Friday, June 4, 2010

INE Workbook Vol1 Bridging/Switching

'show interface [interface] pruning' shows which VLANs have been pruned from that particular interface, or from all interfaces if no interface is given in the command. I didn't know you could set which VLANs were prune-eligible...


Rack24SW1(config-if)#do sh run int f0/13
Building configuration...

Current configuration : 183 bytes
!
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 146
 switchport trunk pruning vlan 2-6,8-1001
 switchport mode dynamic desirable

With QinQ tunneling, I always forget the command for l2 tunneling. It's simply the interface-level 'l2protocol-tunnel [protocol]' command. To enable QinQ tunneling, set the switchport access VLAN, set the switchport mode to dot1q-tunnel and apply any applicable l2 tunneling. You may also need to set the system MTU to 1504 to accommodate the additional 4-byte dot1q tag. You may also need to disable CDP on the switch interface if you do not want the switch to show up in your CDP neighbors list.

UDLD will not shut down the port by default and will only mark the port as 'undetermined'. Aggressive mode will err-disable the port.

Spanning tree uses the designated (upstream) port-priority as a tie breaker if the end-to-end cost is the same on multiple ports to the same upstream switch. Remember that spanning-tree cost is calculated end-to-end.

When MST is enabled, RSTP is automatically enabled. Assign 'edge' port role using 'spanning-tree portfast'.

The 'switchport priority extend [trust|cos]' command will either trust the CoS markings or set the CoS markings for the devices attached to the appliance (i.e. a Cisco phone). Don't confuse this with 'mls qos cos 1' and 'mls qos cos override', which will wipe out the phone markings.

There are several built-in switchport macros that can be applied. View them with the 'show parser macro' command. Cool stuff. They include a global macro, desktop template, router, switch, phone, etc. Built-in macros can be applied like so...


Rack24SW1(config-if-range)#int fa0/10
% Command exited out of interface range and its sub-modes.
  Not executing the command for second and later interfaces
Rack24SW1(config-if)#macro appl
Rack24SW1(config-if)#macro apply cisco-desktop $access_vlan 10
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION


%Portfast has been configured on FastEthernet0/10 but will only
 have effect when the interface is in a non-trunking mode.
Rack24SW1(config-if)#do sh run int fa0/10
Building configuration...


Current configuration : 332 bytes
!
interface FastEthernet0/10
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
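The two interfaces above are a good fixture for a small config audit: parse the running-config into interface stanzas, expand the IOS VLAN-list syntax used by 'switchport trunk pruning vlan', and check each access port against the baseline the cisco-desktop macro applies (port-security, portfast, bpduguard), flagging portfast on any port that is not in access mode, which is exactly the condition the IOS warning above complains about. This is an added example written for this post, not INE's or Cisco's code; the running-config it audits is constructed from the Fa0/10 and Fa0/13 stanzas shown here, and Fa0/11 is an invented interface that exists only to exercise the portfast check.

```python
import re

# Constructed running-config excerpt: Fa0/10 and Fa0/13 follow the interfaces
# shown in the post; Fa0/11 is an invented interface that only exists to
# exercise the portfast-on-a-trunk check.
RUNNING_CONFIG = """\
interface FastEthernet0/10
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/11
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet0/13
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 146
 switchport trunk pruning vlan 2-6,8-1001
 switchport mode dynamic desirable
!
"""

# Default prune-eligible list: VLANs 2-1001 (VLAN 1 and 1002-1005 never prune).
DEFAULT_PRUNE_ELIGIBLE = set(range(2, 1002))
# Access-port baseline: the protections the cisco-desktop macro applies.
ACCESS_BASELINE = ("switchport port-security", "spanning-tree portfast",
                   "spanning-tree bpduguard enable")
PRUNING_RE = re.compile(r"^switchport trunk pruning vlan (\S+)$")


def parse_vlan_list(text):
    """Expand IOS VLAN-list syntax ('2-6,8-1001') into a set of VLAN ids."""
    vlans = set()
    for part in text.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part.strip():
            vlans.add(int(part))
    return vlans


def parse_interfaces(config):
    """Split a running-config into {interface name: [stripped sub-mode lines]}."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas


def prune_withheld(lines):
    """VLANs from the default prune-eligible range that this trunk keeps off its list."""
    for line in lines:
        m = PRUNING_RE.match(line)
        if m:
            if m.group(1) == "none":  # 'pruning vlan none' = nothing is prune-eligible
                return set(DEFAULT_PRUNE_ELIGIBLE)
            return DEFAULT_PRUNE_ELIGIBLE - parse_vlan_list(m.group(1))
    return set()


def audit_interface(lines):
    """Return the findings for one interface stanza as a list of strings."""
    findings = []
    mode = next((l[len("switchport mode "):] for l in lines
                 if l.startswith("switchport mode ")), None)
    if mode == "access":
        findings += [f"access port is missing '{item}'"
                     for item in ACCESS_BASELINE if item not in lines]
    elif "spanning-tree portfast" in lines:
        # Same condition as the IOS warning: portfast only acts on non-trunking ports.
        findings.append(f"spanning-tree portfast configured but mode is "
                        f"{mode or 'not set'}; it only takes effect on a non-trunking port")
    withheld = prune_withheld(lines)
    if withheld:
        findings.append(f"VLANs kept off the prune-eligible list: {sorted(withheld)}")
    return findings


def audit(config):
    """Audit every interface stanza; returns {interface name: [findings]}."""
    return {name: audit_interface(lines)
            for name, lines in parse_interfaces(config).items()}
```

Running audit(RUNNING_CONFIG) reports Fa0/10 as clean, flags the portfast on Fa0/11, and shows that Fa0/13's pruning list withholds only VLAN 7 from the default 2-1001 range. Feed it the output of 'show running-config' from a real switch and the per-port findings are what you would want to review before a LAN refresh.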


Very cool. I do quite a lot of LAN refresh projects and these may just come in handy.

Flex Links use the 'backup' interface command and are pretty self-explanatory. When the line protocol of the primary interface goes down, the backup interface is brought up. You can also set the preemption mode, delay and other features.


SW1(config-if)#do sh run int po1
Building configuration...


Current configuration : 243 bytes
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport backup interface Fa0/16
 switchport backup interface Fa0/16 preemption mode forced
 switchport backup interface Fa0/16 preemption delay 20

I don't know why fallback bridging was always so difficult. Fallback bridging works to bridge non-ip protocols such as IPX or sometimes IPv6 (depending on switch model and SDM template). All you have to do is create the bridge, and add the interfaces to the bridge. This is even simpler than CRB or IRB.


Private VLANs are pretty self-explanatory, but can be confusing to construct. First you create and map the VLANs through vlan configuration mode, then you need to set the private-vlan mode per interface, and create the promiscuous, host, or private VLAN mapping per interface. I always forget to set the mode....


vlan 100
  private-vlan primary
  private-vlan association 1000,2000,3000
!
vlan 1000
  private-vlan community
!
vlan 2000
  private-vlan community
!
vlan 3000
  private-vlan isolated
!
interface FastEthernet0/2
 switchport private-vlan host-association 100 1000
 switchport mode private-vlan host
!
interface FastEthernet0/4
 switchport private-vlan host-association 100 2000
 switchport mode private-vlan host
!
interface FastEthernet0/6
 switchport private-vlan host-association 100 3000
 switchport mode private-vlan host


Verify with 'show vlan private-vlan'. A quick way to test is to ping the broadcast address with a ping repeat of 1. You may need to do this more than once if an ARP lookup is required.


SW1(config-if)#do sh vlan priv


Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     1000      community         Fa0/1, Fa0/3
100     2000      community         Fa0/1, Fa0/5
100     3000      isolated          Fa0/1



R1#ping 255.255.255.255 rep 1


Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:


Reply to request 0 from 100.0.0.5, 4 ms
Reply to request 0 from 100.0.0.2, 4 ms
Reply to request 0 from 100.0.0.3, 4 ms
Reply to request 0 from 100.0.0.6, 4 ms
Reply to request 0 from 100.0.0.4, 4 ms
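The broadcast ping is the empirical check; it helps to have the expected answer in hand before sending it. The following added example (mine, not INE's or Cisco's) parses a 'show vlan private-vlan' table like the one above and applies the private VLAN forwarding rules (community hosts reach their own community and the promiscuous port, isolated hosts reach only the promiscuous port, the promiscuous port reaches every secondary it is mapped to) to list which ports should reply to a broadcast from a given port. The table it parses is constructed: it follows the post's table but adds host ports Fa0/2, Fa0/4 and Fa0/6 so every secondary has a member, and it infers that Fa0/1 is promiscuous because it appears under more than one secondary (a host port can only have one host-association).

```python
import re

# Constructed 'show vlan private-vlan' output, modelled on the table in the post
# but extended so that every secondary VLAN has a host port. Fa0/1 is listed
# under all three secondaries (a promiscuous port mapped to all of them).
SHOW_PVLAN = """\
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     1000      community         Fa0/1, Fa0/2, Fa0/3
100     2000      community         Fa0/1, Fa0/4, Fa0/5
100     3000      isolated          Fa0/1, Fa0/6
"""

ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(community|isolated)\s+(.*)$")


def parse_private_vlans(text):
    """Return {secondary vlan: (type, [ports])} from the show output."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            _primary, secondary, kind, ports = m.groups()
            rows[int(secondary)] = (kind, [p.strip() for p in ports.split(",") if p.strip()])
    return rows


def classify_ports(rows):
    """
    Map each port to (role, {secondary vlans}). A host port carries exactly one
    host-association, so a port listed under more than one secondary is taken to
    be promiscuous. (Assumption of this model: a promiscuous port mapped to a
    single secondary would be misread as a host port.)
    """
    membership = {}
    for secondary, (_kind, ports) in rows.items():
        for port in ports:
            membership.setdefault(port, set()).add(secondary)
    roles = {}
    for port, secs in membership.items():
        if len(secs) > 1:
            roles[port] = ("promiscuous", secs)
        else:
            roles[port] = (rows[next(iter(secs))][0], secs)
    return roles


def can_talk(roles, a, b):
    """Private VLAN forwarding rules between two ports of the same primary."""
    role_a, secs_a = roles[a]
    role_b, secs_b = roles[b]
    if "promiscuous" in (role_a, role_b):
        return bool(secs_a & secs_b)   # promiscuous reaches every secondary it maps
    if role_a == role_b == "community":
        return secs_a == secs_b        # community hosts only reach their own community
    return False                       # isolated hosts reach promiscuous ports only


def broadcast_responders(show_output, src):
    """Ports that should answer a broadcast ping sent from `src`."""
    roles = classify_ports(parse_private_vlans(show_output))
    return sorted(p for p in roles if p != src and can_talk(roles, src, p))
```

broadcast_responders(SHOW_PVLAN, "Fa0/1") lists every other port, which matches the five replies R1 receives above from the promiscuous side; run from the isolated port Fa0/6 it lists only Fa0/1, so a reply from any other host during the ping test means a host-association or the port mode is wrong.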



You can use a radius server for authentication without using the global radius-server command.


R4(config)#aaa group server radius TST
R4(config-sg-radius)#server-private 155.1.146.100 key CISCO

You will also see a 'server' keyword under the configuration above. This simply references the globally defined 'radius-server'. Now we can attach this 'private' radius server to our PPP authentication.

aaa authentication ppp PPPAUTH group TST local
interface Serial0/1/0
ppp authentication pap chap PPPAUTH

Now our PPP authentication will use the private radius server and local usernames as a fall-back. You can also, like other authentication mechanisms, set the default authentication.

aaa authentication ppp default group tacacs local
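The 'group TST local' ordering hides a detail worth seeing in code: the next method in a list is consulted only when the current one cannot answer (the server group is unreachable), not when it answers with a reject. The simulation below is an added example of that evaluation order, written for this post and not taken from IOS or INE material; the user databases and the reachable/unreachable switch are constructed, and the exact handling of a list whose every method errors is modelled here as a rejection.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method authenticated the user
    FAIL = "fail"    # method answered and rejected the user
    ERROR = "error"  # method could not answer (server group unreachable)


# Constructed user databases for the simulation (not real credentials).
RADIUS_USERS = {"alice": "radius-secret"}
LOCAL_USERS = {"alice": "local-secret", "netops": "local-only"}


def radius_group(reachable):
    """Build a method behaving like 'group TST'; reachable=False simulates a dead server."""
    def method(user, password):
        if not reachable:
            return Result.ERROR
        return Result.PASS if RADIUS_USERS.get(user) == password else Result.FAIL
    return method


def local_method(user, password):
    """The 'local' method: check the router's own username database."""
    return Result.PASS if LOCAL_USERS.get(user) == password else Result.FAIL


def authenticate(method_list, user, password):
    """
    Evaluate an IOS-style method list: a method's PASS or FAIL is final, and the
    next method is tried only when the current one returns ERROR. If every method
    errors, the attempt is rejected (modelling assumption of this example).
    """
    for method in method_list:
        outcome = method(user, password)
        if outcome is Result.PASS:
            return True
        if outcome is Result.FAIL:
            return False
    return False


# 'aaa authentication ppp PPPAUTH group TST local' with the server up and down
PPPAUTH_SERVER_UP = [radius_group(True), local_method]
PPPAUTH_SERVER_DOWN = [radius_group(False), local_method]
```

The consequence for the lab and for production alike: a local-only account such as netops works only while the RADIUS group is unreachable, and a wrong RADIUS password is not rescued by a matching local one. Test the fall-back by taking the server away, not by typing a different password.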

Ok, now something new. PPPoE. On the client side, we need to create a dialer interface, set the IP address to DHCP and enter any PPP authentication information there. Then on the physical interface, we enable PPPoE and attach the dialer pool. This seems pretty easy...


interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer1
 ip address dhcp
 encapsulation ppp
 dialer pool 1
 ppp chap hostname R3PPP
 ppp chap password 0 CISCO

Now on the server side it is a little more difficult. On the physical interface, enable pppoe and attach to the bba group (broadband aggregation - where does cisco come up with this? They couldn't use pppoe-group? Thanks Cisco for creating another useless TLA). Under the bba-group, specify the virtual-template to clone and set any session options. Now on the virtual template, set the ip address, encapsulation and authentication parameters. INE has also used a 'trick' to use DHCP to assign the IP address.


ip dhcp excluded-address 155.1.35.1 155.1.35.2
ip dhcp excluded-address 155.1.35.4 155.1.35.254
ip dhcp pool PPPOE
   network 155.1.35.0 255.255.255.0
bba-group pppoe PPPOE
 virtual-template 1
 sessions per-mac throttle 10 60 300
interface FastEthernet0/1.35
 encapsulation dot1Q 35
 pppoe enable group PPPOE
interface Virtual-Template1
 ip address 155.1.35.1 255.255.255.0
 ppp authentication chap PPPOE

Well, that's it for Bridging/switching as well as INE volume 1. Overall, bridging and switching was pretty easy. I mostly just picked up a few tips along the way - nothing I didn't really already know. I have really enjoyed the INE volume 1 and appreciate how they cover some topics that other vendors don't, and how they are complete and thorough. Not that other vendors are bad - and I know INE doesn't cover items that other vendors do. In short, I'm saying it's best to study with two vendors to become a fully-rounded CCIE candidate.

My only issue is how they present the scenarios - they sometimes word them in such a way that it's easy to figure out exactly what they are asking for. Well, I think that is all for today. It's been a long week and I need some R&R. Hoping to fire up the lab this weekend to do Narbik's MPLS labs, and then start on INE Volume 2 (full labs) and Volume 4 (troubleshooting). I plan to hit labs that are graded a 7 or higher. Hopefully I can cover one lab every two days to start, and squeeze in a few troubleshooting scenarios throughout the week. Then as I get closer to my date, I plan to do a full lab in a day, and alternate day-to-day between full labs and troubleshooting. Man, at least I don't have to worry about studying for the stupid OEQ too.......

1 comment:

  1. Hi, just read your post and it looks great!!!

    I have a question, maybe you can help me. I just started my CCIE studies and bought the INE Workbook 1. When I see the diagram topology I just figure out how they are connected when I rent the rack using CDP, but I try to make my own topology in GNS3 to practice and I can't find all the connection points. Have you tried to make your own? How did you do it?

    Kind Regards