
Advanced CCIE Routing & Switching: Vol-II

The book covers advanced CCIE routing and switching topics through a series of labs on technologies like Frame Relay, OSPF, BGP, QoS and more.

The book covers topics like Frame Relay, RIP, EIGRP, OSPF, BGP, switching and more through a series of over 50 labs.

The labs are organized by technology and volume. Each lab builds upon the previous labs to teach configurations and troubleshooting for various routing and switching technologies.

Advanced

CCIE Routing & Switching


4.0
www.MicronicsTraining.com

Narbik Kocharians
CCIE #12410
R&S, Security, SP

VOL-II

CCIE R&S by Narbik Kocharians Advanced CCIE R&S Work Book 4.0 Page 1 of 48
2012 Narbik Kocharians. All rights reserved
Table of Contents:

Subject Page Volume


Topology 8 Vol-I
3560 Switching
Lab 1 Basic 3560 Configuration - I 14 Vol-I
Lab 2 Basic 3560 Configuration - II 51 Vol-I
Lab 3 Configuring Trunks 84 Vol-I
Lab 4 Configuring EtherChannels 136 Vol-I
Lab 5 Advanced STP Configuration 156 Vol-I
Lab 6 Multiple Spanning-Tree (802.1s) 180 Vol-I
Lab 7 Configuring Private VLANs 190 Vol-I
Lab 8 QinQ Tunneling 217 Vol-I
Lab 9 Fallback Bridging 235 Vol-I
Frame-Relay
Lab 1 Hub-and-Spoke Using Frame Map Statements 242 Vol-I
Lab 2 Hub-and-Spoke Frame-Relay Point-to-point 257 Vol-I

Lab 3 Mixture of P2P and Multipoint 262 Vol-I


Lab 4 Multipoint Frame-Relay W/O Frame maps 267 Vol-I
Lab 5 Frame-Relay and Authentication 273 Vol-I
Lab 6 Frame-Relay End-to-End Keepalives 282 Vol-I
Lab 7 Tricky Frame-Relay Configuration 297 Vol-I
Lab 8 Frame-Relay Multilinking 305 Vol-I
Lab 9 Back-to-Back Frame-Relay Connection 312 Vol-I
ODR
Lab 1 On Demand Routing 321 Vol-I
RIPv2
Lab 1 RIPv2 and Frame-Relay 327 Vol-I
Lab 2 RIPv2 Authentication 335 Vol-I
Lab 3 Advanced RIPv2 Mini Mock Lab 340 Vol-I
EIGRP
Lab 1 Eigrp Configuration 362 Vol-I
Lab 2 Advanced EIGRP Stub Configuration 398 Vol-I
Lab 3 EIGRP & Default-information 407 Vol-I
Lab 4 EIGRP Filtering 418 Vol-I

OSPF
Lab 1 Advertising Networks 427 Vol-I
Lab 2 Optimization of OSPF & Adjusting Timers 430 Vol-I
Lab 3 OSPF Authentication 437 Vol-I
Lab 4 OSPF Cost 462 Vol-I
Lab 5 OSPF Summarization 467 Vol-I
Lab 6 Virtual-links and GRE Tunnels 474 Vol-I
Lab 7 OSPF Stub, T/Stub, and NSSAs 484 Vol-I
Lab 8 OSPF Filtering 495 Vol-I
Lab 9 Additional OSPF Filtering 522 Vol-I
Lab 10 Redirecting Traffic in OSPF 531 Vol-I
Lab 11 Database Overload Protection 537 Vol-I
Lab 12 OSPF Non-Broadcast Networks 542 Vol-I
Lab 13 OSPF Broadcast Networks 551 Vol-I
Lab 14 OSPF Point-to-Point Networks 555 Vol-I
Lab 15 OSPF Point-to-Multipoint Networks 559 Vol-I
Lab 16 OSPF Point-to-Multi Network II 566 Vol-I
Lab 17 OSPF P-to-M Non-Broadcast Net 573 Vol-I
Lab 18 OSPF and NBMA 579 Vol-I
Lab 19 Forward Address Suppression 588 Vol-I
Lab 20 OSPF NSSA no-redistribution & Injection of default routes 600 Vol-I
BGP
Lab 1 Establishing Neighbor Adjacency 609 Vol-I
Lab 2 Route Reflectors 626 Vol-I
Lab 3 Conditional Adv & Back door 642 Vol-I
Lab 4 Route Dampening 657 Vol-I
Lab 5 Route Aggregation 666 Vol-I
Lab 6 The community Attribute 686 Vol-I
Lab 7 BGP Cost Community 702 Vol-I
Lab 8 BGP & Load Balancing I 711 Vol-I
Lab 9 BGP Load Balancing II 715 Vol-I
Lab 10 BGP Unequal Cost Load Balancing 719 Vol-I
Lab 11 BGP Local Preference I 727 Vol-I
Lab 12 BGP Local Preference II 738 Vol-I
Lab 13 The AS-Path Attribute 746 Vol-I
Lab 14 The Weight Attribute 754 Vol-I
Lab 15 MED 761 Vol-I
Lab 16 Filtering Using ACLs & Prefix-lists 778 Vol-I

Lab 17 Regular Expressions 788 Vol-I
Lab 18 Adv BGP Configurations 805 Vol-I
Lab 19 Administrative Distance 816 Vol-I
Lab 20 BGP Confederation 824 Vol-I
Lab 21 BGP Hiding Local AS Number 829 Vol-I
Lab 22 BGP Allowas-in 837 Vol-I
Policy Based Routing
Lab 1 PBR based on Source IP address 843 Vol-I
Redistribution
Lab 1 Basics of Redistribution-I 854 Vol-I
Lab 2 Basics of Redistribution-II 874 Vol-I
Lab 3 Advanced Redistribution 890 Vol-I
Lab 4 Routing Loops 919 Vol-I
IP SLA
Lab 1 IP SLA 938 Vol-I
Lab 2 Reliable Static Routing using IP SLA 944 Vol-I
Lab 3 Reliable Conditional Default Route Injection using IP SLA 951 Vol-I
Lab 4 Object Tracking in HSRP Using SLA 964 Vol-I
Lab 5 Object Tracking 974 Vol-I
GRE Tunnels
Lab 1 Basic Configuration of GRE Tunnels 988 Vol-I
Lab 2 Configuration of GRE Tunnels II 1000 Vol-I
Lab 3 Configuration of GRE Tunnels III 1010 Vol-I
Lab 4 GRE & Recursive loops 1017 Vol-I
QOS
Lab 1 MLS QOS 14 Vol-II
Lab 2 DSCP Mutation 30 Vol-II
Lab 3 DSCP-CoS Mapping 38 Vol-II
Lab 4 CoS-DSCP Mapping 43 Vol-II
Lab 5 IP-Precedence-DSCP Mapping 49 Vol-II
Lab 6 Individual rate Policing 54 Vol-II
Lab 7 Policed DSCP 60 Vol-II
Lab 8 Aggregate Policer 65 Vol-II
Lab 9 Priority Queuing 70 Vol-II
Lab 10 Custom Queuing 76 Vol-II
Lab 11 WFQ 80 Vol-II
Lab 12 RSVP 84 Vol-II
Lab 13 Match Access-group 90 Vol-II
Lab 14 Match Destination & Source Add MAC 95 Vol-II
Lab 15 Match Input-Interface 101 Vol-II
Lab 16 Match FR-de & Packet Length 104 Vol-II
Lab 17 Match IP Precedence vs. Match Precedence 112 Vol-II
Lab 18 Match Protocol HTTP URL, MIME & Host 123 Vol-II
Lab 19 Match Fr-dlci 131 Vol-II
Lab 20 Frame-Relay Traffic Shaping 135 Vol-II
Lab 21 Frame-Relay Traffic-shaping II 142 Vol-II
Lab 22 Frame-Relay Fragmentation 151 Vol-II
Lab 23 Frame-Relay PIPQ 155 Vol-II
Lab 24 Frame-Relay DE 162 Vol-II
Lab 25 Frame-Relay and Compression 165 Vol-II
Lab 26 CBWFQ 178 Vol-II
Lab 27 CBWFQ II 184 Vol-II
Lab 28 Converting Custom Queuing to CBWFQ 186 Vol-II
Lab 29 LLQ 189 Vol-II
Lab 30 CAR 193 Vol-II
Lab 31 Class Based Policing I 200 Vol-II
Lab 32 CB Policing II 210 Vol-II
Lab 33 WRED & CB WRED 215 Vol-II
NAT
Lab 1 Static NAT Configuration 221 Vol-II
Lab 2 Advanced Static NAT Configuration 227 Vol-II
Lab 3 Configuration of Dynamic NAT I 231 Vol-II
Lab 4 Configuration of Dynamic NAT II 234 Vol-II
Lab 5 Configuration of Dynamic NAT III 237 Vol-II
Lab 6 NAT and Load Balancing 241 Vol-II
Lab 7 Configuring PAT 244 Vol-II
Lab 8 Configuring PAR 249 Vol-II
Lab 9 Configuring Static NAT Redundancy W/HSRP 253 Vol-II
Lab 10 Stateful Translation Failover With HSRP 258 Vol-II
Lab 11 Translation of the Outside Source 264 Vol-II
Lab 12 NAT on a Stick 267 Vol-II
IP Services
Lab 1 DHCP Configuration 273 Vol-II
Lab 2 HSRP Configuration 277 Vol-II
Lab 3 VRRP Configuration 286 Vol-II
Lab 4 GLBP Configuration 293 Vol-II
Lab 5 IRDP Configuration 305 Vol-II
Lab 6 Configuring DRP 312 Vol-II
Lab 7 Configuring WCCP 314 Vol-II
Lab 8 Core Dump Using FTP 315 Vol-II
Lab 9 HTTP Connection Management 317 Vol-II
Lab 10 Configuring NTP 320 Vol-II
Lab 11 More IP Stuff 329 Vol-II
IP Prefix-List
Lab 1 Prefix-Lists 337 Vol-II

IPv6
Lab 1 Configuring Basic IPv6 364 Vol-II
Lab 2 Configuring OSPFv3 385 Vol-II
Lab 3 Configuring OSPFv3 Multi-Area 394 Vol-II
Lab 4 Summarization of Internal & External N/W 399 Vol-II
Lab 5 OSPFv3 Stub, T/Stub and NSSA networks 408 Vol-II
Lab 6 OSPFv3 Cost and Auto-cost 420 Vol-II
Lab 7 Tunneling IPv6 Over IPv4 426 Vol-II
Lab 8 Eigrp and IPv6 452 Vol-II
Security
Lab 1 Basic Router Security Configuration 477 Vol-II
Lab 2 Standard Named Access List 484 Vol-II
Lab 3 Controlling Telnet Access and SSH 488 Vol-II
Lab 4 Extended Access List IP and ICMP 495 Vol-II
Lab 5 Extended Access List OSPF & Eigrp 501 Vol-II
Lab 6 Using MQC as a Filtering tool 505 Vol-II
Lab 7 Extended Access List With Established 509 Vol-II
Lab 8 Dynamic Access List 512 Vol-II
Lab 9 Reflexive Access-Lists 522 Vol-II
Lab 10 Access-list & Time Range 529 Vol-II
Lab 11 Configuring Basic CBAC 533 Vol-II
Lab 12 Configuring CBAC 535 Vol-II
Lab 13 Configuring CBAC & Java Blocking 542 Vol-II
Lab 14 Configuring PAM 544 Vol-II
Lab 15 Configuring uRPF 546 Vol-II
Lab 16 Configuring Zone Based Firewall 552 Vol-II
Lab 17 Control Plane Policing 559 Vol-II
Lab 18 Configuring IOS IPS 566 Vol-II
Lab 19 Attacks 576 Vol-II
Lab 20 AAA Authentication 587 Vol-II
Multicasting
Lab 1 Configuring IGMP 592 Vol-II
Lab 2 Dense Mode 610 Vol-II
Lab 3 Static RP Configuration 628 Vol-II
Lab 4 Auto-RP 643 Vol-II
Lab 5 Auto-RP Filtering & Listener 665 Vol-II
Lab 6 Configuring BSR 687 Vol-II
Lab 7 Configuring MSDP 702 Vol-II
Lab 8 Anycast RP 720 Vol-II
Lab 9 MSDP/MP-BGP 730 Vol-II
Lab 10 Configuring SSM 749 Vol-II
Lab 11 Helper-Map 760 Vol-II
Lab 12 Bidirectional PIM 767 Vol-II

MPLS & L3VPNs
Lab 1 Configuring Label Distribution Protocol 785 Vol-II
Lab 2 Static & RIPv2 Routing in a VPN 855 Vol-II
Lab 3 OSPF Routing in a VPN 886 Vol-II
Lab 4 Backdoor links & OSPF 905 Vol-II
Lab 5 Eigrp Routing in a VPN 921 Vol-II
Lab 6 BGP Routing in a VPN 937 Vol-II
Lab 7 Complex VPNs and Filters 954 Vol-II

The Serial connection between R1 and R3

The Serial connection between R4 and R5

Frame-Relay Switch connections

Frame-Relay DLCI connections:

Router   Local DLCI   Connecting to:

R1       102          R2
         112          R2
         103          R3
         104          R4
         105          R5
         106          R6
         164          R4
R2       201          R1
         211          R1
         203          R3
         204          R4
         205          R5
         206          R6
R3       301          R1
         302          R2
         304          R4
         305          R5
         306          R6
R4       401          R1
         402          R2
         403          R3
         405          R5
         406          R6
         461          R1
R5       501          R1
         502          R2
         503          R3
         504          R4
         506          R6
R6       601          R1
         602          R2
         603          R3
         604          R4
         605          R5
QOS
Lab 1 MLS QOS

Lab Setup:

Configure F0/19 interface of SW1 and SW2 as a Dot1Q trunk.

Configure SW1 and SW2 in a VTP domain called TST.

Configure F0/1 and F0/2 interface of SW1 in VLAN 100.

Configure F0/3 interface of SW2 as a Dot1Q trunk.

Configure F0/1 interface of R3 as a Dot1Q trunk for VLAN 100.

You can copy and paste the initial configurations from the init directory

IP addressing:

Router   Interface / IP address      VLAN

R1       F0/0 = 10.1.1.1 /24         100
R2       F0/0 = 10.1.1.2 /24         100
R3       F0/1.100 = 10.1.1.3 /24     100

Task 1

Shut down all unused ports on SW1 and SW2.

On Switch 1
SW1(config)#int range f0/3-18 , f0/20-24
SW1(config-if-range)#shut

On Switch 2
SW2(config)#int range f0/1-2 , f0/4-18 , f0/20-24
SW2(config-if-range)#shut

Task 2

Configure SW1's port F0/2 such that it marks all ingress traffic with a CoS marking of 2;
do not configure MQC for this purpose. For verification purposes, R3 should be
configured to match on CoS values of 0-7 ingress on its F0/1.100 subinterface.

In this step, R3 is configured to match on incoming CoS values of 0-7; this is done so the policy can be
tested and verified.

On R3:
R3(config)#class-map cos0
R3(config-cmap)#match cos 0

R3(config)#class-map cos1
R3(config-cmap)#match cos 1

R3(config)#class-map cos2
R3(config-cmap)#match cos 2

R3(config)#class-map cos3
R3(config-cmap)#match cos 3

R3(config)#class-map cos4
R3(config-cmap)#match cos 4

R3(config)#class-map cos5
R3(config-cmap)#match cos 5

R3(config)#class-map cos6
R3(config-cmap)#match cos 6

R3(config)#class-map cos7
R3(config-cmap)#match cos 7

R3(config)#policy-map TST
R3(config-pmap)#class cos0
R3(config-pmap)#class cos1
R3(config-pmap)#class cos2
R3(config-pmap)#class cos3
R3(config-pmap)#class cos4
R3(config-pmap)#class cos5
R3(config-pmap)#class cos6
R3(config-pmap)#class cos7

R3(config)#int f0/1.100
R3(config-subif)#service-policy in TST

On SW1

By default, QOS is disabled and the switch will NOT modify the CoS, IP-Precedence, or the DSCP
values of received traffic. To verify:

SW1#Show mls qos

QoS is disabled
QoS ip packet dscp rewrite is enabled

The following command enables mls QoS; to perform any kind of QoS configuration, MLS QoS must
be enabled.

SW1(config)#mls qos

To verify the configuration:

On SW1
SW1#Show mls qos

QoS is enabled
QoS ip packet dscp rewrite is enabled

To continue with the configuration:
SW1(config)#int f0/2

The following command assigns a default CoS value of 2 to untagged traffic received through this
interface.

SW1(config-if)#mls qos cos 2

To verify the configuration:

On SW1
SW1#Show mls qos inter f0/2

FastEthernet0/2
trust state: not trusted
trust mode: not trusted
trust enabled flag: ena
COS override: dis
default COS: 2
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based

To test the configuration:

On R2:
R2#Ping 10.1.1.3

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

To verify the test:

On R3:
R3#Show policy-map interface | s cos0

Class-map: cos0 (match-all)

4 packets, 472 bytes
5 minute offered rate 0 bps
Match: cos 0

R3#Show policy-map interface | s cos2

Class-map: cos2 (match-all)


0 packets, 0 bytes
5 minute offered rate 0 bps
Match: cos 2

The mls qos cos command on its own does NOTHING. It should be combined with either mls qos
cos override or mls qos trust cos. When it is combined with mls qos trust cos, ONLY the
untagged traffic is affected, but if it is combined with mls qos cos override, then all traffic (tagged or
untagged) is affected.

NOTE: Even though the interface is configured with mls qos cos 2, the traffic coming in on that
interface is NOT affected. To mark ALL traffic with a CoS marking of 2, which means all traffic
regardless of its marking, the port must be configured to override the existing CoS.

The following command configures the switch port to trust CoS on its F0/2 interface, so that ALL
incoming untagged traffic receives the port's default CoS value. The mls qos cos override command
will be tested later:

SW1(config)#int f0/2
SW1(config-if)#mls qos trust cos

To verify the configuration:

On SW1
SW1#Sh mls qos interface f0/2

FastEthernet0/2
trust state: trust cos
trust mode: trust cos
trust enabled flag: ena
COS override: dis
default COS: 2
DSCP Mutation Map: Default DSCP Mutation Map
Trust device: none
qos mode: port-based

To test the configuration:

On R3:
R3#Clear counters
Clear "show interface" counters on all interfaces [confirm]

Press Enter to allow the counters to be cleared.

On R2:
R2#Ping 10.1.1.3

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

To verify the test:

On R3:
R3#Sh policy-map inter | s cos0

Class-map: cos0 (match-all)


0 packets, 0 bytes
5 minute offered rate 0 bps
Match: cos 0

R3#Show policy-map interface | s cos2

Class-map: cos2 (match-all)


5 packets, 590 bytes
5 minute offered rate 0 bps
Match: cos 2

NOTE: The output of the above show command reveals that all traffic (in this case untagged) that is
sourced from R2 is marked with a CoS value of 2. However, tagged traffic will retain its CoS marking.

Task 3

Configure SW1 and R1 as follows:

F0/1 interface of SW1 should be configured as a Dot1Q trunk.

Disable mls qos and remove the mls qos cos 2 and mls qos trust cos
commands from F0/2 interface of SW1.

Configure the F0/0.100 subinterface on R1; this subinterface should be configured
based on the following:

o R1's F0/0.100 interface should be configured as a DOT1Q trunk belonging to VLAN 100
o R1's F0/0.100 should be assigned an IP address of 10.1.1.1 /24
o R1's F0/0.100 should be configured to mark all egress traffic with a CoS
value of 6

On SW1
SW1(config)#default inter f0/1

SW1(config)#int f0/2
SW1(config-if)#no mls qos trust cos
SW1(config-if)#no mls qos cos 2

SW1(config)#int f0/1
SW1(config-if)#swi trunk enc do
SW1(config-if)#swi mode trunk
SW1(config-if)#no shut

SW1(config)#no mls qos

To verify the configuration

On SW1
SW1#Show int trunk

Port Mode Encapsulation Status Native vlan


Fa0/1 on 802.1q trunking 1
Fa0/19 on 802.1q trunking 1

Port Vlans allowed on trunk


Fa0/1 1-4094
Fa0/19 1-4094

Port Vlans allowed and active in management domain
Fa0/1 1,100
Fa0/19 1,100

Port Vlans in spanning tree forwarding state and not pruned


Fa0/1 none
Fa0/19 1,100

On R1:
R1(config)#default inter f0/0

R1(config-if)#int f0/0.100
R1(config-subif)#encap dot1q 100
R1(config-subif)#ip addr 10.1.1.1 255.255.255.0

R1(config)#policy-map TST
R1(config-pmap)#class class-default
R1(config-pmap-c)#set cos 6

R1(config-pmap-c)#int F0/0.100
R1(config-subif)#service-policy out TST

To test the configuration:

On R3:
R3#Clear counters

On R1:
R1#Ping 10.1.1.3 rep 60

Type escape sequence to abort.


Sending 60, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (60/60), round-trip min/avg/max = 1/1/4 ms

On R3:
R3#Sh policy-map inter | s cos6

Class-map: cos6 (match-all)

60 packets, 7080 bytes
5 minute offered rate 0 bps
Match: cos 6

Note: All traffic generated by R1 has a CoS marking of 6. The traffic retained its CoS marking because
the mls qos command is NOT configured.

Task 4

Enable mls qos on SW1 and configure SW1 to trust the CoS marking of any traffic
coming through its F0/1 interface.

On SW1
SW1(config)#mls qos

If ONLY mls qos was configured on SW1 and R1 was generating traffic with a CoS marking of 6,
the switch (SW1) would drop the CoS marking and R3 would see all traffic generated by R1 with a CoS
value of 0. If the F0/1 interface of SW1 is configured to trust CoS, when the switch receives the
traffic, it will NOT rewrite or drop the layer two marking. The switch will also consult the CoS-to-
DSCP mapping. Since SW1's default CoS-to-DSCP mapping is NOT changed, and by default it maps
CoS 0 to DSCP 0, R3 will also see a DSCP value of 0 in the ToS byte of all incoming traffic from R1.

SW1(config)#int f0/1
SW1(config-if)#mls qos trust cos

To test the configuration

On R3:
R3#Clear counters

On R1:
R1#Ping 10.1.1.3 repeat 60

Type escape sequence to abort.


Sending 60, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (60/60), round-trip min/avg/max = 1/1/4 ms

On R3:
R3#Show policy-map interface | s cos6

Class-map: cos6 (match-all)


60 packets, 7080 bytes
5 minute offered rate 0 bps
Match: cos 6

Task 5
Configure SW1 using the following policy:

1. All ingress untagged traffic from R1 should be marked with a CoS value of 1.

2. All ingress tagged traffic from R1 should retain its CoS value of 6.

3. All ingress traffic (tagged or untagged) from R2 should be marked with a CoS
value of 3.

To configure items 1 and 2:

On SW1

SW1(config)#int f0/1
SW1(config-if)#mls qos trust cos
SW1(config-if)#mls qos cos 1

To verify the configuration:

On R3:

R3#Clear counter

On R1:
R1#Ping 10.1.1.3 rep 10

Type escape sequence to abort.


Sending 10, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 1/1/4 ms

On R3:

Since the traffic generated by R1 was tagged, meaning that it contains the VLAN-ID, it retained its
marking.

R3#Show policy-map interface | s cos6

Class-map: cos6 (match-all)


10 packets, 1180 bytes
5 minute offered rate 0 bps
Match: cos 6

Let us configure R1 so that it generates untagged traffic, so we can test the first item in the task. This is
done for testing purposes ONLY:

On R1:
R1(config)#int f0/0.100
R1(config-subif)#encapsulation dot1q 100 NATIVE

The above command will pop the VLAN-ID and traffic will be sent in its native form.

On SW1
SW1(config)#int f0/1
SW1(config-if)#switchport trunk native vlan 100

If the above command is NOT configured on the F0/1 interface of SW1, the traffic generated by R1 will
belong to VLAN 1 (the default VLAN) and NOT VLAN 100.

To test and verify the configuration:

On R3:

R3#Clear counter

On R1:
R1#Ping 10.1.1.3 rep 100

Type escape sequence to abort.

Sending 100, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/4 ms

On R3:
R3#Show policy-map interface | s cos6

Class-map: cos6 (match-all)


0 packets, 0 bytes
5 minute offered rate 0 bps
Match: cos 6

R3#Show policy-map interface | s cos1

Class-map: cos1 (match-all)


100 packets, 11800 bytes
5 minute offered rate 0 bps
Match: cos 1

To configure item 3; remember that R2 is NOT configured to mark its egress traffic:

On SW1
SW1(config)#int f0/2
SW1(config-if)#mls qos cos 3
SW1(config-if)#mls qos cos override

To test and verify the configuration:

On R3:

R3#Clear counter

On R2:
R2#Ping 10.1.1.3 rep 30

Type escape sequence to abort.


Sending 30, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (30/30), round-trip min/avg/max = 1/1/4 ms

On R3:
R3#Show policy-map interface | s cos3

Class-map: cos3 (match-all)


30 packets, 3540 bytes
5 minute offered rate 0 bps
Match: cos 3

To test tagged and untagged traffic, the following configures R2 with an F0/0.100
subinterface for VLAN 100, marking all outbound traffic with a CoS value of 7.

The following tests tagged traffic:

On R2:
R2(config)#default inter f0/0

R2(config-if)#int f0/0.100
R2(config-subif)#encap dot1q 100
R2(config-subif)#ip address 10.1.1.2 255.255.255.0

R2(config)#policy-map tst
R2(config-pmap)#class class-default
R2(config-pmap-c)#set cos 7

R2(config-pmap-c)#int f0/0.100
R2(config-subif)#service-policy output tst

The F0/2 interface of SW1 is also configured as a trunk interface:

On SW1
SW1(config)#int f0/2
SW1(config-if)#swi trunk encap dot
SW1(config-if)#swi mode trunk
SW1(config-if)#no swi acc v 100

To see the configuration of SW1's F0/2 interface:

On SW1

SW1#Show run int f0/2 | b inter

interface FastEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
mls qos cos 3
mls qos cos override

To test and verify the configuration:

On R3:

R3#Clear counter

On R2:
R2#Ping 10.1.1.3 rep 33

Type escape sequence to abort.


Sending 33, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (33/33), round-trip min/avg/max = 1/1/4 ms

On R3:
R3#Show policy-map interface | s cos3

Class-map: cos3 (match-all)


33 packets, 3894 bytes
5 minute offered rate 0 bps
Match: cos 3

To test untagged traffic one more time:

On R2:
R2(config)#int f0/0.100
R2(config-subif)#encap dot1q 100 NATIVE

On SW1
SW1(config)#int f0/2
SW1(config-if)#swi trun nat vlan 100

On R3:

R3#Clear counter

On R2:
R2#Ping 10.1.1.3 rep 30

Type escape sequence to abort.


Sending 30, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (30/30), round-trip min/avg/max = 1/1/4 ms

On R3:
R3#Show policy-map interface | s cos3

Class-map: cos3 (match-all)


30 packets, 3540 bytes
5 minute offered rate 0 bps
Match: cos 3

Reconfigure the F0/0 interfaces of R1 and R2, and SW1's F0/1 and F0/2 interfaces, such that
they resemble the following:

On R1:
interface FastEthernet0/0.100
encapsulation dot1Q 100 native
ip address 10.1.1.1 255.255.255.0
service-policy output TST

policy-map TST
class class-default
set cos 6

On R2:
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0

On SW1

SW1#Show run int f0/1 | b interface
interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
switchport mode trunk
mls qos cos 1
mls qos trust cos
end

SW1#Show run int f0/2 | b interface


interface FastEthernet0/2
switchport access vlan 100
switchport mode access
mls qos cos 3
mls qos cos override
end

Task 6

SW2 should be configured such that it marks all traffic from any of the routers connected
to SW1 (tagged or untagged) with a CoS value of 5. DO NOT configure R1, R2, or SW1
to accomplish this task.

Based on the existing configuration, untagged traffic from R1 is marked with a CoS value of 1,
whereas, tagged traffic from R1 is marked with a CoS value of 6. All traffic from R2 (tagged or
untagged) is marked with a CoS value of 3.

On R3:

R3#Clear counters

On SW2
SW2(config)#mls qos

NOTE: The mls qos command will drop the CoS marking in all traffic; this means that traffic
generated by R1 or R2 will be marked with a CoS value of 0.

To test and verify the configuration:

On R1:
R1#Ping 10.1.1.3 rep 60

Type escape sequence to abort.


Sending 60, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (60/60), round-trip min/avg/max = 1/1/4 ms

On R2:
R2#Ping 10.1.1.3 rep 70

Type escape sequence to abort.

Sending 70, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:


!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (70/70), round-trip min/avg/max = 1/1/4 ms

On R3:
R3#Show policy-map interface | s cos6|cos7|cos0

Class-map: cos0 (match-all)


130 packets, 15340 bytes
5 minute offered rate 0 bps
Match: cos 0

Class-map: cos6 (match-all)


0 packets, 0 bytes
5 minute offered rate 0 bps
Match: cos 6

Class-map: cos7 (match-all)


0 packets, 0 bytes
5 minute offered rate 0 bps
Match: cos 7

Let us configure the task and mark all traffic ingress to SW2 with a CoS marking of 5:

On SW2
SW2(config)#int f0/19
SW2(config-if)#mls qos cos 5
SW2(config-if)#mls qos cos override

To test and verify the configuration:

On R3:

R3#Clear counters

On R1:
R1#Ping 10.1.1.3 rep 60

Type escape sequence to abort.


Sending 60, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (60/60), round-trip min/avg/max = 1/1/4 ms

On R2:
R2#Ping 10.1.1.3 rep 70

Type escape sequence to abort.


Sending 70, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (70/70), round-trip min/avg/max = 1/1/4 ms

On R3:
R3#Show policy-map interface | s cos6|cos7|cos0

Class-map: cos0 (match-all)


0 packets, 0 bytes
5 minute offered rate 0 bps
Match: cos 0

Class-map: cos6 (match-all)


0 packets, 0 bytes
5 minute offered rate 0 bps
Match: cos 6

Class-map: cos7 (match-all)


0 packets, 0 bytes
5 minute offered rate 0 bps
Match: cos 7

R3#Show policy-map interface | s cos5

Class-map: cos5 (match-all)


130 packets, 15340 bytes
5 minute offered rate 0 bps
Match: cos 5

NOTE: All traffic, regardless of its marking, is marked with a CoS value of 5. Therefore, if these
commands are used on a trunk link, all traffic will be affected regardless of its marking or VLAN.
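
The marking rules shown across Tasks 2 to 6 (QoS disabled, untrusted port, mls qos trust cos, mls qos cos override) can be written as one decision function, which is useful when checking where the marking trust boundary of a switched path really sits. The following Python model is an added example, not part of the workbook; it replays the lab's tests and returns the CoS value R3 should count. The names Port, ingress_cos, cos_at_r3 and replay are hypothetical, and the model covers only the behaviour described in this lab (no trust dscp, policy maps or CoS-to-DSCP maps).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Port:
    """Ingress QoS settings of one switch port (hypothetical model type)."""
    default_cos: int = 0      # "mls qos cos <n>"
    trust_cos: bool = False   # "mls qos trust cos"
    override: bool = False    # "mls qos cos override"


def ingress_cos(mls_qos: bool, port: Port, frame_cos: Optional[int]) -> int:
    """Return the CoS a frame carries after ingress.

    frame_cos is the 802.1p value of a tagged frame, or None for an
    untagged frame (access port or native VLAN).
    """
    if not mls_qos:
        # QoS disabled globally: the switch does not modify markings.
        return 0 if frame_cos is None else frame_cos
    if port.override:
        # Override: every frame, tagged or untagged, gets the port default.
        return port.default_cos
    if port.trust_cos:
        # Trust CoS: tagged frames keep their value, untagged get the default.
        return port.default_cos if frame_cos is None else frame_cos
    # QoS enabled but port not trusted: the marking is dropped.
    return 0


def cos_at_r3(hops, frame_cos: Optional[int]) -> int:
    """Carry a frame through a list of (mls_qos, Port) ingress hops.

    The SW1-SW2 link is a trunk whose native VLAN is 1, so VLAN 100 frames
    arrive at the second switch tagged with the CoS set by the first.
    """
    for mls_qos, port in hops:
        frame_cos = ingress_cos(mls_qos, port, frame_cos)
    return frame_cos


# Port settings below are the ones configured in the lab text.
SW2_QOS_OFF = (False, Port())                        # SW2 before Task 6
SW1_F01 = (True, Port(default_cos=1, trust_cos=True))
SW1_F02 = (True, Port(default_cos=3, override=True))

SCENARIOS = [
    # (label, ingress hops, CoS sent by the router or None if untagged)
    ("T2 R2 untagged, cos 2 only", [(True, Port(default_cos=2)), SW2_QOS_OFF], None),
    ("T2 R2 untagged, cos 2 + trust",
     [(True, Port(default_cos=2, trust_cos=True)), SW2_QOS_OFF], None),
    ("T3 R1 tagged 6, mls qos off", [(False, Port()), SW2_QOS_OFF], 6),
    ("T4 R1 tagged 6, trust cos", [(True, Port(trust_cos=True)), SW2_QOS_OFF], 6),
    ("T5 R1 tagged 6", [SW1_F01, SW2_QOS_OFF], 6),
    ("T5 R1 untagged", [SW1_F01, SW2_QOS_OFF], None),
    ("T5 R2 untagged", [SW1_F02, SW2_QOS_OFF], None),
    ("T5 R2 tagged 7", [SW1_F02, SW2_QOS_OFF], 7),
    ("T6 R1 via SW2, mls qos only", [SW1_F01, (True, Port())], None),
    ("T6 R2 via SW2, mls qos only", [SW1_F02, (True, Port())], None),
    ("T6 R1 via SW2, override 5",
     [SW1_F01, (True, Port(default_cos=5, override=True))], None),
    ("T6 R2 via SW2, override 5",
     [SW1_F02, (True, Port(default_cos=5, override=True))], None),
]


def replay():
    """Run every lab scenario and return {label: CoS seen by R3}."""
    return {label: cos_at_r3(hops, cos) for label, hops, cos in SCENARIOS}


if __name__ == "__main__":
    for label, cos in replay().items():
        print(f"{label:32} -> R3 counts CoS {cos}")
```
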

Task 7

Erase the startup configuration on R1-3 and SW1 & SW2, as well as the vlan.dat of the two
switches, and reload these devices before proceeding to the next lab.

Lab 2 DSCP-Mutation

Lab Setup:
Copy and paste the initial configuration from the init directory

Task 1

Configure an MQC on R1 such that all packets going out of its F0/0 interface are marked
with a DSCP value of 1. For verification purposes, R3's F0/1 interface should be
configured to match on DSCP values of 0-7 for all ingress traffic. Ensure that mls qos
is disabled on both switches.

On both switches:

SWx#Sh mls qos

QoS is disabled
QoS ip packet dscp rewrite is enabled

The following configuration marks all egress traffic with a DSCP value of 1:

On R1:
R1(config)#policy-map TST
R1(config-pmap)#class class-default
R1(config-pmap-c)#set ip dscp 1

R1(config)#int f0/0
R1(config-if)#service-policy out TST

On R3:

The following configuration is done for verification and testing purposes:

R3(config)#class-map dscp0
R3(config-cmap)#match ip dscp 0

R3(config)#class-map dscp1
R3(config-cmap)#match ip dscp 1

R3(config)#class-map dscp2
R3(config-cmap)#match ip dscp 2

R3(config)#class-map dscp3
R3(config-cmap)#match ip dscp 3

R3(config)#class-map dscp4
R3(config-cmap)#match ip dscp 4

R3(config)#class-map dscp5
R3(config-cmap)#match ip dscp 5

R3(config)#class-map dscp6
R3(config-cmap)#match ip dscp 6

R3(config)#class-map dscp7
R3(config-cmap)#match ip dscp 7

R3(config)#policy-map TST
R3(config-pmap)#class dscp0
R3(config-pmap)#class dscp1
R3(config-pmap)#class dscp2
R3(config-pmap)#class dscp3
R3(config-pmap)#class dscp4
R3(config-pmap)#class dscp5
R3(config-pmap)#class dscp6
R3(config-pmap)#class dscp7

R3(config)#int f0/1
R3(config-if)#service-policy in TST

To test the configuration:

On R1:
R1#Ping 10.1.1.3 rep 10

Type escape sequence to abort.


Sending 10, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.!!!!!!!!!
Success rate is 90 percent (9/10), round-trip min/avg/max = 1/1/4 ms

On R3:
R3#Sh policy-map inter | s dscp1

Class-map: DSCP1 (match-all)


9 packets, 1026 bytes
5 minute offered rate 0 bps
Match: ip dscp 1

Task 2
Configure SW2 such that if the incoming traffic is marked with a DSCP value of 1, it is
overwritten to a DSCP value of 60. DO NOT configure a class-map or a policy-map to
accomplish this task. Use R3 to verify the configuration.

DSCP-Mutation can be configured on SW2 to accomplish this task; there are four steps in configuring
DSCP-mutation, and they are as follows:

Step 1:

mls qos MUST be enabled:

On SW2

SW2(config)#mls qos

Remember, once mls qos is enabled, the marking of all traffic is zeroed out, meaning that
incoming traffic marked with any DSCP value will match a DSCP value of 0 on R3. The
following proves this point:

On SW2
SW2#Show mls qos

QoS is enabled
QoS ip packet dscp rewrite is enabled

To test the configuration:

On R3

R3#Clear counter

On R1:
R1#Ping 10.1.1.3 rep 100

Type escape sequence to abort.


Sending 100, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/4 ms

On R3:
R3#Sh policy-map inter | s dscp1

Class-map: DSCP1 (match-all)


0 packets, 0 bytes
5 minute offered rate 0 bps
Match: dscp 1

R3#Sh policy-map inter | s dscp0

Class-map: DSCP0 (match-all)


100 packets, 11400 bytes
5 minute offered rate 2000 bps
Match: dscp default (0)

Step 2:
Remember, if mls qos trust dscp is NOT configured, this configuration will NOT have any effect on
the packets, because SW2 will drop the marking of the incoming traffic. To configure the trust state:

On SW2
SW2(config)#int f0/19
SW2(config-if)#mls qos trust dscp

To verify this information:

On SW2
SW2#Show mls qos int f0/19 | inc trust state

trust state: trust dscp

NOTE: If CoS were trusted, the output of the above command would have stated "trust state: trust
CoS". Since ONLY DSCP is trusted, the trust state is DSCP.

To test this information:

On R3:

R3#Clear counters

On R1:
R1#Ping 10.1.1.3 rep 100

Type escape sequence to abort.


Sending 100, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/4 ms

On R3:
R3#Sh policy-map inter | s dscp0

Class-map: DSCP0 (match-all)


0 packets, 0 bytes
5 minute offered rate 0 bps
Match: dscp default (0)

R3#Sh policy-map inter | s dscp1

Class-map: DSCP1 (match-all)


100 packets, 11400 bytes
5 minute offered rate 0 bps
Match: dscp 1

Step 3:
In this step, a custom DSCP-Mutation map is configured. Remember that if this custom mapping is
NOT configured, the default DSCP-Mutation map will be used. The default DSCP-Mutation map
cannot be changed and it is configured as one to one, meaning that the incoming DSCP value will
always match the outgoing DSCP value.

In this step, a custom DSCP-Mutation map named TST is configured. This custom DSCP-Mutation
map maps the incoming DSCP value (in this case 1) to an outgoing DSCP value of 60.

To see the default DSCP-Mutation map:


SW2#Show mls qos map dscp-mutation

Dscp-dscp mutation map:


Default DSCP Mutation Map:
d1 : d2 0 1 2 3 4 5 6 7 8 9
---------------------------------------
0 : 00 01 02 03 04 05 06 07 08 09
1 : 10 11 12 13 14 15 16 17 18 19
2 : 20 21 22 23 24 25 26 27 28 29
3 : 30 31 32 33 34 35 36 37 38 39
4 : 40 41 42 43 44 45 46 47 48 49
5 : 50 51 52 53 54 55 56 57 58 59
6 : 60 61 62 63

Note that the d1 column specifies the most significant digit of the DSCP value of
incoming packets, whereas the d2 row specifies the least significant digit of the
DSCP value of incoming packets.

The intersection of the d1 and d2 values (the body of the output) provides
the DSCP value of the outgoing packets.

NOTE: The output of the above show command reveals that, by default, the incoming DSCP value of 1
is re-written to the outgoing DSCP value of 1.

Let's configure a custom DSCP-Mutation map called TST that maps the incoming DSCP value of 1
to an outgoing DSCP value of 60:

SW2(config)#mls qos map dscp-mutation TST 1 to 60

To verify the configuration:

On SW2
SW2#Show mls qos map dscp-mutation TST

Dscp-dscp mutation map:


TST:
d1 : d2 0 1 2 3 4 5 6 7 8 9
---------------------------------------
0 : 00 60 02 03 04 05 06 07 08 09
1 : 10 11 12 13 14 15 16 17 18 19
2 : 20 21 22 23 24 25 26 27 28 29
3 : 30 31 32 33 34 35 36 37 38 39
4 : 40 41 42 43 44 45 46 47 48 49
5 : 50 51 52 53 54 55 56 57 58 59
6 : 60 61 62 63

Once the custom DSCP-Mutation map is configured, it must be applied to the F0/19 interface (trunk
interface) of SW2.

SW2(config)#int f0/19
SW2(config-if)#mls qos dscp-mutation TST

To verify the configuration:

On SW2
SW2#Show mls qos int f0/19 | inc DSCP

DSCP Mutation Map: TST

Step 4:
In the final step of this configuration, you MUST ensure that DSCP re-writes are enabled. If this is
disabled, then the DSCP marking will NOT be re-written. Let's verify this information:

To verify if the DSCP re-writes are enabled:

On SW2
SW2#Show mls qos

QoS is enabled
QoS ip packet dscp rewrite is enabled

By default, DSCP rewrites are enabled ONLY if mls qos is enabled. Let's test and see if the incoming
DSCP value of 1 is rewritten to a DSCP value of 60:

On R3, we need to match on DSCP 60 so we can test and verify the configuration:

On R3:
R3(config)#class-map dscp60
R3(config-cmap)#match ip dscp 60

R3(config)#policy-map TST
R3(config-pmap)#class dscp60

To test the configuration:

On R1:
R1#Ping 10.1.1.3 rep 60

Type escape sequence to abort.


Sending 60, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (60/60), round-trip min/avg/max = 1/1/4 ms

On R3:
R3#Sh policy-map inter | s dscp60

Class-map: DSCP60 (match-all)


60 packets, 6840 bytes
5 minute offered rate 2000 bps
Match: ip dscp 60

Let's disable the rewrites and verify/test the configuration:

On SW2

SW2(config)#No mls qos rewrite ip dscp

To verify the configuration:

On SW2

SW2#Show mls qos

QoS is enabled
QoS ip packet dscp rewrite is disabled

To test the configuration:

On R3:
R3#Clear counters

On R1:
R1#Ping 10.1.1.3 rep 10

Type escape sequence to abort.


Sending 10, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 1/1/4 ms

On R3:
R3#Sh policy-map inter | s dscp1

Class-map: DSCP1 (match-all)


10 packets, 1140 bytes
5 minute offered rate 0 bps
Match: dscp 1

Let's enable the rewrites:

On SW2
SW2(config)#mls qos rewrite ip dscp
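
The following is an added example, not part of the workbook: it parses the d1/d2 table printed by "show mls qos map dscp-mutation", lists every entry that departs from the default one-to-one map, and models how the four steps above combine for one ingress DSCP value. The function names are hypothetical, the sample text is constructed from the TST output shown in Step 3, and the order of the checks in egress_dscp is an assumption chosen to reproduce the results observed on R3.

```python
import re

# Constructed sample: the TST map as displayed on SW2 in Step 3.
SHOW_TST = """\
Dscp-dscp mutation map:
TST:
d1 : d2 0 1 2 3 4 5 6 7 8 9
---------------------------------------
0 : 00 60 02 03 04 05 06 07 08 09
1 : 10 11 12 13 14 15 16 17 18 19
2 : 20 21 22 23 24 25 26 27 28 29
3 : 30 31 32 33 34 35 36 37 38 39
4 : 40 41 42 43 44 45 46 47 48 49
5 : 50 51 52 53 54 55 56 57 58 59
6 : 60 61 62 63
"""

# A data row is "<d1> : <two-digit cells>"; header and separator lines do not match.
ROW = re.compile(r"^\s*(\d)\s*:\s*(\d{2}(?:\s+\d{2})*)\s*$")

def parse_map(text):
    """Return {ingress DSCP: egress DSCP} from a d1/d2 table."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # map name, column header, dashes
        d1 = int(m.group(1))  # most significant digit of the ingress DSCP
        for d2, cell in enumerate(m.group(2).split()):
            table[d1 * 10 + d2] = int(cell)
    if sorted(table) != list(range(64)):
        raise ValueError("expected exactly 64 DSCP entries (0-63)")
    return table

def remarked(table):
    """Entries that differ from the default one-to-one mutation map."""
    return {i: o for i, o in table.items() if i != o}

def egress_dscp(dscp, qos=True, trust_dscp=False, mutation=None, rewrite=True):
    """Model (assumption) of Steps 1-4 for a single ingress DSCP value."""
    if not qos or not rewrite:
        return dscp  # QoS off or rewrites off: marking is left untouched
    if not trust_dscp:
        return 0     # QoS on, untrusted port: marking is zeroed out
    return (mutation or {}).get(dscp, dscp)
```

Running remarked() over the map applied to each trusted interface gives a quick list of every value the switch will silently re-mark.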

Task 3

Erase the startup configuration on R1-3 and SW1 & SW2, and the vlan.dat file of the two
switches, and reload these devices before proceeding to the next lab.

Lab 3 DSCP-CoS Mapping

Lab Setup:

You can copy and paste the initial configuration from the init directory

Task 1
For testing and verification of this lab, configure R3 to match on incoming CoS markings
of 0-7 using an MQC; this policy should be applied inbound to R3's F0/1.100
subinterface.

On R3:
R3(config)#class-map cos0
R3(config-cmap)#match cos 0

R3(config)#class-map cos1
R3(config-cmap)#match cos 1

R3(config)#class-map cos2
R3(config-cmap)#match cos 2

R3(config)#class-map cos3

R3(config-cmap)#match cos 3

R3(config)#class-map cos4
R3(config-cmap)#match cos 4

R3(config)#class-map cos5
R3(config-cmap)#match cos 5

R3(config)#class-map cos6
R3(config-cmap)#match cos 6

R3(config)#class-map cos7
R3(config-cmap)#match cos 7

R3(config)#policy-map TST
R3(config-pmap)#class cos0
R3(config-pmap)#class cos1
R3(config-pmap)#class cos2
R3(config-pmap)#class cos3
R3(config-pmap)#class cos4
R3(config-pmap)#class cos5
R3(config-pmap)#class cos6
R3(config-pmap)#class cos7

R3(config)#int f0/1.100
R3(config-subif)#service-policy in TST

Task 2

Configure R1 such that it marks all outgoing traffic with a DSCP value of 5.

On R1:
R1(config)#policy-map TST
R1(config-pmap)#class class-default
R1(config-pmap-c)#set ip dscp 5

R1(config)#int f0/0
R1(config-if)#service-policy out TST

Task 3

Configure SW2 such that it maps the DSCP value of 5 in incoming packets to a CoS
value of 6.

Before configuring this task, the default DSCP-CoS mapping should be displayed, using the following
command:

On SW2
SW2#Sh mls qos map dscp-cos

Dscp-cos map:
d1 : d2 0 1 2 3 4 5 6 7 8 9
---------------------------------------
0 : 00 00 00 00 00 00 00 00 01 01
1 : 01 01 01 01 01 01 02 02 02 02
2 : 02 02 02 02 03 03 03 03 03 03
3 : 03 03 04 04 04 04 04 04 04 04
4 : 05 05 05 05 05 05 05 05 06 06
5 : 06 06 06 06 06 06 07 07 07 07
6 : 07 07 07 07

Note that the output of the above show command displays the default DSCP to CoS mapping. It means that
if the mls qos trust dscp command is configured, then the DSCP marking of incoming packets is
mapped to an outgoing CoS value according to the DSCP-CoS map.

The incoming DSCP values are shown in the d1 column and the d2 row, whereas the outgoing CoS
values are identified in the body of this display, at the intersection of the d1 column and the d2 row.

NOTE: By default every eight DSCP values are mapped to a single CoS value. This mapping can affect
the entire switch, and a custom mapping cannot be configured.

By default, an incoming DSCP value of 5 is rewritten to an outgoing CoS value of 0. To accomplish this
task, we have to modify this mapping so the incoming DSCP value of 5 is rewritten to an outgoing CoS
value of 6.

To test & verify the default configuration:

The following command MUST be configured, so the incoming DSCP values are trusted. If this is NOT
configured, the incoming DSCP values will NOT be rewritten to an outgoing CoS value.

On SW2

SW2(config)#mls qos

SW2(config)#int f0/19
SW2(config-if)#mls qos trust dscp

To verify the configuration:

On SW2
SW2#Show mls qos int f0/19 | inc trust state

trust state: trust dscp

To test the configuration:

A ping is generated from R1 with a repeat count of 60 and verified on R3:

On R1:
R1#Ping 10.1.1.3 repeat 60

Type escape sequence to abort.


Sending 60, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 98 percent (59/60), round-trip min/avg/max = 1/1/4 ms

To verify the configuration:

On R3:
R3#Sh policy-map interface | s cos0

Class-map: COS0 (match-all)


59 packets, 6962 bytes
5 minute offered rate 0 bps
Match: cos 0

Note: DSCP 5 is mapped to a CoS value of 0 because of the default mapping that is in use.

In the next step the default DSCP-CoS mapping is changed to map an incoming DSCP value of 5 to an
outgoing CoS value of 6:

On SW2

SW2(config)#mls qos map dscp-cos 5 to 6

NOTE: The first value (5) is the DSCP value in the incoming packets and the second value (6) is the
CoS value in the outgoing packets.

To test & verify the configuration:

On R3:
R3#Clear counters

On R1:
R1#Ping 10.1.1.3 repeat 60

Type escape sequence to abort.


Sending 60, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (60/60), round-trip min/avg/max = 1/1/4 ms

On R3:

Note: incoming packets that have a marking of DSCP 5 are mapped to an outgoing CoS value of 6 and
NOT 0:

R3#Sh policy-map interface | s COS0

Class-map: COS0 (match-all)


0 packets, 0 bytes
5 minute offered rate 0 bps
Match: cos 0

R3#Sh policy-map interface | s COS6

Class-map: COS6 (match-all)


60 packets, 7080 bytes
5 minute offered rate 0 bps
Match: cos 6

Question:
What happened to the incoming DSCP value? Was it dropped altogether?

Answer:
The best man to explain this is Mr. IOS, so let's test:

On R3
R3(config)#class-map d5
R3(config-cmap)#match ip dscp 5

R3(config)#int f0/1.100
R3(config-subif)#No service-policy in tst

R3(config)#Policy-map tst
R3(config-pmap)#No class c6
R3(config-pmap)#class d5

R3(config)#Int f0/1.100
R3(config-subif)#service-policy in tst

R3#Clear counter

On R1
R1#Ping 10.1.1.3 rep 100

Type escape sequence to abort.


Sending 100, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/1/4 ms

On R3
R3#Show policy-map interface | s d5
Class-map: d5 (match-all)
100 packets, 11800 bytes
5 minute offered rate 2000 bps
Match: ip dscp 5

Let's remove d5 and add back c6, which matches a CoS value of 6:

On R3
R3(config)#Int F0/1.100
R3(config-subif)#No service-policy in tst

R3(config)#Policy-map tst
R3(config-pmap)#No class d5
R3(config-pmap)#class c6

R3(config)#Int F0/1.100
R3(config-subif)#service-policy in tst

Let's test again:

On R1
R1#Ping 10.1.1.3 rep 60

Type escape sequence to abort.


Sending 60, 100-byte ICMP Echos to 10.1.1.3, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (60/60), round-trip min/avg/max = 1/1/4 ms

On R3
R3#Show policy-map interface | s c6
Class-map: c6 (match-all)
60 packets, 7080 bytes
5 minute offered rate 0 bps
Match: cos 6

So we can clearly see that the DSCP value was not changed at all, but in the
Layer 2 encapsulation, the CoS value was changed to 6.
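
The result above at the byte level, as an added example that is not part of the workbook: CoS lives in the 802.1Q tag and DSCP in the IPv4 ToS byte, so a DSCP-to-CoS mapping touches only the tag. The frame is constructed (placeholder MAC addresses, VLAN 100 and source 10.1.1.1 are assumptions, checksum left at zero) and the function names are hypothetical.

```python
import struct

def build_frame(dscp, cos=0, vlan=100):
    """Constructed 802.1Q-tagged Ethernet header followed by a 20-byte IPv4 header."""
    macs = bytes(12)                                   # placeholder dst + src MAC
    tag = struct.pack("!HH", 0x8100, (cos << 13) | vlan)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 1, 0,
                     bytes([10, 1, 1, 1]), bytes([10, 1, 1, 3]))
    return macs + tag + struct.pack("!H", 0x0800) + ip

def markings(frame):
    """Return (cos, dscp): the tag's priority bits and the upper six ToS bits."""
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != 0x8100 or ethertype != 0x0800:
        raise ValueError("expected an 802.1Q-tagged IPv4 frame")
    return tci >> 13, frame[19] >> 2

def apply_dscp_cos(frame, overrides=None):
    """Set CoS from the trusted DSCP; the IP header is copied through unchanged."""
    _, dscp = markings(frame)
    # Default map: every eight DSCP values share one CoS value (dscp >> 3).
    cos = (overrides or {}).get(dscp, dscp >> 3)
    tci = struct.unpack("!H", frame[14:16])[0]
    new_tci = (cos << 13) | (tci & 0x1FFF)             # keep DEI bit and VLAN ID
    return frame[:14] + struct.pack("!H", new_tci) + frame[16:]
```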

Task 4

Erase the startup configuration on R1-3 and SW1 & SW2, and the vlan.dat file of the two
switches, and reload these devices before proceeding to the next lab.
