ipexpert-ccie-data-center-volume-1-detailed-solution-chapters-1-8.pdf

Upload: ashmit

Post on 01-Jun-2018


  • 8/9/2019 IPexpert-CCIE-Data-Center-Volume-1-Detailed-Solution-Chapters-1-8.pdf

    1/513

    IPexpert's Lab Preparation Detailed Solution Guide for the Cisco CCIE Data Center v1.0 Lab Exam

    Volume 1

    Authored by: Rick Mur - CCIE3 #21946 (R&S / SP / Storage), JNCIE-SP #851


    CCIE Data Center Lab Preparation Detailed Solution Guide

    Copyright by IPexpert. All rights reserved. 1

    IPexpert's Lab Preparation Detailed Solution Guide for Cisco's CCIE Data Center Lab

    Before We Begin

    This product is part of the IPexpert suite of materials that provide CCIE candidates and network

    engineers with a comprehensive training program. For information about the full solution, contact an

    IPexpert Training Advisor today.

    Telephone: +1.810.326.1444

    Email: [email protected]

    Congratulations! You now possess one of the ULTIMATE CCIE™ Lab preparation and network operation resources available today! This resource was produced by senior engineers, technical instructors, and authors boasting decades of internetworking experience. Although there is no way to guarantee a 100% success rate on the CCIE Data Center Lab exam, we feel VERY confident that your chances of passing the Lab will improve dramatically after completing this industry-recognized Workbook!

    Technical Support from IPexpert, and your CCIE community!


    IPexpert is proud to lead the industry with multiple support options at your disposal free of charge. Our

    online communities have attracted a membership of over 20,000 of your peers from around the world!

    At blog.ipexpert.com, you can keep up to date with everything IPexpert does and read the latest in

    technical articles from world-renowned IPexpert instructors. At OnlineStudyList.com, you may subscribe

    to multiple SPAM-free, moderated CCIE-focused email lists.

    Feedback

    Do you have a suggestion or other feedback regarding this book or other IPexpert products? At IPexpert, we look to you, our valued clients, for the real-world, frontline evaluation that we believe is necessary so that we may always improve. Please send an email with your thoughts to [email protected] or call 1.866.225.8064 (international callers dial +1.810.326.1444).

    In addition, for those using this book as CCIE™ preparation, when you pass the CCIE™ Lab exam, we want to hear about it! Email your CCIE™ number to [email protected] and let us know how IPexpert helped you succeed. We would like to send you a gift of thanks and congratulations.

    Additional CCIE™ Preparation Material

    IPexpert, Inc. is committed to developing the most effective Cisco CCIE™ R&S, Security, Voice, Wireless and Data Center Lab certification preparation tools available. Our team of certified networking professionals develops the most up-to-date and comprehensive materials for networking certification, including self-paced workbooks, online Cisco hardware rental, classroom training, online (distance learning) instructor-led training, audio products, and video training materials. Unlike other certification-training providers, we employ the most experienced and accomplished teams of experts to create, maintain, and constantly update our products. At IPexpert, we focus on making your CCIE™ Lab preparation more effective.

    Issues with this Book

    This book is carefully edited to ensure the accuracy of all content. Should you find any error whatsoever,

    please email a page reference and detailed comment to [email protected]. Your email will be

    responded to promptly.


    IPEXPERT END-USER LICENSE AGREEMENT

    END USER LICENSE FOR ONE (1) PERSON ONLY

    IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS,

    DO NOT OPEN OR USE THE TRAINING MATERIALS.

    This is a legally binding agreement between you and IPEXPERT, the Licensor, from whom you have

    licensed the IPEXPERT training materials (the Training Materials). By using the Training Materials, you

    agree to be bound by the terms of this License, except to the extent these terms have been modified by

    a written agreement (the Governing Agreement) signed by you (or the party that has licensed the

    Training Materials for your use) and an executive officer of Licensor. If you do not agree to the License

    terms, the Licensor is unwilling to license the Training Materials to you. In this event, you may not use

    the Training Materials, and you should promptly contact the Licensor for return instructions.

    The Training Materials shall be used by only ONE (1) INDIVIDUAL who shall be the sole individual

    authorized to use the Training Materials throughout the term of this License.

    Copyright and Proprietary Rights

    The Training Materials are the property of IPEXPERT, Inc. ("IPEXPERT") and are protected by United

    States and International copyright laws. All copyright, trademark, and other proprietary rights in the

    Training Materials and in the Training Materials, text, graphics, design elements, audio, and all other

    materials originated by IPEXPERT at its site, in its workbooks, scenarios and courses (the "IPEXPERT

    Information") are reserved to IPEXPERT.

    The Training Materials cannot be used by or transferred to any other person. You may not rent, lease,

    loan, barter, sell or time-share the Training Materials or accompanying documentation. You may not

    reverse engineer, decompile, or disassemble the Training Materials. You may not modify, or create

    derivative works based upon the Training Materials in whole or in part. You may not reproduce, store,

    upload, post, transmit, download or distribute in any form or by any means, electronic, mechanical,

    recording or otherwise any part of the Training Materials and IPEXPERT Information other than printing

    out or downloading portions of the text and images for your own personal, non-commercial use without

    the prior written permission of IPEXPERT.

    You shall observe copyright and other restrictions imposed by IPEXPERT. You may not use the Training

    Materials or IPEXPERT Information in any manner that infringes the rights of any person or entity.


    Exclusions of Warranties

    THE TRAINING MATERIALS AND DOCUMENTATION ARE PROVIDED AS IS. LICENSOR HEREBY DISCLAIMS

    ALL OTHER WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WITHOUT LIMITATION, THE

    IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. SOME STATES

    DO NOT ALLOW THE LIMITATION OF INCIDENTAL DAMAGES OR LIMITATIONS ON HOW LONG AN

    IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. This

    agreement gives you specific legal rights, and you may have other rights that vary from state to state.

    Choice of Law and Jurisdiction

    This Agreement shall be governed by and construed in accordance with the laws of the State of

    Michigan, without reference to any conflict of law principles. You agree that any litigation or other

    proceeding between you and Licensor in connection with the Training Materials shall be brought in the

    Michigan state or courts located in Port Huron, Michigan, and you consent to the jurisdiction of such

    courts to decide the matter. The parties agree that the United Nations Convention on Contracts for the

    International Sale of Goods shall not apply to this License. If any provision of this Agreement is held

    invalid, the remainder of this License shall continue in full force and effect.

    Limitation of Claims and Liability

    ANY ACTION ON ANY CLAIM AGAINST IPEXPERT MUST BE BROUGHT BY THE USER WITHIN ONE (1) YEAR

    FOLLOWING THE DATE THE CLAIM FIRST ACCRUED, OR SHALL BE DEEMED WAIVED. IN NO EVENT WILL

    THE LICENSOR'S LIABILITY UNDER, ARISING OUT OF, OR RELATING TO THIS AGREEMENT EXCEED THE

    AMOUNT PAID TO LICENSOR FOR THE TRAINING MATERIALS. LICENSOR SHALL NOT BE LIABLE FOR ANY

    SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED AND ON ANY

    THEORY OF LIABILITY, REGARDLESS OF WHETHER LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF

    SUCH DAMAGES. WITHOUT LIMITING THE FOREGOING, LICENSOR WILL NOT BE LIABLE FOR LOST

    PROFITS, LOSS OF DATA, OR COSTS OF COVER.


    Entire Agreement

    This is the entire agreement between the parties and may not be modified except in writing signed by

    both parties.

    U.S. Government - Restricted Rights

    The Training Materials and accompanying documentation are commercial computer Training

    Materials and commercial computer Training Materials documentation, respectively, pursuant to

    DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any use, modification, reproduction

    release, performance, display, or disclosure of the Training Materials and accompanying documentation

    by the U.S. Government shall be governed solely by the terms of this Agreement and shall be prohibited

    except to the extent expressly permitted by the terms of this Agreement.

    IF YOU DO NOT AGREE WITH THE ABOVE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE TRAINING MATERIALS AND CONTACT LICENSOR FOR INSTRUCTIONS ON RETURN OF THE TRAINING MATERIALS.


    Task 1: Layer 3 topology set-up .......................................................................................................... 66

    Task 2: Static routing........................................................................................................................... 75

    Task 3: EIGRP ....................................................................................................................................... 81

    Task 4: OSPF ........................................................................................................................................ 94

    Task 5: Redistribution, BFD and ECMP ............................................................................................. 116

    Task 6: Layer 3 switching features .................................................................................................... 124

    Task 7: FabricPath and OTV .............................................................................................................. 127

    Chapter 4: Data Center Networking High Availability (NX-OS) ................................................................. 139

    General Rules ........................................................................................................................................ 140

    Solutions ............................................................................................................................................... 141

    Task 1: Topology set-up ........................................................................................................................ 141

    Task 2: Port-Channels ....................................................................................................................... 143

    Task 3: Virtual Port-Channels (vPCs) ................................................................................................. 166

    Task 4: Graceful Restart / Non-Stop Forwarding .............................................................................. 184

    Task 5: HSRP ...................................................................................................................................... 188

    Task 6: VRRP ...................................................................................................................................... 198

    Task 7: GLBP ...................................................................................................................................... 202

    Task 8: Virtual Port-Channels (vPCs) and FabricPath ........................................................................ 206

    Chapter 5: Data Center Storage Networking ............................................................................................ 210

    General Rules ........................................................................................................................................ 211

    Solutions ............................................................................................................................................... 212

    Task 1: Initial set-up .......................................................................................................................... 212

    Task 2: VSANs .................................................................................................................................... 227

    Task 3: Zoning ................................................................................................................................... 244

    Task 4: FC Domain ............................................................................................................................. 254

    Task 5: Fibre Channel Security Features ........................................................................................... 260

    Task 6: Advanced Features ............................................................................................................... 271

    Chapter 6: Data Center Storage Networking Extension ........................................................................... 276

    General Rules ........................................................................................................................................ 277

    Solutions ............................................................................................................................................... 278

    Task 1: Initial set-up .......................................................................................................................... 278

    Task 2: FCIP ....................................................................................................................................... 282

    Task 3: FCIP Security ......................................................................................................................... 297

    Task 4: SAN Extension Tuner ............................................................................................................ 301

    Task 5: iSCSI....................................................................................................................................... 304

    Task 6: iSLB ........................................................................................................................................ 323

    Chapter 7: Data Center Unified Fabric ...................................................................................................... 340

    General Rules ........................................................................................................................................ 341

    Solutions ............................................................................................................................................... 342

    Task 1: Native Fibre Channel on Nexus ............................................................................................. 342

    Task 2: Fibre Channel over Ethernet (FCoE) ..................................................................................... 353

    Task 3: Multi hop FCoE ..................................................................................................................... 358

    Task 4: FCoE Quality of Service (QoS) ............................................................................................... 371

    Task 5: N-Port Virtualization (NPV) and N-Port ID Virtualization (NPIV) .......................................... 381

    Task 6: FCoE NPV .............................................................................................................................. 391

    Chapter 8: Security Features ..................................................................................................................... 393

    General Rules ........................................................................................................................................ 394

    Solutions ............................................................................................................................................... 395


    Task 1: Port Security ......................................................................................................................... 395

    Task 2: DHCP Snooping, DAI, IP Source Guard .................................................................................. 412

    Task 3: Access Control Lists ............................................................................................................... 419

    Task 4: AAA services.......................................................................................................................... 435

    Task 5: 802.1X ................................................................................................................................... 448

    Task 6: Cisco TrustSec ....................................................................................................................... 451

    Chapter 9: Management Features ............................................................................................................ 455

    General Rules ........................................................................................................................................ 456

    Solutions ............................................................................................................................................... 457

    Task 1: Role Based Access Control (RBAC) ........................................................................................ 457

    Task 2: Traffic monitoring ................................................................................................................. 470

    Task 3: NetFlow ................................................................................................................................. 474

    Task 4: Management protocols ........................................................................................................ 479

    Task 5: Device management ............................................................................................................. 493

    Task 6: Smart Call Home and GOLD .................................................................................................. 503


    Default Lab Topology

    Default passwords and IP addresses

    Default management username / password: admin / IPexpert123

    Other passwords: ipexpert

    Management IP addressing: 172.16.100.0/24

    Management Default Gateway: 172.16.100.254


    Chapter 1:

    Introduction to CCIE

    Data Center

    Chapter 1: Introduction to CCIE Data Center introduces the team of authors, consultants, and editors that completed this book and describes the book's purpose. This chapter also provides suggestions for the usage of this written work.


    Who Should Read this Book?

    This workbook's primary audience is CCIE candidates who are searching for the most comprehensive and error-free materials available covering the CCIE Data Center practical lab exam. These students should possess a home rack of equipment for CCIE-level command-line practice, they should possess an equipment emulator (for certain parts of the topology), or they should rent equipment from a company like www.proctorlabs.com. The authors and technical editors exhaustively tested all of the demonstrations found throughout the technology tasks, troubleshooting and full-scale lab exercises against all practice rack options described earlier. Where issues arise with popular equipment emulators, the text makes note. This book is the most remarkably thorough and technically accurate book written on the CCIE Data Center lab exam to date.

    How to Use this Book

    This book breaks all specific CCIE Data Center technologies down on a chapter-by-chapter basis for a complete and thorough review of this broad set of topics. Each chapter is broken down into various tasks regarding the subject. Following this, the Detailed Solutions Guide provided with this workbook provides an intense examination of the operation of the tasks, including key aspects of troubleshooting for the specific technology. After this, the book presents some of the most common issues that can result with a particular technology-set, and most importantly, details the simple troubleshooting tools and steps that succeed for remediation.

    The final chapters conclude the book with sample lab scenarios that provide a full-scale lab exam as you will see it when you take the actual test. The Detailed Solutions Guide then provides a well-designed approach for troubleshooting each major task and offers detailed explanations. The text provides reference guides for the most popular and powerful show and debug commands for a specific technology.

    Each chapter uses specific initial configurations for that chapter. Readers may download initial configurations, or install them through a simple Graphical User Interface (GUI) on www.proctorlabs.com. Students are encouraged to follow along on a rack of equipment for every section of every chapter. This really enhances and strengthens the learning process.

    An Introduction to CCIE Data Center

    Since the release of the Nexus platform there has been talk about when these platforms would be introduced in a CCIE track. With the introduction of UCS in 2009 this request became even stronger, especially since UCS really took off in sales.


    The scope of the exam is pretty much based on the usual suspects, so in summary you should be aware of the following:

    - UCS B-series blade systems
    - UCS C-series rackmount systems connected to UCS Manager via FEX
    - Virtual Interface Cards (virtualized NICs and HBAs) in all servers
    - Nexus 7000 with all features like VDC, OTV, FabricPath, etc.
    - Nexus 5500 with all features like FCoE, FEX
    - Nexus 2000 connected to either the 5k or the 7k
    - Nexus 1000V distributed virtual switch in ESX
      o There is no mention of any VMware product in the blueprint, so expect ESX and vCenter to be pre-installed on the UCS blades and FC boot to pre-configured disks
    - MDS 9222i for connecting FC storage to UCS
    - ACE appliance
    - DCNM management software

    Availability

    The live exam is available from September 1st. Currently there are no dates when the lab is available.

    Written exam

    The written exam has an extensive blueprint published to Cisco Learning Network (CLN) including a

    reading list.

    The current published reading list:

    - Data Center Fundamentals (ISBN-10: 1-58705-023-4)
    - NX-OS and Cisco Nexus Switching (ISBN-10: 1-58705-892-8)
    - Cisco Unified Computing System (UCS) (ISBN-10: 1-58714-193-0)
    - I/O Consolidation in the Data Center (ISBN-10: 1-58705-888-X)


    - Storage Networking Fundamentals (ISBN-10: 1-58705-162-1)

    Please find the extensive blueprint published by Cisco at the bottom of this blog post.

    Lab exam

    There is not much information available regarding the lab exam. Availability is not mentioned. There is, however, information regarding the hardware list, and this is an immense list of expensive hardware you require:

    Software Versions

    - NXOS v6.0(2) on Nexus 7000 Switches
    - NXOS v5.1(3) on Nexus 5000 Switches
    - NXOS v4.2(1) on Nexus 1000V
    - NXOS v5.2(2) on MDS 9222i Switches
    - UCS Software release 2.0(1x) for UCS-6248 Fabric Interconnect and all UCS systems
    - Software Release A5(1.0) on ACE4710
    - Cisco Data Center Manager software v5.2(2)

    CCIE Storage?

    There are currently no plans to replace CCIE Storage with CCIE Data Center. Because of this, there will not be a large focus on MDS/FC configuration, as there is another track for that.

    What about P and A tracks?

    A CCNA Data Center and CCNP Data Center will be released soon!


    Troubleshooting

    Troubleshooting will be a big part of the exam, which is also pretty clear in the blueprint. There is no confirmation yet how this will be introduced, either using trouble tickets as in the CCIE R&S or just by pre-configuration on the lab. I can imagine that they pre-configured a broken Nexus 1000V on an ESX installation on one of the JBODs. More information on how this troubleshooting is done will be available during other Q&A sessions. The implication is that it might be trouble tickets like the CCIE R&S.

    An Introduction to the Proctor Labs CCIE Data Center hardware rack

    The IPexpert CCIE Data Center rack will support 100% of the features that are tested on the lab! We have based the topology as closely as possible on the CCIE Data Center rack layout, but have ensured that all features and functionality are there.

    Our CCIE Data Center rack layout is based on the very limited information that has been made available by Cisco. IPexpert has been in close contact with the people involved in creating this lab exam, and therefore the layout of the rack is based on some early examples and the published components and software version blueprint.

    As you will see, the topology is very much based on a common datacenter design and has a more 'static' layout than other CCIE tracks.

    The blueprint specified the following components to be in the lab:

    First is the NX-OS Networking equipment.

    - Nexus 7009 (with licensing)
      o (1) Sup
      o (1) 32 Port 10Gb (F1 Module)
      o (1) 32 Port 10Gb (M1 Module)
    - Nexus 5548
    - Nexus 2232

    The Nexus 7000 will be configured with VDCs to simulate various different topologies and create multiple 'core switch' layers within the network.


    not being replaced by the CCIE Data Center, the focus on Storage Networking (SAN) features is not that big. The major topics are more in the features that aren't tested in any other CCIE track.

    The JBODs mentioned in this list represent just plain simple hard-disks that are connected via Fibre Channel. They are used later as shared storage for the UCS system.

    The third major component within the hardware blueprint is the Unified Computing System (UCS).

    - UCS-6248 Fabric Interconnects
    - UCS-5108 Blade Chassis
      o B200 M2 Blade Servers
      o Palo/VIC mezzanine card
      o Menlo/Emulex mezzanine card
    - UCS C200 Series Server = Connected to Fabric Interconnects
      o VIC card for C-series

    This is based on the C-series rackmount servers, connected to the Fabric Interconnects so the C-series can also be managed from the central UCS Manager, the same as the Blade chassis is managed.

    The blades are equipped with different NICs. This also means a slightly different configuration. The VIC cards are the most interesting ones, as they can virtualize NICs to present to the OS.

    Inside the blades there is a pre-installed VMware ESX(i) environment with a Nexus 1000V distributed virtual switch. As this is a Cisco lab exam, you are not required to know anything about VMware. Of course you will need to be able to install this environment in your own lab, but when you step into the lab you will face a pre-installed VMware and 1000V. The switch itself, however, is not configured and you are required to configure it.

The final topic on the blueprint is called ANS (Application Networking Services). This means an ACE appliance is in your lab that you will need to configure. There is not much of interest going on there and you will not see a lot of points on that appliance. You will need to know the topics as described on the lab blueprint, and our workbook will focus a whole section on these specific topics.

The last components are used for management. You will not be configuring these devices, but just using them from your student workstation to access the network.


    Cisco Catalyst Switch 3750 = management ethernet connections

    Cisco 2511 Terminal Server = console lines

What is not mentioned on the hardware blueprint list is that you will also need to be able to configure (or set up) the DCNM software, which Cisco provides when you purchase enough Nexus equipment. Again this is not extremely difficult, but you need to be aware of the basic configuration items related to this software.

    Software Versions

    NXOS v6.0(2) on Nexus 7000 Switches

    NXOS v5.1(3) on Nexus 5000 Switches

    NXOS v4.2(1) on Nexus 1000v

NXOS v5.2(2) on MDS 9222i Switches

UCS Software release 2.0(1x) for UCS-6248 Fabric Interconnect and UCS system

    Software Release A5(1.0) for ACE 4710

    Cisco Data Center Manager software v5.2(2)

Above you'll find a reference overview of the software versions used. The exact versions are still unknown, and we might be using newer software versions, as our IPexpert lab will be using quite new hardware for virtualization purposes. Within the Nexus 7000 we will be using the new Supervisor 2E, meaning that we are able to build 8 VDCs and 1 management VDC, which gives us enough flexibility for some challenging topologies!

    The next chapter of this workbook, Chapter 2: Data Center Networking Layer 2 Infrastructure (NX-OS)

    begins with the initial topic on the CCIE Data Center Blueprint regarding layer 2 switching, VLANs,

    Private-VLANs, Spanning-Tree and other layer 2 features on the NX-OS platform.


Chapter 2: Data Center Networking Layer 2 Infrastructure (NX-OS)

Chapter 2: Data Center Networking Layer 2 Infrastructure (NX-OS) is intended to familiarize you with the NX-OS CLI on the Nexus switches and afterwards configure Layer 2 Ethernet features on the physical Nexus switches within the topology as shown at the beginning of this workbook. We highly recommend creating your own diagram at the beginning of each lab so you are able to draw on your own diagram, making it much easier when you step into the real lab. Our devices start with a blank configuration, which will not be the case when you are in the real lab. There, devices are staged with a configuration containing usernames/passwords, management IP addressing, core IP addressing and (possible) errors.


    Generic Lab topology


    Introduction

This first lab is intended to familiarize you with the NX-OS CLI on the Nexus switches and afterwards configure Layer 2 Ethernet features on the physical Nexus switches within the topology as shown at the beginning of this workbook.

We highly recommend creating your own diagram at the beginning of each lab so you are able to draw on your own diagram, making it much easier when you step into the real lab.

Our devices start with a blank configuration, which will not be the case when you are in the real lab. There, devices are staged with a configuration containing usernames/passwords, management IP addressing, core IP addressing and (possible) errors.

    General Rules

Try to diagram out the task. Draw your own connections the way you like them.

Create a checklist to aid you as you work through the lab.

Take a very close read of the tasks to ensure you don't miss any points during grading!

Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this particular chapter.

    Estimated Time to Complete: 3 hours


    Solutions

    Task 1: General set-up

The write command is no longer available within NX-OS, though you still need to use write erase to erase the configuration from all boxes. When rebooting from an empty configuration you are asked to configure base defaults to manage the system.

Nexus1# write erase
Warning: This command will erase the startup-configuration.
Do you wish to proceed anyway? (y/n) [n] y
Nexus1# reload
This command will reboot the system. (y/n)? [n] y
2012 Aug 26 19:04:24 Nexus1 %$ VDC-1 %$ %PLATFORM-2-PFM_SYSTEM_RESET: Manual system restart from Command Line Interface
writing reset reason 9,
NX7 SUP Ver 3.22.0
Serial Port Parameters from CMOS
PMCON_1: 0x200
PMCON_2: 0x0
PMCON_3: 0x3a
PM1_STS: 0x101
Performing Memory Detection and Testing
Total mem found : 4096 MB
Performing memory test... Passed.
NumCpus = 2.
Status 61: PCI DEVICES Enumeration Started
Status 62: PCI DEVICES Enumeration Ended
Status 9F: Dispatching Drivers
Status 9E: IOFPGA Found
Status 9A: Booting From Primary ROM
Status 98: Found Cisco IDE
Status 98: Found Cisco IDE
Status 90: Loading Boot Loader
Reset Reason Registers: 0x0 0x10
Filesystem type is ext2fs, partition type 0x83
GNU GRUB version 0.97
Autobooting bootflash:/n7000-s1-kickstart.5.1.5.bin bootflash:/n7000-s1-dk9.5.1.5.bin...
Filesystem type is ext2fs, partition type 0x83
Booting kickstart image: bootflash:/n7000-s1-kickstart.5.1.5.bin...........................................................
Image verification OK
INIT: version 2
Checking all filesystems..r.r.r..r done.
Loading system software


/bootflash//n7000-s1-dk9.5.1.5.bin read done
Uncompressing system image: bootflash:/n7000-s1-dk9.5.1.5.bin Sun Aug 26 19:08:10 UTC 2012
blogger: nothing to do.
..done Sun Aug 26 19:08:13 UTC 2012
Load plugins that defined in image conf: /isan/plugin_img/img.conf
Loading plugin 0: core_plugin...
num srgs 1
0: swid-core-supdc3, swid-core-supdc3
num srgs 1
0: swid-supdc3-ks, swid-supdc3-ks
INIT: Entering runlevel: 3
2012 Aug 26 19:08:38 %$ VDC-1 %$ %DAEMON-2-SYSTEM_MSG: Power supply 1 present but all AC/DC inputs are not connected, power redundancy might be affected - platform[2674]
2012 Aug 26 19:08:38 %$ VDC-1 %$ %DAEMON-2-SYSTEM_MSG: Power supply 2 is absent/shutdown, ps-redundancy might be affected - platform[2674]
2012 Aug 26 19:08:38 %$ VDC-1 %$ %DAEMON-2-SYSTEM_MSG: Power supply 3 is absent/shutdown, ps-redundancy might be affected - platform[2674]
2012 Aug 26 19:08:38 %$ VDC-1 %$ %DAEMON-2-SYSTEM_MSG: Power supply 4 is absent/shutdown, ps-redundancy might be affected - platform[2674]
2012 Aug 26 19:08:52 %$ VDC-1 %$ %CMPPROXY-2-LOG_CMP_UP: Connectivity Management processor(on module 9) is now UP
2012 Aug 26 19:08:58 %$ VDC-1 %$ %IDEHSD-2-MOUNT: logflash: online
2012 Aug 26 19:09:09 %$ VDC-1 %$ %COPP-2-COPP_NO_PINST: Control-plane is unprotected.
2012 Aug 26 19:09:12 %$ VDC-1 %$ %VDC_MGR-2-VDC_ONLINE: vdc 1 has come online

---- System Admin Account Setup ----

Do you want to enforce secure password standard (yes/no) [y]: 2012 Aug 26 19:09:14 switch %$ VDC-1 %$ %PLATFORM-2-PS_OK: Power supply 1 ok (Serial number DTM1437011H)
2012 Aug 26 19:09:14 switch %$ VDC-1 %$ %PLATFORM-2-PS_FANOK: Fan in Power supply 1 ok
2012 Aug 26 19:09:15 switch %$ VDC-1 %$ %PLATFORM-2-XBAR_DETECT: Xbar 1 detected (Serial number JAF1524AKTF)
2012 Aug 26 19:09:23 switch %$ VDC-1 %$ %PLATFORM-2-MOD_DETECT: Module 3 detected (Serial number JAF1448BPGN) Module-Type 10 Gbps Ethernet Module Model N7K-M132XP-12
2012 Aug 26 19:09:23 switch %$ VDC-1 %$ %PLATFORM-2-MOD_PWRUP: Module 3 powered up (Serial number JAF1448BPGN)
2012 Aug 26 19:09:25 switch %$ VDC-1 %$ %PLATFORM-2-MOD_DETECT: Module 5 detected (Serial number JAF1448BBDK) Module-Type 10/100/1000 Mbps Ethernet Module Model N7K-M148GT-11
2012 Aug 26 19:09:25 switch %$ VDC-1 %$ %PLATFORM-2-MOD_PWRUP: Module 5 powered up (Serial number JAF1448BBDK)


2012 Aug 26 19:09:38 switch %$ VDC-1 %$ %PLATFORM-2-FANMOD_FAN_OK: Fan module 1 (Fan1(sys_fan1) fan) ok
2012 Aug 26 19:09:38 switch %$ VDC-1 %$ %PLATFORM-2-FANMOD_FAN_OK: Fan module 2 (Fan2(sys_fan2) fan) ok
2012 Aug 26 19:11:51 switch %$ VDC-1 %$ %XBAR-2-XBAR_INSUFFICIENT_XBAR_BANDWIDTH: Module in slot 3 has insufficient xbar-bandwidth.

Enter the password for "admin": IPexpert123
Confirm the password for "admin": IPexpert123

---- Basic System Configuration Dialog VDC: 1 ----

This setup utility will guide you through the basic configuration of
the system. Setup configures only enough connectivity for management
of the system.

Please register Cisco Nexus7000 Family devices promptly with your
supplier. Failure to register may affect response times for initial
service calls. Nexus7000 devices must be registered to receive
entitled support services.

Press Enter at anytime to skip a dialog. Use ctrl-c at anytime
to skip the remaining dialogs.

Would you like to enter the basic configuration dialog (yes/no): no

User Access Verification
switch login: admin
Password:
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2011, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
switch#

Hostnames are configured using the switchname or hostname command. Initially the hostname command was not available when NX-OS was first forked from SAN-OS. Since this caused a lot of confusion, the hostname command has been ported back into NX-OS. When both are configured, the one that was used last will be shown in the configuration. Pay attention to this, as this might be a requirement during the lab.

    switch# conf t

    Enter configuration commands, one per line. End with CNTL/Z.


switch(config)# hostname SW1-1
SW1-1(config)# sh run | in SW1
hostname SW1-1
vdc SW1-1 id 1
SW1-1(config)# switchname SW1-1
SW1-1(config)# sh run | in SW1
switchname SW1-1
vdc SW1-1 id 1
SW1-1(config)# ip domain-name ipexpert.com
SW1-1(config)# no ip domain-lookup
SW1-1(config)#

Configuring the domain name and DNS lookups is equal to how it's done within IOS.

To ensure both SSH and Telnet connections are allowed towards the management (mgmt0) interface of the Nexus, you should enable Telnet using the feature command. SSH is the default mechanism to manage the Nexus switch and therefore the Telnet feature needs to be re-enabled. By default the switch rejects any attempt to telnet. Keep in mind that Telnet carries credentials in clear text, which is why SSH is the default; enable Telnet only when a task explicitly requires it.

To save your configuration using the familiar wr command, the only option is to create a CLI alias, which can be executed from anywhere in the CLI. The write keyword is reserved for erasing the configuration, as we did at the beginning of the lab, so we need to use the abbreviation wr for the alias (which is what most engineers use in real life as well).

SW1-1(config)# sh run int mgmt0

!Command: show running-config interface mgmt0
!Time: Sun Aug 26 19:24:59 2012

version 5.1(5)

interface mgmt0
  ip address 10.160.48.241/24

SW1-1(config)# feature telnet
SW1-1(config)# cli alias name write copy run start
Invalid alias name. Reserved word.
SW1-1(config)# cli alias name wr copy run start
SW1-1(config)# wr
[########################################] 100%
Copy complete, now saving to disk (please wait)...
SW1-1(config)#

Note: The management IP address wasn't erased during the erase of the configuration. This doesn't mean you can just erase your configuration and reload while connected through the Ethernet management connection, because you are required to set a password for the admin user first. Until then you can't log in using the SSH connection, even though SSH log-in is enabled by default.


IPexpert:~ rick$ ssh admin@10.160.48.241
The authenticity of host '10.160.48.241 (10.160.48.241)' can't be established.
RSA key fingerprint is 95:23:75:04:1c:2e:59:f1:be:a1:e5:f7:ff:62:6d:80.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.160.48.241' (RSA) to the list of known hosts.
User Access Verification
Password:
Last login: Sun Aug 26 19:13:54 2012
Bad terminal type: "xterm-256color". Will assume vt100.
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2011, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
SW1-1# exit
Connection to 10.160.48.241 closed.
RetinaRick:~ rick$ telnet 10.160.48.241
Trying 10.160.48.241...
telnet: connect to address 10.160.48.241: Connection refused
telnet: Unable to connect to remote host

Only after enabling the Telnet feature on the CLI are you able to establish a Telnet connection to the device.

IPexpert:~ rick$ telnet 10.160.48.241
Trying 10.160.48.241...
Connected to 10.160.48.241.
Escape character is '^]'.
Password:
telnet> q
Connection closed.
IPexpert:~ rick$

    Configure the other tasks by just navigating through the configuration. You will never remember all

    options available within the OS, but by just navigating using keywords you should be seeing a lot of hints

    pointing to the right solution according to what was asked in the task.

SW1-1(config)# cdp format device-id ?
  mac-address    Mac-address of the Chassis
  serial-number  Chassis Serial Number/OUI
  system-name    System name/Fully Qualified Domain Name (Default)

SW1-1(config)# cdp format device-id serial-number
SW1-1(config)# cdp advertise v2
SW1-1(config)# int mgmt0


SW1-1(config-if)# no cdp enable
SW1-1(config-if)# sh run int mgmt0

!Command: show running-config interface mgmt0
!Time: Sun Aug 26 19:56:49 2012

version 5.1(5)

interface mgmt0
  no cdp enable
  ip address 10.160.48.241/24

SW1-1(config-if)# rate-limit cpu direction ?
  both    Set max input and output packet rate
  input   Set max input packet rate
  output  Set max output packet rate

SW1-1(config-if)# rate-limit cpu direction both pps 999 action log
SW1-1(config-if)# sh run int mgmt0

!Command: show running-config interface mgmt0
!Time: Sun Aug 26 19:57:20 2012

version 5.1(5)

interface mgmt0
  no cdp enable
  ip address 10.160.48.241/24
  rate-limit cpu direction both pps 999 action log

    Task 2: Implement VLANs

The first task tells you to configure all inter-switch links (as seen on the topology drawing) as layer 2 trunks with 802.1Q encapsulation. Besides that, you should only allow a certain number of VLANs, meaning the allowed vlan command should be used.

SW1-1(config)# default interface e3/1
SW1-1(config)# int e3/1
SW1-1(config-if)# sh run int e3/1

!Command: show running-config interface Ethernet3/1
!Time: Thu Sep 6 20:24:28 2012

version 5.1(5)

interface Ethernet3/1

SW1-1(config-if)# switchport
SW1-1(config-if)# sw mode trunk
SW1-1(config-if)# sw trunk allowed vlan 100-499
This will cause VLANS to be overwritten. Continue anyway? [yes] yes


Because this command caused a lot of outages in the world, Cisco implemented a safeguard that asks you to confirm that you really want this command to be entered.

SW1-1(config-if)# sh run int e3/1

!Command: show running-config interface Ethernet3/1
!Time: Thu Sep 6 20:24:39 2012

version 5.1(5)

interface Ethernet3/1
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 100-499

In classic IOS you only saw the shutdown command under the interface. Within NX-OS the opposite is true and you only see the no shutdown. Don't think the port is enabled when you see the configuration above. You really need to see the no shutdown command under the interface before it really works!

SW1-1(config-if)# no shut
SW1-1(config-if)# sh run int e3/1

!Command: show running-config interface Ethernet3/1
!Time: Thu Sep 6 20:24:47 2012

version 5.1(5)

interface Ethernet3/1
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 100-499
  no shutdown

SW1-1(config-if)#

To remove a specific range (or one VLAN) from the allowed range, you don't need to enter the whole range again as you would need to in older IOS releases. NX-OS supports the remove command and an except command.

Be aware when using the except command, because it replaces your allowed list (here 100-499) with all VLANs except the one you specify, without warning you! Besides, it's not what the task asked you. You should remove the VLAN from the allowed range without re-specifying the range. We do this with the remove command.

SW1-1(config-if)# switchport trunk allowed vlan except 333
SW1-1(config-if)# sh run int e3/1

!Command: show running-config interface Ethernet3/1
!Time: Thu Sep 6 20:29:42 2012


version 5.1(5)

interface Ethernet3/1
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 1-332,334-3967,4048-4093
  no shutdown

SW1-1(config-if)# sw trunk allowed vlan 100-499
This will cause VLANS to be overwritten. Continue anyway? [yes]
SW1-1(config-if)# sw trunk allowed vlan remove 333
SW1-1(config-if)# sh run int e3/1

!Command: show running-config interface Ethernet3/1
!Time: Thu Sep 6 20:30:05 2012

version 5.1(5)

interface Ethernet3/1
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 100-332,334-499
  no shutdown

SW1-1(config-if)#

Of course the proctor will never be able to verify whether you used this single command, but this workbook prepares you for the lab and every possible question. So this task shows you the possibilities of the OS.

The next tasks will be about configuring the VTP protocol. This protocol ensures all VLANs are distributed throughout the network. As with almost all features within NX-OS, you need to enable it first before configuring it. The tasks in the workbook will push you to configure about every feature VTP has, and the following configuration will show you all those steps.

If you check the Cisco Documentation about Layer 2 Switching you will see similar configuration examples, which is also what you will see when you sit the lab. Most questions can be related to the Documentation, as that was used during the creation of the lab itself.

    SW1-1(config)# feature vtp

Once enabled, the vtp command becomes available. When you check the options you have, you will see that about every task can be answered with these commands.

SW1-1(config)# vtp ?
  domain    Set the name of the VTP administrative domain
  file      Set the name of the VTP file name
  mode      Configure VTP device mode
  password  Set the password for the VTP administrative domain
  pruning   Set the adminstrative domain to permit pruning


  version   Set the adminstrative domain to VTP version

SW1-1(config)# vtp domain IPexpert
SW1-1(config)# vtp pruning

VTP pruning is the option to allow VLANs to be removed from switches where they are not required. This limits the broadcast domains created (automatically) using VTP. The automatic creation of these broadcast domains is also the main reason why VTP is not recommended in large datacenters.

    SW1-1(config)# vtp version ?

    Set the adminstrative domain to VTP version

    The task asks you to configure the latest version. Which is the highest number?

SW1-1(config)# vtp version 2
SW1-1(config)# vtp file ?
  bootflash:  URI for vlan.dat
  usb1:       URI for vlan.dat
  usb2:       URI for vlan.dat

Vlan.dat has historically been the VLAN database. Today it's the VTP database, which is stored separately on the flash. When you erase the configuration of an NX-OS device, the VTP information will remain on the flash and will be configured again when VTP is re-enabled.

SW1-1(config)# vtp file ipexpert.dat
SW1-1(config)# vtp mode server

The mode we are looking for in the task is that SW1 is the VTP server for the network, while SW2 and SW3 are the clients. This way SW2 and SW3 are not able to create VLANs. When you try to do this, you will get an error message.

    SW1-1(config)# vtp password ipexpert

    Verify that everything is properly configured

SW1-1(config)# sh vtp status
VTP Status Information
----------------------
VTP Version                     : 2 (capable)
Configuration Revision          : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 9
VTP Operating Mode              : Server
VTP Domain Name                 : IPexpert
VTP Pruning Mode                : Enabled (Operationally Enabled)
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled


MD5 Digest                      : 0xF3 0xA6 0x62 0x7A 0xB1 0x85 0x77 0x40
Configuration last modified by 0.0.0.0 at 8-26-12 21:14:51
Local updater ID is 0.0.0.0
VTP version running             : 2

    To verify the VTP password a different command is required

SW1-1(config)# show vtp password
VTP password: ipexpert

    After creating the VLANs in the next task you should verify on all switches if VTP pushed the information

    to those switches. After configuring the names of the VLANs, verify again, as VTP should be pushing that

    information towards all switches as well.

SW1-1(config)# vlan 101-104
SW1-1(config-vlan)# exit
SW1-1(config)# vlan 101
SW1-1(config-vlan)# name IPexpertVLAN101
SW1-1(config-vlan)# vlan 102
SW1-1(config-vlan)# name IPexpertVLAN102
SW1-1(config-vlan)# vlan 103
SW1-1(config-vlan)# name IPexpertVLAN103
SW1-1(config-vlan)# vlan 104
SW1-1(config-vlan)# name IPexpertVLAN104
SW1-1(config-vlan)# sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
101  IPexpertVLAN101                  active    Eth3/1
102  IPexpertVLAN102                  active    Eth3/1
103  IPexpertVLAN103                  active    Eth3/1
104  VLAN0104                         active    Eth3/1
1002 fddi-default                     suspended
1003 token-ring-default               suspended
1004 fddinet-default                  suspended
1005 trnet-default                    suspended

VLAN Type  Vlan-mode
---- ----- ----------
1    enet  CE
101  enet  CE
102  enet  CE
103  enet  CE
104  enet  CE
1002 enet  CE
1003 enet  CE
1004 enet  CE
1005 enet  CE

Remote SPAN VLANs


-------------------------------------------------------------------------------

Primary  Secondary  Type             Ports
-------  ---------  ---------------  -------------------------------------------

As you can see, the name of VLAN 104 hasn't been changed yet. This is caused by the fact that VLANs are still located in some sort of database within the configuration. You first need to exit out of the VLAN configuration mode before the changes are applied.

SW1-1(config-vlan)# exit
SW1-1(config)# sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
101  IPexpertVLAN101                  active    Eth3/1
102  IPexpertVLAN102                  active    Eth3/1
103  IPexpertVLAN103                  active    Eth3/1
104  IPexpertVLAN104                  active    Eth3/1
1002 fddi-default                     suspended
1003 token-ring-default               suspended
1004 fddinet-default                  suspended
1005 trnet-default                    suspended

VLAN Type  Vlan-mode
---- ----- ----------
1    enet  CE
101  enet  CE
102  enet  CE
103  enet  CE
104  enet  CE
1002 enet  CE
1003 enet  CE
1004 enet  CE
1005 enet  CE

Remote SPAN VLANs
-------------------------------------------------------------------------------

Primary  Secondary  Type             Ports
-------  ---------  ---------------  -------------------------------------------

SW1-1(config)#


Now verify the VLANs on all 3 switches to ensure that everything has been synchronized using VTP.

The last option to configure in this task is a special case. You really need to pay attention to what is happening in the show command.

Pay close attention that in the IGMP snooping show command VLAN 105 is shown, while in show vlan you don't see this VLAN 105. You probably need to check the Cisco Documentation for this feature, but it's meant for pre-staging VLANs without creating them first.

This means it's possible to enable IGMP snooping on a VLAN before it's created, so that this configuration is applied immediately when the VLAN is deployed.

It's a corner-case feature, but Cisco is known to use those particular features in 1 or 2 point tasks within the CCIE lab. So this could be easy points to get when you know what they are looking for, or you could easily lose points when you don't and also have no clue where to look. Again, looking at the Cisco Documentation helps a lot in this case and it should be easy to spot this feature in the layer 2 documentation guide.

SW1-1(config)# vlan configuration 105
SW1-1(config-vlan-config)# ?
  ip              Configure IP features
  no              Negate a command or set its defaults
  service-policy  Configure service policy for an interface
  end             Go to exec mode
  exit            Exit from command interpreter
  pop             Pop mode from stack or restore from name
  push            Push current mode to stack or save it under name
  where           Shows the cli context you are in

SW1-1(config-vlan-config)# ip igmp snooping

Another feature to configure in this section is a service-policy. With this policy you can apply QoS markings or policing at VLAN level instead of port level. Be aware that you will mark and police ALL traffic entering and exiting the VLAN on this switch.

    SW1-1(config-vlan-config)# service-policy type qos

After enabling IGMP snooping, VLAN 105 shows up in the IGMP snooping show output, just like the task required you to. Still, the VLAN hasn't been created yet.

SW1-1(config)# exit
SW1-1# wr
[########################################] 100%
Copy complete, now saving to disk (please wait)...
SW1-1#


Save your configuration before moving on with the next task. Frequently saving your configuration might save you a lot of trouble when you are configuring features that might cause the box to crash, or when you reload the box without saving and lose precious points!

    Task 3: Implement Private-VLANs

The assignments in this task are created in such a way that you are building a private VLAN based network. The assignments become quite clear when you read the full task before starting the configuration, as the assignments individually can be a little difficult to understand, but the entire picture is much clearer.

Private VLANs are set up in such a way that traffic is protected between certain ports. There is a Primary VLAN which only contains the so-called promiscuous ports. These ports can receive all traffic from all ports that are associated with this primary VLAN. This means that the client ports are in other VLANs than the promiscuous port.

The secondary VLANs can be created in 2 ways: the Isolated and Community VLANs are these 2 types of secondary VLANs. The Isolated version means that all ports that are configured in these VLANs cannot communicate with each other, as pointed out in the drawing below. Within the layer 2 domain of this particular VLAN, ports will never communicate with each other, but can only talk to the promiscuous port in the primary VLAN with which they are associated. The second type is the Community VLAN. All interfaces in these VLANs can communicate with each other within the same Community VLAN. This means that hosts in different community VLANs cannot communicate with each other. Again, these community VLANs are able to talk to the promiscuous port in the primary VLAN with which they are associated.

The drawing below illustrates the possible (and impossible) traffic flows.


    The associations / mappings between primary and secondary VLANs need to be manually configured on the switch ports. The final piece is that it's also possible to trunk Private VLANs between different switches. This means that a promiscuous port doesn't need to be on the same switch as the host ports. Therefore a whole isolated section of your network can be spread across different switches.

    The promiscuous port doesn't have to be a physical Ethernet port. It's also possible to create a VLAN interface (SVI) which acts as the promiscuous port for that particular Primary VLAN.

    The first assignment points you to create a promiscuous port for an external firewall which will receive all traffic connected to Primary VLAN 200.

    As with all features on the NX-OS platform, the private VLAN feature also needs to be activated first, before any of its commands are available in the CLI.

    SW1-1(config)# feature private-vlan

    Then the VLAN needs to be created and made primary, which we do under the VLAN configuration.


    SW1-1(config)# vlan 200
    SW1-1(config-vlan)# private-vlan ?
      association  Configure association between private VLANs
      community    Configure the VLAN as community private VLAN
      isolated     Configure the VLAN as isolated private VLAN
      primary      Configure the VLAN as primary private VLAN
    SW1-1(config-vlan)# private-vlan primary
    SW1-1(config-vlan)# sh vlan private-vlan
    Primary  Secondary  Type             Ports
    -------  ---------  ---------------  -------------------------------------------

    We still don't see anything, but this is because we need to exit the VLAN configuration before it's applied to the switch.

    SW1-1(config-vlan)# exit

    ERROR: Private VLANs can only be configured in VTP transparent/off modes

    We receive an error: VTP is not able to carry private VLAN information. This is true for the versions of VTP supported on the NX-OS platform. Older Catalyst switches running IOS or even CatOS also support VTP version 3, which is capable of carrying the private VLAN configuration. This code is currently not implemented in NX-OS.

    SW1-1(config)# vtp mode transparent
    SW1-1(config)# vlan 200
    SW1-1(config-vlan)# private-vlan primary
    SW1-1(config-vlan)# exit
    SW1-1(config)# int e3/19
    SW1-1(config-if)# switchport
    SW1-1(config-if)# sw mode private-vlan promiscuous

    When we change VTP to transparent mode we do see that the changes are applied and that we enabled a primary VLAN. We don't have to create any mappings yet, as that will come in the following assignments.

    SW1-1(config)# sh vlan private-vlan
    Primary  Secondary  Type             Ports
    -------  ---------  ---------------  -------------------------------------------
    200                 primary          E3/19

    The next assignment is a combination of enabling isolated ports on the same switch. Before they are able to communicate with the promiscuous port and the firewall, some mappings need to be created.


    SW1-1(config)# vlan 201
    SW1-1(config-vlan)# private-vlan isolated
    SW1-1(config)# vlan 200
    SW1-1(config-vlan)# private-vlan association 201
    SW1-1(config-vlan)# exit
    SW1-1(config)# sh vlan private-vlan
    Primary  Secondary  Type             Ports
    -------  ---------  ---------------  -------------------------------------------
    200      201        isolated
    SW1-1(config)#
    SW1-1(config)# int e3/19
    SW1-1(config-if)# sw private-vlan ?
      association       Private vlan trunk association
      host-association  Set the private VLAN host association
      mapping           Set the private VLAN trunk promiscuous mapping
      trunk             Set the private vlan trunking configuration
    SW1-1(config-if)# sw private-vlan mapping ?
                        Primary private VLAN
      trunk             Private-vlan trunk promiscuous
    SW1-1(config-if)# sw private-vlan mapping 200 ?
                        Secondary VLAN IDs
      add               Add a VLAN to private VLAN list
      remove            Remove a VLAN from private VLAN list
    SW1-1(config-if)# sw private-vlan mapping 200 201

    After the creation of the new isolated VLAN, a mapping needs to be made between the primary and secondary VLANs. This is done under the primary VLAN configuration and under the promiscuous port. With this model of having to create the mapping in multiple places it is sometimes a bit difficult to remember every spot where the mapping needs to be done, but in real life you will see that this model gives you a lot of flexibility and you are able to create almost any topology with it.

    Now the final step is to create the same mapping on the isolated host ports.

    SW1-1(config)# int ethernet 3/20-21
    SW1-1(config-if-range)# switchport mode private-vlan ?
      host         Port mode pvlan host
      promiscuous  Port mode pvlan promiscuous
      trunk        Private-vlan trunk promiscuous
    SW1-1(config-if-range)# switchport mode private-vlan host
    ERROR: Ethernet3/20-21: requested config change not allowed


    Don't forget to enable the port on the Nexus 7000 as a switchport, as by default the ports are in non-switching mode.

    SW1-1(config-if-range)# int e3/20
    SW1-1(config-if)# switchport
    SW1-1(config-if)# switchport mode private-vlan host
    SW1-1(config-if)# switchport private-vlan host-association ?
                        Primary VLAN ID
    SW1-1(config-if)# switchport private-vlan host-association 200 ?
                        Secondary VLAN ID
    SW1-1(config-if)# switchport private-vlan host-association 200 201
    SW1-1(config-if)#
    SW1-1(config-if)# int e3/21
    SW1-1(config-if)# switchport
    SW1-1(config-if)# switchport mode private-vlan host
    SW1-1(config-if)# sw priv host-association 200 201
    SW1-1(config-if)# exit
    SW1-1(config)#
    SW1-1(config)# sh vlan private-vlan
    Primary  Secondary  Type             Ports
    -------  ---------  ---------------  -------------------------------------------
    200      201        isolated         Eth3/19, Eth3/20, Eth3/21

    After the mapping has been created on all 3 ports (promiscuous and host ports) you will see this mapping in the show vlan output. All 3 ports are shown here, but this doesn't mean that the ports can communicate with each other. The type isolated means that this is not possible between the host ports; they can only talk to the promiscuous port.

    The following 2 assignments point you in the direction of community VLANs. Hosts in these VLANs are able to communicate with each other, but not between different community VLANs, and of course they are able to communicate towards the promiscuous port.

    Remember that all traffic on this promiscuous port is untagged. So it's not possible to distinguish traffic between different secondary VLANs on the firewall (virtually connected to port Ethernet 3/19).

    SW1-1(config)# vlan 202
    SW1-1(config-vlan)# private-vlan community
    SW1-1(config-vlan)# vlan 203
    SW1-1(config-vlan)# private-vlan community
    SW1-1(config-vlan)# vlan 200
    SW1-1(config-vlan)# private-vlan association add 202-203
    SW1-1(config-vlan)# sh vlan private
    Primary  Secondary  Type             Ports
    -------  ---------  ---------------  -------------------------------------------
    200      201        isolated         Eth3/19, Eth3/20, Eth3/21
             202        community
             203        community


    When the new community VLANs are added, again the mapping needs to be created between the primary and the secondary VLANs.

    The next step is that the interfaces need to be assigned to the correct community.

    SW1-1(config-vlan)# int e3/22-23
    SW1-1(config-if-range)# switch
    SW1-1(config-if-range)# switchport mode private-vlan host
    SW1-1(config-if-range)# switchport private host 200 202

    Next is the second set of ports, which are not allowed to communicate with the hosts in VLAN 202.

    SW1-1(config-if-range)# int e3/24-25
    SW1-1(config-if-range)# switch
    SW1-1(config-if-range)# switchport mode private-vlan host
    SW1-1(config-if-range)# switchport private host 200 203
    SW1-1(config-if-range)# sh vlan private
    Primary  Secondary  Type             Ports
    -------  ---------  ---------------  -------------------------------------------
    200      201        isolated         Eth3/19, Eth3/20, Eth3/21
    200      202        community        Eth3/22, Eth3/23
    200      203        community        Eth3/24, Eth3/25

    And finally, don't forget to add the community VLANs to the promiscuous port, otherwise they won't be able to communicate with the firewall!

    Don't forget the add keyword in the command; otherwise you will overwrite all currently enabled VLANs, just like is possible with the trunk allowed vlan command!

    SW1-1(config-if-range)# int e3/19
    SW1-1(config-if)# sw private mapping 200 add 202-203
    SW1-1(config-if)# sh vlan private
    Primary  Secondary  Type             Ports
    -------  ---------  ---------------  -------------------------------------------
    200      201        isolated         Eth3/19, Eth3/20, Eth3/21
    200      202        community        Eth3/19, Eth3/22, Eth3/23
    200      203        community        Eth3/19, Eth3/24, Eth3/25
    SW1-1(config-if)#
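    The isolated/community/promiscuous rules described in this task are easy to get wrong when only the show output is in front of you: the table lists Eth3/19 next to every host port, yet only some of those pairs can actually exchange frames. The following Python script is an added example (it is not part of the workbook and not a Cisco tool). It parses a copy of the show vlan private-vlan output above, applies the forwarding rules from the text, and reports which secondary VLANs a promiscuous port has not been mapped to, which is the state the table shows before the add 202-203 command was entered. The show output is a constructed copy of the tables above; the set of promiscuous ports has to be passed in, because the table does not show port modes.

```python
"""Parse NX-OS 'show vlan private-vlan' output and check private VLAN reachability.

Added example for this section (not from the workbook or from Cisco). It applies the
private VLAN forwarding rules described in the text to the port list shown by the
switch. Which ports are promiscuous has to be supplied, because the table does not
show port modes.
"""
import re
from itertools import combinations

# Constructed sample: the complete mapping after 'sw private mapping 200 add 202-203'.
PVLAN_COMPLETE = """\
Primary  Secondary  Type             Ports
-------  ---------  ---------------  -------------------------------------------
200      201        isolated         Eth3/19, Eth3/20, Eth3/21
200      202        community        Eth3/19, Eth3/22, Eth3/23
200      203        community        Eth3/19, Eth3/24, Eth3/25
"""

# Constructed sample: the intermediate state before the community VLANs were
# added to the promiscuous port Eth3/19.
PVLAN_INCOMPLETE = """\
Primary  Secondary  Type             Ports
-------  ---------  ---------------  -------------------------------------------
200      201        isolated         Eth3/19, Eth3/20, Eth3/21
200      202        community        Eth3/22, Eth3/23
200      203        community        Eth3/24, Eth3/25
"""

ROW = re.compile(r"^(\d+)\s+(\d+)\s+(isolated|community)\s*(.*)$")


def parse_pvlan_table(text):
    """Return (primary, secondary, type, [ports]) for every data row; the header,
    the separator and rows without a secondary VLAN are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            primary, secondary, kind, ports = m.groups()
            rows.append((int(primary), int(secondary), kind,
                         [p.strip() for p in ports.split(",") if p.strip()]))
    return rows


def build_roles(rows, promiscuous):
    """Map each port to (primary, secondary, role). A promiscuous port is listed
    under every secondary of its primary, so it gets secondary=None. A host port
    that appears under two secondary VLANs is a misconfiguration."""
    roles = {}
    for primary, secondary, kind, ports in rows:
        for port in ports:
            if port in promiscuous:
                roles[port] = (primary, None, "promiscuous")
            elif port in roles:
                raise ValueError(f"{port} is a host port in two secondary VLANs")
            else:
                roles[port] = (primary, secondary, kind)
    return roles


def can_communicate(a, b, roles):
    """Rules from the text: a promiscuous port talks to every port of its primary;
    isolated ports talk only to the promiscuous port; community ports also talk
    to each other within the same community VLAN; ports in different secondary
    VLANs never talk to each other directly."""
    pa, sa, ra = roles[a]
    pb, sb, rb = roles[b]
    if pa != pb:
        return False
    if "promiscuous" in (ra, rb):
        return True
    return sa == sb and ra == "community"


def reachable_pairs(roles):
    """All unordered port pairs that are allowed to exchange frames."""
    return sorted((a, b) for a, b in combinations(sorted(roles), 2)
                  if can_communicate(a, b, roles))


def missing_promiscuous_mappings(rows, promiscuous):
    """Secondary VLANs a promiscuous port is not mapped to: the gap the text warns
    about when a VLAN is never added with 'switchport private-vlan mapping'."""
    by_primary = {}
    for primary, secondary, _kind, ports in rows:
        by_primary.setdefault(primary, []).append((secondary, ports))
    missing = []
    for port in sorted(promiscuous):
        for primary, secs in by_primary.items():
            if not any(port in ports for _, ports in secs):
                continue  # this promiscuous port belongs to another primary VLAN
            missing.extend((port, primary, sec) for sec, ports in secs if port not in ports)
    return missing


if __name__ == "__main__":
    roles = build_roles(parse_pvlan_table(PVLAN_COMPLETE), {"Eth3/19"})
    for a, b in reachable_pairs(roles):
        print(f"{a} <-> {b}")
    print("missing:", missing_promiscuous_mappings(parse_pvlan_table(PVLAN_INCOMPLETE), {"Eth3/19"}))
```

    With the complete table only 8 of the 21 port pairs are allowed to talk: Eth3/19 with each of the six host ports, Eth3/22 with Eth3/23, and Eth3/24 with Eth3/25. Run against the intermediate table, missing_promiscuous_mappings() returns VLANs 202 and 203 for Eth3/19, which is exactly what the add 202-203 command fixes.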

    The next task requires you to create a different primary VLAN. This primary VLAN will not be configured on a physical interface, but under a layer 3 interface on the core switch (SW1-1). This is a virtual promiscuous port. The configuration, however, is basically the same as for a physical interface!

    SW1-1(config)# vlan 204
    SW1-1(config-vlan)# private-vlan primary
    SW1-1(config-vlan)# exit
    SW1-1(config)# interface vlan 204
                             ^
    Invalid interface format at '^' marker.

    On the NX-OS platform it's not possible to configure VLAN interfaces (SVIs) right away. Again, you need to enable the feature first!

    SW1-1(config)# feature interface-vlan
    SW1-1(config)# interface vlan 204
    SW1-1(config-if)# ip address 10.1.10.254/24
    SW1-1(config-if)# no shut
    SW1-1(config-if)# private-vlan mapping 205
    SW1-1(config-if)# exit

    On the SVI, the private VLAN mapping of the secondary VLANs to this primary VLAN needs to be configured.

    SW1-1(config)# sh int vlan 204 private-vlan mapping
    Interface  Secondary VLAN
    ---------  ----------------------------------------------------------------

    For the next task another isolated VLAN needs to be created. This VLAN is associated with the special primary VLAN. After that configuration the mapping is visible on the SVI of VLAN 204.

    SW1-1(config)# vlan 205
    SW1-1(config-vlan)# private-vlan isolated
    SW1-1(config-vlan)# vlan 204
    SW1-1(config-vlan)# private-vlan association 205
    SW1-1(config-vlan)# exit
    SW1-1(config)# sh int vlan 204 private-vlan mapping
    Interface  Secondary VLAN
    ---------  ----------------------------------------------------------------
    vlan204    205

    The next task requires the use of so-called private VLAN trunk links, as the hosts are not connected directly to SW1-1 but to SW2. Private VLAN trunk links can carry traffic for normal VLANs and private VLANs at the same time.

    The trunk can be configured to carry primary VLANs to multiple switches or to carry secondary VLANs across multiple switches. In this task we configure the first trunk link to pass only secondary VLANs.

    SW1-1

    SW1-1(config)# int e3/1
    SW1-1(config-if)# sw mode private-vlan trunk ?
      promiscuous  Port mode trunk promiscuous
      secondary    Port mode trunk isolated
    SW1-1(config-if)# sw mode private-vlan trunk secondary
    SW1-1(config-if)# sw private-vlan trunk allowed vlan 205
    SW1-1(config-if)# sw privat association trunk 204 205


    SW2

    SW2(config)# feature private-vlan
    SW2(config)# vtp mode transparent
    SW2(config)# vlan 205
    SW2(config-vlan)# private-vlan isolated
    SW2(config-vlan)# exit
    SW2(config)# int e1/1
    SW2(config-if)# sw mode private-vlan trunk secondary
    SW2(config-if)# sw private-vlan trunk allowed vlan 205

    When configuring private VLAN trunks you don't need to change the normal trunk allowed vlan command, as the private VLANs on the private-vlan trunk allowed list are automatically added to the normal VLAN allowed list. On SW2 the same configuration is required to carry the secondary VLAN.

    As SW2 does not know VLAN 204 (the Primary VLAN) it's not necessary to create the association there, because the mapping for this is done on SW1-1.

    Next are the hosts that need to be configured in the newly created secondary VLAN on SW2. Remember that VTP is disabled for this purpose, so you need to manually create the private VLAN on SW2. The host association does need to be made to ensure the interface is a member of VLAN 205.

    SW2(config)# int e1/21-23
    SW2(config-if-range)# switchport
    SW2(config-if-range)# sw mode private-vlan host
    SW2(config-if-range)# sw private-vlan host-association 204 205
    SW2(config-if-range)# no shut

    The final task is that a second trunk link needs to be enabled to extend the current VLANs. You are required to use a different trunk link for this. There are 2 ways to solve this case. The easiest way is to just extend the secondary VLANs, just like we did in the previous assignment. The other solution is to extend the primary private VLAN to SW2 and create new VLANs 201 and 202 there to connect those special hosts. The problem this creates is that the community VLAN on SW2 is then not the same as the community VLAN on SW1, which means that your connectivity is broken and you are not completing the requirements of this task successfully.

    SW1-1

    SW1-1(config)# int e3/2
    SW1-1(config-if)# sw mode private-vlan trunk secondary
    SW1-1(config-if)# sw private-vlan trunk allowed vlan 201-202
    SW1-1(config-if)# sw privat association trunk 200 201
    SW1-1(config-if)# sw privat association trunk 200 202

    SW2

    SW2(config)# vlan 201
    SW2(config-vlan)# private-vlan isolated
    SW2(config-vlan)# exit


    SW2(config)# vlan 202
    SW2(config-vlan)# private-vlan community
    SW2(config-vlan)# exit
    SW2(config)# int e1/2
    SW2(config-if)# sw mode private-vlan trunk secondary
    SW2(config-if)# sw private-vlan trunk allowed vlan 201-202
    SW2(config)# int e1/24-25
    SW2(config-if-range)# switchport
    SW2(config-if-range)# sw mode private-vlan host
    SW2(config-if-range)# sw private-vlan host-association 200 201
    SW2(config-if-range)# no shut
    SW2(config)# int e1/26
    SW2(config-if-range)# switchport
    SW2(config-if-range)# sw mode private-vlan host
    SW2(config-if-range)# sw private-vlan host-association 200 202
    SW2(config-if-range)# no shut

    Now you have successfully completed task 3!

    Task 4: Implement Rapid Spanning-Tree protocol

    Rapid Per-VLAN Spanning-Tree is enabled by default on NX-OS systems. This implementation is a Cisco proprietary way of running Rapid Spanning-Tree (IEEE 802.1w) per VLAN. Classical spanning-tree is no longer supported. Still, Rapid-PVST+ (Cisco's implementation) supports backwards compatibility with classic STP.

    One important difference with classical STP is that Rapid-PVST+ assumes that network (core) links are point-to-point without any hops in between (hubs). This assumption allows a much quicker convergence time, and convergence is interrupt driven instead of timer driven like in classical STP.

    The spanning-tree port type is an important command which you should configure wisely! It can help convergence a lot, for both host and network links, when it is properly configured. When host ports are configured as Edge ports they are also not able to start a Topology Change (TC) towards the network, which would initiate spanning-tree convergence. A flap of an edge interface therefore does not start a topology change in the network, keeping the spanning-tree network much more stable!

    The first task tells you that all host connecting ports should be configured as edge ports so they don't generate topology changes. Doing this with a range command will ease your life and save you precious CCIE lab time.

    SW2

    SW2(config)# interface e1/10-15
    SW2(config-if-range)# spanning-tree port type ?
      edge     Consider the interface as edge port (enable portfast)
      network  Consider the interface as inter-switch link
      normal   Consider the interface as normal spanning tree port


    SW2(config-if-range)# spanning-tree port type edge
    Warning: edge port type (portfast) should only be enabled on ports connected to a single
    host. Connecting hubs, concentrators, switches, bridges, etc... to this
    interface when edge port type (portfast) is enabled, can cause temporary
    bridging loops.
    Use with CAUTION

    Edge Port Type (Portfast) will be configured in 6 interfaces due to the range command
    but will only have effect when the interfaces are in a non-trunking mode.
    SW2(config-if-range)#

    SW3

    SW3(config)# interface e1/10-15
    SW3(config-if-range)# spanning-tree port type edge
    SW3(config-if-range)#

    The command warns you that it will only have effect when the ports are configured in switchport mode access, plus that spanning-tree portfast is enabled so interfaces will come up fast when hosts are connected.

    The second assignment requires you to configure the root bridge for the spanning-tree instance in VLAN 101. There are 2 ways to do this, but there is no indication which one needs to be used, so use whatever you think is your favorite way to configure this.

    The first way is by configuring manual priority values. Choose low values for this, just as a best practice. There is a fixed set of values that you are able to use for the spanning-tree priority. Don't mind if you don't remember these from the top of your head: when you type in a wrong value, the CLI will automatically tell you which values are possible.

    SW2(config)# spanning-tree vlan 101 priority 4093
    ERROR: % Bridge priority must be in increments of 4096
    Allowed values are:
    0 4096 8192 12288 16384 20480 24576 28672
    32768 36864 40960 45056 49152 53248 57344 61440
    SW2(config)# spanning-tree vlan 101 priority 4096
    SW2(config)#

    The second, and currently preferred, way is to enable the root functionality with the dedicated commands for this. The switch then configures a dedicated priority for either the root or the backup root bridge. The default root priority value is 24576. When there is already a bridge on the network with a lower priority than this (meaning it's the current spanning-tree root bridge), the switch will choose a priority value 4096 lower than the current lowest priority value in the network, so when using this command the switch will always become the root bridge. Of course this is not maintained: when a new switch with a lower value comes online, that one will become the root bridge. This is a one-time configuration action; at the moment you enter the command, the switch computes its priority and becomes the root.

    For the backup root bridge this fixed value is 28672, without a fallback mechanism to ensure it's always the backup root. The switch can't determine a suitable backup root bridge priority value, as this is unknown on the local switch.

    The next assignment tells you to tune the timers of the Rapid-PVST+ process for VLAN 101. You can easily configure lower timers for this, but how will you know what the best timer values for this network are? Well, that's quite difficult. Therefore NX-OS has an automatic way of configuring this, using the special diameter keyword. The diameter automatically calculates the best timer values based on the maximum number of hops between 2 hosts of the network. As our network consists of 3 layer 2 switches, the diameter should be configured as 3.

    SW2

    SW2(config)# spanning-tree vlan 101 root primary diameter 3

    SW3

    SW3(config)# spanning-tree vlan 101 root secondary diameter 3

    Assignments 4 and 5 of this task need to be read together, otherwise you might be configuring the same thing twice, which will cost you time. The task is that SW1 is the root bridge for VLAN 102. Together with that, you need to ensure that no new (unknown) switch can become the root bridge of the network. Of course you will never know what the pre-configuration of that new switch might look like, but we can make some assumptions here and ensure that the priority values are as low as possible. The key point in assignment 5 is that the new switch will be configured with default spanning-tree priority values. The default spanning-tree priority value is 32768, which means we need to configure our network with values lower than that, while ensuring SW1 will be the primary root bridge for VLAN 102.

    SW1

    SW1-1(config)# spanning-tree vlan 101 priority 8192

    SW2

    SW2(config)# spanning-tree vlan 101 priority 16384

    SW3

    SW3(config)# spanning-tree vlan 101 priority 16384
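    The two priority discussions in this task (how root primary and root secondary pick their values, and why every lab switch must sit below the 32768 default so an unknown switch cannot take over the root role) are easier to reason about with the election written out. The Python module below is an added example, not from the workbook or from Cisco. It mirrors the CLI's increments-of-4096 check, computes the priority root primary would select as the text describes it, and elects a root from a constructed set of bridges using the priorities configured above. The MAC addresses, the bridge names and the handling of a root that already sits at exactly 24576 are assumptions; the extended system ID is left out of the bridge ID comparison.

```python
"""Rapid-PVST+ bridge priority helpers.

Added example for this section (not from the workbook or from Cisco). It reproduces
the CLI's priority check, the priority that 'root primary' / 'root secondary' select
as described in the text, and a check of whether a switch with default priority
could take over the root role. Bridge IDs are compared on priority and then MAC
address, as in 802.1D; the extended system ID is left out for brevity.
"""
PRIORITY_STEP = 4096
PRIORITY_MAX = 61440
DEFAULT_PRIORITY = 32768          # what an unconfigured switch uses
ROOT_PRIMARY_PRIORITY = 24576     # chosen by 'root primary' when nothing lower exists
ROOT_SECONDARY_PRIORITY = 28672   # fixed value chosen by 'root secondary'


def allowed_priorities():
    """The 16 values the CLI lists in its error message."""
    return list(range(0, PRIORITY_MAX + 1, PRIORITY_STEP))


def validate_priority(value):
    """Same rule as the CLI: a multiple of 4096 between 0 and 61440."""
    if not 0 <= value <= PRIORITY_MAX or value % PRIORITY_STEP:
        raise ValueError(
            f"Bridge priority must be in increments of {PRIORITY_STEP}; "
            f"allowed values are {allowed_priorities()}")
    return value


def root_primary_priority(current_root_priority):
    """Priority 'spanning-tree vlan <id> root primary' picks: 24576, unless the
    current root already has that or a lower value, then 4096 below it.
    Assumption: a root sitting at exactly 24576 is also undercut, because an
    equal priority would leave the election to the MAC address."""
    if current_root_priority is None or current_root_priority > ROOT_PRIMARY_PRIORITY:
        return ROOT_PRIMARY_PRIORITY
    if current_root_priority < PRIORITY_STEP:
        raise ValueError("current root already uses priority 0; nothing lower is available")
    return current_root_priority - PRIORITY_STEP


def root_secondary_priority():
    """'root secondary' always picks 28672 and does not track the network."""
    return ROOT_SECONDARY_PRIORITY


def bridge_id(priority, mac):
    """Sortable bridge ID: lower priority wins, the MAC address breaks ties."""
    return (priority, int(mac.replace(":", "").replace(".", ""), 16))


def elect_root(bridges):
    """bridges: {name: (priority, mac)}. Returns the name of the root bridge."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def newcomer_outcome(bridges, newcomer_priority=DEFAULT_PRIORITY):
    """What happens when a switch with newcomer_priority joins: 'root' if it beats
    every existing bridge on priority alone, 'tie' if it equals the current best
    (the MAC address decides), 'not root' if an existing bridge has a lower priority."""
    best = min(priority for priority, _ in bridges.values())
    if newcomer_priority < best:
        return "root"
    if newcomer_priority == best:
        return "tie"
    return "not root"


# Constructed topology with the priorities configured in the text for
# assignments 4 and 5; the MAC addresses are made up.
LAB_BRIDGES = {
    "SW1": (8192, "00:00:00:00:00:03"),
    "SW2": (16384, "00:00:00:00:00:01"),
    "SW3": (16384, "00:00:00:00:00:02"),
}

if __name__ == "__main__":
    print("root:", elect_root(LAB_BRIDGES))
    print("default-priority newcomer:", newcomer_outcome(LAB_BRIDGES))
    print("root primary against a root at 8192:", root_primary_priority(8192))
```

    With the lab values SW1 wins the election and a newcomer at the 32768 default is not root, which is the outcome assignments 4 and 5 ask for. The same module shows why root primary is not a guarantee: against a root already at 8192 it would pick 4096, and a later switch configured with 0 would still win.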

    The next assignment is about steering traffic within the spanning-tree network. This means that we are going to change spanning-tree costs to alter the layer 2 path through the network and influence which link is going to be blocked. By default Rapid-PVST+ on NX-OS is using the so-called short path-cost
