Cisco Data Center Network (DCI) I - Lab
Uploaded to Scribd by Paul Pat (198 pages)
DCNI-1 | Implementing Cisco Data Center Network Infrastructure 1
Version 2.0
Lab Guide
Text Part Number: 97-2676-01

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED "AS IS." CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

DCNI-1 Lab Guide

Overview
This guide presents the instructions and other information concerning the lab activities for this course.
You can find the solutions in the lab activity Answer Key.

Outline
This guide includes these activities:
■ Lab 1-1: Deploying and Examining the VSS 1440 Operation
■ Demonstration 1-2: Deploying and Examining Cisco IOS Software Modularity
■ Lab 1-3: Deploying QoS
■ Lab 1-4: Deploying and Examining EEM
■ Lab 1-5: Deploying Automated Diagnostics
■ Lab 1-6: Deploying SPAN
■ Lab 2-1: Deploying the FWSM in Transparent Mode
■ Lab 2-2: Deploying Multiple Contexts on FWSM
■ Lab 2-3: Deploying the FWSM in Routing Mode
■ Lab 2-4: Deploying the FWSM Failover
■ Lab 3-1: Deploying the Initial Cisco NAM Configuration
■ Lab 3-2: Deploying Collection Mechanisms
■ Lab 4-1: Deploying High Availability on Cisco Catalyst 6500 Series Switch
■ Answer Key

General Lab Topology Information
This section presents the general items that are common to all labs.

Accessing the Lab
The lab pod information is provided by the instructor. Use this information to access the assigned pod to complete the lab exercises.

Your Lab Pod Information
Information | Provided by Your Instructor
Lab Website |
Pod Number  |
Username    |
Password    |

Lab Topology
The figure shows the general lab topology used for the DCNI-1 lab exercises and course.

Lab Devices
Each pod consists of the following lab devices:
■ Two (2) Cisco Catalyst 6500 Series Switches named 6500-1 and 6500-2, each equipped with Cisco Catalyst 6500 Series FWSM and NAM service modules
■ Two (2) Cisco Catalyst 4900 Series Switches named 4900-1 and 4900-2
■ Two (2) workstation PCs named PC1 and PC6
■ Four (4) servers named Server1, Server2, Server3, and Server4

Implementing Cisco Data Center Network Infrastructure 1 (DCNI-1) v2.0 © 2008 Cisco Systems, Inc.

IP Addressing
The IP addressing scheme in the following table lists the IP addresses of the PCs and servers used in all lab exercises. The IP addresses of these devices do not change. "P" in the IP address is your pod number through all lab exercises for PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces, FWSM, and NAM interfaces.
Pod Addressing
Device  | Device IP Subnet | Subnet Mask | Device IP                                          | Default Gateway | VLAN
PC1     | 10.P.13.0        | /24         | 10.P.13.25                                         | 10.P.13.1       | 13
PC6     | 10.P.23.0        | /24         | 10.P.23.25                                         | 10.P.23.1       | 23
Server1 | 10.P.11.0        | /24         | 10.P.11.10, 10.P.11.20, 10.P.11.30, 10.P.11.40     | 10.P.11.1       | 11
Server2 | 10.P.12.0        | /24         | 10.P.12.10, 10.P.12.20, 10.P.12.30, 10.P.12.40     | 10.P.12.1       | 12
Server3 | 10.P.21.0        | /24         | 10.P.21.10, 10.P.21.20, 10.P.21.30, 10.P.21.40     | 10.P.21.1       | 21
Server4 | 10.P.22.0        | /24         | 10.P.22.10, 10.P.22.20, 10.P.22.30, 10.P.22.40     | 10.P.22.1       | 22

Connecting to Lab Devices

Connecting to Cisco Catalyst 6500 and Catalyst 4900 Series Switches
The Cisco Catalyst 6500 and Catalyst 4900 Series Switches are running the Cisco IOS operating system. To connect to an individual switch, two options are available:
■ Console connection via icon on the lab exercise page
■ Establish a Telnet session from the workstation PC or server once proper VLANs are configured

Note: The Cisco Catalyst 6500 and Catalyst 4900 Series Switches are initially deployed without any configuration and username/password. If a certain switch is configured with a username/password, consult the instructor.

Connecting to the Cisco Catalyst 6500 Series FWSM Service Module
The Cisco Catalyst 6500 Series FWSM service module is running the FWSM operating system. To connect to the Catalyst 6500 Series FWSM, the following options are available:
■ Console connection via Cisco Catalyst 6500 Series Switch using the session slot slot-number processor 1 command
■ Open a Telnet/SSH/ASDM session from the workstation PC or server once proper interfaces and access rules are configured

To log in via console, use the default password cisco. The default privileged (enable) mode password is blank. To enter the privileged mode, simply press the Enter key when prompted for a password.

Note: If a Catalyst 6500 Series FWSM is configured with a username/password, consult the instructor.
Connecting to the NAM Service Module
The NAM service module is by default running the NAM application image. To connect to the NAM, the following options are available:
■ Console connection via Cisco Catalyst 6500 Series Switch using the session slot slot-number processor 1 command
■ Open a Telnet/SSH session or use a web browser from the workstation PC or server once proper interfaces and access rules are configured

To log in via the console, use the default username "root" and password "root." Cisco NAM can also be running a maintenance image. In such cases, the username is "root" and the password is "cisco."

Note: If a NAM is configured with a username/password, consult the instructor.

Connecting to the Desktop PC
The desktop PCs are running Microsoft Windows operating systems. To log in to the PC, use the username "administrator" and the password "cisco."

Connecting to the Microsoft Windows Servers
The servers are running Microsoft Windows 2003 operating systems. To log in to the server, use the username "administrator" and the password "cisco."

Lab 1-1: Deploying and Examining the VSS 1440 Operation
Network operators increase network reliability by configuring switches in redundant pairs and by provisioning links to both switches in the redundant pair. A virtual switching system (VSS) combines a pair of Cisco Catalyst 6500 Series Switches into a single network element. The virtual switching system manages the redundant links, which externally act as a single port channel, the Multichassis EtherChannel (MEC).

Activity Objective
In this activity, you will deploy and monitor VSS and MEC.
After completing this activity, you will be able to meet these objectives:
■ Convert standalone chassis to VSS mode
■ Deploy and verify the Multichassis EtherChannel
■ Enhance VSS operation with the BFD dual-active detection mechanism
■ Convert chassis operating in VSS mode back to standalone mode
■ Examine and verify VSS operation with appropriate show commands

Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: Lab 1-1: Deploying and Examining the VSS 1440 Operation]

IP Addressing
The IP addressing scheme in the following table lists the IP addresses of the PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces and Layer 3 physical interfaces, where "P" is your pod number.

Pod Addressing
Device  | Device IP Subnet | Subnet Mask | Device IP                                          | Default Gateway | VLAN
PC1     | 10.P.13.0        | /24         | 10.P.13.25                                         | 10.P.13.1       | 13
Server1 | 10.P.11.0        | /24         | 10.P.11.10, 10.P.11.20, 10.P.11.30, 10.P.11.40     | 10.P.11.1       | 11
Server3 | 10.P.21.0        | /24         | 10.P.21.10, 10.P.21.20, 10.P.21.30, 10.P.21.40     | 10.P.21.1       | 21

Device | VLAN | Subnet    | Subnet Mask | Device IP
6500-1 | 11   | 10.P.11.0 | /24         | 10.P.11.1
6500-1 | 13   | 10.P.13.0 | /24         | 10.P.13.1
6500-1 | 21   | 10.P.21.0 | /24         | 10.P.21.1

These are the resources and equipment required to complete this activity:
■ Two (2) Cisco Catalyst 6500 Series Switches
■ Two (2) Cisco Catalyst 6500 Series Switch Ethernet modules
■ Two (2) Cisco Catalyst 6500 Series Switch Supervisor 720-10G-3C modules, each with one 10G X2 module
■ Two (2) Cisco Catalyst 4948 Switches
■ Microsoft Windows XP client
■ Two (2) Microsoft Windows 2003 servers

Command List
The table describes the commands that are used in this activity.

Deploying and Examining the VSS 1440 Operation Commands
Command
    Description

[no] shutdown
    [Disables] Enables the interface.
[no] switchport
    Sets the interface operational mode to Layer 3 (no switchport) or Layer 2 (switchport).

bfd interval milliseconds min_rx milliseconds multiplier multiplier-value
    Sets the Bidirectional Forwarding Detection (BFD) session parameters on an interface.

channel-group portchannel mode desirable
    Assigns an interface to an EtherChannel group. The desirable option places a port into an active negotiating state in which the port initiates negotiations with other ports by sending PAgP packets.

channel-group portchannel mode on
    Assigns an interface to an EtherChannel group. The on option enables the EtherChannel manually.

channel-protocol pagp
    Sets the EtherChannel protocol to PAgP.

configure replace filename
    Replaces the current running configuration with a saved Cisco IOS configuration file.

copy running-config startup-config
    Saves the running configuration to NVRAM.

dual-active detection bfd
    Enables the BFD dual-active detection method.

dual-active pair interface first-interface interface second-interface bfd
    Configures the dual-active pair of interfaces. The interfaces must be directly connected (a single Layer 3 hop).

interface name
    Enters the interface configuration mode.

interface range list-of-interfaces
    Enters the interface configuration mode for a list of interfaces.

ip address address netmask
    Sets the IP address on a Layer 3 interface.

ping destination
    Performs a ping to the specified destination.

show etherchannel portchannel summary
    Shows the operational state of the configured EtherChannel and the physical interfaces belonging to the EtherChannel.

show interfaces status | include connected
    Shows the interface and protocol status for the connected interfaces only.

show ip interface brief | include Vlan
    Shows the Layer 3 VLAN interface information.

show logging
    Shows the system logging.

show module
    Shows the module information in standalone mode.

show module switch 1|2
    Shows the module information in VSS mode for an individual switch.
    VSS can encompass only two Cisco Catalyst 6500 Series Switches.

show platform hardware pfc mode
    Shows the operational mode of the PFC engine.

show power
    Shows the operational mode for power supplies, and the available and remaining power.

show running-config interface-type interface-number
    Shows the configuration for an individual interface.

show switch virtual
    Displays the virtual switch domain number, and the switch number and role for each of the chassis.

show switch virtual dual-active bfd
    Displays information about the dual-active detection configuration and status.

show switch virtual link
    Displays the status of the VSL.

show switch virtual redundancy
    Shows the virtual switch redundancy operational mode.

show switch virtual role
    Displays the role, switch number, and priority for each of the chassis in the virtual switching system.

show version
    Shows the running version of the Cisco IOS operating system.

show vlan
    Shows Layer 2 VLAN information.

switch 1|2
    Configures a chassis as virtual switch number 1 or 2.

switch accept mode virtual
    Copies the VSL link configuration from the standby chassis to the active chassis. Prior to performing the action, the VSS displays the configurations that will be copied, and prompts you to proceed or not. Note that the standby chassis must be in hot standby mode for this command to execute successfully.

switch convert mode stand-alone
    Converts a chassis from VSS mode to standalone mode.

switch convert mode virtual
    Converts a chassis to virtual switch mode. After you enter the command, you are prompted to confirm the action. Enter yes. The system creates a converted configuration file, and saves the file to the RP bootflash.

switch virtual domain vsd-number
    Configures the virtual switch domain on a chassis.

switch virtual link 1|2
    Associates switch 1 or 2 as owner of the port channel used for the VSL.

switchport mode trunk
    Manually sets the interface mode to trunk.
switchport nonegotiate
    Disables the trunking negotiation on an interface.

switchport trunk encapsulation dot1q
    Sets the trunk encapsulation to 802.1Q.

Task 1: Removing Previous Configurations
Ensure that no previous configuration exists on the switches in your pod and apply the initial configurations to the devices. The initial configuration includes settings for the Layer 2 interfaces used (trunking, access VLAN set, etc.), VLAN configuration, Layer 3 VLAN configuration, correct power scheme, etc. The initial configurations are available on the individual device file system as specified in the following steps.

Activity Procedure
Complete these steps on each switch in your pod:

Step 1 Connect to the 6500-1 switch via console and apply the following:
■ Replace the current running configuration with the configuration from file disk0:dcni1_lab11_6500-1 using the configure replace disk0:dcni1_lab11_6500-1 command. When asked to proceed, press Y. You should see output similar to the following printout.

    6500-1#configure replace disk0:dcni1_lab11_6500-1
    This will apply all necessary additions and deletions
    to replace the current running configuration with the
    contents of the specified configuration file, which is
    assumed to be a complete configuration, not a partial
    configuration. Enter Y if you are sure you want to proceed. ? [no]: y
    01:13:28: Rollback:Acquired Configuration lock.
    Total number of passes: 0
    Rollback Done

■ Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.

    6500-1#show version
    Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 17-Jan-08 01:55 by prod_rel_team

■ If the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.

Step 2 Connect to the 6500-2 switch via console and apply the following:
■ Replace the current running configuration with the configuration from file disk0:dcni1_lab11_6500-2 using the configure replace disk0:dcni1_lab11_6500-2 command. When asked to proceed, press Y. You should see output similar to the output in the previous step.
■ Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
■ If the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.

Step 3 Connect to the 4900-1 switch via console and apply the following:
■ Replace the current running configuration with the configuration from file bootflash:dcni1_lab11_4900-1 using the configure replace bootflash:dcni1_lab11_4900-1 command. When asked to proceed, press Y. You should see output similar to the output in Step 1.

Step 4 Connect to the 4900-2 switch via console and apply the following:
■ Replace the current running configuration with the configuration from file bootflash:dcni1_lab11_4900-2 using the configure replace bootflash:dcni1_lab11_4900-2 command. When asked to proceed, press Y. You should see output similar to the output in Step 1.

Activity Verification
You have completed this task when you attain these results:

Step 1 Verify that the modules in slots 1 (ACE), 4 (NAM), and 6 (IDSM) on switches 6500-1 and 6500-2 are disabled (the power has been administratively denied for these modules). The output of the show module command should be similar to the following printout.

Note: Modules in slots 1 (ACE), 4 (NAM), and 6 (IDSM) are not used in this lab exercise and are powered down in order to make the VSS conversion process faster.
The module in slot 2 (FWSM) is left powered up in order to demonstrate that VSS-unsupported service modules are powered down by the conversion process.

    6500-1#show module
    Mod Ports Card Type                              Model              Serial No.
    --- ----- -------------------------------------- ------------------ -----------
      1    1  Application Control Engine Module      ACE10-6500-K9      SAD103206VA
      2    6  Firewall Module                        WS-SVC-FWM-1       SAD1033097B
      3   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL103931H7
      4    8  Network Analysis Module                WS-SVC-NAM-2       SAD104602RL
      5    5  Supervisor Engine 720 10GE (Active)    VS-S720-10G        SAD1151054P
      6    8  Intrusion Detection System             WS-SVC-IDSM-2      SAD104400K5

    Mod MAC addresses                       Hw    Fw           Sw            Status
    --- --------------------------------- ------ ------------ ------------ -------
      1 0019.0627.b6a3                           Unknown      Unknown      PwrDown
      2 0019.0628.3692 to 0019.0628.3699   4.0   7.2(1)       3.1(3)       Ok
      3 0019.55c4.7a50 to 0019.55c4.7a7f   2.5   12.2(14r)S5  12.2(33)SXH1 Ok
      4 0019.aaf4.6e5c to 0019.aaf4.6e63   4.2   7.2(1)       3.6(2)       PwrDown
      5 001e.daaa.d558 to 001e.daaa.d55f   2.0   8.5(2)       12.2(33)SXH1 Ok
      6 0019.5671.6a66 to 0019.5671.6a6d   6.2   Unknown      Unknown      PwrDown

    Mod Sub-Module                  Model              Serial       Hw   Status
    --- --------------------------- ------------------ ------------ ---- -------
      3 Centralized Forwarding Card WS-F6700-CFC       SAL10360A68  3.0  Ok
      5 Policy Feature Card 3       VS-F6K-PFC3C       SAD115103ND  1.0  Ok
      5 MSFC3 Daughterboard         VS-F6K-MSFC3       SAD115106GD  1.0  Ok

    Mod Online Diag Status
    --- -------------------
      1 Not Applicable
      2 Pass
      3 Pass
      4 Not Applicable
      5 Pass
      6 Not Applicable

Step 2 The power redundancy mode used on 6500-1 and 6500-2 should be combined. The output of the show power command should be similar to the following printout.

Note: The combined power redundancy scheme has to be used for the individual switch to be able to power the required modules. An individual power supply is not capable of powering the required modules; thus the redundant power scheme cannot be used.
    6500-1#show power
    system power redundancy mode = combined
    system power total =     1952.16 Watts (46.48 Amps @ 42V)
    system power used =      1272.18 Watts (30.28 Amps @ 42V)
    system power available =  679.98 Watts (16.19 Amps @ 42V)
                             Power-Capacity PS-Fan Output Oper
    PS   Type               Watts   A @42V Status Status State
    ---- ------------------ ------- ------ ------ ------ -----
    1    WS-CAC-3000W       1171.38  27.89 OK     OK     on
    2    WS-CAC-3000W       1171.38  27.89 OK     OK     on
                             Pwr-Allocated  Oper
    Fan  Type               Watts   A @42V State
    ---- ------------------ ------- ------ -----
    1    WS-C6506-E-FAN       98.70   2.35 OK
                             Pwr-Requested  Pwr-Allocated  Admin Oper
    Slot Card-Type          Watts   A @42V Watts   A @42V  State State
    ---- ------------------ ------- ------ ------- ------  ----- -----
    1    ACE10-6500-K9      (illegible)         -      -   off   off (admin request)
    2    WS-SVC-FWM-1       171.78   4.09  171.78   4.09   on    on
    3    WS-X6748-GE-TX     325.50   7.75  325.50   7.75   on    on
    4    WS-SVC-NAM-2       145.74   3.47       -      -   off   off (admin request)
    5    VS-S720-10G        338.10   8.05  338.10   8.05   on    on
    6    WS-SVC-IDSM-2      338.10   8.05       -      -   off   off (admin request)

Step 3 Verify the configuration of the 6500-1 switch.
■ The GigabitEthernet3/3, GigabitEthernet3/13, GigabitEthernet3/14, and TenGigabitEthernet5/4 Layer 2 interfaces should be enabled.
■ The GigabitEthernet3/13, GigabitEthernet3/14, and TenGigabitEthernet5/4 interfaces should be configured as trunk interfaces.

Note: If any other VLANs are configured on the switch, just ignore them.

■ GigabitEthernet3/3 is in access VLAN 13.

The output of the show interfaces status | include connected command should be similar to the following printout.

    6500-1#show interfaces status | include connected
    Gi3/3     PC1              connected    13         a-full   a-100 10/100/1000BaseT
    Gi3/13    4900-1 gi1/13    connected    trunk      a-full  a-1000 10/100/1000BaseT
    Gi3/14    4900-2 gi1/13    connected    trunk      a-full  a-1000 10/100/1000BaseT
    Te5/4     6500-2 te5/4     connected    trunk        full     10G 10Gbase-CX4

■ The VLAN database should include VLANs 11 (Server1), 13 (PC1), 21 (Server3), and 23 (PC6). The output of the show vlan command should be similar to the following printout.

    6500-1#show vlan
    VLAN Name          Status    Ports
    ---- ------------- --------- --------
    1    default       active    Gi3/46
    11   Server1       active
    13   PC1           active    Gi3/3
    21   Server3       active
    23   PC6           active
    1002 fddi-default  act/unsup

■ The following Layer 3 VLAN interfaces should be enabled:
    - VLAN11 with IP address 10.P.11.1/24
    - VLAN13 with IP address 10.P.13.1/24
    - VLAN21 with IP address 10.P.21.1/24
    - VLAN23 with IP address 10.P.23.1/24

The output of the show ip interface brief | include Vlan command should be similar to the following printout.

    6500-1#show ip interface brief | include Vlan
    Vlan1        unassigned  YES NVRAM   administratively down down
    Vlan11       10.4.11.1   YES NVRAM   up                    up
    Vlan13       10.4.13.1   YES NVRAM   up                    up
    Vlan21       10.4.21.1   YES manual  up                    up
    Vlan23       10.4.23.1   YES manual  up                    up

Note: The printout was taken from pod 4.

Step 4 On the 6500-1 switch, verify that you have connectivity to the following:
■ PC1 at 10.P.13.25 (where "P" is your pod number)
■ Server1 at 10.P.11.10 (where "P" is your pod number)
■ Server3 at 10.P.21.10 (where "P" is your pod number)

You should see results similar to the following printouts.

Note: The following printouts show the results of a ping conducted on pod 4.

    6500-1#ping 10.4.13.25
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
    6500-1#ping 10.4.11.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.4.11.10, timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
    6500-1#ping 10.4.21.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.4.21.10, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Task 2: Converting Standalone Chassis to VSS Mode
In this task you will convert the standalone Cisco Catalyst 6500 Series Switch chassis 6500-1 and 6500-2 to VSS mode.
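As an added overview of the configuration this task builds (an example added here, not the lab guide's own text and not its Answer Key), the following shows how the steps of Task 2 translate into Cisco IOS configuration on the two chassis, using only commands from the Command List above. The domain number 10, port channels 1 and 2, and TenGigabitEthernet5/4 are the values the steps specify; the prompts shown and the exact submode names are assumed, as is the 6500-2 hostname prompt.

```cisco
! 6500-1: Steps 1 through 4 of Task 2 (added example, commands taken from the Command List)
6500-1# copy running-config startup-config
6500-1# configure terminal
6500-1(config)# switch virtual domain 10
6500-1(config-vs-domain)# switch 1
6500-1(config-vs-domain)# exit
6500-1(config)# interface port-channel 1
6500-1(config-if)# switch virtual link 1
6500-1(config-if)# no shutdown
6500-1(config-if)# exit
6500-1(config)# interface TenGigabitEthernet5/4
6500-1(config-if)# no switchport
6500-1(config-if)# channel-group 1 mode on
6500-1(config-if)# no shutdown
6500-1(config-if)# end
6500-1# show platform hardware pfc mode

! 6500-2: Steps 5 through 7, same domain, second switch number, port channel 2
6500-2# copy running-config startup-config
6500-2# configure terminal
6500-2(config)# switch virtual domain 10
6500-2(config-vs-domain)# switch 2
6500-2(config-vs-domain)# exit
6500-2(config)# interface port-channel 2
6500-2(config-if)# switch virtual link 2
6500-2(config-if)# no shutdown
6500-2(config-if)# exit
6500-2(config)# interface TenGigabitEthernet5/4
6500-2(config-if)# no switchport
6500-2(config-if)# channel-group 2 mode on
6500-2(config-if)# no shutdown
6500-2(config-if)# end
6500-2# show platform hardware pfc mode

! Activity Verification, Step 2: only after both chassis report PFC3C, start the
! conversion on 6500-1 first and wait for it to reload before converting 6500-2.
6500-1# switch convert mode virtual
6500-2# switch convert mode virtual
```

The `show platform hardware pfc mode` check is placed before the conversion on purpose: the verification step below requires both chassis to report the same PFC3 operating mode (PFC3C), and the conversion reloads the chassis, so a mismatch is far cheaper to catch while both are still standalone.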
The conversion process includes two major steps:
■ Applying the Virtual Switch Domain ID and Virtual Switch ID, configuring the Virtual Switch Link (VSL), and verifying the PFC3 operational mode
■ Starting the conversion process

Activity Procedure
Complete these steps:

Step 1 Save the running configurations of the Cisco Catalyst 6500 Series Switches 6500-1 and 6500-2 to NVRAM.

Step 2 From the configuration mode, assign the 6500-1 switch to a Virtual Switch Domain (VSD). Use number 10 for the domain number. Set the switch to be the first switch in the newly created VSD.

Step 3 Create a port channel interface 1 on 6500-1 and set the switch core number to the switch VSD number 1. Leave the port channel settings at their default values (the port channel protocol and mode of operation).

Step 4 Manually add the interface TenGigabitEthernet5/4 on 6500-1 to port channel group 1, set the interface mode to Layer 3 (no switchport), and enable the PortChannel 1 interface.

Step 5 From the configuration mode, assign the 6500-2 switch to a VSD. Use the same domain number as for 6500-1. Set the switch to be the second switch in the newly created VSD.

Step 6 Create a port channel interface 2 on 6500-2 and set the switch core number to the switch VSD number 2. Leave the port channel settings at their default values (the port channel protocol and mode of operation).

Step 7 Manually add the interface TenGigabitEthernet5/4 on 6500-2 to port channel group 2, set the interface mode to Layer 3 (no switchport), and enable the PortChannel 2 interface.

Activity Verification
You have completed this task when you attain these results:

Step 1 The PFC3 operational mode on the switches that will be converted to VSS mode must be the same. Verify that the PFC3 operational mode on 6500-1 and 6500-2 is PFC3C. The outputs should be similar to the following printouts.
    6500-1#show platform hardware pfc mode
    PFC operating mode : PFC3C
    6500-2#show platform hardware pfc mode
    PFC operating mode : PFC3C

Step 2 Start the VSS mode conversion process on 6500-1 first to ensure the active role in the VSS.

Note: When asked to confirm the filename for the saved running configuration upon conversion, just press the Enter key.

Step 3 Observe the output, which should be similar to the following printout:
■ The VSS configuration is detected.
■ TenGigabitEthernet5/4 is detected to be in the port channel that is dedicated for the VSL.
■ Modules that are currently unsupported by the VSS functionality (namely, in your case, the FWSM) are powered down during the conversion process.
■ Since 6500-1 boots before 6500-2 is converted, the VSL link is brought down and the supervisor on 6500-2 is the active supervisor in the VSS domain.

Note: When converting the switch to VSS mode, proceed with the 6500-1 switch and wait for the switch to reload and finish the conversion process. Then, proceed with the conversion process on the 6500-2 switch. If you start the conversions at the same time, the switch that finishes the boot process first will become the active switch.

    6500-1#switch convert mode virtual
    This command will convert all interface names
    to naming convention "interface-type switch-number/slot/port",
    save the running config to startup-config and
    reload the switch.
    Do you want to proceed? [yes/no]: y
    Converting interface names
    Building configuration...
    [OK]
    Saving converted configuration to bootflash: ...
    Destination filename [startup-config.converted_vs-20080505-052053]?
    5906 bytes copied in 0.436 secs (13546 bytes/sec)
    3d02h: %SYS-SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
    3d02h: %OIR-SP-6-CONSOLE: Changing console ownership to switch processor
    3d02h: %SYS-SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
    3d02h: %SPAN-SP-6-SPAN_EGRESS_REPLICATION_MODE_CHANGE: Span Egress HW Replication Mode Change Detected. Current replication mode for user session 1 is Distributed
    3d02h: %SPAN-SP-6-SPAN_EGRESS_REPLICATION_MODE_CHANGE: Span Egress HW Replication Mode Change Detected. Current replication mode for unused asic session 1 is Distributed
    3d02h: SP: The PC in slot 2 is shutting down. Please wait ...
    3d02h: %SYS-SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
    --- SHUTDOWN NOW ---
    3d02h: %SYS-SP-5-RELOAD: Reload requested
    3d02h: %OIR-SP-6-CONSOLE: Changing console ownership to switch processor
    3d02h: %SYS-SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.

    System Bootstrap, Version 8.5(2)
    Copyright (c) 1994-2007 by cisco Systems, Inc.
    Cat6k-Sup720/SP processor with 1048576 Kbytes of main memory
    Autoboot executing command: "boot bootdisk:/s72033-ipservicesk9_wan-mz.122-33.SXH1.bin"
    Loading image, please wait ...
    Initializing ATA monitor library...
    Self extracting the image... [OK]
    Self decompressing the image : ################################################ [OK]

    Restricted Rights Legend

    Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.

    cisco Systems, Inc.
    170 West Tasman Drive
    San Jose, California 95134-1706

    Cisco IOS Software, s72033_sp Software (s72033_sp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 17-Jan-08 02:10 by prod_rel_team
    Image text-base: 0x40101328, data-base: 0x41C29670

    System detected Virtual Switch configuration...
    Interface TenGigabitEthernet 1/5/4 is member of PortChannel 1
    00:00:06: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
    Firmware compiled 19-Dec-07 10:56 by integ Build [100]
    Earl Card Index= 259
    00:00:06: %PFREDUN-6-ACTIVE: Initializing as ACTIVE processor for this switch
    Initializing as Virtual Switch ACTIVE processor
    00:01:44: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
    00:00:07: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
    00:00:12: %VSL_BRINGUP-6-MODULE_UP: VSL module in slot 5 switch 1 brought up
    00:01:44: %VSLP-5-RRP_PEER_TIMEOUT: VSLP peer timer expired without detecting peer. Resolving role as Active
    00:01:44: %VSLP-2-VSL_DOWN: VSL links down and not ready for any traffic
    00:01:44: %OIR-6-CONSOLE: Changing console ownership to route processor

    System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 2006 by cisco Systems, Inc.
    Cat6k-Sup720/RP platform with 1048576 Kbytes of main memory

    Download Start
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Download Completed! Booting the image.
    Self decompressing the image : ################################################ [OK]

    Restricted Rights Legend

    Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.

    cisco Systems, Inc.
    170 West Tasman Drive
    San Jose, California 95134-1706

    Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 17-Jan-08 01:55 by prod_rel_team
    Image text-base: 0x40101328, data-base: 0x42E74130

    This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to [email protected].

    cisco WS-C6506-E (R7000) processor (revision 1.1) with 983008K/65536K bytes of memory.
Processor board ID SAL1023R121
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from s/w reset
1 Virtual Ethernet interface
73 Gigabit Ethernet interfaces
3 Ten Gigabit Ethernet interfaces
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.
65536K bytes of Flash internal SIMM (Sector size 512K).

Press RETURN to get started!

00:03:05: curr is 0x0
00:03:05: RP: Currently running ROMMON from S (Gold) region
00:03:12: %SYS-5-CONFIG_I: Configured from memory by console
00:03:16: %SYS-5-RESTART: System restarted -- Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 01:55 by prod_rel_team
Firmware compiled 19-Dec-07 10:56 by integ Build [100]
Earl Card Index= 259
00:00:06: %PFREDUN-6-ACTIVE: Initializing as ACTIVE processor for this switch
00:00:07: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
00:00:12: %VSL_BRINGUP-6-MODULE_UP: VSL module in slot 5 switch 1 brought up
00:01:44: %VSLP-5-RRP_PEER_TIMEOUT: VSLP peer timer expired without detecting peer. Resolving role as Active
00:01:44: %VSLP-2-VSL_DOWN: VSL links down and not ready for any traffic
00:01:44: %OIR-6-CONSOLE: Changing console ownership to route processor
00:03:17: c6k_pwr_is_fantray_ok returns ok for fan_index 1
00:03:17: c6k_pwr_is_fantray_ok returns ok for fan_index 3
00:01:45: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
SW1_SP: SP: Currently running ROMMON from S (Gold) region
%OIR-SW1_SP-6-INSPS: Power supply inserted in slot 1
%C6KPWR-SW1_SP-4-PSOK: power supply 1 turned on.
%OIR-SW1_SP-6-INSPS: Power supply inserted in slot 2
%C6KPWR-SW1_SP-4-PSOK: power supply 2 turned on.
%SYS-SW1_SP-5-RESTART: System restarted -- Cisco IOS Software, s72033_sp Software (s72033_sp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 02:10 by prod_rel_team
00:03:16: %SYS-SW1_SP-6-BOOTTIME: Time taken to reboot after reload = 262 seconds
00:03:17: %C6KPWR-SW1_SP-4-DISABLED: power to module in slot 6 set off (admin request)
00:03:18: %FABRIC-SW1_SP-5-CLEAR_BLOCK: Clear block option is off for the fabric in slot 5.
00:03:18: %FABRIC-SW1_SP-5-FABRIC_MODULE_ACTIVE: The Switch Fabric Module in slot 5 became active
00:03:19: %C6KPWR-SW1_SP-4-DISABLED: power to module in slot 1 set off (admin request)
00:03:19: %C6KPWR-SW1_SP-4-UNSUPPORTED: unsupported module in slot 2, power not allowed: Unsupported module in Virtual Switch system.
00:03:19: SW1_SP: Remote Switch 1 Physical Slot 5 - Module Type LINE_CARD inserted
00:03:20: SW1_SP: Remote Switch 1 Physical Slot 6 - Module Type LINE_CARD inserted
00:03:20: %C6KPWR-SW1_SP-4-DISABLED: power to module in slot 4 set off (admin request)
00:03:20: %DIAG-SW1_SP-6-RUN_MINIMUM: Switch 1 Module 5: Running Minimal Diagnostics...
00:03:21: SW1_SP: Remote Switch 1 Physical Slot 1 - Module Type LINE_CARD inserted
00:03:21: SW1_SP: Remote Switch 1 Physical Slot 2 - Module Type LINE_CARD inserted
00:03:21: SW1_SP: Remote Switch 1 Physical Slot 4 - Module Type LINE_CARD inserted
00:03:21: SW1_SP: Remote Switch 1 Physical Slot 3 - Module Type LINE_CARD inserted
%DIAG-SW1_SP-6-DIAG_OK: Switch 1 Module 5: Passed Online Diagnostics
%OIR-SW1_SP-6-INSCARD: Card inserted in slot 5, interfaces are now online
00:03:45: SW1_SP: Card inserted in Switch_number = 1, physical slot 5, interfaces are now online
00:00:02: DaughterBoard (Centralized Forwarding Card)
Firmware compiled 19-Dec-07 10:56 by integ Build [100]
00:00:05: %SYS-CFC3-5-RESTART: System restarted -- Cisco
IOS Software, c6lc2 Software (c6lc2-SP-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 01:55 by prod_rel_team
May  5 05:27:01.499: CFC3: Currently running ROMMON from S (Gold) region
%DIAG-SW1_SP-6-RUN_MINIMUM: Switch 1 Module 3: Running Minimal Diagnostics...
%DIAG-SW1_SP-6-DIAG_OK: Switch 1 Module 3: Passed Online Diagnostics
%OIR-SW1_SP-6-INSCARD: Card inserted in slot 3, interfaces are now online
SW1_SP: Card inserted in Switch_number = 1, physical slot 3, interfaces are now online

Step 4   Start the VSS mode conversion process on 6500-2 and observe the output, which should be similar to the following printout.

Note     If asked to confirm the filename for the saved running configuration, just press the Enter key.

Step 5   Observe the outputs on 6500-2 and 6500-1, which should be similar to the following printouts:
- The VSS configuration is detected.
- TenGigabitEthernet5/4 is detected to be in a port channel that is dedicated to the VSL.
- Modules that are currently unsupported by the VSS functionality (in your case the FWSM) are powered down during the conversion process.
- Because 6500-1 had already booted and resolved its role as active before 6500-2 was converted, 6500-2 becomes the VSS standby chassis. Now that both chassis are part of the VSS, the VSL is brought up.
- Console access to 6500-2 is disabled because of its standby VSS role. The hostname of 6500-2 changes to 6500-1-sdby.
- The power supply operational mode was changed to redundant during the conversion process. In the output on 6500-1 you should see that module 4 in switch 2 (the NAM) had to be powered off due to insufficient power.
- Note that in the output on 6500-1 the final step of the conversion process is also indicated: the command switch accept mode virtual, which merges the configuration from 6500-2 into the VSS.

6500-2#switch convert mode virtual

This command will convert all interface names to naming convention "interface-type switch-number/slot/port", save the running config to startup-config and reload the switch.
Do you want to proceed? [yes/no]: y
Converting interface names
Building configuration...
[OK]
Saving converted configuration to bootflash:
Destination filename [startup-config.converted_vs-20080505-063025]?
5590 bytes copied in 0.436 secs (12821 bytes/sec)
3d03h: %SYS-SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
3d03h: %OIR-SP-6-CONSOLE: Changing console ownership to switch processor
3d03h: %SYS-SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
3d03h: %SPAN-SP-6-SPAN_EGRESS_REPLICATION_MODE_CHANGE: Span Egress HW Replication Mode Change Detected. Current replication mode for user session 1 is Distributed
3d03h: %SPAN-SP-6-SPAN_EGRESS_REPLICATION_MODE_CHANGE: Span Egress HW Replication Mode Change Detected. Current replication mode for unused asic session 1 is Distributed
3d03h: SP: The PC in slot 2 is shutting down. Please wait ...
3d03h: %SYS-SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.

--- SHUTDOWN NOW ---

3d03h: %SYS-SP-5-RELOAD: Reload requested
3d03h: %OIR-SP-6-CONSOLE: Changing console ownership to switch processor
3d03h: %SYS-SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.

System Bootstrap, Version 8.5(2)
Copyright (c) 1994-2007 by cisco Systems, Inc.
Cat6k-Sup720/SP processor with 1048576 Kbytes of main memory

Autoboot executing command: "boot bootdisk:s72033-ipservicesk9_wan-mz.122-33.SXH1.bin"
Loading image, please wait ...
Initializing ATA monitor library...
Self extracting the image... [OK]
Self decompressing the image : [decompression progress indicator omitted] [OK]

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706

Cisco IOS Software, s72033_sp Software (s72033_sp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 02:10 by prod_rel_team
Image text-base: 0x40101328, data-base: 0x41C27360

System detected Virtual Switch configuration...
Interface TenGigabitEthernet 2/5/4 is member of PortChannel 2

00:00:06: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.

Firmware compiled 19-Dec-07 10:56 by integ Build [100]
Earl Card Index= 259
00:00:06: %PFREDUN-6-ACTIVE: Initializing as ACTIVE processor for this switch
Initializing as Virtual Switch STANDBY processor
00:00:45: %SYS-SW2_SPSTBY-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
00:00:07: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
00:00:12: %VSL_BRINGUP-6-MODULE_UP: VSL module in slot 5 switch 2 brought up
00:00:40: %VSLP-5-VSL_UP: Ready for Role Resolution with Switch=1, MAC=0017.dfd0.2400 over 5/4
00:00:43: %VSLP-5-RRP_ROLE_RESOLVED: Role resolved as STANDBY by VSLP
00:00:43: %VSL-5-VSL_CNTRL_LINK: New VSL Control Link 5/4
00:00:43: %VSLP-5-VSL_UP: Ready for control traffic
00:00:45: %OIR-SW2_SPSTBY-6-CONSOLE: Changing console ownership to route processor

System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
Cat6k-Sup720/RP platform with 1048576 Kbytes of main memory

Download start
[download progress indicator omitted]
Download Completed! Booting the image.
Self decompressing the image : [decompression progress indicator omitted] [OK]

... Restricted Rights Legend omitted (identical to the one above) ...

Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 01:55 by prod_rel_team
Image text-base: 0x40101328, data-base: 0x42E70CF0

... cryptographic export notice omitted (identical to the one printed on 6500-1) ...

If you require further assistance please contact us by sending email to export@cisco.com.

cisco WS-C6506-E (R7000) processor (revision 1.1) with 983008K/65536K bytes of memory.
Processor board ID SAL1023R110
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from s/w reset
1 Virtual Ethernet interface
146 Gigabit Ethernet interfaces
6 Ten Gigabit Ethernet interfaces
1917K bytes of non-volatile configuration memory.
8192K bytes of packet buffer memory.
65536K bytes of Flash internal SIMM (Sector size 512K).

% This interface cannot be modified
switchport
% Invalid input detected at '^' marker.
shutdown
% Incomplete command.
no cdp enable
% Invalid input detected at '^' marker.
slot 1 slot-type 207 port-type 106 number 1 virtual-slot 17
% Invalid input detected at '^' marker.
slot 1 slot-type 207 port-type 106 number 1 virtual-slot 33
% Invalid input detected at '^' marker.

Press RETURN to get started!
00:02:02: curr is 0x0
00:02:02: RP: Currently running ROMMON from S (Gold) region
00:02:47: c6k_pwr_is_fantray_ok returns ok for fan_index 5
00:02:52: %SYS-5-RESTART: System restarted -- Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 01:55 by prod_rel_team

6500-1-sdby>
Standby console disabled

Note     The rest of the output (regarding the modules, VSL link initialization, and so on) is shown on 6500-1, which is the VSS active chassis. You can see the output by looking at its console or by issuing the show logging command.

01:10:08: %VSLP-SW1_SP-5-VSL_UP: Ready for Role Resolution with Switch=2, MAC=0017.dfd0.3800 over Te1/5/4
%VSLP-SW1_SP-5-RRP_ROLE_RESOLVED: Role resolved as ACTIVE by VSLP
01:10:12: %VSL-SW1_SP-5-VSL_CNTRL_LINK: New VSL Control Link Te1/5/4
01:10:12: %VSLP-SW1_SP-5-VSL_UP: Ready for control traffic
01:11:15: %VS_MERGE-6-STDBYCFG_MERGE: Use exec command 'switch accept mode virtual' to merge standby VSL configuration
01:11:15: %PFREDUN-SW1_SP-6-ACTIVE: Standby initializing for SSO mode
01:11:18: %PFINIT-SW1_SP-5-CONFIG_SYNC: Sync'ing the startup configuration to the standby Router.
01:11:47: SW1_SP: Remote Switch 2 Physical Slot 5 - Module Type LINE_CARD inserted
01:12:05: SW1_SP: Card inserted in Switch_number = 2, physical slot 5, interfaces are now online
Firmware compiled 19-Dec-07 10:56 by integ Build [100]
Earl Card Index= 259
00:00:06: %PFREDUN-6-ACTIVE: Initializing as ACTIVE processor for this switch
00:00:07: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
00:00:12: %VSL_BRINGUP-6-MODULE_UP: VSL module in slot 5 switch 2 brought up
00:00:40: %VSLP-5-VSL_UP: Ready for Role Resolution with Switch=1, MAC=0017.dfd0.2400 over 5/4
00:00:43: %VSLP-5-RRP_ROLE_RESOLVED: Role resolved as STANDBY by VSLP
00:00:43: %VSL-5-VSL_CNTRL_LINK: New VSL Control Link 5/4
00:00:43: %VSLP-5-VSL_UP: Ready for control traffic
00:00:45: %OIR-SW2_SPSTBY-6-CONSOLE: Changing console ownership to route processor
00:00:46: %SYS-SW2_SPSTBY-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
00:01:47: SW2_SPSTBY: Bring up standby supervisor as a DFC
00:01:47: %PFREDUN-SW2_SPSTBY-6-STANDBY: Initializing for SSO mode
00:02:11: SW2_SPSTBY: SP: Currently running ROMMON from S (Gold) region
00:02:16: %C6KPWR-SW2_SPSTBY-4-PSOK: power supply 1 turned on.
00:02:16: %C6KPWR-SW2_SPSTBY-4-PSOK: power supply 2 turned on.
00:02:18: %FABRIC-SW2_SPSTBY-5-CLEAR_BLOCK: Clear block option is off for the fabric in slot 5.
00:02:18: %FABRIC-SW2_SPSTBY-5-FABRIC_MODULE_ACTIVE: The Switch Fabric Module in slot 5 became active
00:02:19: %DIAG-SW2_SPSTBY-6-RUN_MINIMUM: Switch 2 Module 5: Running Minimal Diagnostics...
00:02:20: %CONST_DIAG-SW2_SPSTBY-6-DIAG_PORT_SKIPPED: Module 5 port 4 is skipped in TestLoopback due to: the port is used as a VSL link.
00:02:24: %CONST_DIAG-SW2_SPSTBY-6-DIAG_PORT_SKIPPED: Module 5 port 4 is skipped in TestChannel due to: the port is used as a VSL link.
00:02:34: %DIAG-SW2_SPSTBY-6-DIAG_OK: Switch 2 Module 5: Passed Online Diagnostics
00:02:37: %C6KPWR-SW2_SPSTBY-4-PSREDUNDANTMODE: power supplies set to redundant mode.
00:02:37: %C6KPWR-SW2_SPSTBY-4-PSREDUNDANTBOTHSUPPLY: in power-redundancy mode, system is operating on both power supplies.
00:02:52: %SYS-SW2_SPSTBY-5-RESTART: System restarted -- Cisco IOS Software, s72033_sp Software (s72033_sp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 02:10 by prod_rel_team
00:02:52: %PFREDUN-SW2_SPSTBY-6-STANDBY: Ready for SSO mode
01:12:22: SW1_SP: Remote Switch 2 Physical Slot 1 - Module Type LINE_CARD inserted
01:12:23: SW1_SP: Remote Switch 2 Physical Slot 2 - Module Type LINE_CARD inserted
00:02:53: %C6KPWR-SW2_SPSTBY-4-UNSUPPORTED: unsupported module in slot 2, power not allowed: Unsupported module in Virtual Switch system.
00:02:53: %C6KPWR-SW2_SPSTBY-4-UNSUPPORTED: unsupported module in slot 2, power not allowed: Unsupported module in Virtual Switch system.
00:02:55: %C6KPWR-SW2_SPSTBY-4-POWERDENIED: insufficient power, module in slot 4 power denied.
00:02:56: %C6KPWR-SW2_SPSTBY-4-UNSUPPORTED: unsupported module in slot 6, power not allowed: Unsupported module in Virtual Switch system.
00:02:56: %SYS-SW2_SPSTBY-6-BOOTTIME: Time taken to reboot after reload = 235 seconds
01:12:24: SW1_SP: Remote Switch 2 Physical Slot 4 - Module Type LINE_CARD inserted
01:12:24: SW1_SP: Remote Switch 2 Physical Slot 3 - Module Type LINE_CARD inserted
01:12:24: SW1_SP: Remote Switch 2 Physical Slot 6 - Module Type LINE_CARD inserted
00:02:57: %SYS-SW2_SPSTBY-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
00:03:15: %C6KPWR-SW2_SPSTBY-4-COULDNOTREPOWER: wanted to re-power FRU (slot 4) but could not.
00:00:02: DaughterBoard (Centralized Forwarding Card)
Firmware compiled 19-Dec-07 10:56 by integ Build [100]
00:00:05: %SYS-CFC3-5-RESTART: System restarted -- Cisco IOS Software, c6lc2 Software (c6lc2-SP-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 01:55 by prod_rel_team
May  5 06:36:03.264: CFC3: Currently running ROMMON from S (Gold) region
%DIAG-SW2_SPSTBY-6-RUN_MINIMUM: Switch 2 Module 3: Running Minimal Diagnostics...
%DIAG-SW2_SPSTBY-6-DIAG_OK: Switch 2 Module 3: Passed Online Diagnostics
01:13:33: SW1_SP: Card inserted in Switch_number = 2, physical slot 3, interfaces are now online

Step 6   Accept the standby virtual switch VSL-related configuration: the command merges the port channel and VSS configuration. This is a one-time task and is necessary only for a first-time conversion. Note that in your case the information regarding the power supply operational mode was also merged.

6500-1#switch accept mode virtual

power redundancy-mode combined switch 2
no power enable switch 2 module 1
no power enable switch 2 module 4
no power enable switch 2 module 6
interface Port-channel2
 switch virtual link 2
 no shutdown
interface TenGigabitEthernet2/5/4
 channel-group 2 mode on
 no shutdown

This command will populate the above VSL configuration from the standby switch into the running configuration.
The startup configuration will also be updated with the new merged configuration if merging is successful.
Do you want to proceed? [yes/no]: y
Merging the standby VSL configuration
% module is already disabled and not yet enabled
%Power admin state updated
%Power admin state updated
% module is already disabled and not yet enabled
%Power admin state updated
00:18:10: %C6KPWR-SW2_SPSTBY-4-PSCOMBINEDMODE: power supplies set to combined mode.
00:18:10: SW2_SPSTBY: The PC in slot 4 is shutting down. Please wait ...
00:18:10: %SCHED-SW2_SPSTBY-7-WATCH: Attempt to monitor uninitialized watched bitfield (address 0). -Process= "Shutdown", ipl= 0, pid= 414 -Traceback= 4079B26C 4102F270 407523AC 40752398
Building configuration...
01:27:46: %VSLP-SW1_SP-5-VSL_UP: Ready for data traffic
01:27:53: %PFINIT-SW1_SP-5-CONFIG_SYNC: Sync'ing the startup configuration to the standby Router.
[OK]

Step 7   Examine the configuration of the TenGigabitEthernet1/5/4, TenGigabitEthernet2/5/4, Port-channel1, and Port-channel2 interfaces. The result of the configuration merge is a valid configuration for all four interfaces.

6500-1#show running-config interface TenGigabitEthernet1/5/4
Building configuration...

Current configuration : 115 bytes
!
interface TenGigabitEthernet1/5/4
 no switchport
 no ip address
 mls qos trust cos
 channel-group 1 mode on
end

6500-1#show running-config interface TenGigabitEthernet2/5/4
Building configuration...

Current configuration : 115 bytes
!
interface TenGigabitEthernet2/5/4
 no switchport
 no ip address
 mls qos trust cos
 channel-group 2 mode on
end

6500-1#show running-config interface Port-channel1
Building configuration...

Current configuration : 135 bytes
!
interface Port-channel1
 no switchport
 no ip address
 switch virtual link 1
 mls qos trust cos
 no mls qos channel-consistency
end

6500-1#show running-config interface Port-channel2
Building configuration...

Current configuration : 135 bytes
!
interface Port-channel2
 no switchport
 no ip address
 switch virtual link 2
 mls qos trust cos
 no mls qos channel-consistency
end

Step 8   Examine the newly created VSS with the show switch virtual command on 6500-1. The local switch (6500-1) is the active one, with switch number 1, and the peer switch (6500-2) is the standby, with switch number 2. The output should be similar to the following printout.
6500-1#show switch virtual
Switch mode                  : Virtual Switch
Virtual switch domain number : 10
Local switch number          : 1
Local switch operational role: Virtual Switch Active
Peer switch number           : 2
Peer switch operational role : Virtual Switch Standby

Step 9   Next, examine the status of the Virtual Switch Link (VSL) on 6500-1 with the show switch virtual link command. You should see that the VSL is operational and that its control link is interface TenGigabitEthernet1/5/4 (which is also the only link between the two chassis). The output should be similar to the following printout.

6500-1#show switch virtual link
VSL Status       : UP
VSL Uptime       : 30 minutes
VSL SCP Ping     : Pass
VSL ICC Ping     : Pass
VSL Control Link : Te1/5/4

Step 10  Verify the VSS operational parameters of the participating chassis with the show switch virtual role command. The status of both chassis should be UP, neither chassis should have preempt enabled, and the priority should be the default value of 100. Note also that no dual-active detection mechanism is deployed yet. The output should be similar to the following printout.

6500-1#show switch virtual role
Switch  Switch  Status  Preempt     Priority    Role     Session ID
        Number          Oper(Conf)  Oper(Conf)           Local  Remote
------------------------------------------------------------------------
LOCAL   1       UP      FALSE(N)    100(100)    ACTIVE   0      0
REMOTE  2       UP      FALSE(N)    100(100)    STANDBY  2163   6871

In dual-active recovery mode: No

Step 11  Verify that the operational redundancy mode of the VSS domain is SSO. The chassis would fall back to RPR mode if the Cisco IOS versions on the two members of the VSS differed. Notice that on the active chassis both the control and the data plane are active, whereas on the standby chassis only the data plane is active and the control plane is in standby mode. The output should be similar to the following printout.
6500-1#show switch virtual redundancy
                  My Switch Id = 1
                Peer Switch Id = 2
        Last switchover reason = none
    Configured Redundancy Mode = sso
     Operating Redundancy Mode = sso

Switch 1 Slot 5 Processor Information :
-----------------------------------------------
        Current Software state = ACTIVE
       Uptime in current state = 30 minutes
                 Image Version = Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Sun 19-Aug-07 07:38 by prod_rel_team
                          BOOT =
                   CONFIG_FILE =
                       BOOTLDR =
        Configuration register = 0x2102
                  Fabric State = ACTIVE
           Control Plane State = ACTIVE

Switch 2 Slot 5 Processor Information :
-----------------------------------------------
        Current Software state = STANDBY HOT (switchover target)
       Uptime in current state = 17 minutes
                 Image Version = Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Sun 19-Aug-07 07:38 by prod_rel_team
                          BOOT =
                   CONFIG_FILE =
                       BOOTLDR =
        Configuration register = 0x2102
                  Fabric State = ACTIVE
           Control Plane State = STANDBY

Step 12  Examine the module status of the second chassis (6500-2). Notice that the modules currently unsupported by VSS are powered down (in your case only the FWSM is affected by this, because the other service modules were already administratively powered down).

6500-1#show module switch 2
Switch Number:     2   Role:   Virtual Switch Standby
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    1  Application Control Engine Module      ACE10-6500-K9      SAD102905XP
  2    6  Firewall Module                        WS-SVC-FWM-1       SAD10350279
  3   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL10403VVD
  4    8  Network Analysis Module                WS-SVC-NAM-2       SAD104602ME
  5    5  Supervisor Engine 720 10GE (Hot)       VS-S720-10G        SAD11510537
  6    8  Intrusion Detection System             WS-SVC-IDSM-2      SAD104400HB

Mod MAC addresses                       Fw            Sw            Status
--- ---------------------------------- ------------- ------------- --------
  1  000a.b871.19b6 to 000a.b871.19bd   Unknown       Unknown       PwrDown
  2  0018.ba41.4b86 to 0018.ba41.4b8d   Unknown       Unknown       PwrDown
  3  0019.2fc8.1110 to 0019.2fc8.113f   12.2(14r)S5   12.2(33)SXH1  Ok
  4  0019.aacc.91c6 to 0019.aacc.91cd   Unknown       Unknown       PwrDown
  5  001e.4aaa.d5d0 to 001e.4aaa.d5d7   8.5(2)        12.2(33)SXH1  Ok
  6  0019.5671.6a16 to 0019.5671.6a1d   Unknown       Unknown       PwrDown

... output omitted ...

Step 13  Verify that you have connectivity between PC1, Server1, and Server3 by pinging Server1 and Server3 from PC1. Note that upon conversion to VSS mode the configuration of interfaces GigabitEthernet3/13 and GigabitEthernet3/14 on 6500-2 was not copied to 6500-1, so the ping to Server3 fails.

C:\Documents and Settings\Administrator>ping 10.4.11.10

Pinging 10.4.11.10 with 32 bytes of data:

Reply from 10.4.11.10: bytes=32 time=3ms TTL=127
Reply from 10.4.11.10: bytes=32 time<1ms TTL=127
Reply from 10.4.11.10: bytes=32 time<1ms TTL=127
Reply from 10.4.11.10: bytes=32 time<1ms TTL=127

Ping statistics for 10.4.11.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 3ms, Average = 0ms

C:\Documents and Settings\Administrator>ping 10.4.21.10

Pinging 10.4.21.10 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.4.21.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Step 14  Configure interfaces GigabitEthernet2/3/13 and GigabitEthernet2/3/14 as follows:
- Set the operational mode to Layer 2 (switchport).
- Set the trunking encapsulation to 802.1Q.
- Enable trunking manually.
- Disable negotiation (DTP) on the interfaces.
- Enable the interfaces.

Step 15  Verify again that you have connectivity between PC1 and Server3 by issuing the ping command. This time the ping succeeds.

C:\Documents and Settings\Administrator>ping 10.4.21.10

Pinging 10.4.21.10 with 32 bytes of data:

Reply from 10.4.21.10: bytes=32 time<1ms TTL=127
Reply from 10.4.21.10: bytes=32 time<1ms TTL=127
Reply from 10.4.21.10: bytes=32 time<1ms TTL=127
Reply from 10.4.21.10: bytes=32 time<1ms TTL=127

Ping statistics for 10.4.21.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Task 3: Deploying Multichassis EtherChannel

In this task you will deploy, verify and test Multichassis EtherChannel (MEC) between the newly created VSS and the 4900-1 and 4900-2 switches.

Activity Procedure

Complete these steps:

Step 1   Create a port channel 10 interface on 4900-1 using the following information:
- Add interfaces GigabitEthernet1/13 and GigabitEthernet1/14 to the channel.
- Set the protocol to PAgP and the PAgP mode to desirable.
- Manually set the trunking mode to 802.1Q.
- Enable the interfaces.

Note     If you see port mismatch messages when creating the EtherChannel, the physical interfaces are in Layer 2 mode and the port channel interface is in Layer 3 mode. Use the switchport command on the port channel interface to set it to Layer 2 manually.

Step 2   Create a port channel 10 interface on the VSS using the following information:
- Add interfaces GigabitEthernet1/3/13 and GigabitEthernet2/3/13 to the channel.
- Set the protocol to PAgP and the PAgP mode to desirable.
- Manually set the trunking mode to 802.1Q.

Step 3   Create a port channel 20 interface on 4900-2 using the following information:
- Add interfaces GigabitEthernet1/13 and GigabitEthernet1/14 to the channel.
- Set the protocol to PAgP and the PAgP mode to desirable.
- Manually set the trunking mode to 802.1Q.
- Enable the interfaces.

Note     If you see port mismatch messages when creating the EtherChannel, the physical interfaces are in Layer 2 mode and the port channel interface is in Layer 3 mode. Use the switchport command on the port channel interface to set it to Layer 2 manually.

Step 4   Create a port channel 20 interface on the VSS using the following information:
- Add interfaces GigabitEthernet1/3/14 and GigabitEthernet2/3/14 to the channel.
- Set the protocol to PAgP and the PAgP mode to desirable.
- Manually set the trunking mode to 802.1Q.

Activity Verification

You have completed this task when you attain these results:

Step 1   Verify the Port-channel 10 operation on 4900-1. You should see that interfaces GigabitEthernet1/13 and GigabitEthernet1/14 are members of the Port-channel10 group.

4900-1#show etherchannel 10 summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
10     Po10(SU)        PAgP      Gi1/13(P)   Gi1/14(P)

Step 2   Verify the Port-channel 10 operation on 6500-1. You should see that interfaces GigabitEthernet1/3/13 and GigabitEthernet2/3/13 (one in each chassis) are members of the Port-channel10 group.

6500-1#show etherchannel 10 summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator

        M - not in use, no aggregation due to minimum links not met
        m - not in use, port not aggregated due to minimum links not met
        u - unsuitable for bundling
        d - default port

        w - waiting to be aggregated
Number of channel-groups in use: 6
Number of aggregators:           6

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
10     Po10(SU)        PAgP      Gi1/3/13(P)  Gi2/3/13(P)

Last applied Hash Distribution Algorithm: Fixed

Step 3   Verify the Port-channel 20 operation on 4900-2. You should see that interfaces GigabitEthernet1/13 and GigabitEthernet1/14 are members of the Port-channel20 group.

4900-2#show etherchannel 20 summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
20     Po20(SU)        PAgP      Gi1/13(P)   Gi1/14(P)

Step 4   Verify the Port-channel 20 operation on 6500-1. You should see that interfaces GigabitEthernet1/3/14 and GigabitEthernet2/3/14 (one in each chassis) are members of the Port-channel20 group.

6500-1#show etherchannel 20 summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator

        M - not in use, no aggregation due to minimum links not met
        m - not in use, port not aggregated due to minimum links not met
        u - unsuitable for bundling
        d - default port

        w - waiting to be aggregated
Number of channel-groups in use: 6
Number of aggregators:           6

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
20     Po20(SU)        PAgP      Gi1/3/14(P)  Gi2/3/14(P)

Last applied Hash Distribution Algorithm: Fixed

Step 5   Clear the counters on all interfaces of 6500-1 with the clear counters command.
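Step 14 above and Task 3 list what to configure but not the commands. The following is an added example, written for this edition and not the lab guide's own listing, of one way to enter that configuration in Cisco IOS. The interface names, port channel numbers, PAgP desirable mode and 802.1Q trunking are taken from the steps; the use of interface range, the order of operations (port channel interface first, then its members, which avoids the Layer 2/Layer 3 mismatch the note warns about) and the hostname prompts are choices made here. Step 14 asks for negotiation to be disabled: switchport nonegotiate turns off DTP, so whatever is plugged into the far end cannot renegotiate the trunk, which is the usual hardening for statically configured trunks.

```text
! --- Step 14, on the VSS (hostname 6500-1) ---
! The former 6500-2 ports Gi3/13 and Gi3/14 are now Gi2/3/13 and Gi2/3/14.
6500-1(config)# interface range GigabitEthernet2/3/13 - 14
6500-1(config-if-range)# switchport
6500-1(config-if-range)# switchport trunk encapsulation dot1q
6500-1(config-if-range)# switchport mode trunk
6500-1(config-if-range)# switchport nonegotiate
6500-1(config-if-range)# no shutdown
6500-1(config-if-range)# exit

! --- Task 3, Step 1: 4900-1 side of Port-channel 10 ---
! Create the port channel in Layer 2 mode first, then bundle the members.
4900-1(config)# interface Port-channel10
4900-1(config-if)# switchport
4900-1(config-if)# switchport trunk encapsulation dot1q
4900-1(config-if)# switchport mode trunk
4900-1(config-if)# exit
4900-1(config)# interface range GigabitEthernet1/13 - 14
4900-1(config-if-range)# switchport trunk encapsulation dot1q
4900-1(config-if-range)# switchport mode trunk
4900-1(config-if-range)# channel-protocol pagp
4900-1(config-if-range)# channel-group 10 mode desirable
4900-1(config-if-range)# no shutdown
4900-1(config-if-range)# exit

! --- Task 3, Step 2: VSS side of Port-channel 10 ---
! One member in each chassis (switch 1 and switch 2) makes this an MEC.
6500-1(config)# interface Port-channel10
6500-1(config-if)# switchport
6500-1(config-if)# switchport trunk encapsulation dot1q
6500-1(config-if)# switchport mode trunk
6500-1(config-if)# exit
6500-1(config)# interface range GigabitEthernet1/3/13 , GigabitEthernet2/3/13
6500-1(config-if-range)# switchport
6500-1(config-if-range)# switchport trunk encapsulation dot1q
6500-1(config-if-range)# switchport mode trunk
6500-1(config-if-range)# channel-protocol pagp
6500-1(config-if-range)# channel-group 10 mode desirable
6500-1(config-if-range)# no shutdown
6500-1(config-if-range)# exit

! --- Task 3, Step 3: 4900-2 side of Port-channel 20 ---
4900-2(config)# interface Port-channel20
4900-2(config-if)# switchport
4900-2(config-if)# switchport trunk encapsulation dot1q
4900-2(config-if)# switchport mode trunk
4900-2(config-if)# exit
4900-2(config)# interface range GigabitEthernet1/13 - 14
4900-2(config-if-range)# switchport trunk encapsulation dot1q
4900-2(config-if-range)# switchport mode trunk
4900-2(config-if-range)# channel-protocol pagp
4900-2(config-if-range)# channel-group 20 mode desirable
4900-2(config-if-range)# no shutdown
4900-2(config-if-range)# exit

! --- Task 3, Step 4: VSS side of Port-channel 20 ---
6500-1(config)# interface Port-channel20
6500-1(config-if)# switchport
6500-1(config-if)# switchport trunk encapsulation dot1q
6500-1(config-if)# switchport mode trunk
6500-1(config-if)# exit
6500-1(config)# interface range GigabitEthernet1/3/14 , GigabitEthernet2/3/14
6500-1(config-if-range)# switchport
6500-1(config-if-range)# switchport trunk encapsulation dot1q
6500-1(config-if-range)# switchport mode trunk
6500-1(config-if-range)# channel-protocol pagp
6500-1(config-if-range)# channel-group 20 mode desirable
6500-1(config-if-range)# no shutdown
6500-1(config-if-range)# end

! --- Check: the bundle should show (SU) and every member (P) ---
6500-1# show etherchannel 10 summary
6500-1# show etherchannel 20 summary
```

From the 4900s' point of view each bundle terminates on a single PAgP partner, even though its two members land in different chassis of the VSS; that is what lets Task 3 Steps 7 and 8 shut one member and lose only a few pings instead of a spanning-tree reconvergence. If a member shows (I) or (s) instead of (P), compare the trunk settings of the member and of the port channel interface: PAgP refuses to bundle ports whose Layer 2 attributes differ.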
Step 6  Verify that you have connectivity between PC1, Server1, and Server3. Issue a continuous ping from PC1 towards Server1 and Server3 using the ping destination -t command. Leave the pings running.

    ... output omitted ...
    Reply from 10.4.21.10: bytes=32 time<1ms TTL=127
    Reply from 10.4.21.10: bytes=32 time=2ms TTL=127
    Reply from 10.4.21.10: bytes=32 time<1ms TTL=127
    ... output omitted ...

    ... output omitted ...
    Reply from 10.4.11.10: bytes=32 time<1ms TTL=127
    Reply from 10.4.11.10: bytes=32 time<1ms TTL=127
    Reply from 10.4.11.10: bytes=32 time<1ms TTL=127
    ... output omitted ...

Step 7  Disable the GigabitEthernet1/14 interface on the 4900-1 switch.

    4900-1(config)#interface GigabitEthernet 1/14
    4900-1(config-if)#shutdown

Step 8  Verify that the continuous pings from PC1 to Server1 and Server3 that you enabled previously are still working and that there was only a short period of time without connectivity.

    ... output omitted ...
    Reply from 10.4.11.10: bytes=32 time<1ms TTL=127
    Reply from 10.4.11.10: bytes=32 time<1ms TTL=127
    Request timed out.
    Reply from 10.4.11.10: bytes=32 time<1ms TTL=127
    Reply from 10.4.11.10: bytes=32 time<1ms TTL=127
    ... output omitted ...

Step 9  Re-enable the GigabitEthernet1/14 interface on 4900-1.

    4900-1(config)#interface GigabitEthernet 1/13
    4900-1(config-if)#no shutdown

Deploying BFD Dual-Active Detection Mechanisms

In this task you will deploy the BFD dual-active detection mechanism and verify the operation.
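Two questions an operator should be able to answer about this task are how long the BFD pair takes to declare the other chassis unreachable with the timers used below, and how VSL-down and dual-active conditions show up in the logs so they can be alerted on. The Python script below is an added example (not code from the lab guide or from Cisco) that answers both: it computes the BFD detection time from interval, minimum receive interval and multiplier, and it parses IOS syslog lines and filters out the VSLP and DUAL_ACTIVE messages. The log lines it contains are constructed to resemble the console messages that appear during the chassis conversion in Task 5; they are not captured from a pod. The detection-time formula assumes both ends of the pair are configured with the same timers, as they are in Steps 1 and 2 below.

```python
import re
from dataclasses import dataclass


def bfd_detection_time_ms(interval_ms, min_rx_ms, multiplier):
    """Worst-case time, in milliseconds, for this end to declare the BFD peer down.

    BFD runs at the slower of the two ends' rates: the peer may not send faster than
    our minimum receive interval, and we cannot receive faster than its transmit
    interval. With identical timers on both ends (the symmetric case assumed here)
    the negotiated interval is max(interval, min_rx) and the peer is declared down
    after `multiplier` missed intervals.
    """
    return max(interval_ms, min_rx_ms) * multiplier


@dataclass
class SyslogEvent:
    timestamp: str
    facility: str
    source: str       # e.g. SW2_SPSTBY; empty for plain %SYS-5-... messages
    severity: int
    mnemonic: str
    text: str


# IOS console message: "hh:mm:ss: %FACILITY[-SOURCE]-SEVERITY-MNEMONIC: text"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}): %(?P<fac>[A-Z0-9_]+?)"
    r"(?:-(?P<src>[A-Z0-9_]+?))?-(?P<sev>[0-7])-(?P<mn>[A-Z0-9_]+): ?(?P<text>.*)$"
)


def parse_syslog(text):
    """Parse console or syslog lines; lines that are not IOS messages are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            events.append(SyslogEvent(m["ts"], m["fac"], m["src"] or "",
                                      int(m["sev"]), m["mn"], m["text"]))
    return events


def vss_alarms(text):
    """Events a VSS operator must act on: every DUAL_ACTIVE message, and VSLP
    messages of severity 2 or worse (loss of the virtual switch link itself).
    Link-level diagnostics such as VSLP_LMP_FAIL_REASON (severity 3) are left out."""
    return [e for e in parse_syslog(text)
            if e.facility == "DUAL_ACTIVE" or (e.facility == "VSLP" and e.severity <= 2)]


# Constructed sample modelled on the Task 5 console output (not captured from a pod).
SAMPLE_LOG = """\
01:06:28: %VSLP-SW2_SPSTBY-3-VSLP_LMP_FAIL_REASON: Te2/5/4: Link down
01:06:28: %VSLP-SW2_SPSTBY-2-VSL_DOWN: Last VSL interface Te2/5/4 went down
01:06:28: %VSLP-SW2_SPSTBY-2-VSL_DOWN: All VSL links went down while switch is in Standby role
01:06:28: %DUAL_ACTIVE-SW2_SPSTBY-1-VSL_DOWN: VSL is down - switchover, or possible dual-active situation has occurred
01:06:28: %PFREDUN-SW2_SPSTBY-6-ACTIVE: Initializing as Virtual Switch ACTIVE processor
01:06:30: SP: Now can post switchover to local slots
01:06:30: %C6KPWR-SP-4-PSOK: power supply 1 turned on.
"""

if __name__ == "__main__":
    print("BFD detection time:", bfd_detection_time_ms(100, 100, 50), "ms")
    for e in vss_alarms(SAMPLE_LOG):
        print(e.timestamp, e.facility, e.severity, e.mnemonic, e.text)
```

With the Step 1 values (100 ms interval, 100 ms minimum receive, multiplier 50) the pair declares the peer down after 5 seconds; this is the window in which both chassis may believe they are active and answer to the same addresses, which is why a dual-active alarm deserves immediate attention rather than a ticket.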
Activity Procedure

Complete these steps:

Step 1  Configure the GigabitEthernet1/3/47 interface using the following information:
■ Set the interface mode to routed.
■ Assign the IP address 10.255.1.1 255.255.255.0.
■ Set the BFD interval to 100 ms, the minimum receive interval capability to 100 ms, and the holddown computing multiplier to 50.
■ Enable the interface.

Step 2  Next, configure the GigabitEthernet2/3/47 interface using the following information:
■ Set the interface mode to routed.
■ Assign the IP address 10.255.2.1 255.255.255.0.
■ Set the BFD interval to 100 ms, the minimum receive interval capability to 100 ms, and the holddown computing multiplier to 50.
■ Enable the interface.

Step 3  Enable the BFD dual-active detection mechanism using the interfaces GigabitEthernet1/3/47 and GigabitEthernet2/3/47. Upon enabling BFD, the switch presents the following output:

    For dual-active operation, please ensure that interface Gi1/3/47 and interface Gi2/3/47 are directly connected
    adding a static route 10.255.2.0 255.255.255.0 Gi1/3/47 for this dual-active pair
    adding a static route 10.255.1.0 255.255.255.0 Gi2/3/47 for this dual-active pair

Activity Verification

You have completed this task when you attain these results:

Step 1  Verify the BFD configuration.

    6500-1#show switch virtual dual-active bfd
    Bfd dual-active detection enabled: Yes
    Bfd dual-active interface pairs configured:
      interface-1 Gi1/3/14 interface-2 Gi2/3/14

Task 5: Converting from VSS to Standalone Mode

In this task you will revert the chassis from VSS to standalone mode.

Activity Procedure

Complete these steps:

Step 1  Convert the VSS active chassis (formerly 6500-1) to standalone mode. Upon using the switch convert mode stand-alone command you should see output similar to the following printout.
    6500-1#switch convert mode stand-alone
    This command will convert all interface names to naming convention "interface-type slot/port", save the running config to startup-config and reload the switch.
    Do you want to proceed? [yes/no]: y
    Converting interface names
    02:15:56: %VSLP-SW1_SP-3-VSLP_LMP_FAIL_REASON: Te1/5/4: Link down
    02:15:56: %VSLP-SW1_SP-2-VSL_DOWN: Last VSL interface Te1/5/4 went down
    02:15:56: %VSLP-SW1_SP-2-VSL_DOWN: All VSL links went down while switch is in ACTIVE role
    02:15:56: %VSL-SW1_SP-3-VSL_SCP_FAIL: SCP operation failed
    02:15:56: SW1_SP: Remote Switch 2 Physical Slot 5 - Module Type LINE_CARD removed
    02:15:56: SW1_SP: Remote Switch 2 Physical Slot 1 - Module Type LINE_CARD removed
    Building configuration...
    02:15:56: SW1_SP: Remote Switch 2 Physical Slot 2 - Module Type LINE_CARD removed
    vs_ltl_core_swid_start_zero: invalid switch id 0
    02:15:56: SW1_SP: -Traceback= 41196CA4 41199E78 4119AEB0 41198414 411A09DC 411A68A8 411A841C 407523AC 40752398
    vs_ltl_core_swid_start_zero: invalid switch id 0
    02:15:56: SW1_SP: -Traceback= 41196CA4 41199E78 4119AEB0 41198414 411A09DC 411A68A8 411A841C 407523AC 40752398
    vs_ltl_core_swid_start_zero: invalid switch id 0
    02:15:56: SW1_SP: -Traceback= 41196CA4 41199E78 4119AEB0 41198414 411A09DC 411A68A8 411A841C 407523AC 40752398
    vs_ltl_core_swid_start_zero: invalid switch id 0
    02:15:56: SW1_SP: -Traceback= 41196CA4 41199E78 4119AEB0 41198414 411A09DC 411A68A8 411A841C 407523AC 40752398
    vs_ltl_core_swid_start_zero: invalid switch id 0
    02:15:56: SW1_SP: -Traceback= 41196CA4 41199E78 4119AEB0 41198414 411A09DC 411A68A8 411A841C 407523AC 40752398
    vs_ltl_core_swid_start_zero: invalid switch id 0
    02:15:56: SW1_SP: -Traceback= 41196CA4 41199E78 4119AEB0 41198414 411A09DC 411A68A8 411A841C 407523AC 40752398
    vs_ltl_core_swid_start_zero: invalid switch id 0
    02:15:56: SW1_SP: -Traceback= 41196CA4 41199E78 4119AEB0 41198414 411A09DC 411A68A8 411A841C 407523AC 40752398
    vs_ltl_core_swid_start_zero: invalid switch id 0
    02:15:56: SW1_SP: -Traceback= 41196CA4 41199E78 4119AEB0 41198414 411A09DC 411A68A8 411A841C 407523AC 40752398
    vs_ltl_core_swid_start_zero: invalid switch id 0
    02:15:56: SW1_SP: -Traceback= 41196CA4 41199E78 4119AEB0 41198414 411A09DC 411A68A8 411A841C 407523AC 40752398
    vs_ltl_core_swid_start_zero: invalid switch id 0
    02:15:56: SW1_SP: -Traceback= 41196CA4 41199E78 4119AEB0 41198414 411A09DC 411A68A8 411A841C 407523AC 40752398
    vs_ltl_core_swid_start_zero: invalid switch id 0
    02:15:56: SW1_SP: -Traceback= 41196CA4 41199E78 4119AEB0 41198414 411A09DC 411A68A8 411A841C 407523AC 40752398
    02:15:56: SW1_SP: Remote Switch 2 Physical Slot 3 - Module Type LINE_CARD removed
    02:15:56: SW1_SP: Remote Switch 2 Physical Slot 4 - Module Type LINE_CARD removed
    02:15:56: %PFREDUN-SW1_SP-6-ACTIVE: Standby supervisor removed or reloaded, changing to Simplex mode
    02:15:56: SW1_SP: Remote Switch 2 Physical Slot 6 - Module Type LINE_CARD removed
    [OK]
    _remove: couldn't sync the event
    SW1_SP: remote_bay_ps_remove: couldn't sync the event
    02:16:10: %SYS-SW1_SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
    02:16:10: %OIR-SW1_SP-6-CONSOLE: Changing console ownership to switch processor
    02:16:10: %SYS-SW1_SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
    02:16:13: %SYS-SW1_SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.

    --- SHUTDOWN NOW ---

    02:16:13: %SYS-SW1_SP-5-RELOAD: Reload requested
    02:16:13: %OIR-SW1_SP-6-CONSOLE: Changing console ownership to switch processor
    02:16:13: %SYS-SW1_SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.

    System Bootstrap, Version 8.5(2)
    Copyright (c) 1994-2007 by cisco Systems, Inc.
    Cat6k-Sup720/SP processor with 1048576 Kbytes of main memory
    Autoboot executing command: "boot bootdisk:s72033-ipservicesk9_wan-mz.122-33.SXH1.bin"
    Loading image, please wait ...
    Initializing ATA monitor library...
    Self extracting the image...
    [OK]
    Self decompressing the image : ################################################################ [OK]

                  Restricted Rights Legend

    Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.

               cisco Systems, Inc.
               170 West Tasman Drive
               San Jose, California 95134-1706

    Cisco IOS Software, s72033_sp Software (s72033_sp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 17-Jan-08 02:10 by prod_rel_team
    Image text-base: 0x40101328, data-base: 0x41C229C0

    00:00:06: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.

    Firmware compiled 19-Dec-07 10:56 by integ Build [100]
    Earl Card Index= 259
    00:00:06: %PFREDUN-6-ACTIVE: Initializing as ACTIVE processor for this switch
    00:00:09: %SYS-SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
    00:00:07: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
    00:00:09: %OIR-SP-6-CONSOLE: Changing console ownership to route processor

    System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 2006 by cisco Systems, Inc.
    Cat6k-Sup720/RP platform with 1048576 Kbytes of main memory

    Download Start
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Download Completed! Booting the image.
    Self decompressing the image : ################################################################ [OK]

                  Restricted Rights Legend

    Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.

               cisco Systems, Inc.
               170 West Tasman Drive
               San Jose, California 95134-1706

    Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 17-Jan-08 01:55 by prod_rel_team
    Image text-base: 0x40101328, data-base: 0x42E75C50

    This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to export@cisco.com.

    cisco WS-C6506-E (R7000) processor (revision 1.1) with 983008K/65536K bytes of memory.
    Processor board ID SAL1023R121
    SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
    Last reset from s/w reset
    1 Virtual Ethernet interface
    73 Gigabit Ethernet interfaces
    3 Ten Gigabit Ethernet interfaces
    1917K bytes of non-volatile configuration memory.
    8192K bytes of packet buffer memory.
    65536K bytes of Flash internal SIMM (Sector size 512K).
    % This interface cannot be modified
    switchport
    % Invalid input detected at '^' marker.
    shutdown
    % Incomplete command.
    no cdp enable
    % Invalid input detected at '^' marker.

    Press RETURN to get started!

    00:01:27: curr is 0x0
    00:01:27: RP: Currently running ROMMON from S (Gold) region
    00:01:34: %SYS-5-CONFIG_I: Configured from memory by console
    00:01:34: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 17-Jan-08 01:55 by prod_rel_team
    Firmware compiled 19-Dec-07 10:56 by integ Build [100]
    6500-1>
    Earl Card Index= 259
    00:00:06: %PFREDUN-6-ACTIVE: Initializing as ACTIVE processor for this switch
    00:00:07: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
    00:00:09: %OIR-SP-6-CONSOLE: Changing console ownership to route processor
    00:00:09: %SYS-SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output
    00:01:24: SP: SP: Currently running ROMMON from S (Gold) region
    00:01:33: %C6KPWR-SP-4-PSCOMBINEDMODE: power supplies set to combined mode.
    00:01:38: %OIR-SP-6-INSPS: Power supply inserted in slot 1
    00:01:38: %C6KPWR-SP-4-PSOK: power supply 1 turned on.
    00:01:38: %OIR-SP-6-INSPS: Power supply inserted in slot 2
    00:01:38: %C6KPWR-SP-4-PSOK: power supply 2 turned on.
    00:01:38: %SYS-SP-5-RESTART: System restarted --
    Cisco IOS Software, s72033_sp Software (s72033_sp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 17-Jan-08 02:10 by prod_rel_team
    00:01:39: %SYS-SP-6-BOOTTIME: Time taken to reboot after reload = 179 seconds
    00:01:41: %C6KPWR-SP-4-DISABLED: power to module in slot 1 set off (admin request)
    00:01:42: %C6KPWR-SP-4-DISABLED: power to module in slot 4 set off (admin request)
    00:01:42: %C6KPWR-SP-4-DISABLED: power to module in slot 6 set off (admin request)
    00:01:46: %FABRIC-SP-5-CLEAR_BLOCK: Clear block option is off for the fabric in slot 5.
    00:01:46: %FABRIC-SP-5-FABRIC_MODULE_ACTIVE: The Switch Fabric Module in slot 5 became active.
    00:01:49: %DIAG-SP-6-RUN_MINIMUM: Module 5: Running Minimal Diagnostics

Step 2  After 6500-1 is converted, the former 6500-2 becomes the VSS active chassis and thus its hostname changes to 6500-1. Observe the output on the console.

    01:06:28: %VSLP-SW2_SPSTBY-3-VSLP_LMP_FAIL_REASON: Te2/5/4: Link down
    01:06:28: %VSLP-SW2_SPSTBY-2-VSL_DOWN: Last VSL interface Te2/5/4 went down
    01:06:28: %VSLP-SW2_SPSTBY-2-VSL_DOWN: All VSL links went down while switch is in Standby role
    01:06:28: %DUAL_ACTIVE-SW2_SPSTBY-1-VSL_DOWN: VSL is down - switchover, or possible dual-active situation has occurred
    01:06:28: %DUAL_ACTIVE-SW2_SPSTBY-1-VSL_DOWN:
    VSL is down - switchover, or possible dual-active situation has occurred
    01:06:28: %VSL-SW2_SPSTBY-3-VSL_SCP_FAIL: SCP operation failed
    01:06:28: %PFREDUN-SW2_SPSTBY-6-ACTIVE: Initializing as Virtual Switch ACTIVE processor
    01:06:30: %FIB-SP-4-FIBXDRINV: Invalid format. Port-channel10 Invalid ifindex (176)
    01:06:30: SP: Now can post switchover to local slots
    01:06:30: c6k_pwr_is_fantray_ok returns ok for fan_index 1
    01:06:30: %C6KPWR-SP-4-PSOK: power supply 1 turned on.
    01:06:30: %C6KPWR-SP-4-PSOK: power supply 2 turned on.
    01:06:30: SP: The PC in slot 2 is shutting down. Please wait ...
    01:06:30: SP: The PC in slot 4 is shutting down. Please wait ...
    01:06:30: SP: The PC in slot 6 is shutting down. Please wait ...
    01:06:30: %OIR-SW2_SP-6-INSCARD: Card inserted in slot 3, interfaces are now online
    01:06:30: %OIR-SW2_SP-6-INSCARD: Card inserted in slot 5, interfaces are now online
    01:06:30: Setting the local_oir_wait_complete boolean to TRUE
    01:06:30: _remove: Couldn't sync the event
    01:06:30: remote_bay_ps_remove: couldn't sync the event
    01:06:51: shutdown_pc_process:No response from module 2
    01:06:51: shutdown_pc_process:No response from module 4
    01:06:51: shutdown_pc_process:No response from module 6
    01:07:01: %C6KPWR-SW2_SP-4-UNSUPPORTED: unsupported module in slot 2, power not allowed: Unsupported module in Virtual Switch system.

Step 3  Convert this chassis (the former 6500-2) to standalone mode as well by using the switch convert mode stand-alone command. You should see output similar to the following printout. Note that the power supply operational mode is correctly set to combined and that the modules in slots 1, 4, and 6 are powered down, as they were prior to converting to VSS mode.

    6500-1#switch convert mode stand-alone
    This command will convert all interface names to naming convention "interface-type slot/port", save the running config to startup-config and reload the switch.
    Do you want to proceed? [yes/no]: y
    Converting interface names
    Building configuration...
    [OK]
    01:14:15: %SYS-SW2_SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
    01:14:15: %OIR-SW2_SP-6-CONSOLE: Changing console ownership to switch processor
    01:14:15: %SYS-SW2_SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
    01:14:17: %SYS-SW2_SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
    01:14:17: %SYS-SW2_SP-5-RELOAD: Reload requested
    01:14:17: %OIR-SW2_SP-6-CONSOLE: Changing console ownership to switch processor
    01:14:18: %SYS-SW2_SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output

    System Bootstrap, Version 8.5(2)
    Copyright (c) 1994-2007 by cisco Systems, Inc.
    Cat6k-Sup720/SP processor with 1048576 Kbytes of main memory
    Autoboot executing command: "boot bootdisk:s72033-ipservicesk9_wan-mz.122-33.SXH1.bin"
    Loading image, please wait ...
    Initializing ATA monitor library...
    Self extracting the image... [OK]
    Self decompressing the image : ################################################################ [OK]

                  Restricted Rights Legend

    Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.

               cisco Systems, Inc.
               170 West Tasman Drive
               San Jose, California 95134-1706

    Cisco IOS Software, s72033_sp Software (s72033_sp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 17-Jan-08 02:10 by prod_rel_team
    Image text-base: 0x40101328, data-base: 0x41C2A210

    00:00:06: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.

    Firmware compiled 19-Dec-07 10:56 by integ Build [100]
    Earl Card Index= 259
    00:00:06: %PFREDUN-6-ACTIVE: Initializing as ACTIVE processor for this switch
    00:00:09: %SYS-SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
    00:00:07: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
    00:00:09: %OIR-SP-6-CONSOLE: Changing console ownership to route processor

    System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 2006 by cisco Systems, Inc.
    Cat6k-Sup720/RP platform with 1048576 Kbytes of main memory

    Download Start
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    Download Completed! Booting the image.
    Self decompressing the image : ################################################################ [OK]

                  Restricted Rights Legend

    Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.

               cisco Systems, Inc.
               170 West Tasman Drive
               San Jose, California 95134-1706

    Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 17-Jan-08 01:55 by prod_rel_team
    Image text-base: 0x40101328, data-base: 0x42E69890

    This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to export@cisco.com.

    cisco WS-C6506-E (R7000) processor (revision 1.1) with 983008K/65536K bytes of memory.
    Processor board ID SAL1023R110
    SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
    Last reset from s/w reset
    1 Virtual Ethernet interface
    73 Gigabit Ethernet interfaces
    3 Ten Gigabit Ethernet interfaces
    1917K bytes of non-volatile configuration memory.
    8192K bytes of packet buffer memory.
    65536K bytes of Flash internal SIMM (Sector size 512K).
    % This interface cannot be modified
    switchport
    % Invalid input detected at '^' marker.
    shutdown
    % Incomplete command.
    no cdp enable
    % Invalid input detected at '^' marker.

    Press RETURN to get started!

    00:01:30: curr is 0x0
    00:01:30: RP: Currently running ROMMON from S (Gold) region
    00: %SYS-5-CONFIG_I: Configured from memory by console
    00: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 17-Jan-08 01:55 by prod_rel_team
    Firmware compiled 19-Dec-07 10:56 by integ Build [100]
    Earl Card Index= 259
    00:00:06: %PFREDUN-6-ACTIVE: Initializing as ACTIVE processor for this switch
    00:00:07: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output
    00:00:09: %OIR-SP-6-CONSOLE: Changing console ownership to route processor
    00:00:09: %SYS-SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output
    00:01:27: SP: SP: Currently running ROMMON from S (Gold) region
    00:01:36: %C6KPWR-SP-4-PSCOMBINEDMODE: power supplies set to combined mode.
    00:01:41: %OIR-SP-6-INSPS: Power supply inserted in slot 1
    00:01:41: %C6KPWR-SP-4-PSOK: power supply 1 turned on.
    00:01:41: %OIR-SP-6-INSPS: Power supply inserted in slot 2
    00:01:41: %C6KPWR-SP-4-PSOK: power supply 2 turned on.
    00:01:41: %SYS-SP-5-RESTART: System restarted --
    Cisco IOS Software, s72033_sp Software (s72033_sp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 17-Jan-08 02:10 by prod_rel_team
    00:01:42: %SYS-SP-6-BOOTTIME: Time taken to reboot after reload = 181 seconds
    00:01:45: %C6KPWR-SP-4-DISABLED: power to module in slot 1 set off (admin request)
    00:01:45: %C6KPWR-SP-4-DISABLED: power to module in slot 4 set off (admin request)
    00:01:45: %C6KPWR-SP-4-DISABLED: power to module in slot 6 set off (admin request)
    00:01:50: %FABRIC-SP-5-CLEAR_BLOCK: Clear block option is off for the fabric in slot 5.
    00:01:50: %FABRIC-SP-5-FABRIC_MODULE_ACTIVE: The Switch Fabric Module in slot 5 became active.
    00:01:52: %DIAG-SP-6-RUN_MINIMUM: Module 5: Running Minimal Diagnostics
    00:02:11: %DIAG-SP-6-DIAG_OK: Module 5: Passed Online Diagnostics
    00:02:13: %OIR-SP-6-INSCARD: Card inserted in slot 5, interfaces are now online

Activity Verification

You have completed this task when you attain these results:

Step 1  Verify the switch operational mode on 6500-1 and 6500-2 by issuing the show switch virtual command. The operational mode should be standalone, as indicated in the following printout.

    6500-1#show switch virtual
    Switch Mode : Standalone

Demonstration 1-2: Deploying and Examining Cisco IOS Software Modularity

Cisco IOS Software Modularity on the Cisco Catalyst 6500 Series Switch minimizes downtime and boosts operational efficiency through evolutionary software infrastructure advancements.

Activity Objective

In this activity, the instructor will demonstrate how the Cisco Catalyst 6500 Series Switch is upgraded to support Cisco IOS modularity and how patching can be applied.

Note: Some tasks and steps are not demonstrated since the demonstrations would take too much time. The procedure and the outputs are included in the lab exercise for your convenience.

After completing this activity, you will be able to meet these objectives:
■ Upgrade the Cisco Catalyst 6500 Series Switch to support Cisco IOS modularity
■ Activate the patching
■ Install and activate a maintenance pack
■ Define a tag
■ Roll back to a defined tag
■ Delete a tag
■ Repackage the Cisco IOS image
■ Examine and verify Cisco IOS Software Modularity actions with the appropriate show commands
Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Demonstration 1-2: Deploying and Examining Cisco IOS Software Modularity]

IP Addressing

The IP addressing scheme in the following table lists the IP addresses of the PCs, servers, Catalyst 6500 Series Switch VLAN interfaces, and Layer 3 physical interfaces, where P is your pod number.

Pod Addressing

    Device    Device IP     Subnet Mask   Default Gateway   VLAN
    Server1   10.P.11.10    /24           10.P.11.1         11
              10.P.11.20
              10.P.11.30
              10.P.11.40

    Device    VLAN   Device IP    Subnet Mask
    6500-1    11     10.P.11.1    /24

Required Resources

These are the resources and equipment required to complete this activity:
■ Cisco Catalyst 6500 Series Switches
■ Cisco Catalyst 4948 Switch
■ Microsoft Windows 2003 server
■ Cisco Catalyst 6500 Series Switch Ethernet module
■ Cisco Catalyst 6500 Series Switch Supervisor 720-10G-3C module

Command List

The table describes the commands that are used in this activity.

    Command                                            Description
    boot system flash filesystem:/IOS-image            Sets the boot variable to the specified Cisco IOS image. Upon reload the specified image will be loaded.
    configure replace filename                         Replaces the current running configuration with a saved Cisco IOS configuration file.
    copy running-config startup-config                 Saves the running configuration to NVRAM.
    dir disk0:                                         Lists the content of the disk0: file system.
    install activate disk0:/sys                        Activates the installed maintenance pack in disk0:/sys.
    install bind disk0:/sys                            Sets the boot variable to the activated (unpacked) Cisco IOS modularity image in disk0:/sys.
    install commit disk0:/sys tag-name                 Defines a tag upon maintenance pack installation to disk0:/sys.
    install file disk0:/file-name disk0:/sys           Activates (unpacks) the Cisco IOS modularity image to disk0:/sys.
    install file filesystem:/patch-file disk0:/sys     Installs the maintenance pack to disk0:/sys.
    install prune disk0:/sys tag-name                  Deletes a tag for the installed maintenance pack.
    install repackage disk0:/sys filesystem:/filename  Repackages the base image and installed maintenance packs from disk0:/sys into a single file.
    install rollback disk0:/sys tag-name               Rolls back to a def tag for the maintenance pack installed in disk0:/sys.
    no boot system flash filesystem:/filename          Deletes the boot option from the configuration.
    process restart process-name                       Restarts the process.
    reload                                             Reloads the switch.
    show bootvar                                       Shows the boot variable.
    show install disk0:/sys                            Shows the installed (unpacked) base Cisco IOS modularity image in disk0:/sys.
    show install running                               Shows the installed base Cisco IOS modularity image and maintenance packs.
    show install tags running                          Shows the user-defined tags.
    show process cpu                                   Shows information about the running processes.
    show process detailed process-name                 Shows detailed information about the running processes.
    show version                                       Shows the version of the booted Cisco IOS operating system.

Task 1 (Demonstration): Removing Previous Configurations

Ensure that no previous configuration exists on the switches in your pod and apply the initial configurations to the devices. The initial configuration includes the settings for the Layer 2 interfaces used (trunking, access VLAN, and so on), the VLAN configuration, the Layer 3 VLAN configuration, the correct power scheme, and so on. The initial configurations are available on the individual device file systems as specified in the following steps.

Note: The instructor will demonstrate this task. The outputs are for your reference.
Activity Procedure

Complete these steps on the 6500-1 switch in your pod:

Step 1  Connect to the 6500-1 switch via console and replace the current running configuration with the configuration from the file disk0:dcni1_lab12_6500-1 using the configure replace disk0:dcni1_lab12_6500-1 command. When asked to proceed, press Y. You should see output similar to the following printout.

    6500-1#configure replace disk0:dcni1_lab12_6500-1
    This will apply all necessary additions and deletions
    to replace the current running configuration with the
    contents of the specified configuration file, which is
    assumed to be a complete configuration, not a partial
    configuration. Enter Y if you are sure you want to proceed. ? [no]: Y
    01:13:28: Rollback:Acquired Configuration lock.
    Total number of passes: 0
    Rollback Done

Step 2  Reload the 6500-1 switch with the reload command.

Activity Verification

The task is completed when the 6500-1 is rebooted.

Task 2 (Demonstration): Upgrading to the Cisco IOS Modularity Image

In this task the 6500-1 switch is upgraded to the Cisco IOS Software Modularity image.

Note: Since a reload is time-consuming, the steps in this task have already been completed. The steps and outputs are available for your reference.

Activity Procedure

Complete these steps:

Step 1  The first step in upgrading the Cisco Catalyst 6500 Series Switch is to acquire the Cisco IOS Software Modularity image. It can be acquired via Cisco.com, where the MODULAR keyword beside the image denotes the Cisco IOS Modularity image.

For lab purposes, the Cisco IOS Modularity image already resides on disk0:. The image name is s72033-ipservicesk9_wan-vz.122-33.SXH.bin.

Step 2  Set the boot system variable to boot the s72033-ipservicesk9_wan-vz.122-33.SXH.bin Cisco IOS image upon the next reload.

Step 3  Reload the 6500-1 switch.

Activity Verification

You have completed this task when you attain these results:

Step 1  Verify the running Cisco IOS image.
Notice that patching is not available since it has not been activated.

    6500-1#show version
    Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-VM), Version 12.2(33)SXH, RELEASE SOFTWARE (fc5)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Sun 19-Aug-07 13:29 by prod_rel_team

    ROM: System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)

    6500-1 uptime is 18 minutes
    Uptime for this control processor is 17 minutes
    Time since 6500-1 switched to active is 17 minutes
    System returned to ROM by reload at 12:51:18 UTC Sat Mar 18 2008 (SP by reload)
    System image file is "disk0:s72033-ipservicesk9_wan-vz.122-33.SXH.bin"

    This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

    If you require further assistance please contact us by sending email to export@cisco.com.

    cisco WS-C6506-E (R7000) processor (revision 1.1) with 1040384K/8192K bytes of memory.
    Processor board ID SAL1023R121
    SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
    Last reset from s/w reset
    5 Virtual Ethernet interfaces
    73 Gigabit Ethernet interfaces
    3 Ten Gigabit Ethernet interfaces
    1917K bytes of non-volatile configuration memory.
    65536K bytes of Flash internal SIMM (Sector size 512K).
Configuration register is 0x2102 Patching is not available since the system is not running from an installed image. To install please use the "install file" command Step2 Examine the output of the show process epu command, Notice that it changed after the Cisco IOS Software Modularity image was used. 6500-1#show proc 98 pL 48 Implementing Cisco Data Center Network infrastructure 1 (GNI) v2.0 (© 2008 Cisco Systems, Inc. CPU utilization for five seconds: 34; one minute: 2%; five minutes: 2% PID Ssec 1Min —SMin Process. t 1.08 0.2% 0.18 kernel 3 0.0% 0.08 0.0% deve-pty 4 0.08 0.08 0.08 deve-mistral.proc 5 0.0% 0.08 +0. 08 pipe 4102 0.0% 0.0% 0.08 dumper.proc 4103 0.0% 0.08 0.08 pemcia_driver.proc 4104 0.0% 0.0% 0,08 bf lash_driver.proc 12297 0.08 «0.08 0.08 mqueue. 12298 = 0.08 0.08~—0. 0% flashfs_hes.proc 12299 0.0% +—«0.08+~—=—0.08 df's_bootdisk.proc 12300 0.08 += 0.08 += 0.08 Idcache. proc 12301 «0.08 +~—««0.08 +=. 08 watchdog. proc 12302 «0.0% «0.08 ~——0.0% syslogd. proc 12303 0.08 ~—0.08 = 0.0% name_svr.proc 12304 0.3% += 0.08 +008 wdsyamon.. proc 12305 0.08 += «0.08 -~—=0. 0% sysngr.proc 16386 0.0% + 0.08 ~——0.0% chkptd.proc 16402 0.08 +~—0.08 0.0% sysngr.proc 16403 0.0% + 0.08 ~—0.0% ‘syslog_dev.proc 16404 0.08 «0.08~—0. 08% trace. 16405 0.08 += 0.08 +0. 0% packet -proc Step3 Examine the information for the syslogd.proc process. Executable name: syslogd.proc Executable Path: sbin/syslogd.proc Instance ID: 1 Respawn: ON Respawn count: 1 Respawn since last patch: 1 Max. spawns per minute: 30 Laat started: Sat Mar 20 13:0% Process state: Run Active ‘SHAREDMEM MATNMEM Max. core: 0 Level: 23 Mandatory: ON Last restart userid: Related Processe: 1 2008 PID TID Stack pri state Blked HR: MSEC FLAGS NAME 12302 1 20K 10 Receive 1 0. 0028 00000000 syslogd.proc 12302 2 20K 10 Receive 7 0 2000 09000000 syslogd.proc 12302 3 20K 10 Sigwaitinfo 0: 0000 00000000 syslogd. proc 12302 4 20K 10 Condvar = 7A73F_ 0. 
0000 00000000 syslogd.proc Task 3 (Demonstration): Activating Patching Functionality In this task you will enable the patching functionality on the 6500-1 switch, Note ‘Since activating the patching functionality is a lengthy process, the Cisco |OS Modularity image is pre-unpacked and activated. The steps and outputs are available for your reference. ‘©2008 Cisco Systems, Inc. Lab Guide 49 Activity Procedure Complete these steps: ‘Step1 Examine the disk0: file system on 6500-1. Notice the Cisco IOS image used. 6500-1#dix dieko: Directory of disk0:/ 1 -rwx 11359 Mar 21 2008 23:09:58 ace_scripts_A2_i.tgz 2 -rwx 4897 Mar 18 2008 06:21:16 vas=config 3. -rwx 30292535 Mar 21 2008 23:13:50 +00:00 c6ace-tik9-mz.A2_1.bin 4 -rwx 5063 Mar 20 2008 12:57:20 +00:00 iosmodular-config 5 =xwx 118601380 Mar 18 2008 16:00:52 +00:00 872033-ipservicesk9 wan vz.122-33,SXH.bin 6 drwx © Mar 18 2008 22:35:18 +00:00 MODULAR 1024589824 bytes total (754122752 bytes free) Step2 Activate the patching functionality by expanding the packaged Cisco IOS Software Modularity image s72033-ipservicesk9_wan-vz.122-33.SXH.bin. Note that the image is not yet active. 6500-1#install file disk0:/s72033-ipservicesk9_wan-vz.122-33.SxH.bin disko:/sys Source filename [s72033-ipservicesk9_wan-vz.122-33.SXH.bin)? IVI renner rrr POU eee <...part of the output omitted...» PEELED Cee eee mn POEL Verifying checksums of extracted files Verifying installation compatibility Finalizing installation PEEPOCUEETO DUE EDEL COE <...part of the output omitted. ..> PEPEPCCCOE OEE UEP EEOC Peony Computing and verifying file checksums POCO OEE COPE Oe eee ee IUSUTAOSUSERSUOSEORIUSUEPUSUUCERUOOUESEONOUSONOOO TESST TOSS S ITTY <..-part of the output omitted...> PEC FENCED EEE ttt tonuueetigity PELE PEEP TELE eee en teeny Writing installation meta-data. Please wait . NOTE: The néwly added base! image is not yet active. To activate the new base image, perform an ‘install bind! in config mode followed by a ‘reload’. 
(DONE)

Activity Verification

You have completed this task when you attain these results:

Step 1 Verify that the s72033-ipservicesk9_wan-vz.122-33.SXH.bin Cisco IOS image has been expanded to the disk0:/sys directory.

6500-1#dir disk0:
Directory of disk0:/

    1  -rwx       11359  Mar 21 2008 23:09:58 +00:00  ace_scripts_A2_1.tgz
    2  -rwx        4897  Mar 19 2008 06:21:16 +00:00  vss-config
    3  -rwx    30292535  Mar 21 2008 23:13:50 +00:00  c6ace-t1k9-mz.A2_1.bin
    4  -rwx        5063  Mar 19 2008 12:57:20 +00:00  iosmodular-config
    5  -rwx   118601380  Mar 18 2008 16:00:52 +00:00  s72033-ipservicesk9_wan-vz.122-33.SXH.bin
   10  drwx           0  Mar 19 2008 13:37:06 +00:00  sys
    6  drwx           0  Mar 18 2008 22:35:18 +00:00  MODULAR

1024589824 bytes total (597557248 bytes free)

Step 2 Remove the old boot system option from the configuration. Add the new one pointing to the disk0:/sys directory where the expanded Cisco IOS image resides. Save the running configuration.

no boot system flash disk0:s72033-ipservicesk9_wan-vz.122-33.SXH.bin
install bind disk0:/sys
copy running-config startup-config

Step 3 Examine the expanded Cisco IOS image in the disk0:/sys directory.

6500-1#show install disk0:/sys
B  Active   disk0:/sys/s72033/base/s72033-ipservicesk9_wan-vm - Version 12.2(33)SXH
B  Active   disk0:/sys/aboot/base/LCP_ABOOT
B  Active   disk0:/sys/ax1000/base/LCP_AX1000
B  Active   disk0:/sys/ax10100/base/LCP_AX10100
B  Active   disk0:/sys/boot/base/LCP_BOOT
B  Active   disk0:/sys/c2_lc/base/C2LC
B  Active   disk0:/sys/chevyslc/base/CHEVYS-LC
B  Active   disk0:/sys/cp10g/base/LCP_CP10G
B  Active   disk0:/sys/cpfab/base/LCP_CPFAB
B  Active   disk0:/sys/cpgbit/base/LCP_CPGBIT
B  Active   disk0:/sys/cpmbit/base/LCP_CPMBIT
B  Active   disk0:/sys/cpmbit2/base/LCP_CPMBIT2
B  Active   disk0:/sys/cpxbit/base/LCP_CPXBIT
B  Active   disk0:/sys/cwpa2/base/CWPA2_version_10.10
B  Active   disk0:/sys/cwpa2_fpd/base/CWPA2_FPD_version_10.10
B  Active   disk0:/sys/lx1000/base/LCP_LX1000
B  Active   disk0:/sys/lx10100/base/LCP_LX10100
B  Active   disk0:/sys/s72033_rp/base/DRACO2_MP
B  Active   disk0:/sys/sip1/base/SIP1_version_10.10
B  Active   disk0:/sys/sip2/base/SIP2_version_10.10
B  Active   disk0:/sys/smsc/base/SMSC_version_10.10

LEGEND:  B/P/MP - (B)ase image, (P)atch, or (M)aintenance (P)ack
         'C' - (C)ommitted
         Pruned - This file has been pruned from the system
         Active - This file is active in the system
         PendInst - This file is set to be made available to run on the system after next activation.
         PendRoll - This file is set to be rolled back after next activation.
         InstPRel - This file will run on the system after next reload
         RollPRel - This file will be removed from the system after next reload
         RPRPndIn - This file is both rolled back pending a reload, and pending installation. On reload, this file will not run and will move to PendInst state. If 'install activate' is done before reload, pending removal and install cancel each other and file simply remains active
         IPRPndRo - This file is both installed pending a reload, and pending rollback. If the card reloads, it will be active on the system pending a rollback. If 'install activate' is done before a reload, the pending install and removal with cancel each other and the file will simply be removed
         Occluded - This file has been occluded from the system, a newer version of itself has superceded it.

Step 4 Verify that the boot variable points to the expanded Cisco IOS image, save the running configuration, and reload the switch.

6500-1#show bootvar
BOOT variable = disk0:/sys/s72033/base/s72033-ipservicesk9_wan-vm,12;
CONFIG_FILE variable =
BOOTLDR variable =
Configuration register is 0x2102

Standby is not present.

Step 5 Reload the 6500-1 switch, and after it has booted, verify that patching functionality is available. The last lines of the output indicate that patching is available.

6500-1#show version
Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-VM), Version 12.2(33)SXH, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Sun 19-Aug-07 13:29 by prod_rel_team

ROM: System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)
<...part of the output omitted...>
3 Ten Gigabit Ethernet interfaces
1917K bytes of non-volatile configuration memory.
65536K bytes of Flash internal SIMM (Sector size 512K).

Configuration register is 0x2102

System is currently running from installed software
For further information use "show install running"

Step 6 Examine the running expanded image.

6500-1#show install running
B/P/C  State    Filename
Software running on card installed at location s72033 - Slot 5 :
B      Active   disk0:/sys/s72033/base/s72033-ipservicesk9_wan-vm - Version 12.2(33)SXH
Software running on card installed at location s72033_rp - Slot 5 :
B      Active   disk0:/sys/s72033_rp/base/DRACO2_MP
Software running on card installed at location c2_lc - Slot 3 :
B      Active   disk0:/sys/c2_lc/base/C2LC

LEGEND:  B/P/MP - (B)ase image, (P)atch, or (M)aintenance (P)ack
         'C' - (C)ommitted
         Pruned - This file has been pruned from the system
         Active - This file is active in the system
         PendInst - This file is set to be made available to run on the system after next activation.
         PendRoll - This file is set to be rolled back after next activation.
         InstPRel - This file will run on the system after next reload
         RollPRel - This file will be removed from the system after next reload
         RPRPndIn - This file is both rolled back pending a reload, and pending installation. On reload, this file will not run and will move to PendInst state. If 'install activate' is done before reload, pending removal and install cancel each other and file simply remains active
         IPRPndRo - This file is both installed pending a reload, and pending rollback. If the card reloads, it will be active on the system pending a rollback. If 'install activate' is done before a reload, the pending install and removal with cancel each other and the file will simply be removed
         Occluded - This file has been occluded from the system, a newer version of itself has superceded it.

Task 4 (Demonstration): Installing Maintenance Packs and Setting Tags

In this task you will install and activate a maintenance pack, define tags, and perform a manual process restart.

Note: The instructor will demonstrate this task. The outputs are for your reference. The 6500-1 was reloaded with the initial configuration and the activated Cisco IOS image.
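The states reported by show install running (Active, PendInst, PendRoll, and the '*' committed marker) are what you check after every install, activate, commit and rollback in the tasks that follow. The following Python helper is an added example, not part of this lab guide and not a Cisco tool: it parses the text of show install running into one record per file and location, and flags files whose change has not yet been activated or that are active but not covered by a committed tag. The sample output embedded in it is constructed to mirror the printouts in this guide and was not captured from a switch; the function and variable names are the example's own.

```python
import re

# Constructed sample modelled on the "show install running" printouts in this
# lab guide (not captured from a real switch): the cdp patch of demo_mp001 is
# committed and active, the iprouting patch of demo_mp002 is installed but
# not yet activated on any of the three locations.
SAMPLE_SHOW_INSTALL_RUNNING = """\
B/P/C State    Filename
Software running on card installed at location s72033 - Slot 5 :
B *   Active   disk0:/sys/s72033/base/s72033-ipservicesk9_wan-vm - Version 12.2(33)SXH
MP    Maintenance Pack demo_mp002
P     PendInst disk0:/sys/s72033/patch/patch-ZAA3359-patch-iprouting_n.so
Software running on card installed at location s72033_rp - Slot 5 :
B *   Active   disk0:/sys/s72033_rp/base/DRACO2_MP
MP    Maintenance Pack demo_mp001
P *   Active   disk0:/sys/s72033_rp/patch/patch-ZAA3373-patch-cdp_n.so
MP    Maintenance Pack demo_mp002
P     PendInst disk0:/sys/s72033_rp/patch/patch-ZAA3359-patch-iprouting_n.so
Software running on card installed at location c2_lc - Slot 3 :
B *   Active   disk0:/sys/c2_lc/base/C2LC
MP    Maintenance Pack demo_mp002
P     PendInst disk0:/sys/c2_lc/patch/patch-ZAA3359-patch-iprouting_n.so
LEGEND: B/P/MP - (B)ase image, (P)atch, or (M)aintenance (P)ack
"""

LOCATION_RE = re.compile(r"^Software running on card installed at location (\S+) - Slot (\d+)")
PACK_RE = re.compile(r"^MP\s+Maintenance Pack (\S+)")
# kind, optional '*' (committed), state, filename, optional base-image version
FILE_RE = re.compile(r"^([BP])\s+(\*\s+)?(\w+)\s+(\S+)(?:\s+-\s+Version\s+(\S+))?$")

# States from the command's legend that mean "a change is still pending".
PENDING_STATES = {"PendInst", "PendRoll", "InstPRel", "RollPRel", "RPRPndIn", "IPRPndRo"}


def parse_show_install_running(text):
    """Return one dict per base image or patch file listed before the LEGEND."""
    records = []
    location = slot = None
    pack = None  # maintenance pack announced on the MP line just above a patch
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("LEGEND"):
            break
        m = LOCATION_RE.match(line)
        if m:
            location, slot, pack = m.group(1), int(m.group(2)), None
            continue
        m = PACK_RE.match(line)
        if m:
            pack = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and location is not None:
            kind, star, state, filename, version = m.groups()
            records.append({
                "location": location,
                "slot": slot,
                "kind": "base" if kind == "B" else "patch",
                "committed": star is not None,
                "state": state,
                "filename": filename,
                "version": version,
                "pack": pack if kind == "P" else None,
            })
            pack = None
    return records


def pending_changes(records):
    """Files whose install or rollback has not been activated yet."""
    return [r for r in records if r["state"] in PENDING_STATES]


def uncommitted_active(records):
    """Active files with no '*' marker, i.e. not yet covered by an 'install commit' tag."""
    return [r for r in records if r["state"] == "Active" and not r["committed"]]


def active_packs_by_location(records):
    """Maintenance packs whose patches are active, keyed by location name."""
    out = {}
    for r in records:
        if r["kind"] == "patch" and r["state"] == "Active":
            out.setdefault(r["location"], set()).add(r["pack"])
    return out


def location_report(records):
    """(location, slot, active count, pending count) tuples in output order."""
    order, counts = [], {}
    for r in records:
        key = (r["location"], r["slot"])
        if key not in counts:
            order.append(key)
            counts[key] = [0, 0]
        if r["state"] in PENDING_STATES:
            counts[key][1] += 1
        elif r["state"] == "Active":
            counts[key][0] += 1
    return [(loc, slot, counts[(loc, slot)][0], counts[(loc, slot)][1]) for loc, slot in order]


if __name__ == "__main__":
    recs = parse_show_install_running(SAMPLE_SHOW_INSTALL_RUNNING)
    for loc, slot, active, pending in location_report(recs):
        print(f"{loc} (slot {slot}): {active} active, {pending} pending")
    for r in pending_changes(recs):
        print(f"  not yet activated: {r['state']} {r['filename']} (pack {r['pack']})")
    for r in uncommitted_active(recs):
        print(f"  active but not committed to a tag: {r['filename']}")
```

After an install activate, pending_changes should come back empty; after an install commit, uncommitted_active should, too. Comparing these two lists before and after each step gives a mechanical record of what the activation actually changed, instead of reading the long printouts by eye.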
Activity Procedure

Complete these steps:

Step 1 The maintenance packs can be downloaded from http://www.cisco.com/go/pn. For lab purposes, two maintenance packs have been downloaded to the disk0:/MODULAR directory:

- s72033-demo_mp001-p.122-33.SXH: CDP demo_mp-001.122-33.SXH maintenance pack
- s72033-demo_mp002-p.122-33.SXH: IP Routing demo_mp-002.122-33.SXH maintenance pack

Step 2 Verify that the files are present in the disk0:/MODULAR folder.

6500-1#dir disk0:/MODULAR
Directory of disk0:/MODULAR/

  100  -rwx      153600  Mar 18 2008 22:36:16 +00:00  s72033-demo_mp001-p.122-33.SXH
  101  -rwx     2734080  Mar 18 2008 22:36:30 +00:00  s72033-demo_mp002-p.122-33.SXH
  102  -rwx   118601380  Mar 18 2008 22:43:46 +00:00  s72033-ipservicesk9_wan-vz.122-33.SXH.bin

1024589824 bytes total (597704704 bytes free)

Step 3 Install the s72033-demo_mp001-p.122-33.SXH maintenance pack to the disk0:/sys folder.

6500-1#install file disk0:/MODULAR/s72033-demo_mp001-p.122-33.SXH disk0:/sys
Source filename [/MODULAR/s72033-demo_mp001-p.122-33.SXH]?
<...part of the output omitted...>
Verifying checksums of extracted files
Verifying installation compatibility
Gathering information for location s72033_rp - Slot 5
<...part of the output omitted...>
The following Install changeset is currently pending for this location :
  Pending Install : patch/patch-ZAA3373-patch-cdp_n.so
Finalizing installation ...
Computing and verifying file checksums
<...part of the output omitted...>
NOTE: The newly added patch is not yet active. Use 'install activate' to activate the patch in the currently running system.
(DONE)

Step 4 Verify that the maintenance pack was installed. You should notice that the pack is installed but pending, since it has not been activated, and that only the cdp2.iosproc process will be affected by this patch.

6500-1#show install running
B/P/C  State    Filename
Software running on card installed at location s72033 - Slot 5 :
B      Active   disk0:/sys/s72033/base/s72033-ipservicesk9_wan-vm - Version 12.2(33)SXH
Software running on card installed at location s72033_rp - Slot 5 :
B      Active   disk0:/sys/s72033_rp/base/DRACO2_MP
MP     Maintenance Pack demo_mp001
P      PendInst disk0:/sys/s72033_rp/patch/patch-ZAA3373-patch-cdp_n.so
Software running on card installed at location c2_lc - Slot 3 :
B      Active   disk0:/sys/c2_lc/base/C2LC

LEGEND:  B/P/MP - (B)ase image, (P)atch, or (M)aintenance (P)ack
         'C' - (C)ommitted
         Pruned - This file has been pruned from the system
         Active - This file is active in the system
         PendInst - This file is set to be made available to run on the system after next activation.
         PendRoll - This file is set to be rolled back after next activation.
         InstPRel - This file will run on the system after next reload
         RollPRel - This file will be removed from the system after next reload
         RPRPndIn - This file is both rolled back pending a reload, and pending installation. On reload, this file will not run and will move to PendInst state. If 'install activate' is done before reload, pending removal and install cancel each other and file simply remains active
         IPRPndRo - This file is both installed pending a reload, and pending rollback. If the card reloads, it will be active on the system pending a rollback. If 'install activate' is done before a reload, the pending install and removal with cancel each other and the file will simply be removed
         Occluded - This file has been occluded from the system, a newer version of itself has superceded it.

Step 5 Connect to PC1 and issue a continuous ping to Server1.

Step 6 Activate the maintenance pack. When asked to continue, choose YES. Notice that the continuous ping issued from PC1 to Server1 is not affected by the cdp2.iosproc process restart.

6500-1#install activate disk0:/sys
Determining processes to restart at location s72033_rp - Slot 5
<...part of the output omitted...>
The following Install changeset is currently pending for this location :
  Pending Install : patch/patch-ZAA3373-patch-cdp_n.so
The following processes will be restarted:
  cdp2.iosproc

Do you want to continue with activating this change set...? [yes/no]: yes
Proceeding with activation, writing installer meta-data ...
Updating more installer meta-data ...
Beginning process restarts ...
<...part of the output omitted...>
Affected processes restarted.
(DONE)
6500-1#
00:24:29: %SYSMGR-6-RESPAWN: Process cdp2.iosproc:1 has been respawned

Step 7 Set the PATCH1-cdp tag for the installed maintenance pack.

6500-1#install commit disk0:/sys PATCH1-cdp
(DONE)

Step 8 Verify that the tag has been defined.

6500-1#show install tags running
Tags defined over software running on location s72033 - Slot 5 :
  Tagname      # of Files  Date Committed
  PATCH1-cdp   1           14:35:38 UTC Mar 19 2008
Tags defined over software running on location s72033_rp - Slot 5 :
  Tagname      # of Files  Date Committed
  PATCH1-cdp   2           14:35:38 UTC Mar 19 2008
Tags defined over software running on location c2_lc - Slot 3 :
  Tagname      # of Files  Date Committed
  PATCH1-cdp   1           14:35:38 UTC Mar 19 2008

Step 9 Manually restart the syslogd.proc process. As in the previous case, the continuous ping issued from PC1 to Server1 is not disrupted.

6500-1#process restart syslogd.proc
Restarting process syslogd.proc
6500-1#
00:26:44: %SYSMGR-6-RESPAWN: Process syslogd.proc:1 has been respawned

Task 5 (Demonstration): Rolling Back to a Defined Tag

In this task you will install another maintenance pack, define a new tag, perform a rollback to a previously defined tag, delete a tag, and repackage the installed base image and maintenance pack into a Cisco IOS binary image.

Note: The instructor will demonstrate this task. The outputs are for your reference.

Activity Procedure

Complete these steps:

Step 1 Install the s72033-demo_mp002-p.122-33.SXH maintenance pack to disk0:/sys. Notice that the patch patch-ZAA3373-patch-cdp_n.so is skipped during installation, since it was part of the first pack installed.

6500-1#install file disk0:/MODULAR/s72033-demo_mp002-p.122-33.SXH disk0:/sys
Source filename [/MODULAR/s72033-demo_mp002-p.122-33.SXH]?
<...part of the output omitted...>
Verifying checksums of extracted files
Skipped install of s72033_rp/patch/patch-ZAA3373-patch-cdp_n.so because it was already installed.
Verifying installation compatibility
Gathering information for location s72033 - Slot 5
<...part of the output omitted...>
The following Install changeset is currently pending for this location :
  Pending Install : patch/patch-ZAA3359-patch-iprouting_n.so
Activation will not affect any processes.
Gathering information for non-running card of type chevyslc
<...part of the output omitted...>
The following Install changeset is currently pending for this location :
  Pending Install : patch/patch-ZAA3359-patch-iprouting_n.so
Activation will not affect any processes.
Gathering information for location c2_lc - Slot 3
<...part of the output omitted...>
The following Install changeset is currently pending for this location :
  Pending Install : patch/patch-ZAA3359-patch-iprouting_n.so
Activation will not affect any processes.
Gathering information for location s72033_rp - Slot 5
<...part of the output omitted...>
The following Install changeset is currently pending for this location :
  Pending Install : patch/patch-ZAA3359-patch-iprouting_n.so
Activation of the pending changes listed above will affect the following processes:
  iprouting.iosproc
Finalizing installation ...
Computing and verifying file checksums
<...part of the output omitted...>
NOTE: The newly added patch is not yet active. Use 'install activate' to activate the patch in the currently running system.
(DONE)

Step 2 Verify that the maintenance pack was installed. You should notice that the pack is installed but pending, since it has not been activated, and that only the iprouting.iosproc process will be affected by this patch.

6500-1#show install running
B/P/C  State    Filename
Software running on card installed at location s72033 - Slot 5 :
B *    Active   disk0:/sys/s72033/base/s72033-ipservicesk9_wan-vm - Version 12.2(33)SXH
MP     Maintenance Pack demo_mp002
P      PendInst disk0:/sys/s72033/patch/patch-ZAA3359-patch-iprouting_n.so
Software running on card installed at location s72033_rp - Slot 5 :
B *    Active   disk0:/sys/s72033_rp/base/DRACO2_MP
MP     Maintenance Pack demo_mp001
P *    Active   disk0:/sys/s72033_rp/patch/patch-ZAA3373-patch-cdp_n.so
MP     Maintenance Pack demo_mp002
P      PendInst disk0:/sys/s72033_rp/patch/patch-ZAA3359-patch-iprouting_n.so
Software running on card installed at location c2_lc - Slot 3 :
B *    Active   disk0:/sys/c2_lc/base/C2LC
MP     Maintenance Pack demo_mp002
P      PendInst disk0:/sys/c2_lc/patch/patch-ZAA3359-patch-iprouting_n.so

LEGEND:  B/P/MP - (B)ase image, (P)atch, or (M)aintenance (P)ack
         'C' - (C)ommitted
         Pruned - This file has been pruned from the system
         Active - This file is active in the system
         PendInst - This file is set to be made available to run on the system after next activation.
<...rest of the output omitted...>

Step 3 Connect to PC1 and issue a continuous ping to Server1.

Step 4 Activate the maintenance pack. When asked to continue, choose YES. Notice that the continuous ping issued from PC1 to Server1 is not affected by the iprouting.iosproc process restart.

6500-1#install activate disk0:/sys
Determining processes to restart at location s72033_rp - Slot 5
<...part of the output omitted...>
The following Install changeset is currently pending for this location :
  Pending Install : patch/patch-ZAA3359-patch-iprouting_n.so
The following processes will be restarted:
  iprouting.iosproc
Some config that affects the processes above has not yet been checkpointed.
If you choose to continue this activation when prompted, some config may be lost.
You should choose not to continue this activation when prompted. You should checkpoint your
Determining processes affected for non-running card of type chevyslc
<...part of the output omitted...>
The following Install changeset is currently pending for this location :
  Pending Install : patch/patch-ZAA3359-patch-iprouting_n.so
No processes will be restarted.
Determining processes to restart at location c2_lc - Slot 3
<...part of the output omitted...>
The following Install changeset is currently pending for this location :
  Pending Install : patch/patch-ZAA3359-patch-iprouting_n.so
No processes will be restarted.
Determining processes to restart at location s72033 - Slot 5
<...part of the output omitted...>
The following Install changeset is currently pending for this location :
  Pending Install : patch/patch-ZAA3359-patch-iprouting_n.so
No processes will be restarted.

Do you want to continue with activating this change set...? [yes/no]: yes
Proceeding with activation, writing installer meta-data ...
Updating more installer meta-data ...
Beginning process restarts ...
<...part of the output omitted...>
00:51:24: %kern-6-SYSLOG_GEN: <30>SLOT0:00:51:24: ;1206802408.687: sysmgr.proc[69]: Some config for process iprouting.iosproc:1 has not yet been checkpointed and may be lost
Affected processes restarted.
00:51:26: %SYSMGR-6-RESPAWN: Process iprouting.iosproc:1 has been respawned
(DONE)

Step 5 Set the PATCH2-iprouting tag for the installed maintenance pack.

6500-1#install commit disk0:/sys PATCH2-iprouting
(DONE)

Step 6 Verify that the patch has been activated.

6500-1#show install running
B/P/C  State    Filename
Software running on card installed at location s72033 - Slot 5 :
B *    Active   disk0:/sys/s72033/base/s72033-ipservicesk9_wan-vm - Version 12.2(33)SXH
MP     Maintenance Pack demo_mp002
P *    Active   disk0:/sys/s72033/patch/patch-ZAA3359-patch-iprouting_n.so
Software running on card installed at location s72033_rp - Slot 5 :
B *    Active   disk0:/sys/s72033_rp/base/DRACO2_MP
MP     Maintenance Pack demo_mp001
P *    Active   disk0:/sys/s72033_rp/patch/patch-ZAA3373-patch-cdp_n.so
MP     Maintenance Pack demo_mp002
P *    Active   disk0:/sys/s72033_rp/patch/patch-ZAA3359-patch-iprouting_n.so
Software running on card installed at location c2_lc - Slot 3 :
B *    Active   disk0:/sys/c2_lc/base/C2LC
MP     Maintenance Pack demo_mp002
P *    Active   disk0:/sys/c2_lc/patch/patch-ZAA3359-patch-iprouting_n.so
<...rest of the output omitted...>

Step 7 Roll back to the older tag PATCH1-cdp.

6500-1#install rollback disk0:/sys PATCH1-cdp
Gathering information for location s72033_rp - Slot 5
<...part of the output omitted...>
The following Rollback changeset is currently pending for this location :
  Pending Rollback : patch/patch-ZAA3359-patch-iprouting_n.so
Activation of the pending changes listed above will affect the following processes:
  iprouting.iosproc
Gathering information for non-running card of type chevyslc
<...part of the output omitted...>
The following Rollback changeset is currently pending for this location :
  Pending Rollback : patch/patch-ZAA3359-patch-iprouting_n.so
Activation will not affect any processes.
Gathering information for location c2_lc - Slot 3
<...part of the output omitted...>
The following Rollback changeset is currently pending for this location :
  Pending Rollback : patch/patch-ZAA3359-patch-iprouting_n.so
Activation will not affect any processes.
Gathering information for location s72033 - Slot 5
<...part of the output omitted...>
The following Rollback changeset is currently pending for this location :
  Pending Rollback : patch/patch-ZAA3359-patch-iprouting_n.so
Activation will not affect any processes.
(DONE)

Step 8 Verify which tag will be used upon activation.

6500-1#show install running
B/P/C  State    Filename
Software running on card installed at location s72033 - Slot 5 :
B *    Active   disk0:/sys/s72033/base/s72033-ipservicesk9_wan-vm - Version 12.2(33)SXH
MP     Maintenance Pack demo_mp002
P *    PendRoll disk0:/sys/s72033/patch/patch-ZAA3359-patch-iprouting_n.so
Software running on card installed at location s72033_rp - Slot 5 :
B *    Active   disk0:/sys/s72033_rp/base/DRACO2_MP
MP     Maintenance Pack demo_mp001
P *    Active   disk0:/sys/s72033_rp/patch/patch-ZAA3373-patch-cdp_n.so
MP     Maintenance Pack demo_mp002
P *    PendRoll disk0:/sys/s72033_rp/patch/patch-ZAA3359-patch-iprouting_n.so
Software running on card installed at location c2_lc - Slot 3 :
B *    Active   disk0:/sys/c2_lc/base/C2LC
MP     Maintenance Pack demo_mp002
P *    PendRoll disk0:/sys/c2_lc/patch/patch-ZAA3359-patch-iprouting_n.so

Step 9 Activate the PATCH1-cdp tag. When asked to continue, choose YES. Notice that this action does not disrupt the continuous ping from PC1 to Server1.

6500-1#install activate disk0:/sys
Determining processes to restart at location s72033_rp - Slot 5
<...part of the output omitted...>
The following Rollback changeset is currently pending for this location :
  Pending Rollback : patch/patch-ZAA3359-patch-iprouting_n.so
The following processes will be restarted:
  iprouting.iosproc
Some config that affects the processes above has not yet been checkpointed.
If you choose to continue this activation when prompted, some config may be lost.
You should choose not to continue this activation when prompted. You should checkpoint your
Determining processes affected for non-running card of type chevyslc
<...part of the output omitted...>
The following Rollback changeset is currently pending for this location :
  Pending Rollback : patch/patch-ZAA3359-patch-iprouting_n.so
No processes will be restarted.
Determining processes to restart at location c2_lc - Slot 3
<...part of the output omitted...>
The following Rollback changeset is currently pending for this location :
  Pending Rollback : patch/patch-ZAA3359-patch-iprouting_n.so
No processes will be restarted.
Determining processes to restart at location s72033 - Slot 5
<...part of the output omitted...>
The following Rollback changeset is currently pending for this location :
  Pending Rollback : patch/patch-ZAA3359-patch-iprouting_n.so
No processes will be restarted.

Do you want to continue with activating this change set...? [yes/no]: yes
Proceeding with activation, writing installer meta-data ...
Updating more installer meta-data ...
Beginning process restarts ...
<...part of the output omitted...>
Affected processes restarted.
01:17:05: %kern-6-SYSLOG_GEN: <30>SLOT0:01:17:05: ;1206803949.490: sysmgr.proc[69]: Some config for process iprouting.iosproc:1 has not yet been checkpointed and may be lost
01:17:07: %SYSMGR-6-RESPAWN: Process iprouting.iosproc:1 has been respawned
(DONE)

Step 10 Repackage the base Cisco IOS image with the installed maintenance packs to a file on the disk0: file system named IOS-PATCH1-cdp.bin.

6500-1#install repackage disk0:/sys disk0:/IOS-PATCH1-cdp.bin
Destination filename [IOS-PATCH1-cdp.bin]?
<...part of the output omitted...>
(DONE)

Step 11 Verify that the file IOS-PATCH1-cdp.bin resides on the disk0: file system.

6500-1#dir disk0:
Directory of disk0:/

    1  -rwx       11359  Mar 21 2008 23:09:58 +00:00  ace_scripts_A2_1.tgz
    2  -rwx        4897  Mar 19 2008 06:21:16 +00:00  vss-config
    3  -rwx    30292535  Mar 21 2008 23:13:50 +00:00  c6ace-t1k9-mz.A2_1.bin
    4  -rwx        5063  Mar 19 2008 12:57:20 +00:00  iosmodular-config
    5  -rwx   118601380  Mar 18 2008 16:00:52 +00:00  s72033-ipservicesk9_wan-vz.122-33.SXH.bin
    6  drwx           0  Mar 19 2008 13:37:06 +00:00  sys
  105  -rwx   118736896  Mar 19 2008 15:27:52 +00:00  IOS-PATCH1-cdp.bin
   99  drwx           0  Mar 18 2008 22:35:18 +00:00  MODULAR

1024589824 bytes total (478593024 bytes free)

Step 12 Delete the tag PATCH1-cdp.

6500-1#install prune disk0:/sys PATCH1-cdp

Step 13 Verify that the PATCH2-iprouting tag was deleted.

6500-1#show install tags running
Tags defined over software running on location s72033 - Slot 5 :
  Tagname      # of Files  Date Committed
Tags defined over software running on location s72033_rp - Slot 5 :
  Tagname      # of Files  Date Committed
Tags defined over software running on location c2_lc - Slot 3 :
  Tagname      # of Files  Date Committed

Step 14 Also examine the installed and activated patches. Notice that the maintenance pack demo_mp001 is still installed and activated; only the tag was deleted.
6500-1#show install running B/P.C State Filename Software running on card installed at location 872033 - slot 5 B Active —_disk0: /ays/s72033/base/s72033-ipservicesk9_wan-vm - Version 32.233) SxH Software running on card installed at location s72033_rp - Slot 5 : B_ Active disk0: /ays/s72033_rp/base/DRACO2_MP me Maintenance Pack demo_mp0oi P Active disk0: /sys/s72033_rp/patch/patch-2AA3373-patch-edp_n.80 Software running on card installed at location c2_le - Slot 3 B Active —disk0:/sys/c2_1c/base/C2LC ‘© 2008 Cisco Systems, inc. Lab Guide Gt Lab 1-3: Deploying QoS Switches have large backplanes and are able to switch millions of packets per second, yet congestion can still occur at any time within the network. If congestion management features are not in place, packets received during congested periods will be dropped, causing unnecessary retransmissions to occur, Retransmissions increase network load, and performance degrades in a downward spiral. Activity Objective In this activity, you will deploy and the Qos policy, Control Plane Policing (CoPP) and CPU rate limiters, After completing this activity, you will be able to meet these objectives: = Examine the QoS processing = Sct the ingress QoS trust Define and configure QoS policies Apply ingress policing Configure and apply CoPP Configure and apply CPU rate limiters Verify the QoS, CoPP, and CPU rate limiters configuration and operation using show commands Visual Objective The figure illustrates what you will accomplish in this ac Lab 1-3: Deploying QoS i Tans Sten unba 0F2) = Sane aneer (1003) 22 Crumeer (tore) 62 Implementing Cisco Data Center Network Infrastructure 1 (OCNI-1) v2.0 (© 2008 Cisco Systems, Inc The pod with the equipment for this lab exercise is divided into two independent subpods with the following devices and VLANs: @ Subpod!: 6500-1, 4900-1, PC1, Server! 
and VLANs: 11, 13 = Subpod?: 6500-2, 4900-2, PC6, Server3 and VLANs : 21, 23 Divide into subgroups in each pod to complete the following tasks. Note ‘Through the lab exercise, the steps and printouts refer to subpodt in pod 4 (devices 6500-1, 4900-1, PC1, Servert). However the same tasks should be applied to subpod2 with respect, toa different numbering and addressing scheme. IP Addressing ‘The IP addressing scheme in the following table lists the IP addresses of the PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces and Layer 3 physical interfaces, where “P” is your pod number. Pod Addressing Default | Device Device | IP Subnet DevicelP | Gateway | VLAN —— Pct 10P.13.0 | 124 10.P.1325 | 10P.13.1 | 13 Pc2 10P.230 | 124 10.P.23.25 | 10P.23.1 | 23 Soret | toP.11.0 | 124 top.s10 | tops | 11 10.P.11.20 10.P.11.30 10..11.40 servers | 10P.21.0 | 124 10P.21.10 | toP214 | 21 10.P.21.20 10.P.21.30 10.P.21.40 Device VLAN IP Subnet Soret Device IP Mask 6500-1 Ww 10.P.11.0 | 124 10.P.11.4 65001 [13 10P.130 | 16 10.134 6500-2 | 21 10P21.0 | rs 10P21.4 6500-2 | 23 10P230 | f24 1023.1 Required Resources ‘These are the resources and equipment required to complete this activity: = = Two (2) Cisco Catalyst 6500 Series Switches @ Two (2) Cisco Catalyst 6500 Series Switch Ethernet modules & Two (2) Cisco Catalyst 6500 Series Switch Supervisor 720-10G-3C modules (© 2008 Cisco Systems, Inc Lab Guide 63 = Two (2) Cisco Catalyst 4948 Switches = Two (2) Microsoft Windows XP clients Two (2) Microsoft Windows 2003 servers Command List The table describes the commands that are used in this activity. Command Description [no] service-policy input policy-name Remove or apply defined QoS policy to an interface. class Use the defined class in a QoS policy. "map match-any class- Define a QoS class. Enter the control plane interface configuration mode. 
match access-group number | Match the traffic in a class map based on the defined access list.
mls qos | Enable the QoS functionality on the PFC of a Cisco Catalyst 6500 Series Switch.
mls qos map policed-dscp | Define the remapping of policed traffic from DSCP value 32 to DSCP value 16.
mls qos trust cos | Set the interface to trust the CoS value.
police rate conform-action transmit exceed-action drop | Police the traffic according to the specified rate: transmit the traffic that conforms to the rate and drop the excess traffic.
police rate conform-action transmit exceed-action policed-dscp-transmit | Police the traffic according to the specified rate: transmit the traffic that conforms to the rate and remark the DSCP of the excess traffic.
policy-map policy-name | Define a QoS policy.
qos | Enable QoS on a Cisco Catalyst 4900 Series Switch.
show interfaces GigabitEthernet number capabilities | Examine the capabilities of the individual interface (QoS functionality among other things).
show mls qos | Examine the QoS operational mode.
show mls qos module | Examine the QoS configuration for a module (including the trust mode).
show policy-map | Examine the configured QoS policy.
show policy-map control-plane | Examine the configured and applied QoS policy for CoPP.
show policy-map interface interface | Verify the operation of the applied QoS policy on the interface.
access-list number permit protocol source destination | Define an access list.

Task 1: Removing Previous Configurations

Ensure that no previous configuration exists on the switches in your pod and apply the initial configurations to the devices. The initial configuration includes settings for the Layer 2 interfaces used (trunking, access VLAN set, etc.), VLAN configuration, Layer 3 VLAN configuration, the correct power scheme, etc. The initial configurations are available on the individual device file system as specified in the following steps.
Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps on each switch in your pod:

Step 1  Connect to the 6500-1 switch via console and apply the following:
- Replace the current running configuration with the configuration from file disk0:dcni1_lab13_6500-1 using the configure replace disk0:dcni1_lab13_6500-1 command. When asked to proceed, press Y.
- Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
- Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.

Step 2  Connect to the 4900-1 switch via console and apply the following:
- Replace the current running configuration with the configuration from file bootflash:dcni1_lab13_4900-1 using the configure replace bootflash:dcni1_lab13_4900-1 command. When asked to proceed, press Y.

Activity Verification

You have completed this task when you attain these results:

Step 1  On the 6500-1 switch, verify that you have connectivity to the following:
- PC1 at 10.P.13.25 (where "P" is your pod number)
- Server1 at 10.P.11.10 (where "P" is your pod number)

You should see results similar to the following printouts.

Note: The following printouts show the results of a ping conducted on pod 4.

6500-1#ping 10.4.13.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
6500-1#ping 10.4.11.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.11.10, timeout is 2 seconds:
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Task 2: Verifying Capabilities for QoS

In this task, you will verify the QoS capabilities of the network devices.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps:

Step 1  Prior to configuring QoS, you need to verify the QoS capabilities of the line cards installed in the Cisco Catalyst 6500 Series Switch. Determine whether QoS is supported on the module 3 ports.

6500-1#show interfaces gigabitethernet 3/3 capabilities
GigabitEthernet3/3
  Model:                 WS-X6748-GE-TX
  Type:                  10/100/1000BaseT
  Speed:                 10,100,1000,auto
  Duplex:                half,full
  Trunk encap. type:     802.1Q,ISL
  Trunk mode:            on,off,desirable,nonegotiate
  Channel:               yes
  Broadcast suppression: percentage(0-100)
  Flowcontrol:           rx-(off,on,desired),tx-(off,on,desired)
  Membership:            static
  Fast Start:            yes
  QOS scheduling:        rx-(1q8t), tx-(1p3q8t)
  QOS queueing mode:     rx-(cos), tx-(cos)
  CoS rewrite:           yes
  ToS rewrite:           yes
  Inline power:          no
  Inline power policing: no
  SPAN:                  source/destination
  UDLD                   yes
  Link Debounce:         yes
  Link Debounce Time:    no
  Ports-in-ASIC (Sub-port ASIC) : 1-24 (1-12)
  Remote switch uplink:  no
  Dot1x:                 no
  Port-Security:         yes

Step 2  Verify the global QoS setting on 6500-1.

6500-1#show mls qos
  QoS is disabled globally

Step 3  Enable QoS globally on 6500-1.

Step 4  Verify the global QoS setting on 6500-1.

6500-1#show mls qos
  QoS is enabled globally
  Policy marking depends on port_trust
  QoS ip packet dscp rewrite enabled globally
  QoS serial policing mode disabled globally
  Input mode for GRE Tunnel is Pipe mode
  Input mode for MPLS is Pipe mode
  QoS Trust state is CoS on the following interface:
  Te1/1
  Vlan or Portchannel(Multi-Earl) policies supported: Yes
  Egress policies supported: Yes
  QoS 10g-only mode supported: Yes [Current mode: Off]

 ----- Module [5] - QoS global counters -----
    Total packets: 2132
    IP shortcut packets: 0
    Packets dropped by policing: 0
    IP packets with TOS changed by policing: 2
    IP packets with COS changed by policing: 2
    Non-IP packets with COS changed by policing: 0
    MPLS packets with EXP changed by policing: 0

Step 5  Verify the global QoS setting on 4900-1.

4900-1#show qos
QoS is disabled globally
IP header DSCP rewrite is enabled

Step 6  Enable QoS globally on 4900-1.

Task 3: Defining the Port Trust and Policy Maps

In this task, you will perform the following:

- Limit the amount of incoming ICMP traffic from PC1 to Server1 to 100 kB/s on the 6500-1 switch
- Limit the amount of all IP traffic from PC1 to Server1 to 50 kB/s on the 6500-1 switch
- Set the QoS trust to CoS for interface GigabitEthernet3/13
- Limit the amount of incoming IP traffic from Server1 with DSCP value 0 to 2 MB/s with a 25 KB burst on the 4900-1 switch

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps:

Step 1  Define an access list 100 that permits the ICMP traffic from PC1 (10.P.13.25) to Server1 (10.P.11.10), where "P" is your pod number.

Step 2  Define a class map CM-ICMP that matches the ICMP traffic from PC1 (10.P.13.25) to Server1 (10.P.11.10), where "P" is your pod number.

Step 3  Define a policy map that rate-limits the ICMP traffic from PC1 to Server1 to 100 kB/s. The traffic that does not conform to the limit should be dropped.

Step 4  Apply the defined policy map to the incoming traffic on interface GigabitEthernet3/3, the interface where traffic from PC1 is received.

Step 5  Define an access list 101 that permits the IP traffic from PC1 (10.P.13.25) to Server1 (10.P.11.10), where "P" is your pod number.

Step 6  Define a class map CM-IP that matches the IP traffic from PC1 (10.P.13.25) to Server1 (10.P.11.10), where "P" is your pod number.

Step 7  Add to the already configured policy map PM-ratelimit a class that rate-limits the IP traffic from PC1 to Server1 to 50 kB/s. The traffic that does not conform to the limit should be dropped.

Step 8  Start a continuous ping from PC1 to Server1 with packet size 2000.

Step 9  Map the C drive of Server1 (net use x: \\10.P.11.10\C$, where "P" is your pod number) on PC1 and copy the s72033-adventerprisek9_wan-mz.122-18.SXF4.bin file on PC1 from c:\tftp to the x:\tftp directory.

Step 10  Start a continuous ping from PC1 to Server1 with packet size 2000.

Step 11  Verify the configured QoS policy on 6500-1. You should notice that some traffic is also being dropped for the CM-IP class map, which is the class used by the file copy operation.

6500-1#show policy-map
  Policy Map PM-ratelimit
    Class CM-ICMP
      police cir 100000 bc 3125 conform-action transmit exceed-action drop
    Class CM-IP
      police cir 50000 bc 1562 conform-action transmit exceed-action drop
6500-1#show policy-map interface GigabitEthernet 3/3
 GigabitEthernet3/3

  Service-policy input: PM-ratelimit

    class-map: CM-ICMP (match-any)
      Match: access-group 100
      police :
        96000 bps 3000 limit 3000 extended limit
      Earl in slot 5 :
        391792 bytes
        5 minute offered rate 6136 bps
        aggregate-forwarded 391792 bytes action: transmit
        exceeded 0 bytes action: drop
        aggregate-forward 15000 bps exceed 0 bps

    class-map: CM-IP (match-all)
      Match: access-group 101
      police :
        48000 bps 1000 limit 1000 extended limit
      Earl in slot 5 :
        282449 bytes
        5 minute offered rate 6488 bps
        aggregate-forwarded 279533 bytes action: transmit
        exceeded 2916 bytes action: drop
        aggregate-forward 19288 bps exceed 256 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
        0 packets, 0 bytes
        5 minute rate 0 bps

Step 12  Remove the QoS policy from the GigabitEthernet3/3 interface.

Step 13  Next, restart the file copy operation and observe that the file copy is faster than it was while the QoS policy was applied.

Step 14  Set the QoS trust for interface GigabitEthernet3/13 on 6500-1 to CoS and verify the configuration.

6500-1#show mls qos module 3
  QoS is enabled globally
  Policy marking depends on port_trust
  QoS ip packet dscp rewrite enabled globally
  QoS serial policing mode disabled globally
  Input mode for GRE Tunnel is Pipe mode
  Input mode for MPLS is Pipe mode
  QoS Trust state is CoS on the following interface:
  Gi3/13
  Vlan or Portchannel(Multi-Earl) policies supported: Yes
  Egress policies supported: Yes
  QoS 10g-only mode supported: Yes [Current mode: Off]
  No forwarding engine in module [3]

Step 15  On the 4900-1 switch, define an access list 101 that permits the IP traffic from Server1 (10.P.11.10, where "P" is your pod number) to any destination.

Step 16  Define a class map CM-IP that matches the IP traffic from Server1 (10.P.11.10, where "P" is your pod number).

Step 17  Define a policy map that rate-limits the IP traffic from Server1 to 2 MB/s. The traffic that does not conform to the limit should be dropped.

Step 18  Apply the defined policy map to the incoming traffic on interface GigabitEthernet1/1, the interface where traffic from Server1 is received.

Step 19  Verify the configured QoS policy on 4900-1.

4900-1#show policy-map
  Policy Map PM-ratelimitServer1
    Class CM-IP
      police 2000000 bps 25000 byte conform-action transmit exceed-action drop
4900-1#show policy-map interface GigabitEthernet 1/1
 GigabitEthernet1/1

  Service-policy input: PM-ratelimitServer1

    Class-map: CM-IP (match-all)
      37 packets
      Match: access-group 101
      Match: ip dscp default
      police: Per-interface
        Conform: 2544 bytes Exceed: 0 bytes

    Class-map: class-default (match-any)
      24 packets
      Match: any

Task 4: Marking Traffic to Be Policed

In this task, you will configure the Cisco Catalyst 6500 Series Switch to mark traffic down to a lower DSCP. DSCP markdown maps are used when the policer is defined to mark down out-of-profile traffic instead of dropping it.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps:

Step 1  Modify the default policed DSCP map so that the DSCP value 32 is marked down to the DSCP value 16.

Step 2  Create the policy PM-DSCP using your previously defined class map. The policy should rate-limit the IP traffic from PC1 to Server1 to 50 kB/s. The traffic that does not conform to the limit should be remarked to the new DSCP value.

Step 3  Apply the defined policy map to the incoming traffic on interface GigabitEthernet3/3, the interface where traffic from PC1 is received.

Step 4  Copy the s72033-adventerprisek9_wan-mz.122-18.SXF4.bin file on PC1 from c:\tftp to the

Step 5  Verify the configured QoS policy on 6500-1. Notice that the exceeding traffic has been remarked with the new DSCP value. The copy operation also takes less time than in the previous case.
6500-1#show policy-map interface GigabitEthernet 3/3
 GigabitEthernet3/3

  Service-policy input: PM-DSCP

    class-map: CM-IP (match-all)
      Match: access-group 101
      police :
        496000 bps 15000 limit 15000 extended limit
      Earl in slot 5 :
        44535048 bytes
        30 second offered rate 8172800 bps
        aggregate-forwarded 44535048 bytes action: transmit
        exceeded 43125573 bytes action: policed-dscp-transmit
        aggregate-forward 6098936 bps exceed 6025640 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: any
        0 packets, 0 bytes
        30 second rate 0 bps

Task 5: Deploying CoPP

In this task, you will define a CoPP policy to limit the amount of ICMP traffic destined to the supervisor on the Cisco Catalyst 6500 Series Switch.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps on each switch in your pod:

Step 1  Define an access list 102 that permits the ICMP traffic from any source to any destination.

Step 2  Define a class map CM-icmpcopp that uses the configured ACL 102.

Step 3  Define a policy map PM-copp that rate-limits the ICMP traffic destined to the supervisor on 6500-1 to 35 kB/s. The traffic that does not conform to the limit should be dropped.

Step 4  Open a text editor on PC1 (for example, Notepad) and create a BAT file containing the line ping 10.4.13.1 -t -l 2000. Save the file on the desktop, naming it copp.bat. You will use this file to flood the 6500-1 CPU.

Step 5  Start multiple continuous pings from PC1 to the 6500-1 Vlan13 interface at 10.P.13.1 (where "P" is your pod number) with packet size 2000 by clicking the copp.bat file you created multiple times. You should be able to see certain ping packets time out.

[Figure: command prompt windows with the continuous pings, some showing request timeouts]
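The configuration that Tasks 3 to 5 ask for, written out as an added example rather than the lab guide's own solution. It uses the names, ACL numbers, interfaces and the rates reported by the lab's show policy-map printouts, substitutes the pod 4 addresses for "P", and assumes the Cisco IOS 12.2(33)SXH syntax for the policed-DSCP map (normal-burst keyword) and for attaching a service policy under control-plane.

```ios
! ===== 6500-1 (pod 4 addresses: PC1 10.4.13.25, Server1 10.4.11.10) =====
! Task 2 prerequisite: QoS must be enabled globally before any policy has effect
mls qos
!
! Task 3, Steps 1-2: ICMP from PC1 to Server1
access-list 100 permit icmp host 10.4.13.25 host 10.4.11.10
class-map match-any CM-ICMP
 match access-group 100
!
! Task 3, Steps 5-6: all IP traffic from PC1 to Server1
access-list 101 permit ip host 10.4.13.25 host 10.4.11.10
class-map match-all CM-IP
 match access-group 101
!
! Task 3, Steps 3 and 7: one policy map, two classes, excess traffic dropped
! (rate and burst values as the lab's "show policy-map" printout reports them)
policy-map PM-ratelimit
 class CM-ICMP
  police 100000 3125 conform-action transmit exceed-action drop
 class CM-IP
  police 50000 1562 conform-action transmit exceed-action drop
!
! Task 3, Step 4: police on the ingress interface for PC1 traffic
interface GigabitEthernet3/3
 service-policy input PM-ratelimit
!
! Task 3, Step 14: trust the CoS bits received on the link toward 4900-1
interface GigabitEthernet3/13
 mls qos trust cos
!
! Task 4, Step 1: mark excess traffic down from DSCP 32 to DSCP 16 instead of dropping it
! (normal-burst keyword assumed for this image)
mls qos map policed-dscp normal-burst 32 to 16
!
! Task 4, Steps 2-3: same class, but the exceed action remarks instead of drops;
! PM-ratelimit is removed first (Step 12) since an interface takes one input policy
policy-map PM-DSCP
 class CM-IP
  police 50000 1562 conform-action transmit exceed-action policed-dscp-transmit
interface GigabitEthernet3/3
 no service-policy input PM-ratelimit
 service-policy input PM-DSCP
!
! Task 5, Steps 1-3 and 6: CoPP for ICMP punted to the supervisor; policer values
! as the lab's "show policy-map control-plane" printout reports (cir 350000, bc 10937)
access-list 102 permit icmp any any
class-map match-any CM-icmpcopp
 match access-group 102
policy-map PM-copp
 class CM-icmpcopp
  police 350000 10937 conform-action transmit exceed-action drop
control-plane
 service-policy input PM-copp
!
! ===== 4900-1 =====
! Task 2, Step 6: enable QoS globally on the Catalyst 4900
qos
!
! Task 3, Steps 15-18: Server1 traffic carrying DSCP 0 (default), 2000000 bps with a 25000-byte burst
access-list 101 permit ip host 10.4.11.10 any
class-map match-all CM-IP
 match access-group 101
 match ip dscp default
policy-map PM-ratelimitServer1
 class CM-IP
  police 2000000 bps 25000 byte conform-action transmit exceed-action drop
interface GigabitEthernet1/1
 service-policy input PM-ratelimitServer1
```

After the copp.bat pings are running, show policy-map control-plane should report non-zero exceeded bytes for CM-icmpcopp while class-default stays at a 0 bps drop rate, which is the check that only the policed class is affected.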
Step 6  Apply the defined policy map to the incoming traffic on the control plane interface.

Step 7  Verify the applied CoPP. Since multiple continuous pings are in place, the amount of ICMP traffic destined to the 6500-1 supervisor exceeds the allowed amount, and thus some traffic is dropped.

6500-1#show policy-map control-plane
 Control Plane Interface

  Service-policy input: PM-copp

    Hardware Counters:

    class-map: CM-icmpcopp (match-any)
      Match: access-group 102
      police :
        344000 bps 10000 limit 10000 extended limit
      Earl in slot 5 :
        9448084 bytes
        5 minute offered rate 163160 bps
        aggregate-forwarded 9159670 bytes action: transmit
        exceeded 288414 bytes action: drop
        aggregate-forward 253720 bps exceed 11360 bps

    Software Counters:

    Class-map: CM-icmpcopp (match-any)
      9051 packets, 9360862 bytes
      5 minute offered rate 189000 bps, drop rate 1000 bps
      Match: access-group 102
        9051 packets, 9360862 bytes
        5 minute rate 189000 bps
      police:
          cir 350000 bps, bc 10937 bytes
        conformed 9043 packets, 9348750 bytes; actions:
          transmit
        exceeded 8 packets, 12112 bytes; actions:
          drop
        conformed 189000 bps, exceed 1000 bps

    Class-map: class-default (match-any)
      73 packets, 13357 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
        73 packets, 13357 bytes
        5 minute rate 0 bps

Lab 1-4: Deploying and Examining EEM

The Cisco IOS Embedded Event Manager (EEM) functionality is used for automating tasks and troubleshooting.

Activity Objective

In this activity, you will configure an EEM applet and use it for automating tasks. After completing this activity, you will be able to meet these objectives:

- Configure an EEM applet
- Verify EEM applet operation

Visual Objective

The figure illustrates what you will accomplish in this activity.
[Figure: Lab 1-4: Deploying and Examining EEM topology. Legend: X = switch number (1 or 2)]

The pod with the equipment for this lab exercise is divided into two independent subpods with the following devices:

- Subpod1: 6500-1
- Subpod2: 6500-2

Divide into subgroups in each pod to complete the following tasks.

Note: Throughout the lab exercise, the steps and printouts refer to subpod1 in pod 4 (device 6500-1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Required Resources

These are the resources and equipment required to complete this activity:

- Two (2) Cisco Catalyst 6500 Series Switches

Command List

The table describes the commands that are used in this activity.

Command | Description
event manager applet name | Define and register an applet with EEM
event cli pattern command-pattern sync no skip no | Set the event that triggers the applet
"config t" | CLI command: enter the configuration mode
"copy running disk0:/config-bkp" | CLI command: copy the running configuration to config-bkp on disk0:
"enable" | CLI command: enter the privileged mode
"exit" | CLI command: exit the configuration mode
"file prompt quiet" | CLI command: disable the dialog prompt for file operations
"no file prompt quiet" | CLI command: enable the dialog prompt for file operations
action number cli command CLI-command | Define a command to be executed upon triggering the applet

Task 1: Removing Previous Configurations

Ensure that no previous configuration exists on the switches in your pod and apply the initial configurations to the devices. The initial configuration includes settings for the Layer 2 interfaces used (trunking, access VLAN set, etc.), VLAN configuration, Layer 3 VLAN configuration, the correct power scheme, etc. The initial configurations are available on the individual device file system as specified in the following steps.

Note: The steps and printouts refer to subpod1 in pod 4 (device 6500-1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps on each switch in your pod:

Step 1  Connect to the 6500-1 switch via console and apply the following:
- Replace the current running configuration with the configuration from file disk0:dcni1_lab14_6500-1 using the configure replace disk0:dcni1_lab14_6500-1 command. When asked to proceed, press Y.
- Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
- Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.

Task 2: Configuring and Verifying EEM Applet Operation

In this task, you will create an EEM applet and use it to automate the configuration-saving task. Use the following information to create the applet:

- Event: The administrator enters the configuration mode with the configure terminal command.
- Action: Save the configuration to disk0:/config-bkp.

Note: The steps and printouts refer to subpod1 in pod 4 (device 6500-1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps:

Step 1  On the 6500-1 switch, configure the EEM applet using the following information:
- Set the EEM applet name to BKPCFG.
- Set the event that triggers the applet to match the CLI exit command.
- Set the following actions upon triggering the applet:
  1. Enter the privileged EXEC mode.
  2. Enter the global configuration mode.
  3. Set the prompt level for file operations to quiet.
  4. Exit the configuration mode.
  5. Save the running configuration to disk0:/config-bkp.
  6. Reenter the global configuration mode.
  7. Set the file operations prompt level back to the default.
  8. Exit the global configuration mode.
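The applet that Step 1 describes, written out as an added example (not the lab guide's own solution). The regular expression "^exit$" is an assumption, since the step only says that the event matches the exit command; the eight actions follow the step's list in order.

```ios
! Added example: EEM applet that backs up the running configuration each time
! an administrator leaves configuration mode with "exit".
event manager applet BKPCFG
 ! Trigger: a CLI line matching "^exit$" (pattern assumed; the step names only the command).
 ! sync no: the matched command is not held while the applet runs; skip no: it still executes.
 event cli pattern "^exit$" sync no skip no
 ! Actions run in label order on the applet's own VTY session
 ! (the verification printout shows "Configured from console by on vty0 (EEM:BKPCFG)").
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 ! Silence the interactive file prompts so the copy can complete unattended
 action 3.0 cli command "file prompt quiet"
 action 4.0 cli command "exit"
 action 5.0 cli command "copy running-config disk0:/config-bkp"
 action 6.0 cli command "configure terminal"
 ! Restore the default prompting for file operations
 action 7.0 cli command "no file prompt quiet"
 action 8.0 cli command "exit"
```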
Activity Verification

You have completed this task when you attain these results:

Step 1  Verify the EEM applet operation. Notice that EEM triggered the BKPCFG applet.

6500-1#write memory
Building configuration...
03:26:11: %SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:BKPCFG)
[OK]

Step 2  List the content of the disk0: file system. Notice that the config-bkp file is present on disk0.

6500-1#dir disk0:
Directory of disk0:/

    1  -rw-       11359  Mar 21 2008                   ace_scripts_A2_1.tar
    2  -rw-        4997  Mar 15 2008                   vss-config
    3  -rw-    30292835  Mar 21 2008                   c6ace-t1k9-mz.A2_1.bin
    4  -rw-        5063  Mar 15 2008                   iosmodular-config
    5  -rw-   118601380  Mar 15 2008                   s72033-ipservicesk9_wan-mz.122-33.SXH.bin
  109  -rw-        6793  Mar 15 2008                   config-bkp
    6  drw-           0  Mar 15 2008                   sys
  104  -rw-   116736896  Mar 15 2008 15:27:52 +00:00  IOS-PATCH1-cdp.bin
  105  drw-           0  Mar 16 2008 22:35:18 +00:00  MODULAR

1024589824 bytes total (478429184 bytes free)

Lab 1-5: Deploying Automated Diagnostics

The fault management framework on the Cisco Catalyst 6500 Series Switch consists of automated and administrator-initiated tools.

Activity Objective

In this activity, you will explore and use the automated diagnostic and troubleshooting tools. After completing this activity, you will be able to meet these objectives:

- Use the TDR for copper cable troubleshooting
- Use the GOLD tests to verify proper hardware operation
- Define Call Home as the enabled automated event notification

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Lab 1-5: Deploying Automated Diagnostics topology. Legend: X = switch number (1 or 2)]

The pod with the equipment for this lab exercise is divided into two independent subpods with the following devices:

- Subpod1: 6500-1
- Subpod2: 6500-2

Divide into subgroups in each pod to complete the following tasks.

Note: Throughout the lab exercise, the steps and printouts refer to subpod1 in pod 4 (device 6500-1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Required Resources

These are the resources and equipment required to complete this activity:

- Two (2) Cisco Catalyst 6500 Series Switches
- Two (2) Cisco Catalyst 4900 Series Switches

Command List

The table describes the commands that are used in this activity.

Command | Description
diagnostic start module number test non-disruptive port number | Start the automated non-disruptive diagnostic test on the specified module and interface
show diagnostic result module number test | Show the results of the diagnostic test for the specified module and test
call-home | Enter the Call Home configuration mode
contact-email-addr email-address | Define the contact e-mail address
street-address string | Define the contact address
customer-id customer-ID | Define the customer ID
site-id site-ID | Define the site ID
profile profile-name | Define the profile to be used for Call Home
destination transport-method email | Set the transport method to e-mail
destination address email e-mail-address | Set the destination e-mail address for Call Home
destination preferred-msg-format long-text | Set the format of the message sent to the destination e-mail
active | Activate the Call Home functionality
show call-home profile profile-name | Verify the configured Call Home profile
test cable-diagnostics tdr interface interface | Perform the TDR test on the specified interface

Task 1: Removing Previous Configurations

Ensure that no previous configuration exists on the switches in your pod and apply the initial configurations to the devices. The initial configuration includes settings for the Layer 2 interfaces used (trunking, access VLAN set, etc.), VLAN configuration, Layer 3 VLAN configuration, the correct power scheme, etc. The initial configurations are available on the individual device file system as specified in the following steps.

Note: The steps and printouts refer to subpod1 in pod 4 (device 6500-1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps on each switch in your pod:

Step 1  Connect to the 6500-1 switch via console and apply the following:
- Replace the current running configuration with the configuration from file disk0:dcni1_lab15_6500-1 using the configure replace disk0:dcni1_lab15_6500-1 command. When asked to proceed, press Y.
- Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
- Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.

Task 2: Using TDR for Troubleshooting

In this task, you will use the TDR to pinpoint problems with copper cables.

Note: The steps and printouts refer to subpod1 in pod 4 (device 6500-1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps:

Step 1  Use the TDR to check the copper cable connected to interface GigabitEthernet3/13 on 6500-1.

Step 2  Verify the results.
6500-1#show cable-diagnostics tdr interface GigabitEthernet 3/13
TDR test last run on: March 21 19:31:59
Interface Speed Pair Cable length  Distance to fault  Channel  Pair status
--------- ----- ---- ------------- ------------------ -------- -----------
Gi3/13    1000  1-2  0    +/- 6 m  N/A                         Terminated
                3-6  0    +/- 6 m  N/A                Pair A   Terminated
                4-5  0    +/- 6 m  N/A                Pair D   Terminated
                7-8  0    +/- 6 m  N/A                Pair C   Terminated

The test shows that the copper cable is properly terminated, which can also be confirmed by the fact that the connection between 6500-1 and 4900-1 is working properly.

Step 3  Enable the interface GigabitEthernet3/48. The interface is not connected anywhere.

Step 4  Run the TDR test for interface GigabitEthernet3/48 on 6500-1.

Step 5  Verify the results.

6500-1#show cable-diagnostics tdr interface GigabitEthernet 3/48
TDR test last run on: March 21 19:31:04
Interface Speed Pair Cable length  Distance to fault  Channel  Pair status
--------- ----- ---- ------------- ------------------ -------- -----------
Gi3/48    auto  1-2  N/A           0    +/- 6 m       Invalid  Open
                3-6  N/A           0    +/- 6 m       Invalid  Open
                4-5  N/A           0    +/- 6 m       Invalid  Open
                7-8  N/A           0    +/- 6 m       Invalid  Open

The test shows that there is no copper cable attached to the interface.

Task 3: Using GOLD Tests for Troubleshooting

In this task, you will use the GOLD tests to verify proper hardware operation.

Note: The steps and printouts refer to subpod1 in pod 4 (device 6500-1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps:

Step 1  Start the nondisruptive GOLD diagnostic test for port 3 on module 3. Observe the output to see which GOLD tests have been run and which have been skipped.

6500-1#diagnostic start module 3 test non-disruptive port 3
6500-1#
03:51:41: %DIAG-SP-6-TEST_RUNNING: Module 3: Running TestTxPathMonitoring{ID=2} ...
03:51:41: %DIAG-SP-6-TEST_OK: Module 3: TestTxPathMonitoring{ID=2} has completed successfully
03:51:41: %DIAG-SP-6-TEST_RUNNING: Module 3: Running TestSynchedFabChannel{ID=3} ...
03:51:41: %DIAG-SP-6-TEST_OK: Module 3: TestSynchedFabChannel{ID=3} has completed successfully
03:51:41: %DIAG-SP-6-TEST_RUNNING: Module 3: Running TestFirmwareDiagStatus{ID=9} ...
03:51:41: %DIAG-SP-6-TEST_OK: Module 3: TestFirmwareDiagStatus{ID=9} has completed successfully
03:51:41: %DIAG-SP-6-TEST_RUNNING: Module 3: Running TestAsicSync{ID=10} ...
03:51:41: %DIAG-SP-6-TEST_OK: Module 3: TestAsicSync{ID=10} has completed successfully
03:51:41: %DIAG-SP-6-TEST_RUNNING: Module 3: Running TestUnusedPortLoopback{ID=11} ...
03:51:41: %DIAG-SP-3-TEST_SKIPPED: Module 3: TestUnusedPortLoopback{ID=11} is skipped
03:51:41: %DIAG-SP-6-TEST_RUNNING: Module 3: Running TestOBFL{ID=12} ...
03:51:41: %DIAG-SP-6-TEST_OK: Module 3: TestOBFL{ID=12} has completed successfully
03:51:41: %DIAG-SP-6-TEST_RUNNING: Module 3: Running TestErrorCounterMonitor{ID=13} ...
03:51:41: %DIAG-SP-6-TEST_OK: Module 3: TestErrorCounterMonitor{ID=13} has completed successfully
03:51:41: %DIAG-SP-6-TEST_RUNNING: Module 3: Running TestPortTxMonitoring{ID=14} ...
03:51:41: SP: Module 3:TestPortTxMonitoring is supported only in Health Monitoring test
03:51:41: %DIAG-SP-3-TEST_SKIPPED: Module 3: TestPortTxMonitoring{ID=14} is skipped

Step 2  Examine the result of TestErrorCounterMonitor.

6500-1#show diagnostic result module 3 test TestErrorCounterMonitor detail
Current bootup diagnostic level: minimal
Test results: (. = Pass, F = Fail, U = Untested)
___________________________________________________________________________
 13) TestErrorCounterMonitor ---------------> .
          Error code ------------------> 0 (DIAG_SUCCESS)
          Total run count -------------> 433
          Last test execution time ----> Mar 21 2008 19:47:38
          First test failure time -----> n/a
          Last test failure time ------> n/a
          Last test pass time ---------> Mar 21 2008 19:47:38
          Total failure count ---------> 0
          Consecutive failure count ---> 0
          Error Records --------------->

Step 3  Run the overall system diagnostic test and observe the output.
Note: The diagnostic start system test all command starts the comprehensive system tests. To stop the tests, use the diagnostic stop system test all command.

6500-1#diagnostic start system test all
WARNING:
'diagnostic start system test all' will disrupt normal system operation.
The system requires RESET after the command 'diagnostic start system test all'
has completed prior to normal use.
IMPORTANT:
1. DO NOT INSERT, OIR, or POWER DOWN Linecards or Supervisor while system test is running.
2. DO NOT ISSUE ANY DIAGNOSTIC COMMAND except "diagnostic stop system test all" while system test is running.
3. PLEASE MAKE SURE no traffic is running in background.
Do you want to continue? [no]: y
6500-1#
03:59:16: %DIAG-SP-6-TEST_RUNNING: Module 1: Running TestFirmwareDiagStatus{ID=2} ...
03:59:16: %DIAG-SP-6-TEST_OK: Module 1: TestFirmwareDiagStatus{ID=2} has completed successfully
03:59:16: %DIAG-SP-6-TEST_RUNNING: Module 1: Running TestAsicSync{ID=3} ...
03:59:16: %DIAG-SP-6-TEST_OK: Module 1: TestAsicSync{ID=3} has completed successfully
03:59:16: %DIAG-SP-6-TEST_RUNNING: Module 1: Running TestEobcStressPing{ID=1} ...
03:59:16: SP: * WARNING:
03:59:16: SP: * EOBC Stress Ping test on module 1 may take up to 3min
03:59:16: SP: * During this time, please DO NOT perform packet switching on the module
03:59:16: SP:
03:59:26: %DIAG-SP-6-TEST_OK: Module 1: TestEobcStressPing{ID=1} has completed successfully
03:59:27: %DIAG-SP-6-TEST_RUNNING: Module 2: Running TestPortASICLoopback{ID=1} ...
03:59:27: SP: komodo_plus_test_loopback [2]: On-Demand test is not allowed
03:59:27: %DIAG-SP-3-TEST_SKIPPED: Module 2: TestPortASICLoopback{ID=1} is skipped
03:59:27: %DIAG-SP-6-TEST_RUNNING: Module 2: Running TestPCLoopback{ID=2} ...
03:59:27: SP: komodo_plus_test_loopback [2]: On-Demand test is not allowed
03:59:27: %DIAG-SP-3-TEST_SKIPPED: Module 2: TestPCLoopback{ID=2} is skipped
03:59:27: %DIAG-SP-6-TEST_RUNNING: Module 2: Running TestNetflowInlineRewrite{ID=3} ...
03:59:27: %DIAG-SP-3-TEST_SKIPPED: Module 2: TestNetflowInlineRewrite{ID=3} is skipped
03:59:27: %DIAG-SP-6-TEST_RUNNING: Module 2: Running TestSynchedFabChannel{ID=4} ...
03:59:27: %DIAG-SP-6-TEST_OK: Module 2: TestSynchedFabChannel{ID=4} has completed successfully
03:59:27: %DIAG-SP-6-TEST_RUNNING: Module 2: Running TestFirmwareDiagStatus{ID=6} ...
03:59:27: %DIAG-SP-6-TEST_OK: Module 2: TestFirmwareDiagStatus{ID=6} has completed successfully
03:59:27: %DIAG-SP-6-TEST_RUNNING: Module 2: Running TestAsicSync{ID=7} ...
03:59:27: %DIAG-SP-6-TEST_OK: Module 2: TestAsicSync{ID=7} has completed successfully
03:59:27: %DIAG-SP-6-TEST_RUNNING: Module 2: Running TestErrorCounterMonitor{ID=8} ...
<...rest of the output omitted...>

Step 4  Run the automated system configuration check and observe the output.

6500-1#show diagnostic sanity
The boot string is empty. Please enter a valid boot string

UDLD has been disabled globally - port-level UDLD sanity checks are being bypassed.

The following ports with mode set to desirable are not trunking:
Gi3/3

The following ports have portfast enabled:
Gi3/3

The following ports have receive flow control disabled:
Gi3/1, Gi3/2, Gi3/3, Gi3/4, Gi3/5, Gi3/6, Gi3/7, Gi3/8, Gi3/9, Gi3/10, Gi3/11, Gi3/12, Gi3/13, Gi3/14, Gi3/15, Gi3/16, Gi3/17, Gi3/18, Gi3/19, Gi3/20, Gi3/21, Gi3/22, Gi3/23, Gi3/24, Gi3/25, Gi3/26, Gi3/27, Gi3/28, Gi3/29, Gi3/30, Gi3/31, Gi3/32, Gi3/33, Gi3/34, Gi3/35, Gi3/36, Gi3/37, Gi3/38, Gi3/39, Gi3/40, Gi3/41, Gi3/42, Gi3/43, Gi3/44, Gi3/45, Gi3/46, Gi3/47, Gi3/48, Gi5/1, Gi5/2, Gi5/3, Te5/4, Te5/5

The following interfaces have a duplex mismatch:
Gig 3/13, Gig 3/14

Please check the status of the following modules:
2,2,4,6

The Module 5 failed the following tests:
TestCFRW

Task 4: Deploying Call Home Functionality

In this task, you will configure the Call Home functionality.
Note: The steps and printouts refer to subpod1 in pod 4 (device 6500-1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps:

Step 1 Define the Call Home contact information using the following list:
■ Contact e-mail: [email protected]
■ Phone number: n/a
■ Street address: 1 Acme rd
■ Customer ID: Acme001
■ Site ID: AcmeCentralLocation

Step 2 Define and activate the profile named PR-ACME using the following information:
■ Transport method: e-mail
■ Destination e-mail: [email protected]
■ Preferred message format: long-text

Step 3 Verify the profile configuration.

6500-1#show call-home profile PR-ACME
Profile Name: PR-ACME
    Profile status: ACTIVE
    Preferred Message Format: long-text
    Message Size Limit: 3145728 Bytes
    Transport Method: email
    Email address(es): joe@acme.com
    HTTP address(es): Not yet set up

    Alert-group               Severity
    ------------------------  ------------
    N/A                       N/A

    Syslog-Pattern            Severity
    ------------------------  ------------
    N/A                       N/A

Step 4 Subscribe the created profile to all alert groups, set the mail server address to 10.P.11.10 (where "P" is your pod number), and start the Call Home service.

Activity Verification

You have completed this task when you attain these results:

Step 1 Check the created Call Home profile operation by creating a configuration change event. Notice that the sending of e-mail will not succeed, since the mail server specified (10.P.11.10, where "P" is your pod number) does not exist.

6500-1#call-home send alert-group configuration profile PR-ACME
Sending configuration info call-home message ...
Please wait. This may take some time ...
04:16:22: %CALL_HOME-3-SMTP_SEND_FAILED: Unable to send notification using all SMTP servers (ERR 6, error in reply from SMTP server)

Lab 1-6: Deploying SPAN

SPAN, RSPAN, and ERSPAN sessions allow the network administrator to monitor and analyze traffic locally or remotely.
Activity Objective

In this activity, you will configure a SPAN and an RSPAN session to monitor traffic on a certain interface. After completing this activity, you will be able to meet these objectives:
■ Configure and use the SPAN session
■ Configure and use the RSPAN session
■ Verify SPAN and RSPAN configuration

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Lab 1-6 topology; legend: X = switch number (1, 2), Y = server number (1, 3), Z = PC number (1, 6)]

The pod with the equipment for this lab exercise is divided into two independent subpods with the following devices and VLANs:
■ Subpod1: 6500-1, 4900-1, PC1, Server1 and VLANs: 11, 13
■ Subpod2: 6500-2, 4900-2, PC6, Server3 and VLANs: 21, 23

Divide into subgroups in each pod to complete the following tasks.

Note: Throughout the lab exercise the steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

IP Addressing

The IP addressing scheme in the following table lists the IP addresses of the PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces and Layer 3 physical interfaces, where "P" is your pod number.
Pod Addressing

Device    IP Subnet    Subnet Mask   Device IP     Default Gateway   VLAN
PC1       10.P.13.0    /24           10.P.13.25    10.P.13.1         13
PC6       10.P.23.0    /24           10.P.23.25    10.P.23.1         23
Server1   10.P.11.0    /24           10.P.11.10    10.P.11.1         11
                                     10.P.11.20
                                     10.P.11.30
                                     10.P.11.40
Server3   10.P.21.0    /24           10.P.21.10    10.P.21.1         21
                                     10.P.21.20
                                     10.P.21.30
                                     10.P.21.40

Device    VLAN   IP Subnet    Subnet Mask   Device IP
6500-1    11     10.P.11.0    /24           10.P.11.1
6500-1    13     10.P.13.0    /24           10.P.13.1
6500-2    21     10.P.21.0    /24           10.P.21.1
6500-2    23     10.P.23.0    /24           10.P.23.1

Required Resources

These are the resources and equipment required to complete this activity:
■ Two (2) Cisco Catalyst 6500 Series Switches
■ Two (2) Cisco Catalyst 6500 Series Switch Ethernet modules
■ Two (2) Cisco Catalyst 6500 Series Switch Supervisor 720-10G-3C modules
■ Two (2) Cisco Catalyst 4948 Switches
■ Two (2) Microsoft Windows XP clients
■ Two (2) Microsoft Windows 2003 servers

Command List

The table describes the commands that are used in this activity.

Command                                                                        Description
monitor session 1 source {interface interface | remote vlan rspan-vlan} both   Define a source for the SPAN or RSPAN session
monitor session 1 destination {interface interface | remote vlan rspan-vlan}   Define a destination for the SPAN or RSPAN session
vlan number                                                                    Define a Layer 2 VLAN
remote-span                                                                    Dedicate the VLAN to RSPAN

Task 1: Removing Previous Configurations

Ensure that no previous configuration exists on the switches in your pod and apply the initial configurations to the devices. The initial configuration includes settings for the Layer 2 interfaces used (trunking, access VLAN set, etc.), VLAN configuration, Layer 3 VLAN configuration, correct power scheme, etc. The initial configurations are available on the individual device file system as specified in the following steps.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1).
However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps on each switch in your pod:

Step 1 Connect to the 6500-1 switch via console and apply the following:
■ Replace the current running configuration with the configuration from file disk0:dcni1_lab16_6500-1 using the configure replace disk0:dcni1_lab16_6500-1 command. When asked to proceed press Y.
■ Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
■ Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.

Step 2 Connect to the 4900-1 switch via console and apply the following:
■ Replace the current running configuration with the configuration from file bootflash:dcni1_lab16_4900-1 using the configure replace bootflash:dcni1_lab16_4900-1 command. When asked to proceed press Y.

Activity Verification

You have completed this task when you attain these results:

Step 1 On the 6500-1 switch verify that you have connectivity to the following:
■ PC1 at 10.P.13.25 (where "P" is your pod number)
■ Server1 at 10.P.11.10 (where "P" is your pod number)

You should see results similar to the following printouts.

Note: The following printouts show results of a ping conducted on pod 4.

6500-1#ping 10.4.13.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
6500-1#ping 10.4.11.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.11.10, timeout is 2 seconds:
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Task 2: Configuring SPAN

In this task you will create a SPAN session and monitor traffic with the Wireshark protocol analyzer application.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps:

Step 1 Create a SPAN session on 6500-1 using the following information:
■ SPAN session number = 1
■ SPAN session source = GigabitEthernet3/13
■ SPAN session destination = GigabitEthernet3/3
■ Monitor received and transmitted traffic

Step 2 Start a continuous ping from Server1 to 6500-1 and open a Telnet session from Server1 to 6500-1. Do not close the session.

Step 3 Connect to PC1 and run the Wireshark application. Choose Capture > Interfaces and choose the interface where the packet count is incrementing. After a couple of seconds press the Stop button to examine the captured traffic. Examine the traffic captured; you should be able to see the information from OSI Layers 1, 2, 3, and 4 and also the content of the individual packets. The output should be similar to the following picture.

[Figure: Wireshark capture window]

Step 4 Disable and remove the SPAN session from the 6500-1 configuration.

Step 5 Stop the Telnet session and the ping on Server1.

Task 3: Configuring RSPAN

In this task you will create an RSPAN session and monitor traffic with the Wireshark protocol analyzer application.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.
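The following is an added worked configuration for Task 2 (local SPAN) and for the RSPAN sessions of Task 3 that follows; it is not part of the lab guide. Interface and VLAN numbers are the ones the two tasks specify (Gi3/13, Gi3/3, Gi1/1, VLAN 99). The RSPAN VLAN name and the assumption that VLAN 99 is allowed on the Gi3/13 trunk between 4900-1 and 6500-1 are mine.

```cisco
! Added example: SPAN (Task 2) and RSPAN (Task 3) for subpod1, pod 4.
! Not from the lab guide; VLAN name and trunk assumption are mine.
!
! ---- Task 2: local SPAN on 6500-1 ----
! Copy both directions of Gi3/13 (the trunk towards 4900-1) to Gi3/3 (PC1).
configure terminal
 monitor session 1 source interface GigabitEthernet3/13 both
 monitor session 1 destination interface GigabitEthernet3/3
end
show monitor session 1
!
! Task 2 Step 4: remove the session once the capture is finished so the
! PC port stops receiving a copy of the trunk traffic.
configure terminal
 no monitor session 1
end
!
! ---- Task 3: RSPAN ----
! The RSPAN VLAN must be created, marked remote-span, on every switch in
! the path (4900-1 and 6500-1) and be allowed on the trunk between them.
configure terminal
 vlan 99
  name RSPAN-VLAN
  remote-span
 exit
end
!
! 4900-1: source session, mirrors Gi1/1 into VLAN 99
configure terminal
 monitor session 1 source interface GigabitEthernet1/1 both
 monitor session 1 destination remote vlan 99
end
!
! 6500-1: destination session, takes VLAN 99 off the trunk and delivers
! it to PC1 on Gi3/3
configure terminal
 monitor session 1 source remote vlan 99
 monitor session 1 destination interface GigabitEthernet3/3
end
show monitor session 1
```

Because an RSPAN VLAN is flooded, every trunk that carries VLAN 99 delivers the mirrored traffic; prune it from trunks that do not lead to the analyzer (switchport trunk allowed vlan) so that copies of server and management sessions reach only the intended capture port.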
Activity Procedure

Complete these steps:

Step 1 Create a source RSPAN session on 4900-1 using the following information:
■ SPAN session number = 1
■ SPAN session source = GigabitEthernet1/1
■ SPAN session destination = VLAN 99
■ Monitor received and transmitted traffic

Step 2 Create a destination RSPAN session on 6500-1 using the following information:
■ SPAN session number = 1
■ SPAN session source = VLAN 99
■ SPAN session destination = GigabitEthernet3/3

Step 3 Start a continuous ping from Server1 to 6500-1 and open a Telnet session from Server1 to 6500-1. Do not close the session.

Step 4 Connect to PC1 and run the Wireshark application. Choose Capture > Interfaces and choose the interface where the packet count is incrementing. After a couple of seconds press the Stop button.

Step 5 Examine the traffic captured; you should be able to see the information from OSI Layers 1, 2, 3, and 4 and also the content of the individual packets. The output should be similar to the following picture.

[Figure: Wireshark capture window]

Lab 2-1: Deploying the FWSM in Transparent Mode

In this lab activity the Catalyst 6500 Series FWSM in transparent mode will be deployed.

Activity Objective

In this activity, you will configure the Catalyst 6500 Series FWSM in transparent mode. After completing this activity, you will be able to meet these objectives:
■ Configure the Cisco Catalyst 6500 Series Switch to support an FWSM
■ Designate FWSM interface characteristics
■ Configure IP address and routing on the FWSM
■ Configure permitted traffic patterns
■ Use client systems to demonstrate access to resources through the FWSM

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Lab 2-1: Deploying the FWSM in Transparent Mode; legend: X = switch number (1, 2), Y = server number (1, 3), Z = PC number (1, 6)]

The pod with the equipment for this lab exercise is divided into two independent subpods with the following devices and VLANs:
■ Subpod1: 6500-1, 4900-1, PC1, Server1 and VLANs: 10, 11, 13
■ Subpod2: 6500-2, 4900-2, PC6, Server3 and VLANs: 20, 21, 23

Divide into subgroups in each pod to complete the following tasks.

Note: Throughout the lab exercise the steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1, FWSM). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

IP Addressing

The IP addressing scheme in the following table lists the IP addresses of the PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces and Layer 3 physical interfaces, where "P" is your pod number.
Pod Addressing

Device    IP Subnet    Subnet Mask   Device IP     Default Gateway   VLAN
PC1       10.P.13.0    /24           10.P.13.25    10.P.13.1         13
PC6       10.P.23.0    /24           10.P.23.25    10.P.23.1         23
Server1   10.P.11.0    /24           10.P.11.10    10.P.11.1         11
                                     10.P.11.20
                                     10.P.11.30
                                     10.P.11.40
Server3   10.P.21.0    /24           10.P.21.10    10.P.21.1         21
                                     10.P.21.20
                                     10.P.21.30
                                     10.P.21.40

Device    VLAN   IP Subnet    Subnet Mask   Device IP
6500-1    10     10.P.11.0    /24           10.P.11.1
6500-1    13     10.P.13.0    /24           10.P.13.1
FWSM-1    11     10.P.11.0    /24           10.P.11.2
6500-2    20     10.P.20.0    /24           10.P.20.1
6500-2    23     10.P.23.0    /24           10.P.23.1
FWSM-2    21     10.P.21.0    /24           10.P.21.2

Required Resources

These are the resources and equipment required to complete this activity:
■ Two (2) Cisco Catalyst 6500 Series Switches
■ Two (2) Cisco Catalyst 6500 Series Switch Ethernet modules
■ Two (2) Cisco Catalyst 6500 Series Switch Supervisor 720-10G-3C modules
■ Two (2) Cisco Catalyst 6500 FWSM service modules
■ Two (2) Cisco Catalyst 4948 Switches
■ Two (2) Microsoft Windows XP clients
■ Two (2) Microsoft Windows 2003 servers

Command List

The table describes the commands used in this activity.
Command                               Description
config t                              Enter global configuration mode
vlan x                                Configure a VLAN
name xyz                              Configure an administrative name for the VLAN
int type slot/port                    Enter interface sub-configuration mode
switchport                            Configure an interface as a switchport
switchport mode access                Configure the switchport as an access port
switchport access vlan x              Configure the associated VLAN
no shut                               Administratively enable an interface
ip address x.x.x.x y.y.y.y            Configure an IP address and subnet mask
show interface status                 Show the status of interfaces
show vlan brief                       Display a brief VLAN listing
show interface ip brief               Display the IP interface details in brief
ping                                  Verify connectivity using PING
firewall vlan-group x vlan_no         Configure a firewall VLAN group and associated VLANs
firewall module x vlan-group x        Associate a firewall VLAN group with an FWSM module
show interface status module x        Show the status of interfaces on a specific module
show vlan brief                       Display a brief VLAN listing
show firewall vlan-group              Display the firewall VLAN group configuration
show firewall module                  Display the firewall module configuration
session slot x processor 1            Open a session to the FWSM
firewall transparent                  Configure the firewall mode
nameif xyz                            Configure the interface name
security-level xy                     Configure the interface security level
bridge-group x                        Configure the bridge-group association
show firewall                         Display the firewall mode
show nameif                           Display the named interfaces
show interface                        Display the interface details
route outside 0 0 x.x.x.x             Configure a default route
Command                                                            Description
show ip address                                                    Display the IP addresses in use
show interface ip brief                                            Display the IP interface details in brief
access-list xyz extended permit/deny protocol source destination   Configure an extended ACL
access-group xyz in/out interface nameif                           Associate the ACL group with an interface
show access-list                                                   Display the ACL configuration
show running-config access-group                                   Display the access-group configuration
ping                                                               Verify connectivity using PING
show connections                                                   Display active connections
port-channel load-balance type                                     Configure the port-channel load-balancing type
clear xlate                                                        Clear the current translation table
show route                                                         Display the IP route

Task 1: Removing Previous Configurations

Ensure that no previous configuration exists on the switches in your pod and apply the initial configurations to the devices. The initial configuration includes settings for the Layer 2 interfaces used (trunking, access VLAN set, etc.), VLAN configuration, Layer 3 VLAN configuration, correct power scheme, etc. The initial configurations are available on the individual device file system as specified in the following steps.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps on each switch in your pod:

Step 1 Connect to the 6500-1 switch via console and apply the following:
■ Replace the current running configuration with the configuration from file disk0:dcni1_lab21_6500-1 using the configure replace disk0:dcni1_lab21_6500-1 command. When asked to proceed press Y.
■ Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
■ Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.
Step 2 Connect to the 4900-1 switch via console and apply the following:
■ Replace the current running configuration with the configuration from file bootflash:dcni1_lab21_4900-1 using the configure replace bootflash:dcni1_lab21_4900-1 command. When asked to proceed press Y.

Activity Verification

You have completed this task when you attain these results:

Step 1 On the 6500-1 switch verify that you have connectivity to the following:
■ PC1 at 10.P.13.25 (where "P" is your pod number)
■ Server1 at 10.P.11.10 (where "P" is your pod number)

You should see results similar to the following printouts.

Note: The following printouts show results of a ping conducted on pod 4.

6500-1#ping 10.4.13.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
6500-1#ping 10.4.11.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.11.10, timeout is 2 seconds:
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Task 2: Configuring Cisco Catalyst 6500 Series Switch Switching Functions

In this task, you will configure the Cisco Catalyst 6500 Series Switch to support an FWSM.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1, FWSM). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete the following steps on 6500-1:

Step 1 Remove the Layer 3 VLAN 11 interface.

Step 2 Configure VLAN 10 and name it Outside.

Step 3 Create a VLAN interface in VLAN 10 with an IP address of 10.P.11.1, where "P" is your pod number.

Step 4 Create a firewall VLAN group.

Step 5 Assign the VLAN group to the FWSM in slot 2.

Task 3: Configuring FWSM Interfaces

In this task, you will define FWSM interface characteristics.
Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1, FWSM). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete the following steps:

Step 1 In the EXEC mode on 6500-1, open a session with the FWSM in slot 2. The password is "cisco," which is the default value.

Step 2 Enter the enable mode and press Enter at the password prompt.

Step 3 Confirm that your firewall is currently in single context mode.

Security context mode: single
The flash mode is the SAME as the running mode

Step 4 Enter FWSM configuration mode.

Step 5 Delete the existing configuration with the clear config all command.

Step 6 Delete any existing configuration files on the disk: with the delete /noconfirm disk:* command.

Step 7 Reload the FWSM. Upon reload you will be disconnected from the FWSM.

Step 8 When the FWSM reloads, open a session with the FWSM again from the switch.

Step 9 Configure the firewall to operate in transparent mode.

Step 10 Name the interfaces used by the firewall and define the security level.

Activity Verification

You have completed this task when you attain these results:

Step 1 Display the firewall mode.

FWSM#show firewall
Firewall mode: Transparent

Step 2 Show the named interfaces.

FWSM#show nameif
Interface    Name       Security
Vlan10       outside    0
Vlan11       inside     100

Step 3 Display details of the configured interfaces.

FWSM#show interface
Interface Vlan10 "outside", is up, line protocol is up
  Hardware is EtherSVI
  MAC address 000d.29f3.2580, MTU 1500
  IP address unassigned
  Traffic Statistics for "outside":
    0 packets input, 0 bytes
    0 packets output, 0 bytes
    0 packets dropped
Interface Vlan11 "inside", is up, line protocol is up
  Hardware is EtherSVI
  MAC address 000d.29f3.2580, MTU 1500
  IP address unassigned
  Traffic Statistics for "inside":
    0 packets input, 0 bytes
    0 packets output, 0 bytes
    0 packets dropped

Task 4: Configuring IP Parameters

In this task, you will configure IP address and routing parameters on the FWSM for management purposes.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1, FWSM). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete the following steps on the FWSM:

Step 1 Assign interfaces VLAN 10 and 11 to bridge-group 1.

Step 2 Assign a management IP address to the FWSM bridge-group. Use an IP address of 10.P.11.2, where "P" is your pod number.

Step 3 Configure a default route pointing all traffic to the gateway at 10.P.11.1, where "P" is your pod number.

Activity Verification

You have completed this task when you attain these results:

Step 1 Display the IP addresses in use by the FWSM.

FWSM#show ip address
Management System IP Address:
        ip address 10.1.11.2 255.255.255.0
Management Current IP Address:
        ip address 10.1.11.2 255.255.255.0

Step 2 Display the list of IP interfaces. Because you are in transparent mode, the management IP address is listed on both VLAN interfaces.

FWSM#show interface ip brief
Interface              IP-Address      OK? Method Status    Protocol
GigabitEthernet0       unassigned      YES unset  up        up
GigabitEthernet1       unassigned      YES unset  up        up
Vlan10                 10.1.11.2       YES unset  up        up
Vlan11                 10.1.11.2       YES unset  up        up
EOBC0                  127.0.0.21      YES CONFIG up        up
BVI1                   unassigned      YES unset  up        up

Step 3 Display detailed information about the interfaces present in the FWSM. Notice that the management IP address is now assigned to each of the VLAN interfaces.
FWSM#show interface
Interface Vlan10 "outside", is up, line protocol is up
  Hardware is EtherSVI
  MAC address 000d.29f3.2580, MTU 1500
  IP address 10.1.11.2, subnet mask 255.255.255.0
  Traffic Statistics for "outside":
    1838 packets input, 0 bytes
    28 packets output, 1904 bytes
    0 packets dropped
Interface Vlan11 "inside", is up, line protocol is up
  Hardware is EtherSVI
  MAC address 000d.29f3.2580, MTU 1500
  IP address 10.1.11.2, subnet mask 255.255.255.0
  Traffic Statistics for "inside":
    40 packets input, 2244 bytes
    43 packets output, 3036 bytes
    0 packets dropped
Interface BVI1 "", is up, line protocol is up
  Hardware is Available but not configured via nameif
  MAC address 000d.29f3.2580, MTU not set
  IP address 10.1.11.2, subnet mask 255.255.255.0

Step 4 Display the routing table.

FWSM#show route
S    0.0.0.0 0.0.0.0 [1/0] via 10.1.11.1, outside

Task 5: Configuring Network Access

In this task, you will configure permitted traffic patterns.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1, FWSM). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete the following steps on the FWSM:

Step 1 Create an ACL named "allow-in" that permits ICMP traffic from 10.P.13.25 to 10.P.11.10, where "P" is your pod number.

Note: As each ACL is defined, you will receive the following message as the FWSM auto-commits the ACL changes:
Access Rules Download Complete: Memory Utilization: < 1%.

Step 2 Add another line to the allow-in ACL that permits any host to access the web server at 10.P.11.20, where "P" is your pod number.

Step 3 Create an ACL called "allow-out" that permits any IP traffic.

Step 4 Use the allow-in ACL to control traffic received from the outside interface.

Step 5 Use the allow-out ACL to control traffic received from the inside interface.
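The following is an added worked configuration covering Tasks 2 through 5 of this lab (switch side and FWSM side) with P=4; it is not the lab guide's own solution. Addresses, interface names, security levels and ACL contents follow the task steps and the verification printouts above. The VLAN name, the firewall VLAN group number (1), the FWSM 3.x interface bvi syntax for the bridge-group address, and the load-balance keyword used for the later Task 6 step are my assumptions.

```cisco
! Added example: Lab 2-1 transparent-mode FWSM, subpod1, pod 4 (P=4).
! Not from the lab guide; group number, VLAN name, BVI syntax and the
! Task 6 load-balance keyword are assumptions.
!
! ===== 6500-1 (Task 2: switching functions) =====
configure terminal
 ! Step 1: the Layer 3 VLAN 11 interface moves behind the firewall
 no interface Vlan11
 ! Step 2
 vlan 10
  name Outside
 exit
 ! Step 3: the switch keeps 10.4.11.1, now on the outside VLAN. In
 ! transparent mode VLAN 10 and VLAN 11 share the 10.4.11.0/24 subnet.
 interface Vlan10
  ip address 10.4.11.1 255.255.255.0
  no shutdown
 exit
 ! Steps 4-5: hand VLANs 10 and 11 to the FWSM in slot 2
 firewall vlan-group 1 10,11
 firewall module 2 vlan-group 1
 ! Task 6 Step 10 (later in this lab): hash on Layer 4 ports as well so
 ! flows from one client spread across both FWSM network processors
 port-channel load-balance src-dst-port
end
session slot 2 processor 1
!
! ===== FWSM (Tasks 3-5), after clear config all and reload =====
configure terminal
 firewall transparent
 ! Task 3 Step 10 and Task 4 Step 1: names, trust levels, bridge group
 interface vlan 10
  nameif outside
  security-level 0
  bridge-group 1
 interface vlan 11
  nameif inside
  security-level 100
  bridge-group 1
 ! Task 4 Step 2: management address on the bridge-group interface
 interface bvi 1
  ip address 10.4.11.2 255.255.255.0
 ! Task 4 Step 3: default route for management traffic
 route outside 0.0.0.0 0.0.0.0 10.4.11.1
 ! Task 5: allow-in applies to traffic arriving on outside. Only PC1 may
 ! ping Server1 (.10); any host may reach the web server (.20) on TCP/80;
 ! everything else from outside hits the implicit deny (so Task 6's ping
 ! to .20 and HTTP to .10 fail, as the guide describes).
 access-list allow-in extended permit icmp host 10.4.13.25 host 10.4.11.10
 access-list allow-in extended permit tcp any host 10.4.11.20 eq www
 ! allow-out: inside hosts may initiate anything
 access-list allow-out extended permit ip any any
 access-group allow-in in interface outside
 access-group allow-out in interface inside
end
! Verification commands used in the guide
show firewall
show nameif
show interface ip brief
show route
show access-list
show running-config access-group
```

In transparent mode these extended ACLs only govern IP traffic; ARP is bridged regardless, and any other EtherType that must cross the firewall needs an explicit EtherType access list. The hit counters in show access-list are the quickest way to confirm which line admitted or silently dropped a test flow.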
Activity Verification

You have completed this task when you attain these results:

Step 1 Display the ACLs that have been defined.

FWSM#show access-list
access-list mode auto-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list allow-in; 2 elements
access-list allow-in line 1 extended permit icmp host 10.1.13.25 host 10.1.11.10 (hitcnt=0) 0x5e7cf9b1
access-list allow-in line 2 extended permit tcp any host 10.1.11.20 eq www (hitcnt=0) 0x251ea7f
access-list allow-out; 1 elements
access-list allow-out line 1 extended permit ip any any (hitcnt=0) 0x15201144

Step 2 Display the mapping of ACLs to interfaces.

FWSM#show running-config access-group
access-group allow-in in interface outside
access-group allow-out in interface inside

Task 6: Demonstrating the Firewall

In this task, you will use client systems to demonstrate access to resources through the FWSM.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1, FWSM). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete the following steps:

Step 1 Drop your connection to the FWSM.

Step 2 Connect to PC1 and issue a ping to 10.P.11.10 (where "P" is your pod number), which is the inside server IP address. This ping will succeed.

6500-1#ping 10.1.11.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.11.10, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Step 3 Ping 10.P.11.20 from PC1 (where "P" is your pod number). This ping will fail.

6500-1#ping 10.1.11.20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.11.20, timeout is 2 seconds:
Success rate is 0 percent (0/5)

Step 4 Log in to the FWSM and enter the enable mode.
Remember that the login password defaults to "cisco," and the default enable password is blank.

Step 5 Use Internet Explorer on PC1 in your pod and try to access the site at 10.P.11.10, where "P" is your pod number. This attempt will fail.

Step 6 Use Internet Explorer on PC1 to access the site at 10.P.11.20, where "P" is your pod number. A web page filled with test images will appear.

Step 7 Display the connections active on the FWSM. Notice that all the connections are using the same network processor.

FWSM#show connection
3 in use, 3 most used
Network Processor 1 connections
Network Processor 2 connections
TCP out 10.1.13.25:1452 in 10.1.11.20:80 idle 0:00:05 Bytes 199296 FLAGS - UBOI
TCP out 10.1.13.25:1453 in 10.1.11.20:80 idle 0:00:05 Bytes 199868 FLAGS - UBOI
TCP out 10.1.13.25:1454 in 10.1.11.20:80 idle 0:00:05 Bytes 108120 FLAGS - UBOI

Step 8 Exit from your login session on the FWSM.

Step 9 Enter the configuration mode on the switch.

Step 10 Change the port-channel load-balancing algorithm to include the Layer 4 port address in the hash function input.

Step 11 Log back in to the FWSM and enter enable mode.

Step 12 Display active connections on the FWSM. If any active connections exist, force them to close.

Step 13 Verify that no connections exist.

FWSM#show connection
0 in use, 4 most used
Network Processor 1 connections
Network Processor 2 connections
Multicast sessions:
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections

Step 14 Use Internet Explorer on PC1 to re-retrieve the web page from 10.P.11.20, where "P" is your pod number.

Step 15 Display the connections that are active on the FWSM. Notice that the connections are now more balanced between the Network Processors.

FWSM#show connection
9 in use, 9 most used
Network Processor 1 connections
TCP out 10.1.13.25:... in 10.1.11.20:80 idle 0:00:04 Bytes 12556 FLAGS - UBOI
TCP out 10.1.13.25:... in 10.1.11.20:80 idle 0:00:04 Bytes 8424 FLAGS - UBOI
TCP out 10.1.13.25:... in 10.1.11.20:80 idle 0:00:04 Bytes 118486 FLAGS - UBOI
TCP out 10.1.13.25:... in 10.1.11.20:80 idle 0:00:04 Bytes ... FLAGS - UBOI
TCP out 10.1.13.25:... in 10.1.11.20:80 idle 0:00:04 Bytes 73566 FLAGS - UBOI
Network Processor 2 connections
TCP out 10.1.13.25:1457 in 10.1.11.20:80 idle 0:00:05 Bytes 8202 FLAGS - UBOI
TCP out 10.1.13.25:1458 in 10.1.11.20:80 idle 0:00:05 Bytes 48534 FLAGS - UBOI
TCP out 10.1.13.25:... in 10.1.11.20:80 idle 0:00:05 Bytes 65170 FLAGS - UBOI
TCP out 10.1.13.25:... in 10.1.11.20:80 idle 0:00:05 Bytes 74206 FLAGS - UBOI

Step 16 If you are done verifying and validating the transparent mode, configure the FWSM back to routed mode.

Activity Verification

You have completed this task when you attain these results:

Step 1 Display the status of the Gigabit Ethernet interfaces. Specifically, check the status of the first three interfaces.

6500-1#show interface status module 3
Port     Name    Status       Vlan    Duplex   Speed    Type
Gi3/1            disabled     1       full     auto     10/100/1000BaseT
Gi3/2            disabled     1       full     auto     10/100/1000BaseT
Gi3/3            connected    13      full     auto     10/100/1000BaseT
Gi3/4            disabled     1       full     auto     10/100/1000BaseT
Gi3/5            disabled     1       full     auto     10/100/1000BaseT
Gi3/6            disabled     1       full     auto     10/100/1000BaseT
Gi3/7            disabled     1       full     auto     10/100/1000BaseT
Gi3/8            disabled     1       full     auto     10/100/1000BaseT
Gi3/9            disabled     1       full     auto     10/100/1000BaseT
Gi3/10           disabled     1       full     auto     10/100/1000BaseT
Gi3/11           disabled     1       full     auto     10/100/1000BaseT
Gi3/12           disabled     1       full     auto     10/100/1000BaseT
Gi3/13           connected    trunk   a-full   a-1000   10/100/1000BaseT
<...rest of the output omitted...>

Step 2 Display the VLANs.

6500-1#show vlan brief
VLAN Name        Status    Ports
1    default     active    Gi4/1, Gi4/2, Gi4/3, Gi4/4
                           Gi4/5, Gi4/6, Gi6/2, Gi6/3
                           Gi6/4, Gi6/5, Gi6/6
10   Outside     active
11   Inside      active
13   ClientPC    active    Gi3/3

Step 3 Display the IP interfaces that have been configured.

6500-1#show ip interface brief | exclude unas
Interface    IP-Address    OK? Method Status    Protocol
Vlan10       10.3.11.1     YES manual up        up
Vlan13       10.3.13.1     YES manual up        up

Step 4 Display the firewall VLAN group.

6500-1#show firewall vlan-group
Group    vlans
-----    -----
    2    10,12

Step 5 Display information about the FWSMs in the chassis.

6500-1#show firewall module
Module   Vlan-groups
------   -----------
    02   1

Lab 2-2: Deploying Multiple Contexts on FWSM

In this lab exercise, multiple contexts will be deployed on the Catalyst 6500 Series FWSM.

Activity Objective

In this activity, you will configure multiple security contexts on the Catalyst 6500 Series FWSM. After completing this activity, you will be able to meet these objectives:
■ Configure the Cisco Catalyst 6500 Series Switch to support multiple contexts
■ Create multiple contexts
■ Configure each context
■ Demonstrate access to resources through multiple contexts

Visual Objective

The figure illustrates what you will accomplish in this activity:

[Figure: Lab 2-2: Deploying Multiple Contexts on FWSM]

The pod with the equipment for this lab exercise is divided into two independent subpods with the following devices and VLANs:
■ Subpod1: 6500-1, 4900-1, PC1, Server1, Server2 and VLANs: 10, 11, 12, 13
■ Subpod2: 6500-2, 4900-2, PC6, Server3, Server4 and VLANs: 20, 21, 22, 23

Divide into subgroups in each pod to complete the following tasks.

Note: Throughout the lab exercise the steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1, Server2). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

IP Addressing

The IP addressing scheme in the following table lists the IP addresses of the PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces and Layer 3 physical interfaces, where "P" is your pod number.
Pod Addressing

Device    IP Subnet    Subnet Mask   Device IP     Default Gateway   VLAN
PC1       10.P.13.0    /24           10.P.13.25    10.P.13.1         13
PC6       10.P.23.0    /24           10.P.23.25    10.P.23.1         23
Server1   10.P.11.0    /24           10.P.11.10    10.P.11.1         11
                                     10.P.11.20
                                     10.P.11.30
                                     10.P.11.40
Server2   10.P.12.0    /24           10.P.12.10    10.P.12.1         12
                                     10.P.12.20
                                     10.P.12.30
                                     10.P.12.40
Server3   10.P.21.0    /24           10.P.21.10    10.P.21.1         21
                                     10.P.21.20
                                     10.P.21.30
                                     10.P.21.40
Server4   10.P.22.0    /24           10.P.22.10    10.P.22.1         22
                                     10.P.22.20
                                     10.P.22.30
                                     10.P.22.40

Device                          VLAN   IP Subnet    Subnet Mask   Device IP
6500-1                          10     10.P.10.0    /24           10.P.10.1
6500-1                          13     10.P.13.0    /24           10.P.13.1
Context Test on 6500-1          10     10.P.10.0    /24           10.P.10.2
Context Test on 6500-1          11     10.P.11.0    /24           10.P.11.1
Context Production on 6500-1    10     10.P.10.0    /24           10.P.10.3
Context Production on 6500-1    12     10.P.12.0    /24           10.P.12.1
6500-2                          20     10.P.20.0    /24           10.P.20.1
6500-2                          23     10.P.23.0    /24           10.P.23.1
Context Test on 6500-2          20     10.P.20.0    /24           10.P.20.2
Context Test on 6500-2          21     10.P.21.0    /24           10.P.21.1
Context Production on 6500-2    20     10.P.20.0    /24           10.P.20.3
Context Production on 6500-2    22     10.P.22.0    /24           10.P.22.1

Required Resources

These are the resources and equipment required to complete this activity:
■ Two (2) Cisco Catalyst 6500 Series Switches
■ Two (2) Cisco Catalyst 6500 Series Switch Ethernet modules
■ Two (2) Cisco Catalyst 6500 Series Switch Supervisor 720-10G-3C modules
■ Two (2) Cisco Catalyst 6500 Series Switch Firewall Services Modules
■ Two (2) Cisco Catalyst 4948 Switches
■ Two (2) Microsoft Windows XP clients
■ Four (4) Microsoft Windows 2003 servers

Command List

The table describes the commands used in this activity.

Command                          Description
config t                         Enter global configuration mode
vlan x                           Enter subconfiguration mode
name xyz                         Configure an administrative name for a VLAN
interface vlan vlan_no           Enter subconfiguration mode
ip address x.x.x.x y.y.y.y                Configure an IP address on a VLAN interface
no shut                                   Administratively enable an interface
interface type slot/port                  Enter interface subconfiguration mode
switchport                                Configure an interface as a switchport
switchport mode access                    Configure an interface as an access port
switchport access vlan vlan_no            Configure a VLAN for an access port
firewall vlan-group x vlans               Configure a firewall VLAN group
firewall module x vlan-group no.          Associate a VLAN group with a firewall module
port-channel load-balance type            Configure the port-channel load-balancing type
ip route x.x.x.x y.y.y.y z.z.z.z          Configure a static route
show vlan brief                           Display the VLANs configured on a switch
show ip interface brief                   Show IP interface details in brief
show interface status module x            Show the status of interfaces on a specific module
show firewall vlan-group                  Display the firewall VLAN group details
show ip route                             Display the IP routing table
session slot x processor 1                Open a session to a specific module
mode multiple                             Configure the FWSM for multiple mode
show start                                Display the startup configuration
dir disk:                                 Display the contents of the disk: file system
more disk:/context_name                   Display the configuration file for a specific context
context admin                             Configure a context
allocate-interface x (nameif)             Allocate interfaces to a context
config-url disk:/context_name             Set a configuration URL for a context
show context (detail)                     Display the context details
changeto context context_name             Change to a specific context
interface x                               Enter interface subconfiguration mode
nameif xyz                                Configure a name for an interface
security-level n                          Configure the security level for an interface
ip address x.x.x.x y.y.y.y                Configure an IP address for an interface
http x.x.x.x y.y.y.y nameif               Enable HTTP server access via a management interface
http server enable                        Enable the HTTP server
aaa authentication protocol/command
  console LOCAL                           Configure AAA authentication
username name password password
  privilege level                         Configure a username, password and privilege level
route nameif 0 0 x.x.x.x                  Configure a static route
show interface ip brief                   Display the IP interface details in brief
copy running-config startup-config        Save the running configuration to NVRAM
access-list name permit/deny protocol
  source destination                      Configure an ACL
access-group name in/out interface nameif Associate an ACL with an interface
static (nameif,nameif) x.x.x.x x.x.x.x
  netmask y.y.y.y                         Configure identity NAT
policy-map global_policy
  class inspection_default
    inspect protocol                      Configure inspection engines
show interface                            Display details of interfaces
show route                                Display the routes
show access-list                          Display the ACL configuration
show running-config access-group          Display the access-group configuration
show running-config static                Display the identity NAT configuration
show connections                          Display the active connections
show xlate                                Display the translation table

Task 1: Removing Previous Configurations

Ensure that no previous configuration exists on the switches in your pod and apply the initial configurations to the devices.
The initial configuration includes settings for the Layer 2 interfaces used (trunking, access VLAN set, etc.), VLAN configuration, Layer 3 VLAN configuration, correct power scheme, etc. The initial configurations are available on the individual device file system as specified in the following steps.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Procedure

Complete these steps on each switch in your pod:

Step 1 Connect to the 6500-1 switch via console and apply the following:

- Replace the current running configuration with the configuration from file disk0:dcni1_lab22_6500-1 using the configure replace disk0:dcni1_lab22_6500-1 command. When asked to proceed, press Y.
- Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
- Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.

Step 2 Connect to the 4900-1 switch via console and apply the following:

- Replace the current running configuration with the configuration from file bootflash:dcni1_lab22_4900-1 using the configure replace bootflash:dcni1_lab22_4900-1 command. When asked to proceed, press Y.

Step 3 In the EXEC mode on 6500-1, open a session with the FWSM in slot 2. The password is "cisco," which is the default value.

Step 4 Enter the enable mode and press Enter at the password prompt.

Step 5 Enter FWSM configuration mode.

Step 6 Delete the existing configuration with the clear config all command.

Step 7 Delete any existing configuration files on the disk: with the delete /noconfirm disk:* command.

Step 8 Reload the FWSM.
Upon reload you will be disconnected from the FWSM.

Activity Verification

You have completed this task when you attain these results:

Step 1 On the 6500-1 switch, verify that you have connectivity to the following:

- PC1 at 10.P.13.25 (where "P" is your pod number)
- Server1 at 10.P.11.10 (where "P" is your pod number)

You should see results similar to the following printouts.

Note: The following printouts show results of a ping conducted on pod 4.

6500-1#ping 10.4.13.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

6500-1#ping 10.4.11.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.11.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Task 2: Configuring Cisco Catalyst 6500 Series Switch Switching Functions

In this task, you will configure the Cisco Catalyst 6500 Series Switch to support multiple contexts on the FWSM.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete the following steps:

Step 1 Connect to 6500-1.

Step 2 Create VLAN 10 named "outside," VLAN 11 named "testing" and VLAN 12 named "production."

Step 3 Delete Layer 3 interfaces VLAN 11 and VLAN 12 if they exist.

Step 4 Create an MSFC interface in VLAN 10 and give it an IP address of 10.P.10.1/24, where "P" is your pod number.

Step 5 Assign VLANs 10, 11, and 12 to the FWSM in module 2.

Step 6 Configure port-channel load balancing to include Layer 4 port numbers in the hash function.

Step 7 Configure the router to send traffic for the 10.P.11.0/24 subnet to IP address 10.P.10.2, where "P" is your pod number.
Step 8 Configure the router to send traffic for the 10.P.12.0/24 subnet to IP address 10.P.10.3, where "P" is your pod number.

Activity Verification

You have completed this task when you attain these results:

Step 1 Display the VLANs configured on the switch.

6500-1#show vlan brief
VLAN Name                             Status    Ports
1    default                          active
10   outside                          active
11   testing                          active
12   production                       active
13   Pc-Client                        active    Gi3/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

Step 2 Display the IP interfaces.

6500-1#show ip interface brief | exclude unassigned
Interface  IP-Address  OK? Method Status  Protocol
Vlan10     10.1.10.1   YES manual up      up
Vlan13     10.1.13.1   YES NVRAM  up      up

Step 3 Display the status of interfaces on the Ethernet module.

6500-1#show interface status module 3
Port     Name   Status     Vlan  Duplex Speed Type
Gi3/1           disabled   1     full   auto  10/100/1000BaseT
Gi3/2           disabled   1     full   auto  10/100/1000BaseT
Gi3/3           connected  13    full   auto  10/100/1000BaseT
Gi3/4           disabled   1     full   auto  10/100/1000BaseT
Gi3/5           disabled   1     full   auto  10/100/1000BaseT
Gi3/6           disabled   1     full   auto  10/100/1000BaseT
Gi3/7           disabled   1     full   auto  10/100/1000BaseT
Gi3/8           disabled   1     full   auto  10/100/1000BaseT
Gi3/9           disabled   1     full   auto  10/100/1000BaseT
Gi3/10          disabled   1     full   auto  10/100/1000BaseT
Gi3/11          disabled   1     full   auto  10/100/1000BaseT
<...rest of the output omitted...>

Step 4 Display the mapping of VLANs to FWSM modules.

6500-1#show firewall vlan-group
Group  vlans
1      10-12

6500-1#show firewall module
Module  Vlan-groups
02      1

Step 5 Display the IP routing table.
6500-1#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 5 subnets
C       10.4.10.0 is directly connected, Vlan10
S       10.4.12.0 [1/0] via 10.4.10.3
C       10.4.23.0 is directly connected, Vlan23
S       10.4.11.0 [1/0] via 10.4.10.2
C       10.4.13.0 is directly connected, Vlan13

Task 3: Creating Contexts

In this task, you will create multiple contexts on the FWSM.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete the following steps:

Step 1 Access the FWSM by opening the console session from 6500-1.

Step 2 Configure the FWSM to use multiple security contexts. This will cause a reboot of the FWSM.

FWSM(config)#mode multiple
WARNING: This command will change the behavior of the device
WARNING: This command will initiate a Reboot
Proceed with change mode? [confirm]
Convert the system configuration? [confirm]
The old running configuration file will be written to disk
1386 bytes copied in 1.380 secs (1386 bytes/sec)
The admin context configlet will be written to disk
1229 bytes copied in 1.370 secs (1229 bytes/sec)
The new running configuration file was written to flash
Firewall mode: multiple
10:00:48: SP: The PC in slot 2 is shutting down. Please wait ...
10:00:49: SP: PC shutdown completed for module 2
10:00:49: %C6KPWR-SP-4-DISABLED: power to module in slot 2 set off (Reset)
10:02:28: %DIAG-SP-6-RUN_MINIMUM: Module 2: Running Minimum Diagnostics...
10:02:31: %SVCLC-5-FWVTPMODE: VTP mode is set to non-transparent
10:02:31: %MLS_RATE-4-DISABLING: The Layer2 Rate Limiters have been disabled
10:02:30: %DIAG-SP-6-DIAG_OK: Module 2: Passed Online Diagnostics
10:02:42: %OIR-SP-6-INSCARD: Card inserted in slot 2, interfaces are now online
[Connection to 127.0.0.21 closed by foreign host]

Note: Your session was dropped when the FWSM rebooted.

Step 3 Reconnect to the FWSM and enter enable mode.

Step 4 Display the contents of the disk: file system.

FWSM#dir disk:
Directory of disk:/
10   -rw-  1386   17:07:44 Feb 16 2006  old_running.cfg
11   -rw-  1229   17:07:44 Feb 16 2006  admin.cfg
59748352 bytes total (59674624 bytes free)

Step 5 Display the configuration file for the admin context.

FWSM#more disk:/admin.cfg

Step 6 Enter the configuration mode.

Step 7 Enter the context configuration sub-mode to make changes to the admin context.

Step 8 Connect VLAN 100 to the admin context.

Step 9 Display the startup configuration. Note that three lines have been inserted into the configuration along with the other defaults.

FWSM(config-ctx)#show startup-config
<...part of the output omitted...>
admin-context admin
context admin
  config-url disk:/admin.cfg
<...rest of the output omitted...>

Step 10 Display the configuration file for the admin context.

FWSM(config-ctx)#more disk:/admin.cfg
<...part of the output omitted...>
: Saved
: Written by enable_15 at 14:04:17.460 UTC Tue Apr 15 2008
FWSM Version 3.1(3)
hostname FWSM
enable password sRy2Yj1yt7RRXU24 encrypted
passwd 2KFQnbNIGr.2KYOU encrypted
pager lines 24
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
<...rest of the output omitted...>
Step 11 Create the testing context.

Step 12 Allocate VLAN 10 to the testing context with an interface alias of "test_outside."

Step 13 Allocate VLAN 11 to the testing context with an interface alias of "test_inside."

Step 14 Set the configuration URL for the testing context to point to a file in the disk: file system called "testing.cfg."

Step 15 Create the production context.

Step 16 Allocate VLAN 10 as "prod_outside," and VLAN 12 as "prod_inside" to the production context.

Step 17 Set the configuration URL for the production context to point to a file in the disk: file system called "production.cfg."

Activity Verification

You have completed this task when you attain these results:

Step 1 Display the contexts defined for the FWSM.

FWSM#show context
Context Name      Class    Interfaces        Mode    URL
*admin            default  Vlan10            Routed  disk:/admin.cfg
 production       default  Vlan10,Vlan12     Routed  disk:/production.cfg
 testing          default  Vlan10,Vlan11     Routed  disk:/testing.cfg
Total active Security Contexts: 3

Step 2 Display detailed information about each context defined for the FWSM.
FWSM#show context detail
Context "admin", is ADMIN and active
  Config URL: disk:/admin.cfg
  Real Interfaces: Vlan10
  Mapped Interfaces: Vlan10
  Class: default, Flags: 0x00001857, ID: 1

Context "null", is a system resource
  Config URL: ... null
  Real Interfaces:
  Mapped Interfaces:
  Class: default, Flags: 0x00000803, ID: 256

Context "production", is active
  Config URL: disk:/production.cfg
  Real Interfaces: Vlan10, Vlan12
  Mapped Interfaces: prod_inside, prod_outside
  Class: default, Flags: 0x00001855, ID: 3

Context "system", is a system resource
  Config URL: flash:config
  Real Interfaces:
  Mapped Interfaces: EOBC0, GigabitEthernet0, GigabitEthernet1, Vlan10, Vlan11, Vlan12
  Class: default, Flags: 0x00000819, ID: 0

Context "testing", is active
  Config URL: disk:/testing.cfg
  Real Interfaces: Vlan10, Vlan11
  Mapped Interfaces: test_inside, test_outside
  Class: default, Flags: 0x00001855, ID: 2

Task 4: Configuring Contexts

In this task, you will configure each of the security contexts on the FWSM.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete the following steps:

Step 1 Switch to the admin context.

Step 2 Enter the configuration mode.

Step 3 Give the name "mgmt" to VLAN10 and assign a security level of "100."

Step 4 Authorize 10.P.13.25 (where "P" is your pod number) to access the HTTP server via the mgmt interface.

Step 5 Enable the HTTP server.

Step 6 Enable AAA authentication for HTTP access to the FWSM.

Step 7 Configure a user named "admin" with the password "bigboss."

Step 8 Configure a default route through the MSFC via the management interface.

Step 9 Exit the configuration mode.

Step 10 Display the IP interfaces.

FWSM/admin#show interface ip brief
Interface  IP-Address    OK? Method Status  Protocol
Vlan100    10.4.10.254   YES manual up      up

Step 11
Save the running configuration to the startup configuration.

Step 12 Change to the testing context.

Step 13 Enter the configuration mode.

Step 14 Rename "test_inside" to "inside" and assign a security level of "100."

Step 15 Rename "test_outside" to "outside" and assign a security level of "1."

Step 16 Configure an IP address of 10.P.10.2 on the outside interface, where "P" is your pod number.

Step 17 Configure a default route through the MSFC via the outside interface.

Step 18 Configure the inside interface with an IP address of 10.P.10.1, where "P" is your pod number.

Step 19 Configure an ACL named "permit-all" that allows all IP traffic.

Step 20 Assign this new ACL to both interfaces.

Step 21 Configure identity NAT for the entire inside subnet.

Step 22 Configure protocol inspection engines for ICMP.

Step 23 Create an "admin" user with the password "admin."

Step 24 Enable AAA authentication for all HTTP access.

Step 25 Enable the HTTP server.

Step 26 Exit the configuration mode and display the interfaces that have been defined.

FWSM/testing#show interface
Interface test_outside "outside", is up, line protocol is up
  MAC address 000d.29f3.2580, MTU 1500
  IP address 10.4.10.2, subnet mask 255.255.255.0
  Traffic Statistics for "outside":
    25 packets input, 68 bytes
    3 packets output, 204 bytes
    487 packets dropped
Interface test_inside "inside", is up, line protocol is up
  MAC address 000d.29f3.2580, MTU 1500
  IP address 10.4.11.1, subnet mask 255.255.255.0
  Traffic Statistics for "inside":
    48 packets input, 68 bytes
    2 packets output, 136 bytes
    276 packets dropped

Step 27 Display the status of defined IP interfaces.

FWSM/testing#show interface ip brief
Interface     IP-Address  OK? Method Status  Protocol
test_outside  10.4.10.2   YES manual up      up
test_inside   10.4.11.1   YES manual up      up

Step 28 Display the routing table.
FWSM/testing#show route
S    0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, outside
C    10.4.10.0 255.255.255.0 is directly connected, outside
C    10.4.11.0 255.255.255.0 is directly connected, inside

Step 29 Display the static NAT configuration.

FWSM/testing#show running-config static
static (inside,outside) 10.4.11.0 10.4.11.0 netmask 255.255.255.0

Step 30 Display the ACLs and the interfaces to which they are assigned.

FWSM/testing#show access-list
access-list mode auto-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list permit-all; 1 elements
access-list permit-all line 1 extended permit ip any any (hitcnt=66) 0xf86f0e0
  outside
  inside

FWSM/testing#show running-config access-group
access-group permit-all in interface outside
access-group permit-all in interface inside

Step 31 Save the running configuration to the startup configuration.

Step 32 Switch to the production context.

Step 33 Display the available interfaces.

FWSM/production#show interface
Interface prod_outside "", is up, line protocol is up
  Available but not configured via nameif
Interface prod_inside "", is up, line protocol is up
  Available but not configured via nameif

Step 34 Enter the configuration mode.

Step 35 Name the context's interfaces "inside" (with security level "100") and "outside" (with security level "10").

Step 36 Configure an inside IP address of 10.P.12.1, where "P" is your pod number.

Step 37 Configure an outside IP address of 10.P.10.3, where "P" is your pod number.

Step 38 Configure a default route through the MSFC at 10.P.10.1, where "P" is your pod number.

Step 39 Configure an "internet" ACL that permits any IP traffic.

Step 40 Configure a "public" ACL that permits access to web servers.

Step 41 Assign the "internet" ACL to the inside interface and the "public_access" ACL to the outside interface.

Step 42 Configure identity NAT for the entire inside subnet.
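The FWSM side of Tasks 3 and 4, consolidated into one configuration and written for pod 4 as the printouts are. This is an added example, not text from the lab guide. Assumptions: the admin context is allocated VLAN 10 as the show context printout lists it (Step 8 and the show interface ip brief printout use VLAN 100); the testing inside address is 10.4.11.1 as in the addressing table and the show interface printout; the http host entry on the testing context is assumed, mirroring the admin context's Step 4, because Task 5 browses ASDM from PC1.

```cisco
! ===== System execution space (after "mode multiple" and the reload) =====
! Only VLANs the switch placed in the firewall vlan-group (Task 2) can be
! allocated here. The mapped names become the interface names each
! context sees; the real VLAN numbers stay hidden from it.
admin-context admin
context admin
  allocate-interface Vlan10
  config-url disk:/admin.cfg
!
context testing
  allocate-interface Vlan10 test_outside
  allocate-interface Vlan11 test_inside
  config-url disk:/testing.cfg
!
context production
  allocate-interface Vlan10 prod_outside
  allocate-interface Vlan12 prod_inside
  config-url disk:/production.cfg

! ===== Admin context (disk:/admin.cfg) =====
! Management-only context: one interface, local users, HTTPS limited to
! the PC1 host address. From here "changeto" reaches every other
! context, so it needs at least the protection of the data contexts.
interface Vlan10
  nameif mgmt
  security-level 100
  ip address 10.4.10.254 255.255.255.0
route mgmt 0.0.0.0 0.0.0.0 10.4.10.1 1
username admin password bigboss privilege 15
aaa authentication http console LOCAL
http server enable
http 10.4.13.25 255.255.255.255 mgmt

! ===== Testing context (disk:/testing.cfg) =====
interface test_outside
  nameif outside
  security-level 1
  ip address 10.4.10.2 255.255.255.0
interface test_inside
  nameif inside
  security-level 100
  ip address 10.4.11.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.4.10.1 1
! Identity NAT: the inside subnet keeps its real addresses ("show xlate"
! later lists Global == Local), but the static is still what lets
! outside-initiated connections reach Server1.
static (inside,outside) 10.4.11.0 10.4.11.0 netmask 255.255.255.0
! "permit-all" on both interfaces makes this a pure test path: the ACL,
! not the security-level difference, now decides what passes.
access-list permit-all extended permit ip any any
access-group permit-all in interface outside
access-group permit-all in interface inside
! ICMP inspection lets echo replies return through the stateful engine.
policy-map global_policy
  class inspection_default
    inspect icmp
username admin password admin privilege 15
aaa authentication http console LOCAL
http server enable
! Assumed (see lead-in): PC1 is the ASDM client in Task 5.
http 10.4.13.25 255.255.255.255 outside

! ===== Production context (disk:/production.cfg) =====
interface prod_outside
  nameif outside
  security-level 10
  ip address 10.4.10.3 255.255.255.0
interface prod_inside
  nameif inside
  security-level 100
  ip address 10.4.12.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.4.10.1 1
static (inside,outside) 10.4.12.0 10.4.12.0 netmask 255.255.255.0
! Inbound from outside is limited to TCP/80 toward the web servers;
! anything else falls to the implicit deny at the end of public_access.
access-list internet extended permit ip any any
access-list public_access extended permit tcp any any eq www
access-group internet in interface inside
access-group public_access in interface outside
username admin password prodcontrol privilege 15
aaa authentication http console LOCAL
http server enable
http 10.4.13.25 255.255.255.255 outside
```

After each context is saved, "changeto system" and "more disk:/testing.cfg" or "more disk:/production.cfg" shows exactly the stanza written for it above, which is the check Step 9 of the following verification performs.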
Step 43 Create a user "admin" with the password "prodcontrol."

Step 44 Enable AAA-authenticated HTTP management access from 10.P.13.25, where "P" is your pod number.

Activity Verification

You have completed this task when you attain these results:

Step 1 Display the defined ACLs and associated interfaces.

FWSM/production#show access-list
access-list mode auto-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list internet; 1 elements
access-list internet line 1 extended permit ip any any (hitcnt=0) 0xb5d9ea32
access-list public_access; 1 elements
access-list public_access line 1 extended permit tcp any any eq www (hitcnt=0) 0xea051171

FWSM/production#show running-config access-group
access-group internet in interface inside
access-group public_access in interface outside

Step 2 Display information about the defined interfaces.

FWSM/production#show interface
Interface prod_outside "outside", is up, line protocol is up
  MAC address 000d.29f3.2580, MTU 1500
  IP address 10.4.10.3, subnet mask 255.255.255.0
  Traffic Statistics for "outside":
    64 packets input, 68 bytes
    4 packets output, 272 bytes
    834 packets dropped
Interface prod_inside "inside", is up, line protocol is up
  MAC address 000d.29f3.2580, MTU 1500
  IP address 10.4.12.1, subnet mask 255.255.255.0
  Traffic Statistics for "inside":
    1 packets input, 0 bytes
    1 packets output, 68 bytes
    214 packets dropped

Step 3 Display IP interface information.

FWSM/production#show interface ip brief
Interface     IP-Address  OK? Method Status  Protocol
prod_outside  10.4.10.3   YES manual up      up
prod_inside   10.4.12.1   YES manual up      up

Step 4 Display the IP routes on this context.
FWSM/production#show route
S    0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, outside
C    10.4.10.0 255.255.255.0 is directly connected, outside
C    10.4.12.0 255.255.255.0 is directly connected, inside

Step 5 Display the static NAT configuration.

FWSM/production#show running-config static
static (inside,outside) 10.4.12.0 10.4.12.0 netmask 255.255.255.0

Step 6 Save the running configuration to the startup configuration.

Step 7 Change to the system execution space.

FWSM/production#changeto system

Step 8 Display the files in the disk: file system.

FWSM#dir disk:
Directory of disk:/
10   -rw-  1386   17:07:44 Feb 16 2006  old_running.cfg
31   -rw-  1593   17:44:10 Feb 16 2006  admin.cfg
38   -rw-  2015   17:58:44 Feb 16 2006  testing.cfg
39   -rw-  2033   18:05:48 Feb 16 2006  production.cfg
59740352 bytes total (59670528 bytes free)

Step 9 Display each of the context configlets.

FWSM#more disk:/admin.cfg
FWSM#more disk:/testing.cfg
FWSM#more disk:/production.cfg

Task 5: Demonstrating Multiple Contexts

In this task, you will demonstrate access to resources through multiple contexts.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete the following steps:

Step 1 Use the web browser on PC1 to visit each of the websites accessible through your test context. These are at IP addresses 10.P.11.10, 10.P.11.20, 10.P.11.30, and 10.P.11.40, where "P" is your pod number.

Step 2 Display the connections active on the testing context (use changeto context testing to access the context from the FWSM). Note that your output may be different, since the connections are load-balanced over the NP1 and NP2 processors.
FWSM/testing#show connections
8 in use, 8 most used
Network Processor 1 connections
TCP out 10.4.13.25:1072 in 10.4.11.30:80 idle Bytes 3402 FLAGS - UBOI
TCP out 10.4.13.25:1074 in 10.4.11.20:80 idle Bytes 4715 FLAGS - UBOI
TCP out 10.4.13.25:1075 in 10.4.11.20:80 idle Bytes 2773 FLAGS - UBOI
TCP out 10.4.13.25:1080 in 10.4.11.40:80 idle Bytes 3460 FLAGS - UBOI
Network Processor 2 connections
TCP out 10.4.13.25:1071 in 10.4.11. idle Bytes 4088 FLAGS - UBOI
TCP out 10.4.13.25:1077 in 10.4.11. idle Bytes 4084 FLAGS - UBOI
TCP out 10.4.13.25:1078 in 10.4.11. idle Bytes 3402 FLAGS - UBOI
TCP out 10.4.13.25:1079 in 10.4.11. idle Bytes 4093 FLAGS - UBOI
Multicast sessions:
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections

Step 3 Display the network address translation table in this context.

FWSM/testing#show xlate
5 in use, 5 most used
Global 10.4.13.25 Local 10.4.13.25
Global 10.4.11.20 Local 10.4.11.20
Global 10.4.11.30 Local 10.4.11.30
Global 10.4.11.40 Local 10.4.11.40
Global 10.4.11.10 Local 10.4.11.10

Step 4 Use the web browser on PC1 to visit each of the websites accessible through your production context. These are at IP addresses 10.P.20.10, 10.P.20.20, 10.P.20.30, and 10.P.20.40, where "P" is your pod number.

Step 5 Display the connections active on the production context.

FWSM/production#show connections
8 in use, 8 most used
Network Processor 1 connections
TCP out 10.4.12.10:80 in 10.4.13.25:1082 idle 0:00:51 Bytes 136560 FLAGS - UOI
TCP out 10.4.12.10:80 in 10.4.13.25:1083 idle 0:00:51 Bytes 100846 FLAGS - UOI
TCP out 10.4.12.30:80 in 10.4.13.25:1088 idle 0:00:33 Bytes 136509 FLAGS - UOI
TCP out 10.4.12.30:80 in 10.4.13.25:1089 idle Bytes 100788 FLAGS - UOI
TCP out 10.4.12.40:80 in 10.4.13.25:1091 idle Bytes 136450 FLAGS - UOI
Network Processor 2 connections
TCP out 10.4.12.20:80 in 10.4.13.25:1085 idle Bytes 138286 FLAGS - UOI
TCP out 10.4.12.20:80 in 10.4.13.25:1086 idle Bytes 98893 FLAGS - UOI
TCP out 10.4.12.40:80 in 10.4.13.25:1092 idle Bytes 100962 FLAGS - UOI
Multicast sessions:
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections

Step 6 Display the active network address translations in this context.

FWSM/production#show xlate
5 in use, 5 most used
Global 10.4.13.25 Local 10.4.13.25
Global 10.4.12.10 Local 10.4.12.10
Global 10.4.12.20 Local 10.4.12.20
Global 10.4.12.30 Local 10.4.12.30
Global 10.4.12.40 Local 10.4.12.40

Step 7 Use the web browser on PC1 to access the ASDM on the admin context using IP address 192.168.100.10 and the HTTPS protocol. Notice that you need to use the password configured for the admin context. The ASDM panel shown below will appear. Notice that from the admin context you can display information about any other context.

Note: ASDM can be installed as a local application or run as a Java applet. For lab purposes, choose "Run ASDM as a Java Applet."

[Figure: ASDM panel, admin context]

Step 8 Use the web browser on PC1 to access the ASDM on the production context using IP address 192.168.100.2 and the HTTPS protocol. Notice that you need to use the password configured for the production context. The ASDM panel shown below will appear.

[Figure: ASDM panel, production context]

Step 9 Use the web browser on PC1 to access the ASDM on the testing context using IP address 192.168.100.3 and the HTTPS protocol. You should see results similar to the ASDM display from the production context.

Lab 2-3: Deploying the FWSM in Routing Mode

Complete this lab activity to practice what you learned in the related lesson.
Activity Objective

In this activity, you will configure the Cisco Catalyst 6500 Series FWSM in routing mode. After completing this activity, you will be able to meet these objectives:

- Configure the Cisco Catalyst 6500 Series Switch
- Configure the network topology on the FWSM
- Configure NAT
- Configure permitted traffic patterns
- Configure protocol inspection
- Use client systems to demonstrate access to resources through the FWSM

Visual Objective

The figure illustrates what you will accomplish in this activity:

[Figure: Lab 2-3 topology. Legend: X = switch number (1 or 2), Y = server number, Z = PC number]

The pod with the equipment for this lab exercise is divided into two independent subpods with the following devices and VLANs:

- Subpod1: 6500-1, 4900-1, PC1, Server1, Server2 and VLANs 10, 11, 12, 13
- Subpod2: 6500-2, 4900-2, PC6, Server3, Server4 and VLANs 20, 21, 22, 23

Divide into subgroups in each pod to complete the following tasks.

Note: Throughout the lab exercise the steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1, Server2). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

IP Addressing

The IP addressing scheme in the following table lists the IP addresses of the PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces and Layer 3 physical interfaces, where "P" is your pod number.
Pod Addressing

Device    IP Subnet   Subnet Mask  Device IP                         Default Gateway  VLAN
PC1       10.P.13.0   /24          10.P.13.25                        10.P.13.1        13
PC6       10.P.23.0   /24          10.P.23.25                        10.P.23.1        23
Server1   10.P.11.0   /24          10.P.11.10, 10.P.11.20,           10.P.11.1        11
                                   10.P.11.30, 10.P.11.40
Server2   10.P.12.0   /24          10.P.12.10, 10.P.12.20,           10.P.12.1        12
                                   10.P.12.30, 10.P.12.40
Server3   10.P.21.0   /24          10.P.21.10, 10.P.21.20,           10.P.21.1        21
                                   10.P.21.30, 10.P.21.40
Server4   10.P.22.0   /24          10.P.22.10, 10.P.22.20,           10.P.22.1        22
                                   10.P.22.30, 10.P.22.40

Device                       VLAN  IP Subnet   Subnet Mask  Device IP
6500-1                       10    10.P.10.0   /24          10.P.10.1
6500-1                       13    10.P.13.0   /24          10.P.13.1
Outside on FWSM in 6500-1    10    10.P.10.0   /24          10.P.10.2
DMZ on FWSM in 6500-1        11    10.P.11.0   /24          10.P.11.1
Inside on FWSM in 6500-1     12    10.P.12.0   /24          10.P.12.1
6500-2                       20    10.P.20.0   /24          10.P.20.1
6500-2                       23    10.P.23.0   /24          10.P.23.1
Outside on FWSM in 6500-2    20    10.P.20.0   /24          10.P.20.2
DMZ on FWSM in 6500-2        21    10.P.21.0   /24          10.P.21.1
Inside on FWSM in 6500-2     22    10.P.22.0   /24          10.P.22.1

Required Resources

These are the resources and equipment required to complete this activity:

- Two (2) Cisco Catalyst 6500 Series Switches
- Two (2) Cisco Catalyst 6500 Series Switch Ethernet modules
- Two (2) Cisco Catalyst 6500 Series Switch Supervisor 720-10G-3C modules
- Two (2) Cisco Catalyst 6500 Series Switch Firewall Services Modules
- Two (2) Cisco Catalyst 4948 Switches
- Two (2) Microsoft Windows XP clients
- Four (4) Microsoft Windows 2003 servers

Command List

The table describes the commands used in this activity.
Command                                   Description
enable                                    Enter EXEC mode
config t                                  Enter global configuration mode
vlan x                                    Configure a VLAN
name xyz                                  Configure an administrative name for a VLAN
interface type slot/port                  Enter sub-configuration mode
switchport                                Configure an interface as a switchport
switchport mode                           Configure the switchport mode
switchport access vlan x                  Configure the access VLAN for the switchport
no shut                                   Administratively enable an interface
ip address x.x.x.x y.y.y.y                Configure an IP address
port-channel load-balance type            Configure the port-channel load-balancing type
firewall vlan-group x vlans               Configure a firewall VLAN group and associated VLANs
firewall module x vlan-group x            Associate a VLAN group with a firewall module
show interface status module x            Display the status of interfaces on a specific module
show ip interface brief                   Display the IP brief details for interfaces
show vlan brief                           Display the VLANs configured in brief
session slot x processor 1                Start a session with an FWSM in a specific slot
interface type                            Enter sub-configuration mode
nameif xyz                                Configure the interface name
security-level x                          Configure the interface security level
ip address nameif x.x.x.x y.y.y.y         Configure an IP address and associate it with an interface
route nameif 0 0 x.x.x.x y.y.y.y          Configure a default route through a specific interface
show nameif                               Display named interfaces
show interface ip brief                   Display IP brief details on the firewall
show interface                            Display interface details
show route                                Display the configured routes
nat (nameif) 1 x.x.x.x y.y.y.y            Configure NAT translation for an interface name
global (nameif) 1 x.x.x.x-y.y.y.y         Configure a pool of addresses for NAT translation through a specific interface
static (nameif,nameif) x.x.x.x y.y.y.y    Configure a NAT static mapping
show running-config nat                   Display the NAT configuration
show running-config global                Display the global NAT configuration
show running-config static                Display the static NAT configuration
access-list mode manual-commit            Configure the ACLs to be manually committed
access-list name permit/deny protocol     Configure an ACL
access-group name in/out interface nameif Configure an ACL group on a specific interface
access-list commit                        Manually commit the ACL to be applied
show access-list                          Display the ACL configuration
show running-config access-group          Display the access group configuration
policy-map global_policy
  class inspection_default
    inspect protocol                      Configure inspection engines
show running-config policy-map            Display the inspection engine configuration
show arp                                  Display the ARP entries
ping                                      Verify connectivity using ping
show connections                          Display the active connections
show xlate                                Display the translation table
show users                                Display attached users

Task 1: Removing Previous Configurations

Ensure that no previous configuration exists on the switches in your pod and apply the initial configurations to the devices. The initial configuration includes settings for the Layer 2 interfaces used (trunking, access VLAN set, etc.), VLAN configuration, Layer 3 VLAN configuration, correct power scheme, etc. The initial configurations are available on the individual device file system as specified in the following steps.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps on each switch in your pod:

Step 1 Connect to the 6500-1 switch via console and apply the following:

- Replace the current running configuration with the configuration from file disk0:dcni1_lab23_6500-1 using the configure replace disk0:dcni1_lab23_6500-1 command. When asked to proceed, press Y.
- Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
- Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.

Step 2 Connect to the 4900-1 switch via console and apply the following:
- Replace the current running configuration with the configuration from file bootflash:dcni1_lab23_4900-1 using the configure replace bootflash:dcni1_lab23_4900-1 command. When asked to proceed, press Y.

Step 3 In the EXEC mode on 6500-1, open a session with the FWSM in slot 2. The password is "cisco," which is the default value.
Step 4 Enter the enable mode and press Enter at the password prompt.
Step 5 Enter FWSM configuration mode.
Step 6 Delete the existing configuration with the clear config all command.
Step 7 Delete any existing configuration files on the disk: with the delete /noconfirm disk:* command.
Step 8 Reload the FWSM. Upon reload you will be disconnected from the FWSM.

Activity Verification

You have completed this task when you attain these results:

Step 1 On the 6500-1 switch verify that you have connectivity to the following:
- PC1 at 10.P.13.25 (where "P" is your pod number)
- Server1 at 10.P.11.10 (where "P" is your pod number)

You should see results similar to the following printouts.

Note: The following printouts show results of a ping conducted on pod 4.

6500-1#ping 10.4.13.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
6500-1#ping 10.4.11.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.11.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Task 2: Configuring Cisco Catalyst 6500 Series Switch Switching Functions

In this task, you will configure the Cisco Catalyst 6500 Series Switch to support the FWSM.
Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete the following steps:

Step 1 Create VLAN 10 and name it "Outside."
Step 2 Rename (or create, if it does not exist) VLAN 11 with the name "DMZ" and VLAN 12 with the name "Inside."
Step 3 Remove Layer 3 interfaces VLAN11 and VLAN12 if they exist.
Step 4 Create an MSFC interface in VLAN 10 with an IP address of 10.P.10.1, where "P" is your pod number.
Step 5 Configure the switch to use port numbers in port-channel load-balancing algorithms.
Step 6 Associate VLANs 10, 11, and 12 with the FWSM in slot 2.

Activity Verification

You have completed this task when you attain these results:

Step 1 Display the status of interfaces on module 3.

6500-1#show interface status module 3
Port      Name   Status      Vlan   Duplex  Speed  Type
Gi3/1            disabled    1      full    auto   10/100/1000BaseT
Gi3/2            disabled    1      full    auto   10/100/1000BaseT
Gi3/3            connected   13     a-full  a-100  10/100/1000BaseT
Gi3/4            disabled    1      full    auto   10/100/1000BaseT
Gi3/5            disabled    1      full    auto   10/100/1000BaseT
Gi3/6            disabled    1      full    auto   10/100/1000BaseT
Gi3/7            disabled    1      full    auto   10/100/1000BaseT
Gi3/8            disabled    1      full    auto   10/100/1000BaseT
Gi3/9            disabled    1      full    auto   10/100/1000BaseT
Gi3/10           disabled    1      full    auto   10/100/1000BaseT
Gi3/11           disabled    1      full    auto   10/100/1000BaseT
--output omitted--

Step 2 Display the IP interfaces.

6500-1#show ip interface brief | exclude unassigned
Interface    IP-Address    OK? Method Status    Protocol
Vlan10       10.4.10.1     YES manual up        up
Vlan13       10.4.13.1     YES NVRAM  up        up

Step 3 Display the VLANs that exist on the switch.

6500-1#show vlan brief
VLAN Name        Status    Ports
1    default     active
10   outside     active
11   DMZ         active
12   inside      active
13   clientpc    active    Gi3/3
--output omitted--
Task 3: Connecting the FWSM to the Network

In this task, you will configure the network topology on the FWSM.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete the following steps:

Step 1 Session into the FWSM in slot 2 and enter the enable mode. The login password defaults to "cisco," and the enable password is blank.
Step 2 Enter the configuration mode.
Step 3 Name the interfaces and assign security levels.
Step 4 Define IP addresses for each interface.
Step 5 Define a default route to the MSFC.

Activity Verification

You have completed this task when you attain these results:

Step 1 Display the named interfaces and their security levels.

FWSM#show nameif
Interface   Name      Security
Vlan10      outside   0
Vlan11      DMZ       50
Vlan12      inside    100

Step 2 Display the IP interfaces in the FWSM.

FWSM#show interface ip brief
Interface           IP-Address    OK? Method Status   Protocol
GigabitEthernet0    unassigned    YES unset  up       up
GigabitEthernet1    unassigned    YES unset  up       up
Vlan10              10.4.10.2     YES manual up       up
Vlan11              10.4.11.1     YES manual up       up
Vlan12              10.4.12.1     YES manual up       up
EOBC0               127.0.0.21    YES CONFIG up       up

Step 3 Display detailed information about all of the interfaces on the FWSM.
FWSM#show interface
Interface Vlan10 "outside", is up, line protocol is up
  Hardware is EtherSVI
  MAC address 0018.73bc.6000, MTU 1500
  IP address 10.4.10.2, subnet mask 255.255.255.0
  Traffic statistics for "outside":
    0 packets input, 0 bytes
    1 packets output, 68 bytes
    133 packets dropped
Interface Vlan11 "DMZ", is up, line protocol is up
  Hardware is EtherSVI
  MAC address 0018.73bc.6000, MTU 1500
  IP address 10.4.11.1, subnet mask 255.255.255.0
  Traffic statistics for "DMZ":
    1 packets input, 0 bytes
    1 packets output, 68 bytes
    129 packets dropped
Interface Vlan12 "inside", is up, line protocol is up
  Hardware is EtherSVI
  MAC address 0018.73bc.6000, MTU 1500
  IP address 10.4.12.1, subnet mask 255.255.255.0
  Traffic statistics for "inside":
    0 packets input, 0 bytes
    1 packets output, 68 bytes
    123 packets dropped

Step 4 Display the IP routing table on the FWSM.

FWSM#show route
0.0.0.0 0.0.0.0 [1/0] via 10.4.10.1, outside
10.4.10.0 255.255.255.0 is directly connected, outside
10.4.11.0 255.255.255.0 is directly connected, DMZ
10.4.12.0 255.255.255.0 is directly connected, inside

Task 4: Configuring NAT

In this task, you will configure NAT.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete the following steps:

Step 1 Configure NAT ID 1 to cover all addresses on the inside IP subnet of 10.P.12.0, where "P" is your pod number.
Step 2 Configure the global addresses to be used when systems from the inside subnet access the outside network.
Step 3 Configure the global addresses to be used when systems from the inside subnet access the DMZ.
Step 4 Configure a static address translation that maps 192.168.100.11 to the DMZ host at 10.P.20.10, where "P" is your pod number.
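The nat, global, static, access-list and access-group lines configured in Task 4 and Task 5 decide which inside and DMZ hosts an outside client can reach, and through which rules. The following script is an added example, not from the lab guide: it audits such a show running-config extract offline and reports what each static exposes and how permissive the inbound ACL on each interface is. The two configuration texts inside it are constructed from this lab's pod 4 printouts and from the permit-all policy of Lab 2-4, Task 3.

```python
"""Offline audit of an FWSM NAT and ACL configuration (added example)."""
import re
from typing import Dict, List

# Constructed sample: the subpod 1 (pod 4) configuration from Tasks 4 and 5.
LAB23_CONFIG = """
nat (inside) 1 10.4.12.0 255.255.255.0
global (outside) 1 10.4.10.100-10.4.10.200
global (DMZ) 1 10.4.11.100-10.4.11.200
static (DMZ,outside) 10.4.10.11 10.4.11.10 netmask 255.255.255.255
access-list mode manual-commit
access-list internet extended permit ip any any
access-list public_access extended permit tcp any host 10.4.11.10 eq www
access-list maintenance extended permit tcp 10.4.11.0 255.255.255.0 any eq telnet
access-list maintenance extended permit tcp 10.4.11.0 255.255.255.0 any eq www
access-group public_access in interface outside
access-group maintenance in interface DMZ
access-group internet in interface inside
"""

# Constructed sample: the permit-all policy of Lab 2-4, Task 3 (Steps 13 and 14).
LAB24_CONFIG = """
static (inside,outside) 10.4.10.100 10.4.11.10 netmask 255.255.255.255
access-list permit-all extended permit ip any any
access-group permit-all in interface inside
access-group permit-all in interface outside
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip ...
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (\S+) (.*)$")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def parse_config(text: str) -> Dict:
    """Collect statics, ACL rules by name, the inbound ACL per interface, commit mode."""
    cfg = {"statics": [], "acls": {}, "groups": {}, "manual_commit": False}
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "access-list mode manual-commit":
            cfg["manual_commit"] = True
        elif m := STATIC_RE.match(line):
            real_if, mapped_if, mapped_ip, real_ip = m.groups()
            cfg["statics"].append((real_if, mapped_if, mapped_ip, real_ip))
        elif m := ACL_RE.match(line):
            name, action, proto, rest = m.groups()
            cfg["acls"].setdefault(name, []).append((action, proto, rest.split()))
        elif m := GROUP_RE.match(line):
            name, iface = m.groups()
            cfg["groups"][iface] = name
    return cfg


def destination(tokens: List[str]) -> List[str]:
    """Destination part of 'SRC DST [eq port]'; SRC is 'any', 'host X' or 'NET MASK'."""
    i = 1 if tokens[0] == "any" else 2
    if i >= len(tokens):
        return []
    return tokens[i:i + 1] if tokens[i] == "any" else tokens[i:i + 2]


def permits_host(rule, addresses) -> bool:
    """True when a permit rule's destination is 'any' or names one of the addresses."""
    action, _proto, tokens = rule
    if action != "permit" or len(tokens) < 2:
        return False
    dst = destination(tokens)
    return dst == ["any"] or (len(dst) == 2 and dst[0] == "host" and dst[1] in addresses)


def audit(cfg: Dict) -> List[str]:
    """Findings a reviewer would raise about the parsed configuration."""
    findings = []
    if cfg["manual_commit"]:
        findings.append("ACL edits are not enforced until 'access-list commit' is entered")
    for iface, name in sorted(cfg["groups"].items()):
        rules = cfg["acls"].get(name, [])
        if any(a == "permit" and p == "ip" and t[:2] == ["any", "any"] for a, p, t in rules):
            findings.append(f"{iface}: ACL '{name}' permits ip any any")
    for real_if, mapped_if, mapped_ip, real_ip in cfg["statics"]:
        name = cfg["groups"].get(mapped_if)
        if name is None:
            findings.append(f"{mapped_if}: no inbound ACL bound; traffic to {real_ip} "
                            "from the lower-security interface is denied by default")
            continue
        # Whether the ACL must name the real or the mapped address depends on the
        # FWSM release, so a rule naming either form is counted as reaching the host.
        hits = [r for r in cfg["acls"].get(name, []) if permits_host(r, {real_ip, mapped_ip})]
        findings.append(f"{mapped_if}: {real_if} host {real_ip} is exposed as {mapped_ip}; "
                        f"{len(hits)} permit rule(s) in '{name}' reach it")
    return findings


if __name__ == "__main__":
    for label, text in (("Lab 2-3", LAB23_CONFIG), ("Lab 2-4", LAB24_CONFIG)):
        print(label)
        for finding in audit(parse_config(text)):
            print("  -", finding)
```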
Activity Verification

You have completed this task when you attain these results:

Step 1 Display the NAT configuration.

FWSM#show running-config nat
nat (inside) 1 10.4.12.0 255.255.255.0

Step 2 Display the global address configuration.

FWSM#show running-config global
global (outside) 1 10.4.10.100-10.4.10.200
global (DMZ) 1 10.4.11.100-10.4.11.200

Step 3 Display the static NAT configuration.

FWSM#show running-config static
static (DMZ,outside) 10.4.10.11 10.4.11.10 netmask 255.255.255.255

Task 5: Configuring Network Access

In this task, you will configure permitted traffic patterns.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete the following steps:

Step 1 Switch to manual commit mode for ACLs.
Step 2 Create an ACL called "internet" that permits any IP traffic.
Step 3 Create an ACL called "public_access" that permits web access to the server in the DMZ.
Step 4 Create an ACL called "maintenance" that permits the DMZ host to initiate Telnet and web connections.
Step 5 Designate the public_access ACL as the ACL to be used to control traffic received on the outside interface.
Step 6 Notice that an error is issued. This error occurs because the ACL commit mode is manual, and the ACL has not been committed. Commit the ACLs.
Step 7 Designate the public_access ACL as the ACL to be used to control traffic received on the outside interface.
Step 8 Designate the internet ACL as the list to be used to control traffic received on the inside interface.
Step 9 Designate the maintenance ACL as the list to be used to control traffic received on the DMZ interface.

Activity Verification

You have completed this task when you attain these results:

Step 1 Display the configured ACLs.
FWSM#show access-list
access-list mode manual-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list internet; 1 elements
access-list internet line 1 extended permit ip any any (hitcnt=0) 0xb5d9aa32
access-list public_access; 1 elements
access-list public_access line 1 extended permit tcp any host 10.4.11.10 eq www (hitcnt=0) 0x2f208965
access-list maintenance; 2 elements
access-list maintenance line 1 extended permit tcp 10.4.11.0 255.255.255.0 any eq telnet (hitcnt=0) 0x429152c6
access-list maintenance line 2 extended permit tcp 10.4.11.0 255.255.255.0 any eq www (hitcnt=0) 0xada265a2

Step 2 Display the ACLs that are configured on the IP interfaces.

FWSM#show running-config access-group
access-group public_access in interface outside
access-group maintenance in interface DMZ
access-group internet in interface inside

Task 6: Configuring Protocol Inspection

In this task, you will configure protocol inspection.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete the following step:

Step 1 Add the ICMP inspection engines.

Activity Verification

You have completed this task when you attain this result:

Step 1 Display the configured fixups.

FWSM#show running-config policy-map
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error

Task 7: Demonstrating the Firewall

In this task, you will use client systems to demonstrate access to resources through the FWSM.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1).
However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete the following steps:

Step 1 Log on to each of the Microsoft Windows 2000 servers in your pod and bring up a command prompt on each of them.
Step 2 On Server1 ping 10.P.11.1, where "P" is your pod number. This ping will fail.
Step 3 On Server2 ping 10.P.12.1, where "P" is your pod number. This ping will also fail.
Step 4 Session into the FWSM and display the ARP table. Notice that the FWSM knows the MAC addresses of each of the servers. This indicates that Layer 2 connectivity is working and that the previous pings failed because the FWSM is not configured to respond to pings.

FWSM#show arp
        DMZ 10.4.11.10 000c.29da.5a23
        inside 10.4.12.10 000c.23e9.64f2
        eobc 127.0.0.51 0000.1500.0000

Step 5 Ping each of the servers from the FWSM.

FWSM# ping 10.4.11.10
Sending 5, 100-byte ICMP Echos to 10.4.11.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
FWSM# ping 10.4.12.10
Sending 5, 100-byte ICMP Echos to 10.4.12.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Step 6 In the command prompt window of Server2, issue a ping -n 15 10.P.11.10 command, where "P" is your pod number. This will generate 15 pings to Server1. While this command is running, display the active connections on the FWSM.

FWSM#show connections
1 in use, 1 most used
Network Processor 1 connections
Network Processor 2 connections
ICMP out 10.4.11.10:512 in 10.4.12.10:8 idle 0:00:00 Bytes 1404
Multicast sessions
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections

Step 7 In the command prompt window of Server1, issue a telnet 10.P.10.1 command, where "P" is your pod number. This will open the Telnet session to the 6500-1 VLAN 10 interface.
Since no Telnet password is defined on 6500-1, you will be disconnected with a "Password required, but none set" message.

Step 8 Display the active address translations.

FWSM# show xlate
2 in use, 2 most used
Global 10.4.10.100 Local 10.4.12.10
Global 10.4.10.11 Local 10.4.11.10

Step 9 Start Internet Explorer on Server2 and browse to 10.P.11.10, where "P" is your pod number. Display the active connections on the FWSM.

FWSM# show connections
2 in use, 4 most used
Network Processor 1 connections
Network Processor 2 connections
TCP out 10.4.12.10:80 in 10.4.12.10:1093 idle 0:00:07 Bytes 145341 FLAGS - UOI
TCP out 10.4.11.10:80 in 10.4.12.10:1094 idle 0:00:07 Bytes 88405 FLAGS - UOI
Multicast sessions
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections:

Step 10 Establish a Telnet session from Server2 to 10.P.11.10, where "P" is your pod number. Leave this Telnet session active.
Step 11 Connect to 6500-1 and configure a VTY password to allow Telnet access.

6500-1(config)#line vty 0 15
6500-1(config-line)#password cisco

Step 12 Open a second command prompt on Server2 and establish a Telnet connection to 10.P.10.1. Log in to the router with the password "cisco." Leave this Telnet session active.
Step 13 Establish a Telnet session from Server1 to 10.P.10.1 and log in as described above. Leave this Telnet session active.
Step 14 Display the active connections on the FWSM.

FWSM#show connections
3 in use, 5 most used
Network Processor 1 connections
Network Processor 2 connections
TCP out 10.4.11.10:23 in 10.4.12.10:1095 idle 0:00:53 Bytes 748 FLAGS - FRUOI
TCP out 10.4.10.1:23 in 10.4.12.10:1097 idle 0:00:31 Bytes 1337 FLAGS - UOI
TCP out 10.4.10.1:23 in 10.4.11.10:3838 idle 0:00:06 Bytes 1337 FLAGS - UOI
Multicast sessions
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections:

Step 15 Display the active connections on the FWSM.
FWSM#show xlate
3 in use, 2 most used
Global 10.4.11.100 Local 10.4.12.10
Global 10.4.10.100 Local 10.4.12.10
Global 10.4.10.11 Local 10.4.11.10

Step 16 On one of the routers, display the active users. Notice the locations from which the router sees your logon sessions.

6500-1#show users
    Line       User       Host(s)               Idle       Location
*   0 con 0               127.0.0.21            00:00:18
    1 vty 0               idle                  00:01:24   10.4.10.100
    2 vty 1               idle                  00:01:09   10.4.10.12

Step 17 Double-click on the Server1 icon on the desktop of Server1. In the address window, enter \\10.P.12.10\e$ to display the disk contents of Server2. This command will fail.
Step 18 Double-click on the Server2 icon on the desktop of Server2. In the address window, enter \\10.P.11.10\e$ (where "P" is your pod number) to display the disk contents of Server1. The results of this command will appear as shown below.
Step 19 Display the active connections on the FWSM.

FWSM#show connections
4 in use, 6 most used
Network Processor 1 connections
TCP out 10.4.11.10:139 in 10.4.12.10:1100 idle 0:00:10 Bytes 82975 FLAGS - UOI
Network Processor 2 connections
TCP out 10.4.11.10:23 in 10.4.12.10:1095 idle 0:03:52 Bytes 748 FLAGS - FRUOI
TCP out 10.4.10.1:23 in 10.4.12.10:1097 idle 0:03:30 Bytes 1337 FLAGS - UOI
TCP out 10.4.10.1:23 in 10.4.11.10:3838 idle 0:03:06 Bytes 1337 FLAGS - UOI
Multicast sessions:
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections:

Step 20 Save your configuration on the firewall.
Step 21 Save your configuration on the switch.

Lab 2-4: Deploying the FWSM Failover

Complete this lab activity to practice what you learned in the related lesson.

Activity Objective

In this lab you will work together with the team using the other Cisco Catalyst 6500 Series and 4948 Switches in your pod.
One switch will be defined as the primary Cisco Catalyst 6500 Series Switch and will contain the primary Catalyst 6500 Series FWSM. The other switch will be defined as the secondary Cisco Catalyst 6500 Series Switch and will contain the backup Catalyst 6500 Series FWSM. Before you begin, your team members must decide which switch will fulfill each role. This lab may be repeated with the roles reversed. To accomplish this, reload the Cisco Catalyst 6500 Series Switches and start again.

In this activity, you will configure redundant Firewall Services Modules. After completing this activity, you will be able to meet these objectives:
- Configure Cisco Catalyst 6500 Series Switch switching functions to support redundant FWSMs
- Configure a redundant FWSM pair
- Demonstrate the redundancy provided by the FWSM

Visual Objective

The figure illustrates what you will accomplish in this activity:

[Figure: Lab 2-4: Deploying the FWSM Failover]

IP Addressing

The IP addressing scheme in the following table lists the IP addresses of the PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces and Layer 3 physical interfaces, where "P" is your pod number.
Pod Addressing

Device  | IP Subnet | Subnet Mask | Device IP                                      | Default Gateway | VLAN
PC1     | 10.P.13.0 | /24         | 10.P.13.25                                     | 10.P.13.1       | 13
Server1 | 10.P.11.0 | /24         | 10.P.11.10, 10.P.11.20, 10.P.11.30, 10.P.11.40 | 10.P.11.1       | 11

Device                  | VLAN | IP Subnet | Subnet Mask | Device IP
6500-1                  | 10   | 10.P.10.0 | /24         | 10.P.10.1
6500-1                  | 13   | 10.P.13.0 | /24         | 10.P.13.1
6500-2                  | 10   | 10.P.10.0 | /24         | 10.P.10.2
6500-2                  | 13   | 10.P.13.0 | /24         | 10.P.13.2
Outside on Active FWSM  | 10   | 10.P.10.0 | /24         | 10.P.10.3
Outside on Standby FWSM | 10   | 10.P.10.0 | /24         | 10.P.10.4
Inside on Active FWSM   | 11   | 10.P.11.0 | /24         | 10.P.11.1
Inside on Standby FWSM  | 11   | 10.P.11.0 | /24         | 10.P.11.2

Required Resources

These are the resources and equipment required to complete this activity:
- Two (2) Cisco Catalyst 6500 Series Switches
- Two (2) Cisco Catalyst 6500 Series Switch Ethernet modules
- Two (2) Cisco Catalyst 6500 Series Switch Supervisor 720-10G-3C modules
- Two (2) Cisco Catalyst 6500 Series Switch Firewall Services Modules
- Two (2) Cisco Catalyst 4948 Switches
- Microsoft Windows XP client
- Microsoft Windows 2003 server

Command List

The table describes the commands used in this activity.

Command | Description
conf t | Enter global configuration mode
vlan x | Enter subconfiguration mode
name xyz | Configure an administrative name
interface vlan x | Enter subconfiguration mode
ip address x.x.x.x y.y.y.y | Configure an IP address
no shut | Administratively enable an interface
interface type slot/port | Enter subconfiguration mode for an interface
switchport | Configure an interface as a switchport
switchport mode access | Configure the interface as an access port
switchport access vlan no | Configure the access port VLAN
firewall vlan-group x vlans | Configure the firewall VLAN group
firewall module x vlan-group x | Associate an FWSM module with the VLAN group
spanning-tree vlan vlan(s) root primary | Configure the spanning-tree root bridge
show vlan brief | Display VLAN output in brief
show interface status module no | Display the interface status for a specific module
show firewall vlan | Display the firewall VLAN groups
show firewall module | Display the VLAN group mappings
show ip interface brief | Display the IP interfaces in brief
session slot x processor 1 | Open a session to a module
failover lan interface failover vlan vlan_no | Configure the VLAN the failover interface will use
failover interface ip failover x.x.x.x y.y.y.y standby x.x.x.x | Assign the failover interface an IP address on the primary and secondary FWSM
failover link state vlan vlan_no | Configure the state interface to use a VLAN
failover interface ip state x.x.x.x y.y.y.y standby x.x.x.x | Assign the state interface an IP address on the primary and secondary FWSM
failover lan unit primary | Configure the primary failover unit
failover | Enable failover
interface vlan no | Enter subconfiguration mode
nameif name | Configure the interface name
security-level level | Configure the interface security level
ip address x.x.x.x y.y.y.y standby x.x.x.x | Configure the primary and secondary IP addresses for the interface
access-list name permit/deny protocol | Configure an ACL
access-group name in/out interface nameif | Configure the access group and associate it with an interface
static (nameif,nameif) x.x.x.x y.y.y.y | Configure static NAT
route nameif x.x.x.x y.y.y.y x.x.x.x | Configure a default route through an interface
show nameif | Display the named interfaces
show route | Display the IP route
show failover | Display the failover configuration
show access-list | Display the ACL configuration
show running-config access-group | Display the access group configuration
show running-config static | Display the static NAT configuration
show connections | Display the active connections

Task 1: Removing Previous Configurations

Ensure that no previous configuration exists on the switches in your pod and apply the initial configurations to the devices. The initial configuration includes settings for the Layer 2 interfaces used (trunking, access VLAN set, etc.), VLAN configuration, Layer 3 VLAN configuration, correct power scheme, etc. The initial configurations are available on the individual device file system as specified in the following steps.

Activity Procedure

Complete these steps on each switch in your pod:

Step 1 Connect to the 6500-1 switch via console and apply the following:
- Replace the current running configuration with the configuration from file disk0:dcni1_lab24_6500-1 using the configure replace disk0:dcni1_lab24_6500-1 command. When asked to proceed, press Y.
- Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
- Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.
Step 2 Connect to the 4900-1 switch via console and apply the following:
- Replace the current running configuration with the configuration from file bootflash:dcni1_lab24_4900-1 using the configure replace bootflash:dcni1_lab24_4900-1 command. When asked to proceed, press Y. You should see output similar to the output in the previous step.

Step 3 In the EXEC mode on 6500-1, open a session with the FWSM in slot 2. The password is "cisco," which is the default value.
Step 4 Enter the enable mode and press Enter at the password prompt.
Step 5 Enter FWSM configuration mode.
Step 6 Delete the existing configuration with the clear config all command.
Step 7 Delete any existing configuration files on the disk: with the delete /noconfirm disk:* command.
Step 8 Reload the FWSM. Upon reload you will be disconnected from the FWSM.
Step 9 Connect to the 6500-2 switch via console and apply the following:
- Replace the current running configuration with the configuration from file disk0:dcni1_lab24_6500-1 using the configure replace disk0:dcni1_lab24_6500-1 command. When asked to proceed, press Y.
- Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
- Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.

Step 10 Connect to the 4900-2 switch via console and apply the following:
- Replace the current running configuration with the configuration from file bootflash:dcni1_lab24_4900-1 using the configure replace bootflash:dcni1_lab24_4900-1 command. When asked to proceed, press Y. You should see output similar to the output in the previous step.

Step 11 In the EXEC mode on 6500-2, open a session with the FWSM in slot 2. The password is "cisco," which is the default value.
Step 12 Enter the enable mode and press Enter at the password prompt.
Step 13 Enter FWSM configuration mode.
Step 14 Delete the existing configuration with the clear config all command.
Step 15 Delete any existing configuration files on the disk: with the delete /noconfirm disk:* command.
Step 16 Reload the FWSM. Upon reload you will be disconnected from the FWSM.

Activity Verification

You have completed this task when you attain these results:

Step 1 On the 6500-1 switch verify that you have connectivity to the following:
- PC1 at 10.P.13.25 (where "P" is your pod number)
- Server1 at 10.P.11.10 (where "P" is your pod number)

You should see results similar to the following printouts.

Note: The following printouts show results of a ping conducted on pod 4.

6500-1#ping 10.4.13.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
6500-1#ping 10.4.11.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.11.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Task 2: Configuring Cisco Catalyst 6500 Series Switch Switching Functions

In this task, you will configure the Cisco Catalyst 6500 Series Switch switching functions to support redundant Firewall Services Modules.

Activity Procedure

Complete the following steps:

Step 1 Connect to the 6500-1 switch and create VLANs 10, 11, 13, 90 and 91 named "outside," "inside," "clientPC," "failover," and "FWSM-state," respectively.
Step 2 Connect to the 6500-2 switch and create VLANs 10, 11, 13, 90 and 91 named "outside," "inside," "clientPC," "failover," and "FWSM-state," respectively.
Step 3 Create a virtual IP interface on the MSFC in VLAN 13 on 6500-2.

Note: The 6500-1 switch already has VLAN13, created from Task 1.

Step 4 Assign an IP address of 10.P.13.2 to this interface and then activate the interface.
Step 5 Create a virtual IP interface on the MSFC in VLAN 10 on 6500-1.
Step 6 Assign an IP address of 10.P.10.1 to this interface and then activate the interface.
Step 7 Create a virtual IP interface on the MSFC in VLAN 10 on 6500-2.
Step 8 Assign an IP address of 10.P.10.2 to this interface and then activate the interface.
Step 9 Configure VLANs 10, 11, 90 and 91 to be attached to the FWSM in slot 2 on 6500-1 and 6500-2.
Step 10 Enable the TenGigabitEthernet5/4 to be a trunk port on 6500-1 and 6500-2. This port will connect your switch to the switch in your neighbor pod.
Step 11 The 6500-1 switch will be deployed with the primary FWSM; thus define the switch to be the root of the spanning tree for the inside and outside VLANs.
Step 12 Exit the configuration mode.

Activity Verification

You have completed this task when you attain these results:

Step 1 Display the configured VLANs.

6500-1#show vlan brief
VLAN Name        Status    Ports
1    default     active    Gi4/1, Gi4/2, Gi4/3, Gi4/4
                           Gi4/5, Gi4/6, Gi6/2, Gi6/3
                           Gi6/4, Gi6/5, Gi6/6
10   outside     active
11   inside      active
12   VLAN0012    active
13   clientpc    active    Gi3/3
90   failover    active
91   FWSM-state  active

Step 2 Display the status of the interfaces on module 3 on 6500-1 and 6500-2.

6500-1#show interface status module 3
Port     Name   Status      Vlan    Duplex  Speed   Type
Gi3/3           connected   13      a-full  a-100   10/100/1000BaseT
--output omitted--
Gi3/13          connected   trunk   a-full  a-1000  10/100/1000BaseT
Gi3/14          connected   trunk   a-full  a-1000  10/100/1000BaseT
--output omitted--
Step 3 Verify the spanning tree for VLAN 11 on 6500-1, which is the primary root bridge.

6500-1#show spanning-tree vlan 10
VLAN0011
  Spanning tree enabled protocol ieee
  Root ID    Priority    8192
             Address     0017.df40.240b
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    8192
             Address     0017.df40.240b
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface    Role Sts Cost   Prio.Nbr  Type
Gi3/13       Desg FWD 4      128.269   P2p
Gi3/14       Desg FWD 4      128.270   P2p
Te5/4        Desg FWD 2      128.516   P2p
Po308        Desg FWD 3      128.1665  P2p Edge

Step 4 Verify the spanning tree for VLAN 11 on 6500-2, which is the primary root bridge.

6500-2#show spanning-tree vlan 10
VLAN0011
  Spanning tree enabled protocol ieee
  Root ID    Priority    8192
             Address     0017.df40.240b
             Cost        2
             Port        516 (TenGigabitEthernet5/4)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32768
             Address     0017.df40.380b
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface    Role Sts Cost   Prio.Nbr  Type
Gi3/13       Desg FWD 4      128.269   P2p
Gi3/14       Desg FWD 4      128.270   P2p
Te5/4        Root FWD 2      128.516   P2p
Po306        Desg FWD 3      128.1665  P2p Edge

Step 5 Display the FWSM VLAN groups.

6500-1#show firewall vlan
Group    vlans
1        10,11,90-91

Step 6 Display the mapping of VLAN groups to FWSM modules.

6500-1#show firewall module
Module   Vlan-groups
02       1

Step 7 Display the configured IP interfaces on 6500-1 and 6500-2.

6500-1#show ip interface brief | exclude unassigned
Interface    IP-Address    OK? Method Status    Protocol
Vlan10       10.4.10.1     YES manual up        up
Vlan13       10.4.13.1     YES NVRAM  up        up

6500-2#show ip interface brief | exclude unassigned
Interface    IP-Address    OK? Method Status    Protocol
Vlan10       10.4.10.2     YES manual up        up
Vlan13       10.4.13.2     YES manual up        up

Task 3: Configuring Redundant FWSMs

In this task, you will configure a redundant pair of Firewall Services Modules.
Activity Procedure

Complete the following steps:

Step 1 Connect to the FWSM and enter the configuration mode.
Step 2 Configure the failover interface to use VLAN 90 on the primary and secondary FWSMs.
Step 3 Assign the failover interface an IP address of 192.168.1.1 on the primary FWSM on 6500-1, and an IP address of 192.168.1.2 on the secondary FWSM on 6500-2 (configure the same command on both switches).
Step 4 Configure the state interface to use VLAN 91 on the primary and secondary FWSMs.
Step 5 Assign the state interface an IP address of 192.168.2.1 on the primary FWSM on 6500-1, and an IP address of 192.168.2.2 on the secondary FWSM on 6500-2 (configure the same command on both switches).
Step 6 On the primary FWSM only, configure the FWSM to be the primary unit of the redundant pair.
Step 7 On the secondary FWSM only, configure the FWSM to be the secondary unit of the redundant pair.
Step 8 Enable failover on both units.
Step 9 You should see the following output on the primary FWSM.

Beginning configuration replication: Sending to mate.
End Configuration Replication to mate

Step 10 You should see the following output on the secondary FWSM.

Detected an Active mate
Beginning configuration replication from mate.
This unit is in syncing state. 'failover' command will not be effective at this time
This un
it is in syncing state. 'failover' command will not be effective at this time
End configuration replication from mate
Access Rules Download Complete: Memory Utilization: < 1%

Note: If you are configuring the secondary FWSM, exit the configuration mode and skip the remaining steps in this task.

Step 11 Name the interfaces used for traffic (VLAN10 as "outside" and VLAN11 as "inside") and assign security levels.
Step 12 Define the IP addresses for each interface.
Notice that one command is used to configure both the primary and secondary IP addresses for each interface. For the inside interface, use a primary address of 10.P.11.1 and a secondary address of 10.P.11.2, where "P" is your pod number. Define outside IP addresses of 10.P.10.3 and 10.P.10.4, respectively.
Step 13 Configure an ACL permitting all IP traffic, and apply it to both interfaces.
Step 14 Create a static NAT entry for Server1. The IP address of this server is 10.P.11.10, where "P" is the pod number. This server is reachable at an IP address of 10.P.10.100.
Step 15 Route the 10.P.13.0 subnet to both MSFCs on 10.P.10.X, where "P" is your pod number and "X" is the Cisco Catalyst 6500 Series Switch number.

Activity Verification

You have completed this task when you attain these results:

Step 1  Display the interface configurations on each FWSM.

FWSM#show nameif
Interface                Name                     Security
Vlan10                   outside                    0
Vlan11                   inside                   100

FWSM#show int ip brief
Interface              IP-Address      OK? Method Status  Protocol
GigabitEthernet0       unassigned      YES unset  up      up
GigabitEthernet1       unassigned      YES unset  up      up
Vlan10                 10.4.10.3       YES manual up      up
Vlan11                 10.4.11.1       YES manual up      up
Vlan90                 192.168.1.1     YES manual up      up
Vlan91                 192.168.2.1     YES manual up      up
BOBCO                  127.0.0.21      YES CONFIG up      up

Step 2  Display the IP routing table on the FWSM.

FWSM#show route
    10.4.10.0 255.255.255.0 is directly connected, outside
    10.4.11.0 255.255.255.0 is directly connected, inside
    10.4.13.0 255.255.255.0 [1/0] via 10.4.10.1, outside
    10.4.13.0 255.255.255.0 [1/0] via 10.4.10.2, outside
    192.168.1.0 255.255.255.0 is directly connected, failover
    192.168.2.0 255.255.255.0 is directly connected, state

Step 3  Display the failover status for each FWSM. The output listing for the primary FWSM is shown below. Compare this listing to the listing received on the secondary FWSM.
FWSM#show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Vlan90 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 0 of 250 maximum
Config sync: active
Version: Ours 3.1(3), Mate 3.1(3)
Last Failover at: 12:49:51 UTC Apr 23 2008
        This host: Primary - Active
                Active time: 920 (sec)
                Interface outside (10.4.10.3): Normal (Not-Monitored)
                Interface inside (10.4.11.1): Normal (Not-Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                Interface outside (10.4.10.4): Normal (Not-Monitored)
                Interface inside (10.4.11.2): Normal (Not-Monitored)

Stateful Failover Logical Update Statistics
        Link : state Vlan91 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         114        0          114        0
        sys cmd         114        0          114        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       983
        Xmit Q:         0       0       114

Step 4  Display the ACLs and group assignments.

FWSM#show access-list
access-list mode auto-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list permit-all; 1 elements
access-list permit-all extended permit ip any any (hitcnt=0)

FWSM#show running-config access-group
access-group permit-all in interface inside
access-group permit-all in interface outside

Step 5  Show the configured static NAT entries.

FWSM#show running-config static
static (inside,outside) 10.4.10.100 10.4.11.10 netmask 255.255.255.255

Note    The output from these steps should be similar on each FWSM, indicating that the configuration has been successfully replicated.

Task 4: Demonstrating Redundancy

In this task, you will demonstrate the redundancy provided by the FWSM redundant pair.
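The Task 3 verification above asks you to compare the show failover listing of the primary FWSM with the one from the secondary by eye. The following Python script is an added example, not code from the lab guide or from Cisco: it parses both listings and reports anything that would make the pair unhealthy (failover off, configuration not in sync, software version differing from the mate, the two units disagreeing about who is Active, or an interface that is not Normal). The two sample outputs are constructed and abbreviated to match the format of the printout above.

```python
"""Consistency check for an FWSM Active/Standby pair from `show failover` output.

Added example; not code from the lab guide or from Cisco. The two sample
outputs are constructed (and abbreviated) to match the lab printouts: the
same pair as seen from the primary unit and from the secondary unit.
"""
import re

# Constructed sample: `show failover` as seen on the primary (Active) unit.
PRIMARY_OUTPUT = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover Vlan90 (up)
Config sync: active
Version: Ours 3.1(3), Mate 3.1(3)
        This host: Primary - Active
                Active time: 920 (sec)
                Interface outside (10.4.10.3): Normal (Not-Monitored)
                Interface inside (10.4.11.1): Normal (Not-Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                Interface outside (10.4.10.4): Normal (Not-Monitored)
                Interface inside (10.4.11.2): Normal (Not-Monitored)
"""

# Constructed sample: the same pair as seen from the secondary (Standby) unit.
SECONDARY_OUTPUT = """\
Failover On
Failover unit Secondary
Failover LAN Interface: failover Vlan90 (up)
Config sync: active
Version: Ours 3.1(3), Mate 3.1(3)
        This host: Secondary - Standby Ready
                Active time: 0 (sec)
                Interface outside (10.4.10.4): Normal (Not-Monitored)
                Interface inside (10.4.11.2): Normal (Not-Monitored)
        Other host: Primary - Active
                Active time: 920 (sec)
                Interface outside (10.4.10.3): Normal (Not-Monitored)
                Interface inside (10.4.11.1): Normal (Not-Monitored)
"""

HOST_RE = re.compile(r"^(This|Other) host: (\w+) - (.+?)\s*$")
IFACE_RE = re.compile(r"^Interface (\S+) \(([\d.]+)\): (.+?)\s*$")


def parse_show_failover(text):
    """Return pair-level fields plus hosts: unit name -> {state, interfaces}."""
    info = {"enabled": None, "unit": None, "config_sync": None,
            "version_ours": None, "version_mate": None, "hosts": {}}
    current = None  # unit whose interface lines we are currently reading
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Failover unit "):
            info["unit"] = line.split()[2]
        elif line in ("Failover On", "Failover Off"):
            info["enabled"] = line.endswith("On")
        elif line.startswith("Config sync: "):
            info["config_sync"] = line.split(": ", 1)[1]
        elif line.startswith("Version: "):
            m = re.match(r"Version: Ours (.+?), Mate (.+)", line)
            info["version_ours"], info["version_mate"] = m.group(1), m.group(2)
        elif (m := HOST_RE.match(line)):
            current = m.group(2)
            info["hosts"][current] = {"state": m.group(3), "interfaces": {}}
        elif current and (m := IFACE_RE.match(line)):
            info["hosts"][current]["interfaces"][m.group(1)] = {
                "ip": m.group(2), "status": m.group(3)}
    return info


def active_unit(info):
    """Name of the unit (Primary/Secondary) reported as Active, or None."""
    active = [n for n, h in info["hosts"].items() if h["state"] == "Active"]
    return active[0] if len(active) == 1 else None


def check_pair(primary_text, secondary_text):
    """Cross-check both units' output; an empty list means the pair is healthy."""
    units = {"primary": parse_show_failover(primary_text),
             "secondary": parse_show_failover(secondary_text)}
    problems = []
    for name, u in units.items():
        if not u["enabled"]:
            problems.append(f"{name}: failover is not enabled")
        if u["config_sync"] != "active":
            problems.append(f"{name}: config sync is {u['config_sync']!r}")
        if u["version_ours"] != u["version_mate"]:
            problems.append(f"{name}: version mismatch {u['version_ours']} "
                            f"vs mate {u['version_mate']}")
        for host, h in u["hosts"].items():
            for ifname, d in h["interfaces"].items():
                if not d["status"].startswith("Normal"):
                    problems.append(f"{name}: {host} interface {ifname} is {d['status']}")
    if units["primary"]["unit"] != "Primary" or units["secondary"]["unit"] != "Secondary":
        problems.append("captures are not from the units they were labelled as")
    # Both units must tell the same story about who is Active and who is Standby.
    roles = {n: {h: d["state"] for h, d in u["hosts"].items()} for n, u in units.items()}
    if roles["primary"] != roles["secondary"]:
        problems.append(f"units disagree on roles: {roles}")
    if sorted(roles["primary"].values()) != ["Active", "Standby Ready"]:
        problems.append(f"expected one Active and one Standby Ready unit: {roles['primary']}")
    return problems


if __name__ == "__main__":
    issues = check_pair(PRIMARY_OUTPUT, SECONDARY_OUTPUT)
    print("active unit:", active_unit(parse_show_failover(PRIMARY_OUTPUT)))
    print("pair healthy" if not issues else "\n".join(issues))
```

The same check applies unchanged after the forced failover in Task 4, because it only requires that exactly one unit be Active and that both units agree on which one it is.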
Activity Procedure

Complete the following steps:

Step 1  Log in to PC1, start a command prompt, and establish a Telnet connection to 10.P.10.100 (Server1).
Step 2  Display the active connections on each FWSM.
Step 3  On the primary FWSM, you should see an output listing similar to the following.

FWSM#show connections
1 in use, 1 most used
Network Processor 1 connections
Network Processor 2 connections
TCP out 10.4.13.25:1154 in 10.4.11.10:23 idle 0:00:27 Bytes 698 FLAGS - UBOI
Multicast sessions:
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections:

On the secondary FWSM, you should see output similar to the following. Note the differences in the flags between each FWSM.

FWSM#show connections
1 in use, 1 most used
Network Processor 1 connections
Network Processor 2 connections
TCP out 10.4.13.25:1154 in 10.4.11.10:23 idle 0:00:44 Bytes 256 FLAGS - UB
Multicast sessions:
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections:

Step 4  Issue the show connections detail command to view the active connections and a legend explaining the flags.

FWSM#show connections detail
1 in use, 2 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
       E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, k - Skinny media,
       M - SMTP data, m - SIP media, O - outbound data, P - inside back connection,
       q - SQL*Net data, R - outside acknowledged FIN, R - UDP SUNRPC,
       r - inside acknowledged FIN, S - awaiting inside SYN, s - awaiting outside SYN,
       T - SIP, t - SIP transient, U - up
Network Processor 1 connections
Network Processor 2 connections
TCP out 10.4.13.25:1153 in 10.4.11.10:23 idle 0:00:43 Bytes 614 FLAGS - UBfrOI
Multicast sessions:
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections:

Step 5  Force the primary FWSM to fail over to the secondary by configuring the primary FWSM as no longer active. This step is performed on the primary FWSM only.
Step 6  On the primary FWSM you should see the "Switching to Standby" message, while on the secondary FWSM you should see the "Switching to Active" message.
Step 7  Verify the Active/Standby role on the secondary FWSM.

FWSM#show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover Vlan90 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 0 of 250 maximum
Config sync: active
Version: Ours 3.1(3), Mate 3.1(3)
Last Failover at: 13:12:24 UTC Apr 23 2008
        This host: Secondary - Active
                Active time: 97 (sec)
                Interface outside (10.4.10.3): Normal (Not-Monitored)
                Interface inside (10.4.11.1): Normal (Not-Monitored)
        Other host: Primary - Standby Ready
                Active time: 1351 (sec)
                Interface outside (10.4.10.4): Normal (Not-Monitored)
                Interface inside (10.4.11.2): Normal (Not-Monitored)

Stateful Failover Logical Update Statistics
        Link : state Vlan91 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         194        0          190        0
        sys cmd         184        0          184        0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        8          0          3          0
        UDP conn        0          0          0          0
        ARP tbl         2          0          2          0
        Xlate_Timeout   0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       1580
        Xmit Q:         0       0       186

Step 8  Return to the client systems and type a new command in the Telnet session. Notice that the session is still active.
Step 9  Display the connection information on each FWSM.
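Steps 2 through 4 and Step 9 compare the connection tables of the two units and point out that the flags differ between them. The following Python script is an added example, not code from the lab guide or from Cisco: it parses show connections output, expands the FLAGS column using the legend from the show connections detail printout, and reports which connections on the Active unit the Standby has not received and where the flags differ. The two sample tables are constructed to mirror the Step 3 printouts for the PC1 to Server1 Telnet session.

```python
"""Parse FWSM `show connections` output and decode the FLAGS column.

Added example, not code from the lab guide or from Cisco. FLAG_LEGEND is
transcribed from the `show connections detail` printout; the two sample
tables are constructed to mirror the printouts for the Telnet session.
"""
import re

# Legend from `show connections detail`. "R" is listed twice in the FWSM
# legend, so both meanings are kept under the one key.
FLAG_LEGEND = {
    "A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
    "B": "initial SYN from outside", "C": "CTIQBE media", "D": "DNS",
    "d": "dump", "E": "outside back connection", "F": "outside FIN",
    "f": "inside FIN", "G": "group", "g": "MGCP", "H": "H.323",
    "h": "H.225.0", "I": "inbound data", "i": "incomplete", "J": "GTP",
    "j": "GTP data", "k": "Skinny media", "M": "SMTP data", "m": "SIP media",
    "O": "outbound data", "P": "inside back connection", "q": "SQL*Net data",
    "R": "outside acknowledged FIN (or UDP SUNRPC)", "r": "inside acknowledged FIN",
    "S": "awaiting inside SYN", "s": "awaiting outside SYN", "T": "SIP",
    "t": "SIP transient", "U": "up",
}

# Constructed samples in the format of the lab printouts (Active, then Standby).
ACTIVE_OUTPUT = """\
1 in use, 1 most used
Network Processor 1 connections
Network Processor 2 connections
TCP out 10.4.13.25:1154 in 10.4.11.10:23 idle 0:00:27 Bytes 698 FLAGS - UBOI
Multicast sessions:
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections:
"""
STANDBY_OUTPUT = """\
1 in use, 1 most used
Network Processor 1 connections
Network Processor 2 connections
TCP out 10.4.13.25:1154 in 10.4.11.10:23 idle 0:00:44 Bytes 256 FLAGS - UB
Multicast sessions:
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections:
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) out (?P<out_ip>[\d.]+):(?P<out_port>\d+) "
    r"in (?P<in_ip>[\d.]+):(?P<in_port>\d+) idle (?P<idle>\d+:\d\d:\d\d) "
    r"Bytes (?P<bytes>\d+) FLAGS - (?P<flags>\S+)$")


def parse_connections(text):
    """Return a list of connection dicts from a `show connections` printout."""
    conns = []
    for raw in text.splitlines():
        m = CONN_RE.match(raw.strip())
        if not m:
            continue  # counters, section titles and blank lines
        c = m.groupdict()
        for key in ("out_port", "in_port", "bytes"):
            c[key] = int(c[key])
        h, mi, s = (int(x) for x in c["idle"].split(":"))
        c["idle_seconds"] = h * 3600 + mi * 60 + s
        conns.append(c)
    return conns


def decode_flags(flags):
    """Expand a FLAGS string such as 'UBOI' into its legend entries."""
    return [FLAG_LEGEND.get(ch, f"unknown flag {ch!r}") for ch in flags]


def conn_key(c):
    """5-tuple that identifies the same connection on both units."""
    return (c["proto"], c["out_ip"], c["out_port"], c["in_ip"], c["in_port"])


def compare_units(active_text, standby_text):
    """Return (missing, flag_diffs) for the Active unit's table vs the Standby's.

    missing: connections the Standby has not received via stateful replication;
    flag_diffs: key -> (active flags, standby flags) where they differ.
    """
    active = {conn_key(c): c for c in parse_connections(active_text)}
    standby = {conn_key(c): c for c in parse_connections(standby_text)}
    missing = [k for k in active if k not in standby]
    flag_diffs = {k: (active[k]["flags"], standby[k]["flags"]) for k in active
                  if k in standby and active[k]["flags"] != standby[k]["flags"]}
    return missing, flag_diffs


if __name__ == "__main__":
    for c in parse_connections(ACTIVE_OUTPUT):
        print(f"{c['out_ip']}:{c['out_port']} -> {c['in_ip']}:{c['in_port']} "
              f"{c['flags']}: {', '.join(decode_flags(c['flags']))}")
    print(compare_units(ACTIVE_OUTPUT, STANDBY_OUTPUT))
```

For the sample tables the connection is present on both units, so nothing is reported missing, and the only difference is the flag set (UBOI on the Active unit against UB on the Standby), which is exactly what the lab asks you to notice.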
FWSM#show connections
2 in use, 3 most used
Network Processor 1 connections
Network Processor 2 connections
TCP out 10.4.13.25:1154 in 10.4.11.10:23 idle 0:00:19 Bytes 1183 FLAGS - UBOI
Multicast sessions:
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections:

Step 10 Display the current state of the failover mechanism on the primary FWSM also. Compare the primary FWSM output with the output from the secondary FWSM.

FWSM#show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Vlan90 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 0 of 250 maximum
Config sync: active
Version: Ours 3.1(3), Mate 3.1(3)
Last Failover at: 13:16:28 UTC Apr 23 2008
        This host: Primary - Standby Ready
                Active time: 1416 (sec)
                Interface outside (10.4.10.4): Normal (Not-Monitored)
                Interface inside (10.4.11.2): Normal (Not-Monitored)
        Other host: Secondary - Active
                Active time: 275 (sec)
                Interface outside (10.4.10.3): Normal (Not-Monitored)
                Interface inside (10.4.11.1): Normal (Not-Monitored)

Stateful Failover Logical Update Statistics
        Link : state Vlan91 (up)
        Stateful Obj    xmit       xerr
        General         241        0
        sys cmd         216        0
        up time         0          0
        RPC services    0          0
        TCP conn        12         0
        UDP conn        9          0
        ARP tbl         4          0
        Xlate_Timeout   0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       1867
        Xmit Q:         0       0       222

Lab 3-1: Deploying the Initial Cisco NAM Configuration

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will configure the NAM for communication and then securely log in to the NAM. You will also practice navigating the menus and create a new user.
After completing this activity, you will be able to meet these objectives:
■ Configure NAM network parameters using the CLI
■ Log in to the NAM
■ Navigate the NAM Traffic Analyzer menus and view various configuration parameters and preference settings
■ Create new user accounts

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Lab 3-1: Deploying the Initial Cisco NAM Configuration]

The pod with the equipment for this lab exercise is divided into two independent subpods with the following devices and VLANs:
■ Subpod1: 6500-1, 4900-1, PC1, Server1, and VLANs 11, 13, 99
■ Subpod2: 6500-2, 4900-2, PC6, Server3, and VLANs 21, 23, 99

Divide into subgroups in each pod to complete the following tasks.

IP Addressing

Note    Throughout the lab exercise the steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

The IP addressing scheme in the following table lists the IP addresses of the PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces and Layer 3 physical interfaces, where "P" is your pod number.

Pod Addressing

Device    IP Subnet    Subnet Mask    Device IP      Default Gateway    VLAN
PC1       10.P.13.0    /24            10.P.13.25     10.P.13.1          13
PC6       10.P.23.0    /24            10.P.23.25     10.P.23.1          23
Server1   10.P.11.0    /24            10.P.11.10     10.P.11.1          11
                                      10.P.11.20
                                      10.P.11.30
                                      10.P.11.40
Server3   10.P.21.0    /24            10.P.21.10     10.P.21.1          21
                                      10.P.21.20
                                      10.P.21.30
                                      10.P.21.40

Device    VLAN    IP Subnet    Subnet Mask    Device IP
6500-1    11      10.P.11.0    /24            10.P.11.1
6500-1    13      10.P.13.0    /24            10.P.13.1
6500-1    99      10.P.99.0    /24            10.P.99.1
6500-2    21      10.P.21.0    /24            10.P.21.1
6500-2    23      10.P.23.0    /24            10.P.23.1
6500-2    99      10.P.99.0    /24            10.P.99.1
Required Resources

These are the resources and equipment required to complete this activity:
■ Two (2) Cisco Catalyst 6500 Series Switches
■ Two (2) Cisco Catalyst 6500 Series Switch Ethernet modules
■ Two (2) Cisco Catalyst 6500 Series Switch Supervisor 720-10G-3C modules
■ Two (2) Cisco Catalyst 6500 Series Switch NAM service modules
■ Two (2) Cisco Catalyst 4948 Switches
■ Two (2) Microsoft Windows XP clients
■ Two (2) Microsoft Windows 2003 servers

Job Aids

This job aid is available to help you complete the lab activity. Fill in the information provided by your instructor.

Description                              Value
NAM slot                                 4
Management VLAN                          99
NAM IP address                           10.P.99.2 255.255.255.0
NAM default gateway                      10.P.99.1
NAM system domain name                   NAM-1.labgear.net
NAM host name (DNS name)                 NAM-1
IP address of name server                10.P.99.254
NAM web access account (user/password)   admin/cisco

Task 1: Removing Previous Configurations

Ensure that no previous configuration exists on the switches in your pod and apply the initial configurations to the devices. The initial configuration includes settings for the Layer 2 interfaces used (trunking, access VLAN set, etc.), VLAN configuration, Layer 3 VLAN configuration, correct power scheme, etc. The initial configurations are available on the individual device file system as specified in the following steps.

Note    The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps on each switch in your pod:

Step 1  Connect to the 6500-1 switch via console and apply the following:
        ■ Replace the current running configuration with the configuration from file disk0:dcni1_lab31_6500-1 using the configure replace disk0:dcni1_lab31_6500-1 command. When asked to proceed, press Y.
        ■ Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
        ■ Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.
Step 2  Connect to the 4900-1 switch via console and apply the following:
        ■ Replace the current running configuration with the configuration from file bootflash:dcni1_lab13_4900-1 using the configure replace bootflash:dcni1_lab13_4900-1 command. When asked to proceed, press Y.
Step 3  From the 6500-1 switch, reset the NAM CLI username and password to the default "root/root" with the command clear module pc-module 4 password.
Step 4  In the EXEC mode on the 6500-1, open a session to the NAM in slot 4. The username/password are "root/root," which is the default value.
Step 5  Clear the old NAM configuration with the clear config command.
Step 6  Exit the NAM and reload the module with the hw-module module 4 reset command.
Step 7  Enter the enable mode and press Enter at the password prompt.

Activity Verification

You have completed this task when you attain these results:

Step 1  On the 6500-1 switch verify that you have connectivity to the following:
        ■ PC1 at 10.P.13.25 (where "P" is your pod number)
        ■ Server1 at 10.P.11.10 (where "P" is your pod number)

You should see results similar to the following printouts.

Note    The following printouts show results of a ping conducted on pod 4.

6500-1#ping 10.4.13.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

6500-1#ping 10.4.11.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.11.10, timeout is 2 seconds:
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Task 2: Configuring NAM Network Parameters

In this task, you will configure the network parameters for the NAM.
Note    The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps:

Step 1  Create VLAN 99 named "NAM" on the 6500-1 switch.
Step 2  Create a virtual IP interface on the MSFC in VLAN 99 on 6500-1.
Step 3  Assign an IP address of 10.P.11.1 to this interface and then activate the interface.
Step 4  Verify the NAM module installation, model number, and location (slot number) on 6500-1.

6500-1#show module
Mod Ports Card Type                              Model              Serial No.
  1    1  Application Control Engine Module      ACE10-6500-K9      SAD103206VA
  2    6  Firewall Module                        WS-SVC-FWM-1       SAD103309TB
  3   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL10393147
  4    8  Network Analysis Module                WS-SVC-NAM-2       SAD104602R
  5    5  Supervisor Engine 720 10GE (Active)    VS-S720-10G        SAD1151054P
  6    8  Intrusion Detection System             WS-SVC-IDSM-2      SAD104400KS

Step 5  Configure the management VLAN 99 for the NAM using the parameters in the Job Aids section at the beginning of this lab activity description.
Step 6  Access the NAM CLI by establishing a console session with the NAM.
Step 7  At the login prompt, enter the root account "root/root."

Note    The default password for the root account is "root." Consult the instructor if the password has been reset.

Step 8  Configure the NAM IP address and subnet mask.
Step 9  Configure the default gateway for the NAM.
Step 10 Set the NAM system domain name.
Step 11 Set the NAM system host name.
Step 12 Set the NAM system name server.
Step 13 Verify that the parameters were entered correctly with the show ip command.

root@NAM-1.labgear.net# show ip
IP address:             10.4.99.2
Subnet mask:            255.255.255.0
IP Broadcast:           10.4.99.255
DNS Name:               NAM-1.labgear.net
Default Gateway:        10.4.99.1
Nameserver(s):          10.4.99.254
HTTP server:            Disabled
HTTP secure server:     Disabled
HTTP port:              80
HTTP secure port:       443
TACACS+ configured:     No
Telnet:                 Disabled
SSH:                    Disabled

Note    If the NAM is to be accessed by third-party management applications, use the NAM CLI to enter SNMP variables.

Step 14 Enable the traffic analyzer application on the NAM. When asked to create a web administrator, use the data provided in the table (username: admin, password: cisco).

root@NAM-1.labgear.net# ip http server enable
Enabling HTTP server...
No web users are configured.
Please enter a web administrator user name [admin]: admin
New password:
Confirm password:
User admin added
Successfully enabled HTTP server.

Step 15 Exit the NAM CLI.

Activity Verification

This task will be completed successfully when you successfully log in to the NAM during the next task.

Task 3: Logging in to the NAM Traffic Analyzer

In this task, you will log in to the NAM Traffic Analyzer using the web account created in the previous task.

Activity Procedure

Complete these steps:

Step 1  Connect to PC1, open a web browser, and enter the NAM IP address (10.P.99.2) as the URL.
Step 2  The NAM Traffic Analyzer login dialog box is displayed. Enter the username and password you created during the previous task (admin/cisco) and click Login.

[Figure: NAM Traffic Analyzer login page]

Step 3  If the AutoComplete window appears, check the Don't offer to remember any more passwords box and click No.

Caution Do not allow your browser to remember passwords. Choosing "Yes" to remember passwords can leave the CiscoWorks server vulnerable to unauthorized access.

Step 4  The NAM Traffic Analyzer window appears displaying the system overview.

[Figure: NAM Traffic Analyzer system overview]

Q1) What is the current CPU utilization? ________

Activity Verification

You have completed this task when you have successfully logged into the NAM Traffic Analyzer software and reviewed the system overview.
Task 3: Navigating the NAM Traffic Analyzer Menus

Students will navigate the menus on the NAM Traffic Analyzer to find the task to display the initial network configuration of the NAM.

Activity Procedure

Complete these steps:

Note    You should be logged in to the NAM.

Step 1  Examine the NAM Traffic Analyzer desktop, which contains several major functions represented as tabs. Click each tab and the options for the function will be listed underneath the tabs:
        ■ Setup
        ■ Monitor
        ■ Reports
        ■ Capture
        ■ Alarms
        ■ Admin
Step 2  Click the Monitor tab.

Q2) What are the available options under the Monitor tab?
    1. ________
    2. ________
    3. ________
    4. ________
    5. ________
    6. ________
    7. ________
    8. ________
    9. ________

Step 3  Often, choosing an option will lead to suboptions displayed in a table of contents on the left side of the screen.

Q3) What are the suboptions for the Alarms option of the Setup function?
    1. ________
    2. ________
    3. ________
    4. ________

Step 4  Find the task that displays the NAM network parameters.

Q4) List the path to find the NAM network parameters:
    ________ (tab)  ________ (option)  ________ (suboption)

Q5) How many parameters can be set or displayed by this task (name servers count as one parameter even though up to three can be displayed)? ________

These steps are to ensure proper processing for a lab that follows:

Step 5  Choose the Setup tab and the Protocol Directory option.
Step 6  Choose the Auto-learned Applications suboption from the suboptions box on the left side of the screen.
Step 7  The Auto Learned Protocols Preferences dialog box is displayed. Unselect Enable Auto Learned Protocols and click Apply.

Activity Verification

You have completed this task when you are comfortable navigating the NAM Traffic Analyzer desktop.

Task 4: Creating User Accounts

In this task, you will create a new user account with the ability to view collections and capture packets (you will not have the ability to configure accounts, the system, alarms, and collections).
Also, you will modify the Refresh Interval of the real-time reports by changing the NAM preferences.

Activity Procedure

Complete these steps:

Note    You should be logged in to the NAM Traffic Analyzer desktop.

Step 1  Choose the Admin tab and the Users option. Make sure the Local Database suboption is chosen.
Step 2  A list of the currently defined users and their privileges is displayed. Click Create to create a new user.
Step 3  Enter a username and password for this new user. Enter the privileges for the user (remember that this user is only to be able to view collections and run data captures).

Q6) What privileges are to be enabled? ________

Step 4  Click Submit to create the user. Make sure this user is now listed in the local User database.
Step 5  View the parameters necessary to secure user access through a TACACS+ server. Choose the TACACS+ suboption.

Note    You should already be at Admin > Users and just need to choose TACACS+ from the suboptions menu on the left side of the screen.

Q7) At the minimum, what information is needed to enable user authentication using a TACACS+ server? ________

Caution Do not enable TACACS+ authentication at this time. Prior to enabling this feature, the TACACS+ server must be configured to accept authentication requests from the NAM and the user account must also exist in the TACACS+ server.

Step 6  Change the Refresh Interval of the real-time reports to 30 seconds. Click Setup > Preferences. Change the value and click Apply. Note that these preferences apply to all users of the NAM.

Activity Verification

You have completed this task when you have successfully created a new user and the new user is listed in the User local database.

Lab 3-2: Deploying Collection Mechanisms

Complete this lab activity to practice what you learned in the related module.
Activity Objective

In this activity, you will configure the hosting switch to enable mini-RMON and view the collected statistics. Next, you will choose a port to be spanned to the NAM for in-depth RMON II analysis. Numerous RMON II collections will be enabled and viewed. Finally, a historical report will be generated.

After completing this activity, you will be able to meet these objectives:
■ Enable and view mini-RMON per-port statistics
■ Span a port to the NAM and enable collections
■ View various NAM analysis reports
■ Generate a historical report

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Lab 3-2: Deploying Collection Mechanisms]

The pod with the equipment for this lab exercise is divided into two independent subpods with the following devices and VLANs:
■ Subpod1: 6500-1, 4900-1, PC1, Server1, and VLANs 11, 13, 99
■ Subpod2: 6500-2, 4900-2, PC6, Server3, and VLANs 21, 23, 99

Divide into subgroups in each pod to complete the following tasks.

Note    Throughout the lab exercise the steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

IP Addressing

The IP addressing scheme in the following table lists the IP addresses of the PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces and Layer 3 physical interfaces, where "P" is your pod number.
Pod Addressing

Device    IP Subnet    Subnet Mask    Device IP      Default Gateway    VLAN
PC1       10.P.13.0    /24            10.P.13.25     10.P.13.1          13
PC6       10.P.23.0    /24            10.P.23.25     10.P.23.1          23
Server1   10.P.11.0    /24            10.P.11.10     10.P.11.1          11
                                      10.P.11.20
                                      10.P.11.30
                                      10.P.11.40
Server3   10.P.21.0    /24            10.P.21.10     10.P.21.1          21
                                      10.P.21.20
                                      10.P.21.30
                                      10.P.21.40

Device    VLAN    IP Subnet    Subnet Mask    Device IP
6500-1    11      10.P.11.0    /24            10.P.11.1
6500-1    13      10.P.13.0    /24            10.P.13.1
6500-1    99      10.P.99.0    /24            10.P.99.1
6500-2    21      10.P.21.0    /24            10.P.21.1
6500-2    23      10.P.23.0    /24            10.P.23.1
6500-2    99      10.P.99.0    /24            10.P.99.1

Required Resources

These are the resources and equipment required to complete this activity:
■ Two (2) Cisco Catalyst 6500 Series Switches
■ Two (2) Cisco Catalyst 6500 Series Switch Ethernet modules
■ Two (2) Cisco Catalyst 6500 Series Switch Supervisor 720-10G-3C modules
■ Two (2) Cisco Catalyst 6500 Series Switch NAM service modules
■ Two (2) Cisco Catalyst 4948 Switches
■ Two (2) Microsoft Windows XP clients
■ Two (2) Microsoft Windows 2003 servers

Job Aids

This job aid is available to help you complete the lab activity. Fill in the information provided by your instructor.

Description                              Value
NAM slot                                 4
Management VLAN                          99
NAM IP address                           10.P.99.2 255.255.255.0
NAM default gateway                      10.P.99.1
NAM system domain name                   NAM-1.labgear.net
NAM host name (DNS name)                 NAM-1
IP address of name server                10.P.99.254
NAM web access account (user/password)   admin/cisco
Trunk port to be spanned                 GigabitEthernet3/13

Note    This lab exercise is a continuation of the previous lab exercise. Thus, the initial configurations on the switches and NAM should already be present. If the configurations are not available, redo Tasks 1 and 2 from the previous lab exercise.
Task 1: Enabling and Viewing Mini-RMON Per-Port Statistics

Students will enable mini-RMON on the Catalyst switch and view the per-port statistics.

Activity Procedure

Complete these steps:

Note    You should be logged in to the NAM Traffic Analyzer desktop.

Step 1  Connect to PC1 and Server1. Share the C disk of Server1 (net use x: \\10.P.11.10\C$, where "P" is your pod number) on PC1 and copy the s72033-adventerprisek9_wan-mz.122-18.SXF4.bin file on PC1 from the c:\tftp directory to the x:\tftp directory.
Step 2  At the same time, start a continuous ping from PC1 to Server1 with the ping 10.P.11.10 -t command, where "P" is your pod number.

These next few steps change the configuration of the switch and enable mini-RMON statistics to be calculated and collected by the supervisor module in the host switch.

Step 3  Choose the Setup tab and the Switch Parameters option. The Switch Information table is displayed. This table can be used to determine if mini-RMON is available.
Step 4  From the suboptions menu on the left side of the screen, click Port Stats (Mini-Rmon).

[Figure: NAM Traffic Analyzer, Port Stats (Mini-Rmon)]

Step 5  The Port Stats (Mini-Rmon) dialog box is displayed detailing the current state of availability of mini-RMON statistics.
Step 6  If not currently enabled, click Enable.
Step 7  To view the mini-RMON availability by port, click Details.
Step 8  If the NAM host switch is a Cisco IOS switch, click Save to write the new configuration to the startup configuration.

Next, allow the NAM to collect the mini-RMON statistics from the host switch supervisor module.

Step 9  Choose the Setup tab and the Monitor option. Make sure the Core Monitoring suboption is chosen.

[Figure: NAM Traffic Analyzer, Core Monitoring]

Step 10 Choose Supervisor from the Data Source drop-down menu. Ensure that Port Stats (Mini-Rmon) is checked. If changes were needed, click Apply.
Next, view the statistics for each operational port.

Step 11 Choose the Monitor tab and the Switch option. Make sure the Port Stats suboption is chosen.
Step 12 The Port Stats table is displayed. There are three basic displays for most analysis reports. By default, the Current Rates table is displayed showing Traffic Rate counts during the last refresh cycle for currently operational ports.

Q1) Which port is reporting the highest utilization? ________

Step 13 Highlight this port and click Real-Time to see port usage over time in a new window. Close this window after viewing.

Q2) On the Port Stats table, what are the options for displaying Count Types?
    1. ________
    2. ________
    3. ________

Step 14 Change the display to TopN Chart.

Q3) How many different variables can be graphed? ________

Step 15 Change the display to Cumulative Data.

Q4) What is this table displaying? ________

Activity Verification

You have completed this task when you attain these results:
■ You have enabled mini-RMON on the host switch
■ You have viewed the collected port statistics

Task 2: Spanning a Port to the NAM and Enabling Collections

You will SPAN a switch port to the NAM and enable collection to allow for RMON II analysis.

Activity Procedure

Complete these steps:

Note    You should be logged in to the NAM Traffic Analyzer desktop.

Step 1  Choose the Setup tab and the Data Sources option. Make sure the SPAN suboption is chosen.

[Figure: NAM Traffic Analyzer, Setup > Data Sources > SPAN]

Step 2  The Active SPAN Sessions dialog box is displayed showing the current SPAN session. If a SPAN session is currently active, click Delete (you cannot create a new SPAN session if one is currently active). Click Create to configure a SPAN session.

Note    If a NAM-2 card is deployed, then a table displays both ports available for spanning. In this case, choose a port first, and then click Create to get to the Create SPAN Session dialog box.
Step 3  The Create SPAN Session dialog box is displayed.

[Figure: Create SPAN Session dialog box]

Q5) What are the SPAN Types available?
    1. ________
    2. ________
    3. ________
    4. ________

Step 4  If the host switch runs Cisco IOS Software, there will be a field for Monitor Session Number (allows for multiple SPAN sessions to various switch ports). Choose 1.
Step 5  For the SPAN Type, click the Switch Port radio button.
Step 6  Choose the module that the port to be spanned resides on (port information to be provided by instructor), and click the Both radio button for SPAN Traffic Direction.
Step 7  The list of ports available on the selected module will be listed in the Available Sources list. Highlight the port dictated by the instructor, and click Add. The port moves to the Selected Sources list.
Step 8  Click Submit to configure the SPAN session.

The next steps will enable monitoring of the data source.

Step 9  Choose the Setup tab and the Monitor option. Make sure the Core Monitoring suboption is chosen.

Note    When using the NAM-1 and changing SPAN sources, it is always a good idea to go through the different data source VLANs and turn off any monitoring, because those VLANs may not be part of the newly spanned data source.

Step 10 The first step is to enable monitoring for the entire data source, which is called ALL SPAN. Make sure ALL SPAN is chosen in the Data Source drop-down menu.

Q6) How many monitoring functions are available? ________

Note    On the NAM-2, the ALL SPAN data source is an aggregate data source, including traffic from both Data Ports 1 and 2. The NAM-2 includes data sources for Data Port 1 and Data Port 2, which will configure monitoring on each individual SPAN session.
Step 11 Enable all monitoring functions except those related to the MAC layer (these would be used to see analyses based on MAC addresses, such as MAC-to-MAC conversations). Click Apply to enable the monitoring.

Next, assuming a trunk port was spanned, determine the VLANs on the trunk port and enable monitoring for the individual VLANs.

Step 12 Choose the Monitor tab and the VLAN option. Make sure the Traffic Statistics suboption is chosen and the ALL SPAN data source is selected on the displayed VLAN Traffic Statistics table.

Q7) List the VLANs reporting traffic.

Step 13 To perform traffic analysis on an individual VLAN basis, you need to enable monitoring on each VLAN. (ALL SPAN can be viewed as an aggregate of all VLAN traffic on the spanned data source.)

Step 14 Choose the Setup tab and the Monitor option. Make sure the Core Monitoring suboption is selected.

Step 15 From the Data Source drop-down menu, select a VLAN recorded previously.

Step 16 Enable all monitoring functions except those related to the MAC layer. Click Apply to enable the monitoring.

Step 17 Repeat Steps 15 and 16 for the remaining VLANs recorded in Step 12.

Note Not all recorded VLANs may be available in the Data Source drop-down menu.

Activity Verification

If this task is completed successfully, the analysis reports in the next task will be available.

Task 3: Viewing Traffic Analysis Reports

You will view various RMON II traffic analysis reports (apps, hosts, and conversations).

Activity Procedure

Complete these steps:

Note You should be logged in to the NAM Traffic Analyzer desktop.

Step 1 Connect to PC1 and Server1. Repeat the copy operation of the s72033-adventerprisek9_wan-mz.122-18.SXF4.bin file on PC1 from the c:\tftp directory to the x:\tftp directory a few times.

Step 2 First, look at the available applications.
Choose the Monitor tab and the Apps option. Make sure the Individual Applications suboption is chosen.

[Figure: NAM Traffic Analyzer, Monitor > Apps > Individual Applications screen]

Step 3 The Applications table should be displayed, showing the most active applications in the last refresh period for the ALL SPAN data source (all traffic seen on the port spanned to the NAM).

Step 4 From the drop-down Data Source list, choose one of the listed VLANs (only VLANs with monitoring enabled should be listed). This allows you to analyze traffic on this specific VLAN.

Step 5 Click on the most active protocol to see a list of all hosts that have used the application since the counters were reset.

Step 6 Highlight the most active application (radio button to the left of the application name) and click Real-Time at the bottom right of the table. Leave the new window that is displayed open for a while to view the application usage over time. Close the window after viewing.

Note There are three basic display types: Current Rates, TopN Chart, and Cumulative Data. You can also sort the table by clicking on a column.

Step 7 Now change the tab option from Apps to Hosts. Make sure the Network Hosts suboption is chosen.

Step 8 A table of the most active hosts is displayed. Drill down into Host Details by clicking on a host.

Q8) What information is displayed?
1.
2.
3.
4.

Step 9 Close the Host Details window, and from the Active Hosts table, select TopN Chart to graphically view the most active hosts.

Q9) How many variables can the TopN host chart display?

Step 10 Now change the tab option from Hosts to Conversations. Make sure the Network Hosts suboption is selected.

Step 11 A table of all active conversations sorted by packets per second in the last refresh period is displayed.
Choose Cumulative Data to view the activity of all conversations since the counters were last reset (usually when the SPAN session was changed).

Activity Verification

You have completed this task when you have successfully viewed RMON II application, host, and conversation reports.

Task 4: Creating Historical Reports

You will create a report to view the usage of the top three applications on a VLAN over time.

Activity Procedure

Complete these steps:

Note You should be logged in to the NAM Traffic Analyzer desktop.

Step 1 Connect to PC1 and Server1. Repeat the copy operation of the s72033-adventerprisek9_wan-mz.122-18.SXF4.bin file on PC1 from the c:\tftp directory to the x:\tftp directory a couple of times.

Step 2 Use the quick report creation method. Choose the Monitor tab and the Apps option. Make sure the Individual Applications suboption is chosen.

[Figure: Applications table with the Report button]

Step 3 The Applications table should be displayed, showing the most active applications in the last refresh period. From the drop-down Data Source list, choose one of the listed VLANs.

Step 4 Highlight the most active application in the list (radio button to the left of the application name), and click Report on the bottom right of the table.

Step 5 A dialog window will inform you that no report exists for this collection and ask if you want to create one. Choose Yes. You will be redirected to the Reports > Basic Reports task, where you will see an entry for your created report.

Step 6 Repeat Steps 1-4 for the next two most active applications on the selected VLAN.

Note There will be no data available for at least 15 minutes (the default collection period for a quick create report).
The instructor will probably call for a break at this time, and the remaining steps will be finished after some time has elapsed to allow for data collection. Remember to repeat the copy operation from PC1 to Server1.

Step 7 Choose the Reports tab and the Basic Reports option. A table of the created historical reports is displayed. Make sure all your reports are listed and have the status of OK.

Step 8 Choose the three reports that you created earlier by checking the box to the left of each report, and click View.

Step 9 A report is displayed showing the historical usage of the three applications on the selected VLAN.

Activity Verification

You have completed this task when you have successfully launched a historical report showing the usage of three applications on the selected VLAN.

Lab 4-1: Deploying High Availability on Cisco Catalyst 6500 Series Switch

Connectivity between VLANs is achieved by configuring Layer 3 functionality on a Layer 3 device (switch or router) in the network. But pure Layer 3 functionality by itself does not provide high availability. When a Layer 3 device failure occurs, inter-VLAN routing is no longer available. To avoid such situations, HSRP, VRRP, and GLBP are used.

Activity Objective

In this activity, you will deploy and monitor HSRP and GLBP. After completing this activity, you will be able to meet these objectives:
- Deploy and configure HSRP
- Examine and verify HSRP operation using show commands
- Deploy and configure GLBP
- Examine and verify GLBP operation using show commands

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Lab 4-1: Deploying High Availability on Cisco Catalyst 6500 Series Switch (P = pod number)]
IP Addressing

The IP addressing scheme in the following table lists the IP addresses of the PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces, and Layer 3 physical interfaces, where "P" is your pod number.

Pod Addressing

Device | IP Subnet | Subnet Mask | Device IP  | Default Gateway | VLAN
PC1    | 10.P.13.0 | /24         | 10.P.13.25 | 10.P.13.1       | 13

Device | VLAN / Interface | IP Subnet    | Subnet Mask | Device IP
6500-1 | VLAN 1           | 10.255.255.0 | /24         | 10.255.255.2
6500-2 | VLAN 1           | 10.255.255.0 | /24         | 10.255.255.3
HSRP   | VLAN 1           | 10.255.255.0 | /24         | 10.255.255.1
GLBP   | VLAN 1           | 10.255.255.0 | /24         | 10.255.255.1
6500-1 | Ten5/4           | 10.254.254.0 | /24         | 10.254.254.1
6500-2 | Ten5/4           | 10.254.254.0 | /24         | 10.254.254.2

Required Resources

These are the resources and equipment required to complete this activity:
- Two (2) Cisco Catalyst 6500 Series Switches
- Two (2) Cisco Catalyst 6500 Series Switch Ethernet modules
- Two (2) Cisco Catalyst 6500 Series Switch Supervisor 720-10G-3C modules
- Two (2) Cisco Catalyst 4900 Series Switches
- Microsoft Windows XP client

Command List

The table describes the commands that are used in this activity.

Command | Description
[no] shutdown | Disables an interface. The no form of this command enables an interface.
[no] switchport | Puts the switch port into Layer 2 (switched) mode. The no form of this command puts the interface into Layer 3 (routed) mode.
glbp grp-id ip virtual-ip | Activates the Gateway Load Balancing Protocol on an interface.
glbp grp-id load-balancing round-robin | Specifies the load-balancing method used by the active virtual gateway.
glbp grp-id preempt | Configures the gateway to take over as the active virtual gateway if it has a higher priority than the current AVG.
glbp grp-id priority priority | Configures the GLBP priority of the virtual gateway.
interface intf-id | Enters interface configuration mode.
ip address ip-addr mask | Sets the IP address and subnet mask on the interface.
ping ip-addr repeat repetitions | Performs an extended ping to an IP address with the specified number of repetitions.
show arp | Displays the content of the ARP table on the switch.
show glbp vlan vlan-id | Displays GLBP status information for a given VLAN.
show standby | Displays HSRP status information.
standby grp-id ip virtual-ip | Activates HSRP on the switch. The virtual-ip parameter defines the IP address of the virtual router.
standby grp-id preempt | Configures HSRP preemption for the given HSRP group.
standby grp-id priority priority | Defines the priority for the virtual router in the HSRP group.
traceroute | Shows which path is being chosen for packets going to the given destination.

Task 1: Removing Previous Configurations

Ensure that no previous configuration exists on the switches in your pod and apply the initial configurations to the devices. The initial configuration includes settings for the Layer 2 interfaces used (trunking, access VLAN set, etc.), VLAN configuration, Layer 3 VLAN configuration, correct power scheme, etc. The initial configurations are available on the individual device file system as specified in the following steps.

Activity Procedure

Complete these steps on each switch in your pod:

Step 1 Connect to the 6500-1 switch via console and apply the following:
- Replace the current running configuration with the configuration from file disk0:dcni1_lab41_6500-1 using the configure replace disk0:dcni1_lab41_6500-1 command. When asked to proceed, press Y.
- Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
- Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.
Step 2 Connect to the 6500-2 switch via console and apply the following:
- Replace the current running configuration with the configuration from file disk0:dcni1_lab41_6500-2 using the configure replace disk0:dcni1_lab41_6500-2 command. When asked to proceed, press Y.
- Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
- Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.

Step 3 Connect to the 4900-1 switch via console and apply the following:
- Replace the current running configuration with the configuration from file bootflash:dcni1_lab41_4900-1 using the configure replace bootflash:dcni1_lab41_4900-1 command. When asked to proceed, press Y.

Step 4 Connect to the 4900-2 switch via console and apply the following:
- Replace the current running configuration with the configuration from file bootflash:dcni1_lab41_4900-2 using the configure replace bootflash:dcni1_lab41_4900-2 command. When asked to proceed, press Y.

Task 2: Setting the Initial Switch Configuration

In this task, you will set the initial Layer 2 and Layer 3 interface configuration on Cisco Catalyst 6500 and 4900 Series Switches.

Activity Procedure

Complete these steps:

Step 1 Apply the following configuration on the 4900-1 switch:
- Create interface VLAN1 and set IP address 10.255.255.11 255.255.255.0

Step 2 Apply the following configuration on the 4900-2 switch:
- Create interface VLAN1 and set IP address 10.255.255.12 255.255.255.0

Step 3 Verify the following connectivity:
- Ping from 4900-1 to 10.255.255.253 and 10.255.255.254
- Ping from 4900-2 to 10.255.255.253 and 10.255.255.254

Note The 6500-1 and 6500-2 initial configurations include EIGRP process 1, which announces routes between the two switches. Thus the ping should be successful.

4900-1#ping 10.255.255.253
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.255.255.253, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
4900-1#ping 10.255.255.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.255.255.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

4900-2#ping 10.255.255.253
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.255.255.253, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
4900-2#ping 10.255.255.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.255.255.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Task 3: Implementing HSRP

In this task, you will configure HSRP for redundancy on each of the Layer 3 devices for your workgroup. You will configure basic HSRP functionality and tune HSRP for better efficiency; that is, influence the HSRP active and standby election by setting the HSRP priority.

Activity Procedure

Complete these steps:

Step 1 Use the standby group-number ip virtual-router-ip-address command to configure HSRP on the 6500-1 switch using the following information:
- Virtual IP: 10.255.255.1
- HSRP group: 1
- HSRP priority: 150
- HSRP preempt

Step 2 Use the standby group-number ip virtual-router-ip-address command to configure HSRP on the 6500-2 switch using the following information:
- Virtual IP: 10.255.255.1
- HSRP group: 1

Step 3 Use the show standby command to verify HSRP operation. Your output should be similar to the following printout.

6500-1#show standby
Vlan1 - Group 1
  State is Active
    1 state change, last state change 00:03:46
  Virtual IP address is 10.255.255.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.744 secs
  Preemption enabled
  Active router is local
  Standby router is 10.255.255.3, priority 100 (expires in 9.568 sec)
  Priority 150 (configured 150)
  IP redundancy name is "hsrp-Vl1-1" (default)

Step 4 Verify the following connectivity:
- Ping from 4900-1 to 10.P.13.25 (where "P" is your pod number)
- Ping from 4900-2 to 10.P.13.25 (where "P" is your pod number)

4900-1#ping 10.4.13.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

4900-2#ping 10.4.13.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Step 5 Examine the MAC address for 10.255.255.1 on 4900-1 and 4900-2. It should be the same in both cases.

4900-1#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.255.255.11           -   0019.e72a.20ff  ARPA   Vlan1
Internet  10.255.255.2           37   0017.dfd0.2400  ARPA   Vlan1
Internet  10.255.255.3           37   0017.dfd0.3800  ARPA   Vlan1
Internet  10.255.255.1            8   0000.0c07.ac01  ARPA   Vlan1

4900-2#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.255.255.12           -   0019.e72a.1f3f  ARPA   Vlan1
Internet  10.255.255.2           37   0017.dfd0.2400  ARPA   Vlan1
Internet  10.255.255.3           37   0017.dfd0.3800  ARPA   Vlan1
Internet  10.255.255.1            8   0000.0c07.ac01  ARPA   Vlan1

Step 6 Verify that HSRP is operating in case of an active router failure. Start a continuous ping from 4900-1 to 10.P.13.25 with the ping 10.P.13.25 repeat 10000 command (where "P" is your pod number).

Step 7 Disable the VLAN1 interface on 6500-1 and observe the continuous ping issued on 4900-1. You should see a brief connectivity outage, which is eliminated once the 6500-2 takes over the active role.
4900-1#ping 10.4.13.25 repeat 10000
Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
[ping output: mostly !, with a short run of . during the failover]

6500-2#show standby
Vlan1 - Group 1
  State is Active
    8 state changes, last state change 00:02:58
  Virtual IP address is 10.255.255.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.408 secs
  Preemption disabled
  Active router is local
  Standby router is unknown
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Vl1-1" (default)

Step 8 Examine the path that packets take between 4900-1 and PC1 using the traceroute command. Your result should be similar to the following printout.

4900-1#traceroute 10.4.13.25
Type escape sequence to abort.
Tracing the route to 10.4.13.25
  1 10.255.255.3 0 msec 0 msec
  2 10.254.254.1 0 msec 0 msec 0 msec
  3 10.4.13.25 0 msec 0 msec 0 msec

Step 9 Re-enable the Vlan1 interface on 6500-1.

Task 4: Implementing GLBP

In this task, you will configure GLBP for redundancy on each of the Layer 3 devices for your workgroup. You will configure GLBP functionality and tune GLBP for better efficiency; that is, influence the GLBP AVG election by setting the GLBP priority.

Activity Procedure

Complete these steps:

Step 1 Configure GLBP on the 6500-1 switch using the following information:
- Virtual IP: 10.255.255.1
- GLBP group: 1
- GLBP priority: 150
- GLBP preempt
- Load balancing: round-robin

Step 2 Configure GLBP on the 6500-2 switch using the following information:
- Virtual IP: 10.255.255.1
- GLBP group: 1
- Load balancing: round-robin

Step 3 Verify GLBP operation. Your output should be similar to the following printout.
6500-1#show glbp
Vlan1 - Group 1
  State is Active
    1 state change, last state change 00:03:52
  Virtual IP address is 10.255.255.1
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.632 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Preemption enabled, min delay 0 sec
  Active is local
  Standby is 10.255.255.3, priority 100 (expires in 9.032 sec)
  Priority 150 (configured)
  Weighting 100 (default 100), thresholds: lower 1, upper 100
  Load balancing: round-robin
  Group members:
    0017.dfd0.2400 (10.255.255.2) local
    0017.dfd0.3800 (10.255.255.3)
  There are 2 forwarders (1 active)
  Forwarder 1
    State is Active
      1 state change, last state change 00:03:41
    MAC address is 0007.b400.0101 (default)
    Owner ID is 0017.dfd0.2400
    Redirection enabled
    Preemption enabled, min delay 30 sec
    Active is local, weighting 100
  Forwarder 2
    State is Listen
    MAC address is 0007.b400.0102 (learnt)
    Owner ID is 0017.dfd0.3800
    Redirection enabled, 599.232 sec remaining (maximum 600 sec)
    Time to live: 14399.232 sec (maximum 14400 sec)
    Preemption enabled, min delay 30 sec
    Active is 10.255.255.3 (primary), weighting 100 (expires in 9.536 sec)

Step 4 Verify the following connectivity:
- Ping from 4900-1 to 10.P.13.25 (where "P" is your pod number)
- Ping from 4900-2 to 10.P.13.25 (where "P" is your pod number)

4900-1#ping 10.4.13.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

4900-2#ping 10.4.13.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Step 5 Examine the MAC address for 10.255.255.1 on 4900-1 and 4900-2. It is different on 4900-1 and 4900-2.
4900-1#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.255.255.11           -   0019.e72a.20ff  ARPA   Vlan1
Internet  10.255.255.1            0   0007.b400.0101  ARPA   Vlan1

4900-2#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.255.255.12           -   0019.e72a.1f3f  ARPA   Vlan1
Internet  10.255.255.1            0   0007.b400.0102  ARPA   Vlan1

Step 6 Verify that GLBP is operating in case of an active router failure. Start a continuous ping from 4900-1 to 10.P.13.25 with the ping 10.P.13.25 repeat 10000 command (where "P" is your pod number).

Step 7 Disable the VLAN1 interface on 6500-1 and observe the continuous ping issued on 4900-1. You should see a brief connectivity outage, which is eliminated once the 6500-2 takes over the active forwarder role.

4900-1#ping 10.4.13.25 repeat 10000
Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
[ping output: mostly !, with a short run of . during the failover]

6500-2#show standby
Vlan1 - Group 1
  State is Active
    8 state changes, last state change 00:02:58
  Virtual IP address is 10.255.255.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.408 secs
  Preemption disabled
  Active router is local
  Standby router is unknown
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Vl1-1" (default)

Step 8 Examine the GLBP information on 6500-2 with the show glbp vlan 1 command. The output shows that 6500-2 is now the AVF for both MAC addresses.

6500-2#show glbp vlan 1
Vlan1 - Group 1
  State is Active
    2 state changes, last state change 00:01:41
  Virtual IP address is 10.255.255.1
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.832 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Preemption disabled
  Active is local
  Standby is unknown
  Priority 100 (default)
  Weighting 100 (default 100), thresholds: lower 1, upper 100
  Load balancing: round-robin
  Group members:
    0017.dfd0.3800 (10.255.255.3) local
  There are 2 forwarders (2 active)
  Forwarder 1
    State is Active
      1 state change, last state change 00:01:42
    MAC address is 0007.b400.0101 (learnt)
    Owner ID is 0017.dfd0.2400
    Redirection enabled, 486.144 sec remaining (maximum 600 sec)
    Time to live: 14286.144 sec (maximum 14400 sec)
    Preemption enabled, min delay 30 sec
    Active is local, weighting 100
  Forwarder 2
    State is Active
      1 state change, last state change 00:16
    MAC address is 0007.b400.0102 (default)
    Owner ID is 0017.dfd0.3800
    Redirection enabled
    Preemption enabled, min delay 30 sec
    Active is local, weighting 100

Step 9 Examine the path that packets take between 4900-1 and PC1 using the traceroute command. Your result should be similar to the following printout.

4900-1#traceroute 10.4.13.25
Type escape sequence to abort.
Tracing the route to 10.4.13.25
  1 10.255.255.3 0 msec 0 msec
  2 10.254.254.1 0 msec 0 msec 0 msec
  3 10.4.13.25 0 msec 0 msec 0 msec

Answer Key

The correct answers and expected solutions for the activities that are described in this guide appear here.
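Before the answer keys, an added example for Lab 4-1 Tasks 3 and 4 (this script is not part of the original lab guide): it decodes the HSRP v1 and GLBP virtual MAC addresses that the show arp printouts show for 10.255.255.1, parses the key lines of show standby / show glbp, and reports the two conditions a network team would want an alert on: the gateway IP answering from a non-virtual MAC, and a router that is active with no standby peer. The sample outputs are constructed after the lab printouts; ARP_ROGUE is a constructed failure case and the function names are assumptions.

```python
"""Audit first-hop redundancy (HSRP v1 / GLBP) state from Cisco IOS output.
Added example for Lab 4-1, not part of the lab guide. Samples below are
constructed after the lab printouts; ARP_ROGUE is a constructed failure."""
import re

HSRP_V1_PREFIX = "0000.0c07.ac"  # 0000.0c07.acXX, XX = HSRP group (hex)
GLBP_PREFIX = "0007.b400."       # 0007.b400.GGFF, GG = group, FF = forwarder
ARP_LINE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f.]{14})\s+ARPA",
                      re.MULTILINE | re.IGNORECASE)


def classify_vmac(mac):
    """Return (protocol, group, forwarder) for a virtual MAC, else None."""
    m = mac.lower()
    if m.startswith(HSRP_V1_PREFIX):
        return ("HSRP", int(m[-2:], 16), None)
    if m.startswith(GLBP_PREFIX):
        return ("GLBP", int(m[-4:-2], 16), int(m[-2:], 16))
    return None


def gateway_mac(show_arp, gateway_ip):
    """MAC the access switch has learned for the virtual gateway IP."""
    for ip, mac in ARP_LINE.findall(show_arp):
        if ip == gateway_ip:
            return mac.lower()
    return None


def check_gateway(show_arp, gateway_ip, proto, group):
    """Findings about the gateway MAC; an empty list means as expected."""
    mac = gateway_mac(show_arp, gateway_ip)
    if mac is None:
        return ["no ARP entry for %s" % gateway_ip]
    info = classify_vmac(mac)
    if info is None:
        # A physical MAC answering for the VIP means a real router (or an
        # impostor) has replaced the virtual gateway: worth an alert.
        return ["%s resolves to non-virtual MAC %s" % (gateway_ip, mac)]
    if (info[0], info[1]) != (proto, group):
        return ["%s is %s group %d, expected %s group %d"
                % (gateway_ip, info[0], info[1], proto, group)]
    return []


def parse_status(text):
    """Key fields of 'show standby' / 'show glbp' for the first group."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1) if m else None
    return {"state": grab(r"^\s*State is (\w+)"),
            "active": grab(r"^\s*Active(?: router)? is ([^\s,]+)"),
            "standby": grab(r"^\s*Standby(?: router)? is ([^\s,]+)"),
            "preempt": grab(r"^\s*Preemption (\w+)")}


def audit_status(status, expect_active_local):
    """Findings from one router's view of its group."""
    findings = []
    if status["standby"] in (None, "unknown"):
        findings.append("no standby router: redundancy lost")
    if expect_active_local and status["active"] != "local":
        findings.append("expected active here, active is %s" % status["active"])
    return findings


# Constructed after the Lab 4-1 'show arp' / 'show standby' printouts.
ARP_HSRP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.255.255.11           -   0019.e72a.20ff  ARPA   Vlan1
Internet  10.255.255.1            8   0000.0c07.ac01  ARPA   Vlan1
"""
ARP_GLBP = "Internet  10.255.255.1            0   0007.b400.0102  ARPA   Vlan1\n"
# Constructed failure case: the VIP answered by 6500-2's physical MAC.
ARP_ROGUE = "Internet  10.255.255.1            0   0017.dfd0.3800  ARPA   Vlan1\n"
SHOW_STANDBY_6500_2 = """\
Vlan1 - Group 1
  State is Active
  Virtual IP address is 10.255.255.1
  Preemption disabled
  Active router is local
  Standby router is unknown
"""


def run_checks():
    """Run every check over the samples; returns {check: findings}."""
    return {
        "4900-1 HSRP": check_gateway(ARP_HSRP, "10.255.255.1", "HSRP", 1),
        "4900-2 GLBP": check_gateway(ARP_GLBP, "10.255.255.1", "GLBP", 1),
        "rogue gateway": check_gateway(ARP_ROGUE, "10.255.255.1", "HSRP", 1),
        "6500-2 after failover": audit_status(
            parse_status(SHOW_STANDBY_6500_2), expect_active_local=True),
    }


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print("%-22s %s" % (name, "; ".join(findings) or "OK"))
```

Fed the real show arp and show standby text from the pod switches, the same checks flag a gateway whose MAC no longer matches the configured protocol and group, or a lone active router after a failover such as the one in Step 7.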
Lab 1-1 Answer Key: Deploying and Examining the VSS 1440 Operation

Task 1: Removing Previous Configurations

When you complete this activity, the following has been applied in the privileged (enable) mode on the 4900-1 switch, with differences that are specific to your device or workgroup:

configure replace bootflash:dcni1_lab11_4900-1

When you complete this activity, the following has been applied in the privileged (enable) mode on the 4900-2 switch, with differences that are specific to your device or workgroup:

configure replace bootflash:dcni1_lab11_4900-2

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab11_6500-1

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-2 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab11_6500-2

Task 2: Converting Standalone Chassis to VSS Mode

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

copy running-config startup-config
!
switch virtual domain 10
 switch 1
!
interface Port-channel1
 switch virtual link 1
!
interface TenGigabitEthernet5/4
 no switchport
 channel-group 1 mode on
!
interface Port-channel1
 no shutdown

When you complete this activity, the following configuration has been applied on the 6500-2 switch, with differences that are specific to your device or workgroup:

copy running-config startup-config
!
switch virtual domain 10
 switch 2
!
interface Port-channel2
 switch virtual link 2
!
interface TenGigabitEthernet5/4
 no switchport
 channel-group 2 mode on
!
interface Port-channel2
 no shutdown
!
interface GigabitEthernet2/3/13
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 no shutdown
!
interface GigabitEthernet2/3/14
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 no shutdown

Task 3: Deploying Multichassis EtherChannel

When you complete this activity, the following configuration has been applied on the 4900-1 switch, with differences that are specific to your device or workgroup:

interface range gigabitEthernet 1/13 - 14
 channel-protocol pagp
 channel-group 10 mode desirable
 no shutdown

When you complete this activity, the following configuration has been applied on the 4900-2 switch, with differences that are specific to your device or workgroup:

interface range gigabitEthernet 1/13 - 14
 channel-protocol pagp
 channel-group 20 mode desirable
 no shutdown

When you complete this activity, the following configuration has been applied on the 6500-1 (VSS) switch, with differences that are specific to your device or workgroup:

interface range GigabitEthernet 1/3/13, GigabitEthernet 2/3/13
 channel-protocol pagp
 channel-group 10 mode desirable
!
interface port-channel 10
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown
!
interface range GigabitEthernet 1/3/14, GigabitEthernet 2/3/14
 channel-protocol pagp
 channel-group 20 mode desirable
!
interface port-channel 20
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown

Task 4: Deploying BFD Dual-Active Detection Mechanisms
When you complete this activity, the following configuration has been applied on the 6500-1 (VSS) switch, with differences that are specific to your device or workgroup:

interface GigabitEthernet1/3/47
 no switchport
 ip address 10.255.1.1 255.255.255.0
 bfd interval 100 min_rx 100 multiplier 50
 no shutdown
!
interface GigabitEthernet2/3/47
 no switchport
 ip address 10.255.2.1 255.255.255.0
 bfd interval 100 min_rx 100 multiplier 50
 no shutdown
!
switch virtual domain 10
 dual-active detection bfd
 dual-active pair interface GigabitEthernet1/3/47 interface GigabitEthernet2/3/47 bfd

Demonstration 1-2 Answer Key: Deploying and Examining Cisco IOS Software Modularity

Task 1 (Demonstration): Removing Previous Configurations

When the activity is completed, the following is applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab12_6500-1
reload

Lab 1-3 Answer Key: Deploying QoS

Task 1: Removing Previous Configurations

When you complete this activity, the following has been applied in the privileged (enable) mode on the 4900-1 switch, with differences that are specific to your device or workgroup:

configure replace bootflash:dcni1_lab13_4900-1

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab13_6500-1

Task 2: Verifying Capabilities for QoS

When you complete this activity, the following configuration has been applied on the 4900-1 switch, with differences that are specific to your device or workgroup:

mls qos

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

mls qos

Task 3: Defining the Port Trust and Policy Maps

When you complete this activity, the following configuration has been applied on the
4900-1 switch, with differences that are specific to your device or workgroup:

access-list 101 permit ip host 10.4.11.10 any
!
class-map match-any CM-IP
 match access-group 101
 match ip dscp default
!
policy-map PM-ratelimitServer1
 class CM-IP
  police 2000000 25000 conform-action transmit exceed-action drop
!
interface GigabitEthernet 1/1
 service-policy input PM-ratelimitServer1

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

access-list 100 permit icmp host 10.4.13.25 host 10.4.11.10
!
class-map match-any CM-ICMP
 match access-group 100
!
policy-map PM-ratelimit
 class CM-ICMP
  police 100000 conform-action transmit exceed-action drop
!
interface GigabitEthernet 3/3
 service-policy input PM-ratelimit
!
access-list 101 permit ip host 10.4.13.25 host 10.4.11.10
!
class-map match-any CM-IP
 match access-group 101
!
policy-map PM-ratelimit
 class CM-IP
  police 50000 conform-action transmit exceed-action drop
!
interface GigabitEthernet 3/3
 no service-policy input PM-ratelimit
!
interface GigabitEthernet3/13
 mls qos trust cos

Task 4: Marking Traffic to Be Policed

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

mls qos map policed-dscp normal-burst 32 to 16
!
policy-map PM-DSCP
 class CM-IP
  police 500000 conform-action transmit exceed-action policed-dscp-transmit
!
interface GigabitEthernet 3/3
 no service-policy input PM-ratelimit
 service-policy input PM-DSCP
Task 5: Deploying CoPP

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

access-list 102 permit icmp any any
!
class-map match-any CM-icmpcopp
 match access-group 102
!
policy-map PM-copp
 class CM-icmpcopp
  police 350000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input PM-copp

Lab 1-4 Answer Key: Deploying and Examining EEM

Task 1: Removing Previous Configurations

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab14_6500-1

Task 2: Configuring and Verifying EEM Applet Operation

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

event manager applet BKPCFG
 event cli pattern "exit" sync no skip no
 action 1.0 cli command "enable"
 action 2.0 cli command "config t"
 action 3.0 cli command "file prompt quiet"
 action 4.0 cli command "exit"
 action 5.0 cli command "copy running disk0:/config-bkp"
 action 6.0 cli command "config t"
 action 7.0 cli command "no file prompt quiet"
 action 8.0 cli command "exit"

Lab 1-5 Answer Key: Deploying Automated Diagnostics

Task 1: Removing Previous Configurations

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab15_6500-1
Task 2: Using TDR for Troubleshooting

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

test cable-diagnostics tdr interface GigabitEthernet 3/13
!
interface GigabitEthernet 3/48
 no shutdown
!
test cable-diagnostics tdr interface GigabitEthernet 3/48

Task 4: Deploying Call Home Functionality

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

call-home
 contact-email-addr joe@acme.com
 street-address "1 Acme rd."
 customer-id Acme001
 site-id AcmeCentralLocation
 profile PR-ACME
  destination transport-method email
  destination address email [email protected]
  destination preferred-msg-format long-text
  active
!
call-home
 alert-group all
 profile PR-ACME
  subscribe-to-alert-group all severity notification
  exit
 mail-server 10.4.11.10 priority 10
!
service call-home

With all alert groups subscribed, Call Home messages carry inventory, configuration and diagnostic detail about the switch, and the email transport hands them to the mail server as ordinary SMTP. Keep that mail server on a management segment that user VLANs cannot reach.

Lab 1-6 Answer Key: Deploying SPAN

Task 1: Removing Previous Configurations

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab16_6500-1

Task 2: Configuring SPAN

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

monitor session 1 source interface GigabitEthernet 3/13 both
monitor session 1 destination interface GigabitEthernet 3/3
Task 3: Configuring RSPAN

When you complete this activity, the following configuration has been applied on the 4900-1 switch, with differences that are specific to your device or workgroup:

vlan 99
 remote-span
!
monitor session 1 source interface GigabitEthernet 1/1 both
monitor session 1 destination remote vlan 99

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

no monitor session 1
!
vlan 99
 remote-span
!
monitor session 1 source remote vlan 99
monitor session 1 destination interface GigabitEthernet 3/3

The RSPAN VLAN must exist, with remote-span set, on every switch between the source and the destination, and it must carry nothing else: the mirrored frames are visible on every trunk that carries VLAN 99.

Lab 2-1 Answer Key: Deploying the FWSM in Transparent Mode

Task 1: Removing Previous Configurations

When you complete this activity, the following has been applied in the privileged (enable) mode on the 4900-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab21_4900-1

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab21_6500-1

Task 2: Configuring Cisco Catalyst 6500 Series Switch Switching Functions

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

no interface vlan 11
!
vlan 10
 name Outside
!
interface vlan 10
 ip address 10.P.11.1 255.255.255.0
 no shutdown
 exit
!
firewall vlan-group 1 10,11
firewall module 2 vlan-group 1
!
session slot 2 processor 1

VLAN 11 loses its SVI because, in transparent mode, the FWSM bridges VLAN 10 and VLAN 11 into a single IP subnet; the switch keeps its address on the outside VLAN only.

Task 3: Configuring FWSM Interfaces

When you complete this activity, the following configuration has been applied on the FWSM in the 6500-1 switch, with differences that are specific to your device or workgroup:

enable
configure terminal
clear config all
delete /noconfirm disk:*
!
reload
!
firewall transparent
!
interface vlan 10
 nameif outside
interface vlan 11
 nameif inside

Task 4: Configuring IP Parameters

When you complete this activity, the following configuration has been applied on the FWSM in the 6500-1 switch, with differences that are specific to your device or workgroup:

interface vlan 10
 bridge-group 1
interface vlan 11
 bridge-group 1
interface bvi 1
 ip address 10.P.11.2 255.255.255.0
!
route outside 0 0 10.P.11.1

Task 5: Configuring Network Access

When you complete this activity, the following configuration has been applied on the FWSM in the 6500-1 switch, with differences that are specific to your device or workgroup:

access-list allow-in extended permit icmp host 10.P.13.25 host 10.P.11.10
access-list allow-in extended permit tcp any host 10.P.11.20 eq www
access-list allow-out extended permit ip any any
!
access-group allow-in in interface outside
access-group allow-out in interface inside

Every FWSM access list ends with an implicit deny, so the outside interface admits only the two listed flows (ICMP from 10.P.13.25 to 10.P.11.10, and HTTP from anywhere to 10.P.11.20) and drops every other IP flow arriving there.

Task 6: Demonstrating the Firewall

When you complete this activity, the following configuration has been applied on the FWSM in the 6500-1 switch, with differences that are specific to your device or workgroup:

exit
!
session slot 2 processor 1
enable
!
exit
!
configure terminal
!
port-channel load-balance src-dst-port
!
session slot 2 processor 1
enable
clear xlate
no firewall transparent

Lab 2-2 Answer Key: Deploying Multiple Contexts on FWSM

Task 1: Removing Previous Configurations

When you complete this activity, the following has been applied in the privileged (enable) mode on the 4900-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab22_4900-1

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab22_6500-1

Task 2: Configuring Cisco Catalyst 6500 Series Switch Switching Functions

When you
complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

vlan 10
 name outside
vlan 11
 name testing
vlan 12
 name production
!
no interface vlan 11
no interface vlan 12
!
interface vlan 10
 ip address 10.P.10.1 255.255.255.0
 no shutdown
!
firewall vlan-group 1 10,11,12
firewall module 2 vlan-group 1
port-channel load-balance src-dst-port
!
ip route 10.P.11.0 255.255.255.0 10.P.10.2
ip route 10.P.12.0 255.255.255.0 10.P.10.3

Task 3: Creating Contexts

When you complete this activity, the following configuration has been applied on the FWSM in the 6500-1 switch, with differences that are specific to your device or workgroup:

enable
configure terminal
mode multiple
!
session slot 2 processor 1
enable
configure terminal
!
context admin
 allocate-interface vlan10
!
context testing
 allocate-interface vlan10 test_outside
 allocate-interface vlan11 test_inside
 config-url disk:/testing.cfg
!
context production
 allocate-interface vlan10 prod_outside
 allocate-interface vlan12 prod_inside
 config-url disk:/production.cfg
exit

VLAN 10 is allocated to all three contexts and is therefore shared between them; only the inside VLANs (11 and 12) are private to the testing and production contexts.

Task 4: Configuring Contexts

When you complete this activity, the following configuration has been applied on the FWSM in the 6500-1 switch, with differences that are specific to your device or workgroup:

changeto context admin
configure terminal
!
interface vlan 10
 nameif mgmt
 security 100
 ip address 10.P.10.254 255.255.255.0
!
http 10.P.13.25 255.255.255.255 mgmt
http server enable
!
aaa authentication http console LOCAL
!
username admin password bigboss privilege 15
!
route mgmt 0 0 10.P.10.1
!
exit
!
copy running-config startup-config

A login to the admin context also gives access to the system execution space, and therefore to every other context, so limiting its HTTP access to the single management host 10.P.13.25 matters more here than in the user contexts.

changeto context testing
!
configure terminal
!
interface test_inside
 nameif inside
 security 100
!
interface test_outside
 nameif outside
 security 1
 ip address 10.P.10.2 255.255.255.0
!
route outside 0 0 10.P.10.1
!
interface test_inside
 ip address 10.P.11.1 255.255.255.0
!
access-list permit-all permit ip any any
access-group permit-all in interface inside
access-group permit-all in interface outside
!
static (inside,outside) 10.P.11.0 10.P.11.0 netmask 255.255.255.0
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 exit
exit
!
username admin password testboss privilege 15
!
aaa authentication http console LOCAL
http 10.P.13.25 255.255.255.255 outside
http server enable
!
copy running-config startup-config
!
changeto context production
configure terminal
!
interface prod_outside
 nameif outside
 security 10
interface prod_inside
 nameif inside
 security 100
!
interface prod_inside
 ip address 10.P.12.1 255.255.255.0
interface prod_outside
 ip address 10.P.10.3 255.255.255.0
!
route outside 0 0 10.P.10.1
!
access-list internet permit ip any any
!
access-list public_access permit tcp any any eq www
!
access-group internet in interface inside
access-group public_access in interface outside
!
static (inside,outside) 10.P.12.0 10.P.12.0 netmask 255.255.255.0
!
username admin password prodcontrol privilege 15
aaa authentication http console LOCAL
http 10.P.13.25 255.255.255.255 outside
http server enable
!
copy running-config startup-config

Lab 2-3 Answer Key: Deploying the FWSM in Routing Mode

Task 1: Removing Previous Configurations

When you complete this activity, the following has been applied in the privileged (enable) mode on the 4900-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab23_4900-1

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab23_6500-1

Task 2: Configuring Cisco Catalyst 6500 Series Switch Switching Functions

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

vlan 10
 name Outside
vlan 11
 name DMZ
vlan 12
 name Inside
!
interface vlan 10
 ip address 10.P.10.1 255.255.255.0
 no shutdown
!
port-channel load-balance src-dst-port
firewall vlan-group 1 10,11,12
firewall module 2 vlan-group 1

Task 3: Connecting the FWSM to the Network

When you complete this activity, the following configuration has been applied on the FWSM in the 6500-1 switch, with differences that are specific to your device or workgroup:

session slot 2 processor 1
enable
configure terminal
!
interface vlan 10
 nameif outside
interface vlan 11
 nameif DMZ
 security 50
interface vlan 12
 nameif inside
!
interface vlan 10
 ip address 10.P.10.2 255.255.255.0
interface vlan 11
 ip address 10.1.11.1 255.255.255.0
interface vlan 12
 ip address 10.1.12.1 255.255.255.0
!
route outside 0 0 10.P.10.1

Task 4: Configuring NAT

When you complete this activity, the following configuration has been applied on the FWSM in the 6500-1 switch, with differences that are specific to your device or workgroup:

nat (inside) 1 10.P.12.0 255.255.255.0
global (outside) 1 10.P.10.100-10.P.10.200
global (dmz) 1 10.P.11.100-10.P.11.200
static (dmz,outside) 10.P.10.11 10.P.11.10

The two global pools are dynamic one-to-one pools, not PAT: each inside host that opens a connection through an interface takes one pool address on that interface, and once the 101 addresses of a pool are in use, further hosts cannot be translated.

Task 5: Configuring Network Access

When you complete this activity, the following configuration has been applied on the FWSM in the 6500-1 switch, with differences that are specific to your device or workgroup:

access-list mode manual-commit
!
access-list internet permit ip any any
access-list public_access permit tcp any host 192.168.100.121 eq www
!
access-list maintenance permit tcp 10.1.10.0 255.255.255.0 any eq telnet
access-list maintenance permit tcp 10.1.10.0 255.255.255.0 any eq www
!
access-group public_access in interface outside
access-list commit
access-group public_access in interface outside
access-group internet in interface inside
access-group maintenance in interface dmz

With access-list mode manual-commit, access-list changes take effect only after access-list commit, which is why the access-group line for the outside interface is repeated after the commit.

Task 6: Configuring Protocol Inspection

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
copy running-config startup-config
!

With inspect icmp enabled, the FWSM tracks ICMP echo requests as connections and admits only the matching replies, instead of needing a permit for ICMP in the return direction.
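The Lab 2-1 (Task 5) and Lab 2-3 (Tasks 4 and 5) access lists and the Lab 2-3 NAT statements, replayed in a Python model of the FWSM packet path. This is an added example, not code from the Cisco lab guide or from the FWSM. It assumes workgroup P = 4, assumes the public_access ACE targets the web server's global address 10.4.10.11 (the lab line names 192.168.100.121, which no other Lab 2-3 line uses), and follows the pre-8.3 PIX/FWSM convention in which an inbound ACL on the outside interface matches the translated (global) destination address. The parser also accepts the extended keyword that the Lab 2-1 lines use.

```python
"""Packet-path model for the FWSM routed-mode build of Lab 2-3 (added example, not Cisco's code).

Covers the ingress ACL lookup (first match wins, implicit deny at the end), the
static (dmz,outside) translation and the dynamic NAT pools of Task 4, including what
happens when a pool runs out. Assumptions: workgroup P = 4, and the public_access ACE
is written against the web server's global address 10.4.10.11 (the lab line names
192.168.100.121, which nothing else in Lab 2-3 uses).
"""
import ipaddress

P = 4                                   # assumption: the lab writes addresses as 10.P.x.y
PORTS = {"www": 80, "telnet": 23}       # port keywords used by the lab's ACEs

ACL_TEXT = f"""
access-list internet permit ip any any
access-list public_access permit tcp any host 10.{P}.10.11 eq www
access-list maintenance permit tcp 10.{P}.10.0 255.255.255.0 any eq telnet
access-list maintenance permit tcp 10.{P}.10.0 255.255.255.0 any eq www
"""
# access-group <name> in interface <ifc>
ACL_BY_INTERFACE = {"outside": "public_access", "inside": "internet", "dmz": "maintenance"}


def _addr(tok):
    """Consume one address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]


def parse_acl(text):
    """'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]' -> {NAME: [ACE, ...]}."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"]:
            continue
        name, rest = tok[1], tok[2:]
        if rest[0] == "extended":
            rest = rest[1:]
        if rest[0] not in ("permit", "deny"):       # e.g. 'access-list mode manual-commit'
            continue
        action, proto = rest[0], rest[1]
        src, rest = _addr(rest[2:])
        dst, rest = _addr(rest)
        port = PORTS[rest[1]] if rest[:1] == ["eq"] else None
        acls.setdefault(name, []).append((action, proto, src, dst, port))
    return acls


def acl_permits(aces, proto, src, dst, dport=None):
    """Walk the ACEs in order; the first match decides. No match is the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, aproto, asrc, adst, aport in aces:
        if aproto in ("ip", proto) and s in asrc and d in adst and aport in (None, dport):
            return action == "permit"
    return False


def _pool(first, last):
    """Expand 'global ... first-last' into the list of pool addresses."""
    a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(a, b + 1)]


class Fwsm:
    def __init__(self):
        self.acls = parse_acl(ACL_TEXT)
        # nat (inside) 1 10.P.12.0 255.255.255.0, with one global pool per egress interface
        self.nat_net = ipaddress.ip_network(f"10.{P}.12.0/24")
        self.pool = {"outside": _pool(f"10.{P}.10.100", f"10.{P}.10.200"),
                     "dmz": _pool(f"10.{P}.11.100", f"10.{P}.11.200")}
        self.xlate = {}                 # (real source, egress interface) -> mapped address
        # static (dmz,outside) 10.P.10.11 10.P.11.10: global on outside -> real host on dmz
        self.static = {("outside", f"10.{P}.10.11"): f"10.{P}.11.10"}

    def route(self, dst):
        """Connected routes for inside and DMZ; everything else follows 'route outside 0 0'."""
        d = ipaddress.ip_address(dst)
        if d in ipaddress.ip_network(f"10.{P}.11.0/24"):
            return "dmz"
        if d in self.nat_net:
            return "inside"
        return "outside"

    def forward(self, ingress, proto, src, dst, dport=None):
        """First packet of a new connection: returns (verdict, src on egress, dst on egress)."""
        # 1. Ingress ACL, matched on the addresses the ingress interface sees (pre-8.3 rules,
        #    so outside clients are checked against the server's global address).
        aces = self.acls.get(ACL_BY_INTERFACE[ingress], [])
        if not acl_permits(aces, proto, src, dst, dport):
            return "deny-acl", src, dst
        # 2. Undo the static for traffic that arrived at a global address.
        real_dst = self.static.get((ingress, dst), dst)
        egress = self.route(real_dst)
        # 3. Dynamic NAT: one pool address per inside host per egress interface, no PAT fallback.
        if ingress == "inside" and ipaddress.ip_address(src) in self.nat_net and egress in self.pool:
            key = (src, egress)
            if key not in self.xlate:
                in_use = {m for (_, e), m in self.xlate.items() if e == egress}
                free = [a for a in self.pool[egress] if a not in in_use]
                if not free:
                    return "drop-pool-exhausted", src, real_dst
                self.xlate[key] = free[0]
            return "permit", self.xlate[key], real_dst
        return "permit", src, real_dst
```

Calling Fwsm().forward("inside", "tcp", ...) for 102 distinct inside hosts shows the Task 4 failure mode: the outside pool 10.4.10.100-200 holds 101 addresses and, with no PAT global configured as a fallback, the 102nd host's first connection is dropped rather than translated. The DMZ server 10.4.11.10 is denied on the dmz interface because the maintenance ACL, as written in the lab, only matches sources in 10.P.10.0/24; whether that is the intended behaviour is a question for the lab author, but it is what the configuration does.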
exit
copy running-config startup-config

Lab 2-4 Answer Key: Deploying the FWSM Failover

Task 1: Removing Previous Configurations

When you complete this activity, the following has been applied in the privileged (enable) mode on the 4900-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab24_4900-1

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab24_6500-1

When you complete this activity, the following has been applied in the privileged (enable) mode on the 4900-2 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab24_4900-2

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-2 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab24_6500-2

Task 2: Configuring Cisco Catalyst 6500 Series Switch Switching Functions

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

vlan 11
 name inside
vlan 10
 name outside
vlan 90
 name failover
vlan 91
 name FWSM-state
!
interface vlan10
 ip address 10.P.10.1 255.255.255.0
 no shutdown
!
firewall vlan-group 1 10,11,90,91
firewall module 2 vlan-group 1
!
interface TenGigabitEthernet 5/4
 switchport
 no shutdown
!
interface GigabitEthernet 3/14
 no shutdown
!
spanning-tree vlan 10,11 root primary

When you complete this activity, the following configuration has been applied on the 6500-2 switch, with differences that are specific to your device or workgroup:

vlan 11
 name inside
vlan 10
 name outside
vlan 90
 name failover
vlan 91
 name FWSM-state
!
interface vlan13
 ip address 10.P.13.2 255.255.255.0
 no shutdown
!
interface vlan10
 ip address 10.P.10.1 255.255.255.0
 no shutdown
!
firewall vlan-group 1 10,11,90,91
firewall module 2 vlan-group 1
!
interface TenGigabitEthernet 5/4
 switchport
 no shutdown
!
interface GigabitEthernet 3/14
 no shutdown
!
spanning-tree vlan 10,11 root primary

Task 3: Configuring Redundant FWSMs

When you complete this activity, the following configuration has been applied on the FWSM in the 6500-1 switch, with differences that are specific to your device or workgroup:

enable
configure terminal
!
failover lan interface failover vlan 90
failover interface ip failover 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
failover link state vlan 91
!
failover interface ip state 192.168.2.1 255.255.255.0 standby 192.168.2.2
failover lan unit primary

Note: On the secondary FWSM (in the 6500-2 switch), enter the failover lan unit secondary command instead of the failover lan unit primary command.

!
failover
!
interface vlan 100
 nameif outside
interface vlan 10
 nameif inside
!
interface vlan 10
 ip address 10.P.10.1 255.255.255.0 standby 10.P.10.2
interface vlan 100
 ip address 192.168.100.10 255.255.255.0 standby 192.168.100.112
!
access-list permit-all permit ip any any
access-group permit-all in interface inside
access-group permit-all in interface outside
!
static (inside,outside) 192.168.100.100 10.P.10.10
!
route outside 10.P.50.0 255.255.255.0 192.168.100.1
route outside 10.P.50.0 255.255.255.0 192.168.100.2
!
no failover active

The failover VLAN carries the configuration and the state VLAN carries the connection table, both in the clear unless a failover key is configured. Keep VLANs 90 and 91 on the inter-chassis link only, off any trunk that user traffic can reach.

Lab 3-1 Answer Key: Deploying the Initial Cisco NAM Configuration

Task 1: Removing Previous Configurations

When you complete this activity, the following has been applied in the privileged (enable) mode on the 4900-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab31_4900-1

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-1 switch, with differences
that are specific to your device or workgroup:

configure replace disk0:dcni1_lab31_6500-1

Task 2: Configuring NAM Network Parameters

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

vlan 99
 name NAM
!
interface vlan 99
 ip address 10.P.99.1 255.255.255.0
!
analysis module 4 management-port access-vlan 99
!
exit
!
session slot 4 processor 1

When you complete this activity, the following configuration has been applied on the NAM in the 6500-1 switch, with differences that are specific to your device or workgroup:

ip address 10.4.99.2 255.255.255.0
ip gateway 10.4.99.1
!
ip domain labgear.net
ip host NAM-1
!
ip nameserver 10.4.99.254
ip http server enable

When you complete this activity, your answers to the questions raised in the instructions will be similar to the answers here:

Q1) What is the current CPU utilization?
The CPU utilization should be low, approximately 1%.

Q2) What are the nine available options under the Monitor tab?
1. Overview
2. Apps
3. Voice/Video
4. Hosts
5. Conversations
6. VLAN
7. DiffServ
8. Response Time
9. Switch

Q3) What are the five suboptions for the Alarms option of the Setup function?
1. NAM MIB Thresholds
2. NAM Voice Thresholds
3. NAM Syslog
4. Switch Thresholds
5. NAM Trap Destination

Q4) List the path to find the NAM network parameters:
(tab) Admin, (option) System, (suboption) Network Parameters

Q5) How many parameters can be set or displayed by this task (name servers count as one parameter even though up to three can be displayed)?
Seven (7)

Q6) What privileges are to be enabled?
Collection view

Q7) At the minimum, what information is needed to enable user authentication using a TACACS+ server?
The TACACS+ server IP address and secret key

Lab 3-2 Answer Key: Deploying Collection Mechanisms

Q1) Which port is reporting the highest utilization?
GigabitEthernet3/13

Q2) On the Port Stats table, what are the three options for displaying Count Types?
1. Current Rates
2. TopN Chart
3. Cumulative Data

Q3) How many different variables can be graphed?
Depends on the Cisco NAM software version

Q4) What is this table displaying?
The data collected since the collection mechanism was started (in/out packets, bytes)

Q5) What are the four SPAN types available?
1. Switch port
2. VLAN
3. EtherChannel
4. RSPAN

Q6) How many monitoring functions are available?
Nine (could be more, depending on the Cisco NAM software)

Q7) List the VLANs reporting traffic.
Depends on the amount of traffic through the switch; it should be at least VLAN 11 and 13 (or VLAN 21 and 23, respectively)

Q8) What information is displayed?
In Packets, Out Packets, In Bytes, Out Bytes, and Non-unicast traffic

Q9) How many variables can the TopN host chart display?
18, but depends on the Cisco NAM software version

Lab 4-1 Answer Key: Deploying High Availability on Cisco Catalyst 6500 Series Switch

Task 1: Removing Previous Configurations

When you complete this activity, the following has been applied in the privileged (enable) mode on the 4900-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab41_4900-1

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab41_6500-1

When you complete this activity, the following has been applied in the privileged (enable) mode on the 4900-2 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab41_4900-2

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-2 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab41_6500-2

Task 2: Setting the Initial Switch Configuration

When you complete this activity, your configuration on the 4900-1 switch will be similar to the results here, with differences that are specific to your device or workgroup:

interface vlan 1
 ip address 10.255.255.11 255.255.255.0
 no shutdown

When you complete this activity, your configuration on the 4900-2 switch will be similar to the results here, with differences that are specific to your device or workgroup:

interface vlan 1
 ip address 10.255.255.12 255.255.255.0
 no shutdown
Task 3: Implementing HSRP

When you complete this activity, your configuration on the 6500-1 switch will be similar to the results here, with differences that are specific to your device or workgroup:

interface vlan 1
 standby 1 ip 10.255.255.1
 standby 1 priority 150
 standby 1 preempt

When you complete this activity, your configuration on the 6500-2 switch will be similar to the results here, with differences that are specific to your device or workgroup:

interface vlan 1
 standby 1 ip 10.255.255.1

The 6500-2 keeps the default priority of 100 and no preemption, so 6500-1 is active whenever it is up and takes the role back after it recovers.

Task 4: Implementing GLBP

When you complete this activity, your configuration on the 6500-1 switch will be similar to the results here, with differences that are specific to your device or workgroup:

interface vlan 1
 glbp 1 ip 10.255.255.1
 glbp 1 load-balancing round-robin
 glbp 1 priority 150
 glbp 1 preempt

When you complete this activity, your configuration on the 6500-2 switch will be similar to the results here, with differences that are specific to your device or workgroup:

interface vlan 1
 glbp 1 ip 10.255.255.1
 glbp 1 load-balancing round-robin
 glbp 1 priority 150
 glbp 1 preempt

With equal priorities on both switches, the active virtual gateway role goes to the switch with the higher interface address on VLAN 1; both switches forward traffic as active virtual forwarders regardless.
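The HSRP and GLBP elections of Tasks 3 and 4, replayed as an added Python example that is not the lab's or Cisco's code. The two 6500s' own VLAN 1 addresses are not shown in the answer key; 10.255.255.2 and 10.255.255.3 are assumed. The third speaker is a constructed host: neither group carries authentication in the lab configuration, and HSRP and GLBP elect whichever speaker advertises the best priority, which is why standby 1 authentication md5 key-string <key> and glbp 1 authentication md5 key-string <key> belong on groups outside the lab.

```python
"""Active-router election for the HSRP and GLBP groups of Lab 4-1 Tasks 3 and 4
(added example, not Cisco's code). Interface addresses for the two 6500s on VLAN 1
are not given in the answer key; 10.255.255.2 and 10.255.255.3 are assumed here."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    name: str
    ip: str                 # interface address, the tie-breaker
    priority: int = 100     # IOS default for both 'standby' and 'glbp' groups
    preempt: bool = False   # IOS default: no preemption


def election_key(r):
    """Higher priority wins; on a tie the higher interface IP address wins."""
    return (r.priority, int(ipaddress.ip_address(r.ip)))


def elect(speakers, current_active=None):
    """Return the HSRP active router (or GLBP AVG) among the routers currently sending hellos.

    If there is no active router, or it has stopped speaking, the best candidate takes over.
    Otherwise a better candidate displaces the running active router only if it has preempt."""
    best = max(speakers, key=election_key)
    if current_active is None or current_active not in speakers:
        return best
    if best != current_active and best.preempt and election_key(best) > election_key(current_active):
        return best
    return current_active


def glbp_round_robin(forwarders, client_count):
    """The AVG answers successive ARP requests with the AVFs' virtual MACs in turn
    ('glbp 1 load-balancing round-robin'); returns the forwarder chosen for each client."""
    return [forwarders[i % len(forwarders)] for i in range(client_count)]


# Task 3: 6500-1 carries 'standby 1 priority 150' and 'standby 1 preempt'; 6500-2 keeps defaults.
HSRP_6500_1 = Router("6500-1", "10.255.255.2", priority=150, preempt=True)
HSRP_6500_2 = Router("6500-2", "10.255.255.3")

# Task 4: both switches carry 'glbp 1 priority 150' and 'glbp 1 preempt'.
GLBP_6500_1 = Router("6500-1", "10.255.255.2", priority=150, preempt=True)
GLBP_6500_2 = Router("6500-2", "10.255.255.3", priority=150, preempt=True)

# Constructed third speaker on VLAN 1; the lab groups carry no authentication.
ROGUE = Router("rogue-host", "10.255.255.200", priority=255, preempt=True)


def lab_walkthrough():
    """Replays the lab's failover sequence and returns who is active at each step."""
    steps = {}
    steps["hsrp_start"] = elect([HSRP_6500_1, HSRP_6500_2]).name
    steps["hsrp_6500-1_down"] = elect([HSRP_6500_2], HSRP_6500_1).name
    steps["hsrp_6500-1_back"] = elect([HSRP_6500_1, HSRP_6500_2], HSRP_6500_2).name
    no_preempt = Router("6500-1", "10.255.255.2", priority=150, preempt=False)
    steps["hsrp_back_without_preempt"] = elect([no_preempt, HSRP_6500_2], HSRP_6500_2).name
    steps["glbp_avg"] = elect([GLBP_6500_1, GLBP_6500_2]).name          # tie -> higher IP
    steps["rogue_joins"] = elect([HSRP_6500_1, HSRP_6500_2, ROGUE], HSRP_6500_1).name
    steps["arp_spread"] = [r.name for r in glbp_round_robin([GLBP_6500_1, GLBP_6500_2], 4)]
    return steps
```

The hsrp_back_without_preempt step is the one to compare with the lab: without standby 1 preempt on 6500-1, the group would stay on 6500-2 after 6500-1 recovers even though 6500-1 has the higher priority. The rogue_joins step is the reason to add authentication before this configuration leaves the lab.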
