Fellow packet herders. I have set myself a challenge lab encompassing some stuff I have learned. I feel it’s time to challenge myself in the public arena and post the results. I am aiming to find some time this week to hit this out. I am looking to be a little busy with wedding preparations but I do have some down time nights that I am going to attempt to lab this out.

SW-A and SW-B are Cisco 3560-x and SW-C and SW-D are 2960S. All four are 48 ports. Just adjust the requirements of interface ranges to match your hardware.

 

 

Switch Placement

• Switch A and B are distribution
• Switch C and D are access
• Any two ethernet devices will act as hosts to test security

Initial Connectivity

• All links to be cabled as per the diagram
• Configure Gi0/7-8 and Gi0/11-12 on each switch using a IEEE trunking standard.
• Gi0/9-10 on all switches should use ISL. DTP frames must not be sent.
• These same links need to provide more bandwidth. Bundle these using a proprietary method
• Distribution switches must handle negotiation of these interfaces.
• Enforce bundle protocol

VLAN & VTP

• Create a Vlan Trunking Protocol domain called Cisco-Inferno
• Set the mode to server for SW-A. Set all others as clients
• Create a VTP password and ensure version 2 is used.
• Create the Following VLANS

• Vlan 10 Servers 10.0.10.0/24
• Vlan 20 Storage 10.0.20.0/24
• Vlan 30 LWAPP 10.0.30.0/24
• Vlan 40 Desktop 10.0.40.0/24
• Vlan 50 Wireless 10.0.50.0/24
• Vlan 100 Management 10.0.100.0/24

• Assign names to the VLANS
• Assign IP address to each device from the Management VLAN.

 

Spanning-Tree and L2 Redundancy

• Enable 802.1w mode of Spanning-Tree
• Set Vlan 10,20,100 on SW-A to be Root Bridge and make them Secondary on SW-B
• Set Vlan 30,40,50 on SW-B to be Root Bridge and make them Secondary on SW-A

Layer 3

• Create SVI’s for VLANs 10,20,30,40,50 using the IP address of 10.0.x.2 (x= VLAN number) on SW-A
• Create SVI’s for VLANs 10,20,30,40,50 using the IP address of 10.0.x.3 (x= VLAN number) on SW-B
• Convert the bundle between SW-A and SW-B (Gi0/11-12) to a L3 link. Use the address range of 10.0.5.0/30

 

Switch Security

Now that base connectivity has been established in out network it is time to implement some security and keep those pesky people out.

• Ports Gi0/24-40 should reside in VLAN 40. Ports Gi0/40-44 should be in VLAN 50. Apply this to SW-C/SW-D
• Enable across all access ports in VLAN 40 on SW-C/SW-D the ability to err disable if a BPDU is detected
• On SW-D enable port fast unconditionally across VLAN 40 and 50 ports
• On SW-C enable port fast in such a way it will loose its port fast status if a BPDU is received on VLAN 40 and 50 ports
• A lobby PC will be connected to Gi0/1 an Gi0/3. Enable the ability to learn the MAC Address dynamically and err disable the port if a different device is detected.
• Gi0/16-20 on SW-C/SW-D require up to 5 different devices to be learned before violating.
• Gi0/30 on SW-C needs a static assignment of the MAC 0000.000a.baba
• Gi0/30 on SW-D needs a static assignment of the MAC 0000.000b.cafe
• Block access from VLAN 40 and 50 into VLAN 100

 

High Availability

This network requires a strong level of uptime and the time has come to implement some HA technologies.

• You are to use a proprietary standby protocol
• SW-A and SW-B will be supporting each other in a HA setup. Virtual IP addresses are to be 10.0.x.1/24 of each VLAN.
• Group Numbers should represent VLAN numbers
• Follow good design principals when implementing HA – Think how L2 STP is placed.
• If SW-A is active, SW-B should be standby. Visa Versa.
• Ensure that if a switch goes down and comes back up that it regains it’s active status.