8/9/2019 IPexpert-CCIE-Data-Center-Volume-1-Detailed-Solution-Chapters-1-8.pdf
1/513
IPexpert's Lab Preparation Detailed Solution Guide
for the Cisco CCIE Data Center v1.0 Lab Exam
Volume 1
Authored by: Rick Mur - CCIE³ #21946 (R&S / SP / Storage), JNCIE-SP #851
CCIE Data Center Lab Preparation Detailed Solution Guide
Copyright by IPexpert. All rights reserved. 1
IPexpert's Lab Preparation Detailed Solution Guide for
Cisco's CCIE Data Center Lab
Before We Begin
This product is part of the IPexpert suite of materials that provide CCIE candidates and network
engineers with a comprehensive training program. For information about the full solution, contact an
IPexpert Training Advisor today.
Telephone: +1.810.326.1444
Email: [email protected]
Congratulations! You now possess one of the ULTIMATE CCIE™ Lab preparation and network
operation resources available today! This resource was produced by senior engineers, technical
instructors, and authors boasting decades of internetworking experience. Although there is no way to
guarantee a 100% success rate on the CCIE Data Center Lab exam, we feel VERY confident that your
chances of passing the Lab will improve dramatically after completing this industry-recognized
Workbook!
Technical Support from IPexpert, and your CCIE community!
IPexpert is proud to lead the industry with multiple support options at your disposal free of charge. Our
online communities have attracted a membership of over 20,000 of your peers from around the world!
At blog.ipexpert.com, you can keep up to date with everything IPexpert does and read the latest in
technical articles from world-renowned IPexpert instructors. At OnlineStudyList.com, you may subscribe
to multiple SPAM-free, moderated CCIE-focused email lists.
Feedback
Do you have a suggestion or other feedback regarding this book or other IPexpert products? At IPexpert,
we look to you, our valued clients, for the real-world, frontline evaluation that we believe is necessary
so that we may always improve. Please send an email with your thoughts to [email protected] or
call 1.866.225.8064 (international callers dial +1.810.326.1444).
In addition, for those using this book as CCIE™ preparation, when you pass the CCIE™ Lab exam, we
want to hear about it! Email your CCIE™ number to [email protected] and let us know how
IPexpert helped you succeed. We would like to send you a gift of thanks and congratulations.
Additional CCIE™ Preparation Material
IPexpert, Inc. is committed to developing the most effective Cisco CCIE™ R&S, Security, Voice, Wireless
and Data Center Lab certification preparation tools available. Our team of certified networking
professionals develops the most up-to-date and comprehensive materials for networking certification,
including self-paced workbooks, online Cisco hardware rental, classroom training, online (distance
learning) instructor-led training, audio products, and video training materials. Unlike other certification-
training providers, we employ the most experienced and accomplished teams of experts to create,
maintain, and constantly update our products. At IPexpert, we focus on making your CCIE™ Lab
preparation more effective.
Issues with this Book
This book is carefully edited to ensure the accuracy of all content. Should you find any error whatsoever,
please email a page reference and detailed comment to [email protected]. Your email will be
responded to promptly.
IPEXPERT END-USER LICENSE AGREEMENT
END USER LICENSE FOR ONE (1) PERSON ONLY
IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS,
DO NOT OPEN OR USE THE TRAINING MATERIALS.
This is a legally binding agreement between you and IPEXPERT, the Licensor, from whom you have
licensed the IPEXPERT training materials (the Training Materials). By using the Training Materials, you
agree to be bound by the terms of this License, except to the extent these terms have been modified by
a written agreement (the Governing Agreement) signed by you (or the party that has licensed the
Training Materials for your use) and an executive officer of Licensor. If you do not agree to the License
terms, the Licensor is unwilling to license the Training Materials to you. In this event, you may not use
the Training Materials, and you should promptly contact the Licensor for return instructions.
The Training Materials shall be used by only ONE (1) INDIVIDUAL who shall be the sole individual
authorized to use the Training Materials throughout the term of this License.
Copyright and Proprietary Rights
The Training Materials are the property of IPEXPERT, Inc. ("IPEXPERT") and are protected by United
States and International copyright laws. All copyright, trademark, and other proprietary rights in the
Training Materials and in the Training Materials, text, graphics, design elements, audio, and all other
materials originated by IPEXPERT at its site, in its workbooks, scenarios and courses (the "IPEXPERT
Information") are reserved to IPEXPERT.
The Training Materials cannot be used by or transferred to any other person. You may not rent, lease,
loan, barter, sell or time-share the Training Materials or accompanying documentation. You may not
reverse engineer, decompile, or disassemble the Training Materials. You may not modify, or create
derivative works based upon the Training Materials in whole or in part. You may not reproduce, store,
upload, post, transmit, download or distribute in any form or by any means, electronic, mechanical,
recording or otherwise any part of the Training Materials and IPEXPERT Information other than printing
out or downloading portions of the text and images for your own personal, non-commercial use without
the prior written permission of IPEXPERT.
You shall observe copyright and other restrictions imposed by IPEXPERT. You may not use the Training
Materials or IPEXPERT Information in any manner that infringes the rights of any person or entity.
Exclusions of Warranties
THE TRAINING MATERIALS AND DOCUMENTATION ARE PROVIDED AS IS. LICENSOR HEREBY DISCLAIMS
ALL OTHER WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WITHOUT LIMITATION, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. SOME STATES
DO NOT ALLOW THE LIMITATION OF INCIDENTAL DAMAGES OR LIMITATIONS ON HOW LONG AN
IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATIONS OR EXCLUSIONS MAY NOT APPLY TO YOU. This
agreement gives you specific legal rights, and you may have other rights that vary from state to state.
Choice of Law and Jurisdiction
This Agreement shall be governed by and construed in accordance with the laws of the State of
Michigan, without reference to any conflict of law principles. You agree that any litigation or other
proceeding between you and Licensor in connection with the Training Materials shall be brought in the
Michigan state or courts located in Port Huron, Michigan, and you consent to the jurisdiction of such
courts to decide the matter. The parties agree that the United Nations Convention on Contracts for the
International Sale of Goods shall not apply to this License. If any provision of this Agreement is held
invalid, the remainder of this License shall continue in full force and effect.
Limitation of Claims and Liability
ANY ACTION ON ANY CLAIM AGAINST IPEXPERT MUST BE BROUGHT BY THE USER WITHIN ONE (1) YEAR
FOLLOWING THE DATE THE CLAIM FIRST ACCRUED, OR SHALL BE DEEMED WAIVED. IN NO EVENT WILL
THE LICENSOR'S LIABILITY UNDER, ARISING OUT OF, OR RELATING TO THIS AGREEMENT EXCEED THE
AMOUNT PAID TO LICENSOR FOR THE TRAINING MATERIALS. LICENSOR SHALL NOT BE LIABLE FOR ANY
SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES, HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, REGARDLESS OF WHETHER LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES. WITHOUT LIMITING THE FOREGOING, LICENSOR WILL NOT BE LIABLE FOR LOST
PROFITS, LOSS OF DATA, OR COSTS OF COVER.
Entire Agreement
This is the entire agreement between the parties and may not be modified except in writing signed by
both parties.
U.S. Government - Restricted Rights
The Training Materials and accompanying documentation are commercial computer Training
Materials and commercial computer Training Materials documentation, respectively, pursuant to
DFAR Section 227.7202 and FAR Section 12.212, as applicable. Any use, modification, reproduction
release, performance, display, or disclosure of the Training Materials and accompanying documentation
by the U.S. Government shall be governed solely by the terms of this Agreement and shall be prohibited
except to the extent expressly permitted by the terms of this Agreement.
IF YOU DO NOT AGREE WITH THE ABOVE TERMS AND CONDITIONS, DO NOT OPEN OR USE THE
TRAINING MATERIALS AND CONTACT LICENSOR FOR INSTRUCTIONS ON RETURN OF THE TRAINING
MATERIALS.
Task 1: Layer 3 topology set-up .......................................................................................................... 66
Task 2: Static routing........................................................................................................................... 75
Task 3: EIGRP ....................................................................................................................................... 81
Task 4: OSPF ........................................................................................................................................ 94
Task 5: Redistribution, BFD and ECMP ............................................................................................. 116
Task 6: Layer 3 switching features .................................................................................................... 124
Task 7: FabricPath and OTV .............................................................................................................. 127
Chapter 4: Data Center Networking High Availability (NX-OS) ................................................................. 139
General Rules ........................................................................................................................................ 140
Solutions ............................................................................................................................................... 141
Task 1: Topology set-up ........................................................................................................................ 141
Task 2: Port-Channels ....................................................................................................................... 143
Task 3: Virtual Port-Channels (vPCs) ................................................................................................. 166
Task 4: Graceful Restart / Non-Stop Forwarding .............................................................................. 184
Task 5: HSRP ...................................................................................................................................... 188
Task 6: VRRP ...................................................................................................................................... 198
Task 7: GLBP ...................................................................................................................................... 202
Task 8: Virtual Port-Channels (vPCs) and FabricPath ........................................................................ 206
Chapter 5: Data Center Storage Networking ............................................................................................ 210
General Rules ........................................................................................................................................ 211
Solutions ............................................................................................................................................... 212
Task 1: Initial set-up .......................................................................................................................... 212
Task 2: VSANs .................................................................................................................................... 227
Task 3: Zoning ................................................................................................................................... 244
Task 4: FC Domain ............................................................................................................................. 254
Task 5: Fibre Channel Security Features ........................................................................................... 260
Task 6: Advanced Features ............................................................................................................... 271
Chapter 6: Data Center Storage Networking Extension ........................................................................... 276
General Rules ........................................................................................................................................ 277
Solutions ............................................................................................................................................... 278
Task 1: Initial set-up .......................................................................................................................... 278
Task 2: FCIP ....................................................................................................................................... 282
Task 3: FCIP Security ......................................................................................................................... 297
Task 4: SAN Extension Tuner ............................................................................................................ 301
Task 5: iSCSI....................................................................................................................................... 304
Task 6: iSLB ........................................................................................................................................ 323
Chapter 7: Data Center Unified Fabric ...................................................................................................... 340
General Rules ........................................................................................................................................ 341
Solutions ............................................................................................................................................... 342
Task 1: Native Fibre Channel on Nexus ............................................................................................. 342
Task 2: Fibre Channel over Ethernet (FCoE) ..................................................................................... 353
Task 3: Multi hop FCoE ..................................................................................................................... 358
Task 4: FCoE Quality of Service (QoS) ............................................................................................... 371
Task 5: N-Port Virtualization (NPV) and N-Port ID Virtualization (NPIV) .......................................... 381
Task 6: FCoE NPV .............................................................................................................................. 391
Chapter 8: Security Features ..................................................................................................................... 393
General Rules ........................................................................................................................................ 394
Solutions ............................................................................................................................................... 395
Task 1: Port Security ......................................................................................................................... 395
Task 2: DHCP Snooping, DAI, IP Source Guard .................................................................................. 412
Task 3: Access Control Lists ............................................................................................................... 419
Task 4: AAA services.......................................................................................................................... 435
Task 5: 802.1X ................................................................................................................................... 448
Task 6: Cisco TrustSec ....................................................................................................................... 451
Chapter 9: Management Features ............................................................................................................ 455
General Rules ........................................................................................................................................ 456
Solutions ............................................................................................................................................... 457
Task 1: Role Based Access Control (RBAC) ........................................................................................ 457
Task 2: Traffic monitoring ................................................................................................................. 470
Task 3: NetFlow ................................................................................................................................. 474
Task 4: Management protocols ........................................................................................................ 479
Task 5: Device management ............................................................................................................. 493
Task 6: Smart Call Home and GOLD .................................................................................................. 503
Default Lab Topology
Default passwords and IP addresses
Default management username / password: admin / IPexpert123
Other passwords: ipexpert
Management IP addressing: 172.16.100.0/24
Management Default Gateway: 172.16.100.254
Chapter 1: Introduction to CCIE Data Center
Chapter 1: Introduction to CCIE Data Center introduces the team of authors, consultants, and editors
that completed this book and describes the book's purpose. This chapter also provides suggestions for
the usage of this written work.
Who Should Read this Book?
This workbook's primary audience is those CCIE candidates that are searching for the most
comprehensive and error-free materials available covering the CCIE Data Center practical lab exam.
These students should possess a home rack of equipment for CCIE-level command-line practice, they
should possess an equipment emulator (for certain parts of the topology), or they should rent
equipment from a company like www.proctorlabs.com. The authors and technical editors exhaustively
tested all of the demonstrations found throughout the technology tasks, troubleshooting and full-scale
lab exercises against all practice rack options described earlier. Where issues arise with popular
equipment emulators, the text makes note. This book is the most remarkably thorough and technically
accurate book written on the CCIE Data Center lab exam to date.
How to Use this Book
This book breaks all specific CCIE Data Center technologies down on a chapter-by-chapter basis for a
complete and thorough review of this broad set of topics. Each chapter is broken down into various tasks
regarding the subject. Following this, the Detailed Solutions Guide provided with this workbook provides
an intense examination of the operation of the tasks, including key aspects of troubleshooting for the
specific technology. After this, the book presents some of the most common issues that can result with a
particular technology set and, most importantly, details the simple troubleshooting tools and steps that
succeed for remediation.
The final chapters conclude the book with sample lab scenarios that provide a full-scale lab exam as you
will see it when you take the actual test. The Detailed Solutions Guide then provides a well-designed
approach for troubleshooting each major task and offers detailed explanations. The text provides
reference guides for the most popular and powerful show and debug commands for a specific
technology.
Each chapter uses its own specific initial configurations. Readers may download initial
configurations, or install them in a simple Graphical User Interface (GUI) on www.proctorlabs.com.
Students are encouraged to follow along on a rack of equipment for every section of every chapter. This
really enhances and strengthens the learning process.
An Introduction to CCIE Data Center
Since the release of the Nexus platform there has been talk about when these platforms were to be
introduced in a CCIE track. With the introduction of UCS in 2009 this became an even more frequent request,
especially since UCS really took off in sales.
The scope of the exam is pretty much based on the usual suspects, so in summary you should be aware
of the:
UCS B-series blade systems
UCS C-series rackmount systems connected to UCS Manager via FEX
Virtual Interface Cards (virtualized NICs and HBAs) in all servers
Nexus 7000 with all features like VDC, OTV, FabricPath, etc.
Nexus 5500 with all features like FCoE, FEX
Nexus 2000 connected to either the 5k or the 7k
Nexus 1000V distributed virtual switch in ESX
    o There is no mention of any VMware product in the blueprint, so expect ESX and vCenter to be pre-installed on the UCS blades and FC boot to pre-configured disks
MDS 9222i for connecting FC storage to UCS
ACE appliance
DCNM management software
Availability
The live exam is available from September 1st. Currently there are no dates when the lab is available.
Written exam
The written exam has an extensive blueprint published to Cisco Learning Network (CLN) including a
reading list.
The current published reading list:
Data Center Fundamentals (ISBN-10: 1-58705-023-4)
NX-OS and Cisco Nexus Switching (ISBN-10: 1-58705-892-8)
Cisco Unified Computing System (UCS) (ISBN-10: 1-58714-193-0)
I/O Consolidation in the Data Center (ISBN-10: 1-58705-888-X)
Storage Networking Fundamentals (ISBN-10: 1-58705-162-1)
Please find the extensive blueprint published by Cisco on the bottom of this blog post.
Lab exam
There is not much information available regarding the lab exam. Availability is not mentioned. There is,
however, information regarding the hardware list, and this is an immense list of expensive hardware you
require:
Software Versions
NXOS v6.0(2) on Nexus 7000 Switches
NXOS v5.1(3) on Nexus 5000 Switches
NXOS v4.2(1) on Nexus 1000V
NXOS v5.2(2) on MDS 9222i Switches
UCS Software release 2.0(1x) for UCS-6248 Fabric Interconnect and all UCS systems
Software Release A5(1.0) on ACE4710
Cisco Data Center Manager software v5.2(2)
CCIE Storage?
There are currently no plans for replacing CCIE Storage for CCIE Datacenter. Because of this, there will
not be a large focus on MDS/FC configuration as there is another track for that.
What about P and A tracks?
A CCNA Data Center and CCNP Data Center will be released soon!
Troubleshooting
Troubleshooting will be a big part of the exam, which is also pretty clear in the blueprint. There is no
confirmation yet how this will be introduced, either using tickets as in the CCIE R&S or just by pre-
configuration on the lab. I can imagine that they pre-configured a broken Nexus 1000V on an ESX
installation on one of the JBODs. More information on how this troubleshooting is done will be available
during other Q&A sessions. The implication is that it might be trouble tickets like the CCIE R&S.
An Introduction to the Proctor Labs CCIE Data Center hardware rack
The IPexpert CCIE Data Center rack will support 100% of the features that are tested on the lab! We
have based the topology as closely as possible on the CCIE Data Center rack layout, but have ensured
that all features and functionality are there.
Our CCIE Data Center rack layout is based on the very limited information that has been made available
by Cisco. IPexpert has been in close contact with the people involved in creating this lab exam, and
therefore the layout of the rack is based on some early examples and the published components and
software version blueprint.
As you will see, the topology is very much based on a common data center design and has a more 'static'
layout than other CCIE tracks.
The blueprint specified the following components to be in the lab:
First is the NX-OS Networking equipment.
Nexus 7009 (with licensing)
    o (1) Sup
    o (1) 32 Port 10Gb (F1 Module)
    o (1) 32 Port 10Gb (M1 Module)
Nexus 5548
Nexus 2232
The Nexus 7000 will be configured with VDCs to simulate various different topologies and create
multiple 'core switch' layers within the network.
not being replaced by the CCIE Data Center, the focus on Storage Networking (SAN) features is not that
big. The major topics are more in the features that aren't tested in any other CCIE track.
The JBODs mentioned in this list represent just plain simple hard disks that are connected via Fibre
Channel. They are used later as shared storage for the UCS system.
The third major component within the hardware blueprint is the Unified Computing System (UCS).
UCS-6248 Fabric Interconnects
UCS-5108 Blade Chassis
    o B200 M2 Blade Servers
    o Palo/VIC mezzanine card
    o Menlo/Emulex mezzanine card
UCS C200 Series Server = Connected to Fabric Interconnects
    o VIC card for C-series
This is based on the C-series rackmount servers, connected to the Fabric Interconnects so the C-series
can also be managed from the central UCS Manager the same as the Blade chassis is managed.
The blades are equipped with different NICs. This also means a slightly different configuration. The VIC
cards are the most interesting ones as they can virtualize NICs to present to the OS.
Once inside the blades there is a pre-installed VMware ESX(i) environment with a Nexus 1000V
distributed virtual switch. As this is a Cisco lab exam, you are not required to know anything about
VMware. Of course you will need to be able to install this environment in your own lab, if you have one, but
when you step into the lab you will face a pre-installed VMware and 1000V. After that, the switch is not
configured and you are required to configure it.
The final topic on the blueprint is called ANS (Application Networking Services). This means an ACE
appliance is in your lab that you will need to configure. There is not much very interesting going on there
and you will not see a lot of points on that appliance. You will need to know the topics as described on
the lab blueprint, and our workbook will focus a whole section on these specific topics.
The last components are used for management. You will not be configuring these devices, but just using
them from your student workstation to access the network.
Cisco Catalyst Switch 3750 = management ethernet connections
Cisco 2511 Terminal Server = console lines
What is not mentioned on the hardware blueprint list is that you will also need to be able to configure
(or set up) the DCNM software, which is given by Cisco when you purchase enough Nexus equipment.
Again this is not extremely difficult, but you need to be aware of the basic configuration items related to
this software.
Software Versions
NXOS v6.0(2) on Nexus 7000 Switches
NXOS v5.1(3) on Nexus 5000 Switches
NXOS v4.2(1) on Nexus 1000V
NXOS v5.2(2) on MDS 9222i Switches
UCS Software release 2.0(1x) for UCS-6248 Fabric Interconnect and UCS system
Software Release A5(1.0) for ACE 4710
Cisco Data Center Manager software v5.2(2)
Above you'll find a reference overview of the software versions used. The exact versions are still
unknown, and we might be using newer software versions, as our IPexpert lab will be using quite new
hardware for virtualization purposes. Within the Nexus 7000 we will be using the new Supervisor 2E,
meaning that we are able to build 8 VDCs plus 1 management VDC, which gives us enough flexibility
for some challenging topologies!
The next chapter of this workbook, Chapter 2: Data Center Networking Layer 2 Infrastructure (NX-OS)
begins with the initial topic on the CCIE Data Center Blueprint regarding layer 2 switching, VLANs,
Private-VLANs, Spanning-Tree and other layer 2 features on the NX-OS platform.
Chapter 2: Data Center Networking Layer 2 Infrastructure (NX-OS)
Chapter 2: Data Center Networking Layer 2 Infrastructure (NX-OS) is intended to familiarize you
with the NX-OS CLI on the Nexus switches and afterwards configure Layer 2 Ethernet features on the
physical Nexus switches within the topology as shown at the beginning of this workbook. We highly
recommend creating your own diagram at the beginning of each lab so you are able to draw on your
own diagram, making it much easier when you step into the real lab. Our devices start with a blank
configuration, which will not be the case when you are in the real lab. There, devices are staged with a
configuration containing usernames/passwords, management IP addressing, core IP addressing and
(possible) errors.
Generic Lab topology
Introduction
This first lab is intended to familiarize you with the NX-OS CLI on the Nexus switches and afterwards
configure Layer 2 Ethernet features on the physical Nexus switches within the topology as shown at the
beginning of this workbook.
We highly recommend creating your own diagram at the beginning of each lab so you are able to draw
on your own diagram, making it much easier when you step into the real lab.
Our devices start with a blank configuration, which will not be the case when you are in the real lab.
There, devices are staged with a configuration containing usernames/passwords, management IP
addressing, core IP addressing and (possible) errors.
General Rules
Try to diagram out the task. Draw your own connections the way you like.
Create a checklist to aid you as you work through the lab.
Take a very close read of the tasks to ensure you don't miss any points during grading!
Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this
particular chapter.
Estimated Time to Complete: 3 hours
Solutions
Task 1: General set-up
The write command is no longer available within NX-OS, although you still need to use write erase to
erase the configuration from all boxes. When rebooting from an empty configuration you are asked to
configure base defaults to manage the system.
Nexus1# write erase
Warning: This command will erase the startup-configuration.
Do you wish to proceed anyway? (y/n) [n] y
Nexus1# reload
This command will reboot the system. (y/n)? [n] y
2012 Aug 26 19:04:24 Nexus1 %$ VDC-1 %$ %PLATFORM-2-PFM_SYSTEM_RESET: Manual system restart from Command Line Interface
writing reset reason 9,
NX7 SUP Ver 3.22.0
Serial Port Parameters from CMOS
PMCON_1: 0x200
PMCON_2: 0x0
PMCON_3: 0x3a
PM1_STS: 0x101
Performing Memory Detection and Testing
Total mem found : 4096 MB
Performing memory test... Passed.
NumCpus = 2.
Status 61: PCI DEVICES Enumeration Started
Status 62: PCI DEVICES Enumeration Ended
Status 9F: Dispatching Drivers
Status 9E: IOFPGA Found
Status 9A: Booting From Primary ROM
Status 98: Found Cisco IDE
Status 98: Found Cisco IDE
Status 90: Loading Boot Loader
Reset Reason Registers: 0x0 0x10
Filesystem type is ext2fs, partition type 0x83
GNU GRUB version 0.97
Autobooting bootflash:/n7000-s1-kickstart.5.1.5.bin bootflash:/n7000-s1-dk9.5.1.5.bin...
Filesystem type is ext2fs, partition type 0x83
Booting kickstart image: bootflash:/n7000-s1-kickstart.5.1.5.bin.......................................................................................................Image verification OK
INIT: version 2
Checking all filesystems..r.r.r..r done.
Loading system software
/bootflash//n7000-s1-dk9.5.1.5.bin read done
Uncompressing system image: bootflash:/n7000-s1-dk9.5.1.5.bin Sun Aug 26 19:08:10 UTC 2012
blogger: nothing to do.
..done Sun Aug 26 19:08:13 UTC 2012
Load plugins that defined in image conf: /isan/plugin_img/img.conf
Loading plugin 0: core_plugin...
num srgs 1
0: swid-core-supdc3, swid-core-supdc3
num srgs 1
0: swid-supdc3-ks, swid-supdc3-ks
INIT: Entering runlevel: 3
2012 Aug 26 19:08:38 %$ VDC-1 %$ %DAEMON-2-SYSTEM_MSG: Power supply 1 present but all AC/DC inputs are not connected, power redundancy might be affected - platform[2674]
2012 Aug 26 19:08:38 %$ VDC-1 %$ %DAEMON-2-SYSTEM_MSG: Power supply 2 is absent/shutdown, ps-redundancy might be affected - platform[2674]
2012 Aug 26 19:08:38 %$ VDC-1 %$ %DAEMON-2-SYSTEM_MSG: Power supply 3 is absent/shutdown, ps-redundancy might be affected - platform[2674]
2012 Aug 26 19:08:38 %$ VDC-1 %$ %DAEMON-2-SYSTEM_MSG: Power supply 4 is absent/shutdown, ps-redundancy might be affected - platform[2674]
2012 Aug 26 19:08:52 %$ VDC-1 %$ %CMPPROXY-2-LOG_CMP_UP: Connectivity Management processor (on module 9) is now UP
2012 Aug 26 19:08:58 %$ VDC-1 %$ %IDEHSD-2-MOUNT: logflash: online
2012 Aug 26 19:09:09 %$ VDC-1 %$ %COPP-2-COPP_NO_PINST: Control-plane is unprotected.
2012 Aug 26 19:09:12 %$ VDC-1 %$ %VDC_MGR-2-VDC_ONLINE: vdc 1 has come online
---- System Admin Account Setup ----
Do you want to enforce secure password standard (yes/no) [y]: 2012 Aug 26 19:09:14 switch %$ VDC-1 %$ %PLATFORM-2-PS_OK: Power supply 1 ok (Serial number DTM1437011H)
2012 Aug 26 19:09:14 switch %$ VDC-1 %$ %PLATFORM-2-PS_FANOK: Fan in Power supply 1 ok
2012 Aug 26 19:09:15 switch %$ VDC-1 %$ %PLATFORM-2-XBAR_DETECT: Xbar 1 detected (Serial number JAF1524AKTF)
2012 Aug 26 19:09:23 switch %$ VDC-1 %$ %PLATFORM-2-MOD_DETECT: Module 3 detected (Serial number JAF1448BPGN) Module-Type 10 Gbps Ethernet Module Model N7K-M132XP-12
2012 Aug 26 19:09:23 switch %$ VDC-1 %$ %PLATFORM-2-MOD_PWRUP: Module 3 powered up (Serial number JAF1448BPGN)
2012 Aug 26 19:09:25 switch %$ VDC-1 %$ %PLATFORM-2-MOD_DETECT: Module 5 detected (Serial number JAF1448BBDK) Module-Type 10/100/1000 Mbps Ethernet Module Model N7K-M148GT-11
2012 Aug 26 19:09:25 switch %$ VDC-1 %$ %PLATFORM-2-MOD_PWRUP: Module 5 powered up (Serial number JAF1448BBDK)
2012 Aug 26 19:09:38 switch %$ VDC-1 %$ %PLATFORM-2-FANMOD_FAN_OK: Fan module 1 (Fan1(sys_fan1) fan) ok
2012 Aug 26 19:09:38 switch %$ VDC-1 %$ %PLATFORM-2-FANMOD_FAN_OK: Fan module 2 (Fan2(sys_fan2) fan) ok
2012 Aug 26 19:11:51 switch %$ VDC-1 %$ %XBAR-2-XBAR_INSUFFICIENT_XBAR_BANDWIDTH: Module in slot 3 has insufficient xbar-bandwidth.
Enter the password for "admin": IPexpert123
Confirm the password for "admin": IPexpert123
---- Basic System Configuration Dialog VDC: 1 ----
This setup utility will guide you through the basic configuration of
the system. Setup configures only enough connectivity for management
of the system.
Please register Cisco Nexus7000 Family devices promptly with your
supplier. Failure to register may affect response times for initial
service calls. Nexus7000 devices must be registered to receive
entitled support services.
Press Enter at anytime to skip a dialog. Use ctrl-c at anytime
to skip the remaining dialogs.
Would you like to enter the basic configuration dialog (yes/no): no
User Access Verification
switch login: admin
Password:
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2011, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
switch#
Hostnames are configured using the switchname or hostname command. Initially the hostname command
was not available, because NX-OS was originally forked from SAN-OS. Since this caused a lot of
confusion, the hostname command has been ported back into NX-OS. When both are configured, the one
used last will be shown in the configuration. Pay attention to this, as it might be a requirement during
the lab.
switch# conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# hostname SW1-1
SW1-1(config)# sh run | in SW1
hostname SW1-1
vdc SW1-1 id 1
SW1-1(config)# switchname SW1-1
SW1-1(config)# sh run | in SW1
switchname SW1-1
vdc SW1-1 id 1
SW1-1(config)# ip domain-name ipexpert.com
SW1-1(config)# no ip domain-lookup
SW1-1(config)#
Configuring the domain name and DNS lookups works the same way as in IOS.
To ensure both SSH and Telnet connections are allowed towards the management (mgmt0) interface of
the Nexus, you have to enable Telnet using the feature command. SSH is the default mechanism to
manage the Nexus switch and therefore the Telnet feature needs to be enabled explicitly. By default the
switch rejects any Telnet attempts.
To save your configuration using the wr command, the only option is to create a CLI alias, which can be
executed from anywhere in the CLI. The write command is reserved for erasing the configuration,
as we did at the beginning of the lab, so we need to use an abbreviation for the alias name (which is
what most engineers use in real life as well).
SW1-1(config)# sh run int mgmt0
!Command: show running-config interface mgmt0
!Time: Sun Aug 26 19:24:59 2012
version 5.1(5)
interface mgmt0
  ip address 10.160.48.241/24
SW1-1(config)# feature telnet
SW1-1(config)# cli alias name write copy run start
Invalid alias name. Reserved word.
SW1-1(config)# cli alias name wr copy run start
SW1-1(config)# wr
[########################################] 100%
Copy complete, now saving to disk (please wait)...
SW1-1(config)#
Note: The management IP address wasn't erased when the configuration was erased. This doesn't
mean you can simply erase your configuration and reload while connected over the Ethernet management
connection, because you are required to set a password for the admin user in the setup dialog first.
Until then you can't log in over the SSH connection, even though SSH login is enabled by default.
IPexpert:~ rick$ ssh admin@10.160.48.241
The authenticity of host '10.160.48.241 (10.160.48.241)' can't be established.
RSA key fingerprint is 95:23:75:04:1c:2e:59:f1:be:a1:e5:f7:ff:62:6d:80.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.160.48.241' (RSA) to the list of known hosts.
User Access Verification
Password:
Last login: Sun Aug 26 19:13:54 2012
Bad terminal type: "xterm-256color". Will assume vt100.
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2011, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
SW1-1# exit
Connection to 10.160.48.241 closed.
RetinaRick:~ rick$ telnet 10.160.48.241
Trying 10.160.48.241...
telnet: connect to address 10.160.48.241: Connection refused
telnet: Unable to connect to remote host
Only after enabling the Telnet feature on the CLI are you able to establish a Telnet connection to the
device.
IPexpert:~ rick$ telnet 10.160.48.241
Trying 10.160.48.241...
Connected to 10.160.48.241.
Escape character is '^]'.
Password:
telnet> q
Connection closed.
IPexpert:~ rick$
Configure the other tasks by just navigating through the configuration. You will never remember all
options available within the OS, but by navigating with keywords you will see a lot of hints
pointing to the right solution for what was asked in the task.
SW1-1(config)# cdp format device-id ?
  mac-address    Mac-address of the Chassis
  serial-number  Chassis Serial Number/OUI
  system-name    System name/Fully Qualified Domain Name (Default)
SW1-1(config)# cdp format device-id serial-number
SW1-1(config)# cdp advertise v2
SW1-1(config)# int mgmt0
SW1-1(config-if)# no cdp enable
SW1-1(config-if)# sh run int mgmt0
!Command: show running-config interface mgmt0
!Time: Sun Aug 26 19:56:49 2012
version 5.1(5)
interface mgmt0
  no cdp enable
  ip address 10.160.48.241/24
SW1-1(config-if)# rate-limit cpu direction ?
  both    Set max input and output packet rate
  input   Set max input packet rate
  output  Set max output packet rate
SW1-1(config-if)# rate-limit cpu direction both pps 999 action log
SW1-1(config-if)# sh run int mgmt0
!Command: show running-config interface mgmt0
!Time: Sun Aug 26 19:57:20 2012
version 5.1(5)
interface mgmt0
  no cdp enable
  ip address 10.160.48.241/24
  rate-limit cpu direction both pps 999 action log
Task 2: Implement VLANs
The first task tells you to configure all inter-switch links (as seen on the topology drawing) as
layer 2 trunks with 802.1Q encapsulation. Besides that, you should only allow a certain range of
VLANs, meaning the switchport trunk allowed vlan command should be used.
SW1-1(config)# default interface e3/1
SW1-1(config)# int e3/1
SW1-1(config-if)# sh run int e3/1
!Command: show running-config interface Ethernet3/1
!Time: Thu Sep 6 20:24:28 2012
version 5.1(5)
interface Ethernet3/1
SW1-1(config-if)# switchport
SW1-1(config-if)# sw mode trunk
SW1-1(config-if)# sw trunk allowed vlan 100-499
This will cause VLANS to be overwritten. Continue anyway? [yes] yes
Because this command has caused a lot of outages around the world, Cisco implemented a safeguard that
asks whether you are really sure you want this command to be entered.
SW1-1(config-if)# sh run int e3/1
!Command: show running-config interface Ethernet3/1
!Time: Thu Sep 6 20:24:39 2012
version 5.1(5)
interface Ethernet3/1
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 100-499
In classic IOS you only saw the shutdown command under an interface. Within NX-OS the opposite is
true and you only see no shutdown. Don't assume the port is enabled when you see the configuration
above without it. You really need to see the no shutdown command under the interface before it really
works!
SW1-1(config-if)# no shut
SW1-1(config-if)# sh run int e3/1
!Command: show running-config interface Ethernet3/1
!Time: Thu Sep 6 20:24:47 2012
version 5.1(5)
interface Ethernet3/1
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 100-499
  no shutdown
SW1-1(config-if)#
To remove a specific range (or one VLAN) from the allowed range, you don't need to enter the whole
range again as you would in older IOS releases. NX-OS supports the remove command and an
except command.
Be aware when using the except command, because it will throw away the allowed range you configured
and allow every VLAN except the one specified, without warning you! Besides, it's not what the task asked
you. You should remove the VLAN from the allowed range without re-specifying the range. We do this
with the remove command.
SW1-1(config-if)# switchport trunk allowed vlan except 333
SW1-1(config-if)# sh run int e3/1
!Command: show running-config interface Ethernet3/1
!Time: Thu Sep 6 20:29:42 2012
version 5.1(5)
interface Ethernet3/1
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 1-332,334-3967,4048-4093
  no shutdown
SW1-1(config-if)# sw trunk allowed vlan 100-499
This will cause VLANS to be overwritten. Continue anyway? [yes]
SW1-1(config-if)# sw trunk allowed vlan remove 333
SW1-1(config-if)# sh run int e3/1
!Command: show running-config interface Ethernet3/1
!Time: Thu Sep 6 20:30:05 2012
version 5.1(5)
interface Ethernet3/1
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 100-332,334-499
  no shutdown
SW1-1(config-if)#
Of course the proctor will never be able to verify if you used this single command, but this workbook
prepares you for the lab and every possible question. So this task shows you the possibilities of the OS.
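The difference between overwriting, remove and except is easy to get wrong under time pressure, so here is a small Python model of the allowed-VLAN list arithmetic from this task. It is an added example and not part of the workbook; the "all VLANs" set 1-3967,4048-4093 is an assumption read from the except output above, not taken from Cisco documentation.

```python
"""Model of NX-OS 'switchport trunk allowed vlan' list arithmetic (added example)."""
from typing import List, Set

# "All VLANs" as the switch printed it after 'except 333' in this task.
# Assumption taken from that output: 3968-4047 and 4094 are not part of it.
NXOS_ALL_VLANS = "1-3967,4048-4093"


def parse_vlan_list(text: str) -> Set[int]:
    """Parse a '100-332,334-499' style list into a set of VLAN ids."""
    vlans: Set[int] = set()
    text = text.strip()
    if not text or text.lower() == "none":
        return vlans
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (1 <= lo_i <= hi_i <= 4094):
            raise ValueError(f"bad VLAN range: {part!r}")
        vlans.update(range(lo_i, hi_i + 1))
    return vlans


def format_vlan_list(vlans: Set[int]) -> str:
    """Render a set the way 'show running-config' prints it (ranges collapsed)."""
    if not vlans:
        return "none"
    ids = sorted(vlans)
    ranges: List[str] = []
    start = prev = ids[0]
    for v in ids[1:]:
        if v == prev + 1:
            prev = v
            continue
        ranges.append(f"{start}-{prev}" if start != prev else str(start))
        start = prev = v
    ranges.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(ranges)


class TrunkAllowedVlans:
    """Allowed-VLAN list of one trunk port with the CLI verbs applied to it."""

    def __init__(self, allowed: str = NXOS_ALL_VLANS) -> None:
        self.allowed = parse_vlan_list(allowed)

    def apply(self, command: str) -> str:
        """Apply one 'switchport trunk allowed vlan ...' line, return the new list."""
        tokens = command.split()
        if tokens[:4] != ["switchport", "trunk", "allowed", "vlan"] or len(tokens) < 5:
            raise ValueError(f"unsupported command: {command!r}")
        verb, rest = tokens[4].lower(), " ".join(tokens[5:])
        everything = parse_vlan_list(NXOS_ALL_VLANS)
        if verb == "all":
            self.allowed = everything
        elif verb == "none":
            self.allowed = set()
        elif verb == "add":
            self.allowed |= parse_vlan_list(rest)
        elif verb == "remove":
            # Subtracts from the CURRENT list; this is what the task asked for.
            self.allowed -= parse_vlan_list(rest)
        elif verb == "except":
            # The gotcha: 'except' ignores the current list and REPLACES it with
            # every VLAN but the ones named, without any warning prompt.
            self.allowed = everything - parse_vlan_list(rest)
        else:
            # A bare list overwrites the whole allowed list (the case where the
            # CLI asks "This will cause VLANS to be overwritten").
            self.allowed = parse_vlan_list(" ".join(tokens[4:]))
        return format_vlan_list(self.allowed)


def replay_task_session() -> List[str]:
    """Replay the four commands from this task on e3/1 and return each result."""
    trunk = TrunkAllowedVlans()
    return [trunk.apply(cmd) for cmd in (
        "switchport trunk allowed vlan 100-499",
        "switchport trunk allowed vlan except 333",
        "switchport trunk allowed vlan 100-499",
        "switchport trunk allowed vlan remove 333",
    )]


if __name__ == "__main__":
    for line in replay_task_session():
        print("switchport trunk allowed vlan", line)
```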
The next tasks are about configuring the VTP protocol. This protocol ensures all VLANs are
distributed throughout the network. As with almost all features within NX-OS you need to enable it first
before configuring it. The tasks in the workbook will push you to configure about every feature VTP has,
and the following configuration will show you all those steps.
If you check the Cisco Documentation about Layer 2 Switching you will see similar configuration
examples which is also what you will see when you sit the lab. Most questions can be related to the
Documentation as that was used during the creation of the lab itself.
SW1-1(config)# feature vtp
Once enabled, the vtp command becomes available. When you check the options
you have, you will see that about every task can be answered with these commands.
SW1-1(config)# vtp ?
  domain    Set the name of the VTP administrative domain
  file      Set the name of the VTP file name
  mode      Configure VTP device mode
  password  Set the password for the VTP administrative domain
  pruning   Set the adminstrative domain to permit pruning
  version   Set the adminstrative domain to VTP version
SW1-1(config)# vtp domain IPexpert
SW1-1(config)# vtp pruning
VTP pruning is the option that allows VLANs to be removed from switches where they are not required.
This limits the broadcast domains that are (automatically) created using VTP. This is also the main reason
why VTP is not recommended for use in large datacenters.
SW1-1(config)# vtp version ?
  Set the adminstrative domain to VTP version
The task asks you to configure the latest version. Which is the highest number?
SW1-1(config)# vtp version 2
SW1-1(config)# vtp file ?
  bootflash:  URI for vlan.dat
  usb1:       URI for vlan.dat
  usb2:       URI for vlan.dat
Vlan.dat has historically been the VLAN database. Today it's the VTP database, which is stored separately
on the flash. When you erase the configuration of an NX-OS device, the VTP information remains on
the flash and is applied again when VTP is re-enabled.
SW1-1(config)# vtp file ipexpert.dat
SW1-1(config)# vtp mode server
The mode we are looking for in the task is that SW1 is the VTP server for the network, while SW2 and
SW3 are the clients. This way SW2 and SW3 are not able to create VLANs. When you try to do this, you
will get an error message.
SW1-1(config)# vtp password ipexpert
Verify that everything is properly configured
SW1-1(config)# sh vtp status
VTP Status Information
----------------------
VTP Version                     : 2 (capable)
Configuration Revision          : 4
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 9
VTP Operating Mode              : Server
VTP Domain Name                 : IPexpert
VTP Pruning Mode                : Enabled (Operationally Enabled)
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 Digest                      : 0xF3 0xA6 0x62 0x7A 0xB1 0x85 0x77 0x40
Configuration last modified by 0.0.0.0 at 8-26-12 21:14:51
Local updater ID is 0.0.0.0
VTP version running             : 2
To verify the VTP password a different command is required:
SW1-1(config)# show vtp password
VTP password: ipexpert
After creating the VLANs in the next task you should verify on all switches if VTP pushed the information
to those switches. After configuring the names of the VLANs, verify again, as VTP should be pushing that
information towards all switches as well.
SW1-1(config)# vlan 101-104
SW1-1(config-vlan)# exit
SW1-1(config)# vlan 101
SW1-1(config-vlan)# name IPexpertVLAN101
SW1-1(config-vlan)# vlan 102
SW1-1(config-vlan)# name IPexpertVLAN102
SW1-1(config-vlan)# vlan 103
SW1-1(config-vlan)# name IPexpertVLAN103
SW1-1(config-vlan)# vlan 104
SW1-1(config-vlan)# name IPexpertVLAN104
SW1-1(config-vlan)# sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
101  IPexpertVLAN101                  active    Eth3/1
102  IPexpertVLAN102                  active    Eth3/1
103  IPexpertVLAN103                  active    Eth3/1
104  VLAN0104                         active    Eth3/1
1002 fddi-default                     suspended
1003 token-ring-default               suspended
1004 fddinet-default                  suspended
1005 trnet-default                    suspended
VLAN Type  Vlan-mode
---- ----- ----------
1    enet  CE
101  enet  CE
102  enet  CE
103  enet  CE
104  enet  CE
1002 enet  CE
1003 enet  CE
1004 enet  CE
1005 enet  CE
Remote SPAN VLANs
-------------------------------------------------------------------------------
Primary Secondary Type Ports
------- --------- --------------- -------------------------------------------
As you can see, the name of VLAN 104 hasn't been changed yet. This is caused by the fact that VLANs are
still located in some sort of database within the configuration. You first need to exit out of the VLAN
configuration before the changes are applied.
SW1-1(config-vlan)# exit
SW1-1(config)# sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
101  IPexpertVLAN101                  active    Eth3/1
102  IPexpertVLAN102                  active    Eth3/1
103  IPexpertVLAN103                  active    Eth3/1
104  IPexpertVLAN104                  active    Eth3/1
1002 fddi-default                     suspended
1003 token-ring-default               suspended
1004 fddinet-default                  suspended
1005 trnet-default                    suspended
VLAN Type  Vlan-mode
---- ----- ----------
1    enet  CE
101  enet  CE
102  enet  CE
103  enet  CE
104  enet  CE
1002 enet  CE
1003 enet  CE
1004 enet  CE
1005 enet  CE
Remote SPAN VLANs
-------------------------------------------------------------------------------
Primary  Secondary  Type             Ports
-------  ---------  ---------------  -------------------------------------------
SW1-1(config)#
Now verify the VLANs on all 3 switches to ensure that everything has been synchronized using VTP.
The last option to configure in this task is a special case. You really need to pay attention to
what is happening in the show command.
Pay close attention that in the IGMP snooping show command VLAN 105 is shown, while in show
vlan you don't see VLAN 105. You probably need to check the Cisco Documentation for this feature, but
it's meant for pre-staging VLANs without creating them first.
This means it's possible to enable IGMP snooping on a VLAN before it's created, and this
configuration is applied immediately when the VLAN is deployed.
It's a corner-case feature, but Cisco is known to use those particular features in 1 or 2 point tasks within
the CCIE lab. So these could be easy points to get when you know what they are looking for, or you could
easily lose points when you don't and have no clue where to look. Again, looking at the Cisco
Documentation helps a lot in this case, and it should be easy to spot this feature in the layer 2
documentation guide.
SW1-1(config)# vlan configuration 105
SW1-1(config-vlan-config)# ?
  ip              Configure IP features
  no              Negate a command or set its defaults
  service-policy  Configure service policy for an interface
  end             Go to exec mode
  exit            Exit from command interpreter
  pop             Pop mode from stack or restore from name
  push            Push current mode to stack or save it under name
  where           Shows the cli context you are in
SW1-1(config-vlan-config)# ip igmp snooping
Another feature to configure in this section is a service-policy. With this policy you can apply QoS
markings or policing at VLAN level instead of port level. Be aware that you will mark and police ALL
traffic entering and exiting the VLAN on this switch.
SW1-1(config-vlan-config)# service-policy type qos
After enabling IGMP snooping, this shows up in the IGMP snooping show output just like the task
required you to. Still, the VLAN hasn't been created yet.
SW1-1(config)# exit
SW1-1# wr
[########################################] 100%
Copy complete, now saving to disk (please wait)...
SW1-1#
Save your configuration before moving on to the next task. Frequently saving your configuration might
save you a lot of trouble when you are configuring features that might cause the box to crash. Or you
reload the box without saving and you lose precious points!
Task 3: Implement Private-VLANs
The assignments in this task are created in such a way that you build a private VLAN based
network. The assignments become quite clear when you read the full task before starting the
configuration; individually they can be a little difficult to understand, but the entire picture
is much clearer.
Private VLANs are set up in such a way that traffic between certain ports is restricted. There is a Primary
VLAN which only contains the so-called promiscuous ports. These ports can receive all traffic from all
ports that are associated with this primary VLAN. This means that the client ports are in other VLANs
than the promiscuous port.
The secondary VLANs can be created in 2 ways: the Isolated and Community VLANs are the 2 types
of secondary VLANs. The Isolated type means that all ports that are configured in these VLANs cannot
communicate with each other, as pointed out in the drawing below. Within the layer 2 domain of this
particular VLAN, ports will never communicate with each other; they can only talk to the promiscuous
port in the primary VLAN which they are associated with. The second type is the Community VLAN. All
interfaces in the same Community VLAN can communicate with each other. Hosts in different community
VLANs cannot communicate with each other. Again, these community VLANs are able to talk to the
promiscuous port in the primary VLAN which they are associated with.
The drawing below illustrates the possible (and impossible) traffic flows.
The associations / mappings between primary and secondary VLANs need to be manually configured on
the switch ports. The final step is that it's also possible to trunk Private VLANs between different
switches. This means that a promiscuous port doesn't need to be on the same switch as the host ports.
Therefore a whole isolated section of your network can be created across different switches.
The promiscuous port doesn't have to be a physical Ethernet port. It's also possible to create a VLAN
interface (SVI) which acts as the promiscuous port for that particular Primary VLAN.
The first assignment points you to create a promiscuous port for an external firewall, which will receive
all traffic connected to Primary VLAN 200.
As with all features within the NX-OS platform the private VLAN feature also needs to be activated first,
before any commands are available within the CLI.
SW1-1(config)# feature private-vlan
Then the VLAN needs to be created and made primary, which we do under the
VLAN configuration.
SW1-1(config)# vlan 200
SW1-1(config-vlan)# private-vlan ?
  association  Configure association between private VLANs
  community    Configure the VLAN as community private VLAN
  isolated     Configure the VLAN as isolated private VLAN
  primary      Configure the VLAN as primary private VLAN
SW1-1(config-vlan)# private-vlan primary
SW1-1(config-vlan)# sh vlan private-vlan
Primary  Secondary  Type             Ports
-------  ---------  ---------------  -------------------------------------------
Still we don't see anything, but this is because we need to exit out of the VLAN configuration
before it's applied to the switch.
SW1-1(config-vlan)# exit
ERROR: Private VLANs can only be configured in VTP transparent/off modes
We receive an error because VTP is not able to carry private VLAN information. This is true for the
supported versions of VTP on the NX-OS platform. Older Catalyst switches running IOS or even CatOS
also support VTP version 3, which is capable of carrying the private VLAN configuration. This code is
currently not implemented in NX-OS.
SW1-1(config)# vtp mode transparent
SW1-1(config)# vlan 200
SW1-1(config-vlan)# private-vlan primary
SW1-1(config-vlan)# exit
SW1-1(config-if)# int e3/19
SW1-1(config-if)# switchport
SW1-1(config-if)# sw mode private-vlan promiscuous
When we change VTP to transparent mode we do see that the changes are applied and that we enabled
a primary VLAN. We don't have to create any mappings yet, as that will come in the following
assignments.
SW1-1(config)# sh vlan private-vlan
Primary  Secondary  Type             Ports
-------  ---------  ---------------  -------------------------------------------
200                 primary          E3/19
The next assignment is a combination of enabling isolated ports on the same switch. Before they are
able to communicate to the promiscuous port and the firewall some mappings need to be created.
SW1-1(config)# vlan 201
SW1-1(config-vlan)# private-vlan isolated
SW1-1(config)# vlan 200
SW1-1(config-vlan)# private-vlan association 201
SW1-1(config-vlan)# exit
SW1-1(config)# sh vlan private-vlan
Primary  Secondary  Type             Ports
-------  ---------  ---------------  -------------------------------------------
200      201        isolated
SW1-1(config)#
SW1-1(config-if)# int e3/19
SW1-1(config-if)# sw private-vlan ?
  association       Private vlan trunk association
  host-association  Set the private VLAN host association
  mapping           Set the private VLAN trunk promiscuous mapping
  trunk             Set the private vlan trunking configuration
SW1-1(config-if)# sw private-vlan mapping ?
         Primary private VLAN
  trunk  Private-vlan trunk promiscuous
SW1-1(config-if)# sw private-vlan mapping 200 ?
          Secondary VLAN IDs
  add     Add a VLAN to private VLAN list
  remove  Remove a VLAN from private VLAN list
SW1-1(config-if)# sw private-vlan mapping 200 201
After the creation of the new isolated VLAN a mapping needs to be made between the primary and
secondary VLANs. This is done under the primary VLAN configuration and under the promiscuous port.
Having to create the mapping in multiple places makes it a bit difficult to remember every spot where
the mapping needs to be done, but in real life you will see that this model gives you a lot of flexibility
and lets you create almost any topology.
Now the final step is to create the same mapping on the isolated host ports.
SW1-1(config)# int ethernet 3/20-21
SW1-1(config-if-range)# switchport mode private-vlan ?
  host         Port mode pvlan host
  promiscuous  Port mode pvlan promiscuous
  trunk        Private-vlan trunk promiscuous
SW1-1(config-if-range)# switchport mode private-vlan host
ERROR: Ethernet3/20-21: requested config change not allowed
Don't forget to enable the port on the Nexus 7000 as a switchport, as by default the ports are in
non-switching mode.
SW1-1(config-if-range)# int e3/20
SW1-1(config-if)# switchport
SW1-1(config-if)# switchport mode private-vlan host
SW1-1(config-if)# switchport private-vlan host-association ?
  Primary VLAN ID
SW1-1(config-if)# switchport private-vlan host-association 200 ?
  Secondary VLAN ID
SW1-1(config-if)# switchport private-vlan host-association 200 201
SW1-1(config-if)#
SW1-1(config-if)# int e3/21
SW1-1(config-if)# switchport
SW1-1(config-if)# switchport mode private-vlan host
SW1-1(config-if)# sw priv host-association 200 201
SW1-1(config-if)# exit
SW1-1(config)#
SW1-1(config)# sh vlan private-vlan
Primary  Secondary  Type             Ports
-------  ---------  ---------------  -------------------------------------------
200      201        isolated         Eth3/19, Eth3/20, Eth3/21
After the mapping has been created on all 3 ports (promiscuous and host ports) you will see this
mapping in the show vlan output. All 3 ports are listed here, but this doesn't mean that the ports can
communicate with each other. The isolated type means that the host ports can only communicate with
the promiscuous port, not with each other.
The following 2 assignments point you in the direction of community VLANs. Hosts in a community VLAN
are able to communicate with each other, but not with hosts in a different community VLAN, and of
course they are able to communicate with the promiscuous port.
Remember that all traffic on this promiscuous port is untagged. So it's not possible to distinguish traffic
between different secondary VLANs on the firewall (virtually connected to port Ethernet 3/19).
SW1-1(config)# vlan 202
SW1-1(config-vlan)# private-vlan community
SW1-1(config-vlan)# vlan 203
SW1-1(config-vlan)# private-vlan community
SW1-1(config-vlan)# vlan 200
SW1-1(config-vlan)# private-vlan association add 202-203
SW1-1(config-vlan)# sh vlan private
Primary  Secondary  Type             Ports
-------  ---------  ---------------  -------------------------------------------
200      201        isolated         Eth3/19, Eth3/20, Eth3/21
         202        community
         203        community
When the new community VLANs are added, again the mapping needs to be created between the
primary and the secondary VLANs.
The next step is to assign the interfaces to the correct community.
SW1-1(config-vlan)# int e3/22-23
SW1-1(config-if-range)# switch
SW1-1(config-if-range)# switchport mode private-vlan host
SW1-1(config-if-range)# switchport private host 200 202
Next is the second set of ports, which are not allowed to communicate with hosts in VLAN 202.
SW1-1(config-if-range)# int e3/24-25
SW1-1(config-if-range)# switch
SW1-1(config-if-range)# switchport mode private-vlan host
SW1-1(config-if-range)# switchport private host 200 203
SW1-1(config-if-range)# sh vlan private
Primary  Secondary  Type             Ports
-------  ---------  ---------------  -------------------------------------------
200      201        isolated         Eth3/19, Eth3/20, Eth3/21
200      202        community        Eth3/22, Eth3/23
200      203        community        Eth3/24, Eth3/25
And finally don't forget to add the community VLANs to the promiscuous port, otherwise they won't be
able to communicate with the firewall!
Don't forget the add keyword in the command; otherwise you will overwrite all currently enabled VLANs,
just like it is possible with the trunk allowed vlan command!
SW1-1(config-if-range)# int e3/19
SW1-1(config-if)# sw private mapping 200 add 202-203
SW1-1(config-if)# sh vlan private
Primary  Secondary  Type             Ports
-------  ---------  ---------------  -------------------------------------------
200      201        isolated         Eth3/19, Eth3/20, Eth3/21
200      202        community        Eth3/19, Eth3/22, Eth3/23
200      203        community        Eth3/19, Eth3/24, Eth3/25
SW1-1(config-if)#
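The isolation rules and the two pitfalls above (a secondary VLAN never mapped on the promiscuous port, and the mapping list being overwritten when the add keyword is left out) can be checked from the show output itself. The following Python is an added example, not IPexpert's or Cisco's code; the table is a constructed copy of the output as it looked before the community VLANs were mapped, and Eth3/19 is assumed to be the only promiscuous port.

```python
import re
from itertools import combinations

# Constructed sample of the 'show vlan private-vlan' table in the state before
# the community VLANs were mapped on the promiscuous port Eth3/19.
SHOW_BEFORE = """\
Primary  Secondary  Type             Ports
-------  ---------  ---------------  ------------------------------
200      201        isolated         Eth3/19, Eth3/20, Eth3/21
200      202        community        Eth3/22, Eth3/23
200      203        community        Eth3/24, Eth3/25
"""

ROW = re.compile(r"^(\d+)\s+(\d+)\s+(isolated|community)\s*(.*)$")

def parse_pvlan_table(text):
    """Return {secondary: (primary, type, [ports])} from the show output."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            prim, sec, kind, ports = m.groups()
            rows[int(sec)] = (int(prim), kind,
                              [p.strip() for p in ports.split(",") if p.strip()])
    return rows

def missing_promiscuous(rows, promiscuous):
    """Secondary VLANs whose hosts cannot reach the promiscuous port (firewall)."""
    return sorted(sec for sec, (_, _, ports) in rows.items()
                  if promiscuous not in ports)

def set_mapping(rows, promiscuous, secondaries, add):
    """Model 'switchport private-vlan mapping <primary> [add] <secondaries>'.
    Without 'add' the list is replaced, so the promiscuous port drops out of
    every secondary VLAN not listed (the pitfall the text warns about)."""
    for sec, (_, _, ports) in rows.items():
        if sec in secondaries:
            if promiscuous not in ports:
                ports.append(promiscuous)
        elif not add and promiscuous in ports:
            ports.remove(promiscuous)
    return rows

def allowed_pairs(rows, promiscuous):
    """Unordered port pairs that may exchange frames: hosts reach the promiscuous
    port only if it is mapped, community hosts also reach each other."""
    pairs = set()
    for _, (_, kind, ports) in rows.items():
        hosts = [p for p in ports if p != promiscuous]
        if promiscuous in ports:
            pairs.update(frozenset((promiscuous, h)) for h in hosts)
        if kind == "community":
            pairs.update(frozenset(c) for c in combinations(hosts, 2))
    return pairs

def can_talk(rows, promiscuous, a, b):
    """True if ports a and b may communicate under the private VLAN rules."""
    return frozenset((a, b)) in allowed_pairs(rows, promiscuous)
```

Running missing_promiscuous on the "before" table reports 202 and 203, and set_mapping with add=False shows why the add keyword matters: the promiscuous port disappears from VLAN 201.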
The next task requires you to create a different primary VLAN. This primary VLAN will not be configured
towards a physical interface, but will be configured under a layer 3 interface on the core switch (SW1-1).
This is a virtual promiscuous port. Configuration however is basically the same as a physical interface!
SW1-1(config)# vlan 204
SW1-1(config-vlan)# private-vlan primary
SW1-1(config-vlan)# exit
SW1-1(config)# interface vlan 204
                         ^
Invalid interface format at '^' marker.
On the NX-OS platform it's not possible to configure VLAN interfaces (SVIs) right away. Again you need
to enable the feature first!
SW1-1(config)# feature interface-vlan
SW1-1(config)# interface vlan 204
SW1-1(config-if)# ip address 10.1.10.254/24
SW1-1(config-if)# no shut
SW1-1(config-if)# private-vlan mapping 205
SW1-1(config-if)# exit
On the SVI of the primary VLAN the private VLAN mapping to the secondary VLAN needs to be configured.
SW1-1(config)# sh int vlan 204 private-vlan mapping
Interface Secondary VLAN
--------- ----------------------------------------------------------------
For the next task another isolated VLAN needs to be created. This VLAN is associated with the special
primary VLAN. After that configuration the mapping is visible on the SVI of VLAN 204.
SW1-1(config)# vlan 205
SW1-1(config-vlan)# private-vlan isolated
SW1-1(config-vlan)# vlan 204
SW1-1(config-vlan)# private-vlan association 205
SW1-1(config-vlan)# exit
SW1-1(config)# sh int vlan 204 private-vlan mapping
Interface  Secondary VLAN
---------  ----------------------------------------------------------------
vlan204    205
The next task requires the use of so-called private VLAN trunk links, as the hosts are not connected
directly to SW1-1 but to SW2. Private VLAN trunk links can carry traffic for normal VLANs and
private VLANs at the same time.
A private VLAN trunk can be configured to carry primary VLANs to multiple switches or to carry
secondary VLANs across multiple switches. In this task we configure the first trunk link to pass only
secondary VLANs.
SW1-1
SW1-1(config)# int e3/1
SW1-1(config-if)# sw mode private-vlan trunk ?
  promiscuous  Port mode trunk promiscuous
  secondary    Port mode trunk isolated
SW1-1(config-if)# sw mode private-vlan trunk secondary
SW1-1(config-if)# sw private-vlan trunk allowed vlan 205
SW1-1(config-if)# sw privat association trunk 204 205
SW2
SW2(config)# feature private-vlan
SW2(config)# vtp mode transparent
SW2(config)# vlan 205
SW2(config-vlan)# private-vlan isolated
SW2(config-vlan)# exit
SW2(config)# int e1/1
SW2(config-if)# sw mode private-vlan trunk secondary
SW2(config-if)# sw private-vlan trunk allowed vlan 205
When configuring private VLAN trunks you don't need to change the normal trunk allowed vlan
command, as the private VLANs in the private-vlan trunk allowed list are automatically
added to the normal VLAN allowed list. On SW2 the same configuration is required to transfer the
secondary VLAN.
As SW2 does not know VLAN 204 (the primary VLAN) it's not necessary to create the association,
because the mapping for this is done on SW1-1.
Next are the hosts that need to be configured in the newly created secondary VLAN on SW2. Remember
that VTP is disabled for this use so you need to manually create the private VLAN on SW2. The host
association does need to be made to ensure the interface is a member of VLAN 205.
SW2(config)# int e1/21-23
SW2(config-if-range)# switchport
SW2(config-if-range)# sw mode private-vlan host
SW2(config-if-range)# sw private-vlan host-association 204 205
SW2(config-if-range)# no shut
The final task is to enable a second trunk link to extend the current VLANs. You are required
to use a different trunk link for this. There are 2 ways to solve this case. The easiest way is to just
extend the secondary VLANs, just like we did in the previous assignment. The other solution is to extend
the primary private VLAN to SW2 and create new VLANs 201 and 202 there to connect those special hosts.
The problem this creates is that the community VLAN on SW2 is not the same as the
community VLAN on SW1, which means that your connectivity is broken and you are not completing the
requirements of this task successfully.
SW1-1
SW1-1(config)# int e3/2
SW1-1(config-if)# sw mode private-vlan trunk secondary
SW1-1(config-if)# sw private-vlan trunk allowed vlan 201-202
SW1-1(config-if)# sw privat association trunk 200 201
SW1-1(config-if)# sw privat association trunk 200 202
SW2
SW2(config)# vlan 201
SW2(config-vlan)# private-vlan isolated
SW2(config-vlan)# exit
SW2(config)# vlan 202
SW2(config-vlan)# private-vlan community
SW2(config-vlan)# exit
SW2(config)# int e1/2
SW2(config-if)# sw mode private-vlan trunk secondary
SW2(config-if)# sw private-vlan trunk allowed vlan 201-202
SW2(config)# int e1/24-25
SW2(config-if-range)# switchport
SW2(config-if-range)# sw mode private-vlan host
SW2(config-if-range)# sw private-vlan host-association 200 201
SW2(config-if-range)# no shut
SW2(config)# int e1/26
SW2(config-if-range)# switchport
SW2(config-if-range)# sw mode private-vlan host
SW2(config-if-range)# sw private-vlan host-association 200 202
SW2(config-if-range)# no shut
Now you have successfully completed task 3!
Task 4: Implement Rapid Spanning-Tree protocol
The Rapid Per-VLAN Spanning-Tree protocol is enabled by default on NX-OS systems. This
implementation is a Cisco proprietary way of working with Rapid Spanning-Tree (IEEE 802.1w).
Classical spanning-tree is no longer supported. Still, Rapid-PVST+ (Cisco's implementation) supports
backwards compatibility with classic STP.
One important difference from classical STP is that Rapid-PVST+ assumes that network (core) links are
point-to-point, without any hubs in between. This assumption allows a much quicker
convergence time, as the protocol is interrupt driven instead of timer driven like classical STP.
The spanning-tree port type is an important command which you should configure wisely! When properly
configured it helps convergence a lot, both for host and for network links. When host ports
are configured as edge ports they are also not able to start a Topology Change (TC) towards the network,
which would initiate spanning-tree convergence. The flap of an edge interface therefore does not start a
topology change in the network, keeping the spanning-tree network much more stable!
The first task tells you to configure all host connecting ports as edge ports so they
aren't generating topology changes. Doing this with a range command will ease up your life and save
you precious CCIE lab time.
SW2
SW2(config)# interface e1/10-15
SW2(config-if-range)# spanning-tree port type ?
  edge     Consider the interface as edge port (enable portfast)
  network  Consider the interface as inter-switch link
  normal   Consider the interface as normal spanning tree port
SW2(config-if-range)# spanning-tree port type edge
Warning: edge port type (portfast) should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when edge port type (portfast) is enabled, can cause temporary
bridging loops.
Use with CAUTION

Edge Port Type (Portfast) will be configured in 6 interfaces due to the
range command but will only have effect when the interfaces are in a non-trunking mode.
SW2(config-if-range)#
SW3
SW3(config)# interface e1/10-15
SW3(config-if-range)# spanning-tree port type edge
SW3(config-if-range)#
The command warns you that it will only have effect when the ports are configured in switchport
mode access, and that spanning-tree portfast is enabled so the interfaces come up fast when hosts
are connected.
The second assignment requires you to configure a root configuration for the spanning-tree instance in
VLAN 101. There are 2 ways to do this, but there is no indication which one needs to be used, so use
whatever you think is your favorite way to configure this.
The first way is by configuring manual priority values. Choose low values for this, just as a best practice.
There are fixed values that you are able to use for configuring the spanning-tree priority. Don't mind if
you don't remember these off the top of your head. When you type in a wrong value, the CLI will
automatically tell you which values are possible to fill in.
SW2(config)# spanning-tree vlan 101 priority 4093
ERROR: % Bridge priority must be in increments of 4096
Allowed values are:
0 4096 8192 12288 16384 20480 24576 28672 32768 36864 40960 45056 49152 53248 57344 61440
SW2(config)# spanning-tree vlan 101 priority 4096
SW2(config)#
The next, and currently preferred, way is by enabling the root functionality using the dedicated
commands for this. This means that the switch will configure a dedicated priority for both the root and
backup root bridge. The default root priority value is 24576. When there is already a bridge on the
network with a lower priority than this (meaning it's the current spanning-tree root bridge) the switch
will choose a priority value 4096 lower than the current lowest priority value in the network, so
when using this command the switch will always become the root bridge. Of course this is not
maintained, and when a new switch with a lower value comes online, that will become the root bridge.
This is a one-time configuration task, so at the moment you enter the command the switch will become the
root.
For the backup root bridge this fixed value is 28672, without a fallback mechanism to ensure it's always
the backup root. The switch can't determine the backup root bridge priority value as this is unknown on
the local switch.
The next assignment tells you to tune the timers of the Rapid-PVST+ process for VLAN 101. You
can easily configure lower timers for this, but how will you know what the best timer values for this
network are? Well, that's quite difficult. Therefore NX-OS has an automatic way of configuring this by
using the special diameter keyword. This diameter keyword automatically calculates the best
timer values based on the maximum number of hops between 2 hosts in the network. As our network
consists of 3 layer 2 switches, the diameter should be configured as 3.
SW2
SW2(config)# spanning-tree vlan 101 root primary diameter 3
SW3
SW3(config)# spanning-tree vlan 101 root secondary diameter 3
Assignments 4 and 5 of this task need to be read together, otherwise you might be
configuring the same thing twice, which will cost you time. The task is that SW1 is the root bridge for
VLAN 102. Together with that, a new (unknown) switch added to the network may not become the root bridge.
Of course you will never know what the pre-configuration of that new switch might look like, but we can
make some assumptions here and ensure that the priority values are as low as possible. The key point in
assignment 5 is that the switch will be configured with default spanning-tree priority values. The default
spanning-tree priority value is 32768, which means we need to configure our network with values lower
than that, ensuring SW1 will be the primary root bridge for VLAN 102.
SW1
SW1-1(config)# spanning-tree vlan 101 priority 8192
SW2
SW2(config)# spanning-tree vlan 101 priority 16384
SW3
SW3(config)# spanning-tree vlan 101 priority 16384
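The priority rules from this task (the 4096 granularity the CLI enforces, the value root primary and root secondary pick, and why a switch left at the default 32768 cannot win the election in assignment 5) are modelled in the following Python. This is an added example, not IPexpert's or Cisco's code; the MAC addresses are made-up sample values, VLAN 102 is taken from the assignment text, and raising an error when the current root already uses priority 0 is an assumption of this model.

```python
STEP = 4096                  # bridge priority granularity on NX-OS
MAX_PRIORITY = 61440
DEFAULT_PRIORITY = 32768     # what a new, unconfigured switch announces
ROOT_PRIMARY_DEFAULT = 24576
ROOT_SECONDARY = 28672       # fixed value used by 'root secondary'

def validate_priority(value):
    """Mimic the CLI check: multiples of 4096 only, 0..61440."""
    allowed = range(0, MAX_PRIORITY + 1, STEP)
    if value not in allowed:
        raise ValueError("Bridge priority must be in increments of 4096. "
                         "Allowed values are: " + " ".join(map(str, allowed)))
    return value

def root_primary_priority(current_lowest):
    """Priority 'spanning-tree vlan X root primary' picks: 24576 when that is
    already lower than everything seen, else 4096 below the current lowest.
    Going below 0 is impossible; raising here is an assumption of this model."""
    if current_lowest > ROOT_PRIMARY_DEFAULT:
        return ROOT_PRIMARY_DEFAULT
    if current_lowest == 0:
        raise ValueError("current root already uses priority 0")
    return current_lowest - STEP

def elect_root(bridges, vlan):
    """bridges: {name: (priority, mac)}. The lowest bridge ID wins; the ID is
    priority + VLAN id (system ID extension) with the MAC as tie-break."""
    return min(bridges, key=lambda n: (bridges[n][0] + vlan, bridges[n][1]))

# Constructed topology for assignments 4/5: priorities from the text plus a new
# switch left at the default. It has the lowest MAC yet still does not win.
VLAN102 = {
    "SW1": (8192, "0000.0000.00aa"),
    "SW2": (16384, "0000.0000.00bb"),
    "SW3": (16384, "0000.0000.00cc"),
    "NEW": (DEFAULT_PRIORITY, "0000.0000.0001"),
}
```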
The next assignment is about steering traffic within the spanning-tree network. This means that we are
going to change spanning-tree costs to alter the layer 2 path through the network and influence which
link is going to be blocked. By default Rapid-PVST+ on NX-OS is using the so-called short path-cost