CertificationZone Page 1 of 14 http://www.certificationzone.com/studyguides/s ./?Issue=5&IssueDate=01-01-2000&CP= 11/06/01 Date of Issue: 01-01-2000 Bridging Lab Scenarios by David Wolsefer Introduction Scenario 1 - A LAT Challenge Equipment The Setup Objectives Solution R4's Configuration R6's Final Configuration Scenario 2 - Troubleshooting IRB Equipment Objectives The Setup R1: R2: R3: R4: Hints Bugs Revealed Solution R2 Final Configuration: R3 Final Configuration: R4 Final Configuration: R1 Final Configuration: Introduction I developed these scenarios during my own preparation for the CCIE laboratory exam. The first scenario is designed to demonstrate how to configure a LAT service and use both one and two step LAT translation. The second scenario is a complex IRB scenario requiring the reader to troubleshoot numerous routers and illustrates a number of key issues one might encounter when configuring both transparent bridging and IRB. Scenario 1 - A LAT Challenge Equipment This scenario requires 3 routers and the proper version of IOS. I suggest you use Enterprise or Enterprise Plus IOS. The actual routers I used were a 2511 for R1, a 2513 for R4, and a 2524 for R6. The Setup CertificationZone Page 2 of 14 http://www.certificationzone.com/studyguides/s ./?Issue=5&IssueDate=01-01-2000&CP= 11/06/01 Objectives Disable IP routing on R6 and remove all IP addresses from R6. Enable LAT on the E0 interface of R6 and configure a LAT service named CCIE. Verify using appropriate debug and show commands. Configure R4 to translate the 160.10.1.2 address to the LAT CCIE service. Verify one-step translation by Telnetting to 160.10.1.2 from R1. If the translation is configured correctly, you will find yourself at R6 as seen below: r1#160.10.1.2 Trying 160.10.1.2 . Open Trying CCIE .Open Notice that you in effect Telnetted to R4, where one-step translation LATed you to R6. Now try two-step translation. Telnet into R4 and then LAT to CCIE as shown below: r4#lat CCIE Trying CCIE .Open r6# Solution R4's Configuration Current configuration: ! version 11.3 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname r4 ! ! ip tcp synwait-time 5 no ip domain-lookup ! interface Loopback0 ip address 160.10.1.1 255.255.255.0 ! interface Ethernet0 ip address 172.16.40.4 255.255.255.0 lat enabled ! interface Serial0 no ip address encapsulation frame-relay no ip mroute-cache lat enabled no fair-queue clockrate 56000 no frame-relay inverse-arp ! interface Serial0.1 point-to-point ip address 172.16.60.4 255.255.255.0 ip ospf network non-broadcast frame-relay interface-dlci 201 ! interface Serial1 no ip address shutdown ! interface TokenRing0 CertificationZone Page 3 of 14 http://www.certificationzone.com/studyguides/s ./?Issue=5&IssueDate=01-01-2000&CP= 11/06/01 ip address 172.16.240.4 255.255.255.0 ring-speed 16 ! router ospf 1 redistribute connected subnets passive-interface TokenRing0 network 172.16.40.0 0.0.0.255 area 0 network 172.16.60.0 0.0.0.255 area 0 ! ip classless ! translate tcp 160.10.1.2 lat CCIE alias exec r show run alias exec i show ip route alias exec br show ip int brief ! line con 0 exec-timeout 0 0 privilege level 15 line aux 0 line vty 0 4 privilege level 15 no login ! end R6's Final Configuration r6#r Building configuration . Current configuration: ! version 11.3 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname r6 ! ! no ip routing <--------- IP routing completely disabled ip tcp synwait-time 5 no ip domain-lookup ! ! ! interface Ethernet0 no ip address no ip route-cache lat enabled <---------- LAT enabled on E0 interface ! ip classless ! lat service CCIE enabled <-- LAT service "CCIE" enabled lat service SHOWRUN autocommand show run lat service SHOWRUN enabled ! alias exec r show run alias exec i show ip route alias exec br sho ip int brief ! line con 0 privilege level 15 line aux 0 line vty 0 4 privilege level 15 no login ! end Scenario 2 - Troubleshooting IRB CertificationZone Page 4 of 14 http://www.certificationzone.com/studyguides/s ./?Issue=5&IssueDate=01-01-2000&CP= 11/06/01 Equipment This scenario requires 4 routers to complete as is. R5 is not really necessary since we are just pinging the BVI interface, which would route to R5. Objectives The objective of this lab is to troubleshoot a complex scenario using multiple routers configured for transparent bridging and IRB. When the network is configured correctly, you should be able to ping from the S0.1 interface of R2 to the BVI interface of R3. The IP address of R2's sub-interface S0.1 is 172.16.70.2 and the IP address of R3's BVI Interface is 172.16.70.3. You need to make sure that R1 is always the root bridge and that all bridging loops are eliminated. Use the IEEE spanning tree protocol. You may only use the "bridge 1 route IP" statement on a single router. All traffic must traverse the R4 router. You should remove all IP routing on R1 and R4 and all IP addresses on R1, R4, and R3's Serial 0.1 and Ethernet 1 Interfaces. R3 may only route on the E 0 interface. All other interfaces on R3 should be configured for bridging only. The Setup The following configurations should be cut and pasted into your routers before beginning troubleshooting. If you do not have routers that have the same interfaces as depicted in the diagram, adjust your configurations as necessary. Here are the configurations: R1: Current configuration: ! version 11.3 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname r1 ! ! no ip routing ip tcp synwait-time 5 no ip domain-lookup ip host frsw 2001 1.1.1.1 CertificationZone Page 5 of 14 http://www.certificationzone.com/studyguides/s ./?Issue=5&IssueDate=01-01-2000&CP= 11/06/01 ip host r2 2004 1.1.1.1 ip host r3 2003 1.1.1.1 ip host r4 2002 1.1.1.1 ip host r6 2006 1.1.1.1 ! ! ! interface Loopback0 ip address 1.1.1.1 255.255.255.255 no ip route-cache no ip mroute-cache ! interface Loopback10 description DO NOT DISTURB - for use by golab scripts ip address 10.255.255.254 255.255.255.0 no ip route-cache no ip mroute-cache ! interface Ethernet0 no ip address no ip route-cache no ip mroute-cache shutdown no lat enabled ! interface Serial0 no ip address encapsulation frame-relay no ip route-cache no ip mroute-cache lat enabled clockrate 56000 no frame-relay inverse-arp ! interface Serial0.1 point-to-point no ip route-cache no ip mroute-cache frame-relay interface-dlci 102 bridge-group 1 ! interface Serial0.2 multipoint no ip route-cache no ip split-horizon no ip mroute-cache bridge-group 1 bridge-group 1 priority 255 ! interface Serial1 ip address 192.168.4.1 255.255.255.0 encapsulation x25 dce no ip route-cache no ip mroute-cache shutdown x25 address 112233 x25 map ip 192.168.4.2 556677 broadcast clockrate 56000 ! ip classless ! ! bridge irb bridge 1 protocol ieee bridge 1 priority 128 alias exec r show run alias exec i show ip route alias exec br show ip int brief alias exec s show ses ! line con 0 exec-timeout 0 0 privilege level 15 line 1 8 modem Host transport input all line 9 16 line aux 0 CertificationZone Page 6 of 14 http://www.certificationzone.com/studyguides/s ./?Issue=5&IssueDate=01-01-2000&CP= 11/06/01 line vty 0 4 privilege level 15 no login ! end R2: Current configuration: ! version 11.3 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname r2 ! ! no ip routing ip tcp synwait-time 5 no ip domain-lookup ! ! ! interface Serial0 no ip address encapsulation frame-relay no ip route-cache no ip mroute-cache ! interface Serial0.1 point-to-point ip address 172.16.70.2 255.255.255.0 no ip route-cache frame-relay interface-dlci 401 ! interface Serial1 no ip address no ip route-cache shutdown ! interface TokenRing0 no ip address no ip route-cache shutdown ! interface BRI0 no ip address no ip route-cache shutdown ! ip classless ! ! alias exec r show run alias exec i show ip route alias exec br show ip int brief ! line con 0 exec-timeout 0 0 privilege level 15 line aux 0 line vty 0 4 privilege level 15 no login ! end R3: r3#sh run Building configuration . Current configuration: CertificationZone Page 7 of 14 http://www.certificationzone.com/studyguides/s ./?Issue=5&IssueDate=01-01-2000&CP= 11/06/01 ! version 11.3 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname r3 ! ! no ip routing ip tcp synwait-time 5 no ip domain-lookup ! ! ! interface Ethernet0 ip address 172.16.30.3 255.255.252.0 no ip route-cache ! interface Ethernet1 no ip address no ip route-cache bridge-group 1 ! interface Serial0 no ip address encapsulation frame-relay no ip route-cache no ip mroute-cache ! interface Serial0.1 point-to-point no ip route-cache frame-relay interface-dlci 301 bridge-group 1 ! interface Serial1 no ip address no ip route-cache shutdown ! interface BVI1 ip address 172.16.70.3 255.255.255.0 ! ip classless ! ! bridge irb bridge 1 protocol ieee alias exec r show run alias exec i show ip route alias exec br show ip int brief ! line con 0 exec-timeout 0 0 privilege level 15 line aux 0 line vty 0 4 privilege level 15 no login ! end R4: r4#r Building configuration . Current configuration: ! version 11.3 service timestamps debug uptime service timestamps log uptime no service password-encryption ! CertificationZone Page 8 of 14 http://www.certificationzone.com/studyguides/s ./?Issue=5&IssueDate=01-01-2000&CP= 11/06/01 hostname r4 ! ! no ip routing ip tcp synwait-time 5 no ip domain-lookup ! ! ! interface Ethernet0 no ip address no ip route-cache bridge-group 1 bridge-group 1 priority 0 ! interface Serial0 no ip address encapsulation frame-relay no ip route-cache no ip mroute-cache no fair-queue clockrate 56000 ! interface Serial0.1 point-to-point no ip route-cache frame-relay interface-dlci 201 bridge-group 1 ! interface Serial1 no ip address no ip route-cache shutdown ! interface TokenRing0 no ip address no ip route-cache shutdown ! ip classless ! ! bridge irb bridge 1 protocol dec alias exec r show run alias exec i show ip route alias exec br show ip int brief ! line con 0 exec-timeout 0 0 privilege level 15 line aux 0 line vty 0 4 privilege level 15 no login ! end Hints 1. Use the Show Span command to make sure each router is running the IEEE spanning tree protocol and that the correct interfaces are blocking. 2. Use the Debug Span Tree command to see where BPDUs are being forwarded 3. Use the Show Bridge command to see which MAC addresses each router is bridging. 4. Use the Show Interface IRB command to see which interfaces are routing and bridging IP. 5. Use the Debug Span Events command to monitor a given bridge's state. Is it forwarding, blocking, listening, or learning? CertificationZone Page 9 of 14 http://www.certificationzone.com/studyguides/s ./?Issue=5&IssueDate=01-01-2000&CP= 11/06/01 6. Is the correct port blocking or forwarding? Which port is the root port? Which port is the designated port? Which bridge is the root bridge? You may need to manipulate priority to make sure the correct router is the root bridge. 7. Use the show IP protocol command to make sure R1 and R4 are not routing IP. 8. Do you need a frame map statement for physical and multipoint interfaces when you are bridging? 9. You must have the "bridge 1 route IP" command if you want to route and bridge on a given router using IRB. Bugs Revealed Each router has two different bugs. Here is a breakdown of the bugs: • R1, changed the router's priority to 255 making R1 least likely to be the root bridge • R1, eliminated the frame map bridge statements, these statements are necessary for NBMA networks • R4, changed the spanning tree protocol to DEC, the correct protocol is IEEE • R4, changed router's priority to 0, making it the root bridge instead of R1 • R3, missing bridge 1 route ip statement, this is necessary for the BVI to route IP to an interface • R3, is missing a cost 65535 statement, which is necessary to place interface s 0.1 into blocking state and eliminate the bridging loop. Solution Test that your solution is correct by pinging the BVI IP address on R3 from R2. Do a trace route to see that all the routers in between are configured as transparent bridges. Sample output is given below followed by the final configuration for each router: r2#trace 172.16.70.3 Type escape sequence to abort. Tracing the route to 172.16.70.3 1 172.16.70.3 116 msec * 100 msec r2#ping 172.16.70.3 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.70.3, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 184/196/204 ms r2# R2 Final Configuration: Note: R2 has no special configuration since it is a non-bridging router r2#r Building configuration . Current configuration: ! version 11.3 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname r2 ! CertificationZone Page 10 of 14 http://www.certificationzone.com/studyguides/s ./?Issue=5&IssueDate=01-01-2000&CP= 11/06/01 ! no ip routing ip tcp synwait-time 5 no ip domain-lookup ! ! ! interface Serial0 no ip address encapsulation frame-relay no ip route-cache no ip mroute-cache ! interface Serial0.1 point-to-point ip address 172.16.70.2 255.255.255.0 no ip route-cache frame-relay interface-dlci 401 ! interface Serial1 no ip address no ip route-cache shutdown ! interface TokenRing0 no ip address no ip route-cache shutdown ! interface BRI0 no ip address no ip route-cache shutdown ! ip classless ! ! alias exec r show run alias exec i show ip route alias exec br show ip int brief ! line con 0 exec-timeout 0 0 privilege level 15 line aux 0 line vty 0 4 privilege level 15 no login ! end R3 Final Configuration: r3#r Building configuration . Current configuration: ! version 11.3 service timestamps debug uptime service timestamps log uptime no service password-encryption ! hostname r3 ! ! no ip routing ip tcp synwait-time 5 no ip domain-lookup ! ! ! interface Ethernet0 ip address 172.16.30.3 255.255.252.0 no ip route-cache [...]... 2002 1.1.1.1 ip host r6 2006 1.1.1.1 ! ! ! interface Loopback0 ip address 1.1.1.1 255.255.255.255 no ip route-cache no ip mroute-cache ! interface Loopback10 description DO NOT DISTURB - for use by golab scripts ip address 10.255.255.254 255.255.255.0 http://www.certificationzone.com/studyguides/s /?Issue=5&IssueDate=01-01-2000&CP= 11/06/01 CertificationZone Page 13 of 14 no ip route-cache no ip mroute-cache . http://www.certificationzone.com/studyguides/s ./?Issue=5&IssueDate=01-01-2000&CP= 11/06/01 Date of Issue: 01-01-2000 Bridging Lab Scenarios by David Wolsefer Introduction Scenario 1 - A LAT Challenge. Final Configuration: Introduction I developed these scenarios during my own preparation for the CCIE laboratory exam. The first scenario is designed to