network cisco ccna gns3 certification arteq
a network runs through it

Monday, April 30, 2012

anki is here...

if you have not checked out this study aid, you are missing out...

http://ankisrs.net/

if you are chasing a cert, you need anki... it's free, it works on all platforms, and you need this now...  in the last hour i just scraped the entire "do i know this already q&a" from an ocg into a deck of flashcards in anki...

the beauty of this thing is that it's interactive...  you rate the questions on the cards, don't cheat yourself, and the difficult ones will pop up sooner than the easy ones over time...  this method will ensure long term memory retention...

think of the possibilities...  ios commands, osi model theory, stp enhancements, diagrams, audio, timer values, ad's, subnetting, you name it... and there are already sets that can be downloaded which have been built by others...  i have no idea about the legality of this, but if you own the book i don't see an argument, and if you're not selling them, what is the infringement...

here's what i did... i opened two copies of the book... one copy was opened to the questions, and the other copy was opened to the answers... i scraped the question into the top of the card, and the answer into the bottom... i did 200  questions from the horses mouth in less than an hour...

this is just perfect for the ccent/ccna, ccnp even ccie candidate...

i'm not going to show you how to use it, you can figure it out...

i know i mentioned flash cards about a month ago, but this is a quantum leap ahead of that...

get it now and build your own study aid... concentrate on your weaknesses, hammer away...

auto qos...

either auto qos or manual configuration, never both...

remove any manual qos before implementing auto qos

auto qos runs a macro that makes assumptions about the network (cisco phones on the port, cos trusted only from those phones, a standard set of queues) and configures according to those assumptions... the generated commands land in the running config, so you can read back exactly what it did with sh run, as below

auto qos:

   globally enables qos (mls qos)

   configures the switch port to trust incoming cos, but only while a cisco phone is detected via cdp (mls qos trust device cisco-phone)

   globally configures the ingress and egress thresholds and queues

   configures the egress queueing for the port on which it is enabled: the wrr bandwidth weights, the cos-to-queue map and the strict priority queue (this is scheduling, not traffic shaping; nothing here rate limits the port)


dls1#sh run int f0/15
Building configuration...

Current configuration : 58 bytes
!
interface FastEthernet0/15
 switchport mode access
end

dls1(config)#int f0/15
dls1(config-if)#auto qos voip cisco-phone
dls1(config-if)#do sh run int f0/15
Building configuration...

Current configuration : 399 bytes
!
interface FastEthernet0/15
 switchport mode access
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 wrr-queue bandwidth 10 20 70 1
 wrr-queue min-reserve 1 5
 wrr-queue min-reserve 2 6
 wrr-queue min-reserve 3 7
 wrr-queue min-reserve 4 8
 wrr-queue cos-map 1 0 1
 wrr-queue cos-map 2 2 4
 wrr-queue cos-map 3 3 6 7
 wrr-queue cos-map 4 5
 priority-queue out
end

dls1#sh mls qos int f0/15
FastEthernet0/15
trust state: trust cos
trust mode: trust cos
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone

Sunday, April 29, 2012

mls qos...

enabling mls qos globally...

dls1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
dls1(config)#mls qos
QoS: ensure flow-control on all interfaces are OFF for proper operation.
dls1(config)#do sho mls qos
QoS is enabled
dls1(config)#end
dls1#sh mls qos int f0/15
FastEthernet0/15
trust state: not trusted
trust mode: not trusted
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none

dls1#

note by default the trust state is untrusted, therefore QoS markings sent by a connected device are not honoured... in other words, once mls qos is enabled the switch re-marks all inbound frames on an untrusted port to the port's default CoS, which is 0 unless you change it

a trust boundary is the line in the sand beyond which a switch will not trust incoming QoS labels, ie, between itself and a connected pc... the phone, however, should be trusted, whereas the pc hanging off the back of the phone is not

the ip phone extends the trust boundary: the switch trusts the phone (identified via cdp, hence trust device cisco-phone), and the phone itself re-marks whatever the pc sends into its access port (by default to cos 0), so the pc never gets to set its own priority...

below, i've put mls qos trust cos, then in the next statement i added device cisco-phone... the trust state is not trusted because no phone is attached...

dls1(config-if)#mls qos trust dev cisco-phone
dls1(config-if)#do sh mls qos int f0/15      
FastEthernet0/15
trust state: not trusted
trust mode: trust cos
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone

but now i connect the phone...

dls1(config-if)#do sh mls qos int f0/15
FastEthernet0/15
trust state: trust cos
trust mode: trust cos
COS override: dis
default COS: 0
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: cisco-phone


and the state moves to trusted...

jitter...

the perfect definition...

"jitter is the variation in delay between consecutive packets. jitter is often referred to as variation delay." browning, switch simplified...

three quarters of the way through browning's book now, switch simplified, and it is a milestone in network texts... i've read quite a few along the way, but this has got to be one of the best ever

i'm sure farai tafa had a lot to do with the excellence of this read...

the kindle delivery i am not thrilled with, however...  reading on this ipad is annoying at best...

this is far and away superior to anything else out there i have read on switch...

rest assured i will be getting their ccnp route book when it is time...

3 QoS models...



best effort delivery
   (BE) what it says, no guarantees, all traffic treated equally, the lack of QoS

integrated services
   (IntServ) rfc 1633, end-to-end QoS for real-time applications such as voice and video; explicit, per-flow reservation of network resources (rsvp) for specific user packet streams

differentiated services
   (DiffServ) rfc 2474/2475, unlike IntServ, no advance reservations required; packets are marked (dscp) at the edge and each hop applies a per-hop behaviour to the class... preferred

see below for ToS evolution (this is a great intro which quickly goes deep; take human bites)

 http://fengnet.com/book/ios_mpls/ch13lev1sec1.html


The IPv4 packet header carries an 8-bit type of service (ToS) field (Figure 13-1 in the source, not reproduced here). The ToS field was conventionally used to provide QoS in IP networks. Since the advent of the Diff-Serv model the same octet has been redefined as the DS field (rfc 2474): its high-order 3 bits are the IP Precedence value and its high-order 6 bits are the DSCP, so the two markings overlap rather than one replacing the other.

Figure 13-1. IP Packet Header

The higher order 3 bits in the ToS field map to the IP Precedence value assigned to the IP packet. The predefined values used to identify the IP Precedence are shown in Table 13-1.

Table 13-1. IP Precedence Values

IP Precedence Value   Binary Value   Priority
0                     000            Routine
1                     001            Priority
2                     010            Immediate
3                     011            Flash
4                     100            Flash Override
5                     101            Critical
6                     110            Internetwork Control
7                     111            Network Control

mvap, multi-vlan access port...

not a trunk...

a multi-vlan access port is an access port set up for an ip phone that has a pc connected behind it

the PVID (port vlan id) identifies the native, untagged vlan for data traffic, and the VVID (voice vlan identifier) identifies an AUXILIARY vlan for voice. the switch uses CDP to tell the phone which VVID to tag with...

naturally, since 802.1q doesn't tag the native vlan, the data frames will be untagged, whereas the voice frames will carry dot1q tags. within the tagged frames there is a 3-bit user priority field (802.1p) which carries the layer 2 CoS
by simply configuring a VVID for the phone, the phone tags its voice frames with the VVID and marks them CoS 5 by default... note that the switch still ignores that marking until the port is told to trust it (mls qos trust cos with trust device cisco-phone, see the mls qos post above)

dls1(config)#int f0/13
dls1(config-if)#sw mode acc
dls1(config-if)#sw acc vlan 50
% Access VLAN does not exist. Creating vlan 50
dls1(config-if)#sw voice vlan 55
% Voice VLAN does not exist. Creating vlan 55
dls1(config-if)#sw mode acc
dls1(config-if)#spann portf
dls1(config-if)#end
dls1#sh int f0/13 sw
Name: Fa0/13
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
Administrative Trunking Encapsulation: negotiate
Negotiation of Trunking: Off
Access Mode VLAN: 50 (VLAN0050)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 55 (VLAN0055)

hsrp version 2... why?

because the default is version 1, and version 1 has the limits listed further down... warning: ver 1 and ver 2 are not compatible, every router in the group has to be moved together or each side stops hearing the other's hellos (note the "Standby router is unknown" below, once only dls1 has been switched)...

dls1(config-if)#do sh stand
Vlan1 - Group 1
  State is Active
    3 state changes, last state change 3d14h
  Virtual IP address is 172.16.1.3
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.436 secs
  Preemption enabled
  Active router is local
  Standby router is 172.16.1.2, priority 90 (expires in 3.432 sec)
  Priority 150 (configured 150)
  IP redundancy name is "hsrp-Vl1-1" (default)
Vlan10 - Group 1
  State is Active
    3 state changes, last state change 3d14h
  Virtual IP address is 172.16.10.3


dls1(config-if)#standby ver 2
dls1(config-if)#do sh standby
Vlan1 - Group 1 (version 2)
  State is Active
    3 state changes, last state change 3d14h
  Virtual IP address is 172.16.1.3
  Active virtual MAC address is 0000.0c9f.f001
    Local virtual MAC address is 0000.0c9f.f001 (v2 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.204 secs
  Preemption enabled
  Active router is local
  Standby router is unknown
  Priority 150 (configured 150)
  IP redundancy name is "hsrp-Vl1-1" (default)
Vlan10 - Group 1
  State is Active
    3 state changes, last state change 3d14h
  Virtual IP address is 172.16.10.3
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.220 secs
 --More--

i set the hsrp version as 2 for vlan 1 only... you'll have to do this for each interface...

version 2 supports groups from 0 to 4095 (vlans anybody?), version 1 only 0 to 255
although if your network needs to support that many vlans, you may have other concerns...

also ver 2 multicasts hellos to 224.0.0.102 instead of 224.0.0.2, so it no longer collides with cgmp (cisco's proprietary l2 multicast constraint protocol, the predecessor of igmp snooping), whose leave processing also uses 224.0.0.2

it can advertise and learn millisecond timer values, and includes a 6 byte identifier field (the sender's interface mac) identifying the sender of the message

and it says version 2... version 1 doesn't say version 1... i like when versions say what they are...

note: version 1 carries 0 in its version byte, so it shows up as version 0 in a pcap...
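an added example, written for this post and not taken from it or from cisco: a small python decoder for the hsrp v1 and v2 hello payload (the udp 1985 data), which shows the differences just listed in the bytes themselves... the version byte that reads 0 for v1, the 16-bit group, the 6-byte identifier and the millisecond timers in v2, and the default virtual macs that match the two sh standby outputs above. the two packets in it are constructed by hand from the field layouts, not captured from dls1, and the v2 identifier mac is an assumed value.

```python
"""parse hsrp v1 and v2 hello packets (the udp/1985 payload) and derive the
default virtual macs.

added example, not code from the original post.  the two packets below are
constructed by hand from the published field layouts, not captured from dls1;
the v2 sender identifier is an assumed interface mac.
"""
import struct

HSRP_V1_MCAST = "224.0.0.2"
HSRP_V2_MCAST = "224.0.0.102"
V2_GROUP_STATE_TLV = 1          # v2 is a chain of tlvs; type 1 carries the group state

STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
OPCODES = {0: "hello", 1: "coup", 2: "resign", 3: "advertise"}


def parse_hsrp(payload: bytes) -> dict:
    """decode a v1 or v2 packet into a dict of fields.

    v1 writes 0 in its version byte (the 'version 0' you see in a pcap) and
    uses second-granularity timers.  v2 wraps everything in a tlv, says 2 in
    the tlv's version byte, and uses millisecond timers plus a 6-byte sender id.
    """
    if len(payload) >= 20 and payload[0] == 0:
        # v1: fixed 20-byte layout, 8-byte cleartext auth string (ios default "cisco")
        _ver, op, state, hello, hold, prio, group, _rsv, auth, vip = struct.unpack(
            "!BBBBBBBB8s4s", payload[:20])
        return {
            "version": 1,
            "opcode": OPCODES.get(op, op),
            "state": STATES.get(state, state),
            "group": group,                         # 8-bit field: groups 0-255
            "priority": prio,
            "hello_ms": hello * 1000,
            "hold_ms": hold * 1000,
            "identifier": None,                     # v1 has no sender identifier
            "auth": auth.rstrip(b"\x00").decode("ascii", "replace"),
            "vip": ".".join(str(b) for b in vip),
        }
    if len(payload) < 42 or payload[0] != V2_GROUP_STATE_TLV or payload[1] != 40:
        raise ValueError("not an hsrp v1 packet or v2 group state tlv")
    ver, op, state, ipver, group, ident, prio, hello, hold, vip = struct.unpack(
        "!BBBBH6sIII16s", payload[2:42])
    if ver != 2:
        raise ValueError("unexpected hsrp version %d" % ver)
    return {
        "version": 2,
        "opcode": OPCODES.get(op, op),
        "state": STATES.get(state, state),
        "group": group,                             # 16-bit field: groups 0-4095
        "priority": prio,
        "hello_ms": hello,                          # already milliseconds
        "hold_ms": hold,
        "identifier": ":".join("%02x" % b for b in ident),   # sender's interface mac
        "auth": None,                               # v2 auth rides in its own tlv (not modelled here)
        "vip": ".".join(str(b) for b in vip[:4]) if ipver == 4 else vip.hex(),
    }


def virtual_mac(version: int, group: int) -> str:
    """default hsrp virtual mac: v1 is 0000.0c07.ac + 8-bit group,
    v2 is 0000.0c9f.f + 12-bit group (matches dls1's sh standby output)."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("v1 groups are 0-255")
        return "0000.0c07.ac%02x" % group
    if not 0 <= group <= 4095:
        raise ValueError("v2 groups are 0-4095")
    return "0000.0c9f.f%03x" % group


def uses_default_auth(pkt: dict) -> bool:
    """true when a v1 hello still carries the factory 'cisco' auth string,
    i.e. anyone on the segment can send a higher-priority hello and take over."""
    return pkt["version"] == 1 and pkt["auth"] == "cisco"


# constructed samples: dls1's group 1 as it would look on the wire in each version
SAMPLE_V1 = struct.pack("!BBBBBBBB8s4s", 0, 0, 16, 3, 10, 150, 1, 0,
                        b"cisco", bytes([172, 16, 1, 3]))
SAMPLE_V2 = bytes([V2_GROUP_STATE_TLV, 40]) + struct.pack(
    "!BBBBH6sIII16s", 2, 0, 16, 4, 1, bytes.fromhex("0009b73fce87"),
    150, 3000, 10000, bytes([172, 16, 1, 3]))

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        pkt = parse_hsrp(sample)
        print(pkt, virtual_mac(pkt["version"], pkt["group"]),
              "default auth!" if uses_default_auth(pkt) else "")
```

the security point it makes: the v1 auth string is cleartext and defaults to "cisco", so with preempt enabled a rogue hello at priority 255 simply takes the active role and the default gateway with it... the fix is md5 authentication (standby N authentication md5 key-string ...), and the hello is still worth watching for on the wire either way.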

Saturday, April 28, 2012

fallback bridging...

i suspect that there shouldn't be a mention of this for ccnp certification, since most indications that i'm seeing have it at ccie, even if there...  but the idea is interesting...

this is simple enough... create a bridge group for legacy non-routable protocols to pass between  svi's or l3 interfaces, such as decnet...  (is that even out there anymore?)

dls1(config)#bridge 1 protocol vlan-bridge
dls1(config)#

that statement turns it on, then configure svi's (int vlan x) into a bridge group, say 1...

dls1(config)#int vlan 10
dls1(config-if)#bridge-group 1
dls1(config-if)#end
dls1#sh bridge
Br Group    Mac Address       State      Type        Ports
--------    -----------       -----      ----        -----
   1        0009.b73f.ce87    Forward    DYNAMIC     Vl10 Po1
dls1#


this is very exciting...  chances are you'll never need it nowadays... however, i was alarmed when i read that 3550's might treat ipv6 as a non-routable protocol (read, not ipv4) in older versions of ios...

but no, arteq, you say, this simply cannot be...

dls1#sh ipv6 proto

dls1#

good Lord...

dls1(config)#ipv6 unicast-routing
dls1(config)#do sh ipv6 proto
IPv6 Routing Protocol is "connected"
dls1(config)#

good 3550...

sh ip cef adjacency ?

null - adjacency state for packets destined for the Null0 interface, which will be dropped or silently discarded

glean - adjacency state for destinations attached via a broadcast network for which no MAC rewrite string is available yet; a packet hitting this entry triggers an ARP request

punt - adjacency state for packets that cef cannot switch and hands to the next, slower switching path (process switching), typically ip exceptions such as packets with ip options

drop - adjacency state that drops packets because they can't be cef-switched or punted

discard - similar to drop, also applies to policy-filtered packets (ie, acl's)

more from wiki: http://en.wikipedia.org/wiki/Cisco_Express_Forwarding


The adjacency table maintains layer 2 or switching information linked to a particular FIB entry, avoiding the need for an ARP request for each table lookup. There are several types of adjacencies. Some are listed below:
  • Cache adjacency: This type of entry contains the correct outbound interface and the correct MAC address for its FIB entry. The MAC address is the IP address's MAC address if the destination's subnet is directly connected to the router, or is the MAC address of the router that the packet needs to be sent to if the destination's subnet is not directly connected to the router currently processing the packet.
  • Receive adjacency: This type of entry handles packets whose final destinations include the router itself. This includes packets whose IP addresses are assigned to the router itself, broadcast packets, and multicasts that have set up the router itself as one of the destinations.
  • Null adjacency: Handles packets destined to a NULL interface. Packets with FIB entries pointing to NULL adjacencies will normally be dropped.
  • Punt adjacency: Deals with packets that require special handling or can not be switched by CEF. Such packets are forwarded to the next switching layer (generally fast switching) where they can be forwarded correctly.
  • Glean adjacency: This adjacency is created when the router knows that either the destination IP's subnet is directly connected to the router itself and it does not know that destination device's MAC address, or the router knows the IP address of the router to forward a packet to for a destination, but it does not know that router's MAC address. Packets that trigger this entry will generate an ARP request.
  • Discard adjacency: FIB entries pointing to this type of adjacency will be discarded.
  • Drop adjacency: Packets pointing to this entry are dropped, but the prefix will be checked.

dls1#sh ip cef adj null 0 172.16.1.2
% No adjacency for 172.16.1.2 on Null0
dls1#sh ip cef adj glean           
Prefix               Next Hop             Interface
172.16.1.0/24        attached             Vlan1
172.16.10.0/24       attached             Vlan10
172.16.20.0/24       attached             Vlan20
172.16.30.0/24       attached             Vlan30
192.168.1.0/24       attached             FastEthernet0/24
dls1#sh ip cef adj punt 
Prefix               Next Hop             Interface
dls1#sh ip cef adj drop
Prefix               Next Hop             Interface
240.0.0.0/4          drop
dls1#sh ip cef adj discard
Prefix               Next Hop             Interface
dls1#

sh ip cef...


dls1#sh ip cef
Prefix               Next Hop             Interface
0.0.0.0/0            no route
0.0.0.0/32           receive             
172.16.1.0/24        attached             Vlan1
172.16.1.0/32        receive              Vlan1
172.16.1.1/32        receive              Vlan1
172.16.1.2/32        attached             Vlan1
172.16.1.3/32        receive             
172.16.1.101/32      attached             Vlan1
172.16.1.102/32      attached             Vlan1
172.16.1.200/32      attached             Vlan1
172.16.1.255/32      receive              Vlan1
172.16.10.0/24       attached             Vlan10
172.16.10.0/32       receive              Vlan10
172.16.10.1/32       receive              Vlan10
172.16.10.3/32       receive             
172.16.10.255/32     receive              Vlan10
172.16.20.0/24       attached             Vlan20
172.16.20.0/32       receive              Vlan20
172.16.20.1/32       receive              Vlan20
172.16.20.3/32       receive             
172.16.20.255/32     receive              Vlan20
172.16.30.0/24       attached             Vlan30
172.16.30.0/32       receive              Vlan30
172.16.30.1/32       receive              Vlan30
172.16.30.3/32       receive             
172.16.30.255/32     receive              Vlan30
192.168.1.0/24       attached             FastEthernet0/24
192.168.1.0/32       receive              FastEthernet0/24
192.168.1.1/32       attached             FastEthernet0/24
192.168.1.2/32       attached             FastEthernet0/24
192.168.1.8/32       attached             FastEthernet0/24
192.168.1.100/32     receive              FastEthernet0/24
192.168.1.255/32     receive              FastEthernet0/24
224.0.0.0/4          drop
224.0.0.0/24         receive             
240.0.0.0/4          drop
255.255.255.255/32   receive             
dls1#

drop - a match drops the packet
receive - a match gets shipped to the control plane for processing (the switch's own addresses, each subnet's network and broadcast address, 224.0.0.0/24 link-local multicast)
attached - a match means locally connected; a host entry without a mac rewrite yet is gleaned via arp
resolved - a match represents a route to a host on the local subnet, or a remote subnet learned from the control plane (routing table)
wildcard - does not match FIB entries and gets dropped
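an added example (mine, not the post's): a python version of the lookup the FIB does, fed with the dls1 table above pasted in as text. it shows the longest match rule that explains the output: 172.16.1.1 hits the /32 receive entry rather than the /24 attached one, 224.0.0.5 hits 224.0.0.0/24 receive rather than the /4 drop, and anything not covered falls to 0.0.0.0/0 no route... the addresses looked up are made up.

```python
"""longest-prefix lookup against a 'show ip cef' table.

added example, not from the original post.  the table text is dls1's output
from this page, pasted inline so the script runs offline; the looked-up
addresses are made up.
"""
import ipaddress

SHOW_IP_CEF = """\
Prefix               Next Hop             Interface
0.0.0.0/0            no route
0.0.0.0/32           receive
172.16.1.0/24        attached             Vlan1
172.16.1.0/32        receive              Vlan1
172.16.1.1/32        receive              Vlan1
172.16.1.2/32        attached             Vlan1
172.16.1.3/32        receive
172.16.1.255/32      receive              Vlan1
192.168.1.0/24       attached             FastEthernet0/24
192.168.1.1/32       attached             FastEthernet0/24
224.0.0.0/4          drop
224.0.0.0/24         receive
240.0.0.0/4          drop
255.255.255.255/32   receive
"""


def parse_cef(text):
    """turn the show output into a list of (network, next_hop, interface)."""
    fib = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if not parts:
            continue
        net = ipaddress.ip_network(parts[0])
        if parts[1:3] == ["no", "route"]:
            fib.append((net, "no route", None))
        else:
            iface = parts[2] if len(parts) > 2 else None
            fib.append((net, parts[1], iface))
    return fib


def lookup(fib, addr):
    """longest prefix match: the most specific entry wins, which is why a /32
    'receive' beats the /24 'attached' that contains it."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, nh, iface in fib:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return best


def disposition(fib, addr):
    """what cef does with a packet to addr: 'receive' (to the control plane),
    'attached' (rewrite, or glean via arp, on the interface), 'drop', 'no route'."""
    match = lookup(fib, addr)
    return match[1] if match else "no route"


if __name__ == "__main__":
    fib = parse_cef(SHOW_IP_CEF)
    for a in ("172.16.1.1", "172.16.1.50", "224.0.0.5", "239.1.1.1", "8.8.8.8"):
        net, nh, iface = lookup(fib, a)
        print("%-12s -> %-20s %-9s %s" % (a, net, nh, iface or ""))
```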

MLS synchronicity...


L2 port security notes...


L2 security
(after paul browning, switch simplified)
note: how he ever came up with that title, i'll never know; this book is loaded...

port security secures switch ports, protects the CAM by limiting the number of macs learned by a port

two essential attacks

CAM overflow
targets the fixed size of the CAM by flooding the port with frames carrying randomly generated source macs; once the table is full the switch floods unknown unicasts out every port in the vlan, so the attacker gets to sniff traffic it should never see

MAC spoofing
spoofs the source MAC of a legitimate host, so the switch relearns that mac on the attacker's port and rewrites the mac table entry; frames for the victim now go to the attacker and the victim is effectively DoS'd

port security implementation
static secure macs, entered by hand, stored in the Mac table and the switch config
dynamic secure macs, learned by the switch and stored in the Mac table only (lost on reload)
sticky secure macs, a mix of static and dynamic, learned dynamically but written to the running config, so they survive a reload once you copy run start

violation results
protect - discards frames from unknown macs, silently, no syslog, no counter
restrict - when the address limit is reached, drops frames from unknown macs, sends a syslog message and snmp trap, increments the violation counter
shutdown (the default) - err-disables the port, sends a syslog message, increments the violation counter; the port stays down until shut/no shut or errdisable recovery

DAI (dynamic arp inspection)
validates ARP packets against IP to Mac bindings, dropping any that fail inspection
ARP spoofing works because hosts accept unsolicited (gratuitous) ARP replies and overwrite their cache; dai intercepts both the request and the reply on the switch
can be used in DHCP environments (bindings from the dhcp snooping database) and non-DHCP environments (static arp acl's)
associates a trust state with each switchport
trusted interfaces (uplinks, trunks to other switches) bypass inspection
all untrusted interfaces (access ports) suffer DAI inspection, and are rate limited

DHCP snooping and IP source guard
two attacks: a rogue dhcp server (spoofing) handing out a bogus gateway or dns, and dhcp starvation, which exhausts the address pool with spoofed discovers
snooping uses trusted and untrusted interfaces: server messages (offer, ack, nak) arriving on untrusted ports are dropped, client messages are checked and recorded in the binding database
packets received on untrusted ports with invalid bindings are dropped
IP source guard is typically employed with DHCP snooping
IP source guard restricts IP traffic on untrusted ports, and filters based on the binding database
for untrusted ports, the filtering modes are source IP, and source IP and Mac address

Vlan hopping
attempts to bypass the L3 device (router, firewall, acl) that sits between Vlans
switch spoofing - impersonates a switch by negotiating a trunk with DTP, then has a foot in every vlan carried on the trunk
mitigation - disable DTP (switchport nonegotiate), disable trunk capabilities on non-trunks (switchport mode access), keep user data off the native Vlan
double tagging - tags frames with 2 dot1q tags; the outer tag matches the trunk's native vlan, the first switch strips it and forwards the frame untagged, the next switch reads the inner tag and delivers it into the victim vlan... one-way only, the victim can't reply, so this is for injection, not conversation
mitigation - ensure the trunk native Vlan is different from any user access Vlan, and

configure the native Vlan to tag all traffic (vlan dot1q tag native)

IBNS (Identity Based Networking Services)
access control and policy enforcement that is identity based
uses 802.1x, EAP and RADIUS

PVLANS
segregates traffic at L2 within one ip subnet, so hosts on the same broadcast segment can't talk to each other directly (much like NBMA)
3 types of ports - community, isolated and promiscuous
3 types of Vlans - Primary Vlan, Isolated Vlan, and Community Vlan
3 elements - the primary PVLAN, the secondary Vlans (Community and Isolated) and the promiscuous port

Port ACL's and Vlan ACL's
PACL's are supported on physical and Etherchannel interfaces, perform access control for ingress only, in hardware only (nothing is routed in software; each one creates an ACL TCAM entry)
VACL's control both bridged and routed packets, and apply to all traffic in the Vlan, ingress and egress alike

OTHER
Storm Control protects networks from broadcast, multicast and unicast storms and floods by rate limiting per port
Protected ports are similar to Pvlans (protected ports on the same switch can't talk to each other)
Port Blocking stops the flooding of unknown Unicasts and Multicasts out of a port
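an added example, mine rather than the post's or cisco's, tying these notes and the trust boundary point from the mls qos post together: a python audit that reads an ios running-config and flags the gaps the notes warn about... ports left at the dtp default or trunks still negotiating (switch spoofing), a trunk native vlan of 1 or one that doubles as a user vlan (double tagging), access ports without port-security (cam overflow, mac spoofing), dhcp snooping and dai missing globally, and a port that trusts cos without tying the trust to a cisco phone. SAMPLE_CONFIG is a constructed config, not dls1's, and the checks only look for the commands that appear on this page.

```python
"""audit an ios running-config for the l2 hardening items in the notes above.
added example, not from the original post or from cisco: SAMPLE_CONFIG is a
constructed running-config, not dls1's, and the checks only look for commands
that appear on this page (switchport mode / nonegotiate / native vlan /
port-security, ip dhcp snooping, ip arp inspection, mls qos trust)."""

SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20,30
ip arp inspection vlan 10,20,30
!
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface FastEthernet0/13
 switchport access vlan 50
 switchport voice vlan 55
 switchport mode access
 mls qos trust cos
!
interface FastEthernet0/14
 switchport access vlan 50
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 mls qos trust device cisco-phone
 mls qos trust cos
!
interface FastEthernet0/15
 switchport access vlan 20
!
"""


def parse_config(text):
    """split the config into {'global': [...], '<interface name>': [...]}."""
    stanzas = {"global": []}
    current = "global"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":            # '!' closes a stanza in ios output
            current = "global"
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = "global"
            stanzas["global"].append(line)
    return stanzas


def audit(text):
    """return [(where, finding), ...] for the gaps the notes above warn about."""
    cfg = parse_config(text)
    g = cfg["global"]
    findings = []
    if "ip dhcp snooping" not in g:
        findings.append(("global", "dhcp snooping off: rogue server / starvation not stopped"))
    if not any(l.startswith("ip arp inspection vlan") for l in g):
        findings.append(("global", "dynamic arp inspection not enabled on any vlan"))
    # user vlans in use on access ports: a trunk's native vlan must not be one of them
    access_vlans = {int(l.split()[-1]) for lines in cfg.values() for l in lines
                    if l.startswith("switchport access vlan ")}
    for name, lines in cfg.items():
        if name == "global":
            continue
        s = set(lines)
        mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
        if mode is None:
            findings.append((name, "no switchport mode: dtp at default, port can be talked into a trunk (switch spoofing)"))
        elif mode == "trunk":
            if "switchport nonegotiate" not in s:
                findings.append((name, "trunk still speaking dtp: add switchport nonegotiate"))
            native = next((int(l.split()[-1]) for l in lines
                           if l.startswith("switchport trunk native vlan ")), 1)
            if native == 1 or native in access_vlans:
                findings.append((name, "native vlan %d is vlan 1 or a user vlan (double tagging)" % native))
        elif mode == "access":
            if "switchport port-security" not in s:
                findings.append((name, "access port without port-security (cam overflow / mac spoofing)"))
            if "mls qos trust cos" in s and "mls qos trust device cisco-phone" not in s:
                findings.append((name, "trusts cos from whatever is plugged in: the trust boundary should be the phone, not the pc"))
    return findings


if __name__ == "__main__":
    for where, what in audit(SAMPLE_CONFIG):
        print("%-18s %s" % (where, what))
```

run it against a real sh run pasted into SAMPLE_CONFIG and it lists five findings for the sample: fa0/2 (dtp, native vlan 1), fa0/13 (no port-security, cos trusted from the pc), fa0/15 (no mode set)... fa0/1 and fa0/14 are the hardened versions of the same ports and come up clean.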

Friday, April 27, 2012

ip sla responder...

the most difficult part was getting ios versions to support this...


set up dls1 as the sender (the device that runs the operations and keeps the statistics)...

ip sla 1 
icmp-echo 172.16.1.10
ip sla schedule 1 life forever start-time now
ip sla 2
udp-jitter 172.16.1.10 5000
ip sla schedule 2 life forever start-time now

set up als2 as the responder, accepting udp 5000 from the sender 172.16.1.1 (172.16.1.10 is the pc, the icmp-echo target)...

ip sla responder
ip sla responder udp-echo ipaddress 172.16.1.1 port 5000

caveat: udp-jitter needs a cisco ip sla responder at the address it is pointed at... the pc at 172.16.1.10 isn't one, which is why operation 2 below reports no connection; point it at als2's own address and it will answer

then look at the output...

dls1#sh ip sla stat
IPSLAs Latest Operation Statistics

IPSLA operation id: 1
        Latest RTT: 1 milliseconds
Latest operation start time: 13:52:32 UTC Fri Apr 27 2012
Latest operation return code: OK
Number of successes: 17
Number of failures: 6
Operation time to live: Forever
 
IPSLA operation id: 2
Type of operation: udp-jitter
        Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: 13:51:47 UTC Fri Apr 27 2012
Latest operation return code: No connection
RTT Values:
        Number Of RTT: 0                RTT Min/Avg/Max: 0/0/0 milliseconds
Latency one-way time:
        Number of Latency one-way Samples: 0
        Source to Destination Latency one way Min/Avg/Max: 0/0/0 milliseconds
        Destination to Source Latency one way Min/Avg/Max: 0/0/0 milliseconds
Jitter Time:
        Number of SD Jitter Samples: 0
        Number of DS Jitter Samples: 0
        Source to Destination Jitter Min/Avg/Max: 0/0/0 milliseconds
        Destination to Source Jitter Min/Avg/Max: 0/0/0 milliseconds
Packet Loss Values:
        Loss Source to Destination: 0
        Source to Destination Loss Periods Number: 0
        Source to Destination Loss Period Length Min/Max: 0/0
        Source to Destination Inter Loss Period Length Min/Max: 0/0
        Loss Destination to Source: 0
        Destination to Source Loss Periods Number: 0
        Destination to Source Loss Period Length Min/Max: 0/0
        Destination to Source Inter Loss Period Length Min/Max: 0/0
        Out Of Sequence: 0      Tail Drop: 0
        Packet Late Arrival: 0  Packet Skipped: 0
Voice Score Values:
        Calculated Planning Impairment Factor (ICPIF): 0
        Mean Opinion Score (MOS): 0
Number of successes: 0
Number of failures: 23
Operation time to live: Forever
dls1#


the icmp output is useful describing successes and failures and round trip time... i don't have a phone set up so the jitter statistics are meaningless, other than no connection.. although, i can see real world usage for this in problematic phone diagnoses... this is very exciting, i know...


word is this is resource intensive so use sparingly...

ping macro...

for older code and unsupported hardware try, in global config mode... (end with @, it is saved)

dls1#sh run | beg macro
macro name ping
do ping 172.16.1.1
do ping 172.16.1.101 re 5
do ping 172.16.1.102 re 10
@

dls1(config)#macro global apply ping

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 172.16.1.102, timeout is 2 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 1/3/9 ms
dls1(config)#

basic ping tcl script...

dls1(tcl)#foreach VAR {
+>172.16.1.1
+>172.16.1.101
+>172.16.1.102
+>172.16.100.1
+>172.16.200.1
+>} { puts [exec "ping $VAR"] }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.102, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

dls1(tcl)#

+> is the tcl continuation prompt, shown while the foreach body is still open...

Thursday, April 26, 2012

add hsrp and test...

set the priorities on one side first all the same... the higher priority... keep it simple... once you know it's working then adjust... after a few times hsrp becomes manual labor... develop patterns for working these things out...

we know we have vlan 1 on dls1 at 172.16.1.1 and vlan 1 on dls2 as 172.16.1.2... so what virtual ip address will you pick... in the net acad lab they have you bust the ip's, ie. 172.16.1.3 and 1.4 on dls1 and dls2, just so you can have 172.16.1.1 as the virtual ip... who gives a shit... how about 172.16.1.3 or .5... i like 5 because it's glaring... 

interface Vlan1
 ip address 172.16.1.1 255.255.255.0
 standby 1 ip 172.16.1.5
 standby 1 priority 110
 standby 1 preempt
!
interface Vlan10
 ip address 172.16.10.1 255.255.255.0
 shutdown
 standby 1 ip 172.16.10.5
 standby 1 priority 110
 standby 1 preempt
!
interface Vlan20
 ip address 172.16.20.1 255.255.255.0
 standby 1 ip 172.16.20.5
 standby 1 priority 110
 standby 1 preempt
!
interface Vlan30
 ip address 172.16.30.1 255.255.255.0
 standby 1 ip 172.16.30.5
 standby 1 priority 110
 standby 1 preempt

dls2#sh standby brie
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl1         1    90  P Standby 172.16.1.1      local           172.16.1.5
Vl10        1    90  P Standby 172.16.10.1     local           172.16.10.5
Vl20        1    90  P Standby 172.16.20.1     local           172.16.20.5
Vl30        1    90  P Standby 172.16.30.1     local           172.16.30.5
dls2#

i also like putting in the priority 90 as opposed to allowing the default 100 which doesn't show up in sh run...

dls1#sh standby brie
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl1         1    110 P Active  local           172.16.1.2      172.16.1.5
Vl10        1    110 P Active  local           172.16.10.2     172.16.10.5
Vl20        1    110 P Active  local           172.16.20.2     172.16.20.5
Vl30        1    110 P Active  local           172.16.30.2     172.16.30.5
dls1#

 dls1(config)#int vlan 10
dls1(config-if)#shut
dls1(config-if)#
*Mar  2 07:17:05.305: %HSRP-5-STATECHANGE: Vlan10 Grp 1 state Active -> Init
*Mar  2 07:17:07.310: %LINK-5-CHANGED: Interface Vlan10, changed state to administratively down
*Mar  2 07:17:07.318: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to down

dls2#sh stand brie
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl1         1    90  P Standby 172.16.1.1      local           172.16.1.5
Vl10        1    90  P Active  local           unknown         172.16.10.5
Vl20        1    90  P Standby 172.16.20.1     local           172.16.20.5
Vl30        1    90  P Standby 172.16.30.1     local           172.16.30.5
dls2#

once we destroyed vlan 10 on dls1,  vlan 10 on dls2 came to the rescue...  don't forget when you add hosts to the access switches use the virtual ip 172.16.10.5 or whatever associated vlan...

and of course you realize that there is no new standby because vlan 10 on dls1 is still down...

warm up switch lab exercise...

does my ass look big in these ellipses...



prep

a. dls1 ports 1,2 to ports 1,2 on als1
    dls1 ports 3,4 to ports 3,4 on dls2
    dls1 ports 5,6 to ports 5,6 on als2

    dls2 ports 1,2 to ports 1,2 on als2
    dls2 ports 5,6 to ports 5,6 on als1

    als1 ports 3,4 to ports 3,4 on als2

b. delete vlan.dat, erase start and  reload all switches

c. console each switch, set hostnames, enable secret, line cons 0 and vty's, give each vlan 1 interface 172.16.x.x /24

d. set console back to dls1

if possible open multiple telnet windows... start timer, begin

1.  set dls2, als1 and als2 as clients in vtp domain test, version 2
2.  set dls1 as vtp server
3.  on dls1 create vlans 10,20, 30 named ten, twenty and thirty
4.  verify vlans in the domain
5. on dls1 create svi's for each vlan and make all vlans root primary
6. on dls2 create svi's for each vlan and make all vlans root secondary
7. hard code trunks on every switch, dot1q where necessary, do not allow dtp
8. verify trunking
9. bundle all links between switches using only group numbers 1,2 and 3, with lacp... ensure that the numbers match on both sides of the channels... verify
10. equally distribute all non-trunked ports into vlans 10,20 and 30 on every switch... make them access ports and limit the impact of stp

verify vtp, vlans, vlan membership, trunking, channels, svi's

done

this should take less than a half hour...

   

mesh...

this is a meshed network...



ether channel links all the way around, 2 ports each, how to label them...

this speaks to design, comfort, logic, economy and sanity...

how i would label them (knowing full well that the etherchannel numbers are only locally significant)

dls1 --> als1  1 to 1 (counter clockwise)
als1 --> als2  2 to 2
als2 --> dls2  1 to 1
dls2 --> dls1  2 to 2

dls1 --> als2  3 to 3
dls2 --> als1  3 to 3

is this correct, by the cisco book...  maybe, but who cares..

the point here is that this kind of thing, your logic, your method, is the correct method in a time pressure situation...

if you are not given specifics for the implementation, then have your own logic in place before you sit, stick to that logic... reuse that logic in practice  so you don't waste valuable time coming up with a plan...

like an ip addressing scheme... dls1 is always 172.16.1.1 and dls2 is always 172.16.1.2... or 192.168.1.1 and 1.2 unless otherwise stipulated...

and als1 is always 1.101 and als2 is always 1.102, and so on...

make things that you can, automatic...

Wednesday, April 25, 2012

etherchannel numbering...

the net acad lab wants you to label the three prong switch lab etherchannels as 1,1 2,2 and 2,1...

dls1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
dls1(config)#int rang f0/7 - 8
dls1(config-if-range)#channel-g 1 mode active
Creating a port-channel interface Port-channel 1
dls1(config)#int rang f0/9 - 10
dls1(config-if-range)#channel-g 2 mode active
Creating a port-channel interface Port-channel 2



so dls1 has 2 channels, 1 goes to als1 and 2 goes to als2...
then the channel from als1 to als2 is set as channel 2 on als1 connecting to channel 1 on als2...

i don't like it...

als1#sh ether summ                                                             
omitted 
Group  Port-channel  Protocol    Ports                                         
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Fa0/7(Pd)   Fa0/8(P)                          
2      Po2(SU)         LACP      Fa0/11(Pd)  Fa0/12(P)   

als2#sh ether summ
omitted
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         LACP      Fa0/11(Pd)  Fa0/12(P)  
2      Po2(SU)         LACP      Fa0/9(Pd)   Fa0/10(P)  
 

i prefer the channels connecting to each other with a measure of sanity... als1 to als2 should be 3 to 3

dls1 to als1 channel 1
dls1 to als2 channel 2
als1 to als2 channel 3

so sue me... make the numbers meaningful, not confusing...


Tuesday, April 24, 2012

more acro's...

plus rfc's... thanks wiki... http://en.wikipedia.org/wiki/List_of_information_technology_acronyms

Acronym Meaning Primary Applicability Normative Reference
ACK Acknowledgement Transport and other layers TCP/IP, for example. RFC 793
ACL Access control list Security, application layer Access control list, Cisco overview
ADSL Asymmetric digital subscriber line Telecom ITU-T G.992.5 Annex M, for example
AES Advanced Encryption Standard Security U.S. FIPS PUB 197
ANSI American National Standards Institute Organization ANSI
ARP Address Resolution Protocol Link layer RFC 1122
ATM Asynchronous Transfer Mode Telecom ATM cell description
BGP Border Gateway Protocol (routing protocol) Application layer, Routers RFC 4271
BSS Basic service set (Wi-Fi) Wireless IEEE Std 802.11-2007
CAT Category (e.g. CAT-5 cable) Physical layer ANSI/TIA/EIA-568-B.1-2001
CCITT (obs.) Standards organization that has been replaced by ITU-T Organization ITU-T
CHAP Challenge-Handshake Authentication Protocol (PPP) Security, telecom RFC 1994
CIDR Classless Inter-Domain Routing Architecture RFC 1518 RFC 1519
CIR Committed Information Rate (Frame Relay) Telecom RFC 1490 RFC 1973 RFC 2427
CLI Command line interpreter Hardware Catalyst 6500 Series Command Reference, 7.6, for example
CPE Customer premises equipment Telecom Telecom Glossary
CRC Cyclical redundancy check Link and other layers 24 References here.
CRC-16-CCITT Cyclical redundancy check (X.25, HDLC) Link layers Reference on CRC page.
CSMA/CA Carrier sense multiple access / collision avoidance Wireless IEEE Std 802.11 Downloads
CSMA/CD Carrier sense multiple access / collision detection Physical layer IEEE Std 802.3TM-2002
CSU/DSU Channel service unit / data service unit Telecom Telecom Glossary
DCE Data communications equipment Telecom Telecom Glossary
DEC (obs.) Digital Equipment Corporation Organization Purchased by Compaq in 1998. Merged with Hewlett-Packard 2002.
DES Data Encryption Standard (obs. See AES) Security Federal Information Processing Standard (FIPS) FIPS-46-3
DHCP Dynamic Host Configuration Protocol Application layer, Internet Layer RFC 2131 and others
DNS Domain Name System Application layer Over 30 RFCs here.
DRAM Dynamic random-access memory Hardware
DSL Digital Subscriber Line Telecom Telecom Glossary
DSLAM Digital Subscriber Line Access Multiplexer Telecom Telecom Glossary (proposed)
DTE Data Terminal Equipment Telecom Telecom Glossary
EHA Ethernet Hardware Address (MAC address) Link layer IEEE Std 802 IEEE OUI Assignments
EIA Electronics Industry Alliance Organization EIA
EIGRP Enhanced Interior Gateway Routing Protocol Internet Layer Cisco Doc ID: 16406
EOF End Of Frame (HDLC, etc.) Link layer HDLC framing
ESS Extended service set (Wi-Fi group) Wireless IEEE Std 802.11-2007
FCC Federal Communications Commission (US) Organization US FCC
FCS Frame check sequence (Ethernet) Link layer Ethernet Frame IEEE Std 802.3
FDDI Fiber Distributed Data Interface Link layer American National Standards Institute X3T9.5 (now X3T12), ISO/IEC 9314-x
FTP File Transfer Protocol Application layer RFC 959 and others
GBIC Gigabit interface converter Hardware Seagate Specification
Gbps Gigabit per second Physical layer Gigabit per second
HDLC High-level Data Link Control Link layer ISO 13239
http HyperText Transfer Protocol Application layer W3C Change History for HTTP
https HyperText Transfer Protocol Secure Transport and other layers SSL 3.0 Specification
IANA Internet Assigned Number Authority Organization IANA
ICMP Internet Control Message Protocol Internet Layer RFC 792
IDF Intermediate distribution frame Physical layer Structured cabling or Telecom Glossary
IDS Intrusion Detection System Security Cisco Product Index
IEC Commission Electrotechnique Internationale (French) Organization IEC
IEEE Institute for Electrical and Electronic Engineers Organization IEEE
IETF Internet Engineering Task Force Organization IETF
IMAP Internet Message Access Protocol Application layer RFC 3501
IP Internet Protocol Internet Layer RFC 791 RFC 1606
IPS Intrusion prevention system Security "NIST - Guide to Intrusion Detection and Prevention Systems (IDPS)". 2007-02. Retrieved 2010-08-24.
IS-IS Intermediate System to Intermediate System (routing protocol) Internet Layer ISO/IEC 10589:2002
ISDN Integrated Services Digital Network Telecom IEC Area 716-xx
ISP Internet service provider Telecom Telecom Glossary
ITU-T International Telecommunications Union Organization http://www.itu.int
kbps Kilobit per second Physical layer Kilobit_per_second
LAN Local area network Link and other layers Telecom Glossary
LAPB Link Access Procedure, Balanced (x.25) Telecom ITU-T Recommendation X.222
LAPF Link-access procedure for frame relay Telecom RFC 1490
LLC Logical link control Link layer Telecom Glossary
MAC Media access control Link layer IEEE Std 802.3 and 802.11, for example
MAN Metropolitan area network Telecom Telecom Glossary
Mbps Megabits per second Physical layer Megabit_per_second
MC Multiple choice IT Professional Certification About certification exams
MDF Main distribution frame Physical layer Glossary See also Structured cabling
MIB Management information base (SNMP) Application layer RFC 3418
MPLS Multiprotocol Label Switching network technology
MTU Maximum Transmission Unit Multiple layers
NAC Network access control Link and other layers IEEE 802.1x
NAT Network Address Translation Internet Layer Cisco Internet Protocol Journal: A look Inside Network Address Translators
NBMA Non-Broadcast Multiple Access (e.g. Frame Relay ATM) Telecom See ATM, Frame Relay and X.25, for examples.
NIC Network Interface Card Physical layer Telecom Glossary
NRZ Non-return-to-zero Physical layer Federal Standard 1037C
NRZI Non-return to zero inverted Physical layer Federal Standard 1037C
NVRAM Non-volatile RAM Hardware Sample vendor data here
OSI Open System Interconnect (joint ISO and ITU standard) Organization ISO/IEC 9594-5:2005 Open Systems Interconnection Protocol Specifications
OSPF Open Shortest Path First (routing protocol) Internet Layer RFC 2238
OUI Organization Unique Identifier Link and other layers IEEE OUI Assignments
PAP Password authentication protocol Security RFC 1334
PAT Port address translation Internet Layer RFC 1918
PC Personal computer (host) Hardware
PCM Pulse-code modulation Physical layer ITU-T G.711
PDU Protocol data unit (such as segment, packet, frame, etc.) Multiple layers Fed Std 1037C
POP3 Post Office Protocol, version 3 Application layer RFC 1939
POP Point of presence Telecom Telecom Glossary
POST Power-on self test Hardware Cisco Catalyst 2800 User Guide, for example
POTS Plain old telephone service Telecom Telecom Glossary
PPP Point-to-point Protocol Telecom RFC 1661
PPTP Point-to-Point Tunneling Protocol Telecom RFC 2637
PTT Public Telephone and Telegraph Telecom Telecom Glossary or Free Dictionary
PVST Per-VLAN Spanning Tree Link layer Cisco's introduction to Spanning Tree Protocol
RADIUS Remote Authentication Dial-In User Service Security RFC 2865
RAM Random Access Memory Physical layer Telecom Glossary
RARP Reverse ARP Link layer RFC 903
RFC Request for Comments Multiple layers IETF's RFC Index
RIP Routing Information Protocol Internet Layer RFC 2453, for RIP version 2
RLL Run-Length Limited Physical layer RLL is used in a wide range of encodings.
ROM Read-Only Memory Hardware Telecom Glossary
RSTP Rapid Spanning Tree Protocol Link layer IEEE 802.1w - Rapid Reconfiguration of Spanning Tree
RTP Real-time Transport Protocol Application layer RFC 3550
SDLC Synchronous Data Link Control Link layer Cisco Technology Handbook: SDLC and Derivatives
SFD Start-of-frame delimiter (Ethernet, HDLC, etc.) Link layer IEEE 802.3 (Ethernet), or RFC 2687 (HDLC), for examples
SFP Small form-factor pluggable Hardware Seagate Specification
S-HTTP Secure HTTP (rarely used) Transport and other layers RFC 2660 See also https
SLARP Serial Line ARP (Address Resolution Protocol) Link and other layers Archived Cisco Serial Line Encapsulation extension
SLIP Serial Line Internet Protocol (obs.) Telecom RFC 1055
SMTP Simple Mail Transfer Protocol Application layer RFC 5321
SNA Systems Network Architecture (IBM) Multiple layers SNA Protocol Suite
SNAP SubNet Access Protocol Link layer IEEE 802 Overview and Architecture
SNMP Simple Network Management Protocol Application layer RFC 1155, RFC 3410 thru RFC 3418 and others
SOF Start of frame Link layer IEEE 802.3 (Ethernet), or RFC 2687 (HDLC), for examples
SRAM Static random access memory Hardware PC Guide's Definition
SSH Secure shell Application layer RFC 4252
SSID Service set identifier (Wi-Fi) Wireless IEEE 802.11
STP Spanning Tree Protocol Link layer Cisco's Introduction to Spanning Tree Protocol
SYN (TCP) Synchronization Link and other layers RFC 793 and many others
TCP/IP Transmission Control Protocol/Internet Protocol Transport layer RFC 793 and many others
TDM Time-division multiplexing Physical layer Fed Std 1037C
TFTP Trivial File Transfer Protocol Application layer RFC 1350
TIA Telecommunications Industry Alliance Organization Telecommunications Industry Association
UDP User Datagram Protocol Transport layer RFC 768
USB Universal Serial Bus Physical and other layers USB 3.0 Specification
UTP Unshielded twisted pair Physical Many versions are defined by TIA, such as: TIA-568-B
VC Virtual circuit Transport and other layers Telecom Glossary
VLAN Virtual local area network Link layer IEEE 802.1Q
VLSM Variable-length subnet masking Architecture RFC 1518 RFC 1519
VPN Virtual private network Application layer Virtual Private Network Consortium
W3C World Wide Web Consortium Organization W3C
WAN Wide-area network Telecom Telecom Glossary
WEP Wired Equivalent Privacy Wireless IEEE 802.11
Wi-Fi IEEE 802.11 (Wi-Fi Alliance) Wireless Wi-Fi Alliance
WPA Wi-Fi Protected Access Security IEEE 802.11i
www World Wide Web Architecture W3C Consortium