Agenda: Layer2-lab.txt

File Layer2-lab.txt, 18.7 KB (added by Perez Matsiko, 6 years ago)
% Layer 2 Network Design Lab

\pagebreak

# Part 1

## Introduction

The purpose of these exercises is to build Layer 2 (switched) networks
utilizing the concepts explained in today's design presentations. Students
will see how star topology, aggregation, virtual LANs, Spanning Tree
Protocol, etc. are put to work.

There will be 5 groups of students, with 6 switches per group.  The
distribution of IP address space for the building (Layer 2) networks will be
as follows:

Group   IPv4 Block        IPv6 Block
-----   -------------     --------------
1       10.110.0.0/16     fd00:110::/32
2       10.120.0.0/16     fd00:120::/32
3       10.130.0.0/16     fd00:130::/32
4       10.140.0.0/16     fd00:140::/32
5       10.150.0.0/16     fd00:150::/32

Each group will then further partition their space like this:

IPv4                 IPv6                    Description
--------------       -----------------       -----------------------------
10.1X0.1.0/24        fd00:1X0:1:1::/64       Core Network
10.1X0.10.0/24       fd00:1X0:a::/64         Router Loopback Subnet
10.1X0.64.0/24       fd00:1X0:2:64::/64      ECS Data Subnet (VLAN 64)
10.1X0.65.0/24       fd00:1X0:2:65::/64      ECS VOIP Subnet (VLAN 65)
10.1X0.254.0/24      fd00:1X0:2:FE::/64      ECS MGMT Subnet (VLAN 254)
10.1X0.74.0/24       fd00:1X0:2:74::/64      LIB Data Subnet (VLAN 74)
10.1X0.75.0/24       fd00:1X0:2:75::/64      LIB VOIP Subnet (VLAN 75)
10.1X0.255.0/24      fd00:1X0:2:FF::/64      LIB MGMT Subnet (VLAN 255)

X is your group number (1, 2, 3, 4 or 5).

### Using private address space

We are using private address space for the exercises - we recommend
using public address space in campus networks wherever possible.

### Switch types used in the lab

Cisco 3725 with 16 Port 10BaseT/100BaseTX EtherSwitch (NM-16ESW) module

*Note: This Cisco model is actually a router, but the 16-port module provides
basic Layer-2 capabilities, and we will use these as switches. Dynamips does
not support the emulation of the Cisco Catalyst class of switches, unfortunately.*

\pagebreak

## Hierarchical, redundant network

![Lab topology](SwitchingLab.png)

Our building network consists of two backbone switches each with two edge
switches. The backbone switches connect to the core of our campus network
and serve as aggregation points for all the edge switches. Edge switches serve
the end users. Each edge switch has a connection to its backbone switch.

Switches BB11, SW11 and SW12 are used to represent one campus
department, Engineering and Computer Science, and switches BB12, SW13
and SW14 represent the Library. We will also use the abbreviations ECS and
LIB in the notes.

### Lab access instructions

Refer to the file called [dynamips-access-instructions.txt]()

## Basic Switch Configuration

We've set up the switches in the lab with a very basic setup:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
hostname BB11
!
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa session-id common
!
no logging console
logging buffered 8192 debugging
ipv6 unicast-routing
no ip domain-lookup

username nsrc secret nsrc
enable secret nsrc
service password-encryption

line con 0
  exec-timeout 0 0
  transport preferred none
  stopbits 1
line aux 0
  exec-timeout 0 0
  stopbits 1
line vty 0 4
  transport preferred none
  exec-timeout 0 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You could have used these instructions to configure each switch:

1. Name the switch

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    enable
    config terminal
    hostname <NAME>
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2. Configure Authentication

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    aaa new-model
    aaa authentication login default local
    aaa authentication enable default enable
    aaa session-id common
    username nsrc secret nsrc
    enable secret nsrc
    service password-encryption
    line vty 0 4
      transport preferred none
    line console 0
      transport preferred none
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3. Configure logging

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    no logging console
    logging buffered 8192 debugging
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

4. Disable DNS resolution

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    no ip domain-lookup
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

5. Turn on IPv6

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ipv6 unicast-routing
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

6. Exit configuration mode and save

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    end
    write memory
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


### IP Address Configuration

1. Assign each switch different IP addresses as follows:

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    int vlan 1
      ip address 10.1X0.33.Y 255.255.255.0
      ipv6 address fd00:1X0:2:33::Y/64
      no shut
    end
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Replace the "X" with your group number and replace "Y" like this:

     ECS switches:

     BBX1: 10.1X0.33.4 and fd00:1X0:2:33::4
     SWX1: 10.1X0.33.6 and fd00:1X0:2:33::5
     SWX2: 10.1X0.33.7 and fd00:1X0:2:33::6

     LIB switches:

     BBX2: 10.1X0.33.5 and fd00:1X0:2:33::7
     SWX3: 10.1X0.33.8 and fd00:1X0:2:33::8
     SWX4: 10.1X0.33.9 and fd00:1X0:2:33::9

Verify connectivity by pinging each switch. Do not continue until you
can ping each switch from every other switch in the group.

HINT: If ping fails, but the configuration seems OK, try doing the following:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
int vlan 1
 shutdown
 no shutdown
end
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(this is not normal, but most likely a bug in the IOS code somewhere)

## Spanning Tree Protocol

### STP Status

Run the following commands on each switch and pay close attention to the output:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
show spanning-tree brief
show spanning-tree blockedports
show spanning-tree
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

a. What is the priority on each switch?

b. Which switch is the root? Why?

c. Which ports are blocked? Why?

### STP Configuration

1. Configure the STP priorities explicitly for each switch, according
to the plan in Appendix A.

For example, on BB11:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
BB11(config)#spanning-tree vlan 1 priority 12288
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2. Verify:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
show spanning-tree brief
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Why is it so important to set the priorities explicitly?

### Disabling STP

We are now going to disable spanning tree to see what effect it has.

*WARNING: Disabling spanning tree has a significant effect on the Dynamips
server's CPU load. For this reason, we cannot have all groups disable
spanning tree at the same time. We will take turns.*


**ASK THE INSTRUCTOR BEFORE DISABLING STP!!!**


When you get the go-ahead from the instructor, execute the following
on each of the LIB switches:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
no spanning-tree vlan 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Can the switches ping each other reliably now? Why?

Watch the port counters on the inter-switch links.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
show interfaces stats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What happens with the counters of the connected interfaces?
What is going on?

Very quickly enable STP again on all switches:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
spanning-tree vlan 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

### Simulate a backbone failure

1. Disconnect BBX1 from the rest of the network:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
interface range fastEthernet 1/13 - 15
 shutdown
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

While it is cut off from the rest, verify spanning tree status on the
other switches.

a. Who is the root now?

b. Verify port roles and status.  Verify connectivity with ping.

2. Reconnect BBX1:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
interface range fastEthernet 1/13 - 15
 no shutdown
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What happens to the spanning tree when the switch comes back online?

# Part 2

## VLANs

We now want to segment the network to separate end-user traffic from VOIP and
network management traffic. Each of these segments will be a separate subnet.

### Configure the switches with separate DATA, VOIP and MGMT VLANs for ECS and LIB

VTP (VLAN Trunking Protocol) is a proprietary Cisco technology that allows
for dynamic VLAN provisioning. We will not use it here.

1. Disable VTP by setting it to 'transparent mode':

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
vtp mode transparent
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2. Add the VLANs to the VLAN database and give them names to better identify them:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
vlan 64
 name ECS DATA
vlan 65
 name ECS VOIP
vlan 254
 name ECS MGMT

vlan 74
 name LIB DATA
vlan 75
 name LIB VOIP
vlan 255
 name LIB MGMT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3. Move the IP address to the MGMT vlan (notice the new subnet octets
"254" and "255"):

On the ECS switches BB11, SW11 and SW12:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
interface vlan 1
 no ip address
 no ipv6 address
interface vlan 254
 ip address 10.1X0.254.Y 255.255.255.0
 ipv6 address fd00:1X0:2:254::Y/64
ip default-gateway 10.1X0.254.2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On the LIB switches BB12, SW13 and SW14:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
interface vlan 1
 no ip address
 no ipv6 address
interface vlan 255
 ip address 10.1X0.255.Y 255.255.255.0
 ipv6 address fd00:1X0:2:255::Y/64
ip default-gateway 10.1X0.255.2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Verify connectivity between switches. Can you ping? What's missing?

4. Configure trunk ports. Do the following for each port that needs
to tag VLAN frames:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
interface FastEthernet1/14
 ! set the encapsulation before changing the port mode to trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Note: Check Figure 1 to see which ports you need to modify. BBX1 and
BBX2 are each connected to the RX2 router on Fast1/0. This port also needs
to be a trunk.

Try pinging within the ECS and LIB switches again. It should work now.

5. Designate 5 edge ports each for ECS DATA and VOIP VLAN access:

On SWX1 and SWX2 only:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
interface range Fast1/1 - 5
 switchport mode access
 switchport access vlan 64
!
interface range Fast1/6 - 10
 switchport mode access
 switchport access vlan 65
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Designate 5 edge ports each for LIB DATA and VOIP VLAN access:

On SWX3 and SWX4 only:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
interface range Fast1/1 - 5
 switchport mode access
 switchport access vlan 74
!
interface range Fast1/6 - 10
 switchport mode access
 switchport access vlan 75
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Verify which ports are members (access or trunk) of each VLAN:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
show vlan-switch id <VLAN ID>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Imagine that there are computers connected to the DATA vlan. Would they be able
to ping the switch? Explain your response.
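What the access and trunk settings above actually do to a frame, as an added Python example (not code from the lab): it parses the 802.1Q tag and classifies the ingress VLAN the way a switch port would, which is what decides the DATA-VLAN ping question. The port names, MAC addresses, the trunk's allowed-VLAN set and the simplified access-port rule (tagged frames dropped) are assumptions.

```python
# 802.1Q tag parsing and ingress VLAN classification; an added illustration
# of the trunk/access settings above, not code from the lab.
import struct
from typing import Optional

TPID_8021Q = 0x8100
NATIVE_VLAN = 1      # IOS default native VLAN on a dot1q trunk (untagged frames)

def parse_frame(frame: bytes) -> dict:
    """Split an Ethernet frame into dst, src, optional 802.1Q VID and EtherType."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = None
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid = tci & 0x0FFF           # VID is the low 12 bits; PCP/DEI ignored here
    return {"dst": dst, "src": src, "vid": vid, "ethertype": ethertype}

def ingress_vlan(port: dict, frame: bytes) -> Optional[int]:
    """VLAN the frame is switched in for this port's switchport config,
    or None if the port drops it."""
    vid = parse_frame(frame)["vid"]
    if port["mode"] == "access":
        # Simplification (assumed): an access port takes untagged frames only.
        return port["vlan"] if vid is None else None
    if vid is None:                      # trunk: untagged -> native VLAN
        return NATIVE_VLAN
    return vid if vid in port["allowed"] else None

def build_frame(dst: str, src: str, ethertype: int, vid: Optional[int] = None,
                payload: bytes = b"") -> bytes:
    """Constructed test frame; inserts a dot1q tag when vid is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid)
    return hdr + struct.pack("!H", ethertype) + payload

# Ports as configured in steps 4 and 5 on SWX1 (allowed-VLAN set is assumed).
FA1_1 = {"mode": "access", "vlan": 64}                     # ECS DATA edge port
FA1_14 = {"mode": "trunk", "allowed": {1, 64, 65, 254}}    # uplink to BBX1
SWITCH_MGMT_VLAN = 254                                     # where the SVI lives

PC, BCAST = "00:1b:54:aa:00:01", "ff:ff:ff:ff:ff:ff"       # constructed MACs
ETH_ARP = 0x0806

def pc_on_data_vlan_reaches_svi() -> bool:
    """A PC on Fa1/1 broadcasts an ARP request for the switch's management
    address. It only gets there if the frame lands in the SVI's VLAN."""
    return ingress_vlan(FA1_1, build_frame(BCAST, PC, ETH_ARP)) == SWITCH_MGMT_VLAN
```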

## Verify the Spanning Tree status

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
show spanning-tree brief
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Notice the root and bridge priorities on each VLAN (1, 64, 65, 74, 75, 254, 255). Are they the same?

This is called "Per-VLAN spanning tree", or PVST. This means that the switches are
creating 7 separate trees, each with its own parameters, status,
calculations, etc.

Use the commands in Appendix B to configure the PVST priorities, then check the root and bridge
priorities again.

*Note: Imagine if you had several hundred VLANs! This is certainly not ideal. There are
better standards, like "Multiple Spanning Tree" (MST), that allow the administrator
to create only the desired number of trees, and map groups of VLANs to each tree.
Unfortunately, this Cisco device does not support MST.*

## STP Extended Features

### PortFast

PortFast is a feature that allows end-user stations to be granted instant access
to the L2 network. Instead of starting at the bottom of the
Blocking-Listening-Learning-Forwarding hierarchy of states (30 seconds!), PortFast
starts at the top. The port starts in Forwarding state, and if a loop is detected,
STP does all its calculations and blocks the necessary ports. This feature should
only be applied to ports that connect end-user stations.

1. Configure end-user ports to be in PortFast mode:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
interface range fast1/1 - 10
 spanning-tree portfast
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

### BPDUGuard

With PortFast, end-user ports still participate in STP. That means that anything
connected to those ports can send BPDUs and participate in (and affect the status of)
the spanning tree calculations. For example, if the device connected to the edge port
is configured with a lower bridge priority, it becomes the root switch and the tree
topology becomes suboptimal.

Another useful Cisco feature that avoids this situation is BPDUGuard. When a BPDU
is received on a port that has PortFast configured, BPDU guard shuts that port
down (err-disabled state).

1. Enable BPDUGuard on all ports with PortFast enabled:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
spanning-tree portfast bpduguard
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
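The root election behind the earlier question (why set priorities explicitly), the per-VLAN roots of Appendix B, and the rogue-root scenario that BPDU guard prevents, as an added Python model that is not part of the lab. The MAC addresses are constructed sample values, the rogue device name is hypothetical, and BB12's priority of 16384 on VLAN 1 (Appendix A's "Redundant Backbones") is an assumption, since the lab does not state it.

```python
# 802.1D / PVST root election model; an added illustration, not lab code.
# MAC addresses are constructed sample values.
from dataclasses import dataclass, field

DEFAULT_PRIORITY = 32768            # IOS default bridge priority

@dataclass
class Bridge:
    name: str
    mac: str
    priorities: dict = field(default_factory=dict)   # vlan -> configured priority

    def bridge_id(self, vlan: int) -> tuple:
        """Comparable bridge ID (priority, MAC); the lowest wins the election.
        IOS adds the VLAN number to the priority field (extended system ID),
        which does not change the ordering within one VLAN."""
        prio = self.priorities.get(vlan, DEFAULT_PRIORITY)
        if prio % 4096:
            raise ValueError(f"{self.name}: priority must be a multiple of 4096")
        return (prio, int(self.mac.replace(":", ""), 16))

def elect_root(bridges, vlan: int) -> str:
    """Name of the bridge that becomes root for this VLAN."""
    return min(bridges, key=lambda b: b.bridge_id(vlan)).name

def with_bpduguard(bridges, guarded_edge_devices):
    """BPDU guard err-disables a PortFast port on the first BPDU it receives,
    so devices behind guarded edge ports never enter the election."""
    return [b for b in bridges if b.name not in guarded_edge_devices]

# Priorities from Appendix A/B. BB12 at 16384 on VLAN 1 ("Redundant
# Backbones") is an assumption; the lab leaves it unstated.
ECS = {1: 12288, 64: 12288, 65: 12288, 254: 12288}
LIB = {1: 16384, 74: 12288, 75: 12288, 255: 12288}
EDGE = {v: 24576 for v in (1, 64, 65, 74, 75, 254, 255)}

PLANNED = [
    Bridge("BB11", "00:1b:54:aa:11:01", ECS),
    Bridge("SW11", "00:1b:54:aa:11:02", EDGE),
    Bridge("SW12", "00:1b:54:aa:11:03", EDGE),
    Bridge("BB12", "00:1b:54:aa:12:01", LIB),
    Bridge("SW13", "00:1b:54:aa:12:02", EDGE),
    Bridge("SW14", "00:1b:54:aa:00:0e", EDGE),    # lowest MAC in the group
]
UNPLANNED = [Bridge(b.name, b.mac) for b in PLANNED]   # everything at 32768

# Hypothetical device on an edge port that sends BPDUs with priority 0.
ROGUE = Bridge("rogue-on-SW12-Fa1/3", "00:1b:54:ff:00:01", {v: 0 for v in EDGE})

def scenarios() -> dict:
    return {
        "default_vlan1": elect_root(UNPLANNED, 1),    # SW14: an edge switch is root
        "planned_vlan1": elect_root(PLANNED, 1),      # BB11
        "planned_vlan74": elect_root(PLANNED, 74),    # BB12: PVST, one root per VLAN
        "rogue_no_guard": elect_root(PLANNED + [ROGUE], 64),
        "rogue_with_guard": elect_root(
            with_bpduguard(PLANNED + [ROGUE], {ROGUE.name}), 64),
    }

if __name__ == "__main__":
    for name, root in scenarios().items():
        print(f"{name:17} root = {root}")
```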

## Port Bundling

We now want more capacity and link redundancy between a backbone and
an edge switch.

1. Configure a Port Channel between BBX1 and SWX1:

On each switch:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
interface port-channel 1
 description BBX1-SWX1 aggregate link
!
interface range fast1/13 - 14
 channel-group 1 mode on
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2. Verify the status:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
show interface port-channel 1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What capacity do you have now on the new trunk?
Hint: Look for the line that says BW ... Kbit/sec

3. Disable one of the ports in the bundle.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
interface fast 1/13
 shutdown
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Is the channel still up?

4. Enable it again:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
interface fast 1/13
 no shutdown
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*Note: There is a standard protocol for port bundling. It's called "LACP"
(Link Aggregation Control Protocol). This particular Cisco device does
not support LACP, so these port channels are actually using a proprietary
Cisco protocol called "EtherChannel". All modern switches support LACP, so
we strongly recommend using it, instead of any proprietary versions.*

\pagebreak

# Reference

## Appendix A - Spanning Tree Configuration

Refer to this priority table below for the appropriate priorities on each
switch.

---------------------------------------------------------------------------
Priority   Description               Notes
--------   -----------------------   --------------------------------------
0          Core Node                 The core switches/routers will not be
                                     participating in STP... reserved in
                                     case they ever are

4096       Redundant Core Node       Ditto

8192       Reserved

12288      **Building Backbone**

16384      Redundant Backbones

20480      Secondary Backbone        This is for building complexes, where
                                     there are separate building (secondary)
                                     backbones that terminate at the complex
                                     backbone.

24576      **Access Switches**       This is the normal edge-device priority

28672      Access Switches           Used for access switches that are
                                     daisy-chained from another access switch.
                                     We're using this terminology instead of
                                     "aggregation switch" because it's hard to
                                     define when a switch stops being an
                                     access switch and becomes an
                                     aggregation switch.

32768      Default                   No managed network devices should have
                                     this priority.
---------------------------------------------------------------------------

Table: Priority Table


\pagebreak


## Appendix B - Configuring PVST priorities

1. Configure BBX1 as the root switch for VLANs 64, 65 and 254 and BBX2 as the root switch
for VLANs 74, 75 and 255.

On BBX1:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
spanning-tree vlan 64 priority 12288
spanning-tree vlan 65 priority 12288
spanning-tree vlan 254 priority 12288
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On BBX2:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
spanning-tree vlan 74 priority 12288
spanning-tree vlan 75 priority 12288
spanning-tree vlan 255 priority 12288
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On SWX1 and SWX2 (the ECS edge switches, VLANs 64, 65 and 254), the priorities are the same on every VLAN:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
spanning-tree vlan 64 priority 24576
spanning-tree vlan 65 priority 24576
spanning-tree vlan 254 priority 24576
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On SWX3 and SWX4, the priorities are the same on every VLAN:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
spanning-tree vlan 74 priority 24576
spanning-tree vlan 75 priority 24576
spanning-tree vlan 255 priority 24576
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2. Verify that the root switch is the correct one in all cases:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
show spanning-tree brief
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
611