MDH Lab – Private-VLANs & VACL

Topologi

pvlan

Objectives

  • Secure the server farm using private VLANs.
  • Secure the staff VLAN from the student VLAN.
  • Secure the staff VLAN when temporary staff personnel are used.

Background

In this lab, you will configure the network to protect the VLANs using router ACLs, VLAN ACLs, and private VLANs. First, you will secure the new server farm by using private VLANs so that broadcasts on one server VLAN are not heard by the other server VLAN.

Service providers use private VLANs to separate different customers’ traffic while utilizing the same parent VLAN for all server traffic. The private VLANs provide traffic isolation between devices, even though they might exist on the same VLAN.

You will then secure the staff VLAN from the student VLAN by using a RACL, which prevents traffic from the student VLAN from reaching the staff VLAN. This allows the student traffic to utilize the network and Internet services while keeping the students from accessing any of the staff resources.

Lastly, you will configure a VACL that allows a host on the staff network to be set up to use the VLAN for access but keeps the host isolated from the rest of the staff machines. This machine is used by temporary staff employees.

Genomförande

L2 basic konfig

Då vi ska använda oss av Private-VLANs i den här labben måste vi konfigurera våra switchar till VTP mode Transparent.

S1

Switch(config)#hostname S1
 S1(config)#line con 0
 S1(config-line)#logging sync
 S1(config-line)#!Trunk-links till S2
 S1(config-line)#int range fa0/1 - 2
 S1(config-if-range)#switchport trunk encaps dot1q
 S1(config-if-range)#switchport mode trunk
 S1(config-if-range)#description to S2
 S1(config-if-range)#channel-protocol lacp
 S1(config-if-range)#channel-group 1 mode active
 Creating a port-channel interface Port-channel 1
S1(config-if-range)#
 S1(config-if-range)#!Trunk-links till S3
 S1(config-if-range)#int range fa0/3 - 4
 S1(config-if-range)#switchport trunk encaps dot1q
 S1(config-if-range)#switchport mode trunk
 S1(config-if-range)#description to S2
 S1(config-if-range)#channel-protocol lacp
 S1(config-if-range)#channel-group 2 mode active
 Creating a port-channel interface Port-channel 2
S1(config-if-range)#exit
 S1(config)#vtp mode transparent
 Setting device to VTP TRANSPARENT mode.
S1(config)#vlan 100,150,200
 S1(config-vlan)#exit

S3

Switch(config)#hostname S3
 S3(config)#line con 0
 S3(config-line)#logging sync
 S3(config-line)#!Trunk-links till S2
 S3(config-line)#int range fa0/1 - 2
 S3(config-if-range)#switchport trunk encaps dot1q
 S3(config-if-range)#switchport mode trunk
 S3(config-if-range)#description to S2
 S3(config-if-range)#channel-protocol lacp
 S3(config-if-range)#channel-group 1 mode active
 Creating a port-channel interface Port-channel 1
S3(config-if-range)#
 S3(config-if-range)#!Trunk-links till S1
 S3(config-if-range)#int range fa0/3 - 4
 S3(config-if-range)#switchport trunk encaps dot1q
 S3(config-if-range)#switchport mode trunk
 S3(config-if-range)#description to S1
 S3(config-if-range)#channel-protocol lacp
 S3(config-if-range)#channel-group 2 mode passive
 Creating a port-channel interface Port-channel 2
S3(config-if-range)#exit
 S3(config)#
 S3(config)#vtp mode transparent
 Setting device to VTP Transparent mode for VLANS.
 S3(config)#vlan 100,150,200
 S3(config-vlan)#exit

S2

Switch(config)#hostname S2
 S2(config)#line con 0
 S2(config-line)#logging sync
 S2(config-line)#!Trunk-links till S1
 S2(config-line)#int range fa0/1 - 2
 S2(config-if-range)#switchport mode trunk
 S2(config-if-range)#description to S1
 S2(config-if-range)#channel-protocol lacp
 S2(config-if-range)#channel-group 1 mode passive
 Creating a port-channel interface Port-channel 1
S2(config-if-range)#
 S2(config-if-range)#!Trunk-links till S3
 S2(config-if-range)#int range fa0/3 - 4
 S2(config-if-range)#switchport mode trunk
 S2(config-if-range)#description to S3
 S2(config-if-range)#channel-protocol lacp
 S2(config-if-range)#channel-group 2 mode passive
 Creating a port-channel interface Port-channel 2
S2(config-if-range)#exit
 S2(config)#
S2(config)#vtp mode transparent
Setting device to VTP Transparent mode for VLANS.
S2(config)#vlan 100,150,200
S2(config-vlan)#exit

HSRP

S1

S1(config)#interface vlan 1
 S1(config-if)#ip add 172.16.1.10 255.255.255.0
 S1(config-if)#no shut
 S1(config-if)#standby 1 ip 172.16.1.1
 S1(config-if)#standby 1 preempt
 S1(config-if)#standby 1 priority 100
 S1(config-if)#
 S1(config-if)#interface vlan 100
 S1(config-if)#ip add 172.16.100.10 255.255.255.0
 S1(config-if)#no shut
 S1(config-if)#standby 1 ip 172.16.100.1
 S1(config-if)#standby 1 preempt
 S1(config-if)#standby 1 priority 150
 S1(config-if)#
 S1(config-if)#interface vlan 150
 S1(config-if)#ip add 172.16.150.10 255.255.255.0
 S1(config-if)#no shut
 S1(config-if)#standby 1 ip 172.16.150.1
 S1(config-if)#standby 1 preempt
 S1(config-if)#standby 1 priority 150
 S1(config-if)#
 S1(config-if)#interface vlan 200
 S1(config-if)#ip add 172.16.200.10 255.255.255.0
 S1(config-if)#no shut
 S1(config-if)#standby 1 ip 172.16.200.1
 S1(config-if)#standby 1 preempt
 S1(config-if)#standby 1 priority 100
 S1(config-if)#

S3

S3(config)#interface vlan 1
 S3(config-if)#ip add 172.16.1.30 255.255.255.0
 S3(config-if)#no shut
 S3(config-if)#standby 1 ip 172.16.1.1
 S3(config-if)#standby 1 preempt
 S3(config-if)#standby 1 priority 150
 S3(config-if)#
 S3(config-if)#interface vlan 100
 S3(config-if)#ip add 172.16.100.30 255.255.255.0
 S3(config-if)#standby 1 ip 172.16.100.1
 S3(config-if)#standby 1 preempt
 S3(config-if)#standby 1 priority 100
 S3(config-if)#
 S3(config-if)#interface vlan 150
 S3(config-if)#ip add 172.16.150.30 255.255.255.0
 S3(config-if)#standby 1 ip 172.16.150.1
 S3(config-if)#standby 1 preempt
 S3(config-if)#standby 1 priority 100
 S3(config-if)#
 S3(config-if)#interface vlan 200
 S3(config-if)#ip add 172.16.200.30 255.255.255.0
 S3(config-if)#standby 1 ip 172.16.200.1
 S3(config-if)#standby 1 preempt
 S3(config-if)#standby 1 priority 150
 S3(config-if)#

Verifiering

S1#sh standby brief
 P indicates configured to preempt.
 |
 Interface Grp Pri P State Active Standby Virtual IP
 Vl1 1 100 P Standby 172.16.1.30 local 172.16.1.1
 Vl100 1 150 P Active local 172.16.100.30 172.16.100.1
 Vl150 1 150 P Active local 172.16.150.30 172.16.150.1
 Vl200 1 100 P Standby 172.16.200.30 local 172.16.200.1

Private-VLANs

PVLANs provide layer 2-isolation between ports within the same broadcast domain. There are three types of PVLAN ports:

  • Promiscuous— A promiscuous port can communicate with all interfaces, including the isolated and community ports within a PVLAN.
  • Isolated— An isolated port has complete Layer 2 separation from the other ports within the same PVLAN, but not from the promiscuous ports. PVLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic from isolated port is forwarded only to promiscuous ports.
  • Community— Community ports communicate among themselves and with their promiscuous ports. These interfaces are separated at Layer 2 from all other interfaces in other communities or isolated ports within their PVLAN.

Mer info om just PVLANs och design-rekommendationer finns att läsa här!

Vi börjar med att konfigurera upp våra secondary-vlans (Isolated- & Community-PVLAN) i S1 & S3.

S1(config)#vlan 151
S1(config-vlan)#private-vlan isolated
S1(config-vlan)#exit
S1(config)#!Community
S1(config)#vlan 152
S1(config-vlan)#private-vlan community
S1(config-vlan)#exit
S1(config)#

S3(config)#vlan 151
S3(config-vlan)#private-vlan isolated
S3(config-vlan)#exit
S3(config)#!Community
S3(config)#vlan 152
S3(config-vlan)#private-vlan community
S3(config-vlan)#exit

Vi behöver sedan associera våra PVLAN med “parent”-vlanet 150, “primary:n”.

S1(config)#vlan 150
S1(config-vlan)#private-vlan primary
S1(config-vlan)#private-vlan association 151,152
S1(config-vlan)#exit

S3(config)#vlan 150
S3(config-vlan)#private-vlan primary
S3(config-vlan)#private-vlan association 151,152
S3(config-vlan)#exit

Då vi i detta exemplet använder SVI’s för att routa trafik direkt i switchen behöver vi även knyta våra Secondary-vlan till primaryn (150).

S1(config)#interface vlan 150
S1(config-if)#private-vlan mapping 151,152
S1(config-if)#
*Mar 1 01:35:40.794: %PV-6-PV_MSG: Created a private vlan mapping, Primary 150, Secondary 151
*Mar 1 01:35:40.794: %PV-6-PV_MSG: Created a private vlan mapping, Primary 150, Secondary 152

S3(config)#int vlan 150
S3(config-if)#private-vlan mapping 151,152
S3(config-if)#
*Mar 1 01:35:37.170: %PV-6-PV_MSG: Created a private vlan mapping, Primary 150, Secondary 151
*Mar 1 01:35:37.170: %PV-6-PV_MSG: Created a private vlan mapping, Primary 150, Secondary 152

Verifiera med “show vlan private-vlan”:

S1#sh vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
150 151 isolated 
150 152 community

Nu återstår det endast att koppla interfacen till respektive secondary-vlan. Enligt uppgiften ska fördelningen se ut enligt följande:

  • Fa0/5-10 – Isolated
  • Fa0/11-15 – Community

S1

S1(config)#int range fa0/5 - 10
S1(config-if-range)#description Isolated-port
S1(config-if-range)#switchport mode private-vlan host
S1(config-if-range)#switchport private-vlan host-association 150 151
S1(config-if-range)#
S1(config-if-range)#int range fa0/11 - 15
S1(config-if-range)#description Community-port
S1(config-if-range)#switchport mode private-vlan host
S1(config-if-range)#switchport private-vlan host-association 150 152

S3

S3(config)#int range fa0/5 - 10
S3(config-if-range)#description Isolated-port
S3(config-if-range)#switchport mode private-vlan host
S3(config-if-range)#switchport private-vlan host-association 150 151
S3(config-if-range)#
S3(config-if-range)#int range fa0/11 - 15
S3(config-if-range)#description Community-port
S3(config-if-range)#switchport mode private-vlan host
S3(config-if-range)#switchport private-vlan host-association 150 152

Verifiering

S3#show vlan private-vlan
Primary Secondary Type Ports
------- --------- ----------------- ------------------------------------------
150 151 isolated Fa0/5, Fa0/6, Fa0/7, Fa0/8, Fa0/9, Fa0/10
150 152 community Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15

RACL

Vi skulle även skydda Vlan 200 (172.16.200.0/24) från Vlan 100 (172.16.100.0/24), vilket vi gör enkelt med en vanlig ACL.

S1(config)#ip access-list extended RACL
S1(config-ext-nacl)#deny ip 172.16.100.0 0.0.0.255 172.16.200.0 0.0.0.255
S1(config-ext-nacl)#permit ip any any
S1(config-ext-nacl)#exit
S1(config)#interface vlan 200
S1(config-if)#ip access-group RACL in

S3

S3(config)#ip access-list extended RACL
S3(config-ext-nacl)#deny ip 172.16.100.0 0.0.0.255 172.16.200.0 0.0.0.255
S3(config-ext-nacl)#permit ip any any
S3(config-ext-nacl)#exit
S3(config)#interface vlan 200
S3(config-if)#ip access-group RACL in
S3(config-if)#

VACL

Vlan-ACL är ett nytt koncept i CCNP, mer info finns att läsa här! Istället för att knyta det till ett interface används det istället direkt på VLAN:et, själva konfigureringen påminner väldigt mycket om route-maps som vi använt oss mycket av i tidigare inlägg om ex. route-filtering.

Enligt specifikationen skulle vi blockera hosten 172.16.100.150 från att nå någon annan på vlan 100. Vi skapar först en ACL för att ha något att använda i match-statement.

S1(config)#ip access-list extended VACL-BLOCK
S1(config-ext-nacl)#permit ip host 172.16.100.150 172.16.100.0 0.0.0.255
S1(config-ext-nacl)#exit

S3(config)#ip access-list extended VACL-BLOCK
S3(config-ext-nacl)#permit ip host 172.16.100.150 172.16.100.0 0.0.0.255
S3(config-ext-nacl)#exit

Vi bygger sedan vår VLAN Access-map, glöm inte att utan en match all/permit så blockerar vi all trafik precis som en vanlig ACL.

S1(config)#vlan access-map AM-VACL-BLOCK 10
S1(config-access-map)#match ip addr VACL-BLOCK
S1(config-access-map)#action drop
S1(config-access-map)#exit
S1(config)#vlan access-map AM-VACL-BLOCK 20
S1(config-access-map)#action forward
S1(config-access-map)#exit
S1(config)#

S3(config)#vlan access-map AM-VACL-BLOCK 10
S3(config-access-map)#match ip addr VACL-BLOCK
S3(config-access-map)#action drop
S3(config-access-map)#exit
S3(config)#vlan access-map AM-VACL-BLOCK 20
S3(config-access-map)#action forward
S3(config-access-map)#exit
S3(config)#

Sen återstår det bara att knyta detta till vlan:et.

S1(config)#vlan filter AM-VACL-BLOCK vlan-list 100
S3(config)#vlan filter AM-VACL-BLOCK vlan-list 100

Tyvärr har vi inga host att testa med så vi får helt enkelt räkna med att allt är ok! 😉

MDH Lab – Switch Case Study

Topologi

lab4-3clean

Objectives

  • Plan and design the International Travel Agency switched network as shown in the diagram and described below.
  • Implement the design on the switches and router.
  • Verify that all configurations are operational and functioning according to the requirements.

Requirements

You will configure a group of switches and a router for the International Travel Agency. The network includes two distribution switches, S1 and S3, and two one access layer switches, S2. External router R3 and S1 provide inter-VLAN routing. Design the addressing scheme using the address space 172.16.0.0/16 range. You can subnet it any way you want, although it is recommended to use /24 subnets for simplicity.

  1. Place all switches in the VTP domain CISCO. Make S1 the VTP server and all other switches VTP clients.
  2. On S1, create the VLANs shown in the VLAN table and assign the names given. For subnet planning, allocate a subnet for each VLAN.
  3. Configure S1 as the primary spanning-tree root bridge for all VLANs. Configure S3 as the backup root bridge for all VLANs.
  4. Configure Fa0/4 between S1 and S3 as a Layer 3 link and assign a subnet to it.
  5. Create a loopback interface on S1 and assign a subnet to it.
  6. Configure the Fa0/3 link between S1 and S3 as an ISL trunk.
  7. Statically configure all inter-switch links as trunks.
  8. Configure all other trunk links using 802.1Q.
  9. Bind together the links from S1 & S3 to the access-switch together in an EtherChannel.
  10. Enable PortFast on all access ports.
  11. On S2, place Fa0/15 through Fa0/17 in VLAN 10. Place Fa0/19 and Fa0/25 in VLAN 20. Place Fa0/21-22 in VLAN 30.
  12. Create an 802.1Q trunk link between R3 and S3. Only VLANs 10 and 40 to pass through the trunk.
  13. Configure R2 subinterfaces for VLANs 10 and 40.
  14. Create an SVI on S1 in VLANs 20, 30, and 40. Create an SVI on S3 in VLAN 10 and 30, an SVI on S2 in VLAN 40.
  15.  Enable IP routing on S1 and S3. On R2 and S1, configure EIGRP for the whole major network (172.16.0.0/16) and disable automatic summarization.

VLANs:

  • Vlan 10 – Red
  • Vlan 20 – Blue
  • Vlan 30 – Orange
  • Vlan 40 – Green

Genomförande

Subnetting

Jag har som synes redan lagt in den subnetting jag gjorde i topologin men såhär ser den ut iaf: 172.16.0.0/16

Vlan 10 - Red 172.16.10.0/24
 Vlan 20 - Blue 172.16.20.0/24
 Vlan 30 - Orange 172.16.30.0/24
 Vlan 40 - Green 172.16.40.0/24

S1

Lo0 - 172.16.1.1/24
Vlan 20 - 172.16.20.1/24
Vlan 30 - 172.16.30.1/24
Vlan 40 - 172.16.40.1/24
S1-S3 Link - 172.16.13.1/24

S3

Vlan 10 - 172.16.10.3/24
S1-S3 Link - 172.16.13.3/24

S2

Vlan 40 - 172.16.40.2/24

R3

Vlan 40 - 172.16.40.200/24
Vlan 10 - 172.16.10.200/24

Med den information vi fått ovan kan vi uppdatera vår topologi lite:

Basic L2-konfig

S1 – Kom ihåg att S1 även ska vara Root-bridge för samtliga VLAN & VTP-server

Switch(config)#hostname S1
 S1(config)#line con 0
 S1(config-line)#logging sync
 S1(config-line)#!Trunk-links till S2
 S1(config-line)#int range fa0/1 - 2
 S1(config-if-range)#switchport trunk encaps dot1q
 S1(config-if-range)#switchport mode trunk
 S1(config-if-range)#description to S2
 S1(config-if-range)#channel-protocol lacp
 S1(config-if-range)#channel-group 1 mode active
 Creating a port-channel interface Port-channel 1
S1(config-if-range)#!L3-link till S3
 S1(config-if-range)#inte fa0/4
 % Command exited out of interface range and its sub-modes.
 Not executing the command for second and later interfaces
 S1(config-if)#no switchport
 S1(config-if)#ip add 172.16.13.1 255.255.255.0
 S1(config-if)#description to S3 L3-port
 S1(config-if)#!ISL-trunk till S3
 S1(config-if)#int fa0/3
 S1(config-if)#switchport trunk encapsulation isl
 S1(config-if)#switchport mode trunk
 S1(config-if)#description Trunklink to S3
 S1(config-if)#!VTP
 S1(config-if)#exit
 S1(config)#vtp mode server
 Device mode already VTP SERVER.
 S1(config)#vtp domain CISCO
 Changing VTP domain name from NULL to CISCO
 S1(config)#
 *Mar 1 00:14:20.226: %SW_VLAN-6-VTP_DOMAIN_NAME_CHG: VTP domain name changed to CISCO.
 S1(config)#!VLANs
 S1(config)#vlan 10
 S1(config-vlan)#name Red
 S1(config-vlan)#vlan 20
 S1(config-vlan)#name Blue
 S1(config-vlan)#vlan 30
 S1(config-vlan)#name Orange
 S1(config-vlan)#vlan 40
 S1(config-vlan)#name Green
 S1(config-vlan)#exit
 S1(config)#spanning-tree vlan 1,10,20,30,40 root primary

S3 – Ska även vara Secondary Root-bridge för samtliga vlan

Switch(config)#hostname S3
 S3(config)#line con 0
 S3(config-line)#logging sync
 S3(config-line)#!Trunk-links till S2
 S3(config-line)#int range fa0/1 - 2
 S3(config-if-range)#switchport trunk encaps dot1q
 S3(config-if-range)#switchport mode trunk
 S3(config-if-range)#channel-protocol lacp
 S3(config-if-range)#channel-group 1 mode active
 Creating a port-channel interface Port-channel 1
S3(config-if-range)#
 S3(config-if-range)#description to S2
 S3(config-if-range)#inte fa0/3
 % Command exited out of interface range and its sub-modes.
 Not executing the command for second and later interfaces
 S3(config-if)#!ISL-trunk till S1
 S3(config-if)#switchport trunk encaps ISL
 S3(config-if)#switchport mode trunk
 S3(config-if)#description ISL-trunk to S1
 S3(config-if)#!L3-port till S1
 S3(config-if)#int fa0/4
 S3(config-if)#no switchport
 S3(config-if)#ip add 172.16.13.3 255.255.255.0
 S3(config-if)#description L3-link to S1
 S3(config-if)#exit
 S3(config)#vtp mode client
 Setting device to VTP CLIENT mode.
 S3(config)#vtp domain CISCO
 Domain name already set to CISCO.
 S3(config)#spanning-tree vlan 1,10,20,30,40 root secondary

S2

Switch(config)#hostname S2
 S2(config)#line con 0
 S2(config-line)#logging sync
 S2(config-line)#!Etherchannels till S1 & S3
 S2(config-line)#inte range fa0/1 - 2
 S2(config-if-range)#switchport mode trunk
 S2(config-if-range)#description to S1
 S2(config-if-range)#channel-protocol lacp
 S2(config-if-range)#channel-group 1 mode passive
 Creating a port-channel interface Port-channel 1
S2(config-if-range)#int range fa0/3 - 4
 S2(config-if-range)#switchport mode trunk
 S2(config-if-range)#description to S3
 S2(config-if-range)#channel-protocol lacp
 S2(config-if-range)#channel-group 2 mode passive
 Creating a port-channel interface Port-channel 2
S2(config-if-range)#exit
 S2(config)#!VTP
 S2(config)#vtp mode client
 Setting device to VTP CLIENT mode.
 S2(config)#vtp domain CISCO
 Domain name already set to CISCO.
S2(config)#!Host-interface
 S2(config)#int range fa0/15 - 17
 S2(config-if-range)#switchport mode access
 S2(config-if-range)#switchport access vlan 10
 S2(config-if-range)#spanning-tree portfast
 S2(config-if-range)#int range fa0/19 - 20
 S2(config-if-range)#switchport mode access
 S2(config-if-range)#switchport access vlan 20
 S2(config-if-range)#spanning-tree portfast
 S2(config-if-range)#int range fa0/21-22
 S2(config-if-range)#switchport mode access
 S2(config-if-range)#switchport access vlan 30
 S2(config-if-range)#spanning-tree portfast
 S2(config-if-range)end

L3-Konfig

S1 – Kom ihåg att aktivera routing innan vi lägger in EIGRP-konfig

S1(config)#int lo0
 S1(config-if)#ip add 172.16.1.1 255.255.255.0
 S1(config-if)#!SVIs for VLANs
 S1(config-if)#int vlan 20
 S1(config-if)#ip add 172.16.20.1 255.255.255.0
 S1(config-if)#description Red
 S1(config-if)#int vlan 30
 S1(config-if)#ip add 172.16.30.1 255.255.255.0
 S1(config-if)#description Blue
 S1(config-if)#int vlan 40
 S1(config-if)#ip add 172.16.40.1 255.255.255.0
 S1(config-if)#description Green
 S1(config-if)#exit
 S1(config)#ip routing
 S1(config)#router eigrp 1
 S1(config-router)#network 172.16.0.0
 S1(config-router)#no auto
 S1(config-router)#no auto-summary

S3

S3(config)#int vlan 10
 S3(config-if)#ip add 172.16.10.3 255.255.255.0
 S3(config-if)#description Red
 S3(config-if)#int vlan 30
 S3(config-if)#ip add 172.16.30.3 255.255.255.0
 S3(config-if)#description Orange
 S3(config-if)#exit
 S3(config)#ip routing
S3(config-if)#!trunk to R3
S3(config-if)#int fa0/5
S3(config-if)#description trunk to R3
S3(config-if)#switchport mode trunk
S3(config-if)#switchport trunk allowed vlan 10,40

S2

S2(config)#int vlan 40 
S2(config-if)#ip add 172.16.40.2 255.255.255.0 
S2(config-if)#description Green

Då var all switch-konfig klar, endast routern kvar.. R3

Router(config)#hostname R3
 R3(config)#inte fa0/1
 R3(config-if)#description to S3-trunklink
 R3(config-if)#no shut
 R3(config-if)#inte fa0/1.10
 R3(config-subif)#encapsulation dot1q 10
 R3(config-subif)#ip add 172.16.10.200 255.255.255.0
 R3(config-subif)#inte fa0/1.40
 R3(config-subif)#encapsulation dot1q 40
 R3(config-subif)#ip add 172.16.40.200 255.255.255.0
 R3(config-subif)#exit
R3(config)#router eigrp 1
 R3(config-router)#network 172.16.0.0
 R3(config-router)#no auto-summary
 R3(config-router)#end

Verifiering – L3

S1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 6 subnets
C 172.16.40.0 is directly connected, Vlan40
C 172.16.30.0 is directly connected, Vlan30
C 172.16.20.0 is directly connected, Vlan20
C 172.16.13.0 is directly connected, FastEthernet0/4
D 172.16.10.0 [90/28416] via 172.16.40.200, 00:01:51, Vlan40
C 172.16.1.0 is directly connected, Loopback0
R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
172.16.0.0/24 is subnetted, 6 subnets
C 172.16.40.0 is directly connected, FastEthernet0/1.40
D 172.16.30.0 [90/28416] via 172.16.40.1, 00:02:35, FastEthernet0/1.40
D 172.16.20.0 [90/28416] via 172.16.40.1, 00:02:35, FastEthernet0/1.40
D 172.16.13.0 [90/30720] via 172.16.40.1, 00:02:35, FastEthernet0/1.40
C 172.16.10.0 is directly connected, FastEthernet0/1.10
D 172.16.1.0 [90/156160] via 172.16.40.1, 00:02:35, FastEthernet0/1.40
S1#ping 172.16.40.200
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
S1#ping 172.16.10.200
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
S1#ping 172.16.40.2
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
R3#ping 172.16.40.2
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Verifiering L2

S3#sh interface trunk
Port Mode Encapsulation Status Native vlan
Fa0/3 on isl trunking 1
Fa0/5 on 802.1q trunking 1
Po1 on 802.1q trunking 1
Port Vlans allowed on trunk
Fa0/3 1-4094
Fa0/5 10,40
Po1 1-4094
S1#sh spanning-tree summary
Switch is in pvst mode
Root bridge for: VLAN0001, VLAN0010, VLAN0020, VLAN0030, VLAN0040
S2#sh etherchannel summary
Flags: D - down P - bundled in port-channel
 I - stand-alone s - suspended
 H - Hot-standby (LACP only)
 R - Layer3 S - Layer2
 U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
 u - unsuitable for bundling
 w - waiting to be aggregated
 d - default port

Number of channel-groups in use: 2
Number of aggregators: 2
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Fa0/1(P) Fa0/2(P) 
2 Po2(SU) LACP Fa0/3(P) Fa0/4(P)

Härligt! Stötte på lite problem under labben då det visade sig att interfacet jag tänkte använda mellan Switch & Router inte var directly connected. Det var inga problem att sätta upp trunkingen etc men trafiken fastnade i någon dold switch eller dylikt. Från början var det tänkt att Routern skulle vara ansluten till S2 men det fanns tyvärr inget interface att använda där som fungerade. Fick istället göra om ritningen lite och använda länken mellan R3-S3 men det fungerade ju precis lika bra efter lite mindre modifieringar. 🙂 Kul labb!

MDH Lab – Inter-VLAN MLS Routing

Topologi

lab4-2real

Objective

  • Route between VLANs using a 3560 switch with an internal route processor using Cisco Express Forwarding (CEF).

Background

The current network equipment includes a 3560 distribution layer switch and two 2960 access layer switches. The network is segmented into three functional subnets using VLANs for better network management. The VLANs include Finance, Engineering, and a subnet for equipment management, which is the default management VLAN, VLAN 1. After VTP and trunking have been configured for the switches, switched virtual interfaces (SVI) are configured on the distribution layer switch to route between these VLANs, providing full connectivity to the internal network.

Genomförande

Easy! Blir inte så mycket förklaringar här då all konfig är rätt självklar. Först fixar vi upp grundkonfigen:

S1

Switch(config)#hostname S1
S1(config)#line con 0
S1(config-line)#logging sync
S1(config-line)#int range fa0/3 - 4
S1(config-if-range)#switchport trunk encaps dot1q
S1(config-if-range)#switchport mode trunk
S1(config-if-range)#channel-protocol pagp
S1(config-if-range)#channel-group 2 mode desirable 
Creating a port-channel interface Port-channel 2
S1(config-if-range)#int range fa0/1 - 2
S1(config-if-range)#switchport trunk encaps dot1q
S1(config-if-range)#switchport mode trunk
S1(config-if-range)#channel-protocol pagp
S1(config-if-range)#channel-group 1 mode desirable
Creating a port-channel interface Port-channel 1
S1(config-if-range)#exit
S1(config)#vtp mode server
Device mode already VTP SERVER.
S1(config)#vtp domain Cisco
Changing VTP domain name from NULL to Cisco
S1(config)#vlan 100
S1(config-vlan)#name Finance
S1(config-vlan)#vlan 200
S1(config-vlan)#name Engineering
S1(config-vlan)#exit
S1(config)#spanning-tree vlan 1,100,200 root primary 
S1(config)#

S3

Switch(config)#hostname S3
S3(config)#line con 0
S3(config-line)#logging sync
S3(config-line)#int range fa0/1 - 4
S3(config-if-range)#switchport trunk encaps dot1q
S3(config-if-range)#switchport mode trunk
S3(config-if-range)#int range fa0/1 - 2
S3(config-if-range)#channel-protocol pagp
S3(config-if-range)#channel-group 1 mode desirable 
Creating a port-channel interface Port-channel 1
3(config-if-range)#int range fa0/3 - 4
S3(config-if-range)#channel-protocol pagp
S3(config-if-range)#channel-group 2 mode auto
Creating a port-channel interface Port-channel 2
S3(config-if-range)#exit
S3(config)#vtp domain Cisco
Domain name already set to Cisco.
S3(config)#vtp mode client
Setting device to VTP CLIENT mode.

S2

Switch(config)#hostname S2
S2(config)#int range fa0/1 - 4
S2(config-if-range)#switchport mode trunk
S2(config-if-range)#int range fa0/1 - 2
S2(config-if-range)#channel-protocol pagp
S2(config-if-range)#channel-group 1 mode auto
Creating a port-channel interface Port-channel 1
S2(config-if-range)#int range fa0/3 - 4
S2(config-if-range)#channel-protocol pagp
S2(config-if-range)#channel-group 2 mode auto
Creating a port-channel interface Port-channel 2
S2(config-if-range)#exit
S2(config)#vtp mode client
Setting device to VTP CLIENT mode.
S2(config)#vtp domain Cisco
Domain name already set to Cisco.
S2#sh etherchannel summary
Flags: D - down P - bundled in port-channel
 I - stand-alone s - suspended
 H - Hot-standby (LACP only)
 R - Layer3 S - Layer2
 U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
 u - unsuitable for bundling
 w - waiting to be aggregated
 d - default port

Number of channel-groups in use: 2
Number of aggregators: 2
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) PAgP Fa0/1(P) Fa0/2(P) 
2 Po2(SU) PAgP Fa0/3(P) Fa0/4(P)
S3#sh etherchannel summary
Flags: D - down P - bundled in port-channel
 I - stand-alone s - suspended
 H - Hot-standby (LACP only)
 R - Layer3 S - Layer2
 U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
 u - unsuitable for bundling
 w - waiting to be aggregated
 d - default port

Number of channel-groups in use: 2
Number of aggregators: 2
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) PAgP Fa0/1(P) Fa0/2(P) 
2 Po2(SU) PAgP Fa0/3(P) Fa0/4(P)

Allt ok så långt!

Så då återstår det bara att konfa upp lite L3 SVI’s, vilket är oerhört enkelt egentligen.

S1(config)#interface vlan 1
S1(config-if)#ip add 172.16.1.1 255.255.255.0
S1(config-if)#no shut
S1(config-if)#interface vlan 100
S1(config-if)#ip add 172.16.100.1 255.255.255.0
S1(config-if)#no shut
S1(config-if)#interface vlan 200
S1(config-if)#ip add 172.16.200.1 255.255.255.0
S1(config-if)#no shut
S1(config-if)#exit

Lätt att glömma är att vi även måste aktivera routing-funktionen i switchen!

S1(config)#ip routing

Vi har ju tyvärr ingen host att testa med nu men vi kan åtminstone dra en ping från S3 till något av S1’s vlan.

S3(config)#int vlan 1
S3(config-if)#ip add 172.16.1.3 255.255.255.0
S3(config-if)#no shut
S3(config-if)#exit
S3(config)#ip default-gateway 172.16.1.1
S3(config)#do ping 172.16.200.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.200.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/203/1007 ms

Vackert.

Om vi tar en titt i CEF-table för 172.16.1.3 kan vi se följande:

S1#sh ip cef 172.16.1.3 detail
 172.16.1.3/32, epoch 2, flags attached
 Adj source: IP adj out of Vlan1, addr 172.16.1.3 038C1420
 Dependent covered prefix type adjfib cover 172.16.1.0/24
 attached to Vlan1

Och switchen har även ett entry i adjacency-table med L2-information för nexthop (S3):

S1#sh adjacency detail
Protocol Interface Address
IP Vlan1 172.16.1.3(8)
0 packets, 0 bytes
epoch 0
sourced in sev-epoch 0
Encap length 14
0014A8899CC00024C33F9EC00800
L2 destination address byte offset 0
L2 destination address byte length 6
Link-type after encap: ip
ARP