Monday, July 14, 2008

IPExpert Workbook 1 - Section 2: Quad Catalyst (PVST+) Switch Configuration

Summary:

  • Time to Complete the Lab: 8h10m
  • Times looked at DocCD: 32 (all tasks) 
  • Times looked at Proctor Guide: 1 (Task 2.27)
  • Tasks skipped: 0 (none)
  • Rack Used: Notepad :)

Change of Plans:

I'm following a different approach after watching the CCIE Tips and Strategy video from my IPExpert BLS! One of the many pieces of advice in there was to check EVERY task (even the ones you know) in the DocCD!

Fair enough! Seems right! So I decided to change my approach a little bit: instead of jumping into a rack (by the way, ProctorLabs rack rental is great!), I decided to open a notepad (yep, notepad! I do not have routers and switches at my disposal, so to avoid losing precious rack time, I did most of the job in the notepad so far!) and try to solve the tasks in it using the DocCD.

Hmmmm, it was really tough! I searched the DocCD for hours and hours! And look, this is pretty much the Switching portion of the book, but that's ok! I need to find my way through the DocCD, and really, in the end, I was taking something like 10 minutes to find a task in the DocCD! It's really helping me out! I suggest you try it too, at least one time!

I read a lot, and that took me some time too! But it's Workbook Volume 1, and that's what I'm supposed to do, right?! Learn technologies, and that's pretty much what I'm doing right now!

Things get a lot easier when you have someone with enough experience to guide you! My coach? The IPExpert CCIE R&S Blended Learning Solutions; I'm following most of the tips! It may take more time than I predicted in the beginning, but, for sure, I'll learn a LOT more by doing it exactly like that!

About the Lab:

The lab started easy, with some minor tasks like VTP, passwords, EtherChannel and trunks. Task 2.5, for example, asked to configure trunks and to have every packet that traverses the link tagged with its VLAN ID, no exceptions! Nice! We can do that with the command vlan dot1q tag native! Things got really interesting in tasks 2.9, 2.10 and 2.11 regarding 802.1x; there's a good piece of advice there to avoid locking yourself out (and, more importantly, to avoid locking the proctor out of the equipment). I've seen somebody at Group Study or Sadikhov asking about that a while ago, so I decided to reproduce here every single word used in the Proctor Guide regarding this specific task:

-> Dot1x needs to be turned on.

dot1x system-auth-control
aaa new-model
aaa authentication dot1x default group radius
radius-server host 150.100.220.100 key ipexpert

-> To avoid further complications with any port using "login" you'll want to create a workaround. The Proctor will NOT do password recovery for grading you! So let's change the above:

aaa authentication login MyVTY line
aaa authentication login MyCon none
!
line con 0
login authentication MyCon
!
line vty 0 4
login authentication MyVTY

-> The bottom line is that while it is very irritating to lock yourself out of a switch, it is MUCH better than locking the Proctor out!

-> Another thing you may do is "reload in 10" on the switch. If you haven't validated your config and cancelled the reload, then at least you will fix things yourself!

-> (Do NOT save unvalidated configurations!!!)

That can save our lab! For sure somebody did it already and paid a $1400.00 lunch to Cisco!

Everything was pretty straightforward in this lab. Another great piece of advice from the Proctor Guide: always check the Command Reference on the DocCD if you need the default value of anything; it's always there! Cool!

Task 2.21 was all about Smart Port Macros! Wow! I had never done that before! But again, not too much to worry about: easy to find in the DocCD, and also easy to achieve the goal! Not that difficult, but again, a nice one!

I'm not used to SNMP, so task 2.24 took me a while to understand and to figure out in the DocCD what to do! But what really KILLED me was task 2.27. Take a look at this trick question:

Task 2.27

Ensure that only the following traffic is allowed to pass through VLAN12:

  • All non-IP frames sourced from MAC address 000b.cd96.cc4f destined to any host;
  • OSPF traffic and ICMP traffic
  • All other frames should be denied

OK, seems simple, right?! I thought so too! But indeed it's not!

Breaking it down, step by step, we would have a MAC access-list + an extended access-list + a VLAN filter, right?! It'll look pretty much like this:

mac access-list extended FilterMe
permit host 000b.cd96.cc4f any
!
access-list 101 permit ospf any any
access-list 101 permit icmp any any
!
vlan access-map Filter-VL12 10
action forward
match mac address FilterMe
!
vlan access-map Filter-VL12 20
action forward
match ip address 101
!
vlan access-map Filter-VL12 30
action drop
!
vlan filter Filter-VL12 vlan-list 12

Now try to ping any address from VLAN 12. Did it work? Check the ARP table! Yeah, now you see! We need to allow ARP, and also STP, to avoid any inconsistency in our network. The final configuration would include these two lines in the MAC access-list:

permit any any 0x0806 0x0000
permit any any lsap 0xAAAA 0x0000

Here follow the Ethertypes available in this lab according to the Proctor Guide (good to have these in mind when creating VLAN access maps):

  • 0x0806 = ARP
  • lsap 0xAAAA = PVST+
  • 0x4242 = STP and PVST
  • 0x86DD = IPv6
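To see why those two extra lines matter, here is an added Python model of how the access-map sequences above evaluate frames on VLAN 12. It is not from the workbook, the Proctor Guide or Cisco IOS: the peer and switch MAC addresses are constructed, and it assumes the Catalyst behaviour that a MAC ACL referenced from a VLAN access-map matches only non-IP frames while IPv4 frames are checked against the IP ACL. Run it and compare the verdicts for the ARP reply and the PVST+ BPDU with the initial and the final MAC access-list.

```python
"""Toy evaluator for the VLAN 12 access-map (constructed example, not Cisco code).

It walks the access-map sequences in order (10: MAC ACL, 20: IP ACL, 30: drop)
and reports which constructed frames survive with and without the ARP and
PVST+ entries in the MAC access-list.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ethertype / LSAP values; ARP, IPv6 and the PVST+ LSAP come from the page's list
ETHERTYPE_IPV4 = 0x0800   # assumption: standard IPv4 ethertype (not on the page)
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
LSAP_PVST = 0xAAAA        # PVST+ BPDUs are SNAP-encapsulated (DSAP/SSAP 0xAA)


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: Optional[int] = None  # None for 802.2 LLC/SNAP frames (BPDUs)
    lsap: Optional[int] = None       # DSAP for LLC frames
    ip_proto: Optional[str] = None   # "ospf", "icmp", "tcp" ... for IPv4 frames


# One MAC ACL entry: (src, dst, match-kind, value); kind None = any protocol
MacEntry = Tuple[str, str, Optional[str], Optional[int]]

# "mac access-list extended FilterMe" as first written in the post
INITIAL_MAC_ACL: List[MacEntry] = [
    ("000b.cd96.cc4f", "any", None, None),
]

# ... plus the two lines the post adds afterwards
FINAL_MAC_ACL: List[MacEntry] = INITIAL_MAC_ACL + [
    ("any", "any", "ethertype", ETHERTYPE_ARP),  # permit any any 0x0806 0x0000
    ("any", "any", "lsap", LSAP_PVST),           # permit any any lsap 0xAAAA 0x0000
]

# "access-list 101": IP protocols permitted by the extended ACL
IP_ACL_101 = {"ospf", "icmp"}


def mac_acl_matches(frame: Frame, entries: List[MacEntry]) -> bool:
    """A MAC ACL is consulted only for non-IP frames; IPv4 goes to the IP ACL."""
    if frame.ethertype == ETHERTYPE_IPV4:
        return False
    for src, dst, kind, value in entries:
        if src != "any" and src != frame.src_mac:
            continue
        if dst != "any" and dst != frame.dst_mac:
            continue
        if kind == "ethertype" and frame.ethertype != value:
            continue
        if kind == "lsap" and frame.lsap != value:
            continue
        return True  # first matching permit entry wins
    return False


def ip_acl_matches(frame: Frame, protocols: set) -> bool:
    """Extended IP ACL: only IPv4 frames carrying a permitted protocol match."""
    return frame.ethertype == ETHERTYPE_IPV4 and frame.ip_proto in protocols


def evaluate(frame: Frame, mac_entries: List[MacEntry]) -> str:
    """Sequence 10: forward on MAC match; 20: forward on IP match; 30: drop."""
    if mac_acl_matches(frame, mac_entries):
        return "forward"
    if ip_acl_matches(frame, IP_ACL_101):
        return "forward"
    return "drop"


# Constructed traffic on VLAN 12 (all MACs except the task's host are made up)
HOST = "000b.cd96.cc4f"
PEER = "0011.2233.4455"      # constructed
SWITCH = "0019.aabb.ccdd"    # constructed
FRAMES: Dict[str, Frame] = {
    "arp-request": Frame(HOST, "ffff.ffff.ffff", ETHERTYPE_ARP),
    "arp-reply": Frame(PEER, HOST, ETHERTYPE_ARP),
    "pvst-bpdu": Frame(SWITCH, "0100.0ccc.cccd", None, LSAP_PVST),
    "icmp-echo": Frame(HOST, PEER, ETHERTYPE_IPV4, ip_proto="icmp"),
    "ospf-hello": Frame(PEER, "0100.5e00.0005", ETHERTYPE_IPV4, ip_proto="ospf"),
    "telnet": Frame(PEER, HOST, ETHERTYPE_IPV4, ip_proto="tcp"),
    "ipv6-nd": Frame(PEER, "3333.0000.0001", ETHERTYPE_IPV6),
}


def simulate(mac_entries: List[MacEntry]) -> Dict[str, str]:
    """Verdict per constructed frame for a given MAC access-list."""
    return {name: evaluate(frame, mac_entries) for name, frame in FRAMES.items()}


if __name__ == "__main__":
    for label, acl in (("initial", INITIAL_MAC_ACL), ("final", FINAL_MAC_ACL)):
        print(label, simulate(acl))
```

With the initial list the host's own ARP request goes out (its source MAC matches), but the ARP reply coming back from the peer and the PVST+ BPDUs are dropped, which is exactly the empty ARP table and the STP inconsistency the post describes; the final list forwards both while telnet and IPv6 stay dropped.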

This task alone took me 1h30m! I was looking in the DocCD, but I couldn't find those Ethertype values anywhere! It was really good to learn! We need to see every task's "big picture"! What happens if we only allow the host's MAC address through? Nothing! Without ARP, nothing works! So I need to pay more attention to those little details and take care not to underestimate the question! Ouch!

Final considerations:

This lab seems really easy to accomplish, but, believe me, it's not! Also, the amount of hidden issues, tricks and experience you get from it is HUGE! I would suggest doing it a couple of times (I'll do it again this weekend, but on live equipment).

The VLAN access map questions were the BEST ones in my opinion; the explanations in the Proctor Guide really tell us to think about the "full picture" and not just to accomplish what was asked word by word! This is the key difference between the guy who understands the technologies and the guy who knows the commands! ;)

I'm also very happy with this new approach I'm using: trying to find every single task in the DocCD, and using Notepad for the first time (prior to the rack rental)!

Things that I need to improve myself after this Lab:

  1. 802.1x;
  2. SNMP;
  3. VLAN Access Maps;
  4. Still need to understand better what the task is REALLY asking for instead of guessing it!

Next Steps:

  1. Do the same thing with Workbook Volume I - Section 3: Quad Catalyst - MST;
  2. Do those two labs (Section 2 + Section 3) on real equipment from ProctorLabs.com;
  3. Watch VoD Chapters 3 (PPP), 4 (Bridging) and 5 (Switching).
