.8 P2p
MST1 Desg FWD 200000 128.8 P2p
MST2 Desg FWD 200000 128.8 P2p

DLS2#sh spanning-tree interface fastEthernet 0/7
Mst Instance Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
MST0 Desg FWD 200000 128.9 P2p
MST1 Desg FWD 200000 128.9 P2p
MST2 Desg FWD 200000 128.9 P2p




We want instance 1 traffic to use Fa0/6 and instance 2 traffic to use Fa0/7. Port priority is carried in the BPDUs that the designated (upstream) switch sends, so the lower value set on the root's port decides which link the downstream switch selects as its root port; the value goes in increments of 16 (0 to 240).


DLS1
interface FastEthernet0/6
spanning-tree mst 1 port-priority 0
spanning-tree mst 2 port-priority 240

interface FastEthernet0/7
spanning-tree mst 1 port-priority 240
spanning-tree mst 2 port-priority 0

DLS2
interface FastEthernet0/6
spanning-tree mst 1 port-priority 0
spanning-tree mst 2 port-priority 240

interface FastEthernet0/7
spanning-tree mst 1 port-priority 240
spanning-tree mst 2 port-priority 0


Note that instance 1 now uses Fa0/6 (DLS2's Root port for MST1, Fa0/7 is Altn/BLK) and instance 2 uses Fa0/7 (priority 0 on DLS2's Fa0/7 for MST2, where DLS2 is the root and therefore both ports are Designated).


DLS2#show spanning-tree interface fastEthernet 0/6
Mst Instance Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
MST0 Desg FWD 200000 128.13 P2p
MST1 Root FWD 200000 0.13 P2p
MST2 Desg FWD 200000 240.13 P2p

DLS2#show spanning-tree interface fastEthernet 0/7
Mst Instance Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
MST0 Desg FWD 200000 128.14 P2p
MST1 Altn BLK 200000 240.14 P2p
MST2 Desg FWD 200000 0.14 P2p







InterVLAN Routing using a Layer 3 switch



 On DLS1 create VLANs 10 and 20. Then create the VLAN interface (SVI) for each VLAN created.

 Assign the access VLANs as shown in the figure. Prevent STP from passing through the listening/learning states on access ports Fa0/1 and Fa0/8.

 Configure the PCs as shown in the figure and set the SVI as the default gateway. Verify connectivity.


DLS1
vlan 10,20

interface Vlan10
ip address 10.0.0.1 255.255.255.0
no shut

interface Vlan20
ip address 20.0.0.1 255.255.255.0
no shut

DLS1#sh vlan brief | exclude unsup

VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active


 Assign the access VLANs as shown in the figure. Prevent STP from passing through the listening/learning states on access ports Fa0/1 and Fa0/8.


DLS1
interface FastEthernet0/1
description ***a PC1***
switchport access vlan 10
switchport mode access
spanning-tree portfast
no shutdown

interface FastEthernet0/8
description ***a PC2***
switchport access vlan 20
switchport mode access
spanning-tree portfast
no shutdown

DLS1#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms

DLS1#ping 20.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

PC1
C:\>ping 10.0.0.1
Pinging 10.0.0.1 with 32 bytes of data:

Reply from 10.0.0.1: bytes=32 time=3ms TTL=255
Reply from 10.0.0.1: bytes=32 time=1ms TTL=255
Reply from 10.0.0.1: bytes=32 time=1ms TTL=255
Reply from 10.0.0.1: bytes=32 time<1ms TTL=255

Ping statistics for 10.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0
(0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 3ms, Average = 1ms







PC2
C:\>ping 20.0.0.1

Pinging 20.0.0.1 with 32 bytes of data:

Reply from 20.0.0.1: bytes=32 time=28ms TTL=255
Reply from 20.0.0.1: bytes=32 time=2ms TTL=255
Reply from 20.0.0.1: bytes=32 time=2ms TTL=255
Reply from 20.0.0.1: bytes=32 time=1ms TTL=255

Ping statistics for 20.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0
(0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 28ms, Average = 8ms


 Enable routing on the switch.


DLS1
ip routing

DLS1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

20.0.0.0/24 is subnetted, 1 subnets
C 20.0.0.0 is directly connected, Vlan20
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Vlan10



 Create a default route on the PCs.

 Verify connectivity between PC1 (VLAN 10) and PC2 (VLAN 20).


PC1
C:\>route add 0.0.0.0 mask 0.0.0.0 10.0.0.1

PC2
C:\>route add 0.0.0.0 mask 0.0.0.0 20.0.0.1



PC1
C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 24 8c cd 2a 2a ...... SiS191 Ethernet Controller - Packet Scheduler Miniport
0x3 ...08 00 27 00 f0 c5 ...... VirtualBox Host-Only Ethernet Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.2 1

PC2
C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...0c ee e6 a0 33 43 ...... Broadcom 802.11g Network Adapter - Packet Scheduler Miniport
0x10004 ...00 26 22 70 6d df ...... Atheros AR8132 PCI-E Fast Ethernet Controller - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 20.0.0.1 20.0.0.2 1


PC1
C:\>ping 20.0.0.2

Pinging 20.0.0.2 with 32 bytes of data:

Reply from 20.0.0.2: bytes=32 time=1ms TTL=127
Reply from 20.0.0.2: bytes=32 time<1ms TTL=127
Reply from 20.0.0.2: bytes=32 time<1ms TTL=127
Reply from 20.0.0.2: bytes=32 time<1ms TTL=127

Ping statistics for 20.0.0.2:
Packets: Sent = 4, Received = 4, Lost = 0
(0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms


PC2
C:\>ping 10.0.0.2

Pinging 10.0.0.2 with 32 bytes of data:

Reply from 10.0.0.2: bytes=32 time<1ms TTL=127
Reply from 10.0.0.2: bytes=32 time<1ms TTL=127
Reply from 10.0.0.2: bytes=32 time<1ms TTL=127
Reply from 10.0.0.2: bytes=32 time<1ms TTL=127

Ping statistics for 10.0.0.2:
Packets: Sent = 4, Received = 4, Lost = 0
(0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms







InterVLAN Routing between L2/L3 switches.



 Configure the four switches based on the following requirements:
- VTP domain i29
- VTP version 2
- DLS1 → VTP Server, DLS2 → VTP Client, ALS2 → VTP Client, ALS1 → VTP Client

 Configure link aggregation as shown in the figure; do not use negotiation on the port channels, except on Po2 DLS2-ALS2. Configure the trunks using 802.1Q encapsulation.

 DLS1 must create VLANs 10 and 20. Verify that these VLANs plus the default VLAN are "visible" on the other switches (DLS2, ALS1 and ALS2).

 Configure the access ports on the L2 switches as shown in the figure, assigning the corresponding VLAN. Prevent STP from passing through the listening/learning states.

 Create the SVIs on each L3 switch. Enable routing.

 On the PCs assign the addressing shown. Additionally create a default route pointing to the default gateway.

 Verify connectivity between PC1 (VLAN 10) and PC2 (VLAN 20).

 Configure the PCs as shown in the figure and set the IP address of the VLAN interface as the default gateway. Verify connectivity.

 Configure the four switches based on the following requirements:
- VTP domain i29
- VTP version 2
- DLS1 → VTP Server, DLS2 → VTP Client, ALS2 → VTP Client, ALS1 → VTP Client.

 Configure link aggregation as shown in the figure; do not use negotiation on the port channels, except on Po2 DLS2-ALS2. Configure the trunks using 802.1Q encapsulation. Only the default VLAN, 10 and 20 are allowed.


DLS1
vtp mode server
vtp domain i29
vtp version 2

DLS2
vtp mode client
vtp domain i29
vtp version 2

ALS1
vtp mode client
vtp domain i29
vtp version 2

ALS2
vtp mode client
vtp domain i29
vtp version 2

DLS1
default interface range fastEthernet 0/2-3 , fastEthernet 0/6-7

interface range fastEthernet 0/2-3
channel-group 1 mode on

interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20
switchport mode trunk
switchport nonegotiate

interface range fastEthernet 0/6-7
channel-group 12 mode on

interface Port-channel12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20
switchport mode trunk
switchport nonegotiate


DLS2
default interface range fastEthernet 0/2-3 , fastEthernet 0/6-7 , fastEthernet 0/13-20

interface range fastEthernet 0/2-3 , fastEthernet 0/13-20
channel-group 2 mode active

interface Port-channel2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20
switchport mode trunk
switchport nonegotiate

interface range fastEthernet 0/6-7
channel-group 12 mode on

interface Port-channel12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20
switchport mode trunk
switchport nonegotiate

DLS2#show etherchannel 12 summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port

Number of channel-groups in use: 2
Number of aggregators: 2

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
12 Po12(SU) - Fa0/6(P) Fa0/7(P)

ALS1
default interface range fastEthernet 0/2-3

interface range fastEthernet 0/2-3
channel-group 1 mode on

interface Port-channel1
switchport trunk allowed vlan 1,10,20
switchport mode trunk
switchport nonegotiate

DLS1#sh etherchannel 1 summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator

M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port

Number of channel-groups in use: 2
Number of aggregators: 2

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) - Fa0/2(P) Fa0/3(P)

ALS2
default interface range fastEthernet 0/2-3 , fastEthernet 0/13-20

interface range fastEthernet 0/2-3 , fastEthernet 0/13-20
channel-group 2 mode active

interface Port-channel2
switchport trunk allowed vlan 1,10,20
switchport mode trunk
switchport nonegotiate

ALS2#show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port

Number of channel-groups in use: 1
Number of aggregators: 1

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
2 Po2(SU) LACP Fa0/2(P) Fa0/3(P) Fa0/13(P)
Fa0/14(P) Fa0/15(P) Fa0/16(P)
Fa0/17(P) Fa0/18(P) Fa0/19(H)
Fa0/20(H)

Note: ten ports were placed in channel-group 2, but LACP bundles at most eight active links per port channel; Fa0/19 and Fa0/20 carry the H (hot-standby) flag and only join the bundle if an active member fails. The switchport nonegotiate on Po2 disables DTP only; it has no effect on LACP negotiation.


 DLS1 must create VLANs 10 and 20. Verify that these VLANs plus the default VLAN are "visible" on the other switches (DLS2, ALS1 and ALS2).

 Configure the access ports on the L2 switches as shown in the figure, assigning the corresponding VLAN. Prevent STP from passing through the listening/learning states.


DLS1
vlan 10,20

DLS1#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/4, Fa0/5, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Fa0/24
Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active

DLS2#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/4, Fa0/5, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active

ALS1
interface FastEthernet0/23
switchport access vlan 10
switchport mode access
spanning-tree portfast


ALS1#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/4, Fa0/5, Fa0/6
Fa0/7, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active Fa0/23
20 VLAN0020 active
ALS2
interface FastEthernet0/23
switchport access vlan 20
switchport mode access
spanning-tree portfast


ALS2#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/4, Fa0/5, Fa0/6
Fa0/7, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/24, Gi0/1
Gi0/2
10 VLAN0010 active
20 VLAN0020 active Fa0/23



 Create the SVIs on each L3 switch (see figure). Enable routing.

 On the PCs assign the addressing shown.


DLS1
interface Vlan10
ip address 10.0.0.1 255.255.255.0

interface Vlan20
ip address 20.0.0.1 255.255.255.0

DLS2
interface Vlan10
ip address 10.0.0.2 255.255.255.0

interface Vlan20
ip address 20.0.0.2 255.255.255.0

DLS2#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

DLS2#ping 20.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

DLS1
ip routing

DLS2
ip routing

PC1
C:\>ping 20.0.0.10
Pinging 20.0.0.10 with 32 bytes of data:
Reply from 20.0.0.10: bytes=32 time<1ms TTL=127
Reply from 20.0.0.10: bytes=32 time<1ms TTL=127
Reply from 20.0.0.10: bytes=32 time<1ms TTL=127
Reply from 20.0.0.10: bytes=32 time<1ms TTL=127

Ping statistics for 20.0.0.10:
Packets: Sent = 4, Received = 4, Lost = 0
(0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms



IP DHCP

Continuation of the previous lab.
 Disable Po12.

 On DLS1 create VLAN 100 plus SVI 100 using IP address 100.1.1.1/24. It must be allowed on Po1 DLS1/ALS1.

 Configure DHCP on DLS1 with the following characteristics:
- Pool ABCD 100.1.1.0/24
- Default router 100.1.1.1
- Infinite lease.
- The range 100.1.1.1 to 100.1.1.20 must be excluded.
Note: an infinite lease is never reclaimed, so every device that ever connects keeps its address and the 234 usable addresses fill up with stale bindings; use a finite lease in production, or clear bindings by hand with clear ip dhcp binding *.

 On ALS1 assign VLAN 100 to port Fa0/23 (access port).


DLS1
vlan 100

interface Vlan100
ip address 100.1.1.1 255.255.255.0

ip dhcp excluded-address 100.1.1.1 100.1.1.20

ip dhcp pool ABCD
network 100.1.1.0 255.255.255.0
default-router 100.1.1.1
lease infinite

interface port-channel 1
switchport trunk allowed vlan add 100

DLS1#sh running-config interface port-channel 1
Building configuration...

Current configuration : 159 bytes
!
interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20,100
switchport mode trunk
switchport nonegotiate

ALS1
interface port-channel 1
switchport trunk allowed vlan add 100

ALS1#sh running-config interface port-channel 1
Building configuration...

Current configuration : 121 bytes
!
interface Port-channel1
switchport trunk allowed vlan 1,10,20,100
switchport mode trunk
switchport nonegotiate

ALS1#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/4, Fa0/5, Fa0/6
Fa0/7, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active Fa0/23
20 VLAN0020 active
100 VLAN0100 active


ALS1
default interface fastEthernet 0/23

interface FastEthernet0/23
switchport access vlan 100
switchport mode access
spanning-tree portfast


 Connect PC1 to port Fa0/23 and use the command debug ip dhcp server packet to watch the DHCP exchange between client and server. The first DHCPREQUEST is the PC (MAC 00:24:8c:cd:2a:2a, the same host seen in the route print earlier) trying to re-use a previously held address; the server answers DHCPNAK ("client has moved to a new subnet"), the client restarts with DHCPDISCOVER and receives 100.1.1.21, the first address after the excluded range.


DLS1#debug ip dhcp server packet
DHCP server packet debugging is on.

*Mar 1 01:25:03.142: DHCPD: Reload workspace interface Vlan100 tableid 0.
*Mar 1 01:25:03.142: DHCPD: tableid for 100.1.1.1 on Vlan100 is 0
*Mar 1 01:25:03.142: DHCPD: client's VPN is .
*Mar 1 01:25:03.142: DHCPD: DHCPREQUEST received from client 0100.248c.cd2a.2a.
*Mar 1 01:25:03.142: DHCPD: client has moved to a new subnet.
*Mar 1 01:25:03.142: DHCPD: Sending DHCPNAK to client 0100.248c.cd2a.2a.
*Mar 1 01:25:03.142: DHCPD: broadcasting BOOTREPLY to client 0024.8ccd.2a2a.
*Mar 1 01:25:04.140: DHCPD: Reload workspace interface Vlan100 tableid 0.
*Mar 1 01:25:04.140: DHCPD: tableid for 100.1.1.1 on Vlan100 is 0
*Mar 1 01:25:04.140: DHCPD: client's VPN is .
*Mar 1 01:25:04.140: DHCPD: using received relay info.
*Mar 1 01:25:04.140: DHCPD: DHCPDISCOVER received from client 0100.248c.cd2a.2a on interface Vlan100.
*Mar 1 01:25:04.140: DHCPD: using received relay info.
*Mar 1 01:25:06.153: DHCPD: Sending DHCPOFFER to client 0100.248c.cd2a.2a (100.1.1.21).
*Mar 1 01:25:06.153: DHCPD: Check for IPe on Vlan100
*Mar 1 01:25:06.153: DHCPD: creating ARP entry (100.1.1.21, 0024.8ccd.2a2a).
*Mar 1 01:25:06.153: DHCPD: unicasting BOOTREPLY to client 0024.8ccd.2a2a (100.1.1.21).
*Mar 1 01:25:06.162: DHCPD: Reload workspace interface Vlan100 tableid 0.
*Mar 1 01:25:06.162: DHCPD: tableid for 100.1.1.1 on Vlan100 is 0
*Mar 1 01:25:06.162: DHCPD: client's VPN is .
*Mar 1 01:25:06.162: DHCPD: DHCPREQUEST received from client 0100.248c.cd2a.2a.
*Mar 1 01:25:06.162: DHCPD: Sending DHCPACK to client 0100.248c.cd2a.2a (100.1.1.21).
*Mar 1 01:25:06.162: DHCPD: Check for IPe on Vlan100
*Mar 1 01:25:06.162: DHCPD: creating ARP entry (100.1.1.21, 0024.8ccd.2a2a).
*Mar 1 01:25:06.162: DHCPD: unicasting BOOTREPLY to client 0024.8ccd.2a2a (100.1.1.21).
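As an added example (not part of the original guide), the following Python parser reads debug ip dhcp server packet lines, decodes the 7-byte client identifier that IOS prints (type 01 plus the MAC) into the MAC address, reconstructs the message sequence per client, and flags two things an operator looks for in a DHCP server log: a client that keeps getting NAKed and a MAC that ends up ACKed for more than one address. The sample input is constructed from the capture above with the two prompt-split lines re-joined; the regular expressions assume the message formats shown in that capture.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: the "debug ip dhcp server packet" lines of this lab.
SAMPLE_DEBUG = """\
*Mar 1 01:25:03.142: DHCPD: Reload workspace interface Vlan100 tableid 0.
*Mar 1 01:25:03.142: DHCPD: tableid for 100.1.1.1 on Vlan100 is 0
*Mar 1 01:25:03.142: DHCPD: client's VPN is .
*Mar 1 01:25:03.142: DHCPD: DHCPREQUEST received from client 0100.248c.cd2a.2a.
*Mar 1 01:25:03.142: DHCPD: client has moved to a new subnet.
*Mar 1 01:25:03.142: DHCPD: Sending DHCPNAK to client 0100.248c.cd2a.2a.
*Mar 1 01:25:03.142: DHCPD: broadcasting BOOTREPLY to client 0024.8ccd.2a2a.
*Mar 1 01:25:04.140: DHCPD: DHCPDISCOVER received from client 0100.248c.cd2a.2a on interface Vlan100.
*Mar 1 01:25:06.153: DHCPD: Sending DHCPOFFER to client 0100.248c.cd2a.2a (100.1.1.21).
*Mar 1 01:25:06.153: DHCPD: unicasting BOOTREPLY to client 0024.8ccd.2a2a (100.1.1.21).
*Mar 1 01:25:06.162: DHCPD: DHCPREQUEST received from client 0100.248c.cd2a.2a.
*Mar 1 01:25:06.162: DHCPD: Sending DHCPACK to client 0100.248c.cd2a.2a (100.1.1.21).
"""

TS = r"\*?(?P<ts>[A-Za-z]{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+)"
# IOS prints the client-identifier as 7 bytes in dotted hex: 01 (Ethernet) + 6-byte MAC.
CID = r"(?P<cid>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{2})"
RX_RECV = re.compile(TS + r": DHCPD: (?P<msg>DHCP[A-Z]+) received from client " + CID
                     + r"(?: on interface (?P<intf>\S+?))?\.$")
RX_SEND = re.compile(TS + r": DHCPD: Sending (?P<msg>DHCP[A-Z]+) to client " + CID
                     + r"(?: \((?P<ip>\d+\.\d+\.\d+\.\d+)\))?\.$")


def client_id_to_mac(cid: str) -> str:
    """'0100.248c.cd2a.2a' -> '00:24:8c:cd:2a:2a' (drops the leading type byte)."""
    raw = cid.replace(".", "")
    if len(raw) != 14 or raw[:2] != "01":
        raise ValueError(f"not an Ethernet (type 01) client-id: {cid}")
    return ":".join(raw[i:i + 2] for i in range(2, 14, 2))


def parse_dhcp_debug(text: str) -> List[dict]:
    """One event per DHCP message the server received or sent; other debug lines are ignored."""
    events: List[dict] = []
    for line in text.splitlines():
        line = line.strip()
        m = RX_RECV.match(line)
        if m:
            events.append({"ts": m.group("ts"), "direction": "from-client", "msg": m.group("msg")[4:],
                           "mac": client_id_to_mac(m.group("cid")), "ip": None, "intf": m.group("intf")})
            continue
        m = RX_SEND.match(line)
        if m:
            events.append({"ts": m.group("ts"), "direction": "to-client", "msg": m.group("msg")[4:],
                           "mac": client_id_to_mac(m.group("cid")), "ip": m.group("ip"), "intf": None})
    return events


def transactions(events: List[dict]) -> Dict[str, dict]:
    """Per client MAC: ordered message sequence, NAK count and the address finally ACKed."""
    per_mac: Dict[str, dict] = defaultdict(
        lambda: {"sequence": [], "naks": 0, "leased": None, "acked_ips": set()})
    for e in events:
        t = per_mac[e["mac"]]
        t["sequence"].append(e["msg"])
        if e["msg"] == "NAK":
            t["naks"] += 1
        elif e["msg"] == "ACK":
            t["leased"] = e["ip"]
            t["acked_ips"].add(e["ip"])
    return dict(per_mac)


def anomalies(tx: Dict[str, dict], max_naks: int = 3) -> List[str]:
    """A client NAKed over and over, or one MAC holding several leases, deserves a look."""
    findings: List[str] = []
    for mac, t in tx.items():
        if t["naks"] > max_naks:
            findings.append(f"{mac}: {t['naks']} NAKs")
        if len(t["acked_ips"]) > 1:
            findings.append(f"{mac}: ACKed for {sorted(t['acked_ips'])}")
    return findings


if __name__ == "__main__":
    tx = transactions(parse_dhcp_debug(SAMPLE_DEBUG))
    for mac, t in tx.items():
        print(mac, " -> ".join(t["sequence"]), "leased", t["leased"])
    print("anomalies:", anomalies(tx) or "none")
```

For the capture above it prints the single client 00:24:8c:cd:2a:2a with the sequence REQUEST -> NAK -> DISCOVER -> OFFER -> REQUEST -> ACK and the lease 100.1.1.21; pipe a longer debug or syslog capture into parse_dhcp_debug to watch every client on the VLAN at once.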

InterVLAN Routing with HSRP on L3 switches


Objectives:
Configure InterVLAN routing using HSRP for redundancy and fault tolerance of the default gateway.

VLAN   HSRP GW Address
1      1.1.1.1/24
10     10.0.0.1/24
20     20.0.0.1/24
30     30.0.0.1/24
40     40.0.0.1/24


 Configure EtherChannel as shown in the figure. Use LACP. Use 802.1Q as the trunking protocol.


DLS1
default interface range fastEthernet 0/2-7

interface range fastEthernet 0/2-3
channel-group 1 mode active

interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk

interface range fastEthernet 0/4-5
channel-group 2 mode active

interface Port-channel2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk

interface range fastEthernet 0/6-7
channel-group 3 mode active

interface Port-channel3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk

DLS2
default interface range fastEthernet 0/2-7

interface range fastEthernet 0/2-3
channel-group 1 mode active

interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk

interface range fastEthernet 0/4-5
channel-group 2 mode active

interface Port-channel2
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk

interface range fastEthernet 0/6-7
channel-group 3 mode active

interface Port-channel3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk

DLS2#show etherchannel 3 summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 3
Number of aggregators: 3

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
3 Po3(SU) LACP Fa0/6(P) Fa0/7(P)
ALS1
default interface range fastEthernet 0/2-7

interface range fastEthernet 0/2-3
channel-group 1 mode active

interface Port-channel1
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk

interface range fastEthernet 0/4-5
channel-group 2 mode active

interface Port-channel2
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk

interface range fastEthernet 0/6-7
channel-group 3 mode active

interface Port-channel3
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk

ALS1#show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 3
Number of aggregators: 3
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Fa0/2(P) Fa0/3(P)
2 Po2(SU) LACP Fa0/4(P) Fa0/5(P)
3 Po3(SD) LACP Fa0/6(I) Fa0/7(I)

ALS2
default interface range fastEthernet 0/2-7

interface range fastEthernet 0/2-3
channel-group 1 mode active

interface Port-channel1
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk

interface range fastEthernet 0/4-5
channel-group 2 mode active

interface Port-channel2
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk

interface range fastEthernet 0/6-7
channel-group 3 mode active

interface Port-channel3
switchport trunk allowed vlan 1,10,20,30,40
switchport mode trunk

ALS2#show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 3
Number of aggregators: 3
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Fa0/2(P) Fa0/3(P)
2 Po2(SU) LACP Fa0/4(P) Fa0/5(P)
3 Po3(SU) LACP Fa0/6(P) Fa0/7(P)

DLS1#sh interfaces trunk
Port Mode Encapsulation Status Native vlan
Po1 on 802.1q trunking 1
Po2 on 802.1q trunking 1
Po3 on 802.1q trunking 1

Port Vlans allowed on trunk
Po1 1,10,20,30,40
Po2 1,10,20,30,40
Po3 1,10,20,30,40

Port Vlans allowed and active in management domain
Po1 1
Po2 1
Po3 1

Port Vlans in spanning tree forwarding state and not pruned
Po1 none
Po2 1
Po3 none



- Configure DLS2, ALS1 and ALS2 in VTP client mode.
- On DLS1 use the VTP domain duoc.cl, and create the VLANs shown in the figure with their corresponding names. Verify that all VLANs are visible on all switches.


DLS2
vtp mode client

ALS1
vtp mode client

ALS2
vtp mode client

ALS2#show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 255
Number of existing VLANs : 5
VTP Operating Mode : Client
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x57 0xCD 0x40 0x65 0x63 0x59 0x47 0xBD
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

DLS1
vtp domain duoc.cl

vlan 10
name CONTROL

vlan 20
name RRHH

vlan 30
name SMTP

vlan 40
name WWW

DLS1#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 CONTROL active
20 RRHH active
30 SMTP active
40 WWW active

ALS2#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 CONTROL active
20 RRHH active
30 SMTP active
40 WWW active

ALS1#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 CONTROL active
20 RRHH active
30 SMTP active
40 WWW active


DLS2#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 CONTROL active
20 RRHH active
30 SMTP active
40 WWW active


- Configure the access ports on each switch with their corresponding VLAN. These ports must not transition through the STP states (Listening, Learning, ...).


DLS1
interface FastEthernet0/1
switchport access vlan 30
switchport mode access
spanning-tree portfast


DLS2
interface FastEthernet0/1
switchport access vlan 40
switchport mode access
spanning-tree portfast

ALS1
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast

ALS2
interface FastEthernet0/1
switchport access vlan 20
switchport mode access
spanning-tree portfast


- Configure the hosts according to the addressing shown. The following includes only two examples: the VLAN 10 access port and the VLAN 40 access port.







InterVLAN
- Provide end-to-end connectivity between VLANs. Create the SVIs that will be used as default gateways.


DLS1
ip routing

interface Vlan10
ip address 10.0.0.1 255.255.255.0

interface Vlan20
ip address 20.0.0.1 255.255.255.0

interface Vlan30
ip address 30.0.0.1 255.255.255.0

interface Vlan40
ip address 40.0.0.1 255.255.255.0

DLS2
ip routing

interface Vlan10
ip address 10.0.0.2 255.255.255.0

interface Vlan20
ip address 20.0.0.2 255.255.255.0

interface Vlan30
ip address 30.0.0.2 255.255.255.0

interface Vlan40
ip address 40.0.0.2 255.255.255.0


- Test connectivity to the SVI interfaces and then between sites.
Disable the firewall on the PCs or create an exception.


Server WWW
C:\>ipconfig

Configuración IP de Windows

Adaptador Ethernet Conexión de área local :

Estado de los medios. . . .: medios desconectados

Adaptador Ethernet Conexión de área local :
Sufijo de conexión específica DNS :
Dirección IP. . . . . . . . . . . : 40.0.0.10
Máscara de subred . . . . . . . . : 255.255.255.0
Puerta de enlace predeterminada : 40.0.0.1

C:\>ping 10.0.0.1
Haciendo ping a 10.0.0.1 con 32 bytes de datos:
Respuesta desde 10.0.0.1: bytes=32 tiempo=23ms TTL=255
Respuesta desde 10.0.0.1: bytes=32 tiempo=1ms TTL=255
Respuesta desde 10.0.0.1: bytes=32 tiempo=2ms TTL=255
Respuesta desde 10.0.0.1: bytes=32 tiempo=6ms TTL=255
Estadísticas de ping para 10.0.0.1:
Paquetes: enviados = 4, recibidos = 4, perdidos = 0
(0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
Mínimo = 1ms, Máximo = 23ms, Media = 8ms

C:\>ping 20.0.0.1
Haciendo ping a 20.0.0.1 con 32 bytes de datos:
Respuesta desde 20.0.0.1: bytes=32 tiempo=1ms TTL=255
Respuesta desde 20.0.0.1: bytes=32 tiempo=2ms TTL=255
Respuesta desde 20.0.0.1: bytes=32 tiempo<1m TTL=255
Respuesta desde 20.0.0.1: bytes=32 tiempo=2ms TTL=255
Estadísticas de ping para 20.0.0.1:
Paquetes: enviados = 4, recibidos = 4, perdidos = 0
(0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
Mínimo = 0ms, Máximo = 2ms, Media = 1ms

C:\>ping 30.0.0.1
Haciendo ping a 30.0.0.1 con 32 bytes de datos:
Respuesta desde 30.0.0.1: bytes=32 tiempo=2ms TTL=255
Respuesta desde 30.0.0.1: bytes=32 tiempo=2ms TTL=255
Respuesta desde 30.0.0.1: bytes=32 tiempo=1ms TTL=255
Respuesta desde 30.0.0.1: bytes=32 tiempo=6ms TTL=255
Estadísticas de ping para 30.0.0.1:
Paquetes: enviados = 4, recibidos = 4, perdidos = 0
(0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
Mínimo = 1ms, Máximo = 6ms, Media = 2ms

C:\>ping 40.0.0.1
Haciendo ping a 40.0.0.1 con 32 bytes de datos:
Respuesta desde 40.0.0.1: bytes=32 tiempo=1ms TTL=255
Respuesta desde 40.0.0.1: bytes=32 tiempo=2ms TTL=255
Respuesta desde 40.0.0.1: bytes=32 tiempo<1m TTL=255
Respuesta desde 40.0.0.1: bytes=32 tiempo=1ms TTL=255
Estadísticas de ping para 40.0.0.1:
Paquetes: enviados = 4, recibidos = 4, perdidos = 0
(0% perdidos),
Tiempos aproximados de ida y vuelta en milisegundos:
Mínimo = 0ms, Máximo = 2ms, Media = 1ms


PC CONTROL
C:\>ipconfig
Configuración IP de Windows
Adaptador Ethernet Conexión de área local :
Estado de los medios. . . .: medios desconectados
Adaptador Ethernet Conexión de área local :
Sufijo de conexión específica DNS :
Dirección IP. . . . . . . . . . . : 10.0.0.10
Máscara de subred . . . . . . . . : 255.255.255.0
Puerta de enlace predeterminada : 10.0.0.1

C:\>ping 10.0.0.10 -t
Haciendo ping a 10.0.0.10 con 32 bytes de datos:
Respuesta desde 10.0.0.10: bytes=32 tiempo=1ms TTL=127
Respuesta desde 10.0.0.10: bytes=32 tiempo<1m TTL=127
Respuesta desde 10.0.0.10: bytes=32 tiempo<1m TTL=127
Respuesta desde 10.0.0.10: bytes=32 tiempo<1m TTL=127
Respuesta desde 10.0.0.10: bytes=32 tiempo<1m TTL=127
Respuesta desde 10.0.0.10: bytes=32 tiempo<1m TTL=127
Respuesta desde 10.0.0.10: bytes=32 tiempo<1m TTL=127
Respuesta desde 10.0.0.10: bytes=32 tiempo<1m TTL=127


HSRP
- DLS1 must have the HSRP active role for VLANs 1, 10 and 20. Modify the HSRP priority on the corresponding interfaces. Each HSRP virtual IP must use .100/24 as its fourth octet.
- DLS2 must have the HSRP active role for VLANs 30 and 40. Modify the HSRP priority on the corresponding interfaces. Each HSRP virtual IP must use .100/24 as its fourth octet.


DLS1
interface Vlan1
ip address 1.1.1.1 255.255.255.0
standby 1 ip 1.1.1.100
standby 1 priority 101
standby 1 preempt

interface Vlan10
ip address 10.0.0.1 255.255.255.0
standby 1 ip 10.0.0.100
standby 1 priority 101
standby 1 preempt

interface Vlan20
ip address 20.0.0.1 255.255.255.0
standby 1 ip 20.0.0.100
standby 1 priority 101
standby 1 preempt

interface Vlan30
ip address 30.0.0.1 255.255.255.0
standby 1 ip 30.0.0.100
standby 1 priority 100
standby 1 preempt
interface Vlan40
ip address 40.0.0.1 255.255.255.0
standby 1 ip 40.0.0.100
standby 1 priority 100
standby 1 preempt

DLS1#sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl1 1 101 P Active local unknown 1.1.1.100
Vl10 1 101 P Active local unknown 10.0.0.100
Vl20 1 101 P Active local unknown 20.0.0.100
Vl30 1 100 P Active local unknown 30.0.0.100
Vl40 1 100 P Active local unknown 40.0.0.100

DLS2
interface Vlan1
standby 1 ip 1.1.1.100
standby 1 priority 100
standby 1 preempt

interface Vlan10
standby 1 ip 10.0.0.100
standby 1 priority 100
standby 1 preempt

interface Vlan20
standby 1 ip 20.0.0.100
standby 1 priority 100
standby 1 preempt

interface Vlan30
standby 1 ip 30.0.0.100
standby 1 priority 101
standby 1 preempt

interface Vlan40
standby 1 ip 40.0.0.100
standby 1 priority 101
standby 1 preempt

DLS1
*Mar 1 05:59:39.701: %HSRP-5-STATECHANGE: Vlan30 Grp 1 state Active -> Speak
*Mar 1 05:59:39.919: %HSRP-5-STATECHANGE: Vlan40 Grp 1 state Active -> Speak
*Mar 1 05:59:50.581: %HSRP-5-STATECHANGE: Vlan40 Grp 1 state Speak -> Standby
*Mar 1 05:59:50.883: %HSRP-5-STATECHANGE: Vlan30 Grp 1 state Speak -> Standby

DLS1#show standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Vl1 1 101 P Active local 1.1.1.2 1.1.1.100
Vl10 1 101 P Active local 10.0.0.2 10.0.0.100
Vl20 1 101 P Active local 20.0.0.2 20.0.0.100
Vl30 1 100 P Standby 30.0.0.2 local 30.0.0.100
Vl40 1 100 P Standby 40.0.0.2 local 40.0.0.100

DLS1#sh standby
Vlan1 - Group 1
State is Active
2 state changes, last state change 00:24:00
Virtual IP address is 1.1.1.100
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.048 secs
Preemption enabled
Active router is local
Standby router is 1.1.1.2, priority 100 (expires in 10.112 sec)
Priority 101 (configured 101)
Group name is "hsrp-Vl1-1" (default)
Vlan10 - Group 1
State is Active
2 state changes, last state change 00:20:47
Virtual IP address is 10.0.0.100
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.416 secs
Preemption enabled
Active router is local
Standby router is 10.0.0.2, priority 100 (expires in 9.664 sec)
Priority 101 (configured 101)
Group name is "hsrp-Vl10-1" (default)
Vlan20 - Group 1
State is Active
2 state changes, last state change 00:20:48
Virtual IP address is 20.0.0.100
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.368 secs
Preemption enabled
Active router is local
Standby router is 20.0.0.2, priority 100 (expires in 8.144 sec)
Priority 101 (configured 101)
Group name is "hsrp-Vl20-1" (default)
Vlan30 - Group 1
State is Standby
4 state changes, last state change 00:11:23
Virtual IP address is 30.0.0.100
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.664 secs
Preemption enabled
Active router is 30.0.0.2, priority 101 (expires in 9.888 sec)
Standby router is local
Priority 100 (default 100)
Group name is "hsrp-Vl30-1" (default)
Vlan40 - Group 1
State is Standby
4 state changes, last state change 00:11:24
Virtual IP address is 40.0.0.100
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.464 secs
Preemption enabled
Active router is 40.0.0.2, priority 101 (expires in 8.576 sec)
Standby router is local
Priority 100 (default 100)
Group name is "hsrp-Vl40-1" (default)



HSRP using Routers


Pre-LAB
Build the lab shown in the diagram.
The base/initial configurations must be loaded before continuing with the lab.


- Establish connectivity between sites using static routing.
- R1 must point to gateway 172.16.1.100 (virtual IP).
- R6 must point to gateway 172.16.2.100 (virtual IP).

Site1

R1
ip route 0.0.0.0 0.0.0.0 172.16.1.100

R2
ip route 100.1.1.1 255.255.255.255 172.16.1.1
ip route 172.16.2.0 255.255.255.0 10.1.24.4
ip route 100.6.6.6 255.255.255.255 10.1.24.4

R3
ip route 100.1.1.1 255.255.255.255 172.16.1.1
ip route 172.16.2.0 255.255.255.0 10.1.35.5
ip route 100.6.6.6 255.255.255.255 10.1.35.5


Site2

R6
ip route 0.0.0.0 0.0.0.0 172.16.2.100

R4
ip route 100.6.6.6 255.255.255.255 172.16.2.6
ip route 172.16.1.0 255.255.255.0 10.1.24.2
ip route 100.1.1.1 255.255.255.255 10.1.24.2

R5
ip route 100.6.6.6 255.255.255.255 172.16.2.6
ip route 172.16.1.0 255.255.255.0 10.1.35.3
ip route 100.1.1.1 255.255.255.255 10.1.35.3

R2#sh ip route static
100.0.0.0/32 is subnetted, 2 subnets
S 100.6.6.6 [1/0] via 10.1.24.4
S 100.1.1.1 [1/0] via 172.16.1.1
172.16.0.0/24 is subnetted, 2 subnets
S 172.16.2.0 [1/0] via 10.1.24.4


- Configure R2 as the HSRP active router and R3 as backup (STANDBY).
- Configure R4 as the HSRP active router and R5 as backup (STANDBY).

A backup router must take the active role if:
- The Frame-Relay link on the active router has no line signal (L2)
- The active router stops working.

Site1
On the HSRP routers we define the address that R1 will use as its default gateway. We modify the priority on both R2 and R3; what matters is that R2 always has the higher priority number, since priority defines the roles in an HSRP domain.

We must bear in mind that HSRP supports preempt, which means that if an HSRP router with a higher priority joins the network segment, that device takes over the active role even if another one is already fulfilling it.


R2
interface FastEthernet0/0
standby 10 ip 172.16.1.100
standby 10 priority 101
standby 10 preempt

R3
interface FastEthernet0/0
standby 10 ip 172.16.1.100
standby 10 priority 95
standby 10 preempt

R3#debug standby events
HSRP Events debugging is on
*May 16 17:43:10.843: HSRP: Fa0/0 Interface up
*May 16 17:43:10.847: HSRP: Fa0/0 Starting minimum interface delay (1 secs)
*May 16 17:43:11.847: HSRP: Fa0/0 Interface min delay expired
*May 16 17:43:11.847: HSRP: Fa0/0 Grp 10 Init: a/HSRP enabled
*May 16 17:43:11.851: HSRP: Fa0/0 Grp 10 Init -> Listen
*May 16 17:43:11.855: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Init -> Backup
*May 16 17:43:21.851: HSRP: Fa0/0 Grp 10 Listen: c/Active timer expired (unknown)
*May 16 17:43:21.855: HSRP: Fa0/0 Grp 10 Listen -> Speak
*May 16 17:43:21.855: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Backup -> Speak
*May 16 17:43:22.779: HSRP: Fa0/0 Grp 10 Speak: f/Hello rcvd from higher pri Speak router (101/172.16.1.2)
*May 16 17:43:22.783: HSRP: Fa0/0 Grp 10 Speak -> Listen
*May 16 17:43:22.787: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Speak -> Backup


We verify that R2 is the active router and R3 the backup:


R2#show standby
FastEthernet0/0 - Group 10
State is Active
2 state changes, last state change 00:55:27
Virtual IP address is 172.16.1.100
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.744 secs
Preemption enabled
Active router is local
Standby router is 172.16.1.3, priority 95 (expires in 10.112 sec)
Priority 101 (configured 101)
Group name is "hsrp-Fa0/0-10" (default)

R3#show standby
FastEthernet0/0 - Group 10
State is Standby
1 state change, last state change 00:55:55
Virtual IP address is 172.16.1.100
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.320 secs
Preemption enabled
Active router is 172.16.1.2, priority 101 (expires in 8.272 sec)
Standby router is local
Priority 95 (configured 95)
Group name is "hsrp-Fa0/0-10" (default)


Site2

R4
interface FastEthernet0/0
standby 10 ip 172.16.2.100
standby 10 priority 101
standby 10 preempt

R5
interface FastEthernet0/0
standby 10 ip 172.16.2.100
standby 10 priority 95
standby 10 preempt

R4#show debugging
HSRP:
HSRP Events debugging is on

*May 16 17:51:42.043: HSRP: Fa0/0 API 172.16.2.4 is not an HSRP address
*May 16 17:51:42.159: HSRP: Fa0/0 API 172.16.2.100 is not an HSRP address
*May 16 17:51:42.163: HSRP: Fa0/0 Grp 10 Disabled -> Init
*May 16 17:51:42.163: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Disabled -> Init
*May 16 17:51:42.211: HSRP: Fa0/0 Grp 10 Priority 100 -> 101
*May 16 17:51:52.179: HSRP: Fa0/0 Interface up
*May 16 17:51:52.183: HSRP: Fa0/0 Starting minimum interface delay (1 secs)
*May 16 17:51:53.179: HSRP: Fa0/0 Interface min delay expired
*May 16 17:51:53.179: HSRP: Fa0/0 Grp 10 Init: a/HSRP enabled
*May 16 17:51:53.183: HSRP: Fa0/0 Grp 10 Init -> Listen
*May 16 17:51:53.183: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Init -> Backup
*May 16 17:52:03.183: HSRP: Fa0/0 Grp 10 Listen: c/Active timer expired (unknown)
*May 16 17:52:03.187: HSRP: Fa0/0 Grp 10 Listen -> Speak
*May 16 17:52:03.187: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Backup -> Speak
*May 16 17:52:13.187: HSRP: Fa0/0 Grp 10 Speak: d/Standby timer expired (unknown)
*May 16 17:52:13.191: HSRP: Fa0/0 Grp 10 Standby router is local
*May 16 17:52:13.191: HSRP: Fa0/0 Grp 10 Speak -> Standby
*May 16 17:52:13.195: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Speak -> Standby
*May 16 17:52:13.195: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Speak -> Standby
*May 16 17:52:13.687: HSRP: Fa0/0 Grp 10 Standby: c/Active timer expired (unknown)
*May 16 17:52:13.691: HSRP: Fa0/0 Grp 10 Active router is local
*May 16 17:52:13.691: HSRP: Fa0/0 Grp 10 Standby router is unknown, was local
*May 16 17:52:13.695: HSRP: Fa0/0 Grp 10 Standby -> Active
*May 16 17:52:13.695: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Standby -> Active
*May 16 17:52:13.699: HSRP: Fa0/0 Grp 10 Redundancy "hsrp-Fa0/0-10" state Standby -> Active
*May 16 17:52:16.707: HSRP: Fa0/0 Grp 10 Redundancy group hsrp-Fa0/0-10 state Active -> Active
*May 16 17:52:19.711: HSRP: Fa0/0 Grp 10 Redundancy group hsrp-Fa0/0-10 state Active -> Active

R4#show standby
FastEthernet0/0 - Group 10
State is Active
2 state changes, last state change 01:04:37
Virtual IP address is 172.16.2.100
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.048 secs
Preemption enabled
Active router is local
Standby router is 172.16.2.5, priority 95 (expires in 10.112 sec)
Priority 101 (configured 101)
Group name is "hsrp-Fa0/0-10" (default)

R5#show standby
FastEthernet0/0 - Group 10
State is Standby
1 state change, last state change 01:04:40
Virtual IP address is 172.16.2.100
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.896 secs
Preemption enabled
Active router is 172.16.2.4, priority 101 (expires in 9.920 sec)
Standby router is local
Priority 95 (configured 95)
Group name is "hsrp-Fa0/0-10" (default)


We check which path the packets take using a traceroute from R1 to R6 and from R6 to R1.


R1#traceroute 172.16.2.6 probe 1
Type escape sequence to abort.
Tracing the route to 172.16.2.6
1 172.16.1.2 32 msec
2 10.1.24.4 88 msec
3 172.16.2.6 128 msec

R6#traceroute 100.1.1.1 probe 1
Type escape sequence to abort.
Tracing the route to 100.1.1.1
1 172.16.2.4 36 msec
2 10.1.24.2 104 msec
3 172.16.1.1 120 msec


Keep in mind that we must not set just any number as the priority (this applies to VRRP as well as HSRP). It must be consistent with the decrement value: for example, if R2 with priority 100 loses the signal on the FR link, it lowers its priority by 10. If R3 has an HSRP priority of 90 configured, a problem arises (both routers with the same priority): the HSRP process takes as active the router with the higher IP address, and that may well be the very router that should go to Standby. To avoid this we must set numbers relatively close to each other, for example 101 for the active router and 95 for the backup: if the active fails its priority drops to 91, and the backup with 95 takes the active role immediately.
A backup router must take the active role if:
- The Frame-Relay link on the active router has no line signal (L2)
- The active router stops working.

To test the Frame-Relay link we can use the track command as shown below:
If the line protocol is down, R2 lowers its priority by 10, letting R3 take the active role. Recall that R2's priority is 101; with 10 less we have 91, as opposed to R3, which was configured with priority 95.

Site1

R2
track 23 interface Serial1/0 line-protocol

interface FastEthernet0/0
standby 10 track 23 decrement 10

R3
track 23 interface Serial1/0 line-protocol

interface FastEthernet0/0
standby 10 track 23 decrement 10

R2#show standby
FastEthernet0/0 - Group 10
State is Active
2 state changes, last state change 00:18:33
Virtual IP address is 172.16.1.100
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.276 secs
Preemption enabled
Active router is local
Standby router is 172.16.1.3, priority 95 (expires in 7.956 sec)
Priority 101 (configured 101)
Track object 23 state Up decrement 10
IP redundancy name is "hsrp-Fa0/0-10" (default)

R3#show standby
FastEthernet0/0 - Group 10
State is Standby
1 state change, last state change 00:18:31
Virtual IP address is 172.16.1.100
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.296 secs
Preemption enabled
Active router is 172.16.1.2, priority 101 (expires in 9.644 sec)
Standby router is local
Priority 95 (configured 95)
Track object 23 state Up decrement 10
IP redundancy name is "hsrp-Fa0/0-10" (default)


Site2


R4
track 45 interface Serial1/0 line-protocol

interface FastEthernet0/0
standby 10 track 45 decrement 10

R5
track 45 interface Serial1/0 line-protocol

interface FastEthernet0/0
standby 10 track 45 decrement 10

R4#show standby
FastEthernet0/0 - Group 10
State is Active
2 state changes, last state change 00:11:01
Virtual IP address is 172.16.2.100
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.808 secs
Preemption enabled
Active router is local
Standby router is 172.16.2.5, priority 95 (expires in 7.320 sec)
Priority 101 (configured 101)
Track object 45 state Up decrement 10
IP redundancy name is "hsrp-Fa0/0-10" (default)

R5#show standby
FastEthernet0/0 - Group 10
State is Standby
1 state change, last state change 00:10:57
Virtual IP address is 172.16.2.100
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.780 secs
Preemption enabled
Active router is 172.16.2.4, priority 101 (expires in 8.312 sec)
Standby router is local
Priority 95 (configured 95)
Track object 45 state Up decrement 10
IP redundancy name is "hsrp-Fa0/0-10" (default)


To check how this scheme works we shut down the serial interface on R2 and verify the priority change on R2.


R2(config)#interface serial 1/0
R2(config-if)#shutdown

R2#show standby
FastEthernet0/0 - Group 10
State is Speak
3 state changes, last state change 00:00:06
Virtual IP address is 172.16.1.100
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.748 secs
Preemption enabled
Active router is 172.16.1.3, priority 95 (expires in 9.824 sec)
Standby router is unknown
Priority 91 (configured 101)
Track object 23 state Down decrement 10
IP redundancy name is "hsrp-Fa0/0-10" (default)
R2#
*May 16 18:04:40.735: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Speak -> Standby

R3#show standby brief
P indicates configured to preempt.
|
Interface Grp Prio P State Active Standby Virtual IP
Fa0/0 10 95 P Active local 172.16.1.2 172.16.1.100



Despite all these efforts the expected behaviour does not occur: R1 loses connectivity to R6.
The reason is that certain L2 technologies such as Frame-Relay are locally significant and only need to keep the connection to the local FR switch; in our case it is R2's serial that is down. Remember that R4 keeps probing its line protocol locally, so it does not decrement its priority.


R1#ping 100.6.6.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.6.6.6, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#show ip int brief serial 1/0
Interface IP-Address OK? Method Status Protocol
Serial1/0 10.1.24.2 YES manual administratively down down


R4 does not learn that there is a problem on the link, since the interface connecting R4 to the Frame-Relay switch is UP:


R4#show ip int brief serial 1/0
Interface IP-Address OK? Method Status Protocol
Serial1/0 10.1.24.4 YES manual up up

R2#show standby all brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 10 91 P Standby 172.16.1.3 local 172.16.1.100

R3#show standby all brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 10 95 P Active local 172.16.1.2 172.16.1.100


Since R2 tests the link and immediately notices that interface serial 1/0 is down, it becomes HSRP Standby at Site1; however, the same does not happen at Site2, and R4 keeps acting as the active router even though it has no connectivity to R2. We can solve this problem with an interior routing protocol (IGP) that generates keepalives, or by generating keepalives artificially with IP SLA, as we will see later.
If we bring R2's serial interface back up we will see the preempt behaviour. The tracking now confirms that the serial interface is UP. R2 announces itself in HSRP with a priority of 101, which is higher than R3's 95, and becomes the active router again.


R2(config)#interface serial 1/0
R2(config-if)#no shutdown

R2#show standby all brief
P indicates configured to preempt.
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 10 101 P Active local 172.16.1.3 172.16.1.100


To correct the problem and keep connectivity between the sites we can use a combination of IP SLA and tracking. In this section IP SLA lets us probe our neighbours' serials, that is, the activity across the whole FR link.
The way SLA is configured varies between platforms. The one shown here corresponds to IOS 12.4(20)T.


R2
ip sla 10
icmp-echo 10.1.24.4
frequency 5
ip sla schedule 10 life forever start-time now

track 10 ip sla 10 reachability

interface FastEthernet0/0
standby 10 preempt delay minimum 1
standby 10 track 10 decrement 10

R3
ip sla 10
icmp-echo 10.1.35.5
frequency 5
ip sla schedule 10 life forever start-time now

track 10 ip sla 10 reachability

interface FastEthernet0/0
standby 10 preempt delay minimum 1
standby 10 track 10 decrement 10


R4
ip sla 10
icmp-echo 10.1.24.2
frequency 5
ip sla schedule 10 life forever start-time now

track 10 ip sla 10 reachability

interface FastEthernet0/0
standby 10 preempt delay minimum 1
standby 10 track 10 decrement 10

R5
ip sla 10
icmp-echo 10.1.35.3
frequency 5
ip sla schedule 10 life forever start-time now

track 10 ip sla 10 reachability

interface FastEthernet0/0
standby 10 preempt delay minimum 1
standby 10 track 10 decrement 10

R2(config-if)#int s1/0
R2(config-if)#shutdown
R2(config-if)#
%TRACKING-5-STATE: 23 interface Se1/0 line-protocol Up->Down
R2(config-if)#
%LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down
R2(config-if)#
%ENTITY_ALARM-6-INFO: ASSERT INFO Se1/0 Physical Port Administrative State Down
R2(config-if)#
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Active -> Speak
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
R2(config-if)#
%TRACKING-5-STATE: 10 ip sla 10 reachability Up->Down
R2(config-if)#
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Speak -> Standby


As we can see, R2 and R4 change state from Active to Standby, and R3 and R5 change from Standby to Active.
This is the desired behaviour.


R2#show standby
FastEthernet0/0 - Group 10
State is Standby
9 state changes, last state change 00:01:56
Virtual IP address is 172.16.1.100
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.904 secs
Preemption enabled, delay min 1 secs
Active router is 172.16.1.3, priority 95 (expires in 10.896 sec)
Standby router is local
Priority 81 (configured 101)
Track object 10 state Down decrement 10
Group name is "hsrp-Fa0/0-10" (default)

R3#show standby all brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 10 95 P Active local 172.16.1.2 172.16.1.100

R4#show standby all brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 10 91 P Standby 172.16.2.5 local 172.16.2.100


R5#show standby all brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 10 95 P Active local 172.16.2.4 172.16.2.100


We generate traffic again with a ping from R1 to R6. This time there is only a short delay, after which R3 acts as
the GW and R1 can reach R6.


R1#ping 172.16.2.6 repeat 10000
Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 172.16.2.6, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!.........!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
Success rate is 88 percent (123/139), round-trip min/avg/max = 32/98/180 ms

R2#show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 10
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *22:38:46.546 UTC Wed Mar 17 2010
Latest operation return code: Timeout
Number of successes: 0
Number of failures: 177
Operation time to live: Forever

R3#show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 10
Latest RTT: 52 milliseconds
Latest operation start time: *22:38:21.254 UTC Wed Mar 17 2010
Latest operation return code: OK
Number of successes: 347
Number of failures: 0
Operation time to live: Forever

R4#show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 10
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *22:39:16.122 UTC Wed Mar 17 2010
Latest operation return code: Timeout
Number of successes: 0
Number of failures: 177
Operation time to live: Forever

R5#show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 10
Latest RTT: 32 milliseconds
Latest operation start time: *22:39:39.830 UTC Wed Mar 17 2010
Latest operation return code: OK
Number of successes: 357
Number of failures: 0
Operation time to live: Forever

We re-enable the R2/R4 link.

R2(config)#interface serial 1/0
R2(config-if)#no shutdown
R2(config-if)#
%TRACKING-5-STATE: 23 interface Se1/0 line-protocol Down->Up
R2(config-if)#
%LINK-3-UPDOWN: Interface Serial1/0, changed state to up
R2(config-if)#
%ENTITY_ALARM-6-INFO: CLEAR INFO Se1/0 Physical Port Administrative State Down
R2(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to up
R2(config-if)#
%TRACKING-5-STATE: 10 ip sla 10 reachability Down->Up
R2#
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 10 state Standby -> Active

R1#traceroute 172.16.2.6
1 172.16.1.2 84 msec 72 msec 28 msec
2 10.1.24.4 76 msec 40 msec 72 msec
3 172.16.2.6 120 msec * 100 msec



HSRP Load Balancing



• Configure the addressing shown (including the broadcast network). Configure point-to-point FR between R1-R2
and R1-R3, following the addressing scheme in the figure.


R1
interface Serial1/0
encapsulation frame-relay
no shut

interface Serial1/0.12 point-to-point
ip address 10.1.12.1 255.255.255.0
frame-relay interface-dlci 102

interface Serial1/0.13 point-to-point
ip address 10.1.13.1 255.255.255.0
frame-relay interface-dlci 103

R2
interface Serial1/0
encapsulation frame-relay
no shut

interface Serial1/0.12 point-to-point
ip address 10.1.12.2 255.255.255.0
frame-relay interface-dlci 201

R3
interface Serial1/0
encapsulation frame-relay
no shut

interface Serial1/0.13 point-to-point
ip address 10.1.13.3 255.255.255.0
frame-relay interface-dlci 301

R1#show frame-relay map
Serial1/0.12 (up): point-to-point dlci, dlci 102(0x66,0x1860), broadcast
status defined, active
Serial1/0.13 (up): point-to-point dlci, dlci 103(0x67,0x1870), broadcast
status defined, active

R1#show frame-relay pvc | i STATUS
DLCI = 102, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial1/0.12
DLCI = 103, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial1/0.13

R1#ping 10.1.12.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/34/48 ms

R1#ping 10.1.13.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.13.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/40/60 ms

R2
interface FastEthernet0/0
ip address 10.1.100.2 255.255.255.0
no shut

R3
interface FastEthernet0/0
ip address 10.1.100.3 255.255.255.0
no shut

R4
interface FastEthernet0/0
ip address 10.1.100.4 255.255.255.0
no shut

R5
interface FastEthernet0/0
ip address 10.1.100.5 255.255.255.0
no shut

R4#ping 255.255.255.255 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
Reply to request 0 from 10.1.100.5, 60 ms
Reply to request 0 from 10.1.100.2, 124 ms
Reply to request 0 from 10.1.100.3, 120 ms


• On R1 configure a static route to the LAN 10.1.100.0/24 through R2.
• On R1 configure a static route to the LAN 10.1.100.0/24 through R3.
• On R2 configure a static route to the IP 100.1.1.1.
• On R3 configure a static route to the IP 100.1.1.1.
• R4 and R5 must create a default route pointing to the virtual IP 10.1.100.10.


R1
ip route 10.1.100.0 255.255.255.0 10.1.12.2
ip route 10.1.100.0 255.255.255.0 10.1.13.3

R2
ip route 100.1.1.1 255.255.255.255 10.1.12.1

R3
ip route 100.1.1.1 255.255.255.255 10.1.13.1

R4
ip route 0.0.0.0 0.0.0.0 10.1.100.10

R5
ip route 0.0.0.0 0.0.0.0 10.1.100.10



• Configure HSRP so that R2 is the active router and R3 the standby router. Use virtual IP 10.1.100.10 and
group 1. R3 must keep its default priority.
• Test connectivity between R4-R5 and the virtual IP, then connectivity to IP 100.1.1.1. Use ping and tracert.


R2
interface FastEthernet0/0
standby 1 ip 10.1.100.10
standby 1 priority 200

R3
interface FastEthernet0/0
standby 1 ip 10.1.100.10

R2#show standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 1 200 Active local 10.1.100.3 10.1.100.10

R3#show standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 1 100 Standby 10.1.100.2 local 10.1.100.10

R4#ping 100.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/43/88 ms

R4#traceroute 100.1.1.1 probe 1
Type escape sequence to abort.
Tracing the route to 100.1.1.1
1 10.1.100.2 52 msec
2 10.1.12.1 84 msec

R5#ping 100.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/101/204 ms

R5#traceroute 100.1.1.1 probe 1
Type escape sequence to abort.
Tracing the route to 100.1.1.1
1 10.1.100.2 32 msec
2 10.1.12.1 60 msec


• Configure HSRP authentication between R2 and R3. Use the password duoc.com and the most secure method.


R2
key chain ZZTOP
key 1
key-string duoc.com

interface FastEthernet0/0
standby 1 authentication md5 key-chain ZZTOP


R3
key chain ZZTOP
key 1
key-string duoc.com

interface FastEthernet0/0
standby 1 authentication md5 key-chain ZZTOP

R2#show standby
FastEthernet0/0 - Group 1
State is Active
2 state changes, last state change 00:38:57
Virtual IP address is 10.1.100.10
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.144 secs
Authentication MD5, key-chain "ZZTOP"
Preemption disabled
Active router is local
Standby router is 10.1.100.3, priority 100 (expires in 9.600 sec)
Priority 200 (configured 200)
Group name is "hsrp-Fa0/0-1" (default)


• R3 and R2 must take over the active role once the holdtime has expired.


R2
interface FastEthernet0/0
standby 1 preempt

R3
interface FastEthernet0/0
standby 1 preempt

R2#show standby
FastEthernet0/0 - Group 1
State is Active
2 state changes, last state change 00:45:45
Virtual IP address is 10.1.100.10
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.528 secs
Authentication MD5, key-chain "ZZTOP"
Preemption enabled
Active router is local
Standby router is 10.1.100.3, priority 100 (expires in 8.704 sec)
Priority 200 (configured 200)
Group name is "hsrp-Fa0/0-1" (default)



• Change the hello and holdtime intervals to 2 and 6 seconds respectively.


R2
interface FastEthernet0/0
standby 1 timers 2 6

R3
interface FastEthernet0/0
standby 1 timers 2 6

R2#show standby | include Hello
Hello time 2 sec, hold time 6 sec


• Create a new DG (default gateway) with the virtual IP 10.1.100.11. Use group 2.
• Configure R4 so that its DG is the IP 10.1.100.11. R4 must use R3 to reach the IP 100.1.1.1.


R2
interface FastEthernet0/0
standby 2 ip 10.1.100.11
standby 2 priority 95
standby 2 preempt

R3
interface FastEthernet0/0
standby 2 ip 10.1.100.11
standby 2 priority 105
standby 2 preempt

R2#show standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 1 200 P Active local 10.1.100.3 10.1.100.10
Fa0/0 2 95 P Standby 10.1.100.3 local 10.1.100.11

R3#show standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 1 100 P Standby 10.1.100.2 local 10.1.100.10
Fa0/0 2 105 P Active local 10.1.100.2 10.1.100.11

R4
no ip route 0.0.0.0 0.0.0.0 10.1.100.10
ip route 0.0.0.0 0.0.0.0 10.1.100.11


R4#traceroute 100.1.1.1 probe 1
Type escape sequence to abort.
Tracing the route to 100.1.1.1
1 10.1.100.3 36 msec
2 10.1.13.1 80 msec

R5#traceroute 100.1.1.1 probe 1
Type escape sequence to abort.
Tracing the route to 100.1.1.1
1 10.1.100.2 64 msec
2 10.1.12.1 52 msec


• The routers must send HSRP traps to the NMS at address 172.16.1.1.


R2
snmp-server enable traps hsrp
snmp-server host 172.16.1.1 public hsrp

R3
snmp-server enable traps hsrp
snmp-server host 172.16.1.1 public hsrp




VRRP using Routers



Pre LAB
Build the lab shown in the diagram.
The base/initial configurations must be loaded before continuing with the lab.

We will use load sharing.


• Establish connectivity between the sites using static routing.
• R1 must point to the gateway 172.16.1.100 (virtual IP).
• R6 must point to the gateway 172.16.2.100 (virtual IP).


R1
ip route 0.0.0.0 0.0.0.0 172.16.1.100

R2
ip route 100.1.1.1 255.255.255.255 172.16.1.1
ip route 172.16.2.0 255.255.255.0 10.1.24.4
ip route 100.6.6.6 255.255.255.255 10.1.24.4

R3
ip route 100.1.1.1 255.255.255.255 172.16.1.1
ip route 172.16.2.0 255.255.255.0 10.1.35.5
ip route 100.6.6.6 255.255.255.255 10.1.35.5



Site2

R6
ip route 0.0.0.0 0.0.0.0 172.16.2.100

R4
ip route 100.6.6.6 255.255.255.255 172.16.2.6
ip route 172.16.1.0 255.255.255.0 10.1.24.2
ip route 100.1.1.1 255.255.255.255 10.1.24.2

R5
ip route 100.6.6.6 255.255.255.255 172.16.2.6
ip route 172.16.1.0 255.255.255.0 10.1.35.3
ip route 100.1.1.1 255.255.255.255 10.1.35.3



• Configure R2 as VRRP Master and R3 as Backup for the IP address 172.16.1.100.
• Configure R4 as VRRP Master and R5 as Backup for the IP address 172.16.2.100.


R2
interface FastEthernet0/0
vrrp 10 ip 172.16.1.100
vrrp 10 priority 150
vrrp 10 preempt

R3
interface FastEthernet0/0
vrrp 10 ip 172.16.1.100
vrrp 10 priority 100
vrrp 10 preempt

R2#show vrrp
FastEthernet0/0 - Group 10
State is Master
Virtual IP address is 172.16.1.100
Virtual MAC address is 0000.5e00.010a
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 150
Master Router is 172.16.1.2 (local), priority is 150
Master Advertisement interval is 1.000 sec
Master Down interval is 3.414 sec

R3#show vrrp
FastEthernet0/0 - Group 10
State is Backup
Virtual IP address is 172.16.1.100
Virtual MAC address is 0000.5e00.010a
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Master Router is 172.16.1.2, priority is 150
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec (expires in 3.253 sec)

R4
interface FastEthernet0/0
vrrp 10 ip 172.16.2.100
vrrp 10 priority 150
vrrp 10 preempt

R5
interface FastEthernet0/0
vrrp 10 ip 172.16.2.100
vrrp 10 priority 100
vrrp 10 preempt

R4#show vrrp
FastEthernet0/0 - Group 10
State is Master
Virtual IP address is 172.16.2.100
Virtual MAC address is 0000.5e00.010a
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 150
Master Router is 172.16.2.4 (local), priority is 150
Master Advertisement interval is 1.000 sec
Master Down interval is 3.414 sec

R5#show vrrp
FastEthernet0/0 - Group 10
State is Backup
Virtual IP address is 172.16.2.100
Virtual MAC address is 0000.5e00.010a
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Master Router is 172.16.2.4, priority is 150
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec (expires in 3.545 sec)

R1#ping 172.16.1.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/46/80 ms

R2 is the VRRP Master and is therefore the exit GW used to reach R6.


R1#traceroute 172.16.2.6
Type escape sequence to abort.
Tracing the route to 172.16.2.6

1 172.16.1.2 128 msec 64 msec 28 msec
2 10.1.24.4 72 msec 60 msec 52 msec
3 172.16.2.6 108 msec * 116 msec


A backup router must take over the active role if:
• The HDLC link on the active router has no line signal (L2).
• The active router stops working.

This task requires the track command to determine the state of the serial interface. Note that the default VRRP
decrement for a tracked object is 10; that value is not enough for the Backup router to take over the Master role
(150 - 10 = 140 is still higher than 100). We change it to 60 on R2 and R4.


R2
track 10 interface Serial1/0 line-protocol
carrier-delay

interface FastEthernet0/0
vrrp 10 track 10 decrement 60

R3
track 10 interface Serial1/0 line-protocol
carrier-delay

interface FastEthernet0/0
vrrp 10 track 10

R4
track 10 interface Serial1/0 line-protocol
carrier-delay

interface FastEthernet0/0
vrrp 10 track 10 decrement 60

R5
track 10 interface Serial1/0 line-protocol
carrier-delay

interface FastEthernet0/0
vrrp 10 track 10


Verification

R2(config)#interface serial 1/0
R2(config-if)#shutdown
R2(config-if)#
%LINK-5-CHANGED: Interface Serial1/0, changed state to administratively down
%ENTITY_ALARM-6-INFO: ASSERT INFO Se1/0 Physical Port Administrative State Down
R2(config-if)#
%TRACKING-5-STATE: 10 interface Se1/0 line-protocol Up->Down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/0, changed state to down
R2(config-if)#
%VRRP-6-STATECHANGE: Fa0/0 Grp 10 state Master -> Backup


R2#show vrrp
FastEthernet0/0 - Group 10
State is Backup
Virtual IP address is 172.16.1.100
Virtual MAC address is 0000.5e00.010a
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 90 (cfgd 150)
Track object 10 state Down decrement 60
Master Router is 172.16.1.3, priority is 100
Master Advertisement interval is 1.000 sec
Master Down interval is 3.414 sec (expires in 2.918 sec)

R3#show vrrp
FastEthernet0/0 - Group 10
State is Master
Virtual IP address is 172.16.1.100
Virtual MAC address is 0000.5e00.010a
Advertisement interval is 1.000 sec
Preemption enabled
Priority is 100
Track object 10 state Up decrement 10
Master Router is 172.16.1.3 (local), priority is 100
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec


R2 and R4 lower their priority when they no longer detect a signal, so the path R1 follows to reach R6 is now
through the R3/R5 link.
Both R2 and R4 are now Backup. Note that the priority of both has dropped to 90. Since R3 and R5 keep the default
priority of 100, they are now the VRRP Masters.


R1#traceroute 172.16.2.6
Type escape sequence to abort.
Tracing the route to 172.16.2.6
1 172.16.1.3 68 msec 60 msec 40 msec
2 10.1.35.5 84 msec 40 msec 60 msec
3 172.16.2.6 124 msec * 104 msec
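The priority arithmetic behind both failover labs (the HSRP group with IP SLA and interface tracking above, and the VRRP group with the track decrement just verified), modelled as an added example that is not part of the lab guide or of IOS. Router names, IPs, priorities and decrements are the labs' own; the class and function names, and the election rules coded in `elect`, are this example's assumptions.

```python
"""Priority arithmetic and election for HSRP/VRRP with object tracking.

Added example, not part of the lab guide or Cisco IOS: it models the
election the labs above rely on, so a decrement can be checked on paper
before it is applied.  Router names, IPs, priorities and decrements are
those of the labs; class and function names are this example's own.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class Router:
    name: str
    ip: str                 # interface IP: the tie-breaker when priorities match
    configured: int         # 'standby N priority' / 'vrrp N priority' (default 100)
    preempt: bool = True    # the labs enable preempt on every router
    # tracked object id -> decrement applied while that object is Down
    tracks: dict = field(default_factory=dict)

    def effective_priority(self, down_objects):
        """What 'show standby' prints as 'Priority X (configured Y)' and
        'show vrrp' as 'Priority is X (cfgd Y)': every Down tracked object
        subtracts its decrement (IOS default 10 for both protocols)."""
        loss = sum(dec for obj, dec in self.tracks.items() if obj in down_objects)
        return max(self.configured - loss, 0)


def elect(routers, down_objects=frozenset(), current_active=None):
    """Return the name of the router that ends up Active (HSRP) / Master (VRRP).

    Highest effective priority wins, highest interface IP breaks ties.  A
    router only takes the role away from a live current_active if it has
    preempt enabled; otherwise the incumbent keeps it.
    """
    ranked = sorted(
        routers,
        key=lambda r: (r.effective_priority(down_objects), IPv4Address(r.ip)),
        reverse=True,
    )
    best = ranked[0]
    alive = {r.name for r in routers}
    if current_active in alive and current_active != best.name and not best.preempt:
        return current_active
    return best.name


# --- VRRP lab, Site1: R2 150, R3 100, track 10 = R2's Serial1/0 line-protocol ---
def vrrp_site1(decrement, serial_down):
    """Master of group 10 with R2 currently Master and the given track decrement."""
    r2 = Router("R2", "172.16.1.2", 150, tracks={"track10": decrement})
    r3 = Router("R3", "172.16.1.3", 100)
    return elect([r2, r3], {"track10"} if serial_down else set(), current_active="R2")


# --- HSRP lab, Site1: R2 101, R3 95; track 23 = Serial1/0 line-protocol and
# --- track 10 = IP SLA reachability, both 'decrement 10' on R2 (hence the
# --- 'Priority 81 (configured 101)' seen in the show standby output above) ---
def hsrp_site1(serial_down, sla_unreachable, current_active):
    """(Active router of group 10, R2's effective priority) for the given state."""
    r2 = Router("R2", "172.16.1.2", 101, tracks={"track23": 10, "track10": 10})
    r3 = Router("R3", "172.16.1.3", 95)
    down = set()
    if serial_down:
        down.add("track23")
    if sla_unreachable:
        down.add("track10")
    return elect([r2, r3], down, current_active), r2.effective_priority(down)


# --- VRRP load sharing, Site1: two groups with mirrored priorities -------------
def vrrp_load_sharing_site1():
    """Master of each group: traffic from R1 is split between R2 and R3."""
    groups = {
        10: [Router("R2", "172.16.1.2", 200), Router("R3", "172.16.1.3", 100, preempt=False)],
        20: [Router("R2", "172.16.1.2", 100, preempt=False), Router("R3", "172.16.1.3", 200)],
    }
    return {grp: elect(members) for grp, members in groups.items()}


if __name__ == "__main__":
    print("VRRP decrement 10, serial down:", vrrp_site1(10, True))          # R2 (140 > 100)
    print("VRRP decrement 60, serial down:", vrrp_site1(60, True))          # R3 (90 < 100)
    print("HSRP both tracks down         :", hsrp_site1(True, True, "R2"))   # ('R3', 81)
    print("HSRP recovered, R3 active     :", hsrp_site1(False, False, "R3")) # ('R2', 101)
    print("VRRP load sharing             :", vrrp_load_sharing_site1())
```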


Load Sharing

• Remove the previous VRRP configuration and bring up R2's serial interface.



On R2/R3/R4/R5
(config-if)#no vrrp 10

R2(config-if)#int s1/0
R2(config-if)#no shutdown


• Configure R2 as VRRP Master and R3 as Backup for the IP address 172.16.1.100.
• Configure R2 as VRRP Backup and R3 as Master for the IP address 172.16.1.101.
• Configure R4 as VRRP Master and R5 as Backup for the IP address 172.16.2.100.
• Configure R4 as VRRP Backup and R5 as Master for the IP address 172.16.2.101.

R1 and R6 must have two static routes with the same administrative distance (AD 69) so that load balancing takes place.


R1
ip route 0.0.0.0 0.0.0.0 172.16.1.101 69
ip route 0.0.0.0 0.0.0.0 172.16.1.100 69

R1#sh ip route static
S* 0.0.0.0/0 [69/0] via 172.16.1.101
[69/0] via 172.16.1.100

R6
ip route 0.0.0.0 0.0.0.0 172.16.2.101 69
ip route 0.0.0.0 0.0.0.0 172.16.2.100 69

R6#sh ip route static
S* 0.0.0.0/0 [69/0] via 172.16.2.101
[69/0] via 172.16.2.100


To share the load between the two exit points we must create two VRRP groups. Each router acts as Master for
one group and as Backup for the other.


R2
interface FastEthernet0/0
vrrp 10 ip 172.16.1.100
vrrp 10 priority 200
vrrp 20 ip 172.16.1.101
no vrrp 20 preempt

R3
interface FastEthernet0/0
vrrp 10 ip 172.16.1.100
no vrrp 10 preempt
vrrp 20 ip 172.16.1.101
vrrp 20 priority 200

R2#show vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Fa0/0 10 200 3218 Y Master 172.16.1.2 172.16.1.100
Fa0/0 20 100 3609 Backup 172.16.1.3 172.16.1.101

R3#show vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Fa0/0 10 100 3609 Backup 172.16.1.2 172.16.1.100
Fa0/0 20 200 3218 Y Master 172.16.1.3 172.16.1.101

R4
interface FastEthernet0/0
vrrp 10 ip 172.16.2.100
vrrp 10 priority 200
vrrp 20 ip 172.16.2.101
no vrrp 20 preempt

R5
interface FastEthernet0/0
vrrp 10 ip 172.16.2.100
no vrrp 10 preempt
vrrp 20 ip 172.16.2.101
vrrp 20 priority 200

R4#show vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Fa0/0 10 200 3218 Y Master 172.16.2.4 172.16.2.100
Fa0/0 20 100 3609 Backup 172.16.2.5 172.16.2.101


R5#show vrrp brief
Interface Grp Pri Time Own Pre State Master addr Group addr
Fa0/0 10 100 3609 Backup 172.16.2.4 172.16.2.100
Fa0/0 20 200 3218 Y Master 172.16.2.5 172.16.2.101


We verify that traffic flows through both routers R2/R3 in Site1.


R1#traceroute 172.16.2.6
Type escape sequence to abort.
Tracing the route to 172.16.2.6

1 172.16.1.3 120 msec
172.16.1.2 60 msec
172.16.1.3 44 msec
2 10.1.24.4 44 msec
10.1.35.5 48 msec
10.1.24.4 44 msec
3 172.16.2.6 168 msec * 176 msec


We verify that traffic flows through both routers R4/R5 in Site2.


R6#traceroute 172.16.1.1
Type escape sequence to abort.
Tracing the route to 172.16.1.1

1 172.16.2.4 64 msec
172.16.2.5 108 msec
172.16.2.4 44 msec
2 10.1.35.3 56 msec
10.1.24.2 88 msec
10.1.35.3 68 msec
3 172.16.1.1 180 msec * 128 msec

L2 Security

Overflow Attack
Enable port FastEthernet 0/24 of ALS1 as an access port for VLAN 10.


ALS1
vlan 10

interface FastEthernet0/24
switchport access vlan 10
switchport mode access

ALS1#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/6, Fa0/7, Fa0/8
Fa0/9, Fa0/10, Fa0/11, Fa0/12
Fa0/13, Fa0/14, Fa0/15, Fa0/16
Fa0/17, Fa0/18, Fa0/19, Fa0/20
Fa0/21, Fa0/22, Fa0/23, Gi0/1
Gi0/2
10 VLAN0010 active Fa0/24

ALS1
interface Vlan10
ip address 10.1.3.1 255.255.255.0
no shutdown

ALS1#show mac-address-table interface fastEthernet 0/24
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 50b7.c307.a19d DYNAMIC Fa0/24
Total Mac Addresses for this criterion: 1

PC1
Adaptador de Ethernet Ethernet:

Sufijo DNS específico para la conexión. . :
Descripción . . . . . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Dirección física. . . . . . . . . . . . . : 50-B7-C3-07-A1-9D
DHCP habilitado . . . . . . . . . . . . . : sí
Configuración automática habilitada . . . : sí
Vínculo: dirección IPv6 local. . . : fe80::e01f:70bc:4361:24fc%12(Preferido)

Dirección IPv4 de configuración automática: 169.254.36.252(Preferido)
Máscara de subred . . . . . . . . . . . . : 255.255.0.0
Puerta de enlace predeterminada . . . . . :
IAID DHCPv6 . . . . . . . . . . . . . . . : 266863514
DUID de cliente DHCPv6. . . . . . . . . . : 00-01-00-01-19-20-34-FE-50-B7-C3-07-A1-9D
Servidores DNS. . . . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS sobre TCP/IP. . . . . . . . . . . : habilitado


• We enable MACOF.


ALS1#show mac-address-table count
Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count : 1
Static Address Count : 0
Total Mac Addresses : 1
Mac Entries for Vlan 10:
---------------------------
Dynamic Address Count : 1
Static Address Count : 0
Total Mac Addresses : 1
Total Mac Address Space Available: 7948







ALS1#show mac-address-table interface fastEthernet 0/24
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 0009.7252.ac80 DYNAMIC Fa0/24
10 000d.ce5e.a8d8 DYNAMIC Fa0/24
10 000d.dd6d.9634 DYNAMIC Fa0/24
10 0010.6a35.66b9 DYNAMIC Fa0/24
10 0012.c941.7800 DYNAMIC Fa0/24
10 0013.2974.8c4d DYNAMIC Fa0/24
10 0019.f71a.0e80 DYNAMIC Fa0/24
10 001a.1d32.baee DYNAMIC Fa0/24
10 0026.3a54.0e86 DYNAMIC Fa0/24
10 0027.922f.791a DYNAMIC Fa0/24
10 0029.165f.a6e2 DYNAMIC Fa0/24
10 0032.c36d.57e4 DYNAMIC Fa0/24
10 0035.b663.a1c7 DYNAMIC Fa0/24
10 0039.8211.5365 DYNAMIC Fa0/24
10 003a.9a53.15ef DYNAMIC Fa0/24
10 003a.ce27.57a2 DYNAMIC Fa0/24
10 003c.374c.2505 DYNAMIC Fa0/24
10 003c.b762.b981 DYNAMIC Fa0/24
10 003d.6c70.3de3 DYNAMIC Fa0/24

ALS1#show mac-address-table count
Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count : 5
Static Address Count : 0
Total Mac Addresses : 5
Mac Entries for Vlan 10:
---------------------------
Dynamic Address Count : 8067
Static Address Count : 0
Total Mac Addresses : 8067
Total Mac Address Space Available: 0


• On port FastEthernet 0/24 allow only a single source MAC. If the number of MACs is exceeded, the interface
must go into the err-disable state.
Note: configuring port-security without arguments allows only a single MAC address on the configured interface.


ALS1#clear mac-address-table dynamic

ALS1#show mac-address-table count
Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count : 5
Static Address Count : 0
Total Mac Addresses : 5
Mac Entries for Vlan 10:
---------------------------
Dynamic Address Count : 1
Static Address Count : 0
Total Mac Addresses : 1

Total Mac Address Space Available: 7544

ALS1#show running-config interface fastEthernet 0/24
Building configuration...

Current configuration : 122 bytes
!
interface FastEthernet0/24
switchport access vlan 10
switchport mode access
switchport port-security
end

• We enable MACOF and check what happens on port FastEthernet 0/24.



ALS1#
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/24, putting Fa0/24 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 16f2.b324.6763 on port FastEthernet0/24.
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down
%LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to down

ALS1#show interfaces status err-disabled
Port Name Status Reason
Fa0/24 err-disabled psecure-violation

ALS1#show mac-address-table interface fastEthernet 0/24
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----

ALS1#show port-security interface fastEthernet 0/24
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 50b7.c307.a19d:10
Security Violation Count : 1

ALS1#show port-security address
Secure Mac Address Table
------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
10 50b7.c307.a19d SecureDynamic Fa0/24 -
------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8192

• Allow 10 source MACs on interface FastEthernet 0/24; if this number is exceeded, the interface must remain
active but must not process the additional MACs.
Note: to re-enable the port we must enter the interface and reset it.


ALS1
interface FastEthernet0/24
switchport port-security maximum 10
switchport port-security
switchport port-security violation protect

ALS1#show interfaces status | begin Fa0/24
Fa0/24 connected 10 a-full a-100 10/100BaseTX
Gi0/1 notconnect 1 auto auto 10/100/1000BaseTX
Gi0/2 notconnect 1 auto auto 10/100/1000BaseTX

ALS1#show interfaces fastEthernet 0/24 summary
*: interface is up
IHQ: pkts in input hold queue IQD: pkts dropped from input queue
OHQ: pkts in output hold queue OQD: pkts dropped from output queue
RXBS: rx rate (bits/sec) RXPS: rx rate (pkts/sec)
TXBS: tx rate (bits/sec) TXPS: tx rate (pkts/sec)
TRTL: throttle count

Interface IHQ IQD OHQ OQD RXBS RXPS TXBS TXPS TRTL
-------------------------------------------------------------------------
* FastEthernet0/24 0 0 0 0 0 0 0 0 0



• We enable MACOF.
Note: we can watch the switch LED of the port in question; it shows heavy activity as soon as MACOF is
applied.



ALS1#show mac-address-table interface fastEthernet 0/24
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 0800.2731.0471 STATIC Fa0/24
10 2a14.a76a.7db9 STATIC Fa0/24
10 4ce5.e74d.8fe7 STATIC Fa0/24
10 501b.7b6d.b8f2 STATIC Fa0/24
10 50b7.c307.a19d STATIC Fa0/24
10 548e.e961.71e5 STATIC Fa0/24
10 56ac.330b.57d3 STATIC Fa0/24
10 7223.943d.3829 STATIC Fa0/24
10 9ece.7d5c.4520 STATIC Fa0/24
10 a270.a12a.e326 STATIC Fa0/24
Total Mac Addresses for this criterion: 10


• Allow 10 source MACs on interface FastEthernet 0/24; if this number is exceeded, the interface must remain
active and send console and SNMP messages.
Note: with switchport port-security violation restrict a message is sent to the console every 5 seconds, and
traps are sent as well if SNMP is configured.


ALS1
interface FastEthernet0/24
switchport port-security maximum 10
switchport port-security
switchport port-security violation restrict

ALS1#show interfaces status | begin Fa0/24
Fa0/24 connected 10 a-full a-100 10/100BaseTX
Gi0/1 notconnect 1 auto auto 10/100/1000BaseTX
Gi0/2 notconnect 1 auto auto 10/100/1000BaseTX

ALS1#show ip interface brief fastEthernet 0/24
Interface IP-Address OK? Method Status Protocol
FastEthernet0/24 unassigned YES unset up up



 Habilitamos MACOF




ALS1#
03:28:39: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1037.c012.148d on port FastEthernet0/24.
ALS1#
03:28:44: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address c0e0.5b15.8406 on port FastEthernet0/24.
ALS1#
03:28:49: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 78ad.b573.942d on port FastEthernet0/24.
ALS1#
03:28:54: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 2e44.ad42.0a4a on port FastEthernet0/24.

ALS1#show mac-address-table interface fastEthernet 0/24 vlan 10
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
10 0800.2731.0471 STATIC Fa0/24
10 2a14.a76a.7db9 STATIC Fa0/24
10 4ce5.e74d.8fe7 STATIC Fa0/24
10 501b.7b6d.b8f2 STATIC Fa0/24
10 50b7.c307.a19d STATIC Fa0/24
10 548e.e961.71e5 STATIC Fa0/24
10 56ac.330b.57d3 STATIC Fa0/24
10 7223.943d.3829 STATIC Fa0/24
10 9ece.7d5c.4520 STATIC Fa0/24
10 a270.a12a.e326 STATIC Fa0/24
Total Mac Addresses for this criterion: 10
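The CAM exhaustion shown at the start of this section and the three port-security violation modes (shutdown, protect, restrict) modelled side by side, as an added example that is not part of the lab guide or of IOS. The 8192-entry capacity and PC1's MAC come from the lab outputs; every other MAC is constructed, and the class and function names are this example's own.

```python
"""Model of a Catalyst CAM table with port-security.

Added example, not part of the lab guide or of IOS: it reproduces the
behaviour documented by the 'show mac-address-table count' and
'show port-security' outputs above, so the three violation modes can be
compared side by side without a switch.  The capacity follows the lab's
'Max Addresses limit ... 8192'; PC1's MAC is the lab's, all other MACs
are constructed.  Class and function names are this example's own.
"""
from collections import Counter


class Switch:
    def __init__(self, cam_capacity=8192):
        self.cam_capacity = cam_capacity
        self.cam = {}                # (vlan, mac) -> port
        self.port_security = {}      # port -> {"max", "mode", "secure"}
        self.errdisabled = set()
        self.violations = Counter()  # 'Security Violation Count' per port
        self.syslog = []

    def enable_port_security(self, port, maximum=1, violation="shutdown"):
        # 'switchport port-security' with no arguments: maximum 1, violation shutdown
        self.port_security[port] = {"max": maximum, "mode": violation, "secure": set()}

    def learn(self, port, vlan, mac):
        """Process the source MAC of a frame received on `port`; return the action."""
        if port in self.errdisabled:
            return "dropped:err-disabled"
        ps = self.port_security.get(port)
        if ps is None:
            # Plain dynamic learning is bounded only by the CAM size: once it is
            # full, new MACs are not learned and frames to them are flooded.
            if (vlan, mac) not in self.cam and len(self.cam) >= self.cam_capacity:
                return "not-learned:cam-full"
            self.cam[(vlan, mac)] = port
            return "learned:dynamic"
        if mac not in ps["secure"]:
            if len(ps["secure"]) >= ps["max"]:
                return self._violation(port, mac, ps["mode"])
            ps["secure"].add(mac)    # SecureDynamic entry, shown as STATIC in the CAM
        self.cam[(vlan, mac)] = port
        return "learned:secure"

    def _violation(self, port, mac, mode):
        if mode == "protect":
            return "dropped:protect"         # silent: no syslog, no counter
        self.violations[port] += 1
        if mode == "restrict":
            # IOS rate-limits this message (one every 5 s in the lab); the model keeps each one
            self.syslog.append("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                               f"occurred, caused by MAC address {mac} on port {port}.")
            return "dropped:restrict"
        # shutdown: err-disable the port and flush what it had learned
        self.syslog.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on {port}, "
                           f"putting {port} in err-disable state")
        self.errdisabled.add(port)
        for key in [k for k, p in self.cam.items() if p == port]:
            del self.cam[key]
        return "err-disabled"

    def lookup(self, vlan, dst_mac):
        """Egress port for a destination, or 'flood' when the CAM has no entry."""
        return self.cam.get((vlan, dst_mac), "flood")

    def port_entries(self, port):
        return sum(1 for p in self.cam.values() if p == port)


def simulate_mac_flood(mode, maximum=1, frames=20, cam_capacity=8192):
    """Send PC1's frame and then `frames` frames with distinct constructed
    source MACs into Fa0/24 (VLAN 10) under the given port-security mode
    (None = no port-security).  Returns (switch, Counter of actions)."""
    sw = Switch(cam_capacity)
    if mode is not None:
        sw.enable_port_security("Fa0/24", maximum, mode)
    actions = Counter()
    actions[sw.learn("Fa0/24", 10, "50b7.c307.a19d")] += 1   # PC1, from the lab
    for i in range(frames):
        mac = f"0200.{i // 65536:04x}.{i % 65536:04x}"        # constructed, locally administered
        actions[sw.learn("Fa0/24", 10, mac)] += 1
    return sw, actions


if __name__ == "__main__":
    for mode, maximum in ((None, 0), ("shutdown", 1), ("protect", 10), ("restrict", 10)):
        sw, actions = simulate_mac_flood(mode, maximum, frames=20)
        print(f"{str(mode):8} max={maximum:2} {dict(actions)} err-disabled={'Fa0/24' in sw.errdisabled}")
    sw, actions = simulate_mac_flood(None, frames=9000)   # macof-sized flood, no port-security
    print("no port-security, 9001 MACs:", dict(actions), "free entries:", sw.cam_capacity - len(sw.cam))
```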

Switch Spoofing

Enable Yersinia for DTP so that a trunk forms between the PC and the switch's FastEthernet0/24 port.
For the trunk to form we must use DTP. If an interface has Dynamic Trunking Protocol enabled (the default),
Yersinia can form a trunk and receive the information it carries (VLANs).
For the trunk to form, the interface must be in dynamic auto or dynamic desirable mode. The default on the
Catalyst 2960 is Administrative Mode: dynamic auto. One way to avoid this problem is to disable DTP.

ALS1
default interface fastEthernet 0/24

PC
Adaptador de Ethernet Ethernet:
Dirección física. . . . . . . . . . . . . : 50-B7-C3-07-A1-9D



ALS1#show interfaces fastEthernet 0/24 trunk
Port Mode Encapsulation Status Native vlan
Fa0/24 auto 802.1q not-trunking 1
Port Vlans allowed on trunk
Fa0/24 1
Port Vlans allowed and active in management domain
Fa0/24 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/24 none

ALS1#sh interfaces fa0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static Access

The output above shows the administrative mode of port Fa0/24 together with the trunk status, not-trunking.
Now, when trunking is enabled in Yersinia, a trunk will form using DTP.


ALS1#sh debugging
DTP:
DTP events debugging is on

*Mar 1 00:27:38.226: DTP-event:Fa0/24:Received packet event ../dyntrk/dyntrk _process.c:2200
*Mar 1 00:27:39.233: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to
down
*Mar 1 00:27:39.283: DTP-event:Fa0/24:Received packet event ../dyntrk/dyntrk _process.c:2200
*Mar 1 00:27:40.340: DTP-event:Fa0/24:Received packet event ../dyntrk/dyntrk _process.c:2200
*Mar 1 00:27:42.252: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up
ALS1#
*Mar 1 00:28:12.074: DTP-event:Fa0/24:Received packet event ../dyntrk/dyntrk_process.c:2200
*Mar 1 00:28:44.873: DTP-event:Fa0/24:Received packet event ../dyntrk/dyntrk_process.c:2200
*Mar 1 00:29:17.664: DTP-event:Fa0/24:Received packet event ../dyntrk/dyntrk_process.c:2200
*Mar 1 00:29:50.456: DTP-event:Fa0/24:Received packet event ../dyntrk/dyntrk_process.c:2200
*Mar 1 00:30:23.247: DTP-event:Fa0/24:Received packet event ../dyntrk/dyntrk_process.c:2200

ALS1#sh interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/24 auto 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/24 1-4094
Port Vlans allowed and active in management domain
Fa0/24 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/24 1
ALS1#

To prevent this attack we can set the port to access mode.

ALS1
interface FastEthernet0/24
switchport mode access
switchport nonegotiate

ALS1#sh interfaces fastEthernet 0/24 switchport
Name: Fa0/24
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native

ALS1#sh interfaces fastEthernet 0/24 trunk
Port Mode Encapsulation Status Native vlan
Fa0/24 off 802.1q not-trunking 1
Port Vlans allowed on trunk
Fa0/24 1
Port Vlans allowed and active in management domain
Fa0/24 1
Port Vlans in spanning tree forwarding state and not pruned
Fa0/24 1
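As an added example (not part of the guide), the following Python script audits `show interfaces switchport` output for ports whose administrative mode still allows DTP to negotiate a trunk and emits the same two-line remediation applied to Fa0/24 above. The sample output is constructed: the Fa0/24 block mirrors the lab's pre-hardening state, while Fa0/1 and Fa0/2 are invented to show the other cases.

```python
"""Audit Catalyst 'show interfaces switchport' output for DTP-negotiable ports.

Added example, not from the guide. Any port whose Administrative Mode is
'dynamic auto' or 'dynamic desirable' will accept a trunk negotiation from
whatever is plugged into it, which is exactly what the Yersinia run exploited.
"""
import re

# Constructed sample: Fa0/24 mirrors the lab output before hardening;
# Fa0/1 (already access) and Fa0/2 (desirable, already trunking) are invented.
SAMPLE_SHOW_SWITCHPORT = """\
Name: Fa0/1
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access

Name: Fa0/2
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk

Name: Fa0/24
Switchport: Enabled
Administrative Mode: dynamic auto
Operational Mode: static access
"""

NEGOTIABLE_MODES = {"dynamic auto", "dynamic desirable"}


def parse_switchports(text):
    """Return {interface: {"admin": ..., "oper": ...}} from the show output."""
    ports = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Name:\s+(\S+)", line)
        if m:
            current = m.group(1)
            ports[current] = {}
            continue
        if current is None:
            continue
        m = re.match(r"Administrative Mode:\s+(.+)", line)
        if m:
            ports[current]["admin"] = m.group(1).strip().lower()
        m = re.match(r"Operational Mode:\s+(.+)", line)
        if m:
            ports[current]["oper"] = m.group(1).strip().lower()
    return ports


def find_dtp_exposed(ports):
    """Interfaces whose administrative mode lets DTP negotiate a trunk."""
    return sorted(name for name, p in ports.items()
                  if p.get("admin") in NEGOTIABLE_MODES)


def remediation(interfaces):
    """IOS lines that pin each port to access mode and stop sending DTP frames."""
    lines = []
    for name in interfaces:
        lines += [f"interface {name}",
                  " switchport mode access",
                  " switchport nonegotiate"]
    return lines


if __name__ == "__main__":
    exposed = find_dtp_exposed(parse_switchports(SAMPLE_SHOW_SWITCHPORT))
    print("DTP-negotiable ports:", exposed)
    print("\n".join(remediation(exposed)))
```

Note that `switchport mode access` alone stops the port from becoming a trunk, but the switch keeps sending DTP frames; `switchport nonegotiate` is what silences DTP on the port, which is why the guide applies both.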

CDP Attack

- Enable the CDP attack using Yersinia.
This attack severely degrades the switch's performance, since it floods the switch with thousands of CDP entries
and exhausts its memory. In this example a Catalyst 2960 was used, and it was left inoperable while under attack.
The port LED starts blinking rapidly, then turns amber, and finally the port goes down.



ALS1#show debugging
Generic VLAN Manager:
vlan manager packets debugging is on

Condition 1: interface Fa0/24 (1 flags triggered)
Flags: Fa0/24

ALS1#
04:35:17204524532: %SYS-3-CPUHOG: Task is running for (2138)msecs, more than (2000)msecs (132/26),process =
HLFM address learning process.
-Traceback= 4C92C8 3A2D24 3A3244 BDD138 BD470C
04:35:30064771072: %SYS-3-CPUHOG: Task is running for (4275)msecs, more than (2000)msecs (235/26),process =
HLFM address learning process.
-Traceback= 3C7718 3C8528 3C949C 3AD0C8 12A574 12BC74 3A6DF8 3A715C 3A7290 3A3094 3A3244 BDD138
BD470C
04:35:42949672992: %SYS-3-CPUHOG: Task is running for (6415)msecs, more tha
ALS1#n (2000)msecs (343/26),process = HLFM address learning process.
-Traceback= 355738 355B28 5AECBC 3AD2F8 12A574 12BC74 3A6DF8 3A715C 3A7290 3A3094 3A3244 BDD138
BD470C
04:35:56673435648: %SYS-3-CPUHOG: Task is running for (8551)msecs, more than (2000)msecs (444/26),process =
HLFM address learning process.
-Traceback= 3BD898 3C888C 3C89A0 3C8A8C 3C94E4 3AD378 12A574 12BC74 3A6DF8 3A715C 3A7290 3A3094
3A3244 BDD138 BD470C
04:35:68719476736: %SYS-3-CPUHOG: Task is running for (10688)msecs, more than (200
ALS1#0)msecs (547/26),process = HLFM address learning process.
-Traceback= 3BD518 3C8528 3C949C 3AD0C8 12A574 12BC74 3A6DF8 3A715C 3A7290 3A3094 3A3244 BDD138
BD470C
04:35:81629033244: %SYS-3-CPUHOG: Task is running for (12809)msecs, more than (2000)msecs (608/26),process
= HLFM address learning process.
-Traceback= B99038 B99438 3C8E74 3C7200 3AD3AC 12A574 12BC74 3A6DF8 3A715C 3A7290 3A3094 3A3244
BDD138 BD470C
04:35:90218967836: %SYS-3-CPUHOG: Task is running for (14906)msecs, more than (2000)msecs (608
ALS1#/26),process = HLFM address learning process.
-Traceback= B99030 B99438 3C8E74 3C7200 3AD3AC 12A574 12BC74 3A6DF8 3A715C 3A7290 3A3094 3A3244
BDD138 BD470C
04:35:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

ALS1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID
222JJJX Fas 0/24 216 R T S H I yersinia Eth 0
2EEEWWW Fas 0/24 184 B I yersinia Eth 0
3KKKXXX Fas 0/24 185 H I yersinia Eth 0
222EEEW Fas 0/24 186 T B S I r yersinia Eth 0
2IIWWWE Fas 0/24 184 B H yersinia Eth 0
444LLLY Fas 0/24 184 I r yersinia Eth 0
3KKKYYY Fas 0/24 185 T S H I yersinia Eth 0
444LLLZ Fas 0/24 185 R S H yersinia Eth 0
EEEWWW0 Fas 0/24 184 R T B r yersinia Eth 0
DVVV000 Fas 0/24 186 R B r yersinia Eth 0
5MMMZZZ Fas 0/24 184 R T B H yersinia Eth 0
YCCCUU9 Fas 0/24 185 T I yersinia Eth 0
1DDDVVV Fas 0/24 185 R T S I r yersinia Eth 0
1DDVVVD Fas 0/24 184 R B S H I r yersinia Eth 0
5LLLZZZ Fas 0/24 184 R T B H yersinia Eth 0
EVVV000 Fas 0/24 184 R B r yersinia Eth 0
111DDDV Fas 0/24 183 R B S I r yersinia Eth 0
555LLLZ Fas 0/24 183 R I r yersinia Eth 0
111EEEW Fas 0/24 184 T yersinia Eth 0
ARRR000 Fas 0/24 183 R S H I r yersinia Eth 0
--More—
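As an added example (not part of the guide), the following Python script parses `show cdp neighbors` output and flags local interfaces that report far more distinct neighbors than their role allows. An access port facing one host should show at most one CDP neighbor; dozens of random device IDs on a single port is the signature of the flood above. The sample table is constructed: the Fas 0/24 rows are taken from the lab output, and the Fas 0/2 row is invented to show a normal uplink.

```python
"""Spot CDP table flooding from 'show cdp neighbors' output.

Added example, not from the guide. Parsing assumes the 2960 layout seen in
the lab: local interface and port ID are each two tokens ('Fas 0/24',
'Eth 0'), the platform is a single token, and the capability column is
whatever sits between the hold time and the platform.
"""

# Constructed sample: Fas 0/24 rows come from the lab output; Fas 0/2 is invented.
SAMPLE_SHOW_CDP = """\
Device ID Local Intrfce Holdtme Capability Platform Port ID
DLS1 Fas 0/2 150 S I WS-C3560 Fas 0/2
222JJJX Fas 0/24 216 R T S H I yersinia Eth 0
2EEEWWW Fas 0/24 184 B I yersinia Eth 0
3KKKXXX Fas 0/24 185 H I yersinia Eth 0
222EEEW Fas 0/24 186 T B S I r yersinia Eth 0
2IIWWWE Fas 0/24 184 B H yersinia Eth 0
444LLLY Fas 0/24 184 I r yersinia Eth 0
"""


def parse_cdp_neighbors(text):
    """Return one dict per neighbor row, skipping header and non-row lines."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7 or not tok[3].isdigit():
            continue  # header, separator, '--More--' or a wrapped line
        rows.append({
            "device": tok[0],
            "local": f"{tok[1]} {tok[2]}",
            "holdtime": int(tok[3]),
            "capability": tok[4:-3],
            "platform": tok[-3],
            "port_id": f"{tok[-2]} {tok[-1]}",
        })
    return rows


def neighbors_per_port(rows):
    """Count distinct device IDs per local interface."""
    seen = {}
    for r in rows:
        seen.setdefault(r["local"], set()).add(r["device"])
    return {port: len(devs) for port, devs in seen.items()}


def flooded_ports(rows, max_neighbors=1):
    """Local interfaces whose neighbor count exceeds what their role allows."""
    counts = neighbors_per_port(rows)
    return sorted(p for p, n in counts.items() if n > max_neighbors)


def remediation(ports):
    """Per-port 'no cdp enable', the mitigation the guide applies next."""
    out = []
    for p in ports:
        out += [f"interface {p.replace(' ', '')}", " no cdp enable"]
    return out


if __name__ == "__main__":
    rows = parse_cdp_neighbors(SAMPLE_SHOW_CDP)
    print(neighbors_per_port(rows))
    print("\n".join(remediation(flooded_ports(rows))))
```

The threshold is deliberately a parameter: an uplink to another switch legitimately shows one neighbor, a port behind a hub may show a few, but an access port whose neighbor set grows by the second while the hold times stay near their maximum is not seeing real devices.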


- Disable CDP on interface Fa0/24
Note: one way to mitigate a CDP attack is to disable CDP, either globally or per port. Activity will still be seen
on the port LED, but the switch will keep operating.


ALS1
interface FastEthernet0/24
no cdp enable

ALS1#show running-config interface fastEthernet 0/24
Building configuration...

Current configuration : 49 bytes
!
interface FastEthernet0/24
no cdp enable
end

STP Root Guard

With applications like Yersinia we can take over the STP root role from the PC. First let us look at the
behavior using the STP Claiming Root Role attack. Before that, we verify the role of ALS1.

ALS1#show spanning-tree vlan 1
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0022.5689.5d80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0022.5689.5d80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/24 Desg FWD 19 128.24 P2p

ALS1#debug spanning-tree root
Spanning Tree root changes debugging is on

ALS1#
STP: VLAN0001 new root is 32769, 0022.5688.5d80 on port Fa0/24, cost 19

ALS1#show spanning-tree root detail
VLAN0001
Root ID Priority 32769
Address 0022.5688.5d80
Cost 19
Port 24 (FastEthernet0/24)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec


The output above shows that both the PC and the Catalyst ALS1 have the same priority; however, the MAC address
value (which breaks the tie) is lower on the PC:

ALS1  0022.5689.5d80
PC    0022.5688.5d80

Therefore the PC takes the Root role. The command show spanning-tree root detail shows that ALS1 is no longer
the Root Bridge.
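As an added example (not part of the guide), the following Python code reproduces the election above by building the 64-bit Bridge ID (16-bit priority field, with the VLAN added as the system-ID extension, followed by the 48-bit MAC) and picking the numerically lowest one. It also goes one step beyond the text: it shows that lowering ALS1's priority (as the `spanning-tree vlan ... root primary` commands later in this guide do) only changes who wins this particular contest, whereas root guard, configured next, blocks the port whatever priority the attacker claims. The priority and MAC values are those the lab shows.

```python
"""Reproduce the STP root election the lab observes.

Added example, not from the guide. A Bridge ID is the 16-bit priority
(configured priority + VLAN as sys-id-ext) followed by the 48-bit MAC; the
numerically lowest ID wins, so with equal priorities the lower MAC decides.
"""


def bridge_id(priority_cfg, vlan, mac):
    """Build the 64-bit Bridge ID as an integer for easy comparison.

    priority_cfg is the configured multiple of 4096 (32768 by default); the
    VLAN number is added as the system-ID extension, exactly as the
    'priority 32768 sys-id-ext 1' line in 'show spanning-tree' reports.
    """
    if priority_cfg % 4096 or not 0 <= priority_cfg <= 61440:
        raise ValueError("priority must be a multiple of 4096 up to 61440")
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return ((priority_cfg + vlan) << 48) | mac_int


def elect_root(candidates, vlan):
    """candidates: {name: (priority_cfg, mac)}; returns (winner, bridge_id)."""
    ids = {name: bridge_id(p, vlan, mac) for name, (p, mac) in candidates.items()}
    winner = min(ids, key=ids.get)
    return winner, ids[winner]


# Values from the lab: ALS1 and the BPDU Yersinia sends from the PC.
LAB = {"ALS1": (32768, "0022.5689.5d80"), "PC": (32768, "0022.5688.5d80")}


def lab_election():
    """Returns 'PC': equal priority, and 0022.5688.5d80 < 0022.5689.5d80."""
    return elect_root(LAB, vlan=1)[0]


def hardened_election():
    """Same contest with ALS1 at priority 24576 (what 'root primary' sets):
    the priority field now decides before the MAC is even compared."""
    hardened = dict(LAB, ALS1=(24576, LAB["ALS1"][1]))
    return elect_root(hardened, vlan=1)[0]


if __name__ == "__main__":
    print("lab election winner:", lab_election())
    print("after lowering ALS1 priority:", hardened_election())
```

The second function is the reason a priority change is not a complete defense: nothing stops the PC from sending priority 0 in its next BPDU. Root guard does not take part in the election at all; it refuses to let a superior BPDU arrive on a port that should never lead towards the root.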

- Configure an STP feature to mitigate this problem.
The guard root command on the interface prevents a

ALS1
interface FastEthernet0/24
spanning-tree guard root

ALS1#show spanning-tree root detail
VLAN0001
Root ID Priority 32769
Address 0022.5689.5d80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

05:58:16: %SPANTREE-2-ROOTGUARD_CONFIG_CHANGE: Root guard enabled on port FastEthernet0/24.
STP: VLAN0001 we are the spanning tree root
05:58:17: %SPANTREE-2-ROOTGUARD_BLOCK: Root guard blocking port FastEthernet0/24 on VLAN0001.
05:58:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down

ALS1#show spanning-tree interface fastEthernet 0/24 detail
Port 24 (FastEthernet0/24) of VLAN0001 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.24.
Designated root has priority 32769, address 0022.5689.5d80
Designated bridge has priority 32769, address 0022.5689.5d80
Designated port id is 128.24, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
Link type is point-to-point by default
Root guard is enabled on the port
BPDU: sent 347, received 0

STP PortFast

Configure port FastEthernet 0/24 on ALS1 so that the port comes up immediately, skipping the STP states.
If we do not configure portfast, the port takes 30 seconds to become operational (15 seconds in the listening
state + 15 seconds in the learning state before moving to forwarding). Before configuring the interface we will
notice that, when connecting the PC to the port, it goes through the different states.

ALS1#debug spanning-tree events
Spanning Tree event debugging is on

setting bridge id (which=3) prio 32769 prio cfg 32768 sysid 1 (on) id 8001.0022.5689.5d80
set portid: VLAN0001 Fa0/24: new port id 8018
STP: VLAN0001 Fa0/24 -> listening
ALS1#
06:19:18: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to up
06:19:20: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up
ALS1#
STP: VLAN0001 Fa0/24 -> learning
ALS1#
STP: VLAN0001 Fa0/24 -> forwarding
06:19:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up


- Configure an STP feature that skips the Listening and Learning transitions and goes immediately to
forwarding (Forwarding).
Note: when configuring portfast, the process warns us that only hosts should be connected, since loops could be
created if hubs, switches, etc. are connected.


ALS1
interface FastEthernet0/24
spanning-tree portfast

%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast has been configured on FastEthernet0/24 but will only
have effect when the interface is in a non-trunking mode.

ALS1#show spanning-tree interface fastEthernet 0/24 detail
Port 24 (FastEthernet0/24) of VLAN0001 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.24.
Designated root has priority 32769, address 0022.5689.5d80
Designated bridge has priority 32769, address 0022.5689.5d80
Designated port id is 128.24, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode
Link type is point-to-point by default
Root guard is enabled on the port
BPDU: sent 347, received 0

STP BPDU Filter

Catalyst switches are constantly sending BPDUs out all active interfaces, even on access ports, so hosts receive
packets they do not know how to interpret. Using Wireshark we can observe that the PC receives STP packets:





- Configure an STP feature so that the Catalyst does not send BPDUs to the hosts.


ALS1
interface FastEthernet0/24
spanning-tree bpdufilter enable

ALS1#show spanning-tree interface fastEthernet 0/24 detail
Port 24 (FastEthernet0/24) of VLAN0001 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.24.
Designated root has priority 32769, address 0022.5689.5d80
Designated bridge has priority 32769, address 0022.5689.5d80
Designated port id is 128.24, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode
Link type is point-to-point by default
Bpdu filter is enabled
Root guard is enabled on the port
BPDU: sent 1007, received 0

If we start the protocol analyzer we will see that, once BPDU Filter is configured, STP packets are no longer
sent out the configured port.




- Configure interface FastEthernet0/24 so that, if a BPDU is received on the port, the port is placed in the
err-disable state.

In some cases BPDUs may be received as part of an attack. To disable the port we use BPDU Guard. Using Yersinia
we will send BPDUs so that the port is shut down.

ALS1
interface FastEthernet0/24
spanning-tree portfast
spanning-tree bpduguard enable

ALS1#show spanning-tree interface fastEthernet 0/24 detail
Port 24 (FastEthernet0/24) of VLAN0001 is forwarding
Port path cost 19, Port priority 128, Port Identifier 128.24.
Designated root has priority 32769, address 0022.5689.5d80
Designated bridge has priority 32769, address 0022.5689.5d80
Designated port id is 128.24, designated path cost 0
Timers: message age 0, forward delay 0, hold 0
Number of transitions to forwarding state: 1
The port is in the portfast mode
Link type is point-to-point by default
Bpdu guard is enabled
Bpdu filter is enabled
Root guard is enabled on the port
BPDU: sent 1007, received 0



We start the attack with Yersinia, sending BPDUs, and check the behavior on the switch.
Note: BPDU Filter must be disabled.

ALS1#debug spanning-tree bpdu receive
Spanning Tree BPDU Received debugging is on



ALS1
interface FastEthernet0/24
no spanning-tree bpdufilter enable

ALS1#show debugging
Spanning Tree:
Spanning Tree BPDU Received debugging is on
Condition 1: interface Fa0/24 (1 flags triggered)
Flags: Fa0/24

07:15:38: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port FastEthernet0/24 with BPDU Guard
enabled. Disabling port.
07:15:38: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/24, putting Fa0/24 in err-disable state
07:15:39: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down
07:15:39: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
ALS1(config-if)#
07:15:40: %LINK-3-UPDOWN: Interface FastEthernet0/24, changed state to down

ALS1#show interfaces status | include Fa0/24|Status
Port Name Status Vlan Duplex Speed Type
Fa0/24 err-disabled 1 auto auto 10/100BaseTX

VLAN ACLs vs. Security in Telnet sessions
- Configure the Port-channel shown in the figure. Use LACP and 802.1q as the trunking protocol.
- On DLS1 create VLAN 10 and verify that it propagates to DLS2.
- Configure the access ports for VLAN 10. Use portfast.



DLS1
default interface range fastEthernet 0/6-7

interface range fastEthernet 0/6-7
channel-group 3 mode active
exit

interface Port-channel3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10
switchport mode trunk

vlan 10
vtp domain cisco

DLS2
default interface range fastEthernet 0/6-7

interface range fastEthernet 0/6-7
channel-group 3 mode active
exit

interface Port-channel3
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,10
switchport mode trunk


DLS1#sh etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator

M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
3 Po3(SU) LACP Fa0/6(P) Fa0/7(P)

DLS2#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4
Fa0/5, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active

DLS1
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
switchport host

DLS2
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
switchport host

R1
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
no shut

R2
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
no shut

R1#ping 10.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/61/80 ms


- Configure the routers with the addressing shown and enable telnet. On R1, incoming sessions are allowed from
IP 100.2.2.2. On R2, incoming sessions are allowed from IP 100.1.1.1. If there is a telnet connection attempt
from a different source address, a log must be sent to the console indicating it.
- Form an OSPF 1 area 0 adjacency between R1 and R2. There must be no DR/BDR election.
- Create and advertise loopback0 100.1.1.1/24 on R1 and loopback0 100.2.2.2/24 using OSPF. Verify that they
are advertised with their correct masks.


R1
interface Loopback0
ip address 100.1.1.1 255.255.255.0
ip ospf 1 area 0
ip ospf network point-to-point

interface FastEthernet0/0
ip ospf network point-to-point
ip ospf 1 area 0

R2
interface Loopback0
ip address 100.2.2.2 255.255.255.0
ip ospf 1 area 0
ip ospf network point-to-point

interface FastEthernet0/0
ip ospf network point-to-point
ip ospf 1 area 0

R2#show ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
100.1.1.1 0 FULL/ - 00:00:33 10.1.1.1 FastEthernet0/0

R2#sh ip route ospf
Gateway of last resort is not set
100.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O 100.1.1.0/24 [110/2] via 10.1.1.1, 00:00:25, FastEthernet0/0

R2#ping 100.1.1.1 source 100.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 100.2.2.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/60/68 ms


R1
access-list 10 permit 100.2.2.0 0.0.0.255
access-list 10 deny any log

line vty 0 4
access-class 10 in
exec-timeout 0 0
password cisco
login
transport input telnet
transport output telnet

R2
access-list 10 permit 100.1.1.0 0.0.0.255
access-list 10 deny any log

line vty 0 4
access-class 10 in
exec-timeout 0 0
password cisco
login
transport input telnet
transport output telnet


R1#telnet 100.2.2.2
Trying 100.2.2.2 ...
% Connection refused by remote host

R2#
*Jun 13 13:53:58.599: %SEC-6-IPACCESSLOGNP: list 10 denied 0 10.1.1.1 -> 0.0.0.0, 1 packet

R1#telnet 100.2.2.2 /source-interface loo0
Trying 100.2.2.2 ... Open

User Access Verification

Password:cisco
R2>en
Password:cisco


- On DLS2 use a VLAN access-list to block all ICMP and HTML traffic. Telnet traffic must be allowed.


DLS2
ip access-list extended ICMP
permit icmp any any

vlan access-map DROP-ICMP 10
match ip address ICMP
action drop

vlan access-map DROP-ICMP 20
action forward

R1#ping 100.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/64/100 ms


As we can see in the output above, ping still works. To activate the restrictive policy we must use the vlan
filter command, indicating the VLAN the filter applies to; in our case it is VLAN 10.
After making this last configuration we can see that ICMP traffic between sites is no longer possible, yet we
can still log in through telnet.


DLS2
vlan filter DROP-ICMP vlan-list 10


R1#ping 100.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.2.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


R1#telnet 100.2.2.2 /source-interface loo0
Trying 100.2.2.2 ... Open

User Access Verification
Password:
R2>en
Password:
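As an added example (not part of the guide), the following Python model shows how the switch evaluates the VLAN access-map above. It reproduces the three behaviours this section shows or implies: nothing is filtered until `vlan filter` binds the map to a VLAN, sequences are tried in order and the first matching one decides, and a packet that matches no sequence is dropped by the implicit deny at the end of the map, which is why sequence 20 with `action forward` is needed to keep telnet working. The ACL and map contents are those configured on DLS2; packets are represented only by their protocol name.

```python
"""Model how a Catalyst VLAN access-map is evaluated.

Added example, not from the guide. Packets are reduced to a protocol name
('icmp', 'tcp', ...) because that is all the lab's ACL matches on.
"""

# ACLs used as match criteria: (action, protocol). 'ip' matches everything.
ACLS = {"ICMP": [("permit", "icmp")]}

# vlan access-map DROP-ICMP: (sequence, match ACL names, action)
DROP_ICMP = [
    (10, ["ICMP"], "drop"),
    (20, [], "forward"),  # no match clause: catches all remaining traffic
]

# Same map without sequence 20, to show the implicit deny.
DROP_ICMP_NO_CATCHALL = [(10, ["ICMP"], "drop")]

MAPS = {"DROP-ICMP": DROP_ICMP, "DROP-ICMP-NO-CATCHALL": DROP_ICMP_NO_CATCHALL}
BEFORE_FILTER = {}                 # map defined but not applied to any VLAN
AFTER_FILTER = {10: "DROP-ICMP"}   # vlan filter DROP-ICMP vlan-list 10


def acl_permits(acl, proto):
    """For VACL matching, an ACL 'matches' when a permit entry hits first."""
    for action, p in acl:
        if p in ("ip", proto):
            return action == "permit"
    return False  # implicit deny inside the ACL: no match for the map


def vacl_decide(access_map, proto):
    """Evaluate one packet against an access-map, first matching sequence wins."""
    for _seq, match_acls, action in access_map:
        if not match_acls or any(acl_permits(ACLS[a], proto) for a in match_acls):
            return action
    return "drop"  # implicit deny at the end of the map


def switch_decide(vlan_filters, access_maps, vlan, proto):
    """vlan_filters: {vlan: map name}. Unfiltered VLANs forward everything."""
    name = vlan_filters.get(vlan)
    if name is None:
        return "forward"
    return vacl_decide(access_maps[name], proto)


if __name__ == "__main__":
    for label, filters in (("before vlan filter", BEFORE_FILTER),
                           ("after vlan filter", AFTER_FILTER)):
        for proto in ("icmp", "tcp"):
            print(label, proto, "->", switch_decide(filters, MAPS, 10, proto))
```

The `DROP-ICMP-NO-CATCHALL` map is the mistake to watch for when reviewing a VACL: with only the drop sequence present, the telnet session that still opens above would be silently dropped too.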

SSH
- Configure SSH on DLS2 using the following policies:
- Domain: duoc.cl
- Key: 1024
- Authentication: should be performed against the local database.
- Username: U1
- Password: cisco
- Ports: authentication should be enabled for the VTY ports.
- Restrictions: only SSH connections are allowed on DLS2.


DLS2
ip domain name duoc.cl

DLS2(config)#crypto key zeroize rsa
% All RSA keys will be removed.
% All router certs issued using these keys will also be removed.
Do you really want to remove these keys? [yes/no]: yes
DLS2(config)#
*Mar 1 06:11:47.245: %SSH-5-DISABLED: SSH 1.99 has been disabled
DLS2(config)#crypto key generate rsa usage-keys
The name for the keys will be: DLS2.duoc.cl
Choose the size of the key modulus in the range of 360 to 4096 for your
Signature Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
Choose the size of the key modulus in the range of 360 to 4096 for your
Encryption Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 5 seconds)
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 6 seconds)

DLS2(config)#
*Mar 1 06:12:15.012: %SSH-5-ENABLED: SSH 1.99 has been enabled



The following configuration enables AAA services


DLS2
aaa new-model
username U1 password duoc
aaa authentication login LOCAL local

line vty 0 4
login authentication LOCAL
transport input ssh
DLS1#ssh -l U1 -c aes128-cbc 1.1.1.2

Password:cisco

DLS2>en
Password:duoc


SPAN
- On DLS1 create VLANs 10, 20, 99.
- Form trunks between directly connected switches (use two links between devices). Only the newly created
VLANs plus the default VLAN must be allowed. Use the standard trunking protocol.
- DLS1 is the server for the VTP domain duoc; the remaining switches have the client role. Verify that the
VLANs have propagated to each of the switches.
- DLS1 must be root for VLANs 1, 10 and 20, and secondary root for VLAN 99.
- DLS2 must be root for VLAN 99, and secondary root for VLANs 1, 10 and 20.



DLS1
interface range fastEthernet 0/2-7
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1,10,20,99

DLS2
interface range fastEthernet 0/13-20
shutdown

interface range fastEthernet 0/2-7
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1,10,20,99

ALS1
interface range fastEthernet 0/13-20
shutdown

interface range fastEthernet 0/2-7
switchport mode trunk
switchport trunk allowed vlan 1,10,20,99

ALS2
interface range fastEthernet 0/2-7
switchport mode trunk
switchport trunk allowed vlan 1,10,20,99




DLS1#sh interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/3 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/5 on 802.1q trunking 1
Fa0/6 on 802.1q trunking 1
Fa0/7 on 802.1q trunking 1

Port Vlans allowed on trunk
Fa0/2 1,10,20,99
Fa0/3 1,10,20,99
Fa0/4 1,10,20,99
Fa0/5 1,10,20,99
Fa0/6 1,10,20,99
Fa0/7 1,10,20,99

DLS2#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/3 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/5 on 802.1q trunking 1
Fa0/6 on 802.1q trunking 1
Fa0/7 on 802.1q trunking 1

Port Vlans allowed on trunk
Fa0/2 1,10,20,99
Fa0/3 1,10,20,99
Fa0/4 1,10,20,99
Fa0/5 1,10,20,99
Fa0/6 1,10,20,99
Fa0/7 1,10,20,99

ALS1#show interfaces trunk
Port Mode Encapsulation Status Native vlan
Fa0/2 on 802.1q trunking 1
Fa0/3 on 802.1q trunking 1
Fa0/4 on 802.1q trunking 1
Fa0/5 on 802.1q trunking 1
Fa0/6 on 802.1q trunking 1
Fa0/7 on 802.1q trunking 1

Port Vlans allowed on trunk
Fa0/2 1,10,20,99
Fa0/3 1,10,20,99
Fa0/4 1,10,20,99
Fa0/5 1,10,20,99
Fa0/6 1,10,20,99
Fa0/7 1,10,20,99


DLS2
vtp mode client

ALS1
vtp mode client

ALS2
vtp mode client

DLS1
vtp mode server
vtp domain duoc

vlan 10,20,99

DLS1#sh vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active
99 VLAN0099 active


DLS2#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active
99 VLAN0099 active


ALS1#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active
99 VLAN0099 active

ALS2#show vlan brief | exclude unsup
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/8, Fa0/9, Fa0/10
Fa0/11, Fa0/12, Fa0/13, Fa0/14
Fa0/15, Fa0/16, Fa0/17, Fa0/18
Fa0/19, Fa0/20, Fa0/21, Fa0/22
Fa0/23, Fa0/24, Gi0/1, Gi0/2
10 VLAN0010 active
20 VLAN0020 active
99 VLAN0099 active


DLS1
spanning-tree vlan 1,10,20 root primary diameter 3
spanning-tree vlan 99 root secondary diameter 3

DLS2
spanning-tree vlan 99 root primary diameter 3
spanning-tree vlan 1,10,20 root secondary diameter 3

DLS2#show spanning-tree vlan 99
VLAN0099
Spanning tree enabled protocol ieee
Root ID Priority 24675
Address 3037.a6eb.d580
This bridge is the root
Hello Time 2 sec Max Age 12 sec Forward Delay 9 sec

Bridge ID Priority 24675 (priority 24576 sys-id-ext 99)
Address 3037.a6eb.d580
Hello Time 2 sec Max Age 12 sec Forward Delay 9 sec
Aging Time 9

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/2 Desg LRN 19 128.4 P2p
Fa0/3 Desg LRN 19 128.5 P2p
Fa0/4 Desg LRN 19 128.6 P2p
Fa0/5 Desg LRN 19 128.7 P2p
Fa0/6 Desg FWD 19 128.8 P2p
Fa0/7 Desg LRN 19 128.9 P2p


- On ALS2 install a protocol analyzer on port Fa0/1 and capture the traffic generated on the same switch on
access port Fa0/11, where a PC is opening a telnet session to SVI1 (1.1.1.X).



ALS2
interface FastEthernet0/1
switchport mode access
switchport access vlan 1
spanning-tree portfast

interface FastEthernet0/11
switchport mode access
switchport access vlan 1
spanning-tree portfast

monitor session 1 source interface fastEthernet 0/11 both
monitor session 1 destination interface fastEthernet 0/1

TELNET
C:\>telnet 1.1.1.1

User Access Verification

Password:
DLS1>en
Password:
DLS1#

Remote SPAN (RSPAN)
- On DLS2 install a protocol analyzer on port Fa0/1 and capture the traffic generated on DLS1 access port
Fa0/8, where a PC is opening a telnet session to SVI1 (1.1.1.X). VLAN 99 must be configured as the SPAN VLAN.
Note: the traffic generated on Fa0/1 of DLS1 can be sent to any switch that has access to VLAN 99, the RSPAN
VLAN. In this example only DLS2 is used as the receiver, but ALS1 and ALS2 could be as well.


DLS1
vlan 99
remote-span

DLS1#sh vlan remote-span
Remote SPAN VLANs
------------------------------------------------------------------------------
99

DLS2#show vlan remote-span
Remote SPAN VLANs
------------------------------------------------------------------------------
99

ALS1#show vlan remote-span
Remote SPAN VLANs
------------------------------------------------------------------------------
99

ALS2#sh vlan remote-span
Remote SPAN VLANs
------------------------------------------------------------------------------
99

DLS1
monitor session 2 source interface fastEthernet 0/8
monitor session 2 destination remote vlan 99

DLS1#sh monitor session 2
Session 2
---------
Type : Remote Source Session
Source Ports :
Both : Fa0/8
Dest RSPAN VLAN : 99


DLS2
monitor session 2 source remote vlan 99
monitor session 2 destination interface fastEthernet 0/1

DLS1
interface FastEthernet0/8
switchport mode access
spanning-tree portfast


DLS2
interface FastEthernet0/1
switchport mode access
spanning-tree portfast

TELNET
C:\>telnet 1.1.1.1

User Access Verification

Password:
DLS1>en
Password:
DLS1#




Syslog
- Create PortChannel 3 between DLS1 and DLS2 without using PAgP or LACP. Enable the interfaces for L3
connectivity and configure the addressing shown. Verify that there is connectivity between both L3 devices.


DLS1
ip routing

interface Port-channel3
no switchport
ip address 10.1.12.1 255.255.255.0

interface FastEthernet0/6
no switchport
channel-group 3 mode on

interface FastEthernet0/7
no switchport
channel-group 3 mode on

DLS2
ip routing

interface Port-channel3
no switchport
ip address 10.1.12.2 255.255.255.0

interface FastEthernet0/6
no switchport
channel-group 3 mode on

interface FastEthernet0/7
no switchport
channel-group 3 mode on

DLS2#ping 10.1.12.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.12.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms


- Configure EIGRP 1 as shown in the figure. Also advertise each switch's loopback0.
- Network 172.16.1.0/24 must be redistributed into EIGRP.


DLS1
interface Loopback0
ip address 10.1.1.1 255.255.255.0

router eigrp 1
network 10.0.0.0
no auto-summary

DLS2
interface Loopback0
ip address 10.2.2.2 255.255.255.0

router eigrp 1
network 10.0.0.0
no auto-summary

DLS2#sh ip route eigrp
10.0.0.0/24 is subnetted, 3 subnets
D 10.1.1.0 [90/143360] via 10.1.12.1, 00:00:12, Port-channel3

DLS2
interface FastEthernet0/1
no switchport
ip address 172.16.1.1 255.255.255.0

router eigrp 1
redistribute connected metric 1 1 1 1 1

DLS1#sh ip route eigrp
172.16.0.0/24 is subnetted, 1 subnets
D EX 172.16.1.0 [170/2560002816] via 10.1.12.2, 00:00:36, Port-channel3
10.0.0.0/24 is subnetted, 3 subnets
D 10.2.2.0 [90/143360] via 10.1.12.2, 00:03:47, Port-channel3


- Configure DLS1 so that all log messages are sent to the Syslog server 172.16.1.2.


DLS1
logging on
logging trap 7
logging source-interface Loopback0
logging 172.16.1.2
logging host 172.16.1.2


06-26-2012 14:27:00 Local7.Debug 10.1.1.1 62: *Mar 1 00:42:05.767: EIGRP: Packet from ourselves ignored
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 61: *Mar 1 00:42:05.767: AS 1, Flags 0x0, Seq 0/0 interfaceQ 0/0
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 60: *Mar 1 00:42:05.767: EIGRP: Received HELLO on Loopback0 nbr 10.1.1.1
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 59: *Mar 1 00:42:05.767: AS 1, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 58: *Mar 1 00:42:05.767: EIGRP: Sending HELLO on Loopback0
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 57: *Mar 1 00:42:05.700: AS 1, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 56: *Mar 1 00:42:05.700: EIGRP: Sending HELLO on Port-channel3
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 55: *Mar 1 00:42:05.549: AS 1, Flags 0x0, Seq 0/0 interfaceQ 0/0 iidbQ un/rely 0/0 peerQ un/rely 0/0
06-26-2012 14:27:00 Local7.Debug 10.1.1.1 54: *Mar 1 00:42:05.549: EIGRP: Received HELLO on Port-channel3 nbr 10.1.12.2
06-26-2012 14:25:18 Local7.Info 10.1.1.1 53: *Mar 1 00:40:24.492: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 172.16.1.2 Port 514 started - CLI initiated
06-26-2012 14:25:17 Local7.Notice 10.1.1.1 52: *Mar 1 00:40:18.485: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.12.2)
06-26-2012 14:22:30 Local7.Debug 127.0.0.1 Kiwi Syslog Server - Test message number 0002
06-26-2012 14:19:55 Local7.Info 10.1.12.1 51: *Mar 1 00:35:03.149: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 172.16.1.2 Port 514 started - CLI initiated
06-26-2012 14:19:54 Local7.Notice 10.1.12.1 50: *Mar 1 00:35:02.092: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.12.2)
06-26-2012 14:17:17 Local7.Debug 127.0.0.1 Kiwi Syslog Server - Test message number 0001
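The collector output above is what a SOC actually has to work with: the line that matters is %SYS-5-CONFIG_I (someone changed the configuration from vty0 at 10.1.12.2), while "logging trap 7" buries it under EIGRP hello debug output. The following parser is an added example, not code from the guide or from Kiwi; it reads lines in the same "date time Facility.Severity host message" layout shown above (the sample lines are constructed copies of that layout), extracts the IOS %FACILITY-SEVERITY-MNEMONIC tag, and reports every configuration change together with its source address. A severity count per feed shows whether the trap level is too verbose.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the same layout as the Kiwi export above (not actual captures).
SAMPLE_LINES = [
    "06-26-2012 14:27:00 Local7.Debug 10.1.1.1 58: *Mar 1 00:42:05.767: EIGRP: Sending HELLO on Loopback0",
    "06-26-2012 14:25:18 Local7.Info 10.1.1.1 53: *Mar 1 00:40:24.492: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 172.16.1.2 Port 514 started - CLI initiated",
    "06-26-2012 14:25:17 Local7.Notice 10.1.1.1 52: *Mar 1 00:40:18.485: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.12.2)",
    "06-26-2012 14:22:30 Local7.Debug 127.0.0.1 Kiwi Syslog Server - Test message number 0002",
    "06-26-2012 14:19:54 Local7.Notice 10.1.12.1 50: *Mar 1 00:35:02.092: %SYS-5-CONFIG_I: Configured from console by vty0 (10.1.12.2)",
]

# "MM-DD-YYYY HH:MM:SS Facility.Severity host message"
LINE_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<facility>[A-Za-z0-9]+)\.(?P<severity>[A-Za-z]+) (?P<host>\S+) (?P<msg>.*)$"
)
# IOS messages carry a %FACILITY-SEVERITY-MNEMONIC tag after the sequence number and timestamp.
MNEMONIC_RE = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): ?(?P<text>.*)")
CONFIG_RE = re.compile(r"Configured from (?P<method>\S+) by (?P<line>\S+)(?: \((?P<src>[0-9.]+)\))?")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one collector line into its fields; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    tag = MNEMONIC_RE.search(rec["msg"])
    rec["mnemonic"] = f"{tag['fac']}-{tag['sev']}-{tag['mnem']}" if tag else ""
    rec["text"] = tag["text"] if tag else rec["msg"]
    return rec


def config_changes(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, line, source_ip) for every SYS-5-CONFIG_I event: the alert a SOC wants from this feed."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["mnemonic"] != "SYS-5-CONFIG_I":
            continue
        c = CONFIG_RE.search(rec["text"])
        if c:
            hits.append((rec["host"], c["line"], c["src"] or ""))
    return hits


def severity_counts(lines: List[str]) -> Counter:
    """Lines per severity; a Debug-dominated feed means 'logging trap 7' is too verbose for production."""
    return Counter(rec["severity"] for rec in map(parse_line, lines) if rec)


if __name__ == "__main__":
    for host, vty, src in config_changes(SAMPLE_LINES):
        print(f"config change on {host} from {vty} ({src})")
    print(severity_counts(SAMPLE_LINES))
```

In production the trap level is normally left at informational (6) so that CONFIG_I and LOGGINGHOST_STARTSTOP arrive without the hello noise, and the config-change alert is the one to route to a ticket.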



Port-Security using MACROs
• Before starting this lab, erase the switch configuration.
• Configure ALSx so that ports FastEthernet 0/10 through FastEthernet 0/16 allow only one MAC address. If more than one MAC is detected, the switch must drop the traffic from the MAC that is not allowed.
• Use a MACRO.
• Verify by connecting a PC.

The following command defines a range of switch ports under the name UNA-MAC.

ALSx
define interface-range UNA-MAC fastEthernet 0/10-16
macro name SECURITY
Enter macro commands one per line. End with the character '@'.
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security violation protect
@

interface range macro UNA-MAC
macro apply SECURITY

ALS2#show running-config interface fastEthernet 0/11
Building configuration...

Current configuration : 167 bytes
!
interface FastEthernet0/11
switchport mode access
switchport port-security
switchport port-security violation protect
macro description SECURITY

ALS2#show interfaces fastEthernet 0/11 switchport
Name: Fa0/11
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
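Note that "switchport port-security maximum 1" does not appear in the running-config above because 1 is the default; the line that actually changes behaviour is "violation protect". The model below is an added example (not IOS code and not from the guide) that replays a constructed sequence of source MACs through one port in each violation mode, so the difference is visible: protect drops the second MAC silently with no counter or log, restrict drops it and counts it, and shutdown err-disables the port and then drops the legitimate PC too.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class SecurePort:
    """Toy model of one access port under 'switchport port-security' (added example, not IOS code)."""
    name: str
    maximum: int = 1              # switchport port-security maximum N (1 is the IOS default)
    violation: str = "shutdown"   # protect | restrict | shutdown (shutdown is the IOS default)
    learned: Set[str] = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0           # the counter 'show port-security' reports
    notified: List[str] = field(default_factory=list)   # syslog/SNMP-style notices emitted

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if it is dropped."""
        if self.err_disabled:
            return False
        if src_mac in self.learned:
            return True
        if len(self.learned) < self.maximum:
            self.learned.add(src_mac)          # dynamic secure MAC (sticky would also write it to the config)
            return True
        # A MAC beyond 'maximum': the violation mode decides what happens.
        if self.violation == "protect":
            return False                       # silent drop: no log, no counter, port stays up
        self.violations += 1
        self.notified.append(f"PSECURE_VIOLATION on {self.name} by {src_mac}")
        if self.violation == "shutdown":
            self.err_disabled = True           # port goes err-disabled until reset (or errdisable recovery)
        return False                           # restrict: drop and count, port stays up


def simulate(mode: str, frames: List[str]) -> Dict[str, object]:
    """Replay a constructed sequence of source MACs through one port in the given violation mode."""
    port = SecurePort("Fa0/11", maximum=1, violation=mode)
    decisions = [(mac, port.ingress(mac)) for mac in frames]
    return {
        "forwarded": [mac for mac, ok in decisions if ok],
        "dropped": [mac for mac, ok in decisions if not ok],
        "violations": port.violations,
        "err_disabled": port.err_disabled,
    }


# Constructed traffic: the legitimate PC, a second device plugged into the same port, then the PC again.
FRAMES = ["0000.1111.aaaa", "0000.1111.aaaa", "0000.2222.bbbb", "0000.1111.aaaa"]

if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, simulate(mode, FRAMES))
```

The lab's choice of protect satisfies the task ("drop the traffic for the non-permitted MAC"), but it is the one mode that leaves no trace in logs or counters, so a second device on the port goes unnoticed; restrict gives the same forwarding behaviour plus the evidence.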

Blocking UNICAST/MULTICAST
• Configure the ports above so that they block unknown unicast/multicast frames.

Note: By default, switches flood frames with an unknown destination MAC address out of every port in the same VLAN. Some ports do not need this, for example because they have a static MAC address assigned.


ALSx
interface range fastEthernet 0/10-16
switchport block multicast
switchport block unicast

ALS2#show interfaces fastEthernet 0/11 switchport
Name: Fa0/11
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: enabled
Unknown multicast blocked: enabled
Appliance trust: none

MAC Filter
• Configure on ALSx a unicast MAC filter so that the switch discards packets whose source or destination address is 0000.1234.DC10. If such a packet is received on any port associated with the default VLAN, it must be discarded (dropped).
• Verify by configuring the MAC 0000.1234.DC10 on interface f0/0 of the Router (or PC) and connecting it to port f0/23 of switch ALS1.

ALS1
mac-address-table static 0000.1234.DC10 vlan 1 drop

ALS2#show mac-address-table static address 0000.1234.DC10
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
1 0000.1234.dc10 STATIC Drop
Total Mac Addresses for this criterion: 1

ALS1
interface FastEthernet0/23
switchport mode access
spanning-tree portfast

R1
interface FastEthernet0/0
mac-address 0000.1234.dc10
ip address 10.1.1.10 255.255.255.0





VACLs
Setup: Configure DLS1 with SVI 110 and address 11.1.1.1/24. The PC must connect to interface Fa0/1. DLS1 must act as DHCP server and hand the PC the address 11.1.1.12/24. Enable telnet on DLS1.

• Configure a VACL filter that allows the PC connected to DLS1 to reach this same switch over telnet but does not allow ICMP tests. Use a VACL. Any other traffic is permitted.

PC1
Ethernet adapter Ethernet:

Connection-specific DNS Suffix . . . . . :
Description . . . . . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . . . . . : 50-B7-C3-07-A1-9D
DHCP Enabled. . . . . . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . . . . . : Yes
Link-local IPv6 Address . . . . . . . . . : fe80::e01f:70bc:4361:24fc%12(Preferred)

IPv4 Address. . . . . . . . . . . . . . . : 11.1.1.12(Preferred)
Subnet Mask . . . . . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . . . . . : Sunday, June 09, 2013 11:39:59
Lease Expires . . . . . . . . . . . . . . : Monday, June 10, 2013 11:39:58

C:\>


Before continuing with the lab we will check whether telnet and ICMP access exists.


PC
C:\>ping 11.1.1.1
Pinging 11.1.1.1 with 32 bytes of data:
Reply from 11.1.1.1: bytes=32 time=5ms TTL=255
Reply from 11.1.1.1: bytes=32 time=3ms TTL=255
Reply from 11.1.1.1: bytes=32 time=3ms TTL=255
Reply from 11.1.1.1: bytes=32 time=2ms TTL=255
Ping statistics for 11.1.1.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 5ms, Average = 3ms

PC
C:\>telnet 11.1.1.1

DLS1>enable
DLS1#sh users
Line User Host(s) Idle Location
0 con 0 idle 00:08:27
* 1 vty 0 idle 00:00:00 11.1.1.12

Interface User Mode Idle Peer Address

DLS1
access-list 100 permit tcp any any eq 23
access-list 101 permit icmp any any

vlan access-map FILTRO 10
action forward
match ip address 100

vlan access-map FILTRO 20
action drop
match ip address 101

vlan access-map FILTRO 30
action forward

vlan filter FILTRO vlan-list 110









DLS1#sh vlan filter
VLAN Map FILTRO is filtering VLANs:
110

DLS1#sh vlan access-map
Vlan access-map "FILTRO" 10
Match clauses:
ip address: 100
Action:
forward
Vlan access-map "FILTRO" 20
Match clauses:
ip address: 101
Action:
drop
Vlan access-map "FILTRO" 30
Match clauses:
Action:
forward

DLS1#ping 11.1.1.12
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.1.1.12, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

DLS1#copy startup-config tftp:
Address or name of remote host []? 11.1.1.12
Destination filename [dls1-confg]?
!!
5448 bytes copied in 0.100 secs (54480 bytes/sec)
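Two details of VACL semantics explain the results above: sequences are evaluated in order and the first one whose match clause "permits" the packet decides the action, and a packet that matches no sequence is dropped, so sequence 30 (forward, no match clause) is what keeps telnet replies and the TFTP copy working. Note also that the filter applies to every frame bridged in VLAN 110, which is why DLS1's own ping to 11.1.1.12 fails as well. The evaluator below is an added example (not IOS code and not from the guide) that encodes ACLs 100 and 101 and access-map FILTRO exactly as configured, runs constructed packets for the page's tests through it, and shows what happens to the TFTP transfer if sequence 30 is omitted.

```python
from typing import Dict, List, Optional, Tuple

# An ACE as (action, protocol, destination port); "ip" matches any protocol, None matches any port.
Ace = Tuple[str, str, Optional[int]]
Packet = Dict[str, object]

# The two ACLs from the configuration above, in the same order as on the page.
ACLS: Dict[str, List[Ace]] = {
    "100": [("permit", "tcp", 23)],      # access-list 100 permit tcp any any eq 23
    "101": [("permit", "icmp", None)],   # access-list 101 permit icmp any any
}

# vlan access-map FILTRO: (sequence, action, ACL named in the match clause; None = no match clause)
FILTRO = [(10, "forward", "100"), (20, "drop", "101"), (30, "forward", None)]


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First-match ACL evaluation. Inside a VACL match clause a deny (or the implicit deny at
    the end) means 'this sequence does not match', not 'drop the packet'."""
    for action, proto, dport in acl:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if dport is not None and dport != pkt.get("dport"):
            continue
        return action == "permit"
    return False


def vacl_action(access_map: List[Tuple[int, str, Optional[str]]], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the access-map sequences in order; the first matching sequence's action wins.
    A packet that matches no sequence is dropped (VACL implicit deny)."""
    for seq, action, acl_name in sorted(access_map):
        if acl_name is None or acl_permits(ACLS[acl_name], pkt):
            return action, seq
    return "drop", None


# Constructed packets for the tests on the page: PC 11.1.1.12 <-> SVI 11.1.1.1 in VLAN 110.
TELNET = {"proto": "tcp", "src": "11.1.1.12", "dst": "11.1.1.1", "dport": 23}
TELNET_REPLY = {"proto": "tcp", "src": "11.1.1.1", "dst": "11.1.1.12", "dport": 51022}
PING_FROM_PC = {"proto": "icmp", "src": "11.1.1.12", "dst": "11.1.1.1"}
PING_FROM_SWITCH = {"proto": "icmp", "src": "11.1.1.1", "dst": "11.1.1.12"}
TFTP = {"proto": "udp", "src": "11.1.1.1", "dst": "11.1.1.12", "dport": 69}

if __name__ == "__main__":
    cases = [("telnet PC->SVI", TELNET), ("telnet reply", TELNET_REPLY), ("ping PC->SVI", PING_FROM_PC),
             ("ping SVI->PC", PING_FROM_SWITCH), ("tftp SVI->PC", TFTP)]
    for name, pkt in cases:
        print(f"{name:15} -> {vacl_action(FILTRO, pkt)}")
    # Without sequence 30 every packet that is neither telnet nor ICMP hits the implicit drop.
    print("tftp, no seq 30 ->", vacl_action(FILTRO[:2], TFTP))
```

The telnet reply is forwarded by sequence 30, not by sequence 10 (its destination port is the client's ephemeral port, not 23), which is the usual reason a VACL that "only permits telnet" breaks telnet when the catch-all forward is forgotten.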






DHCP Snooping
• DLS1 must have the VTP Server role in domain duoc.cl. ALS1 must be a VTP client.
• DLS1 must create VLAN 100 named DHCP. Verify that it propagates to ALS1.
• Create PortChannel 1 between DLS1 and ALS1 without using PAgP or LACP. Enable trunking using 802.1Q and allow VLANs 1 and 100. Disable DTP.


DLS1
vtp mode server
vtp domain duoc.cl
vlan 100
name DHCP

interface range fastEthernet 0/2-3
channel-group 1 mode on

interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,100
switchport mode trunk
switchport nonegotiate

ALS1
vtp mode client

interface range fastEthernet 0/2-3
channel-group 1 mode on

interface Port-channel1
switchport trunk allowed vlan 1,100
switchport mode trunk
switchport nonegotiate

ALS1#show etherchannel summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1
Number of aggregators: 1

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) - Fa0/2(P) Fa0/3(P)


• On DLS1, create SVI 100 using IP address 100.1.1.1/24.
• Configure DHCP on DLS1 with the following characteristics:
- Pool ABCD 100.1.1.0/24
- Default Router 100.1.1.1
- Lease 4 days, 10 hours, 30 minutes.
- The range 100.1.1.1 to 100.1.1.20 must be excluded

• On ALS1, assign port Fa0/23 to VLAN 100 (access port).


DLS1
interface Vlan100
ip address 100.1.1.1 255.255.255.0
no shutdown

ip dhcp excluded-address 100.1.1.1 100.1.1.20

ip dhcp pool ABCD
network 100.1.1.0 255.255.255.0
default-router 100.1.1.1
lease 4 10 30




ALS1
interface FastEthernet0/23
switchport access vlan 100
switchport mode access
spanning-tree portfast

interface FastEthernet0/21
switchport access vlan 100
switchport mode access
spanning-tree portfast

DLS1#sh ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
100.1.1.21 0100.2622.706d.df Mar 05 1993 11:37 AM Automatic


• Configure R1 with the same DHCP scheme (R1 plays the part of a second DHCP server on the segment, the one DHCP snooping will later have to block).


R1
ip dhcp excluded-address 100.1.1.1 100.1.1.20

ip dhcp pool ABCD
network 100.1.1.0 255.255.255.0
default-router 100.1.1.1
lease 4 10 30

interface FastEthernet0/0
ip address 100.1.1.1 255.255.255.0
no shutdown


• Disable PortChannel 1 and verify that the PC now obtains its lease from the Router's DHCP pool.


ALS1
interface port-channel 1
shutdown



• Configure DHCP Snooping so that the only trusted interface is the one that communicates with the DHCP server DLS1.
• Limit the untrusted ports to only 3 packets (per second).


ALS1#debug ip dhcp snooping event
DHCP Snooping Event debugging is on


ALS1
ip dhcp snooping
ip dhcp snooping vlan 100
ip dhcp snooping information option

interface FastEthernet0/21
ip dhcp snooping limit rate 3

interface FastEthernet0/23
ip dhcp snooping limit rate 3

interface Port-channel1
ip dhcp snooping trust

ALS1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
100
DHCP snooping is configured on the following Interfaces:

Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface Trusted Rate limit (pps)
------------------------ ------- ----------------
FastEthernet0/21 no 3
FastEthernet0/23 no 3
Port-channel1 yes unlimited
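The "show ip dhcp snooping" output lists the checks the switch now applies: server messages are only accepted on the trusted Po1, option 82 is rejected on untrusted ports, the DHCP chaddr must match the Ethernet source, and untrusted ports are limited to 3 packets per second. The model below is an added example (not IOS code and not from the guide) that applies those rules to a constructed packet flow on the lab topology: the PC on Fa0/23 obtaining 100.1.1.21 from DLS1 through Po1, then R1 on Fa0/21 trying to answer as a DHCP server, a spoofed chaddr, a DISCOVER burst that trips the rate limit, and a host-inserted option 82. The MAC addresses for DLS1 and R1 and the timing are assumptions; the PC's MAC is the one in the binding shown earlier.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # only a DHCP server sends these


@dataclass
class Port:
    name: str
    trusted: bool = False
    rate_limit: Optional[int] = None   # DHCP packets per second; None = unlimited
    err_disabled: bool = False


@dataclass
class DhcpPacket:
    """A DHCP packet as the switch sees it (constructed for the example, not captured)."""
    port: str        # ingress interface
    src_mac: str     # Ethernet source address
    chaddr: str      # client hardware address inside the DHCP payload
    mtype: str       # DISCOVER / OFFER / REQUEST / ACK / ...
    ts: float        # arrival time in seconds
    yiaddr: str = ""
    option82: bool = False


@dataclass
class SnoopingSwitch:
    """Toy model of the checks listed by 'show ip dhcp snooping'; not the IOS implementation."""
    vlan: int
    ports: Dict[str, Port]
    bindings: Dict[str, Dict[str, object]] = field(default_factory=dict)   # chaddr -> binding entry
    pending: Dict[str, str] = field(default_factory=dict)                 # chaddr -> untrusted ingress port
    window: Dict[str, List[float]] = field(default_factory=dict)          # per-port arrival times

    def over_rate(self, port: Port, ts: float) -> bool:
        """Count every DHCP packet on the port within the last second against its limit."""
        if port.rate_limit is None:
            return False
        recent = [t for t in self.window.get(port.name, []) if ts - t < 1.0]
        recent.append(ts)
        self.window[port.name] = recent
        return len(recent) > port.rate_limit

    def inspect(self, pkt: DhcpPacket) -> str:
        port = self.ports[pkt.port]
        if port.err_disabled:
            return "drop: port err-disabled"
        if self.over_rate(port, pkt.ts):
            port.err_disabled = True               # IOS err-disables the port when the limit is exceeded
            return "drop: rate limit exceeded, port err-disabled"
        if not port.trusted:
            if pkt.mtype in SERVER_MESSAGES:
                return "drop: server message on untrusted port"   # rogue DHCP server
            if pkt.option82:
                return "drop: option 82 on untrusted port"         # 'Option 82 on untrusted port is not allowed'
            if pkt.src_mac != pkt.chaddr:
                return "drop: hwaddr verification failed"          # 'Verification of hwaddr field is enabled'
            self.pending[pkt.chaddr] = port.name
            return "forward"
        # Trusted port (towards DLS1): server replies pass, and ACKs populate the binding table.
        if pkt.mtype == "ACK" and pkt.chaddr in self.pending:
            self.bindings[pkt.chaddr] = {"ip": pkt.yiaddr, "vlan": self.vlan, "port": self.pending[pkt.chaddr]}
        return "forward"


def run_scenario():
    """Replay the lab: PC on Fa0/23, R1 (second DHCP server) on Fa0/21, DLS1 behind the trusted Po1."""
    sw = SnoopingSwitch(100, {
        "Fa0/23": Port("Fa0/23", rate_limit=3),
        "Fa0/21": Port("Fa0/21", rate_limit=3),
        "Po1": Port("Po1", trusted=True),
    })
    pc, dls1, r1 = "0026.2270.6ddf", "0000.0c11.1111", "0000.0c22.2222"   # DLS1 and R1 MACs are assumed
    flow = [
        DhcpPacket("Fa0/23", pc, pc, "DISCOVER", 0.0),
        DhcpPacket("Po1", dls1, pc, "OFFER", 0.1, yiaddr="100.1.1.21"),
        DhcpPacket("Fa0/23", pc, pc, "REQUEST", 0.2),
        DhcpPacket("Po1", dls1, pc, "ACK", 0.3, yiaddr="100.1.1.21"),
        DhcpPacket("Fa0/21", r1, pc, "OFFER", 0.4, yiaddr="100.1.1.21"),   # R1 answering on an untrusted port
        DhcpPacket("Fa0/21", r1, "dead.beef.0001", "DISCOVER", 0.5),       # spoofed chaddr
        DhcpPacket("Fa0/21", r1, r1, "DISCOVER", 1.0),                      # starvation burst: 3rd packet in 1 s
        DhcpPacket("Fa0/21", r1, r1, "DISCOVER", 1.1),                      # 4th packet in 1 s: over the limit
        DhcpPacket("Fa0/21", r1, r1, "DISCOVER", 1.2),
        DhcpPacket("Fa0/23", pc, pc, "DISCOVER", 2.0, option82=True),      # relay-agent option from a host
    ]
    return [sw.inspect(p) for p in flow], sw.bindings, sw.ports["Fa0/21"].err_disabled


if __name__ == "__main__":
    results, bindings, disabled = run_scenario()
    for line in results:
        print(line)
    print("bindings:", bindings, "| Fa0/21 err-disabled:", disabled)
```

The binding table built from the trusted ACK is what later features (IP Source Guard, Dynamic ARP Inspection) consult, which is why the rate limit and the hwaddr check matter: a client that can flood or forge DISCOVERs can also poison or exhaust that table.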



ARP Spoofing (Poisoning).
ARP runs over Ethernet (EtherType 0x0806). The protocol was created in 1982, a time when security problems were rare, so it has no authentication mechanism, which makes it a protocol that can be attacked.
When a host replaces its network card it sends an unsolicited ARP to every host on the segment so that they update their ARP cache (IP-to-MAC table); this is also known as gratuitous ARP.
ARP problems:
No authentication: identity spoofing is possible.
Data leakage: every host on a segment learns that a conversation is about to start between two hosts.
Availability attack: since the hosts on a segment must respond to an ARP request, an attacker can send thousands of ARP requests, forcing the hosts on the segment to respond with ARP replies.
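Because nothing in ARP authenticates the sender, the only defence on the switch or on a monitoring host is to compare each claim against a binding that is trusted for another reason (the DHCP snooping table, or a static entry for the gateway) and flag contradictions; that is what Dynamic ARP Inspection does. The code below is an added example, not part of the guide: it builds Ethernet/ARP frames from scratch (RFC 826 layout, EtherType 0x0806), parses them back, and keeps an IP-to-MAC table that raises an alert when a gratuitous ARP or an unsolicited reply claims an address already bound to a different MAC. The gateway, host and attacker MACs and the 10.1.1.0/24 segment are constructed for the example.

```python
import struct
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str, dst: str = BROADCAST) -> bytes:
    """Ethernet II + ARP frame (RFC 826): op 1 = request, 2 = reply. Used only to construct samples."""
    ethernet = mac_bytes(dst) + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype Ethernet, ptype IPv4, hlen 6, plen 4, opcode
    return ethernet + header + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """Return the ARP fields of a frame, or None if it is not a well-formed IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    spa, tpa = fmt_ip(frame[28:32]), fmt_ip(frame[38:42])
    return {"op": op, "sha": fmt_mac(frame[22:28]), "spa": spa, "tha": fmt_mac(frame[32:38]),
            "tpa": tpa, "gratuitous": spa == tpa}   # sender announcing its own address


class ArpMonitor:
    """Keep the IP->MAC claims seen on a segment and flag any that contradict a known binding."""

    def __init__(self, static: Optional[Dict[str, str]] = None):
        self.table: Dict[str, str] = dict(static or {})   # trusted bindings (DHCP snooping table, gateway)
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        arp = parse_arp(frame)
        if arp is None or arp["spa"] == "0.0.0.0":   # ignore non-ARP frames and ARP probes
            return None
        known = self.table.get(arp["spa"])
        if known is None:
            self.table[arp["spa"]] = arp["sha"]      # first claim for this IP: learn it
            return None
        if known != arp["sha"]:
            kind = "gratuitous ARP" if arp["gratuitous"] else ("reply" if arp["op"] == 2 else "request")
            alert = f"{arp['spa']} claimed by {arp['sha']} in {kind}, expected {known}"
            self.alerts.append(alert)
            return alert
        return None


def detect_poisoning() -> List[str]:
    """Constructed segment: gateway 10.1.1.1, host 10.1.1.10, attacker poisoning both directions."""
    gw, host, attacker = "00:00:0c:07:ac:01", "00:50:b6:aa:bb:cc", "00:0c:29:de:ad:01"
    monitor = ArpMonitor(static={"10.1.1.1": gw})              # the gateway binding is pinned
    frames = [
        build_arp(1, host, "10.1.1.10", "00:00:00:00:00:00", "10.1.1.1"),   # host: who-has 10.1.1.1
        build_arp(2, gw, "10.1.1.1", host, "10.1.1.10", dst=host),          # legitimate reply
        build_arp(2, attacker, "10.1.1.1", attacker, "10.1.1.1"),           # gratuitous: "I am the gateway"
        build_arp(2, attacker, "10.1.1.10", gw, "10.1.1.1", dst=gw),        # unsolicited reply to the gateway
    ]
    for frame in frames:
        monitor.observe(frame)
    return monitor.alerts


if __name__ == "__main__":
    for alert in detect_poisoning():
        print("ALERT:", alert)
```

The two alerts correspond to the two halves of a man-in-the-middle: the attacker tells the host it is the gateway and tells the gateway it is the host. A monitor that only learns (no static or snooping-derived bindings) would accept whichever claim arrived first, which is why the gateway entry is pinned here.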