Saturday, 24 December 2011

10 Real Exam Questions.


VTP Lab 2

Question:

Acme is a small export company that has an existing enterprise network comprised of 5 switches: CORE, DSW1, DSW2, ASW1 and ASW2. The topology diagram indicates their desired per-VLAN spanning tree mapping. Previous configuration attempts have resulted in the following issues:
– CORE should be the root bridge for VLAN 20; however, DSW1 is currently the root bridge for VLAN 20.
– Traffic for VLAN 30 should be forwarding over the gig 1/0/6 trunk port between DSW1 and DSW2. However, VLAN 30 is currently using gig 1/0/5.
– Traffic for VLAN 40 should be forwarding over the gig 1/0/5 trunk port between DSW1 and DSW2. However, VLAN 40 is currently using gig 1/0/6.

You have been tasked with isolating the cause of these issues and implementing the appropriate solutions. Your task is complicated by the fact that you only have full access to DSW1, with the enable secret password cisco. Only limited show command access is provided on CORE and DSW2, using the enable 2 level with a password of acme. No configuration changes will be possible on these routers. No access is provided to ASW1 or ASW2.



Answer and Explanation:
1) “CORE should be the root bridge for VLAN 20; however, DSW1 is currently the root bridge for VLAN 20” -> We need to make the CORE switch the root bridge for VLAN 20.

Using the “show spanning-tree” command, we learn that DSW1 is the root bridge for VLAN 20 (notice the line “This bridge is the root” in its output).

DSW1>enable
DSW1#show spanning-tree


To determine the root bridge, switches exchange and compare their bridge IDs, which consist of a priority value and a MAC address. The switch with the lowest priority value (and, on a tie, the lowest MAC address) becomes the root bridge. We can therefore deduce that the priority of DSW1 is lower than the priority of the CORE switch, which is why DSW1 became the root bridge. To make CORE the root bridge we need to raise DSW1’s priority value; the best value is 61440 because it is the largest value that can be assigned and is therefore certain to be greater than that of the CORE switch. (You can use another value, but make sure it is greater than the CORE priority value by checking whether CORE becomes the root bridge or not; the value must also be a multiple of 4096.)

(Notice that the terms bridge and switch are used interchangeably when discussing STP)

DSW1#configure terminal
DSW1(config)#spanning-tree vlan 20 priority 61440

2) “Traffic for VLAN 30 should be forwarding over the gig 1/0/6 trunk port between DSW1 and DSW2. However VLAN 30 is currently using gig 1/0/5″

DSW1 is the root bridge for VLAN 30 (you can re-check with the show spanning-tree command as above), so all of its ports are in the forwarding state for VLAN 30. But the question says that VLAN 30 is currently using Gig1/0/5, so we can infer that port Gig1/0/6 on DSW2 is in the blocking state (for VLAN 30 only); therefore all traffic for VLAN 30 goes through port Gig1/0/5.

The root bridge for VLAN 30, DSW1, originates the Bridge Protocol Data Units (BPDUs), and switch DSW2 receives these BPDUs on both its Gig1/0/5 and Gig1/0/6 ports. It compares the two BPDUs: both carry the same root bridge ID, so it checks the root path cost, which depends on the bandwidth of the link. In this case both links have the same bandwidth, so it goes on to check the sender’s port ID (made up of the port priority and the port number of the sending interface). The lower port ID value is preferred, so the interface that received it becomes the root port and the other interface (the one that received the higher port ID) is blocked.

In this case port Gig1/0/6 of DSW2 received a port ID of 128.6 (meaning port priority 128 and port number 6), which is greater than the value received on port Gig1/0/5 (port ID 128.5), so port Gig1/0/6 is blocked. You can check again with the “show spanning-tree” command; notice that the command is issued on DSW1, and the port IDs it shows for Gig1/0/5 and Gig1/0/6 are the values DSW2 received and used to compare.

Therefore, all we need to do is change the priority of port Gig1/0/6 on DSW1 to a lower value so that the neighboring port on DSW2 moves to the forwarding state. Notice that we only need to change this value for VLAN 30, not for all VLANs.

DSW1(config)#interface g1/0/6
DSW1(config-if)#spanning-tree vlan 30 port-priority 64
DSW1(config-if)#exit

3) “Traffic for VLAN 40 should be forwarding over the gig 1/0/5 trunk port between DSW1 and DSW2. However VLAN 40 is currently using gig 1/0/6″

Next we need to make sure traffic for VLAN 40 is forwarded over the Gig1/0/5 ports. It is a similar job, right? But wait, we are not allowed to make any configuration changes on DSW2, so how can we change its port priority for VLAN 40? There is another solution for this…

Besides the port-priority parameter, there is another value we can change: the cost value (which feeds the root path cost). Although it is derived from the bandwidth of the link by default, a network administrator can change the cost of an interface, if necessary, to influence the shape of the resulting spanning tree.

Notice that the root path cost is calculated by adding the cost carried in the received hello BPDU to the cost of the interface on which the BPDU was received. Therefore, if you change the cost on an interface of DSW1, only DSW1 takes that change into account when choosing its root port.

By default, the cost of a 100Mbps link is 19, but we can change this value to make sure that VLAN 40 will use interface Gig1/0/5.

DSW1(config)#interface g1/0/5
DSW1(config-if)#spanning-tree vlan 40 cost 1
DSW1(config-if)#end
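The three decisions worked through above (task 1: root bridge chosen by priority, task 2: root port chosen by the sender's port ID, task 3: root port chosen by the receiver's own interface cost) in a small Python model, added here as an illustration and not part of the original lab answer. The MAC addresses, the gigabit port cost of 4, and the VLAN 40 topology (DSW2 assumed to be root, sending with port priority 64 on the link into DSW1's Gi1/0/6) are constructed for the example, and the function names are my own.

```python
"""Toy model of the two STP decisions the lab turns on: which bridge becomes the
root (lowest bridge ID: priority + VLAN, then MAC) and which port a non-root
bridge picks as its root port (lowest root path cost, then sender bridge ID,
then sender port ID).  Constructed example: the MAC addresses, the VLAN 40
topology and the default port cost of 4 for gigabit links are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # configured priority, must be a multiple of 4096
    mac: str

    def bridge_id(self, vlan: int):
        # Per-VLAN bridge ID: 4-bit priority + 12-bit system-ID extension (the
        # VLAN number), then the MAC.  The lower tuple wins the election.
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be 0..61440 in steps of 4096")
        return (self.priority + vlan, self.mac)


@dataclass(frozen=True)
class Bpdu:
    root_path_cost: int        # cost to the root as advertised by the sender
    sender: Bridge
    sender_port_priority: int  # 0..240 in steps of 16, default 128
    sender_port_number: int
    vlan: int


def port_id(priority: int, number: int) -> int:
    # 16-bit port ID shown by IOS as "128.6": 4 bits of priority/16, 12 bits of port number
    return ((priority // 16) << 12) | number


def elect_root(bridges, vlan):
    """Root bridge for one VLAN: the bridge with the lowest bridge ID."""
    return min(bridges, key=lambda b: b.bridge_id(vlan))


def select_root_port(received):
    """received maps a local port name to (BPDU heard on it, cost of that local
    interface).  Returns the local port that becomes the root port."""
    def preference(item):
        name, (bpdu, ingress_cost) = item
        return (
            bpdu.root_path_cost + ingress_cost,   # root path cost as seen by the receiver
            bpdu.sender.bridge_id(bpdu.vlan),     # sender bridge ID
            port_id(bpdu.sender_port_priority, bpdu.sender_port_number),  # sender port ID
            name,                                 # receiver port ID (stand-in)
        )
    return min(received.items(), key=preference)[0]


# Constructed bridges: all at the default priority, DSW1 holding the lowest MAC.
CORE = Bridge("CORE", 32768, "00:11:00:00:00:20")
DSW1 = Bridge("DSW1", 32768, "00:11:00:00:00:10")
DSW2 = Bridge("DSW2", 32768, "00:11:00:00:00:30")
GIG_COST = 4  # assumed default 802.1D cost of a gigabit link


def vlan20_root(dsw1_priority=32768):
    """Task 1: who is root for VLAN 20 after 'spanning-tree vlan 20 priority N' on DSW1."""
    dsw1 = Bridge(DSW1.name, dsw1_priority, DSW1.mac)
    return elect_root([CORE, dsw1, DSW2], 20).name


def vlan30_root_port_on_dsw2(dsw1_gi6_port_priority=128):
    """Task 2: DSW1 is root for VLAN 30; DSW2 hears its BPDUs on two equal-cost
    trunks and must compare the sender port IDs (128.5 versus 128.6)."""
    heard = {
        "Gi1/0/5": (Bpdu(0, DSW1, 128, 5, 30), GIG_COST),
        "Gi1/0/6": (Bpdu(0, DSW1, dsw1_gi6_port_priority, 6, 30), GIG_COST),
    }
    return select_root_port(heard)


def vlan40_root_port_on_dsw1(dsw1_gi5_cost=GIG_COST):
    """Task 3 (assumed topology): DSW2 is root for VLAN 40 and, by assumption,
    sends with port priority 64 on the link into DSW1's Gi1/0/6, so DSW1 prefers
    Gi1/0/6 until the cost of its own Gi1/0/5 is lowered."""
    heard = {
        "Gi1/0/5": (Bpdu(0, DSW2, 128, 5, 40), dsw1_gi5_cost),
        "Gi1/0/6": (Bpdu(0, DSW2, 64, 6, 40), GIG_COST),
    }
    return select_root_port(heard)


if __name__ == "__main__":
    print("VLAN 20 root, DSW1 at 32768:", vlan20_root())
    print("VLAN 20 root, DSW1 at 61440:", vlan20_root(61440))
    print("VLAN 30 root port on DSW2, DSW1 Gi1/0/6 priority 128:", vlan30_root_port_on_dsw2())
    print("VLAN 30 root port on DSW2, DSW1 Gi1/0/6 priority 64:", vlan30_root_port_on_dsw2(64))
    print("VLAN 40 root port on DSW1, Gi1/0/5 cost 4:", vlan40_root_port_on_dsw1())
    print("VLAN 40 root port on DSW1, Gi1/0/5 cost 1:", vlan40_root_port_on_dsw1(1))
```

The model keeps the comparison order the lab relies on: `vlan30_root_port_on_dsw2` only flips when the sender's port priority drops, while `vlan40_root_port_on_dsw1` only flips when the receiver's own ingress cost drops, which is exactly why the VLAN 40 fix can be applied on DSW1 without touching DSW2.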

You should re-check to see if everything was configured correctly:

DSW1#show spanning-tree

Save the configuration:

DSW1#copy running-config startup-config

(Notice: Many reports said the copy running-config startup-config didn’t work but they still got the full mark)

VTP Lab

The headquarters offices of a book retailer are enhancing their wiring closets with Layer 3 switches. The new distribution-layer switch has been installed and a new access-layer switch cabled to it. Your task is to configure VTP to share VLAN information from the distribution-layer switch to the access-layer devices. Then it is necessary to configure inter-VLAN routing on the distribution-layer switch to route traffic between the different VLANs that are configured on the access-layer switches; however, it is not necessary for you to make the specific VLAN port assignments on the access-layer switches. Also, because VLAN database mode is being deprecated by Cisco, all VLAN and VTP configuration is to be completed in global configuration mode. Please reference the following table for the VTP and VLAN information to be configured:

Requirements:

VTP Domain name: cisco
VLAN Ids: 20 21
IP Addresses: 172.16.71.1/24 172.16.132.1/24
These are your specific tasks:

1. Configure the VTP information with the distribution layer switch as the VTP server
2. Configure the VTP information with the access layer switch as a VTP client
3. Configure VLANs on the distribution layer switch
4. Configure inter-VLAN routing on the distribution layer switch
5. Specific VLAN port assignments will be made as users are added to the access layer switches in the future.
6. All VLAN and VTP configuration is to be completed in global configuration mode. To configure the switch, click on the host icon that is connected to the switch by way of a serial console cable.



Answer and Explanation:

1) Configure the VTP information with the distribution layer switch as the VTP server:


DLSwitch#configure terminal
DLSwitch(config)#vtp mode server
DLSwitch(config)#vtp domain cisco

(Use cisco, not CISCO: the domain name is case sensitive. Requirement 2 will be solved later.)

3) Configure VLANs on the distribution layer switch

To create VLANs on a switch, use the vlan vlanID# command:
DLSwitch(config)#vlan 20
DLSwitch(config)#vlan 21

Configure IP addresses for the VLAN interfaces:

DLSwitch(config)#interface vlan 20
DLSwitch(config-if)#ip address 172.16.71.1 255.255.255.0
DLSwitch(config-if)#no shutdown
DLSwitch(config-if)#interface vlan 21
DLSwitch(config-if)#ip address 172.16.132.1 255.255.255.0
DLSwitch(config-if)#no shutdown
DLSwitch(config-if)#exit

4) Configure inter-VLAN routing on the distribution layer switch

DLSwitch(config)#ip routing
DLSwitch(config)#exit
DLSwitch#copy running-config startup-config

2) Configure the VTP information with the access layer switch as a VTP client

ALSwitch#configure terminal
ALSwitch(config)#vtp mode client
ALSwitch(config)#vtp domain cisco
ALSwitch(config)#exit

ALSwitch#copy running-config startup-config

(Notice: Many reports said the copy running-config startup-config didn’t work but they still got the full mark)

LACP with STP Simulation

Each of these VLANs has one host on its port
SVI on vlan 1 - ip 192.168.1.11 with snm

Port 15 connected to Port on Router.
Tasks to do
1. Use non proprietary mode of aggregation with Switch B being the initiator
-- Assumed use LACP with B being in Active mode
2. Use non proprietary trunking and no negotiation
-- Assumed use switchport mode trunk and switchport trunk encapsulation dot1q
3. Restrict only to vlans needed
-- Assumed either vtp pruning or allowed vlan list. vtp pruning command did not seem to work on
the simulator so landed using allowed vlan list
4. SVI on vlan 1 with some ip and subnet given
5. Configure switch A so that nodes other side of Router C are accessible
-- Assumed this to mean that on switch A a default gateway has to be configured.
6. Make switch B the root
-- Could not get this to work. Exam hung when I tried the command
spanning-tree vlan 1,21-23 priority 4096.


Explanation:
On Switch A, verify with show run whether you need to create VLANs 21-23.

int range fa0/9 - 10
switchport mode access
switchport access vlan 21
spanning-tree portfast
no shut

int range fa0/13 - 14
switchport mode access
switchport access vlan 22
spanning-tree portfast
no shut

int range fa0/16 - 16
switchport mode access
switchport access vlan 23
spanning-tree portfast
no shut

int range fa0/3 - 4
channel-protocol lacp
channel-group 1 mode passive
no shut

int port-channel 1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 1,21-23
no shut

int vlan 1
ip address x.y.z.11 255.a.b.c
no shut

SW B ---> the one at the left (not connected to the router)
conf t
interface range fastethernet 0/9-10
switchport mode access
switchport access vlan 21
spanning-tree portfast
no shut

interface range fastethernet 0/13-14
switchport mode access
switchport access vlan 22
spanning-tree portfast
no shut

interface range fastethernet 0/15-16
switchport mode access
switchport access vlan 23
spanning-tree portfast
no shut

interface range fastethernet 0/3-4
switchport trunk encapsulation dot1q
switchport trunk native vlan 99
switchport trunk allowed vlan 1,21-23,99
switchport mode trunk
channel-protocol lacp
channel-group 1 mode passive
no shut

// port-channel 1 is created automatically and nothing needs to be configured under it.

ip default-gateway 10.10.10.1

// VLAN 1 is already configured; nothing more to be done on it.

SWA ---> the one connected to the router as in the exam
vlan 21
vlan 22
vlan 23
interface range fastethernet 0/3-4
switchport trunk native vlan 99
switchport trunk allowed vlan 1,21-23,99
switchport mode trunk
channel-protocol lacp
channel-group 1 mode active
no shut
spanning-tree vlan 1,21-23,99 root primary

MLS and EIGRP Simulation

Question:
Configure the Multilayer Switch so that PCs from VLAN 2 and VLAN 3 can communicate with the
Server?



















mls> enable
mls# configure terminal
mls(config)# int gi0/1
mls(config-if)# no switchport

(Not sure about this command line, but you should use it if the simulator does not let you assign an IP address on the Gi0/1 interface.)

mls(config-if)# ip address 10.10.10.2 255.255.255.0
mls(config-if)# no shutdown
mls(config-if)# exit
mls(config)# int vlan 2
mls(config-if)# ip address 190.200.250.33 255.255.255.224
mls(config-if)# no shutdown
mls(config-if)# int vlan 3
mls(config-if)# ip address 190.200.250.65 255.255.255.224
mls(config-if)# no shutdown
mls(config-if)# exit
mls(config)# ip routing

(Notice: the MLS will not route between VLANs without this command)

mls(config)# router eigrp 650
mls(config-router)# network 10.10.10.0 0.0.0.255
mls(config-router)# network 190.200.250.32 0.0.0.31
mls(config-router)# network 190.200.250.64 0.0.0.31

NOTE: The router is correctly configured, so you do not need to touch it in the exam; also, do not modify or delete any port, just do the above configuration.
To complete the lab, you should expect the ping to SERVER to succeed from the MLS and from the PCs as well.
If the above configuration does not work, configure EIGRP with the no auto-summary command:

mls(config-router)# no auto-summary
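To make the two EIGRP points above concrete (which interfaces the wildcard-masked network statements enable, and why no auto-summary matters for the VLAN 2 and VLAN 3 subnets), here is a small Python model added as an illustration; it is not part of the lab answer. The interface names, the choice of the 10.10.10.0/24 link as the outgoing interface toward the router, and the helper names are assumptions; the addresses and network statements are the lab's own.

```python
"""Which interfaces the lab's EIGRP 'network' statements enable, and what
auto-summary does to the VLAN 2/3 prefixes advertised toward the router.
Constructed example: the interface names, the choice of 10.10.10.0/24 as the
outgoing link toward the router and the helper names are assumptions."""
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)


# From the lab's 'router eigrp 650' block
NETWORK_STATEMENTS = [
    ("10.10.10.0", "0.0.0.255"),
    ("190.200.250.32", "0.0.0.31"),
    ("190.200.250.64", "0.0.0.31"),
]

# Interface addresses from the lab (interface names assumed)
INTERFACES = {
    "GigabitEthernet0/1": "10.10.10.2/24",
    "Vlan2": "190.200.250.33/27",
    "Vlan3": "190.200.250.65/27",
}


def eigrp_enabled_interfaces(interfaces, statements):
    """Interfaces whose primary address matches at least one network statement."""
    return sorted(
        name for name, cidr in interfaces.items()
        if any(wildcard_match(cidr.split("/")[0], net, wc) for net, wc in statements)
    )


def classful_network(prefix: str) -> str:
    """Classful (A/B/C) major network that a prefix belongs to."""
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    length = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return str(ipaddress.ip_network(f"{net.network_address}/{length}", strict=False))


def advertised_prefixes(local_prefixes, out_interface_prefix, auto_summary):
    """Prefixes EIGRP advertises out one interface.  With auto-summary on, a
    subnet is replaced by its classful network when it crosses a major-network
    boundary, i.e. when the outgoing interface lies in a different major network."""
    out_major = classful_network(out_interface_prefix)
    seen = set()
    for prefix in local_prefixes:
        major = classful_network(prefix)
        if auto_summary and major != out_major:
            seen.add(major)
        else:
            seen.add(str(ipaddress.ip_network(prefix, strict=False)))
    return sorted(seen)


def vlan_prefixes_toward_router(auto_summary: bool):
    """What the MLS tells the router about VLAN 2 and VLAN 3 over the 10.10.10.0/24 link."""
    return advertised_prefixes(
        [INTERFACES["Vlan2"], INTERFACES["Vlan3"]],
        INTERFACES["GigabitEthernet0/1"],
        auto_summary,
    )


if __name__ == "__main__":
    print("EIGRP-enabled:", eigrp_enabled_interfaces(INTERFACES, NETWORK_STATEMENTS))
    print("with auto-summary:   ", vlan_prefixes_toward_router(True))
    print("with no auto-summary:", vlan_prefixes_toward_router(False))
```

With auto-summary left on, the two /27 subnets behind the MLS reach the router only as 190.200.0.0/16, which is why turning it off is the usual fix when the specific subnets have to be visible on the far side.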

AAAdot1x Lab

Acme is a small shipping company that has an existing enterprise network comprised of 2 switches: DSW1 and ASW2. The topology diagram indicates their layer 2 mapping. VLAN 40 is a new VLAN that will be used to provide the shipping personnel access to the server. For security reasons, it is necessary to restrict access to VLAN 20 in the following manner:
- Users connecting to ASW1's port must be authenticated before they are given access to the network.
- Authentication is to be done via a Radius server:
  - Radius server host: 172.120.39.46
  - Radius key: rad123
- Authentication should be implemented as close to the host device as possible.
- Devices on VLAN 20 are restricted to the address range 172.120.40.0/24.
- Packets from devices in the address range 172.120.40.0/24 should be passed on VLAN 20.
- Packets from devices in any other address range should be dropped on VLAN 20.
- Filtering should be implemented as close to the server farm as possible.
The Radius server and application servers will be installed at a future date. You have been tasked with implementing the above access control as a pre-condition to installing the servers. You must use the available IOS switch features.

Explanation:
The configuration:
Step 1: Console to ASW1 from PC console 1
ASW1#configure terminal
ASW1(config)#aaa new-model
ASW1(config)#radius-server host 172.120.39.46 key rad123
ASW1(config)#aaa authentication dot1x default group radius
ASW1(config)#dot1x system-auth-control
ASW1(config)#interface fastEthernet 0/1
ASW1(config-if)#switchport mode access
ASW1(config-if)#dot1x port-control auto
ASW1(config-if)#end
ASW1#copy run start

Step 2: Console to DSW1 from PC console 2
DSW1#configure terminal
DSW1(config)#ip access-list standard 10
DSW1(config-std-nacl)#permit 172.120.40.0 0.0.0.255
DSW1(config-std-nacl)#exit
DSW1(config)#vlan access-map PASS 10
DSW1(config-access-map)#match ip address 10
DSW1(config-access-map)#action forward
DSW1(config-access-map)#exit
DSW1(config)#vlan access-map PASS 20
DSW1(config-access-map)#action drop
DSW1(config-access-map)#exit
DSW1(config)#vlan filter PASS vlan-list 20
DSW1(config)#end
DSW1#copy run start
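How the VLAN access-map configured on DSW1 in Step 2 actually decides the fate of a frame on VLAN 20, as a small Python model added here for illustration (not part of the lab answer): sequences are tried in order, a sequence whose match ACL permits the packet applies its action, a sequence with no match clause matches everything, and a packet that matches no sequence is dropped. The sample packet addresses and the helper names are constructed; ACL 10 and the PASS map are the lab's own.

```python
"""Evaluate the VACL 'PASS' from the lab against sample packets.  A standard ACL
used inside a VACL tests the source address only; an entry that *denies* a packet
does not drop it, it just means that sequence does not match and the next one is
tried.  Constructed example: packet addresses and helper names are assumptions."""
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)


# Standard ACL 10 from the lab: (action, network, wildcard) entries in order.
ACLS = {
    "10": [("permit", "172.120.40.0", "0.0.0.255")],
}


def acl_permits(entries, src: str) -> bool:
    """First matching entry decides; every IOS ACL ends in an implicit deny."""
    for action, net, wc in entries:
        if wildcard_match(src, net, wc):
            return action == "permit"
    return False


# 'vlan access-map PASS' as configured: (sequence, ACL to match or None, action)
VACL_PASS = [
    (10, "10", "forward"),
    (20, None, "drop"),
]


def vacl_action(access_map, acls, src: str) -> str:
    """Action the access-map applies to a packet with source address src."""
    for _seq, acl_name, action in sorted(access_map):
        if acl_name is None or acl_permits(acls[acl_name], src):
            return action
    return "drop"   # implicit drop when no sequence matches


def filter_vlan20(packets):
    """Apply the PASS map to (src, dst) pairs seen on VLAN 20; returns {src: action}."""
    return {src: vacl_action(VACL_PASS, ACLS, src) for src, _dst in packets}


# Constructed traffic seen on VLAN 20
SAMPLE = [
    ("172.120.40.17", "172.120.40.200"),   # shipping workstation, in range
    ("172.120.41.17", "172.120.40.200"),   # neighbouring subnet, out of range
    ("10.0.0.5", "172.120.40.200"),        # anything else
]

if __name__ == "__main__":
    for src, action in filter_vlan20(SAMPLE).items():
        print(f"{src:>15} -> {action}")
```

Two things the model makes visible: sequence 20 with its explicit drop is redundant because an access-map already drops whatever no sequence matches, and an ACL deny inside a VACL is not a drop, so a map written as "drop what ACL X denies" must be built the other way round (match what should be dropped, or forward the rest in a later sequence).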