Fellow packet herders. I have set myself a challenge lab encompassing some stuff I have learned. I feel it’s time to challenge myself in the public arena and post the results. I am aiming to find some time this week to hit this out. I am looking to be a little busy with wedding preparations, but I do have some down-time nights in which I am going to attempt to lab this out.

SW-A and SW-B are Cisco 3560-X switches and SW-C and SW-D are 2960S switches. All four are 48-port models. Just adjust the interface ranges in the requirements to match your hardware (note that the 2960S numbers its ports Gi1/0/x rather than Gi0/x).




Switch Placement

  • Switch A and B are distribution
  • Switch C and D are access
  • Any two Ethernet devices will act as hosts to test security

Initial Connectivity

  • All links to be cabled as per the diagram
  • Configure Gi0/7-8 and Gi0/11-12 on each switch using an IEEE trunking standard.
  • Gi0/9-10 on all switches should use ISL. DTP frames must not be sent.
  • These same links need to provide more bandwidth. Bundle them using a proprietary method.
  • The distribution switches must handle negotiation of these bundles.
  • Enforce the bundle protocol on the member interfaces.
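The connectivity requirements above, worked through as an added example for this page (it is not the author's answer key, which the post does not give). It shows SW-A as the distribution end and SW-C as the access end of the Gi0/9-10 bundle; the channel-group number 9 is an arbitrary choice. Two hardware caveats apply: the 2960S numbers its ports Gi1/0/x, and it supports 802.1Q only, so an ISL trunk is only possible on a link between the two 3560-X switches. Any Gi0/9-10 link that terminates on a 2960S has to stay 802.1Q.

```cisco
! SW-A (3560-X): 802.1Q trunks on Gi0/7-8 and Gi0/11-12.
! "switchport nonegotiate" is applied to every trunk here, not only Gi0/9-10,
! so that no port on the switch ever sends DTP (hardening beyond the lab text).
interface range GigabitEthernet0/7 - 8 , GigabitEthernet0/11 - 12
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
! SW-A: Gi0/9-10 as an ISL trunk with DTP suppressed, bundled with PAgP.
! The distribution side actively negotiates the bundle (desirable) and
! channel-protocol pins the group to PAgP so LACP modes are rejected.
interface range GigabitEthernet0/9 - 10
 switchport trunk encapsulation isl
 switchport mode trunk
 switchport nonegotiate
 channel-protocol pagp
 channel-group 9 mode desirable
!
! SW-C (2960S, ports are really Gi1/0/x). There is no
! "switchport trunk encapsulation" command on this platform: 802.1Q only.
interface range GigabitEthernet0/7 - 8 , GigabitEthernet0/11 - 12
 switchport mode trunk
 switchport nonegotiate
!
! SW-C: the access side only answers PAgP (auto); it never initiates
interface range GigabitEthernet0/9 - 10
 switchport mode trunk
 switchport nonegotiate
 channel-protocol pagp
 channel-group 9 mode auto
!
! Checks
! show interfaces trunk        -> encapsulation, mode and allowed VLANs per trunk
! show dtp interface Gi0/9     -> confirms DTP is off on the port
! show etherchannel summary    -> Po9 flagged (SU), both members flagged (P)
```

PAgP and DTP are separate protocols, so `switchport nonegotiate` does not stop the bundle from forming; it only stops the trunk itself from being negotiated. Keeping DTP off everywhere (and host ports in static access mode, which the security section needs anyway) is what prevents a host from negotiating a trunk for itself.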


  • Create a VLAN Trunking Protocol (VTP) domain called Cisco-Inferno
  • Set the mode to server for SW-A. Set all others as clients.
  • Create a VTP password and ensure version 2 is used.
  • Create the following VLANs:
    • Vlan 10 Servers
    • Vlan 20 Storage
    • Vlan 30 LWAPP
    • Vlan 40 Desktop
    • Vlan 50 Wireless
    • Vlan 100 Management
  • Assign names to the VLANs
  • Assign each switch an IP address from the Management VLAN.
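The VTP and VLAN requirements as an added example (again not the post's own solution). The password and the management addresses are placeholders: the page gives no management subnet, so 10.0.100.0/24 is assumed to follow the 10.0.x.0 pattern, with SW-A as .11, SW-B as .12, SW-C as .13 and SW-D as .14.

```cisco
! SW-A: VTP server for the domain. Version 2 is set on the server only;
! version-2-capable clients adopt it from the server's advertisements.
vtp domain Cisco-Inferno
vtp mode server
vtp version 2
vtp password Ch4ngeMe-VTP
!
! VLANs are created on the server only; clients learn them over the trunks
vlan 10
 name Servers
vlan 20
 name Storage
vlan 30
 name LWAPP
vlan 40
 name Desktop
vlan 50
 name Wireless
vlan 100
 name Management
!
! Management address (subnet assumed; one host address per switch)
interface Vlan100
 ip address 10.0.100.11 255.255.255.0
 no shutdown
!
! SW-B, SW-C, SW-D: clients in the same domain with the same password
vtp domain Cisco-Inferno
vtp mode client
vtp password Ch4ngeMe-VTP
interface Vlan100
 ip address 10.0.100.12 255.255.255.0
 no shutdown
!
! Checks
! show vtp status   -> domain, version, mode and "Configuration Revision"
! show vlan brief   -> all six VLANs present on every switch
```

The number to watch in `show vtp status` is the configuration revision. In VTP versions 1 and 2 a switch joining the domain with a higher revision than the server overwrites the VLAN database on every switch, including the server, and the password does not prevent that if the newcomer knows it (the password only feeds an MD5 digest over the advertisement; it is not encryption). Before cabling a switch that has been used elsewhere, set it to a different domain name or to transparent mode so its revision resets to 0.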


Spanning-Tree and L2 Redundancy

  • Enable the 802.1w (rapid) mode of Spanning Tree
  • Make SW-A the root bridge for VLANs 10, 20 and 100, with SW-B as the secondary root
  • Make SW-B the root bridge for VLANs 30, 40 and 50, with SW-A as the secondary root
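The spanning-tree placement as an added example, not the author's configuration:

```cisco
! All four switches: Rapid PVST+ (one 802.1w instance per VLAN)
spanning-tree mode rapid-pvst
!
! SW-A: root for 10, 20 and 100; backup root for 30, 40 and 50.
! "root primary" sets the priority to 24576 (or 4096 below the current root
! if that is already lower); "root secondary" sets 28672.
spanning-tree vlan 10,20,100 root primary
spanning-tree vlan 30,40,50 root secondary
!
! SW-B: the mirror image
spanning-tree vlan 30,40,50 root primary
spanning-tree vlan 10,20,100 root secondary
!
! Checks
! show spanning-tree root            -> root ID, cost and root port per VLAN on every switch
! show spanning-tree vlan 10 bridge  -> this switch's priority (24576 + VLAN ID on the root)
```

`root primary` is a one-shot macro: it reads the current root's priority once and sets a lower value, it does not track later changes. For a deterministic result set the priority explicitly (`spanning-tree vlan 10,20,100 priority 4096` on SW-A, `8192` on SW-B, and the reverse for 30, 40 and 50). To stop a device hanging off an access switch from taking the root role, `spanning-tree guard root` on the distribution switches' downlinks is the usual addition; the lab does not ask for it.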

Layer 3

  • Create SVIs for VLANs 10,20,30,40,50 on SW-A using the IP address 10.0.x.2 (x = VLAN number)
  • Create SVIs for VLANs 10,20,30,40,50 on SW-B using the IP address 10.0.x.3 (x = VLAN number)
  • Convert the bundle between SW-A and SW-B (Gi0/11-12) to an L3 link. Use the address range of
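The SVIs and the routed bundle as an added example (not the author's solution). The page's address range for the SW-A to SW-B link is cut off, so the /30 below is a placeholder from the 192.0.2.0/24 documentation range; substitute the lab's range. What the list does not spell out is the order of operations for a Layer 3 EtherChannel on the 3560-X: `ip routing` on, members made routed ports with `no switchport` before they are placed in the channel group, and the address on the port-channel itself, never on the members.

```cisco
! SW-A (SW-B is identical with .3 as the host octet and the other end of the /30)
ip routing
!
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
interface Vlan20
 ip address 10.0.20.2 255.255.255.0
interface Vlan30
 ip address 10.0.30.2 255.255.255.0
interface Vlan40
 ip address 10.0.40.2 255.255.255.0
interface Vlan50
 ip address 10.0.50.2 255.255.255.0
!
! Routed bundle to SW-B. "no switchport" turns the members into routed ports
! (and wipes the trunk settings from the earlier step); it must come before
! channel-group so that the port-channel is created as Layer 3.
interface range GigabitEthernet0/11 - 12
 no switchport
 no ip address
 channel-group 11 mode desirable
!
! Placeholder /30 (192.0.2.0/30 is reserved for documentation): use the lab's range
interface Port-channel11
 ip address 192.0.2.1 255.255.255.252
!
! Checks
! show ip interface brief       -> SVIs and Po11 up/up with their addresses
! show etherchannel 11 summary  -> Po11 flagged (RU): routed, in use
```

Once Gi0/11-12 is routed, VLAN traffic between SW-A and SW-B no longer crosses that link; each VLAN's Layer 2 path between the two distribution switches runs through the trunks on the access switches, which is why the STP root placement in the previous section matters.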


Switch Security

Now that base connectivity has been established in our network, it is time to implement some security and keep those pesky people out.

  • Ports Gi0/24-40 should reside in VLAN 40 and ports Gi0/40-44 in VLAN 50 (Gi0/40 falls in both ranges as written; a port has only one access VLAN, so treat the VLAN 40 range as Gi0/24-39). Apply this to SW-C/SW-D.
  • On all VLAN 40 access ports on SW-C/SW-D, err-disable the port if a BPDU is received.
  • On SW-D, enable PortFast unconditionally on the VLAN 40 and 50 ports.
  • On SW-C, enable PortFast on the VLAN 40 and 50 ports in such a way that a port loses its PortFast status if a BPDU is received.
  • A lobby PC will be connected to Gi0/1 and Gi0/3. Learn the MAC address dynamically and err-disable the port if a different device is detected.
  • Gi0/16-20 on SW-C/SW-D should allow up to 5 different devices to be learned before a violation occurs.
  • Gi0/30 on SW-C needs a static assignment of the MAC 0000.000a.baba
  • Gi0/30 on SW-D needs a static assignment of the MAC 0000.000b.cafe
  • Block access from VLANs 40 and 50 into VLAN 100
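The whole security section as an added example; it is not the author's configuration. Assumptions: the lobby ports Gi0/1 and Gi0/3 are on SW-C and SW-D (the list does not say which switch), the management subnet is 10.0.100.0/24, and the VLAN 40 range is Gi0/24-39 because Gi0/40 is also claimed by VLAN 50. The one ordering trap is that port security and a meaningful BPDU guard both need the port to be statically `access` first: on a port still in its default dynamic (DTP) mode, IOS rejects `switchport port-security` with "Command rejected: ... is a dynamic port".

```cisco
! SW-C and SW-D (2960S; written as Gi0/x to match the lab text, really Gi1/0/x)
!
! Access VLANs, with BPDU guard on the VLAN 40 ports
interface range GigabitEthernet0/24 - 39
 switchport mode access
 switchport access vlan 40
 spanning-tree bpduguard enable
interface range GigabitEthernet0/40 - 44
 switchport mode access
 switchport access vlan 50
!
! SW-D only: PortFast per interface on every VLAN 40/50 port
interface range GigabitEthernet0/24 - 44
 spanning-tree portfast
!
! SW-C only: PortFast through the global default, which applies to access
! ports; a port that receives a BPDU drops out of PortFast and runs normal STP
spanning-tree portfast default
!
! Lobby PC ports: learn one MAC and keep it in the running config (sticky);
! a frame from a second MAC err-disables the port
interface range GigabitEthernet0/1 , GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Up to five addresses before a violation
interface range GigabitEthernet0/16 - 20
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation shutdown
!
! Static MAC pinning (SW-C shown; SW-D uses 0000.000b.cafe)
interface GigabitEthernet0/30
 switchport port-security
 switchport port-security mac-address 0000.000a.baba
!
! Let err-disabled ports recover after five minutes; without this every
! violation needs a manual "shutdown / no shutdown" on the port
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! SW-A and SW-B (3560-X): block routed traffic from VLAN 40/50 into VLAN 100.
! Applied on both switches because either one can be the active gateway.
ip access-list extended BLOCK-TO-MGMT
 deny ip any 10.0.100.0 0.0.0.255
 permit ip any any
interface Vlan40
 ip access-group BLOCK-TO-MGMT in
interface Vlan50
 ip access-group BLOCK-TO-MGMT in
!
! Checks
! show port-security interface Gi0/1   -> mode, max, sticky count, violation count
! show spanning-tree summary           -> PortFast default and BPDU guard status
! show interfaces status err-disabled  -> which ports tripped and why
! show ip access-lists BLOCK-TO-MGMT   -> hit counts on the deny line
```

Three caveats a practitioner would want. Sticky addresses land in the running config only, so `write memory` after the lobby PC has been seen, or the binding is lost on reload. The ACL is stateless: a session opened from VLAN 100 towards a desktop will have its replies dropped; if that matters, add `permit tcp any 10.0.100.0 0.0.0.255 established` above the deny. And the ACL only sees traffic that is routed on SW-A/SW-B; a host that gets itself into VLAN 100 at Layer 2 bypasses it entirely, which is what the static access mode, DTP off and BPDU guard on the host ports are there to prevent.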


High Availability

This network requires a strong level of uptime and the time has come to implement some HA technologies.

  • You are to use a proprietary standby protocol
  • SW-A and SW-B will be supporting each other in a HA setup. Virtual IP addresses are to be 10.0.x.1/24 of each VLAN.
  • Group Numbers should represent VLAN numbers
  • Follow good design principles when implementing HA; think about where the L2 STP roots are placed.
  • If SW-A is active, SW-B should be standby, and vice versa.
  • Ensure that if a switch goes down and comes back up, it regains its active status.
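The HA requirements as an added example using HSRP (the proprietary choice), not the author's configuration. VLANs 10 and 30 are shown in full and the others follow the same pattern; the key string is a placeholder, and the VLAN 100 gateway assumes the management subnet is 10.0.100.0/24 with a Vlan100 SVI on both switches. Priorities mirror the STP placement so the active gateway for a VLAN sits on that VLAN's root bridge, and preemption is what makes a recovered switch take the active role back.

```cisco
! SW-A: active for 10, 20 and 100 (priority 110), standby for 30, 40 and 50
! (default priority 100). Group number = VLAN number.
interface Vlan10
 standby 10 ip 10.0.10.1
 standby 10 priority 110
 standby 10 preempt delay minimum 60
 standby 10 authentication md5 key-string Ch4ngeMe-HSRP
interface Vlan30
 standby 30 ip 10.0.30.1
 standby 30 preempt delay minimum 60
 standby 30 authentication md5 key-string Ch4ngeMe-HSRP
!
! SW-B: the mirror image
interface Vlan10
 standby 10 ip 10.0.10.1
 standby 10 preempt delay minimum 60
 standby 10 authentication md5 key-string Ch4ngeMe-HSRP
interface Vlan30
 standby 30 ip 10.0.30.1
 standby 30 priority 110
 standby 30 preempt delay minimum 60
 standby 30 authentication md5 key-string Ch4ngeMe-HSRP
!
! Repeat for VLANs 20 and 100 (SW-A priority 110) and 40 and 50 (SW-B priority 110),
! always with the same virtual IP 10.0.x.1 on both switches.
!
! Checks
! show standby brief   -> P flag (preempt) on every group; Active/Standby matches the STP roots
! show standby vlan 10 -> "Authentication MD5, key-string" and the current state/priority
```

`preempt` alone satisfies the last requirement, but a rebooted switch becomes active the moment HSRP starts, before its uplinks and spanning tree have settled, so `delay minimum 60` holds it back. The MD5 key is not in the lab text but belongs in any HSRP deployment: HSRP hellos are multicast into the VLAN, and without authentication any device in that VLAN that sends hellos with a higher priority takes over as the gateway. Note that MD5 authenticates the hellos; it does not encrypt them.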

