CCNP 300-115 Switch study (commands to use on lab questions)

Commands to use during Lab questions

SW# show running-config
SW# show interfaces trunk
SW# show cdp neighbor
SW# show ip dhcp snooping
SW# show spanning-tree
SW# show spanning-tree summary
SW# show spanning-tree vlan 10
SW# show vtp status
SW# show vlan
SW# show ip int brief
SW# show int Fa0/x switchport
SW# show etherchannel 1 summary
SW# show standby
SW# show standby neighbors
SW# show run int Fa0/x
SW# show int status err-disabled
SW# show errdisable recovery

Configure IEEE 802.1q trunking port

A(config-if)# switchport trunk encapsulation dot1q

Configure permanent trunk

A(config-if)# switchport mode trunk

Configure VLAN 12 as the native VLAN on this trunk

A(config-if)# switchport trunk native vlan 12

Only allow VLANs 1-5, 10-100 on this trunk

A(config-if)# switchport trunk allowed vlan 1-5, 10-100

Only allow the native VLAN, 13 & 15

SW(config-if)# switchport trunk encapsulation dot1q
SW(config-if)# switchport trunk allowed vlan 1,13,15

Enable interface

A(config-if)# no shutdown

 

EtherChannel

SW# show etherchannel summary

SW A & B form LACP

A(config-if)# channel-group 5 mode active
B(config-if)# channel-group 5 mode active

 

CDP

Enable CDP globally

SW(config)# cdp run

Disable CDP globally

SW(config)# no cdp run

Disable CDP on interface

SW(config-if)# no cdp enable

Change CDP to update every 5 sec. Default is 60 sec

SW(config)# cdp timer 5

Enable rapid error tracking feature

SW(config)# cdp advertise-v2

 

Switch stack

SW# show switch

 

Security

DAI & DHCP snooping

SW# show ip arp inspection
SW# show ip dhcp snooping
SW(config)# ip dhcp snooping
SW(config)# ip dhcp snooping vlan 100,150

Enable Source Guard

SW(config-if)# ip verify source

Storm-control

SW# show storm-control

sticky

SW(config-if)# switchport port-security mac-address sticky
SW(config-if)# switchport port-security violation shutdown

trunk allowed vlan only 100,150

SW(config-if)# switchport trunk allowed vlan 100,150
SW(config-if)# ip dhcp snooping trust

GLBP

SW(config-if)# glbp 16 ip 10.1.1.100
SW(config-if)# glbp 16 priority 150

option 82

SW(config)# ip dhcp snooping information option allow-untrusted
SW(config-if)# ip dhcp snooping information option allow-untrusted

Root Guard inconsistentports

SW# show spanning-tree inconsistentports

Find out the VLAN of the troubled interface

SW# show spanning-tree
SW# show spanning-tree inconsistentports
SW# show interfaces status err-disabled
SW# show vlan

How many BPDUs have been received on this interface?

SW# show spanning-tree mst detail
SW# show spanning-tree detail

Find IP network used by SVI on port Fa0/22

SW# show vlan 
SW# show ip interface brief

Which VLAN will Fa0/2 use for IP phone?

SW# show interfaces FastEthernet 0/2 switchport
SW# show interfaces Fa0/2 switchport

Which commands have been used for port-security?

SW# show port-security
SW# show port-security interface fa0/11

SW(config-if)# switchport mode access
SW(config-if)# switchport port-security
SW(config-if)# switchport port-security maximum 10
SW(config-if)# switchport port-security aging time 100
SW(config-if)# switchport port-security violation protect

Display details of only the trunk interface, including the allowed VLANs

SW# show interfaces FastEthernet 0/1 trunk

Enable DAI on vlans 100 & 150

SW(config)# ip arp inspection vlan 100,150

Enable DHCP snooping & DAI on interface

SW(config-if)# ip dhcp snooping trust
SW(config-if)# ip arp inspection trust

Native vlan on trunk

SW(config-if)# switchport trunk encapsulation dot1q
SW(config-if)# switchport mode trunk
SW(config-if)# switchport trunk native vlan 12
SW(config-if)# switchport trunk allowed vlan 1-5,10-100
SW(config-if)# no shutdown

 

AAA Radius

SW1> enable
SW1# configure terminal
SW1(config)# aaa new-model
SW1(config)# radius-server host 172.16.1.x key RadiusPassword123
SW1(config)# aaa authentication dot1x default group radius
SW1(config)# dot1x system-auth-control
SW1(config)# interface fa0/1
SW1(config-if)# switchport mode access
SW1(config-if)# switchport access vlan 20
SW1(config-if)# dot1x port-control auto
SW1(config-if)# end
SW1# copy running-config startup-config

DS1> enable
DS1# configure terminal
DS1(config)# access-list 10 permit 172.16.1.0 0.0.0.255
DS1(config)# vlan access-map CCNP 10
DS1(config-access-map)# match ip address 10
DS1(config-access-map)# action forward
DS1(config-access-map)# exit
DS1(config)# vlan access-map CCNP 20
DS1(config-access-map)# action drop
DS1(config-access-map)# exit
DS1(config)# vlan filter CCNP vlan-list 20
DS1(config)# end
DS1# copy running-config startup-config

Globally enables port-based authentication 802.1x

SW1(config)# dot1x system-auth-control

Configure Fa0/1 to use 802.1x

SW1(config)# interface FastEthernet 0/1
SW1(config-if)# dot1x port-control auto
! "auto" will force connected PC to authenticate through the 802.1x exchange

Define access list

DS1(config)# ip access-list standard 10
DS1(config-std-nacl)# permit 172.16.1.0 0.0.0.255
DS1(config-std-nacl)# exit

Define access-map which uses access-list above

DS1(config)# vlan access-map MYACCMAP 10
DS1(config-access-map)# match ip address 10
DS1(config-access-map)# action forward
DS1(config-access-map)# exit

DS1(config)# vlan access-map MYACCMAP 20
DS1(config-access-map)# action drop
DS1(config-access-map)# exit

Apply a vlan-map into a vlan

DS1(config)# vlan filter MYACCMAP vlan-list 20

If SIM question states “not to use named ACLs” then use number ACL

DS1(config)# access-list 10 permit 172.16.1.0 0.0.0.255

 

 

Simulation LACP with STP

! Create required vlan!
A(config)# vlan 21
A(config-vlan)# name Marketing
A(config-vlan)# vlan 22
A(config-vlan)# name Sales
A(config-vlan)# vlan 23
A(config-vlan)# name Engineering
A(config-vlan)# exit

! Make switch A root bridge for vlan 11,12,13,21,22,23
A(config)# spanning-tree vlan 11-13,21-23 root primary

!Erase existing config for LACP setup later!
A(config)# interface range fa0/3-4
A(config-if)# shutdown
A(config-if)# no switchport mode access
A(config-if)# no switchport access vlan 98
A(config-if)# channel-group 1 mode active
A(config-if)# channel-protocol lacp
A(config-if)# exit
A(config)# interface port-channel 1
A(config-if)# switchport mode trunk
A(config-if)# switchport trunk native vlan 99
A(config-if)# switchport trunk allowed vlan 1,21-23
A(config-if)# no shutdown

! Create required vlan!
B(config)# vlan 11
B(config-vlan)# name AAA
B(config-vlan)# vlan 12
B(config-vlan)# name BBB
B(config-vlan)# vlan 13
B(config-vlan)# name CCC
B(config-vlan)# vlan 21
B(config-vlan)# name Marketing
B(config-vlan)# vlan 22
B(config-vlan)# name Sales
B(config-vlan)# vlan 23
B(config-vlan)# name Engineering
B(config-vlan)# vlan 98
B(config-vlan)# name Parking
B(config-vlan)# vlan 99
B(config-vlan)# name TrunkNative
B(config-vlan)# exit

! Fa0/9 & Fa0/10!
B(config)# interface range fa0/9-10
B(config-if)# switchport mode access
B(config-if)# switchport access vlan 21
B(config-if)# spanning-tree portfast
B(config-if)# no shutdown

! Fa0/13 & Fa0/14
B(config)# interface range fa0/13-14
B(config-if)# switchport mode access
B(config-if)# switchport access vlan 22
B(config-if)# spanning-tree portfast
B(config-if)# no shutdown

! Fa0/15 & Fa0/16
B(config)# interface range fa0/15-16
B(config-if)# switchport mode access
B(config-if)# switchport access vlan 23
B(config-if)# spanning-tree portfast
B(config-if)# no shutdown

! vtp mode to transparent and rapid pvst
B(config)# vtp mode transparent
B(config)# spanning-tree mode rapid-pvst

! Give SVI an ip address on vlan 1 and default gateway
B(config)# interface vlan 1
B(config-if)# ip address 192.168.1.11 255.255.255.0
B(config-if)# no shutdown
B(config-if)# exit
B(config)# ip default-gateway 192.168.1.1

! setup LACP 
B(config)# interface range fa0/3-4
B(config-if)# shutdown
B(config-if)# channel-group 1 mode passive
B(config-if)# channel-protocol lacp
B(config-if)# exit
B(config)# interface port-channel 1
B(config-if)# switchport trunk encapsulation dot1q
B(config-if)# switchport mode trunk
B(config-if)# switchport trunk native vlan 99
B(config-if)# switchport trunk allowed vlan 1,21-23
B(config-if)# no shutdown



! Bring up interfaces for both switch A and B

A(config)# interface range fa0/3-4
A(config-if)# no shutdown
B(config)# interface range fa0/3-4
B(config-if)# no shutdown

! Verify that port channel & vlan 1 are up/up
A# show ip interface brief
B# show ip interface brief

! Verify that port channel is up
A# show etherchannel summary
B# show etherchannel summary

! ping to default gateway and finally save running-config
A# ping 192.168.1.1
A# copy run startup
B# ping 192.168.1.1
B# copy run startup

 

Define interface-range

SW(config)# define interface-range GROUP_IT Fa0/1-4
SW(config)# interface range macro GROUP_IT

Show power consumption for POE device

SW250#show power inline

Voice VLAN

SW(config-if)#switchport mode access
SW(config-if)#switchport access vlan 192
SW(config-if)#switchport voice vlan 300

VTP version 3 (make primary server)

SW# vtp primary

Disable MAC address learning

SW(config)# no mac address-table learning vlan 192

 

Change LACP Priority of each port

SW# show lacp internal
SW# show lacp neighbor
SW# show etherchannel summary

SW(config-if)# lacp port-priority 128

 

Trunk troubleshooting

SW(config)# int range Fa0/1 - 4 
SW(config-if-range)# switchport trunk encapsulation dot1q
SW(config-if-range)# switchport mode trunk
SW(config-if-range)# switchport nonegotiate 


SW# show interfaces Fa0/1 trunk
SW# show interfaces Fa0/1 switchport

 

Change the root port

SW# show spanning-tree vlan 192
SW(config)# interface Gi0/4
SW(config-if)# spanning-tree vlan 192 cost 16
SW(config-if)# spanning-tree vlan 192 port-priority 16

 

Port Security

SW(config-if)# switchport port-security aging time 5   !in minutes!


SW# show port-security
SW# show port-security address
SW# show port-security interface Fa0/1

SW(config)#errdisable recovery cause psecure-violation

SW(config)#errdisable recovery interval 30     !in seconds!
SW# show errdisable recovery

 

Remote-span

SW(config)# vlan 192
SW(config-vlan)# remote-span
SW(config)# monitor session 1 source remote vlan 192
SW(config)# monitor session 1 destination interface Fa0/1
SW# show monitor

 

Storm-control

SW(config-if)# storm-control broadcast level 50 40
SW(config-if)# storm-control multicast level 50 40
SW(config-if)# storm-control unicast level 50 40

SW# show storm-control
SW# show storm-control multicast
SW# show storm-control unicast


SW(config-if)# storm-control action shutdown
SW(config-if)# storm-control action trap

 

VLAN ACL (VACL)
Block the first three hosts from reaching the rest of the hosts in the same subnet

# ACL
SW(config)# ip access-list extended BLOCK_FIRST_THREE
SW(config-ext-nacl)# permit ip 192.168.32.0 0.0.0.3 192.168.32.0 0.0.0.255

# VACL(Drop matching)
SW(config)# vlan access-map NO_123 10
SW(config-access-map)# match ip address BLOCK_FIRST_THREE
SW(config-access-map)# action drop


# VACL (Permit any)
SW(config)# vlan access-map NO_123 20
SW(config-access-map)# action forward

# Check before applying
SW# show vlan access-map

# Apply filter
SW(config)# vlan filter NO_123 vlan-list 192

 

Private VLAN

SW(config)# vtp mode transparent

SW(config)# vlan 100
SW(config-vlan)# private-vlan community

SW(config)# vlan 200
SW(config-vlan)# private-vlan isolated

SW(config)# vlan 300
SW(config-vlan)# private-vlan primary

SW(config-vlan)# private-vlan association 100,200

#Make promiscuous
SW(config)# int Fa0/48
SW(config-if)# switchport mode private-vlan promiscuous

#Map vlan 100 & 200 to primary vlan 300 
SW(config)# int Fa0/48
SW(config-if)# switchport private-vlan mapping 300 100,200


#Assign hosts to private vlan 100
SW(config)# int range Fa0/1 - 5
SW(config-if-range)# switchport mode private-vlan host
SW(config-if-range)# switchport private-vlan host-association 300 100

#Assign hosts to private vlan 200
SW(config)# int range Fa0/10 - 20
SW(config-if-range)# switchport mode private-vlan host
SW(config-if-range)# switchport private-vlan host-association 300 200

#View and verify
SW# show vlan
SW# show vlan private-vlan
SW# show interfaces Fa0/48 switchport

 

DHCP

SW(config)#ip dhcp pool HOME_DHCP_TEST
SW(dhcp-config)#network 10.0.0.0 /8
SW(dhcp-config)#domain-name kim.sg
SW(dhcp-config)#dns-server 10.x.x.x
SW(dhcp-config)#default-router 10.1.1.1
SW(dhcp-config)#lease 7

SW(config)#ip dhcp excluded-address 10.0.0.222
SW(config)#ip dhcp excluded-address 10.0.0.0 10.1.1.0

SW#show ip dhcp pool
SW#show ip dhcp binding

#IP Helper
SW(config-if)#no switchport
SW(config-if)#ip helper-address 10.5.1.1
SW(config-if)#ip helper-address 10.5.1.2

DHCP static binding

SW(config)#ip dhcp pool STATIC_BINDING
SW(dhcp-config)#host 10.1.1.3
SW(dhcp-config)#client-identifier mac:address:of:host

SW#show ip dhcp pool
SW#show ip dhcp binding

DHCP Snooping

SW(config)#ip dhcp snooping vlan 192
SW(config)#ip dhcp snooping information option

SW(config)#int fa0/48
SW(config-if)#ip dhcp snooping trust

SW#show ip dhcp snooping

Dynamic ARP Inspection

SW(config)#ip arp inspection vlan 192

SW(config)#int Fa0/45
SW(config-if)#ip arp inspection trust

SW#show ip arp inspection
SW#show ip arp inspection interfaces

IP Source Guard

SW(config)#int Fa0/48
SW(config-if)#ip verify source
SW(config)#ip source binding mac.address.of.host vlan 192 192.168.32.1

SW#show ip verify source
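The DHCP snooping, DAI, IP Source Guard and port-security commands above are listed one feature at a time, but on a real access switch they depend on each other: DAI and IP Source Guard both look up the binding table that DHCP snooping builds, and the uplink toward the DHCP server has to be trusted by both features or legitimate offers and ARP replies are dropped. The following is an added example that puts them together in a working order; it is not from the original cheat sheet. VLAN 192, the uplink Gi0/1 and the access-port range Fa0/1-24 are assumptions for this example.

```cisco
! Added example (not part of the original cheat sheet). VLAN 192, uplink Gi0/1
! and access ports Fa0/1-24 are assumed values.
!
! 1. DHCP snooping must be on globally AND per VLAN; it builds the binding
!    table (IP, MAC, VLAN, port, lease) that the next two features consult.
ip dhcp snooping
ip dhcp snooping vlan 192
! Option 82 insertion is on by default; disable it unless the DHCP server
! is configured to accept relay information from this switch.
no ip dhcp snooping information option
!
! 2. DAI validates ARP packets on the VLAN against the snooping bindings.
!    The extra validate keywords also catch ARP bodies that contradict the
!    Ethernet header.
ip arp inspection vlan 192
ip arp inspection validate src-mac dst-mac ip
!
! 3. The uplink is trusted for both features: DHCP offers arrive here and
!    the gateway's ARP replies are not in the binding table.
interface GigabitEthernet0/1
 description Uplink to distribution
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 192
 ip dhcp snooping trust
 ip arp inspection trust
!
! 4. Access ports stay untrusted. Rate-limit DHCP and ARP so one host cannot
!    exhaust the CPU, tie the port to its learned lease, and cap MAC count.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 192
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 ip verify source
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! 5. Ports err-disabled by a DAI rate-limit or a port-security violation
!    recover automatically after 5 minutes instead of needing a manual
!    shutdown / no shutdown.
errdisable recovery cause arp-inspection
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

After applying, `show ip dhcp snooping binding` should list one entry per DHCP client before any host traffic is expected to pass IP Source Guard; `show ip arp inspection statistics vlan 192` and `show ip verify source` show drop counters per feature. A host with a static address and no binding will be dropped by `ip verify source` until a static `ip source binding` entry (as in the section above) is added for it.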

Get connected device info (MAC & IP)

SW#show mac address-table interface Gi1/0/1
SW#show cdp neighbors detail

CDP (01:00:0c:cc:cc:cc)

SW#show cdp
SW(config)#cdp timer xxx   !in sec!
SW#show cdp neighbors detail

SW(config)#int Fa0/5
SW(config-if)#no cdp enable

Disable telnet and use SSH

SW(config)#line vty 0 15
SW(config-line)# login local
SW(config-line)# transport input ssh

SW(config)#username user1 password password1
SW(config)#username user2 password password2

Setup SSH

SW(config)#ip domain-name your.domain.com
SW(config)#crypto key generate rsa

STOP that guy

SW(config)#ip access-list standard STOP_THAT_GUY
SW(config-std-nacl)#deny host 9.9.9.9
SW(config-std-nacl)#permit any
SW(config-std-nacl)#exit
SW(config)#line vty 0 4
SW(config-line)#access-class STOP_THAT_GUY in
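The three sections above (SSH-only VTY lines, SSH key setup, and an access-class on the VTY lines) are the pieces of management-plane hardening; the following added example, not from the original cheat sheet, shows them combined into one working configuration and adds the checks a practitioner usually wants alongside them. The admin subnet 192.168.32.0/24, the domain name, the hostname and the username are assumptions for this example.

```cisco
! Added example (not part of the original cheat sheet). The admin subnet,
! domain name, hostname and username below are assumed values.
!
! The hostname and domain name must exist before the RSA key can be
! generated; 2048 bits avoids the weak modulus older IOS offers by default.
hostname SW
ip domain-name lab.example.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! "secret" stores a salted hash; "password" is stored in the clear or as a
! reversible type 7 string, so it should not be used for login accounts.
username admin privilege 15 secret Adm1n-Example-Only
!
! Only the admin subnet may open a VTY session at all; every other source
! is logged and refused before authentication starts.
ip access-list standard MGMT_ONLY
 permit 192.168.32.0 0.0.0.255
 deny   any log
!
line vty 0 15
 access-class MGMT_ONLY in
 transport input ssh
 login local
 exec-timeout 10 0
 logging synchronous
!
! Slow down password guessing: after 5 failed logins within 60 seconds,
! refuse further logins for 120 seconds and log each failure.
login block-for 120 attempts 5 within 60
login on-failure log
```

`show ip ssh` confirms the SSH version and key are in place, `show login` shows whether the switch is currently in quiet mode because of failed attempts, and `show access-lists MGMT_ONLY` exposes the hit count on the logged deny entry, which is a cheap indicator of management-port probing.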

Syslog

SW(config)#logging 192.168.32.8
SW(config)#logging trap 5
SW(config)#service timestamps log datetime

Setup NTP server (configure master)

SW(config)#ntp master 8

SW#show ntp status
SW#show ntp associations

Connect to NTP server master

R(config)#ntp server 192.168.32.250 prefer
R#show clock
R#show ntp status
R#show ntp associations

Optional NTP authentication

# Master
SW(config)#ntp authentication-key 1 md5 CCNP
SW(config)#ntp trusted-key 1

# Client
R(config)#ntp authentication-key 1 md5 CCNP
R(config)#ntp trusted-key 1
R(config)#ntp server 192.168.32.250 key 1 
R#show ntp associations detail

Control who can connect to NTP server (Prevent host 10.1.1.3 from getting time synchronized)

# On Master NTP switch
SW(config)#access-list 22 deny host 10.1.1.3
SW(config)#access-list 22 permit any
SW(config)#ntp access-group serve 22
SW#debug ntp packet

# Debug on the client to see that time cannot synchronize
R#debug ntp packet

SNMP

SW(config)#snmp-server group BULLDOGS v3 priv
SW(config)#snmp-server user user1 BULLDOGS v3 auth sha Password1 priv aes 128 Ppass
SW(config)#snmp-server host 10.1.1.3 traps version 3 priv user1

SLA (Service Level Agreements)

SW2(config)#ip sla 5
SW2(config-ip-sla)#icmp-echo 192.168.32.250
SW2(config-ip-sla-echo)#frequency xx

SW2(config)#ip sla schedule 5 start-time now
SW2#show ip sla configuration
SW2#show ip sla statistics

SW1(config)#ip sla responder

AAA (dot1x)

SW(config)#aaa new-model
SW(config)#radius-server host 172.120.39.46 key rad123
SW(config)#tacacs-server host 172.120.39.46 key tac123

SW(config)#aaa authentication dot1x default group radius

AAA (fallback to local login)

SW(config)#username user1 password password1
SW(config)#aaa authentication login default group radius local

STP

SW(config)#spanning-tree mst 1 root primary
SW(config)#spanning-tree mst 1 priority 4096

MST

SW(config)#spanning-tree mst configuration
SW(config-mst)#instance 1 vlan 1-100
SW(config-mst)#exit
SW(config)#spanning-tree mode mst

SW#show spanning-tree mst configuration

Standby

SW#show standby
SW#show standby brief
