ExtremeXOS Operations and Configuration Lab Guide

ExtremeXOS Operations and Configuration Lab Guide with PuTTY, Rev.12.1

Extreme Networks, Inc. 3585 Monroe Street Santa Clara, California 95051 (888) 257-3000 (408) 579-2800 http://www.extremenetworks.com Part number: DOC-01665 Rev 02

AccessAdapt, Alpine, BlackDiamond, ESRP, Ethernet Everywhere, Extreme Enabled, Extreme Ethernet Everywhere, Extreme Networks, Extreme Standby Router Protocol, Extreme Turbodrive, Extreme Velocity, ExtremeWare, ExtremeWorks, ExtremeXOS, the Go Purple Extreme Solution, Sentriant, ServiceWatch, ScreenPlay, Summit, SummitStack, Unified Access Architecture, Unified Access RF Manager, UniStack, Universal Port, the Extreme Networks logo, the Alpine logo, the BlackDiamond logo, the Extreme Turbodrive logo, the Summit logos, the Powered by ExtremeXOS logo, and the Color Purple, among others, are trademarks or registered trademarks of Extreme Networks, Inc. or its subsidiaries in the United States and/or other countries. Adobe, Flash, and Macromedia are registered trademarks of Adobe Systems Incorporated in the U.S. and/or other countries. AutoCell is a trademark of AutoCell. Avaya is a trademark of Avaya, Inc. Merit is a registered trademark of Merit Network, Inc. Internet Explorer is a registered vctrademark of Microsoft Corporation. Mozilla Firefox is a registered trademark of the Mozilla Foundation. sFlow is a registered trademark of sFlow.org. Solaris and Java are trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Specifications are subject to change without notice. All other registered trademarks, trademarks, and service marks are property of their respective owners. © 2009 Extreme Networks, Inc. All Rights Reserved.

ii

ExtremeXOS™ Operation and Configuration, Rev. 12.1

Table of Contents PuTTY Console Configuration Student Objectives .................................................................................................................... vii Part 1: Clear the Registry........................................................................................................... vii Part 2: Fill the Registry with Extreme’s Saved Sessions................................................................ viii Part 3: Run the PuTTY Executable ............................................................................................... ix Part 4: Establish Initial Connection to the Virtual PC ..................................................................... xi Part 5: Virtual PC Tips ............................................................................................................... xii

Lab 1: Initial Switch Configuration Lab Student Objectives ..................................................................................................................... 1 Part 1: Logging In, Initializing, and Configuring the Switch Name ................................................... 2 Part 2: Adding Users and Saving the Configuration........................................................................ 6 Part 3: Limiting CLI Sessions, Failed Logins, and Telnet Access ..................................................... 8

Lab 2: Switch Management Lab Student Objectives ................................................................................................................... 13 Part 1: Verifying the Switch Status and Configuration .................................................................. 14 Part 2: Configuring IP Access.................................................................................................... 15 Part 3: Backing Up Configuration Files and Downloading Images .................................................. 17 Part 4: Editing ASCII-formatted Configuration Files on a PC ......................................................... 21 Part 5: Editing ASCII-formatted Configuration Files on the Switch ................................................ 23 Part 6: Accessing the Bootstrap and BootRom Menus .................................................................. 26

Lab 3: Layer 1 Configuration Lab Student Objectives ................................................................................................................... 29 Part 1: Setting Up for Auto-Negotiation, Half-Duplex, and Full-Duplex .......................................... 30 Part 2: Auto-Negotiation, Half-Duplex, and Full-Duplex ............................................................... 31 Part 3: Configuring the Client Workstation and Testing the Default Gateway................................... 33 Part 4: Configuring Dynamic Address-based Load Sharing............................................................ 37 Part 5: Enabling the Link-Layer Discovery Protocol ...................................................................... 43

Lab 4: Configuring a Stacked Switch Demonstration........................................................................ 45


iii

Table of Contents

Lab 5: Layer 2 Forwarding Lab Student Objectives ................................................................................................................... 47 Part 1: Setting Up for Populating the Forwarding Database .......................................................... 48 Part 2: Populating the Forwarding Database................................................................................ 49 Part 3: Locking Learning............................................................................................................51 Part 4: Limiting Learning .......................................................................................................... 55 Part 5: Enabling Extreme Link Status Monitoring ........................................................................ 57

Lab 6: Port-based VLAN Configuration Lab Student Objectives ................................................................................................................... 59 Part 1: Setting Up for Creating a Port-Based VLAN...................................................................... 60 Part 2: Creating a Port-Based VLAN ........................................................................................... 61 Part 3: Adding Ports to a VLAN ................................................................................................. 62 Part 4: Configuring the Client Workstation .................................................................................. 63 Part 5: Extending the VLAN Across Multiple Switches ................................................................. 66

Lab 7: Tagged VLAN Configuration Lab Student Objectives ................................................................................................................... 69 Part 1: Setting Up for Configuring a Tagged VLAN and Adding Tagged and Untagged Ports ............. 70 Part 2: Configuring the Client Workstation .................................................................................. 71 Part 3: Configuring a Tagged VLAN and Adding Tagged and Untagged Ports ..................................75 Part 4: Adding a Second Tagged VLAN and Trunked Ports ........................................................... 77 Part 5: Adding Additional Tagged Ports ...................................................................................... 79 Part 6: Reconfiguring the Client Workstation............................................................................... 81

Lab 8: Spanning Tree Configuration Lab Student Objectives ................................................................................................................... 83 Part 1: Setting Up for Spanning Tree Configuration ..................................................................... 85 Part 2: Configuring the Client Workstation .................................................................................. 86 Part 3: Creating and Validating a Spanning Tree Domain.............................................................. 90 Part 4: Changing and Validating Bridge Priority........................................................................... 94

Lab 9: Basic EAPS Configuration Lab Student Objectives ................................................................................................................... 97 Part 1: Creating the EAPS Control VLAN..................................................................................... 99 Part 2: Creating and Configuring the EAPS Domain ................................................................... 101 Part 3: Verifying the EAPS Domain Configuration and Operation ................................................. 102 Part 4: Configuring the Client Workstation ................................................................................ 103 Part 5: Testing the EAPS Configuration .................................................................................... 107

iv


Table of Contents

Lab 10: Static Route/IP Forwarding Configuration Lab Student Objectives .................................................................................................................111 Part 1: Setting Up for Creating Router Interfaces ...................................................................... 112 Part 2: Creating Router Interfaces.............................................................................................113 Part 3: Enabling IP Forwarding and Creating a Default Route ..................................................... 115 Part 4: Configuring the Client Workstation ................................................................................ 117 Part 5: Verifying and Testing IP Forwarding and the Static Route................................................ 121

Lab 11: Routing Information Protocol (RIP) Configuration Lab Student Objectives ................................................................................................................. 123 Part 1: Setting Up for Verifying the Router Interfaces ................................................................ 124 Part 2: Verifying the Router Interfaces...................................................................................... 125 Part 3: Enabling IP Forwarding and Adding VLANs to RIP .......................................................... 126 Part 4: Enabling RIP and Verifying Protocol Operation ............................................................... 128 Part 5: Configuring the Client Workstation ................................................................................ 132 Part 6: Verifying and Testing IP Forwarding and RIP ................................................................. 136

Lab 12: Open Shortest Path First (OSPF) Configuration Lab Student Objectives ................................................................................................................. 139 Part 1: Setting Up for Verifying the Router Interfaces ................................................................ 140 Part 2: Verifying the Router Interfaces...................................................................................... 141 Part 3: Enabling IP Forwarding and Configuring OSPF ............................................................... 142 Part 4: Enabling OSPF and Verifying the Protocol Operation ....................................................... 145 Part 5: Configuring the Client Workstation ................................................................................ 147 Part 6: Verifying and Testing IP Forwarding and OSPF ............................................................... 151

Lab 13: Netlogin Using Local MAC Address Authentication Configuration Lab Student Objectives ................................................................................................................. 155 Part 1: Setting up for Netlogin ................................................................................................ 156 Part 2: Configuring the Client Workstation ................................................................................ 157 Part 3: Displaying the Network Login Configuration ................................................................... 161 Part 4: Configuring the Network Login VLAN............................................................................. 161 Part 5: Configuring MAC Address Authentication ....................................................................... 161 Part 6: Managing the Authorized MAC Addresses ...................................................................... 162 Part 7: Testing the Configuration .............................................................................................163 Part 8: Just in Case.... ............................................................................................................164


v

Table of Contents

Lab 14: Universal Port Configuration Lab Student Objectives .................................................................................................................169 Part 1: Setting Up for Loading and Validating the Netlogin Configuration ....................................170 Part 2: Loading and Validating the Netlogin Configuration.......................................................... 171 Part 3: Configuring the Client Workstations............................................................................... 173 Part 4: Creating the Universal Port Profiles and Binding to an Event ...........................................181 Part 5: Universal Port, Netlogin, and MAC-Based Authentication ................................................ 183 Part 6: Triggering and Validating the Event Profile..................................................................... 184

Lab 15: Quality of Service (QoS) Configuration Lab Student Objectives ................................................................................................................. 189 Part 1: Creating the EAPS Control VLAN................................................................................... 191 Part 2: Configuring the Client Workstations............................................................................... 193 Part 3: Best-Effort Traffic Modeling ......................................................................................... 199 Part 4: Configuring Quality of Service, Assigning it to a VLAN, and Verifying Priority Service ......... 202

Lab 16: Switch Diagnostics Lab Student Objectives ................................................................................................................. 205 Part 1: Resetting the Switch to Factory Default ......................................................................... 206 Part 2: Monitoring Processes................................................................................................... 208 Part 3: Terminating and Restarting Processes ........................................................................... 210 Part 4: Running Normal Diagnostics ........................................................................................ 211 Part 5: Running Extended Diagnostics ..................................................................................... 214

Lab 17: Network Troubleshooting Lab Student Objectives ................................................................................................................. 217 Part 1: Setting Up the Lab Switch ...........................................................................................218 Part 2: Configuring the Client Workstation ................................................................................219 Error Identification and Resolution Worksheet ...........................................................................223

Appendix A: Lab Network Diagrams .............................................................................................. 225

vi


PuTTY Console Configuration PuTTY, developed by Simon Tatham, is a client program for the SSH, Telnet, and Rlogin network protocols that are used to run a remote session on a computer, over a network. PuTTY implements the client end of that session: that is, the end at which the session is displayed, rather than the end at which it runs. We are using SSH and host keys for maximum security. Saved sessions, which contain a full set of configuration options host in name to switches and virtualplus PCsaused the and labs.protocol, have been preconfigured to provide quick access Follow the instructions below to configure PuTTY, which enables access to the lab switches and virtual PCs.

Student Objectives In this lab, you will: ●

Clear the Simon Tatham directory from the registry (do this only if it already exists on your PC).

●

Fill the registry with Extreme’s saved sessions by opening PuTTY_master.reg.

●

Run the PuTTY executable.

●

Load preconfigured PuTTY profile settings and select the proper key.

●

Establish an initial connection to your switch and virtual PC.

Part 1: Clear the Registry 1 The instructor provides the two required PuTTY files via jump drive. Move those files directly onto your desktop. They are extreme_puttyA.reg (or extreme_puttyB.reg) and putty.exe. 2 The instructor provides the remote authentication password and assigns student numbers SS_1 through SS_6. Remote authentication password for this class is: _______________________. You are assigned SS - _____. 3 From the Start Menu, choose Run... In the run window type regedit and click OK.


vii

PuTTY Console Configuration

4 To clear any previous version of Saved Sessions/Keys from the registry. When the Registry Editor window opens look for Simon Tatham in the registry. Navigate to: My Computer > HKEY_CURRENT_USER > Software > Simon Tatham 5 To clear any previous version of Saved Sessions/Keys from the registry - look for Simon Tatham in the registry. If you do not have an entry for Simon Tatham in your registry proceed to step 7. 6 Highlight Simon Tatham; right-click and select Delete.

Part 2: Fill the Registry with Extreme’s Saved Sessions 7 Double-click on the extreme-puttyA.reg (or extreme-puttyB.reg) file on your desktop.

viii



8 When you see this message click Yes.

9 When you see this message click OK.

Part 3: Run the PuTTY Executable 10 Double-click on the Putty.exe application on your desktop. Notice that there are many preconfigured Saved Sessions as shown below:


ix


11 Using the number assigned to you by the instructor, SS-1 through SS-6, double-click on SS- {your number} in the Saved Sessions window. 12 When you see the PuTTY Security Alert window open- click Yes.

13 When the switch console window opens, enter [the remote authentication password obtained from your instructor] then press Enter twice. 14 To log on to the switch, enter the following:

Login: admin password: no password -- press Enter again, this brings up SS-X ( Student Switch-1 shown).

x



Part 4: Establish Initial Connection to the Virtual PC The RD-X Saved Session allows you to tunnel through and connect to your Virtual PCs. 15 Double-click on Putty.exe then double-click on RD-X in Saved Sessions.

Enter [the remote authentication password obtained from your instructor ] then press Enter twice.. When the $ appears the Remote Desktop Connection Tunnel is open. Leave this window open.

16 Go to your Start Menu > Programs > Accessories > Remote Desktop Connection . 17 In the Computer: window enter: 127.0.0.1:101X, where X is the number assigned by your instructor (1-6), and select Connect. This example shows Student One's Virtual PC.

18 When Log On to Windows prompt appears, type User Name: student and Password: student


xi


Once connected, you can control your Virtual PC as long as the RD-X tunnel remains open. This completes the initial connection to your switch and a Virtual PC. You will use this pre-configured connection throughout the course. Proceed with the lab when directed by your instructor.

Part 5: Virtual PC Tips Closing the virtual machine connection: ●

If you choose to close the remote desktop connection to 127.0.0.101 X, the best practice is to logoff the virtual PC using Start Menu > Logoff.

Rebooting the virtual machine(ALT-CTRL-END): ●

xii

If for some reason the virtual machine needs to be rebooted, hold down on the ALT-CTRL-END keys and then select the Shutdown tab and choose restart.


1

Initial Switch Configuration Lab

Student Objectives This lab provides you with hands-on experience using the Command Line Interface (CLI) to configure secure user accounts. At the end of this lab, you will be able to: ● Login to the switch ●

Assign a name to the switch

●

Create a new user account

●

Save changes to the active switch configuration

●

Change, test, verify, and reset user access settings

●

Change and verify SNMP access privileges

●

Change and verify Telnet settings

Figure 1: Initial Switch Configuration Lab

Refer to the values in Table 1 to configure switch parameters for this lab.


1


Table 1: Lab Groups and Switch Names La b G r o up N u m b e r 1 2 3 4 5 6

Fu n c t io n a l N a m e

Sales Management Executive Staff

S w it c h N a m e

SAM_1 EXC_2

Accounting

ACT_3

Manufacturing Floor Engineering

MFG_4 ENG_5

Human Resources

HUR_6

Part 1: Logging In, Initializing, and Configuring the Switch Name In this exercise you will enter configuration parameters for your switch. 1 Maximize the switch console window or launch your switch’s saved session profile and login with the credentials admin and no password, press the Enter key.

2 At the command prompt enter: unconfigure switch all

3 Enter

2

y

when asked this question:

Restore all factory defaults and reboot? (y/N)



4 A switch that is in the process of booting, displays the following: Loading EXOS Image ...| Running Image ... Starting ExtremeXOS 12.1.0b61 Copyright (C) 1996-2008 Extreme Networks. All rights reserved. Protected by US Patent Nos: 6,678,248; 6,104,700; 6,766,482; 6,618,388; 6,034,957; 6,859,438; 6,912,592; 6,954,436; 6,977,891; 6,980,550; 6,981,174; 7,003,705; 7,017,082; 7,046,665; 7,126,923; 7,142,509; 7,149,217; 7,152,124; 7,154,861; 7,245,619; 7,245,629; 7,269,135. (pending-AAA) login:

The (pending-AAA) login: prompt is a restricted login made available while the switch is still in the process of loading remaining software components. Logging in at this point will not provide access to switch management and configuration, and attempting to use standard login accounts will result in failure. Wait until you see the following prompt before proceeding: Authentication Serv ice (AAA) on the maste r node is now availa ble for login.

5 Press the 6 Enter

Enter key

until the system displays the login prompt .

admin.

The password prompt displays. 7 The switch will not have an admin password configured. Press the

Enter key.

The following displays: This switch currently has all management methods enabled for security reasons. Please answer these questions about the security settings you would like to use. Telnet is enabled by default. Telnet is unencrypted and has been the trget of security exploits in the past. Would you like to disab le Telnet? [y/N]

8 Enter

n

and press the

Enter

key.

The following displays: SNMP access is enabled by default. SNMP uses no encryption, SNMPv3 can be configured to eliminate this problem. Would you like to disable SNMP? [y/N]:

9 Enter

y

and press the

Enter

key.

10 The following displays: All ports are enabled by d efault. In some secure ap plications, it maybe more desirable for the port s to be turned off. Would you like unconfigured ports to be turned off b y default? [y/N]:

11 Enter

y

and press the

Enter

key.


3


12 When asked to change the default failsafe account username and password, enter no and press the Enter key. 13 When asked if you would like to permit failsafe account access via the management port enter no.

A message outlining actions that would increase the security of your network follows, then the command line prompt appears again. 14 Display the default switch management configuration, by entering the following command: show management

The following displays: CLI idle timeout

: Enabled (20 minutes)

CLI max number of login attempts : 3 CLI max number of sessions : 8 CLI paging : Enabled (this session only) CLI space-completion : Disabled (this session only) CLI configuration logging : Disabled CLI scripting : Disabled (this session only) CLI scripting error mode : Ignore-Error (this session only) CLI persistent mode : Persistent (this session only) Telnet access : Enabled (tcp port 23 vr all) : Access Profile : not set SSH access : Disabled (Key invalid, tcp port 22 vr all) : Access Profile : not set Total Read Only Communities : 1 Total Read Write Communities : 1 RMON : Disabled SNMP access : Disabled : Access Profile Name : not set SNMP Traps : Enabled SNMP v1/v2c TrapReceivers : None SNMP stats: 0 SNMP traps:

InPkts 0 Gets Sent

0 0

OutPkts

0

Errors 0

GetNexts 0 Sets AuthTraps Enabled

AuthErrors

0

15 Configure the SNMP system name of the switch, by entering the following command: configure snmp sysname

Where
name>

is the switch name identified for your lab group in Table 1.

16 The command line prompt with the new system name displays. * X450a-24t.2 # configure snmp sysname * .3 #

17 Verify that all the data ports are disabled, by entering the following command: show ports configuration

4



The system displays the configurable physical attributes for each port on the switch as shown below: Port Configuration Monitor Wed Feb 20 20:43:20 2008 Port Virtual Port Link Auto Speed Duplex Flow Load Media router State State Neg Cfg Actual Cfg Actual Cntrl Master Pri Red =============================================================================== 1 VR-Default D R ON AUTO AUTO UTP 2 VR-Default D R ON AUTO AUTO UTP 3 VR-Default D R ON AUTO AUTO UTP 4 VR-Default D R ON AUTO AUTO UTP 5 VR-Default D R ON AUTO AUTO UTP 6 VR-Default D R ON AUTO AUTO UTP 7 VR-Default D R ON AUTO AUTO UTP 8 VR-Default D R ON AUTO AUTO UTP 9 VR-Default D R ON AUTO AUTO UTP 10 VR-Default D R ON AUTO AUTO UTP 11 VR-Default D R ON AUTO AUTO UTP 12 VR-Default D R ON AUTO AUTO UTP 13 VR-Default D R ON AUTO AUTO UTP 14 VR-Default D R ON AUTO AUTO UTP 15 VR-Default D R ON AUTO AUTO UTP 16 VR-Default D R ON AUTO AUTO UTP =============================================================================== Link Status : A-Active, R-Ready, NP-Port Not Present, L-Loopback Port State: D-Disabled, E-Enabled, Media: !-Unsupported Optic Module 0->Clear Counters U->page up D->page down ESC->exit

18 Press the Esc key. Display the login session, by entering the following command: show session

The switch reports all active sessions, including the user name, they type of access, and the level of authorization as shown below: CLI # Login Time User Type Auth Auth Location ================================================================================ *1 Wed Feb 20 20:36:31 2008 admin console local dis serial

19 Enable SNMP access to the switch, by entering the following command: enable snmp access

20 Display the switch management configuration, by entering the following command: show management


5


The following displays: CLI idle timeout : Enabled (20 minutes) CLI max number of login attempts : 3 CLI max number of sessions : 8 CLI paging : Enabled (this session only) CLI space-completion : Disabled (this session only) CLI configuration logging : Disabled CLI scripting : Disabled (this session only) CLI scripting error mode : Ignore-Error (this session only) CLI persistent mode : Persistent (this session only) Telnet access : Enabled (tcp port 23 vr all) : Access Profile : not set SSH access : Disabled (Key invalid, tcp port 22 vr all) : Access Profile : not set Total Read Only Communities : 1 Total Read Write Communities RMON SNMP access SNMP Traps SNMP v1/v2c TrapReceivers SNMP stats: SNMP traps:

InPkts 0 Gets 0 Sent 0

1 : :Disabled : Enabled : Access Profile Name : not set : Enabled : None OutPkts 0 Errors 0 GetNexts 0 Sets 0 AuthTraps Enabled

AuthErrors 0

21 Notice the new configuration setting for SNMP access, it is now enabled.

Part 2: Adding Users and Saving the Configuration In this exercise you will create additional users and save your configuration as the primary. 1 Create a new administrator level user account, by entering the following command: create account admin ADMIN_X

Where X is your lab group number assigned in Table 1. The system displays the following prompt: Password:

2 Leave the password blank by pressing the

Enter key

again.

The following prompt displays: Reenter Password:

3 Press the

Enter key

again.

4 Verify the new user account information by entering the following command: show accounts

6



The user account information displays: User Name

Access LoginOK

Failed

-------------------------------admin

R/W

user

RO

ADMIN_X

R/W

------ ------1 0

------

0 0

0

0

5 Save the configuration to nonvolatile storage, by entering the following command: save primary

6 The following displays: No default configuration database has been selected to boot up the system. Save configuration will set the new configuration as the default database. The configuration file primary.cfg already exists. Do you want to save configuration to primary.cfg and overwrite it? (y/n)

7 Enter y.

The following displays: Saving configuration ........ done! Configuration saved to primary.cfg successfully.

8 Log out of the switch, by entering the following command: logout

The login prompt displays. 9 Login as the new user, ADMIN_X, created in Part 2, Step 1 above.

Remember that both login names and passwords are case-sensitive. 10 Display the login session, by entering the following command: show session

The following displays: CLI #

Login Time

User

Type

Auth

Auth Location

================================================================================ *2

Mon Aug 25 10:26:47 2008 ADMIN_X


console local

dis

serial

7


Part 3: Limiting CLI Sessions, Failed Logins, and Telnet Access In this exercise you will set controls for login sessions. This includes setting the maximum number of CLI sessions per user, the number of times a user can log in incorrectly, and Telnet access parameters. 1 Display the switch management configuration, by entering the following command: show management CLI idle timeout : Enabled (20 minutes) CLI max number of login attempts : 3 CLI paging max number of sessions CLI CLI space-completion CLI configuration logging CLI scripting CLI scripting error mode CLI persistent mode Telnet access

8 : :Enabled (this session only) : Disabled (this session only) : Disabled : Disabled (this session only) : Ignore-Error (this session only) : Persistent (this session only) : Enabled (tcp port 23 vr all) : Access Profile : not set : Disabled (Key invalid, tcp port 22 vr all) : Access Profile : not set : 1 : 1 : Disabled : Enabled : Access Profile Name : not set : Enabled : None

SSH access Total Read Only Communities Total Read Write Communities RMON SNMP access SNMP Traps SNMP v1/v2c TrapReceivers SNMP stats: SNMP traps:


OutPkts 0 Errors 0 GetNexts 0 Sets 0 AuthTraps Enabled

2

Notice the configuration settings for sessions , and Telnet acces s.

AuthErrors 0

CLI max number of login attempts CLI max number of ,

3 Limit the number of CLI sessions to 2, by entering the following command: configure cli max-sessions 2

4 Limit the number of login attempts to two, by entering the following command: configure cli max-failed-logins 2

5 Limit Telnet connections to the virtual router VR-MGMT, by entering the following command: configure telnet vr vr-mgmt

6 Enable the lockout on login failure feature, by entering the following command: configure account ADMIN_X password-policy lockout-on-login-failures on

Where

8

ADMIN_X is

the name of the account created in Part 2, Step 1.



7 Display the switch management configuration, by entering the following command: show management CLI idle timeout : Enabled (20 minutes) CLI max number of login attempts : 2 CLI max number of sessions : 2 CLI paging : Enabled (this session only) CLI space-completion : Disabled (this session only) CLI configuration logging : Disabled CLI scripting : Disabled (this session only) CLI scripting error mode : Ignore-Error (this session only) CLI persistent mode : Persistent (this session only) Telnet access : Enabled (tcp port 23 vr VR-Mgmt) : Access Profile : not set SSH access : Disabled (Key invalid, tcp port 22 vr all) : Access Profile : not set Total Read Only Communities : 1 Total Read Write Communities : 1 RMON : Disabled SNMP access : Enabled : Access Profile Name : not set SNMP Traps : Enabled SNMP v1/v2c TrapReceivers : None SNMP stats: SNMP traps:


OutPkts 0 Errors 0 GetNexts 0 Sets 0 AuthTraps Enabled

AuthErrors 0

8 Notice the configuration changes between this display and the previous for CLI max number of login attempts, CLI max number of sessions, and Telnet access. 9 Save the configuration to nonvolatile storage, by entering the following command: save primary

The following displays: The configuration file primary.cfg already exists. Do you want to save configuration to primary.cfg and overwrite it? (y/n)

10 Enter y.



The system displays the login prompt. 12 Attempt to log in as the new user created in Part 2, Step 1 above, but use an invalid password (the current password is null).

Remember that both login names and passwords are case-sensitive. 13 Repeat the login attempt with an invalid password.

After the second failed login attempt, the following message displays: Login incorrect Maximum number of login attempts reached! Account locked out! Please contact the administrator to remove the lock.


9


14 Log back in using the srcinal admin credentials:

user name: admin password: 15 Display the user account information for the switch by entering the following command: show accounts

The system displays the user account information as shown below: User Name

Access LoginOK

-------------------------------admin

R/W

user

RO

ADMIN_X*

2

------

0

0

R/W

Failed

------ ------0 1

2

(*) - Account locked

16 Clear the lock on the flagged account by entering the following command: clear account ADMIN_X lockout

17 Restore the number of CLI sessions to 8, by entering the following command: configure cli max-sessions 8

18 Restore Telnet connections to the all virtual routers, by entering the following command: configure telnet vr all

19 Display the switch management configuration, by entering the following command: show management

The following displays: CLI idle timeout : Enabled (20 minutes) CLI max number of login attempts : 2 CLI paging max number of sessions CLI CLI space-completion CLI configuration logging CLI scripting CLI scripting error mode CLI persistent mode Telnet access SSH access Total Read Only Communities Total Read Write Communities RMON SNMP access SNMP Traps SNMP v1/v2c TrapReceivers SNMP stats: SNMP traps:


8 :: Enabled (this session only) : Disabled (this session only) : Disabled : Disabled (this session only) : Ignore-Error (this session only) : Persistent (this session only) : Enabled (tcp port 23 vr all) : Access Profile : not set : Disabled (Key invalid, tcp port 22 vr all) : Access Profile : not set : 1 : 1 : Disabled : Enabled : Access Profile Name : not set : Enabled : None OutPkts 0 Errors 0 GetNexts 0 Sets 0 AuthTraps Enabled

AuthErrors 0

20 Notice the entries for CLI max number of sessions and Telnet access. 21 Save the configuration to nonvolatile storage, by entering the following command: save primary

10



The following displays:

No default configuration database has been selected to boot up the system. Save configuration will set the new configuration as the default database. The configuration file primary.cfg already exists. Do you want to save configuration to primary.cfg and overwrite it? (y/N)

22 Enter y.




11


12


2

Switch Management Lab

Student Objectives This lab provides you with a hands-on experience configuring the switch for basic IP management and to transfer configuration files. At the end of this lab, you will be able to: ● Identify ExtremeXOS software, switch boot images, and configuration files. ●

Save the switch configuration.

●

Assign an IP address to a VLAN.

●

Backup the switch configuration.

●

Upload the current configuration as a command script.

●

Edit and load command scripts.

●

Download a software image.

Figure 1: Switch Management Lab


13


Refer to the values in Table 1 to configure switch parameters for this lab.

Table 1: Lab Groups an d VLAN IP Ad dresses La b G r o u p

Fu n c t i o n a l N a m e

S w it c h N a m e

VLA N N a m e

V LA N I P A d d r ess

1

SalesManagement

SAM_1

Mgmt

192.168.0.11/24

2

ExecutiveStaff

EXC_2

Mgmt

192.168.0.12/24

3

Accounting

4

ManufacturingFloor

5

Engineering

6

HumanResources

ACT_3 MFG_4 ENG_5 HUR_6

Mgmt Mgmt Mgmt Mgmt

192.168.0.13/24 192.168.0.14/24 192.168.0.15/24 192.168.0.16/24

Part 1: Verifying the Switch Status and Configuration 1 Log into the switch and load the baseline configuration for this lab by entering the following command: use configuration Lab_ECF02-X

Where X is your lab group number found in Table 1. 2 Reboot the switch by entering the following command: reboot

If there were any unsaved changes on the switch, indicated with an asterisk (*) preceding the command line label, the system will display the following: Do you want to save configuration changes to currently selected configuration file (XXXXXX.cfg) and reboot? (y - save and reboot, n - reboot without save, - cancel command)

3 Enter n to reboot without save.

If there were no unsaved changes on the switch, the system will display the following:

Are you sure you want to reboot the switch? (y/N)

4 Enter y to reboot the switch if this message appears.

When the boot process is complete, the switch displays the following: Authentication Service (AAA) on the master node is now available for login.

5 Press the Enter key to bring up the login prompt. Enter admin and press the Enter key. The switch will then display the following prompt for the password: login: admin password:

6 Press the Enter key again (by default, there is no password). You are now ready to begin configuring the switch.

14



7 Display the switch status by entering the

following

command:

show switch

The following is a generic example of the system display: SysName: SysLocation: SysContact: System MAC:

SysHealth check: Recovery Mode: System Watchdog:

Enabled (Normal) All Enabled

Current Time: Timezone: Boot Time: Boot Count: Next Reboot:

Wed Feb 20 00:37:24 2008 [Auto DST Disabled] GMT Offset: 0 minutes, name is UTC. Fri Feb 15 00:00:00 2008 1 None scheduled

Current State: Image Selected: Image Booted: Primary ver: Secondary ver:

OPERATIONAL primary primary 12.1.0.0 12.1.0.0

Config Selected: Config Booted:

primary.cfg Factory Default

primary.cfg

support@extremenet works.com, +1 888 257 3000 NN:NN:NN:NN:NN:NN

Created by Extreme XOS version 12.1.0. 0 99316 bytes saved on Tue Feb 19 16:34:27 2008

8 For your switch, notice the entries for the following parameters: system name, MAC address, system boot time, software image selected, software image booted, switch configuration selected, switch configuration booted, and the date the primary configuration was last saved .

Part 2: Configuring IP Access This exercise shows you how to assign an IP address to the management VLAN and save the configuration. 1 Display the status of the dedicated management VLAN by entering the following command: show vlan mgmt


15


The following displays: VLAN Interface with name Mgmt created by user Admin State:

Enabled

Tagging:

802.1Q Tag 4095

Virtual router: VR-Mgmt IPv6:

None

STPD:

None Protocol:

Match all unfiltered protocols

Loopback:

Disabled

NetLogin:

Disabled

QosProfile:

None configured

Flood Rate Limit QosProfile: Ports:

1.

None configured

(Number of active ports=1)

Untag: Mgmt-port on Mgmt is down

2 Assign an IP address to VLAN Mgmt by entering the following command: configure vlan mgmt ipaddress 192.168.0.1X/24

Where X is the value assigned to each lab group in Table 1. Correctly configuring the interface results in the following message being displayed: IP interface for VLAN Mgmt has been created.

3 Verify the IP address and mask of VLAN Mgmt by entering the following command: show vlan mgmt

Now the default VLAN configuration displays with the Primary IP address and mask: VLAN Interface with name Mgmt created by user Admin State:

Enabled

Tagging:

802.1Q Tag 4095

Virtual router: VR-Mgmt Primary IP IPv6:

: 192.168.0.1X/24

None

STPD:

None Protocol:


Loopback:

Disabled

NetLogin:

Disabled

QosProfile:

None configured

Flood Rate Limit QosProfile: Ports:

1.

None configured


Untag: Mgmt-port on Mgmt is active

4 Use PING to test for IP connectivity between the lab switch and the TFTP server. At the command prompt, enter the following: ping vr vr-mgmt 192.168.0.101

5 Notice that, because the mgmt VLAN is not a member of the default virtual router, the virtual router vr-mgmt must be specified in the command. 6 Display the history of commands for the current session by entering the following command: history

The command history displays. 7 Use the command recall function by pressing the up arrow key to display the show switch command again and press the Enter key. The switch management configuration displays.

16



8 Save the base lab configuration to nonvolatile storage, by entering the following command: save configuration switch_X

Where X is your lab group number found in Table 1. If the system informs you that this config already exists and asks if you wish to save it - enter yes.

The configuration file switch_X.cfg already exists. Do you want to save configuration to switch_X.cfg and overwrite it? (y/N) Yes Saving configuration on master ......... done! Configuration saved to switch_X.cfg successfully.

9 Enter

n

at the following prompt because we do not want to make this the default configuration:

The current selected default configuration database to boot up the system (Lab_ECF02-X.cfg) is different than the one just saved (switch_X.cfg). Do you want to make switch_4.cfg the default database? (y/N) No

The following displays: Default configuration database selection cancelled.

Part 3: Backing Up Configuration Files and Downloading Images In this exercise you will use the copy command to back up files and download configuration files from a TFTP server. 1 Copy the primary configuration file used in the Initial Switch Configuration Lab by entering the following command: cp primary.cfg switch_X.cfg

Where X is the value assigned to your group in Table 1. 2 Enter

y

at the following prompt:

Copy config primary.cfg to config switch_X.cfg on switch? (y/N) Yes

3 Verify the file has been created by entering the following command: ls


17


The following is a sample file list display: -rw-rw-rw-

1 root

0

136986 Jun 13 08:09 Lab_IGP06-4.cfg

-rw-rw-rw-

1 root

0

117497 Aug 20 09:26 Lab_NTLGN-4.cfg

-rw-r--r--

1 root

0

-rw-r--r--

1 root

0

-rw-rw-rw-

1 root

0

-rw-r--r--

1 root

0

67 Jul 11 02:44 pim-crp.pol

-rw-rw-rw-

1 root

0

114231 Aug 25 09:58 primary.cfg

-rw-rw-rw-

1 root

0

114231 Aug 28 11:12 switch_X.cfg

1400 Jul 28 14:20 MFG_4a.xsf 2341 Jul 28 14:22 MFG_4b.xsf 114209 Aug

8 08:37 TFTPMAN-4.cfg

4 Rename the test file, by entering the following command: mv switch_X.cfg newname.cfg

5 Enter y at the following prompt: Rename config switch_X.cfg to config newname.cfg on switch? (y/N) Yes

6 Verify the file has been created by entering the following command: ls

The list of files displays: -rw-rw-rw-

1 root

0

136986 Jun 13 08:09 Lab_IGP06-4.cfg

-rw-rw-rw-

1 root

0


-rw-r--r--

1 root

0

-rw-r--r--

1 root

0

-rw-rw-rw-

1 root

0

114209 Aug

-rw-rw-rw-

1 root

0

114231 Aug 28 11:12 newname.cfg

-rw-r--r--

1 root

0

67 Jul 11 02:44 pim-crp.pol

-rw-rw-rw-

1 root

0


1400 Jul 28 14:20 MFG_4a.xsf 2341 Jul 28 14:22 MFG_4b.xsf 8 08:37 TFTPMAN-4.cfg

7 Remove the file by entering the following command: rm newname.cfg

Enter

y


Remove newname.cfg from switch? (y/n)

8 Verify the file has been removed, by entering the following command: ls

The list of files displays:

18

-rw-rw-rw-

1 root

0

136986 Jun 13 08:09 Lab_IGP06-4.cfg

-rw-rw-rw-

1 root

0


-rw-r--r--

1 root

0

-rw-r--r--

1 root

0

-rw-rw-rw-rw-r--r--

1 root 1 root

0 0

114209 Aug 8 08:37 TFTPMAN-4.cfg 67 Jul 11 02:44 pim-crp.pol

-rw-rw-rw-

1 root

0


1400 Jul 28 14:20 MFG_4a.xsf 2341 Jul 28 14:22 MFG_4b.xsf



9 Backup the current configuration to a TFTP server by entering the following command: tftp 192.168.0.101 -v vr-mgmt -p -l primary.cfg -r upload_X.cfg

The file transfer progress displays: Uploading upload_X.cfg to 192.168.0.101 ......done!

NOTE Wait here until the instructor verifies that the configuration file has been successfully copied to the TFTP upload directory.

10 Upon the instructor’s direction, download the first image file by entering the following command: download image 192.168.0.101 summitX450-11.6.4.11.xos vr vr-mgmt secondary

Enter

n


Do you want to install image after downloading? (y - yes, n - no, - cancel)

The following displays: Downloading to Switch.....................................................

11 Verify that the secondary software image version is on the switch by entering the following command: show switch

12 Install the downloaded image to the secondary image location by entering the following command: install image summitX450-11.6.4.11.xos secondary

The following displays: Installing to Switch............................................................... ................................................................................... ...................................................................................

13 Verify the secondary software image version on the switch by entering the following command: show switch


19


The following displays: SysName:

SAM_1

SysLocation: SysContact:

[email protected], +1 888 257 3000

System MAC:

00:04:96:27:B7:57

System Type:

X450a-24t

SysHealth check:

Enabled (Normal)

Recovery Mode:

All

System Watchdog:

Enabled

Current Time:

Thu Aug 28 14:44:04 2008

Timezone:

[Auto DST Disabled] GMT Offset: 0 minutes, name is UTC.

Boot Time:

Thu Aug 28 09:04:44 2008

Boot Count:

233

Next Reboot:

None scheduled

System UpTime:

5 hours 39 minutes 20 seconds

Current State:

OPERATIONAL

Image Selected:

secondary

Image Booted:

primary

Primary ver:

12.1.1.4

Secondary ver:

11.6.4.11

14 Restore the current image by entering the following command to download the second image file: download image 192.168.0.101 summitX-12.1.1.4.xos vr vr-mgmt secondary

Enter

n


Do you want to install image after downloading? (y - yes, n - no, - cancel)

The following displays: Downloading to Switch...............................................

15 Verify that the secondary software image version is on the switch by entering the following command: show switch

16 Install the downloaded image to the secondary image location by entering the following command: install image summitX-12.1.1.4.xos secondary

The following displays: Installing to Switch............................................................... ................................................................................... ...................................................................................

17 Verify the secondary software image version on the switch by entering the following command: show switch

20



The following displays: SysName:

SAM_1



System MAC:

00:04:96:27:B7:57

System Type:

X450a-24t

SysHealth check:

Enabled (Normal)

Recovery Mode:

All

System Watchdog:

Enabled

Current Time:

Thu Aug 28 14:44:04 2008

Timezone:


Boot Time:

Thu Aug 28 09:04:44 2008

Boot Count:

233

Next Reboot:

None scheduled

System UpTime:


Current State:

OPERATIONAL

Image Selected:

secondary

Image Booted:

primary

Primary ver:

12.1.1.4

Secondary ver:

12.1.1.4

Part 4: Editing ASCII-formatted Configuration Files on a PC In this exercise you will learn how to edit your configuration files and change your system contact information. 1 Upload the current configuration in ASCII format to a TFTP server on your network by entering the following command: upload configuration 192.168.0.101 DL-switch_X.xsf vr vr-mgmt

Where X is the value assigned to your group in Table 1. The following displays: Uploading DL-switch_X.xsf to 192.168.0.101 ... done!

NOTE The instructor will demonstrate how to use a text editor to edit the configuration and change the system contact (SysContact) information in an uploaded file.

2 Download a pre-modified configuration file by entering the following command: tftp get 192.168.0.101 vr vr-mgmt ECF02_test_download.xsf ECF02.xsf


21



Downloading ECF02.xsf to switch... done!

3 Show the list of files on the switch and verify that ECF02.xsf is there: ls

4 Verify the current system contact by entering the following command: show switch

The following display is an example from Lab Group 1’s switch: SysName:

SAM_1



System MAC:

00:04:96:27:B7:57

System Type:

X450a-24t

SysHealth check:

Enabled (Normal)

Recovery Mode:

All

System Watchdog:

Enabled

Current Time:

Thu Aug 28 14:44:04 2008

Timezone:


Boot Time:

Thu Aug 28 09:04:44 2008

Boot Count:

233

Next Reboot:

None scheduled

System UpTime:


Current State:

OPERATIONAL

Image Selected: Image Booted:

primary primary

Primary ver:

12.1.1.4

5 Load the ASCII-formatted configuration file on the switch, by entering the following command which is case-sensitive: load script ECF02.xsf

Commands in the script display. Ignore any error messages. 6 Verify the new system contact by entering the following command: show switch

22




SAM_1


Extreme Networks tames chaos at the edge!

System MAC:

00:04:96:27:B6:61

System Type:

X450a-24t

SysHealth check:

Enabled (Normal)

Recovery Mode:

All

System Watchdog:

Enabled

Current Time:

Thu Aug 28 14:21:31 2008

Timezone:


Boot Time:

Thu Aug 28 09:04:28 2008

Boot Count:

547

Next Reboot:

None scheduled

System UpTime:


Current State:

OPERATIONAL

Image Selected:

primary

Image Booted:

primary

7 Delete the script file by entering the following command: rm ECF02.xsf

Enter y at the following prompt: Remove ECF02.xsf from switch? (y/N)

Part 5: Editing ASCII-formatted Configuration Files on the Switch 1 Create a new command script by entering the following command: edit script newscript.xsf

2 This will launch the on-switch vi editor. Type i to begin inserting text. Immediately after, enter the following and use quotes around the functional name: configure snmp syslocation “”

Where is one of the six found posted at the beginning of this lab in Table 1 (“Sales Management”, “Executive Staff”, “Manufacturing Floor”, “Accounting”, “Engineering”, “Human Resources”). Press the Esc key to enter vi command mode; then exit and save the file by entering the vi command :wq 3 Display all the files on the switch to verify the new file was created by entering the following command: ls


23



-rw-r--r--

1 root

0

-rw-r--r--

1 root

0

47 Aug 28 14:18 newscript.xsf 67 Jul 11 02:44 pim-crp.pol

-rw-rw-rw-

1 root

0


4 Verify the current system location by entering the following command: show switch


SAM_1



System MAC:

00:04:96:27:B6:61

System Type:

X450a-24t

SysHealth check:

Enabled (Normal)

Recovery Mode:

All

System Watchdog:

Enabled

Current Time:

Thu Aug 28 14:21:31 2008

Timezone:


Boot Time:

Thu Aug 28 09:04:28 2008

Boot Count:

547

Next Reboot:

None scheduled

System UpTime:


Current State:

OPERATIONAL

Image Selected:

primary

Image Booted:

primary

5 Load the newscript.xsf script by entering the following command: load script newscript.xsf

6 Verify the new system location by entering the following command: show switch

24




SAM_1

SysLocation:

Sales Management

SysContact:


System MAC:

00:04:96:27:B6:61

System Type:

X450a-24t

SysHealth check:

Enabled (Normal)

Recovery Mode:

All

System Watchdog:

Enabled

Current Time:

Thu Aug 28 14:27:28 2008

Timezone:


Boot Time:

Thu Aug 28 09:04:28 2008

Boot Count:

547

Next Reboot:

None scheduled

System UpTime:

5 hours 23 minutes

Current State:

OPERATIONAL

Image Selected:

primary

Image Booted:

primary

Primary ver:

12.1.1.4

7 Delete the script file by entering the following command: rm newscript.xsf

Enter

y


Remove newscript.xsf from switch? (y/N)

8 Save the configuration to nonvolatile memory by entering the following command: save primary

Enter

y


Do you want to save configuration to primary.cfg and overwrite it? (y/N) Yes Saving configuration on master ....... done! Configuration saved to primary.cfg successfully.

Enter

y


The current selected default configuration database to boot up the system (Lab_ECF02-X.cfg) is different than the one just saved (primary.cfg). Do you want to make primary.cfg the default database? (y/N) Yes The selected configuration will take effect after the next switch reboot.


25


Part 6: Accessing the Bootstrap and BootRom Menus In this exercise you will reboot the switch and access the bootstrap and bootrom menus to load an alternate image. 1 Reboot the switch by entering the following command: reboot

2 Enter

y


Are you sure you want to reboot the switch? (y/n)

The following displays: Sending SIGTERM to all processes. Sending SIGKILL to all processes. Please stand by while rebooting the system.

3 While the switch is rebooting, hold down the SPACE key. The switch resets and displays the following bootstrap prompt: BootStrap>

4 Enter h to display the help menu: boot enable h help ? loader reboot rz

boot a loader enable features on-line help on-line help on-line help Sets which BootLoader BootStrap will boot Reboot system (hard reset) zmodem download

5 Boot the switch by entering the following command: boot


Starting Default Bootloader ...

6 While the switch is rebooting, hold down the SPACE key. The switch resets and displays the following bootRom prompt: BootRom>

26



7 Enter h to display the help menu: boot loader reboot rz show config enable h help ? hi dir cd pwd ping configip showip download

boot an image Sets which BootLoader BootStrap will boot Reboot system (hard reset) zmodem download display information select configuration enable features on-line help on-line help on-line help display command history list contents of CF directory change working CF directory print working CF directory ping remote host configure the bootloader ip address show the configuration of the bootloader ip address download an image

8 Boot the switch by entering the following command: boot

The switch completes a normal boot cycle.


27


28


3

Layer 1 Configuration Lab

Student Objectives This lab provides you with hands-on experience to configure physical port parameters, create a dynamic Link Aggregation group that uses the address-based aggregation algorithm, and enable LLDP. At the end of this lab, you will be able to: ● Configure and test auto-negotiation and port duplexing ●

Create a dynamic Link Aggregation group that uses the address-based algorithm

●

Verify the Link Aggregation operation

●

Enable LLDP

●

Verify LLDP operation

Figure 1: Layer 1 Configuration Lab


29


Refer to the values listed in Table 1 to configure switch parameters for this lab.

Table 1: Lab Groups an d VLAN IP Ad dresses La b G r o u p

S w it c h N a m e

1

SAM_1

V LAN Na m e Default

10.0.1.11/24

V L A N I P A d d r e ss

L a b G r o u p P C I P A d d r es s 10.0.1.21/24

2

EXC_2

Default

10.0.1.12/24

10.0.1.22/24

3

ACT_3

Default

10.0.1.13/24

10.0.1.23/24

4

MFG_4

Default

10.0.1.14/24

10.0.1.24/24

5

ENG_5

Default

10.0.1.15/24

10.0.1.25/24

6

HUR_6

Default

10.0.1.16/24

10.0.1.26/24

Part 1: Setting Up for Auto-Negotiation, Half-Duplex, and Full-Duplex 1 Log into the switch and load the baseline configuration for this lab by entering the following command: use configuration Lab_ECF03-X








30





Part 2: Auto-Negotiation, Half-Duplex, and Full-Duplex 1 Assign your IP address to the Default VLAN by entering the following command: configure vlan default ipaddress 10.0.1.1X/24

Where X is the address and subnet mask assigned to VLAN Default for your lab group as shown in Table 1. 2 Enable port 13 by entering the following command: enable ports 13

3 Use the PING command to verify that the switch can communicate with Core Switch A by entering the following: ping 10.0.1.1

The following displays: Ping(ICMP) 10.0.1.1: 4 packets, 8 data bytes, interval 1 second(s). 16 bytes from 10.0.1.1: icmp_seq=0 ttl=255 time=10 ms 16 bytes from 10.0.1.1: icmp_seq=1 ttl=255 time=7.051 ms 16 bytes from 10.0.1.1: icmp_seq=2 ttl=255 time=1.933 ms 16 bytes from 10.0.1.1: icmp_seq=3 ttl=255 time=2.007 ms

4 Turn off auto negotiation, set the speed to 10 Mbps, and set the duplex to half by entering the following command: configure port 13 auto off speed 10 duplex half

5 Use the PING command again to test if the switch can still communicate with the upstream switch: ping 10.0.1.1

The following displays: Ping(ICMP) 10.0.1.1: 4 packets, 8 data bytes, interval 1 second(s). 44 bytes from 10.0.1.11: icmp_seq=3 Destination Host Unreachable --- 10.0.1.1 ping statistics --4 packets transmitted, 0 received, 100% loss round-trip min/avg/max = 0/0/0 ms

6 Turn auto negotiation back on, by entering the following command: configure port 13 auto on


31


7 Use the PING command again to see if connectivity to Core Switch A has been restored: ping 10.0.1.1

The following displays: Ping(ICMP) 10.0.1.1: 4 packets, 8 data bytes, interval 1 second(s). 16 bytes from 10.0.1.1: icmp_seq=0 ttl=255 time=7.494 ms 16 bytes from 10.0.1.1: icmp_seq=1 ttl=255 time=1.811 ms 16 bytes from 10.0.1.1: icmp_seq=2 ttl=255 time=6.866 ms 16 bytes from 10.0.1.1: icmp_seq=3 ttl=255 time=6.970 ms --- 10.0.1.1 ping statistics --4 packets transmitted, 4 received, 0% loss round-trip min/avg/max = 1/5/7 ms

32



Part 3: Configuring the Client Workstation and Testing the Default Gateway The following instructions will guide you in setting up the client workstation. If your RD-X connection to PC 127.0.0.1:101X is still open but minimized, skip to step 6. 1 From your laptop, launch the PuTTY utility:

2 Launch the remote desktop tunnel by double-clicking on the RD_X saved session.

3 The utility opens a secure session window displaying the student login ID and the public key. The tunnel is complete when the $ prompt appears:


33


4 From your computer's Start menu, open the Accessories folder and launch the Remote Desktop Connection utility:

5 Enter the combined IP address and unique port number identifying the target lab PC in the format 127.0.0.1:101X, where X is the lab group number assigned in Table 1:

6 Enter the login and password credentials. For all lab stations, the User Name is student and the Password is student:

34



7 From the Lab PC desktop, open the Lab Networking Addressing folder. Double-click on the Config_ECF03-X batch file, where X is your lab group number assigned in Table 1

This batch file will automatically configure the PC IP address. The following screen will appear while the file executes, and then close automatically when it terminates:

8 To confirm the workstation IP address, from the Start menu, click on the Run option. In the Run dialog box enter cmd to open a Command window:


35


9 In the command window, display the IP interface information on the PC by entering the following command: ipconfig

The system displays the following:

Notice that the Lab Network interface has been assigned your lab group PC's IP address and mask found in Table 1. This completes the setup of the Lab Group PC.

36



Part 4: Configuring Dynamic Address-based Load Sharing In this exercise you will create a dynamic link aggregation group and verify that dynamic load sharing is configured and operating correctly. 1 Wait until the instructor has loaded the config file for this part of the lab before proceeding. 2 On instructor’s direction enable switch port 24, the port connected to the lab PC, by entering the following command: enable ports 24

3 Open a DOS window on the Lab Group PC and use the PING command to verify that the PC can communicate with the lab switch by entering the following: ping 10.0.1.1X

Where X is your lab group number found in Table 1. The following displays: Pinging 10.0.1.1X with 32 bytes of data: Reply from 10.0.1.1X: bytes=32 time=2ms TTL=255 Reply from 10.0.1.1X: bytes=32 time<1ms TTL=255 Reply from 10.0.1.1X: bytes=32 time<1ms TTL=255 Reply from 10.0.1.1X: bytes=32 time<1ms TTL=255

4 To create a port share group with only port 13 as a member, enter the following command: enable sharing 13 grouping 13 algorithm address-based L3_L4 lacp

The options after the algorithm parameter above specify that the link aggregation control protocol is used to manage the port group. The following displays: Warning: Any config on the master port is lost (STP, IGMP Filter, IGMP Static Group, MAC-Security, etc. etc.)

5 Configure the LACP priority by entering the following command: configure sharing 13 lacp system-priority X

Where X is your lab group number found in Table 1. 6 Enable port 15 by entering the following command: enable ports 15

7 Add port 15 to the link aggregation group by entering the following command: configure sharing 13 add ports 15


37


8 Verify that the load share group is up and enabled by entering the following command: show lacp

The following displays, notice that LACP is Up and Enabled (MAC addresses will vary): LACP Up

: Yes

LACP Enabled

: Yes

System MAC

: 00:04:96:27:b6:49

LACP PDUs dropped on non-LACP ports : 1145 Lag

Actor Sys-Pri

Actor

Key

Partner

MAC

Partner Sys-Pri

Partner

Key

Agg

Count

-------------------------------------------------------------------------------13

X 0x03f5

00:04:96:27:bc:ce

X 0x03e9

2

================================================================================

9 Verify the dynamic link aggregation configuration by entering the following command: show lacp lag 13

The following displays: Lag

Actor Sys-Pri

Key

Actor

Partner

MAC

Partner Sys-Pri

Partner

Key

Agg

Count

-------------------------------------------------------------------------------13

X 0x03f5

00:04:96:27:bc:ce

X 0x03e9

2

Port list: Member

Port

Rx

Sel

Mux

Actor

Partner

Port

Priority

State

Logic

State

Flags

Port

-------------------------------------------------------------------------------13

0

Current

Selected

Collect-Dist

A-GSCD--

100X

15

0

Current

Selected

Collect-Dist

A-GSCD--

101X

================================================================================ Actor Flags: A-Activity, T-Timeout, G-Aggregation, S-Synchronization C-Collecting, D-Distributing, F-Defaulted, E-Expired

10 Verify the identity of the load sharing master port by entering the following command: show ports configuration no-refresh

38



The following displays, notice the settings for ports 13, 15, and 24: Port Configuration Port

Virtual router

Port

Link

Auto

State State Neg

Speed

Duplex

Flow

Load

Media

Cfg Actual Cfg Actual Cntrl Master Pri Red

================================================================================ 1

VR-Default

D

R

ON

AUTO

AUTO

UTP

2

VR-Default

D

R

ON

AUTO

AUTO

UTP

3

VR-Default

D

R

ON

AUTO

AUTO

UTP

4

VR-Default

D

R

ON

AUTO

AUTO

UTP

5

VR-Default

D

R

ON

AUTO

AUTO

UTP

6

VR-Default

D

R

ON

AUTO

AUTO

UTP

7

VR-Default

D

R

ON

AUTO

AUTO

UTP

8 9

VR-Default VR-Default

D D

R R

ON ON

AUTO AUTO

AUTO AUTO

UTP UTP

10

VR-Default

D

R

ON

AUTO

AUTO

UTP

11

VR-Default

D

R

ON

AUTO

AUTO

UTP

12

VR-Default

D

R

ON

AUTO

AUTO

13

VR-Default

E

A

ON

AUTO

1000 AUTO FULL

14

VR-Default

D

R

ON

AUTO

AUTO

15

VR-Default

E

A

ON

AUTO

1000 AUTO FULL

16

VR-Default

D

R

ON

AUTO

AUTO

UTP

17

VR-Default

D

R

ON

AUTO

AUTO

UTP

18

VR-Default

D

R

ON

AUTO

AUTO

UTP

19

VR-Default

D

R

ON

AUTO

AUTO

UTP

20

VR-Default

D

R

ON

AUTO

AUTO

UTP

21

VR-Default

D

R

ON

AUTO

AUTO

NONE UTP

22

VR-Default

D

R

ON

AUTO

AUTO

NONE UTP

23

VR-Default

D

R

ON

AUTO

AUTO

24

VR-Default

E

A

ON

AUTO

25

VR-Default

D

NP

OFF 10000

FULL

NONE

26

VR-Default

D

NP

OFF 10000

FULL

NONE

UTP SYM

13 UTP

SYM

13 UTP

UTP

NONE UTP

100 AUTO FULL

SYM

UTP

NONE

================================================================================ > indicates Port Display Name truncated past 8 characters Link State: A-Active R-Ready NP- Port not present L-Loopback Port State: D-Disabled, E-Enabled Media: !-Unsupported Optic Module Media Red: * - use "show port info detail" for redundant media type

11 Verify the load sharing trunk configuration by entering the following command: show ports sharing

The following displays: Load Sharing Monitor Config

Current

Agg

Ld Share

Ld Share

Agg

Link

Link Up

Master

Master

Control

Algorithm

Group

Mbr

State

transitions

============================================================================== 13

13

LACP L3_L4

L3_L4

13 15

Y Y

A

A

6 1

============================================================================== Link State: A-Active, D-Disabled, R-Ready, NP-Port not present, L-Loopback Load Sharing Algorithm: (L2) Layer 2 address based, (L3_L4) Layer 3 address and Layer 4 port based Note: Layer 4 ports are not used for distribution for traffic ingressing ports on X450-24t and X450-24x switches. Default algorithm: L2

Number of load sharing trunks: 1


39


12 Verify the link aggregation activity by entering the following command: show lacp counters

The following displays: LACP PDUs dropped on non-LACP ports : 1145 LACP Bulk checkpointed msgs sent

: 0

LACP Bulk checkpointed msgs recv

: 0

LACP PDUs checkpointed sent

: 0

LACP PDUs checkpointed recv

: 0

Lag

Member

Rx

Rx Drop

Rx Drop

Rx Drop

Group

Port

Ok

PDU Err

Not Up

Same MAC Sent Ok

Tx

Tx Xmit Err

-------------------------------------------------------------------------------13 13 36 0 0 0 36 0 15

33

0

0

0

34

0

================================================================================

13 From the Lab Group PC, open a command prompt window and use the following command to generate a continuous stream of ping packets to Core Switch B: ping –t 10.0.1.2

The following displays: Pinging 10.0.1.2 with 32 bytes of data: Reply from 10.0.1.2: bytes=32 time<1ms TTL=255 Reply from 10.0.1.2: bytes=32 time<1ms TTL=255 Reply from 10.0.1.2: bytes=32 time<1ms TTL=255 Reply from 10.0.1.2: bytes=32 time<1ms TTL=255

14 From the Lab Group PC, open a second command prompt window and use the following command to generate a continuous stream of ping packets to Core Switch A: ping –t 10.0.1.1

The following displays: Pinging 10.0.1.1 with 32 bytes of data: Reply from 10.0.1.1: bytes=32 time<1ms TTL=255 Reply from 10.0.1.1: bytes=32 time<1ms TTL=255 Reply from 10.0.1.1: bytes=32 time<1ms TTL=255 Reply from 10.0.1.1: bytes=32 time<1ms TTL=255

15 On the switch, display the port activity by entering the following command: show ports stat

40



16 Press the 0 key to clear the table.

The following displays: Port Statistics Port

Link State

Mon Aug 11 17:05:00 2008 Tx Pkt

Count

Tx Byte Count

Rx Pkt Count

Rx Byte Rx Pkt Rx Pkt Count

Bcast

Mcast

================================================================================ 1

R

0

0

0

0

0

0

2

R

0

0

0

0

0

0

3

R

0

0

0

0

0

0

4

R

0

0

0

0

0

0

5

R

0

0

0

0

0

0

6

R

0

0

0

0

0

0

7

R

0

0

0

0

0

0

8

R

0

0

0

0

0

0

9

R

0

0

0

0

0

0

10

R

0

0

0

0

0

0

11

R

0

0

0

0

0

0

12

R

0

0

0

0

0

0

13

A

0

0

0

0

0

0

14

R

0

0

0

0

0

0

15

A

0

0

0

0

0

0

16

R

0

0

0

0

0

0

================================================================================ Link State: A-Active, R-Ready, NP-Port Not Present L-Loopback 0->Clear Counters U->page up

D->page down ESC->exit

17 Monitor the activity for ports 13 and 15 over a period of time to verify that the ping traffic is being distributed across the aggregated ports. If configured correctly, the results look similar to this: Port Statistics Port

Link State

Mon Aug 11 17:05:00 2008 Tx Pkt

Count

Tx Byte Count

Rx Pkt Count


Bcast

Mcast

================================================================================ 1

R

0

0

0

0

0

0

2

R

0

0

0

0

0

0

3

R

0

0

0

0

0

0

4

R

0

0

0

0

0

0

5

R

0

0

0

0

0

0

6

R

0

0

0

0

0

0

7

R

0

0

0

0

0

0

8

R

0

0

0

0

0

0

9

R

0

0

0

0

0

0

10

R

0

0

0

0

0

0

11

R

0

0

0

0

0

0

12

R

0

0

0

0

0

0

13

A

89

7340

97

0

11

14

R

0

0

0

0

0

15

A

87

7276

92

0

6

8485 0 8168

16 R 0 0 0 0 0 0 ================================================================================ Link State: A-Active, R-Ready, NP-Port Not Present L-Loopback 0->Clear Counters U->page up



41


18 Press the Esc key. Verify that the configured load sharing algorithm operates correctly by entering the following command: show ports info

The following displays, notice the settings for ports 13 and 15 below: Port

Flags

Link State

Link Num Num ELSM UPS

Num

Jumbo QOS

STP VLAN Proto Size

Load

profile Master

================================================================================= 1

Dm------e--fMB- ready

-

0

0

0

0

9216

none

2


-

0

0

0

0

9216

none

3


-

0

0

0

0

9216

none

4 5

Dm------e--fMB- ready Dm------e--fMB- ready

-

0 0

0 0

0 0

0 0

9216 9216

none none

6


-

0

0

0

0

9216

none

7


-

0

0

0

0

9216

none

8


-

0

0

0

0

9216

none

9


-

0

0

0

0

9216

none

10


-

0

0

0

0

9216

none

11


-

0

0

0

0

9216

none

12


-

0

0

0

0

9216

none

13

Em-la---e--fMB- active

-

0

1

1

1

9216

none

14


-

0

0

0

0

9216

none

15

Em-la---e--fMB- active

-

0

1

1

1

9216

none

16


-

0

0

0

0

9216

none

17


-

0

0

0

0

9216

none

18


-

0

0

0

0

9216

none

19


-

0

0

0

0

9216

none

20


-

0

0

0

0

9216

none

21


-

0

0

0

0

9216

none

22


-

0

0

0

0

9216

none

23


-

0

0

0

0

9216

none

24

Em------e--fMB- active

-

0

1

1

1

9216

none

25

Dm------e--fMB- NotPresent -

0

0

0

0

9216

none

26

Dm------e--fMB- NotPresent -

0

0

0

0

9216

none

13 a 13 a

=================================================================================== Flags : a - Load Sharing Algorithm address-based, D - Port Disabled, e - Extreme Discovery Protocol Enabled, E - Port Enabled, l - Load Sharing Enabled, m - MACLearning Enabled, f - Unicast Flooding Enabled,M - Multicast Flooding Enabled, B - Broadcast Flooding Enabled

19 Notice that the ports in the load share group are flagged to use address-based load sharing. 20 Verify all lacp-related configuration parameters by displaying the section of the configuration file related to lacp by entering the following command: show configuration lacp

The following displays: # # Module lacp configuration. # configure sharing 13 lacp system-priority X

42



Part 5: Enabling the Link-Layer Discovery Protocol In this exercise you will enable ports to receive Link-Layer Discovery Protocol (LLDP) information, advertise their own system information, and verify that each is configured correctly. 1 Enable LLDP on port 13 by entering the following command: enable lldp ports 13

2 Verify the LLDP configuration by entering the following command: show lldp port 13 detailed

The following displays: LLDP transmit interval

: 30 seconds

LLDP transmit hold multiplier LLDP transmit delay

: 4

(used TTL = 120 seconds)

: 2 seconds

LLDP SNMP notification interval LLDP reinitialize delay

: 5 seconds : 2 seconds

LLDP-MED fast start repeat count : 3

LLDP Port Configuration: Port

Rx Mode

Tx Mode

SNMP

Optional enabled transmit TLVs

Notification

LLDP

802.1

802.3

MED

AvEx

============================================================================ 13

Enabled

Enabled

--

VLAN: Default

--D------

---

---

----

----

----

----

----

----

============================================================================ Notification: (L) lldpRemTablesChange, (M) lldpXMedTopologyChangeDetected LLDP Flags

: (P) Port Description, (N) System Name, (D) System Description

(C) System Capabilities, (M) Mgmt Address 802.1 Flags : (P) Port VLAN ID, (p) Port & Protocol VLAN ID, (N) VLAN Name 802.3 Flags : (M) MAC/PHY Configuration/Status, (P) Power via MDI (L) Link Aggregation, (F) Frame Size MED Flags

: (C) MED Capabilities, (P) Network Policy, (L) Location Identification, (p) Extended Power-via-MDI

AvEx Flags

: (P) PoE Conservation Request, (C) Call Server, (F) File Server

(Q) 802.1Q Framing

3 Enable the advertisement of the system name by entering the following command: configure lldp ports 13 advertise system-name

4 Verify the LLDP advertisement of the system name, by entering the following command: show lldp port 13 detailed


43


The following displays: LLDP transmit interval

: 30 seconds

LLDP transmit hold multiplier LLDP transmit delay

: 4

(used TTL = 120 seconds)

: 2 seconds

LLDP SNMP notification interval LLDP reinitialize delay

: 5 seconds : 2 seconds

LLDP-MED fast start repeat count : 3

LLDP Port Configuration: Port

Rx

Tx

Mode

Mode

SNMP

Optional enabled transmit TLVs

Notification

LLDP

802.1

802.3

MED

AvEx

============================================================================ 13

Enabled

Enabled

--

VLAN: Default

-ND------

---

---

----

----

----

----

----

----

============================================================================ Notification: (L) lldpRemTablesChange, (M) lldpXMedTopologyChangeDetected LLDP Flags

: (P) Port Description, (N) System Name, (D) System Description (C) System Capabilities, (M) Mgmt Address

802.1 Flags : (P) Port VLAN ID, (p) Port & Protocol VLAN ID, (N) VLAN Name 802.3 Flags : (M) MAC/PHY Configuration/Status, (P) Power via MDI (L) Link Aggregation, (F) Frame Size MED Flags

: (C) MED Capabilities, (P) Network Policy, (L) Location Identification, (p) Extended Power-via-MDI

AvEx Flags

: (P) PoE Conservation Request, (C) Call Server, (F) File Server

(Q) 802.1Q Framing

5 Verify the LLDP neighbor information, by entering the following command: show lldp neighbor detailed


----------------------------------------------------------------------------LLDP Port 13 detected 1 neighbor Neighbor: 00:04:96:27:BC:CE/1, age 11 seconds - Chassis ID type: MAC address (4) Chassis ID

: 00:04:96:27:BC:CE

- Port ID type: ifName (5) Port ID

: "1"

- Time To Live: 120 seconds - System Name: "CS-A" - System Description: "ExtremeXOS version 12.1.1.4 v1211b4 by release-ma\ nager on Tue Apr 29 17:46:58 PDT 2008"

44


4

Configuring a Stacked Switch Demonstration

Overview You will watch a short presentation on how to set up and configure a stacked switch using SummitStack™. Your instructor will add information and answer questions throughout the presentation.


45

Configuring a Stacked Switch Demonstration

46


5

Layer 2 Forwarding Lab

Student Objectives This lab provides you with hands-on experience to create FDB entries, enable and verify the locklearning feature, and enable and verify the limit-learning feature. At the end of this lab, you will be able to: ● Populate, display, and interpret the FDB table. ●

Enable the lock-learning feature.

●

Test the operation of the lock-learning feature.

●

Enable the limit-learning feature.

●

Test the operation of the limit-learning feature.

Figure 1: Layer 2 Forwarding Lab


47


Refer to the values list in Table 1to configure switch parameters for this lab.

Table 1: Lab Groups an d VLAN IP Ad dresses La b G r o u p N u m b er

Func tio nal Name

Switc h N ame

1

SalesManagement

SAM_1

Default

VLAN N ame

10.0.1.11/24

2

ExecutiveStaff

EXC_2

Default

10.0.1.12/24

3

Accounting

4

ManufacturingFloor

5

Engineering

6

HumanResources

ACT_3

Default

MFG_4

Default

ENG_5

Default

HUR_6

Default


10.0.1.13/24 10.0.1.14/24 10.0.1.15/24 10.0.1.16/24

Part 1: Setting Up for Populating the Forwarding Database 1 Log into the switch and load the baseline configuration for this lab by entering the following command: use configuration Lab_ECF04-X








5 Press the Enter key to bring up the login prompt. Enter admin and press the Enter key. The switch

will then display the following prompt for the password: login: admin password:

48




Part 2: Populating the Forwarding Database In this exercise you will populate the forwarding database and verify that it is correctly configured. 1 On the switch, use the PING command to verify that the switch can communicate with Core Switch A by entering the following: ping 10.0.1.1

2 Use the PING command to verify that the switch can communicate with each of the configured neighbor lab groups switches by entering the following: ping

Example: ping 10.0.1.1X

Where X is each neighbor lab group number in Table 1. The following is the ping reply for the neighbor with the vlan ip address 10.0.1.12: Ping(ICMP) 10.0.1.12: 4 packets, 8 data bytes, interval 1 second(s). 16 bytes from 10.0.1.12: icmp_seq=0 ttl=255 time=2.940 ms 16 bytes from 10.0.1.12: icmp_seq=1 ttl=255 time=6.312 ms 16 bytes from 10.0.1.12: icmp_seq=2 ttl=255 time=7.023 ms 16 bytes from 10.0.1.12: icmp_seq=3 ttl=255 time=2.003 ms --- 10.0.1.12 ping statistics --4 packets transmitted, 4 received, 0% loss round-trip min/avg/max = 2/4/7 ms

3 Display the layer 2 forwarding database by entering the following command: show fdb

The following display is an example from Lab Group 1’s switch: Mac

Vlan

Age

Flags

Port / Virtual Port List

----------------------------------------------------------------------------00:04:96:27:b6:61

Default(0001) 0024 d m

00:04:96:27:b7:57


13 13

00:04:96:27:bc:ce


13

00:04:96:27:bd:0b


13

00:04:96:34:cb:5c


13

00:04:96:34:cb:64


13

Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP, x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror, B - Egress Blackhole, b - Ingress Blackhole, v - MAC-Based VLAN, P - Private VLAN, T - VLAN translation, D - drop packet. Total: 6 Static: 0

Perm: 0

Dyn: 6

Dropped: 0

Locked: 0

Locked with Timeout: 0

FDB Aging time: 300


49


4 Notice that all entries appear in the VLAN Default and are flagged as dynamically-learned MAC addresses. 5 Display the switch’s IP ARP table by entering the following command: show iparp

The following display is an example from Lab Group 1’s switch: VR

Destination

Mac

Age

Static

VLAN

VID

Port

VR-Default

10.0.1.1

00:04:96:27:bc:ce

1

NO

Default

1

13

VR-Default

10.0.1.12

00:04:96:27:bd:0b

1

NO

Default

1

13

VR-Default

10.0.1.13

00:04:96:27:b7:57

1

NO

Default

1

VR-Default

10.0.1.14

00:04:96:27:b6:61

1

NO

Default

1

13

VR-Default

10.0.1.15

00:04:96:34:cb:64

1

NO

Default

1

13

VR-Default

10.0.1.16

00:04:96:34:cb:5c

1

NO

Default

1

Dynamic Entries

:

6

Static Entries

:

13

13 0

Pending Entries

:

0

In Request

:

26

In Response

:

13

Out Request

:

25

Out Response

:

5

Failed Requests

:

2

Proxy Answered

:

0

Rx Error

:

0

Rejected Count

:

Rejected Port

:

Max ARP entries

:

ARP address check: Timeout

:

4096 Enabled

Dup IP Addr

:

Rejected IP

:

Rejected I/F

:

Max ARP pending entries ARP refresh

0.0.0.0

: :

256 Enabled

20 minutes

6 Use the IP/MAC address pairs in the IP ARP table to determine which MAC address belongs to which lab group.

50



Part 3: Locking Learning In this exercise you will clear the forwarding database (FDB) of all entries, repopulate the FDB, lock the addresses that have been learned, and verify that this each command has been executed correctly. 1 Clear the forwarding database of all dynamic entries by entering the following command: clear fdb

2 Verify that the FDB is clear by entering the following: show fdb

The following displays: Mac

Vlan

Age

Flags


----------------------------------------------------------------------------Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP, x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror, B - Egress Blackhole, b - Ingress Blackhole, v - MAC-Based VLAN, P - Private VLAN, T - VLAN translation, D - drop packet. Total: 0 Static: 0

Perm: 0

Dyn: 0

Dropped: 0

Locked: 0


FDB Aging time: 300

NOTE Depending upon network activity, the fbd table may contain entries even though you issued the clear fdb command. This is due to the fact that some devices on the network transmitted packets between the time you cleared the fdb and subsequently displayed it.

3 Use the PING command to re-populate the FDB with the MAC address of Core Switch A: ping 10.0.1.1

NOTE Your switch may have already repopulated the fbd due to other students or network activities.

The following displays: Ping(ICMP) 10.0.1.1: 4 packets, 8 data bytes, interval 1 second(s). 16 bytes from 10.0.1.1: icmp_seq=0 ttl=255 time=9.190 ms 16 bytes from 10.0.1.1: icmp_seq=1 ttl=255 time=7.129 ms 16 bytes from 10.0.1.1: icmp_seq=2 ttl=255 time=7.359 ms 16 bytes from 10.0.1.1: icmp_seq=3 ttl=255 time=1.996 ms --- 10.0.1.1 ping statistics --4 packets transmitted, 4 received, 0% loss round-trip min/avg/max = 1/6/9 ms

4 Verify that only the Core Switch A MAC address is in the FDB by entering the following: show fdb


51



Vlan

Age

Flags


----------------------------------------------------------------------------00:04:96:27:bc:ce


13

Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP, x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror, B - Egress Blackhole, b - Ingress Blackhole, v - MAC-Based VLAN, P - Private VLAN, T - VLAN translation, D - drop packet. Total: 1 Static: 0

Perm: 0

Dyn: 1

Dropped: 0

Locked: 0


FDB Aging time: 300

5 Clear the fdb again and the lock the MAC address learned on port 13 by entering the following: clear fdb ping 10.0.1.1 configure ports 13 vlan default lock-learning

NOTE In order to minimize the number of entries that find their way into the fdb, we recommend that you cut and paste the three commands above into the cli interface on the switch. However, even if you take this precaution, you may find that the locking feature captures more then just the MAC address of Core Switch A.

6 Verify the configuration by entering the following command: show vlan default security

The following displays for port 13 and port 24:

Port

Limit

13 24

Unlimited Locked Unlimited Unlocked

State

Learned

Blackholed

0 0

5 0

Locked 1 0

NOTE In the example above, notice that 5 MAC addresses are designated as Blackhole entries. Any MAC addresses seen after the lock is activated will be blackholed.

7 Verify that the permanent entry and lock learning flags are set for port 13 by entering the following command: show fdb

52



The following is an example display from Lab Group 1’s switch: Mac

Vlan

Age

Flags


----------------------------------------------------------------------------00:04:96:27:b7:57


00:04:96:27:bc:ce

Default(0001) 0000 spm

00:04:96:34:cb:5c


Bb

13 l

Bb

13 13

Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP, x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror, B - Egress Blackhole, b - Ingress Blackhole, v - MAC-Based VLAN, P - Private VLAN, T - VLAN translation, D - drop packet.

Total: 3 Static: 1 Perm: 1 FDB Aging time: 300

Dyn: 2

Dropped: 0

Locked: 1


FDB VPLS Aging time: 300

8 Use the PING command to try to communicate with each of the configured neighbor lab groups switches by entering the following: ping


Where X is each neighbor lab group number in Table 1. The following displays the ping reply, Destination Host Unreachable, when Lab Group 1 pings the neighbor with the VLAN IP address 10.0.1.12: Ping(ICMP) 10.0.1.12: 4 packets, 8 data bytes, interval 1 second(s). 44 bytes from 10.0.1.11: icmp_seq=3 Destination Host Unreachable --- 10.0.1.12 ping statistics --4 packets transmitted, 0 received, 100% loss round-trip min/avg/max = 0/0/0 ms

NOTE All ping attempts to neighboring switches should fail. However, this is dependent upon the entries in the fdb table.

9 Display the forwarding database by entering the following command: show fdb


53



Vlan

Age

Flags


----------------------------------------------------------------------------00:04:96:27:b6:61


Bb

00:04:96:27:b7:57


Bb

13

00:04:96:27:bc:ce

Default(0001) 0000 spm

00:04:96:27:bd:0b


Bb

00:04:96:34:cb:5c


Bb

13

00:04:96:34:cb:64


Bb

13

13 l

13 13


Total: 6 Static: 1

Perm: 1

Dyn: 5

Dropped: 0

Locked: 1


FDB Aging time: 300 FDB VPLS Aging time: 300

10 Notice in the example above, that the MAC addresses for all 5 neighbor switches have been flagged as Blackhole for both ingress and egress. Your fdb table may vary slightly from this example. 11 Remove MAC address lock down by entering the following command: configure ports 13 vlan default unlock-learning

12 Show the forwarding database and verify that the lockdown has been removed by entering the following command: show fdb


Vlan

Age

Flags


----------------------------------------------------------------------------Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP, x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror, B - Egress Blackhole, b - Ingress Blackhole, v - MAC-Based VLAN, P - Private VLAN, T - VLAN translation, D - drop packet.

Total: 0 Static: 0

Perm: 0

Dyn: 0

Dropped: 0

Locked: 0



13 Notice that unlocking learning will clear the FDB of all entries.

54



Part 4: Limiting Learning In this exercise you will clear the forwarding data base entries and configure selected ports to limit learning. You will confirm that limit learning is operating correctly and then remove the limits you previously set. 1 Clear the forwarding database of all dynamic entries by entering the following command: clear fdb

2 Confirm that the FDB is clear by entering the following: show fdb

The following is an example of a typical display: Mac

Vlan

Age

Flags


----------------------------------------------------------------------------Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP, x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror, B - Egress Blackhole, b - Ingress Blackhole, v - MAC-Based VLAN, P - Private VLAN, T - VLAN translation, D - drop packet.

Total: 0 Static: 0

Perm: 0

Dyn: 0

Dropped: 0

Locked: 0



NOTE Depending upon network activity you may have entries quickly repopulate even after you clear the fdb.

3 Limit the MAC address learning on port 13 to three entries by entering the following commands: clear fdb configure ports 13 vlan default limit-learning 3

4 Verify the configuration by entering the following command: show vlan default security

The following displays: Port

Limit

State

Learned

13

3

Unlocked

0

24

Unlimited Unlocked

0

Blackholed 0 0

Locked 0 0

5 Display the MAC security information for the specified port by entering the following command: show ports 13 information detail


55


The following displays: Port:

13

Virtual-router: VR-Default Type:

UTP Random Early drop: Admin state:

Unsupported

Enabled with

ELSM Link State:

auto-speed sensing

auto-duplex

Up

Link State:

Active, 1Gbps, full-duplex

Link Counter: Up

2 time(s)

VLAN cfg: Name: Default, Internal Tag = 1, MAC-limit = 3,Action = blackhole,Virtual router: VR-Default

6 Use the PING command to try to communicate with each of the configured neighbor lab groups switches and Core Switch A. Because the neighbor lab groups may be performing this same step simultaneously or even before you, three or fewer PINGs may actually work. Enter the following: ping


Where X is each neighbor lab group number in Table 1. 7 Confirm which MAC addresses were permitted and which were blocked by displaying the forwarding database with the following command: show fdb

The following is an example display from Lab Group 1’s switch:

Mac

Vlan

Age

Flags


----------------------------------------------------------------------------00:04:96:27:b6:61


00:04:96:27:b7:57


Bb

00:04:96:27:bc:ce


Bb

00:04:96:27:bd:0b


00:04:96:34:cb:5c


00:04:96:34:cb:64


13 13 13 13 13 Bb

13


Total: 6 Static: 0

Perm: 0

Dyn: 6

Dropped: 0

Locked: 0



8 Notice that the MAC addresses for 2 neighbor switches and Core Switch A have been flagged as Blackhole for both ingress and egress in the example above. 9 Remove the limit learning on the port by entering the following command: configure ports 13 vlan default unlimited-learning

56



Part 5: Enabling Extreme Link Status Monitoring In this exercise you will enable Extreme Link Status Monitoring (ELSM) on selected ports, verify that it is operating correctly. You will observe link state changes during a core switch reboot. 1 Enable Extreme Link Status Monitoring (ELSM) on the port connecting to the other switches by entering the following command: enable elsm ports 13

2 Verify the status of the port with ELSM enabled by entering the following command: show elsm ports 13

The following displays: ELSM Info Port 13 Link State ELSM Link State ELSM State

: Active : Up : Up

Hello Transmit State

: HelloRx(+)

Hello Time

: 1 sec

Hold Threshold

: 2

UpTimer Threshold Auto Restart Down Timeout Up Timeout

: 6 : Enabled : 4.0 sec : 6.0 sec

Hello+ Rx

: 19496

HelloRx

: 1

Hello+ Tx

: 19497

HelloTx

: 0

ELSM Up/Down Count

: UP: 0

DOWN: 0

3 Notice both the Link State and the ELSM Link State for this port.

NOTE Wait here while Core Switch A is rebooted to simulate link state change.

4 Wait until the instructor gives the class direction to move forward. 5 While Core Switch A is rebooting, re-verify the status of the port by entering the following command: show elsm ports 13


57


While the switch is rebooting the system will eventually display the following: ELSM Info Port 13 Link State ELSM Link State ELSM State

: Ready : Down : Down

Hello Transmit State

: HelloRx(-)

Hello Time

: 1 sec

Hold Threshold

: 2


: 6 : Enabled : 4.0 sec : 6.0 sec

Hello+ Rx

: 19588

HelloRx

: 1

Hello+ Tx

: 19589

HelloTx

: 0

ELSM Up/Down Count

: UP: 0

DOWN: 1

6 Notice the changes to the port Link State, ELSM Link State, ELSM State, Hello Transmit State, and ELSM Up/Down Count. 7 After the switch has fully re-booted, verify the status of the port by entering the following command again: show elsm ports 13

When the link stabilizes, the following displays: ELSM Info Port 13 Link State ELSM Link State ELSM State Hello Transmit State

: Active : Up : Up : HelloRx(+)

Hello Time

: 1 sec

Hold Threshold

: 2


: 6 : Enabled : 4.0 sec : 6.0 sec

Hello+ Rx

: 19593

HelloRx

: 1

Hello+ Tx

: 19593

HelloTx

: 1

ELSM Up/Down Count

: UP: 1

DOWN: 1

8 Notice again, the changes to the port Link State, ELSM Link State, ELSM State, Hello Transmit State, and ELSM Up/Down Count.

58


6

Port-based VLAN Configuration Lab

Student Objectives A common approach to deploying Voice-Over-IP on a converged network is to configure a single, layer 2 broadcast domain (VLAN) dedicated to the voice-enabled devices (phones, call managers, call gateways, etc.). This lab provides you with hands-on experience to create port-based VLANs, add ports to the VLANs, and extend the VLANs across multiple switches. At the end of this lab, you will be able to: ●

Create one port-based VLAN

●

Add ports to the VLAN

●

Interconnect the VLAN across multiple switches

Figure 1: Port-based VLAN Con figuration Lab


59



Table 1: Group, Switch, VLAN Names and IP addresses La b G r o u p N u m b er

S w it c h N a m e

V LA N N a m e

V L AN I P A d d r es s

Lab Group PC IP Address

1

SAM_1

Voice

10.0.2.11/24

10.0.2.101/24

2

EXC_2

Voice

10.0.2.12/24

10.0.2.102/24

3

ACT_3

Voice

10.0.2.13/24

10.0.2.103/24

4

MFG_4

Voice

10.0.2.14/24

10.0.2.104/24

5

ENG_5

Voice

10.0.2.15/24

10.0.2.105/24

6

HUR_6

Voice

10.0.2.16/24

10.0.2.106/24

Part 1: Setting Up for Creating a Port-Based VLAN 1 Log into the switch and load the baseline configuration for this lab by entering the following command: use configuration Lab_ECF05-X








60





Part 2: Creating a Port-Based VLAN In this exercise you will create a VLAN, assign it an IP address, and verify that it is recognized by your switch. 1 Create a VLAN named voice by entering the following command: create vlan voice

2 Verify that the VLAN voice has been created by entering the following command: show vlan voice

The following displays: VLAN Interface with name voice created by user Admin State:

Enabled

Tagging:Untagged (Internal tag 4094)

Virtual router: VR-Default IPv6:

None

STPD:

None Protocol:


Loopback: NetLogin:

Disabled Disabled

QosProfile:

None configured

Egress Rate Limit Designated Port: None configured Flood Rate Limit QosProfile: Ports:

0.

None configured


3 Notice that a newly-created VLAN has no ports assigned. 4 Assign an IP address and subnet mask to the voice VLAN, by entering the following command: configure vlan voice ipaddress {}

Example: configure vlan voice ipaddress 10.0.2.1X/24

Use the address and subnet mask as listed in Table 1 for your lab group. 5 Verify the IP address and subnet mask of the voice VLAN, by entering the following command: show vlan voice


61


The voice VLAN configuration displays: VLAN Interface with name voice created by user Admin State:

Enabled


Virtual router: VR-Default Primary IP IPv6:

: 10.0.2.1X/24

None

STPD:

None Protocol:


Loopback:

Disabled

NetLogin:

Disabled

QosProfile:

None configured

Egress Rate Limit Designated Port: None configured Flood Rate Limit QosProfile: None configured Ports:

0.


Part 3: Adding Ports to a VLAN In this exercise you will delete ports from the VLAN default and add ports to your VLAN. 1 Delete port 13 and 24 from the VLAN default by entering the following command: configure vlan default delete ports 13,24

2 Add port 13 and 24 to the VLAN voice by entering the following command: configure vlan voice add ports 13,24

3 Verify the port assignments for VLAN voice by entering the following command: show vlan voice

The system displays the voice VLAN configuration: VLAN Interface with name voice created by user Admin State:

Enabled



: 10.0.2.1X/24

None

STPD:

None Protocol:


Loopback:

Disabled

NetLogin:

Disabled

QosProfile:

None configured

Egress Rate Limit Designated Port: None configured Flood Rate Limit QosProfile: Ports: Untag: Flags:

2.

None configured

(Number of active ports=0) !13,

!24

(*) Active, (!) Disabled, (g) Load Sharing port (b) Port blocked on the vlan, (m) Mac-Based port (a) Egress traffic allowed for NetLogin (u) Egress traffic unallowed for NetLogin

4 Notice that the assigned ports are not active, they are disabled(!) and untagged.

62



Part 4: Configuring the Client Workstation The following instructions will guide you in setting up the client workstation. If your RD-X connection to PC 127.0.0.1:101X is still open but minimized, skip to step 6. 1 From your laptop, launch the PuTTY utility:




63





64



7 From the Lab PC desktop, open the Lab Networking Addressing folder. Double-click on the Config_ECF05-X batch file, where X is your lab group number assigned in Table 1:




65




Note that the Lab Network interface has been assigned your lab group PC's IP address and mask found in Table 1. This completes the setup of the Lab Group PC. Minimize this window now and return to the switch.

Part 5: Extending the VLAN Across Multiple Switches In this exercise you will enable ports to extend your VLAN across multiple switches and verify that your switch can communicate with each of the other neighbor switches. 1 On your switch, enable port 13 to permit forwarding by entering the following command: Enable ports 13

NOTE Stop and wait here until all students in the class reach this point!

66



2 Upon the instructor’s direction, turn to your switch and use the PING command to verify that the switch can communicate with each of the configured neighbor lab groups switches by entering the following: ping


Where X is each neighbor lab group number in Table 1. The following is an example reply from Lab Group 1’s switch while pinging Lab Group’s 2 switch:

* SAM_1.26 # ping 10.0.2.12 Ping(ICMP) 10.0.2.12: 4 packets, 8 data bytes, interval 1 second(s). 16 bytes from 10.0.2.12: icmp_seq=0 ttl=255 time=9.773 ms 16 bytes from 10.0.2.12: icmp_seq=1 ttl=255 time=2.004 ms 16 bytes from 10.0.2.12: icmp_seq=2 ttl=255 time=7.072 ms 16 bytes from 10.0.2.12: icmp_seq=3 ttl=255 time=7.054 ms

3 On your switch, enable port 24 by entering the following command: enable ports 24

This is the port connected to the Lab Group PC. NOTE Stop and wait here until all students in the class reach this point!

4 Upon the instructor’s direction, return to your Lab Group PC’s desktop and open a DOS window. Use the PING command to verify that the PC can communicate with the other configured neighbor Lab Group PCs by entering the following: ping


Where X is each neighbor lab group number in Table 1. The following is an example reply from Lab Group 1’s PC while pinging Lab Group’s 2 PC: C:\Documents and Settings\student>ping 10.0.2.102 Pinging 10.0.2.102 with 32 bytes of data: Reply from 10.0.2.102: bytes=32 time<1ms TTL=128 Reply from 10.0.2.102: bytes=32 time<1ms TTL=128 Reply from 10.0.2.102: bytes=32 time<1ms TTL=128 Reply from 10.0.2.102: bytes=32 time<1ms TTL=128 Ping statistics for 10.0.2.102: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms


67


5 On the switch, examine how VLAN information is displayed in the forwarding database by entering the following command on your switch: show fdb

The system displays the following: Mac

Vlan

Age

Flags


----------------------------------------------------------------------------00:04:96:27:b6:61

voice(4094) 0020 d m

13

00:04:96:27:b7:57

voice(4094) 0017 d m

13

00:04:96:27:bd:0b

voice(4094) 0078 d m

13

00:04:96:34:cb:5c

voice(4094) 0005 d m

13

00:04:96:34:cb:64

voice(4094) 0006 d m

13

00:0c:29:0e:4a:80 00:0c:29:1b:33:21

voice(4094) 0208 d m voice(4094) 0076 d m

13 13

00:0c:29:60:ef:ba

voice(4094) 0092 d m

13

00:0c:29:7d:7c:a3

voice(4094) 0129 d m

13

00:0c:29:aa:d6:8c

voice(4094) 0088 d m

24

00:0c:29:fa:60:9c

voice(4094) 0108 d m

13


Total: 11 Static: 0

Perm: 0

Dyn: 11

Dropped: 0

Locked: 0



6 Notice that all learned MAC addresses in the example above are from the VLAN voice.

68


7

Tagged VLAN Configuration Lab

Student Objectives Frequently, today’s voice-over-IP desk sets incorporate a second Ethernet port that provides connectivity for a PC through the same switch port as the phone. However you often see the traffic for both devices separated into VLANs, or distinct collision domains. This lab provides you with hands-on experience to create tagged VLANs for each traffic type, add ports to the VLANs, and extend the VLANs across multiple switches using a single physical link. At the end of this lab, you will be able to: ●

Convert a untagged voice VLAN to a tagged VLAN.

●

Verify the operation of the tagged VLAN.

●

Integrate a data VLAN into the network and verify the operation of the entire network.

Figure 1: Tagged VLA N Conf iguration La b


69



Table 1: Group, Switch, VLAN Names and IP Addresses La b G r o u p N u m b er

Switc h N ame

V LAN Na m e


La b G r o u p P C I P A d d r es s

1

SAM_1

Voice

10.0.2.11/24

10.0.2.101/24

Data

10.0.3.11/24

10.0.3.101/24

2

EXC_2

Voice

10.0.2.12/24

10.0.2.102/24

Data

10.0.3.12/24

10.0.3.102/24

Voice

10.0.2.13/24

10.0.2.103/24

Data

10.0.3.13/24

10.0.3.103/24

Voice

10.0.2.14/24

10.0.2.104/24

Data

10.0.3.14/24

10.0.3.104/24

Voice

10.0.2.15/24

10.0.2.105/24

Data

10.0.3.15/24

10.0.3.105/24

Voice

10.0.2.16/24

10.0.2.106/24

Data

10.0.3.16/24

10.0.3.106/24

3

4

5

6

ACT_3

MFG_4

ENG_5

HUR_6

Part 1: Setting Up for Configuring a Tagged VLAN and Adding Tagged and Untagged Ports 1 Log into the switch and load the baseline configuration for this lab by entering the following command: use configuration Lab_ECF06-X







70









71



4 From your computer's Start menu, open the Accessories folder and launch the Remote Desktop Connect utility:


72




7 From the Lab PC desktop, open the Lab Networking Addressing folder. Double-click on the Config_ECF06a-X batch file, where X is your lab group number assigned in Table 1:

This batch file will automatically configure the PC IP address. The following screen will appear while the file executes, and then close automatically when it terminates


73



9 In the command window, display the IP interface information on the PC by entering the following

command:

ipconfig


Note that the Lab interface hasinbeen assigned your Lab Group PC's IP address and mask associated with theNetwork VLAN voice found Table 1. This completes the first setup of the Lab Group PC. Minimize this window now and return to the switch.

74



Part 3: Configuring a Tagged VLAN and Adding Tagged and Untagged Ports In this exercise you will configure a tagged VLAN and add tagged and untagged ports to it. 1 On the switch, assign an IP address and subnet mask to the voice VLAN, by entering the following command: configure vlan voice ipaddress {}

Example: configure vlan voice ipaddress 10.0.2.1X/24

Use the address and subnet mask as listed in Table 1. 2 Configure the VLAN voice with a tag value of 10 by entering the following command: configure vlan voice tag 10

3 Verify that the tag has been added successfully by entering the following command: show vlan voice


Enabled

Tagging:

802.1Q Tag 10


: 10.0.2.1X/24

None

STPD:

None Protocol:


Loopback:

Disabled

NetLogin:

Disabled

QosProfile:

None configured

Egress Rate Limit Designated Port: None configured Flood Rate Limit QosProfile: Ports: Untag: Flags:

2.

None configured


*13,

*24

(*) Active, (!) Disabled, (g) Load Sharing port (b) Port blocked on the vlan, (m) Mac-Based port (a) Egress traffic allowed for NetLogin (u) Egress traffic unallowed for NetLogin (t) Translate VLAN tag for Private-VLAN (s) Private-VLAN System Port, (L) Loopback port (e) Private-VLAN End Point Port

4 Notice that all ports are currently untagged in the VLAN. 5 Re-assign the port that interconnects the switches for VLAN voice as a tagged port by entering the following command: configure vlan voice add ports 13 tagged


75


Type yes to the warning message that appears: Adding an existing untagged member port of vlan voice as tagged can cause STP configuration loss. Do you really want to add these ports? (y/N)

6 Verify that port 13 is now tagged in VLAN voice by entering the following command: show vlan voice


Enabled

Tagging:

802.1Q Tag 10


: 10.0.2.1X/24

None

STPD:

None Protocol:


Loopback:

Disabled

NetLogin:

Disabled

QosProfile:

None configured

Egress Rate Limit Designated Port: None configured Flood Rate Limit QosProfile: Ports: Untag: Tag: Flags:

2.

None configured


*24 *13 (*) Active, (!) Disabled, (g) Load Sharing port (b) Port blocked on the vlan, (m) Mac-Based port (a) Egress traffic allowed for NetLogin (u) Egress traffic unallowed for NetLogin (t) Translate VLAN tag for Private-VLAN (s) Private-VLAN System Port, (L) Loopback port (e) Private-VLAN End Point Port

7 Notice that port 24 participates untagged in the VLAN. 8 Enable port 24 on the switch by entering the following command: enable ports 24

This is the port connected to the Lab Group PC. NOTE Stop and wait here, do not proceed until all students have enabled port 24.

9 Upon the instructor’s direction, turn to the Lab Group PC and open a DOS window. Use the PING command to verify that the PC can communicate with the other neighbor Lab Group PCs configured in the same subnet by entering the following: ping 10.0.2.10X

Where X is the lab group number assigned to each Lab Group in Table 1.

76



10 On the switch, use the PING command to verify that the switch can communicate with the interface assigned to the voice subnet on each of the lab groups switches by entering the following: ping 10.0.2.1X

Where X is each lab group number assigned to each Lab Group in Table 1. 11 Display the layer 2 forwarding database by entering the following command: show fdb

The following is an example display with all 6 Lab Groups participating on the classroom network: Mac

Vlan

Age

Flags


----------------------------------------------------------------------------00:04:96:27:b6:61

voice(0010) 0060 d m

13

00:04:96:27:b7:57

voice(0010) 0020 d m

13

00:04:96:27:bd:0b

voice(0010) 0008 d m

13

00:04:96:34:cb:5c

voice(0010) 0030 d m

13

00:04:96:34:cb:64

voice(0010) 0024 d m

13

00:0c:29:0e:4a:80

voice(0010) 0262 d m

13

00:0c:29:1b:33:21

voice(0010) 0032 d m

13

00:0c:29:60:ef:ba

voice(0010) 0051 d m

13

00:0c:29:7d:7c:a3

voice(0010) 0039 d m

13

00:0c:29:aa:d6:8c

voice(0010) 0041 d m

24

00:0c:29:fa:60:9c

voice(0010) 0176 d m

13

Flags : d - Dynamic, m - MAC Total: 11 Static: 0

Perm: 0

Dyn: 11

Dropped: 0

Locked: 0



12 Notice that all learned MAC addresses are from the VLAN voice.

Part 4: Adding a Second Tagged VLAN and Trunked Ports In this exercise you will create a second VLAN for data, add its IP address, add the correct tag and verify that it is integrated into the network. 1 Create a second VLAN named data by entering the following command: create vlan data

2 Assign an IP address and subnet mask to VLAN data by entering the following command: configure vlan data ipaddress {}

Example: configure vlan data ipaddress 10.0.3.1X/24

Use the address and subnet mask identified in Table 1 for your lab group. 3 Verify that VLAN data has been created and the IP address is assigned correctly by entering the following command: show vlan


77


The following displays: Name

VID

Protocol Addr

Flags

Proto

Ports

Vir

Active rou /Total -------------------------------------------------------------------------------data

4093 10.0.3.1X

Default

1

------------------------------------------- ANY

0 /0

Mgmt

4095 ------------------------------------------- ANY

1 /1

voice

10

10.0.2.1X

/24

/24

----------------------- ANY

0 /0

----------------------- ANY

2 /2

V V V V

--------------------------------------------------------------------------------

4 Configure VLAN data with a tag value of 20 by entering the following command: configure vlan data tag 20

5 Configure port 13 as a trunk port for both VLAN voice and VLAN data by adding it as tagged in VLAN data with the following command: configure vlan data add ports 13 tagged

6 Verify by entering the following command: show vlan

The following displays: Name

VID

Protocol Addr

Flags

Proto

Ports

Vir

Active rou /Total -------------------------------------------------------------------------------data

20

10.0.3.1X

Default

1

------------------------------------------- ANY

/24

----------------------- ANY

0 /0 0 /0

V V

Mgmt

4095 ------------------------------------------- ANY

1 /1

V

voice 10 10.0.2.1X /24 ----------------------- ANY 2 /2 V --------------------------------------------------------------------------------

CAUTION Be careful to add the port as tagged to the second VLAN. For example, if you try to add the port untagged (configure vlan data add ports 13 ) you will see the following error display:

Error: Protocol conflict when adding untagged port 13. Either add this port as tagged or assign another protocol to this VLAN.

78



Part 5: Adding Additional Tagged Ports Voice-over-IP device interfaces are more likely to be configured for a tag than those used for laptops or desktop PCs. The normal deployment is to assign the shared attached port as tagged in the VLAN voice, and untagged in the VLAN data. Port 24 is connected to the Lab Group PC. In this lab scenario, both the telephone desk set and the PC share the port, but you separate their traffic into two VLANs. Since the port is currently only assigned to VLAN voice, you need to add the port to VLAN data. Notice that since Port 24 already belongs untagged to VLAN voice, it cannot be added as untagged to any other VLAN. It can only be added with an explicit tag to a VLAN (tagged), or to a protocol-based VLAN. 1 On the switch, re-assign the device-connected port in VLAN voice as a tagged port by entering the following command: configure vlan voice add ports 24 tagged

Type yes to the warning message that appears: Adding an existing untagged member port of vlan voice as tagged can cause STP configuration loss. Do you really want to add these ports? (y/N)

2 Assign the device-connected port to VLAN data, untagged, by entering the following command: configure vlan data add ports 24 untagged

3 Verify the detailed configuration of VLAN data by entering the following command: show vlan data

The following displays: VLAN Interface with name data created by user Admin State: Enabled Tagging:

802.1Q Tag 20


: 10.0.3.1X/24

None

STPD:

None Protocol:


Loopback:

Disabled

NetLogin:

Disabled

QosProfile:

None configured


1.

Untag:

None configured


*24 Tag:

Flags:

*13 (*) Active, (!) Disabled, (g) Load Sharing port (b) Port blocked on the vlan, (m) Mac-Based port (a) Egress traffic allowed for NetLogin (u) Egress traffic unallowed for NetLogin (t) Translate VLAN tag for Private-VLAN (s) Private-VLAN System Port, (L) Loopback port

(e) Private-VLAN End Point Port


79


4 In the previous section, PINGs to the neighbor PCs and switches populated the FDB with entries from VLAN voice. Clear the FDB of all dynamic entries with the following command: clear fdb

5 On the Lab Group PC, return to the open Command Prompt window and use the PING command to verify that the PC can still communicate with each of the configured neighbor Lab Group PCs in the 10.0.2.0/24 network by entering the following: ping 10.0.2.10X

Where X is each lab group number assigned in Table 1. 6 On the switch, enter the following command to view the VLAN information displayed in the forwarding database: show fdb


Vlan

Age

Flags


----------------------------------------------------------------------------00:04:96:27:b6:61

voice(0010) 0050 d m

13

00:04:96:27:bd:0b

voice(0010) 0032 d m

13

00:04:96:34:cb:64

voice(0010) 0049 d m

13

00:04:96:34:cb:64

data(0020) 0027 d m

13

00:0c:29:0e:4a:80

data(0020) 0026 d m

13

00:0c:29:1b:33:21

data(0020) 0016 d m

13

00:0c:29:60:ef:ba

data(0020) 0012 d m

13

00:0c:29:7d:7c:a3

data(0020) 0024 d m

13

00:0c:29:aa:d6:8c

data(0020) 0051 d m

24

00:0c:29:fa:60:9c

data(0020) 0044 d m

13

Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP, x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror, B - Egress Blackhole,b Ingress Blackhole, v - MAC-Based VLAN, P - Private VLAN, T - VLAN translation,D - drop packet. Total: 10 Static: 0

Perm: 0

Dyn: 10

Dropped: 0

Locked: 0



7 On the Lab Group PC, return to the open Command Prompt window and, using the PING command, try to ping the interface assigned to the voice subnet on each of the configured lab groups switches by entering the following: ping 10.0.2.1X

Where X is each lab group number assigned in Table 1. All of these pings fail. This is because the port to which the PCs are attached, port 24, is now associated with the VLAN data, while the switch addresses are associated with the VLAN voice. Traffic cannot cross the boundary between two VLANs without enabling layer 3 routing. 8 Now, return to the Lab Group PC with the open DOS window and PING the interface assigned to the data subnet on each of the configured lab groups switches by entering the following: ping 10.0.3.1X

All of these pings fail also. PINGing the IP address assigned to VLAN data from the Lab Group PC also fails because these two devices are not in the same IP network even though they are in the same broadcast domain (VLAN).

80



Part 6: Reconfiguring the Client Workstation To correct the above fault, re-configure the Group Lab PC production interface with the PC IP address for VLAN data assigned in Table 1. From the Lab PC desktop, open the Lab Networking Addressing folder. Double-click on the Config_ECF06b-X batch file, where X is your lab group number assigned in Table 1:


1 To confirm the workstation IP address, from the Start menu, click on the Run option. Enter cmd to open a Command window:



81



Note that the Lab Network interface has been assigned your lab group PC's IP address and mask associated with the VLAN data found in Table 1. This completes the reconfiguration of the Lab Group PC. NOTE Stop and wait here, do not proceed until all students in the class have reconfigured their Lab Group PCs.

1 Upon the Instructor’s direction, return to the Lab Group PC and use the PING command to verify that the PC can communicate with all configured switch IP addresses in VLAN data: ping 10.0.3.1X

Where X is each lab group number assigned in Table 1. 2 Finally, use the PING command to verify that the PC can communicate with each of the configured neighbor Lab Group PCs in the 10.0.3.0/24 network by entering the following: ping 10.0.3.10X

Where X is each lab group number assigned in Table 1.

82


8

Spanning Tree Configuration Lab

Student Objectives One deployment strategy for edge switches in a production wiring closet is to build a dual-home, layer 2 loop to the upstream aggregation or core switches. This uses a redundant router protocol like VRRP to forward traffic between VLANs or out to the Internet ( Figure 1). When you use Spanning Tree Protocol resolve the the down failover two upstream paths is faster than if you extended the layer to 3 protocol all loop, the way to between the edge the switch.

Figure 1: Spanning Tree Configuration Lab

In addition you will configure the core switches for six independent spanning tree domains. In this configuration there are only six loops to resolve, as opposed to the much larger number of potential loops that would need to be addressed if all of the links were managed by a single STPD (Figure 2). This further reduces convergence time in the event of a lost link.


83


Figure 2: Individual Loops Conf iguration

Focusing only on the layer-2 loop-resolution component, this lab provides with hands-on experience to configure, enable, and verify the Spanning Tree Protocol (STP). In this lab, you will: ●

Create and configure a new spanning tree domain (STPD)

●

Verify the STPD configurations

●

Verify the STPD operation

●

Configure the STPD bridge priority and port cost

●

Test the STPD failure recovery


Table 1: Group, Switch, OSPF VLA N, OSPF an d RIP Edge a nd Interface Names

84

Lab Group Number

Switch Name

1

SAM_1

2

EXC_2

3

VLAN Tags

Group STPD

sales

10

sam_st

10.0.1.1/24

10.0.1.2/24

10.0.1.101/24

executive

20

exc_st

10.0.2.1/24

10.0.2.2/24

10.0.2.101/24

ACT_3

accounting

30

act_st

10.0.3.1/24

10.0.3.2/24

10.0.3.101/24

4

MFG_4

manufacturing

40

mfg_st

10.0.4.1/24

10.0.4.2/24

10.0.4.101/24

5

ENG_5

engineering

50

eng_st

10.0.5.1/24

10.0.5.2/24

10.0.5.101/24

6

HUR_6

human_resources

60

hur_st

10.0.6.1/24

10.0.6.2/24

10.0.6.101/24

G ro u p V LA N

CS - A I P A d d r e s s

Lab Group PC C S - B I P A d d r e s sIP Address



Part 1: Setting Up for Spanning Tree Configuration 1 Log into the switch and load the baseline configuration for this lab by entering the following command: use configuration Lab_ECF09-X











85





86







87





88





Note that the Lab Network interface has been assigned your lab group PC's IP address and mask found in Table 1. This completes the setup of the Lab Group PC.


89


Part 3: Creating and Validating a Spanning Tree Domain 1 Confirm the group VLAN configuration by entering the following command: show vlan

The following displays: --------------------------------------------------------------------------------------Name

VID

Protocol Addr

Flags

Proto

Ports

Virtual

Active router /Total --------------------------------------------------------------------------------------Default

1

Mgmt

------------------------------------------- ANY

4095 ------------------------------------------- ANY

XX

-------------------------------------------- ANY

0 /0 1 /1 0 /3

VR-Default VR-Mgmt VR-Default

--------------------------------------------------------------------------------------Flags : (C) EAPS Control VLAN, (d) NetLogin Dynamically created VLAN, (D) VLAN Admin Disabled, (E) ESRP Enabled, (f) IP Forwarding Enabled, (F) Learning Disabled, (i) ISIS Enabled, (L) Loopback Enabled, (l) MPLS Enabled, (m) IPmc Forwarding Enabled, (M) Translation Member VLAN or Subscriber VLAN, (n) IP Multinetting Enabled, (N) Network Login VLAN, (o) OSPF Enabled, (O) Flooding Disabled, (p) PIM Enabled, (P) EAPS protected VLAN, (r) RIP Enabled, (R) Sub-VLAN IP Range Configured, (s) Sub-VLAN, (S) Super-VLAN, (t) Translation VLAN or Network VLAN, (T) Member of STP Domain, (V) VPLS Enabled, (v) VRRP Enabled Total number of VLAN(s) : 3

Where
VLAN>is

the group VLAN name and XX is the VLAN tag assigned to your lab group

2 Create the group-specific spanning tree domain by entering the following command: create stpd

Where
STPD>is

the one assigned to your lab group in Table 1.

3 Configure the operational mode for the group STP domain to be 802.1w, by entering the following command: configure stpd mode dot1w

4 Add the group VLAN and the ports interconnecting the switches to the group spanning tree protocol domain by entering the following command: configure stpd add vlan ports 13,14

Example using Lab Group Number 4: configure stpd mfg_st add vlan manufacturing ports 13,14

5 Assign the same 802.1q tag to the spanning tree domain as is assigned to the member VLAN by entering the following command: configure stpd tag

Example using Lab Group Number 4: configure stpd mfg_st tag 40

Where
90

STPD>and are

the ones assigned to your lab group in Table 1.



6 Enable the spanning tree function for the group STPD by entering the following command: enable stpd

7 Show the status of the ports participating in spanning tree by entering the following command: show stpd ports


Mode

13

EMISTP DISABLED

State

Cost

20000 e?pp-w--- 128

Flags

Priority Port ID Designated Bridge 800d

00:00:00:00:00:00:00:00

14

EMISTP DISABLED

20000 e?pp-w--- 128

800e

00:00:00:00:00:00:00:00

Total Ports: 2 ------------------------- Flags: 1:

----------------------------

e=Enable, d=Disable

2: (Port role)

R=Root, D=Designated, A=Alternate, B=Backup, M=Master

3: (Config type)

b=broadcast, p=point-to-point, e=edge, a=auto

4: (Oper. type)

b=broadcast, p=point-to-point, e=edge

5:

p=proposing, a=agree

6: (partner mode) d = 802.1d, w = 802.1w, m = mstp 7: 8:

i = edgeport inconsistency S = edgeport safe guard active s = edgeport safe guard configured but inactive

9:

B = Boundary, I = Internal

8 Notice that both ports are currently disabled. 9 Enable ports 13, 14, and 24 by entering the following command: enable ports 13,14,24


91


10 Show the STPD port status again by entering the following command: show stpd ports


Mode

13

EMISTP FORWARDING 20000 eDpp-w--- 128

State

Cost

Flags


80:00:00:04:96:27:b6:49

14


800e

80:00:00:04:96:27:b6:49

Total Ports: 2 ------------------------- Flags: 1:

----------------------------

e=Enable, d=Disable

2: (Port role)


3: (Config type)


4: (Oper. type)


5:


6: (partner mode) d = 802.1d, w = 802.1w, m = mstp 7:

i = edgeport inconsistency

8:

S = edgeport safe guard active s = edgeport safe guard configured but inactive

9:


11 Notice that both ports are now in the FORWARDING state. 12 Verify the spanning tree domain configuration by entering the following command: show stpd

The following is an example of the display from Lab Group 1’s switch: Stpd: sam_st

Stp: ENABLED

Number of Ports: 2

Rapid Root Failover: Disabled Operational Mode: 802.1W

Default Binding Mode: EMISTP

802.1Q Tag: 10 Ports: 13,14 Participating Vlans: sales Auto-bind Vlans: (none) Bridge Priority: 32768 BridgeID:

80:00:00:04:96:27:b6:49

Designated root:

80:00:00:04:96:27:b6:49

RootPathCost: 0

Root Port: ----

MaxAge: 20s

HelloTime: 2s

CfgBrMaxAge: 20s

CfgBrHelloTime: 2s

Topology Change Time: 35s Topology Change Detected: FALSE

ForwardDelay: 15s CfgBrForwardDelay: 15s Hold time: 1s Topology Change: FALSE

Number of Topology Changes: 2 Time Since Last Topology Change: 38s

13 Notice that the BridgeID and Designated Root are the same, indicating that the switch is the root bridge for this spanning tree domain.

92



14 Return to the Lab Group PC with the PC IP Address assigned in Part 2. (10.0.X.101/24)

Open a Command Prompt window and use the PING command to verify that the PC can communicate with the two core switches interfaces in the same subnet by entering the following: ping 10.0.X.1 ping 10.0.X.2

Where X is your lab group number assigned in Table 1. The following displays: C:\Documents and Settings\student>ping 10.0.X.1 Pinging 10.0.X.1 with 32 bytes of data: Reply from 10.0.X.1: bytes=32 time=2ms TTL=255 Reply from 10.0.X.1: bytes=32 time<1ms TTL=255 Reply from 10.0.X.1: bytes=32 time<1ms TTL=255 Reply from 10.0.X.1: bytes=32 time<1ms TTL=255 Ping statistics for 10.0.X.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 2ms, Average = 0ms C:\Documents and Settings\student>ping 10.0.X.2 Pinging 10.0.X.2 with 32 bytes of data: Reply from 10.0.X.2: bytes=32 time=1ms TTL=255 Reply from 10.0.X.2: bytes=32 time<1ms TTL=255 Reply from 10.0.X.2: bytes=32 time<1ms TTL=255 Reply from 10.0.X.2: bytes=32 time<1ms TTL=255 Ping statistics for 10.0.X.2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 1ms, Average = 0ms

15 On the switch, use the PING command to also verify that the switch cannot communicate with any of the interfaces assigned to each of the configured neighbor PC IP interfaces by entering the following: ping 10.0.X.101

Where X is each of the neighbor lab group numbers assigned in Table 1. The following is an example display that should occur with each ping: Ping(ICMP) 10.0.X.101: 4 packets, 8 data bytes, interval 1 second(s). Packet transmit error; Destination unreachable Packet transmit error; Destination unreachable Packet transmit error; Destination unreachable Packet transmit error; Destination unreachable --- 10.0.X.101 ping statistics --0 packets transmitted, 0 received, 0% loss round-trip min/avg/max = 0/0/0 ms


93


Part 4: Changing and Validating Bridge Priority 1 Review the spanning tree domain configuration by entering the following command: show stpd

The following is an example display of Lab Group 1’s switch: Stpd: sam_st

Stp: ENABLED

Number of Ports: 2




80:00:00:04:96:27:b6:49

Designated root:

80:00:00:04:96:27:b6:49

RootPathCost: 0

Root Port: ----

MaxAge: 20s

HelloTime: 2s

CfgBrMaxAge: 20s

CfgBrHelloTime: 2s

ForwardDelay: 15s

Topology Change Time: 35s

CfgBrForwardDelay: 15s Hold time: 1s

Topology Change Detected: FALSE

Topology Change: FALSE


In Part 3 above, we noted that because the BridgeID and Designated Root MAC addresses were the same, this switch is the root bridge in this spanning tree domain. One aspect of a root bridge is that all ports will be in the FORWARDING state; any blocked ports will be resolved on the non-root bridges. 2 Confirm that the STPD ports are in the FORWARDING state by entering the following command: show stpd ports


Mode

13


State

Cost

Flags


80:00:00:04:96:27:b6:49

14


800e

80:00:00:04:96:27:b6:49

Total Ports: 2 ------------------------- Flags: ---------------------------1:

e=Enable, d=Disable

2: (Port role)


3: (Config type)


4: (Oper. type)


5:


6: (partner mode) d = 802.1d, w = 802.1w, m = mstp 7: 8:

i = edgeport inconsistency S = edgeport safe guard active s = edgeport safe guard configured but inactive

9:

94




3 The reason the lab switch is the root bridge is because the Bridge Priority on both CS-A and CS-B have been set higher than the default value, 32768. Change the bridge priority of your switch so that it is no longer the Root Bridge by entering the following command: configure stpd priority 49152

NOTE For 802.1w spanning tree domains, the bridge priority can be a value between 0 and 61440, configured in increments of 4096.

4 Confirm that the switch is no longer the root bridge by entering the following command: show stpd

The following display is an example from Lab Group 1’s switch: Stpd: sam_st

Stp: ENABLED

Number of Ports: 2




c0:00:00:04:96:27:b6:49

Designated root:

a0:00:00:04:96:27:bc:ce

RootPathCost: 20000

Root Port: 13

MaxAge: 20s

HelloTime: 2s

CfgBrMaxAge: 20s

CfgBrHelloTime: 2s

ForwardDelay: 15s

Topology Change Time: 35s

CfgBrForwardDelay: 15s Hold time: 1s

Topology Change Detected: FALSE

Topology Change: FALSE


5 Notice that the BridgeID is no longer the same as the MAC address of the Designated root and the Bridge Priority is now 49152. 6 Confirm that the STPD ports are in the FORWARDING state by entering the following command: show stpd ports


Mode

13

EMISTP FORWARDING 20000 eRppaw--- 128

State

Cost

Flags


a0:00:00:04:96:27:bc:ce

14

EMISTP BLOCKING

800e

b0:00:00:04:96:27:b7:11

20000 eAppaw--- 128

Total Ports: 2

7 Notice that one of the ports is now in the BLOCKING state to prevent a loop in the STP domain.

NOTE Stop and wait here until all the students in class reach this point and the Instructor disables port 23 on CS-A.


95


When the instructor disables port 23 on core switch CS-A, this effectively creates a fault condition in all configured spanning tree domains in the classroom network. 8 After the instructor confirms that the port on CS-A is disabled, check the state of the local STPD ports by entering the following command: show stpd ports


Mode

13

EMISTP FORWARDING 20000 eRppaw--- 128

State

Cost

Flags


a0:00:00:04:96:27:bc:ce

14


800e

c0:00:00:04:96:27:b6:49

Total Ports: 2

9 Notice that both ports are now FORWARDING to ensure connectivity between all of the switches in the domain (the student switch, CS-A, and CS-B).

96


9

Basic EAPS Configuration Lab

This lab tests your ability to configure two EAPS domains on top of a single ring topology. A common strategy for edge switches in a production wiring closet is to use a Layer 2 loop resolution protocol for local traffic in combination with a redundant router protocol like VRRP to forward traffic between VLANs at the core or out to the Internet (Figure 1).


Create EAPS domains.

●

Add control VLAN and any protected VLANs to the domains.

●

Configure your switch to be the master node in the EAPS rings.

●

Configure the inter-switch ports (1,2) to be primary or secondary ports.

●

Enable EAPS globally.

●

Enable the EAPS domains.

●

Verify the EAPS configuration and status.

●

Test the ring recovery.

Figure 1: EAPS Configuration Lab


97


By deploying the Extreme Networks Ethernet Automatic Protection Switching protocol (EAPS), a more precise failure recovery scheme can be achieved than is even possible with spanning tree or by extending the Layer 3 protocol all the way down to the edge switch (Figure 2).

Figure 2: EAPS Topology

Refer to the values listed in Table 1 to configure specific switch parameters throughout the course of the lab.

Table 1: Lab Group Number, Switch Name, Protected VLAN, PV Tag, Control VLAN, CV Tag, and EAPS Domain

98

Lab Group N u m b er

Switc h N ame

1

SAM_1

closet_1

101

ctrl_1

111

ed_1

10.100.1.101/24

2

EXC_2

closet_2

201

ctrl_2

211

ed_2

10.100.2.101/24

3

ACT_3

closet_3

301

ctrl_3

311

ed_3

10.100.3.101/24

4

MFG_4

closet_4

401

ctrl_4

411

ed_4

10.100.4.101/24

5

ENG_5

closet_5

501

ctrl_5

511

ed_5

10.100.5.101/24

6

HUR_6

closet_6

601

ctrl_6

611

ed_6

10.100.6.101/24

Pr o t ec t e d VL A N

PV Tag

C o n t r o l V LA N

EAPS CV T a g D om a in

La b P C I P A d d res s



Part 1: Creating the EAPS Control VLAN 1 Log into the switch and load the baseline configuration for this lab by entering the following command: use configuration Lab_ECF10-X











99


7 Confirm the Protected VLAN configurations by entering the following command: show vlan

The system displays the following: --------------------------------------------------------------------------------------Name

VID

Protocol Addr

Flags

Proto

Ports

Virtual

Active router /Total closet_X

X01

ctrl_X

X11

------------------------------------------- ANY

0 /2

VR-Default

Default

1

------------------------------------------- ANY

------------------------------------------- ANY

0 /0

0 /2

VR-Default

VR-Default

Mgmt

4095 ------------------------------------------- ANY

1 /1

VR-Mgmt

--------------------------------------------------------------------------------------Total number of VLAN(s) : 4

8 Examine the details of the Protected and the Control VLAN by entering the following commands: show vlan closet_X show vlan ctrl_X

The following is an example display for VLAN closet_X: VLAN Interface with name closet_X created by user Admin State:

Enabled

Protocol:

Tagging:

802.1Q Tag X01


Loopback:

Disabled

NetLogin:

Disabled

QosProfile:

None configured

Egress Rate Limit Designated Port: None configured Flood Rate Limit QosProfile: Ports: Tag:

2. !13,

Flags:

None configured

(Number of active ports=0) !14

(*) Active, (!) Disabled, (g) Load Sharing port

The following is an example display for VLAN ctrl_X: VLAN Interface with name ctrl_X created by user Admin State:

Enabled

Protocol:

Tagging:

802.1Q Tag X11


Loopback:

Disabled

NetLogin:

Disabled

QosProfile:

None configured

Egress Rate Limit Designated Port: None configured Flood Rate Limit QosProfile: Ports: Tag: Flags:

100

2.

None configured


!13,

!14

(*) Active, (!) Disabled, (g) Load Sharing port



Part 2: Creating and Configuring the EAPS Domain 1 Create an EAPS domain by entering the following commands: create eaps ed_X

Where X is the lab group number assigned in Table 1. 2 Configure your switch as the EAPS master node by entering the following commands: configure eaps ed_X mode master

NOTE Both core switches CS-A and CS-B are pre-configured as transit switches for both of these EAPS domains.

3 Configure port 13 as the primary (unblocked) port to the ed_X EAPS domain: configure eaps ed_X primary port 13

4 Configure port 14 as the secondary (blocked) port: configure eaps ed_X secondary port 14

5 Verify the configuration for the EAPS domain by entering the following command: show eaps ed_X

The system displays the following: Name: ed_X State: Idle Enabled: No Primary port:

Running: No Mode: Master 13

Secondary port: 14 Hello timer interval: 1

sec

Fail timer interval:

sec

3

Port status: Unknown

Tag status: Undetermined

Port status: Unknown

Tag status: Undetermined

0

millisec

Fail Timer expiry action: Send alert Last valid EAPS update: None till now. EAPS Domain's Controller Vlan: Unassigned EAPS Domain's Protected Vlan(s): Unassigned Number of Protected Vlans: 0

6 Add the ports that will participate in the EAPS ring, tagged, to the control VLAN: configure vlan ctrl_X add ports 13,14 tagged


7 Enter y. 8 Add the control VLAN to the EAPS domain by entering the following command: configure eaps ed_X add control vlan ctrl_X

9 Add the protected VLAN by entering the following command: configure eaps ed_X add protected vlan closet_X


101


10 Enable EAPS globally by entering the following command: enable eaps

11 Enable EAPS for the specific domain by entering the following command: enable eaps ed_X

Part 3: Verifying the EAPS Domain Configuration and Operation 1 Enable the ports assigned to the EAPS ring by entering the following command: enable ports 13,14,24

2 Verify the status for the EAPS domain by entering the following command: show eaps ed_X

The system displays the following: Name: ed_X State: Complete Enabled: Yes Primary port:

Running: Yes Mode: Master 13

Port status: Up Tag status: Tagged

Secondary port: 14

Port status: Blocked

Hello timer interval: 1

sec


sec

3

0

Tag status: Tagged

millisec

Fail Timer expiry action: Send alert Last update: From Master Id 00:04:96:27:b6:49, at Thu Aug 14 18:06:03 2008 EAPS Domain has following Controller Vlan: Vlan Name ctrl_X

VID X11

EAPS Domain has following Protected Vlan(s): Vlan Name closet_X

VID X01

Number of Protected Vlans: 1

3 Notice that the EAPS state is Complete and the secondary port is blocked to prevent a Layer 2 loop.

102



Part 4: Configuring the Client Workstation The following instructions will guide you in setting up the client workstation to test the functionality of the first EAPS domain. If your RD-X connection to PC 127.0.0.1:101 X is still open but minimized, skip to step 6. 1 From your laptop, launch the PuTTY utility:




103





104







105




10 Notice that the Lab Network interface has been assigned your lab group's IP address and mask associated with the first EAPS domain found in Table 1. 11 On the switch, add the switch port connected to the Lab Group PC to the protected VLAN by entering the following command: configure vlan closet_X add ports 24 untagged

Where X is your lab group number found in Table 1. 12 Display the port statistics for both ring ports and the client port by entering the following command: show port 13,14,24 statistics

The following displays: Port Statistics Port

Link State

Tue Aug 19 11:25:12 2008 Tx Pkt

Count

Tx Byte Count

Rx Pkt Count


Bcast

Mcast

================================================================================ 13

A

157

18656

7

1396

0

14

A

6

1788

157

18656

4

3 1

24

A

5

1056

11

2060

4

1

NOTE Ports 13 and 14 are incrementing at the rate of 1 per second, consistent with the EAPS hello packet polling interval.

106



Part 5: Testing the EAPS Configuration 1 On the Lab Group PC open a Command Window. Launch a continuous PING to the Lab_Target_A PC IP address by entering the following command: ping -t 10.100.0.101

The system displays the following: C:\Documents and Settings\student>ping -t 10.100.0.101 Pinging 10.100.0.101 with 32 bytes of data: Reply from 10.100.0.101: bytes=32 time=13ms TTL=127 Reply from 10.100.0.101: bytes=32 time<1ms TTL=127 Reply from 10.100.0.101: bytes=32 time<1ms TTL=127 Reply from 10.100.0.101: bytes=32 time<1ms TTL=127 Reply from 10.100.0.101: bytes=32 time<1ms TTL=127 Reply from 10.100.0.101: bytes=32 time<1ms TTL=127 Reply from 10.100.0.101: bytes=32 time<1ms TTL=127 Reply from 10.100.0.101: bytes=32 time<1ms TTL=127 Reply from 10.100.0.101: bytes=32 time<1ms TTL=127 Reply from 10.100.0.101: bytes=32 time<1ms TTL=127 Reply from 10.100.0.101: bytes=32 time<1ms TTL=127 Reply from 10.100.0.101: bytes=32 time<1ms TTL=127

2 Display the port statistics for both ring ports and the client port by entering the following command: show port 13,14,24 statistics

3 Reset the counters by pressing the 0 key. The system displays the following: Port Statistics Port Link State

Tx Pkt

Count

Tx Byte Count

Rx Pkt Count

Thu Aug 14 18:24:28 2008 Rx Byte Rx Pkt Rx Pkt Count

Bcast

Mcast

================================================================================ 13

A

18

1764

11

1334

0

0

14

A

0

0

9

1026

0

0

24

A

9

702

9

702

0

0

4 Notice that port 13, the active port on the ring, is reporting almost twice the traffic of ports 14 and 24. This is because port 24 is only seeing PING traffic (at the rate of 1 per second) and port 14 is only seeing EAPS hello packets (also at the rate of 1 per second), but port 13 is seeing both the PING and EAPS hello packets. NOTE Wait here for the instructor to simulate a link failure between the transit switches in the core.


107


5 Upon the instructor's direction, display the status for the EAPS domain by entering the following command: show eaps

The following displays: EAPS Enabled: Yes EAPS Fast-Convergence: Off EAPS Display Config Warnings: On Number of EAPS instances: 1 # EAPS domain configuration : -------------------------------------------------------------------------------Domain

State

Mo

En

Pri

Sec

Control-Vlan VID

Count

-------------------------------------------------------------------------------ed_X

Failed

M

Y

13

14

ctrl_X

(X11 ) 1

-------------------------------------------------------------------------------:

6 Display the status for the EAPS domain ed_X by entering the following command: show eaps ed_X

The following displays: Name: ed_X State: Failed Enabled: Yes Primary port:

Running: Yes Mode: Master 13


Secondary port: 14


Hello timer interval: 1

sec


sec

3

0

millisec

Fail Timer expiry action: Send alert Last update: From Master Id 00:04:96:27:b6:49, at Thu Aug 14 18:28:01 2008 EAPS Domain has following Controller Vlan: Vlan Name VID ctrl_X

X11 EAPS Domain has following Protected Vlan(s):

Vlan Name closet_X

VID X01

Number of Protected Vlans: 1

NOTE The ring state is now Failed and the secondary port status has been changed to Up.

7 Display the port statistics for both ring ports and the client port by entering the following command: show port 13,14,24 statistics

108



Reset the counters again by pressing the 0 key; the system displays the following: Port Statistics Port

Link State

Tue Aug 19 11:35:55 2008 Tx Pkt

Count

Tx Byte Count

Rx Pkt Count


Bcast

Mcast

================================================================================ 13

A

40

4320

19

1558

0

0

14

A

0

0

2

596

0

0

24

A

21

1978

19

1482

0

0

8 Notice that port 13 is still incrementing at twice the rate of the client port, 24, indicating that the primary path to the target device is unchanged. This is because the break in the ring did not occur between the source and the target. Note also that port 14 is no longer receiving any packets, further indication that there is a fault in the ring.


109


110


10 Static Routing/IP Forwarding Configuration Lab Layer 3 of the OSI model enables traffic from a device in one VLAN domain may cross the layer 2 boundary to communicate with devices in a different VLAN. This allows network architects to not only manage traffic within a single enterprise network, but also to connect networks across town, across the country, or around the world. When designing an internet where dynamic routing is unnecessary or impractical, it is not uncommon to connect the various networks with static routes. This lab provides you with hands-on experience to create router interfaces, enable IP forwarding, configure multiple static routes, and verify the routing functionality.


Assign IP addresses to existing VLANs

●

Enable IP forwarding

●

Configure static routes

●

Verify and test the IP forwarding operation

Figure 1: Static Ro uting/IP Forw arding La b


111

Static Routing/IP Forwarding Configuration Lab


Table 1: Group, Switch, WAN VLAN, User VLAN Names and Interface Numbers Lab Group Number

Switch Name

1

NC_1

wan_1

10.0.1.2/24

data_1

10.0.101.1/24

10.0.101.11/24

2

OSBU_2

wan_2

10.0.2.2/24

data_2

10.0.102.1/24

10.0.102.11/24

3

EC_3

wan_3

10.0.3.2/24

data_3

10.0.103.1/24

10.0.103.11/24

4

RA_4

wan_4

10.0.4.2/24

data_4

10.0.104.1/24

10.0.104.11/24

5

SC_5

wan_5

10.0.5.2/24

data_5

10.0.105.1/24

10.0.105.11/24

6

WC_6

wan_6

10.0.6.2/24

data_6

10.0.106.1/24

10.0.106.11/24

W A N V LA N

WAN VLAN I n t er f a c e

U ser V LA N

User VLAN Interface


Part 1: Setting Up for Creating Router Interfaces 1 Log into the switch and load the baseline configuration for this lab by entering the following command: use configuration Lab_ECF11-X









112




Part 2: Creating Router Interfaces This exercise begins with both the WAN and User VLANs configured on each switch. 1

Confirm the VLAN configuration by entering the following summary command: show vlan


VID

Protocol Addr

Flags

Proto

Ports

Virtual

Active router /Total --------------------------------------------------------------------------------------data_X

4094 ------------------------------------------- ANY

0 /1

VR-Default

Default

1

------------------------------------------- ANY

0 /0

VR-Default

Mgmt

4095 ------------------------------------------- ANY

1 /1

VR-Mgmt

wan_X

4093 ------------------------------------------- ANY

0 /1

VR-Default


2 Notice that both VLANs have assigned ports, but do not have tags nor IP addresses. 3 Before a VLAN can function at layer 3, you must first associate it with an IP network by assigning it an IP address. Assign an IP address to the VLAN wan_X by entering the following command: configure vlan ipaddress

Example: configure vlan wan_X ipaddress 10.0.X.2/24

Where X is your lab group number assigned in Table 1. 4 Assign an IP address to the VLAN data_X by entering the following command: configure vlan ipaddress

Example: configure vlan data_X ipaddress 10.0.10X.1/24

Where X is your lab group number assigned in Table 1.


113


5 Confirm that the IP addresses were successfully added by entering the following summary command: show vlan


VID

Protocol Addr

Flags

Proto

Ports

Virtual


4094 10.0.10X.1

----------------------- ANY

0 /1

Default Mgmt

1 ------------------------------------------- ANY 4095 ------------------------------------------- ANY

/24

0 /0 1 /1

wan_X

4093 10.0.X.2

/24

----------------------- ANY

0 /1

VR-Default VR-Default VR-Mgmt VR-Default


6 Display the switch route table by entering the following summary command: show iproute

The following displays: Ori d d

Destination

10.0.X.0/24 10.0.10X.0/24

Gateway 10.0.X.2 10.0.10X.1

Mtr 1 1

Flags

VLAN

-------um--- wan_X -------um--- data_X

Duration 0d:0h:2m:14s 0d:0h:1m:29s

Origin(Ori): (d) Direct

Flags: (m) Multicast,(u) Unicast Mask distribution: 2 routes at length 24 Route Origin distribution: 2 routes from Direct Total number of routes = 2 Total number of compressed routes = 0

7 Notice that, even without IP forwarding enabled, the route table still displays directly-connected interfaces (in this case, the User and WAN VLANs).

114



Part 3: Enabling IP Forwarding and Creating a Default Route 1 Enable IP forwarding specifically for both the User and WAN VLANs by entering the following commands: enable ipforwarding wan_X enable ipforwarding data_X

2 Confirm that forwarding is enabled for the VLANs named by entering the following summary command: show vlan


VID

Protocol Addr

Flags

Proto

Ports

Virtual


4094 10.0.10X.1

/24

-f--------------------- ANY

0 /1

VR-Default

Default

1

------------------------------------------- ANY

0 /0

VR-Default

Mgmt

4095 ------------------------------------------- ANY

1 /1

VR-Mgmt

wan_X

4093 10.0.X.2

/24

-f--------------------- ANY

0 /1

VR-Default


3 Notice that both the User and WAN VLANs have been assigned the flag f, indicating that IP forwarding is enabled on these interfaces. NOTE The default route is a special type of static route. It instructs the switch to forward all traffic destined to unknown routes (routes not present in the switch route table) to a specified IP address. In a single-connected, star-hub network configuration like the one described in this lab, using the default route saves the administrator from having to configure individual static routes for each of the five neighbor User VLANs. This way, each edge switch only needs to forward non-local traffic to the Main Campus switch; forwarding between these networks will be managed in the hub.

4 Add a default route to the IP route table by entering the following command: configure iproute add default 10.0.X.1

Where X is your lab group number assigned in Table 1. 5 Notice that this IP address is in the same network assigned to WAN VLAN.


115


6 Confirm that the default route has been added to the switch route table by entering the following summary command: show iproute

The following displays: Ori s d

Destination

Default Route 10.0.X.0/24

d

10.0.10X.0/24

Gateway

Mtr

10.0.X.1

1

10.0.X.2

1

10.0.10X.1

Flags

VLAN

-G---S-um--- wan_X -------um--- wan_X

1

-------um--- data_X

Duration 0d:0h:0m:17s 0d:0h:12m:30s 0d:0h:11m:46s

Origin(Ori): (d) Direct, (s) Static Flags: (G) Gateway,(S) Static,(u) Unicast,(m) Multicast Mask distribution: 1 default routes

2 routes at length 24

Route Origin distribution: 2 routes from Direct

1 routes from Static

Total number of routes = 3 Total number of compressed routes = 0

7 Again, notice that the Default Route is associated with the WAN VLAN. Even though the mask is not declared when the route is configured, the IP address is assumed to be part of the same network.

116







117





118



7 From the Lab PC desktop, open the Lab Networking Addressing folder. Double-click on the Config_ECF011-X batch file, where X is your lab group number assigned in: Table 1:




119




Note that the Lab Network interface has been assigned your Lab Group PC's IP address and mask found in Table 1. This completes the setup of the Lab Group PC.

120



Part 5: Verifying and Testing IP Forwarding and the Static Route 1 Enable the port connected to the Main Campus switch and the port connected to the Lab Group PC by entering the following command: Enable ports 13,24

2 On the Lab Group PC, open a Command Prompt window and use the PING command to verify that the PC can communicate with each of the local switch interfaces (WAN and User), the default gateway, and each of the configured neighbor lab PC’s by entering the following: ping

Example: ping 10.0.X.2 ping

Example: ping 10.0.10X.1 ping


Example: ping 10.0.10x.11

Where X is your lab group number and x is the lab group number of each neighbor lab group.


121


122


11 Routing Information Protocol (RIP) Configuration Lab Student Objectives Dynamic routing protocols are especially useful when there is more than one path available between networks and their attached devices. Unlike static routes, a dynamic protocol can detect when a preferred route has become sub-optimal or is no longer valid. When a change to the routing domain is detected, the protocol re-converges on the routes to prevent service interruption.enable This lab provides you with hands-on experience to available create router interfaces, enable IP forwarding, RIP, and verify the routing functionality. In this lab, you will: ●

Enable IP forwarding and RIP

●

Verify and test the IP forwarding operation

Figure 1: Routing Information Protocol Configuration Lab


Table 1: Group, Switch, VLAN, Interface Names, and VLAN and PC addre sses Lab Group #

Switch Name

WAN VLAN

WAN VLAN Interface

WAN_BU VLAN

WAN_BU VLAN User Interface VLAN

User VLAN Interface

1

NC_1

wan_1

10.0.1.2/24

wanbu_1

10.0.11.2/24 data_1

10.0.101.1/24

10.0.101.11/24

2

OSBU_2

wan_2

10.0.2.2/24

wanbu_2

10.0.12.2/24 data_2

10.0.102.1/24

10.0.102.11/24

3 4

EC_3 RA_4

wan_3 wan_4

10.0.3.2/24 10.0.4.2/24

wanbu_3 wanbu_4

10.0.13.2/24 data_3 10.0.14.2/24 data_4

10.0.103.1/24 10.0.104.1/24

10.0.103.11/24 10.0.104.11/24

5

SC_5

wan_5

10.0.5.2/24

wanbu_5

10.0.15.2/24 data_5

10.0.105.1/24

10.0.105.11/24

6

WC_6

wan_6

10.0.6.2/24

wanbu_6

10.0.16.2/24 data_6

10.0.106.1/24

10.0.106.11/24


PC IP Address

123

Routing Information Protocol (RIP) Configuration Lab

Part 1: Setting Up for Verifying the Router Interfaces 1 Log into the switch and load the baseline configuration for this lab by entering the following command: use configuration Lab_ECF12-X








5 Press the Enter key to bring up the login prompt. Enter admin and press the Enter key. The switch will then display the following prompt for the password:

login: admin password:


124



Part 2: Verifying the Router Interfaces This exercise begins with the WAN, WAN Backup, and User VLANs configured on each switch. 1 Confirm the VLAN configuration by entering the following summary command: show vlan


VID

Protocol Addr

Flags

Proto

Ports

Virtual


4094 10.0.10X.1

----------------------- ANY

0 /1

Default

1

------------------------------------------- ANY

/24

0 /0


Mgmt

4095 ------------------------------------------- ANY

1 /1

VR-Mgmt

wan_X

4093 10.0.X.2

/24

----------------------- ANY

0 /1

VR-Default

wanbu_X

4092 10.0.1X.2

/24

----------------------- ANY

0 /1

VR-Default


2 Notice that all VLANs have pre-assigned ports and IP addresses. 3 Display the switch route table by entering the following summary command: show iproute

The following displays: Ori d

Destination

10.0.X.0/24

Gateway 10.0.X.2

Mtr 1

Flags

VLAN

-------um--- wan_X

Duration 0d:0h:9m:47s

d

10.0.1X.0/24

10.0.1X.2

1

-------um--- wanbu_X

0d:0h:9m:47s

d

10.0.10X.0/24

10.0.10X.1

1

-------um--- data_X

0d:0h:9m:47s

Origin(Ori): (d) Direct, Flags: (m) Multicast, (u) Unicast Mask distribution: 3 routes at length 24 Route Origin distribution: 3 routes from Direct


4 Notice there are three directly connected networks representing the three VLANs with assigned IP addresses in the example above.


125


Part 3: Enabling IP Forwarding and Adding VLANs to RIP 1 Enable IP forwarding specifically for the User(data_X), WAN(wan_X), and WAN Backup(wanbu_x) VLANs by entering the following commands: enable ipforwarding data_X enable ipforwarding wan_X enable ipforwarding wanbu_X

Where X is your lab group number in Table 1. 2 Confirm that forwarding is enabled for the VLANs named by entering the following summary command: show vlan


VID

Protocol Addr

Flags

Proto

Ports

Virtual


4094 10.0.10X.1

Default

1

/24

-f--------------------- ANY

0 /1

------------------------------------------- ANY

0 /0


Mgmt

4095 ------------------------------------------- ANY

1 /1

VR-Mgmt

wan_X

4093 10.0.X.2

/24

-f--------------------- ANY

0 /1

VR-Default

wanbu_X

4092 10.0.1X.2

/24

-f--------------------- ANY

0 /1

VR-Default

--------------------------------------------------------------------------------------Flags : (C) EAPS Control VLAN, (d) NetLogin Dynamically created VLAN, (D) VLAN Admin Disabled, (E) ESRP Enabled, (f) IP Forwarding Enabled

Total number of VLAN(s) : 5

3 Notice that the three VLANs have been assigned the flag f , indicating that IP forwarding is enabled on these interfaces. 4 Configure RIP on each IP interface by entering the following commands: configure rip add vlan data_X configure rip add vlan wan_X configure rip add vlan wanbu_X

Where X is your lab group number in Table 1. 5 Confirm that the VLANs were added to the RIP protocol by entering the following summary command: show vlan

126




VID

Protocol Addr

Flags

Proto

Ports

Virtual


4094 10.0.10X.1

Default

1

/24 -f--------r------------ ANY

0 /1

------------------------------------------ ANY

0 /0

VR-Default

Mgmt

4095 ------------------------------------------ ANY

1 /1

VR-Mgmt

wan_X

4093 10.0.X.2

/24 -f--------r------------ ANY

0 /1

VR-Default

wanbu_X

4092 10.0.1X.2

/24 -f--------r------------ ANY

0 /1

VR-Default

VR-Default

--------------------------------------------------------------------------------------Flags : (f) IP Forwarding Enabled, (r) RIP Enabled Total number of VLAN(s) : 5

6 Notice that the three VLANs have been assigned the flag r, indicating that RIP will dynamically learn routes on these interfaces. 7 In this scenario, the second Main Campus switch will only forward traffic when the primary path to the first switch through port 13 fails. To ensure this performance, increase the cost associated with the secondary path by entering the following command: configure rip wanbu_X cost 10

Where X is your lab group number in Table 1. 8 Confirm that the cost metric is changed for this VLAN by entering the following summary command: show rip interface wanbu_X

The following displays: VLAN

: wanbu_X

Interface

: 10.0.1X.2/24

RouterRIP

: Disabled

Cost

: 10

TxMode

: V2

Input Policy

: None

Output Policy

Trusted GW Policy

: None

Sent Trig. Updates

Rcved Packets

: 0

Sent Packets

: 0

Rcved Bad Packets

: 0

Rcved Bad Routes

: 0

RxMode

: V1orV2 : None : 0

Secondary Interfaces: Rcvd PeerIPAddress

Age Ver

Rcvd Pkts

Rcvd Updts

Rcvd BadPkts

BadRouts

--------------------------------------------------------------------------------


127


Part 4: Enabling RIP and Verifying Protocol Operation 1 Enable the ports connected to the two Main Campus switches and the Lab Group PC by entering the following command: enable ports 13,14,24

2 Enable RIP, by entering the following command: enable rip

3 Confirm that RIP is enabled by entering the following command: show rip

The following displays: RIP Routing

: Enabled

Split Horizon

: Enabled

Poison Reverse

: Enabled

Triggered Updates: Enabled

Aggregation

: Disabled

Update Interval

: 30

Route Timeout

: 180

Garbage Timeout

: 120

Router Alert

: Disabled

Originate Default: Disabled Sys Import-Policy: None Redistribute: Protocol

Status

Cost Tag Policy

----------------------------------------------------------Direct

Disabled

0

0

none

Static

Disabled

0

0

none

OSPFIntra

Disabled

0

0

OSPFInter

Disabled

0

0

none

OSPFExt1

Disabled

0

0

none

OSPFExt2

Disabled

0

0

none

none

E-BGP I-BGP

Disabled Disabled

0 0

0 0

none none

ISISL1

Disabled

0

0

none

ISISL2

Disabled

0

0

none

ISISL1Ext

Disabled

0

0

none

ISISL2Ext

Disabled

0

0

none

4 Confirm that learned routes are being added to the IP route table by entering the following command: show iproute

128



If all of the neighbor switches have been properly configured, the route table will look similar to the following data from Lab Group 6’s switch: Ori

Destination

Gateway

Mtr

Flags

#r

10.0.1.0/24

10.0.6.1

2

UG-D---um--f wan_6

VLAN


#r

10.0.2.0/24

10.0.6.1

2

UG-D---um--f wan_6

0d:0h:3m:25s

#r

10.0.3.0/24

10.0.6.1

2

UG-D---um--f wan_6

0d:0h:3m:25s

#r

10.0.4.0/24

10.0.6.1

2

UG-D---um--f wan_6

0d:0h:3m:25s

#r

10.0.5.0/24

10.0.6.1

2

UG-D---um--f wan_6

0d:0h:3m:25s

#d

10.0.6.0/24

10.0.6.2

1

U------um--f wan_6

0d:0h:46m:57s

#r

10.0.11.0/24

10.0.16.1

11

UG-D---um--f wanbu_6

0d:0h:3m:25s

#r

10.0.12.0/24

10.0.16.1

11


0d:0h:3m:25s

#r

10.0.13.0/24

10.0.16.1

11


0d:0h:3m:25s

#r

10.0.14.0/24

10.0.16.1

11


0d:0h:3m:25s

#r

10.0.15.0/24

10.0.16.1

11


0d:0h:3m:25s

#d

10.0.16.0/24

10.0.16.2

1

U------um--f wanbu_6

0d:0h:46m:57s

#r

10.0.101.0/24

10.0.6.1

3

UG-D---um--f wan_6

0d:0h:3m:25s

#r

10.0.102.0/24

10.0.6.1

3

UG-D---um--f wan_6

0d:0h:3m:25s

#r

10.0.103.0/24

10.0.6.1

3

UG-D---um--f wan_6

0d:0h:3m:25s

#r

10.0.104.0/24

10.0.6.1

3

UG-D---um--f wan_6

0d:0h:3m:25s

#r

10.0.105.0/24

10.0.6.1

3

UG-D---um--f wan_6

0d:0h:3m:25s

#d

10.0.106.0/24

10.0.106.1

1

U------um--f data_6

0d:0h:46m:58s

Origin(Ori): (b) BlackHole, (be) EBGP, (bg) BGP, (bi) IBGP, (bo) BOOTP (ct) CBT, (d) Direct, (df) DownIF, (dv) DVMRP, (e1) ISISL1Ext (e2) ISISL2Ext, (h) Hardcoded, (i) ICMP, (i1) ISISL1 (i2) ISISL2 (is) ISIS, (mb) MBGP, (mbe) MBGPExt, (mbi) MBGPInter, (mp) MPLS Lsp (mo) MOSPF (o) OSPF, (o1) OSPFExt1, (o2) OSPFExt2 (oa) OSPFIntra, (oe) OSPFAsExt, (or) OSPFInter, (pd) PIM-DM, (ps) PIM-SM (r) RIP, (ra) RtAdvrt, (s) Static, (sv) SLB_VIP, (un) UnKnown (*) Preferred unicast route (@) Preferred multicast route (#) Preferred unicast and multicast route Flags: (B) BlackHole, (D) Dynamic, (G) Gateway, (H) Host Route (L) Matching LDP LSP, (l) Calculated LDP LSP, (m) Multicast (P) LPM-routing, (R) Modified, (S) Static, (s) Static LSP (T) Matching RSVP-TE LSP, (t) Calculated RSVP-TE LSP, (u) Unicast, (U) Up (f) Provided to FIB (c) Compressed Route Mask distribution: 18 routes at length 24 Route Origin distribution: 3 routes from Direct

15 routes from RIP


5 Notice that, except for the directly-connected VLAN, all of the edge data network entries are learned

via the wan_X VLAN.


129


6 Simulate a fault in the network and force the edge networks to be learned via the wanbu_X VLAN interface by increasing the cost associated with the primary path. Enter the following command: configure rip wan_X cost 12

Where X is your lab group number in Table 1. 7 Confirm that the cost metric is changed for this VLAN by entering the following summary command: show rip interface wan_X

The following displays: VLAN RouterRIP

: wan_X : Enabled

Interface Cost

: 10.0.X.2/24 : 12

TxMode

: V2

RxMode

: V1orV2

Input Policy

: None

Output Policy

Trusted GW Policy

: None

Sent Trig. Updates

Rcved Packets

: 31

Sent Packets

: 32

Rcved Bad Packets

: 0

Rcved Bad Routes

: 0

: None : 2

Secondary Interfaces: Rcvd PeerIPAddress

Rcvd

Age Ver

Pkts

Rcvd Updts

Rcvd BadPkts

BadRouts

-------------------------------------------------------------------------------10.0.X.1

25

2

31

31

0

0

8 Confirm that edge routes are now being learned through the backup interface by entering the following command: show iproute

130



A route table similar to the following displays: Ori

Destination

Gateway

Mtr

Flags

#r

10.0.1.0/24

10.0.6.1

13

UG-D---um--f wan_6

VLAN


#r

10.0.2.0/24

10.0.6.1

13

UG-D---um--f wan_6

0d:0h:7m:9s

#r

10.0.3.0/24

10.0.6.1

13

UG-D---um--f wan_6

0d:0h:7m:9s

#r

10.0.4.0/24

10.0.6.1

13

UG-D---um--f wan_6

0d:0h:7m:9s

#r

10.0.5.0/24

10.0.6.1

13

UG-D---um--f wan_6

0d:0h:7m:9s

#d

10.0.6.0/24

10.0.6.2

1

U------um--f wan_6

0d:1h:3m:27s

#r

10.0.11.0/24

10.0.16.1

11


0d:0h:19m:55s

#r

10.0.12.0/24

10.0.16.1

11


0d:0h:19m:55s

#r

10.0.13.0/24

10.0.16.1

11


0d:0h:19m:55s

#r #r

10.0.14.0/24 10.0.15.0/24

10.0.16.1 10.0.16.1

11 11

UG-D---um--f wanbu_6 UG-D---um--f wanbu_6

0d:0h:19m:55s 0d:0h:19m:55s

#d

10.0.16.0/24

10.0.16.2

1

U------um--f wanbu_6

0d:1h:3m:27s

#r

10.0.101.0/24

10.0.16.1

12


0d:0h:6m:40s

#r

10.0.102.0/24

10.0.16.1

12


0d:0h:6m:40s

#r

10.0.103.0/24

10.0.16.1

12


0d:0h:6m:40s

#r

10.0.104.0/24

10.0.16.1

12


0d:0h:6m:40s

#r

10.0.105.0/24

10.0.16.1

12


0d:0h:6m:40s

#d

10.0.106.0/24

10.0.106.1

1

U------um--f data_6

0d:1h:3m:28s

Origin(Ori): (b) BlackHole, (be) EBGP, (bg) BGP, (bi) IBGP, (bo) BOOTP (ct) CBT, (d) Direct, (df) DownIF, (dv) DVMRP, (e1) ISISL1Ext (e2) ISISL2Ext, (h) Hardcoded, (i) ICMP, (i1) ISISL1 (i2) ISISL2 (is) ISIS, (mb) MBGP, (mbe) MBGPExt, (mbi) MBGPInter, (mp) MPLS Lsp (mo) MOSPF (o) OSPF, (o1) OSPFExt1, (o2) OSPFExt2 (oa) OSPFIntra, (oe) OSPFAsExt, (or) OSPFInter, (pd) PIM-DM, (ps) PIM-SM (r) RIP, (ra) RtAdvrt, (s) Static, (sv) SLB_VIP, (un) UnKnown (*) Preferred unicast route (@) Preferred multicast route (#) Preferred unicast and multicast route Flags: (B) BlackHole, (D) Dynamic, (G) Gateway, (H) Host Route (L) Matching LDP LSP, (l) Calculated LDP LSP, (m) Multicast (P) LPM-routing, (R) Modified, (S) Static, (s) Static LSP (T) Matching RSVP-TE LSP, (t) Calculated RSVP-TE LSP, (u) Unicast, (U) Up (f) Provided to FIB (c) Compressed Route Mask distribution: 18 routes at length 24 Route Origin distribution: 3 routes from Direct

15 routes from RIP


9 Restore the network by decreasing the cost associated with the primary path. Enter the following command: configure rip wan_X cost 1

Where X is your lab group number.


131





132







133





134







135


Part 6: Verifying and Testing IP Forwarding and RIP 1 Confirm the IP configuration parameters by entering the following summary command: show ipconfig

The following displays: Use Redirects : Disabled IpOption LSRR : Enabled IpOption SSRR : Enabled IpOption RR : Enabled IpOption TS : Enabled IpOption RA : Enabled Route Sharing : Disabled Originated Packets : Don't require ipforwarding IP Fwding into LSP : Disabled Unicast Reverse Path : Disabled Max Shared Gateways : Current: 4

Configured: 4

IRDP: Advertisement Address: 255.255.255.255 Minimum Interval: 450

Lifetime: 1800

Maximum Interval: 600 Preference: 0

VLAN

IP Address

data_X

10.0.10X.1

/24 EUf---MPuRX-------

Flags

nSIA 0

wan_X

10.0.X.2

/24 EUf---MPuRX-------

0

wanbu_X

10.0.1X.2

/24 EUf---MPuRX-------

0

Flags: (A) Address Mask Reply Enabled (B) BOOTP Enabled (b) Broadcast Forwarding Enabled, (E) Interface Enabled (f) Forwarding Enabled (g) Ignore IP Broadcast Enabled (h) Directed Broadcast Forwarding by Hardware Enabled (I) IRDP Advertisement Enabled, (M) Send Parameter Problem Enabled (m) Multicast forwarding Enabled, (n) Multinetted VLAN (nSIA ) Number of Secondary IP Addresses (P) Send Port Unreachables Enabled, (R) Send Redirects Enabled (T) Time Stamp Reply Enabled, (U) Interface Up (u) Send Unreachables Enabled, (X) Send Time Exceeded Enabled (v) VRRP Enabled

2 Confirm which VLANs have been added to RIP and display any associated statistics by entering the following summary command: show rip interface

136




IP Address

Flags Packets

Sent

Packets

Rcvd

Triggered Cost

Updates

data_X

10.0.10X.1

/24 rif-

72

0

9

1

wan_X

10.0.X.2

/24 rif-

69

64

6

1

wanbu_X

10.0.1X.2

/24 rif-

67

77

4

10

Flags: (f) Interface Forwarding Enabled, (i) Interface RIP Enabled (n) Multinetted VLAN, (r) Router RIP Enabled

3 Display all routes associated with or learned via RIP by entering the following command: show rip routes

The system displays data similar to the following example which is from Lab Group 6’s switch: Ori

Destination

Peer

Mtr State VLAN

Age Next-hop

>r

10.0.1.0/24

10.0.6.1

2

wan_6

3

0.0.0.0

>r

10.0.2.0/24

10.0.6.1

2

wan_6

3

0.0.0.0

>r

10.0.3.0/24

10.0.6.1

2

wan_6

3

0.0.0.0

>r

10.0.4.0/24

10.0.6.1

2

wan_6

3

0.0.0.0

>r

10.0.5.0/24

10.0.6.1

2

wan_6

3

0.0.0.0

>r

10.0.6.0/24

0.0.0.0

1

wan_6

0

0.0.0.0

>r

10.0.11.0/24

10.0.16.1

11

wanbu_6

14

0.0.0.0

>r

10.0.12.0/24

10.0.16.1

11

wanbu_6

14

0.0.0.0

>r

10.0.13.0/24

10.0.16.1

11

wanbu_6

14

0.0.0.0

>r

10.0.14.0/24

10.0.16.1

11

wanbu_6

14

0.0.0.0

>r

10.0.15.0/24

10.0.16.1

11

wanbu_6

14

0.0.0.0

>r

10.0.16.0/24

0.0.0.0

10

wanbu_6

0

0.0.0.0

>r

10.0.101.0/24

10.0.6.1

3

wan_6

3

0.0.0.0

>r

10.0.102.0/24

10.0.6.1

3

wan_6

3

0.0.0.0

>r

10.0.103.0/24

10.0.6.1

3

wan_6

3

0.0.0.0

>r

10.0.104.0/24

10.0.6.1

3

wan_6

3

0.0.0.0

>r

10.0.105.0/24

10.0.6.1

3

wan_6

3

0.0.0.0

>r

10.0.106.0/24

0.0.0.0

1

data_6

0

0.0.0.0

Origin(Ori): (be) EBGP, (bi) IBGP, (d) Direct, (o1) OSPFExt1, (o2) OSPFExt2, (oe) OSPFAsExt, (or) OSPFInter, (s) Static (e1) ISISL1Ext, (e2) ISISL2Ext, (i1) ISISL1, (i2) ISISL2 (>) active route (St) route state: C=Changed, D=Deleted, U=Update system import policy pending Total number of routes matching request: 18


137


4 Open a DOS window on the group lab PC and use the PING command to verify that the PC can communicate with the wan_X VLAN Interface, wanbu_X VLAN Interface, data_X VLAN Interface, and PC IP address for each of the configured neighbor lab groups by entering the following for each group: ping




Example: ping 10.0.10X.11

Where X is the lab group number of each neighbor lab group.

138


12 Open Shortest Path First (OSPF) Configuration Lab Student Objectives Dynamic routing protocols are especially useful when there is more than one path available between networks and their attached devices. Unlike static routes, a dynamic protocol can detect when a preferred route has become sub-optimal or is no longer valid. When a change to the routing domain is detected, the protocol will re-converge on the available routes to prevent service interruption. This lab will guide you through the process of creating router interfaces, enabling IP forwarding, enabling OSPF, and verifying the routing functionality. In this lab, you will: ●

Enable IP forwarding

●

Configure and enable OSPF

●

Verify and test the IP forwarding and OSPF functionality

Figure 1: OSPF Configuration Lab


139

Open Shortest Path First (OSPF) Configuration Lab


Table 1: Group, Switch, VLAN, Interface Names, and VLAN and PC addre sses Lab Group Switch Number Name

WAN VLAN

WAN VLAN Interface

WAN_BU VLAN

WAN_BU VLAN User Interface VLAN

1

NC_1

wan_1

10.0.1.2/30

wanbu_1

10.0.1.6/30

closet_1 10.1.1.1/24

10.1.1.11/24

2

OSBU_2 wan_2

10.0.2.2/30

wanbu_2

10.0.2.6/30

closet_2 10.2.1.1/24

10.2.1.11/24

3

EC_3

wan_3

10.0.3.2/30

wanbu_3

10.0.3.6/30

closet_3 10.3.1.1/24

10.3.1.11/24

4

RA_4

wan_4

10.0.4.2/30

wanbu_4

10.0.4.6/30

closet_4 10.4.1.1/24

10.4.1.11/24

5

SC_5

wan_5

10.0.5.2/30

wanbu_5

10.0.5.6/30

closet_5 10.5.1.1/24

10.5.1.11/24

6

WC_6

wan_6

10.0.6.2/30

wanbu_6

10.0.6.6/30

closet_6 10.6.1.1/24

10.6.1.11/24

User VLAN Interface

PC IP Address

Part 1: Setting Up for Verifying the Router Interfaces This exercise begins with the specific group VLAN pre-configured on each switch. 1 Log into the switch and load the baseline configuration for this lab by entering the following command: use configuration Lab_ECF13-X








140





Part 2: Verifying the Router Interfaces This exercise begins with the WAN, WAN BackUp, and User VLANs configured on each switch. 1 Confirm the VLAN configuration by entering the following summary command: show vlan


VID

Protocol Addr

Flags

Proto

Ports

Virtual

Active router /Total --------------------------------------------------------------------------------------closet_X

4094 10.X.1.1

/24

----------------------- ANY

0 /0

VR-Default

Default

1

------------------------------------------- ANY

0 /0

Mgmt

4095 ------------------------------------------- ANY

1 /1

wan_X

4093 10.0.X.2

/30

----------------------- ANY

0 /1

VR-Default

VR-Default

wanbu_X

4092 10.0.X.6

/30

----------------------- ANY

0 /1

VR-Default

VR-Mgmt


2 Notice that all VLANs have pre-assigned ports and IP addresses.


141


3 Display the switch route table by entering the following summary command: show iproute


d d d

Ori Destination 10.0.X.0/30 10.0.X.4/30 10.X.1.0/24

Gateway 10.0.X.2 10.0.X.6 10.X.1.1

1 1 1

Mtr Flags VLAN -------um--- wan_X -------um--- wanbu_X -------um--- closet_X

Duration 0d:0h:10m:38s 0d:0h:10m:38s 0d:0h:10m:38s

Origin(Ori): (b) BlackHole, (be) EBGP, (bg) BGP, (bi) IBGP, (bo) BOOTP (ct) CBT, (d) Direct, (df) DownIF, (dv) DVMRP, (e1) ISISL1Ext (e2) ISISL2Ext, (h) Hardcoded, (i) ICMP, (i1) ISISL1 (i2) ISISL2 (is) ISIS, (mb) MBGP, (mbe) MBGPExt, (mbi) MBGPInter, (mp) MPLS Lsp (mo) MOSPF (o) OSPF, (o1) OSPFExt1, (o2) OSPFExt2 (oa) OSPFIntra, (oe) OSPFAsExt, (or) OSPFInter, (pd) PIM-DM, (ps) PIM-SM (r) RIP, (ra) RtAdvrt, (s) Static, (sv) SLB_VIP, (un) UnKnown (*) Preferred unicast route (@) Preferred multicast route (#) Preferred unicast and multicast route Flags: (B) BlackHole, (D) Dynamic, (G) Gateway, (H) Host Route (L) Matching LDP LSP, (l) Calculated LDP LSP, (m) Multicast (P) LPM-routing, (R) Modified, (S) Static, (s) Static LSP (T) Matching RSVP-TE LSP, (t) Calculated RSVP-TE LSP, (u) Unicast, (U) Up (f) Provided to FIB (c) Compressed Route Mask distribution: 1 routes at length 24


Route Origin distribution: 3 routes from Direct Total number of routes = 3 Total number of compressed routes = 0

4 Notice there are three directly connected networks representing the three VLANs with assigned IP addresses.

Part 3: Enabling IP Forwarding and Configuring OSPF 1 Enable IP forwarding specifically for the User, WAN, and WAN BackUp VLANs by entering the following commands: enable ipforwarding closet_X enable ipforwarding wan_X enable ipforwarding wanbu_X

Where X is your lab group number assigned in Table 1.

142



2 Confirm that forwarding is enabled for the VLANs named by entering the following summary command: show vlan


VID

Protocol Addr

Flags

Proto

Ports

Virtual


4094 10.X.1.1

/24

-f-------------------- ANY

0 /0

Default Mgmt

1 ------------------------------------------ ANY 4095 ------------------------------------------ ANY

0 /0 1 /1

VR-Default

wan_X

4093 10.0.X.2

/30

-f-------------------- ANY

0 /1

VR-Default

wanbu_X

4092 10.0.X.6

/30

-f-------------------- ANY

0 /1

VR-Default

VR-Default VR-Mgmt

--------------------------------------------------------------------------------------Flags : (C) EAPS Control VLAN, (d) NetLogin Dynamically created VLAN, (D) VLAN Admin Disabled, (E) ESRP Enabled, (f) IP Forwarding Enabled, (F) Learning Disabled, (i) ISIS Enabled, (L) Loopback Enabled, (l) MPLS Enabled, (m) IPmc Forwarding Enabled, (M) Translation Member VLAN or Subscriber VLAN, (n) IP Multinetting Enabled, (N) Network Login VLAN, (o) OSPF Enabled, (O) Flooding Disabled, (p) PIM (P) EAPS protected VLAN, (r) RIP Enabled, (R) Sub-VLAN IP Range Configur (s) Sub-VLAN, (S) Super-VLAN, (t) Translation VLAN or Network VLAN, (T) Member of STP Domain, (V) VPLS Enabled, (v) VRRP Enabled Total number of VLAN(s) : 5

3 Notice that the three VLANs have been assigned the flag f, indicating that IP forwarding is enabled on these interfaces. 4 Configure OSPF on each IP interface by entering the following commands: configure ospf add vlan closet_X area 0.0.0.0 configure ospf add vlan wan_X area 0.0.0.0 configure ospf add vlan wanbu_X area 0.0.0.0

Where X is your lab group number assigned in Table 1. 5 Confirm that the VLANs were added to the OSPF protocol by entering the following summary command: show vlan


143



VID

Protocol Addr

Flags

Proto

Ports

Virtual


4094 10.X.1.1

Default

1

/24

-f------o-------------- ANY

0 /0

------------------------------------------- ANY

0 /0


Mgmt

4095 ------------------------------------------- ANY

1 /1

VR-Mgmt

wan_X

4093 10.0.X.2

/30

-f------o-------------- ANY

0 /1

VR-Default

wanbu_X

4092 10.0.X.6

/30

-f------o-------------- ANY

0 /1

VR-Default

--------------------------------------------------------------------------------------Flags : (C) EAPS Control VLAN, (d) NetLogin Dynamically created VLAN, (D) VLAN Admin Disabled, (E) ESRP Enabled, (f) IP Forwarding Enabled, (F) Learning Disabled, (i) ISIS Enabled, (L) Loopback Enabled, (l) MPLS Enabled, (m) IPmc Forwarding Enabled, (M) Translation Member VLAN or Subscriber VLAN, (n) IP Multinetting Enabled, (N) Network Login VLAN, (o) OSPF Enabled, (O) Flooding Disabled, (p) PIM (P) EAPS protected VLAN, (r) RIP Enabled, (R) Sub-VLAN IP Range Configur (s) Sub-VLAN, (S) Super-VLAN, (t) Translation VLAN or Network VLAN, (T) Member of STP Domain, (V) VPLS Enabled, (v) VRRP Enabled Total number of VLAN(s) : 5

6 Notice that the three VLANs have been assigned the flag o, indicating that OSPF will dynamically learn routes on these interfaces. 7 In this scenario, you want the switch to only forward traffic along the wanbu_X VLAN when the primary path through port 13 of the wan_X VLAN fails. To ensure this performance, increase the cost associated with the secondary path by entering the following command: configure ospf wanbu_X cost 20

Where X is the name assigned to your lab group in Table 1. 8 Confirm that the cost metric is changed for this VLAN by entering the following summary command: show ospf interface


IP Address

closet_X wan_X wanbu_X

10.X.1.1 10.0.X.2 10.0.X.6

AREA ID /24 0.0.0.0 /30 0.0.0.0 /30 0.0.0.0

Flags

Cost State

--if--if--if-

Neighbors

10/A ----10/A ----20/C -----

0 0 0

Flags : f - Interface Forwarding Enabled, i - Interface OSPF Enabled, n - Multinetted VLAN, p - Passive Interface, r - Router OSPF Enable, A - Automatic Cost, C - Configured Cost.

144



Part 4: Enabling OSPF and Verifying the Protocol Operation 1 Add port 24 to the closet-X VLAN. Enter the following command: configure vlan closet_X add port 24

2 Enable the ports connected to the two Main Campus switches and the Lab Group PC by entering the following command: enable ports 13,15,24

3 Enable OSPF by entering the following command: enable ospf

4 Confirm that OSPF is enabled by entering the following command: show ospf

The following displays: OSPF : Enabled RouterId : 10.X.1.1 ASBR : No ExtLSA : 0 OriginateNewLSA : 6 SpfHoldTime : 3 CapabilityOpaqueLSA : Enabled 10M Cost : 10 1000M Cost (1G) : 4 Router Alert : Disabled ASExternal LSALimit : Disabled Originate Default : Disabled Redistribute: Protocol direct

Status cost Disabled 0

static Disabled 0 rip Disabled 0 e-bgp Disabled 0 i-bgp Disabled 0 isis-level-1 Disabled 0 isis-level-2 Disabled 0 isis-level-1-external Disabled 0 isis-level-2-external Disabled 0

MPLS LSP as Next-Hop: No RouterId Selection : Automatic ABR : No ExtLSAChecksum : 0x0 ReceivedNewLSA : 21 Lsa Batch Interval : 30s 100M Cost : 5 10000M Cost (10G) : 2 Import Policy File : Timeout (Count) : Disabled (0)

Type Tag 0 0

Policy None

0 0 0 0 0 0 0 0

None None None None None None None None

0 0 0 0 0 0 0 0

5 Notice that, in the absence of an explicitly-configured value, the protocol assigns the highest-order IP address of all configured OSPF interfaces as the RouterID. 6 Confirm that OSPF learned routes are being added to the IP route table by entering the following command: show iproute


145


If all of the neighbor switches have been properly configured, the route table will look similar to the following which shows data from Lab Group 6’s switch: * WC_6.21 # show iproute Ori #oa

Destination 10.0.1.0/30

Gateway 10.0.6.1

Mtr 8

Flags VLAN UG-D---um--f wan_6


#oa #oa #oa

10.0.1.4/30 10.0.2.0/30 10.0.2.4/30

10.0.6.1 10.0.6.1 10.0.6.1

8 8 8

UG-D---um--f wan_6 UG-D---um--f wan_6 UG-D---um--f wan_6

0d:0h:3m:1s 0d:0h:3m:1s 0d:0h:3m:1s

#oa #oa #oa #oa

10.0.3.0/30 10.0.3.4/30 10.0.4.0/30 10.0.4.4/30

10.0.6.1 10.0.6.1 10.0.6.1 10.0.6.1

8 8 8 8

UG-D---um--f UG-D---um--f UG-D---um--f UG-D---um--f

0d:0h:3m:1s 0d:0h:3m:1s 0d:0h:3m:1s 0d:0h:3m:1s

#oa 10.0.5.0/30 #oa 10.0.5.4/30 #d 10.0.6.0/30 #d 10.0.6.4/30 oa 10.0.6.4/30 #oa 10.1.1.0/24 #oa 10.2.1.0/24 #oa 10.3.1.0/24

10.0.6.1 10.0.6.1 10.0.6.2 10.0.6.6 10.0.6.1 10.0.6.1 10.0.6.1 10.0.6.1

8 8 1 1

#oa #oa #d

10.4.1.0/24 10.5.1.0/24 10.6.1.0/24

8

10.0.6.1 10.0.6.1 10.6.1.1

wan_6 wan_6 wan_6 wan_6

UG-D---um--f wan_6 0d:0h:3m:2s UG-D---um--f wan_6 0d:0h:3m:2s U------um--f wan_6 0d:1h:23m:32s U------um--f wanbu_6 0d:1h:23m:32s UG-D---um--- wan_6 0d:0h:3m:2s 13 UG-D---um--f wan_6 0d:0h:3m:2s 13 UG-D---um--f wan_6 0d:0h:3m:2s 13 UG-D---um--f wan_6 0d:0h:3m:2s

13 13 1

UG-D---um--f wan_6 UG-D---um--f wan_6 U------um--f closet_6

0d:0h:3m:2s 0d:0h:3m:2s 0d:1h:23m:32s

Origin(Ori): (b) BlackHole, (be) EBGP, (bg) BGP, (bi) IBGP, (bo) BOOTP (ct) CBT, (d) Direct, (df) DownIF, (dv) DVMRP, (e1) ISISL1Ext (e2) ISISL2Ext, (h) Hardcoded, (i) ICMP, (i1) ISISL1 (i2) ISISL2 (is) ISIS, (mb) MBGP, (mbe) MBGPExt, (mbi) MBGPInter, (mp) MPLS Lsp (mo) MOSPF (o) OSPF, (o1) OSPFExt1, (o2) OSPFExt2 (oa) OSPFIntra, (oe) OSPFAsExt, (or) OSPFInter, (pd) PIM-DM, (ps) PIM-SM (r) RIP, (ra) RtAdvrt, (s) Static, (sv) SLB_VIP, (un) UnKnown (*) Preferred unicast route (@) Preferred multicast route (#) Preferred unicast and multicast route Flags: (B) BlackHole, (D) Dynamic, (G) Gateway, (H) Host Route (L) (P) (T) (f)

Matching LDP LSP, (l) Calculated LDP LSP, (m) Multicast LPM-routing, (R) Modified, (S) Static, (s) Static LSP Matching RSVP-TE LSP, (t) Calculated RSVP-TE LSP, (u) Unicast, (U) Up Provided to FIB (c) Compressed Route

Mask distribution: 6 routes at length 24

Route Origin distribution: 3 routes from Direct


16 routes from OSPFIntra


7 Notice that, except for the directly-connected VLAN, all of the edge data network entries are learned via the wan_X VLAN.

146







147





148







149





150



Part 6: Verifying and Testing IP Forwarding and OSPF 1 Confirm the IP configuration parameters by entering the following summary command: show ipconfig

The following displays: Use Redirects : Disabled IpOption LSRR : Enabled IpOption SSRR : Enabled IpOption RR : Enabled IpOption TS : Enabled IpOption RA : Enabled Route Sharing : Disabled Originated Packets IP Fwding into LSP Unicast Reverse Path Max Shared Gateways

: : : :

Don't require ipforwarding Disabled Disabled Current: 4 Configured: 4

IRDP: Advertisement Address: 255.255.255.255 Minimum Interval: 450 Lifetime: 1800

Maximum Interval: 600 Preference: 0

VLAN closet_X wan_X

IP Address 10.X.1.1 10.0.X.2

Flags /24 EUf---MPuRX------/30 EUf---MPuRX-------

nSIA 0 0

wanbu_X

10.0.X.6

/30 EUf---MPuRX-------

0

Flags: (E) Interface Enabled, (U)Interface Up, f) Forwarding Enabled, (M) Send Parameter Problem Enabled, (P) Send Port Unreachables Enabled, (u) Send Unreachables Enabled, (R) Send Redirects Enabled,(X) Send Time Exceeded Enabled

2

Confirm which VLANs have been added to OSPF and display any associated statistics by entering the following summary command: show ospf interface

The following displays: VLAN IP closet_X wan_X wanbu_X

Address 10.X.1.1 10.0.X.2 10.0.X.6

AREA ID /24 0.0.0.0 /30 0.0.0.0 /30 0.0.0.0

Flags -rif-rif-rif-

Cost State 5/A DR 4/A DR 20/C DR

Neighbors 0 1 1

Flags : f - Interface Forwarding Enabled, i - Interface OSPF Enabled, n - Multinetted VLAN, p - Passive Interface, r - Router OSPF Enable, A - Automatic Cost, C - Configured Cost.


151


3 Additional, area-specific OSPF interface information can be displayed by entering the following summary command: show ospf area 0.0.0.0

The following displays: Area: 0.0.0.0 Type: Normal Router Id: 10.X.1.1 Spf Runs: 5 Num ABR: 0 Num ASBR: 0 Num LSA: 19 LSA Chksum:0x9b8c5 Interfaces: IP addr 10.X.1.1

Ospf /24 E

State DR

DR IP addr 10.X.1.1

10.0.X.2 /30 E DR 10.0.X.6 /30 E DR Inter-Area route Filter: External route Filter: Configured Address Ranges:

BDR IP addr 0.0.0.0

10.0.X.2 10.0.X.6

10.0.X.1 10.0.X.5

4 Notice that the area specified can be any area configured on the switch.

5 Open a Command Prompt window on the Lab Group PC and use the PING command to verify that the PC can communicate with the wan_X VLAN Interface, wanbu_X VLAN Interface, closet_X Interface, and PC IP address for each of the configured neighbor lab groups by entering the following for each group: ping



Example: ping 10.X.1.1 ping

Example: ping 10.X.1.11

Where X is the lab group number of each neighbor lab group.

152



The following displays the output from pinging Lab Group 6: C:\Documents and Settings\student>ping 10.0.6.2 Pinging 10.0.6.2 with 32 bytes of data: Reply from 10.0.6.2: bytes=32 time=2ms TTL=255 Reply from 10.0.6.2: bytes=32 time<1ms TTL=255 Reply from 10.0.6.2: bytes=32 time<1ms TTL=255 Reply from 10.0.6.2: bytes=32 time<1ms TTL=255 Ping statistics for 10.0.6.2: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 2ms, Average = 0ms C:\Documents and Settings\student>ping 10.0.6.6 Pinging 10.0.6.6 with 32 bytes of data: Reply from 10.0.6.6: bytes=32 time<1ms TTL=255 Reply from 10.0.6.6: bytes=32 time<1ms TTL=255 Reply from 10.0.6.6: bytes=32 time<1ms TTL=255 Reply from 10.0.6.6: bytes=32 time<1ms TTL=255 Ping statistics for 10.0.6.6: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms C:\Documents and Settings\student>ping 10.6.1.1 Pinging 10.6.1.1 with 32 bytes of data: Reply from 10.6.1.1: bytes=32 time<1ms TTL=255 Reply from 10.6.1.1: bytes=32 time<1ms TTL=255 Reply from 10.6.1.1: bytes=32 time<1ms TTL=255 Reply from 10.6.1.1: bytes=32 time<1ms TTL=255 Ping statistics for 10.6.1.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms C:\Documents and Settings\student>ping 10.6.1.11 Pinging 10.6.1.11 with 32 bytes of data: Reply from 10.6.1.11: bytes=32 time<1ms TTL=128 Reply from 10.6.1.11: bytes=32 time<1ms TTL=128 Reply from 10.6.1.11: bytes=32 time<1ms TTL=128 Reply from 10.6.1.11: bytes=32 time<1ms TTL=128 Ping statistics for 10.6.1.11: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms


153


154


13 Netlogin using Local MAC Address Authentication Configuration Lab Student Objectives This lab will guide you through the process of supporting an enterprise customer who is preparing to install IP phones in the lobby of their corporate headquarters. These phones will be in publicly accessible locations. Corporate Security would like to protect the Ethernet port to which the phones will connect allowing devices address access tosecurity the network. havetodecided Extremes’ Networkfrom Login feature any withother Local-MAC is the They best way providethat thisusing security. In this lab, you will complete the following tasks: ●

Enable the Network Login Service

●

Configure local MAC address authentication

●

Verify that the configuration works

You and your team will be configuring switches to accommodate the IP phones. Since the phones are not yet onsite, you will be testing the solutions using a PC. Refer to the values listed in Table 1 to understand the configuration parameters for this lab.

Table 1: Lab Group, Station, Remote PC IP Address , Lab Group PC IP Addr ess, Location, Gateway Lab Group

Remote PC

Lab Group PC

N u m b er 1

S t a t io n 1a

IP Address 10.209.10.11/24

I P A d d r ess 192.168.1.31/24

Lo c at io n Phone 11

G a t ew a y 192.168.1.1/24

2

2a

10.209.10.12/24

192.168.2.31/24

Phone 21

192.168.2.1/24

3

3a

10.209.10.13/24

192.168.3.31/24

Phone 31

192.168.3.1/24

4

4a

10.209.10.14/24

192.168.4.31/24

Phone 41

192.168.4.1/24

5

5a

10.209.10.15/24

192.168.5.31/24

Phone 51

192.168.5.1/24

6

6a

10.209.10.16/24

192.168.6.31/24

Phone 61

192.168.6.1/24


155

Netlogin using Local MAC Address Authentication Configuration Lab

Part 1: Setting up for Netlogin This exercise begins with loading the specific group pre-configuration on each switch. 1 Log into the switch and load the baseline configuration for this lab by entering the following command: use configuration Lab_NTLGN-X







When the boot process is complete, the switch displays the following:

Authentication Service (AAA) on the master node is now available for login.


6 Press the Enter key again (by default, there is no password). You are now ready to begin configuring the switch. 7 View the VLAN configuration, enter the following command: show vlan

156



The following displays: -----------------------------------------------------------------------------------Name

VID

Protocol Addr

Flags

Proto

Ports Active

Virtual router

/Total -----------------------------------------------------------------------------------Default

1

Mgmt

4095 -------------------------------------- ANY

192.168.X.1

/24

-----------T------ ANY

1 /1 1 /1

VR-Default VR-Mgmt

-----------------------------------------------------------------------------------Flags : (T) Member of STP Domain Total number of VLAN(s) : 2

Part 2: Configuring the Client Workstation The following instructions will guide you in setting up the client workstation. If your RD-X connection to PC 127.0.0.1:101X is still open but minimized, skip to step 6. 1 From your laptop, launch the PuTTY utility. 2 Launch the remote desktop tunnel by double-clicking on the RD_X saved session.



157





158



7 From the Lab PC desktop, open the Lab Networking Addressing folder. Double-click on the Config_NTLGN-X batch file, where X is your lab group number assigned in Table 1:

This batch file will automatically configure the PC IP address. The following screen appears while the file executes, follow the instructions on the screen:


159


Using Lab Group 1 as an example below, the system displays the following ip configuration:

8 Notice that the Lab Network interface has been assigned your Lab Group PC's IP address and mask found in Table 1. 9 Verify the setup by pinging the default gateway from the vPC. C:\>ping 192.168.X.1

Pinging 192.168.X.1 with 32 bytes of data: Reply from 192.168.X.1: bytes=32 time<1ms TTL=128 Reply from 192.168.X.1: bytes=32 time<1ms TTL=128 Reply from 192.168.X.1: bytes=32 time<1ms TTL=128 Reply from 192.168.X.1: bytes=32 time<1ms TTL=128 Ping statistics for 192.168.X.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms

This completes the setup of the Lab Group PC.

160



Part 3: Displaying the Network Login Configuration 1 On the switch, verify that the MAC-based Network Login service is not configured. show netlogin mac

The following displays: NetLogin Auth Mode : web-based DISABLED; 802.1x DISABLED; mac-based DISABLED NetLogin VLAN NetLogin move-fail-action

: : Deny

NetLogin Client Aging Time

: 5 minutes

Dynamic VLAN Creation

: Disabled

Dynamic VLAN Uplink Ports

: None

-----------------------------------------------MAC Mode Global Configuration -----------------------------------------------Re-authentication period

: 0 (Re-authentication disabled)

Authentication Database

: Radius, Local-User database

------------------------------------------------

2 Verify that the local MAC database (the list of MAC addresses that is stored on the switch) is empty. show netlogin mac-list

The following displays: SS-0X.3 # show netlogin mac-list SS-0X.4 #

Part 4: Configuring the Network Login VLAN The Network Login VLAN is an internal VLAN that enables the system to access the Network Login Service. You will not add any ports to this VLAN, however, later in this lab, you will configure ports to use the Network Login Service. 1 Create a VLAN to support the Network Login service. create vlan netlogin_vlan

2 Associate the VLAN to the Network Login Service. configure netlogin vlan netlogin_vlan

Part 5: Configuring MAC Address Authentication 1 Enable MAC address authentication option of the Network Login Service. enable netlogin mac


161


2 Configure the MAC address authentication process to use the local database. The options available are local and radius. The system will search either the local database and the RADIUS database in the order in which the options are entered. If the local option is entered first, then the local database will be interrogated before the RADIUS database. You may also configure the system to only search local or RADIUS databases by only entering one of the two options.

Enter the following command: configure netlogin mac authentication database-order local

3 On the Lab Group PC, verify that the PC can ping the gateway. C:\>ping 192.168.X.1

4 On your switch, select the ports that will subscribe to the Network Login Service. enable netlogin ports 24 mac

5 On the Lab Group PC, verify that the PC is now unable to ping the gateway. C:\>ping 192.168.X.1 Pinging 192.168.X.1 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 192.168.X.1: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Part 6: Managing the Authorized MAC Addresses There are two parts to managing the authorized MAC Addresses. The first part is to create an entry in the MAC address database. The second part is to create a corresponding entry in the user database for the configured MAC address. 1 On the Lab Group PC, determine the MAC (physical) address of the Lab Network Ethernet Adapter by entering the following at the Command Prompt: ipconfig /all

The following displays: Ethernet adapter Lab Network: Connection-specific DNS Suffix

. :

Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter Physical Address. . . . . . . . . : 00-50-56-00-00-FB Dhcp Enabled. . . . . . . . . . . : No IP Address. . . . . . . . . . . . : 192.168.X.31 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 192.168.X.1

In the example above, the MAC address for the Lab Network Ethernet Adapter is 00-50-56-00-00-FB.

162



2 On the switch, add that MAC addresses to the local database. MAC addresses are entered using the colon as a separator. All alphabetic characters should be entered in upper case. configure netlogin add mac-list

Example: 00:50:56:00:00:FB configure netlogin add mac-list 3 On your switch, add MAC-based users to the local database. When entering the following command, you will substitute the user-name and password options with the MAC address of the IP phone. When entering the MAC address, enter the MAC address used in the last step, omitting the colon (:) character. create netlogin local-user

All alphabetic characters should be entered in upper case. The MAC address from the example above would be entered as 0050560000FB 0050560000FB for the and in the command. Example: 0050560000FB 0050560000FB create netlogin local-user

Part 7: Testing the Configuration 1 On the Lab Group PC, verify that the system is configured correctly by pinging the default gateway. C:\>ping 192.168.X.1

The following displays: Pinging 192.168.X.1 with 32 bytes of data: Request timed out. Reply from 192.168.X.1: bytes=32 time<1ms TTL=128 Reply from 192.168.X.1: bytes=32 time<1ms TTL=128 Reply from 192.168.X.1: bytes=32 time<1ms TTL=128 Reply from 192.168.X.1: bytes=32 time<1ms TTL=128 Ping statistics for 192.168.X.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms

NOTE The reply may not take effect immediately, if you get ‘request timed out’ - wait a minute, and then try again.


163


Part 8: Just in Case.... If you should encounter problems, there are a few commands that you can execute to help you in diagnosing the problem. 1 Display the general Network Login service configuration by using the following command: show netlogin

164



The following displays: NetLogin Authentication Mode : web-based DISABLED; 802.1x DISABLED; mac-based ENABLED NetLogin VLAN

: "netlogin_vlan"

NetLogin move-fail-action

: Deny


: 5 minutes


: Disabled


: None

-----------------------------------------------Web-based Mode Global Configuration -----------------------------------------------Base-URL

: network-access.com

Default-Redirect-Page

: ENABLED; http://www.extremenetworks.com

Logout-privilege

: YES

Netlogin Session-Refresh : ENABLED; 3 minute(s) 0 second(s) Refresh failures allowed : 0 Reauthenticate on refresh: Disabled Authentication Database

: Radius, Local-User database

Proxy Ports : 80(http),443(https) -----------------------------------------------802.1x Mode Global Configuration -----------------------------------------------Quiet Period

: 60

Supplicant Response Timeout

: 30

Re-authentication period

: 3600

Max Re-authentications

: 3

RADIUS server timeout

: 30

EAPOL MPDU version to transmit

: v1


: Radius

------------------------------------------------

-----------------------------------------------MAC Mode Global Configuration -----------------------------------------------MAC Address/Mask

Password (encrypted)

-------------------00:0C:29:AA:D6:8C/48

Port(s)

-----------------------------

-----------------------any




: Local-User database

-----------------------------------------------Port: 24,

Vlan: Default,

State: Enabled,

Authentication: mac-based

Guest Vlan : Disabled Authentication Failure Vlan : Disabled Authentication Service-Unavailable Vlan : Disabled Authenticated

Type

00:0c:29:aa:d6:8c

MAC

IP address 192.168.1.31

Yes, Locally

MAC

00:e0:2b:00:00:01

0.0.0.0

No


MAC

ReAuth-Timer 0

User 000C29AAD68C

0

165


2 To focus in on just the Network Login MAC related parameters, enter the following command: show netlogin mac

The following displays: NetLogin Authentication Mode : web-based DISABLED;802.1x DISABLED; mac-based ENABLED NetLogin VLAN

: "netlogin_vlan"


: Deny


: 5 minutes


: Disabled


: None



--------------------

------------------------------

Port(s)

00:0C:29:AA:D6:8C/48

-----------------------any





-----------------------------------------------Port: 24,

Vlan: Default,

State: Enabled,


Guest Vlan : Disabled Authentication Failure Vlan : Disabled Authentication Service-Unavailable Vlan : Disabled Type

ReAuth-Timer User

00 : 0 c : 2 9: aa: d6 : 8c

MAC

IP address 1 92 . 1 6 8 . 1. 3 1

Authenticated Y e s , L oc al l y

MA C

0

00:e0:2b:00:00:01

0.0.0.0

No

MAC

0

00 0 C 2 9A A D 6 8 C

3 To view the Network Login configuration of the port, enter the following command: show netlogin port 24


: 24

Port Restart

: Disabled

Allow Egress

: None

Vlan

: Default

Authentication

: mac-based

Port State

: Enabled

Guest Vlan

: Disabled

Auth Failure Vlan

: Disabled

Auth Service-Unavailable Vlan : Disabled MAC

166

Authenticated

Type

00:0c:29:aa:d6:8c

IP address 192.168.1.31

Yes, Locally

MAC

00:e0:2b:00:00:01

0.0.0.0

No

MAC

ReAuth-Timer User 0

000C29AAD68C

0



4 To view the default VLAN, enter the following command: show vlan default

5 Finally, you can interrogate the message log to view the activity of the Network Login service. show log messages memory-buffer


08/22/2008 20:42:19.49 Network Login MAC user 000C29AAD68C logged in MAC 00:0C:29:AA:D6:8C port 24 VLAN(s) "Default", authentication Locally 8/22/2008 20:41:47.31 Network Login framework has been initialized 8/22/2008 20:33:30.99 Mac authentication was initiated, but mac-list for virtual router VR-Default is empty


167


168


14 Universal Port Configuration Lab Universal Port is a powerful framework for event driven activation of CLI scripts or profiles. The ExtremeXOS™ Universal Port framework enables the switch to take actions based on such criteria as a detected device, a user authenticated (or unauthenticated), or a user-configured timer. Universal Port is primarily used for simplifying edge configuration. Added security is gained by enabling Network Login for authentication prior to granting the device or user access to the network. In its simplest form, Universal Portand provides theExtremeXOS ability to automatically parameters–ports, IP addresses, QoS on switches. configure network interface


Verify an existing Netlogin configuration

●

Create a Universal Port profile

●

Bind the profile to a pre-defined event

●

Associate the profile with a specific user

●

Test and validate that the profile is applied when the user authenticates

Figure 1: Universal Po rt Conf iguration


169

Universal Port Configuration Lab

Refer to the values listed in Table 1to configure switch parameters for this lab.

Table 1: Group, Switch, VLAN Names, Tags and IP addresses Lab Group #

Switch Data Name VLAN

Data VLAN Tag

Data VLAN IP Address

Data PC IP Address

Voice VLAN

Voice VLAN Tag

Voice VLAN IP Voice PC IP Address Address

1

SAM_1 data_1

1011

10.0.11.1/24

10.0.11.101

voice_1

1012

10.0.12.1/24

10.0.12.101

2

EXC_2

data_2

1021

10.0.21.1/24

10.0.21.101

voice_2

1022

10.0.22.1/24

10.0.22.101

3

ACT_3

data_3

1031

10.0.31.1/24

10.0.31.101

voice_3

1032

10.0.32.1/24

10.0.32.101

4

MFG_4 data_4

1041

10.0.41.1/24

10.0.41.101

voice_4

1042

10.0.42.1/24

10.0.42.101

5 6

ENG_5 data_5 HUR_6 data_6

1051 1061

10.0.51.1/24 10.0.61.1/24

10.0.51.101 voice_5 10.0.61.101 voice_6

1052 1062

10.0.52.1/24 10.0.52.101 10.0.62.1/24 10.0.62.101

Part 1: Setting Up for Loading and Validating the Netlogin Configuration This exercise begins with the specific group VLAN pre-configured on each switch. 1 Log into the switch and load the baseline configuration for this lab by entering the following command: use configuration Lab_ECF19-X







When the boot process is complete, the switch displays the following:

Authentication Service (AAA) on the master node is now available for login.

170





Part 2: Loading and Validating the Netlogin Configuration 1 Review the existing VLAN configuration by entering the following command: show vlan


VID

Protocol Addr

Flags

Proto

Ports

Virtual


10X1 ------------------------------------------- ANY

0 /1

VR-Default

Default

1

------------------------------------------- ANY

0 /0

VR-Default

Mgmt

4095 ------------------------------------------- ANY

1 /1

VR-Mgmt

nl_vlan

4093 ----------------------LN------------------- ANY

0 /1

VR-Default

voice_X

10X2 ------------------------------------------- ANY

0 /1

VR-Default

--------------------------------------------------------------------------------------Flags : (L) Loopback Enabled,(N) Network Login VLAN Total number of VLAN(s) : 5

2 Notice that each switch is configured with a netlogin vlan, nl_vlan, and that all VLANs are already associated with a single port (port 24). 3 Review the existing MAC-based netlogin configuration by entering the following command: show netlogin mac


171


The system displays the following: NetLogin Authentication Mode : web-based DISABLED; 802.1x DISABLED; mac-based DISABLED NetLogin VLAN

: "nl_vlan"


: Deny


: 5 minutes


: Disabled


: None



Port(s)

--------------------

------------------------------

AA:AA:AA:AA:AA:AA/48

24

------------------------

BB:BB:BB:BB:BB:BB/48

24





------------------------------------------------

4 Notice that mac-based authentication is DISABLED, but is pre-configured for two MAC addresses one for each of your two lab PC's.

Also notice that the authentication database is set for the Local-User database. Because we are not using a RADIUS server in this exercise, this will become an important factor later in the lab.

172



Part 3: Configuring the Client Workstations The following instructions will guide you in setting up the client workstations. If your RD-X connection to PC 127.0.0.1:101X is still open but minimized, skip to step 6. 1 From your laptop, launch the PuTTY utility:




173





174



7 From the Lab PC desktop, open the Lab Networking Addressing folder. Double-click on the Config_ECF19-Xa batch file, where X is your lab group number assigned in Table 1:

This batch file will automatically configure the PC IP address. The following screen appears while the file executes, and then closes automatically when it terminates:



175


9 In the command window, display the IP interface information on the PC by entering the following command: ipconfig /all

Using Lab Group 1 as an example, the system displays the following:

10 Notice that the Lab Network interface for this PC has been assigned an IP address on the network associated with the Data PC IP Address ( 127.0.0.1:101X) found in Table 1 (where X is your Lab Group number). 11 From the Data PC desktop, right-click on My Network Places and select Properties from the menu:

176



12 Highlight the Lab Network icon:

13 To block the station from sending any packets prior to testing, select Disable this network device from the Network Tasks menu:

This completes the setup of your first PC. 14 To set up the second lab PC, Enter the combined IP address and unique port number identifying the target lab PC in the format 127.0.0.1:10 2X, where X is the lab group number assigned in Table 1:

This will be configured as the Voice PC and assigned the respective IP address found in Table 1 for your lab group.


177



16 From the PC desktop, open the Lab Networking Addressing folder:. Double-click on the Config_ECF19-Xb batch file, where X is your lab group number assigned in Table 1:

This batch file will automatically configure the PC IP address. The following screen appears while the file executes, and then close automatically when it terminates:

17 Open a Command window:

178



18 In the command window, display the IP interface information on the PC by entering the following command: ipconfig /all

Using Lab Group 1 as an example, the system displays the following:

19 Notice that the Lab Network interface for this PC has been assigned an IP address the network

associated with the Voice PC IP Address (127.0.0.1:102X) found in Table 1 (where X is your Lab Group number). 20 From the PC desktop, right-click on My Network Places and select Properties from the menu:


179


21 Highlight the Lab Network icon:

22 To block the station from sending any packets prior to testing, select Disable this network device from the Network Tasks menu:

180



Part 4: Creating the Universal Port Profiles and Binding to an Event 1 Profiles can be assigned to specific users. For this exercise, we will create two profiles, one for each supplicant. On the switch, create the first profile by entering the following command: create upm profile ecf-19-Xa

Where X is your lab group number found in Table 1. The system displays the following: Start typing the profile and end with a . as the first and the only character on a line. Use - edit upm profile - for block mode capability

2 Enter the following commands: configure vlan data_X ipaddress 10.0.X1.1/24 .

Where X is your lab group number, and the ip address is the value assigned to your group for the VLAN data_X found in Table 1. Note that the second line, . , terminates the editing function of the create command. 3 Create the second profile by entering the following command: create upm profile ecf-19-Xb

Where X is your lab group number found in Table 1. The system displays the following: Start typing the profile and end with a . as the first and the Use - edit upm profile - for block mode capa bility

only chara cter on a li ne.

4 Enter the following commands: configure vlan voice_X ipaddress 10.0.X2.1/24 .

Where X is your lab group number, and is the value assigned to your group for the VLAN data_X found in Table 1. Note that the second line, ., terminates the editing function of the create command. 5 Display summary information for the profiles by entering the following command: show upm profile

The system displays the following: ================================================================================ UPM Profile

Events

Flags Ports

================================================================================ ecf-19-Xa

e

ecf-19-Xb

e

================================================================================ Number of UPM Profiles: 2 Number of UPM Events in Queue for execution: 0 Flags: d - disabled, e - enabled Event name: log-message(Log filter name) - Truncated to 20 chars


181


6 Bind each profile to the user-authentication event by entering the following commands: configure upm event user-authenticate profile ecf-19-Xa ports 24 configure upm event user-authenticate profile ecf-19-Xb ports 24

Where X is your lab group number found in Table 1. 7 Confirm that the profiles were correctly bound by entering the following command: show upm event user-authenticate

The system displays the following: ------------------------------------------------------------------UPM Profile PortList ------------------------------------------------------------------ecf-19-Xa

24

ecf-19-Xb

24

-------------------------------------------------------------------

8 This can also be validated with the summary profile information, shown by entering the following command: show upm profile

The system displays the following: ================================================================================ UPM Profile

Events

Flags Ports

================================================================================ ecf-19-Xa

user-authenticated

e

24

ecf-19-Xb

user-authenticated

e

24

================================================================================ Number of UPM Profiles: 2 Number of UPM Events in Queue for execution: 0 Flags: d - disabled, e - enabled Event name: log-message(Log filter name) - Truncated to 20 chars

182



Part 5: Universal Port, Netlogin, and MAC-Based Authentication In order for authentication to work without an external database (like RADIUS), each user needs to be added to Netlogin's local user database. When using MAC-based authentication, the MAC address of the end station is used for both the user name and the password. 1 The two Lab PC's configured in Part 3 have already been added to the database. Confirm this configuration by entering the following command: show netlogin local-users

The system displays the following: Netlogi n Local User Name Extended-VL AN VSA Security Profile ------------------------------------------------------------------------AAAAAAA AAAAA BBBBBBB BBBBB

2 Notice that the MAC address is entered without delimiters, and all alpha characters are capitalized. 3 An additional requirement of local authorization is to bind the Universal Port profile to the specific Netlogin user by entering the following commands: configure netlogin local-user security-profile ecf-19-Xa configure netlogin local-user security-profile ecf-19-Xb

Example: configure netlogin local-user 000C29AAD68C security-profile ecf-19-1a configure netlogin local-user 000C296BAF67 security-profile ecf-19-1b

Replace and with their respective MAC addresses as displayed in step 1 above, and X with your lab group number found in Table 1. 4 Confirm that the profiles were correctly associated with the user accounts by entering the following command: show netlogin local-users


Netlogin Local User Name

Extended-VLAN VSA

------------------------

-----------------------------

Security Profile ----------------------

AAAAAAAAAAAA

ecf-19-Xa

BBBBBBBBBBBB

ecf-19-Xb


183


Part 6: Triggering and Validating the Event Profile 1 Enable Netlogin for MAC-based authentication by entering the following command: enable netlogin mac

2 Display the MAC-based authentication Netlogin information by entering the following command: show netlogin mac

Notice that MAC-based Netlogin is enabled and configured for the two PC MAC addresses, but that none have been authenticated on any of the displayed VLANs. NetLogin Authentication Mode : web-based DISABLED; NetLogin VLAN NetLogin move-fail-action

802.1x DISABLED;

mac-based ENABLED

: "nl_vlan" : Deny


: 5 minutes


: Disabled


: None



--------------------

Port(s)

------------------------------

------------------------

AA:AA:AA:AA:AA:AA/48

24

BB:BB:BB:BB:BB:BB/48

24





-----------------------------------------------Port: 24,

Vlan: data_X,

State: Enabled,


Guest Vlan : Disabled Authentication Failure Vlan : Disabled Authentication Service-Unavailable Vlan : Disabled MAC

IP address

Authenticated

Type

ReAuth-Timer

User

----------------------------------------------Port: 24,

Vlan: nl_vlan,

State: Enabled,



IP address

Authenticated

Type

ReAuth-Timer

User

----------------------------------------------Port: 24,

Vlan: voice_X,

State: Enabled,



IP address

Authenticated

Type

ReAuth-Timer

User

-----------------------------------------------

3 Enable the port connecting to the Lab Group PCs by entering the following command: enable ports 24

4 Display the summary VLAN information by entering the following command: show vlan

184




VID

Protocol Addr

Flags

Proto

Ports

Virtual


10X1 ------------------------------------------- ANY

1 /1

VR-Default

Default

1

------------------------------------------- ANY

0 /0

VR-Default

Mgmt

4095 ------------------------------------------- ANY

1 /1

VR-Mgmt

nl_vlan

4093 ----------------------LN------------------- ANY

1 /1

VR-Default

voice_X

10X2 ------------------------------------------- ANY

1 /1

VR-Default

--------------------------------------------------------------------------------------Flags : (L) Loopback Enabled,(N) Network Login VLAN

5 Notice that neither the data_X nor the voice_X VLANs have been assigned IP addresses. 6 On the Data PC desktop(127.0.0.1:101X), from Network Connections, re-enable the Lab Network interface by selecting Enable this network device from the Network Tasks menu:

7 On the Data PC desktop(127.0.0.1:101X), open a Command Window and launch a PING to the Data_X VLAN IP address by entering the following command: ping 10.0.X1.1

Where X is your lab group number found in Table 1. The system displays the following: C:\Documents and Settings\student>ping 10.0.X1.1 Reply from 10.0.X1.1: bytes=32 time=1ms TTL=255 Reply from 10.0.X1.1: bytes=32 time<1ms TTL=255 Reply from 10.0.X1.1: bytes=32 time<1ms TTL=255 Reply from 10.0.X1.1: bytes=32 time<1ms TTL=255 Ping statistics for 10.0.X1.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 1ms, Average = 0ms

8 On the switch, display the MAC-based authentication Netlogin information by entering the

following command: show netlogin mac


185


The following display is an example from Lab Group 1’s switch: NetLogin Authentication Mode : web-based DISABLED;802.1x DISABLED; mac-based ENABLED NetLogin VLAN

: "nl_vlan"


: Deny


: 5 minutes


: Disabled


: None



-------------------00:0C:29:6B:AF:67/48

---------------------------------------------------- 24

Port(s)

00:0C:29:AA:D6:8C/48

24





-----------------------------------------------Port: 24,

Vlan: data_1,

State: Enabled,



IP address

00:0c:29:aa:d6:8c

10.0.11.101

Authenticated

Type

Yes, Locally

MAC

ReAuth-Timer 0

User 000C29AAD68C

----------------------------------------------Port: 24,

Vlan: nl_vlan,

State: Enabled,


Guest Vlan : Disabled Authentication Failure Vlan : Disabled Authentication Service-Unavailable Vlan : Disabled

MAC 00:e0:2b:00:00:01

IP address 0.0.0.0

Authenticated No

Type MAC

ReAuth-Timer 0

User

----------------------------------------------Port: 24,

Vlan: voice_1,

State: Enabled,



IP address

Authenticated

Type

ReAuth-Timer

User

-----------------------------------------------

9 Notice that the MAC address for the Data PC (127.0.0.1:101X)has been authenticated on the data_X VLAN. 10 On the switch, display the summary VLAN information by entering the following command: show vlan

186




VID

Protocol Addr

Flags

Proto

Ports

Virtual


10X1 10.0.X1.1

/24

----------------------- ANY

1 /1

VR-Default

Default

1

------------------------------------------- ANY

0 /0

VR-Default

Mgmt

4095 ------------------------------------------- ANY

1 /1

VR-Mgmt

nl_vlan

4093 ----------------------LN------------------- ANY

1 /1

VR-Default

voice_X

10X2 ------------------------------------------- ANY

1 /1

VR-Default

---------------------------------------------------------------------------------------

Total number of VLAN(s) : 5

11 Notice that the data_X VLAN has been assigned the IP address sent a PING. 12 On the Voice PC desktop(127.0.0.1:102X), from Network Connections, re-enable the Lab Network interface by selecting Enable this network device from the Network Tasks menu:

13 On the Voice PC desktop(127.0.0.1:102X), open a Command Window and launch a PING to the voice_X VLAN IP address by entering the following command: ping 10.0.X2.1

Where X is your lab group number found in Table 1. The system displays the following: C:\Documents and Settings\student>ping 10.0.X2.1 Reply from 10.0.X2.1: bytes=32 time=1ms TTL=255 Reply from 10.0.X2.1: bytes=32 time<1ms TTL=255 Reply from 10.0.X2.1: bytes=32 time<1ms TTL=255 Reply from 10.0.X2.1: bytes=32 time<1ms TTL=255 Ping statistics for 10.0.X2.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 1ms, Average = 0ms

14 On the switch, display the MAC-based authentication Netlogin information by entering the

following command: show netlogin mac


187


The system displays the following example from Lab Group 1’s switch for the vlan voice_X segment of the output: ----------------------------------------------Port: 24,

Vlan: voice_1,

State: Enabled,



IP address

00:0c:29:6b:af:67

10.0.12.101

Authenticated

Type

Yes, Locally

MAC

ReAuth-Timer

User

0

000C296BAF67

-----------------------------------------------

15 Notice that the MAC address for the Voice PC(127.0.0.1:102X) has been authenticated on the voice_X VLAN. 16 Display the summary VLAN information by entering the following command: show vlan


VID

Protocol Addr

Flags

Proto

Ports

Virtual


10X1 10.0.X1.1

/24

----------------------- ANY

1 /1

VR-Default

Default

1

------------------------------------------- ANY

0 /0

VR-Default

Mgmt

4095 ------------------------------------------- ANY

1 /1

VR-Mgmt

nl_vlan

4093 ----------------------LN------------------- ANY

1 /1

voice_X

10X2 10.0.X2.1

/24

----------------------- ANY

1 /1



17 Notice that the voice_X VLAN has been assigned the IP address sent a PING.

188


15 Quality of Service (QoS) Configuration Lab Student Objectives When network traffic needs a guarantee of underlying network performance, QoS provides a solution. QoS is a set of protocols and mechanisms that facilitate the delivery of delay and bandwidth sensitive material across data networks. This typically relates to the amount of bandwidth required, but other factors, as priority, areanalso taken into account. QoS in the networks is creatingsuch unequal access in essentially equal access network. InEthernet this environment, anfundamentally application is assured that its requirement for bandwidth, priority, latency and delay are met. Policy-based Quality of Service (QoS) is a feature of Extreme XOS and the Extreme Networks switch architecture that allows you to specify different service levels for traffic traversing the switch. Policybased QoS allows you to protect bandwidth for important categories of applications or to specifically limit the bandwidth associated with less critical traffic. Using Policy-based QoS, you can specify the service level that a particular traffic type receives. The main benefit of QoS is that it allows you to have control over the types of traffic that receive enhanced service from the system. For example, if voice-over-IP (VoIP) traffic requires a reserved amount of bandwidth to function properly. You can use policy-based QoS to reserve sufficient bandwidth critical to this type of application. In this lab, you will implement this feature by assigning a strict service priority by configuring two or more hardware queues to contend for transmission on the same physical port. In this lab, you will: ●

Confirm the baseline VLAN configuration

●

Verify the data forwarding model for unconstrained traffic flows

●

Configure VLAN-based QoS with strict priority queuing

●

Verify the QoS configuration

●

Test the QoS configuration


189

Quality of Service (QoS) Configuration Lab

Figure 1: QoS Configuration Lab


Table 1: Group, Switch, VLAN Names, CV Tags, Ports and PC, and Target VLAN Addresses Lab Group Number 1

2

3

4

5

6

190

VLAN

Target VLAN IP Address on Target Switches

192.168.1.101/24

target_1a

192.168.101.1/24

14u

101

192.168.11.101/24

target_1b

192.168.111.1/24

16u

102

13t, 24u

192.168.2.101/24

target_2a

192.168.102.1/24

14u

201

22

13t, 23u

192.168.22.101/24

target_2b

192.168.122.1/24

16u

202

closet_3a

31

13t, 24u

192.168.3.101/24

target_3a

192.168.103.1/24

14u

301

closet_3b

32

13t, 23u

192.168.33.101/24

target_3b

192.168.133.1/24

16u

302

MFG_4 closet_4a

41

13t, 24u

192.168.4.101/24

target_4a

192.168.104.1/24

14u

401

closet_4b

42

13t, 23u

192.168.44.101/24

target_4b

192.168.144.1/24

16u

402

ENG_5 closet_5a

51

13t, 24u

192.168.5.101/24

target_5a

192.168.105.1/24

14u

501

closet_5b

52

13t, 23u

192.168.55.101/24

target_5b

192.168.155.1/24

16u

502

HUR_6 closet_6a

61

13t, 24u

192.168.6.101/24

target_6a

192.168.106.1/24

14u

601

closet_6b

62

13t, 23u

192.168.66.101/24

target_6b

192.168.166.1/24

16u

602

CV Switch Closet CV Name VLAN (CV) Tag Ports

Lab Group PC IP Addresses

SAM_1 closet_1a

11

13t, 24u

closet_1b

12

13t, 23u

closet_2a

21

closet_2b

EXC_2

ACT_3

Target

TV

TV Ports Tag



Part 1: Creating the EAPS Control VLAN 1 Log into the switch and load the baseline configuration for this lab by entering the following command: use configuration Lab_ECF17-X











191


7 Confirm the configuration of the two edge VLANs, closet_Xa and closet_Xb, and the two target interfaces, target_Xa and target_Xb (where X is the lab group number assigned in Table 1) by entering the following command: show vlan


VID

Protocol Addr

Flags

Proto

Ports

Virtual

Active router /Total --------------------------------------------------------------------------------------closet_Xa closet_Xb

X1 X2

------------------------------------------- ANY ------------------------------------------- ANY

2 /2 2 /2


Default

1

------------------------------------------- ANY

0 /0

VR-Default

Mgmt

4095 ------------------------------------------- ANY

1 /1

VR-Mgmt

target_Xa

X01

192.168.10X.1

/24

----------------------- ANY

1 /1

VR-Default

target_Xb

X02

192.168.1XX.1

/24

----------------------- ANY

1 /1

VR-Default


8 Notice that ports have been assigned and enabled. Also, both target VLANs are configured with IP addresses. This will be the destination IP addresses used to test the QoS feature later in the lab.

192



Part 2: Configuring the Client Workstations The following instructions will guide you in setting up the first client workstation. If your RD-X connection to PC 127.0.0.1:101X is still open but minimized, skip to step 6. 1 From your laptop, launch the PuTTY utility:




193





194



7 From the 127.0.0.1:101X Lab Group PC desktop, open the Lab Networking Addressing folder. Double-click on the Config_ECF17-Xa batch file, where X is your lab group number assigned in Table 1:

This batch file will automatically configure the Lab Group PC IP address. The following screen appears while the file executes, and then closes automatically when it terminates.



195


9 Enter the following command in the command window to display the IP interface information on the Lab Group PC. ipconfig

The system displays the following information.

10 Notice that the ethernet adapter Untagged has been assigned your first Lab Group PC IP Address and mask found in Table 1. 11 For the second Lab Group PC (127.0.0.1:10 2X), open the Accessories folder again and re-launch the Remote Desktop Connect utility.

196



12 Enter the combined IP address and unique port number identifying the second target Lab Group PC in the format 127.0.0.1:102X, where X is the lab group number assigned in Table 1.

13 Enter the login and password credentials. For all lab stations, the User Name is student and the Password is student.

14 From the 127.0.0.1:10 2X Lab Group PC desktop, open the Lab Networking Addressing folder. Double click on the Config_ECF17-Xb batch file, where X is the lab group number assigned in Table 1.

This batch file will automatically configure the Lab Group PC IP address. The following screen will appear while the file executes, and then close automatically when it terminates:


197


15 From the Start menu, click on the Run option to confirm the IP address and static routes. Enter to open a Command window:

cmd

16 Enter the following command in the command window to display the IP interface information on the Lab Group PC: ipconfig

The system displays the following information:

17 Notice that the ethernet adapter Untagged has been assigned your second Lab Group PC IP Address and mask found in Table 1.

198



Part 3: Best-Effort Traffic Modeling Both Lab Group PCs have default gateways configured on the core switch CS-A, and reachable only via the single uplink port, port 13. This means that any traffic sent to destinations across a routing boundary in another subnet will be forwarded out the uplink port, and any traffic sent simultaneously by both systems will contend for outbound bandwidth and priority. 1 From the first Lab Group PC desktop(127.0.0.1:10 1X), open the folder named iPerf for Windows and launch the batch file Lab_ECF17-Xa where X is the lab group number assigned in Table 1.

This batch file will send a 5MB UDP stream for fifty minutes (3000 seconds) to the target address 192.168.10X.1. 2 Show the port utilization for the first Lab Group PC port (port 24) and the uplink port to CS-A (port 13) by entering the following command on your switch: show ports 13,24 utilization

Change the display by pressing the SPACE bar on your keyboard until you are viewing the Link Utilization Averages screen.

The system displays the following: Link Utilization Averages Port

Link State

Link Speed

Wed Aug 27 09:23:24 2008

Receive % bandwidth

Peak Rx % bandwidth

Transmit % bandwidth

Peak Transmit % bandwidth

================================================================================ 13

A

10

0.05

0.06

40.11

42.27

24

A

100

4.01

4.21

0.01

0.01

================================================================================ > indicates Port Display Name truncated past 8 characters Link State: A-Active, R-Ready, NP-Port Not Present, L-Loopback Spacebar->toggle screen U->page up


3 Notice that, in this example, the Receive % bandwidth for port 24 is equal to the Transmit % bandwidth for port 13. Note also that port 13 has been configured for 10MB, so the UDP stream from the first Lab Group PC accounts for over 40% of the port’s total capacity.


199


4 From the second Lab Group PC desktop(127.0.0.1:10 2X), open the folder named iPerf for Windows and launch the batch file Lab_ECF17-Xb where X is the lab group number assigned in Table 1.

This batch file will send a 10MB UDP stream for fifty minutes (3000 seconds) to the target address 192.168.1XX.1. 5 Show the port utilization for the first Lab Group PC port (port 24), the second Lab Group PC port (port 23), and the uplink port to CS-A (port 13) by entering the following command: show ports 13,23,24 utilization

Change the display by pressing the SPACE bar on your keyboard until you are viewing the Link Utilization Averages screen. The system displays the following: Link Utilization Averages Port

Link State

Link Speed

Wed Aug 27 09:38:12 2008

Receive % bandwidth

Peak Rx % bandwidth



================================================================================ 13

A

10

0.11

0.11

99.04

100.00

23

A

100

6.90

6.90

0.01

0.01

24

A

100

3.60

3.86

0.01

0.01



6 Notice that, in this example, the Receive % Bandwidth for port 23 is at the expected 10Mbyte (the size of the UDP transmitted stream), and that the Transmit % Bandwidth for port 13 is now hovering at 100% utilization. 7 No QoS has been configured, so the traffic streams are being forwarded by the default, best-effort profile, QP1. Confirm that all traffic is being service by QP1 by showing the QoS monitor statistics for the uplink port, Port 13, with the following command: show port 13 qosmonitor

200



The system displays the following: Qos Monitor Req Summary Port

QP1

Pkt

Pkt

Xmts

Wed Aug 27 09:43:15 2008

QP2

QP3 Pkt

Xmts

QP4 Pkt

Xmts

QP5 Pkt

Xmts

QP6 Pkt

Xmts

QP7 Pkt

Xmts

QP8 Pkt

Xmts

Xmts

================================================================================ 13

98437

0

0

0

0

0

0

4

The actual target interfaces, 192.168.10 X.1 and 192.168.1XX.1, are configured on the student switch. The streams are forwarded to the first core switch, CS-A, where they cross the routing boundary and pass to the second core switch, CS-B via the cross-connect with CS-A. The two streams are then sent back via layer-2 to the student switch on two separate links, port 14 and port 16. 8 You can get a sense of how the best-effort servicing on port 14 affects the amount of traffic forwarded from either stream by displaying the port utilization information for these two inbound ports with the following command: show ports 14,16 utilization

9 Change the display by pressing the SPACE bar on your keyboard until you are viewing the Link Utilization Averages screen.


Link State

Link Speed

Wed Aug 27 09:57:33 2008

Receive % bandwidth

Peak Rx % bandwidth



================================================================================ 14

A

10

35.81

39.55

0.05

0.06

16

A

10

67.83

69.71

0.05

0.06

10 Notice that, in this example, while the srcinal bandwidth for the first Lab Group PC was 5MB, the Receive % bandwidth for port 14 shows that only approximately 35%, or roughly 3.5MB, is reaching the target. Notice also, a similar situation for the traffic sent from the second Lab Group PC is occurring. Of the 10MB srcinal stream, only 6.7MB arrives at the target.

This information is consistent with what you know of the size of the srcinal streams and QoS profile that is servicing them. The combined streams from the first and second Lab Group PC total 15MB. This means that the first Lab Group PC accounts for approximately one third of the total, and the second Lab Group PC accounts for, approximately, the remaining two thirds. Since all of the traffic is being forwarded by the same QoS queue, the traffic is forwarded according to the percentage of the total, resulting in the numbers you see being received on ports 14 and 16 in the above illustration.


201


Part 4: Configuring Quality of Service, Assigning it to a VLAN, and Verifying Priority Service 1 In our scenario, you want to ensure that the entire smaller stream from the first Lab Group PC arrives at its target, and that the stream from the second Lab Group PC continues to receive besteffort delivery. The switch has two QoS profiles configured by default: QP1 for best-effort and QP8 for management traffic. Confirm this by entering the following command: show qosprofile


QP1

Weight =

1

Max Buffer Percent = 100

QP8

Weight =

1


2 Since the traffic from the first Lab Group PC is only a production stream and you do not want to arbitrarily assign it to your management traffic queue. Begin by first creating the QoS profile QP2 for the smaller stream by entering the following command: create qosprofile qp2

3 Confirm that you successfully created the new profile by entering the following command: show qosprofile


QP1

Weight =

1


QP2

Weight =

1


QP8

Weight =

1


4 Since we want to guarantee that the traffic from the first Lab Group PC arrives at its destination, enter the following command to implement strict priority queue scheduling: configure qosscheduler strict-priority

5 Notice that the queues will now be serviced only in order of priority and the profile weight be ignored. 6 Assign the newly-created profile QP2 to the VLAN servicing the smaller data stream, closet_Xa, by entering the following command: configure closet_Xa qosprofile qp2

Where X is your lab group number found in Table 1. 7 Confirm that the qosprofile is correctly assigned to the VLAN by entering the following command: show vlan closet_Xa

202



The system displays the following: VLAN Interface with name closet_Xa created by user Admin State:

Enabled

Tagging:

802.1Q Tag X1

Virtual router: VR-Default IPv6:

None

STPD:

None Protocol:


Loopback:

Disabled

NetLogin:

Disabled

QosProfile:

QP2


2.

Untag:

None configured


*24

Tag:

*13

Flags:

(*) Active, (!) Disabled, (g) Load Sharing port (b) Port blocked on the vlan, (m) Mac-Based port (a) Egress traffic allowed for NetLogin (u) Egress traffic unallowed for NetLogin (t) Translate VLAN tag for Private-VLAN (s) Private-VLAN System Port, (L) Loopback port (e) Private-VLAN End Point Port

8 If necessary, restart the iPerf utility to ensure that both Lab Group PCs are transmitting their respective UDP streams. Confirm that the traffic on the uplink port, port 13, is now being serviced by queues 1 and 2 with the following command: show port 13 qosmonitor

NOTE

If the iPerf timer on the batch file on either PC has expired, re-launch the utility.

9 Clear the counters by pressing the 0 key.

The system displays the following: Qos Monitor Req Summary Port Pkt Xmts

QP1

QP2 Pkt Xmts

Wed Aug 27 13:12:13 2008 QP3

Pkt

QP4 Pkt

Xmts

QP5 Pkt

Xmts

QP6 Pkt

Xmts

QP7 Pkt

Xmts

QP8 Pkt

Xmts

Xmts

================================================================================ 13

629319

34123

0

0

0

0

0

32

10 While the above confirms that both QP1 and QP2 are servicing the streams equally, it is impossible to tell anything about the actual traffic flow. We can get more insight into how the traffic is moving through the switch by displaying the port utilization information for the four inbound ports (ports 14, 16, 23, and 24) and one outbound port (port 13) with the following command: show ports 13,14,16,23,24 utilization


203


11 Change the display by pressing the SPACE bar on your keyboard until you are viewing the Link Utilization Averages screen.


Link State

Link Speed

Wed Aug 27 13:15:54 2008

Receive % bandwidth

Peak Rx % bandwidth



================================================================================ 13

A

10

0.11

0.11

100.00

100.00

14

A

10

39.65

39.65

0.06

0.06

16

A

10

69.33

69.33

0.06

0.06

23

A

100

7.93

7.93

0.01

0.01

24

A

100

3.98

3.98

0.01

0.01


D->page down ESC->exit0

12 Notice that, in this example, as expected, the information for inbound ports 23 and 24, and outbound port 13, remain unchanged.

The highlighted statistics for the inbound ports 14 and 16, however, is very different than in the best-effort trial. In this case, port 14 and port 16 are showing roughly the same utilization approximately 40% and approximately 60% of a 10MB port, or approximately 5MB of utilization. This proves that all of the higher priority traffic from the smaller stream is now being forwarded out the oversubscribed uplink port, port 13. The remaining bandwidth (approximately 5MB) is used by the lower-priority stream from the second Lab Group PC.

Ensure to clear the configuration on both Lab Group PCs by running the cleanup config file. 13 From the 127.0.0.1:101X Lab Group PC desktop, open the Lab Networking Addressing folder. Double-click on the Config_cleanup_ECF17-Xa batch file, where X is your lab group number assigned in Table 1. 14 From the 127.0.0.1:10 2X Lab Group PC desktop, open the Lab Networking Addressing folder. Double click on the Config_cleanup_ECF17-Xb batch file, where X is the lab group number assigned in Table 1.

204


16 Switch Diagnostics Lab Student Objectives This lab provides you with hands-on experience to use the Extreme Networks system diagnostic features. In this lab, you will: ● Verify system memory and process operation. ●

Terminate and restart a process.

●

Verify that the system health check is enabled.

●

Display the system log.

●

Run normal and extended diagnostics.

●

Verify diagnostic results.

Figure 1: Switch Diagnostics Lab


205

Switch Diagnostics Lab

Part 1: Resetting the Switch to Factory Default 1 Press the Enter key until the system displays the login prompt. 2 Enter

admin

to login to the switch with administrator privilege.

3 The switch should not have an admin password configured. Press the Enter key. 4 The system displays the command line prompt. 5 Reset the switch to the factory default configuration by entering the following command: unconfigure switch all

The following displays: Restore all factory defaults and reboot? (y/N)

6 Enter y and press the Enter key.

The boot process is complete when the following displays: Authentication Service (AAA) on the master node is now available for login.

7 Press the Enter key until the system displays the login prompt. 8 Enter

admin

to login to the switch with administrator privilege.

9 The switch should not have an admin password configured. Press the Enter key.

The system displays the command line prompt. Because it has been reset to the factory default, the switch will prompt for several security settings. First, the following displays: Telnet is enabled by default. Telnet is unencrypted and has been the target of security exploits in the past. Would you like to disable Telnet? [y/N]:

10 Enter n and press the Enter key.

Then the following displays: :

SNMP access is enabled by default. SNMP uses no encryption, SNMPv3 can be configured to eliminate this problem. Would you like to disable SNMP? [y/N]:


The following message appears: All ports are enabled by default. In some secure applications, it maybe more desirable for the ports to be turned off. Would you like unconfigured ports to be turned off by default? [y/N]:

206




The following prompt then displays regarding the failsafe login and password: Changing the default failsafe account username and password is highly recommended. If you choose to do so, please remember the username and password as this information cannot be recovered by Extreme Networks. Would you like to change the failsafe account username and password now? [y/N]:


Finally, the following displays: Would you like to permit failsafe account access via the management port? [y/N]:

14 Enter n and press the Enter key. 15 Save the configuration to the default configuration location by entering the following command: save

The following displays: No default configuration database has been selected to boot up the system. Save configuration will set the new configuration as the default database. The configuration file primary.cfg already exists. Do you want to save configuration to primary.cfg and overwrite it? (y/N)


The following then displays: Saving configuration on master ........... done! Configuration saved to primary.cfg successfully. The selected configuration will take effect after the next switch reboot.


207


Part 2: Monitoring Processes 1 Display system processes, by entering the following command: show process

The switch should display approximately 60 different processes. The following is an example of the command output: Process Name Version Restart State Start Time ------------------------------------------------------------------------aaa 3.0.0.3 0 Ready Tue Mar 11 22:33:48 2008 acl 3.0.0.2 0 Ready Tue Mar 11 22:33:52 2008 bgp 3.0.0.2 0 Ready Tue Mar 11 22:33:50 2008 brm 1.0.0.0 0 Ready Tue Mar 11 22:33:56 2008 cfgmgr 3.0.0.21 0 Ready Tue Mar 11 22:33:47 2008 cli 3.0.0.22 0 Ready Tue Mar 11 22:33:47 2008 devmgr 3.0.0.2 0 Ready Tue Mar 11 22:33:47 2008 . . . vlan 3.1.0.2 0 Ready Tue Mar 11 22:33:48 2008 vrrp 3.0.0.5 0 Ready Tue Mar 11 22:33:53 2008 xmld 1.0.0.0 0 Ready Tue Mar 11 22:33:55 2008

2 Display the memory use for the specific process CLI by entering the following command: show memory process cli

The following displays: System Memory Information ------------------------Total DRAM (KB): 262144 System (KB): 17380 User (KB): 95176 Free (KB): 149588 Memory Utilization Statistics ----------------------------Process Name Memory (KB) ----------------------------cli 17848

3 Display detailed information for the CLI processes by entering the following command: show process cli detail

208



The following displays: Name PID Path Type Link Date Build By Peer -------------------------------------------------------------------------------cli 409 ./cliMaster App Mon Feb 25 15:45:31 PST 2008 release-manager 29 Virtual Router(s): -------------------------------------------------------------------------------Configuration: Start Priority SchedPolicy Stack TTY CoreSize Heartbeat StartSeq -------------------------------------------------------------------------------1 0 0 0 0 0 1 1 Memory Usage Configuration: Memory(KB) Zones: Green Yellow Orange Red -------------------------------------------------------------------------------0

0

0

0

0

Recovery policies -------------------------------------------------------------------------------failover-reboot -------------------------------------------------------------------------------Statistics: ConnectionLost Timeout Start Restart Kill Register Signal Hello Hello Ack -------------------------------------------------------------------------------0 0 0 0 0 1 0 0 175 Memory Zone Green Yellow Orange Red -------------------------------------------------------------------------------Green 0 0 0 0 -------------------------------------------------------------------------------Commands: Start Stop Resume Shutdown Kill -------------------------------------------------------------------------------0 0 0 0 0 -------------------------------------------------------------------------------Resource Usage: UserTime SysTime PageReclaim PageFault Up Since Up Date Up Time -------------------------------------------------------------------------------11.94 2.25 19682 544 Tue Mar 11 22:33:47 2008 00/00/0 0 00:17:46 -------------------------------------------------------------------------------Thread Name

Pid

Tid

Delay

Timeout Count

-------------------------------------------------------------------------------main 409 1024 6 0 --------------------------------------------------------------------------------

4 Display the heartbeat for the CLI process by entering the following command: show heartbeat process cli

The following displays: Process Name Hello HelloAck Last Heartbeat Time ---------------------------------------------------------------------cli 0 215 Tue Mar 11 22:55:32 2008

5 Display the CPU usage for all running processes by entering the following command: top


209


The following displays: Mem: 224196K used, 20568K free, 0K shrd, 1468K buff, 127256K cached Load average: 3.11, 3.03, 2.61 (State: S=sleeping R=running, W=waiting) PID 632 409 621 620 622 405 480 569 481 508

USER root root root root root root root root root root

STATUS R S S S S S < S < S < S < S <

RSS 880 17M 17M 17M 17M 11M 11M 11M 11M 11M

510 511 512 528 530 531 544 546 547

root root root root root root root root root

S S S S S S S S S

11M 11M 11M 11M 11M 11M 11M 11M 11M

N < < < < < < < <

PPID %CPU %MEM COMMAND 631 3.0 0.3 top -d 3 1 0.0 7.2 ./cliMaster 620 0.0 7.2 ./cliMaster 409 0.0 7.2 ./cliMaster 620 0.0 7.2 ./cliMaster 1 0.0 4.7 ./hal 405 0.0 4.7 ./hal 480 0.0 4.7 ./hal 480 0.0 4.7 ./hal 480 0.0 4.7 ./hal 480 480 480 480 480 480 480 480 480

0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0

4.7 4.7 4.7 4.7 4.7 4.7 4.7 4.7 4.7

./hal ./hal ./hal ./hal ./hal ./hal ./hal ./hal ./hal

6 Notice that, in this example, the PID for the CLI process, 409, indicates that the process is not currently consuming any CPU resource, but that it is using 7.2% of memory. 7 Use Ctrl-C to return to the command line.

Part 3: Terminating and Restarting Processes 1 Display a description of what a processes does, by entering the following command: show process description

The following displays: Process Name Description ---------------------------------------------------------------------aaa Authentication, Authorization, and Accounting Server acl Access Control List Manager bgp Border Gateway Protocol . . . tftpd Tftp server thttpd Web Server upm Universal Port Manager vlan VLAN Manager - L2 Switching application vrrp Virtual Router Redundancy Protocol (RFC 3768) xmld XML server

2 Terminate the TFTP process by entering the following command: terminate process tftpd graceful ■

Enter Yes to the tftpd config warning message that asks if you want to continue.

The following displays: Successful graceful termination for tftpd

210



3 Verify the state of the TFTP process by entering the following command: show process tftpd

The following displays: Process Name Version Restart State Start Time ------------------------------------------------------------------------tftpd 3.0.0.2 0 Stopped Tue Mar 11 22:33:54 2008

4 Notice that, in this example, the Restart count is set to 0 and the State is Stopped. 5 Re-start the TFTP process, by entering the following command: start process tftpd

The following displays: Started tftpd successfully

6 Verify the state of the TFTP process, by entering the following command: show process tftpd

The following displays: Process Name Version Restart State Start Time ------------------------------------------------------------------------tftpd 3.0.0.2 1 Ready Tue Mar 11 23:27:30 2008

Part 4: Running Normal Diagnostics 1 Verify that the system health check is enabled by entering the following command: show switch

The following displays: SysName: SysLocation: SysContact: System MAC: System Type:

[email protected], +1 888 257 3000 00:04:96:27:BD:0B X450a-24t

X450a-24t

SysHealth check: Recovery Mode: System Watchdog:

Enabled (Normal) All Enabled

. . .

2 Display the system log by entering the following command: show log


211


The following displays: 03/11/2008 03/11/2008 03/11/2008 03/11/2008 03/11/2008 03/11/2008 03/11/2008 03/11/2008 . . .

23:55:15.49 23:55:13.53 23:51:33.11 23:27:30.49 23:27:30.17 23:15:53.81 23:15:53.81 23:15:35.62

: Login passed for user admin through serial : Login failed for user sh swi through serial : User admin logout from serial : **** tftpd started ***** : Requested process tftpd start : Unknown Process tftpd : Requested process tftpd shutdown : Process tftpd Stopped

3 Verify that the log indicates no system errors. 4 Clear the system log by entering the following command: clear log

5 Run the normal diagnostics by entering the following command: run diagnostics normal

The system displays: Running Diagnostics will disrupt network traffic. Are you sure you want to continue? (y/N)

Enter y and press the Enter key. 6 The system reboots and begins the diagnostic process and the following displays: SummitX Diagnostics Mode Enabled, Starting Diagnostics.... Motherboard CPLD Revision: 2 Starting operational diagnostics DIAGNOSTIC PASS: run test i2c environment DIAGNOSTIC PASS: run test memory nvram DIAGNOSTIC PASS: run test memory flash compact internal scratch DIAGNOSTIC PASS: run test memory sdram DIAGNOSTIC PASS: run test loopback eth DIAGNOSTIC PASS: run test register mac DIAGNOSTIC PASS: run test memory mac DIAGNOSTIC PASS: run test loopback pci DIAGNOSTIC PASS: run test loopback interface lb-mac DIAGNOSTIC PASS: run test loopback interface lb-phy copper DIAGNOSTIC PASS: run test loopback interface lb-phy fiber DIAGNOSTIC PASS: run test snake interface internal

Summit Diagnostics completed, rebooting system...

7 Highlight any failures and report them to the instructor.

212



8 Login and display the summary results of the test by entering the following command: show diagnostics

The following displays: Last Test Date: Mar-12-2008 Summary: Diagnostics Pass


The following displays: 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008

00:35:12.26 00:13:51.48 00:13:51.32 00:13:45.96 00:13:41.56 00:13:36.73 00:13:26.66 00:13:23.61 00:13:21.68 00:13:21.08 00:13:17.58 00:13:17.58 00:13:16.52 00:13:16.50 00:13:15.47 00:13:13.33 00:13:09.96 00:13:09.95 00:13:09.41 00:13:07.71 00:05:52.91

Login passed for user admin through serial Internal power sup ply operational. Switch is operati onal System is stable. Change to warm reset mode Watchdog enabled DOS protect application started successfully **** telnetd started ***** **** tftpd started ***** Network Login framework has been initialized Node State[3] = OPERATIONAL Node State[2] = STANDBY Node INIT DONE .... Node State[1] = INIT telnetd listening on port 23 Hal initialization done. Starting hal initi alization .... DM started NM started EPM Started Changing to watchdog warm reset mode Rebooting with reason User requested reboot to run diagnostics

10 Verify that the log indicates no system errors.


213


Part 5: Running Extended Diagnostics 1 Run the normal diagnostics by entering the following command: run diagnostics extended

The system displays: Running Diagnostics will disrupt network traffic. Are you sure you want to continue? (y/N)

Enter y and press the Enter key. 2 The system reboots and begins the diagnostic process and the following displays: SummitX Diagnostics Mode Enabled, Starting Diagnostics.... Motherboard CPLD Revision: 2 Starting operational diagnostics DIAGNOSTIC PASS: run test i2c environment DIAGNOSTIC PASS: run test memory nvram DIAGNOSTIC PASS: run test memory flash compact internal scratch DIAGNOSTIC PASS: run test memory sdram DIAGNOSTIC PASS: run test loopback eth iterations 50 pps-rate fast DIAGNOSTIC PASS: run test register mac DIAGNOSTIC PASS: run test memory mac fill-data hex byte 0x55 DIAGNOSTIC PASS: run test memory mac fill-data hex byte 0xAA DIAGNOSTIC PASS: run test loopback pci iterations 10 DIAGNOSTIC PASS: run test loopback interface lb-mac iterations 50 pps-rate fast DIAGNOSTIC PASS: run test loopback interface lb-phy copper iterations 50 pps-rate fast DIAGNOSTIC PASS: run test loopback interface lb-phy fiber iterations 50 pps-rate fast DIAGNOSTIC PASS: run test snake interface internal duration 60

Summit Diagnostics completed, rebooting system...

3 Notice that there is one more test in extended diagnostics than in normal diagnostics, and that several tests display more detailed test information. Highlight any failures and report them to the instructor. 4 Login and display the summary results of the test by entering the following command: show diagnostics

The following displays: Last Test Date: Mar-12-2008 Summary: Diagnostics Pass


214



The following displays: 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 03/12/2008 A

6

tot al

of

01:05:26.0 00:54:09.75 00:54:09.44 00:54:03.79 00:53:59.50 00:53:55.35 00:53:45.50 00:53:42.8 00:53:40.36 00:53:39.8 00:53:36.86 00:53:36.86 00:53:35.7 00:53:35.62 00:53:34.73 00:53:32.32 00:53:29.04 00:53:28.93 00:53:28.42 00:53:26.7 00:45:25.7 21

log

0 Login passed for user admin through serial Internal power supply operational. Switch is operational System is stable. Change to warm reset mode Watchdog enabled **** telnetd started ***** DOS protect application started successfully 4 **** tftpd started ***** Node State[3] = OPERATIONAL 8 Network Login framework has been initialized Node State[2] = STANDBY Node INIT DONE .... 8 Node State[1] = INIT telnetd listening on port 23 Hal initialization done. Starting hal initialization .... NM started DM started EPM Started 2 Changing to watchdog warm reset mode 0 Rebooting with reason U ser requested reboot to run

me ssag es

diagnostics

wer e d is pla yed .

Verify that the log indicates no system errors.


215


216


17 Network Troubleshooting Lab Student Objectives This lab provides you with hands-on experience to use the systematic troubleshooting process and verify the operation of the network at the physical, datalink, and network layers. In this lab, you will: ● Load a pre-configured configuration file with embedded configuration errors. ●

Use appropriate commands, learned throughout this course, to identify faults.

●

Resolve any errors introduced by the configuration file.

●

Document the commands used to restore the simple OSPF network.

Figure 1: Network Troubleshooting Lab


217

Network Troubleshooting Lab

Refer to the values listed in Table 1 and Table 2 to configure switch parameters for this lab.

Table 1: Lab Groups and Switch Names Lab Group Number

1

2

3

4

5

6

Switch Name

NC_1

OSBU_2

EC_3

RA_4

SC_5

WC_6

Table 2: Valid VLAN Names, Ports, IP Addresses and OSPF Areas V LA NN a m e

Po rts

I PA d d r e ss

OS P FA r e a

wan_X wanbu_X

13 15

10.0.X.2/24 10.0.1X.2/24

0.0.0.0 0.0.0.0

data_X

24

10.0.10X.1/24

0.0.0.0


10.0.10X.101/24

Table 2 contains the correct values required for the network you are troubleshooting. X is your lab group number found in Table 1. In this exercise your lab group has been assigned eight embedded configuration errors. These represent some of the most common problems found in a production environment. 1 Use the information in the tables above and the appropriate commands to help identify these faults. 2 Record each error on the Fault Description side of the worksheet as you discover them. 3 Apply the changes and record the configuration command that you use to correct the error on the Command side of the worksheet.

Part 1: Setting Up the Lab Switch 1 Log into the switch and load the baseline configuration for this lab by entering the following command: use configuration Lab_ECF14-X




If there were no unsaved changes on the switch, the system will display the following: Are you sure you want to reboot the switch? (y/N)

218







Part 2: Configuring the Client Workstation The following instructions will guide you in setting up the client workstation. If your RD-X connection to PC 127.0.0.1:101X is still open but minimized, skip to step 6. 1 From your laptop, launch the PuTTY utility. 2 Launch the remote desktop tunnel by double-clicking on the RD_X saved session.



219





220







221




Note that the Lab Network interface has been assigned your lab group PC's IP address and mask found in Table 2. This completes the setup of the Lab Group PC. Minimize this window and return to the switch now.

222



Error Identification and Resolution Worksheet Compare the values in Tables 1and 2 with the output received when using appropriate commands. Identify the eight faults embedded in the troubleshooting configuration and restore the network. No.

F a u lD t esc r ip t i o n

Co m m a n d

1

2

3

4

5

6

7

8


223


224


18 Appendix A: Lab Network Diagrams


225

Appendix A: Lab Network Diagrams

226




227


228




229


230




231


232




233


234




235


236




237


238




239


240




241


242


ExtremeXOS Operations and Configuration Lab Guide

Recommend Documents