Lab 7: Ethernet Switching, VLAN Trunking, and Spanning Tree Root Placement, Part II

Lab Walkthrough

Attach the switches by using Cat 5 Ethernet crossover cables. A switch in a back-to-back mode requires a crossover cable. Attach the routers with Cat 5 patch cables to the switches, as illustrated in Figure 2-39. In building this model, you will begin with the configuration of the Ethernet switches and end with the configuration of the routers. Let's begin by defining VLANs and assigning IP subnets to them. Figure 2-40 more accurately reflects the network VLANs, HSRP, and IP addresses at this point.

Figure 2-40. Game LAN Ethernet Network

You also need to define and create the following VLANs:

The VLAN IDs do not need to match the subnet; we purposely match the VLAN ID to the subnet to make the network more self-documenting. You will begin by configuring the gl_switch1 device. In this model, this device is a Catalyst in the 4000/5500/6500 family. Recall the four-step configuration process from earlier in this chapter:
Step 1 calls for you to configure basic switch management. Because you are not using VLAN 1 as the default VLAN, you will need to create a new default VLAN before configuring the management interface. To allow IP access to the switch, you also need to configure a password. Example 2-47 demonstrates the creation of the VTP domain, VLANs, and the new management interface on gl_switch1.

Example 2-47 Initial Configuration gl_switch1

Console> (enable) set prompt gl_switch1
gl_switch1 (enable) set vtp domain funtime
VTP domain funtime modified
gl_switch1 (enable) set vlan 16
Vlan 16 configuration successful
gl_switch1 (enable) set vlan 17
Vlan 17 configuration successful
gl_switch1 (enable) set vlan 128 name management
Vlan 128 configuration successful
gl_switch1 (enable)
gl_switch1 (enable) set int sc0 128 172.16.128.13 255.255.255.0
Interface sc0 vlan set, IP address and netmask set.
gl_switch1 (enable) set ip route 0.0.0.0 172.16.128.1
Route added.
gl_switch1 (enable)

Example 2-47 also shows the addition of a default route. The set ip route 0.0.0.0 172.16.128.1 command causes the switch to forward all IP traffic to this address. This address needs to be on the same subnet as the management interface, in this case subnet 172.16.128.0/24. To ensure that the VTP domain is active, use the show vtp domain command to check for configuration errors.

You already have begun to configure the first phase of Step 2, and normally you still would need to assign ports to VLANs. This switch, however, doesn't have any ports in VLANs to configure. This switch has only trunks to the other switches. Therefore, you can skip to Step 3 and define the trunks. To configure the trunks, set them to a static 802.1q trunking mode. Example 2-48 demonstrates the configuration of the trunk lines on gl_switch1.

Example 2-48 Trunk Configuration on gl_switch1

gl_switch1 (enable) set trunk 2/1 dot1q
Port(s) 2/1 trunk type set to dot1q.
gl_switch1 (enable) set trunk 2/1 on
Port(s) 2/1 trunk mode set to on.
gl_switch1 (enable) set trunk 2/14 dot1q
Port(s) 2/14 trunk type set to dot1q.
gl_switch1 (enable) set trunk 2/14 on
Port(s) 2/14 trunk mode set to on.
gl_switch1 (enable) set trunk 2/20 dot1q
Port(s) 2/20 trunk type set to dot1q.
gl_switch1 (enable) set trunk 2/20 on
Port(s) 2/20 trunk mode set to on.
gl_switch1 (enable)

The final step calls for you to fine-tune Spanning Tree. This step cannot be completed until all the trunks are up and operational. When the entire network is converged, routers included, you can come back and tune STP on all the switches. For now, configure the rest of the switches in the domain.

The initial configurations of gl_switch2 and gl_switch3 are similar. Beginning with the other VTP server, gl_switch2, configure basic management. Example 2-49 demonstrates the configuration of the management interface on gl_switch2. Remember, the gl_switch2 and gl_switch3 devices are in the Catalyst 2900/3500 family, so their configuration is different from that of the gl_switch1 device.

Example 2-49 Management Configuration on gl_switch2

Switch(config)# hostname gl_switch2
gl_switch2(config)# int vlan1
gl_switch2(config-if)# shut
gl_switch2(config-if)# exit
01:35:54: %LINK-5-CHANGED: Interface VLAN1, changed state to administratively down
01:35:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface VLAN1, changed state t
gl_switch2(config)# int vlan128
gl_switch2(config-subif)# ip address 172.16.128.11 255.255.255.0
gl_switch2(config-subif)# no shut
gl_switch2(config-if)# exit
gl_switch2(config)# ip default-gateway 172.16.128.1

To allow IP connectivity to the switch, a default gateway had to be configured, as in Example 2-48. The default gateway must be in the same subnet as the current active management interface, VLAN 128. The IP address of the gateway is the HSRP address of 172.16.128.1. In Step 2, you define the VTP domain and VLANs.
Because you already have VLANs defined on gl_switch1, there is no need to configure VLANs on any more switches; instead, you can rely on VTP to transport the VLAN information after the trunks are up. Example 2-50 demonstrates the configuration of the VTP domain on gl_switch2.

Example 2-50 VTP Domain Creation on gl_switch2

gl_switch2# vlan database
gl_switch2(vlan)# vtp domain funtime
Changing VTP domain name from cisco to funtime

The gl_switch2 device has a user VLAN on interface fastEthernet 0/7. To assign interface fastEthernet 0/7 to VLAN 16, use the switchport command, as in Example 2-51.

Example 2-51 Assign an Interface to a VLAN on gl_switch2

gl_switch2# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
gl_switch2(config)# interface fastEthernet 0/7
gl_switch2(config-if)# switchport mode access
gl_switch2(config-if)# switchport access vlan 16

Proceeding on to Step 3, you can configure the trunks from this switch to the other two. The trunk to gl_switch1 is an 802.1q trunk, while the trunks to gameserver_2 and gl_switch3 are ISL. Example 2-52 demonstrates the configuration of these trunks on gl_switch2.

Example 2-52 Assign an Interface to a VLAN on gl_switch2

Enter configuration commands, one per line.  End with CNTL/Z.
gl_switch2(config)# int gig 0/1
gl_switch2(config-if)# switchport mode trunk
gl_switch2(config-if)# switchport trunk encapsulation dot1q
gl_switch2(config-if)# exit
gl_switch2(config)# int fast 0/10
gl_switch2(config-if)# switchport mode trunk
gl_switch2(config-if)# switchport trunk encapsulation isl
gl_switch2(config-if)# exit
gl_switch2(config)# int fast 0/20
gl_switch2(config-if)# switchport mode trunk
gl_switch2(config-if)# switchport trunk encapsulation isl

When the trunks are configured on gl_switch2, the trunk to gl_switch1 becomes active. To determine the status of the trunk, use the show vlan command along with show interface gigabitEthernet 0/1 switchport on gl_switch2. The trunk should be up and trunking. You also should see the VLANs that you created on gl_switch1, and you should be able to ping the IP address 172.16.128.13. Example 2-53 shows the status of an active trunk on gl_switch2.

Example 2-53 Verifying VLAN and Trunk Operation on gl_switch2

gl_switch2# show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,
                                                Fa0/5, Fa0/6, Fa0/8, Fa0/9,
                                                Fa0/11, Fa0/12, Fa0/13, Fa0/14,
                                                Fa0/15, Fa0/16, Fa0/17, Fa0/18,
                                                Fa0/19, Fa0/21, Fa0/22, Fa0/23,
                                                Fa0/24, Fa0/25, Fa0/26, Fa0/27,
                                                Fa0/28, Fa0/29, Fa0/30, Fa0/31,
                                                Fa0/32, Fa0/33, Fa0/34, Fa0/35,
                                                Fa0/36, Fa0/37, Fa0/38, Fa0/39,
                                                Fa0/40, Fa0/41, Fa0/42, Fa0/43,
                                                Fa0/44, Fa0/45, Fa0/46, Fa0/47,
                                                Fa0/48, Gi0/2
16   VLAN0016                         active    Fa0/7
17   VLAN0017                         active
128  management                       active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active
<<<text omitted>>>
gl_switch2#
gl_switch2# show interface gigabitEthernet 0/1 switchport
Name: Gi0/1
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1,16,17,128
Pruning VLANs Enabled: 2-1001

Priority for untagged frames: 0
Override vlan tag priority: FALSE
Voice VLAN: none
Appliance trust: none
gl_switch2#

You will come back and complete Step 4, tuning STP, after you configure the gl_switch3 switch. Basic management configuration of the gl_switch3 switch is identical to the configuration in Example 2-49. In that example, you configured a host name, a management interface, and a default gateway. The VTP mode will be transparent, so there is no need to configure VLANs on this switch. The VLANs will be sent when the trunks are configured to the other two switches.
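The trunk verification in Example 2-53 can be done mechanically. The following Python checker is an added example, not code from the book: it parses the Catalyst 2900/3500 show interface switchport output (a constructed copy of the Gi0/1 output above) and reports whether the port is operationally trunking with the intended encapsulation and whether every expected VLAN is active on it.

```python
"""Parse 'show interface <port> switchport' (Catalyst 2900/3500 IOS format, as in
Example 2-53) and confirm the trunk is up with the expected encapsulation and VLANs."""

# Constructed sample modelled on the gl_switch2 Gi0/1 output in Example 2-53.
SWITCHPORT = """\
Name: Gi0/1
Switchport: Enabled
Administrative mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: Disabled
Access Mode VLAN: 0 ((Inactive))
Trunking Native Mode VLAN: 1 (default)
Trunking VLANs Enabled: ALL
Trunking VLANs Active: 1,16,17,128
Pruning VLANs Enabled: 2-1001
"""


def parse_switchport(text):
    """Map each 'Field: value' line to a lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def parse_vlan_list(value):
    """Expand '1,16,17,128' or '2-1001' into a set of VLAN ids; 'ALL' gives None."""
    if value.strip().upper() == "ALL":
        return None
    vlans = set()
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def check_trunk(text, encapsulation, expected_vlans):
    """Return the problems found; an empty list means the trunk matches what was intended."""
    f = parse_switchport(text)
    problems = []
    if f.get("operational mode") != "trunk":
        problems.append("port is not operationally trunking (mode %s)" % f.get("operational mode"))
    enc = f.get("operational trunking encapsulation")
    if enc != encapsulation:
        problems.append("encapsulation is %s, expected %s" % (enc, encapsulation))
    active = parse_vlan_list(f.get("trunking vlans active", ""))
    if active is not None:
        missing = sorted(set(expected_vlans) - active)
        if missing:
            problems.append("VLANs not active on the trunk: %s" % missing)
    return problems


def native_vlan(text):
    """The untagged VLAN on the trunk, e.g. 1 from 'Trunking Native Mode VLAN: 1 (default)'."""
    return int(parse_switchport(text)["trunking native mode vlan"].split()[0])


if __name__ == "__main__":
    print(check_trunk(SWITCHPORT, "dot1q", [1, 16, 17, 128]) or "trunk OK")
    print("native VLAN:", native_vlan(SWITCHPORT))
```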
Example 2-54 demonstrates the configuration of the VTP and trunks on gl_switch3.

Example 2-54 VTP Client and VLAN Trunk Configuration on gl_switch3

gl_switch3# vlan database
gl_switch3(vlan)# vtp domain funtime
Changing VTP domain name from Null to funtime
gl_switch3(vlan)# vtp client

To verify the configuration, view the VTP status with the show vtp status command. You also can view the VLANs to be sure that they are being propagated. Example 2-55 lists the output of these status commands on gl_switch3. At this time, you also should be able to ping the IP addresses of the neighboring switches.

Example 2-55 Verifying VTP Status on gl_switch3

gl_switch3# show vtp status
VTP Version                     : 2
Configuration Revision          : 4
Maximum VLANs supported locally : 254
Number of existing VLANs        : 8
VTP Operating Mode              : Client
VTP Domain Name                 : funtime
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xC9 0xC8 0x2D 0xEE 0x8D 0xE1 0x46 0x97
Configuration last modified by 172.16.128.13 at 7-2-01 14:43:56
gl_switch3# show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,
                                                Fa0/5, Fa0/7, Fa0/8, Fa0/9,
                                                Fa0/10, Fa0/11, Fa0/12, Fa0/13,
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17,
                                                Fa0/18, Fa0/19, Fa0/22, Fa0/23,
                                                Fa0/24, Fa0/25, Fa0/26, Fa0/27,
                                                Fa0/28, Fa0/29, Fa0/30, Fa0/31,
                                                Fa0/32, Fa0/33, Fa0/34, Fa0/35,
                                                Fa0/36, Fa0/37, Fa0/38, Fa0/39,
                                                Fa0/40, Fa0/41, Fa0/42, Fa0/43,
                                                Fa0/44, Fa0/45, Fa0/46, Fa0/47,
                                                Fa0/48, Gi0/1, Gi0/2
16   VLAN0016                         active
17   VLAN0017                         active    Fa0/6
128  management                       active
1002 fddi-default                     active
1003 token-ring-default               active
1004 fddinet-default                  active
1005 trnet-default                    active

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
16   enet  100016     1500  -      -      -        -    -        0      0
17   enet  100017     1500  -      -      -        -    -        0      0
128  enet  100128     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      0      -        -    -        0      0
1003 tr    101003     1500  -      0      -        -    srb      0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0
gl_switch3#
gl_switch3# ping 172.16.128.13

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.128.13, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/7/8 ms
gl_switch3# ping 172.16.128.11

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.128.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/3 ms
gl_switch3#

The entire switching domain is operational at this point. All the switches will be capable of pinging each other's management interface. The two routers glaccess_1 and glaccess_2 should be configured for IP now. This involves simply configuring IP addresses on the Ethernet interface and the loopback interface. In this model, you are using EIGRP as the routing protocol with an Autonomous System ID of 2001. EIGRP must be configured on all the routers. Example 2-56 illustrates the configuration of glaccess_1. The configurations of glaccess_1 and glaccess_2 will be similar except for the IP addresses.

Example 2-56 Router Configuration of glaccess_1

hostname glaccess_1
!
interface Loopback20
 ip address 172.16.21.6 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet0
 ip address 172.16.17.6 255.255.255.0
 no ip directed-broadcast
!
<<<text omitted>>>
!
router eigrp 2001
 network 172.16.0.0
 no auto-summary
!

For the VLANs to communicate with one another, you must configure a router with an interface in each VLAN, or a router with a VLAN trunk. In this model, you will use the routers gameserver_1 and gameserver_2 not only to route between the VLANs, but also to provide resiliency through HSRP. When configuring a VLAN trunk, you need to create subinterfaces on the Ethernet interface and assign a VLAN and VLAN encapsulation to each.
You will need one subinterface for each VLAN that you want to route between. Example 2-57 highlights the VLAN trunk configuration for both routers. The trunk of gameserver_1 is an 802.1q trunk, and the trunk of gameserver_2 is an ISL trunk.

Example 2-57 Router Configuration of gameserver_1 and gameserver_2

hostname gameserver1
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 128
 ip address 172.16.128.14 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 16
 ip address 172.16.16.14 255.255.255.0
!
interface FastEthernet0/0.3
 encapsulation dot1Q 17
 ip address 172.16.17.14 255.255.255.0
__________________________________________________________
hostname gameserver_2
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation isl 128
 ip address 172.16.128.10 255.255.255.0
 no ip redirects
!
interface FastEthernet0/0.2
 encapsulation isl 16
 ip address 172.16.16.10 255.255.255.0
 no ip redirects
!
interface FastEthernet0/0.3
 encapsulation isl 17
 ip address 172.16.17.10 255.255.255.0
 no ip redirects
!

The HSRP configuration requires that the primary router for VLAN 128 and VLAN 17, subnets 172.16.128.0/24 and 172.16.17.0/24, reside on gameserver_1. The HSRP primary address for VLAN 16, subnet 172.16.16.0/24, resides on gameserver_2. To accomplish this, you will need to create an HSRP group for every VLAN, for a total of three groups. You will use a priority of 101 for the interfaces that you want to be active. For more detailed information on configuring HSRP, see Chapter 16, "Configuring Hot Standby Routing Protocol (HSRP)." Example 2-58 lists the HSRP configuration of the gameserver1 and gameserver2 routers.

Example 2-58 HSRP Configuration of gameserver1 and gameserver2

hostname gameserver1
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 128
 ip address 172.16.128.14 255.255.255.0
 standby 1 priority 101 preempt
 standby 1 ip 172.16.128.1
!
interface FastEthernet0/0.2
 encapsulation dot1Q 16
 ip address 172.16.16.14 255.255.255.0
 standby 2 priority 95 preempt
 standby 2 ip 172.16.16.1
!
interface FastEthernet0/0.3
 encapsulation dot1Q 17
 ip address 172.16.17.14 255.255.255.0
 standby 3 priority 101 preempt
 standby 3 ip 172.16.17.1
!
__________________________________________________________
!
hostname gameserver_2
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation isl 128
 ip address 172.16.128.10 255.255.255.0
 no ip redirects
 standby 1 priority 95 preempt
 standby 1 ip 172.16.128.1
!
interface FastEthernet0/0.2
 encapsulation isl 16
 ip address 172.16.16.10 255.255.255.0
 no ip redirects
 standby 2 priority 101 preempt
 standby 2 ip 172.16.16.1
!
interface FastEthernet0/0.3
 encapsulation isl 17
 ip address 172.16.17.10 255.255.255.0
 no ip redirects
 standby 3 priority 95 preempt
 standby 3 ip 172.16.17.1
!

The network is fully redundant and operational now. All IP addresses should be reachable. You can test the network with pings and by unplugging the gameserver_1 or gameserver_2 routers. The network should experience no outages. Example 2-59 lists the route table of glaccess_1, showing the redundant routes.
Example 2-59 The IP Route Table of glaccess_1

glaccess_1# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/24 is subnetted, 5 subnets
D       172.16.128.0 [90/284160] via 172.16.17.10, 01:04:35, Ethernet0
                     [90/284160] via 172.16.17.14, 01:04:35, Ethernet0
D       172.16.20.0 [90/412160] via 172.16.17.10, 01:04:35, Ethernet0
                    [90/412160] via 172.16.17.14, 01:04:35, Ethernet0
C       172.16.21.0 is directly connected, Loopback20
D       172.16.16.0 [90/284160] via 172.16.17.10, 01:04:35, Ethernet0
                    [90/284160] via 172.16.17.14, 01:04:35, Ethernet0
C       172.16.17.0 is directly connected, Ethernet0
glaccess_1#

The final steps in this lab involve setting the Spanning Tree root and controlling IP access. To set the STP root on gl_switch1, you will use the set spantree root command. By viewing the current STP topology on gl_switch3, you can see that it is currently root. Example 2-60 shows the STP topology on gl_switch3.

Example 2-60 STP Topology on gl_switch3

gl_switch3# show spanning-tree vlan 128

Spanning tree 128 is executing the IEEE compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, address 0004.275e.f0c1
  Configured hello time 2, max age 20, forward delay 15
  We are the root of the spanning tree
  Topology change flag not set, detected flag not set, changes 2
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 1, topology change 0, notification 0

 Interface Fa0/20 (port 34) in Spanning tree 128 is FORWARDING
   Port path cost 19, Port priority 128
   Designated root has priority 32768, address 0004.275e.f0c1
   Designated bridge has priority 32768, address 0004.275e.f0c1
   Designated port is 34, path cost 0
   Timers: message age 0, forward delay 0, hold 0
   BPDU: sent 1376, received 0

 Interface Fa0/21 (port 35) in Spanning tree 128 is FORWARDING
   Port path cost 19, Port priority 128
   Designated root has priority 32768, address 0004.275e.f0c1
   Designated bridge has priority 32768, address 0004.275e.f0c1
   Designated port is 35, path cost 0
   Timers: message age 0, forward delay 0, hold 0
   BPDU: sent 1392, received 2
gl_switch3#

You will want to set the gl_switch1 switch to be root for VLANs 17 and 128 only. Example 2-61 demonstrates the configuration of gl_switch1.

Example 2-61 Setting Root for VLAN 17 and VLAN 128 on gl_switch1

gl_switch1 (enable) set spantree root 17,128
VLANs 17,128 bridge priority set to 8192.
VLANs 17,128 bridge max aging time set to 20.
VLANs 17,128 bridge hello time set to 2.
VLANs 17,128 bridge forward delay set to 15.
Switch is now the root switch for active VLANs 17,128.
gl_switch1 (enable)

If you view STP on gl_switch3 in Example 2-62, you will see that this switch is no longer root for VLAN 128. Notice that the priority has changed and that it now points to gl_switch1 as the root.
Example 2-62 STP for VLAN 128

gl_switch3# show spanning-tree vlan 128

Spanning tree 128 is executing the IEEE compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, address 0004.275e.f0c1
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 8192, address 0030.1976.4d7f
  Root port is 35, cost of root path is 19
  Topology change flag not set, detected flag not set, changes 5
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0

 Interface Fa0/20 (port 34) in Spanning tree 128 is BLOCKING
   Port path cost 19, Port priority 128
   Designated root has priority 8192, address 0030.1976.4d7f
   Designated bridge has priority 32768, address 0004.275e.f5c3
   Designated port is 34, path cost 4
   Timers: message age 3, forward delay 0, hold 0
   BPDU: sent 4762, received 97

 Interface Fa0/21 (port 35) in Spanning tree 128 is FORWARDING
   Port path cost 19, Port priority 128
   Designated root has priority 8192, address 0030.1976.4d7f
   Designated bridge has priority 8192, address 0030.1976.4d7f
   Designated port is 84, path cost 0
   Timers: message age 3, forward delay 0, hold 0
   BPDU: sent 4777, received 98
gl_switch3#

To set the STP root for VLAN 16 on gl_switch2, use the following global command:

gl_switch2(config)# spanning-tree vlan 16 priority 100

If you exclude the VLAN, all VLANs will have a priority of 100.

The final portion of the lab requires you to limit Telnet access to gl_switch1 to only devices on the subnet 172.16.17.0/24. This can be done by enabling IP permit lists. After an IP permit list is entered, it still must be enabled before it will take effect. Example 2-63 demonstrates the configuration of the IP permit list on gl_switch1.

Example 2-63 Enabling IP Permit Lists

gl_switch1 (enable) set ip permit 172.16.17.0 255.255.255.0
172.16.17.0 with mask 255.255.255.0 added to IP permit list.
gl_switch1 (enable) set ip permit enable
IP permit list enabled.
gl_switch1 (enable)

The optional portion of the lab is about security. By enabling port security, you can force a port to become inactive if it detects a MAC address that isn't specifically allowed on that port. If port security is enabled when a workstation is plugged into the port, it automatically records the MAC address and secures the port for that address. To configure a specific address, add the MAC address to the set port security command. Example 2-64 demonstrates enabling port security.

Example 2-64 Enabling Port Security

gl_switch1 (enable) set port security 2/24 enable 00-00-86-3c-3b-41
Port 2/24 port security enabled with 00-00-86-3c-3b-41 as the secure mac address
Trunking disabled for Port 2/24 due to Security Mode
gl_switch1 (enable)

If any other workstation or device is plugged into port 2/24, the port automatically shuts down. Example 2-65 highlights the port status after an unauthorized device is plugged into port 2/24.

Example 2-65 Port Security

gl_switch1 (enable) show port 2/24
Port  Name               Status     Vlan       Level  Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
 2/24                    shutdown   1          normal   auto  auto 10/100BaseTX

Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
----- -------- ----------------- ----------------- -------- -------- -------
 2/24 enabled  00-00-86-3c-3b-41 00-60-5c-f3-5e-65 Yes      disabled 34

Port  Status     Channel   Channel     Neighbor                  Neighbor
                 mode      status      device                    port
----- ---------- --------- ----------- ------------------------- ----------
 2/24 shutdown   auto      not channel
<<<text omitted>>>
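Returning to the root placement in Examples 2-60 through 2-62: once the root has been set deliberately, it is worth checking periodically that it has stayed where policy put it. The following Python checker is an added example, not code from the book. It parses the Catalyst 2900/3500 show spanning-tree vlan output (constructed copies of the two gl_switch3 outputs, trimmed to the lines it needs) and flags a VLAN whose root is not the expected bridge address or whose root still carries the default priority 32768, which means no switch was ever configured to be root. The expected address 0030.1976.4d7f is taken from Example 2-62.

```python
"""Parse 'show spanning-tree vlan <n>' output (Catalyst 2900/3500 IOS format, as in
Examples 2-60 and 2-62) and verify that the root bridge is the one policy expects."""
import re

# Constructed samples reproducing the gl_switch3 outputs before and after
# 'set spantree root 17,128' on gl_switch1, trimmed to the lines the parser uses.
BEFORE = """\
Spanning tree 128 is executing the IEEE compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, address 0004.275e.f0c1
  Configured hello time 2, max age 20, forward delay 15
  We are the root of the spanning tree
 Interface Fa0/20 (port 34) in Spanning tree 128 is FORWARDING
 Interface Fa0/21 (port 35) in Spanning tree 128 is FORWARDING
"""
AFTER = """\
Spanning tree 128 is executing the IEEE compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, address 0004.275e.f0c1
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 8192, address 0030.1976.4d7f
  Root port is 35, cost of root path is 19
 Interface Fa0/20 (port 34) in Spanning tree 128 is BLOCKING
 Interface Fa0/21 (port 35) in Spanning tree 128 is FORWARDING
"""

DEFAULT_PRIORITY = 32768


def parse_stp(text):
    """Extract local bridge id, root bridge id, root port and per-port states."""
    info = {"we_are_root": False, "ports": {}}
    m = re.search(r"Bridge Identifier has priority (\d+), address ([0-9a-f.]+)", text)
    info["bridge_priority"], info["bridge_address"] = int(m.group(1)), m.group(2)
    if "We are the root of the spanning tree" in text:
        info["we_are_root"] = True
        info["root_priority"] = info["bridge_priority"]
        info["root_address"] = info["bridge_address"]
    else:
        m = re.search(r"Current root has priority (\d+), address ([0-9a-f.]+)", text)
        info["root_priority"], info["root_address"] = int(m.group(1)), m.group(2)
        m = re.search(r"Root port is (\d+), cost of root path is (\d+)", text)
        info["root_port"], info["root_path_cost"] = int(m.group(1)), int(m.group(2))
    for m in re.finditer(r"Interface (\S+) \(port \d+\) in Spanning tree \d+ is (\w+)", text):
        info["ports"][m.group(1)] = m.group(2)
    return info


def check_root(text, expected_root_address):
    """Return findings; an empty list means the root is where policy says it should be."""
    info = parse_stp(text)
    findings = []
    if info["root_address"] != expected_root_address:
        findings.append("root is %s, expected %s" % (info["root_address"], expected_root_address))
    if info["root_priority"] >= DEFAULT_PRIORITY:
        # Nobody lowered the priority, so root was won by lowest MAC, not by design.
        findings.append("root bridge still has default priority %d" % info["root_priority"])
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_root(text, "0030.1976.4d7f") or "root placement OK")
```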