from switch simplified...
"when talking about switches, the bandwidth of the switch refers to the capacity of the switch fabric (or backplane) and not to the cumulative bandwidth of the ports, as is often mistakenly assumed..."
there's one to write home about...
read more about the history of switch fabric here:
http://etherealmind.com/what-is-the-definition-of-switch-fabric/
why isn't vlan 0 used?
actually vlan 0 is used but is not configurable... vlan 0 is reserved for 802.1p priority tagging for voice traffic...
Wednesday, May 30, 2012
Monday, May 28, 2012
nice site...
http://www.networkclasses.in/2011/02/spanning-tree-enhancements/
sometimes you just need to read it a different way...
he's got some great stuff there...
hsrp quick scrape...
dls1
int vlan 1
standby 1 ip 172.16.1.5
standby 1 prio 110
standby 1 pre
int vlan 100
standby 100 ip 172.16.100.5
standby 100 pri 110
standby 100 pre
int vlan 200
standby 200 ip 172.16.200.5
standby 200 pri 110
standby 200 pre
int vlan 300
standby 255 ip 172.16.255.5
standby 255 pri 110
standby 255 pre
dls2
int vlan 1
standby 1 ip 172.16.1.5
stand 1 pri 90
stand 1 pre
int vlan 100
stan 100 ip 172.16.100.5
stan 100 pri 90
stan 100 pre
int vl 200
stan 200 ip 172.16.200.5
stan 200 pri 90
stan 200 pre
int vl 300
stan 255 ip 172.16.255.5
stan 255 pri 90
stan 255 pre
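an added example, not code from the original post: a small python parser for an abbreviated hsrp scrape like the one above, plus a simulation of which switch ends up active for each group depending on boot order, priority and preempt... the keyword table, parse_scrape(), elect() and audit() are this example's own, and SCRAPE is a constructed copy of two of the post's vlan groups with the author's abbreviations kept...

```python
"""parse an abbreviated hsrp scrape and simulate the active/standby election.

added example, not code from the original post: the keyword table, parser,
elect() and audit() are this example's own; SCRAPE is a constructed copy of
two of the post's vlan groups with the author's abbreviations kept."""

# ios accepts any unambiguous prefix of a keyword ("stan", "pri", "pre", ...)
KEYWORDS = ("standby", "interface", "ip", "priority", "preempt")
IFACE_TYPES = ("vlan", "fastethernet", "gigabitethernet")

# constructed sample scrape, same shape as the post's dls1/dls2 scrape
SCRAPE = """\
dls1
int vlan 1
standby 1 ip 172.16.1.5
standby 1 prio 110
standby 1 pre
int vlan 100
standby 100 ip 172.16.100.5
standby 100 pri 110
standby 100 pre
dls2
int vlan 1
standby 1 ip 172.16.1.5
stand 1 pri 90
stand 1 pre
int vl 100
stan 100 ip 172.16.100.5
stan 100 pri 90
stan 100 pre
"""
# constructed variant: dls1 is preferred for group 1 but "preempt" was forgotten
NO_PREEMPT = SCRAPE.replace("standby 1 pre\n", "")


def expand(token, table=KEYWORDS):
    """resolve an abbreviation the way the ios parser does: one unique prefix match"""
    hits = [k for k in table if k.startswith(token.lower())]
    if len(hits) != 1:
        raise ValueError(f"unknown or ambiguous token {token!r}")
    return hits[0]


def parse_scrape(text):
    """return {device: {(interface, group): {"vip", "priority", "preempt"}}}"""
    config, device, iface = {}, None, None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if len(words) == 1:                      # bare hostname line, e.g. "dls1"
            device = words[0]
            config.setdefault(device, {})
            continue
        key = expand(words[0])
        if key == "interface":
            iface = f"{expand(words[1], IFACE_TYPES)} {words[2]}"
        elif key == "standby":
            group = int(words[1])
            entry = config[device].setdefault(
                (iface, group), {"vip": None, "priority": 100, "preempt": False})  # 100 is the hsrp default
            sub = expand(words[2])
            if sub == "ip":
                entry["vip"] = words[3]
            elif sub == "priority":
                entry["priority"] = int(words[3])
            elif sub == "preempt":
                entry["preempt"] = True
    return config


def elect(config, key, boot_order):
    """which device ends up active for (interface, group) when devices come up in
    boot_order: the first one up is active; a later one takes over only if it
    has a higher priority AND preempt configured"""
    active = None
    for dev in boot_order:
        entry = config[dev].get(key)
        if entry is None:
            continue
        if active is None:
            active = dev
        elif entry["preempt"] and entry["priority"] > config[active][key]["priority"]:
            active = dev
    return active


def audit(config):
    """cross-device consistency findings for every hsrp group in the scrape"""
    findings = []
    keys = set().union(*(cfg.keys() for cfg in config.values()))
    for key in sorted(keys):
        members = {dev: cfg[key] for dev, cfg in config.items() if key in cfg}
        vips = {m["vip"] for m in members.values()}
        if len(vips) != 1:
            findings.append(f"{key}: virtual ip mismatch {sorted(map(str, vips))}")
        ranked = sorted(members.values(), key=lambda m: m["priority"], reverse=True)
        if len(ranked) > 1 and ranked[0]["priority"] == ranked[1]["priority"]:
            findings.append(f"{key}: equal priorities, active router decided by tie-break")
        elif not ranked[0]["preempt"]:
            findings.append(f"{key}: preferred router has no preempt, will not reclaim active after a reboot")
    return findings
```

the point of the NO_PREEMPT variant: with priority alone dls1 only wins if it boots first; it's the preempt keyword that lets it take the group back after a reload...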
ospf vrf...
i wanted to get fancy this morning, so i added loopbacks and ospf to have multiple routing tables with ospf... r1 and r2 are ce's, r3 is the pe
r2#sh ip route
Codes: omitted
Gateway of last resort is not set
5.0.0.0/32 is subnetted, 1 subnets
O 5.5.5.5 [110/65] via 10.1.1.1, 00:02:53, Serial0/0
7.0.0.0/24 is subnetted, 1 subnets
C 7.7.7.0 is directly connected, Loopback7
9.0.0.0/24 is subnetted, 1 subnets
C 9.9.9.0 is directly connected, Loopback9
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.0/24 is directly connected, Serial0/0
C 10.1.1.1/32 is directly connected, Serial0/0
r2#ping 5.5.5.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 5.5.5.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
r2#
r1#sh ip route
Codes: omitted
Gateway of last resort is not set
1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
3.0.0.0/32 is subnetted, 1 subnets
O 3.3.3.3 [110/2] via 10.1.1.1, 00:04:12, FastEthernet0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0
11.0.0.0/24 is subnetted, 1 subnets
C 11.1.1.0 is directly connected, Loopback1
r1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r1#
so i built loopbacks and ospf processes as seen below:
r3#sh run int lo3
Building configuration...
Current configuration : 83 bytes
!
interface Loopback3
ip vrf forwarding r1
ip address 3.3.3.3 255.255.255.0
end
r3#sh run int lo5
Building configuration...
Current configuration : 83 bytes
!
interface Loopback5
ip vrf forwarding r2
ip address 5.5.5.5 255.255.255.0
end
r3#
r3#sh run | begin ospf
router ospf 2 vrf r2
log-adjacency-changes
capability vrf-lite
network 3.3.3.0 0.0.0.255 area 0
network 5.5.5.0 0.0.0.255 area 0
network 10.1.1.0 0.0.0.255 area 0
!
router ospf 1 vrf r1
log-adjacency-changes
capability vrf-lite
network 3.3.3.0 0.0.0.255 area 0
network 5.5.5.0 0.0.0.255 area 0
network 10.1.1.0 0.0.0.255 area 0
!
as you can see i tried to route both loopbacks to both vrf's but that didn't seem to work, and i'm not that terribly interested... the router would only let me assign one address to one loopback vrf... maybe you could figure it out...
see below for the route tables per vrf...
r3#sh ip route vrf r1
Routing Table: r1
Codes: omitted
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
O 1.1.1.1 [110/2] via 10.1.1.2, 00:25:03, FastEthernet0/0
3.0.0.0/24 is subnetted, 1 subnets
C 3.3.3.0 is directly connected, Loopback3
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/0
11.0.0.0/32 is subnetted, 1 subnets
O 11.1.1.1 [110/2] via 10.1.1.2, 00:25:03, FastEthernet0/0
r3#
r3#sh ip route vrf r2
Routing Table: r2
Codes: omitted
Gateway of last resort is not set
5.0.0.0/24 is subnetted, 1 subnets
C 5.5.5.0 is directly connected, Loopback5
7.0.0.0/32 is subnetted, 1 subnets
O 7.7.7.7 [110/65] via 10.1.1.2, 00:23:17, Serial0/0
9.0.0.0/32 is subnetted, 1 subnets
O 9.9.9.9 [110/65] via 10.1.1.2, 00:23:17, Serial0/0
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.2/32 is directly connected, Serial0/0
C 10.1.1.0/24 is directly connected, Serial0/0
r3#
r3#ping vrf r2 9.9.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
r3#ping vrf r1 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r3#
and of course there are still no global routes, only vrf routes...
r3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
r3#
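an added example, not code from the original post: a python parser for the `show ip route` output pasted above... the "x.0.0.0/32 is subnetted" header lines carry the mask for the routes under them, while "variably subnetted" blocks put the mask on each route, which is the detail most quick scripts get wrong... the regexes, parse_show_ip_route() and longest_match() are this example's own; the sample tables are constructed copies of r2's table and r3's empty global table...

```python
"""parse 'show ip route' text into structured routes and answer lookups.

added example, not from the original post. the regexes follow the ios output
format shown in the post; the sample tables are constructed copies of the
post's r2 table and r3's empty global table."""
import re
from ipaddress import ip_address, ip_network

# "5.0.0.0/32 is subnetted, 1 subnets" sets the mask for the lines under it;
# "variably subnetted" means each route line carries its own /len
SUBNET_HDR = re.compile(
    r"^(?P<net>\d+\.\d+\.\d+\.\d+)/(?P<len>\d+) is (?P<var>variably )?subnetted")
# "O 5.5.5.5 [110/65] via 10.1.1.1, 00:02:53, Serial0/0"
# "C 10.1.1.0/24 is directly connected, Serial0/0"
ROUTE = re.compile(
    r"^(?P<code>[A-Za-z*]{1,2}\d?(?: [A-Z]{1,2}\d?)?)\s+"
    r"(?P<addr>\d+\.\d+\.\d+\.\d+)(?:/(?P<len>\d+))?\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nh>[\d.]+), (?P<age>\S+), (?P<iface>\S+)"
    r"|is directly connected, (?P<ciface>\S+))")

# constructed copy of the post's r2 table
R2_TABLE = """\
r2#sh ip route
Codes: omitted
Gateway of last resort is not set
5.0.0.0/32 is subnetted, 1 subnets
O 5.5.5.5 [110/65] via 10.1.1.1, 00:02:53, Serial0/0
7.0.0.0/24 is subnetted, 1 subnets
C 7.7.7.0 is directly connected, Loopback7
9.0.0.0/24 is subnetted, 1 subnets
C 9.9.9.0 is directly connected, Loopback9
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.0/24 is directly connected, Serial0/0
C 10.1.1.1/32 is directly connected, Serial0/0
r2#
"""
# constructed copy of r3's global table: legend lines, no routes
R3_GLOBAL = """\
r3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
ia - IS-IS inter area, * - candidate default, U - per-user static route
Gateway of last resort is not set
r3#
"""


def parse_show_ip_route(text):
    """list of route dicts; legend, prompt and ping lines are ignored"""
    routes, cur_len = [], None
    for line in text.splitlines():
        line = line.strip()
        hdr = SUBNET_HDR.match(line)
        if hdr:
            cur_len = None if hdr["var"] else int(hdr["len"])
            continue
        m = ROUTE.match(line)
        if not m:
            continue
        plen = m["len"] or cur_len
        if plen is None:
            raise ValueError(f"no prefix length known for: {line}")
        routes.append({
            "code": m["code"],
            "prefix": ip_network(f"{m['addr']}/{plen}", strict=False),
            "ad": int(m["ad"]) if m["ad"] else 0,          # connected routes: ad 0
            "metric": int(m["metric"]) if m["metric"] else 0,
            "next_hop": m["nh"],                             # None when connected
            "interface": m["iface"] or m["ciface"],
        })
    return routes


def longest_match(routes, dst):
    """the entry the router would forward dst on, or None if no route"""
    dst = ip_address(dst)
    hits = [r for r in routes if dst in r["prefix"]]
    return max(hits, key=lambda r: r["prefix"].prefixlen, default=None)


def learned_via(routes, code):
    """prefixes tagged with one protocol code, e.g. "O" for ospf"""
    return [str(r["prefix"]) for r in routes if r["code"] == code]
```

longest_match() is what tells you that 10.1.1.1 hits the /32 connected entry while 10.1.1.9 falls through to the /24, and the empty result for r3's global table is the "no global routes, only vrf routes" observation in machine-checkable form...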
Sunday, May 27, 2012
vrf... the road to mpls...
this is the beginning of what would later bury frame relay...
notice the diagram... the ip addresses are the same for the clients... virtual routing and forwarding (vrf)... see below
r1#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r1#
r2#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
r2#
r4#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
r4#
each client router (ce, customer edge) is connected to r3 (pe, provider edge) with a virtual connection provided by vrf... like frame relay without the hassle of a frame switch... this would later give way to mpls, or frame tagging for the wan...
normally, if you try to assign the same addresses to interfaces the router complains you have overlapping ip's... with a little variable magic, and very little at that, you can change the game...
r3#ping vrf r1 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r3#ping vrf r2 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
r3#ping vrf r4 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
r3#
first note the rd's (route-distinguishers) in the diagram in global config...
then assign them to the interfaces...
interface FastEthernet0/0
ip vrf forwarding r1
ip address 10.1.1.1 255.255.255.0
speed 100
full-duplex
!
interface Serial0/0
ip vrf forwarding r2
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
no fair-queue
clock rate 1000000
!
interface Serial0/1
ip vrf forwarding r4
ip address 10.1.1.1 255.255.255.0
encapsulation ppp
clock rate 1000000
of course, it's just the beginning... you are running a separate route table for each vrf... see below
look ma, no global route table...
r3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
r3#
then...
r3#sh ip route vrf r4
Routing Table: r4
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.2/32 is directly connected, Serial0/1
C 10.1.1.0/24 is directly connected, Serial0/1
r3#
so what's the big deal with mpls... it doesn't have to dig into the packet, it labels the packet, it tags it, and uses cef to switch the hell out of it...
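an added example, not code from the original post: a toy model of what `ip vrf forwarding` does to the route lookup... each vrf is its own table, so the same 10.1.1.0/24 can live on three interfaces, the overlap check only fires inside one table (the "overlapping ip" complaint above), and the global table stays empty... VrfRouter and build_r3() are this example's own; the interface, vrf names and addresses follow the post's r3 config...

```python
"""per-vrf routing tables: the same 10.1.1.0/24 on three interfaces.

added example, not from the original post. VrfRouter is this example's own
toy; interface names, vrf names and addresses follow the post's r3 config."""
from ipaddress import ip_address, ip_interface


class VrfRouter:
    def __init__(self):
        # vrf name -> list of (connected network, interface); the global
        # table exists but stays empty when every interface sits in a vrf
        self.tables = {"global": []}

    def add_connected(self, iface, cidr, vrf="global"):
        """'ip vrf forwarding <vrf>' plus 'ip address' on an interface.
        overlap is rejected only inside the same table; the same subnet in
        another vrf is fine, which is the whole trick"""
        net = ip_interface(cidr).network
        table = self.tables.setdefault(vrf, [])
        for existing, other in table:
            if existing.overlaps(net):
                raise ValueError(f"{cidr} on {iface} overlaps {existing} on {other} in vrf {vrf}")
        table.append((net, iface))

    def resolve(self, dst, vrf="global"):
        """longest match inside one table; None when that table has no route"""
        dst = ip_address(dst)
        hits = [(net, iface) for net, iface in self.tables.get(vrf, []) if dst in net]
        if not hits:
            return None
        return max(hits, key=lambda h: h[0].prefixlen)[1]

    def show_ip_route(self, vrf="global"):
        """connected entries in the shape 'show ip route vrf X' prints them"""
        return [f"C {net} is directly connected, {iface}"
                for net, iface in self.tables.get(vrf, [])]


def build_r3():
    """r3 from the post: three ce-facing interfaces, all 10.1.1.1/24"""
    r3 = VrfRouter()
    r3.add_connected("FastEthernet0/0", "10.1.1.1/24", vrf="r1")
    r3.add_connected("Serial0/0", "10.1.1.1/24", vrf="r2")
    r3.add_connected("Serial0/1", "10.1.1.1/24", vrf="r4")
    return r3
```

the same destination, 10.1.1.2, resolves to a different interface depending on which vrf the packet arrived in, and resolves to nothing at all in the global table... that separation is also why a vrf is a useful isolation boundary: traffic cannot cross between tables unless you deliberately leak routes...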
Saturday, May 26, 2012
the scrape...
after having erased the switch block and the l2 switches (switch block; a pair of distribution switches that aggregate access layer switches) i wrote the command set on paper? and scraped the configs in one at a time... it took about 20 minutes to get everything to a base config; ie passwords, vty's, domain, vtp transparent, of course, trunks, access ports, vlans, ip addresses, svi's, etc... i won't bore you with those particulars as you should be there by now...
next step was to make all the trunks port channels... i opened 4 telnet sessions at once and scraped the below configs into each (not including the names)... since i connect my nix box to dls1 using a single l3 interface, this procedure can be tricky as the channels come up; ie, lags, errdisable, crashing telnet connections, etc... i didn't lose a single telnet session, but po1 on dls1 went into errdisable... once i shut, no shut po1, all channels were good... with a term server this would be less prone to error, no chance of a telnet disconnect...
this took about five minutes
dls1
int rang f0/7 - 8
channel-g 1 mode on
int rang f0/9 - 10
channel-g 3 mode on
int rang f0/11 - 12
channel-g 2 mode on
dls2
int rang f0/7 - 8
channel-g 1 mode on
int rang f0/9 - 10
channel-g 3 mode on
int rang f0/11 - 12
channel-g 2 mode on
als1
int rang f0/7 - 8
channel-g 1 mode on
int rang f0/9 - 10
channel-g 3 mode on
int rang f0/11 - 12
channel-g 2 mode on
als2
int rang f0/7 - 8
channel-g 1 mode on
int rang f0/9 - 10
channel-g 3 mode on
int rang f0/11 - 12
channel-g 2 mode on
after ether summ on dls1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) - Fa0/7(P) Fa0/8(P)
2 Po2(SU) - Fa0/11(P) Fa0/12(P)
3 Po3(SU) - Fa0/9(P) Fa0/10(P)
dls1#
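an added example, not code from the original post: a python check over `show etherchannel summary` output like the table above, so you can tell at a glance (or from a script) whether every channel is layer 2 and in use (SU) and every member is bundled (P)... the parser and check_channels() are this example's own; SUMMARY is a constructed copy of the dls1 table above and DEGRADED is a constructed table of things that can go wrong while the channels come up...

```python
"""parse 'show etherchannel summary' and flag channels that aren't healthy.

added example, not from the original post. flag letters follow the legend ios
prints above the table: U in use, S layer2, D down, P bundled, s suspended."""
import re

# one data row: "1 Po1(SU) - Fa0/7(P) Fa0/8(P)"
ROW = re.compile(
    r"^(?P<group>\d+)\s+(?P<po>Po\d+)\((?P<flags>[A-Za-z]+)\)\s+(?P<proto>\S+)\s+(?P<members>.*)$")
MEMBER = re.compile(r"(?P<port>[A-Za-z]+\d+(?:/\d+)+)\((?P<flags>[A-Za-z]+)\)")

# constructed copy of the post's dls1 table
SUMMARY = """\
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) - Fa0/7(P) Fa0/8(P)
2 Po2(SU) - Fa0/11(P) Fa0/12(P)
3 Po3(SU) - Fa0/9(P) Fa0/10(P)
"""
# constructed: Po1 down with both members down, Po2 with a suspended member,
# Po3 with one member missing
DEGRADED = """\
1 Po1(SD) - Fa0/7(D) Fa0/8(D)
2 Po2(SU) - Fa0/11(P) Fa0/12(s)
3 Po3(SU) - Fa0/9(P)
"""


def parse_etherchannel_summary(text):
    """list of {group, name, flags, protocol, members:[(port, flags)]}"""
    channels = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:                                  # header, ruler, prompt lines
            continue
        members = [(p["port"], p["flags"]) for p in MEMBER.finditer(m["members"])]
        channels.append({"group": int(m["group"]), "name": m["po"], "flags": m["flags"],
                         "protocol": m["proto"], "members": members})
    return channels


def check_channels(channels, expected_members=2):
    """findings for anything that is not 'in use with every member bundled'"""
    findings = []
    for ch in channels:
        if "U" not in ch["flags"] or "D" in ch["flags"]:
            findings.append(f"{ch['name']}: not in use (flags {ch['flags']})")
        if len(ch["members"]) != expected_members:
            findings.append(f"{ch['name']}: {len(ch['members'])} members, expected {expected_members}")
        for port, flags in ch["members"]:
            if "P" not in flags:
                findings.append(f"{ch['name']}: {port} not bundled (flags {flags})")
    return findings
```

run it against the healthy table and you get an empty list; run it against the degraded one and every channel gets a line, which is the state you want to catch before walking away from a scrape session...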
a good practice...
a text editor...
if you have a home lab, or gns3, or even using rack rentals this is a good technique to get used to...
before touching the machine or machines that you want to configure, pre-configure your work using a text editor, then scrape it in and see where it succeeds or fails...
in a production environment, you will almost never have the opportunity to simply configure the machine hot, you will be tasked with pre-configuring your changes, presenting the change to the group, and then be approved (or not) for plugging in your values during the change window...
think of the time you will save, especially with rack rentals, if you pre-configure your work before logging into the system... it will force you to have a plan before beginning the tasks you want to perform... you will ultimately save money if you are on the clock...
this will get your head into the machine before your fingers get into the machine... it will also reinforce what you know, and will glaringly point out what you don't know...
this will also serve to weed out sloppiness, and decrease your time at the console, which for lab testing, is vital...
it is often fun to be sloppy on your home lab, using the ? mark often, mistakenly thinking you're making progress when in reality you are only reinforcing bad habits...
try pre-configuring a l3/l2 switch block on paper? first after erasing start and reloading, from the very beginning... don't just copy a known config, type all the commands without the help of any reference before touching the machine and see where you screw up...
this technique will make you faster and more accurate in your head while reinforcing commands, especially lengthy commands...
consider every pre-config you write to be a test, and time yourself during the process...
Wednesday, May 23, 2012
a novel approach...
i was talking to someone today who had a bizarre thought... he's a ccna also, and when i told him i was working on ccnp, he said his boss told him to skip ccnp and go right for ccie... i've never given any thought to such an idea... we know that you don't have to pass ccna to attempt ccie... i've always considered that is cisco simply laying down a nutty challenge... it's crazy for someone to try ccie without ccna, and further without ccnp... but when you start digging into ccie r&s, it's really ccna on acid... so why not?
while i still believe it is only natural to get ccnp first, then attempt ccie, the thought did get me spinning...
that is not to say that will change my path, but it is a hell of an idea, and one i never even thought of...
i believe one builds on the other, but maybe that guy has something... maybe...
Wednesday, May 16, 2012
bpdu guard, filter...
on portfast enabled ports bpduguard is activated globally with:
dls1(config)#spann portfast bpduguard default
dls1(config)#
if a bpdu is received on the port (a portfast port should not be receiving bpdu's, ie. it shouldn't be connected to a switch) the port is placed in errdisable
at the interface, simply:
dls1(config-if)#spann bpduguard enable
dls1(config-if)#
here too when the port receives a bpdu it goes into errdisable...
it is the difference in the words... guard not filter, guard not filter... the guard shuts the port down, the filter drops the offenders, however...
dls1(config)#spann portfast bpdufilter default
dls1(config)#
prevents portfast enabled ports from sending or receiving bpdu's... if it receives a bpdu, it loses its portfast ability and bpdu filtering is disabled...
enabling bpdu filtering is the same as disabling stp on the port, which could make it susceptible to loops... why you would ever want to allow a portfast port to be enabled automatically if it receives a bpdu is beyond me... i have read some half-hearted explanations to use this between isp's and their separate spanning trees, etc...
here is a video that might explain it better... guard seems like a good choice for most networks; use filter at your own risk...
http://www.youtube.com/watch?v=wvF0NFIHAEs
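an added example, not code from the original post: a small state model of a portfast port so the guard/filter difference above can be stepped through... PortfastPort and audit() are this example's own abstraction of what the post describes for the global `spanning-tree portfast bpduguard default` and `bpdufilter default` commands and the interface-level `spanning-tree bpduguard enable`; a port with both guard and filter configured is deliberately not modelled...

```python
"""state model of a portfast access port under bpduguard vs bpdufilter.

added example, not from the original post. PortfastPort is this example's own
abstraction of the behaviour the post describes; the guard+filter combination
on one port is not modelled."""


class PortfastPort:
    def __init__(self, name, portfast=True, guard=False, filter_=False):
        if guard and filter_:
            raise ValueError("guard together with filter is not modelled here")
        self.name = name
        self.portfast = portfast        # edge port: skips listening/learning
        self.guard = guard              # bpduguard, global default or per interface
        self.filter = filter_           # global 'portfast bpdufilter default'
        self.errdisabled = False
        self.events = []                # constructed descriptions, not ios syslog text

    def receive_bpdu(self):
        """outcome when a bpdu arrives, e.g. someone plugged a switch into the port"""
        if self.errdisabled:
            return "dropped: port errdisabled"
        if self.portfast and self.guard:
            self.errdisabled = True
            self.events.append(f"{self.name}: bpdu received, bpduguard errdisabled the port")
            return "errdisable"
        if self.portfast and self.filter:
            # global bpdufilter default: the first bpdu ends portfast on this port
            # and with it the filtering; from here on stp runs normally on it
            self.portfast = False
            self.filter = False
            self.events.append(f"{self.name}: bpdu received, portfast and bpdufilter removed")
            return "portfast lost"
        return "processed by stp"

    def sends_bpdus(self):
        """bpdufilter default keeps a portfast port silent; everything else talks"""
        return not (self.portfast and self.filter)

    def shut_no_shut(self):
        """manual recovery (or the errdisable recovery timer) brings the port back"""
        self.errdisabled = False


def audit(ports):
    """how each port would react to an unexpected switch appearing on the wire"""
    summary = {"guarded": 0, "filtered": 0, "unprotected": 0}
    for p in ports:
        if p.portfast and p.guard:
            summary["guarded"] += 1
        elif p.portfast and p.filter:
            summary["filtered"] += 1
        else:
            summary["unprotected"] += 1
    return summary
```

the guarded port goes dark and stays dark until someone looks at it, which is the point: a rogue switch on an access port becomes an incident you notice... the filtered port quietly turns into a normal stp port, so nothing tells you the topology just changed...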
Monday, May 14, 2012
quote of the day... according to doyle...
from routing tcpip, jeff doyle...
the data link/physical layers and the transport/network layers, as defined by the OSI model, perform very similar duties: They provide the means for conveying data from a source to a destination across some path. The difference is that the data link/physical layers provide communications across a physical path, whereas the transport/network layers provide communications across a logical or virtual path made up of a series of data links.
Sunday, May 13, 2012
eigrp, back to squares...
i've been studying switch almost exclusively since february... i am still in no rush to test; the means is always more important than the end... in that time i've been mostly avoiding route except for how it pertains to switch, and i'm getting weary of it...
routing has always been my strength; my first cisco experience was bringing up a 3640 with an atm connection to replace an existing t1 a long time ago...
in the last two weeks i've bought pdf copies of routing tcpip by jeff doyle, and ccnp route by wendell odom... it's good to get back to wendell as i haven't been a big fan of the hucaby switch ocg... both ebooks on sale at cisco for a greatly discounted price through what was originally ebook of the day, and is now ebook of the week... if you don't keep an eye on those bargains you are not helping yourselves...
so if you haven't noticed, i'm beginning to insinuate route into the posts... at this point there are roughly 2 hundred switch specific posts covering most of the syllabus... time to mix it up a little bit, and as always, the beginning never ends...
eigrp uses 3 basic mechanisms to add routes to its table...
neighbor discovery: eigrp sends hello messages in an effort to discover potential neighbors
topology exchange: when the neighborship comes up, full routing tables are exchanged; thereafter partial updates are in order based on topology changes
route selection: eigrp analyzes the topology table, and selects the lowest-cost route to reach the target subnet
update messages are sent on 224.0.0.10 for multiple routers on the same subnet
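an added example, not code from the original post: the route selection step from above carried out in python over a constructed topology table... it goes one step past "selects the lowest-cost route" by also applying the feasibility condition (a neighbor's reported distance must be below the feasible distance) that eigrp uses to keep a loop-free backup ready... the Entry record, select() and after_loss() are this example's own; neighbors, costs and prefixes are constructed...

```python
"""successor / feasible-successor selection from an eigrp topology table.

added example, not from the original post: applies the feasibility condition
(reported distance < feasible distance) on top of lowest-cost selection.
neighbors, costs and prefixes are constructed; costs are abstract, not the
eigrp composite metric."""
from collections import namedtuple

# reported_distance: the neighbor's own metric to the subnet (what it advertised)
# link_cost: our metric to reach that neighbor
Entry = namedtuple("Entry", "prefix neighbor reported_distance link_cost")

# constructed topology table of one router with three neighbors
TOPOLOGY = [
    Entry("10.2.0.0/24", "r2", 100, 50),
    Entry("10.2.0.0/24", "r3", 120, 60),
    Entry("10.2.0.0/24", "r4", 200, 10),
    Entry("10.3.0.0/24", "r3", 30, 60),
]


def select(topology, prefix):
    """successor (lowest computed distance) and the feasible successors whose
    reported distance is below that feasible distance; None if no path"""
    paths = [e for e in topology if e.prefix == prefix]
    if not paths:
        return None
    dist = {e.neighbor: e.reported_distance + e.link_cost for e in paths}
    successor = min(paths, key=lambda e: dist[e.neighbor])
    fd = dist[successor.neighbor]
    feasible = [e.neighbor for e in paths
                if e is not successor and e.reported_distance < fd]
    return {"successor": successor.neighbor, "fd": fd,
            "feasible_successors": sorted(feasible)}


def routing_table(topology):
    """what would be installed for every prefix in the topology table"""
    return {p: select(topology, p) for p in sorted({e.prefix for e in topology})}


def after_loss(topology, prefix, neighbor):
    """re-run selection once the paths through one neighbor are gone, which is
    the local computation eigrp does when a feasible successor exists"""
    remaining = [e for e in topology if not (e.prefix == prefix and e.neighbor == neighbor)]
    return select(remaining, prefix)
```

r4 has the cheapest link to us but reports a distance of 200, above the feasible distance of 150, so it is not a feasible successor: it might be routing through us... when r2 goes away r3 takes over immediately and r4 still does not qualify...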
design, implementation, verification...
simply...
design: what is to be accomplished
implementation: what needs to be done, and when, to realize the design
verification: did the implemented design work; prove it...
documentation: document ALL changes effected by the above
Saturday, May 12, 2012
why certify?
i'll tell you why...
no matter how much experience you have, if you don't have ccna, you are not ccna... those who work in the industry who don't have it secretly wish they did, wish they had the bag to get it, but tell you they don't need it, because, after all they can build a nexus, yet they don't know the difference between the data-link layer and the data-dick layer... they are monkeys whose knowledge is only locally significant... they go so far as to call themselves engineers... it's disgusting... i have 20 years experience supporting networks but that didn't mean jack until i finally got off my dead ass and got ccna... as i work ccnp i would never dream of referring to myself as an engineer, and i never will, until i get ccie...
the only people who belittle the certs are those afraid to actually get them...
Friday, May 11, 2012
ccie flash cards...
read em and weep... 870 of them...
http://quizlet.com/5968706/ccie-glossary-terms-flash-cards/
somebody else did the work for you again...
Thursday, May 10, 2012
protect, restrict, shutdown...
port-sec...
protect drops the frames...
restrict drops the frames, generates an snmp trap and syslog message
shutdown generates an snmp trap and syslog message, errdisables the port
shut, no shut will bring the port back, or speed up the errdisable recovery interval
p before r before s...
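an added example, not code from the original post: the three violation modes above as a small port-security model you can step through, including the errdisable recovery interval the post mentions... PortSecurity is this example's own; the log strings are constructed descriptions, not ios syslog wording, and the mac addresses are made up...

```python
"""port-security violation modes: protect, restrict, shutdown.

added example, not from the original post. PortSecurity is this example's own
model; syslog strings are constructed descriptions, not ios wording."""


class PortSecurity:
    MODES = ("protect", "restrict", "shutdown")

    def __init__(self, name, maximum=1, violation="shutdown", recovery_interval=None):
        if violation not in self.MODES:
            raise ValueError(f"unknown violation mode {violation!r}")
        self.name, self.maximum, self.violation = name, maximum, violation
        self.recovery_interval = recovery_interval   # 'errdisable recovery interval'; None = manual only
        self.secure_macs = []        # learned addresses, oldest first
        self.violations = 0          # the 'Security Violation Count' column
        self.errdisabled = False
        self.down_for = 0
        self.syslog = []             # constructed messages (restrict/shutdown also send an snmp trap)

    def frame_from(self, mac):
        """'forwarded' or 'dropped' for a frame with this source mac"""
        if self.errdisabled:
            return "dropped"
        if mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(mac)             # dynamic learning up to maximum
            return "forwarded"
        # a new source mac on a full table is a violation
        if self.violation == "protect":
            return "dropped"                         # silent: no counter, trap or syslog
        self.violations += 1
        self.syslog.append(f"{self.name}: port-security violation from {mac} ({self.violation})")
        if self.violation == "shutdown":
            self.errdisabled = True                  # nothing passes, not even the secure mac
            self.down_for = 0
        return "dropped"

    def tick(self, seconds):
        """advance time; errdisable recovery re-enables the port after the interval"""
        if self.errdisabled and self.recovery_interval is not None:
            self.down_for += seconds
            if self.down_for >= self.recovery_interval:
                self.shut_no_shut()

    def shut_no_shut(self):
        self.errdisabled = False
        self.down_for = 0
```

protect keeps the legitimate host working and tells nobody; restrict keeps it working and tells you; shutdown takes the whole port, legitimate host included, until shut/no shut or the recovery timer... p before r before s...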
Wednesday, May 9, 2012
cdp neighbor review...
the farther away from home you are, the closer you become...
als2#sh cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
dls2 Fas 0/7 139 R S I WS-C3550-4Fas 0/7
dls2 Fas 0/8 139 R S I WS-C3550-4Fas 0/8
dls1 Fas 0/10 135 R S I WS-C3550-2Fas 0/10
dls1 Fas 0/9 135 R S I WS-C3550-2Fas 0/9
als1 Fas 0/12 153 S I WS-C2950-2Fas 0/12
als1 Fas 0/11 153 S I WS-C2950-2Fas 0/11
als2#
won't you be my cdp neighbor...
the device id is the remote device's hostname
the local interface is this switch's interface the remote device is connected to
holdtime is the number of seconds the local device will keep the last advertisement it received from the remote device before aging it out (each new advertisement resets it)
capability code is what type of device the remote host says it is
platform is its hardware platform... truncated to fit the column, which is why it runs into the port id in the output above (WS-C3550-4Fas 0/7)
port id is the directly connected remote interface
cdp is sent in the clear and is not authenticated, so anything plugged into a port with cdp on learns your platforms, ios versions and management addresses... keep it on the links between your own switches and routers, and no cdp enable on ports facing users or gear you don't control...
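added example, not from the post: a python parser for the sh cdp neigh output above that turns the rows into records and then checks them against an allow-list of which device is supposed to be on which port... the sample is the output above copied as-is, including the platform column running into the port id; the allow-list in the test is an assumption...

```python
import re
from dataclasses import dataclass

# The post's own `show cdp neighbors` output, copied verbatim. IOS truncates
# the Platform column, so "WS-C3550-4Fas 0/7" is platform + port id glued together.
SAMPLE = """\
als2#sh cdp neigh
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
Device ID Local Intrfce Holdtme Capability Platform Port ID
dls2 Fas 0/7 139 R S I WS-C3550-4Fas 0/7
dls2 Fas 0/8 139 R S I WS-C3550-4Fas 0/8
dls1 Fas 0/10 135 R S I WS-C3550-2Fas 0/10
dls1 Fas 0/9 135 R S I WS-C3550-2Fas 0/9
als1 Fas 0/12 153 S I WS-C2950-2Fas 0/12
als1 Fas 0/11 153 S I WS-C2950-2Fas 0/11
als2#
"""

CAPABILITY_CODES = {"R": "Router", "T": "Trans Bridge", "B": "Source Route Bridge",
                    "S": "Switch", "H": "Host", "I": "IGMP", "r": "Repeater", "P": "Phone"}

# device id, local interface ("Fas 0/7"), holdtime, then the rest of the row
ROW_RE = re.compile(r"^(?P<device>\S+)\s+(?P<local>\S+ \S+)\s+(?P<hold>\d+)\s+(?P<rest>.+)$")
# the remote port id is at the end of the row and may be glued to the platform
PORT_RE = re.compile(r"(Fas|Gig|Ten|Eth|Ser|Vl|Po)\s?(\d\S*)$")


@dataclass(frozen=True)
class CdpNeighbor:
    device_id: str
    local_intf: str
    holdtime: int
    capabilities: tuple
    platform: str
    port_id: str


def parse_cdp_neighbors(text: str) -> list:
    """Parse `show cdp neighbors` table rows into CdpNeighbor records."""
    neighbors = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("Device ID"):
            in_table = True               # column header: rows follow
            continue
        if not in_table or not line.strip() or line.rstrip().endswith("#"):
            continue                      # capability legend, blanks, trailing prompt
        row = ROW_RE.match(line)
        port = PORT_RE.search(row.group("rest")) if row else None
        if not row or not port:
            continue
        head = row.group("rest")[:port.start()].split()
        caps = tuple(t for t in head if t in CAPABILITY_CODES)   # single-letter codes
        platform = head[len(caps)] if len(head) > len(caps) else ""
        neighbors.append(CdpNeighbor(
            device_id=row.group("device"),
            local_intf=row.group("local"),
            holdtime=int(row.group("hold")),
            capabilities=caps,
            platform=platform,
            port_id=f"{port.group(1)} {port.group(2)}",
        ))
    return neighbors


def unexpected_neighbors(neighbors: list, allowed: dict) -> list:
    """Neighbors whose local interface is not mapped to that device id.

    `allowed` maps local interface -> expected device id (an assumed inventory).
    A new CDP talker on an access port, or a known device on the wrong port,
    deserves an alert: CDP is unauthenticated and anyone can send it.
    """
    return [n for n in neighbors if allowed.get(n.local_intf) != n.device_id]


if __name__ == "__main__":
    for n in parse_cdp_neighbors(SAMPLE):
        print(n)
```

run it on the output of a scheduled sh cdp neigh and diff against yesterday's allow-list and you have a cheap rogue-device check for free...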
ttl...
the original intention for the time to live field was a lifetime in seconds: each router was supposed to subtract the time the packet sat in its queue... that had little practical appeal and was never implemented that way; since rfc 791 already required every hop to subtract at least one, routers simply decrement the ttl by one no matter how long the packet was queued... when it hits zero the packet is dropped and the router sends an icmp time exceeded back to the source, which is exactly what traceroute relies on...
in ipv6 the corresponding field is called hop limit (the more honest name) and works the same way
so in both ipv4 (ttl) and ipv6 (hop limit) the field is a hop count, not a timer...
Tuesday, May 8, 2012
Monday, May 7, 2012
clear arp-cache
very useful... arp is a strong informational and troubleshooting tool that is often overlooked... the output below is debug arp on dls1 right after clear arp-cache: the switch re-requests every entry it just flushed, sends gratuitous replies for its own svi addresses and for the hsrp virtual addresses (0000.0c07.ac01 is the hsrp version 1 virtual mac for group 1), and rebuilds the table from the answers... don't forget to set your service timestamps for debug and log output to datetime (service timestamps debug datetime msec, service timestamps log datetime msec)... uptime timestamps are a waste of time when you need to line this up against anything else...
dls1#clear arp-cache
dls1#
May 7 18:55:50: IP ARP: sent req src 172.16.100.1 000f.8ffe.0980,
dst 172.16.100.150 e89a.8f98.a703 Vlan100
May 7 18:55:50: IP ARP: sent req src 172.16.200.1 000f.8ffe.0980,
dst 172.16.200.2 000b.5fc9.0000 Vlan200
May 7 18:55:50: IP ARP: sent req src 172.16.200.1 000f.8ffe.0980,
dst 172.16.200.250 984b.e1fb.2940 Vlan200
May 7 18:55:50: IP ARP: sent req src 172.16.1.1 000f.8ffe.0980,
dst 172.16.1.2 000b.5fc9.0000 Vlan1
May 7 18:55:50: IP ARP: sent req src 172.16.1.1 000f.8ffe.0980,
dst 172.16.1.101 0009.b73f.ce80 Vlan1
May 7 18:55:50: IP ARP: sent req src 172.16.100.1 000f.8ffe.0980,
dst 172.16.100.2 000b.5fc9.0000 Vlan100
May 7 18:55:50: IP ARP: sent req src 172.16.1.1 000f.8ffe.0980,
dst 172.16.1.102 0009.b752.d780 Vlan1
May 7 18:55:50: IP ARP: sent rep src 172.16.1.1 000f.8ffe.0980,
dst 172.16.1.1 ffff.ffff.ffff Vlan1
May 7 18:55:50: IP ARP: sent rep src 172.16.1.5 0000.0c07.ac01,
dst 172.16.1.5 ffff.ffff.ffff Vlan1
May 7 18:55:50: IP ARP: sent rep src 172.16.1.5 0000.0c07.ac01,
dst 172.16.1.5 0100.0ccd.cdcd Vlan1
May 7 18:55:50: IP ARP: sent rep src 172.16.100.1 000f.8ffe.0980,
dst 172.16.100.1 ffff.ffff.ffff Vlan100
May 7 18:55:50: IP ARP: sent rep src 172.16.100.5 0000.0c07.ac01,
dst 172.16.100.5 ffff.ffff.ffff Vlan100
May 7 18:55:50: IP ARP: sent rep src 172.16.100.5 0000.0c07.ac01,
dst 172.16.100.5 0100.0ccd.cdcd Vlan100
May 7 18:55:50: IP ARP: sent rep src 172.16.200.1 000f.8ffe.0980,
dst 172.16.200.1 ffff.ffff.ffff Vlan200
May 7 18:55:50: IP ARP: sent rep src 172.16.200.5 0000.0c07.ac01,
dst 172.16.200.5 ffff.ffff.ffff Vlan200
May 7 18:55:50: IP ARP: sent rep src 172.16.200.5 0000.0c07.ac01,
dst 172.16.200.5 0100.0ccd.cdcd Vlan200
May 7 18:55:50: IP ARP: rcvd rep src 172.16.100.150 e89a.8f98.a703, dst 172.16.100.1 Vlan100
May 7 18:55:50: IP ARP: ignored gratuitous arp src 172.16.100.150 e89a.8f98.a703, dst 172.16.100
May 7 18:55:50: IP ARP: creating entry for IP address: 172.16.100.150, hw: e89a.8f98.a703
May 7 18:55:50: IP ARP: rcvd rep src 172.16.200.2 000b.5fc9.0000, dst 172.16.200.1 Vlan200
May 7 18:55:50: IP ARP: ignored gratuitous arp src 172.16.200.2 000b.5fc9.0000, dst 172.16.200.0
May 7 18:55:50: IP ARP: creating entry for IP address: 172.16.200.2, hw: 000b.5fc9.0000
May 7 18:55:50: IP ARP: rcvd rep src 172.16.200.250 984b.e1fb.2940, dst 172.16.200.1 Vlan200
May 7 18:55:50: IP ARP: ignored gratuitous arp src 172.16.200.250 984b.e1fb.2940, dst 172.16.200
May 7 18:55:50: IP ARP: creating entry for IP address: 172.16.200.250, hw: 984b.e1fb.2940
May 7 18:55:50: IP ARP: rcvd rep src 172.16.1.2 000b.5fc9.0000, dst 172.16.1.1 Vlan1
May 7 18:55:50: IP ARP: ignored gratuitous arp src 172.16.1.2 000b.5fc9.0000, dst 172.16.1.1 001
May 7 18:55:50: IP ARP: creating entry for IP address: 172.16.1.2, hw: 000b.5fc9.0000
May 7 18:55:50: IP ARP: rcvd rep src 172.16.1.101 0009.b73f.ce80, dst 172.16.1.1 Vlan1
May 7 18:55:50: IP ARP: ignored gratuitous arp src 172.16.1.101 0009.b73f.ce80, dst 172.16.1.1 000f.8ffe.09801
May 7 18:55:50: IP ARP: creating entry for IP address: 172.16.1.101, hw: 0009.b73f.ce80
May 7 18:55:50: IP ARP: rcvd rep src 172.16.100.2 000b.5fc9.0000, dst 172.16.100.1 Vlan100
May 7 18:55:50: IP ARP: ignored gratuitous arp src 172.16.100.2 000b.5fc9.0000, dst 172.16.100.0
May 7 18:55:50: IP ARP: creating entry for IP address: 172.16.100.2, hw: 000b.5fc9.0000
May 7 18:55:50: IP ARP: rcvd rep src 172.16.1.102 0009.b752.d780, dst 172.16.1.1 Vlan1
May 7 18:55:50: IP ARP: ignored gratuitous arp src 172.16.1.102 0009.b752.d780, dst 172.16.1.1 1
May 7 18:55:50: IP ARP: creating entry for IP address: 172.16.1.102, hw: 0009.b752.d780
dls1#
May 7 18:56:05: IP ARP: rcvd req src 172.16.100.150 e89a.8f98.a703, dst 172.16.100.5 Vlan100
May 7 18:56:05: IP ARP: sent rep src 172.16.100.5 0000.0c07.ac01,
dst 172.16.100.150 e89a.8f98.a703 Vlan100
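added example, not part of the post: a python detector that reads debug arp lines like the ones above and flags any ip whose sender mac changes within a vlan, which is what arp spoofing or a duplicate address looks like from the gateway... the sample lines are copied from the output above except the last one, which is constructed to show a conflicting reply...

```python
import re

# debug arp lines. All but the last are from the post; the last is constructed
# to show the same IP answering with a different MAC.
SAMPLE_DEBUG = """\
May 7 18:55:50: IP ARP: rcvd rep src 172.16.100.150 e89a.8f98.a703, dst 172.16.100.1 Vlan100
May 7 18:55:50: IP ARP: creating entry for IP address: 172.16.100.150, hw: e89a.8f98.a703
May 7 18:55:50: IP ARP: rcvd rep src 172.16.200.2 000b.5fc9.0000, dst 172.16.200.1 Vlan200
May 7 18:55:50: IP ARP: creating entry for IP address: 172.16.200.2, hw: 000b.5fc9.0000
May 7 18:56:05: IP ARP: rcvd req src 172.16.100.150 e89a.8f98.a703, dst 172.16.100.5 Vlan100
May 7 18:56:30: IP ARP: rcvd rep src 172.16.100.150 0011.2233.4455, dst 172.16.100.1 Vlan100
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# "rcvd req" and "rcvd rep" both carry a sender ip/mac pair; the dst mac is optional
RCVD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d): IP ARP: rcvd (?P<kind>req|rep) "
    r"src (?P<sip>[\d.]+) (?P<smac>" + MAC + r"), "
    r"dst (?P<dip>[\d.]+)(?: " + MAC + r")? (?P<vlan>Vlan\d+)$"
)


def parse_received(text: str) -> list:
    """Extract (timestamp, kind, sender ip, sender mac, vlan) from received-ARP lines."""
    out = []
    for line in text.splitlines():
        m = RCVD_RE.match(line.strip())
        if m:
            out.append((m["ts"], m["kind"], m["sip"], m["smac"], m["vlan"]))
    return out


def find_mac_changes(text: str) -> list:
    """Return (ts, vlan, ip, old_mac, new_mac) each time a sender claims an IP with a new MAC.

    Requests and replies both carry a sender binding, so both are tracked.
    A legitimate NIC swap trips this too, which is why it is an alert, not a block;
    on the switch itself the enforcing tool is dynamic arp inspection.
    """
    bindings = {}
    changes = []
    for ts, kind, ip, mac, vlan in parse_received(text):
        key = (vlan, ip)
        old = bindings.get(key)
        if old is not None and old != mac:
            changes.append((ts, vlan, ip, old, mac))
        bindings[key] = mac
    return changes


if __name__ == "__main__":
    for change in find_mac_changes(SAMPLE_DEBUG):
        print("mac changed:", change)
```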
ip address v binary string...
we know that an ipv4 address is written in dotted decimal so it is easier for humans to read... 32 bits, shown as four 8-bit octets... but that is not the router's view of the address; the router doesn't interpret it as four one-byte octets but as a single 32-bit binary string...
so 10.1.1.1 is 167837953 in decimal, and in binary
00001010 00000001 00000001 00000001
the router doesn't see the dots, or the spaces, nor does it care about the decimal equivalent...
the router sees this:
00001010000000010000000100000001
bit-count format (the default) v decimal... the mask is the same 32-bit string either way, only the display changes
dls1#term ip netmask-format decimal
dls1#sh ip route 172.16.100.0
Routing entry for 172.16.100.0 255.255.255.0
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via Vlan100
Route metric is 0, traffic share count is 1
dls1#term ip netmask-format bit-count
dls1#sh ip route 172.16.100.0
Routing entry for 172.16.100.0/24
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via Vlan100
Route metric is 0, traffic share count is 1
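added example, not from the post: the address and mask arithmetic from the two posts above done by hand in python, so the 32-bit view is visible... dotted decimal to integer and binary string, bit-count to decimal mask and back, mask to acl wildcard, and a route match as a plain bitwise and... the only thing beyond the posts is the check that rejects a non-contiguous mask, which is the typo you want caught before it lands in a config... in real code python's ipaddress module does all of this, the hand-rolled version is here to show the bits...

```python
ALL_ONES = (1 << 32) - 1


def ip_to_int(dotted: str) -> int:
    """Dotted decimal to the single 32-bit integer the router actually works with."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    value = 0
    for o in octets:
        n = int(o)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | n          # shift the string left one octet, append this one
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ip_to_bits(dotted: str) -> str:
    """The 32-character string the router sees, no dots, no spaces."""
    return format(ip_to_int(dotted), "032b")


def prefix_to_mask(prefix: int) -> str:
    """Bit-count (/24) to decimal (255.255.255.0): the top `prefix` bits set."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length {prefix}")
    return int_to_ip(ALL_ONES ^ ((1 << (32 - prefix)) - 1))


def mask_to_prefix(mask: str) -> int:
    """Decimal mask to bit-count; rejects masks whose ones are not contiguous."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if m != ALL_ONES ^ ((1 << (32 - prefix)) - 1):
        raise ValueError(f"non-contiguous mask {mask}")
    return prefix


def wildcard(mask: str) -> str:
    """ACL wildcard is the bitwise inverse of the mask (255.255.255.0 -> 0.0.0.255)."""
    return int_to_ip(ip_to_int(mask) ^ ALL_ONES)


def in_subnet(ip: str, network: str, prefix: int) -> bool:
    """Route match: AND both sides with the mask and compare the network bits."""
    m = ip_to_int(prefix_to_mask(prefix))
    return ip_to_int(ip) & m == ip_to_int(network) & m


if __name__ == "__main__":
    print(ip_to_int("10.1.1.1"), ip_to_bits("10.1.1.1"))
    print(prefix_to_mask(24), mask_to_prefix("255.255.255.0"), wildcard("255.255.255.0"))
    print(in_subnet("172.16.100.150", "172.16.100.0", 24))
```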
switch lab cont....
1. set up hsrp on this network...
dls1#sh standby brie
P indicates configured to preempt.
|
Interface Grp Prio P State Active Standby Virtual IP
Vl1 1 110 P Active local 172.16.1.2 172.16.1.5
Vl100 1 110 P Active local 172.16.100.2 172.16.100.5
Vl200 1 110 P Active local 172.16.200.2 172.16.200.5
dls1#
what is the gateway ip?
have i mentioned yet today that i dislike acl's? from a philosophical standpoint, i'm in this business to provide connectivity, not to limit it or take it away... but things as they are, there are countless reasons to inhibit connections. this is the life we have chosen, but i don't have to agree with all of it...
2. create an acl to disallow users from 200 to 100, but 100 can access 200
dls1#sh access-list
Extended IP access list 101
10 permit tcp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 established
20 permit icmp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 echo-reply
30 deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255
40 permit ip any any (166 matches)
read it top down, first match wins, implicit deny at the end: line 30 is what actually blocks 200 from reaching 100... lines 10 and 20 sit above it to let the return half of conversations that 100 started back through... established matches a tcp segment only if its ack or rst bit is set, which is true of everything after the initial syn, so 100 can open sessions to 200 and get the answers, while a fresh syn from 200 falls through to the deny... echo-reply does the same job for ping... the caveat is that established is stateless, it checks flag bits and nothing else, so any host in 200 that sends tcp with ack set (an ack scan, for one) passes line 10 whether or not a session exists, and there is no equivalent for udp at all, that all hits line 30... apply it inbound on the vlan 200 svi, closest to the source, which is where a deny belongs...
dls1#sh ip int vlan 100
Vlan100 is up, line protocol is up
Internet address is 172.16.100.1/24
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1500 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Multicast reserved groups joined: 224.0.0.2
Outgoing access list is not set
Inbound access list is 101
Proxy ARP is enabled
omitted
dls1#sh run int vlan 200
Building configuration...
Current configuration : 158 bytes
!
interface Vlan200
ip address 172.16.200.1 255.255.255.0
ip access-group 101 in
standby 1 ip 172.16.200.5
standby 1 priority 110
standby 1 preempt
end
3. do the same for dls2
4. set up a host for 200 on als2, and a host for 100 on als1... ensure connectivity for the hosts first, then pull the plug on the active hsrp switch... be sure to set the hosts' gateway addresses to the hsrp virtual ips, not the real svi addresses, or the failover proves nothing
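added example, not the switch's own code: a stateless python model of how ios walks extended acl 101 from the lab above, top down, first match wins, implicit deny at the end... established is modelled the way ios does it, a tcp segment matches if its ack or rst bit is set and nothing else is checked... the packets pushed through it at the bottom are constructed, including the ack-scan case that shows what established does not protect against...

```python
from dataclasses import dataclass

ALL_ONES = (1 << 32) - 1


def ip_to_int(dotted: str) -> int:
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


def in_wildcard(addr: str, net: str, wc: str) -> bool:
    """IOS wildcard match: bits set in the wildcard are don't-care bits."""
    care = ~ip_to_int(wc) & ALL_ONES
    return ip_to_int(addr) & care == ip_to_int(net) & care


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp" or "icmp"
    src: str
    dst: str
    flags: frozenset = frozenset()    # tcp: subset of {"SYN","ACK","RST"}; icmp: {"echo"} or {"echo-reply"}


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                       # "permit" or "deny"
    proto: str                        # "ip", "tcp", "udp" or "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    established: bool = False
    icmp_type: str = ""


# access-list 101 exactly as shown in the lab; "any" is 0.0.0.0 255.255.255.255
ACL_101 = [
    Entry(10, "permit", "tcp", "172.16.200.0", "0.0.0.255", "172.16.100.0", "0.0.0.255", established=True),
    Entry(20, "permit", "icmp", "172.16.200.0", "0.0.0.255", "172.16.100.0", "0.0.0.255", icmp_type="echo-reply"),
    Entry(30, "deny", "ip", "172.16.200.0", "0.0.0.255", "172.16.100.0", "0.0.0.255"),
    Entry(40, "permit", "ip", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (in_wildcard(p.src, e.src, e.src_wc) and in_wildcard(p.dst, e.dst, e.dst_wc)):
        return False
    if e.established and not (p.flags & {"ACK", "RST"}):
        return False                  # established = ACK or RST set, no session state at all
    if e.icmp_type and e.icmp_type not in p.flags:
        return False
    return True


def evaluate(acl: list, p: Packet) -> tuple:
    """(action, seq) of the first matching entry, or ("deny", None) for the implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return (e.action, e.seq)
    return ("deny", None)


if __name__ == "__main__":
    # constructed traffic from the 200 host to the 100 host and back
    h200, h100 = "172.16.200.2", "172.16.100.150"
    print("200 -> 100 new syn   ", evaluate(ACL_101, Packet("tcp", h200, h100, frozenset({"SYN"}))))
    print("200 -> 100 ack (reply)", evaluate(ACL_101, Packet("tcp", h200, h100, frozenset({"ACK"}))))
    print("200 -> 100 udp       ", evaluate(ACL_101, Packet("udp", h200, h100)))
    print("100 -> 200 new syn   ", evaluate(ACL_101, Packet("tcp", h100, h200, frozenset({"SYN"}))))
```

the second line of the demo is the point: a bare ack from 200 is indistinguishable from a reply to a session 100 opened, so line 10 lets it through... if that matters, the stateless acl is the wrong tool and you want a stateful inspection (cbac, zone-based firewall, or a real firewall) in front of vlan 100...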
Sunday, May 6, 2012
anki screenshot...
you must help yourself in this...
if you are not using anki, you are not participating in what you study...
http://ankisrs.net/
what i've done lately is make anki's by scraping the q&a's for chapters, as well as glossaries, and any other vital information i come across... rate the cards and review as per the anki schedule... become what you read, don't just read it... it truly helps with things that you thought you knew well, but didn't... reading for comprehension lasts for the short term, anki will provide you with the long term...
become the concept... make it automatic...
quote of the day...
from routing tcpip, vol 1 second edition, jeff doyle...
A subnet is a subgrouping of a class A, B, or C IP address. Without subnetting, the network part of a major class A, B, or C IP address can only identify a single data link. Subnetting uses some of the host bits of a major IP address as network bits, allowing the single major address to be “subdivided” into multiple network addresses.
Saturday, May 5, 2012
udld...
smoke em if you got em...
dls1(config)#udld enable
dls1(config)#int rang g0/1 - 2
dls1(config-if-range)#udld port aggressive
unidirectional link detection... udld enable in global config turns it on in normal mode for fiber ports only; udld port aggressive on the interface turns it on, in aggressive mode, for that port, copper included...
when a bidirectional link goes unidirectional (one fiber strand dead, a transceiver failing) layer 1 still shows up, spanning tree can stop hearing bpdus and unblock a port it shouldn't, and you have a loop... each side sends udld hellos carrying its own device and port id plus the ids it has heard; a link counts as bidirectional only when a switch sees its own id echoed back... when that stops, udld shuts the link down...
dls1#sh udld g0/1
Interface Gi0/1
---
Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Unknown
Current operational state: Advertisement
Message interval: 7
Time out interval: 5
No neighbor cache information stored
dls1#
aggressive means that once the link was bidirectional and the neighbor goes quiet, udld tries eight times (one hello per second) to re-establish the relationship... if none is answered the port is errdisabled... normal mode errdisables only when it positively detects a unidirectional link (its own id missing from the neighbor's echo); when the neighbor simply goes quiet it marks the port undetermined and leaves it up
bidirectional state Unknown and no neighbor cache in the output above means the far end hasn't answered yet... udld has to be configured on both ends of the link, otherwise it never reaches a bidirectional verdict
note that sh udld g0/1 does not take the interface keyword as an argument...
i prefer bidirectional... links
dls1(config)#int rang g0/1 - 2
dls1(config-if-range)#sw trunk encap dot1q
dls1(config-if-range)#sw mode trunk
dls1(config-if-range)#no shut