PT LAB: DHCP Snooping

[Figure: dhcp-snooping]

1- Configure DHCP snooping and trust only the second server's port, so that it alone can hand out DHCP assignments

Switch#config t
Switch(config)#ip dhcp snooping
Switch(config)#ip dhcp snooping vlan 20
Switch(config)#int fa 0/3
Switch(config-if)#ip dhcp snooping trust
Switch(config-if)#exit

2- Now, check the DHCP snooping binding database (empty before the client gets a lease, one entry after it)

Switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0

Switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:60:70:59:2B:16   192.168.20.90    86400       dhcp-snooping  20    FastEthernet0/2
Total number of bindings: 1

Switch#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
20
Insertion of option 82 is enabled
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                  Trusted    Rate limit (pps)
-----------------------    -------    ----------------
FastEthernet0/2            no         unlimited
FastEthernet0/3            yes        unlimited
FastEthernet0/1            no         unlimited

3- Generate DHCP traffic from the untrusted server (the trusted port is shut so that only the server on the untrusted port can answer)

Switch(config)#int fa 0/3
Switch(config-if)#shut

Switch#show interfaces fa 0/1
FastEthernet0/1 is up, line protocol is up (connected)
Hardware is Lance, address is 0005.5e6e.0101 (bia 0005.5e6e.0101)


-> I wanted to test IP Source Guard and DAI using the same lab, but sadly they are not supported in PT yet. So I will just stick with DHCP snooping for this post 😦

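As an added example (not the post's own config), here is the fuller DHCP snooping setup a hardened access switch would carry for this same lab, keeping Fa0/3 as the only trusted port; the rate-limit value, the database filename and the DAI/IPSG lines (which the post notes Packet Tracer cannot run) are my choices, not the lab's.

```cisco
! Added example, not from the post. Assumes Fa0/3 is the uplink to the legitimate
! DHCP server and Fa0/1-2 are access ports in VLAN 20, as in the lab above.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 20
! Keep MAC verification on: the frame's source MAC must match the DHCP chaddr field
Switch(config)# ip dhcp snooping verify mac-address
! The lab output shows "Insertion of option 82 is enabled". An IOS DHCP server that
! receives option 82 with giaddr 0.0.0.0 drops the request unless told to trust it,
! so either stop inserting it here ...
Switch(config)# no ip dhcp snooping information option
! ... or, on the IOS DHCP server/relay, accept it with: ip dhcp relay information trust-all
!
! Persist the binding table across reloads (DAI and IP Source Guard rely on it)
Switch(config)# ip dhcp snooping database flash:/dhcp-snooping.db
!
! Only the port towards the real DHCP server is trusted
Switch(config)# interface FastEthernet0/3
Switch(config-if)# description Uplink-to-DHCP-server
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit
!
! Access ports stay untrusted (the default) and get a rate limit, so a host flooding
! DISCOVERs err-disables its own port instead of exhausting the pool (value assumed)
Switch(config)# interface range FastEthernet0/1 - 2
Switch(config-if-range)# ip dhcp snooping limit rate 15
Switch(config-if-range)# exit
Switch(config)# errdisable recovery cause dhcp-rate-limit
Switch(config)# errdisable recovery interval 300
!
! On real hardware (not Packet Tracer) the binding table then feeds
! Dynamic ARP Inspection and IP Source Guard on the same VLAN and ports
Switch(config)# ip arp inspection vlan 20
Switch(config)# interface FastEthernet0/3
Switch(config-if)# ip arp inspection trust
Switch(config-if)# exit
Switch(config)# interface range FastEthernet0/1 - 2
Switch(config-if-range)# ip verify source
Switch(config-if-range)# end
!
! Verification
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
Switch# show ip dhcp snooping database
Switch# show ip arp inspection vlan 20
Switch# show ip verify source
```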

Posted in Cisco- R&S

PT LAB: Bringing up Nours small network – IP address and VLAN routing

Now, for my small network, I will keep going with DHCP: I want to assign dynamic IP addresses to my PCs and enable VLAN routing using router on a stick.

1- Enable router on a stick between core_2 and my router

core_2(config)#int gig 1/1
core_2(config-if)#switchport mode trunk
core_2(config-if)#switchport trunk native vlan 1
core_2(config-if)#exit

Nour_router(config-if)#int gig0/0.1
Nour_router(config-subif)#encapsulation dot1Q 1 native
Nour_router(config-subif)#ip address 192.168.1.1 255.255.255.0
Nour_router(config-subif)#exit
Nour_router(config)#int gig0/0.10
Nour_router(config-subif)#encapsulation dot1Q 10
Nour_router(config-subif)#ip address 192.168.10.1 255.255.255.0
Nour_router(config-subif)#exit

Nour_router(config)#int gig0/0
Nour_router(config-if)#no shut

2- Create DHCP pool

Nour_router(config)#ip dhcp pool Sales
Nour_router(dhcp-config)#network 192.168.20.0 255.255.255.0
Nour_router(dhcp-config)#default-router 192.168.20.1
Nour_router(dhcp-config)#exit

3- Check the DHCP entries

Nour_router#show ip dhcp binding
IP address       Client-ID/              Lease expiration   Type
                 Hardware address
192.168.10.2     0040.0BC4.5B26          --                 Automatic
192.168.10.3     0002.1740.4478          --                 Automatic
192.168.10.4     0002.16DB.C558          --                 Automatic
192.168.30.3     0001.42CB.09E7          --                 Automatic
192.168.30.2     00D0.5894.300B          --                 Automatic
192.168.30.4     0040.0B64.4353          --                 Automatic
192.168.20.2     00D0.5866.AD2C          --                 Automatic
192.168.20.4     0007.ECC1.D7EB          --                 Automatic
192.168.20.3     0002.4AC5.0A4A          --                 Automatic
192.168.20.5     0002.1736.1829          --                 Automatic

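As an added example (not from the post), the Sales VLAN carried end to end on the same router-on-a-stick, since the post creates the Sales pool but does not show its subinterface; the excluded range, the DNS address and the lease time are assumptions.

```cisco
! Added example, not from the post. VLAN 20 subinterface to match the Sales pool.
Nour_router(config)# interface GigabitEthernet0/0.20
Nour_router(config-subif)# description Sales-VLAN
Nour_router(config-subif)# encapsulation dot1Q 20
Nour_router(config-subif)# ip address 192.168.20.1 255.255.255.0
Nour_router(config-subif)# exit
!
! Keep the gateway and a block for static devices out of the lease range (range assumed)
Nour_router(config)# ip dhcp excluded-address 192.168.20.1 192.168.20.10
!
Nour_router(config)# ip dhcp pool Sales
Nour_router(dhcp-config)# network 192.168.20.0 255.255.255.0
Nour_router(dhcp-config)# default-router 192.168.20.1
! Assumed DNS host in the servers VLAN (40)
Nour_router(dhcp-config)# dns-server 192.168.40.10
! Lease of 0 days 8 hours, so stale bindings age out of the table shown above
Nour_router(dhcp-config)# lease 0 8
Nour_router(dhcp-config)# exit
!
! The trunk towards the router must carry VLAN 20 as well, with the native VLAN
! matching what the router side declares (VLAN 1 in the post)
core_2(config)# interface GigabitEthernet1/1
core_2(config-if)# switchport mode trunk
core_2(config-if)# switchport trunk native vlan 1
core_2(config-if)# switchport trunk allowed vlan 1,10,20,30,40
core_2(config-if)# exit
!
! Verification
Nour_router# show ip dhcp pool Sales
Nour_router# show ip dhcp binding
Nour_router# show ip dhcp conflict
core_2# show interfaces GigabitEthernet1/1 trunk
```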

Posted in Cisco- R&S

PT LAB: Bringing up Nours small network – Access layer

Now, I want to continue bringing up my tiny network which I started in the previous post.

https://me2learn.wordpress.com/2014/09/28/pt-lab-bringing-up-nours-small-network/

For this post, I want to concentrate on the access layer: set the ports, VLANs and port security.

First thing is to set all the used ports to access mode with port security (maximum of 1 MAC address) and shutdown upon violation

access_1(config)#int range fa 0/1 - 3
access_1(config-if-range)#switchport
access_1(config-if-range)#switchport mode access
access_1(config-if-range)#switchport port-security
access_1(config-if-range)#switchport port-security maximum 1
access_1(config-if-range)#switchport port-security mac-address sticky
access_1(config-if-range)#switchport port-security violation shutdown

Second thing is to shut down the unused ports in the switch

access_1(config)#int range fa 0/4 - 19
access_1(config-if-range)#shutdown

Third thing is to assign the VLANs for the PCs

access_1(config)#int fa 0/1
access_1(config-if)#description Marketing-Tom
access_1(config-if)#switchport access vlan 10

access_1#show port-security int fa 0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0002.16DB.C558:10
Security Violation Count : 0

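As an added example (not the post's config), the same access ports with the remaining access-layer protections a hardened build normally adds; the blackhole VLAN number and the recovery timer are assumptions.

```cisco
! Added example, not from the post. Port numbers are the lab's; VLAN 999 is assumed.
access_1(config)# vlan 999
access_1(config-vlan)# name UNUSED-BLACKHOLE
access_1(config-vlan)# exit
!
! Used ports: static access, DTP off, one sticky MAC, shut on violation
access_1(config)# interface range FastEthernet0/1 - 3
access_1(config-if-range)# switchport mode access
access_1(config-if-range)# switchport nonegotiate
access_1(config-if-range)# switchport port-security
access_1(config-if-range)# switchport port-security maximum 1
access_1(config-if-range)# switchport port-security mac-address sticky
access_1(config-if-range)# switchport port-security violation shutdown
! End hosts only: skip STP listening/learning and err-disable the port on any BPDU
access_1(config-if-range)# spanning-tree portfast
access_1(config-if-range)# spanning-tree bpduguard enable
access_1(config-if-range)# exit
!
! Unused ports: park them off VLAN 1 in addition to shutting them down
access_1(config)# interface range FastEthernet0/4 - 19
access_1(config-if-range)# switchport mode access
access_1(config-if-range)# switchport access vlan 999
access_1(config-if-range)# shutdown
access_1(config-if-range)# exit
!
! A violation err-disables the port; let it recover on its own after 10 minutes
! (timer assumed) so a single incident does not need a console visit
access_1(config)# errdisable recovery cause psecure-violation
access_1(config)# errdisable recovery cause bpduguard
access_1(config)# errdisable recovery interval 600
access_1(config)# end
!
! Verification
access_1# show port-security
access_1# show port-security address
access_1# show errdisable recovery
access_1# show interfaces status err-disabled
```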

Posted in Cisco- R&S

PT LAB: Bringing up Nours small network

It's a quite boring Sunday, so I decided to create a small network and add some configurations 🙂 – for this post's network I will be using my old friend (Packet Tracer)!

I will start with the basics and add some “enhancements in the future”, so this is how I am going to start.

  • VLANs: Marketing (10), Sales (20), mgmt (30), servers (40) & native (777)
  • Three layers: access, distribution and core

[Figure: Nour-network]

First step: set the right trunk ports for each switch at the distribution and core level using Dynamic Trunking Protocol (DTP)

I am using 2960 switches that only use dot1q encapsulation — keep this in mind

dist_1(config)#int range fa 0/20 - 24
dist_1(config-if-range)#switchport trunk native vlan 777
%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on FastEthernet0/24 (777), with Switch FastEthernet0/24 (1).
dist_1(config-if-range)#switchport mode ?
  access     Set trunking mode to ACCESS unconditionally
  dynamic    Set trunking mode to dynamically negotiate access or trunk mode
  trunk      Set trunking mode to TRUNK unconditionally
dist_1(config-if-range)#switchport mode dynamic ?
  auto       Set trunking mode dynamic negotiation parameter to AUTO
  desirable  Set trunking mode dynamic negotiation parameter to DESIRABLE
dist_1(config-if-range)#switchport mode dynamic desirable

After applying this to the switches, let me verify that the links are trunks

core_2#show int fa 0/20 switchport
Name: Fa0/20
Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 777 (Inactive)

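As an added example (not from the post): once the links are confirmed as trunks, DTP can be switched off, because dynamic desirable will also form a trunk with any attached device that speaks DTP; the static trunk config below for dist_1 uses the post's ports and VLAN numbers.

```cisco
! Added example, not from the post. Same ports and VLANs as the lab above.
dist_1(config)# interface range FastEthernet0/20 - 24
dist_1(config-if-range)# switchport mode trunk
! Stop sending and answering DTP on links that are known trunks
dist_1(config-if-range)# switchport nonegotiate
dist_1(config-if-range)# switchport trunk native vlan 777
! Carry only the user VLANs. VLAN 1 and the native VLAN 777 hold no hosts and are
! left off the list; CDP, VTP, STP and PAgP still run on VLAN 1 regardless.
dist_1(config-if-range)# switchport trunk allowed vlan 10,20,30,40
dist_1(config-if-range)# exit
! Apply the same settings on the far end of each link (core_1 / core_2),
! otherwise the trunk and its allowed-VLAN list will not match
!
! Verification: expect "Administrative Mode: trunk" and "Negotiation of Trunking: Off"
dist_1# show interfaces FastEthernet0/20 switchport
dist_1# show interfaces trunk
```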

Second step: create the VLANs – and of course I am going to use VTP to make my life easier

Core_1 will be my server and the rest are the clients

core_1#config t
core_1(config)#vtp domain Nour
core_1(config)#vtp password nnn
core_1(config)#vtp mode server
Device mode already VTP SERVER.
core_1(config)#exit

core_2#config t
core_2(config)#vtp mode client
Setting device to VTP CLIENT mode.
core_2(config)#vtp domain Nour
Changing VTP domain name from NULL to Nour
core_2(config)#vtp password nnn
Setting device VLAN database password to nnn
core_2(config)#^Z

core_2#show vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 255
Number of existing VLANs : 5
VTP Operating Mode : Client
VTP Domain Name : Nour
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0x5F 0x4C 0xC5 0x74 0x36 0x52 0xB2 0xE4
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00

Then I create the VLANs on core_1; on core_2 I enable VTP debugging to watch them arrive:

core_2#debug sw-vlan vtp events

Third step: STP is enabled for all my VLANs, but I want to have core_2 as the root and core_1 as the secondary root

core_2#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0000.0C75.6B76
Cost 38
Port 21(FastEthernet0/21)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0002.1740.A017
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/20 Desg FWD 19 128.20 P2p
Fa0/21 Root FWD 19 128.21 P2p
Fa0/22 Altn BLK 19 128.22 P2p


core_2(config)#spanning-tree vlan 1-800 root primary

For each VLAN, we will see the same information

core_2#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 0002.1655.DDD2
Cost 19
Port 22(FastEthernet0/22)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 0002.1740.A017
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/10 Desg FWD 19 128.10 P2p
Fa0/11 Desg FWD 19 128.11 P2p
Fa0/20 Desg FWD 19 128.20 P2p
Fa0/21 Desg FWD 19 128.21 P2p
Fa0/22 Root FWD 19 128.22 P2p

core_1(config)#spanning-tree vlan 1-8000 root secondary


Fourth step: enable EtherChannel between the two core switches

I had a previous post about this: LAB: Layer 2 EtherChannel

core_1(config)#int range fa 0/10 - 11
core_1(config-if-range)#channel-group 1 mode desirable
core_1(config-if-range)#channel-protocol pagp

core_1#show ip int bri
Port-channel 1 unassigned YES manual down down

core_1#show spanning-tree
Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/10 Root FWD 19 128.10 P2p
Fa0/11 Altn BLK 19 128.11 P2p
Fa0/20 Desg FWD 19 128.20 P2p
Fa0/21 Desg FWD 19 128.21 P2p
Fa0/22 Desg FWD 19 128.22 P2p

core_1(config)#int port-channel 1
core_1(config-if)#switchport trunk native vlan 777

After bringing the port channel up from both sides, Fa0/11 is no longer in blocking state

core_1#show spanning-tree
VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 24577
Address 0002.1740.A017
Cost 9
Port 27(Port-channel 1)
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 28673 (priority 28672 sys-id-ext 1)
Address 000A.F3C6.E701
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 20

Interface Role Sts Cost Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1 Desg FWD 19 128.1 P2p
Fa0/2 Desg FWD 19 128.2 P2p
Fa0/20 Desg FWD 19 128.20 P2p
Fa0/21 Desg FWD 19 128.21 P2p
Fa0/22 Desg FWD 19 128.22 P2p
Po1 Root FWD 9 128.27 Shr

Posted in Cisco- R&S

LAB: VTP basic

In this simple lab, I have a small new deployment and I want to use VTP to create the following VLANs

  • vlan 10: Marketing
  • vlan 20: Sales
  • vlan 30: management (mgmt)
  • vlan 40: servers

The core switch is going to be the VTP server, the rest are clients

[Figure: VTP]

From the server:

core_switch(config)#vtp domain nour
Changing VTP domain name from NULL to nour
*Sep 14 14:02:11.303: %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to nour.
core_switch(config)#vtp mode server
Device mode already VTP Server for VLANS.
core_switch(config)#vtp version 2
core_switch(config)#vtp password nour123
Setting device VTP password to nour123
core_switch(config)#exit

For the rest of switches (clients):

dist-layer-1#show vlan bri
VLAN  Name                              Status     Ports
----  --------------------------------  ---------  ---------------------
1     default                           active     Et1/2, Et1/3
1002  fddi-default                      act/unsup
1003  trcrf-default                     act/unsup
1004  fddinet-default                   act/unsup
1005  trbrf-default                     act/unsup
dist-layer-1#config t
Enter configuration commands, one per line. End with CNTL/Z.
dist-layer-1(config)#vtp domain nour
Domain name already set to nour.
dist-layer-1(config)#vtp password nour123
Setting device VTP password to nour123
dist-layer-1(config)#vtp mode client
Setting device to VTP Client mode for VLANS.
dist-layer-1(config)#vtp pruning
access-layer-2#show vtp status
VTP Version : 3 (capable)
Configuration Revision : 9
Maximum VLANs supported locally : 1005
Number of existing VLANs : 5
VTP Operating Mode : Client
VTP Domain Name : nour
VTP Pruning Mode : Disabled (Operationally Disabled)
VTP V2 Mode : Enabled
VTP Traps Generation : Disabled
MD5 digest : 0xD4 0x78 0x4E 0x7C 0xE6 0x37 0xB0 0xB7
Configuration last modified by 0.0.0.0 at 9-14-14 14:02:31
VTP version running : 2

And now, I will go ahead and create the VLANs in the server

core_switch#show vlan

VLAN Name Status Ports
----  --------------------------------  ---------  -------------------------------
1 default active Et1/0, Et1/1, Et1/2, Et1/3
10 marketing active
20 sales active
30 mgmt active
40 servers active

Then the new VLANs exist in all switches!

dist-layer-1#show vlan
VLAN Name Status Ports
----  --------------------------------  ---------  -------------------------------
1 default active Et1/2, Et1/3
10 marketing active
20 sales active
30 mgmt active
40 servers active
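
As an added example (not the post's own steps): the check worth running before cabling a new switch into this domain, since any VTP server or client with a higher configuration revision than the domain's (9 on access-layer-2 above) overwrites everyone's VLAN database; the hostname new_switch is assumed.

```cisco
! Added example, not from the post. "new_switch" is an assumed hostname.
new_switch# show vtp status
! Read "Configuration Revision". Anything above the domain's current value (9 in
! the lab above) must be reset to 0 before the uplink is connected.
!
! Going to transparent mode and back resets the revision to 0
new_switch# config t
new_switch(config)# vtp mode transparent
new_switch(config)# vtp domain nour
new_switch(config)# vtp password nour123
new_switch(config)# vtp version 2
new_switch(config)# vtp mode client
new_switch(config)# end
!
! Expect "Configuration Revision : 0" and the same MD5 digest as the other members
new_switch# show vtp status
!
! A switch that should never be able to push VLANs into the domain can stay
! transparent for good; it still forwards VTP advertisements across its trunks
new_switch(config)# vtp mode transparent
```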

Posted in Cisco- R&S

LAB: Layer 2 EtherChannel

There are two possible ways to have a Layer 2 EtherChannel: configure the ports manually as an EtherChannel, or let the two sides negotiate it.

In this lab I wish to use 4 EtherChannel ports connected between the core and distribution switch, trying both negotiation methods: PAgP & LACP

core_switch#show ip int bri
Interface      IP-Address      OK?   Method   Status   Protocol
Ethernet0/0    unassigned      YES   unset    up       up
Ethernet0/1    unassigned      YES   unset    up       up
Ethernet0/2    unassigned      YES   unset    up       up
Ethernet0/3    unassigned      YES   unset    up       up

First step is to set the interfaces to be the same; I want them to be trunks

core_switch(config)#int ran e 0/0-3
core_switch(config-if-range)#switchport
core_switch(config-if-range)#switchport trunk encapsulation dot1q
core_switch(config-if-range)#switchport trunk native vlan 1
core_switch(config-if-range)#switchport mode trunk

Using port aggregation protocol (PAgP):

core_switch(config)#int ran e0/0-3
core_switch(config-if-range)#channel-protocol pagp
core_switch(config-if-range)#channel-group 1 mode desirable
Creating a port-channel interface Port-channel 1

core_switch#show ip int bri
Interface      IP-Address      OK?   Method   Status   Protocol
Ethernet0/0    unassigned      YES   unset    up       up
Ethernet0/1    unassigned      YES   unset    up       up
Ethernet0/2    unassigned      YES   unset    up       up
Ethernet0/3    unassigned      YES   unset    up       up
Port-channel1  unassigned      YES   unset    down     down

After applying the configuration to the other switch, Port-channel 1 came up

dist_switch(config)#do show ip int bri
Interface      IP-Address      OK?   Method   Status   Protocol
Ethernet0/0    unassigned      YES   unset    up       up
Ethernet0/1    unassigned      YES   unset    up       up
Ethernet0/2    unassigned      YES   unset    up       up
Ethernet0/3    unassigned      YES   unset    up       up
Port-channel1  unassigned      YES   unset    up       up

The PAgP packets can be seen in a capture using the filter (pagp)

[Figure: pagp]

Interesting commands to verify and troubleshoot:


core_switch#show pagp neighbor
Flags: S – Device is sending Slow hello. C – Device is in Consistent state.
A – Device is in Auto mode. P – Device learns on physical port.
Channel group 1 neighbors
Partner Partner Partner Partner Group
Port    Name    Device ID    Port       Age   Flags     Cap.
Et0/3  dist_switch aabb.cc00.0100 Et0/3 24s SC 10001
show etherchannel port lists every group and port in detail (the same information as show etherchannel detail):

core_switch#show etherchannel port
Channel-group listing:
----------------------
 Group: 1
----------
Ports in the group:
-------------------
Port: Et0/0
------------
Port state = Up Sngl-port-Bndl Mstr Not-in-Bndl
Channel group = 1 Mode = Desirable-Sl Gcchange = 0
Port-channel = null GC = 0x00010001 Pseudo port-channel = Po1
Port index = 0 Load = 0x00 Protocol = PAgP
Flags: S – Device is sending Slow hello. C – Device is in Consistent state.
A – Device is in Auto mode. P – Device learns on physical port.
d – PAgP is down.
Timers: H – Hello timer is running. Q – Quit timer is running.
S – Switching timer is running. I – Interface timer is running.
Local information:
Hello Partner PAgP Learning Group
Port Flags State Timers Interval Count Priority Method Ifindex
Et0/0 U4/S4 H 30s 0 128 Any 2
Age of the port in the current state: 0d:00h:25m:25s

Using Link Aggregation Control Protocol (LACP):

core_switch(config)#no int port-channel 1

core_switch(config)#int ran e0/0-3
core_switch(config-if-range)#channel-protocol lacp
core_switch(config-if-range)#channel-group 1 mode active
Creating a port-channel interface Port-channel 1


Just for fun, remember that I didn’t change the distribution switch (mismatch)!

*Sep 14 12:02:03.087: %LINK-3-UPDOWN: Interface Port-channel1, changed state to down
*Sep 14 12:02:03.095: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to down
*Sep 14 12:00:12.351: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to down
*Sep 14 12:00:12.351: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to down
*Sep 14 12:00:12.351: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to down
*Sep 14 12:00:12.351: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/3, changed state to down
core_switch#show cdp neighbors
Capability Codes: R – Router, T – Trans Bridge, B – Source Route Bridge
S – Switch, H – Host, I – IGMP, r – Repeater, P – Phone,
D – Remote, C – CVTA, M – Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID

core_switch#show ip int bri
Interface      IP-Address      OK?   Method   Status                  Protocol
Ethernet0/0    unassigned      YES   unset    administratively down   down
Ethernet0/1    unassigned      YES   unset    administratively down   down
Ethernet0/2    unassigned      YES   unset    administratively down   down
Ethernet0/3    unassigned      YES   unset    administratively down   down


From both switches, port channel 1 is now down, sadly the two switches are totally disconnected now 😦

Now, fixing the config on the other switch so that the mismatch is removed:

dist_switch(config)#no int port-channel 1
dist_switch(config)#exit
dist_switch#
*Sep 14 12:14:32.403: %LINK-5-CHANGED: Interface Port-channel1, changed state to administratively down
dist_switch#
dist_switch#
*Sep 14 12:14:33.831: %SYS-5-CONFIG_I: Configured from console by console
*Sep 14 12:14:34.391: %LINK-5-CHANGED: Interface Ethernet0/0, changed state to administratively down
*Sep 14 12:14:34.391: %LINK-5-CHANGED: Interface Ethernet0/1, changed state to administratively down
*Sep 14 12:14:34.391: %LINK-5-CHANGED: Interface Ethernet0/2, changed state to administratively down
*Sep 14 12:14:34.391: %LINK-5-CHANGED: Interface Ethernet0/3, changed state to administratively down
*Sep 14 12:14:35.395: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to down
*Sep 14 12:14:35.395: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/1, changed state to down
*Sep 14 12:14:35.395: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/2, changed state to down
*Sep 14 12:14:35.395: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/3, changed state to down
Fix the configurations and manually bring the interfaces up (from BOTH switches)
core_switch(config)#int ran e0/0-3
core_switch(config-if-range)#no shut
core_switch(config-if-range)#exit

To change the LACP system priority:

dist_switch#show lacp sys-id
32768,aabb.cc00.0100
dist_switch#config t
dist_switch(config)#lacp system-priority ?
<0-65535> Priority value
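
As an added example (not from the post): the LACP bundle configured on both ends, which the mismatch above lacked; ports and hostnames are the lab's own.

```cisco
! Added example, not from the post. Core side runs LACP active.
core_switch(config)# interface range Ethernet0/0 - 3
core_switch(config-if-range)# channel-protocol lacp
core_switch(config-if-range)# channel-group 1 mode active
core_switch(config-if-range)# no shutdown
core_switch(config-if-range)# exit
! Trunk settings go on the logical interface and are pushed to the members
core_switch(config)# interface Port-channel1
core_switch(config-if)# switchport trunk encapsulation dot1q
core_switch(config-if)# switchport mode trunk
core_switch(config-if)# switchport nonegotiate
core_switch(config-if)# end
!
! Far end: "passive" only answers LACP, so at least one side must be "active".
! Both sides must run the same protocol; PAgP on one end and LACP on the other
! is exactly the mismatch that took every link down above.
dist_switch(config)# interface range Ethernet0/0 - 3
dist_switch(config-if-range)# channel-protocol lacp
dist_switch(config-if-range)# channel-group 1 mode passive
dist_switch(config-if-range)# no shutdown
dist_switch(config-if-range)# end
!
! Verification: the bundle should show flags (SU) and every member (P)
core_switch# show etherchannel summary
core_switch# show lacp neighbor
core_switch# show interfaces Port-channel1 trunk
```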

Posted in Cisco- R&S

LAB: use WLC internal DHCP to give IP address for access points

Cisco WLC internal DHCP can be used as DHCP for the access points … true!

Simple network:

WLC <--> switch <--> access point

Switch side:

Configure the switch port facing the AP as an access port in the management VLAN

Switch(config)#in FastEthernet0/3
Switch(config-if)#switchport access vlan 5
Switch(config-if)#exit

WLC Side:

Create the internal DHCP scope using the management VLAN subnet

GUI -> controller -> internal DHCP server -> DHCP scope

Set the management interface to use the management IP as its DHCP server and enable DHCP proxy (GUI -> Controller -> Interfaces -> management)

Now, we are ready … I am showing some of the AP logs while joining:

*May 31 17:44:05.383: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 192.168.5.10, mask 255.255.255.0, hostname AP001d.a1fc.8124

*May 31 17:44:56.012: %CAPWAP-3-ERRORLOG: Go join a capwap controller

*Aug 26 17:17:06.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.5.3 peer_port: 5246
*Aug 26 17:17:07.435: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.5.3 peer_port: 5246
*Aug 26 17:17:07.436: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.5.3
*Aug 26 17:17:08.502: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller Cisco_a5:a1:84

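As an added example (not the post's steps), the same WLC-side setup from the AireOS CLI instead of the GUI; the scope name, address range, default router and lease are assumptions, while the 192.168.5.0/24 subnet and the controller address 192.168.5.3 come from the AP log above.

```cisco
! Added example, not from the post. Scope name, pool range, gateway and lease are
! assumed; the subnet and the controller IP 192.168.5.3 are from the AP log.
(Cisco Controller) >config dhcp create-scope AP-MGMT
(Cisco Controller) >config dhcp network AP-MGMT 192.168.5.0 255.255.255.0
(Cisco Controller) >config dhcp address AP-MGMT 192.168.5.10 192.168.5.50
(Cisco Controller) >config dhcp default-router AP-MGMT 192.168.5.1
(Cisco Controller) >config dhcp lease AP-MGMT 86400
(Cisco Controller) >config dhcp enable AP-MGMT
! Point the management interface at the internal server and turn on DHCP proxy,
! the two settings the post makes in the GUI under Controller -> Interfaces -> management
(Cisco Controller) >config interface dhcp management primary 192.168.5.3
(Cisco Controller) >config dhcp proxy enable
! Verification: the scope, the lease handed to the AP, and the AP join result
(Cisco Controller) >show dhcp summary
(Cisco Controller) >show dhcp leases
(Cisco Controller) >show dhcp proxy
(Cisco Controller) >show ap join stats summary all
(Cisco Controller) >show ap summary
```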
This is the AP taking its IP from the internal DHCP server:

[Figure: leased]

and this is to confirm that this MAC is for this AP 😉

[Figure: AP-joined]

Cheers,

Nour

Posted in Cisco-Wireless, WLC Feature