Monday, January 18, 2010

BCMSN Lab - Basic Switch Configuration II [CCNA Rev]

Step 2 - Base Configuration - Security: VLAN's and Remote Management: IP Connectivity

Steps towards creating a VLAN:

(1) Create ports - Establish 'access' ports and 'trunk' ports depending upon the design of the network. (Make sure no ports are left unassigned and that all are 'hardcoded'. Only those ports connected to another switch should be hardcoded as trunks.)

(2) Create VLAN's - create the VLAN's, name them, give them a description and an IP address. For best practice, try to assign an IP range that matches the VLAN number, or rather, try to pick a VLAN number that goes well with the IP range you have to work with. For example: vlan 10 = 192.168.10.0 255.255.255.0, vlan 20 = 192.168.20.0 ... and so on.

(3) Assign ports to VLAN's - Assign the appropriate access ports to the applicable VLAN's. Make sure all ports belong to a VLAN, including those that are unused (for security reasons and best practice). Send unused ports to a "Blackhole VLAN" (a term credited to the legendary Cisco guru - JC). A blackhole VLAN is basically where all the unused access ports get directed to, so even if someone connects their switch to a port, the port does light up but there won't be any signal and the user won't be able to do much, which makes it a lot more secure against the risk of VTP attacks, etc.

Do not set up the default gateway on the switch, as the BCMSN curriculum largely focuses on inter-VLAN routing and thus we'll make extensive use of 'L3 switching' in place of 'router on a stick'.
If we were to focus solely on the data layer and intra-VLAN switching, then we'd likely also have a standard default gateway set up on the switch, pointing towards the nearest intended outgoing router, and it would look something like the command: ip default-gateway 192.168.10.1

Configuration:

Also, since we're building our lab, I'll keep adding extra commands for 'best-practice' purposes, and with good reason. In this case, since I'll be working under interface configuration mode to assign ports, I will also hardcode the speed and duplex of each interface, as anything 'auto' is not really recommended and could be deemed potentially vulnerable towards a 'hack'. The 'speed' has to be configured before the duplex, by the way.

A 'show run' reveals that S1 has 15 FastEthernet ports, of which only one is connected to another switch. That port is Fa0/0, and thus interface fa0/0 will be the one hardcoded as a 'trunk' port.

S1#config t
S1(config)#int fa0/0
S1(config-if)#speed 100 (100 = 100 Mbps; speed first, then duplex)
S1(config-if)#duplex full
S1(config-if)#switchport trunk encapsulation dot1q (optional, see below)
S1(config-if)#switchport mode trunk
S1(config-if)#interface range fa0/1 - 15
S1(config-if-range)#speed 100
S1(config-if-range)#duplex full
S1(config-if-range)#switchport mode access
S1(config-if-range)#exit

A note on 'switchport trunk encapsulation dot1q': it is optional, and only needed if the switch has the feature of multiple tagging/trunking protocols. There are two such protocols. One is 802.1q, which is the industry standard, and the second is ISL, which is Cisco proprietary. I used to think the latter was only available on the higher-end 'enterprise' level Cisco switches, and that this was why the command didn't necessarily need to be typed on all Cisco switches. The actual reason is that ISL is being phased out of all Cisco switches nowadays, thus it's mostly the old Cisco gear, such as older Catalyst switches, that supports ISL and where the command may be required. Most new Cisco switches do not support ISL anymore and have no built-in feature for it. It's only the high-end switches for which Cisco still does, and that's only for legacy compatibility purposes. Also, 'trunking' is the Cisco term, whereas most other switching vendors use the term 'tagging'. I'll try to cover some theory on this in my next post, differentiating Cisco ISL and IEEE 802.1q.

Step two is to create the VLAN's. Before we jump onto that, we need to design our network. I intend to create the following VLAN's for my LAN:

VLAN 10 = ENGINEERING = 192.168.10.0 255.255.255.240 (/28: the lowest bit set in the last mask octet is worth 16, so subnets come in blocks of 16. The range is therefore 0 - 15, which in short gives 14 usable hosts, more than enough in this case.)
VLAN 20 = MARKETING = 192.168.20.0 255.255.255.240
VLAN 30 = SALES = 192.168.30.0 255.255.255.240

I haven't gone over those basic subnetting and CIDR skills, as you are expected to know this at the CCNP level, considering subnetting was part of the CCENT curriculum and VLSM part of CCNA.

I basically didn't want to use up the whole 192.168.10.x subnet and waste all those addresses, as I don't intend to have anything close to 254 hosts, hence I didn't use the 255.255.255.0 subnet mask. Around 2 to 7 hosts is what I intend to have here. But always remember that whenever you are performing VLSM 'in the real world', try to keep room to spare and leave a few addresses free, so that if your organisation grows in the future you don't have to restructure and redesign your whole network from scratch. In theory, however, as in when it comes to 'giving exams' (this is for all the CCNA's out there), you definitely want to waste as few addresses as possible (preferably none whenever possible).

S1(config)#vlan 10
S1(config-vlan)#name ENGINEERING
S1(config-vlan)#exit
S1(config)#vlan 20
S1(config-vlan)#name MARKETING
S1(config-vlan)#vlan 30
S1(config-vlan)#name SALES
S1(config-vlan)#exit

The next step is to configure each VLAN interface with an IP address:

S1(config)#int vlan 10
S1(config-if)#desc ENGINEERING_VLAN
S1(config-if)#ip address 192.168.10.1 255.255.255.240
S1(config-if)#no shutdown

S1(config-if)#int vlan 20
S1(config-if)#desc MARKETING_VLAN
S1(config-if)#ip address 192.168.20.1 255.255.255.240
S1(config-if)#no shutdown

S1(config-if)#int vlan 30
S1(config-if)#desc SALES_VLAN
S1(config-if)#ip address 192.168.30.1 255.255.255.240
S1(config-if)#no shutdown
S1(config-if)#exit

The final step is to assign ports to the applicable VLAN interface.

Keeping in mind that I intend to do some inter-VLAN routing in my virtual project lab, the design I have in mind is one where I achieve this with the least amount of configuration effort. The strategy is as follows:

Each switch (S1, S2 and S3) will have all three VLAN's. Each VLAN is tied to a specific port that is the same on every switch, so that a given port such as fa0/3 is assigned to the same VLAN (e.g. Engineering) on all three switches. This makes configuration easier, as the same config can simply be copy-pasted to each switch.

Fa0/5 = ENGINEERING VLAN, Fa0/6 = MARKETING VLAN and Fa0/7 = SALES VLAN.

S1(config)#int fa0/5
S1(config-if)#switchport access vlan 10
S1(config-if)#int fa0/6
S1(config-if)#switchport access vlan 20
S1(config-if)#int fa0/7
S1(config-if)#switchport access vlan 30
S1(config-if)#^c
S1#copy run star
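Step 3 above says every unused port should go to the blackhole VLAN, but the S1 config so far only touches fa0/5 - 7 and leaves the remaining access ports in VLAN 1. The following is an added example, not from the original post; it assumes VLAN 999 is free to use as the blackhole VLAN and that fa0/1 - 4 and fa0/8 - 15 on S1 have nothing plugged into them.

```cisco
! Added example (not from the original post). Assumptions: VLAN 999 is unused
! anywhere in the lab, and fa0/1-4 and fa0/8-15 on S1 are unused ports.
S1#config t
S1(config)#vlan 999
S1(config-vlan)#name BLACKHOLE
S1(config-vlan)#exit
!
! Unused access ports: park them in the blackhole VLAN and shut them down.
! 'switchport nonegotiate' stops the port from negotiating a trunk with
! whatever gets plugged in later, so it stays exactly what we hardcoded.
S1(config)#interface range fa0/1 - 4 , fa0/8 - 15
S1(config-if-range)#switchport mode access
S1(config-if-range)#switchport access vlan 999
S1(config-if-range)#switchport nonegotiate
S1(config-if-range)#shutdown
S1(config-if-range)#exit
!
! The in-use access ports from the post, with negotiation turned off too.
S1(config)#interface range fa0/5 - 7
S1(config-if-range)#switchport nonegotiate
S1(config-if-range)#exit
!
! The one real trunk: already hardcoded, so negotiation is not needed there either.
S1(config)#interface fa0/0
S1(config-if)#switchport nonegotiate
S1(config-if)#end
S1#copy running-config startup-config
!
! Verification: every port should appear under VLAN 10, 20, 30 or 999 in the
! first output, and only fa0/0 should appear in the second.
S1#show vlan brief
S1#show interfaces trunk
```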

The next step is to configure VTP in the right manner, so as to ease our work as network admins and not have to manually create those three VLAN's on every switch.

When it comes to assigning ports to each VLAN, in this case I have specifically designed my LAN so that I intend to have the same VLAN set-up on each switch, which means I can simply copy-paste the config onto the other two switches. This greatly reduces the time and effort involved.

Next stop: vtp ...
