CISCO DATA CENTER NETWORK Lab PDF

Copyright
© © All Rights Reserved
Available Formats
Download as PDF or read online on Scribd
0% found this document useful (0 votes)
296 views

CISCO DATA CENTER NETWORK Lab PDF

Copyright
© © All Rights Reserved
Available Formats
Download as PDF or read online on Scribd
You are on page 1/ 198
CertUniverse.BlogSpot.com

DCNI-1 | Implementing Cisco Data Center Network Infrastructure 1
Version 2.0
Lab Guide
Text Part Number: 97-2676-01

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website.

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED "AS IS." CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESS, IMPLIED, STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. This learning product may contain early release content, and while Cisco believes it to be accurate, it falls subject to the disclaimer above.

DCNI-1 Lab Guide

Overview
This guide presents the instructions and other information concerning the lab activities for this course. You can find the solutions in the lab activity Answer Key.

Outline
This guide includes these activities:
- Lab 1-1: Deploying and Examining the VSS 1440 Operation
- Demonstration 1-2: Deploying and Examining Cisco IOS Software Modularity
- Lab 1-3: Deploying QoS
- Lab 1-4: Deploying and Examining EEM
- Lab 1-5: Deploying Automated Diagnostics
- Lab 1-6: Deploying SPAN
- Lab 2-1: Deploying the FWSM in Transparent Mode
- Lab 2-2: Deploying Multiple Contexts on FWSM
- Lab 2-3: Deploying the FWSM in Routing Mode
- Lab 2-4: Deploying the FWSM Failover
- Lab 3-1: Deploying the Initial Cisco NAM Configuration
- Lab 3-2: Deploying Collection Mechanisms
- Lab 4-1: Deploying High Availability on Cisco Catalyst 6500 Series Switch
- Answer Key

General Lab Topology Information
This section presents the general items that are common to all labs.
Accessing Lab
The lab pod information is provided by the instructor. Use this information to access the assigned pod to complete the lab exercises.

Your Lab Pod Information
  Value         Information Provided by Your Instructor
  Lab Website
  Pod Number
  Username
  Password

Lab Topology
The figure shows the general lab topology used for the DCNI-1 lab exercises and course.
[Figure: DCNI-1 2.0 Lab Topology]

Lab Devices
Each pod consists of the following lab devices:
- Two (2) Cisco Catalyst 6500 Series Switches named 6500-1 and 6500-2, each equipped with Cisco Catalyst 6500 Series FWSM and NAM service modules
- Two (2) Cisco Catalyst 4900 Series Switches named 4900-1 and 4900-2
- Two (2) workstation PCs named PC1 and PC6
- Four (4) servers named Server1, Server2, Server3, and Server4

Implementing Cisco Data Center Network Infrastructure 1 (DCNI-1) v2.0   © 2008 Cisco Systems, Inc.

IP Addressing
The IP addressing scheme in the following table lists the IP addresses of the PCs and servers used in all lab exercises. The IP addresses of these devices do not change. P in the IP address is your pod number through all lab exercises for PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces, FWSM, and NAM interfaces.

Pod Addressing
  Device   IP Subnet   Subnet Mask   Device IP                                        Default Gateway   Device VLAN
  PC1      10.P.13.0   /24           10.P.13.25                                       10.P.13.1         13
  PC6      10.P.23.0   /24           10.P.23.25                                       10.P.23.1         23
  Server1  10.P.11.0   /24           10.P.11.10, 10.P.11.20, 10.P.11.30, 10.P.11.40   10.P.11.1         11
  Server2  10.P.12.0   /24           10.P.12.10, 10.P.12.20, 10.P.12.30, 10.P.12.40   10.P.12.1         12
  Server3  10.P.21.0   /24           10.P.21.10, 10.P.21.20, 10.P.21.30, 10.P.21.40   10.P.21.1         21
  Server4  10.P.22.0   /24           10.P.22.10, 10.P.22.20, 10.P.22.30, 10.P.22.40   10.P.22.1         22

Connecting to Lab Devices

Connecting to Cisco Catalyst 6500 and Catalyst 4900 Series Switches
The Cisco Catalyst 6500 and Catalyst 4900 Series Switches are running the Cisco IOS operating system.
To connect to an individual switch, two options are available:
- Console connection via the icon on the lab exercise page
- Establish a Telnet session from the workstation PC or server once the proper VLANs are configured

Note: The Cisco Catalyst 6500 and Catalyst 4900 Series Switches are initially deployed without any configuration and without a username/password. If a certain switch is configured with a username/password, consult the instructor.

Connecting to the Cisco Catalyst 6500 Series FWSM Service Module
The Cisco Catalyst 6500 Series FWSM service module is running the FWSM operating system. To connect to the Catalyst 6500 Series FWSM, the following options are available:
- Console connection via the Cisco Catalyst 6500 Series Switch using the session slot slot-number processor 1 command
- Open a Telnet/SSH/ASDM session from the workstation PC or server once the proper interfaces and access rules are configured

To log in via console, use the default password cisco. The default privileged (enable) mode password is blank. To enter privileged mode, simply press the Enter key when prompted for a password.

Note: If the Catalyst 6500 Series FWSM is configured with a username/password, consult the instructor.

Connecting to the NAM Service Module
The NAM service module is by default running the NAM application image. To connect to the NAM, the following options are available:
- Console connection via the Cisco Catalyst 6500 Series Switch using the session slot slot-number processor 1 command
- Open a Telnet/SSH session or use a web browser from the workstation PC or server once the proper interfaces and access rules are configured

To log in via the console, use the default username "root" and password "root." The Cisco NAM can also be running a maintenance image. In such cases, the username is "root" and the password is "cisco."

Note: If the NAM is configured with a username/password, consult the instructor.
Connecting to the Desktop PC
The desktop PCs are running Microsoft Windows operating systems. To log in to the PC, use the username "administrator" and the password "cisco."

Connecting to the Microsoft Windows Servers
The servers are running Microsoft Windows 2003 operating systems. To log in to the server, use the username "administrator" and the password "cisco."

Lab 1-1: Deploying and Examining the VSS 1440 Operation
Network operators increase network reliability by configuring switches in redundant pairs and by provisioning links to both switches in the redundant pair. A virtual switching system (VSS) combines a pair of Cisco Catalyst 6500 Series Switches into a single network element. The virtual switching system manages the redundant links, which externally act as a single port channel, the Multichassis EtherChannel (MEC).

Activity Objective
In this activity, you will deploy and monitor VSS and MEC. After completing this activity, you will be able to meet these objectives:
- Convert standalone chassis to VSS mode
- Deploy and verify the Multichassis EtherChannel
- Enhance VSS operation with the BFD dual-active detection mechanism
- Convert chassis operating in VSS mode back to standalone mode
- Examine and verify VSS operation with the appropriate show commands

Visual Objective
The figure illustrates what you will accomplish in this activity.
[Figure: Lab 1-1: Deploying and Examining the VSS 1440 Operation]

IP Addressing
The IP addressing scheme in the following table lists the IP addresses of the PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces and Layer 3 physical interfaces, where P is your pod number.
Pod Addressing
  Device   IP Subnet   Subnet Mask   Device IP                                        Default Gateway   Device VLAN
  PC1      10.P.13.0   /24           10.P.13.25                                       10.P.13.1         13
  Server1  10.P.11.0   /24           10.P.11.10, 10.P.11.20, 10.P.11.30, 10.P.11.40   10.P.11.1         11
  Server3  10.P.21.0   /24           10.P.21.10, 10.P.21.20, 10.P.21.30, 10.P.21.40   10.P.21.1         21

  Device   VLAN   IP Subnet   Subnet Mask   Device IP
  6500-1   11     10.P.11.0   /24           10.P.11.1
  6500-1   13     10.P.13.0   /24           10.P.13.1
  6500-1   21     10.P.21.0   /24           10.P.21.1

Required Resources
These are the resources and equipment required to complete this activity:
- Two (2) Cisco Catalyst 6500 Series Switches
- Two (2) Cisco Catalyst 6500 Series Switch Ethernet modules
- Two (2) Cisco Catalyst 6500 Series Switch Supervisor 720-10G-3C modules, each with one 10G X2 module
- Two (2) Cisco Catalyst 4948 Switches
- One (1) Microsoft Windows XP client
- Two (2) Microsoft Windows 2003 servers

Command List
The table describes the commands that are used in this activity.

Deploying and Examining the VSS 1440 Operation Commands

[no] shutdown
  [Disables] Enables the interface.
[no] switchport
  Sets the interface operational mode to Layer 3 or Layer 2 (switchport).
bfd interval milliseconds min_rx milliseconds multiplier multiplier-value
  Sets the Bidirectional Forwarding Detection (BFD) session parameters on an interface.
channel-group port-channel mode desirable
  Assigns an interface to an EtherChannel group. The desirable option places a port into an active negotiating state in which the port initiates negotiations with other ports by sending PAgP packets.
channel-group port-channel mode on
  Assigns an interface to an EtherChannel group. The on option enables the EtherChannel manually.
channel-protocol pagp
  Sets the EtherChannel protocol to PAgP.
configure replace filename
  Replaces the current running configuration with a saved Cisco IOS configuration file.
copy running-config startup-config
  Saves the running configuration to NVRAM.
dual-active detection bfd
  Enables the BFD dual-active detection method.
dual-active pair interface first-interface interface second-interface bfd
  Configures the dual-active pair of interfaces. The interfaces must be directly connected (a single Layer 3 hop).
interface name
  Enters the interface configuration mode.
interface range list-of-interfaces
  Enters the interface configuration mode for a list of interfaces.
ip address address netmask
  Sets the IP address on a Layer 3 interface.
ping destination
  Performs a ping to the specified destination.
show etherchannel port-channel summary
  Shows the operational state of the configured EtherChannel and the physical interfaces belonging to the EtherChannel.
show interfaces status | include connected
  Shows the interface and protocol status for the connected interfaces only.
show ip interface brief | include Vlan
  Shows the Layer 3 VLAN interface information.
show logging
  Shows the system logging.
show module
  Shows the module information in standalone mode.
show module switch 1|2
  Shows the module information in VSS mode for an individual switch. A VSS can encompass only two Cisco Catalyst 6500 Series Switches.
show platform hardware pfc mode
  Shows the operational mode of the PFC engine.
show power
  Shows the operational mode for the power supplies and the available and remaining power.
show running-config interface interface-type interface-number
  Shows the configuration for an interface.
show switch virtual
  Displays the virtual switch domain number, and the switch number and role for each of the chassis.
show switch virtual dual-active bfd
  Displays information about the dual-active detection configuration and status.
show switch virtual link
  Displays the status of the VSL.
show switch virtual redundancy
  Shows the virtual switch redundancy operational mode.
show switch virtual role
  Displays the role, switch number, and priority for each of the chassis in the virtual switching system.
show version
  Shows the running version of the Cisco IOS operating system.
show vlan
  Shows Layer 2 VLAN information.
switch 1|2
  Configures a chassis as virtual switch number 1 or 2.
switch accept mode virtual
  Copies the VSL link configuration from the standby chassis to the active chassis. Prior to performing the action, the VSS displays the configurations that will be copied and prompts you to proceed or not. Note that the standby chassis must be in hot standby mode for this command to execute successfully.
switch convert mode stand-alone
  Converts a chassis from VSS mode to standalone mode.
switch convert mode virtual
  Converts a chassis to virtual switch mode. After you enter the command, you are prompted to confirm the action. Enter yes. The system creates a converted configuration file and saves the file to the RP bootflash.
switch virtual domain vsd-number
  Configures the virtual switch domain on a chassis.
switch virtual link 1|2
  Associates switch 1 or 2 as owner of the port channel used for the VSL.
switchport mode trunk
  Manually sets the interface mode to trunk.
switchport nonegotiate
  Disables the trunking negotiation on an interface.
switchport trunk encapsulation dot1q
  Sets the trunk encapsulation to 802.1Q.

Task 1: Removing Previous Configurations
Ensure that no previous configuration exists on the switches in your pod and apply the initial configurations to the devices. The initial configuration includes settings for the Layer 2 interfaces used (trunking, access VLAN set, etc.), the VLAN configuration, the Layer 3 VLAN configuration, the correct power scheme, etc. The initial configurations are available on the individual device file system as specified in the following steps.
Activity Procedure
Complete these steps on each switch in your pod:

Step 1  Connect to the 6500-1 switch via console and apply the following:
- Replace the current running configuration with the configuration from file disk0:dcni1_lab11_6500-1 using the configure replace disk0:dcni1_lab11_6500-1 command. When asked to proceed, press Y. You should see output similar to the following printout.

6500-1#configure replace disk0:dcni1_lab11_6500-1
This will apply all necessary additions and deletions
to replace the current running configuration with the
contents of the specified configuration file, which is
assumed to be a complete configuration, not a partial
configuration. Enter Y if you are sure you want to proceed. ? [no]: y
01:13:28: Rollback:Acquired Configuration lock.
Total number of passes: 0
Rollback Done

- Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.

6500-1#show version
Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 01:55 by prod_rel_team

- If the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.

Step 2  Connect to the 6500-2 switch via console and apply the following:
- Replace the current running configuration with the configuration from file disk0:dcni1_lab11_6500-2 using the configure replace disk0:dcni1_lab11_6500-2 command. When asked to proceed, press Y. You should see output similar to the output in the previous step.
- Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
- If the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.
Step 3  Connect to the 4900-1 switch via console and apply the following:
- Replace the current running configuration with the configuration from file bootflash:dcni1_lab11_4900-1 using the configure replace bootflash:dcni1_lab11_4900-1 command. When asked to proceed, press Y. You should see output similar to the output in Step 1.

Step 4  Connect to the 4900-2 switch via console and apply the following:
- Replace the current running configuration with the configuration from file bootflash:dcni1_lab11_4900-2 using the configure replace bootflash:dcni1_lab11_4900-2 command. When asked to proceed, press Y. You should see output similar to the output in Step 1.

Activity Verification
You have completed this task when you attain these results:

Step 1  Verify that the modules in slots 1 (ACE), 4 (NAM), and 6 (IDSM) on switches 6500-1 and 6500-2 are disabled: the power has been administratively denied for these modules. The output of the show module command should be similar to the following printout.

Note: Modules in slots 1 (ACE), 4 (NAM), and 6 (IDSM) are not used in this lab exercise and are powered down in order to make the VSS conversion process faster. The module in slot 2 (FWSM) is powered up in order to demonstrate that VSS-unsupported service modules are powered down during the conversion process.

6500-1#show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    1  Application Control Engine Module      ACE10-6500-K9      SAD103206VA
  2    6  Firewall Module                        WS-SVC-FWM-1       SAD10330978
  3   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL103921K7
  4    8  Network Analysis Module                WS-SVC-NAM-2       SAD104602R1
  5    5  Supervisor Engine 720 10GE (Active)    VS-S720-10G        SAD1151054P
  6    8  Intrusion Detection System             WS-SVC-IDSM-2      SAD104400K5

Mod MAC addresses                       Hw    Fw           Sw            Status
--- ----------------------------------- ----- ------------ ------------- -------
  1  0019.0627.b69c to 0019.0627.b6a3   1.1   Unknown      Unknown       PwrDown
  2  0019.0628.3692 to 0019.0628.3699   4.0   7.2(1)       3.1(6)        Ok
  3  0019.55c4.7a50 to 0019.55c4.7a7f   2.5   12.2(14r)S5  12.2(33)SXH1  Ok
  4  0019.aaf4.6e5c to 0019.aaf4.6e63   4.2   7.2(1)       3.6(1)        PwrDown
  5  001e.4aaa.d558 to 001e.4aaa.d55f   2.0   8.5(2)       12.2(33)SXH1  Ok
  6  0019.5671.6a66 to 0019.5671.6a6d   6.2   Unknown      Unknown       PwrDown

Mod  Sub-Module                   Model              Serial       Hw    Status
---- ---------------------------- ------------------ ------------ ----- -------
  3  Centralized Forwarding Card  WS-F6700-CFC       SAL10360A68  3.0   Ok
  5  Policy Feature Card 3        VS-F6K-PFC3C       SAD115103ND  1.0   Ok
  5  MSFC3 Daughterboard          VS-F6K-MSFC3       SAD115106GD  1.0   Ok

Mod  Online Diag Status
---- -------------------
  1  Not Applicable
  2  Pass
  3  Pass
  4  Not Applicable
  5  Pass
  6  Not Applicable

Step 2  The power redundancy mode used on 6500-1 and 6500-2 should be combined. The output of the show power command should be similar to the following printout.

Note: The combined power redundancy scheme has to be used for the individual switch to be able to power the required modules. An individual power supply is not capable of powering the required modules; thus the redundant power scheme cannot be used.

6500-1#show power
system power redundancy mode = combined
system power total =     1952.16 Watts (46.48 Amps @ 42V)
system power used =      1272.18 Watts (30.29 Amps @ 42V)
system power available = 679.98 Watts (16.19 Amps @ 42V)
                       Power-Capacity PS-Fan Output Oper
PS   Type              Watts   A @42V Status Status State
---- ----------------- ------- ------ ------ ------ -----
1    WS-CAC-3000W      1171.38 27.89  OK     OK     on
2    WS-CAC-3000W      1171.38 27.89  OK     OK     on
                       Pwr-Allocated  Oper
Fan  Type              Watts   A @42V State
---- ----------------- ------- ------ -----
1    WS-C6506-E-FAN    98.70   2.35   OK
                       Pwr-Requested Admin Oper
Slot Card-Type         Watts   A @42V State State
---- ----------------- ------- ------ ----- -------------------
1    ACE10-6500-K9     219.68  5.23   off   off (admin request)
2    WS-SVC-FWM-1      171.78  4.09   on    on
3    WS-X6748-GE-TX    325.50  7.75   on    on
4    WS-SVC-NAM-2      145.74  3.47   off   off (admin request)
5    VS-S720-10G       338.10  8.05   on    on
6    WS-SVC-IDSM-2     338.10  8.05   off   off (admin request)

Step 3  Verify the configuration of the 6500-1 switch.
- The GigabitEthernet3/3, GigabitEthernet3/13, GigabitEthernet3/14, and TenGigabitEthernet5/4 Layer 2 interfaces should be enabled.
- The GigabitEthernet3/13, GigabitEthernet3/14, and TenGigabitEthernet5/4 interfaces should be configured as trunk interfaces.

Note: If any other VLANs are configured on the switch, just ignore them.

- GigabitEthernet3/3 is in access VLAN 13. The output of the show interfaces status | include connected command should be similar to the following printout.

6500-1#show interfaces status | include connected
Gi3/3    PC1          connected  13     a-full  a-100   10/100/1000BaseT
Gi3/13   === 4900-1   connected  trunk  a-full  a-1000  10/100/1000BaseT
Gi3/14   === 4900-2   connected  trunk  a-full  a-1000  10/100/1000BaseT
Te5/4    === 6500-2   connected  trunk  full    10G     10Gbase-LX4

- The VLAN database should include VLANs 11 (Server1), 13 (PC1), 21 (Server3), and 23 (PC6). The output of the show vlan command should be similar to the following printout.

6500-1#show vlan
VLAN Name          Status    Ports
---- ------------- --------- ---------------------
1    default       active    Gi3/46
11   Server1       active
13   PC1           active    Gi3/3
21   Server3       active
23   PC6           active
1002 fddi-default  act/unsup

- The following Layer 3 VLAN interfaces should be enabled:
  - VLAN11 with IP address 10.P.11.1/24
  - VLAN13 with IP address 10.P.13.1/24
  - VLAN21 with IP address 10.P.21.1/24
  - VLAN23 with IP address 10.P.23.1/24
  The output of the show ip interface brief | include Vlan command should be similar to the following printout.

6500-1#show ip interface brief | include Vlan
Vlan1        unassigned   YES NVRAM   administratively down down
Vlan11       10.4.11.1    YES NVRAM   up                    up
Vlan13       10.4.13.1    YES NVRAM   up                    up
Vlan21       10.4.21.1    YES manual  up                    up
Vlan23       10.4.23.1    YES manual  up                    up

Note: The printout was taken from pod 4.

Step 4  On the 6500-1 switch, verify that you have connectivity to the following:
- PC1 at 10.P.13.25 (where P is your pod number)
- Server1 at 10.P.11.10 (where P is your pod number)
- Server3 at 10.P.21.10 (where P is your pod number)

You should see results similar to the following printouts.

Note: The following printouts show the results of a ping conducted on pod 4.

6500-1#ping 10.4.13.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
6500-1#ping 10.4.11.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.11.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
6500-1#ping 10.4.21.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.21.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Task 2: Converting Standalone Chassis to VSS Mode
In this task you will convert the standalone Cisco Catalyst 6500 Series Switch chassis 6500-1 and 6500-2 to VSS mode. The conversion process includes two major steps:
- Applying the Virtual Switch Domain ID and Virtual Switch ID, configuring the Virtual Switch Link (VSL), and verifying the PFC3 operational mode
- Starting the conversion process

Activity Procedure
Complete these steps:

Step 1  Save the running configurations of the Cisco Catalyst 6500 Series Switches 6500-1 and 6500-2 to NVRAM.

Step 2  From the configuration mode, assign the 6500-1 switch to a Virtual Switch Domain (VSD). Use number 10 for the domain number. Set the switch to be the first switch in the newly created VSD.

Step 3  Create a port channel interface 1 on 6500-1 and set the switch core number to the switch VSD number 1. Leave the port channel settings at their default values (the port channel protocol and mode of operation).
Step 4  Manually add the interface TenGigabitEthernet5/4 on 6500-1 to port channel group 1, set the interface mode to Layer 3 (no switchport), and enable the PortChannel 1 interface.

Step 5  From the configuration mode, assign the 6500-2 switch to a VSD. Use the same domain number as for 6500-1. Set the switch to be the second switch in the newly created VSD.

Step 6  Create a port channel interface 2 on 6500-2 and set the switch core number to the switch VSD number 2. Leave the port channel settings at their default values (the port channel protocol and mode of operation).

Step 7  Manually add the interface TenGigabitEthernet5/4 on 6500-2 to port channel group 2, set the interface mode to Layer 3 (no switchport), and enable the PortChannel 2 interface.

Activity Verification
You have completed this task when you attain these results:

Step 1  The PFC3 operational mode on the switches that will be converted to VSS mode must be the same. Verify that the PFC3 operational mode on 6500-1 and 6500-2 is PFC3C. The outputs should be similar to the following printouts.

6500-1#show platform hardware pfc mode
PFC operating mode : PFC3C
6500-2#show platform hardware pfc mode
PFC operating mode : PFC3C

Step 2  Start the VSS mode conversion process on 6500-1 first to ensure it takes the active role in the VSS.

Note: If asked to confirm the filename for the saved running configuration upon conversion, just press the Enter key.

Step 3  Observe the output, which should be similar to the following printout:
- The VSS configuration is detected. The TenGigabitEthernet5/4 is detected to be in the port channel that is dedicated for the VSL.
- Modules that are currently unsupported by the VSS functionality (namely, in your case, the FWSM) are powered down during the conversion process.
= Since 6500-1 boots before 6500-2 is converted, the VSL link is brought down ‘and the supervisor on 6500-2 is the active supervisor in the VSS domain, Note When converting the switch to the VSS mode, proceed with the 6500-1 switch and wait for ‘the switch to reload and finish the conversion process. Then, proceed with the conversion process on the 6500-2 switch. If you start the conversions at the same time, the switch that finishes the boot process first will become the active switch, 6500-1#ewitch convert mode virtual ‘This’ command wilt convert al1/interface names to naming convention "interface-type switch-nukbet/slot/port* save the running config to startup-config and reload the switcn. Do you want to proceed?! [yes/no] Py Converting interface names BuLlding configuration, oR} Saving converted configuration to Best eiaeh ty Destination filename (startup-config.converted_vé-20080508052053)? 5906 bytes copied in 0.436 secs (13546 bytes/sec) 3do2h: ¥S¥S-SP-3-LOGGER_PLUSHING: System pausing to ensure conscle debugging output 3402h: $OIR-SP-6-CONSOLE: Changing console ownership to awitch processor 3402h: $SYS-SP-3-LOGGER_FLUSHED: console debugging output system was paused for 0: 0:00 to ensure 3002h: $SPAN-SP-6-SPAN_EGRESS REPLICATION MODE_CHANGE: Span Egress HW Replication Mode Change Detected. Current replication mode for user seesion 1 is Dis tributed 3d02h: $SPAN-SP-6-SPAN_EGRESS_REPLICATION MODE CHANGE: Span Egress HM Replication Node change Detected. Current replication mode for unused asic is Distributed ado2h: SP: The FC in slot 2 is shutting down. Please wait . 3d02h: $SYS-SP-3-LOGGER FLUSHING: System pausing to ensure console debugging output SHUTDOWN NOW — 3d02h: $SY8-SP-5-RELOAD: Reload requested 32d02h: 40IR-SP-6-CONSOLE: Changing console ownership to ewitch processor +4 Implementing Cisco Data Center Network Infrastructure 1 (OGNI-1) v2.0 (© 2008 Cisco Systems, Inc. 3d0zh: $SYS-SP-3-LOGGER_FLUSHED: System was paused for 0} console debugging output. 
)0 co ensure system Bootstrap, Version 8.5(2) Copyright (c) 1994-2007 by cisco Systems, Inc caték-Sup720/SP processor with 1048576 Kbytes of main menory Autoboot executing command: "boot bootdisk: /s72033-ipservicesk9_wan-mz.122~ 33, SKH1.bin" Loading image, please wait Initializing ATA monitor library Self extracting the image... [0K] Self decompressing the image : AueneuannHenenenHIONRHARHUNHHRNDERHRERHNER EH OHERINANNRAHUNUNRHARHRMRERNEHOOE dnenonennnananenenenEaaeunsEnRaBRRHAERERERER HUSUOHEERNEERNEHENUHEHRABREMEAEHEEHE [OK] Restricted Rights Legend Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at PAR eec, 52.227-19 and subparagraph {c) (2) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013 cisco Systems, Inc. 170 West Tasman Drive San Jose, California 95134-1706 Checo 10s software, #72033_sp Software (s72033_: 12.2(33)SKH1, RELEASE SOFTWARE (£c3) ‘Technical Support: http: //www.cisco.com/techsupport. Copyright (c) 1986-2008 by Cisco Systems, Inc. Compiled Thu 17-Jan-08 02:10 by prod_rel team Image text-base: 0x40102328, data-base: 0x41C29670 .p-TPSERVICESK9_NAN-M), Version syaten detected virtual Switch contiguration /) Interface TenGigabitethernet 1/5/4 is member of PortChannel 1 00:00:04 output. 'SYS-3-LOGGER_PLUSHING: System pausing to ensure console debugging Firmware compiled 19-Dec-07 10:56 by integ Build [100] Barl Card Index= 259 0 16: SPPREDUN-6-ACTIVE: Initializing as ACTIVE processor for this switch Initializing as Virtual switch ACTIVE processor 00:01: output. 4; NSYS-2-LOGGER FLUSHING: system pausing to ensure console debugging 00:00:07: $S¥S-3-LOGGER_PLUSHED: system was paused for 00:00:00 to ensure console debugging output. 0000122" WEL BRINGUP=6-MoDULE UP! VS RodULe) in s16t”S switeh/Y brought “up {© 2008 Cisco Systems, Inc. 
Lab Gude 15 00:01441 8VSLP-S-RRP_PRER TIMEOUT VSLP peer! tiner expired without” detecting peer. Resolving role as Active 00:01:44; $VSLP-2-VSL_DOWN: VSL Links down anid not ready" for” any trattic 00:01:44: ¥OIR-6-CONSOLE: Changing console ownership to route processor System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc) Technical Support: http://www.cisco.com/techsupport Copyright (c) 2006 by cisco systems, Inc. Cat6k-Sup?20/RP platform with 1048576 Kbytes of main menory Download Start PEE POCO CeCe ee PEC PEC EEO ESO PICO POCO ee Heiinniea PEC POE eee eee POUCA eee PEC UEEC Eee POCUETEEO LEE EEeE Download Completed! Booting the image Self deconpressing the image HHHRRRGEHRREEHOHAMRHRUREAEARHNHRNRNEHEHEHRHRERMEHRHNHRRMRHRUEEEEEREREREE arr SHRP EROEHRANRAHHHERHAMRHRORORHHHRARHRHEMEEEERESHEHERRHNRESRBRURUEMRNHREHERNE HUERERERHRSHERORAEERERER UREA EREHERERRRREHEH (OK) i ' Restricted Rights Legend Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (44) of the Rights in Technical Data and Computer Software clause at DPARS sec. 252.227-7013. cisco systems, Inc 170 West Tasman Drive San Jose, California 95134-1706 Cisco 108 Software, 872033_rp Software (972033_rp-IPSERVICESKS_WAN-M), Version 12.2(33)SXH1, RELEASE SOPTWARE (£03) ‘Technical Support: http: //wew.cieco.com/techsupport Copyright (c) 1986-2008 by Cisco systems, Inc, Compiled Thu 17-Jan-08 01:55 by prod_rel team Image text-base: 0x40101328, data-base: 0x42B74130 ‘This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. 
Inporters, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations, If you are unable to comply with U.S. and local laws, return thie product innediately. A summary of U.8. laws governing Cisco cryptographic products may be found at hetp: //wew.cisco, com/ wl /export /crypto/tool/starg.html Implementing Cisco Data Center Network Infasiucture 1 (DENI) v2.0 {© 2008 Cisco Systems, Inc. € @eeedgeé € € @@eese é € c wy IE you require further assistance ple: exportecisco.com. contact us by sending email to ciaco WS-C6506-E (R700) processor (revision 1.1) with 963008K/65526K bytes of memory Processor board 1D SALi023R121 §R71000 CPU at G00Mh2, Implementation 0x504, Rev 1.2, 512KB L2 Cache Last reset trom s/w reset 1 Virtual Ethernet interface 73 Gigabit Ethernet interfaces 3 Ten Gigabit Ethernet interfaces 1917K bytes of non-volatile configuration memory. 192K bytes of packet buffer memory. 65536K bytes of Flash internal SIM (Sector size 512K). Press RETURN to get started! 00:03:05: curr is oxo 00:03:05: RP: Currently running ROMMON from $ (Gold) region 00:03:12: ¥SYS-S-CONFIG_I: Configured from memory by console 00:03:16: ¥SYS-S-RESTART: System restarted -- Cisco 10S Software, 972033_rp Software (872033_rp-IPSERVICESKS_WAN-M), Version 12.2(33)SKH1, RELEASE SOFTWARE (fc3) ‘Technical Support: http: //www.cisco.com/techsupport copyright (c) 1986-2008 by Cisco systems, Inc. Compiled Thu 17-Jan-08 01:55 by prod_rel_team Firmware compiled 19-Dec-07 10:56 by integ Build [100] Earl Card Index= 259 00:00:06: ¥PFREDUN-6-ACTIVE: Initializing as ACTIVE processor for this switch 00:00:07: ¥S¥S-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output. 00/00/12" $VSUBRINGUP=€- NODULE UPH" Vet! RedUIe Hn’ BIOE S SWitCH a broughE up 00;01:44; SVSLB-S-RRP_PEER TIMEOUT: VSLP peer timer expired without detecting peer. 
Resolving role as Active
00:01:44: %VSLP-2-VSL_DOWN: VSL links down and not ready for any traffic
00:01:44: %OIR-6-CONSOLE: Changing console ownership to route processor
00:03:17: c6k_pwr_is_fantray_ok returns ok for fan_index 1
00:03:17: c6k_pwr_is_fantray_ok returns ok for fan_index 3
00:01:45: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
00:03:00: SW1_SP: SP: Currently running ROMMON from S (Gold) region
00:03:15: %OIR-SW1_SP-6-INSPS: Power supply inserted in slot 1
00:03:15: %C6KPWR-SW1_SP-4-PSOK: power supply 1 turned on.
00:03:15: %OIR-SW1_SP-6-INSPS: Power supply inserted in slot 2
00:03:15: %C6KPWR-SW1_SP-4-PSOK: power supply 2 turned on.
00:03:16: %SYS-SW1_SP-5-RESTART: System restarted --
Cisco IOS Software, s72033_sp Software (s72033_sp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 02:10 by prod_rel_team
00:03:16: %SYS-SW1_SP-6-BOOTTIME: Time taken to reboot after reload = 262 seconds
00:03:17: %C6KPWR-SW1_SP-4-DISABLED: power to module in slot 6 set off (admin request)
00:03:18: %FABRIC-SW1_SP-5-CLEAR_BLOCK: Clear block option is off for the fabric in slot 5.
00:03:18: %FABRIC-SW1_SP-5-FABRIC_MODULE_ACTIVE: The Switch Fabric Module in slot 5 became active
00:03:19: %C6KPWR-SW1_SP-4-DISABLED: power to module in slot 1 set off (admin request)
00:03:19: %C6KPWR-SW1_SP-4-UNSUPPORTED: unsupported module in slot 2, power not allowed: Unsupported module in Virtual Switch system.
00:03:19: SW1_SP: Remote Switch 1 Physical Slot 5 - Module Type LINE_CARD inserted
00:03:20: SW1_SP: Remote Switch 1 Physical Slot 6 - Module Type LINE_CARD inserted
00:03:20: %C6KPWR-SW1_SP-4-DISABLED: power to module in slot 4 set off (admin request)
00:03:20: %DIAG-SW1_SP-6-RUN_MINIMUM: Switch 1 Module 5: Running Minimal Diagnostics...
00:03:21: SW1_SP: Remote Switch 1 Physical Slot 1 - Module Type LINE_CARD inserted
00:03:21: SW1_SP: Remote Switch 1 Physical Slot 2 - Module Type LINE_CARD inserted
00:03:21: SW1_SP: Remote Switch 1 Physical Slot 4 - Module Type LINE_CARD inserted
00:03:21: SW1_SP: Remote Switch 1 Physical Slot 3 - Module Type LINE_CARD inserted
00:03:43: %DIAG-SW1_SP-6-DIAG_OK: Switch 1 Module 5: Passed Online Diagnostics
00:03:43: %OIR-SW1_SP-6-INSCARD: Card inserted in slot 5, interfaces are now online
00:03:45: SW1_SP: Card inserted in Switch_number = 1, physical slot 5, interfaces are now online
00:00:02: DaughterBoard (Centralized Forwarding Card)
Firmware compiled 19-Dec-07 10:56 by integ Build [100]
00:00:05: %SYS-CFC3-5-RESTART: System restarted --
Cisco IOS Software, c6lc2 Software (c6lc2-SP-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 01:55 by prod_rel_team
May  5 05:27:01.499: CFC3: Currently running ROMMON from S (Gold) region
00:04:13: %DIAG-SW1_SP-6-RUN_MINIMUM: Switch 1 Module 3: Running Minimal Diagnostics...
00:04:28: %DIAG-SW1_SP-6-DIAG_OK: Switch 1 Module 3: Passed Online Diagnostics
00:04:28: %OIR-SW1_SP-6-INSCARD: Card inserted in slot 3, interfaces are now online
00:04:33: SW1_SP: Card inserted in Switch_number = 1, physical slot 3, interfaces are now online

Step 4 Start the VSS mode conversion process on 6500-2 and observe the output, which should be similar to the following printout.

Note If asked to confirm the filename for the saved running configuration, just press the Enter key.

Step 5 Observe the outputs on 6500-2 and 6500-1, which should be similar to the following printouts:
■ The VSS configuration is detected.
■ TenGigabitEthernet5/4 is detected to be in a port channel that is dedicated to the VSL.
■ Modules that are currently unsupported by the VSS functionality (in your case the FWSM) are powered down during the conversion process.
■ Since 6500-1 booted before 6500-2 was converted, 6500-2 becomes the VSS standby chassis.
■ Now that both chassis are part of the VSS, the VSL link is brought up.
■ Console access to 6500-2 is disabled because of its standby VSS role.
■ The hostname of 6500-2 changes to 6500-1-sdby.
■ The power supply operational mode was changed to redundant during the conversion process. In the output on 6500-1 you should see that module 4 in switch 2 (the NAM) had to be powered off because of insufficient power.
■ Note that in the output on 6500-1 the final step of the conversion process is also indicated: the command switch accept mode virtual, which merges the configuration from 6500-2 into the VSS.

Note If asked to confirm the filename for the saved running configuration, just press the Enter key.

6500-2#switch convert mode virtual

This command will convert all interface names to naming convention "interface-type switch-number/slot/port", save the running config to startup-config and reload the switch.
Do you want to proceed? [yes/no]: y
Converting interface names
Building configuration...
[OK]
Saving converted configuration to bootflash: ...
Destination filename [startup-config.converted_vs-20080505-063025]?
5590 bytes copied in 0.436 secs (12821 bytes/sec)
3d03h: %SYS-SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
3d03h: %OIR-SP-6-CONSOLE: Changing console ownership to switch processor
3d03h: %SYS-SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
3d03h: %SPAN-SP-6-SPAN_EGRESS_REPLICATION_MODE_CHANGE: Span Egress HW Replication Mode Change Detected. Current replication mode for user session 1 is Distributed
3d03h: %SPAN-SP-6-SPAN_EGRESS_REPLICATION_MODE_CHANGE: Span Egress HW Replication Mode Change Detected.
Current replication mode for unused asic session 1 is Distributed
3d03h: SP: The PC in slot 2 is shutting down. Please wait ...
3d03h: %SYS-SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.

--- SHUTDOWN NOW ---

3d03h: %SYS-SP-5-RELOAD: Reload requested
3d03h: %OIR-SP-6-CONSOLE: Changing console ownership to switch processor
3d03h: %SYS-SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.

System Bootstrap, Version 8.5(2)
Copyright (c) 1994-2007 by cisco Systems, Inc.
Cat6k-Sup720/SP processor with 1048576 Kbytes of main memory

Autoboot executing command: "boot bootdisk:/s72033-ipservicesk9_wan-mz.122-33.SXH1.bin"
Loading image, please wait ...
Initializing ATA monitor library...
Self extracting the image ... [OK]
Self decompressing the image :
###################################################################### [OK]

Restricted Rights Legend

Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS Software, s72033_sp Software (s72033_sp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 02:10 by prod_rel_team
Image text-base: 0x40101328, data-base: 0x41C27360

System detected Virtual
Switch configuration...
Interface TenGigabitEthernet 2/5/4 is member of PortChannel 2
00:00:06: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
Firmware compiled 19-Dec-07 10:56 by integ Build [100]
Earl Card Index= 259
00:00:06: %PFREDUN-6-ACTIVE: Initializing as ACTIVE processor for this switch
Initializing as Virtual Switch STANDBY processor
00:00:45: %SYS-SW2_SPSTBY-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
00:00:07: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
00:00:12: %VSL_BRINGUP-6-MODULE_UP: VSL module in slot 5 switch 2 brought up
00:00:40: %VSLP-5-VSL_UP: Ready for Role Resolution with Switch=1, MAC=0017.dfd0.2400 over 5/4
00:00:43: %VSLP-5-RRP_ROLE_RESOLVED: Role resolved as STANDBY by VSLP
00:00:43: %VSL-5-VSL_CNTRL_LINK: New VSL Control Link 5/4
00:00:43: %VSLP-5-VSL_UP: Ready for control traffic
00:00:45: %OIR-SW2_SPSTBY-6-CONSOLE: Changing console ownership to route processor

System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
Cat6k-Sup720/RP platform with 1048576 Kbytes of main memory

Download Start
######################################################################
Download Completed! Booting the image.
Self decompressing the image :
###################################################################### [OK]

Restricted Rights Legend

Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 01:55 by prod_rel_team
Image text-base: 0x40101328, data-base: 0x42870CF0

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at: http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export@cisco.com.
cisco WS-C6506-E (R7000) processor (revision 1.1) with 983008K/65536K bytes of memory.
Processor board ID SAL1023R110
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from s/w reset
1 Virtual Ethernet interface
146 Gigabit Ethernet interfaces
6 Ten Gigabit Ethernet interfaces
1917K bytes of non-volatile configuration memory.
192K bytes of packet buffer memory.
65536K bytes of Flash internal SIMM (Sector size 512K).

% This interface cannot be modified
switchport
% Invalid input detected at '^' marker.
shutdown
% Incomplete command.
no cdp enable
% Invalid input detected at '^' marker.
slot 17 slot 1 slot-type 207 port-type 106 number 1 virtual
% Invalid input detected at '^' marker.
slot 33 slot 1 slot-type 207 port-type 106 number 1 virtual
% Invalid input detected at '^' marker.

Press RETURN to get started!

00:02:02: curr is 0x0
00:02:02: RP: Currently running ROMMON from S (Gold) region
00:02:47: c6k_pwr_is_fantray_ok returns ok for fan_index 5
00:02:52: %SYS-5-RESTART: System restarted --
Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 01:55 by prod_rel_team

6500-1-sdby>
Standby console disabled

Note The rest of the output (regarding the modules, VSL link initialization, etc.) is shown on 6500-1, which is the VSS active chassis. You can see the output by looking at the console or by issuing the show logging command.

%VSLP-SW1_SP-5-VSL_UP: Ready for Role Resolution with Switch=2, MAC=0017.dfd0.3800 over Te1/5/4
%VSLP-SW1_SP-5-RRP_ROLE_RESOLVED: Role resolved as ACTIVE by VSLP
%VSL-SW1_SP-5-VSL_CNTRL_LINK: New VSL Control Link Te1/5/4
%VSLP-SW1_SP-5-VSL_UP: Ready for control traffic
01:11:18: %VS_MERGE-6-STDBY_CFG_MERGE:
Use exec command 'switch accept mode virtual' to merge standby VSL configuration.
01:11:15: %PFREDUN-SW1_SP-6-ACTIVE: Standby initializing for SSO mode
01:11:18: %PFINIT-SW1_SP-5-CONFIG_SYNC: Sync'ing the startup configuration to the standby Router.
01:11:47: SW1_SP: Remote Switch 2 Physical Slot 5 - Module Type LINE_CARD inserted
01:12:05: SW1_SP: Card inserted in Switch_number = 2, physical slot 5, interfaces are now online
Firmware compiled 19-Dec-07 10:56 by integ Build [100]
Earl Card Index= 259
00:00:06: %PFREDUN-6-ACTIVE: Initializing as ACTIVE processor for this switch
00:00:07: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
00:00:12: %VSL_BRINGUP-6-MODULE_UP: VSL module in slot 5 switch 2 brought up
00:00:40: %VSLP-5-VSL_UP: Ready for Role Resolution with Switch=1, MAC=0017.dfd0.2400 over 5/4
00:00:43: %VSLP-5-RRP_ROLE_RESOLVED: Role resolved as STANDBY by VSLP
00:00:43: %VSL-5-VSL_CNTRL_LINK: New VSL Control Link 5/4
00:00:43: %VSLP-5-VSL_UP: Ready for control traffic
00:00:45: %OIR-SW2_SPSTBY-6-CONSOLE: Changing console ownership to route processor
00:00:46: %SYS-SW2_SPSTBY-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
00:01:47: SW2_SPSTBY: Bring up standby supervisor as a DFC
00:01:47: %PFREDUN-SW2_SPSTBY-6-STANDBY: Initializing for SSO mode
00:02:11: SW2_SPSTBY: SP: Currently running ROMMON from S (Gold) region
00:02:16: %C6KPWR-SW2_SPSTBY-4-PSOK: power supply 1 turned on.
00:02:16: %C6KPWR-SW2_SPSTBY-4-PSOK: power supply 2 turned on.
00:02:18: %FABRIC-SW2_SPSTBY-5-CLEAR_BLOCK: Clear block option is off for the fabric in slot 5.
00:02:18: %FABRIC-SW2_SPSTBY-5-FABRIC_MODULE_ACTIVE: The Switch Fabric Module in slot 5 became active
00:02:19: %DIAG-SW2_SPSTBY-6-RUN_MINIMUM: Switch 2 Module 5: Running Minimal Diagnostics...
00:02:20: %CONST_DIAG-SW2_SPSTBY-6-DIAG_PORT_SK IPPED: Module 5 port 4 is skipped in TestLoopback due to: the port is used as a VSL link.
00:02:24: %CONST_DIAG-SW2_SPSTBY-6-DIAG_PORT_SKIPPED: Module 5 port 4 is skipped in TestChannel due to: the port is used as a VSL link.
00:02:34: %DIAG-SW2_SPSTBY-6-DIAG_OK: Switch 2 Module 5: Passed Online Diagnostics
00:02:37: %C6KPWR-SW2_SPSTBY-4-PSREDUNDANTMODE: power supplies set to redundant mode.
00:02:37: %C6KPWR-SW2_SPSTBY-4-PSREDUNDANTBOTHSUPPLY: in power-redundancy mode, system is operating on both power supplies.
00:02:52: %SYS-SW2_SPSTBY-5-RESTART: System restarted --
Cisco IOS Software, s72033_sp Software (s72033_sp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 02:10 by prod_rel_team
00:02:52: %PFREDUN-SW2_SPSTBY-5-STANDBY: Ready for SSO mode
01:12:22: SW1_SP: Remote Switch 2 Physical Slot 1 - Module Type LINE_CARD inserted
01:12:23: SW1_SP: Remote Switch 2 Physical Slot 2 - Module Type LINE_CARD inserted
00:02:53: %C6KPWR-SW2_SPSTBY-4-UNSUPPORTED: unsupported module in slot 1, power not allowed: Unsupported module in Virtual Switch system.
00:02:53: %C6KPWR-SW2_SPSTBY-4-UNSUPPORTED: unsupported module in slot 2, power not allowed: Unsupported module in Virtual Switch system.
00:02:55: %C6KPWR-SW2_SPSTBY-4-POWERDENIED: insufficient power, module in slot 4 power denied.
00:02:56: %C6KPWR-SW2_SPSTBY-4-UNSUPPORTED: unsupported module in slot 6, power not allowed: Unsupported module in Virtual Switch system.
00:02:56: %SYS-SW2_SPSTBY-6-BOOTTIME: Time taken to reboot after reload = 235 seconds
01:12:24: SW1_SP: Remote Switch 2 Physical Slot 4 - Module Type LINE_CARD inserted
01:12:24: SW1_SP: Remote Switch 2 Physical Slot 3 - Module Type LINE_CARD inserted
01:12:24: SW1_SP: Remote Switch 2 Physical Slot 6 - Module Type LINE_CARD inserted
00:02:57: %SYS-SW2_SPSTBY-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
00:03:15: %C6KPWR-SW2_SPSTBY-4-COULDNOTREPOWER: wanted to re-power FRU (slot 4) but could not.
00:00:02: DaughterBoard (Centralized Forwarding Card)
Firmware compiled 19-Dec-07 10:56 by integ Build [100]
00:00:05: %SYS-CFC3-5-RESTART: System restarted --
Cisco IOS Software, c6lc2 Software (c6lc2-SP-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 01:55 by prod_rel_team
May  5 06:36:03.264: CFC3: Currently running ROMMON from S (Gold) region
00:03:46: %DIAG-SW2_SPSTBY-6-RUN_MINIMUM: Switch 2 Module 3: Running Minimal Diagnostics...
00:04:02: %DIAG-SW2_SPSTBY-6-DIAG_OK: Switch 2 Module 3: Passed Online Diagnostics
01:13:33: SW1_SP: Card inserted in Switch_number = 2, physical slot 3, interfaces are now online

Step 6 Accept the standby virtual switch VSL-related configuration: the command merges the port channel and VSS configuration. This is a one-time task and is necessary only for a first-time conversion. Note that in your case the information regarding the power supply operational mode was also merged.

6500-1#switch accept mode virtual

power redundancy-mode combined switch 2
no power enable switch 2 module 1
no power enable switch 2 module 4
no power enable switch 2 module 6
interface Port-channel2
 switch virtual link 2
 no shutdown
interface TenGigabitEthernet2/5/4
 channel-group 2 mode on
 no shutdown

This command will populate the above VSL configuration from the standby switch into the running configuration. The startup configuration will also be updated with the new merged configuration if merging is successful. Do you want to proceed?
[yes/no]: y
Merging the standby VSL configuration...
% module is already disabled and not yet enabled
%Power admin state updated
%Power admin state updated
% module is already disabled and not yet enabled
%Power admin state updated
00:18:10: %C6KPWR-SW2_SPSTBY-4-PSCOMBINEDMODE: power supplies set to combined mode.
00:18:10: SW2_SPSTBY: The PC in slot 4 is shutting down. Please wait ...
00:18:10: %SCHED-SW2_SPSTBY-7-WATCH: Attempt to monitor uninitialized watched bitfield (address 0). -Process= "Shutdown", ipl= 0, pid= 414 -Traceback= 4079B26C 4102270 407523AC 40752398
Building configuration...
01:27:46: %VSLP-SW1_SP-5-VSL_UP: Ready for data traffic
%PFINIT-SW1_SP-5-CONFIG_SYNC: Sync'ing the startup configuration to the standby Router.
[OK]

Step 7 Examine the configuration for the TenGigabitEthernet1/5/4, TenGigabitEthernet2/5/4, Port-channel1, and Port-channel2 interfaces. The result of the configuration merge is the valid configuration of the interfaces mentioned.

6500-1#show running-config interface TenGigabitEthernet1/5/4
Building configuration...

Current configuration : 115 bytes
!
interface TenGigabitEthernet1/5/4
 no switchport
 no ip address
 mls qos trust cos
 channel-group 1 mode on
end

6500-1#show running-config interface TenGigabitEthernet2/5/4
Building configuration...

Current configuration : 115 bytes
!
interface TenGigabitEthernet2/5/4
 no switchport
 no ip address
 mls qos trust cos
 channel-group 2 mode on
end

6500-1#show running-config interface Port-channel1
Building configuration...

Current configuration : 135 bytes
!
interface Port-channel1
 no switchport
 no ip address
 switch virtual link 1
 mls qos trust cos
 no mls qos channel-consistency
end

6500-1#show running-config interface Port-channel2
Building configuration...

Current configuration : 135 bytes
!
interface Port-channel2
 no switchport
 no ip address
 switch virtual link 2
 mls qos trust cos
 no mls qos channel-consistency
end

Step 8 Examine the newly created VSS using the show switch virtual command on the 6500-1 switch. The local switch (6500-1) is the active one with switch number 1, and the peer switch (6500-2) is the standby switch with switch number 2. The output should be similar to the following printout.

6500-1#show switch virtual
Switch mode                  : Virtual Switch
Virtual switch domain number : 10
Local switch number          : 1
Local switch operational role: Virtual Switch Active
Peer switch number           : 2
Peer switch operational role : Virtual Switch Standby

Step 9 Next, examine the status of the Virtual Switch Link (VSL) on 6500-1 using the show switch virtual link command. You should see that the VSL is operational and that the control link of the VSL is interface TenGigabitEthernet5/4 (which, by the way, is the only interface used for connectivity between the chassis). The output should be similar to the following printout.

6500-1#show switch virtual link
VSL Status       :
VSL Uptime       :
VSL SCP Ping     :
VSL ICC Ping     : Pass
VSL Control Link : Te1/5/4

Step 10 Verify the VSS operational parameters for the participating chassis with the show switch virtual role command. The status for both chassis should be UP, with preemption not enabled on either chassis and the priority set to the default value of 100. Note also that currently no dual-active detection mechanism is deployed. The output should be similar to the following printout.

6500-1#show switch virtual role
Switch Switch Status Preempt       Priority    Role     Session ID
       Number        Oper(Conf)    Oper(Conf)           Local  Remote
------------------------------------------------------------------
LOCAL  1      UP     FALSE(N)      100(100)    ACTIVE   0      0
REMOTE 2      UP     FALSE(N)      100(100)    STANDBY  2183   6871

In dual-active recovery mode: No

Step 11 Verify that the operational redundancy of the VSS domain is SSO. The switches would revert to RPR mode if the Cisco IOS versions on the chassis that are part of the VSS differed. Notice that for the active chassis both the control and data planes are active, whereas for the standby chassis only the data plane is active while the control plane is in standby mode. The output should be similar to the following printout.

6500-1#show switch virtual redundancy
                  My Switch Id = 1
                Peer Switch Id = 2
        Last switchover reason =
    Configured Redundancy Mode = sso
     Operating Redundancy Mode = sso

Switch 1 Slot 5 Processor Information :
-----------------------------------------------
        Current Software state = ACTIVE
       Uptime in current state = 30 minutes
                 Image Version = Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Sun 19-Aug-07 07:38 by prod_rel_team
                          BOOT =
                   CONFIG_FILE =
                       BOOTLDR =
        Configuration register = 0x2102
                  Fabric State = ACTIVE
           Control Plane State = ACTIVE

Switch 2 Slot 5 Processor Information :
-----------------------------------------------
        Current Software state = STANDBY HOT (switchover target)
       Uptime in current state = 17 minutes
                 Image Version = Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Sun 19-Aug-07 07:38 by prod_rel_team
                          BOOT =
                   CONFIG_FILE =
                       BOOTLDR =
        Configuration register = 0x2102
                  Fabric State = ACTIVE
           Control Plane State = STANDBY

Step 12 Examine the module status information for the second chassis (6500-2).
Notice that the modules the VSS currently does not support (in your case the FWSM, since the other modules are already administratively powered down) are powered down.

6500-1#show module switch 2
Switch Number:     2   Role:   Virtual Switch Standby
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    1  Application Control Engine Module      ACE10-6500-K9      SAD102905XP
  2    6  Firewall Module                        WS-SVC-FWM-1       SAD10350179
  3   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     SAL0403VD
  4    8  Network Analysis Module                WS-SVC-NAM-2       SAD104602E
  5    5  Supervisor Engine 720 10GE (Hot)       VS-S720-10G        SAD11510527
  6    8  Intrusion Detection System             WS-SVC-IDSM-2      SAD104400H5

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ----------------------------------- ----- ------------ ------------ -------
  1  000a.b871.19b6 to 000a.b871.19ba         Unknown      Unknown      PwrDown
  2  0018.ba41.4b86 to 0018.ba41.4b8d   4.0   Unknown      Unknown      PwrDown
  3  0019.2fc8.1110 to 0019.2fc8.113f   2.5   12.2(14r)S5  12.2(33)SXH1 Ok
  4  0019.aacc.91c6 to 0019.aacc.91cd   4.2   Unknown      Unknown      PwrDown
  5  001e.4aaa.d5d0 to 001e.4aaa.d5d7   2.0   8.5(2)       12.2(33)SXH1 Ok
  6  0019.5671.6a16 to 0019.5671.6a1d   6.2   Unknown      Unknown      PwrDown
<output omitted>

Step 13 Verify that you have connectivity between PC1, Server1, and Server3 by issuing a ping from PC1 to Server1 and to Server3. Note that upon conversion to VSS mode the configuration for interfaces GigabitEthernet3/13 and GigabitEthernet3/14 on 6500-2 was not copied to 6500-1.

C:\Documents and Settings\Administrator>ping 10.4.11.10

Pinging 10.4.11.10 with 32 bytes of data:

Reply from 10.4.11.10: bytes=32 time=3ms TTL=127
Reply from 10.4.11.10: bytes=32 time<1ms TTL=127
Reply from 10.4.11.10: bytes=32 time<1ms TTL=127
Reply from 10.4.11.10: bytes=32 time<1ms TTL=127

Ping statistics for 10.4.11.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 3ms, Average = 0ms

C:\Documents and Settings\Administrator>ping 10.4.21.10

Pinging 10.4.21.10 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.4.21.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Step 14 Set the configuration for interfaces GigabitEthernet2/3/13 and GigabitEthernet2/3/14 as follows:
■ Set the operational mode to Layer 2 (switchport).
■ Set the trunking encapsulation to 802.1Q.
■ Manually enable trunking.
■ Disable negotiation on the interfaces.
■ Enable the interfaces.

Step 15 Verify again that you have connectivity between PC1 and Server3 by issuing the ping command. This time the ping succeeds.

C:\Documents and Settings\Administrator>ping 10.4.21.10

Pinging 10.4.21.10 with 32 bytes of data:

Reply from 10.4.21.10: bytes=32 time<1ms TTL=127
Reply from 10.4.21.10: bytes=32 time<1ms TTL=127
Reply from 10.4.21.10: bytes=32 time<1ms TTL=127
Reply from 10.4.21.10: bytes=32 time<1ms TTL=127

Ping statistics for 10.4.21.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Task 3: Deploying Multichassis EtherChannel

In this task you will deploy, verify, and test the Multichassis EtherChannel (MEC) between the newly created VSS, 4900-1, and 4900-2 switches.

Activity Procedure

Complete these steps:

Step 1 Create a port channel 10 interface on 4900-1 using the following information:
■ Add the interfaces GigabitEthernet1/13 and GigabitEthernet1/14 to the channel.
■ Set the protocol to PAgP and the PAgP mode to desirable.
■ Manually set the trunking mode to 802.1Q.
■ Enable the interfaces.

Note If you see port mismatch messages when creating the EtherChannel, the physical interfaces are in Layer 2 mode and the port channel interface is in Layer 3 mode.
Use the switchport command on the port channel interface to set the port to Layer 2 manually.

Step 2 Create a port channel 10 interface on the VSS using the following information:
■ Add interfaces GigabitEthernet1/3/13 and GigabitEthernet2/3/13 to the channel.
■ Set the protocol to PAgP and the PAgP mode to desirable.
■ Manually set the trunking mode to 802.1Q.

Step 3 Create a port channel 20 interface on 4900-2 using the following information:
■ Add the interfaces GigabitEthernet1/13 and GigabitEthernet1/14 to the channel.
■ Set the protocol to PAgP and the PAgP mode to desirable.
■ Manually set the trunking mode to 802.1Q.
■ Enable the interfaces.

Note If you see port mismatch messages when creating the EtherChannel, the physical interfaces are in Layer 2 mode and the port channel interface is in Layer 3 mode. Use the switchport command on the port channel interface to set the port to Layer 2 manually.

Step 4 Create a port channel 20 interface on the VSS using the following information:
■ Add interfaces GigabitEthernet1/3/14 and GigabitEthernet2/3/14 to the channel.
■ Set the protocol to PAgP and the PAgP mode to desirable.
■ Manually set the trunking mode to 802.1Q.

Activity Verification

You have completed this task when you attain these results:

Step 1 Verify the PortChannel 10 operation on 4900-1. You should see that interfaces GigabitEthernet1/13 and GigabitEthernet1/14 are members of the PortChannel10 group.

4900-1#show etherchannel 10 summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
10     Po10(SU)        PAgP      Gi1/13(P)   Gi1/14(P)

Step 2 Verify the PortChannel 10 operation on 6500-1.
You should see that interfaces GigabitEthernet1/1/13 and GigabitEthernet2/1/13 are members of the PortChannel10 group.

6500-1#show etherchannel 10 summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator

        M - not in use, no aggregation due to minimum links not met
        m - not in use, port not aggregated due to minimum links not met
        u - unsuitable for bundling
        d - default port

        w - waiting to be aggregated
Number of channel-groups in use: 6
Number of aggregators:           6

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
10     Po10(SU)        PAgP      Gi1/3/13(P)    Gi2/3/13(P)

Last applied Hash Distribution Algorithm: Fixed

Step 3 Verify the PortChannel 20 operation on 4900-2. You should see that interfaces GigabitEthernet1/13 and GigabitEthernet1/14 are members of the PortChannel20 group.

4900-2#show etherchannel 20 summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
20     Po20(SU)        PAgP      Gi1/13(P)   Gi1/14(P)

Step 4 Verify the PortChannel 20 operation on 6500-1. You should see that interfaces GigabitEthernet1/1/14 and GigabitEthernet2/1/14 are members of the PortChannel20 group.

6500-1#show etherchannel 20 summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator

        M - not in use, no aggregation due to minimum links not met
        m - not in use, port not aggregated due to minimum links not met
        u - unsuitable for bundling
        d - default port

        w - waiting to be aggregated
Number of channel-groups in use: 6
Number of aggregators:           6

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
20     Po20(SU)        PAgP      Gi1/3/14(P)    Gi2/3/14(P)

Last applied Hash Distribution Algorithm: Fixed

Step 5 Clear the counters on all interfaces on 6500-1 with the clear counters command.

Step 6 Verify that you have connectivity between PC1, Server1, and Server3. Issue a continuous ping from PC1 towards Server1 and Server3 using the ping destination -t command. Leave the pings running.

<output omitted>
Reply from 10.4.21.10: bytes=32 time<1ms TTL=127
Reply from 10.4.21.10: bytes=32 time=2ms TTL=127
Reply from 10.4.21.10: bytes=32 time

[100]
Earl Card Index= 259
00:00:06: %PFREDUN-6-ACTIVE: Initializing as ACTIVE processor for this switch
00:00:07: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
00:00:09: %OIR-SP-6-CONSOLE: Changing console ownership to route processor
00:00:09: %SYS-SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
SP: Currently running ROMMON from S (Gold) region
%C6KPWR-SP-4-PSCOMBINEDMODE: power supplies set to combined mode.
%OIR-SP-6-INSPS: Power supply inserted in slot 1
%C6KPWR-SP-4-PSOK: power supply 1 turned on.
%OIR-SP-6-INSPS: Power supply inserted in slot 2
%C6KPWR-SP-4-PSOK: power supply 2 turned on.
%SYS-SP-5-RESTART: System restarted --
Cisco IOS Software, s72033_sp Software (s72033_sp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 02:10 by prod_rel_team
00:01:39: %SYS-SP-6-BOOTTIME: Time taken to reboot after reload = 179 seconds
00:01:41: %C6KPWR-SP-4-DISABLED: power to module in slot 1 set off (admin request)
%C6KPWR-SP-4-DISABLED: power to module in slot 4 set off (admin request)
%C6KPWR-SP-4-DISABLED: power to module in slot 6 set off (admin request)
00:01:46: %FABRIC-SP-5-CLEAR_BLOCK: Clear block option is off for the fabric in slot 5.
00:01:46: %FABRIC-SP-5-FABRIC_MODULE_ACTIVE: The Switch Fabric Module in slot 5 became active
00:01:49: %DIAG-SP-6-RUN_MINIMUM: Module 5: Running Minimal Diagnostics

Step 2  After 6500-1 is converted, the former 6500-2 becomes the VSS active chassis and thus the hostname changes to 6500-1. Observe the output on the console.

01:06:28: %VSLP-SW2_SPSTBY-3-VSLP_LMP_FAIL_REASON: Te2/5/4: Link down
01:06:28: %VSLP-SW2_SPSTBY-2-VSL_DOWN: Last VSL interface Te2/5/4 went down
01:06:28: %VSLP-SW2_SPSTBY-2-VSL_DOWN: All VSL links went down while switch is in Standby role
01:06:28: %DUAL_ACTIVE-SW2_SPSTBY-1-VSL_DOWN: VSL is down - switchover, or possible dual-active situation has occurred
01:06:28: %DUAL_ACTIVE-SW2_SPSTBY-1-VSL_DOWN: VSL is down - switchover, or possible dual-active situation has occurred
01:06:28: %VSL-SW2_SPSTBY-3-VSL_SCP_FAIL: SCP operation failed
01:06:28: %PFREDUN-SW2_SPSTBY-6-ACTIVE: Initializing as Virtual Switch ACTIVE processor
%FIB-SP-4-FIBXDRINV: Invalid format. Port-channel10 Invalid ifindex
SP: Now can post switchover to local slots
6k_pwr_is_fantray_ok returns ok for fan_index 1
%C6KPWR-SP-4-PSOK: power supply 1 turned on.
%C6KPWR-SP-4-PSOK: power supply 2 turned on.
SP: The PC in slot 2 is shutting down. Please wait ...
SP: The PC in slot 4 is shutting down. Please wait ...
SP: The PC in slot 6 is shutting down. Please wait ...
%OIR-SW2_SP-6-INSCARD: Card inserted in slot 3, interfaces are now online
01:06:30: %OIR-SW2_SP-6-INSCARD: Card inserted in slot 5, interfaces are now online
SW2_SP: Setting the local_oir_wait_complete boolean to TRUE
SW2_SP: remote_bay_ps_remove: Couldn't sync the event
01:08:30: SW2_SP: remote_bay_ps_remove: Couldn't sync the event
01:08:51: SW2_SP: shutdown_pc_process: No response from module 2
SW2_SP: shutdown_pc_process: No response from module 4
SW2_SP: shutdown_pc_process: No response from module 6
%C6KPWR-SW2_SP-4-UNSUPPORTED: unsupported module in slot 2, power not allowed: Unsupported module in Virtual switch system.

Step 3  Convert this chassis (the former 6500-2) also to standalone mode by using the switch convert mode stand-alone command. You should see output similar to the following printout. Note that the power supply operational mode is correctly set to combined and that modules in slots 1, 4, and 6 are powered down as they were prior to converting to VSS mode.

6500-1#switch convert mode stand-alone
This command will convert all interface names
to naming convention "interface-type slot/port",
save the running config to startup-config and
reload the switch.
Do you want to proceed? [yes/no]: yes
Converting interface names
Building configuration...
[OK]
01:14:15: %SYS-SW2_SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
01:14:15: %OIR-SW2_SP-6-CONSOLE: Changing console ownership to switch processor
01:14:15: %SYS-SW2_SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
01:14:17: %SYS-SW2_SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
*** --- SHUTDOWN NOW ---
01:14:17: %SYS-SW2_SP-5-RELOAD: Reload requested
01:14:17: %OIR-SW2_SP-6-CONSOLE: Changing console ownership to switch processor
01:14:18: %SYS-SW2_SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.

System Bootstrap, Version 8.5(2)
Copyright (c) 1994-2007 by cisco Systems, Inc.
Cat6k-Sup720/SP processor with 1048576 Kbytes of main memory

Autoboot executing command: "boot bootdisk:/s72033-ipservicesk9_wan-mz.122-33.SXH1.bin"
Loading image, please wait ...
Initializing ATA monitor library...
Self extracting the image... [OK]
Self decompressing the image :
<...progress output omitted...>
[OK]

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706

Cisco IOS Software, s72033_sp Software (s72033_sp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 02:10 by prod_rel_team
Image text-base: 0x40101328, data-base: 0x41C2A210

%SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
Firmware compiled 19-Dec-07 11 6 by integ Build [100]
Earl Card Index= 259
00:00:06: %PFREDUN-6-ACTIVE: Initializing as ACTIVE processor for this switch
00:00:09: %SYS-SP-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
00:00:07: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
00:00:09: %OIR-SP-6-CONSOLE: Changing console ownership to route processor

System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
Cat6k-Sup720/RP platform with 1048576 Kbytes of main memory

Download Start
<...progress output omitted...>
Download Completed! Booting the image.
Self decompressing the image :
<...progress output omitted...>
[OK]

              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

           cisco Systems, Inc.
           170 West Tasman Drive
           San Jose, California 95134-1706

Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 01:55 by prod_rel_team
Image text-base: 0x40101328, data-base: 0x12869690

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C6506-E (R7000) processor (revision 1.1) with 983008K/65536K bytes of memory.
Processor board ID SAL1023R11U
SR71000 CPU at 600Mhz, Implementation 0x504, Rev 1.2, 512KB L2 Cache
Last reset from s/w reset
1 Virtual Ethernet interface
73 Gigabit Ethernet interfaces
3 Ten Gigabit Ethernet interfaces
1917K bytes of non-volatile configuration memory.
192K bytes of packet buffer memory
65536K bytes of Flash internal SIMM (Sector size 512K).

% This interface cannot be modified
  switchport
% Invalid input detected at '^' marker.

  shutdown
% Incomplete command.

  no cdp enable
% Invalid input detected at '^' marker.

Press RETURN to get started!
00:01:30: curr is 0x0
00:01:30: RP: Currently running ROMMON from S (Gold) region
00:01:37: %SYS-5-CONFIG_I: Configured from memory by console
00:01:42: %SYS-5-RESTART: System restarted --
Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 01:55 by prod_rel_team
Firmware compiled 19-Dec-07 10:56 by integ Build [100]
Earl Card Index= 259
%PFREDUN-6-ACTIVE: Initializing as ACTIVE processor for this switch
00:00:07: %SYS-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
%OIR-SP-6-CONSOLE: Changing console ownership to route processor
00:00:09: %SYS-SP-3-LOGGER_FLUSHED: System was paused for 00:00:00 to ensure console debugging output.
00:01:27: SP: SP: Currently running ROMMON from S (Gold) region
00:01:36: %C6KPWR-SP-4-PSCOMBINEDMODE: power supplies set to combined mode.
00:01:41: %OIR-SP-6-INSPS: Power supply inserted in slot 1
00:01:41: %C6KPWR-SP-4-PSOK: power supply 1 turned on.
00:01:41: %OIR-SP-6-INSPS: Power supply inserted in slot 2
00:01:41: %C6KPWR-SP-4-PSOK: power supply 2 turned on.
00:01:41: %SYS-SP-5-RESTART: System restarted --
Cisco IOS Software, s72033_sp Software (s72033_sp-IPSERVICESK9_WAN-M), Version 12.2(33)SXH1, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 17-Jan-08 02:10 by prod_rel_team
%SYS-SP-6-BOOTTIME: Time taken to reboot after reload = 181 seconds
%C6KPWR-SP-4-DISABLED: power to module in slot 1 set off (admin request)
%C6KPWR-SP-4-DISABLED: power to module in slot 4 set off (admin request)
00:02:45: %C6KPWR-SP-4-DISABLED: power to module in slot 6 set off (admin request)
00:02:50: %FABRIC-SP-5-CLEAR_BLOCK: Clear block option is off for the fabric in slot 5.
00:02:50: %FABRIC-SP-5-FABRIC_MODULE_ACTIVE: The Switch Fabric Module in slot 5 became active
00:01:52: %DIAG-SP-6-RUN_MINIMUM: Module 5: Running Minimal Diagnostics
00:02:11: %DIAG-SP-6-DIAG_OK: Module 5: Passed Online Diagnostics
00:02:13: %OIR-SP-6-INSCARD: Card inserted in slot 5, interfaces are now online

Activity Verification
You have completed this task when you attain these results:

Step 1  Verify the switch operational mode on 6500-1 and 6500-2 by issuing the show switch virtual command. The operational mode should be standalone as indicated in the following printout.

6500-1#show switch virtual
Switch Mode : Standalone

Demonstration 1-2: Deploying and Examining Cisco IOS Software Modularity

The Cisco Catalyst 6500 Series Switch IOS Software Modularity minimizes downtime and boosts operational efficiency through evolutionary software infrastructure advancements.

Activity Objective
In this activity, the instructor will demonstrate how the Cisco Catalyst 6500 Series Switch is upgraded to support Cisco IOS modularity and how patching can be applied.

Note: Some tasks and steps are not demonstrated since the demonstrations would take too much time. The procedure and the outputs are included in the lab exercise for your convenience.

After completing this activity, you will be able to meet these objectives:
- Upgrade the Cisco Catalyst 6500 Series Switch to support Cisco IOS modularity
- Activate the patching
- Install and activate a maintenance pack
- Define a tag
- Roll back to a defined tag
- Delete a tag
- Repackage the Cisco IOS image
- Examine and verify Cisco IOS Software Modularity actions with appropriate show commands
Visual Objective
The figure illustrates what you will accomplish in this activity.

[Figure: Demonstration 1-2: Deploying and Examining Cisco IOS Software Modularity]

IP Addressing
The IP addressing scheme in the following table lists the IP addresses of the PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces and Layer 3 physical interfaces, where "P" is your pod number.

[Pod Addressing table: not legible in this copy]

Required Resources
These are the resources and equipment required to complete this activity:
- Cisco Catalyst 6500 Series Switches
- Cisco Catalyst 6500 Series Switch Ethernet module
- Cisco Catalyst 6500 Series Switch Supervisor 720-10G-3C module
- Cisco Catalyst 4948 Switch
- Microsoft Windows 2003 server

Command List
The table describes the commands that are used in this activity.

Command                                              Description
boot system flash filesystem:/IOS-image              Sets the boot variable to the specified Cisco IOS image. Upon reload the specified image will be loaded.
configure replace filename                           Replaces the current running configuration with a saved Cisco IOS configuration file.
copy running-config startup-config                   Saves the running configuration to NVRAM.
dir disk0:                                           Lists the content of the disk0: file system.
install activate disk0:/sys                          Activates the installed maintenance pack to disk0:/sys.
install bind disk0:/sys                              Sets the boot variable to the activated (unpacked) Cisco IOS modularity image on disk0:/sys.
install commit disk0:/sys tag-name                   Defines a tag upon maintenance pack installation to disk0:/sys.
install file disk0:/file-name disk0:/sys             Activates (unpacks) the Cisco IOS modularity image to disk0:/sys.
install file filesystem:/patch-file disk0:/sys       Installs the maintenance pack to disk0:/sys.
install prune disk0:/sys tag-name                    Deletes a tag or the installed maintenance pack.
install repackage disk0:/sys filesystem:/filename    Repackages the base image and installed maintenance packs from disk0:/sys to a single file.
install rollback disk0:/sys tag-name                 Rolls back to a defined tag for the maintenance pack installed in disk0:/sys.
no boot system flash filesystem:/filename            Deletes the boot option from the configuration.
process restart process-name                         Restarts the process.
reload                                               Reloads the switch.
show bootvar                                         Shows the boot variable.
show install disk0:/sys                              Shows the installed (unpacked) base Cisco IOS modularity image in disk0:/sys.
show install running                                 Shows the installed base Cisco IOS modularity image and maintenance packs.
show install tags running                            Shows the user-defined tags.
show process cpu                                     Shows information about the running processes.
show processes detailed process-name                 Shows detailed information about the running processes.
show version                                         Shows the version of the booted Cisco IOS operating system.

Task 1 (Demonstration): Removing Previous Configurations
Ensure that no previous configuration exists on the switches in your pod and apply the initial configurations to the devices. The initial configuration includes settings for the Layer 2 interfaces used (trunking, access VLAN set, etc.), VLAN configuration, Layer 3 VLAN configuration, correct power scheme, etc. The initial configurations are available on the individual device file system as specified in the following steps.

Note: The instructor will demonstrate this task.
The outputs are for your reference.

Activity Procedure
Complete these steps on the 6500-1 switch in your pod:

Step 1  Connect to the 6500-1 switch via console and apply the following:
- Replace the current running configuration with the configuration from file disk0:dcni1_lab12_6500-1 using the configure replace disk0:dcni1_lab12_6500-1 command. When asked to proceed press Y. You should see output similar to the following printout.

6500-1#configure replace disk0:dcni1_lab11_6500-2
This will apply all necessary additions and deletions
to replace the current running configuration with the
contents of the specified configuration file, which is
assumed to be a complete configuration, not a partial
configuration. Enter Y if you are sure you want to proceed. ? [no]: y
01:13:28: Rollback:Acquired Configuration lock.
Total number of passes: 0
Rollback Done

Step 2  Reload the 6500-1 switch with the reload command.

Activity Verification
The task is completed when the 6500-1 is rebooted.

Task 2 (Demonstration): Upgrading to Cisco IOS Modularity Image
In this task the 6500-1 switch is upgraded to the Cisco IOS Software Modularity image.

Note: Since reload is time-consuming, the steps in this task have already been completed. The steps and outputs are available for your reference.

Activity Procedure
Complete these steps:

Step 1  The first step in upgrading the Cisco Catalyst 6500 Series Switch is to acquire the Cisco IOS Software Modularity image. It can be acquired via Cisco.com, where the MODULAR keyword beside the image denotes the Cisco IOS Modularity image. For lab purposes, the Cisco IOS Modularity image already resides on disk0:. The image name is s72033-ipservicesk9_wan-vz.122-33.SXH.bin.

Step 2  Set the boot system variable to boot the s72033-ipservicesk9_wan-vz.122-33.SXH.bin Cisco IOS image upon the next reload.

Step 3  Reload the 6500-1 switch.
Activity Verification
You have completed this task when you attain these results:

Step 1  Verify the running Cisco IOS image. Notice that patching is not available since it has not been activated.

6500-1#show version
Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-VM), Version 12.2(33)SXH, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Sun 19-Aug-07 13:29 by prod_rel_team

ROM: System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)

6500-1 uptime is 18 minutes
Uptime for this control processor is 17 minutes
Time since 6500-1 switched to active is 17 minutes
System returned to ROM by reload at 12:51:18 UTC Sat Mar 18 2008 (SP by reload)
System image file is "disk0:s72033-ipservicesk9_wan-vz.122-33.SXH.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C6506-E (R7000) processor (revision 1.1) with 1040384K/8192K bytes of memory.
Processor board ID SAL1023R121
SR71000 CPU at 600Mhz, Implementation 1284, Rev 1.2, 512KB L2 Cache
Last reset from s/w reset
5 Virtual Ethernet interfaces
73 Gigabit Ethernet interfaces
3 Ten Gigabit Ethernet interfaces
1917K bytes of non-volatile configuration memory.
65536K bytes of Flash internal SIMM (Sector size 512K).

Configuration register is 0x2102

Patching is not available since the system is not running from an installed image.
To install please use the "install file" command

Step 2  Examine the output of the show process cpu command. Notice that it changed after the Cisco IOS Software Modularity image was used.

6500-1#show process cpu
CPU utilization for five seconds: 3%; one minute: 2%; five minutes: 2%
  PID   5Sec   1Min   5Min  Process
    1   2.0%   0.2%   0.1%  kernel
        0.0%   0.0%   0.0%  devc-pty
        0.0%   0.0%   0.0%  devc-mistral.proc
    5   0.0%   0.0%   0.0%  pipe
 4102   0.0%   0.0%   0.0%  dumper.proc
 4103   0.0%   0.0%   0.0%  pcmcia_driver.proc
 4104   0.0%   0.0%   0.0%  bflash_driver.proc
12297   0.0%   0.0%   0.0%  queue
12298   0.0%   0.0%   0.0%  flashfs_hes.proc
12299   0.0%   0.0%   0.0%  dfs_bootdisk.proc
12300   0.0%   0.0%   0.0%  ldcache.proc
12301   0.0%   0.0%   0.0%  watchdog.proc
12302   0.0%   0.0%   0.0%  syslogd.proc
12303   0.0%   0.0%   0.0%  name_svr.proc
12304   0.3%   0.0%   0.0%  wdsysmon.proc
12305   0.0%   0.0%   0.0%  sysmgr.proc
16386   0.0%   0.0%   0.0%  chkptd.proc
16402   0.0%   0.0%   0.0%  sysmgr.proc
16403   0.0%   0.0%   0.0%  syslog_dev.proc
16404   0.0%   0.0%   0.0%  itrace_exec.proc
16405   0.0%   0.0%   0.0%  packet.proc

Step 3  Examine the information for the syslogd.proc process.

6500-1#show processes detailed syslogd.proc
Executable name          : syslogd.proc
Executable Path          : sbin/syslogd.proc
Instance ID              : 1
Respawn                  : ON
Respawn count            : 1
Respawn since last patch : 1
Max. spawns per minute   : 30
Last started             : Sat Mar 20 13:08:31 2008
Process state            : Run
Process Redundancy State : Active
core                     : SHAREDMEM MAINMEM
Level                    : 23
Mandatory                : ON
Last restart userid      : 0
Related Processes        :
  PID  TID  Stack  pri  state        HR:NAME
12302    1    20K   10  Receive      syslogd.proc
12302    2    20K       Receive      syslogd.proc
12302    3    20K       Sigwaitinfo  syslogd.proc
12302    4    20K       Condvar      syslogd.proc
Task 3 (Demonstration): Activating Patching Functionality
In this task you will enable the patching functionality on the 6500-1 switch.

Note: Since activating the patching functionality is a lengthy process, the Cisco IOS Modularity image is pre-unpacked and activated. The steps and outputs are available for your reference.

Activity Procedure
Complete these steps:

Step 1  Examine the disk0: file system on 6500-1. Notice the Cisco IOS image used.

6500-1#dir disk0:
Directory of disk0:/

    1  -rwx       11359  Mar 21 2008 23:09:58 +00:00  ace_scripts_A2_1.tgz
    2  -rwx        4897  Mar 18 2008 06:21:16 +00:00  vss-config
    3  -rwx    30292535  Mar 21 2008 23:13:50 +00:00  c6ace-t1k9-mz.A2_1.bin
    4  -rwx        5063  Mar 20 2008 12:57:20 +00:00  iosmodular-config
    5  -rwx   118601380  Mar 18 2008 16:00:52 +00:00  s72033-ipservicesk9_wan-vz.122-33.SXH.bin
    6  drwx           0  Mar 18 2008 22:35:18 +00:00  MODULAR

1024589824 bytes total (754122752 bytes free)

Step 2  Activate the patching functionality by expanding the packaged Cisco IOS Software Modularity image s72033-ipservicesk9_wan-vz.122-33.SXH.bin. Note that the image is not yet active.

6500-1#install file disk0:/s72033-ipservicesk9_wan-vz.122-33.SXH.bin disk0:/sys
Source filename [s72033-ipservicesk9_wan-vz.122-33.SXH.bin]?
<...part of the output omitted...>
Verifying checksums of extracted files
Verifying installation compatibility
Finalizing installation ...
<...part of the output omitted...>
Computing and verifying file checksums
<...part of the output omitted...>
Writing installation meta-data...
Please wait
NOTE: The newly added base image is not yet active. To activate the new base image, perform an 'install bind' in config mode followed by a 'reload'.
(Done)

Activity Verification
You have completed this task when you attain these results:

Step 1  Verify that the s72033-ipservicesk9_wan-vz.122-33.SXH.bin Cisco IOS image has been expanded to the disk0:/sys directory.

6500-1#dir disk0:
Directory of disk0:/

    1  -rwx       11359  Mar 21 2008 23:09:58 +00:00  ace_scripts_A2_1.tgz
    2  -rwx        4997  Mar 19 2008 06:21:16 +00:00  vss-config
    3  -rwx    30292535  Mar 21 2008 23:13:50 +00:00  c6ace-t1k9-mz.A2_1.bin
    4  -rwx        5063  Mar 19 2008 12:57:20 +00:00  iosmodular-config
    5  -rwx   118601380  Mar 18 2008 16:00:52 +00:00  s72033-ipservicesk9_wan-vz.122-33.SXH.bin
   10  drwx           0  Mar 19 2008 13:37:05 +00:00  sys
    6  drwx           0  Mar 18 2008 22:35:18 +00:00  MODULAR

1024589824 bytes total (597557248 bytes free)

Step 2  Remove the old boot system option from the configuration. Add the new one pointing to the disk0:/sys directory where the expanded Cisco IOS image resides. Save the running configuration.

no boot system flash disk0:s72033-ipservicesk9_wan-vz.122-33.SXH.bin
install bind disk0:/sys
!
copy running-config startup-config

Step 3  Examine the expanded Cisco IOS image on the disk0:/sys directory.
6500-1#show install disk0:/sys
B  Active  disk0:/sys/s72033/base/s72033-ipservicesk9_wan-vm - Version 12.2(33)SXH
B  Active  disk0:/sys/aboot/base/LCP_ABOOT
B  Active  disk0:/sys/ax1000/base/LCP_AX1000
B  Active  disk0:/sys/ax10100/base/LCP_AX10100
B  Active  disk0:/sys/boot/base/LCP_BOOT
B  Active  disk0:/sys/c2_lc/base/C2LC
B  Active  disk0:/sys/chevyslc/base/CHEVYS-LC
B  Active  disk0:/sys/cp10g/base/LCP_CP10G
B  Active  disk0:/sys/cpfab/base/LCP_CPFAB
B  Active  disk0:/sys/cpgbit/base/LCP_CPGBIT
B  Active  disk0:/sys/cpmbit/base/LCP_CPMBIT
B  Active  disk0:/sys/cpmbit2/base/LCP_CPMBIT2
B  Active  disk0:/sys/cpxbit/base/LCP_CPXBIT
B  Active  disk0:/sys/cwpa2/base/CWPA2_version_10.10
B  Active  disk0:/sys/cwpa2_fpd/base/CWPA2_FPD_version_10.10
B  Active  disk0:/sys/lx1000/base/LCP_LX1000
B  Active  disk0:/sys/lx10100/base/LCP_LX10100
B  Active  disk0:/sys/s72033_rp/base/DRACO2_MP
B  Active  disk0:/sys/sip1/base/SIP1_version_10.10
B  Active  disk0:/sys/sip2/base/SIP2_version_10.10
B  Active  disk0:/sys/smsc/base/SMSC_version_10.10

LEGEND:
B/P/MP   - (B)ase image, (P)atch, or (M)aintenance (P)ack
C        - (C)ommitted
Pruned   - This file has been pruned from the system
Active   - This file is active in the system
Pendinst - This file is set to be made available to run on the system after next activation.
PendRoll - This file is set to be rolled back after next activation.
InstPRel - This file will run on the system after next reload
RollPRel - This file will be removed from the system after next reload
RPRPndIn - This file is both rolled back pending a reload, and pending installation. On reload, this file will not run and will move to Pendinst state. If 'install activate' is done before reload, pending removal and install cancel each other and file simply remains active
IPRPndRo - This file is both installed pending a reload, and pending rollback. If the card reloads, it will be active on the system pending a rollback. If 'install activate' is done before a reload, the pending install and removal with cancel each other and the file will simply be removed
Occluded - This file has been occluded from the system, a newer version of itself has superceded it

Step 4  Verify that the boot variable points to the expanded Cisco IOS image, save the running configuration, and reload the switch.

6500-1#show bootvar
BOOT variable = disk0:/sys/s72033/base/s72033-ipservicesk9_wan-vm,12;
CONFIG_FILE variable =
BOOTLDR variable =
Configuration register is 0x2102

Standby is not present.

Step 5  Reload the 6500-1 switch, and after it has booted, verify that the patching functionality is available. The last lines indicate that patching is available.

6500-1#show version
Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-VM), Version 12.2(33)SXH, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Sun 19-Aug-07 13:29 by prod_rel_team

ROM: System Bootstrap, Version 12.2(17r)SX5, RELEASE SOFTWARE (fc1)
<...part of the output omitted...>
3 Ten Gigabit Ethernet interfaces
1917K bytes of non-volatile configuration memory.
65536K bytes of Flash internal SIMM (Sector size 512K).

Configuration register is 0x2102

System is currently running from installed software
For further information use "show install running"

Step 6  Examine the running expanded image.

6500-1#show install running
B/P/C  State   Filename

Software running on card installed at location s72033 - Slot 5:
B  Active  disk0:/sys/s72033/base/s72033-ipservicesk9_wan-vm - Version 12.2(33)SXH

Software running on card installed at location s72033_rp - Slot 5:
B  Active  disk0:/sys/s72033_rp/base/DRACO2_MP

Software running on card installed at location c2_lc - Slot 3:
B  Active  disk0:/sys/c2_lc/base/C2LC

LEGEND:
<...legend omitted, identical to the show install disk0:/sys legend...>

Task 4 (Demonstration): Installing Maintenance Packs and Setting Tags
In this task you will install and activate a maintenance pack, define tags and perform a manual process restart.

Note: The instructor will demonstrate this task. The outputs are for your reference. The 6500-1 was reloaded with the initial configuration and activated Cisco IOS image.
Activity Procedure ‘Complete these steps: ‘Step The maintenance packs can be downloaded from http://www cisco.com/go/pn. For lab purposes, two maintenance packs have been downloaded to the disk0:/MODULAR directory: = 572033-demo_mp001-p.122-33.SXH: CDP demo_mp-001.122-33.SXH maintenance pack © $72033-demo_mp002-p.122-33.SXH: IP Routing demo_mp-002,122-33.SXH maintenance pack Step2 Verify that the files are present on disk0:/ MODULAR folder. 6500-1#dix disk0:/MODULAR Directory of disk0:/MODULAR/ 200 =r 1159600 Mar 18 2008 22136:16 400700 /672033-demo|_mpoor-p.122- 33.8KH Loi =e 92734080" Mar/18 200822136130 400100 872033-demo|mpo02¢p1 122+ 93..SxHt 102 -rwx 118601380 Mar 18 2008 22:43:46 +00:00 s72033-ipservicesk9_wan- v2.122-33.SxH.bin 1024589824 bytes total (597704704 bytes free) ‘Step 3 Install the s72033-demo_mp001-p.122-33.SXH maintenance pack to the disk0:/sys folder. 6500-1#inetall £11@ diek0:/MODULAR/s72033~-demo_mp001-p.122-33.SXH disk0:/sys ‘ce filename {/MODULAR/S72033-demo_mp001-p.122-33 .SXH]? rit Verifying checksums of extracted files Verifying installation compatibility Gathering information for location s72033_rp - Slot 5 Trittiiitttitt TVPEPECEECLECETIGAGUCAbLLAgdeeeECategeeeeeneegees Hittites iy tienes rereerrriiit) Monuauneecaeesoaageceecogeuaeenensenaeeesens iii) ‘the following Install changesst ie currently pending for this location + Pending Install : pateh/patch-2AA3373-patch-cdp_n.so Activation of the ‘panding Changes’ Listed above will affect the following processes: cdp2 dosproe {© 2008 Cisco Systems, Ine. Lab Guide 83 Finalizing installation ... Computing and verifying file checksums NOTE: The newly added patch is not yet active. Use ‘install activate’ to activate the patch in the currently running system. (Done) Step4 Verify that the maintenance pack was installed. 
You should notice that the pack is installed but pending, since it has not been activated, and that only the cdp2.iosproc process will be affected by this patch.

    6500-1#show install running
    B/PC State     Filename
    Software running on card installed at location s72033 - Slot 5 :
    B    Active    disk0:/sys/s72033/base/s72033-ipservicesk9_wan-vm - Version 12.2(33)SXH
    Software running on card installed at location s72033_rp - Slot 5 :
    B    Active    disk0:/sys/s72033_rp/base/DRACO2_MP
    MP   Maintenance Pack demo_mp001
    P    PendInst  disk0:/sys/s72033_rp/patch/patch-ZAA3373-patch-cdp_n.so
    Software running on card installed at location c2_lc - Slot 3 :
    B    Active    disk0:/sys/c2_lc/base/C2LC

    LEGEND:
    B/P/MP   - (B)ase image, (P)atch, or (M)aintenance (P)ack
    *        - (C)ommitted
    Pruned   - This file has been pruned from the system
    Active   - This file is active in the system
    PendInst - This file is set to be made available to run on the system after next activation.
    PendRoll - This file is set to be rolled back after next activation.
    <...rest of the output omitted...>

Step 5  Connect to PC1 and issue a continuous ping to Server1.

Step 6  Activate the maintenance pack. When asked to continue, choose YES. Notice that the continuous ping issued from PC1 to Server1 is not affected by the cdp2.iosproc process restart.

    6500-1#install activate disk0:/sys
    Determining processes to restart at location s72033_rp - Slot 5
    The following Install changeset is currently pending for this location :
      Pending Install : patch/patch-ZAA3373-patch-cdp_n.so
    The following processes will be restarted:
      cdp2.iosproc
    Do you want to continue with activating this change set...? [yes/no]: yes
    Proceeding with activation, writing installer meta-data ...
    Updating more installer meta-data ...
    Beginning process restarts ...
    Affected processes restarted.
    [Done]
    6500-1#
    00:24:29: %SYSMGR-6-RESPAWN: Process cdp2.iosproc:1 has been respawned

Step 7  Set the PATCH1-cdp tag for the installed maintenance pack.

    6500-1#install commit disk0:/sys PATCH1-cdp
    [OK]

Step 8  Verify that the tag has been defined.

    6500-1#show install tags running
    Tags defined over software running on location s72033 - Slot 5 :
    Tagname        # of Files   Date Committed
    PATCH1-cdp     1            14:35:38 UTC Mar 19 2008
    Tags defined over software running on location s72033_rp - Slot 5 :
    Tagname        # of Files   Date Committed
    PATCH1-cdp     1            14:35:38 UTC Mar 19 2008
    Tags defined over software running on location c2_lc - Slot 3 :
    Tagname        # of Files   Date Committed
    PATCH1-cdp     1            14:35:38 UTC Mar 19 2008

Step 9  Manually restart the syslogd.proc process. As in the previous case, the continuous ping issued from PC1 to Server1 is not disrupted.
    6500-1#process restart syslogd.proc
    Restarting process syslogd.proc
    6500-1#
    00:26:44: %SYSMGR-6-RESPAWN: Process syslogd.proc:1 has been respawned

Task 5 (Demonstration): Rolling Back to a Defined Tag

In this task you will install another maintenance pack, define a new tag, perform a rollback to a previously defined tag, delete a tag, and repackage the installed base image and maintenance pack into a Cisco IOS binary image.

Note: The instructor will demonstrate this task. The outputs are for your reference.

Activity Procedure

Complete these steps:

Step 1  Install the s72033-demo_mp002-p.122-33.SXH maintenance pack to disk0:/sys. Notice that the patch patch-ZAA3373-patch-cdp_n.so is skipped during installation, since it was part of the first pack installed.

    6500-1#install file disk0:/MODULAR/s72033-demo_mp002-p.122-33.SXH disk0:/sys
    Source filename [/MODULAR/s72033-demo_mp002-p.122-33.SXH]?
    Verifying checksums of extracted files
    Skipped install of s72033_rp/patch/patch-ZAA3373-patch-cdp_n.so because it was already installed.
    Verifying installation compatibility
    Gathering information for location s72033 - Slot 5
    The following Install changeset is currently pending for this location :
      Pending Install : patch/patch-ZAA3359-patch-iprouting_n.so
    Activation will not affect any processes.
    Gathering information for non-running card of type chevysic
    The following Install changeset is currently pending for this location :
      Pending Install : patch/patch-ZAA3359-patch-iprouting_n.so
    Activation will not affect any processes.
    Gathering information for location c2_lc - Slot 3
    The following Install changeset is currently pending for this location :
      Pending Install : patch/patch-ZAA3359-patch-iprouting_n.so
    Activation will not affect any processes.
    Gathering information for location s72033_rp - Slot 5
    The following Install changeset is currently pending for this location :
      Pending Install : patch/patch-ZAA3359-patch-iprouting_n.so
    Activation of the pending changes listed above will affect the following processes:
      iprouting.iosproc
    Finalizing installation ...
    Computing and verifying file checksums
    NOTE: The newly added patch is not yet active.  Use 'install activate'
          to activate the patch in the currently running system.
    [Done]

Step 2  Verify that the maintenance pack was installed. You should notice that the pack is installed but pending, since it has not been activated, and that only the iprouting.iosproc process will be affected by this patch.

    6500-1#show install running
    B/PC State     Filename
    Software running on card installed at location s72033 - Slot 5 :
    B  * Active    disk0:/sys/s72033/base/s72033-ipservicesk9_wan-vm - Version 12.2(33)SXH
    MP   Maintenance Pack demo_mp002
    P    PendInst  disk0:/sys/s72033/patch/patch-ZAA3359-patch-iprouting_n.so
    Software running on card installed at location s72033_rp - Slot 5 :
    B  * Active    disk0:/sys/s72033_rp/base/DRACO2_MP
    MP   Maintenance Pack demo_mp001
    P  * Active    disk0:/sys/s72033_rp/patch/patch-ZAA3373-patch-cdp_n.so
    MP   Maintenance Pack demo_mp002
    P    PendInst  disk0:/sys/s72033_rp/patch/patch-ZAA3359-patch-iprouting_n.so
    Software running on card installed at location c2_lc - Slot 3 :
    B  * Active    disk0:/sys/c2_lc/base/C2LC
    MP   Maintenance Pack demo_mp002
    P    PendInst  disk0:/sys/c2_lc/patch/patch-ZAA3359-patch-iprouting_n.so

    LEGEND:
    B/P/MP   - (B)ase image, (P)atch, or (M)aintenance (P)ack
    *        - (C)ommitted
    Pruned   - This file has been pruned from the system
    Active   - This file is active in the system
    PendInst - This file is set to be made available to run on the system after next activation.
    <...rest of the output omitted...>

Step 3  Connect to PC1 and issue a continuous ping to Server1.

Step 4  Activate the maintenance pack. When asked to continue, choose YES. Notice that the continuous ping issued from PC1 to Server1 is not affected by the iprouting.iosproc process restart.

    6500-1#install activate disk0:/sys
    Determining processes to restart at location s72033_rp - Slot 5
    The following Install changeset is currently pending for this location :
      Pending Install : patch/patch-ZAA3359-patch-iprouting_n.so
    The following processes will be restarted:
      iprouting.iosproc
    Some config that affects the processes above has not yet been checkpointed.
    If you choose to continue this activation when prompted, some config may be lost.
    You should choose not to continue this activation when prompted.  You should checkpoint your
    Determining processes affected for non-running card of type chevysic
    The following Install changeset is currently pending for this location :
      Pending Install : patch/patch-ZAA3359-patch-iprouting_n.so
    No processes will be restarted.
    Determining processes to restart at location c2_lc - Slot 3
    The following Install changeset is currently pending for this location :
      Pending Install : patch/patch-ZAA3359-patch-iprouting_n.so
    No processes will be restarted.
    Determining processes to restart at location s72033 - Slot 5
    The following Install changeset is currently pending for this location :
      Pending Install : patch/patch-ZAA3359-patch-iprouting_n.so
    No processes will be restarted.
    Do you want to continue with activating this change set...? [yes/no]: yes
    Proceeding with activation, writing installer meta-data ...
    Updating more installer meta-data ...
    Beginning process restarts ...
    00:51:24: %KERN-6-SYSLOG_GEN: <30>SLOT0:00:51:24: ;1206802408.687: sysmgr.proc[63]: Some config for process iprouting.iosproc:1 has not yet been checkpointed and may be lost
    Affected processes restarted.
    00:51:26: %SYSMGR-6-RESPAWN: Process iprouting.iosproc:1 has been respawned
    [Done]

Step 5  Set the PATCH2-iprouting tag for the installed maintenance pack.

    6500-1#install commit disk0:/sys PATCH2-iprouting
    [OK]

Step 6  Verify that the patch has been activated.

    6500-1#show install running
    B/PC State     Filename
    Software running on card installed at location s72033 - Slot 5 :
    B  * Active    disk0:/sys/s72033/base/s72033-ipservicesk9_wan-vm - Version 12.2(33)SXH
    MP   Maintenance Pack demo_mp002
    P  * Active    disk0:/sys/s72033/patch/patch-ZAA3359-patch-iprouting_n.so
    Software running on card installed at location s72033_rp - Slot 5 :
    B  * Active    disk0:/sys/s72033_rp/base/DRACO2_MP
    MP   Maintenance Pack demo_mp001
    P  * Active    disk0:/sys/s72033_rp/patch/patch-ZAA3373-patch-cdp_n.so
    MP   Maintenance Pack demo_mp002
    P  * Active    disk0:/sys/s72033_rp/patch/patch-ZAA3359-patch-iprouting_n.so
    Software running on card installed at location c2_lc - Slot 3 :
    B  * Active    disk0:/sys/c2_lc/base/C2LC
    MP   Maintenance Pack demo_mp002
    P  * Active    disk0:/sys/c2_lc/patch/patch-ZAA3359-patch-iprouting_n.so

    LEGEND:
    <...rest of the output omitted...>

Step 7  Roll back to the older tag PATCH1-cdp.

    6500-1#install rollback disk0:/sys PATCH1-cdp
    Gathering information for location s72033_rp - Slot 5
    The following Rollback changeset is currently pending for this location :
      Pending Rollback : patch/patch-ZAA3359-patch-iprouting_n.so
    Activation of the pending changes listed above will affect the following processes:
      iprouting.iosproc
    Gathering information for non-running card of type chevysic
    The following Rollback changeset is currently pending for this location :
      Pending Rollback : patch/patch-ZAA3359-patch-iprouting_n.so
    Activation will not affect any processes.
    Gathering information for location c2_lc - Slot 3
    The following Rollback changeset is currently pending for this location :
      Pending Rollback : patch/patch-ZAA3359-patch-iprouting_n.so
    Activation will not affect any processes.
    Gathering information for location s72033 - Slot 5
    The following Rollback changeset is currently pending for this location :
      Pending Rollback : patch/patch-ZAA3359-patch-iprouting_n.so
    Activation will not affect any processes.
    [OK]

Step 8  Verify which tag will be used upon activation.
    6500-1#show install running
    B/PC State     Filename
    Software running on card installed at location s72033 - Slot 5 :
    B  * Active    disk0:/sys/s72033/base/s72033-ipservicesk9_wan-vm - Version 12.2(33)SXH
    MP   Maintenance Pack demo_mp002
    P  * PendRoll  disk0:/sys/s72033/patch/patch-ZAA3359-patch-iprouting_n.so
    Software running on card installed at location s72033_rp - Slot 5 :
    B  * Active    disk0:/sys/s72033_rp/base/DRACO2_MP
    MP   Maintenance Pack demo_mp001
    P  * Active    disk0:/sys/s72033_rp/patch/patch-ZAA3373-patch-cdp_n.so
    MP   Maintenance Pack demo_mp002
    P  * PendRoll  disk0:/sys/s72033_rp/patch/patch-ZAA3359-patch-iprouting_n.so
    Software running on card installed at location c2_lc - Slot 3 :
    B  * Active    disk0:/sys/c2_lc/base/C2LC
    MP   Maintenance Pack demo_mp002
    P  * PendRoll  disk0:/sys/c2_lc/patch/patch-ZAA3359-patch-iprouting_n.so

Step 9  Activate the PATCH1-cdp tag. When asked to continue, choose YES. Notice that this action does not disrupt the continuous ping from PC1 to Server1.

    6500-1#install activate disk0:/sys
    Determining processes to restart at location s72033_rp - Slot 5
    The following Rollback changeset is currently pending for this location :
      Pending Rollback : patch/patch-ZAA3359-patch-iprouting_n.so
    The following processes will be restarted:
      iprouting.iosproc
    Some config that affects the processes above has not yet been checkpointed.
    If you choose to continue this activation when prompted, some config may be lost.
    You should choose not to continue this activation when prompted.  You should checkpoint your
    Determining processes affected for non-running card of type chevysic
    The following Rollback changeset is currently pending for this location :
      Pending Rollback : patch/patch-ZAA3359-patch-iprouting_n.so
    No processes will be restarted.
    Determining processes to restart at location c2_lc - Slot 3
    The following Rollback changeset is currently pending for this location :
      Pending Rollback : patch/patch-ZAA3359-patch-iprouting_n.so
    No processes will be restarted.
    Determining processes to restart at location s72033 - Slot 5
    The following Rollback changeset is currently pending for this location :
      Pending Rollback : patch/patch-ZAA3359-patch-iprouting_n.so
    No processes will be restarted.
    Do you want to continue with activating this change set...? [yes/no]: yes
    Proceeding with activation, writing installer meta-data ...
    Updating more installer meta-data ...
    Beginning process restarts ...
    Affected processes restarted.
    01:17:05: %KERN-6-SYSLOG_GEN: <30>SLOT0:01:17:05: ;1206803949.490: sysmgr.proc[63]: Some config for process iprouting.iosproc:1 has not yet been checkpointed and may be lost
    01:17:07: %SYSMGR-6-RESPAWN: Process iprouting.iosproc:1 has been respawned
    [Done]

Step 10  Repackage the base Cisco IOS image with the installed maintenance packs into a file on the disk0: file system named IOS-PATCH1-cdp.bin.

    6500-1#install repackage disk0:/sys disk0:/IOS-PATCH1-cdp.bin
    Destination filename [IOS-PATCH1-cdp.bin]?
    <...part of the output omitted...>
    [Done]

Step 11  Verify that the file IOS-PATCH1-cdp.bin resides on the disk0: file system.
    6500-1#dir disk0:
    Directory of disk0:/

        1  -rwx       11359  Mar                   +00:00  ace_scripts_A2_1.taz
        2  -rwx        4997  Mar                   +00:00  vss-config
        3  -rwx    30292535  Mar          23:13:50 +00:00  c6ace-t1k9-mz.A2_1.bin
        4  -rwx        5063  Mar          12:57:20 +00:00  iosmodular-config
        5  -rwx   118601380  Mar          16:00:52 +00:00  s72033-ipservicesk9_wan-vz.122-33.SXH.bin
        6  drwx           0  Mar 19 2008 13:37:06 +00:00  sys
      105  -rwx   118736896  Mar 19 2008 15:27:52 +00:00  IOS-PATCH1-cdp.bin
       99  drwx           0  Mar 18 2008 22:35:18 +00:00  MODULAR

    1024589824 bytes total (478593024 bytes free)

Step 12  Delete the tag PATCH1-cdp.

    6500-1#install prune disk0:/sys PATCH1-cdp
    [OK]

Step 13  Verify that the PATCH2-iprouting tag was deleted.

    6500-1#show install tags running
    Tags defined over software running on location s72033 - Slot 5 :
    Tagname        # of Files   Date Committed
    Tags defined over software running on location s72033_rp - Slot 5 :
    Tagname        # of Files   Date Committed
    Tags defined over software running on location c2_lc - Slot 3 :
    Tagname        # of Files   Date Committed

Step 14  Also examine the installed and activated patches. Notice that the maintenance pack demo_mp001 is still installed and activated; only the tag was deleted.

    6500-1#show install running
    B/PC State     Filename
    Software running on card installed at location s72033 - Slot 5 :
    B    Active    disk0:/sys/s72033/base/s72033-ipservicesk9_wan-vm - Version 12.2(33)SXH
    Software running on card installed at location s72033_rp - Slot 5 :
    B    Active    disk0:/sys/s72033_rp/base/DRACO2_MP
    MP   Maintenance Pack demo_mp001
    P    Active    disk0:/sys/s72033_rp/patch/patch-ZAA3373-patch-cdp_n.so
    Software running on card installed at location c2_lc - Slot 3 :
    B    Active    disk0:/sys/c2_lc/base/C2LC

Lab 1-3: Deploying QoS

Switches have large backplanes and are able to switch millions of packets per second, yet congestion can still occur at any time within the network.
If congestion management features are not in place, packets received during congested periods will be dropped, causing unnecessary retransmissions. Retransmissions increase network load, and performance degrades in a downward spiral.

Activity Objective

In this activity, you will deploy the QoS policy, Control Plane Policing (CoPP), and CPU rate limiters. After completing this activity, you will be able to meet these objectives:
■ Examine the QoS processing
■ Set the ingress QoS trust
■ Define and configure QoS policies
■ Apply ingress policing
■ Configure and apply CoPP
■ Configure and apply CPU rate limiters
■ Verify the QoS, CoPP, and CPU rate limiter configuration and operation using show commands

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Lab 1-3: Deploying QoS]

The pod with the equipment for this lab exercise is divided into two independent subpods with the following devices and VLANs:
■ Subpod1: 6500-1, 4900-1, PC1, Server1 and VLANs 11, 13
■ Subpod2: 6500-2, 4900-2, PC6, Server3 and VLANs 21, 23

Divide into subgroups in each pod to complete the following tasks.

Note: Throughout the lab exercise, the steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

IP Addressing

The IP addressing scheme in the following table lists the IP addresses of the PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces and Layer 3 physical interfaces, where "P" is your pod number.
Pod Addressing

    Device    IP Subnet    Subnet Mask   Device IP                 Default Gateway   VLAN
    PC1       10.P.13.0    /24           10.P.13.25                10.P.13.1         13
    PC6       10.P.23.0    /24           10.P.23.25                10.P.23.1         23
    Server1   10.P.11.0    /24           10.P.11.10, 10.P.11.20,   10.P.11.1         11
                                         10.P.11.30, 10.P.11.40
    Server3   10.P.21.0    /24           10.P.21.10, 10.P.21.20,   10.P.21.1         21
                                         10.P.21.30, 10.P.21.40

    Device    VLAN   IP Subnet    Subnet Mask   Device IP
    6500-1    11     10.P.11.0    /24           10.P.11.1
    6500-1    13     10.P.13.0    /24           10.P.13.1
    6500-2    21     10.P.21.0    /24           10.P.21.1
    6500-2    23     10.P.23.0    /24           10.P.23.1

Required Resources

These are the resources and equipment required to complete this activity:
■ Two (2) Cisco Catalyst 6500 Series Switches
■ Two (2) Cisco Catalyst 6500 Series Switch Ethernet modules
■ Two (2) Cisco Catalyst 6500 Series Switch Supervisor 720-10G-3C modules
■ Two (2) Cisco Catalyst 4948 Switches
■ Two (2) Microsoft Windows XP clients
■ Two (2) Microsoft Windows 2003 servers

Command List

The table describes the commands that are used in this activity.

    Command                                                  Description
    [no] service-policy input policy-name                    Remove or apply the defined QoS policy to an interface.
    class class-map                                          Use the defined class in a QoS policy.
    class-map match-any class-map                            Define a QoS class.
    control-plane                                            Enter the control plane interface configuration mode.
    match access-group acl-number                            Match the traffic in a class map based upon the defined access list.
    mls qos                                                  Enable the QoS functionality on the PFC of a Cisco Catalyst 6500 Series Switch.
    mls qos map policed-dscp normal-burst 32 to 16           Define remapping of the policed traffic from DSCP value 32 to 16.
    mls qos trust cos                                        Set the interface to trust the CoS value.
    police rate conform-action transmit exceed-action drop   Police the traffic according to the specified rate. Transmit the traffic that conforms to the rate and drop the excess traffic.
    police rate conform-action transmit exceed-action
      policed-dscp-transmit                                  Police the traffic according to the specified rate. Transmit the traffic that conforms to the rate and remark the DSCP of the excess traffic.
    policy-map policy-name                                   Define a QoS policy.
    qos                                                      Enable QoS on a Cisco Catalyst 4900 Series Switch.
    show interface GigabitEthernet number capabilities       Examine the capabilities of the individual interface (QoS functionality among other things).
    show mls qos                                             Examine the QoS operational mode.
    show mls qos module                                      Examine the QoS configuration for a module (see the trust mode).
    show policy-map                                          Examine the configured QoS policy.
    show policy-map control-plane                            Examine the configured and applied QoS policy for the CoPP.
    show policy-map interface interface                      Verify the operation of the applied QoS policy on the interface.
    access-list number permit protocol source destination    Define an access list.

Task 1: Removing Previous Configurations

Ensure that no previous configuration exists on the switches in your pod and apply the initial configurations to the devices. The initial configuration includes settings for the Layer 2 interfaces used (trunking, access VLAN set, etc.), VLAN configuration, Layer 3 VLAN configuration, correct power scheme, etc. The initial configurations are available on the individual device file system as specified in the following steps.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps on each switch in your pod:

Step 1  Connect to the 6500-1 switch via console and apply the following:
  ■ Replace the current running configuration with the configuration from file disk0:dcni1_lab13_6500-1 using the configure replace disk0:dcni1_lab13_6500-1 command. When asked to proceed, press Y.
  ■ Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
  ■ Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.

Step 2  Connect to the 4900-1 switch via console and apply the following:
  ■ Replace the current running configuration with the configuration from file bootflash:dcni1_lab13_4900-1 using the configure replace bootflash:dcni1_lab13_4900-1 command. When asked to proceed, press Y.

Activity Verification

You have completed this task when you attain these results:

Step 1  On the 6500-1 switch, verify that you have connectivity to the following:
  ■ PC1 at 10.P.13.25 (where "P" is your pod number)
  ■ Server1 at 10.P.11.10 (where "P" is your pod number)

You should see results similar to the following printouts.

Note: The following printouts show results of a ping conducted on pod 4.

    6500-1#ping 10.4.13.25

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

    6500-1#ping 10.4.11.10

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.4.11.10, timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Task 2: Verifying Capabilities for QoS

In this task, you will verify the QoS capabilities of the network devices.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps:

Step 1  Prior to configuring QoS, you need to verify the QoS capabilities of the line cards installed in the Cisco Catalyst 6500 Series Switch. Determine whether QoS is supported on the module 3 ports.

    6500-1#show interfaces gigabitEthernet 3/3 capabilities
    GigabitEthernet3/3
      Model:                 WS-X6748-GE-TX
      Type:                  10/100/1000BaseT
      Speed:                 10,100,1000,auto
      Duplex:                half,full
      Trunk encap. type:     802.1Q,ISL
      Trunk mode:            on,off,desirable,nonegotiate
      Channel:               yes
      Broadcast suppression: percentage(0-100)
      Flowcontrol:           rx-(off,on,desired),tx-(off,on,desired)
      Membership:            static
      Fast Start:            yes
      QOS scheduling:        rx-(1q8t), tx-(1p3q8t)
      QOS queueing mode:     rx-(cos), tx-(cos)
      CoS rewrite:           yes
      ToS rewrite:           yes
      Inline power:          no
      Inline power policing: no
      SPAN:                  source/destination
      UDLD                   yes
      Link Debounce:         yes
      Link Debounce Time:    no
      Ports-in-ASIC (Sub-port ASIC) : 1-24 (1-12)
      Remote switch uplink:  no
      Dot1x:                 no
      Port-Security:         yes

Step 2  Verify the global QoS setting on 6500-1.

    6500-1#show mls qos
      QoS is disabled globally

Step 3  Enable QoS globally on 6500-1.

Step 4  Verify the global QoS setting on 6500-1.

    6500-1#show mls qos
      QoS is enabled globally
      Policy marking depends on port_trust
      QoS ip packet dscp rewrite enabled globally
      Qos serial policing mode disabled globally
      Input mode for GRE Tunnel is Pipe mode
      Input mode for MPLS is Pipe mode
      QoS Trust state is CoS on the following interface:
      Te1/1
      Vlan or Portchannel(Multi-Earl) policies supported: Yes
      Egress policies supported: Yes
      QOS 10g-only mode supported: Yes [Current mode: Off]

     ----- Module [5] -----
      QoS global counters:
        Total packets: 2132
        IP shortcut packets: 0
        Packets dropped by policing: 0
        IP packets with TOS changed by policing: 2
        IP packets with COS changed by policing: 2
        Non-IP packets with COS changed by policing: 0
        MPLS packets with EXP changed by policing: 0

Step 5  Verify the global QoS setting on 4900-1.

    4900-1#show qos
      QoS is disabled globally
      IP header DSCP rewrite is enabled

Step 6  Enable QoS globally on 4900-1.

Task 3: Defining the Port Trust and Policy Maps

In this task, you will perform the following:
■ Limit the amount of incoming ICMP traffic from PC1 to Server1 to 100 kB/s on the 6500-1 switch
■ Limit the amount of all IP traffic from PC1 to Server1 to 50 kB/s on the 6500-1 switch
■ Set QoS trust to CoS for interface GigabitEthernet3/13
■ Limit the amount of incoming IP traffic from Server1 with DSCP value 0 to 2 MB/s and 25 kB burst on the 4900-1 switch

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps:

Step 1  Define an access list 100 that permits the ICMP traffic from PC1 (10.P.13.25) to Server1 (10.P.11.10), where "P" is your pod number.

Step 2  Define a class map CM-ICMP that matches the ICMP traffic from PC1 (10.P.13.25) to Server1 (10.P.11.10), where "P" is your pod number.

Step 3  Define a policy map that rate-limits the ICMP traffic from PC1 to Server1 to 100 kB/s. The traffic that does not conform to the limit should be dropped.

Step 4  Apply the defined policy map to the incoming traffic on interface GigabitEthernet3/3, the interface where traffic from PC1 is received.

Step 5  Define an access list 101 that permits the IP traffic from PC1 (10.P.13.25) to Server1 (10.P.11.10), where "P" is your pod number.

Step 6  Define a class map CM-IP that matches the IP traffic from PC1 (10.P.13.25) to Server1 (10.P.11.10), where "P" is your pod number.

Step 7  Add to the already configured policy map PM-ratelimit a class that rate-limits the IP traffic from PC1 to Server1 to 50 kB/s. The traffic that does not conform to the limit should be dropped.

Step 8  Start a continuous ping from PC1 to Server1 with packet size 2000.

Step 9  Map the C drive of Server1 (net use x: \\10.P.11.10\C$, where "P" is your pod number) on PC1 and copy the s72033-adventerprisek9_wan-mz.122-18.SXF4.bin file on PC1 from c:\tftp to the x:\tftp directory.

Step 10  Start a continuous ping from PC1 to Server1 with packet size 2000.

Step 11  Verify the configured QoS policy on 6500-1.
You should notice that some traffic is also being dropped for the CM-IP class map, which matches the file copy operation.

    6500-1#show policy-map
      Policy Map PM-ratelimit
        Class CM-ICMP
          police cir 100000 bc 3125 conform-action transmit exceed-action drop
        Class CM-IP
          police cir 50000 bc 1562 conform-action transmit exceed-action drop

    6500-1#show policy-map interface GigabitEthernet 3/3
     GigabitEthernet3/3

      Service-policy input: PM-ratelimit

        class-map: CM-ICMP (match-any)
          Match: access-group 100
          police :
            96000 bps 3000 limit 3000 extended limit
          Earl in slot 5 :
            391792 bytes
            5 minute offered rate 6136 bps
            aggregate-forwarded 391792 bytes action: transmit
            exceeded 0 bytes action: drop
            aggregate-forward 15000 bps exceed 0 bps

        class-map: CM-IP (match-all)
          Match: access-group 101
          police :
            48000 bps 1000 limit 1000 extended limit
          Earl in slot 5 :
            282449 bytes
            5 minute offered rate ... bps
            aggregate-forwarded 279533 bytes action: transmit
            exceeded 2916 bytes action: drop
            aggregate-forward 19288 bps exceed 255 bps

        Class-map: class-default (match-any)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
            0 packets, 0 bytes
            5 minute rate 0 bps

Step 12  Remove the QoS policy from the GigabitEthernet3/3 interface.

Step 13  Next, restart the file copy operation and observe that the file copy is faster than when the QoS policy was applied.

Step 14  Set the QoS trust for interface GigabitEthernet3/13 on 6500-1 to CoS and verify the configuration.
6500-1fshow mis gos module 3 (Qos is enabled globally Policy marking depends on port_trust Qos ip packet dscp rewrite enabled globally Qos serial policing mode disabled globally Tnput mode for GRE Tunnel is Pipe mode Input mode for MPLS is Pipe mode 00S ‘Trust state ds Cos on the following interface: 33/3 Vlan or Portchannel (Multi-Farl) policies supported: Yes Bgress policies supported: Yes Q0S 10g-only mode supported: Yes [Current mode: Off] No forwarding engine in module (3] Step 15 On the 4900-1 switch, define an access list 101 that permits the IP traffic from Server! (10.P.11.10, where “P” is your pod number) to any destination, Step 16 Define a class map CM-IP that matches the IP traffic from Server! (10.P.11.10, where “P” is your pod number) Step 17 Define a policy map that rate-limits the IP traffic from Server! to 2 MB/s. The traffic that does not conform to the limit should be dropped. Step 18 Apply the defined policy map to the incoming traffic on interface GigabitEthernet1/1—the interface where traffic from Server! is received. Step 19 Verify the configured QoS policy on 4900-/. 4900-18show policy-map Policy Map Pu-ratelimitservert Class CM-IP police 2000000 bps 25000 byte conform-action transmit exceed-action drop {© 2008 Cisco Systems, Ine. Lab Gude 6 4900-1#show policy-map interface Gigabitethernet 1/1 Gigabitetherneti/1 Service-policy input: PM-ratelimitservert clase-maph cute (matensal2) 37 packets Match: access-group 101 Match: ip dscp default police: Per-interface Conform: 2544 bytes Exceed; 0 bytes Class-map: class-default (match-any) 24 packets Match: any Task 4: Marking Traffic to Be Policed In this task, you will configure the Cisco Catalyst 6500 Series Switch to mark traffic for a lower DSCP. DSCP markdown maps are used when the policer is defined to markdown out-of- profile traffic instead of dropping it. Note ‘The steps and printouts refer to subpod! 
in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps:

Step 1  Modify the default policed-DSCP map so that a DSCP value of 32 is marked down to a DSCP value of 16.

Step 2  Create the policy PM-DSCP using your previously defined class map. The policy should rate-limit the IP traffic from PC1 to Server1 to 500 kb/s (the printout below shows 496000 bps, the nearest rate the hardware policer can program). The traffic that does not conform to the limit should not be dropped but remarked to the new DSCP value.

Step 3  Apply the defined policy map to the incoming traffic on interface GigabitEthernet3/3, the interface where traffic from PC1 is received.

Step 4  Copy the s72033-adventerprisek9_wan-mz.122-18.SXF4.bin file on PC1 from e:\tftp to the x:\tftp directory.

Step 5  Verify the configured QoS policy on 6500-1. Notice that the exceeding traffic is now handled by the policed-dscp-transmit action, that is, remarked according to the policed-DSCP map and forwarded instead of dropped. Because nothing is dropped, the copy operation takes less time than in the previous case. A markdown policer only protects the network if a queue downstream treats the marked-down DSCP worse than the original; by itself it changes markings, not bandwidth.

    6500-1#show policy-map interface GigabitEthernet 3/3
     GigabitEthernet3/3

      Service-policy input: PM-DSCP

        class-map: CM-IP (match-all)
          Match: access-group 101
          police :
            496000 bps 15000 limit 15000 extended limit
          Earl in slot 5 :
            144535008 bytes
            30 second offered rate 6172600 bps
            aggregate-forwarded 44535046 bytes action: transmit
            exceeded 43125573 bytes action: policed-dscp-transmit
            aggregate-forward 6098936 bps exceed 6025640 bps

        Class-map: class-default (match-any)
          0 packets, 0 bytes
          30 second offered rate 0 bps, drop rate 0 bps
          Match: any
            0 packets, 0 bytes
            30 second rate 0 bps

Task 5: Deploying CoPP

In this task you will define a control plane policing (CoPP) policy to limit the amount of ICMP traffic destined to the supervisor of the Cisco Catalyst 6500 Series Switch, so that a flood of pings cannot exhaust the route processor CPU.
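Tasks 3 and 4 above and the CoPP task that follows all use the same modular QoS building blocks (an ACL, a class map, a policy map with a police statement, and a service-policy). The following consolidated configuration is an added example, not the lab's answer key. It assumes pod 4 addressing (Server1 10.4.11.10, PC1 10.4.13.25), the class and policy names the steps ask for, and the policer rates the verification printouts show; the contents of access list 101 on 6500-1 are not in this excerpt and are assumed to match PC1-to-Server1 traffic as Task 4 describes.

```ios
! ===== 6500-1 (Sup720, 12.2(33)SX) : added example, not the lab answer key =====
! Global QoS must be on, or policy maps attached to interfaces do nothing.
mls qos
! Task 4, Step 1: DSCP 32 is rewritten to 16 when a policer's exceed action is
! policed-dscp-transmit (the map is global; it affects every such policer).
mls qos map policed-dscp normal-burst 32 to 16
!
! Classification. ACL 101 content is an assumption (PC1 -> Server1).
access-list 100 permit icmp any any
access-list 101 permit ip host 10.4.13.25 host 10.4.11.10
access-list 102 permit icmp any any
class-map match-any CM-ICMP
 match access-group 100
class-map match-all CM-IP
 match access-group 101
class-map match-any CM-icmpcopp
 match access-group 102
!
! Task 3: data-plane policer, excess dropped. bc is left at its default, which the
! 6500 derives from the cir (3125 and 1562 bytes in the show policy-map printout).
policy-map PM-ratelimit
 class CM-ICMP
  police cir 100000 conform-action transmit exceed-action drop
 class CM-IP
  police cir 50000 conform-action transmit exceed-action drop
!
! Task 4: same class, excess remarked through the policed-dscp map instead of dropped.
policy-map PM-DSCP
 class CM-IP
  police cir 500000 conform-action transmit exceed-action policed-dscp-transmit
!
! Task 5: control-plane policer; cir matches the 350000 bps of the verification printout.
policy-map PM-copp
 class CM-icmpcopp
  police cir 350000 conform-action transmit exceed-action drop
!
! Only one input service-policy fits on an interface: attach PM-ratelimit for Task 3,
! remove it (Step 12), then attach PM-DSCP for Task 4.
interface GigabitEthernet3/3
 service-policy input PM-ratelimit
!
! Step 14: trust CoS only on the port that faces 4900-1, never on host-facing ports.
interface GigabitEthernet3/13
 mls qos trust cos
!
! CoPP attaches to the virtual control-plane interface, not to a physical port.
control-plane
 service-policy input PM-copp
!
! Verify:  show policy-map interface GigabitEthernet 3/3
!          show policy-map control-plane
!          show mls qos module 3
!
! ===== 4900-1 (Catalyst 4948), Steps 15-19 =====
access-list 101 permit ip host 10.4.11.10 any
class-map match-all CM-IP
 match access-group 101
policy-map PM-ratelimitserver1
 class CM-IP
  police 2000000 25000 conform-action transmit exceed-action drop
interface GigabitEthernet1/1
 service-policy input PM-ratelimitserver1
```

The CoPP class above is deliberately coarse for the lab: it counts every ICMP packet addressed to the switch regardless of source. On a production switch, classify control-plane traffic by source (management subnets, routing peers) and protocol, give each class its own rate, and police class-default as well, because traffic that matches no class is otherwise delivered to the route processor unrestricted.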
Note  The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps on each switch in your pod:

Step 1  Define an access list 102 that permits the ICMP traffic from any source to any destination.

Step 2  Define a class map CM-icmpcopp that uses the configured ACL 102.

Step 3  Define a policy map PM-copp that rate-limits the ICMP traffic destined to the supervisor on 6500-1 to 350 kb/s (cir 350000 bps in the verification printout). The traffic that does not conform to the limit should be dropped.

Step 4  Open a text editor on PC1 (for example, Notepad) and create a BAT file containing the line ping 10.4.13.1 -t -l 2000 (use 10.P.13.1 for your pod). Save the file on the desktop as copp.bat. You will use this file to flood the 6500-1 CPU.

Step 5  Start multiple continuous pings from PC1 to the 6500-1 Vlan13 interface at 10.P.13.1 (where "P" is your pod number) with a packet size of 2000 bytes by double-clicking the copp.bat file several times. You should see that certain ping packets time out.

Step 6  Apply the defined policy map to the incoming traffic on the control plane interface.

Step 7  Verify the applied CoPP. Since multiple continuous pings are in place, the amount of ICMP traffic destined to the 6500-1 supervisor exceeds the allowed amount and, thus, some traffic is dropped.

    6500-1#show policy-map control-plane
     Control Plane Interface

      Service-policy input: PM-copp

      Hardware Counters:

        class-map: CM-icmpcopp (match-any)
          Match: access-group 102
          police :
            344000 bps 10000 limit 10000 extended limit
          Earl in slot 5 :
            9448084 bytes
            5 minute offered rate 163160 bps
            aggregate-forwarded 9159670 bytes action: transmit
            exceeded 288414 bytes action: drop
            aggregate-forward 253720 bps exceed 11360 bps

      Software Counters:

        Class-map: CM-icmpcopp (match-any)
          9051 packets, 9360862 bytes
          5 minute offered rate 189000 bps, drop rate 1000 bps
          Match: access-group 102
            9051 packets, 9360862 bytes
            5 minute rate 189000 bps
          police:
              cir 350000 bps, bc 10937 bytes
            conformed 9043 packets, 9348750 bytes; actions:
              transmit
            exceeded 8 packets, 12112 bytes; actions:
              drop
            conformed 169000 bps, exceed 1000 bps

        Class-map: class-default (match-any)
          73 packets, 13357 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match: any
            73 packets, 13357 bytes
            5 minute rate 0 bps

The hardware and software counters differ because the policy is enforced twice: the PFC polices in hardware and drops most of the excess (288414 bytes here) before it reaches the route processor, and the route processor polices again in software, where only a handful of exceeding packets remain. When you read CoPP statistics, the hardware counters show what the switch actually absorbed.

Lab 1-4: Deploying and Examining EEM

The Cisco IOS Embedded Event Manager (EEM) functionality is used for automating tasks and troubleshooting.

Activity Objective

In this activity, you will configure an EEM applet and use it for automating tasks. After completing this activity, you will be able to meet these objectives:

■ Configure an EEM applet
■ Verify EEM applet operation

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Lab 1-4: Deploying and Examining EEM]

The pod with the equipment for this lab exercise is divided into two independent subpods with the following devices:

■ Subpod1: 6500-1
■ Subpod2: 6500-2

Divide into subgroups in each pod to complete the following tasks.

Note  Throughout the lab exercise the steps and printouts refer to subpod1 in pod 4 (device 6500-1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Required Resources

These are the resources and equipment required to complete this activity:

■ Two (2) Cisco Catalyst 6500 Series Switches

Command List

The table describes the commands that are used in this activity.
    Command                                              Description
    event manager applet name                            Define and register an applet with EEM
    event cli pattern command-pattern sync no skip no    Set the CLI event that triggers the applet
    action number cli command "CLI-command"              Define a command to be executed when the applet is triggered
    "enable"                                             CLI command: enter privileged EXEC mode
    "config t"                                           CLI command: enter global configuration mode
    "end"                                                CLI command: exit configuration mode
    "file prompt quiet"                                  CLI command: disable the dialog prompts for file operations
    "no file prompt quiet"                               CLI command: re-enable the dialog prompts for file operations
    "copy running-config disk0:/config-bkp"              CLI command: copy the running configuration to disk0:/config-bkp

Task 1: Removing Previous Configurations

Ensure that no previous configuration exists on the switches in your pod and apply the initial configurations to the devices.

The initial configuration includes settings for the Layer 2 interfaces used (trunking, access VLAN set, etc.), the VLAN configuration, the Layer 3 VLAN configuration, the correct power scheme, etc.

The initial configurations are available on the individual device file system as specified in the following steps.

Note  The steps and printouts refer to subpod1 in pod 4 (device 6500-1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps on each switch in your pod:

Step 1  Connect to the 6500-1 switch via console and apply the following:

■ Replace the current running configuration with the configuration from file disk0:dcni1_lab14_6500-1 using the configure replace disk0:dcni1_lab14_6500-1 command. When asked to proceed, press Y.
■ Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
■ Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch. configure replace changes only the configuration, never the running image, which is why the reboot is needed in that one case.
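Task 2 below asks you to build the BKPCFG applet from the command table above. What such an applet looks like in full, written out as an added example rather than copied from the lab answer key, follows. It uses the trigger named in Task 2 Step 1 (the exit command), the eight actions the task lists, and one extra syslog action (an assumption, not part of the task) so that each backup leaves an auditable trace.

```ios
! Added example, not the lab answer key. 6500-1, IOS 12.2(33)SX.
event manager applet BKPCFG
 ! Fire whenever an operator types exit. "sync no" lets the command complete and
 ! runs the applet in the background; "skip no" means the command is not suppressed.
 ! The pattern is a regular expression: anchor it, or "exit" inside other commands matches too.
 event cli pattern "^exit$" sync no skip no
 ! Actions 1-2: reach global configuration mode (actions run at privilege level 15).
 action 1.0 cli command "enable"
 action 2.0 cli command "config t"
 ! Actions 3-4: silence the destination/overwrite prompts, otherwise copy blocks waiting for input.
 action 3.0 cli command "file prompt quiet"
 action 4.0 cli command "end"
 ! Action 5: the backup itself. Each run overwrites the previous copy.
 action 5.0 cli command "copy running-config disk0:/config-bkp"
 ! Actions 6-8: restore the default prompting and leave configuration mode.
 action 6.0 cli command "config t"
 action 7.0 cli command "no file prompt quiet"
 action 8.0 cli command "end"
 ! Extra (assumption): record the backup in syslog so it can be audited.
 action 9.0 syslog msg "BKPCFG: running-config copied to disk0:/config-bkp"
!
! Verify: show event manager policy registered
!         debug event manager action cli   (shows every command the applet issues)
```

Two points to keep in mind when copying this pattern outside the lab: the applet's CLI actions run with full privilege no matter which user typed exit, so the applet body is itself configuration that must be reviewed and protected; and anyone with CLI access can trigger it as often as they like, so an applet that writes to disk0: needs a destination with space to spare.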
Task 2: Configuring and Verifying EEM Applet Operation

In this task you will create an EEM applet and use it to automate the configuration-saving task. Use the following information to create the applet:

■ Event: the administrator leaves configuration mode with the exit command (see Step 1).
■ Action: save the configuration to disk0:/config-bkp.

Note  The steps and printouts refer to subpod1 in pod 4 (device 6500-1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps:

Step 1  On the 6500-1 switch, configure the EEM applet using the following information:

■ Set the EEM applet name to BKPCFG.
■ Set the event that triggers the applet to match the CLI exit command.
■ Set the following actions upon triggering the applet:
  1. Enter the privileged EXEC mode.
  2. Enter the global configuration mode.
  3. Set the prompt level for file operations to quiet.
  4. Exit the configuration mode.
  5. Save the running configuration to disk0:/config-bkp.
  6. Reenter the global configuration mode.
  7. Set the file operations prompt level back to the default.
  8. Exit the global configuration mode.

Activity Verification

You have completed this task when you attain these results:

Step 1  Verify the EEM applet operation. Notice that EEM triggered the BKPCFG applet.

    6500-1#write memory
    Building configuration...
    03:26:11: %SYS-5-CONFIG_I: Configured from console by  on vty0 (EEM:BKPCFG)
    [OK]

Step 2  List the content of the disk0: file system. Notice that the config-bkp file is present on disk0.

    6500-1#dir disk0:
    Directory of disk0:/

        1  -rw-       31359   Mar 21 2008 00:00:00 +00:00  ace_scripts_A2_1.tgz
        2  -rw-        4997   Mar 15 2008 00:00:00 +00:00  vss-config
        3  -rw-    30292535   Mar 21 2008 00:00:00 +00:00  c6ace-t1k9-mz.A2_1.bin
        4  -rw-        5062   Mar 15 2008 00:00:00 +00:00  iosmodular-config

Step 3  Run the overall system diagnostic test and observe the output.

Note  The diagnostic start system test all command starts the comprehensive system test. In order to stop the test, use the diagnostic stop system test all command. Because the test disrupts forwarding and the switch must be reset afterwards, it belongs in a maintenance window and is never run on a switch that is carrying production traffic.

    6500-1#diagnostic start system test all
    *************************************************************
    * WARNING:
    * 'diagnostic start system test all' will disrupt normal system
    * operation. The system requires RESET after the command
    * 'diagnostic start system test all' has completed prior to
    * normal use.
    *
    * IMPORTANT:
    * 1. DO NOT INSERT, OIR, or POWER DOWN linecards or
    *    supervisor while system test is running.
    * 2. DO NOT ISSUE ANY DIAGNOSTIC COMMAND except
    *    "diagnostic stop system test all" while system test
    *    is running.
    * 3. PLEASE MAKE SURE no traffic is running in background.
    *************************************************************
    Do you want to continue? [no]: y
    6500-1#
    03:59:16: %DIAG-SP-6-TEST_RUNNING: Module 1: Running TestFirmwareDiagStatus{ID=2} ...
    03:59:16: %DIAG-SP-6-TEST_OK: Module 1: TestFirmwareDiagStatus{ID=2} has completed successfully
    03:59:16: %DIAG-SP-6-TEST_RUNNING: Module 1: Running TestAsicSync{ID=3} ...
    03:59:16: %DIAG-SP-6-TEST_OK: Module 1: TestAsicSync{ID=3} has completed successfully
    03:59:16: %DIAG-SP-6-TEST_RUNNING: Module 1: Running TestEobcStressPing{ID=1} ...
    03:59:16: SP:
    03:59:16: SP: * WARNING
    03:59:16: SP: * EOBC Stress Ping test on module 2 may take up to 1 min.
    03:59:16: SP: * During this time, please DO NOT perform packet switching on the module.
    03:59:26: %DIAG-SP-6-TEST_OK: Module 1: TestEobcStressPing{ID=1} has completed successfully
    03:59:27: %DIAG-SP-6-TEST_RUNNING: Module 2: Running TestPortASICLoopback{ID=1} ...
    03:59:27: SP: komodo_plus_test_loopback [2]: On-Demand test is not allowed
    03:59:27: %DIAG-SP-3-TEST_SKIPPED: Module 2: TestPortASICLoopback{ID=1} is skipped
    03:59:27: %DIAG-SP-6-TEST_RUNNING: Module 2: Running TestPCLoopback{ID=2} ...
    03:59:27: SP: komodo_plus_test_loopback [2]: On-Demand test is not allowed
    03:59:27: %DIAG-SP-3-TEST_SKIPPED: Module 2: TestPCLoopback{ID=2} is skipped
    03:59:27: %DIAG-SP-6-TEST_RUNNING: Module 2: Running TestNetflowInlineRewrite{ID=3} ...
    03:59:27: %DIAG-SP-3-TEST_SKIPPED: Module 2: TestNetflowInlineRewrite{ID=3} is skipped
    03:59:27: %DIAG-SP-6-TEST_RUNNING: Module 2: Running TestSynchedFabChannel{ID=4} ...
    03:59:27: %DIAG-SP-6-TEST_OK: Module 2: TestSynchedFabChannel{ID=4} has completed successfully
    03:59:27: %DIAG-SP-6-TEST_RUNNING: Module 2: Running TestFirmwareDiagStatus{ID=6} ...
    03:59:27: %DIAG-SP-6-TEST_OK: Module 2: TestFirmwareDiagStatus{ID=6} has completed successfully
    03:59:27: %DIAG-SP-6-TEST_RUNNING: Module 2: Running TestAsicSync{ID=7} ...
    03:59:27: %DIAG-SP-6-TEST_OK: Module 2: TestAsicSync{ID=7} has completed successfully
    03:59:27: %DIAG-SP-6-TEST_RUNNING: Module 2: Running TestErrorCounterMonitor{ID=8} ...
    <... rest of the output omitted ...>

Tests reported as skipped with "On-Demand test is not allowed" are not failures; those tests can only run at boot or in the background, and the skip line is the expected result of requesting them on demand.

Step 4  Run the automated system configuration check (sanity check) and observe the output.

    6500-1#show diagnostic sanity all
    The boot string is empty. Please enter a valid boot string.

    UDLD has been disabled globally - port-level UDLD sanity checks are being bypassed.
    The following ports with mode set to desirable are not trunking: Gi3/3

    The following ports have portfast enabled: Gi3/3

    The following ports have receive flow control disabled:
    Gi3/1, Gi3/2, Gi3/3, Gi3/4, Gi3/5, Gi3/6, Gi3/7, Gi3/8, Gi3/9, Gi3/10,
    Gi3/11, Gi3/12, Gi3/13, Gi3/14, Gi3/15, Gi3/16, Gi3/17, Gi3/18, Gi3/19,
    Gi3/20, Gi3/21, Gi3/22, Gi3/23, Gi3/24, Gi3/25, Gi3/26, Gi3/27, Gi3/28,
    Gi3/29, Gi3/30, Gi3/31, Gi3/32, Gi3/33, Gi3/34, Gi3/35, Gi3/36, Gi3/37,
    Gi3/38, Gi3/39, Gi3/40, Gi3/41, Gi3/42, Gi3/43, Gi3/44, Gi3/45, Gi3/46,
    Gi3/47, Gi3/48, Gi5/1, Gi5/2, Gi5/3, Te5/4, Te5/5

    The following interfaces have a duplex mismatch: Gig 3/13, Gig 3/14

    Please check the status of the following modules: 1,2,4,6

    The Module 5 failed the following tests:
    Test CRW

Each line of the sanity report is a finding to review, not a fault in itself. The ones to act on before relying on this switch are the empty boot string (the switch has no explicit image to boot from), the modules whose status needs checking, and the failed test on module 5; portfast on Gi3/3 is acceptable only because that port faces a single host.

Task 4: Deploying Call Home Functionality

In this task you will configure the Call Home functionality.

Note  The steps and printouts refer to subpod1 in pod 4 (device 6500-1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps:

Step 1  Define the Call Home contact information using the following list:

■ Contact e-mail: [email protected]
■ Phone number: n/a
■ Street address: 1 Acme rd.
■ Customer ID: Acme001
■ Site ID: AcmeCentralLocation

Step 2  Define and activate the profile named PR-ACME using the following information:

■ Transport method: e-mail
■ Destination e-mail: [email protected]
■ Preferred message format: long-text

Step 3  Verify the profile configuration.

    6500-1#show call-home profile PR-ACME
    Profile Name: PR-ACME
        Profile status: ACTIVE
        Preferred Message Format: long-text
        Message Size Limit: 3145728 Bytes
        Transport Method: email
        Email address(es): joe@acme.com
        HTTP address(es): Not yet set up
        Alert-group               Severity
        ------------------------  ------------
        N/A                       N/A

        Syslog-Pattern            Severity
        ------------------------  ------------
        N/A                       N/A

Step 4  Subscribe the created profile to all alert groups, set the mail server address to 10.P.11.10 (where "P" is your pod number), and start the Call Home service.

Activity Verification

You have completed this task when you attain these results:

Step 1  Check the operation of the created Call Home profile by generating a configuration-change event. Notice that sending the e-mail does not succeed, since the specified mail server (10.P.11.10, where "P" is your pod number) does not exist.

    6500-1#call-home send alert-group configuration profile PR-ACME
    Sending configuration info call-home message ...
    Please wait. This may take some time ...
    04:26:22: %CALL_HOME-3-SMTP_SEND_FAILED: Unable to send notification using all SMTP servers (ERR 6, error in reply from SMTP server)

The configuration alert group carries the running configuration of the switch in the message body, so outside the lab the destination mailbox and the SMTP path to it deserve the same protection as the configuration itself.

Lab 1-6: Deploying SPAN

SPAN, RSPAN, and ERSPAN sessions allow the network administrator to monitor and analyze traffic locally or remotely.

Activity Objective

In this activity, you will configure a SPAN and an RSPAN session to monitor traffic on a certain interface. After completing this activity, you will be able to meet these objectives:

■ Configure and use the SPAN session
■ Configure and use the RSPAN session
■ Verify SPAN and RSPAN configuration

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Lab 1-6: Deploying SPAN]

The pod with the equipment for this lab exercise is divided into two independent subpods with the following devices and VLANs:

■ Subpod1: 6500-1, 4900-1, PC1, Server1 and VLANs 11, 13
■ Subpod2: 6500-2, 4900-2, PC6, Server3 and VLANs 21, 23

Divide into subgroups in each pod to complete the following tasks.

Note  Throughout the lab exercise the steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1).
However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

IP Addressing

The IP addressing scheme in the following table lists the IP addresses of the PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces and Layer 3 physical interfaces, where "P" is your pod number.

Pod Addressing

    Device    IP Subnet    Subnet Mask   Device IP     Default Gateway   VLAN
    PC1       10.P.13.0    /24           10.P.13.25    10.P.13.1         13
    PC6       10.P.23.0    /24           10.P.23.25    10.P.23.1         23
    Server1   10.P.11.0    /24           10.P.11.10    10.P.11.1         11
                                         10.P.11.20
                                         10.P.11.30
                                         10.P.11.40
    Server3   10.P.21.0    /24           10.P.21.10    10.P.21.1         21
                                         10.P.21.20
                                         10.P.21.30
                                         10.P.21.40

    Device    VLAN    IP Subnet    Subnet Mask   Device IP
    6500-1    11      10.P.11.0    /24           10.P.11.1
    6500-1    13      10.P.13.0    /24           10.P.13.1
    6500-2    21      10.P.21.0    /24           10.P.21.1
    6500-2    23      10.P.23.0    /24           10.P.23.1

Required Resources

These are the resources and equipment required to complete this activity:

■ Two (2) Cisco Catalyst 6500 Series Switches
■ Two (2) Cisco Catalyst 6500 Series Switch Ethernet modules
■ Two (2) Cisco Catalyst 6500 Series Switch Supervisor 720-10G-3C modules
■ Two (2) Cisco Catalyst 4948 Switches
■ Two (2) Microsoft Windows XP clients
■ Two (2) Microsoft Windows 2003 servers

Command List

The table describes the commands that are used in this activity.

    Command                                                                        Description
    monitor session 1 source {interface interface | remote vlan rspan-vlan} both   Define a source for the SPAN or RSPAN session
    monitor session 1 destination {interface interface | remote vlan rspan-vlan}   Define a destination for the SPAN or RSPAN session
    vlan number                                                                    Define a Layer 2 VLAN
    remote-span                                                                    Dedicate the VLAN to RSPAN

Task 1: Removing Previous Configurations

Ensure that no previous configuration exists on the switches in your pod and apply the initial configurations to the devices.
The initial configuration includes settings for the Layer 2 interfaces used (trunking, access VLAN set, etc.), the VLAN configuration, the Layer 3 VLAN configuration, the correct power scheme, etc.

The initial configurations are available on the individual device file system as specified in the following steps.

Note  The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps on each switch in your pod:

Step 1  Connect to the 6500-1 switch via console and apply the following:

■ Replace the current running configuration with the configuration from file disk0:dcni1_lab16_6500-1 using the configure replace disk0:dcni1_lab16_6500-1 command. When asked to proceed, press Y.
■ Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
■ Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.

Step 2  Connect to the 4900-1 switch via console and apply the following:

■ Replace the current running configuration with the configuration from file bootflash:dcni1_lab16_4900-1 using the configure replace bootflash:dcni1_lab16_4900-1 command. When asked to proceed, press Y.

Activity Verification

You have completed this task when you attain these results:

Step 1  On the 6500-1 switch, verify that you have connectivity to the following:

■ PC1 at 10.P.13.25 (where "P" is your pod number)
■ Server1 at 10.P.11.10 (where "P" is your pod number)

You should see results similar to the following printouts.
Note  The following printouts show the results of a ping conducted on pod 4.

    6500-1#ping 10.4.13.25
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

    6500-1#ping 10.4.11.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.4.11.10, timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

The first echo is lost while the switch resolves the ARP entry for the target, so 4 out of 5 is the expected result here and not a fault.

Task 2: Configuring SPAN

In this task you will create a SPAN session and monitor traffic with the Wireshark protocol analyzer application.

Note  The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps:

Step 1  Create a SPAN session on 6500-1 using the following information:

■ SPAN session number: 1
■ SPAN session source: GigabitEthernet3/13
■ SPAN session destination: GigabitEthernet3/3
■ Monitor received and transmitted traffic.

Step 2  Start a continuous ping from Server1 to 6500-1 and open a Telnet session from Server1 to 6500-1. Do not close the session.

Step 3  Connect to PC1 and run the Wireshark application. Choose Capture > Interfaces and choose the interface where the packet count is incrementing. After a couple of seconds, press the Stop button to examine the captured traffic. You should be able to see the information from OSI Layers 1, 2, 3, and 4 and also the content of the individual packets. Because Telnet is a cleartext protocol, the login of the Telnet session from Step 2 is readable in the capture; that is exactly why a SPAN destination port, and the host attached to it, must be controlled as strictly as the traffic it mirrors. The output should be similar to the following picture.

[Figure: Wireshark capture window showing the mirrored traffic]

Step 4  Disable and remove the SPAN session from the 6500-1 configuration.

Step 5  Stop the Telnet session and the ping on Server1.
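The local SPAN session of Task 2 and the RSPAN pair of Task 3 differ only in where the mirrored frames go: to a port on the same switch, or into a dedicated RSPAN VLAN that a second switch drains. The following configuration is an added example, not the lab's answer key; it assumes pod 4 subpod 1 (6500-1, 4900-1, PC1 on 6500-1 Gi3/3, Server1 on 4900-1 Gi1/1), RSPAN VLAN 99, and that Gi3/13 on 6500-1 is the trunk to 4900-1.

```ios
! Added example, not the lab answer key. Pod 4, subpod 1.
! ===== Task 2: local SPAN on 6500-1 =====
! Copy every frame received and transmitted on Gi3/13 (the link towards 4900-1 and
! Server1) to Gi3/3, where PC1 runs Wireshark. "both" is the default direction.
monitor session 1 source interface GigabitEthernet3/13 both
monitor session 1 destination interface GigabitEthernet3/3
! verify:    show monitor session 1
! Step 4, tear-down. A forgotten session keeps feeding a full copy of the link to PC1:
!            no monitor session 1
!
! ===== Task 3: RSPAN, source on 4900-1, destination on 6500-1 =====
! The RSPAN VLAN must be created with remote-span on every switch on the path and be
! allowed on the trunk between them; the switches disable MAC learning in it.
! Keep it off every other trunk, because it carries the mirrored traffic in the clear.
!
! --- 4900-1 ---
vlan 99
 name RSPAN
 remote-span
! source session: mirror Server1's port into the RSPAN VLAN
monitor session 1 source interface GigabitEthernet1/1 both
monitor session 1 destination remote vlan 99
!
! --- 6500-1 ---
vlan 99
 name RSPAN
 remote-span
! destination session: drain the RSPAN VLAN to PC1's port
monitor session 1 source remote vlan 99
monitor session 1 destination interface GigabitEthernet3/3
! verify on both switches: show monitor session 1
!                          show vlan remote-span
```

When you compare the two captures, expect the RSPAN one to be identical in content but slightly delayed, and note that the 6500-1 destination session must exist before the 4900-1 source session is created if you want to see the first frames; otherwise the RSPAN VLAN simply floods them to nobody.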
Task 3: Configuring RSPAN

In this task you will create an RSPAN session and monitor traffic with the Wireshark protocol analyzer application.

Note  The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps:

Step 1  Create a source RSPAN session on 4900-1 using the following information:

■ SPAN session number: 1
■ SPAN session source: GigabitEthernet1/1
■ SPAN session destination: remote VLAN 99
■ Monitor received and transmitted traffic.

VLAN 99 must be defined as an RSPAN VLAN (remote-span) on both 4900-1 and 6500-1 and be carried on the trunk between them; otherwise the mirrored frames never leave 4900-1.

Step 2  Create a destination RSPAN session on 6500-1 using the following information:

■ SPAN session number: 1
■ SPAN session source: remote VLAN 99
■ SPAN session destination: GigabitEthernet3/3

Step 3  Start a continuous ping from Server1 to 6500-1 and open a Telnet session from Server1 to 6500-1. Do not close the session.

Step 4  Connect to PC1 and run the Wireshark application. Choose Capture > Interfaces and choose the interface where the packet count is incrementing.

Step 5  After a couple of seconds, press the Stop button. Examine the captured traffic: you should be able to see the information from OSI Layers 1, 2, 3, and 4 and also the content of the individual packets. The output should be similar to the following picture.

[Figure: Wireshark capture window showing the RSPAN traffic]

Lab 2-1: Deploying the FWSM in Transparent Mode

In this lab activity, the Catalyst 6500 Series Firewall Services Module (FWSM) is deployed in transparent mode.

Activity Objective

In this activity, you will configure the Catalyst 6500 Series FWSM in transparent mode.
After completing this activity, you will be able to meet these objectives:

■ Configure the Cisco Catalyst 6500 Series Switch to support an FWSM
■ Designate FWSM interface characteristics
■ Configure IP address and routing on the FWSM
■ Configure permitted traffic patterns
■ Use client systems to demonstrate access to resources through the FWSM

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Lab 2-1: Deploying the FWSM in Transparent Mode]

The pod with the equipment for this lab exercise is divided into two independent subpods with the following devices and VLANs:

■ Subpod1: 6500-1, 4900-1, PC1, Server1 and VLANs 10, 11, 13
■ Subpod2: 6500-2, 4900-2, PC6, Server3 and VLANs 20, 21, 23

Divide into subgroups in each pod to complete the following tasks.

Note  Throughout the lab exercise the steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1, FWSM). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

IP Addressing

The IP addressing scheme in the following table lists the IP addresses of the PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces and Layer 3 physical interfaces, where "P" is your pod number.
Pod Addressing

    Device    IP Subnet    Subnet Mask   Device IP     Default Gateway   VLAN
    PC1       10.P.13.0    /24           10.P.13.25    10.P.13.1         13
    PC6       10.P.23.0    /24           10.P.23.25    10.P.23.1         23
    Server1   10.P.11.0    /24           10.P.11.10    10.P.11.1         11
                                         10.P.11.20
                                         10.P.11.30
                                         10.P.11.40
    Server3   10.P.21.0    /24           10.P.21.10    10.P.21.1         21
                                         10.P.21.20
                                         10.P.21.30
                                         10.P.21.40

    Device    VLAN    IP Subnet    Subnet Mask   Device IP
    6500-1    10      10.P.11.0    /24           10.P.11.1
    6500-1    13      10.P.13.0    /24           10.P.13.1
    FWSM-1    11      10.P.11.0    /24           10.P.11.2
    6500-2    20      10.P.21.0    /24           10.P.21.1
    6500-2    23      10.P.23.0    /24           10.P.23.1
    FWSM-2    21      10.P.21.0    /24           10.P.21.2

Because the FWSM is transparent, the outside VLAN (10), the inside VLAN (11) and the FWSM management address all share the single subnet 10.P.11.0/24; the firewall bridges between the two VLANs rather than routing between two subnets.

Required Resources

These are the resources and equipment required to complete this activity:

■ Two (2) Cisco Catalyst 6500 Series Switches
■ Two (2) Cisco Catalyst 6500 Series Switch Ethernet modules
■ Two (2) Cisco Catalyst 6500 Series Switch Supervisor 720-10G-3C modules
■ Two (2) Cisco Catalyst 6500 FWSM service modules
■ Two (2) Cisco Catalyst 4948 Switches
■ Two (2) Microsoft Windows XP clients
■ Two (2) Microsoft Windows 2003 servers

Command List

The table describes the commands used in this activity.

    Command                                      Description
    enable                                       Enter privileged EXEC mode
    config t                                     Enter global configuration mode
    vlan x                                       Configure a VLAN
    name xyz                                     Configure an administrative name for the VLAN
    int type slot/port                           Enter interface configuration mode
    switchport                                   Configure an interface as a switchport
    switchport mode access                       Configure the switchport as an access port
    switchport access vlan x                     Configure the associated VLAN
    no shut                                      Enable the interface
    ip address x.x.x.x y.y.y.y                   Configure an IP address and subnet mask
    show interface status                        Show the status of interfaces
    show vlan brief                              Display a brief VLAN listing
    show interface ip brief                      Display the IP interface details in brief
    ping                                         Verify connectivity using ping
    firewall vlan-group x vlan_no                Configure a firewall VLAN group and its associated VLANs
    firewall module x vlan-group x               Associate a firewall VLAN group with an FWSM module
    show interface status module x               Show the status of interfaces on a specific module
    show firewall vlan-group                     Display the firewall VLAN group configuration
    show firewall module                         Display the firewall module and its VLAN groups
    session slot x processor 1                   Open a session to the FWSM
    firewall transparent                         Configure the firewall mode
    nameif xyz                                   Configure the interface name
    security-level xy                            Configure the interface security level
    bridge-group x                               Configure the bridge-group association
    show firewall                                Display the firewall mode
    show nameif                                  Display the named interfaces
    show interface                               Display the interface details
    route outside 0 0 x.x.x.x                    Configure a default route
    show ip addr                                 Display the IP addresses in use
    show interface ip brief                      Display the IP interface details in brief
    access-list xyz extended permit/deny protocol source destination   Configure an extended ACL
    access-group xyz in/out interface name       Associate the ACL with an interface
    show running-config access-list              Display the ACL configuration
    show running-config access-group             Display the access-group configuration
    ping                                         Verify connectivity using ping
    show connections                             Display active connections
    port-channel load-balance type               Configure the port-channel load-balancing type
    clear xlate                                  Clear the current translation table
    show route                                   Display the IP routing table

Task 1: Removing Previous Configurations

Ensure that no previous configuration exists on the switches in your pod and apply the initial configurations to the devices.
The initial configuration includes settings for the Layer 2 interfaces used (trunking, access VLAN set, etc.), the VLAN configuration, the Layer 3 VLAN configuration, the correct power scheme, etc.

The initial configurations are available on the individual device file system as specified in the following steps.

Note  The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps on each switch in your pod:

Step 1  Connect to the 6500-1 switch via console and apply the following:

■ Replace the current running configuration with the configuration from file disk0:dcni1_lab21_6500-1 using the configure replace disk0:dcni1_lab21_6500-1 command. When asked to proceed, press Y.
■ Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
■ Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.

Step 2  Connect to the 4900-1 switch via console and apply the following:

■ Replace the current running configuration with the configuration from file bootflash:dcni1_lab21_4900-1 using the configure replace bootflash:dcni1_lab21_4900-1 command. When asked to proceed, press Y.

Activity Verification

You have completed this task when you attain these results:

Step 1  On the 6500-1 switch, verify that you have connectivity to the following:

■ PC1 at 10.P.13.25 (where "P" is your pod number)
■ Server1 at 10.P.11.10 (where "P" is your pod number)

You should see results similar to the following printouts.
Note  The following printouts show the results of a ping conducted on pod 4.

    6500-1#ping 10.4.13.25
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

    6500-1#ping 10.4.11.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.4.11.10, timeout is 2 seconds:
    .!!!!
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Task 2: Configuring Cisco Catalyst 6500 Series Switch Switching Functions

In this task, you will configure the Cisco Catalyst 6500 Series Switch to support an FWSM.

Note  The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1, FWSM). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete the following steps on 6500-1:

Step 1  Remove the Layer 3 VLAN 11 interface. VLAN 11 becomes the inside VLAN of the transparent firewall; if the MSFC kept an SVI in it, the switch itself could route traffic between VLAN 11 and the rest of the network and bypass the FWSM.

Step 2  Configure VLAN 10 and name it Outside.

Step 3  Create a VLAN interface in VLAN 10 with an IP address of 10.P.11.1, where "P" is your pod number. The hosts keep 10.P.11.1 as their default gateway; it simply moves to the outside VLAN, on the far side of the firewall from them.

Step 4  Create a firewall VLAN group containing VLANs 10 and 11.

Step 5  Assign the VLAN group to the FWSM in slot 2.

Task 3: Configuring FWSM Interfaces

In this task, you will define FWSM interface characteristics.

Note  The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1, FWSM). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete the following steps:

Step 1  In the EXEC mode on 6500-1, open a session with the FWSM in slot 2. The password is "cisco," which is the default value.

Step 2  Enter the enable mode and press Enter at the password prompt. A default login password and an empty enable password are acceptable only in the lab; both must be changed before the module carries production traffic.

Step 3  Confirm that your firewall is currently in single context mode.

    FWSM#show mode
    Security context mode: single
    The flash mode is the SAME as the running mode.

Step 4  Enter FWSM configuration mode.

Step 5  Delete the existing configuration with the clear config all command.
Step 6 Delete any existing configuration files on the disk: with the delete /noconfirm disk:* command.
Step 7 Reload the FWSM. Upon reload you will be disconnected from the FWSM.
Step 8 When the FWSM reloads, open a session with the FWSM again from the switch.
Step 9 Configure the firewall to operate in transparent mode.
Step 10 Name the interfaces used by the firewall and define the security level.

Activity Verification

You have completed this task when you attain these results:

Step 1 Display the firewall mode.

    FWSM#show firewall
    Firewall mode: Transparent

Step 2 Show the named interfaces.

    FWSM#show nameif
    Interface    Name       Security
    Vlan10       outside    0
    Vlan11       inside     100

Step 3 Display details of the configured interfaces.

    FWSM#show interface
    Interface Vlan10 "outside", is up, line protocol is up
      Hardware is EtherSVI
      MAC address 000d.29f3.2590, MTU 1500
      IP address unassigned
      Traffic Statistics for "outside":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped
    Interface Vlan11 "inside", is up, line protocol is up
      Hardware is EtherSVI
      MAC address 000d.29f3.2590, MTU 1500
      IP address unassigned
      Traffic Statistics for "inside":
        0 packets input, 0 bytes
        0 packets output, 0 bytes
        0 packets dropped

Task 4: Configuring IP Parameters

In this task, you will configure IP address and routing parameters on the FWSM for management purposes.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1, FWSM). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete the following steps on the FWSM:

Step 1 Assign interfaces VLAN 10 and VLAN 11 to bridge-group 1.
Step 2 Assign a management IP address to the FWSM bridge-group. Use an IP address of 10.P.11.2, where "P" is your pod number.
Step 3 Configure a default route pointing all traffic to the gateway at 10.P.11.1, where "P" is your pod number.

Activity Verification

You have completed this task when you attain these results:

Step 1 Display the IP addresses in use by the FWSM.

    FWSM#show ip address
    Management System IP Address:
        ip address 10.1.11.2 255.255.255.0
    Management Current IP Address:
        ip address 10.1.11.2 255.255.255.0

Step 2 Display the list of IP interfaces. Because you are in transparent mode, the management IP address is listed on both VLAN interfaces.

    FWSM#show interface ip brief
    Interface            IP-Address     OK? Method Status Protocol
    GigabitEthernet0     unassigned     YES unset  up     up
    GigabitEthernet1     unassigned     YES unset  up     up
    Vlan10               10.1.11.2      YES unset  up     up
    Vlan11               10.1.11.2      YES unset  up     up
    EOBC0                127.0.0.21     YES CONFIG up     up
    BVI1                 unassigned     YES unset  up     up

Step 3 Display detailed information about the interfaces present in the FWSM. Notice that the management IP address is now assigned to each of the VLAN interfaces.

    FWSM#show interface
    Interface Vlan10 "outside", is up, line protocol is up
      Hardware is EtherSVI
      MAC address 000d.29f3.2580, MTU 1500
      IP address 10.1.11.2, subnet mask 255.255.255.0
      Traffic Statistics for "outside":
        1638 packets input, 0 bytes
        26 packets output, 1904 bytes
        0 packets dropped
    Interface Vlan11 "inside", is up, line protocol is up
      Hardware is EtherSVI
      MAC address 000d.29f3.2580, MTU 1500
      IP address 10.1.11.2, subnet mask 255.255.255.0
      Traffic Statistics for "inside":
        40 packets input, 2244 bytes
        43 packets output, 3036 bytes
        0 packets dropped
    Interface BVI1 "", is up, line protocol is up
      Hardware is Available but not configured via nameif
      MAC address 000d.29f3.2590, MTU not set
      IP address 10.1.11.2, subnet mask 255.255.255.0

Step 4 Display the routing table.

    FWSM#show route
    S    0.0.0.0 0.0.0.0 [1/0] via 10.1.11.1, outside

Task 5: Configuring Network Access

In this task, you will configure permitted traffic patterns.
Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1, FWSM). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete the following steps on the FWSM:

Step 1 Create an ACL named "allow-in" that permits ICMP traffic from 10.P.13.25 to 10.P.11.10, where "P" is your pod number.

Note: As each ACL is defined, you will receive the following message as the FWSM auto-commits the ACL changes: Access Rules Download Complete: Memory Utilization: < 1%.

Step 2 Add another line to the allow-in ACL that permits any host to access the web server at 10.P.11.20, where "P" is your pod number.
Step 3 Create an ACL called "allow-out" that permits any IP traffic.
Step 4 Use the allow-in ACL to control traffic received from the outside interface.
Step 5 Use the allow-out ACL to control traffic received from the inside interface.

Activity Verification

You have completed this task when you attain these results:

Step 1 Display the ACLs that have been defined.

    FWSM#show access-list
    access-list mode auto-commit
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list allow-in; 2 elements
    access-list allow-in line 1 extended permit icmp host 10.1.13.25 host 10.1.11.10 (hitcnt=0) 0x5e7ef9b1
    access-list allow-in line 2 extended permit tcp any host 10.1.11.20 eq www (hitcnt=0) 0x251e47f
    access-list allow-out; 1 elements
    access-list allow-out line 1 extended permit ip any any (hitcnt=0) 0x15202144

Step 2 Display the mapping of ACLs to interfaces.

    FWSM#show running-config access-group
    access-group allow-in in interface outside
    access-group allow-out in interface inside

Task 6: Demonstrating the Firewall

In this task, you will use client systems to demonstrate access to resources through the FWSM.
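The allow-in and allow-out policy built in Task 5 is what decides the outcome of every check in the demonstration that follows: first matching line wins, and anything that matches no line falls to the implicit deny at the end of the list. The Python below is an added example, not code from the lab guide or from Cisco; it models that evaluation for the two lists and replays the four PC1 checks (ping and HTTP to Server1 and to the web server), so the expected pass/fail pattern can be reasoned about before touching the pod. The ACL entries are the ones the guide specifies; the pod number, the `Ace` class and the function names are assumptions of this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Added example (not part of the lab guide): a minimal model of how a firewall
# walks an access list top to bottom, first match wins, implicit deny at the end.
# Hit counters are kept so results can be compared against "show access-list".


@dataclass
class Ace:
    """One entry in the spirit of 'access-list <name> extended permit ...'."""
    action: str                  # "permit" or "deny"
    proto: str                   # "icmp", "tcp", "udp" or "ip" (matches any protocol)
    src: str                     # source in CIDR notation; "0.0.0.0/0" stands for "any"
    dst: str                     # destination in CIDR notation
    dport: Optional[int] = None  # destination port for tcp/udp; "eq www" is port 80
    hitcnt: int = 0

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> bool:
    """Return True if the flow is permitted; unmatched traffic hits the implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            ace.hitcnt += 1
            return ace.action == "permit"
    return False


def lab_acls(pod: int) -> Dict[str, List[Ace]]:
    """The allow-in / allow-out lists from Task 5, keyed by the interface they guard inbound."""
    allow_in = [
        Ace("permit", "icmp", f"10.{pod}.13.25/32", f"10.{pod}.11.10/32"),
        Ace("permit", "tcp", "0.0.0.0/0", f"10.{pod}.11.20/32", dport=80),
    ]
    allow_out = [Ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")]
    return {"outside": allow_in, "inside": allow_out}


def demo_results(pod: int = 1) -> Dict[str, bool]:
    """Replay the Task 6 checks: traffic from PC1 arriving on outside, plus one reply from inside."""
    acls = lab_acls(pod)
    pc1 = f"10.{pod}.13.25"
    server1, web = f"10.{pod}.11.10", f"10.{pod}.11.20"
    return {
        "ping_server1": evaluate(acls["outside"], "icmp", pc1, server1),
        "ping_web": evaluate(acls["outside"], "icmp", pc1, web),
        "http_server1": evaluate(acls["outside"], "tcp", pc1, server1, 80),
        "http_web": evaluate(acls["outside"], "tcp", pc1, web, 80),
        # The echo reply travels inside -> outside and is judged by allow-out.
        "reply_from_server1": evaluate(acls["inside"], "icmp", server1, pc1),
    }


if __name__ == "__main__":
    for check, permitted in demo_results(pod=1).items():
        print(f"{check:20s} -> {'permitted' if permitted else 'denied'}")
```

Only the ping to Server1 and the HTTP request to the web server come back permitted, which is exactly the pattern the demonstration steps describe; line 2 of allow-in also admits HTTP from any source to the web server, a point worth checking against the hit counter in the real `show access-list` output.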
Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1, FWSM). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete the following steps:

Step 1 Drop your connection to the FWSM.
Step 2 Connect to PC1 and issue a ping to 10.P.11.10 (where "P" is your pod number), which is the inside server IP address. This ping will succeed.

    6500-1#ping 10.1.11.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.11.10, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Step 3 Ping 10.P.11.20 from PC1 (where "P" is your pod number). This ping will fail.

    6500-1#ping 10.1.11.20
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.11.20, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

Step 4 Log in to the FWSM and enter the enable mode. Remember that the login password defaults to "cisco," and the default enable password is blank.
Step 5 Use Internet Explorer on PC1 in your pod and try to access the site at 10.P.11.10, where "P" is your pod number. This attempt will fail.
Step 6 Use Internet Explorer on PC1 to access the site at 10.P.11.20, where "P" is your pod number. A web page filled with test images will appear.
Step 7 Display the connections active on the FWSM. Notice that all the connections are using the same network processor.

    FWSM#show connection
    2 in use, 3 most used
    Network Processor 1 connections
    Network Processor 2 connections
    TCP out 10.1.13.25:1452 in 10.1.11.20:80 idle 0:00:05 Bytes 199296 FLAGS - UBOI
    TCP out 10.1.13.25:1453 in 10.1.11.20:80 idle 0:00:05 Bytes 199868 FLAGS - UBOI
    TCP out 10.1.13.25:1454 in 10.1.11.20:80 idle 0:00:05 Bytes 108120 FLAGS - UBOI

Step 8 Exit from your login session on the FWSM.
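Step 7 shows every connection from PC1 to the web server landing on the same network processor, and the steps that follow fix that by adding the Layer 4 ports to the port-channel load-balancing hash. The reason is simple: all of those connections share the same source and destination IP address, so a hash over Layer 3 fields alone produces the same value for each of them. The Python below is an added example, not code from the lab guide or from Cisco, and the XOR-fold hash in it is a constructed stand-in that is not the algorithm used by the Catalyst 6500 or the FWSM; it only illustrates how the choice of hash input changes the distribution. The flow tuples mirror the connections listed in Steps 7 and 15 for pod 1; the function names are assumptions of this example.

```python
from functools import reduce
from ipaddress import ip_address
from typing import Dict, List, Tuple

# Added example (not part of the lab guide). The hash below is deliberately
# simple and is NOT the Catalyst 6500 / FWSM distribution algorithm; it only
# shows why an L3-only key collapses PC1's connections onto one processor and
# why adding the L4 ports spreads them.

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)

# Constructed to mirror the connections in Steps 7 and 15 (pod 1):
# PC1 10.1.13.25 opening TCP sessions to the web server 10.1.11.20:80.
FLOWS_STEP7: List[Flow] = [("10.1.13.25", p, "10.1.11.20", 80) for p in (1452, 1453, 1454)]
FLOWS_STEP15: List[Flow] = [("10.1.13.25", p, "10.1.11.20", 80) for p in range(1455, 1464)]


def hash_key(flow: Flow, include_l4: bool) -> bytes:
    """Bytes fed to the hash: L3 addresses always, L4 ports only when requested."""
    src_ip, src_port, dst_ip, dst_port = flow
    key = ip_address(src_ip).packed + ip_address(dst_ip).packed
    if include_l4:
        key += src_port.to_bytes(2, "big") + dst_port.to_bytes(2, "big")
    return key


def pick_processor(flow: Flow, include_l4: bool, processors: int = 2) -> int:
    """Constructed hash: XOR-fold the key bytes, reduce modulo the processor count (1-based)."""
    folded = reduce(lambda a, b: a ^ b, hash_key(flow, include_l4), 0)
    return folded % processors + 1


def distribute(flows: List[Flow], include_l4: bool, processors: int = 2) -> Dict[int, List[Flow]]:
    """Group flows by selected processor, like the per-NP sections of 'show connection'."""
    buckets: Dict[int, List[Flow]] = {n: [] for n in range(1, processors + 1)}
    for flow in flows:
        buckets[pick_processor(flow, include_l4, processors)].append(flow)
    return buckets


def processors_used(flows: List[Flow], include_l4: bool) -> int:
    """How many network processors end up carrying at least one of the flows."""
    return sum(1 for bucket in distribute(flows, include_l4).values() if bucket)


if __name__ == "__main__":
    for label, flows, l4 in (("L3-only key (Step 7)", FLOWS_STEP7, False),
                             ("L3+L4 key (Step 15)", FLOWS_STEP15, True)):
        print(label)
        for np_id, bucket in distribute(flows, l4).items():
            print(f"  Network Processor {np_id}: {len(bucket)} connections")
```

With the L3-only key every flow from PC1 to the web server hashes identically and one processor carries all of them; once the source port enters the key the nine Step 15 connections split across both processors. The same logic explains why a single client talking to a single server is the worst case for any hash that ignores Layer 4, whatever the exact algorithm in the hardware.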
Step 9 Enter the configuration mode on the switch.
Step 10 Change the port-channel load-balancing algorithm to include the Layer 4 port address in the hash function input.
Step 11 Log back in to the FWSM and enter enable mode.
Step 12 Display active connections on the FWSM. If any active connections exist, force them to close.
Step 13 Verify that no connections exist.

    FWSM#show connection
    0 in use, 4 most used
    Network Processor 1 connections
    Network Processor 2 connections
    Multicast connections:
    Network Processor 1 connections
    Network Processor 2 connections
    IPv6 connections:

Step 14 Use Internet Explorer on PC1 to re-retrieve the web page from 10.P.11.20, where "P" is your pod number.
Step 15 Display the connections that are active on the FWSM. Notice that the connections are now more balanced between the Network Processors.

    FWSM#show connection
    9 in use, 9 most used
    Network Processor 1 connections
    TCP out 10.1.13.25:1455 in 10.1.11.20:80 idle 0:00:04 Bytes 12556 FLAGS - UBOI
    TCP out 10.1.13.25:1456 in 10.1.11.20:80 idle 0:00:04 Bytes 8424 FLAGS - UBOI
    TCP out 10.1.13.25:1460 in 10.1.11.20:80 idle 0:00:04 Bytes 118486 FLAGS - UBOI
    TCP out 10.1.13.25:1462 in 10.1.11.20:80 idle 0:00:04 Bytes 100898 FLAGS - UBOI
    TCP out 10.1.13.25:1463 in 10.1.11.20:80 idle 0:00:04 Bytes 73566 FLAGS - UBOI
    Network Processor 2 connections
    TCP out 10.1.13.25:1457 in 10.1.11.20:80 idle 0:00:04 Bytes 8202 FLAGS - UBOI
    TCP out 10.1.13.25:1458 in 10.1.11.20:80 idle 0:00:04 Bytes 48534 FLAGS - UBOI
    TCP out 10.1.13.25:1459 in 10.1.11.20:80 idle 0:00:04 Bytes 65170 FLAGS - UBOI
    TCP out 10.1.13.25:1461 in 10.1.11.20:80 idle 0:00:04 Bytes 74206 FLAGS - UBOI

Step 16 If you are done verifying and validating the transparent mode, configure the FWSM back to routed mode.

Activity Verification

You have completed this task when you attain these results:

Step 1 Display the status of the Gigabit Ethernet interfaces. Specifically, check the status of the first three interfaces.

    6500-1#show interface status module 3
    Port     Name   Status      Vlan   Duplex   Speed    Type
    Gi3/1           disabled    1      full     auto     10/100/1000BaseT
    Gi3/2           disabled    1      full     auto     10/100/1000BaseT
    Gi3/3           connected   13     full     auto     10/100/1000BaseT
    Gi3/4           disabled    1      full     auto     10/100/1000BaseT
    Gi3/5           disabled    1      full     auto     10/100/1000BaseT
    Gi3/6           disabled    1      full     auto     10/100/1000BaseT
    Gi3/7           disabled    1      full     auto     10/100/1000BaseT
    Gi3/8           disabled    1      full     auto     10/100/1000BaseT
    Gi3/9           disabled    1      full     auto     10/100/1000BaseT
    Gi3/10          disabled    1      full     auto     10/100/1000BaseT
    Gi3/11          disabled    1      full     auto     10/100/1000BaseT
    Gi3/12          disabled    1      full     auto     10/100/1000BaseT
    Gi3/13          connected   trunk  a-full   a-1000   10/100/1000BaseT
    <...rest of the output omitted...>

Step 2 Display the VLANs.

    6500-1#show vlan brief
    VLAN Name        Status    Ports
    1    default     active    Gi4/1, Gi4/2, Gi4/3, Gi4/4
                               Gi4/5, Gi4/6, Gi6/2, Gi6/3
                               Gi6/4, Gi6/5, Gi6/6
    10   Outside     active
    11   Inside      active
    13   ClientPC    active    Gi3/3

Step 3 Display the IP interfaces that have been configured.

    6500-1#show ip interface brief | exclude unassigned
    Interface   IP-Address   OK? Method Status Protocol
    Vlan10      10.3.11.1    YES manual up     up
    Vlan13      10.3.13.1    YES manual up     up

Step 4 Display the firewall VLAN group.

    6500-1#show firewall vlan-group
    Group   vlans
    1       10,11

Step 5 Display information about the FWSMs in the chassis.

    6500-1#show firewall module
    Module  Vlan-groups
    02      1

Lab 2-2: Deploying Multiple Contexts on FWSM

In this lab exercise, multiple contexts will be deployed on the Catalyst 6500 Series FWSM.

Activity Objective

In this activity, you will configure multiple security contexts on the Catalyst 6500 Series FWSM. After completing this activity, you will be able to meet these objectives:
  - Configure the Cisco Catalyst 6500 Series Switch to support multiple contexts
  - Create multiple contexts
  - Configure each context
  - Demonstrate access to resources through multiple contexts

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Lab 2-2: Deploying Multiple Contexts on FWSM]

The pod with the equipment for this lab exercise is divided into two independent subpods with the following devices and VLANs:
  - Subpod1: 6500-1, 4900-1, PC1, Server1, Server2 and VLANs 10, 11, 12, 13
  - Subpod2: 6500-2, 4900-2, PC6, Server3, Server4 and VLANs 20, 21, 22, 23

Divide into subgroups in each pod to complete the following tasks.

Note: Throughout the lab exercise, the steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1, Server2). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

IP Addressing

The IP addressing scheme in the following table lists the IP addresses of the PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces and Layer 3 physical interfaces, where "P" is your pod number.

Pod Addressing

    Device    IP Subnet    Subnet Mask   Device IP     Default Gateway   VLAN
    PC1       10.P.13.0    /24           10.P.13.25    10.P.13.1         13
    PC6       10.P.23.0    /24           10.P.23.25    10.P.23.1         23
    Server1   10.P.11.0    /24           10.P.11.10    10.P.11.1         11
                                         10.P.11.20
                                         10.P.11.30
                                         10.P.11.40
    Server2   10.P.12.0    /24           10.P.12.10    10.P.12.1         12
                                         10.P.12.20
                                         10.P.12.30
                                         10.P.12.40
    Server3   10.P.21.0    /24           10.P.21.10    10.P.21.1         21
                                         10.P.21.20
                                         10.P.21.30
                                         10.P.21.40
    Server4   10.P.22.0    /24           10.P.22.10    10.P.22.1         22
                                         10.P.22.20
                                         10.P.22.30
                                         10.P.22.40

    Device                          VLAN   IP Subnet    Subnet Mask   Device IP
    6500-1                          10     10.P.10.0    /24           10.P.10.1
    6500-1                          13     10.P.13.0    /24           10.P.13.1
    Context Test on 6500-1          10     10.P.10.0    /24           10.P.10.2
    Context Test on 6500-1          11     10.P.11.0    /24           10.P.11.1
    Context Production on 6500-1    10     10.P.10.0    /24           10.P.10.3
    Context Production on 6500-1    12     10.P.12.0    /24           10.P.12.1
    6500-2                          20     10.P.20.0    /24           10.P.20.1
    6500-2                          23     10.P.23.0    /24           10.P.23.1
    Device                          VLAN   IP Subnet    Subnet Mask   Device IP
    Context Test on 6500-2          20     10.P.20.0    /24           10.P.20.2
    Context Test on 6500-2          21     10.P.21.0    /24           10.P.21.1
    Context Production on 6500-2    20     10.P.20.0    /24           10.P.20.3
    Context Production on 6500-2    22     10.P.22.0    /24           10.P.22.1

Required Resources

These are the resources and equipment required to complete this activity:
  - Two (2) Cisco Catalyst 6500 Series Switches
  - Two (2) Cisco Catalyst 6500 Series Switch Ethernet modules
  - Two (2) Cisco Catalyst 6500 Series Switch Supervisor 720-10G-3C modules
  - Two (2) Cisco Catalyst 6500 Series Switch Firewall Services Modules
  - Two (2) Cisco Catalyst 4948 Switches
  - Two (2) Microsoft Windows XP clients
  - Four (4) Microsoft Windows 2003 servers

Command List

The table describes the commands used in this activity.

    Command                                   Description
    config t                                  Enter global configuration mode
    vlan x                                    Enter subconfiguration mode
    name xyz                                  Configure an administrative name for a VLAN interface
    interface vlan vlan_no                    Enter subconfiguration mode
    ip address x.x.x.x y.y.y.y                Configure an IP address on a VLAN interface
    no shut                                   Administratively enable an interface
    interface type slot/port                  Enter subconfiguration mode
    switchport                                Configure an interface as a switchport
    switchport mode access                    Configure an interface as an access port
    switchport access vlan vlan_no            Configure a VLAN for an access port
    firewall vlan-group x vlan                Configure a firewall VLAN group
    firewall module x vlan-group no           Associate a VLAN group with a firewall module
    Command                                                   Description
    port-channel load-balance type                            Configure the port-channel load-balancing type
    ip route x.x.x.x y.y.y.y z.z.z.z                          Configure a static route
    show vlan brief                                           Display the VLANs configured on a switch
    show ip interface brief                                   Show IP interface details in brief
    show interface status module x                            Show the status of interfaces on a specific module
    show firewall vlan-group                                  Display the firewall VLAN group details
    show ip route                                             Display the IP route
    session slot x processor 1                                Open a session to a specific module
    mode multiple                                             Configure the FWSM for multiple mode
    show start                                                Display the startup-config
    dir disk:                                                 Display the contents of the disk: file system
    more disk:/context_name                                   Display the configuration file for a specific context
    context admin                                             Configure a context
    allocate-interface x (nameif)                             Allocate interfaces to a context
    config-url disk:/context_name                             Set a configuration URL for a context
    show context (detail)                                     Display the context details
    changeto context context_name                             Change to a specific context
    interface x                                               Enter subconfiguration mode
    nameif xyz                                                Configure a name for an interface
    security-level x                                          Configure the security level for an interface
    ip address x.x.x.x y.y.y.y                                Configure an IP address for an interface
    http x.x.x.x y.y.y.y nameif                               Enable HTTP server access via a management interface
    http server enable                                        Enable the HTTP server
    aaa authentication protocol/command console LOCAL         Configure AAA authentication
    username name password password privilege level           Configure a username, password and privilege level
    route nameif 0 0 x.x.x.x                                  Configure a static route
    show interface ip brief                                   Display the IP interface details in brief
    copy running-config startup-config                        Save the running configuration to NVRAM
    access-list name permit/deny protocol source destination  Configure an ACL
    Command                                                   Description
    access-group name in/out interface nameif                 Associate an ACL with an interface
    static (nameif,nameif) x.x.x.x x.x.x.x netmask y.y.y.y    Configure identity NAT
    policy-map global_policy                                  Configure inspection engines
      class inspection_default
      inspect protocol
    show interface                                            Display details of interfaces
    show route                                                Display the route
    show access-list                                          Display the ACL configuration
    show running-config access-group                          Display the access-group configuration
    show running-config static                                Display the identity NAT configuration
    show connections                                          Display the active connections
    show xlate                                                Display the translation table

Task 1: Removing Previous Configurations

Ensure that no previous configuration exists on the switches in your pod and apply the initial configurations to the devices.

The initial configuration includes settings for the Layer 2 interfaces used (trunking, access VLAN set, etc.), VLAN configuration, Layer 3 VLAN configuration, correct power scheme, etc. The initial configurations are available on the individual device file system as specified in the following steps.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps on each switch in your pod:

Step 1 Connect to the 6500-1 switch via console and apply the following:
  - Replace the current running configuration with the configuration from file disk0:dcni1_lab22_6500-1 using the configure replace disk0:dcni1_lab22_6500-1 command. When asked to proceed, press Y.
  - Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
  - Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.
Step 2 Connect to the 4900-1 switch via console and apply the following:
  - Replace the current running configuration with the configuration from file bootflash:dcni1_lab22_4900-1 using the configure replace bootflash:dcni1_lab22_4900-1 command. When asked to proceed, press Y.
Step 3 In the EXEC mode on 6500-1, open a session with the FWSM in slot 2. The password is "cisco," which is the default value.
Step 4 Enter the enable mode and press Enter at the password prompt.
Step 5 Enter FWSM configuration mode.
Step 6 Delete the existing configuration with the clear config all command.
Step 7 Delete any existing configuration files on the disk: with the delete /noconfirm disk:* command.
Step 8 Reload the FWSM. Upon reload you will be disconnected from the FWSM.

Activity Verification

You have completed this task when you attain these results:

Step 1 On the 6500-1 switch, verify that you have connectivity to the following:
  - PC1 at 10.P.13.25 (where "P" is your pod number)
  - Server1 at 10.P.11.10 (where "P" is your pod number)

You should see results similar to the following printouts.

Note: The following printouts show results of a ping conducted on pod 4.

    6500-1#ping 10.4.13.25
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms
    6500-1#ping 10.4.11.10
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.4.11.10, timeout is 2 seconds:
    Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Task 2: Configuring Cisco Catalyst 6500 Series Switch Switching Functions

In this task, you will configure the Cisco Catalyst 6500 Series Switch to support multiple contexts on the FWSM.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.
Activity Procedure

Complete the following steps:

Step 1 Connect to 6500-1.
Step 2 Create VLAN 10 named "outside," VLAN 11 named "testing" and VLAN 12 named "production."
Step 3 Delete Layer 3 interfaces VLAN 11 and VLAN 12 if they exist.
Step 4 Create an MSFC interface in VLAN 10 and give it an IP address of 10.P.10.1/24, where "P" is your pod number.
Step 5 Assign VLANs 10, 11, and 12 to the FWSM in module 2.
Step 6 Configure port-channel load balancing to include Layer 4 port numbers in the hash function.
Step 7 Configure the router to send traffic for the 10.P.11.0/24 subnet to IP address 10.P.10.2, where "P" is your pod number.
Step 8 Configure the router to send traffic for the 10.P.12.0/24 subnet to IP address 10.P.10.3, where "P" is your pod number.

Activity Verification

You have completed this task when you attain these results:

Step 1 Display the VLANs configured on the switch.

    6500-1#show vlan brief
    VLAN Name                 Status     Ports
    1    default              active
    10   outside              active
    11   testing              active
    12   production           active
    13   pc-client            active     Gi3/3
    1002 fddi-default         act/unsup
    1003 token-ring-default   act/unsup
    1004 fddinet-default      act/unsup
    1005 trnet-default        act/unsup

Step 2 Display the IP interfaces.

    6500-1#show ip interface brief | exclude unassigned
    Interface   IP-Address   OK? Method Status Protocol
    Vlan10      10.1.10.1    YES manual up     up
    Vlan13      10.1.13.1    YES NVRAM  up     up

Step 3 Display the status of interfaces on the Ethernet module.

    6500-1#show interface status module 3
    Port     Name   Status      Vlan   Duplex   Speed   Type
    Gi3/1           disabled    1      full     auto    10/100/1000BaseT
    Gi3/2           disabled    1      full     auto    10/100/1000BaseT
    Gi3/3           connected   13     full     auto    10/100/1000BaseT
    Gi3/4           disabled    1      full     auto    10/100/1000BaseT
    Gi3/5           disabled    1      full     auto    10/100/1000BaseT
    Gi3/6           disabled    1      full     auto    10/100/1000BaseT
    Gi3/7           disabled    1      full     auto    10/100/1000BaseT
    Gi3/8           disabled    1      full     auto    10/100/1000BaseT
    Gi3/9           disabled    1      full     auto    10/100/1000BaseT
    Gi3/10          disabled    1      full     auto    10/100/1000BaseT
    Gi3/11          disabled    1      full     auto    10/100/1000BaseT
    <...rest of the output omitted...>

Step 4 Display the mapping of VLANs to FWSM modules.

    6500-1#show firewall vlan-group
    Group   vlans
    1       10-12
    6500-1#show firewall module
    Module  Vlan-groups
    02      1

Step 5 Display the IP routing table.

    6500-1#show ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route

    Gateway of last resort is not set

         10.0.0.0/24 is subnetted, 5 subnets
    C       10.4.10.0 is directly connected, Vlan10
    S       10.4.12.0 [1/0] via 10.4.10.3
    C       10.4.23.0 is directly connected, Vlan23
    S       10.4.11.0 [1/0] via 10.4.10.2
    C       10.4.13.0 is directly connected, Vlan13

Task 3: Creating Contexts

In this task, you will create multiple contexts on the FWSM.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.
Activity Procedure

Complete the following steps:

Step 1 Access the FWSM by opening the console session from 6500-1.
Step 2 Configure the FWSM to use multiple security contexts. This will cause a reboot of the FWSM.

    FWSM(config)#mode multiple
    WARNING: This command will change the behavior of the device
    WARNING: This command will initiate a Reboot
    Proceed with change mode? [confirm]
    Convert the system configuration? [confirm]
    The old running configuration file will be written to disk
    1386 bytes copied in 1.380 secs (1386 bytes/sec)
    The admin context configlet will be written to disk
    1229 bytes copied in 1.370 secs (1229 bytes/sec)
    The new running configuration file was written to flash
    Firewall mode: multiple
    10:00:48: SP: The PC in slot 2 is shutting down. Please wait ...
    10:00:49: SP: PC shutdown completed for module 2
    10:00:49: %C6KPWR-SP-4-DISABLED: power to module in slot 2 set off (Reset)
    10:02:28: %DIAG-SP-6-RUN_MINIMUM: Module 2: Running Minimum Diagnostics ...
    10:02:30: %SVCLC-5-FWVTPMODE: VTP mode is set to non-transparent
    10:02:31: %MLS_RATE-4-DISABLING: The Layer2 Rate Limiters have been disabled
    10:02:30: %DIAG-SP-6-DIAG_OK: Module 2: Passed Online Diagnostics
    10:02:42: %OIR-SP-6-INSCARD: Card inserted in slot 2, interfaces are now online
    [Connection to 127.0.0.21 closed by foreign host]

Note: Your session was dropped when the FWSM rebooted.

Step 3 Reconnect to the FWSM and enter enable mode.
Step 4 Display the contents of the disk: file system.

    FWSM#dir disk:
    Directory of disk:/
    10  -rw-  1386  17:07:44 Feb 16 2006  old_running.cfg
    11  -rw-  1229  17:07:44 Feb 16 2006  admin.cfg
    59748352 bytes total (59674624 bytes free)

Step 5 Display the configuration file for the admin context.

    FWSM#more disk:/admin.cfg

Step 6 Enter the configuration mode.
Step 7 Enter the context configuration sub-mode to make changes to the admin context.
Step 8 Connect VLAN 10 to the admin context.
Step 9 Display the startup configuration.
Note that three lines have been inserted into the configuration along with the other defaults.

    FWSM(config-ctx)#show startup-config
    <...part of the output omitted...>
    admin-context admin
    context admin
      config-url disk:/admin.cfg
    <...rest of the output omitted...>

Step 10 Display the configuration file for the admin context.

    FWSM(config-ctx)#more disk:/admin.cfg
    <...part of the output omitted...>
    : Saved
    : Written by enable_15 at 14:04:17.460 UTC Tue Apr 15 2008
    FWSM Version 3.1(3)
    hostname FWSM
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    pager lines 24
    no asdm history enable
    arp timeout 14400
    timeout xlate 3:00:00
    <...rest of the output omitted...>

Step 11 Create the testing context.
Step 12 Allocate VLAN 10 to the testing context with an interface alias of "test_outside."
Step 13 Allocate VLAN 11 to the testing context with an interface alias of "test_inside."
Step 14 Set the configuration URL for the testing context to point to a file in the disk: file system called "testing.cfg."
Step 15 Create the production context.
Step 16 Allocate VLAN 10 as "prod_outside," and VLAN 12 as "prod_inside" to the production context.
Step 17 Set the configuration URL for the production context to point to a file in the disk: file system called "production.cfg."

Activity Verification

You have completed this task when you attain these results:

Step 1 Display the contexts defined for the FWSM.

    FWSM#show context
    Context Name      Class     Interfaces       Mode     URL
    *admin            default   Vlan10           Routed   disk:/admin.cfg
     production       default   Vlan10,Vlan12    Routed   disk:/production.cfg
     testing          default   Vlan10,Vlan11    Routed   disk:/testing.cfg
    Total active Security Contexts: 3

Step 2 Display detailed information about each context defined for the FWSM.
    FWSM#show context detail
    Context "admin", is ADMIN and active
      Config URL: disk:/admin.cfg
      Real Interfaces: Vlan10
      Mapped Interfaces: Vlan10
      Class: default, Flags: 0x00001857, ID: 1

    Context "null", is a system resource
      Config URL: ... null ...
      Real Interfaces:
      Mapped Interfaces:
      Class: default, Flags: 0x00000809, ID: 256

    Context "production", is active
      Config URL: disk:/production.cfg
      Real Interfaces: Vlan10, Vlan12
      Mapped Interfaces: prod_inside, prod_outside
      Class: default, Flags: 0x00001855, ID: 3

    Context "system", is a system resource
      Config URL: flash:config
      Real Interfaces:
      Mapped Interfaces: EOBC0, GigabitEthernet0, GigabitEthernet1, Vlan10, Vlan11, Vlan12
      Class: default, Flags: 0x00000819, ID: 0

    Context "testing", is active
      Config URL: disk:/testing.cfg
      Real Interfaces: Vlan10, Vlan11
      Mapped Interfaces: test_inside, test_outside
      Class: default, Flags: 0x00001855, ID: 2

Task 4: Configuring Contexts

In this task, you will configure each of the security contexts on the FWSM.

Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete the following steps:

Step 1 Switch to the admin context.
Step 2 Enter the configuration mode.
Step 3 Give the name "mgmt" to VLAN 10 and assign a security level of "100."
Step 4 Authorize 10.P.13.25 (where "P" is your pod number) to access the HTTP server via the mgmt interface.
Step 5 Enable the HTTP server.
Step 6 Enable AAA authentication for HTTP access to the FWSM.
Step 7 Configure a user named "admin" with the password "bigboss."
Step 8 Configure a default route through the MSFC via the management interface.
Step 9 Exit the configuration mode.
Step 10 Display the IP interfaces.

    FWSM/admin#show interface ip brief
    Interface   IP-Address     OK? Method Status Protocol
    Vlan10      10.4.10.254    YES manual up     up

Step 11 Save the running configuration to the startup configuration.
Step 12 Change to the testing context.
Step 13 Enter the configuration mode.
Step 14 Rename "test_inside" to "inside" and assign a security level of "100."
Step 15 Rename "test_outside" to "outside" and assign a security level of
Step 16 Configure an IP address of 10.P.10.2 on the outside interface, where "P" is your pod number.
Step 17 Configure a default route through the MSFC via the outside interface.
Step 18 Configure the inside interface with an IP address of 10.P.10.1, where "P" is your pod number.
Step 19 Configure an ACL named "permit-all" that allows all IP traffic.
Step 20 Assign this new ACL to both interfaces.
Step 21 Configure identity NAT for the entire inside subnet.
Step 22 Configure protocol inspection engines for ICMP.
Step 23 Create an "admin" user with the password "admin."
Step 24 Enable AAA authentication for all HTTP access.
Step 25 Enable the HTTP server.
Step 26 Exit the configuration mode and display the interfaces that have been defined.

    FWSM/testing#show interface
    Interface test_outside "outside", is up, line protocol is up
      MAC address 000d.29f3.2580, MTU 1500
      IP address 10.4.10.2, subnet mask 255.255.255.0
      Traffic Statistics for "outside":
        25 packets input, 68 bytes
        3 packets output, 204 bytes
        487 packets dropped
    Interface test_inside "inside", is up, line protocol is up
      MAC address 000d.29f3.2580, MTU 1500
      IP address 10.4.11.1, subnet mask 255.255.255.0
      Traffic Statistics for "inside":
        48 packets input, 68 bytes
        2 packets output, 136 bytes
        276 packets dropped

Step 27 Display the status of defined IP interfaces.

    FWSM/testing#show interface ip brief
    Interface       IP-Address   OK? Method Status Protocol
    test_outside    10.4.10.2    YES manual up     up
    test_inside     10.4.11.1    YES manual up     up

Step 28 Display the routing table.
    FWSM/testing#show route
    S    0.0.0.0 0.0.0.0 [1/0] via 10.0.0.1, outside
    C    10.4.10.0 255.255.255.0 is directly connected, outside
    C    10.4.11.0 255.255.255.0 is directly connected, inside

Step 29 Display the static NAT configuration.

    FWSM/testing#show running-config static
    static (inside,outside) 10.4.11.0 10.4.11.0 netmask 255.255.255.0

Step 30 Display the ACLs and the interface to which they are assigned.

    FWSM/testing#show access-list
    access-list mode auto-commit
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list permit-all; 1 elements
    access-list permit-all line 1 extended permit ip any any (hitcnt=66) 0xfe6f0e0
    FWSM/testing#show running-config access-group
    access-group permit-all in interface outside
    access-group permit-all in interface inside

Step 31 Save the running configuration to the startup configuration.
Step 32 Switch to the production context.
Step 33 Display the available interfaces.

    FWSM/production#show interface
    Interface prod_outside "", is up, line protocol is up
      Available but not configured via nameif
    Interface prod_inside "", is up, line protocol is up
      Available but not configured via nameif

Step 34 Enter the configuration mode.
Step 35 Name the context's interfaces as "inside" (with security level "100") and "outside" (with security level "10").
Step 36 Configure an inside IP address of 10.P.12.1, where "P" is your pod number.
Step 37 Configure an outside IP address of 10.P.10.3, where "P" is your pod number.
Step 38 Configure a default route through the MSFC at 10.P.10.1, where "P" is your pod number.
Step 39 Configure an "internet" ACL that permits any IP traffic.
Step 40 Configure a "public_access" ACL that permits access to web servers.
Step 41 Assign the "internet" ACL to the inside interface and the "public_access" ACL to the outside interface.
Step 42 Configure identity NAT for the entire inside subnet.
Create a user “admin” with the password “prodcontrol.” Step 44 Enable AAA-authenticated HTTP management access from 10.P.13.25, where “ is your pod number. {© 2008 isco Systems, In. Lab Guide 113 Activity Verification You have completed this task when you attain these result Step1 Display the defined ACLs and associated interfaces, List FNSM/production#show acces access-list mode auto-commit access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300 access-list internet; 1 elements access-list internet line 1 extended permit ip any any (hitent<0) oxbsd9¢a32 list public_access; 1 elements line 1 extended permit tep any any eq www (hitent~0) PWSH/production#show running-config access-group access-group internet in interface inside access-group public access in interface outeide ‘Step2 Display information about the defined interfaces. FWSM/producticnitshow interface Interface prod_outside outside", is up, line protocol is up MAC address 000d.29£3.2560, NTU 1500 IP address 10.4.10.3, subnet mask 255.255.255.0 Traffic statistics for "outside": 64 packets input, 68 bytes 4 packets output, 272 bytes 834 packets dropped Interface prod_inside "inside", ie up, line protocol is up MAC address 000d.29£3.2580, NTU 1500 IP address 10.4.12.1, subnet mask 255.255.255.0 Traffic Statistics for "inside" 1 packets input, 0 bytes 1 packets output, 68 bytes 214 packets dropped Step3__Display IP interface information. Fiish/productiontshow interface tp briet Interface IP-Address OK? 
Method Status Protocol prod_outeide 10.4.10.3 YES manual up up prod_inside 10.4.12.1 YES manual up up Step 4 Display the IP routes on this context PHSM/production#ehow route § 0.0.0.0 0.0.0.0 [1/0] via 10.0.0.2, outside © 10.4.10.0 255.255.255.0 is directly connected, outaide © 10.4.12.0 255.255.255.0 is directly connected, inside Step5 Display the static NAT configuration, FWSM/productionl#show running-config static static (inside, outside) 10.4.12.0 10.4.12.0 netmask 255.255.255.0 Step Save the running configuration to the startup configuration. Step7 Change to the system execution space. FWSN/product iontchangeto system Step8 Display the files in the disk: file system. FusMidir disk: Directory of disk:/ 10 -rw- 1386 17:0: 44 Feb 16 2006 old_running.cfg 11 rw 1893 17:44:10 Feb 16 2006 admin.cfg 38 -rw- 2015 17:58:44 Feb 16 2006 testing.ctg 39 -rw- 2033 18:05:48 Feb 16 2006 producticn.cfg 59748352 bytes total (59670528 bytes free) ‘114 Implementing Cisco Data Center Network inrastucture 1 (OCNI-1) v2.0 {© 2008 Cisco Systems, inc Task 5: Step9 Display each of the context configlets. PusMimore disk: /admin.cfg PHSMimore disk: /testing.cfg PHsMfmore disk: /production.cfg Demonstrating Multiple Contexts In this task, you will demonstrate access to resources through multiple contexts. Note ‘The steps and printouts refer to subpod! in pod 4 (devices 6500-1, 4900-1, PC, Server). However the same tasks should be applied to subpod2 with respect to a different numbering ‘and addressing scheme. Activity Procedure Complete the following steps: Step1 Use the web browser on PCI to visit each of the websites accessible through your test context. These are at IP addresses 10.P.11.10, 10.P.11.20, 10.P.11.30, and 10.P.11.40, where “P” is your pod number. ‘Step2 Display the connections active on the testing context (use ehangeto context testing to access the context from the FWSM). 
Note that your output may be different, since the connections are load-balanced over the NP1 and NP2 processors.
FWSM/testing#show connections
8 in use, 8 most used
Network Processor 1 connections
TCP out 10.4.13.25:1072 in 10.4.11.30:80 idle  Bytes 3402 FLAGS - UBOI
TCP out 10.4.13.25:1074 in 10.4.11.20:80 idle  Bytes 4715 FLAGS - UBOI
TCP out 10.4.13.25:1075 in 10.4.11.20:80 idle  Bytes 2773 FLAGS - UOI
TCP out 10.4.13.25:1080 in 10.4.11.40:80 idle  Bytes 3460 FLAGS - UOI
Network Processor 2 connections
TCP out 10.4.13.25:1071 in 10.4.12. idle  Bytes 4088 FLAGS - UBOI
TCP out 10.4.13.25:1077 in 10.4.1 idle  Bytes 4084 FLAGS - UBOI
TCP out 10.4.13.25:1078 in 10.4.12 idle  Bytes 3402 FLAGS - UBOI
TCP out 10.4.13.25:1079 in 10.4.22 idle  Bytes 4093 FLAGS - UBOI
Multicast sessions:
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections:
Step 3 Display the network address translation table in this context.
FWSM/testing#show xlate
5 in use, 5 most used
Global 10.4.13.25 Local 10.
Global 10.4.11.20 Local 10.
Global 10.4.11.30 Local 10.4.11.30
Global 10.4.11.40 Local 10.4.11.40
Global 10.4.11.10 Local 10.4.11.10
Step 4 Use the web browser on PC1 to visit each of the websites accessible through your production context. These are at IP addresses 10.P.20.10, 10.P.20.20, 10.P.20.30, and 10.P.20.40, where “P” is your pod number.
Step 5 Display the connections active on the production context.
FWSM/production#show connections
8 in use, 8 most used
Network Processor 1 connections
TCP out 10.4.12.10:80 in 10.4.13.25:1082 idle 0:00:51 Bytes 136560 FLAGS - UOI
TCP out 10.4.12.10:80 in 10.4.13.25:1083 idle 0:00:51 Bytes 100646 FLAGS - UOI
TCP out 10.4.12.30:80 in 10.4.13.25:1088 idle 0:00:33 Bytes 136509 FLAGS - UOI
TCP out 10.4.12.30:80 in 10.4.13.25:1089 idle 0:00:33 Bytes 100788 FLAGS - UOI
TCP out 10.4.12.40:80 in 10.4.13.25:1091 idle 0:00:22 Bytes 136450 FLAGS - UOI
Network Processor 2 connections
TCP out 10.4.12.20:80 in 10.4.13.25:1085 idle 0:00:39 Bytes 138286 FLAGS - UOI
TCP out 10.4.12.20:80 in 10.4.13.25:1086 idle 0:00:39 Bytes 98893 FLAGS - UOI
TCP out 10.4.12.40:80 in 10.4.13.25:1092 idle 0:00:22 Bytes 100962 FLAGS - UOI
Multicast sessions:
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections:
Step 6 Display the active network address translations in this context.
FWSM/production#show xlate
5 in use, 5 most used
Global 10.4.13.25 Local 10.4
Global 10.4.12.10 Local 10.4
Global 10.4.12.20 Local 10.4
Global 10.4.12.30 Local 10.4
Global 10.4.12.40 Local 10
Step 7 Use the web browser on PC1 to access the ASDM on the admin context using IP address 192.168.100.10 and the HTTPS protocol. Notice that you need to use the password configured for the admin context. The ASDM panel shown below will appear. Notice that from the admin context you can display information about any other context.
Note: ASDM can be installed as a local application or run as a Java applet. For lab purposes, choose “Run ASDM as a Java Applet.”
Step 8 Use the web browser on PC1 to access the ASDM on the production context using IP address 192.168.100.2 and the HTTPS protocol. Notice that you need to use the password configured for the production context. The ASDM panel shown below will appear.
Step 9 Use the web browser on PC1 to access the ASDM on the testing context using IP address 192.168.100.3 and the HTTPS protocol. You should see results similar to the ASDM display from the production context.

Lab 2-3: Deploying the FWSM in Routing Mode
Complete this lab activity to practice what you learned in the related lesson.
Activity Objective
In this activity, you will configure the Cisco Catalyst 6500 Series FWSM in routing mode. After completing this activity, you will be able to meet these objectives:
- Configure the Cisco Catalyst 6500 Series Switch
- Configure the network topology on the FWSM
- Configure NAT
- Configure permitted traffic patterns
- Configure protocol inspection
- Use client systems to demonstrate access to resources through the FWSM
Visual Objective
The figure illustrates what you will accomplish in this activity:
[Figure: Lab 2-3: Deploying the FWSM in Routing Mode]
The pod with the equipment for this lab exercise is divided into two independent subpods with the following devices and VLANs:
- Subpod1: 6500-1, 4900-1, PC1, Server1, Server2 and VLANs 10, 11, 12, 13
- Subpod2: 6500-2, 4900-2, PC6, Server3, Server4 and VLANs 20, 21, 22, 23
Divide into subgroups in each pod to complete the following tasks.
Note: Throughout the lab exercise the steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1, Server2). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.
IP Addressing
The IP addressing scheme in the following table lists the IP addresses of the PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces and Layer 3 physical interfaces, where “P” is your pod number.
Pod Addressing
Device   | IP subnet  | Subnet mask | Device IP                                          | Default gateway | VLAN
PC1      | 10.P.13.0  | /24         | 10.P.13.25                                         | 10.P.13.1       | 13
PC6      | 10.P.23.0  | /24         | 10.P.23.25                                         | 10.P.23.1       | 23
Server1  | 10.P.11.0  | /24         | 10.P.11.10, 10.P.11.20, 10.P.11.30, 10.P.11.40     | 10.P.11.1       | 11
Server2  | 10.P.12.0  | /24         | 10.P.12.10, 10.P.12.20, 10.P.12.30, 10.P.12.40     | 10.P.12.1       | 12
Server3  | 10.P.21.0  | /24         | 10.P.21.10, 10.P.21.20, 10.P.21.30, 10.P.21.40     | 10.P.21.1       | 21
Server4  | 10.P.22.0  | /24         | 10.P.22.10, 10.P.22.20, 10.P.22.30, 10.P.22.40     | 10.P.22.1       | 22

Device                     | VLAN | IP subnet  | Subnet mask | Device IP
6500-1                     | 10   | 10.P.10.0  | /24         | 10.P.10.1
6500-1                     | 13   | 10.P.13.0  | /24         | 10.P.13.1
Outside on FWSM in 6500-1  | 10   | 10.P.10.0  | /24         | 10.P.10.2
DMZ on FWSM in 6500-1      | 11   | 10.P.11.0  | /24         | 10.P.11.1
Inside on FWSM in 6500-1   | 12   | 10.P.12.0  | /24         | 10.P.12.1
6500-2                     | 20   | 10.P.20.0  | /24         | 10.P.20.1
6500-2                     | 23   | 10.P.23.0  | /24         | 10.P.23.1
Outside on FWSM in 6500-2  | 20   | 10.P.20.0  | /24         | 10.P.20.2
DMZ on FWSM in 6500-2      | 21   | 10.P.21.0  | /24         | 10.P.21.1
Inside on FWSM in 6500-2   | 22   | 10.P.22.0  | /24         | 10.P.22.1

Required Resources
These are the resources and equipment required to complete this activity:
- Two (2) Cisco Catalyst 6500 Series Switches
- Two (2) Cisco Catalyst 6500 Series Switch Ethernet modules
- Two (2) Cisco Catalyst 6500 Series Switch Supervisor 720-10G-3C modules
- Two (2) Cisco Catalyst 6500 Series Switch Firewall Services Modules
- Two (2) Cisco Catalyst 4948 Switches
- Two (2) Microsoft Windows XP clients
- Four (4) Microsoft Windows 2003 servers
Command List
The table describes the commands used in this activity.
Command                                                  | Description
enable                                                   | Enter EXEC mode
config t                                                 | Enter global configuration mode
vlan x                                                   | Configure a VLAN
name xyz                                                 | Configure an administrative name for a VLAN
interface type slot/port                                 | Enter sub-configuration mode
switchport                                               | Configure an interface as a switchport
switchport mode                                          | Configure the switchport mode
switchport access vlan x                                 | Configure the access VLAN for the switchport
no shut                                                  | Administratively enable an interface
ip address x.x.x.x y.y.y.y                               | Configure an IP address
port-channel load-balance type                           | Configure the port-channel load-balancing type
firewall vlan-group x vlans                              | Configure a firewall VLAN group and associated VLANs
firewall module x vlan-group x                           | Associate a VLAN group with a firewall module
show interface status module x                           | Display the status of interfaces on a specific module
show ip interface brief                                  | Display the IP brief details for interfaces
show vlan brief                                          | Display the VLANs configured in brief
session slot x processor 1                               | Start a session with an FWSM in a specific slot
interface type                                           | Enter sub-configuration mode
nameif xyz                                               | Configure the interface name
security x                                               | Configure the interface security level
ip address nameif x.x.x.x y.y.y.y                        | Configure an IP address and associate it with an interface
route nameif 0 0 x.x.x.x                                 | Configure a default route through a specific interface
show nameif                                              | Display named interfaces
show interface ip brief                                  | Display IP brief details on the firewall
show interface                                           | Display interface details
show route                                               | Display the configured routes
nat (nameif) 1 x.x.x.x y.y.y.y                           | Configure NAT translation for an interface name
global (nameif) 1 x.x.x.x-y.y.y.y                        | Configure a pool of addresses for NAT translation through a specific interface
static (nameif,nameif) x.x.x.x y.y.y.y                   | Configure a NAT static mapping
show running-config nat                                  | Display the NAT configuration
show running-config global                               | Display the global NAT configuration
show running-config static                               | Display the static NAT configuration
access-list mode manual-commit                           | Configure the ACLs to be manually committed
access-list name permit/deny protocol source destination | Configure an ACL
access-group name in/out interface nameif                | Configure an ACL group on a specific interface
access-list commit                                       | Manually commit the ACL to be applied
show access-list                                         | Display the ACL configuration
show running-config access-group                         | Display the access group configuration
policy-map global_policy / class inspection_default / inspect protocol | Configure inspection engines
show running-config policy-map                           | Display the inspection engine configuration
show arp                                                 | Display the ARP entries
ping                                                     | Verify connectivity using ping
show connections                                         | Display the active connections
show xlate                                               | Display the translation table
show users                                               | Display attached users

Task 1: Removing Previous Configurations
Ensure that no previous configuration exists on the switches in your pod and apply the initial configurations to the devices.
The initial configuration includes settings for the Layer 2 interfaces used (trunking, access VLAN set, etc.), VLAN configuration, Layer 3 VLAN configuration, correct power scheme, etc. The initial configurations are available on the individual device file system as specified in the following steps.
Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.
Activity Procedure
Complete these steps on each switch in your pod:
Step 1 Connect to the 6500-1 switch via console and apply the following:
- Replace the current running configuration with the configuration from file disk0:dcni1_lab23_6500-1 using the configure replace disk0:dcni1_lab23_6500-1 command. When asked to proceed, press Y.
- Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
- Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.
Step 2 Connect to the 4900-1 switch via console and apply the following:
- Replace the current running configuration with the configuration from file bootflash:dcni1_lab23_4900-1 using the configure replace bootflash:dcni1_lab23_4900-1 command. When asked to proceed, press Y.
Step 3 In the EXEC mode on 6500-1, open a session with the FWSM in slot 2. The password is “cisco,” which is the default value.
Step 4 Enter the enable mode and press Enter at the password prompt.
Step 5 Enter FWSM configuration mode.
Step 6 Delete the existing configuration with the clear config all command.
Step 7 Delete any existing configuration files on the disk: with the delete /noconfirm disk:* command.
Step 8 Reload the FWSM. Upon reload you will be disconnected from the FWSM.
Activity Verification
You have completed this task when you attain these results:
Step 1 On the 6500-1 switch verify that you have connectivity to the following:
- PC1 at 10.P.13.25 (where “P” is your pod number)
- Server1 at 10.P.11.10 (where “P” is your pod number)
You should see results similar to the following printouts.
Note: The following printouts show results of a ping conducted on pod 4.
6500-1#ping 10.4.13.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/4/4 ms
6500-1#ping 10.4.11.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.11.10, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/4 ms

Task 2: Configuring Cisco Catalyst 6500 Series Switch Switching Functions
In this task, you will configure the Cisco Catalyst 6500 Series Switch to support the FWSM.
Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.
Activity Procedure
Complete the following steps:
Step 1 Create VLAN 10 and name it “Outside.”
Step 2 Rename (or create, if it does not exist) VLAN 11 with the name “DMZ” and VLAN 12 with the name “Inside.”
Step 3 Remove Layer 3 interfaces VLAN11 and VLAN12 if they exist.
Step 4 Create an MSFC interface in VLAN 10 with an IP address of 10.P.10.1, where “P” is your pod number.
Step 5 Configure the switch to use port numbers in port-channel load-balancing algorithms.
Step 6 Associate VLANs 10, 11, and 12 with the FWSM in slot 2.
Activity Verification
You have completed this task when you attain these results:
Step 1 Display the status of interfaces on module 3.
6500-1#show interface status module 3
Port    Name   Status      Vlan  Duplex  Speed  Type
Gi3/1          disabled    2     full    auto   10/100/1000BaseT
Gi3/2          disabled    1     full    auto   10/100/1000BaseT
Gi3/3          connected   13    a-full  a-100  10/100/1000BaseT
Gi3/4          disabled    1     full    auto   10/100/1000BaseT
Gi3/5          disabled    1     full    auto   10/100/1000BaseT
Gi3/6          disabled    1     full    auto   10/100/1000BaseT
Gi3/7          disabled    1     full    auto   10/100/1000BaseT
Gi3/8          disabled    1     full    auto   10/100/1000BaseT
Gi3/9          disabled    1     full    auto   10/100/1000BaseT
Gi3/10         disabled    1     full    auto   10/100/1000BaseT
Gi3/11         disabled    1     full    auto   10/100/1000BaseT
... output omitted ...
Step 2 Display the IP interfaces.
6500-1#show ip interface brief | exclude unassigned
Interface   IP-Address   OK? Method Status Protocol
Vlan10      10.4.10.1    YES manual up     up
Vlan13      10.4.13.1    YES NVRAM  up     up
Step 3 Display the VLANs that exist on the switch.
6500-1#show vlan brief
VLAN Name       Status   Ports
1    default    active
10   Outside    active
11   DMZ        active
12   Inside     active
13   ClientPC   active   Gi3/3
... output omitted ...

Task 3: Connecting the FWSM to the Network
In this task, you will configure the network topology on the FWSM.
Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.
Activity Procedure
Complete the following steps:
Step 1 Session into the FWSM in slot 2 and enter the enable mode. The login password defaults to “cisco,” and the enable password is blank.
Step 2 Enter the configuration mode.
Step 3 Name the interfaces and assign security levels.
Step 4 Define IP addresses for each interface.
Step 5 Define a default route to the MSFC.
Activity Verification
You have completed this task when you attain these results:
Step 1 Display the named interfaces and their security levels.
FWSM#show nameif
Interface   Name      Security
Vlan10      outside   0
Vlan11      DMZ       50
Vlan12      inside    100
Step 2 Display the IP interfaces in the FWSM.
FWSM#show interface ip brief
Interface          IP-Address   OK? Method Status Protocol
GigabitEthernet0   unassigned   YES unset  up     up
GigabitEthernet1   unassigned   YES unset  up     up
Vlan10             10.4.10.2    YES manual up     up
Vlan11             10.4.11.1    YES manual up     up
Vlan12             10.4.12.1    YES manual up     up
EOBC0              127.0.0.21   YES CONFIG up     up
Step 3 Display detailed information about all of the interfaces on the FWSM.
FWSM#show interface
Interface Vlan10 "outside", is up, line protocol is up
  Hardware is EtherSVI
  MAC address 0018.73bc.6000, MTU 1500
  IP address 10.4.10.2, subnet mask 255.255.255.0
  Traffic Statistics for "outside":
    0 packets input, 0 bytes
    1 packets output, 68 bytes
    133 packets dropped
Interface Vlan11 "DMZ", is up, line protocol is up
  Hardware is EtherSVI
  MAC address 0018.73bc.6000, MTU 1500
  IP address 10.4.11.1, subnet mask 255.255.255.0
  Traffic Statistics for "DMZ":
    1 packets input, 0 bytes
    1 packets output, 68 bytes
    129 packets dropped
Interface Vlan12 "inside", is up, line protocol is up
  Hardware is EtherSVI
  MAC address 0018.73bc.6000, MTU 1500
  IP address 10.4.12.1, subnet mask 255.255.255.0
  Traffic Statistics for "inside":
    0 packets input, 0 bytes
    1 packets output, 68 bytes
    123 packets dropped
Step 4 Display the IP routing table on the FWSM.
FWSM#show route
S    0.0.0.0 0.0.0.0 [1/0] via 10.4.10.1, outside
C    10.4.10.0 255.255.255.0 is directly connected, outside
C    10.4.11.0 255.255.255.0 is directly connected, DMZ
C    10.4.12.0 255.255.255.0 is directly connected, inside

Task 4: Configuring NAT
In this task, you will configure NAT.
Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.
Activity Procedure
Complete the following steps:
Step 1 Configure NAT ID 1 to cover all addresses on the inside IP subnet of 10.P.12.0, where “P” is your pod number.
Step 2 Configure the global addresses to be used when systems from the inside subnet access the outside network.
Step 3 Configure the global addresses to be used when systems from the inside subnet access the DMZ.
Step 4 Configure a static address translation that maps 192.168.100.11 to the DMZ host at 10.P.20.10, where “P” is your pod number.
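The following FWSM configuration is an added illustration for subpod1 of pod 4, not the lab guide's Answer Key. It implements Tasks 3 and 4 and runs ahead to the ACL and inspection settings that Tasks 5 and 6 below ask for; the static mapping and ACL entries use the addresses shown in the verification printouts (10.4.10.11 to 10.4.11.10), and the MSFC next hop 10.4.10.1 comes from Task 2.

```cisco
! Added example for pod 4, subpod1 (not the lab's answer key).
! Addresses follow the Pod Addressing table for Lab 2-3.
! Task 3: name the three VLAN interfaces, set security levels, assign addresses.
FWSM(config)# interface Vlan10
FWSM(config-if)# nameif outside
FWSM(config-if)# security-level 0
FWSM(config-if)# ip address 10.4.10.2 255.255.255.0
FWSM(config-if)# interface Vlan11
FWSM(config-if)# nameif DMZ
FWSM(config-if)# security-level 50
FWSM(config-if)# ip address 10.4.11.1 255.255.255.0
FWSM(config-if)# interface Vlan12
FWSM(config-if)# nameif inside
FWSM(config-if)# security-level 100
FWSM(config-if)# ip address 10.4.12.1 255.255.255.0
FWSM(config-if)# exit
! Task 3, step 5: default route toward the MSFC SVI in VLAN 10.
FWSM(config)# route outside 0.0.0.0 0.0.0.0 10.4.10.1 1
! Task 4: NAT ID 1 covers the inside subnet; each lower-security interface
! gets its own global pool, so inside hosts are translated both toward the
! outside and toward the DMZ.
FWSM(config)# nat (inside) 1 10.4.12.0 255.255.255.0
FWSM(config)# global (outside) 1 10.4.10.100-10.4.10.200
FWSM(config)# global (DMZ) 1 10.4.11.100-10.4.11.200
! Task 4, step 4: one-to-one static for the DMZ web server, so outside hosts
! reach it at 10.4.10.11 and inside-to-DMZ traffic is not affected.
FWSM(config)# static (DMZ,outside) 10.4.10.11 10.4.11.10 netmask 255.255.255.255
! Task 5: in manual-commit mode, ACL entries do nothing until "access-list
! commit" is issued; binding an uncommitted ACL with access-group is rejected.
FWSM(config)# access-list mode manual-commit
FWSM(config)# access-list internet extended permit ip any any
! The lab's verification shows the DMZ server's real address here. On the FWSM an
! ACL applied to an interface must use the address valid on that interface's
! network, so a production deployment would reference the mapped 10.4.10.11.
FWSM(config)# access-list public_access extended permit tcp any host 10.4.11.10 eq www
FWSM(config)# access-list maintenance extended permit tcp 10.4.11.0 255.255.255.0 any eq telnet
FWSM(config)# access-list maintenance extended permit tcp 10.4.11.0 255.255.255.0 any eq www
FWSM(config)# access-list commit
FWSM(config)# access-group public_access in interface outside
FWSM(config)# access-group maintenance in interface DMZ
FWSM(config)# access-group internet in interface inside
! Task 6: ICMP inspection so echo replies are matched to their echo requests
! and allowed back through, instead of being dropped as unsolicited traffic.
FWSM(config)# policy-map global_policy
FWSM(config-pmap)# class inspection_default
FWSM(config-pmap-c)# inspect icmp
FWSM(config-pmap-c)# inspect icmp error
FWSM(config-pmap-c)# exit
FWSM(config-pmap)# exit
FWSM(config)# write memory
```

The verification commands in Tasks 3 to 6 (show nameif, show route, show running-config nat, show access-list, show running-config policy-map) should then reproduce the printouts in this lab.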
Activity Verification
You have completed this task when you attain these results:
Step 1 Display the NAT configuration.
FWSM#show running-config nat
nat (inside) 1 10.4.12.0 255.255.255.0
Step 2 Display the global address configuration.
FWSM#show running-config global
global (outside) 1 10.4.10.100-10.4.10.200
global (DMZ) 1 10.4.11.100-10.4.11.200
Step 3 Display the static NAT configuration.
FWSM#show running-config static
static (DMZ,outside) 10.4.10.11 10.4.11.10 netmask 255.255.255.255

Task 5: Configuring Network Access
In this task, you will configure permitted traffic patterns.
Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.
Activity Procedure
Complete the following steps:
Step 1 Switch to manual commit mode for ACLs.
Step 2 Create an ACL called “internet” that permits any IP traffic.
Step 3 Create an ACL called “public_access” that permits web access to the server in the DMZ.
Step 4 Create an ACL called “maintenance” that permits the DMZ host to initiate Telnet and web connections.
Step 5 Designate the public_access ACL as the ACL to be used to control traffic received on the outside interface.
Step 6 Notice that an error is issued. This error occurs because the ACL commit mode is manual, and the ACL has not been committed. Commit the ACLs.
Step 7 Designate the public_access ACL as the ACL to be used to control traffic received on the outside interface.
Step 8 Designate the internet ACL as the list to be used to control traffic received on the inside interface.
Step 9 Designate the maintenance ACL as the list to be used to control traffic received on the DMZ interface.
Activity Verification
You have completed this task when you attain these results:
Step 1 Display the configured ACLs.
FWSM#show access-list
access-list mode manual-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list internet; 1 elements
access-list internet line 1 extended permit ip any any (hitcnt=0) oxbsd98a32
access-list public_access; 1 elements
access-list public_access line 1 extended permit tcp any host 10.4.11.10 eq www (hitcnt=0) 0x2f208965
access-list maintenance; 2 elements
access-list maintenance line 1 extended permit tcp 10.4.11.0 255.255.255.0 any eq telnet (hitcnt=0) oxs2915206
access-list maintenance line 2 extended permit tcp 10.4.11.0 255.255.255.0 any eq www (hitcnt=0) oxaga26sa2
Step 2 Display the ACLs that are configured on the IP interfaces.
FWSM#show running-config access-group
access-group public_access in interface outside
access-group maintenance in interface DMZ
access-group internet in interface inside

Task 6: Configuring Protocol Inspection
In this task, you will configure protocol inspection.
Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.
Activity Procedure
Complete the following step:
Step 1 Add the ICMP inspection engines.
Activity Verification
You have completed this task when you attain this result:
Step 1 Display the configured fixups.
FWSM#show running-config policy-map
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
  inspect icmp error

Task 7: Demonstrating the Firewall
In this task, you will use client systems to demonstrate access to resources through the FWSM.
Note: The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.
Activity Procedure
Complete the following steps:
Step 1 Log on to each of the Microsoft Windows 2000 servers in your pod and bring up a command prompt on each of them.
Step 2 On Server1 ping 10.P.11.1, where “P” is your pod number. This ping will fail.
Step 3 On Server2 ping 10.P.12.1, where “P” is your pod number. This ping will also fail.
Step 4 Session into the FWSM and display the ARP table. Notice that the FWSM knows the MAC addresses of each of the servers. This indicates that Layer 2 connectivity is working and that our previous pings failed because the FWSM is not configured to respond to pings.
FWSM#show arp
        DMZ 10.4.11.10 000c.29da.5a23
        inside 10.4.12.10 000c.29e9.64f1
        eobc 127.0.0.51 0000.1500.0000
Step 5 Ping each of the servers from the FWSM.
FWSM# ping 10.4.11.10
Sending 5, 100-byte ICMP Echos to 10.4.11.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
FWSM# ping 10.4.12.10
Sending 5, 100-byte ICMP Echos to 10.4.12.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Step 6 In the command prompt window of Server2, issue a ping -n 15 10.P.11.10 command, where “P” is your pod number. This will generate 15 pings to Server2. While this command is running, display the active connections on the FWSM.
FWSM#show connections
1 in use, 1 most used
Network Processor 1 connections
Network Processor 2 connections
ICMP out 10.4.11.10:512 in 10.4.12.10:8 idle 0:00:00 Bytes 1404
Multicast sessions:
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections:
Step 7 In the command prompt window of Server1, issue a telnet 10.P.10.1 command, where “P” is your pod number. This will open the Telnet session to the 6500-1 VLAN 10 interface.
Since no Telnet password is defined on 6500-1, you will be disconnected with a “Password required, but none set” message.
Step 8 Display the active address translations.
FWSM#show xlate
2 in use, 2 most used
Global 10.4.10.100 Local 10.4.12.10
Global 10.4.10.11 Local 10.4.11.10
Step 9 Start Internet Explorer on Server2 and browse to 10.P.11.10, where “P” is your pod number. Display the active connections on the FWSM.
FWSM#show connections
2 in use, 4 most used
Network Processor 1 connections
Network Processor 2 connections
TCP out 10.4.11.10:80 in 10.4.12.10:1093 idle 0:00:07 Bytes 145341 FLAGS - UOI
TCP out 10.4.11.10:80 in 10.4.12.10:1094 idle 0:00:07 Bytes 88405 FLAGS - UOI
Multicast sessions:
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections:
Step 10 Establish a Telnet session from Server2 to 10.P.11.10, where “P” is your pod number. Leave this Telnet session active.
Step 11 Connect to 6500-1 and configure a VTY password to allow Telnet access.
6500-1(config)#line vty 0 15
6500-1(config-line)#password cisco
Step 12 Open a second command prompt on Server2 and establish a Telnet connection to 10.P.10.1. Log in to the router with the password “cisco.” Leave this Telnet session active.
Step 13 Establish a Telnet session from Server1 to 10.P.10.1 and log in as described above. Leave this Telnet session active.
Step 14 Display the active connections on the FWSM.
FWSM#show connections
3 in use, 5 most used
Network Processor 1 connections
Network Processor 2 connections
TCP out 10.4.11.10:23 in 10.4.12.10:1095 idle 0:00:53 Bytes 748 FLAGS - FRUOI
TCP out 10.4.10.1:23 in 10.4.12.10:1097 idle 0:00:31 Bytes 1337 FLAGS - UOI
TCP out 10.4.10.1:23 in 10.4.11.10:3836 idle 0:00:06 Bytes 1337 FLAGS - UOI
Multicast sessions:
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections:
Step 15 Display the active connections on the FWSM.
FWSM#show xlate
3 in use, 3 most used
Global 10.4.11.100 Local 10.4.12.10
Global 10.4.10.100 Local 10.4.12.10
Global 10.4.10.11 Local 10.4.11.10
Step 16 On one of the routers, display the active users. Notice the locations from which the router sees your logon sessions.
6500-1#show users
    Line       User       Host(s)              Idle       Location
*   0 con 0               127.0.0.21           00:00:18
    1 vty 0               idle                 00:01:24   10.4.10.100
    2 vty 1               idle                 00:01:09   10.4.10.11
Step 17 Double-click on the Server1 icon on the desktop of Server1. In the address window, enter \\10.P.12.10\c$ to display the disk contents of Server2. This command will fail.
Step 18 Double-click on the Server2 icon on the desktop of Server2. In the address window, enter \\10.P.11.10\c$ (where “P” is your pod number) to display the disk contents of Server1. The results of this command will appear as shown below.
Step 19 Display the active connections on the FWSM.
FWSM#show connections
4 in use, 6 most used
Network Processor 1 connections
TCP out 10.4.11.10:139 in 10.4.12.10:1100 idle 0:00:10 Bytes 82975 FLAGS - UOI
Network Processor 2 connections
TCP out 10.4.11.10:23 in 10.4.12.10:1095 idle 0:03:52 Bytes 749 FLAGS - FRUOI
TCP out 10.4.10.1:23 in 10.4.12.10:1097 idle 0:03:30 Bytes 1337 FLAGS - UOI
TCP out 10.4.10.1:23 in 10.4.11.10:3838 idle 0:03:06 Bytes 1337 FLAGS - UOI
Multicast sessions:
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections:
Step 20 Save your configuration on the firewall.
Step 21 Save your configuration on the switch.

Lab 2-4: Deploying the FWSM Failover
Complete this lab activity to practice what you learned in the related lesson.
Activity Objective
In this lab you will work together with the team using the other Cisco Catalyst 6500 Series and 4948 Switches in your pod.
One switch will be defined as the primary Cisco Catalyst 6500 Series Switch and will contain the primary Catalyst 6500 Series FWSM. The other switch will be defined as the secondary Cisco Catalyst 6500 Series Switch and will contain the backup Catalyst 6500 Series FWSM. Before you begin, your team members must decide which switch will fulfill each role. This lab may be repeated with the roles reversed. To accomplish this, reload the Cisco Catalyst 6500 Series Switches and start again.
In this activity, you will configure redundant Firewall Services Modules. After completing this activity, you will be able to meet these objectives:
- Configure Cisco Catalyst 6500 Series Switch switching functions to support redundant FWSMs
- Configure a redundant FWSM pair
- Demonstrate the redundancy provided by the FWSM
Visual Objective
The figure illustrates what you will accomplish in this activity:
[Figure: Deploying the FWSM Failover]
IP Addressing
The IP addressing scheme in the following table lists the IP addresses of the PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces and Layer 3 physical interfaces, where “P” is your pod number.
Pod Addressing Bana Deiout [boven Sip eS eS eae {ES | em SS rar Ser n| SCAN, rr forme [ae [wena [orn [a Senarr ftopsi0 [rae Jwesiao rors [1 forte torti3o vevce [view ]rsionet |] oovce cami [we [wre fer [para cama [3 | wre0 fae [wpaa waa [10 [swr00 [ee [roan aoa [1 [wes [os [orasz cuscem [10 wro0 [ar | wrsoa erin Guscem [10 wrsoa [a [waa ‘Standby a ee Fis wavem [vv [wena [a [urna ‘Standby a Required Resources ‘These are the resources and equipment required to complete this act Two (2) Cisco Catalyst 6500 Series Switches ‘Two (2) Cisco Catalyst 6500 Series Switch Ethernet modules ‘Two (2) Cisco Catalyst 6500 Series Switch Supervisor 720-10G-3C modules ‘Two (2) Cisco Catalyst 6500 Series Switch Firewall Services modules Two (2) Cisco Catalyst 4948 Switches Microsoft Windows XP client Microsoft Windows 2003 server {© 2008 Cisco Systems, Inc. Lab Guide 133, Command List The table describes the commands used in this activity. ‘Command, Description conf t Enter global configuration mode vlan x Enter subconfiguration mode name xyz Configure an administrative name interface vlan x ip address x.x.x.x y-y-¥-¥ Enter subconfiguration mode Configure an IP address no shut Administratively enable an interface interface type slot/port switchport ewitchport mode switchport acc vlan no Enter subconfiguration mode for an interface Configure an interface as a switchport Configure the interface as an access port Configure the access port VLAN firewall vlan-group x vilans Configure the firewall VLAN group vians| firewall module x vian- group x ‘Associate an FWSM module with the VLAN group spanning-tr root primary Contigure the spanning-tree root bridge show vian brief Display VLAN output in brief show interface status module no Display the interface status for a specific module show firewall vian Display the frewall VLAN groups show firewall module Display the VLAN group mappings show IP interface brief Display the IP interfaces in brit ion slot x processor 1 Open a session to a module 
failover failover lan interface vlan vlan_no Configure the VLAN the failover interface will use failover interface IP failover x.x.2-% y-¥.¥-¥ standby x.x.x.x ‘Assign the failover interface an IP adres ‘and secondary FWSM ‘on the primary failover link state vian vlan_no Configure the state interface to use a VLAN failover interface IP state x.x.x.% y.¥-¥-¥ standby x.x.x.x ‘Assign the state interface an IP address on the primary and ‘secondary FWSM failover lan unit primary Configure the primary failover unit failove: Enable falover 134 Implementing Cisco Data Center Network infrastructure 1 (OCNI-1) v2.0 (© 2008 Cisco Systems, ine. Command interface vlan no nameif name security level ip address x.x.x.x Description Enter subconfiguration mode Configure the interface name Configure the interface security level Configure the primary and secondary IP addresses for the interface Configure an ACL interface nameif Configure the access group and associate it with an interface static (nameif,nameif) iH KeH KK KK Configure static NAT route nameif x.x.x.x Yoye¥ey KA Configure a default route through an interface show nameif Display the named interfaces show route Display the IP route show failover Display the failover configuration show access-list Display the ACL configuration show running-config Display the access group configuration access-group show running-config static | Display the static NAT configuration show connections Display the active connections. configurations to the devices. g Previous Configurations Ensure that no previous configuration exists on the switches in your pod and apply the ial ‘The initial configuration includes settings for the Layer 2 interfaces used—trunking, access VLAN set, ete.; VLAN configuration, Layer 3 VLAN configuration, correct power scheme, ete. ‘The initial configurations are available on the individual device file system as specified in the following steps. 
Activity Procedure

Complete these steps on each switch in your pod:

Step 1  Connect to the 6500-1 switch via console and apply the following:
• Replace the current running configuration with the configuration from file disk0:dcni1_lab24_6500-1 using the configure replace disk0:dcni1_lab24_6500-1 command. When asked to proceed, press Y.
• Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
• Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.

Step 2  Connect to the 4900-1 switch via console and apply the following:
• Replace the current running configuration with the configuration from file bootflash:dcni1_lab24_4900-1 using the configure replace bootflash:dcni1_lab24_4900-1 command. When asked to proceed, press Y. You should see output similar to the output in the previous step.

Step 3  In EXEC mode on 6500-1, open a session with the FWSM in slot 2. The password is "cisco," which is the default value.

Step 4  Enter enable mode and press Enter at the password prompt.

Step 5  Enter FWSM configuration mode.

Step 6  Delete the existing configuration with the clear config all command.

Step 7  Delete any existing configuration files on the disk with the delete /noconfirm disk:* command.

Step 8  Reload the FWSM. Upon reload you will be disconnected from the FWSM.

Step 9  Connect to the 6500-2 switch via console and apply the following:
• Replace the current running configuration with the configuration from file disk0:dcni1_lab24_6500-1 using the configure replace disk0:dcni1_lab24_6500-1 command. When asked to proceed, press Y.
• Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
• Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.

Step 10  Connect to the 4900-2 switch via console and apply the following:
• Replace the current running configuration with the configuration from file bootflash:dcni1_lab24_4900-1 using the configure replace bootflash:dcni1_lab24_4900-1 command. When asked to proceed, press Y. You should see output similar to the output in the previous step.

Step 11  In EXEC mode on 6500-2, open a session with the FWSM in slot 2. The password is "cisco," which is the default value.

Step 12  Enter enable mode and press Enter at the password prompt.

Step 13  Enter FWSM configuration mode.

Step 14  Delete the existing configuration with the clear config all command.

Step 15  Delete any existing configuration files on the disk with the delete /noconfirm disk:* command.

Step 16  Reload the FWSM. Upon reload you will be disconnected from the FWSM.

Activity Verification

You have completed this task when you attain these results:

Step 1  On the 6500-1 switch verify that you have connectivity to the following:
• PC1 at 10.P.13.25 (where "P" is your pod number)
• Server1 at 10.P.11.10 (where "P" is your pod number)

You should see results similar to the following printouts.

Note  The following printouts show results of a ping conducted on pod 4.

6500-1# ping 10.4.13.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

6500-1# ping 10.4.11.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.11.10, timeout is 2 seconds:
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Task 2: Configuring Cisco Catalyst 6500 Series Switch Switching Functions

In this task, you will configure the Cisco Catalyst 6500 Series Switch switching functions to support redundant Firewall Services Modules.
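The configuration below is an added worked example and is not part of the lab guide; it shows what Tasks 2, 3 and 4 of this lab produce on pod 4 (P = 4), assembled from the command list above and the verification output the tasks show. Assumptions made here: the FWSM is in slot 2, the inter-pod uplink is TenGigabitEthernet5/4, and the FWSM keeps its default prompt name. Only the 6500-1 and primary-FWSM side is shown; the commands that differ on 6500-2 and the secondary FWSM are noted in comments.

```cisco
! ===== Task 2: switching functions on 6500-1 (added example, pod 4) =====
! Assumptions: FWSM in slot 2, inter-pod uplink TenGigabitEthernet5/4.
6500-1# configure terminal
6500-1(config)# vlan 10
6500-1(config-vlan)# name outside
6500-1(config-vlan)# vlan 11
6500-1(config-vlan)# name inside
6500-1(config-vlan)# vlan 13
6500-1(config-vlan)# name clientPC
6500-1(config-vlan)# vlan 90
6500-1(config-vlan)# name failover
6500-1(config-vlan)# vlan 91
6500-1(config-vlan)# name FWSM-state
6500-1(config-vlan)# exit
! MSFC interface in the outside VLAN; 6500-2 uses 10.4.10.2 here (and 10.4.13.2 on Vlan13)
6500-1(config)# interface Vlan10
6500-1(config-if)# ip address 10.4.10.1 255.255.255.0
6500-1(config-if)# no shutdown
6500-1(config-if)# exit
! Hand the firewalled VLANs and the two failover VLANs to the FWSM (same on both switches)
6500-1(config)# firewall vlan-group 2 10,11,90,91
6500-1(config)# firewall module 2 vlan-group 2
! Trunk to the neighbouring pod switch; it carries VLANs 10, 11, 90 and 91 between the two FWSMs
6500-1(config)# interface TenGigabitEthernet5/4
6500-1(config-if)# switchport
6500-1(config-if)# switchport trunk encapsulation dot1q
6500-1(config-if)# switchport mode trunk
6500-1(config-if)# exit
! Only on 6500-1: the switch holding the primary FWSM becomes STP root for inside and outside
6500-1(config)# spanning-tree vlan 10,11 root primary
6500-1(config)# end

! ===== Task 3: redundant FWSM pair, entered on the primary in 6500-1 =====
6500-1# session slot 2 processor 1
FWSM> enable
FWSM# configure terminal
! Failover and state links: identical on both units (same address and same standby address)
FWSM(config)# failover lan interface failover vlan 90
FWSM(config)# failover interface ip failover 192.168.1.1 255.255.255.0 standby 192.168.1.2
FWSM(config)# failover link state vlan 91
FWSM(config)# failover interface ip state 192.168.2.1 255.255.255.0 standby 192.168.2.2
! Role: on the secondary unit in 6500-2 enter "failover lan unit secondary" instead
FWSM(config)# failover lan unit primary
FWSM(config)# failover
! Everything below is entered on the primary only; failover replicates it to the mate
FWSM(config)# interface vlan 10
FWSM(config-if)# nameif outside
FWSM(config-if)# security-level 0
FWSM(config-if)# ip address 10.4.10.3 255.255.255.0 standby 10.4.10.4
FWSM(config-if)# interface vlan 11
FWSM(config-if)# nameif inside
FWSM(config-if)# security-level 100
FWSM(config-if)# ip address 10.4.11.1 255.255.255.0 standby 10.4.11.2
FWSM(config-if)# exit
! Lab-only policy: permits everything in both directions; a production rule set is specific
FWSM(config)# access-list permit-all extended permit ip any any
FWSM(config)# access-group permit-all in interface inside
FWSM(config)# access-group permit-all in interface outside
! Server1 (10.4.11.10) is reachable from the outside as 10.4.10.100
FWSM(config)# static (inside,outside) 10.4.10.100 10.4.11.10 netmask 255.255.255.255
! Two equal-cost routes to the client subnet, one through each MSFC
FWSM(config)# route outside 10.4.13.0 255.255.255.0 10.4.10.1 1
FWSM(config)# route outside 10.4.13.0 255.255.255.0 10.4.10.2 1
FWSM(config)# end
FWSM# write memory

! ===== Task 4: force a failover from the primary and confirm the roles =====
FWSM# configure terminal
FWSM(config)# no failover active
FWSM(config)# end
FWSM# show failover
```

After the last command the primary should report itself as Standby Ready and the mate as Active, and the Telnet session from PC1 should survive the switch because the state link on VLAN 91 has already copied its TCP connection to the secondary; "show connections" on the new active unit is the check that the copy happened.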
Activity Procedure

Complete the following steps:

Step 1  Connect to the 6500-1 switch and create VLANs 10, 11, 13, 90 and 91 named "outside," "inside," "clientPC," "failover," and "FWSM-state," respectively.

Step 2  Connect to the 6500-2 switch and create VLANs 10, 11, 13, 90 and 91 named "outside," "inside," "clientPC," "failover," and "FWSM-state," respectively.

Step 3  Create a virtual IP interface on the MSFC in VLAN 13 on 6500-2.

Note  The 6500-1 switch already has VLAN 13, created in Task 1.

Step 4  Assign an IP address of 10.P.13.2 to this interface and then activate the interface.

Step 5  Create a virtual IP interface on the MSFC in VLAN 10 on 6500-1.

Step 6  Assign an IP address of 10.P.10.1 to this interface and then activate the interface.

Step 7  Create a virtual IP interface on the MSFC in VLAN 10 on 6500-2.

Step 8  Assign an IP address of 10.P.10.2 to this interface and then activate the interface.

Step 9  Configure VLANs 10, 11, 90 and 91 to be attached to the FWSM in slot 2 on 6500-1 and 6500-2.

Step 10  Enable TenGigabitEthernet5/4 as a trunk port on 6500-1 and 6500-2. This port connects your switch to the switch in your neighbor pod.

Step 11  The 6500-1 switch will be deployed with the primary FWSM; therefore define this switch as the root of the spanning tree for the inside and outside VLANs.

Step 12  Exit configuration mode.

Activity Verification

You have completed this task when you attain these results:

Step 1  Display the configured VLANs.

6500-1# show vlan brief

VLAN Name          Status    Ports
---- ------------- --------- ------------------------------
1    default       active    Gi4/1, Gi4/2, Gi4/3, Gi4/4
                             Gi4/5, Gi4/6, Gi6/2, Gi6/3
                             Gi6/4, Gi6/5, Gi6/6
10   outside       active
11   inside        active
12   VLAN0012      active
13   clientPC      active    Gi3/3
90   failover      active
91   FWSM-state    active

Step 2  Display the status of the interfaces on module 3 on 6500-1 and 6500-2.

6500-1# show interface status module 3

Port    Name   Status      Vlan   Duplex  Speed   Type
Gi3/3          connected   13     a-full  a-100   10/100/1000BaseT
... output omitted ...
Gi3/13         connected   trunk  a-full  a-1000  10/100/1000BaseT
Gi3/14         connected   trunk  a-full  a-1000  10/100/1000BaseT
... output omitted ...

Step 3  Verify the spanning tree for VLAN 11 on 6500-1, which is the primary root bridge.

6500-1# show spanning-tree vlan 11

VLAN0011
  Spanning tree enabled protocol ieee
  Root ID    Priority    8192
             Address     0017.dfd0.240b
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8192
             Address     0017.dfd0.240b
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------
Gi3/13           Desg FWD 4         128.269  P2p
Gi3/14           Desg FWD 4         128.270  P2p
Te5/4            Desg FWD 2         128.516  P2p
Po306            Desg FWD 2         128.1665 P2p Edge

Step 4  Verify the spanning tree for VLAN 11 on 6500-2, which should see 6500-1 as the root bridge through Te5/4.

6500-2# show spanning-tree vlan 11

VLAN0011
  Spanning tree enabled protocol ieee
  Root ID    Priority    8192
             Address     0017.dfd0.240b
             Cost        2
             Port        516 (TenGigabitEthernet5/4)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32768
             Address     0017.df40.380b
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------
Gi3/13           Desg FWD 4         128.269  P2p
Gi3/14           Desg FWD 4         128.270  P2p
Te5/4            Root FWD 2         128.516  P2p
Po306            Desg FWD 2         128.1665 P2p Edge

Step 5  Display the FWSM VLAN groups.

6500-1# show firewall vlan
Group    vlans
-----    -----
2        10,11,90-91

Step 6  Display the mapping of VLAN groups to FWSM modules.

6500-1# show firewall module
Module    Vlan-groups
------    -----------
2         2

Step 7  Display the configured IP interfaces on 6500-1 and 6500-2.

6500-1# show ip interface brief | exclude unassigned
Interface    IP-Address    OK? Method  Status  Protocol
Vlan10       10.4.10.1     YES manual  up      up
Vlan13       10.4.13.1     YES NVRAM   up      up

6500-2# show ip interface brief | exclude unassigned
Interface    IP-Address    OK? Method  Status  Protocol
Vlan10       10.4.10.2     YES manual  up      up
Vlan13       10.4.13.2     YES manual  up      up

Task 3: Configuring Redundant FWSMs

In this task, you will configure a redundant pair of Firewall Services Modules.

Activity Procedure

Complete the following steps:

Step 1  Connect to the FWSM and enter configuration mode.

Step 2  Configure the failover interface to use VLAN 90 on the primary and secondary FWSMs.

Step 3  Assign the failover interface an IP address of 192.168.1.1 on the primary FWSM on 6500-1, and an IP address of 192.168.1.2 on the secondary FWSM on 6500-2 (configure the same command on both switches).

Step 4  Configure the state interface to use VLAN 91 on the primary and secondary FWSMs.

Step 5  Assign the state interface an IP address of 192.168.2.1 on the primary FWSM on 6500-1, and an IP address of 192.168.2.2 on the secondary FWSM on 6500-2 (configure the same command on both switches).

Step 6  On the primary FWSM only, configure the FWSM to be the primary unit of the redundant pair.

Step 7  On the secondary FWSM only, configure the FWSM to be the secondary unit of the redundant pair.

Step 8  Enable failover on both units.

Step 9  You should see the following output on the primary FWSM.

Beginning configuration replication: Sending to mate
End Configuration Replication to mate

Step 10  You should see the following output on the secondary FWSM.

Detected an Active mate
Beginning configuration replication from mate
This unit is in syncing state. 'failover' command will not be effective at this time
This unit is in syncing state. 'failover' command will not be effective at this time
End configuration replication from mate
Access Rules Download Complete: Memory Utilization: < 1%

Note  If you are configuring the secondary FWSM, exit configuration mode and skip the remaining steps in this task.

Step 11  Name the interfaces used for traffic (VLAN 10 as "outside" and VLAN 11 as "inside") and assign security levels.

Step 12  Define the IP addresses for each interface. Notice that one command is used to configure both the primary and secondary IP addresses for each interface. For the inside interface, use a primary address of 10.P.11.1 and a secondary address of 10.P.11.2, where "P" is your pod number. Define outside IP addresses of 10.P.10.3 and 10.P.10.4, respectively.

Step 13  Configure an ACL permitting all IP traffic, and apply it to both interfaces.

Step 14  Create a static NAT entry for Server1. The IP address of this server is 10.P.11.10, where "P" is the pod number. This server is reachable at an IP address of 10.P.10.100.

Step 15  Route the 10.P.13.0 subnet to both MSFCs on 10.P.10.X, where "P" is your pod number and "X" is the Cisco Catalyst 6500 Series Switch number.

Activity Verification

You have completed this task when you attain these results:

Step 1  Display the interface configurations on each FWSM.

FWSM# show nameif
Interface    Name      Security
Vlan10       outside   0
Vlan11       inside    100

FWSM# show int ip brief
Interface           IP-Address     OK? Method  Status  Protocol
GigabitEthernet0    unassigned     YES unset   up      up
GigabitEthernet1    unassigned     YES unset   up      up
Vlan10              10.4.10.3      YES manual  up      up
Vlan11              10.4.11.1      YES manual  up      up
Vlan90              192.168.1.1    YES manual  up      up
Vlan91              192.168.2.1    YES manual  up      up
EOBC0               127.0.0.21     YES CONFIG  up      up

Step 2  Display the IP routing table on the FWSM.
FWSM# show route
C    192.168.1.0 255.255.255.0 is directly connected, failover
C    192.168.2.0 255.255.255.0 is directly connected, state
C    10.4.10.0 255.255.255.0 is directly connected, outside
C    10.4.11.0 255.255.255.0 is directly connected, inside
S    10.4.13.0 255.255.255.0 [1/0] via 10.4.10.1, outside
S    10.4.13.0 255.255.255.0 [1/0] via 10.4.10.2, outside

Step 3  Display the failover status for each FWSM. The output listing for the primary FWSM is shown below. Compare this listing to the listing received on the secondary FWSM.

FWSM# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Vlan 90 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 0 of 250 maximum
Config sync: active
Version: Ours 3.1(3), Mate 3.1(3)
Last Failover at: 12:49:51 UTC Apr 23 2008
        This host: Primary - Active
                Active time: 920 (sec)
                Interface outside (10.4.10.3): Normal (Not-Monitored)
                Interface inside (10.4.11.1): Normal (Not-Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                Interface outside (10.4.10.4): Normal (Not-Monitored)
                Interface inside (10.4.11.2): Normal (Not-Monitored)

Stateful Failover Logical Update Statistics
        Link : state Vlan 91 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         44         0          44         0
        sys cmd         44         0          44         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          0          0
        UDP conn        0          0          0          0
        ARP tbl         0          0          0          0
        Xlate_Timeout   0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       983
        Xmit Q:         0       0       44

Step 4  Display the ACLs and group assignments.

FWSM# show access-list
access-list mode auto-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list permit-all; 1 elements
access-list permit-all extended permit ip any any (hitcnt=0)

FWSM# show running-config access-group
access-group permit-all in interface inside
access-group permit-all in interface outside

Step 5  Show the configured static NAT entries.

FWSM# show running-config static
static (inside,outside) 10.4.10.100 10.4.11.10 netmask 255.255.255.255

Note  The output from these steps should be similar on each FWSM, indicating that the configuration has been successfully replicated.

Task 4: Demonstrating Redundancy

In this task, you will demonstrate the redundancy provided by the FWSM redundant pair.

Activity Procedure

Complete the following steps:

Step 1  Log in to PC1, start a command prompt, and establish a Telnet connection to 10.P.10.100 (Server1).

Step 2  Display the active connections on each FWSM.

Step 3  On the primary FWSM, you should see an output listing similar to the following.

FWSM# show connections
1 in use, 1 most used
Network Processor 1 connections
Network Processor 2 connections
TCP out 10.4.13.25:1154 in 10.4.11.10:23 idle 0:00:27 Bytes 698 FLAGS - UBOI
Multicast sessions:
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections:

On the secondary FWSM, you should see output similar to the following. Note the differences in the flags between each FWSM.

FWSM# show connections
1 in use, 1 most used
Network Processor 1 connections
Network Processor 2 connections
TCP out 10.4.13.25:1154 in 10.4.11.10:23 idle 0:00:44 Bytes 256 FLAGS - UB
Multicast sessions:
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections:

Step 4  Issue the show connection detail command to view the active connections and a legend explaining the flags.

FWSM# show connections detail
1 in use, 2 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
       E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, k - Skinny media,
       M - SMTP data, m - SIP media, O - outbound data, P - inside back connection,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up
Network Processor 1 connections
Network Processor 2 connections
TCP out 10.4.13.25:1153 in 10.4.11.10:23 idle 0:00:43 Bytes 614 FLAGS - UBfrOI
Multicast sessions:
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections:

Step 5  Force the primary FWSM to fail over to the secondary by configuring the primary FWSM as no longer active. This step is performed on the primary FWSM only.

Step 6  On the primary FWSM you should see the "Switching to Standby" message, while on the secondary FWSM you should see the "Switching to Active" message.

Step 7  Verify the Active/Standby role on the secondary FWSM.

FWSM# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover Vlan 90 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 0 of 250 maximum
Config sync: active
Version: Ours 3.1(3), Mate 3.1(3)
Last Failover at: 13:12:24 UTC Apr 23 2008
        This host: Secondary - Active
                Active time: 97 (sec)
                Interface outside (10.4.10.3): Normal (Not-Monitored)
                Interface inside (10.4.11.1): Normal (Not-Monitored)
        Other host: Primary - Standby Ready
                Active time: 1351 (sec)
                Interface outside (10.4.10.4): Normal (Not-Monitored)
                Interface inside (10.4.11.2): Normal (Not-Monitored)

Stateful Failover Logical Update Statistics
        Link : state Vlan 91 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         194        0          190        0
        sys cmd         ?          0          ?          0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        8          0          3          0
        UDP conn        0          0          1          0
        ARP tbl         1          0          2          0
        Xlate_Timeout   0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       1580
        Xmit Q:         0       0       ?

(Counters marked "?" are not legible in the scanned source.)

Step 8  Return to the client system and type a new command in the Telnet session. Notice that the session is still active.

Step 9  Display the connection information on each FWSM.

FWSM# show connections
2 in use, 3 most used
Network Processor 1 connections
Network Processor 2 connections
TCP out 10.4.13.25:1154 in 10.4.11.10:23 idle 0:00:19 Bytes 1183 FLAGS - UBOI
Multicast sessions:
Network Processor 1 connections
Network Processor 2 connections
IPv6 connections:

Step 10  Display the current state of the failover mechanism on the primary FWSM also. Compare the primary FWSM output with the output from the secondary FWSM.

FWSM# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Vlan 90 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 50%
Monitored Interfaces 0 of 250 maximum
Config sync: active
Version: Ours 3.1(3), Mate 3.1(3)
Last Failover at: 13:16:28 UTC Apr 23 2008
        This host: Primary - Standby Ready
                Active time: 1416 (sec)
                Interface outside (10.4.10.4): Normal (Not-Monitored)
                Interface inside (10.4.11.2): Normal (Not-Monitored)
        Other host: Secondary - Active
                Active time: 275 (sec)
                Interface outside (10.4.10.3): Normal (Not-Monitored)
                Interface inside (10.4.11.1): Normal (Not-Monitored)

Stateful Failover Logical Update Statistics
        Link : state Vlan 91 (up)
        Stateful Obj    xmit       xerr
        General         241        0
        sys cmd         216        0
        up time         0          0
        RPC services    0          0
        TCP conn        2          0
        UDP conn        3          0
        ARP tbl         4          0
        Xlate_Timeout   0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       2       1867
        Xmit Q:         0       0       222

(The rcv and rerr columns of this listing are not legible in the scanned source.)

Lab 3-1: Deploying the Initial Cisco NAM Configuration

Complete this lab activity to practice what you learned in the related module.

Activity Objective

In this activity, you will configure the NAM for communication using the CLI and then securely log in to the NAM. You will also practice navigating the menus and create a new user. After completing this activity you will be able to meet these objectives:
• Configure NAM network parameters
• Log in to the NAM
• Navigate the NAM Traffic Analyzer menus and view various configuration parameters and preference settings
• Create new user accounts

Visual Objective

The figure illustrates what you will accomplish in this activity.

[Figure: Lab 3-1: Deploying the Initial Cisco NAM Configuration]

The pod with the equipment for this lab exercise is divided into two independent subpods with the following devices and VLANs:
• Subpod1: 6500-1, 4900-1, PC1, Server1, and VLANs 11, 13, 99
• Subpod2: 6500-2, 4900-2, PC6, Server3, and VLANs 21, 23, 99

Divide into subgroups in each pod to complete the following tasks.
Note  Throughout the lab exercise the steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

IP Addressing

The IP addressing scheme in the following table lists the IP addresses of the PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces and Layer 3 physical interfaces, where "P" is your pod number.

Pod Addressing

Device    Device IP                                         Subnet       Default gateway   VLAN
PC1       10.P.13.25                                        10.P.13.0    10.P.13.1         13
PC6       10.P.23.25                                        10.P.23.0    10.P.23.1         23
Server1   10.P.11.10, 10.P.11.20, 10.P.11.30, 10.P.11.40    10.P.11.0    10.P.11.1         11
Server3   10.P.21.10, 10.P.21.20, 10.P.21.30, 10.P.21.40    10.P.21.0    10.P.21.1         21

Device    VLAN   IP Subnet    Device IP
6500-1    11     10.P.11.0    10.P.11.1
6500-1    13     10.P.13.0    10.P.13.1
6500-1    99     10.P.99.0    10.P.99.1
6500-2    21     10.P.21.0    10.P.21.1
6500-2    23     10.P.23.0    10.P.23.1
6500-2    99     10.P.99.0    10.P.99.1

(The subnet mask column is only partly legible in the scanned source; the VLAN 99 subnets read as /24.)

Required Resources

These are the resources and equipment required to complete this activity:
• Two (2) Cisco Catalyst 6500 Series Switches
• Two (2) Cisco Catalyst 6500 Series Switch Ethernet modules
• Two (2) Cisco Catalyst 6500 Series Switch Supervisor 720-10G-3C modules
• Two (2) Cisco Catalyst 6500 Series Switch NAM service modules
• Two (2) Cisco Catalyst 4948 Switches
• Two (2) Microsoft Windows XP clients
• Two (2) Microsoft Windows 2003 servers

Job Aids

This job aid is available to help you complete the lab activity. Fill in the information provided by your instructor.

Description                               Value
NAM slot                                  4
Management VLAN                           99
NAM IP address                            10.P.99.2  255.255.255.0
NAM default gateway                       10.P.99.1
NAM system domain name                    labgear.net
NAM host name (DNS name)                  NAM-1
NAM IP address of name server             10.P.99.254
NAM web access account (user/password)    admin/cisco

Task 1: Removing Previous Configurations

Ensure that no previous configuration exists on the switches in your pod and apply the initial configurations to the devices. The initial configuration includes settings for the Layer 2 interfaces used (trunking, access VLAN set, etc.), VLAN configuration, Layer 3 VLAN configuration, correct power scheme, etc. The initial configurations are available on the individual device file system as specified in the following steps.

Note  The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps on each switch in your pod:

Step 1  Connect to the 6500-1 switch via console and apply the following:
• Replace the current running configuration with the configuration from file disk0:dcni1_lab31_6500-1 using the configure replace disk0:dcni1_lab31_6500-1 command. When asked to proceed, press Y.
• Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
• Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.

Step 2  Connect to the 4900-1 switch via console and apply the following:
• Replace the current running configuration with the configuration from file bootflash:dcni1_lab13_4900-1 using the configure replace bootflash:dcni1_lab13_4900-1 command. When asked to proceed, press Y.

Step 3  From the 6500-1 switch, reset the NAM CLI username and password to the default "root/root" with the command clear module pc-module 4 password.

Step 4  In EXEC mode on the 6500-1, open a session to the NAM in slot 4. The username/password is "root/root," which is the default value.

Step 5  Clear the old NAM configuration with the clear config command.

Step 6  Exit the NAM and reload the module with the hw-module module 4 reset command.

Step 7  Enter enable mode and press Enter at the password prompt.

Activity Verification

You have completed this task when you attain these results:

Step 1  On the 6500-1 switch verify that you have connectivity to the following:
• PC1 at 10.P.13.25 (where "P" is your pod number)
• Server1 at 10.P.11.10 (where "P" is your pod number)

You should see results similar to the following printouts.

Note  The following printouts show results of a ping conducted on pod 4.

6500-1# ping 10.4.13.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

6500-1# ping 10.4.11.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.11.10, timeout is 2 seconds:
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

Task 2: Configuring NAM Network Parameters

In this task, you will configure the network parameters for the NAM.

Note  The steps and printouts refer to subpod1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). However, the same tasks should be applied to subpod2 with respect to a different numbering and addressing scheme.

Activity Procedure

Complete these steps:

Step 1  Create VLAN 99 named "NAM" on the 6500-1 switch.

Step 2  Create a virtual IP interface on the MSFC in VLAN 99 on 6500-1.

Step 3  Assign an IP address of 10.P.11.1 to this interface and then activate the interface.

Step 4  Verify the NAM module installation, model number, and location (slot number) on 6500-1.

6500-1# show module
Mod Ports Card Type                                Model    Serial No.
(the module number and model columns are not legible in the scanned source)
          Application Control Engine Module                 Sa103206vA
          Firewall Module                                   sA01033097B
      48  CEF720 48 port 10/100/1000mb Ethernet             SALL0399147
          Network Analysis Module                           saDi0a6o2RL
          Supervisor Engine 720 10GE (Active)               SADI1520540
          Intrusion Detection System                        SADLOA4O0RS

Step 5  Configure the management VLAN 99 for the NAM using the parameters in the Job Aids section at the beginning of this lab activity description.

Step 6  Access the NAM CLI by establishing a console session with the NAM.

Step 7  At the login prompt, enter the root account "root/root."

Note  The default password for the root account is "root." Consult the instructor if the password has been reset.

Step 8  Configure the NAM IP address and subnet mask.

Step 9  Configure the default gateway for the NAM.

Step 10  Set the NAM system domain name.

Step 11  Set the NAM system host name.

Step 12  Set the NAM system name server.

Step 13  Verify that the parameters were entered correctly with the show ip command.

root@NAM-1.labgear.net# show ip
IP address:               10.4.99.2
Subnet mask:              255.255.255.0
IP Broadcast:             10.4.99.255
DNS Name:                 NAM-1.labgear.net
Default Gateway:          10.4.99.1
Nameserver(s):            10.4.99.254
HTTP server:              Disabled
HTTP secure server:       Disabled
HTTP port:                80
HTTP secure port:         443
TACACS+ configured:       No
Telnet:                   Disabled
SSH:                      Disabled

Note  If the NAM is to be accessed by third-party management applications, use the NAM CLI to enter SNMP variables.

Step 14  Enable the traffic analyzer application on the NAM. When asked to create the web administrator, use the data provided in the table (username: admin, password: cisco).

root@NAM-1.labgear.net# ip http server enable
Enabling HTTP server...
No web users are configured.
Please enter a web administrator user name [admin]: admin
New password:
Confirm password:
User admin added
Successfully enabled HTTP server.

Step 15  Exit the NAM CLI.

Activity Verification

This task will be completed successfully when you successfully log in to the NAM during the next task.
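The following is an added example, not text from the lab guide, of the switch and NAM commands that Task 2 describes, written for subpod1 of pod 4 (P = 4). The VLAN 99 interface address follows the job aid (NAM default gateway 10.P.99.1) and the show ip output above rather than the 10.P.11.1 given in Step 3. Assumptions: the NAM is in slot 4 and its prompt is shown as it reads once the host and domain names have been set.

```cisco
! ===== Switch side (6500-1): management VLAN 99 for the NAM in slot 4 =====
! Added example for subpod1 of pod 4; the SVI address follows the job aid (10.P.99.1)
6500-1# configure terminal
6500-1(config)# vlan 99
6500-1(config-vlan)# name NAM
6500-1(config-vlan)# exit
6500-1(config)# interface Vlan99
6500-1(config-if)# ip address 10.4.99.1 255.255.255.0
6500-1(config-if)# no shutdown
6500-1(config-if)# exit
! Put the NAM's internal management port into VLAN 99 (assumes NAM in slot 4)
6500-1(config)# analysis module 4 management-port access-vlan 99
6500-1(config)# end
6500-1# session slot 4 processor 1

! ===== NAM CLI (log in as root/root after the reset in Task 1) =====
! Prompt shown as it reads once host and domain names are set
root@NAM-1.labgear.net# ip address 10.4.99.2 255.255.255.0
root@NAM-1.labgear.net# ip gateway 10.4.99.1
root@NAM-1.labgear.net# ip domain labgear.net
root@NAM-1.labgear.net# ip host NAM-1
root@NAM-1.labgear.net# ip nameserver 10.4.99.254
! Check before enabling the web server: every value should match the job aid
root@NAM-1.labgear.net# show ip
! Starts the Traffic Analyzer web server; prompts for the web admin user (admin/cisco in this lab)
root@NAM-1.labgear.net# ip http server enable
root@NAM-1.labgear.net# exit
```

The show ip listing above also reports "HTTP secure server", "Telnet" and "SSH", all Disabled in the lab state; outside a lab the secure variants are the ones to turn on, since the admin credentials created by ip http server enable otherwise cross VLAN 99 in clear text.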
Task 3: Logging in to the NAM Traffic Analyzer In this task, you will log in to the NAM Traffic Analyzer using the web account created in the previous task. Activity Procedure Complete these steps: Step1 Step2 Connect to PC/ and open a web browser and enter the NAM IP address (10.P.99.2) as the URL, The NAM Traffic Analyzer login dialog box is displayed. Enter the username and password you created during the previous task (admin/cisco) and click Login. ‘hess |) tp 160.168 159.18/0ahogn php 160 Implementing Cisco Data Center Network Infrastructure 1 (DCNI-1) v2.0 (© 2008 Cisco Systems, inc. Step3 If the AutoComplete window appears, check the Don’t offer to remember any more passwords box and click No. Caution Do not allow your browser to remember passwords. Choosing "Yes" to remomber passwords can leave the CiscoWorks server vulnerable to unauthorized access. Step4 ‘The NAM Traffic Analyzer window appears displaying the system overview. ‘io Bl aps.08109eaentmvorcireen te retnrcare 08 co cn “oy, 19s sine QI) What is the current CPU utilization? Activity Verification You have completed this task when you have successfully logged into the NAM Traffic Analyzer software and reviewed the system overview, Task 3: Navigating the NAM Traffic Analyzer Menus Students will navigate the menus on the NAM Traffic Analyzer to find the task to display the initial network configuration of the NAM. Activity Procedure Complete these steps: Note ‘You should be logged in to the NAM. p1 Examine the NAM Traffic Analyzer desktop, which contains several major functions represented as tabs. Click each tab and the options for the function will be listed underneath the tabs: = Setup Monitor Reports Capture Alarms Admin {© 2008 Cisco Systems, Inc Lab Gude 151 Step2 Click the Monitor tab. Q2) What are the available options under the Monitor tab? Step3 Often, choosing an option will lead to suboptions displayed in a table of contents on the left side of the screen. 
Q3)  What are the suboptions for the Alarms option of the Setup function?

Step 4   Find the task that displays the NAM network parameters.

Q4)  List the path to find the NAM network parameters: (tab) (option) (suboption)

Q5)  How many parameters can be set or displayed by this task (name servers count as one parameter even though up to three can be displayed)?

These steps ensure proper processing for a lab that follows:

Step 5   Choose the Setup tab and the Protocol Directory option.
Step 6   Choose the Auto-learned Applications suboption from the suboptions box on the left side of the screen.
Step 7   The Auto Learned Protocols Preferences dialog box is displayed. Unselect Enable Auto Learned Protocols and click Apply.

Activity Verification
You have completed this task when you are comfortable navigating the NAM Traffic Analyzer desktop.

Task 4: Creating User Accounts

In this task, you will create a new user account with the ability to view collections and capture packets (the user will not have the ability to configure accounts, the system, alarms, or collections). You will also modify the Refresh Interval of the real-time reports by changing the NAM preferences.

Activity Procedure
Complete these steps:

Note     You should be logged in to the NAM Traffic Analyzer desktop.

Step 1   Choose the Admin tab and the Users option. Make sure the Local Database suboption is chosen.
Step 2   A list of the currently defined users and their privileges is displayed. Click Create to create a new user.
Step 3   Enter a username and password for this new user. Enter the privileges for the user (remember that this user is only to be able to view collections and run data captures).

Q6)  What privileges are to be enabled?

Step 4   ... to create the user.
Make sure this user is now listed in the local User database.

Step 5   View the parameters necessary to secure user access through a TACACS+ server. Choose the TACACS+ suboption.

Note     You should already be at Admin > Users and just need to choose TACACS+ from the suboptions menu on the left side of the screen.

Q7)  At the minimum, what information is needed to enable user authentication using a TACACS+ server?

Caution  Do not enable TACACS+ authentication at this time. Prior to enabling it, the TACACS+ server must be configured to accept authentication requests from the NAM, and the user account must also exist on the TACACS+ server.

Step 6   Change the Refresh Interval of the real-time reports to 30 seconds. Click Setup > Preferences. Change the value and click Apply. Note that these preferences apply to all users of the NAM.

Activity Verification
You have completed this task when you have successfully created a new user and the new user is listed in the local User database.

Lab 3-2: Deploying Collection Mechanisms

Complete this lab activity to practice what you learned in the related module.

Activity Objective
In this activity, you will configure the hosting switch to enable mini-RMON and view the collected statistics. Next, you will choose a port to be spanned to the NAM for in-depth RMON II analysis. Numerous RMON II collections will be enabled and viewed. Finally, a historical report will be generated. After completing this activity, you will be able to meet these objectives:
■ Enable and view mini-RMON per-port statistics
■ Span a port to the NAM and enable collections
■ View various NAM analysis reports
■ Generate a historical report

Visual Objective
The figure illustrates what you will accomplish in this activity.
Lab 3-2: Deploying Collection Mechanisms

The pod with the equipment for this lab exercise is divided into two independent subpods with the following devices and VLANs:
■ Subpod 1: 6500-1, 4900-1, PC1, Server1, and VLANs 11, 13, 99
■ Subpod 2: 6500-2, 4900-2, PC6, Server3, and VLANs 21, 23, 99

Divide into subgroups in each pod to complete the following tasks.

Note     Throughout the lab exercise the steps and printouts refer to subpod 1 in pod 4 (devices 6500-1, 4900-1, PC1, Server1). The same tasks should be applied to subpod 2, with its different numbering and addressing scheme.

IP Addressing
The IP addressing scheme in the following table lists the IP addresses of the PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces and Layer 3 physical interfaces, where "P" is your pod number.

Pod Addressing

Device  | IP Subnet | Mask | Device IP                                           | Default Gateway | VLAN
PC1     | 10.P.13.0 | /24  | 10.P.13.25                                          | 10.P.13.1       | 13
PC6     | 10.P.23.0 | /24  | 10.P.23.25                                          | 10.P.23.1       | 23
Server1 | 10.P.11.0 | /24  | 10.P.11.10, 10.P.11.20, 10.P.11.30, 10.P.11.40      | 10.P.11.1       | 11
Server3 | 10.P.21.0 | /24  | 10.P.21.10, 10.P.21.20, 10.P.21.30, 10.P.21.40      | 10.P.21.1       | 21

Device | VLAN | IP Subnet | Mask | Device IP
6500-1 | 11   | 10.P.11.0 | /24  | 10.P.11.1
6500-1 | 13   | 10.P.13.0 | /24  | 10.P.13.1
6500-1 | 99   | 10.P.99.0 | /24  | 10.P.99.1
6500-2 | 21   | 10.P.21.0 | /24  | 10.P.21.1
6500-2 | 23   | 10.P.23.0 | /24  | 10.P.23.1
6500-2 | 99   | 10.P.99.0 | /24  | 10.P.99.1

Required Resources
These are the resources and equipment required to complete this activity:
■ Two (2) Cisco Catalyst 6500 Series Switches
■ Two (2) Cisco Catalyst 6500 Series Switch Ethernet modules
■ Two (2) Cisco Catalyst 6500 Series Switch Supervisor 720-10G-3C modules
■ Two (2) Cisco Catalyst 6500 Series Switch NAM service modules
■ Two (2) Cisco Catalyst 4948 Switches
■ Two (2) Microsoft Windows XP clients
■ Two (2) Microsoft Windows 2003 servers

Job Aids
This job aid is available to help you complete the lab activity.
Fill in the information provided by your instructor.

Description                              | Value
NAM slot                                 | 4
Management VLAN                          | 99
NAM IP address                           | 10.P.99.2 255.255.255.0
NAM default gateway                      | 10.P.99.1
NAM system domain name                   | labgear.net
NAM host name (DNS name)                 | NAM-1
IP address of name server                | 10.P.99.254
NAM web access account (user/password)   | admin/cisco
Trunk port to be spanned                 | GigabitEthernet3/13

Note     This lab exercise is a continuation of the previous lab exercise, so the initial configurations on the switches and NAM should already be present. If the configurations are not available, redo Tasks 1 and 2 from the previous lab exercise.

Task 1: Enabling and Viewing Mini-RMON Per-Port Statistics

Students will enable mini-RMON on the Catalyst switch and view the per-port statistics.

Activity Procedure
Complete these steps:

Note     You should be logged in to the NAM Traffic Analyzer desktop.

Step 1   Connect to PC1 and Server1. Share the C disk of Server1 (net use x: \\10.P.11.10\C$, where "P" is your pod number) on PC1 and copy the s72033-adventerprisek9_wan-mz.122-18.SXF4.bin file on PC1 from the e:\tftp directory to the x:\tftp directory.
Step 2   At the same time, start a continuous ping from PC1 to Server1 with the ping 10.P.11.10 -t command, where "P" is your pod number.

These next few steps change the configuration of the switch and enable mini-RMON statistics to be calculated and collected by the supervisor module in the host switch.

Step 3   Choose the Setup tab and the Switch Parameters option.
Step 4   The Switch Information table is displayed. This table can be used to determine whether mini-RMON is available.
Step 5   From the suboptions menu on the left side of the screen, click Port Stats (Mini-Rmon).
Step 6   The Port Stats (Mini-Rmon) dialog box is displayed, detailing the current state of availability of mini-RMON statistics. If not currently enabled, click Enable.
Step 7
To view the mini-RMON availability by port, click Details.
Step 8   If the NAM host switch is a Cisco IOS switch, click Save to write the new configuration to the startup configuration.

Next, allow the NAM to collect the mini-RMON statistics from the host switch supervisor module.

Step 9   Choose the Setup tab and the Monitor option. Make sure the Core Monitoring suboption is chosen.
Step 10  Choose Supervisor from the Data Source drop-down menu. Ensure that Port Stats (Mini-Rmon) is checked. If changes were needed, click Apply.

Next, view the statistics for each operational port.

Step 11  Choose the Monitor tab and the Switch option. Make sure the Port Stats suboption is chosen.
Step 12  The Port Stats table is displayed. There are three basic displays for most analysis reports. By default, the Current Rates table is displayed, showing Traffic Rate counts during the last refresh cycle for currently operational ports.

Q1)  Which port is reporting the highest utilization?

Step 13  Highlight this port and click Real-Time to see port usage over time in a new window. Close this window after viewing.

Q2)  On the Port Stats table, what are the options for displaying Count Types?

Step 14  Change the display to TopN Chart.

Q3)  How many different variables can be graphed?

Step 15  Change the display to Cumulative Data.

Q4)  What is this table displaying?

Activity Verification
You have completed this task when you attain these results:
■ You have enabled mini-RMON on the host switch.
■ You have viewed the collected port statistics.

Task 2: Spanning a Port to the NAM and Enabling Collections

You will SPAN a switch port to the NAM and enable collection to allow for RMON II analysis.

Activity Procedure
Complete these steps:

Note     You should be logged in to the NAM Traffic Analyzer desktop.

Step 1   Choose the Setup tab and the Data Sources option.
Make sure the SPAN suboption is chosen.
Step 2   The Active SPAN Sessions dialog box is displayed, showing the current SPAN session. If a SPAN session is currently active, click Delete (you cannot create a new SPAN session while one is active). Click Create to configure a SPAN session.

Note     If a NAM-2 card is deployed, a table displays both ports available for spanning. In this case, choose a port first, and then click Create to get to the Create SPAN Session dialog box.

Step 3   The Create SPAN Session dialog box is displayed.

Q5)  What are the SPAN Types available?

Step 4   If the host switch runs Cisco IOS Software, there is a field for Monitor Session Number (this allows multiple SPAN sessions to various switch ports). Choose 1.
Step 5   For the SPAN Type, click the Switch Port radio button.
Step 6   Choose the module on which the port to be spanned resides (port information to be provided by the instructor), and click the Both radio button for SPAN Traffic Direction.
Step 7   The ports available on the selected module are listed in the Available Sources list. Highlight the port dictated by the instructor, and click Add. The port moves to the Selected Sources list.
Step 8   Click Submit to configure the SPAN session.

The next steps enable monitoring of the data source.

Step 9   Choose the Setup tab and the Monitor option. Make sure the Core Monitoring suboption is chosen.

Note     When using the NAM-1 and changing SPAN sources, it is always a good idea to go through the different data source VLANs and turn off any monitoring, because those VLANs may not be part of the newly spanned data source.
Step 10  The first step is to enable monitoring for the entire data source, which is called ALL SPAN. Make sure ALL SPAN is chosen in the Data Source drop-down menu.

Q6)  How many monitoring functions are available?

Note     On the NAM-2, the ALL SPAN data source is an aggregate data source, including traffic from both Data Port 1 and Data Port 2. The NAM-2 includes data sources for Data Port 1 and Data Port 2, which configure monitoring on each individual SPAN session.

Step 11  Enable all monitoring functions except those related to the MAC layer (these would be used to see analyses based on MAC addresses, such as MAC-to-MAC conversations). Click Apply to enable the monitoring.

Next, assuming a trunk port was spanned, determine the VLANs on the trunk port and enable monitoring for the individual VLANs.

Step 12  Choose the Monitor tab and the VLAN option. Make sure the Traffic Statistics suboption is chosen and the ALL SPAN data source is selected on the displayed VLAN Traffic Statistics table.

Q7)  List the VLANs reporting traffic.

Step 13  To perform traffic analysis on an individual VLAN basis, you need to enable monitoring on each VLAN. (ALL SPAN can be viewed as an aggregate of all VLAN traffic on the spanned data source.)
Step 14  Choose the Setup tab and the Monitor option. Make sure the Core Monitoring suboption is selected.
Step 15  From the Data Source drop-down menu, select a VLAN recorded previously.
Step 16  Enable all monitoring functions except those related to the MAC layer. Click Apply to enable the monitoring.
Step 17  Repeat Steps 15 and 16 for the remaining VLANs recorded in Step 12.

Note     Not all recorded VLANs may be available in the drop-down Data Source menu.

Activity Verification
If this task is completed successfully, the analysis reports in the next task will be available.

Task 3: Viewing Traffic Analysis Reports

You will view various RMON II traffic analysis reports (apps, hosts, and conversations).
Activity Procedure
Complete these steps:

Note     You should be logged in to the NAM Traffic Analyzer desktop.

Step 1   Connect to PC1 and Server1. Repeat the copy operation of the s72033-adventerprisek9_wan-mz.122-18.SXF4.bin file on PC1 from the e:\tftp directory to the x:\tftp directory a few times.
Step 2   First, look at the available applications. Choose the Monitor tab and the Apps option. Make sure the Individual Applications suboption is chosen.
Step 3   The Applications table should be displayed, showing the most active applications in the last refresh period for the ALL SPAN data source (all traffic seen on the port spanned to the NAM).
Step 4   From the drop-down Data Source list, choose one of the listed VLANs (only VLANs with monitoring enabled should be listed). This allows you to analyze traffic on this specific VLAN.
Step 5   Click the most active protocol to see a list of all hosts that have used the application since the counters were reset.
Step 6   Highlight the most active application (radio button to the left of the application name) and click Real-Time at the bottom right of the table. Leave the new window that is displayed open for a while to view the application usage over time. Close the window after viewing.

Note     There are three basic display types: Current Rates, TopN Chart, and Cumulative Data. Also, you can sort the table by clicking on a column.

Step 7   Now change the tab option from Apps to Hosts. Make sure the Network Hosts suboption is chosen.
Step 8   A table of the most active hosts is displayed. Drill down into Host Details by clicking on a host.

Q8)  What information is displayed?

Step 9   Close the Host Details window, and from the Active Hosts table, select TopN Chart to graphically view the most active hosts.

Q9)  How many variables can the TopN host chart display?
Step 10  Now change the tab option from Hosts to Conversations. Make sure the Network Hosts suboption is selected.
Step 11  A table of all active conversations sorted by packets per second in the last refresh period is displayed. Choose Cumulative Data to view the activity of all conversations since the counters were last reset (usually when the SPAN session was changed).

Activity Verification
You have completed this task when you have successfully viewed RMON II application, host, and conversation reports.

Task 4: Creating Historical Reports

You will create a report to view the usage of the top three applications on a VLAN over time.

Activity Procedure
Complete these steps:

Note     You should be logged in to the NAM Traffic Analyzer desktop.

Step 1   Connect to PC1 and Server1. Repeat the copy operation of the s72033-adventerprisek9_wan-mz.122-18.SXF4.bin file on PC1 from the e:\tftp directory to the x:\tftp directory a couple of times.
Step 2   Use the quick report creation method. Choose the Monitor tab and the Apps option. Make sure the Individual Applications suboption is chosen.
Step 3   The Applications table should be displayed, showing the most active applications in the last refresh period. From the drop-down Data Source list, choose one of the listed VLANs.
Step 4   Highlight the most active application in the list (radio button to the left of the application name), and click Report at the bottom right of the table.
Step 5   A dialog window informs you that no report exists for this collection and asks whether you want to create one. Choose Yes. You are redirected to the Reports > Basic Reports task, where you will see an entry for your created report.
Step 6   Repeat Steps 1-4 for the next two most active applications on the selected VLAN.
Note     There will be no data available for at least 15 minutes (the default collection period for a quick-create report). The instructor will probably call for a break at this time, and the remaining steps will be finished after some time has elapsed to allow for data collection. Remember to repeat the copy operation from PC1 to Server1.

Step 7   Choose the Reports tab and the Basic Reports option. A table of the created historical reports is displayed. Make sure all your reports are listed and have the status OK.
Step 8   Choose the three reports that you created earlier by checking the box to the left of each report, and click View.
Step 9   A report is displayed showing the historical usage of the three applications on the selected VLAN.

Activity Verification
You have completed this task when you have successfully launched a historical report showing the usage of three applications on the selected VLAN.

Lab 4-1: Deploying High Availability on Cisco Catalyst 6500 Series Switch

Connectivity between VLANs is achieved by configuring Layer 3 functionality on a Layer 3 device (switch or router) in the network. But pure Layer 3 functionality by itself does not provide high availability: when a Layer 3 device fails, inter-VLAN routing is no longer available. To avoid such situations, HSRP, VRRP, and GLBP are used.

Activity Objective
In this activity, you will deploy and monitor HSRP and GLBP. After completing this activity, you will be able to meet these objectives:
■ Deploy and configure HSRP
■ Examine and verify HSRP operation using show commands
■ Deploy and configure GLBP
■ Examine and verify GLBP operation using show commands

Visual Objective
The figure illustrates what you will accomplish in this activity.

Lab 4-1: Deploying High Availability on Cisco Catalyst 6500 Series Switch
IP Addressing
The IP addressing scheme in the following table lists the IP addresses of the PCs, servers, Cisco Catalyst 6500 Series Switch VLAN interfaces and Layer 3 physical interfaces, where "P" is your pod number.

Pod Addressing

Device | IP Subnet | Mask | Device IP  | Default Gateway | VLAN
PC1    | 10.P.13.0 | /24  | 10.P.13.25 | 10.P.13.1       | 13

Device | VLAN / Interface | IP Subnet    | Mask | Device IP
6500-1 | 1                | 10.255.255.0 | /24  | 10.255.255.2
6500-2 | 1                | 10.255.255.0 | /24  | 10.255.255.3
HSRP   | 1                | 10.255.255.0 | /24  | 10.255.255.1
GLBP   | 1                | 10.255.255.0 | /24  | 10.255.255.1
6500-1 | Ten5/4           | 10.254.254.0 | /24  | 10.254.254.1
6500-2 | Ten5/4           | 10.254.254.0 | /24  | 10.254.254.2

Required Resources
These are the resources and equipment required to complete this activity:
■ Two (2) Cisco Catalyst 6500 Series Switches
■ Two (2) Cisco Catalyst 6500 Series Switch Ethernet modules
■ Two (2) Cisco Catalyst 6500 Series Switch Supervisor 720-10G-3C modules
■ Two (2) Microsoft Windows XP clients
■ Two (2) Cisco Catalyst 4900 Series Switches

Command List
The table describes the commands that are used in this activity.

Command                                  | Description
[no] shutdown                            | Disables an interface. The no form of this command enables an interface.
[no] switchport                          | Puts the switch port into Layer 2 (switched) mode. The no form of this command puts the interface into Layer 3 (routed) mode.
glbp grp-id ip virtual-ip                | Activates the Gateway Load Balancing Protocol on an interface.
glbp grp-id load-balancing round-robin   | Specifies the load-balancing method used by the active virtual gateway.
glbp grp-id preempt                      | Configures the gateway to take over as the active virtual gateway if it has a higher priority than the current AVG.
glbp grp-id priority priority            | Configures the GLBP priority of the virtual gateway.
interface intf-id                        | Enters interface configuration mode.
ip address ip-addr mask                  | Sets the IP address and subnet mask of the interface.
ping ip-addr repeat repetitions          | Performs an extended ping to an IP address with the specified number of repetitions.
show arp                                 | Displays the content of the ARP table on the switch.
show glbp vlan vlan-id                   | Displays GLBP status information for a given VLAN.
show standby                             | Displays HSRP status information.
standby grp-id ip virtual-ip             | Activates HSRP on the switch. The virtual-ip parameter defines the IP address of the virtual router.
standby grp-id preempt                   | Configures HSRP preemption for the given HSRP group.
standby grp-id priority priority         | Defines the priority for the virtual router in the HSRP group.
traceroute                               | Shows which path is being chosen for packets going to the given destination.

Task 1: Removing Previous Configurations

Ensure that no previous configuration exists on the switches in your pod and apply the initial configurations to the devices. The initial configuration includes settings for the Layer 2 interfaces used (trunking, access VLAN set, etc.), VLAN configuration, Layer 3 VLAN configuration, the correct power scheme, etc. The initial configurations are available on the individual device file systems as specified in the following steps.

Activity Procedure
Complete these steps on each switch in your pod:

Step 1   Connect to the 6500-1 switch via console and apply the following:
         ■ Replace the current running configuration with the configuration from file disk0:dcni1_lab41_6500-1 using the configure replace disk0:dcni1_lab41_6500-1 command. When asked to proceed, press Y.
         ■ Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
         ■ Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.
Step 2   Connect to the 6500-2 switch via console and apply the following:
         ■ Replace the current running configuration with the configuration from file disk0:dcni1_lab41_6500-2 using the configure replace disk0:dcni1_lab41_6500-2 command. When asked to proceed, press Y.
         ■ Verify that the switch is running the 12.2(33)SXH1 Cisco IOS image using the show version command.
         ■ Only if the switch is not running the 12.2(33)SXH1 Cisco IOS image, save the running configuration to the startup configuration and reboot the switch.
Step 3   Connect to the 4900-1 switch via console and apply the following:
         ■ Replace the current running configuration with the configuration from file bootflash:dcni1_lab41_4900-1 using the configure replace bootflash:dcni1_lab41_4900-1 command. When asked to proceed, press Y.
Step 4   Connect to the 4900-2 switch via console and apply the following:
         ■ Replace the current running configuration with the configuration from file bootflash:dcni1_lab41_4900-2 using the configure replace bootflash:dcni1_lab41_4900-2 command. When asked to proceed, press Y.

Task 2: Setting the Initial Switch Configuration

In this task you will set the initial Layer 2 and Layer 3 interface configuration on the Cisco Catalyst 6500 and 4900 Series Switches.

Activity Procedure
Complete these steps:

Step 1   Apply the following configuration on the 4900-1 switch:
         ■ Create interface VLAN1 and set IP address 10.255.255.11 255.255.255.0
Step 2   Apply the following configuration on the 4900-2 switch:
         ■ Create interface VLAN1 and set IP address 10.255.255.12 255.255.255.0
Step 3   Verify the following connectivity:
         ■ Ping from 4900-1 to 10.255.255.253 and 10.255.255.254
         ■ Ping from 4900-2 to 10.255.255.253 and 10.255.255.254

Note     The 6500-1 and 6500-2 initial configurations include EIGRP process 1, which announces routes between the two switches. Thus the pings should be successful.

    4900-1#ping 10.255.255.253
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.255.255.253, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

    4900-1#ping 10.255.255.254
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.255.255.254, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

    4900-2#ping 10.255.255.253
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.255.255.253, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

    4900-2#ping 10.255.255.254
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.255.255.254, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Task 3: Implementing HSRP

In this task, you will configure HSRP for redundancy on each of the Layer 3 devices for your workgroup. You will configure basic HSRP functionality and tune HSRP for better efficiency; that is, influence the HSRP active and standby election by setting the HSRP priority.

Activity Procedure
Complete these steps:

Step 1   Use the standby group-number ip virtual-router-ip-address command to configure HSRP on the 6500-1 switch using the following information:
         ■ Virtual IP: 10.255.255.1
         ■ HSRP group: 1
         ■ HSRP priority: 150
         ■ HSRP preempt
Step 2   Use the standby group-number ip virtual-router-ip-address command to configure HSRP on the 6500-2 switch using the following information:
         ■ Virtual IP: 10.255.255.1
         ■ HSRP group: 1
Step 3   Use the show standby command to verify HSRP operation. Your output should be similar to the following printout.

    6500-1#show standby
    Vlan1 - Group 1
      State is Active
        1 state change, last state change 00:03:46
      Virtual IP address is 10.255.255.1
      Active virtual MAC address is 0000.0c07.ac01
        Local virtual MAC address is 0000.0c07.ac01 (v1 default)
      Hello time 3 sec, hold time 10 sec
        Next hello sent in 1.744 secs
      Preemption enabled
      Active router is local
      Standby router is 10.255.255.3, priority 100 (expires in 9.568 sec)
      Priority 150 (configured 150)
      IP redundancy name is "hsrp-Vl1-1" (default)

Step 4   Verify the following connectivity:
         ■ Ping from 4900-1 to 10.P.13.25 (where "P" is your pod number)
         ■ Ping from 4900-2 to 10.P.13.25 (where "P" is your pod number)

    4900-1#ping 10.4.13.25
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

    4900-2#ping 10.4.13.25
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Step 5   Examine the MAC address for 10.255.255.1 on 4900-1 and 4900-2. It should be the same in both cases.

    4900-1#show arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  10.255.255.11           -   0019.e72a.208f  ARPA   Vlan1
    Internet  10.255.255.2           37   0017.dfd0.2400  ARPA   Vlan1
    Internet  10.255.255.3           37   0017.dfd0.3800  ARPA   Vlan1
    Internet  10.255.255.1            8   0000.0c07.ac01  ARPA   Vlan1

    4900-2#show arp
    Protocol  Address          Age (min)  Hardware Addr   Type   Interface
    Internet  10.255.255.12           -   0019.e72a.1f3f  ARPA   Vlan1
    Internet  10.255.255.2           37   0017.dfd0.2400  ARPA   Vlan1
    Internet  10.255.255.3           37   0017.dfd0.3800  ARPA   Vlan1
    Internet  10.255.255.1            8   0000.0c07.ac01  ARPA   Vlan1

Step 6   Verify that HSRP is operating in case of an active router failure. Start a continuous ping from 4900-1 to 10.P.13.25 with the ping 10.P.13.25 repeat 10000 command (where "P" is your pod number).
Step 7   Disable the VLAN1 interface on 6500-1 and observe the continuous ping issued on 4900-1. You should see a brief connectivity outage, which is eliminated once 6500-2 takes over the active role.
    4900-1#ping 10.4.13.25 repeat 10000
    Type escape sequence to abort.
    Sending 10000, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!..!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    (output continues)

    6500-2#show standby
    Vlan1 - Group 1
      State is Active
        8 state changes, last state change 00:02:58
      Virtual IP address is 10.255.255.1
      Active virtual MAC address is 0000.0c07.ac01
        Local virtual MAC address is 0000.0c07.ac01 (v1 default)
      Hello time 3 sec, hold time 10 sec
        Next hello sent in 1.408 secs
      Preemption disabled
      Active router is local
      Standby router is unknown
      Priority 100 (default 100)
      IP redundancy name is "hsrp-Vl1-1" (default)

Step 8   Examine the path that packets take between 4900-1 and PC1 using the traceroute command. Your result should be similar to the following printout.

    4900-1#traceroute 10.4.13.25
    Type escape sequence to abort.
    Tracing the route to 10.4.13.25
      1 10.255.255.3 0 msec 0 msec 0 msec
      2 10.254.254.1 0 msec 0 msec 0 msec
      3 10.4.13.25 0 msec 0 msec 0 msec

Step 9   Re-enable the Vlan1 interface on 6500-1.

Task 4: Implementing GLBP

In this task, you will configure GLBP for redundancy on each of the Layer 3 devices for your workgroup. You will configure GLBP functionality and tune GLBP for better efficiency; that is, influence the GLBP AVG election by setting the GLBP priority.

Activity Procedure
Complete these steps:

Step 1   Configure GLBP on the 6500-1 switch using the following information:
         ■ Virtual IP: 10.255.255.1
         ■ GLBP group: 1
         ■ GLBP priority: 150
         ■ GLBP preempt
         ■ Load balancing: round-robin
Step 2   Configure GLBP on the 6500-2 switch using the following information:
         ■ Virtual IP: 10.255.255.1
         ■ GLBP group: 1
         ■ Load balancing: round-robin
Step 3   Verify GLBP operation. Your output should be similar to the following printout.
    6500-1#show glbp
    Vlan1 - Group 1
      State is Active
        1 state change, last state change 00:03:52
      Virtual IP address is 10.255.255.1
      Hello time 3 sec, hold time 10 sec
        Next hello sent in 1.632 secs
      Redirect time 600 sec, forwarder time-out 14400 sec
      Preemption enabled, min delay 0 sec
      Active is local
      Standby is 10.255.255.3, priority 100 (expires in 8.032 sec)
      Priority 150 (configured)
      Weighting 100 (default 100), thresholds: lower 1, upper 100
      Load balancing: round-robin
      Group members:
        0017.dfd0.2400 (10.255.255.2) local
        0017.dfd0.3800 (10.255.255.3)
      There are 2 forwarders (1 active)
      Forwarder 1
        State is Active
          1 state change, last state change 00:03:41
        MAC address is 0007.b400.0101 (default)
        Owner ID is 0017.dfd0.2400
        Redirection enabled
        Preemption enabled, min delay 30 sec
        Active is local, weighting 100
      Forwarder 2
        State is Listen
        MAC address is 0007.b400.0102 (learnt)
        Owner ID is 0017.dfd0.3800
        Redirection enabled, 599.232 sec remaining (maximum 600 sec)
        Time to live: 14399.232 sec (maximum 14400 sec)
        Preemption enabled, min delay 30 sec
        Active is 10.255.255.3 (primary), weighting 100 (expires in 9.536 sec)

Step 4   Verify the following connectivity:
         ■ Ping from 4900-1 to 10.P.13.25 (where "P" is your pod number)
         ■ Ping from 4900-2 to 10.P.13.25 (where "P" is your pod number)

    4900-1#ping 10.4.13.25
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

    4900-2#ping 10.4.13.25
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Step 5   Examine the MAC address for 10.255.255.1 on 4900-1 and 4900-2. It is different on 4900-1 and 4900-2.
4900-1#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.255.255.11           -   0019.e72a.20ff  ARPA   Vlan1
Internet  10.255.255.1            0   0007.b400.0101  ARPA   Vlan1

4900-2#show arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.255.255.12           -   0019.e72a.1f3f  ARPA   Vlan1
Internet  10.255.255.1            0   0007.b400.0102  ARPA   Vlan1

Step 6  Verify that GLBP is operating in case of an active router failure. Start a continuous ping from 4900-1 to 10.P.13.25 with the ping 10.P.13.25 repeat 10000 command (where "P" is your pod number).

Step 7  Disable the Vlan1 interface on 6500-1 and observe the continuous ping issued on 4900-1. You should see a brief connectivity outage, which is eliminated once the 6500-2 takes over the active forwarder role.

4900-1#ping 10.4.13.25 repeat 10000
Type escape sequence to abort.
Sending 10000, 100-byte ICMP Echos to 10.4.13.25, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

6500-2#show standby
Vlan1 - Group 1
  State is Active
    8 state changes, last state change 00:02:58
  Virtual IP address is 10.255.255.1
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 1.408 secs
  Preemption disabled
  Active router is local
  Standby router is unknown
  Priority 100 (default 100)
  IP redundancy name is "hsrp-Vl1-1" (default)

Step 8  Examine the GLBP information on 6500-2 with the show glbp vlan 1 command. The output shows that 6500-2 is now the AVF for both MAC addresses.
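The following Python helper is added here as an example of checking the verification steps above programmatically; it is not part of the Cisco lab guide. It parses show glbp output of the kind printed in Steps 3 and 8, derives the well-known HSRPv1 (0000.0c07.acXX) and GLBP (0007.b4xx.xxyy) virtual MAC addresses from the group and forwarder numbers so the learnt MACs can be cross-checked, and lists the distinct MACs the two hosts resolved for the virtual IP in Step 5. The sample outputs are constructed from the printouts above and trimmed to the lines the parser uses; the generic MAC derivation goes beyond the single group-1 case shown in the lab. Requires Python 3.8 or later.

```python
"""Parse IOS 'show glbp' output and derive GLBP/HSRP virtual MACs.

Added example for the GLBP task above; not part of the Cisco lab guide.
Samples are constructed from the lab printouts and trimmed.
"""
import re

# Constructed sample: 6500-1 while it is AVG and the active forwarder 1 (Step 3).
SHOW_GLBP_BEFORE = """\
Vlan1 - Group 1
  State is Active
  Active is local
  Standby is 10.255.255.3, priority 100 (expires in 8.032 sec)
  Priority 150 (configured)
  Forwarder 1
    State is Active
    MAC address is 0007.b400.0101 (default)
    Active is local, weighting 100
  Forwarder 2
    State is Listen
    MAC address is 0007.b400.0102 (learnt)
    Active is 10.255.255.3 (primary), weighting 100 (expires in 9.536 sec)
"""

# Constructed sample: 6500-2 after 6500-1 lost its Vlan1 interface (Step 8).
SHOW_GLBP_AFTER = """\
Vlan1 - Group 1
  State is Active
  Active is local
  Standby is unknown
  Priority 100 (default)
  Forwarder 1
    State is Active
    MAC address is 0007.b400.0101 (learnt)
    Active is local, weighting 100
  Forwarder 2
    State is Active
    MAC address is 0007.b400.0102 (default)
    Active is local, weighting 100
"""

# Constructed samples: the 'show arp' rows for the virtual IP on each host (Step 5).
ARP_ROWS = [
    "Internet  10.255.255.1   0   0007.b400.0101  ARPA   Vlan1",  # seen on 4900-1
    "Internet  10.255.255.1   0   0007.b400.0102  ARPA   Vlan1",  # seen on 4900-2
]


def hsrp_v1_virtual_mac(group):
    """HSRPv1 well-known virtual MAC 0000.0c07.acXX, XX = group number (0-255)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def glbp_virtual_mac(group, forwarder):
    """GLBP virtual MAC 0007.b4xx.xxyy: 10-bit group in xx.xx, forwarder (1-4) in yy."""
    if not 0 <= group <= 1023:
        raise ValueError("GLBP group must be 0-1023")
    if not 1 <= forwarder <= 4:
        raise ValueError("GLBP forwarder number must be 1-4")
    return f"0007.b4{group >> 8:02x}.{group & 0xff:02x}{forwarder:02x}"


def parse_show_glbp(text):
    """Parse one GLBP group into a dict; each 'Forwarder N' header opens a nested dict."""
    group = {"forwarders": []}
    current = group  # group-level lines until the first Forwarder header
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Forwarder (\d+)$", line):
            current = {"number": int(m.group(1))}
            group["forwarders"].append(current)
        elif m := re.match(r"\S+ - Group (\d+)", line):
            group["group"] = int(m.group(1))
        elif m := re.match(r"State is (\w+)", line):
            current["state"] = m.group(1).lower()
        elif m := re.match(r"MAC address is ([0-9a-f.]+) \((\w+)\)", line):
            current["mac"], current["mac_origin"] = m.group(1), m.group(2)
        elif m := re.match(r"Active is (local|\d+(?:\.\d+){3})", line):
            current["active"] = m.group(1)
        elif m := re.match(r"Standby is (unknown|\d+(?:\.\d+){3})", line):
            current["standby"] = m.group(1)
        elif m := re.match(r"Priority (\d+)", line):
            current["priority"] = int(m.group(1))
    return group


def local_avf_macs(parsed):
    """Virtual MACs this router currently answers for (its active AVF roles)."""
    return sorted(f["mac"] for f in parsed["forwarders"]
                  if f["state"] == "active" and f["active"] == "local")


def forwarder_macs_consistent(parsed):
    """True if every forwarder MAC matches the derivation for its group and number."""
    return all(f["mac"] == glbp_virtual_mac(parsed["group"], f["number"])
               for f in parsed["forwarders"])


def vip_macs_seen(arp_rows, vip):
    """Distinct MACs the hosts resolved for the VIP; more than one shows load sharing."""
    return sorted({row.split()[3] for row in arp_rows if row.split()[1] == vip})
```

Before the failure, local_avf_macs reports only 0007.b400.0101 on 6500-1 and forwarder 2 points at 10.255.255.3; afterwards the 6500-2 output yields both MACs as local, which is the AVF takeover the task asks you to observe. A forwarder MAC that fails forwarder_macs_consistent would indicate output from a different group than the one you think you are looking at.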
6500-2#show glbp vlan 1
Vlan1 - Group 1
  State is Active
    2 state changes, last state change 00:01:42
  Virtual IP address is 10.255.255.1
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.632 secs
  Redirect time 600 sec, forwarder time-out 14400 sec
  Preemption disabled
  Active is local
  Standby is unknown
  Priority 100 (default)
  Weighting 100 (default 100), thresholds: lower 1, upper 100
  Load balancing: round-robin
  Group members:
    0017.dfd0.3800 (10.255.255.3) local
  There are 2 forwarders (2 active)
  Forwarder 1
    State is Active
      1 state change, last state change 00:01:42
    MAC address is 0007.b400.0101 (learnt)
    Owner ID is 0017.dfd0.2400
    Redirection enabled, 486.144 sec remaining (maximum 600 sec)
    Time to live: 14286.144 sec (maximum 14400 sec)
    Preemption enabled, min delay 30 sec
    Active is local, weighting 100
  Forwarder 2
    State is Active
      1 state change, last state change 00:16:26
    MAC address is 0007.b400.0102 (default)
    Owner ID is 0017.dfd0.3800
    Redirection enabled
    Preemption enabled, min delay 30 sec
    Active is local, weighting 100

Step 9  Examine the path that packets take between the 4900-1 and PC1 using the traceroute command. Your result should be similar to the following printout.

4900-1#traceroute 10.4.13.25
Type escape sequence to abort.
Tracing the route to 10.4.13.25
  1 10.255.255.3 0 msec 0 msec
  2 10.254.254.1 0 msec 0 msec 0 msec
  3 10.4.13.25 0 msec 0 msec 0 msec

Answer Key

The correct answers and expected solutions for the activities that are described in this guide appear here.
Lab 1-1 Answer Key: Deploying and Examining the VSS 1440 Operation

Task 1: Removing Previous Configurations

When you complete this activity, the following has been applied in the privileged (enable) mode on the 4900-1 switch, with differences that are specific to your device or workgroup:

configure replace bootflash:dcni1_lab11_4900-1

When you complete this activity, the following has been applied in the privileged (enable) mode on the 4900-2 switch, with differences that are specific to your device or workgroup:

configure replace bootflash:dcni1_lab11_4900-2

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab11_6500-1

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-2 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab11_6500-2

Task 2: Converting Standalone Chassis to VSS Mode

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

copy running-config startup-config
!
switch virtual domain 10
 switch 1
!
interface Port-channel1
 switch virtual link 1
!
interface TenGigabitEthernet5/4
 no switchport
 channel-group 1 mode on
!
interface Port-channel 1
 no shutdown

When you complete this activity, the following configuration has been applied on the 6500-2 switch, with differences that are specific to your device or workgroup:

copy running-config startup-config
!
switch virtual domain 10
 switch 2
!
interface Port-channel2
 switch virtual link 2
!
interface TenGigabitEthernet5/4
 no switchport
 channel-group 2 mode on
!
interface Port-channel 2
 no shutdown
!
interface GigabitEthernet2/3/13
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 no shutdown
!
interface GigabitEthernet2/3/14
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 no shutdown

Task 3: Deploying Multichassis EtherChannel

When you complete this activity, the following configuration has been applied on the 4900-1 switch, with differences that are specific to your device or workgroup:

interface range gigabitethernet 1/13 - 16
 channel-protocol pagp
 channel-group 10 mode desirable
 no shutdown

When you complete this activity, the following configuration has been applied on the 4900-2 switch, with differences that are specific to your device or workgroup:

interface range gigabitethernet 1/13 - 14
 channel-protocol pagp
 channel-group 20 mode desirable
 no shutdown

When you complete this activity, the following configuration has been applied on the 6500-1 (VSS) switch, with differences that are specific to your device or workgroup:

interface range GigabitEthernet 1/3/13,GigabitEthernet 2/3/13
 channel-protocol pagp
 channel-group 10 mode desirable
!
interface port-channel 10
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown
!
interface range GigabitEthernet 1/3/14,GigabitEthernet 2/3/14
 channel-protocol pagp
 channel-group 20 mode desirable
!
interface port-channel 20
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown

Task 4: Deploying BFD Dual-Active Detection Mechanisms

When you complete this activity, the following configuration has been applied on the 6500-1 (VSS) switch, with differences that are specific to your device or workgroup:

interface GigabitEthernet1/3/47
 no switchport
 ip address 10.255.1.1 255.255.255.0
 bfd interval 100 min_rx 100 multiplier 50
 no shutdown
!
interface GigabitEthernet2/3/47
 no switchport
 ip address 10.255.2.1 255.255.255.0
 bfd interval 100 min_rx 100 multiplier 50
 no shutdown
!
switch virtual domain 10
 dual-active detection bfd
 dual-active pair interface GigabitEthernet1/3/47 interface GigabitEthernet2/3/47 bfd

Demonstration 1-2 Answer Key: Deploying and Examining Cisco IOS Software Modularity

Task 1 (Demonstration): Removing Previous Configurations

When the activity is completed, the following is applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab12_6500-1
reload

Lab 1-3 Answer Key: Deploying QoS

Task 1: Removing Previous Configurations

When you complete this activity, the following has been applied in the privileged (enable) mode on the 4900-1 switch, with differences that are specific to your device or workgroup:

configure replace bootflash:dcni1_lab13_4900-1

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab13_6500-1

Task 2: Verifying Capabilities for QoS

When you complete this activity, the following configuration has been applied on the 4900-1 switch, with differences that are specific to your device or workgroup:

mls qos

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

mls qos

Task 3: Defining the Port Trust and Policy Maps

When you complete this activity, the following configuration has been applied on the 4900-1 switch, with differences that are specific to your device or workgroup:

access-list 101 permit ip host 10.4.11.10 any
!
class-map match-any CM-IP
 match access-group 101
 match ip dscp default
!
policy-map PM-ratelimitServer1
 class CM-IP
  police 2000000 25000 conform-action transmit exceed-action drop
!
interface GigabitEthernet 1/1
 service-policy input PM-ratelimitServer1

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

access-list 100 permit icmp host 10.4.13.25 host 10.4.11.10
!
class-map match-any CM-ICMP
 match access-group 100
!
policy-map PM-ratelimit
 class CM-ICMP
  police 100000 conform-action transmit exceed-action drop
!
interface GigabitEthernet 3/3
 service-policy input PM-ratelimit
!
access-list 101 permit ip host 10.4.13.25 host 10.4.11.10
!
class-map match-any CM-IP
 match access-group 101
!
policy-map PM-ratelimit
 class CM-IP
  police 50000 conform-action transmit exceed-action drop
!
interface GigabitEthernet 3/3
 no service-policy input PM-ratelimit
!
interface GigabitEthernet3/13
 mls qos trust cos

Task 4: Marking Traffic to Be Policed

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

mls qos map policed-dscp normal-burst 32 to 16
!
policy-map PM-DSCP
 class CM-IP
  police 500000 conform-action transmit exceed-action policed-dscp-transmit
!
interface GigabitEthernet 3/3
 no service-policy input PM-ratelimit
 service-policy input PM-DSCP

Task 5: Deploying CoPP

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

access-list 102 permit icmp any any
!
class-map match-any CM-icmpcopp
 match access-group 102
!
policy-map PM-copp
 class CM-icmpcopp
  police 350000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input PM-copp

Lab 1-4 Answer Key: Deploying and Examining EEM

Task 1: Removing Previous Configurations

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab14_6500-1

Task 2: Configuring and Verifying EEM Applet Operation

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

event manager applet BKPCFG
 event cli pattern "exit" sync no skip no
 action 1.0 cli command "enable"
 action 2.0 cli command "config t"
 action 3.0 cli command "file prompt quiet"
 action 4.0 cli command "exit"
 action 5.0 cli command "copy running disk0:/config-bkp"
 action 6.0 cli command "config t"
 action 7.0 cli command "no file prompt quiet"
 action 8.0 cli command "exit"

Lab 1-5 Answer Key: Deploying Automated Diagnostics

Task 1: Removing Previous Configurations

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab15_6500-1

Task 2: Using TDR for Troubleshooting

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

test cable-diagnostics tdr interface GigabitEthernet 3/13
!
interface GigabitEthernet 3/48
 no shutdown
!
test cable-diagnostics tdr interface GigabitEthernet 3/48

Task 3: Deploying Call Home Functions

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

call-home
 contact-email-addr joe@acme.com
 street-address "1 Acme rd."
 customer-id Acme001
 site-id AcmeCentralLocation
 !
 profile PR-ACME
  destination transport-method email
  destination address email joe@acme.com
  destination preferred-msg-format long-text
  active
call-home
 alert-group all
 profile PR-ACME
  subscribe-to-alert-group all severity notification
  exit
 mail-server 10.4.11.10 priority 10
service call-home

Lab 1-6 Answer Key: Deploying SPAN

Task 1: Removing Previous Configurations

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab16_6500-1

Task 2: Configuring SPAN

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

monitor session 1 source interface GigabitEthernet 3/13 both
monitor session 1 destination interface GigabitEthernet 3/3
Task 3: Configuring RSPAN

When you complete this activity, the following configuration has been applied on the 4900-1 switch, with differences that are specific to your device or workgroup:

vlan 99
 remote-span
!
monitor session 1 source interface gigabitEthernet 1/1 both
monitor session 1 destination remote vlan 99

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

no monitor session 1
!
vlan 99
 remote-span
!
monitor session 1 source remote vlan 99
monitor session 1 destination interface gigabitEthernet 3/3

Lab 2-1 Answer Key: Deploying the FWSM in Transparent Mode

Task 1: Removing Previous Configurations

When you complete this activity, the following has been applied in the privileged (enable) mode on the 4900-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab21_4900-1

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab21_6500-1

Task 2: Configuring Cisco Catalyst 6500 Series Switch Switching Functions

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

no interface vlan 11
!
vlan 10
 name Outside
!
interface vlan 10
 ip address 10.P.11.1 255.255.255.0
 no shutdown
 exit
!
firewall vlan-group 1 10,11
firewall module 2 vlan-group 1
!
session slot 2 processor 1

Task 3: Configuring FWSM Interfaces

When you complete this activity, the following configuration has been applied on the FWSM in the 6500-1 switch, with differences that are specific to your device or workgroup:

enable
configure terminal
clear config all
delete /noconfirm disk:*
!
reload
!
firewall transparent
!
interface vlan 10
 nameif outside
!
interface vlan 11
 nameif inside

Task 4: Configuring IP Parameters

When you complete this activity, the following configuration has been applied on the FWSM in the 6500-1 switch, with differences that are specific to your device or workgroup:

interface vlan 10
 bridge-group 1
!
interface vlan 11
 bridge-group 1
!
interface bvi 1
 ip address 10.P.11.2 255.255.255.0
!
route outside 0 0 10.P.11.1

Task 5: Configuring Network Access

When you complete this activity, the following configuration has been applied on the FWSM in the 6500-1 switch, with differences that are specific to your device or workgroup:

access-list allow-in extended permit icmp host 10.P.13.25 host 10.P.11.10
access-list allow-in extended permit tcp any host 10.P.11.20 eq www
!
access-list allow-out extended permit ip any any
!
access-group allow-in in interface outside
access-group allow-out in interface inside

Task 6: Demonstrating the Firewall

When you complete this activity, the following configuration has been applied on the FWSM in the 6500-1 switch, with differences that are specific to your device or workgroup:

exit
session slot 2 processor 1
enable
exit
configure terminal
!
port-channel load-balance src-dst-port
!
session slot 2 processor 1
enable
clear xlate
no firewall transparent

Lab 2-2 Answer Key: Deploying Multiple Contexts on FWSM

Task 1: Removing Previous Configurations

When you complete this activity, the following has been applied in the privileged (enable) mode on the 4900-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab22_4900-1

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab22_6500-1

Task 2: Configuring Cisco Catalyst 6500 Series Switch Switching Functions

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

vlan 10
 name outside
vlan 11
 name testing
vlan 12
 name production
!
no interface vlan 11
no interface vlan 12
!
interface vlan 10
 ip address 10.P.10.1 255.255.255.0
 no shutdown
!
firewall vlan-group 1 10,11,12
firewall module 2 vlan-group 1
!
port-channel load-balance src-dst-port
!
ip route 10.P.11.0 255.255.255.0 10.P.10.2
ip route 10.P.12.0 255.255.255.0 10.P.10.3

Task 3: Creating Contexts

When you complete this activity, the following configuration has been applied on the FWSM in the 6500-1 switch, with differences that are specific to your device or workgroup:

enable
configure terminal
mode multiple
!
session slot 2 processor 1
enable
configure terminal
!
context admin
 allocate-interface vlan10
!
context testing
 allocate-interface vlan10 test_outside
 allocate-interface vlan11 test_inside
 config-url disk:/testing.cfg
!
context production
 allocate-interface vlan10 prod_outside
 allocate-interface vlan12 prod_inside
 config-url disk:/production.cfg
exit

Task 4: Configuring Contexts

When you complete this activity, the following configuration has been applied on the FWSM in the 6500-1 switch, with differences that are specific to your device or workgroup:

changeto context admin
configure terminal
!
interface vlan 10
 nameif mgmt
 security 100
 ip address 10.P.20.254 255.255.255.0
!
http 10.P.13.25 255.255.255.255 mgmt
http server enable
aaa authentication http console LOCAL
!
username admin password bigboss privilege 15
!
route mgmt 0 0 10.P.10.1
!
exit
copy running-config startup-config
!
changeto context testing
!
configure terminal
!
interface test_inside
 nameif inside
 security 100
!
interface test_outside
 nameif outside
 security 1
 ip address 10.P.10.2 255.255.255.0
!
route outside 0 0 10.P.10.1
!
interface test_inside
 ip address 10.P.11.1 255.255.255.0
!
access-list permit-all permit ip any any
!
access-group permit-all in interface inside
access-group permit-all in interface outside
!
static (inside,outside) 10.P.11.0 10.P.11.0 netmask 255.255.255.0
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
  exit
 exit
!
username admin password testboss privilege 15
!
aaa authentication http console LOCAL
!
http 10.P.13.25 255.255.255.255 outside
!
http server enable
!
copy running-config startup-config
!
changeto context production
!
configure terminal
!
interface prod_outside
 nameif outside
 security 10
!
interface prod_inside
 nameif inside
 security 100
!
interface prod_inside
 ip address 10.P.12.1 255.255.255.0
!
interface prod_outside
 ip address 10.P.10.3 255.255.255.0
!
route outside 0 0 10.P.10.1
!
access-list internet permit ip any any
access-list public_access permit tcp any any eq www
!
access-group internet in interface inside
access-group public_access in interface outside
!
static (inside,outside) 10.P.12.0 10.P.12.0 netmask 255.255.255.0
!
username admin password prodcontrol privilege 15
!
aaa authentication http console LOCAL
http 10.P.13.25 255.255.255.255 outside
http server enable
!
copy running-config startup-config
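The following Python evaluator is added as an example and is not part of the Cisco lab guide. It parses FWSM-style extended access lists of the shape used in Lab 2-1 Task 5 and in the Lab 2-2 context configurations above, then applies them to sample flows with first-match semantics and the implicit deny at the end of every list. It also accepts the NET MASK operand form, which generalizes beyond the host/any operands in those lists. The sample entries are constructed from the lab configurations with the pod number P assumed to be 4.

```python
"""Evaluate FWSM-style extended access lists against sample flows.

Added example for the FWSM access-list tasks in Labs 2-1 and 2-2; it is
not code from the Cisco lab guide. Pod number P is assumed to be 4 in the
constructed samples below.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "https": 443}

# Constructed sample: the Lab 2-1 'allow-in' list and the Lab 2-2 production
# context 'public_access' list, with P=4 substituted.
ACL_TEXT = """\
access-list allow-in extended permit icmp host 10.4.13.25 host 10.4.11.10
access-list allow-in extended permit tcp any host 10.4.11.20 eq www
access-list public_access permit tcp any any eq www
"""


@dataclass
class Ace:
    """One access control entry; dport None means any destination port."""
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _operand(tokens):
    """Consume one address operand (any | host A.B.C.D | NET MASK); return (net, rest)."""
    head = tokens[0]
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if head == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return ipaddress.ip_network(f"{head}/{tokens[1]}"), tokens[2:]  # NET MASK form


def parse_acl(text, name):
    """Collect the ACEs of access-list NAME in configuration order."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name:
            continue
        t = t[2:]
        if t[0] == "extended":
            t = t[1:]
        action, proto, rest = t[0], t[1], t[2:]
        src, rest = _operand(rest)
        dst, rest = _operand(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def evaluate(aces, proto, src, dst, dport=None):
    """First matching ACE decides; a flow that matches nothing hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):  # 'ip' entries match every protocol
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny (implicit)"
```

Running the allow-in list through evaluate shows what the transparent firewall in Lab 2-1 actually admits from the outside: ICMP only from 10.4.13.25 to 10.4.11.10 and TCP/80 to 10.4.11.20, with anything else (an SSH attempt to the web server, ICMP from a neighbouring host) falling through to the implicit deny.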
Lab 2-3 Answer Key: Deploying the FWSM in Routing Mode

Task 1: Removing Previous Configurations

When you complete this activity, the following has been applied in the privileged (enable) mode on the 4900-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab23_4900-1

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab23_6500-1

Task 2: Configuring Cisco Catalyst 6500 Series Switch Switching Functions

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

vlan 10
 name Outside
!
vlan 11
 name DMZ
!
vlan 12
 name Inside
!
interface vlan 10
 ip address 10.P.10.1 255.255.255.0
 no shutdown
!
port-channel load-balance src-dst-port
!
firewall vlan-group 1 10,11,12
firewall module 2 vlan-group 1

Task 3: Connecting the FWSM to the Network

When you complete this activity, the following configuration has been applied on the FWSM in the 6500-1 switch, with differences that are specific to your device or workgroup:

session slot 2 processor 1
enable
configure terminal
!
interface vlan 10
 nameif outside
!
interface vlan 11
 nameif DMZ
 security 50
!
interface vlan 12
 nameif inside
!
interface vlan 10
 ip address 10.P.10.2 255.255.255.0
!
interface vlan 11
 ip address 10.1.11.1 255.255.255.0
!
interface vlan 12
 ip address 10.1.12.1 255.255.255.0
!
route outside 0 0 10.P.10.1

Task 4: Configuring NAT

When you complete this activity, the following configuration has been applied on the FWSM in the 6500-1 switch, with differences that are specific to your device or workgroup:

nat (inside) 1 10.P.12.0 255.255.255.0
!
global (outside) 1 10.P.10.100-10.P.10.200
!
global (dmz) 1 10.P.11.100-10.P.11.200
!
static (dmz,outside) 10.P.10.11 10.P.11.10

Task 5: Configuring Network Access

When you complete this activity, the following configuration has been applied on the FWSM in the 6500-1 switch, with differences that are specific to your device or workgroup:

access-list mode manual-commit
!
access-list internet permit ip any any
!
access-list public_access permit tcp any host 192.168.100.121 eq www
!
access-list maintenance permit tcp 10.1.10.0 255.255.255.0 any eq telnet
access-list maintenance permit tcp 10.1.10.0 255.255.255.0 any eq www
!
access-group public_access in interface outside
!
access-list commit
!
access-group public_access in interface outside
access-group internet in interface inside
access-group maintenance in interface dmz

Task 6: Configuring Protocol Inspection

policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
copy running-config startup-config
!
exit
copy running-config startup-config

Lab 2-4 Answer Key: Deploying the FWSM Failover

Task 1: Removing Previous Configurations

When you complete this activity, the following has been applied in the privileged (enable) mode on the 4900-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab24_4900-1

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab24_6500-1

When you complete this activity, the following has been applied in the privileged (enable) mode on the 4900-2 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab24_4900-2

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-2 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab24_6500-2

Task 2: Configuring Cisco Catalyst 6500 Series Switch Switching Functions

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

vlan 11
 name inside
vlan 10
 name outside
vlan 90
 name failover
vlan 91
 name FWSM-state
!
interface vlan10
 ip address 10.P.10.1 255.255.255.0
 no shutdown
!
firewall vlan-group 1 10,11,90,91
firewall module 2 vlan-group 1
!
interface TenGigabitEthernet 5/4
 switchport
 no shutdown
!
interface gigabitEthernet 3/14
 no shutdown
!
spanning-tree vlan 10,11 root primary

When you complete this activity, the following configuration has been applied on the 6500-2 switch, with differences that are specific to your device or workgroup:

vlan 11
 name inside
vlan 10
 name outside
vlan 90
 name failover
vlan 91
 name FWSM-state
!
interface vlan13
 ip address 10.P.13.2 255.255.255.0
 no shutdown
!
interface vlan10
 ip address 10.P.10.1 255.255.255.0
 no shutdown
!
firewall vlan-group 1 10,11,90,91
firewall module 2 vlan-group 1
!
interface TenGigabitEthernet 5/4
 switchport
 no shutdown
!
interface gigabitEthernet 3/14
 no shutdown
!
spanning-tree vlan 10,11 root primary

Task 3: Configuring Redundant FWSMs

When you complete this activity, the following configuration has been applied on the FWSM in the 6500-1 switch, with differences that are specific to your device or workgroup:

enable
configure terminal
!
failover lan interface failover vlan 90
!
failover interface ip failover 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
failover link state vlan 91
!
failover interface ip state 192.168.2.1 255.255.255.0 standby 192.168.2.2
!
failover lan unit primary

Note  On the secondary FWSM on 6500-1, enter the failover lan unit secondary command instead of the failover lan unit primary command.
!
failover
!
interface vlan 100
 nameif outside
!
interface vlan 10
 nameif inside
!
interface vlan 10
 ip address 10.P.10.1 255.255.255.0 standby 10.P.10.2
!
interface vlan 100
 ip address 192.168.100.10 255.255.255.0 standby 192.168.100.121
!
access-list permit-all permit ip any any
!
access-group permit-all in interface inside
access-group permit-all in interface outside
!
static (inside,outside) 192.168.100.100 10.P.10.10
!
route outside 10.P.50.0 255.255.255.0 192.168.100.1
route outside 10.P.50.0 255.255.255.0 192.168.100.2
!
no failover active

Lab 3-1 Answer Key: Deploying the Initial Cisco NAM Configuration

Task 1: Removing Previous Configurations

When you complete this activity, the following has been applied in the privileged (enable) mode on the 4900-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab31_4900-1

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab31_6500-1

Task 2: Configuring NAM Network Parameters

When you complete this activity, the following configuration has been applied on the 6500-1 switch, with differences that are specific to your device or workgroup:

vlan 99
 name NAM
!
interface vlan 99
 ip address 10.P.99.1 255.255.255.0
!
analysis module 4 management-port access-vlan 99
exit
!
session slot 4 processor 1

When you complete this activity, the following configuration has been applied on the NAM in the 6500-1 switch, with differences that are specific to your device or workgroup:

ip address 10.4.99.2 255.255.255.0
ip gateway 10.4.99.1
ip domain labgear.net
ip host NAM-2
ip nameserver 10.4.99.254
ip http server enable

When you complete this activity, your answers to the questions raised in the instructions will be similar to the answers here:
Q1) What is the current CPU utilization?
    The CPU utilization should be low, approximately around 1%.

Q2) What are the nine available options under the Monitor tab?
    1. Overview
    2. Apps
    3. Voice/Video
    4. Hosts
    5. Conversations
    6. VLAN
    7. DiffServ
    8. Response Time
    9. Switch

Q3) What are the five suboptions for the Alarms option of the Setup function?
    1. NAM MIB Thresholds
    2. NAM Voice Thresholds
    3. NAM Syslog
    4. Switch Thresholds
    5. NAM Trap Destination

Q4) List the path to find the NAM network parameters:
    (tab) Admin
    (option) System
    (suboption) Network Parameters

Q5) How many parameters can be set or displayed by this task (name servers count as one parameter even though up to three can be displayed)?
    Seven (7)

Q6) What privileges are to be enabled?
    Collection view

Q7) At the minimum, what information is needed to enable user authentication using a TACACS+ server?
    The TACACS+ server IP address and secret key

Lab 3-2 Answer Key: Deploying Collection Mechanisms

Q1) Which port is reporting the highest utilization?
    GigabitEthernet3/13

Q2) On the Port Stats table, what are the three options for displaying Count Types?
    1. Current Rates
    2. TopN Chart
    3. Cumulative Data

Q3) How many different variables can be graphed?
    Depends on the Cisco NAM software version

Q4) What is this table displaying?
    The data collected since the collection mechanism was started (in/out packets, bytes)

Q5) What are the four SPAN types available?
    1. Switch port
    2. VLAN
    3. EtherChannel
    4. RSPAN

Q6) How many monitoring functions are available?
    Nine (could be more, depending on the Cisco NAM software)

Q7) List the VLANs reporting traffic.
    Depends on the amount of the traffic through the switch; it should be at least VLAN 11 and 13 (or VLAN 21 and 23, respectively)

Q8) What information is displayed?
    In Packets, Out Packets, In Bytes, Out Bytes, and Non-unicast traffic

Q9) How many variables can the TopN host chart display?
    18, but depends on the Cisco NAM software version

Lab 4-1 Answer Key: Deploying High Availability on Cisco Catalyst 6500 Series Switch

Task 1: Removing Previous Configurations

When you complete this activity, the following has been applied in the privileged (enable) mode on the 4900-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab41_4900-1

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-1 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab41_6500-1

When you complete this activity, the following has been applied in the privileged (enable) mode on the 4900-2 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab41_4900-2

When you complete this activity, the following has been applied in the privileged (enable) mode on the 6500-2 switch, with differences that are specific to your device or workgroup:

configure replace disk0:dcni1_lab41_6500-2

Task 2: Setting the Initial Switch Configuration

When you complete this activity, your configuration on the 4900-1 switch will be similar to the results here, with differences that are specific to your device or workgroup:

interface vlan 1
 ip address 10.255.255.11 255.255.255.0
 no shutdown

When you complete this activity, your configuration on the 4900-2 switch will be similar to the results here, with differences that are specific to your device or workgroup:

interface vlan 1
 ip address 10.255.255.12 255.255.255.0
 no shutdown
Task 3: Implementing HSRP

When you complete this activity, your configuration on the 6500-1 switch will be similar to the results here, with differences that are specific to your device or workgroup:

interface vlan 1
 standby 1 ip 10.255.255.1
 standby 1 priority 150
 standby 1 preempt

When you complete this activity, your configuration on the 6500-2 switch will be similar to the results here, with differences that are specific to your device or workgroup:

interface vlan 1
 standby 1 ip 10.255.255.1

Task 4: Implementing GLBP

When you complete this activity, your configuration on the 6500-1 switch will be similar to the results here, with differences that are specific to your device or workgroup:

interface vlan 1
 glbp 1 ip 10.255.255.1
 glbp 1 load-balancing round-robin
 glbp 1 priority 150
 glbp 1 preempt

When you complete this activity, your configuration on the 6500-2 switch will be similar to the results here, with differences that are specific to your device or workgroup:

interface vlan 1
 glbp 1 ip 10.255.255.1
 glbp 1 load-balancing round-robin
