Catalyst Ethernet Switch Setup I 5 Points

Configure the Ethernet switch for five VLANs:

■ VLAN 2, named VLAN_A, is connected to R1 and PIX inside.

■ VLAN 3, named VLAN_B, is connected to R4 and R5 Eth0/0.

■ VLAN 4, named VLAN_C, is connected to R5 FastEth0/1 (switch port Fast0/6).

■ VLAN 5, named VLAN_D, is connected to R2 and R3.

■ VLAN 6, named VLAN_E, is connected to the PIX outside interface and to the ISP managed router.

■ Ensure that the IDS is also in the correct VLANs for the sniffing and control interfaces.

Using VLAN_D (VLAN 5), configure the management interface sc0 with the address 144.254.4.3/26. Ensure that all devices in your network can ping the switch even if R2 or R3 is down.

Make sure the switch is configured in the VTP domain, SecCCIE.

The switch will never be permitted to create any more VLANS, so ensure that after you set up these VLANs, only a VTP server configuration change will allow VLAN additions to this switch.

Ensure that the only routers that can telnet to the switch are the loopback IP interfaces on R1 through R5 and the directly attached networks on R2 and R3.

Catalyst Ethernet Switch Setup I Solution

Creating VLANs on a Catalyst 3550 switch requires the VTP domain name to be set up first.

Example 8-13 configures the Catalyst 3550 in the VTP domain, SecCCIE, and in VTP server mode. The switch must be in server mode before new VLANs can be created on it.

Example 8-13 Enable VTP Domain Name and Server Mode

switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)#vtp domain SecCCIE
switch(config)#vtp mode ?
  client       Set the device to client mode.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.
switch(config)#vtp mode server

Now that the switch is enabled for VTP and VLAN creation, you can create the five VLANs. Example 8-14 configures the switch for the five VLANs in global configuration mode.

Example 8-14 VLAN Creation

switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)#vlan 2
switch(config-vlan)#name VLAN_A
switch(config-vlan)#vlan 3
switch(config-vlan)#name VLAN_B
switch(config-vlan)#vlan 4
switch(config-vlan)#name VLAN_C
switch(config-vlan)#vlan 5
switch(config-vlan)#name VLAN_D
switch(config-vlan)#vlan 6
switch(config-vlan)#name VLAN_E
switch(config-vlan)#exit
switch(config)#

After you create all the VLANs, you must disable VLAN creation by configuring the switch as a VTP client only. The central switch in the network (VTP server) creates and deletes VLANs, as required in the future.

Example 8-15 disables local VLAN creation on the Catalyst switch.

Example 8-15 VTP Client Setup

switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)#vtp domain SecCCIE
switch(config)#vtp mode ?
  client       Set the device to client mode.
  server       Set the device to server mode.
  transparent  Set the device to transparent mode.
switch(config)#vtp mode client

The Catalyst 3550 command, switchport, configures port assignments for each VLAN. Notice that each Fast Ethernet interface is given a description for completeness, which helps you to troubleshoot in the future.

Example 8-16 configures the VLAN assignment on the Ethernet switch.

Example 8-16 VLAN Port Assignment

interface FastEthernet0/1
 description connection to R1 Ethernet 0/0
! The following commands make the port a layer 2 port and assign it to VLAN 2
 switchport
 switchport access vlan 2
! The following command sets the port as an access port (layer 2)
 switchport mode access
interface FastEthernet0/2
 description connection to R2 Fast Ethernet 0/0
 switchport
 switchport access vlan 5
 switchport mode access
interface FastEthernet0/3
 description connection to R3 Fast Ethernet 0/0
 switchport
 switchport access vlan 5
 switchport mode access
interface FastEthernet0/4
 description connection to R4 Ethernet 0/0
 switchport
 switchport access vlan 3
 switchport mode access
interface FastEthernet0/5
 description connection to R5 Fast Ethernet 0/0
 switchport
 switchport access vlan 3
 switchport mode access
interface FastEthernet0/6
 description connection to R5 Ethernet 0/1
 switchport
 switchport access vlan 4
 switchport mode access
interface FastEthernet0/7
 description connection to PIX inside
 switchport
 switchport access vlan 2
 switchport mode access
interface FastEthernet0/8
 description connection to PIX outside
 switchport
 switchport access vlan 6
 switchport mode access
! Note: interfaces 9 and 10 are not used and are not shown here
interface FastEthernet0/11
 description connection to IDS control
 switchport
 switchport access vlan 3
 switchport mode access
interface FastEthernet0/12
 description connection to IDS sniffing
 switchport access vlan 2
 switchport mode access
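As an added example (not from the book), the following Python script audits port-to-VLAN assignments written in the Example 8-16 style against the VLAN plan from the task; a port landing in the wrong VLAN (the PIX inside port in VLAN_E, say) would bridge segments the PIX is meant to separate, so it is worth checking before the lab is signed off. The configuration text is a constructed three-port sample in that format.

```python
import re

# Constructed sample in the running-config style of Example 8-16 (three ports).
RUNNING_CONFIG = """\
interface FastEthernet0/1
 description connection to R1 Ethernet 0/0
 switchport access vlan 2
 switchport mode access
interface FastEthernet0/7
 description connection to PIX inside
 switchport access vlan 2
 switchport mode access
interface FastEthernet0/8
 description connection to PIX outside
 switchport access vlan 6
 switchport mode access
"""

# Required access VLAN per port, taken from the task bullets.
EXPECTED = {"FastEthernet0/1": 2, "FastEthernet0/7": 2, "FastEthernet0/8": 6}

def parse_ports(config):
    """Return {interface: {"vlan": int|None, "mode": str|None}} per stanza."""
    ports, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
            ports[cur] = {"vlan": None, "mode": None}
        elif cur and (m := re.match(r"\s+switchport access vlan (\d+)", line)):
            ports[cur]["vlan"] = int(m.group(1))
        elif cur and (m := re.match(r"\s+switchport mode (\S+)", line)):
            ports[cur]["mode"] = m.group(1)
    return ports

def audit(config, expected):
    """Findings: port missing, wrong access VLAN, or not an access port."""
    ports, findings = parse_ports(config), []
    for port, vlan in expected.items():
        p = ports.get(port)
        if p is None:
            findings.append(f"{port}: not configured")
        elif p["vlan"] != vlan:
            findings.append(f"{port}: access vlan {p['vlan']} (expected {vlan})")
        elif p["mode"] != "access":
            findings.append(f"{port}: mode {p['mode']} (expected access)")
    return findings

if __name__ == "__main__":
    print(audit(RUNNING_CONFIG, EXPECTED) or "all ports match the VLAN plan")
```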

Configure the management interface (VLAN 5) on the Catalyst switch. On a CatOS-based Catalyst, the command is:

set interface sc0 [vlan] [ip_addr [netmask [broadcast]]]

On the Catalyst 3550, the management interface is a VLAN interface (interface Vlan5). The configuration of the interface in VLAN_D (VLAN 5) is defined in Example 8-17.

Example 8-17 Defining the Management Interface

interface Vlan5
 ip address 144.254.4.3 255.255.255.192

Example 8-18 confirms the IP address assignment and correct VLAN to all interfaces. Notice the 12 Fast Ethernet ports and two Gigabit interfaces.

Example 8-18 show interface Command on the Ethernet Switch

Switch1#show ip interface brief
Interface            IP-Address      OK? Method Status                Protocol
Vlan1                unassigned      YES unset  administratively down down
Vlan5                144.254.4.3     YES manual up                    up
FastEthernet0/1      unassigned      YES unset  up                    up
FastEthernet0/2      unassigned      YES unset  up                    up
FastEthernet0/3      unassigned      YES unset  up                    up
FastEthernet0/4      unassigned      YES unset  up                    up
FastEthernet0/5      unassigned      YES unset  up                    up
FastEthernet0/6      unassigned      YES unset  up                    up
FastEthernet0/7      unassigned      YES unset  up                    up
FastEthernet0/8      unassigned      YES unset  up                    up
FastEthernet0/9      unassigned      YES unset  down                  down
FastEthernet0/10     unassigned      YES unset  down                  down
FastEthernet0/11     unassigned      YES unset  up                    up
FastEthernet0/12     unassigned      YES unset  up                    up
GigabitEthernet0/1   unassigned      YES unset  down                  down
GigabitEthernet0/2   unassigned      YES unset  down                  down

Example 8-18 also confirms connectivity to all the routers, PIX, and IDS server as the line protocol state for those interfaces is UP.

You can ping the management interface (VLAN 5) and the local routers (R2/R3) to ensure connectivity to the rest of the network; you must also enable a default route. The Catalyst switch on VLAN_D is connected to R2 and R3, so you can provide two default gateways, one through R2 and another through R3; in case of network failure, the switch will still be managed either by R2 or R3.

Example 8-19 configures default gateways pointing to the R2 and R3 Ethernet addresses and also displays a successful ping request to R2 and R3.

Example 8-19 Default Gateway Configuration and Ping Request

! preferred default route (administrative distance 1)
ip route 0.0.0.0 0.0.0.0 144.254.4.2
! backup (floating) default route, administrative distance 100
ip route 0.0.0.0 0.0.0.0 144.254.4.1 100

Example 8-20 confirms the default routes (via the preferred route of 144.254.4.2) with the Catalyst command show ip route.

Example 8-20 show ip route on the Catalyst Switch

Switch1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 144.254.4.2 to network 0.0.0.0

     144.254.0.0/24 is subnetted, 1 subnets
C       144.254.5.0 is directly connected, Vlan5
S*   0.0.0.0/0 [1/0] via 144.254.4.2

Notice in Example 8-20 that only the active default route (via 144.254.4.2) is listed. The floating static route via 144.254.4.1 carries an administrative distance of 100, so it is installed in the routing table only if the preferred route is withdrawn.

The final configuration request is to permit only the VLAN_D users and the assigned loopbacks on R1 through R5. To complete this on a Catalyst switch, you need to enable a vty line access inbound list, which defines what IP addresses are permitted access to the management interface via the vty lines.

Example 8-21 displays the configuration required to ensure that only the loopbacks from R1-R5 are permitted access.

Example 8-21 Vty Access List Inbound

access-list 5 permit 144.254.151.1
access-list 5 permit 144.254.152.2
access-list 5 permit 144.254.153.3
access-list 5 permit 144.254.154.4
access-list 5 permit 144.254.155.5
! Vlan D users (144.254.4.0/26, wildcard mask 0.0.0.63)
access-list 5 permit 144.254.4.0 0.0.0.63
line vty 0 4
 access-class 5 in
 password cisco
 login
line vty 5 15
 access-class 5 in
 password cisco
 login

Example 8-21 configures access list 5 so that the only permitted source IP addresses are the loopbacks of routers R1-R5 and the VLAN_D subnet.
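The following Python, added here and not part of the book, evaluates a standard access list with Cisco wildcard-mask semantics (top-down, first match, implicit deny) so you can verify what an Example 8-21 style list actually admits before applying it to the vty lines. The VLAN_D /26 needs wildcard 0.0.0.63; for contrast the script also evaluates the one-bit slip 0.0.0.64. The list entries are constructed from the example, with only two of the loopback entries included.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco standard-ACL semantics: wildcard bits set to 1 are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = 0xFFFFFFFF ^ w          # bits that must match exactly
    return (a & keep) == (b & keep)

def acl_permits(acl, src):
    """Evaluate (action, base, wildcard) entries top-down; implicit deny at the end."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action == "permit"
    return False

def acl_from_config(text):
    """Parse 'access-list N permit A.B.C.D [wildcard]' lines; a bare host means 0.0.0.0."""
    acl = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "access-list":
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
            acl.append((parts[2], parts[3], wildcard))
    return acl

# Constructed from Example 8-21: two loopback entries plus the VLAN_D entry.
ACL_WILDCARD_64 = """\
access-list 5 permit 144.254.151.1
access-list 5 permit 144.254.152.2
access-list 5 permit 144.254.4.0 0.0.0.64
"""
ACL_WILDCARD_63 = ACL_WILDCARD_64.replace("0.0.0.64", "0.0.0.63")

def vlan_d_coverage(acl_text):
    """How many of the 62 usable VLAN_D hosts (144.254.4.1-.62) the list permits."""
    acl = acl_from_config(acl_text)
    net = ipaddress.IPv4Network("144.254.4.0/26")
    return sum(acl_permits(acl, str(h)) for h in net.hosts())

if __name__ == "__main__":
    print("wildcard 0.0.0.63 permits", vlan_d_coverage(ACL_WILDCARD_63), "VLAN_D hosts")
    print("wildcard 0.0.0.64 permits", vlan_d_coverage(ACL_WILDCARD_64), "VLAN_D hosts")
```

With 0.0.0.64 only bit 6 of the last octet is ignored, so 144.254.4.0 and 144.254.4.64 match and every usable VLAN_D host is locked out of the vty lines.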

Example 8-22 confirms the permitted networks and hosts with the Catalyst command show ip permit.

Example 8-22 show ip permit Command

C5K> (enable) show ip permit
IP permit list feature enabled.

Permit List          Mask
144.254.4.0          255.255.255.192
144.254.151.1
144.254.152.1
144.254.153.1
144.254.154.1
144.254.155.1

Denied IP Address    Last Accessed Time    Type
144.254.2.1          09/30/02,15:13:44     Telnet
C5K> (enable)

The default mask on the loopback is actually 255.255.255.255, but it is not displayed in Example 8-22.

Example 8-23 displays a successful telnet from R2 to the VLAN 5 management interface (the Catalyst sc0 interface). Notice the requirement to define the source interface as the R2 loopback address.

Example 8-23 Telnet to 144.254.4.3 or R3 from R2

R2#telnet 144.254.4.3 /source-interface loopback0
Trying 144.254.4.3 ... Open

password: cisco
switch1> quit

[Connection to 144.254.4.3 closed by foreign host]

Example 8-24 displays an unsuccessful telnet when the source interface is not defined on the Catalyst 3550.

Example 8-24 Denied Telnet to Catalyst 3550

R1#telnet 144.254.4.3

Access not permitted. Closing connection...

[Connection to 144.254.4.3 closed by foreign host]
