Configuring the Access Layer

Switchports on the Catalyst 5500 SW3 and interfaces on the Catalyst 4506 SW4 will be configured in VLANs to support access layer devices. Figure 7-10 shows the IP network numbers assigned to these VLANs.

Figure 7-10. Addition of Access Layer VLANs



Configuring the access layer begins with configuring ports on SW3 to be in VLAN 130. VLAN 130 is one of the access layer VLANs in the VLAN addressing scheme outlined in Table 7-1 earlier in this chapter. Remember that VLAN 130 was created on SW3 earlier, in the VTP configuration (refer to Example 7-3). In Example 7-37, module 4 on SW3 is a 24-port 10/100 Mb FastEthernet module, and all of its ports will be assigned to VLAN 130.

Example 7-37. Configuring Ports on SW3 as Members of VLAN 130

SW3> (enable) show mod 4
Mod Module-Name         Ports Module-Type           Model    Serial-Num Status
--- ------------------- ----- --------------------- --------- --------- -------
4                       24    10/100BaseTX Ethernet WS-X5224  009607843 ok

Mod MAC-Address(es)                        Hw     Fw         Sw
--- -------------------------------------- ------ ---------- -----------------
4   00-10-7b-78-57-00 to 00-10-7b-78-57-17 1.4    3.1(1)     4.5(5)
SW3> (enable)

SW3> (enable) set vlan 130 4/1-24
VLAN 130 modified.
VLAN 1 modified.
VLAN  Mod/Ports
---- -----------------------
130   4/1-24

SW3> (enable)


For these ports to be reachable from other networks, an SVI must be configured on the RSM for VLAN 130. The SVI for VLAN 130 is configured in Example 7-38. Remember that sc0 on the switch was already assigned to VLAN 130 with an IP address of 172.16.196.5/24 in Example 7-8, earlier in the chapter.

Example 7-38. Configuring a SVI for VLAN 130 on the RSM of SW3

RSM1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
RSM1(config)#int vlan130
RSM1(config-if)#ip address 172.16.196.1 255.255.255.0
RSM1(config-if)#end
RSM1#


In Example 7-39, the show interface vlan130 command is issued to confirm that the SVI is UP/UP, and a ping is issued from the SVI to the sc0 interface on the supervisor.

In Example 7-40, the interfaces on module 2 of SW4 are configured for VLAN 140. Module 2 on SW4 is a 48-port 10/100/1000BASE-TX module.

Example 7-39. Verifying the Status of the VLAN130 Interface and sc0

RSM1#show interface vlan130
Vlan130 is up, line protocol is up
  Hardware is Cat5k Virtual Ethernet, address is 0010.f6b3.4800 (bia 0010.f6b3.4800)
  Internet address is 172.16.196.1/24
(output truncated)

RSM1#ping 172.16.196.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.196.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/23/112 ms


Example 7-40. Configuring Ports 2/1-48 on SW4 for VLAN 140

SW4#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW4(config)#interface range gigabitethernet 2/1 - 48
SW4(config-if-range)#switchport mode access
SW4(config-if-range)#switchport access vlan 140
SW4(config-if-range)#end
SW4#

SW4#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
140  VLAN0140                         active    Gi2/1, Gi2/2, Gi2/3, Gi2/4
                                                Gi2/5, Gi2/6, Gi2/7, Gi2/8
                                                Gi2/9, Gi2/10, Gi2/11, Gi2/12
                                                Gi2/13, Gi2/14, Gi2/15, Gi2/16
                                                Gi2/17, Gi2/18, Gi2/19, Gi2/20
                                                Gi2/21, Gi2/22, Gi2/23, Gi2/24
                                                Gi2/25, Gi2/26, Gi2/27, Gi2/28
                                                Gi2/29, Gi2/30, Gi2/31, Gi2/32
                                                Gi2/33, Gi2/34, Gi2/35, Gi2/36
                                                Gi2/37, Gi2/38, Gi2/39, Gi2/40
                                                Gi2/41, Gi2/42, Gi2/43, Gi2/44
                                                Gi2/45, Gi2/46, Gi2/47, Gi2/48
!output truncated


The interface range command must be entered exactly as shown in Example 7-40, including the spaces, to be accepted. The output of the show vlan command shows ports 2/1 through 2/48 assigned successfully to VLAN 140.

Now that these ports have been assigned, an SVI must be created on SW4 so that VLAN 140 can be reached from other networks. The SVI for VLAN 140 on SW4 is created in Example 7-41.

Example 7-41. Configuration of a SVI on SW4 for VLAN 140

SW4#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW4(config)#interface VLAN140
SW4(config-if)#ip address 172.16.197.1 255.255.255.0
SW4(config-if)#no shutdown
SW4(config-if)#end
SW4#


In Example 7-42, the show interface vlan140 command is issued to confirm the SVI is UP/UP.

Example 7-42. Verifying the Status of the VLAN140 Interface

SW4#show interface vlan140
Vlan140 is up, line protocol is up
  Hardware is Ethernet SVI, address is 000b.fdd5.62bf (bia 000b.fdd5.62bf)
  Internet address is 172.16.197.1/24


Dynamic Routing

Now that the Layer 3 connections between the four switches are configured, the access layer VLANs created, and access ports assigned, a dynamic routing protocol is configured to allow connectivity between VLANs. In these examples, EIGRP is used as the dynamic routing protocol. EIGRP will be enabled on all four switches using Autonomous System (AS) 100, starting with SW1. Refer to the documentation on Cisco.com for more information about EIGRP and other dynamic routing protocols. Example 7-43 shows EIGRP being configured on SW1.

Example 7-43. EIGRP Configured on SW1

SW1(config)#router eigrp 100
SW1(config-router)#network 172.16.192.0 0.0.63.255
SW1(config-router)#end
SW1#show ip eigrp interfaces
IP-EIGRP interfaces for process 100

                    Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface    Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Gi1/1          0        0/0         0       0/10           0           0
Gi1/2          0        0/0         0       0/10           0           0
Fa10/23        0        0/0         0       0/10           0           0
Lo0            0        0/0         0       0/10           0           0
SW1#


The output of the show ip eigrp interfaces command in Example 7-43 indicates that the four interfaces configured on SW1 with IP addresses in the previous exercises are now part of EIGRP AS 100. The same commands are repeated on SW2 in Example 7-44, on SW3 in Example 7-45, and on SW4 in Example 7-46.

Example 7-44. EIGRP Configured on SW2

SW2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)#router eigrp 100
SW2(config-router)#network 172.16.192.0 0.0.63.255
SW2(config-router)#end
SW2#show ip eigrp interfaces
IP-EIGRP interfaces for process 100

                    Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface    Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Gi1/1          1        0/0      1044       0/10        5216           0
Gi1/2          0        0/0         0       0/10           0           0
Fa3/37         0        0/0         0       0/10           0           0
Lo0            0        0/0         0       0/10           0           0
SW2#


Example 7-45. EIGRP Configured on the RSM of SW3

RSM1(config)#router eigrp 100
RSM1(config-router)#network 172.16.192.0 0.0.63.255
RSM1(config-router)#end
RSM1#show ip eigrp interfaces
IP-EIGRP interfaces for process 100

                    Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface    Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Vl130          0        0/0         0       0/10           0           0
Vl901          1        0/0       726       0/10        3632           0
Vl902          1        0/0       752       0/10        3760           0
Lo0            0        0/0         0       0/10           0           0
RSM1#


Example 7-46. EIGRP Configured on SW4

SW4#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW4(config)#router eigrp 100
SW4(config-router)#network 172.16.192.0 0.0.63.255
SW4(config-router)#end
SW4#show ip eigrp interfaces
IP-EIGRP interfaces for process 100

                    Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface    Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Vl140          0        0/0         0       0/10           0           0
Gi1/1          1        0/0         0       0/10           0           0
Gi1/2          1        0/0         0       0/10           0           0
Lo0            0        0/0         0       0/10           0           0
SW4#
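To make the effect of that network statement concrete, here is an added Python example (not code from the book) that applies the wildcard mask 0.0.63.255 from Examples 7-43 through 7-46 to a set of interface addresses and lists which interfaces the EIGRP process will claim. The /30 host addresses for SW1 are inferred from the connected subnets and next hops in Example 7-47, and the Vlan999 address is constructed; both are assumptions.

```python
import ipaddress

# EIGRP network statement applied on all four switches (Examples 7-43 to 7-46)
EIGRP_NETWORK = "172.16.192.0"
EIGRP_WILDCARD = "0.0.63.255"

# Assumed SW1 interface addresses: the /30 host addresses are inferred from the
# connected subnets and next hops in Example 7-47, Loopback0 is stated there,
# and Vlan999 is a constructed address that lies outside the statement.
SW1_INTERFACES = {
    "GigabitEthernet1/1": "172.16.240.17",
    "GigabitEthernet1/2": "172.16.240.5",
    "FastEthernet10/23": "172.16.240.14",
    "Loopback0": "172.16.224.1",
    "Vlan999": "172.16.130.1",
}


def _wildcard_to_mask(wildcard: str) -> int:
    """Invert a wildcard mask (1 bits = don't care) into a subnet-mask integer."""
    return (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF


def network_statement_covers(addr: str, network: str = EIGRP_NETWORK,
                             wildcard: str = EIGRP_WILDCARD) -> bool:
    """True if addr matches the statement: every bit where the wildcard is 0
    must equal the corresponding bit of the network address."""
    mask = _wildcard_to_mask(wildcard)
    return (int(ipaddress.IPv4Address(addr)) & mask) == \
           (int(ipaddress.IPv4Address(network)) & mask)


def covered_range(network: str = EIGRP_NETWORK,
                  wildcard: str = EIGRP_WILDCARD) -> ipaddress.IPv4Network:
    """Express a contiguous wildcard mask as the CIDR block it matches."""
    bits = format(_wildcard_to_mask(wildcard), "032b")
    if "01" in bits:  # a 1 after a 0 means the wildcard bits are not contiguous
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{network}/{bits.count('1')}", strict=False)


def eigrp_enabled_interfaces(interfaces: dict, network: str = EIGRP_NETWORK,
                             wildcard: str = EIGRP_WILDCARD) -> list:
    """Interfaces whose address falls inside the statement, i.e. the ones that
    show up in 'show ip eigrp interfaces' and send hellos."""
    return sorted(name for name, addr in interfaces.items()
                  if network_statement_covers(addr, network, wildcard))


if __name__ == "__main__":
    print(f"network {EIGRP_NETWORK} {EIGRP_WILDCARD} covers {covered_range()}")
    print("EIGRP runs on:", eigrp_enabled_interfaces(SW1_INTERFACES))
```

Any interface whose address lands in the covered range, including the access layer SVIs Vl130 and Vl140 seen in Examples 7-45 and 7-46, will send EIGRP hellos, which is worth knowing when deciding where the process should be running.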


Now that dynamic routing for network 172.16.192.0 and its subnets has been configured on all four switches, a look at the routing table of SW1 in Example 7-47 shows that the networks for the access layer VLANs (172.16.196.0 and 172.16.197.0) are now reachable via the uplinks to those switches.

Example 7-47. Output of show ip route on SW1

SW1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

     172.16.0.0/16 is variably subnetted, 11 subnets, 3 masks
C       172.16.240.12/30 is directly connected, FastEthernet10/23
D       172.16.240.8/30
           [90/28416] via 172.16.240.6, 00:03:08, GigabitEthernet1/2
C       172.16.240.4/30 is directly connected, GigabitEthernet1/2
D       172.16.240.20/30
           [90/3072] via 172.16.240.6, 00:03:11, GigabitEthernet1/2
           [90/3072] via 172.16.240.18, 00:03:11, GigabitEthernet1/1
D       172.16.225.1/32
           [90/130816] via 172.16.240.6, 00:03:08, GigabitEthernet1/2
C       172.16.240.16/30 is directly connected, GigabitEthernet1/1
C       172.16.224.1/32 is directly connected, Loopback0
D       172.16.227.1/32
           [90/130816] via 172.16.240.18, 00:03:11, GigabitEthernet1/1
D       172.16.226.1/32
           [90/156160] via 172.16.240.13, 00:06:00, FastEthernet10/23
D       172.16.196.0/24
           [90/30720] via 172.16.240.13, 00:06:00, FastEthernet10/23
D       172.16.197.0/24
           [90/3072] via 172.16.240.18, 00:03:12, GigabitEthernet1/1
C    127.0.0.0/8 is directly connected, EOBC0/0
SW1#
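As an added example that is not part of the book, the following Python parser reads show ip route output in the format of Example 7-47 and confirms the statement above, that 172.16.196.0/24 and 172.16.197.0/24 are learned through the uplinks. The sample text is a trimmed copy of that output, and the parser also keeps both next hops of an equal-cost entry such as 172.16.240.20/30.

```python
import re
from typing import Dict, List, NamedTuple, Optional


class Path(NamedTuple):
    code: str                # route source from the legend, e.g. C or D
    via: Optional[str]       # next-hop address, None for connected routes
    interface: str           # outgoing interface
    metric: Optional[int]    # EIGRP composite metric, None for connected routes


# Trimmed copy of the SW1 routing table shown in Example 7-47
SHOW_IP_ROUTE = """\
Gateway of last resort is not set

     172.16.0.0/16 is variably subnetted, 11 subnets, 3 masks
C       172.16.240.12/30 is directly connected, FastEthernet10/23
D       172.16.240.20/30
           [90/3072] via 172.16.240.6, 00:03:11, GigabitEthernet1/2
           [90/3072] via 172.16.240.18, 00:03:11, GigabitEthernet1/1
C       172.16.224.1/32 is directly connected, Loopback0
D       172.16.196.0/24
           [90/30720] via 172.16.240.13, 00:06:00, FastEthernet10/23
D       172.16.197.0/24
           [90/3072] via 172.16.240.18, 00:03:12, GigabitEthernet1/1
C    127.0.0.0/8 is directly connected, EOBC0/0
"""

# A prefix line starts with the route code in column 1; its path may sit on
# the same line or, for long prefixes, on the indented lines that follow.
PREFIX_RE = re.compile(r"^(?P<code>[A-Za-z*]\S*(?: [A-Z0-9]{1,2})?)\s+"
                       r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})(?P<rest>.*)$")
CONNECTED_RE = re.compile(r"is directly connected, (\S+)")
PATH_RE = re.compile(r"\[(\d+)/(\d+)\] via (\d{1,3}(?:\.\d{1,3}){3}), \S+, (\S+)")


def parse_show_ip_route(text: str) -> Dict[str, List[Path]]:
    """Map each prefix to its paths (more than one for equal-cost routes)."""
    routes: Dict[str, List[Path]] = {}
    code = prefix = None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            code, prefix = m.group("code"), m.group("prefix")
            routes[prefix] = []
            line = m.group("rest")
        elif prefix is None or not line.startswith(" "):
            continue  # legend, summary and blank lines carry no path
        conn = CONNECTED_RE.search(line)
        if conn:
            routes[prefix].append(Path(code, None, conn.group(1), None))
        for _ad, metric, via, intf in PATH_RE.findall(line):
            routes[prefix].append(Path(code, via, intf, int(metric)))
    return routes


def next_hops(routes: Dict[str, List[Path]], prefix: str) -> List[str]:
    """Next-hop addresses for a prefix; empty if it is absent from the table."""
    return [p.via for p in routes.get(prefix, []) if p.via]
```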


Channeling and Trunking

All the configuration examples thus far have assumed it is possible to restrict a VLAN to a single switch. Although this is the cleanest and simplest configuration, it is not always possible. Many times, connections between access layer and distribution layer switches are Layer 2, and VLANs must span many switches because of application or administrative requirements. Chapter 11, "Design and Implementation Best Practices," discusses additional design options and considerations.

In Figure 7-11, a requirement for two additional VLANs with ports on both SW1 and SW2 is introduced. VLANs 401 and 402 are used for the exercises. VLANs 401 and 402 have been created on SW1 and SW2 using the same procedures as in Examples 7-1 through 7-4. While the Gigabit connection between SW1 and SW2 could be converted to a trunk to carry these additional VLANs, some unused FastEthernet ports will be configured in a channel to carry only these new VLANs and VLAN 1.

Figure 7-11. Addition of VLANs 401 and 402



Configuration begins with creating the channel group on SW1, as shown in Example 7-48.

Example 7-48. Creating the Channel Group on SW1

SW1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#interface range fastEthernet 10/11 - 14
SW1(config-if-range)#no ip address
SW1(config-if-range)#switchport
SW1(config-if-range)#switchport trunk encapsulation dot1q
SW1(config-if-range)#switchport mode trunk
SW1(config-if-range)#switchport mode dynamic desirable
SW1(config-if-range)#switchport trunk allowed vlan remove 2-400,403-1005
SW1(config-if-range)#channel-group 1 mode desirable
SW1(config-if-range)#no shutdown
SW1(config-if-range)#end
SW1#


The channel is completed by configuring the other side on SW2, as shown in Example 7-49.

Example 7-49. Creating the Channel Group on SW2

SW2(config)#interface range fastEthernet 3/11 - 14
SW2(config-if-range)#no ip address
SW2(config-if-range)#switchport
SW2(config-if-range)#switchport trunk encapsulation dot1q
SW2(config-if-range)#switchport mode trunk
SW2(config-if-range)#switchport mode dynamic desirable
SW2(config-if-range)#switchport trunk allowed vlan remove 2-400,403-1005
SW2(config-if-range)#channel-group 1 mode desirable
Creating a port-channel interface Port-channel1
SW2(config-if-range)#no shutdown
SW2(config-if-range)#end
SW2#


Issuing a show run interface fastEthernet 3/11 command displays the configuration of one of the ports in the channel (see Example 7-50).

Example 7-50. Verifying the Configuration on SW2

SW2#show run interface fastEthernet 3/11
Building configuration...

Current configuration : 182 bytes
!
interface FastEthernet3/11
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,401,402
 channel-group 1 mode desirable
end


The operation of the new channel group can be verified by issuing a show interfaces port-channel 1 command. The operation of the trunk can be verified by issuing the show interfaces trunk command, as shown in Example 7-51.

Example 7-51. Output of the show interfaces port-channel and show interfaces trunk Commands on SW1

SW1#show interfaces port-channel 1
Port-channel1 is up, line protocol is up
  Hardware is EtherChannel, address is 0009.1267.9ffa (bia 0009.1267.9ffa)
  MTU 1500 bytes, BW 400000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Full-duplex, 100Mb/s
  Members in this channel: Fa10/11 Fa10/12 Fa10/13 Fa10/14
!output truncated

SW1#show interfaces trunk

Port      Mode         Encapsulation  Status        Native vlan
Po1       desirable    802.1q         trunking      1

Port      Vlans allowed on trunk
Po1       1,401-402

Port      Vlans allowed and active in management domain
Po1       1,401-402

Port      Vlans in spanning tree forwarding state and not pruned
Po1       1,401-402
SW1#


The bandwidth reported on the channel is 400000 Kbit, and the members of the channel are listed in the output.

Configuring UniDirectional Link Detection

One best practice to follow when configuring a network like the one used in this chapter is to configure UniDirectional Link Detection (UDLD) in Aggressive mode. UDLD is designed to mitigate certain fault conditions on fiber and copper Ethernet interfaces: it shuts down miswired ports or unidirectional links by putting the port in an errDisabled state. UDLD is a Layer 2 protocol and, when run in combination with Layer 1 autonegotiation mechanisms, can validate the physical (Layer 1) and logical (Layer 2) integrity of a link. UDLD accomplishes this by learning about neighbors and keeping neighbor status in a cache; neighbors are learned through the UDLD echo or hello messages each side sends.

The UDLD Aggressive feature provides additional protection against unidirectional link conditions in certain situations, and attempts to re-establish a connection with the neighbor when a failure is detected. UDLD Aggressive works by detecting when one side of a link remains up while the other side of the link has gone down, and after eight failed retries, transitions the port to an errDisabled state and generates a syslog message.

Cisco recommends configuring UDLD in Aggressive mode on point-to-point FastEthernet/GigabitEthernet links between Cisco switches, and setting the message interval to 15 seconds. UDLD is globally disabled by default and can be enabled globally or on a port-by-port basis. In the examples in this section, UDLD Aggressive should be configured on all the links between switches. An example of this configuration on a per-port basis is shown in Example 7-52 using SW1 and SW2.

Example 7-52. Enabling Aggressive UDLD on SW1 and SW2

SW1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#interface range gigabitethernet 1/1 - 2
SW1(config-if-range)#udld enable
SW1(config-if-range)#udld aggressive
SW1(config-if-range)#end

SW2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW2(config)#interface range gigabitethernet 1/1 - 2
SW2(config-if-range)#udld enable
SW2(config-if-range)#udld aggressive
SW2(config-if-range)#end
SW2#


The output of the show udld command on SW1 shows the status of the UDLD configuration. In the output in Example 7-53, SW1 detects SW2 as a UDLD neighbor on GigabitEthernet1/2, because both SW1 and SW2 have been configured, but does not detect SW4 on GigabitEthernet1/1 because SW4 has yet to be configured.

Example 7-53. Output of show udld Command on SW1

SW1#show udld

Interface Gi1/1
---
Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Unknown
Current operational state: Advertisement
Message interval: 7
Time out interval: 5
No neighbor cache information stored

Interface Gi1/2
---
Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 60
Time out interval: 5

    Entry 1
    ---
    Expiration time: 168
    Device ID: 1
    Current neighbor state: Bidirectional
    Device name: SAD04281ARM
    Port ID: Gi1/1
    Neighbor echo 1 device: SAD050814BH
    Neighbor echo 1 port: Gi1/2

    Message interval: 5
    CDP Device name: SW2


Portfast and BPDU Guard

You can find a detailed discussion of portfast and BPDU Guard in Chapter 10, "Implementing and Tuning Spanning Tree," but the configuration of the access layer ports in this chapter's examples would not be complete without enabling portfast and BPDU Guard.

Portfast is a feature that bypasses the normal spanning-tree operation of listening and learning and places a port immediately into forwarding when a port is connected. Portfast should only be used on ports connecting to end-station devices such as workstations and servers. Portfast is disabled by default and is enabled on a port-by-port basis.

The addition of BPDU Guard as an additional protection allows the switch to place any port configured with portfast into an errDisabled state if a BPDU is received on that port. Because ports 2/1 through 2/48 on SW4 were configured for access layer devices in VLAN 140 in Example 7-40 earlier in the chapter, those ports will have portfast and BPDU Guard enabled as follows in Example 7-54.

Example 7-54. Enabling Portfast and BPDU Guard on SW4

SW4#config t
Enter configuration commands, one per line.  End with CNTL/Z.
SW4(config)#interface range gigabitethernet 2/1 - 48
SW4(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface  when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION
%Portfast will be configured in 48 interfaces due to the range command
 but will only have effect when the interfaces are in a non-trunking mode.

SW4(config-if-range)#spanning-tree bpduguard enable
SW4(config-if-range)#end
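Because the settings this chapter applies to inter-switch links and access ports are spread over Examples 7-50, 7-52 and 7-54, here is an added Python audit (not from the book) that reads a running-config excerpt and reports interfaces missing UDLD aggressive on inter-switch links, a restricted allowed-VLAN list on trunks, or portfast and BPDU Guard on access ports. The excerpt is constructed for a hypothetical switch from those examples, with three interfaces deliberately left non-compliant.

```python
# Constructed excerpt modelled on Examples 7-50, 7-52 and 7-54; Gi1/2, Fa3/12 and Gi2/2 are deliberately non-compliant.
RUNNING_CONFIG = """\
interface GigabitEthernet1/2
 ip address 172.16.240.5 255.255.255.252
!
interface FastEthernet3/11
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,401,402
 udld aggressive
!
interface FastEthernet3/12
 switchport trunk encapsulation dot1q
 udld aggressive
!
interface GigabitEthernet2/1
 switchport access vlan 140
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet2/2
 switchport access vlan 140
 switchport mode access
 spanning-tree portfast
!
"""


def parse_interfaces(config):
    """Split a running-config into {interface name: [its indented lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return blocks


def audit(config):
    """Return {interface: [findings]} for ports that lack the chapter's settings."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        issues = []
        trunk = any(l.startswith("switchport trunk") for l in lines)
        if "switchport mode access" in lines:
            for needed in ("spanning-tree portfast", "spanning-tree bpduguard enable"):
                if needed not in lines:
                    issues.append(f"{needed} missing")
        elif trunk or any(l.startswith("ip address ") for l in lines):
            if "udld aggressive" not in lines:
                issues.append("udld aggressive missing on inter-switch link")
            if trunk and not any(l.startswith("switchport trunk allowed vlan ") for l in lines):
                issues.append("trunk allows all VLANs")
        if issues:
            findings[name] = issues
    return findings
```

The checks match the full command strings as IOS writes them to the running-config, so feed it show running-config output rather than typed abbreviations.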