Fellow packet herders. I have set myself a challenge lab encompassing some stuff I have learned. I feel it’s time to challenge myself in the public arena and post the results. I am aiming to find some time this week to hit this out. I am looking to be a little busy with wedding preparations but I do have some down time nights that I am going to attempt to lab this out.
SW-A and SW-B are Cisco 3560-x and SW-C and SW-D are 2960S. All four are 48 ports. Just adjust the requirements of interface ranges to match your hardware.
- Switch A and B are distribution
- Switch C and D are access
- Any two ethernet devices will act as hosts to test security
- All links to be cabled as per the diagram
- Configure Gi0/7-8 and Gi0/11-12 on each switch using a IEEE trunking standard.
- Gi0/9-10 on all switches should use ISL. DTP frames must not be sent.
- These same links need to provide more bandwidth. Bundle these using a proprietary method
- Distribution switches must handle negotiation of these interfaces.
- Enforce bundle protocol
VLAN & VTP
- Create a Vlan Trunking Protocol domain called Cisco-Inferno
- Set the mode to server for SW-A. Set all others as clients
- Create a VTP password and ensure version 2 is used.
- Create the Following VLANS
- Vlan 10 Servers 10.0.10.0/24
- Vlan 20 Storage 10.0.20.0/24
- Vlan 30 LWAPP 10.0.30.0/24
- Vlan 40 Desktop 10.0.40.0/24
- Vlan 50 Wireless 10.0.50.0/24
- Vlan 100 Management 10.0.100.0/24
- Assign names to the VLANS
- Assign IP address to each device from the Management VLAN.
Spanning-Tree and L2 Redundancy
- Enable 802.1w mode of Spanning-Tree
- Set Vlan 10,20,100 on SW-A to be Root Bridge and make them Secondary on SW-B
- Set Vlan 30,40,50 on SW-B to be Root Bridge and make them Secondary on SW-A
- Create SVI’s for VLANs 10,20,30,40,50 using the IP address of 10.0.x.2 (x= VLAN number) on SW-A
- Create SVI’s for VLANs 10,20,30,40,50 using the IP address of 10.0.x.3 (x= VLAN number) on SW-B
- Convert the bundle between SW-A and SW-B (Gi0/11-12) to a L3 link. Use the address range of 10.0.5.0/30
Now that base connectivity has been established in out network it is time to implement some security and keep those pesky people out.
- Ports Gi0/24-40 should reside in VLAN 40. Ports Gi0/40-44 should be in VLAN 50. Apply this to SW-C/SW-D
- Enable across all access ports in VLAN 40 on SW-C/SW-D the ability to err disable if a BPDU is detected
- On SW-D enable port fast unconditionally across VLAN 40 and 50 ports
- On SW-C enable port fast in such a way it will loose its port fast status if a BPDU is received on VLAN 40 and 50 ports
- A lobby PC will be connected to Gi0/1 an Gi0/3. Enable the ability to learn the MAC Address dynamically and err disable the port if a different device is detected.
- Gi0/16-20 on SW-C/SW-D require up to 5 different devices to be learned before violating.
- Gi0/30 on SW-C needs a static assignment of the MAC 0000.000a.baba
- Gi0/30 on SW-D needs a static assignment of the MAC 0000.000b.cafe
- Block access from VLAN 40 and 50 into VLAN 100
This network requires a strong level of uptime and the time has come to implement some HA technologies.
- You are to use a proprietary standby protocol
- SW-A and SW-B will be supporting each other in a HA setup. Virtual IP addresses are to be 10.0.x.1/24 of each VLAN.
- Group Numbers should represent VLAN numbers
- Follow good design principals when implementing HA – Think how L2 STP is placed.
- If SW-A is active, SW-B should be standby. Visa Versa.
- Ensure that if a switch goes down and comes back up that it regains it’s active status.