Get on CLN and get on VIRL

34. Re: Cisco Live Vegas

Jack Jan 22, 2016 12:06 PM (in response to arteq)

CLN/CLUS-LV meet up would be awesome! Please keep me in the loop.

 

One of the reasons i purchased VIRL was based on your youtube videos! So hopefully you’ll keep them coming!

I still have affection for GNS3, it’s where i “grew up” in terms of Cisco. I wouldn’t have obtained my CCNA without it. But the limits of GNS3 affected my CCNP Switch studies, so I had to spend the money.. But I don’t regret the decision!

Do you know where to find any CCNP Switch-VIRL labs? (without a price tag). Just a stab in the dark on that one!

CCNP SWITCH 300-115 2.1 Configure and verify switch security features

2.1.a DHCP snooping

In this segment we will cover DHCP, as well as DHCP Snooping. It seems the blueprint is remiss in mentioning DHCP in its own line item so we will briefly cover it here as you cannot have DHCP Snooping without DHCP.

DHCP is easy enough; there are only 2 requirements for it so long as you are using a single subnet, as we will do here for the sake of simplicity. The minimum requirements call for a default-router and a DHCP network for address assignment. You could establish a lease period, DNS, and many other delimiters,  but they are not minimum requirements. It is a good idea to include a domain-name but usually that has already been configured.

DHCP is the Dynamic Host Configuration Protocol. It eases administration by allowing clients to broadcast for Ip addresses and a default gateway, among other parameters. A lot easier than statically configuring a bunch of windows or linux boxes in any size environment. The usual method is for a dedicated server to handle the chore, but Cisco was kind enough to include it in its routers and switches, and on it’s exams.

So the first step  will be to set up a DHCP server. Keep in mind the acronym DORA, dis, off, req, ack and you can easily memorize the dhcp process. Discover, Offer, Request, Acknowledge.

Option 82 or the information option is a player in the VIRL canvas. Option 82 is turned on by default and does further fact checking for validity on untrusted ports especially in the case of relays. We can avoid this by turning off option 82 at the switch, or by enabling option 82 on the access ports, the untrusted ports, however, here we will turn it off on the switch. You can find out more detail about option 82 on the internet, in fact Petr Lapukhov has a great article about it on his INE blog. Just do a search for “option 82 Petr” and that should be your first hit.

Let’s get down to configuration.

Now that we have DHCP in place and operational, we can talk about DHCP Snooping. DHCP Snooping is designed to disallow rogue DHCP servers from inhabiting your network and dishing out false Ip addresses and gateways to your clients. This is performed by establishing a trust between authorized devices and thereby building a reference database for cross checking. Remember, only untrusted connections will be leased ip addresses and assigned to the snooping database, along with their associated mac’s and vlan’s. It is vital to understand that trusted connections are established between server and switch or router and switch or switch and switch, not switch and access ports.

There are three essential items to get DHCP Snooping operational. Of course there are other options but we will discuss the minimum. They
are:

Turn on dhcp snooping

turn on dhcp snooping for the Vlan or Vlan’s

and establish trust between the server and switch.

here we go:

VIDEO

https://www.youtube.com/watch?v=_pRDz-B_O8U

 

 

SWITCH 300-115 1.5 Configure and verify EtherChannels

1.5.d EtherChannel misconfiguration guard
Etherchannel misconfiguration guard is enabled by default and does what it says it does; helps prevent misconfiguration of etherchannels.
We know that the interfaces we bundle into a channel need to have matching configurations or they will not be suitable, but often enough they are mistakenly put together in a hurry without verifying both sides interfaces first. Etherchannel misconfiguration guard will place the channel in errdissable state and issues an error message if it detects a possible misconfiguration.
To verify that etherchannel guard misconfig is in place as the default use:
sh spann summ | i Ether
If you do break the etherchannel by purposely misconfiguring, or not, you can reenable the channel with shut/no shut or by adjusting the errdisable recovery time interval.
VIDEO