6. Link Aggregation (802.3ad, now 802.1AX, describes LACP - the Link Aggregation Control Protocol)
Link aggregation is used to connect one switch to another with more than just one link. This is useful for redundancy and to get more bandwidth for the uplink.
First of all you need to know that you should never connect two switches to each other with more than one cable unless you have configured spanning tree or link aggregation.
If you do so without one of these features (there are even more you can configure, like the HP mesh) you will cause a broadcast storm.
The broadcast storm will cause a total outage of your network. This is called a network loop and can be achieved with only one switch:
just plug both ends of a network cable into the same switch and that's all. To be sure this is not happening (just imagine an employee who doesn't like to see a cable hanging
around and plugs the other end into another network jack) you need to configure loop protection on all access/edge ports (this is the name of the ports which are used to connect
an end node like a client or a printer). Depending on the size of the network, a network loop will kill your complete network in less than 10 seconds.
OK, as I said you can get more bandwidth with link aggregation but you need to know one more thing. If you put two one-gigabit links into a link aggregation it does
not mean that you have a two-gigabit uplink. Switches do not balance by load. What they do is load sharing: every frame is assigned to a member link by hashing addresses from its
header (source MAC, source/destination MAC or source/destination IP, depending on vendor and configuration), so all frames of one conversation always stay on the same link and arrive in order.
Because the link is chosen from the addresses and not from how busy the links are, a single conversation can never use more than one gigabit, and if the hash gives many conversations
the same result (for example when all traffic comes from one router and therefore carries one source MAC) one link is saturated while the other one stays idle.
This is the configuration on an HP switch
(as I mentioned in the first part of this tutorial/guide, this feature is called a trunk in the HP world. Don't mix it up with the Cisco trunk, which is a VLAN-tagged link.)
Code:
hpswitch> enable
password manager:
hpswitch# configure terminal
hpswitch(config)# trunk 23,24 trk1 lacp
hpswitch(config)# write memory
What you need to do:
issue the trunk command with the following information:
- a list of ports that will be aggregated
- a name for the trunk
- the type of trunk (HP trunk or LACP).
If no type is entered, the trunk defaults to an HP trunk (static, without any protocol).
This is the configuration on a cisco switch:
Code:
ciscoswitch> enable
enable password:
ciscoswitch# configure terminal
ciscoswitch(config)# interface gigabitethernet 0/1
ciscoswitch(config-if)# channel-protocol lacp
ciscoswitch(config-if)# channel-group 1 mode active
ciscoswitch(config-if)# exit
ciscoswitch(config)# interface gigabitethernet 0/2
ciscoswitch(config-if)# channel-protocol lacp
ciscoswitch(config-if)# channel-group 1 mode active
ciscoswitch(config-if)# exit
ciscoswitch(config)# write memory
What you need to do:
enter the interface configuration context and
- define the protocol to be used
- enter a group number (all links in the same group are aggregated)
- enter a mode for your aggregation: active sends LACP packets on its own, passive only answers them, so at least one side of the link must be active (a complete list of all configuration tasks can be found - Here.)
With Cisco you can also choose how the traffic is shared over the member links (the command calls it load-balancing, but it is still sharing by hash, not balancing by load). The default is src-mac, which means every frame with the same source MAC address always takes the same link:
Code:
ciscoswitch#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
src-mac
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source MAC address
IPv4: Source MAC address
IPv6: Source MAC address
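To see what load sharing by hash does to real traffic patterns, here is an added example (my own Python, not code from the original post or from any vendor) that models a two-link aggregation. The hash (low-order bits of the XORed addresses) is a simplified stand-in and not Cisco's or HP's real algorithm; the MAC and IP addresses and frame counts are constructed. It shows the two things that matter: a single big conversation never uses more than one link, and with the default src-mac policy all routed traffic from one switch (one source MAC on the transfer VLAN) lands on one link.

```python
"""Load sharing on a 2-link aggregation: frames are hashed onto member links."""
from collections import Counter


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def ip_to_int(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def select_link(frame: dict, policy: str, nlinks: int = 2) -> int:
    """Return the member link index for one frame.
    Simplified stand-in for vendor hashing (an assumption, not any vendor's real
    algorithm): the policy picks which header fields feed the hash and the
    low-order bits of the result choose the link. Key property: the choice
    depends only on addresses, never on how busy the links are."""
    if policy == "src-mac":
        key = frame["src_mac"]
    elif policy == "src-dst-mac":
        key = frame["src_mac"] ^ frame["dst_mac"]
    elif policy == "src-dst-ip":
        key = frame["src_ip"] ^ frame["dst_ip"]
    else:
        raise ValueError(f"unknown policy {policy}")
    return key % nlinks


def distribute(frames, policy: str, nlinks: int = 2) -> Counter:
    """Bytes carried per member link for a list of frames under one policy."""
    load = Counter()
    for f in frames:
        load[select_link(f, policy, nlinks)] += f["bytes"]
    return load


def frame(src_mac, dst_mac, src_ip, dst_ip, nbytes=1500):
    return {"src_mac": mac_to_int(src_mac), "dst_mac": mac_to_int(dst_mac),
            "src_ip": ip_to_int(src_ip), "dst_ip": ip_to_int(dst_ip), "bytes": nbytes}


# Constructed traffic samples (not captured data).
def backup_flow():
    """One large conversation: a backup host copying to a NAS, 10 000 full frames."""
    return [frame("00:1b:21:aa:00:01", "00:1b:21:aa:00:02",
                  "10.10.1.100", "10.10.1.200") for _ in range(10_000)]


def routed_flows():
    """Ten sales clients behind the sales switch talking to DC servers.
    On the transfer VLAN every frame carries the switch's own MAC as source."""
    return [frame("00:1b:21:ee:00:03", "00:1b:21:aa:00:%02x" % (i % 4),
                  f"10.10.2.{i}", "10.10.1.100")
            for i in range(1, 11) for _ in range(100)]


if __name__ == "__main__":
    for policy in ("src-mac", "src-dst-mac", "src-dst-ip"):
        print(policy, "backup:", dict(distribute(backup_flow(), policy)),
              "routed:", dict(distribute(routed_flows(), policy)))
```

Run it and compare the byte counts per link: the backup flow sits on one link under every policy, and the routed traffic only spreads when the hash includes the IP addresses. That is why the sharing policy should be chosen to match the traffic that actually crosses the trunk, and why a trunk between two routers is usually no faster than one link.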
LACP - Link Aggregation Control Protocol
Because it is a widely used standard, static LACP is the preferred trunking method when the switch on the other side of the link supports LACP. However, HP Port Trunking can
be suitable for situations when the other switch does not support LACP or when its trunking support is unknown. Because it does not rely on a protocol, HP Port Trunking
often will interoperate with other trunking configurations.
The primary advantage of dynamic LACP is support for standby links, which means the trunk can be configured with links that will become active if other links in the trunk fail.
However, the implementation of dynamic LACP limits other configuration options for the ports in the aggregation. For instance, ports in a dynamic LACP trunk cannot be configured with
non-default Spanning Tree settings. The dynamic LACP trunk also cannot be configured for membership in static VLANs.
For further reading: Here.
Link Aggregation Support
Link aggregation support on switches varies among switch vendor, model and software version. The HP ProVision ASIC switches including 3500yl, 5400zl and 8200zl support 144 link
aggregations with eight ports each. You can assign more than these eight ports but only eight will be used for load sharing. The others become active if one of the eight fails.
7. Spanning Tree (the basics)
As I mentioned in the link aggregation part, it is easy to kill your complete network with a network loop. If you want to implement redundant links and you are not able to aggregate them,
you need another mechanism for that task. Imagine you have three switches. Each one is connected to each of the others with one link. Without the use of spanning tree, once again you build a network
loop.
    _________________________________________
   |                                         |
   |switch1|--------|switch2|--------|switch3|
Basically the classic spanning tree, which is STP (Spanning Tree Protocol, 802.1D) and RSTP (Rapid Spanning Tree Protocol, 802.1w), just blocks the redundant link which would cause a
network loop as long as the other two ports are active. If one of these ports fails then the blocked port becomes active. There are a few more spanning tree types like the open standard
MSTP (Multiple Spanning Tree Protocol, 802.1s) and the Cisco PVST (Per-VLAN Spanning Tree). The old STP is not used any more as it took 30 seconds or more to recalculate the spanning tree topology if a
link went down. This means that a part of the network was not reachable for that time. RSTP can accomplish this in less than 2 seconds (depending on the size of the network).
In this guide I will focus on the RSTP version as this is the most simple way of implementing spanning tree. I will say some words about MSTP but not in depth as this can get very complex.
I will start with the hp configuration example and explain the single steps afterwards.
Code:
hpswitch(config)# spanning-tree
turn on spanning tree globally on the switch
Code:
hpswitch(config)# spanning-tree force-version rstp-operation
set the protocol version to rapid spanning tree
Code:
hpswitch(config)# spanning-tree priority 1
set the priority for your switch. Every spanning tree instance needs a root bridge, and the root bridge decides which links get blocked. If you don't set the priorities accordingly, the switch with the lowest MAC address (at the default priority) becomes root, which may well be the oldest access switch in some closet.
On HP the bridge priority is entered as a step of 4096: priority 1 means 4096, 2 means 8192, ..., 8 means 32768 (the default). The lower the value, the more likely the switch becomes root.
Code:
hpswitch(config)# spanning-tree 1-22 auto-edge-port
define access/edge ports as auto-edge ports so they are not involved in the spanning tree topology. If one of these ports goes down, spanning tree will not recalculate its topology.
Code:
hpswitch(config)# no spanning-tree 23-24 auto-edge-port
set the uplinks port to no auto-edge-ports as they should be involved into the spanning tree topology.
Code:
hpswitch(config)# spanning-tree 1-22 bpdu-protection
define BPDU protection on the access/edge ports. If someone plugs a switch (or any device that sends BPDUs) into one of these ports, the port is disabled, so the foreign switch neither joins the topology nor can it claim the root role. Let's take a look at a comparable Cisco configuration.
Code:
ciscoswitch(config)# spanning-tree vlan 1-4094
turn on spanning tree for all VLANs on the switch -> it is on by default, so this is only needed if somebody switched it off
Code:
ciscoswitch(config)# spanning-tree mode rapid-pvst
set the protocol version to rapid spanning tree
Code:
ciscoswitch(config)# spanning-tree vlan 1-4094 priority 4096
set the priority for your switch. Every spanning tree instance needs a root bridge; the root bridge decides which links are blocked. If you don't set the priorities accordingly the switch with the lowest MAC address becomes root. On Cisco the priority is entered as the raw value, a multiple of 4096 between 0 and 61440 (default 32768), and with rapid-pvst it is set per VLAN. 4096 here is the same as priority 1 on the HP switch.
Code:
ciscoswitch(config)# spanning-tree portfast default
enable PortFast on all access (non-trunk) ports so that they are not involved in the spanning tree topology (comparable to auto-edge-port on HP)
Code:
ciscoswitch(config)# spanning-tree portfast bpduguard default
configure BPDU guard (BPDU protection) on all PortFast ports: a port that receives a BPDU is put into err-disabled state
Code:
ciscoswitch(config)# interface gigabitethernet0/23
ciscoswitch(config-if)# spanning-tree portfast disable
ciscoswitch(config-if)# exit
switch to an uplink port to involve it in the spanning tree topology and to turn off BPDU guard there (the bpduguard default setting only applies to PortFast ports). Repeat that for all uplink ports. That's all for this part. This is a very basic configuration but it will work and can be found in many smaller networks (up to 15 switches).
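Here is an added example (my own Python, not code from the original post) of how the root bridge is elected and which port ends up blocked in the three-switch triangle above, and what happens when a device with priority 0 is plugged into an edge port that has no BPDU protection. It is a simplified model of 802.1D: the lowest (priority, MAC) pair wins the root role, then root ports and designated ports are chosen by root path cost and bridge ID. The bridge names, MAC addresses and path costs are constructed.

```python
"""Simplified 802.1D/802.1w root election and port-role computation."""
import heapq
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # raw 802.1D value, 0..61440 in steps of 4096
    mac: str

    def bridge_id(self) -> Tuple[int, int]:
        """Bridge ID orders by priority first, then MAC; the lowest wins."""
        return (self.priority, int(self.mac.replace(":", ""), 16))


def hp_priority(step: int) -> int:
    """HP ProCurve 'spanning-tree priority N' takes a step 0..15 meaning N * 4096."""
    if not 0 <= step <= 15:
        raise ValueError("HP priority step must be 0..15")
    return step * 4096


def elect_root(bridges: Iterable[Bridge]) -> Bridge:
    return min(bridges, key=lambda b: b.bridge_id())


def port_roles(bridges: List[Bridge], links: List[Tuple[str, str, int]]):
    """links: (bridge_a, bridge_b, path cost). Returns (root name,
    {(bridge, neighbour): 'root' | 'designated' | 'alternate'});
    'alternate' is the port that stays blocked."""
    by_name = {b.name: b for b in bridges}
    root = elect_root(bridges)
    adj: Dict[str, Dict[str, int]] = {n: {} for n in by_name}
    for a, b, cost in links:
        adj[a][b] = cost
        adj[b][a] = cost
    # Root path cost for every bridge (Dijkstra from the root).
    inf = float("inf")
    rpc = {n: inf for n in by_name}
    rpc[root.name] = 0
    heap = [(0, root.name)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > rpc[node]:
            continue
        for nb, c in adj[node].items():
            if cost + c < rpc[nb]:
                rpc[nb] = cost + c
                heapq.heappush(heap, (cost + c, nb))
    # Root port: the neighbour giving the lowest (path cost, neighbour bridge ID).
    root_port = {}
    for n in by_name:
        if n != root.name and adj[n]:
            root_port[n] = min(adj[n], key=lambda nb: (rpc[nb] + adj[n][nb],
                                                      by_name[nb].bridge_id()))
    roles = {}
    for a, b, _ in links:
        # Designated end of a link: lower (root path cost, bridge ID).
        designated = min((a, b), key=lambda x: (rpc[x], by_name[x].bridge_id()))
        other = b if designated == a else a
        roles[(designated, other)] = "designated"
        roles[(other, designated)] = "root" if root_port.get(other) == designated else "alternate"
    return root.name, roles


def demo():
    """Constructed topology: three HP switches in a triangle, then a rogue
    device with priority 0 plugged into hpswitch3 without BPDU protection."""
    s1 = Bridge("hpswitch1", hp_priority(1), "00:11:22:33:44:01")  # intended root
    s2 = Bridge("hpswitch2", hp_priority(8), "00:11:22:33:44:02")  # 8 == default 32768
    s3 = Bridge("hpswitch3", hp_priority(8), "00:11:22:33:44:03")
    links = [("hpswitch1", "hpswitch2", 4), ("hpswitch2", "hpswitch3", 4),
             ("hpswitch1", "hpswitch3", 4)]   # cost 4 == 802.1D short value for 1 Gbit/s
    before = port_roles([s1, s2, s3], links)
    rogue = Bridge("rogue", 0, "00:00:00:00:00:aa")
    after = port_roles([s1, s2, s3, rogue], links + [("hpswitch3", "rogue", 4)])
    return before, after


if __name__ == "__main__":
    for root, roles in demo():
        print("root:", root, {k: v for k, v in roles.items() if v != "designated"})
```

With the priorities from the text, hpswitch1 is root and the port of hpswitch3 towards hpswitch2 is the one that gets blocked. Once the rogue bridge announces priority 0 it takes the root role, every uplink is recalculated around it and the hpswitch1-hpswitch2 link is blocked instead. That is exactly what bpdu-protection on the edge ports prevents.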
A much better way of implementing spanning tree is the Multiple Spanning Tree Protocol or Per-VLAN Spanning Tree (MSTP or PVST).
MSTP is an improvement on STP and RSTP. You can use different spanning trees for different VLANs. With STP and RSTP the redundant links are simply blocked.
With MSTP you can have a redundant link blocked for VLAN 5 but the same link open for VLAN 10. This means you have no dead links.
As with the sample above, this time I will only focus on the HP configuration, start with the example config and explain it afterwards.
If you are also interested in the Cisco configuration steps you can read this - Here.
Code:
hpswitch(config)# spanning-tree
turn on spanning tree globally on the switch
Code:
hpswitch(config)# spanning-tree force-version mstp-operation
set the protocol version to multiple spanning tree (this is the default on a ProCurve switch)
Code:
hpswitch(config)# spanning-tree config-name hp
Code:
hpswitch(config)# spanning-tree config-revision 1
Define an MST region identity (configuration name and revision) for the switch. Name, revision and the VLAN-to-instance mapping below must be identical on all switches that should form one MSTP region; a switch with a different value forms a region of its own.
Code:
hpswitch(config)# spanning-tree instance 1 vlan 10 30
Code:
hpswitch(config)# spanning-tree instance 2 vlan 20 40
Associate user vlans with MSTP instances. If you have two instances you should consider using different root bridges for each instance. The configuration for the root bridge on instance 1 can look like this:
Code:
hpswitch1(config)# spanning-tree instance 1 priority 1
Code:
hpswitch1(config)# spanning-tree instance 2 priority 2
The configuration for the other root bridge may look like this
Code:
hpswitch2(config)# spanning-tree instance 1 priority 2
Code:
hpswitch2(config)# spanning-tree instance 2 priority 1
In this example hpswitch1 is the root bridge for instance 1 and secondary root bridge for instance 2.
hpswitch2 is the root bridge for instance 2 and secondary root bridge for instance 1.
And thats all for the very basic configuration.
8. IP Routing (the basics)
OK, that's another topic which can fill books on its own. I will keep it as short as possible. For this I will only focus on static routing, and a little bit on RIPv2 and OSPF.
Imagine you have the following network with one router which is located in a transfer network. Every switch in the different departments is configured for IP routing and the IP of the switch
is the default gateway for the clients. Every switch has a VLAN for the clients and a transfer VLAN to the router. The transfer VLAN has an address range of 10.10.0.0/28 and the router's IP is
10.10.0.1
Department | Subnet | VLAN | Switch IP User vlan | Switch IP Transfer Network |
DataCenter | 10.10.1.0/24 | 5 | 10.10.1.1 | 10.10.0.2 |
Sales | 10.10.2.0/24 | 10 | 10.10.2.1 | 10.10.0.3 |
Marketing | 10.10.3.0/24 | 15 | 10.10.3.1 | 10.10.0.4 |
e.g. a client in the sales department has network configuration which looks like this:
IP: 10.10.2.10
Netmask: 255.255.255.0
Gateway: 10.10.2.1
        _______________|Router|___________________
       |                   |                      |
   |DCSwitch|--------|SalesSwitch|--------|MarketingSwitch|
Static Routing
What needs to be configured:
DCSwitch
Code:
dcswitch(config)# ip route 10.10.2.0 255.255.255.0 10.10.0.1
route to reach the sales department
Code:
dcswitch(config)# ip route 10.10.3.0 255.255.255.0 10.10.0.1
route to reach the marketing department
Code:
dcswitch(config)# ip route 0.0.0.0 0.0.0.0 10.10.0.1
can be used as an alternative to the single routes above: a default route means that all traffic for subnets the switch doesn't know is sent to the router. (Don't use ip default-gateway for this on a ProCurve switch; that setting is only used while IP routing is disabled.)
SalesSwitch
Code:
salesswitch(config)# ip route 10.10.1.0 255.255.255.0 10.10.0.1
route to reach the datacenter
Code:
salesswitch(config)# ip route 10.10.3.0 255.255.255.0 10.10.0.1
route to reach the marketing department
Code:
salesswitch(config)# ip route 0.0.0.0 0.0.0.0 10.10.0.1
can be used as an alternative, see above: a default route instead of the single routes.
MarketingSwitch
Code:
marketingswitch(config)# ip route 10.10.1.0 255.255.255.0 10.10.0.1
route to reach the datacenter
Code:
marketingswitch(config)# ip route 10.10.2.0 255.255.255.0 10.10.0.1
route to reach the sales department
Code:
marketingswitch(config)# ip route 0.0.0.0 0.0.0.0 10.10.0.1
can be used as an alternative, see above: a default route instead of the single routes.
Router
Code:
router(config)#ip route 10.10.1.0 255.255.255.0 10.10.0.2
all traffic for the Datacenter will be sent to the Datacenter Switch
Code:
router(config)#ip route 10.10.2.0 255.255.255.0 10.10.0.3
all traffic for the Sales Department will be sent to the Sales Switch
Code:
router(config)#ip route 10.10.3.0 255.255.255.0 10.10.0.4
all traffic for the marketing department will be sent to the marketing switch.
This maybe belongs to the design part but I think it also fits here. This routing concept is called "routing at the edge". The first L3 switch in the row routes all
traffic for its local subnets. If you combine this with RACLs (routed access control lists) you can stop unwanted traffic at the first L3 network device, before it has crossed a single uplink.
If you deploy a core router that does all the routing, a network packet traverses the complete network until it reaches the core or backbone and maybe gets dropped there.
e.g. you want the people from the sales department to reach a fileserver (10.10.1.100) in the datacenter but only by SMB (server message block, tcp/445).
Your ACL could look like this
Code:
salesswitch(config)# ip access-list extended "ACL_TRANSFER_TO_ROUTER"
salesswitch(config-ext-nacl)# 10 permit tcp 10.10.2.0 0.0.0.255 10.10.1.100 0.0.0.0 eq 445
salesswitch(config-ext-nacl)# 20 deny ip 10.10.2.0 0.0.0.255 10.10.1.100 0.0.0.0
Note: within ACLs the subnet mask needs to be inverted into a wildcard mask: 255.255.255.0 becomes 0.0.0.255, and a single host gets 0.0.0.0. Two more things to keep in mind: rules are checked in order and the first match wins, and every ACL ends with an implicit "deny any", so with only these two rules everything else from the sales subnet is blocked as well (add explicit permits for the traffic you want). The list also does nothing until it is applied to a VLAN with ip access-group (see the sample configuration at the end of this page).
This is a very simple example of access control lists. I will write a more in-depth tutorial about that in the future.
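To make the first-match and implicit-deny behaviour concrete, here is an added example (my own Python, not code from the original post) that parses rules in the syntax used on this page and evaluates sample packets against them. The sales ACL is the one from the text; the second list copies four rules (500, 510, 700 and 710) from the sample branch-office configuration at the end of this page. The packets are constructed.

```python
"""Evaluate HP-style extended ACL rules with wildcard masks against sample packets."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    seq: int
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp"
    src: int
    src_wild: int         # wildcard: 0 bits must match, 1 bits are don't-care
    dst: int
    dst_wild: int
    dport: Optional[int]  # from "eq <port>", or None


def addr(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_rule(line: str) -> Rule:
    """Parse one rule in the page's syntax:
    '<seq> <permit|deny> <proto> <src> <src-wild> <dst> <dst-wild> [eq <port>]'."""
    t = line.split()
    seq, action, proto = int(t[0]), t[1], t[2]
    src, src_wild, dst, dst_wild = (addr(x) for x in t[3:7])
    dport = int(t[8]) if len(t) >= 9 and t[7] == "eq" else None
    return Rule(seq, action, proto, src, src_wild, dst, dst_wild, dport)


def parse_acl(text: str) -> List[Rule]:
    return sorted((parse_rule(l) for l in text.splitlines() if l.strip()),
                  key=lambda r: r.seq)


def wildcard_match(a: int, base: int, wild: int) -> bool:
    # Bits that are 0 in the wildcard must be identical; 0.0.0.255 behaves like /24.
    return ((a ^ base) & ~wild & 0xFFFFFFFF) == 0


def evaluate(acl: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First matching rule wins. Returns (action, seq); seq None means the
    implicit 'deny any' that ends every ACL was hit."""
    s, d = addr(src), addr(dst)
    for r in acl:
        if r.proto != "ip" and r.proto != proto:
            continue
        if not (wildcard_match(s, r.src, r.src_wild) and wildcard_match(d, r.dst, r.dst_wild)):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.seq
    return "deny", None


# The two-line sales ACL from the text.
SALES_ACL = parse_acl("""
10 permit tcp 10.10.2.0 0.0.0.255 10.10.1.100 0.0.0.0 eq 445
20 deny ip 10.10.2.0 0.0.0.255 10.10.1.100 0.0.0.0
""")

# Guest-network rules plus the two catch-all rules, copied from the sample branch config.
GUEST_ACL = parse_acl("""
500 permit ip 10.10.4.0 0.0.0.255 10.132.72.240 0.0.0.0
510 deny ip 10.10.4.0 0.0.0.255 10.10.100.0 0.0.0.255
700 deny ip 10.10.0.0 0.0.7.255 10.128.0.0 0.7.255.255
710 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
""")

if __name__ == "__main__":
    print(evaluate(SALES_ACL, "tcp", "10.10.2.10", "10.10.1.100", 445))   # ('permit', 10)
    print(evaluate(SALES_ACL, "tcp", "10.10.2.10", "10.10.1.100", 3389))  # ('deny', 20)
    print(evaluate(SALES_ACL, "udp", "10.10.2.10", "10.10.3.50", 53))     # ('deny', None)
    print(evaluate(GUEST_ACL, "tcp", "10.10.4.20", "10.132.72.13", 443))  # ('deny', 700)
    print(evaluate(GUEST_ACL, "tcp", "10.10.4.20", "8.8.8.8", 443))        # ('permit', 710)
```

The third sales packet (DNS to the marketing subnet) is dropped by the implicit deny, not by any rule the author wrote; that is the trap with a short ACL. In the guest list, rule 700 with the wildcard 0.0.7.255 / 0.7.255.255 covers the whole 10.10.0.0/21 source block and the whole 10.128.0.0/13 datacenter block in one line, so even a guest address that no explicit deny mentions is kept away from the datacenter before rule 710 lets everything else through.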
OK, this is very simple but it gets more and more complex the larger the network grows. I am a great friend of static routing as you have complete control over which
subnet is able to reach which other. But if you have hundreds of subnets with a lot of routers and switches you may not want to configure all routes by hand.
This is when dynamic routing comes into play.
Dynamic Routing
Dynamic routing protocols enable routers to adjust automatically to changes in topology. With a dynamic routing protocol configured, if a router’s neighbor has failed, it will quickly
learn if other paths are available to the neighbor’s networks and update its route table accordingly.
RIP (Routing Information Protocol) and OSPF (Open Shortest Path First) comparison (mainly from HP training material... they can explain it much better than I can)
Distance Vector:
RIP
- Router sends periodic updates to neighbor routers
- Information about remote networks is passed from router to router based on each routers perspective
- Convergence can be slow
Link State:
OSPF
- Router reports to its neighbors the characteristics of its active connections to local networks
- Updates are flooded to all routers within administratively defined "area"
- A logical tree is built to calculate the shortest path to each address range
- Enables faster convergence, detection of alternate paths after link failure due to possession of first-hand information
Two types of standard interior gateway protocols are commonly used in IP networks:
1.Distance-vector protocols
Routers using these protocols integrate information into their route tables and resend the resulting entries, as modified from their own perspectives. RIP is a common
example of a distance-vector protocol.
2. Link-state protocols.
Routers using these protocols establish neighbor relationships with adjacent routers. Routers generate updates based on local information and send the updates to
neighbors, who then flood updates to all their neighbors. Ideally, within a few milliseconds, every router in an administratively defined area has identical information.
Each router builds a logical tree that then traces out the shortest path to each advertised destination, using itself as the root. As a result, every router has a
consistent picture of the network from its own perspective. OSPF is a common example of a link-state protocol
While RIP and other distance-vector protocols are easier to configure than link-state protocols, the distance-vector protocols have one serious disadvantage. Changes in
routing topology often propagate slowly because information in a router's table is acquired from other routers that may be as many as 15 hops away.
OSPF, like other link-state protocols, avoids the convergence issues of RIP by not relying on “second-hand” information. A router sends an advertisement when it recognizes a
link-state change. Along with the topology change, the update contains the attributes of all of the router’s currently active links. The router sends the advertisement to its immediate
neighbors, which are required by the protocol to immediately flood the advertisement to all of their neighbors.
Unlike RIP routers, OSPF routers do not increment the costs as they flood updates. In fact, an OSPF router is not permitted to make any changes to advertisements it receives
on one network before sending it out onto another network. As a result, all of the routers in the OSPF “area” have a consistent picture of the connections between all routers and
networks in the area. Each router builds a tree based on “first-hand” information that traces the shortest path
between itself and every router and network in the area. When a link state changes, the router recalculates the tree based on the new information. Ideally, less than a second
passes between the time the router advertises its new state and the time when all of the routers have found an alternate path, if one exists.
Ok... that's all I want to write about dynamic routing. As you know there are a lot more routing protocols and this is very complex.
I will write a more in-depth tutorial about dynamic routing with configuration examples in the future.
9. Something about network design
I will tell you some things you need to know if you are designing a network. Mostly you won't have the possibility to plan a complete building including cabling, network racks and network rooms.
Basically you will do a network redesign. The things I always need to know are the following (this is not a complete list):
- How is the cabling for switch interconnection (uplinks): fiber optic, copper, 10 Gigabit Ethernet (CX4)
- which network room has a direct connection to another one
- how far are the switches away from each other
- availability requirements
- can new cables be installed
- how deep are the racks (you may laugh but I once had a switch that did not fit into the rack)
- are there places with additional needs (maybe the human resources department needs extra protection)
and so on.
If new cables can be installed you should deploy as many redundant links as possible.
Keep in mind that different types of cables can bridge different distances:
copper (twisted pair): not more than 100 m
copper CX4: 15 m
fiber SX: up to 550 m
fiber LX: up to 10 km
These are not all types of cables. I just wanted to give an example.
You should consider installing a redundant backbone/core and connecting the two with a 10 gigabit link. You should use a router redundancy protocol like HSRP (Hot Standby Router Protocol)
or VRRP (Virtual Router Redundancy Protocol). In simple words: every switch has its own IP address. With a router redundancy protocol you assign a virtual IP address on top, with a virtual MAC
address. The primary router answers for this virtual IP address. If the primary router dies the second one takes over the virtual IP and MAC. You all know that you cannot configure a client with two gateway
IPs, so instead you just use the virtual one. The virtual IP address can also be used for monitoring whether a remote or branch office is reachable, as this is a highly available IP address.
Think about your spanning tree deployment as much as possible.
Use a protocol which has fewer dead links like MSTP or PVST. Your design must be very good. If there is a misconfiguration, troubleshooting can be very hard as the problems can be very strange.
If you need to mix different vendors read as many interoperability guides as possible. For example, if you have a Cisco network with PVST and a ProCurve network with MSTP you should always use
a PVST filter on the ports which connect to the Cisco world. Believe me... you won't see what's happening if you don't! :-)
OK.. I think this is enough. If anyone here needs to plan and implement a network, contact me anytime. I would love to discuss that :-)
Last but not least I decided to copy in a configuration I have done for a small branch office network which is connected to a datacenter. The network consists of 4 switches and this config is from one of the L3 switches (HP 3500yl). If you read both tutorials you should be able to understand most of it. In this config I changed IP addresses, hostnames and routes.
Code:
hostname "Switch1"
time timezone 60
time daylight-time-rule Western-Europe
console inactivity-timer 60
ip access-list extended "Transfer_to_DC_ACL"
10 deny tcp 10.10.0.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 3389
20 permit ip 10.10.0.0 0.0.0.255 10.10.100.0 0.0.0.255
30 permit ip 10.10.0.0 0.0.0.255 10.10.150.0 0.0.31.255
40 deny ip 10.10.0.0 0.0.0.255 10.10.200.0 0.0.0.15
50 deny ip 10.10.0.0 0.0.0.255 10.10.201.0 0.0.0.255
60 deny ip 10.10.0.0 0.0.0.255 10.10.202.0 0.0.0.255
70 deny ip 10.10.0.0 0.0.0.255 10.10.203.0 0.0.0.255
80 deny tcp 10.10.0.0 0.0.0.255 10.10.204.0 0.0.0.255 eq 3389
90 permit ip 10.10.0.0 0.0.0.255 10.10.204.0 0.0.0.255
200 deny tcp 10.10.1.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 3389
210 permit ip 10.10.1.0 0.0.0.255 10.10.100.0 0.0.0.255
220 permit ip 10.10.1.0 0.0.0.255 10.10.150.0 0.0.31.255
230 deny ip 10.10.1.0 0.0.0.255 10.10.200.0 0.0.0.15
240 deny ip 10.10.1.0 0.0.0.255 10.10.201.0 0.0.0.255
250 permit ip 10.10.1.0 0.0.0.255 10.10.202.0 0.0.0.255
260 deny ip 10.10.1.0 0.0.0.255 10.10.203.0 0.0.0.255
270 deny ip 10.10.1.0 0.0.0.255 10.10.204.0 0.0.0.255
300 deny tcp 10.10.2.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 3389
310 permit ip 10.10.2.0 0.0.0.255 10.10.100.0 0.0.0.255
320 permit ip 10.10.2.0 0.0.0.255 10.10.150.0 0.0.31.255
330 deny ip 10.10.2.0 0.0.0.255 10.10.200.0 0.0.0.15
340 deny ip 10.10.2.0 0.0.0.255 10.10.201.0 0.0.0.255
350 deny ip 10.10.2.0 0.0.0.255 10.10.202.0 0.0.0.255
360 deny ip 10.10.2.0 0.0.0.255 10.10.203.0 0.0.0.255
370 permit ip 10.10.2.0 0.0.0.255 10.10.204.0 0.0.0.255
400 deny tcp 10.10.3.0 0.0.0.255 10.10.100.0 0.0.0.255 eq 3389
410 permit ip 10.10.3.0 0.0.0.255 10.10.100.0 0.0.0.255
420 permit ip 10.10.3.0 0.0.0.255 10.10.150.0 0.0.31.255
430 permit ip 10.10.3.0 0.0.0.255 10.10.200.0 0.0.0.15
440 permit ip 10.10.3.0 0.0.0.255 10.10.201.0 0.0.0.255
450 permit ip 10.10.3.0 0.0.0.255 10.10.202.0 0.0.0.255
460 permit ip 10.10.3.0 0.0.0.255 10.10.203.0 0.0.0.255
470 permit ip 10.10.3.0 0.0.0.255 10.10.204.0 0.0.0.255
500 permit ip 10.10.4.0 0.0.0.255 10.132.72.240 0.0.0.0
510 deny ip 10.10.4.0 0.0.0.255 10.10.100.0 0.0.0.255
520 deny ip 10.10.4.0 0.0.0.255 10.10.150.0 0.0.31.255
530 deny ip 10.10.4.0 0.0.0.255 10.10.200.0 0.0.0.15
540 deny ip 10.10.4.0 0.0.0.255 10.10.201.0 0.0.0.255
550 deny ip 10.10.4.0 0.0.0.255 10.10.202.0 0.0.0.255
560 deny ip 10.10.4.0 0.0.0.255 10.10.203.0 0.0.0.255
570 deny ip 10.10.4.0 0.0.0.255 10.10.204.0 0.0.0.255
600 permit ip 10.10.7.0 0.0.0.15 10.10.100.0 0.0.0.255
610 permit ip 10.10.7.0 0.0.0.15 10.10.150.0 0.0.31.255
620 permit ip 10.10.7.0 0.0.0.15 10.10.200.0 0.0.0.15
630 permit ip 10.10.7.0 0.0.0.15 10.10.201.0 0.0.0.255
640 permit ip 10.10.7.0 0.0.0.15 10.10.202.0 0.0.0.255
650 permit ip 10.10.7.0 0.0.0.15 10.10.203.0 0.0.0.255
660 permit ip 10.10.7.0 0.0.0.15 10.10.204.0 0.0.0.255
700 deny ip 10.10.0.0 0.0.7.255 10.128.0.0 0.7.255.255
710 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
module 1 type J86xxA
interface 1
name "Connection_to_DC"
speed-duplex auto-1000
exit
interface 2
name "WAN_Optimizer"
speed-duplex auto-1000
exit
interface 3
name "3 Printer1"
exit
interface 4
name "4 Printer2"
exit
interface 6
name "6 Client1"
exit
interface 7
name "Client2"
exit
interface 8
name "8 Client3"
exit
interface 9
name "9 Client 4"
exit
interface 13
name "13 Printer3"
exit
interface 15
name "UPL_Switch4_1"
speed-duplex auto-1000
exit
interface 16
name "UPL_Switch4_2"
speed-duplex auto-1000
exit
interface 17
name "UPL_Switch3_1"
speed-duplex auto-1000
exit
interface 18
name "UPL_Switch3_2"
speed-duplex auto-1000
exit
interface 19
name "UPL_Switch2_1"
speed-duplex auto-1000
exit
interface 20
name "UPL_Switch2_2"
speed-duplex auto-1000
exit
interface 23
name "Client5"
exit
trunk 19-20 Trk1 LACP
trunk 17-18 Trk2 LACP
trunk 15-16 Trk3 LACP
ip routing
snmpv3 enable
snmpv3 group ManagerAuth user "UserName" sec-model ver3
vlan 1
name "DEFAULT_VLAN"
untagged Trk1-Trk3
ip address dhcp-bootp
no untagged 1-14,21-24
exit
vlan 760
name "CLIENTNET"
untagged 3,5-6,8-9,11-12,14,21-24
ip helper-address 10.132.72.13
ip address 10.10.0.1 255.255.255.0
tagged Trk1-Trk3
exit
vlan 770
name "SERVERNET"
untagged 7,10
ip address 10.10.1.1 255.255.255.0
tagged Trk1-Trk3
exit
vlan 780
name "PRINTERNET"
untagged 4,13
ip helper-address 10.132.72.13
ip address 10.10.2.1 255.255.255.0
tagged Trk1-Trk3
exit
vlan 790
name "MGMTNET"
untagged 2
ip address 10.10.3.1 255.255.255.0
tagged Trk1-Trk3
exit
vlan 800
name "GUESTNET"
ip address 10.10.4.1 255.255.255.0
tagged Trk1-Trk3
exit
vlan 830
name "TRANSFERNET"
untagged 1
ip address 10.10.7.5 255.255.255.240
tagged Trk1-Trk3
ip access-group "Transfer_to_DC_ACL" out
exit
fault-finder bad-driver sensitivity high
fault-finder bad-transceiver sensitivity high
fault-finder bad-cable sensitivity high
fault-finder too-long-cable sensitivity high
fault-finder over-bandwidth sensitivity high
fault-finder broadcast-storm sensitivity high
fault-finder loss-of-link sensitivity high
fault-finder duplex-mismatch-hdx sensitivity high
fault-finder duplex-mismatch-fdx sensitivity high
fault-finder link-flap sensitivity high
banner motd "\"Authorized access only!\n\nDisconnect IMMEDIATELY if you are not an\n authorized user!\""
radius-server host 10.10.202.100 key "RADIUSSERVERKEY"
timesync sntp
sntp unicast
sntp server priority 1 10.10.201.5 4
no telnet-server
no web-management
ip authorized-managers 10.10.150.0 255.255.224.0 access manager
ip authorized-managers 10.10.100.0 255.255.255.0 access manager
ip authorized-managers 10.10.3.0 255.255.255.0 access manager
ip authorized-managers 10.10.201.0 255.255.255.0 access manager
ip dns domain-name "Domain.local"
ip dns server-address priority 1 10.10.203.5
ip dns server-address priority 2 10.10.203.6
ip route 10.10.150.0 255.255.224.0 10.10.7.3
ip route 10.10.100.0 255.255.255.0 10.10.7.3
ip route 10.10.201.0 255.255.255.0 10.10.7.3
ip route 10.10.202.0 255.255.255.0 10.10.7.3
ip route 10.10.200.0 255.255.255.248 10.10.7.3
ip route 10.10.203.0 255.255.255.0 10.10.7.3
ip route 10.10.204.0 255.255.255.128 10.10.7.3
router vrrp
snmp-server community "Community" operator
snmp-server contact "Admins" location "DC"
snmpv3 user "Username"
aaa accounting network start-stop radius
aaa authentication port-access eap-radius authorized
aaa authentication mac-based chap-radius authorized
aaa port-access authenticator active
aaa port-access mac-based 3-6,11-14,21-24
aaa port-access mac-based 3 unauth-vid 800
aaa port-access mac-based 4 logoff-period 10080
aaa port-access mac-based 4 unauth-vid 800
aaa port-access mac-based 5 unauth-vid 800
aaa port-access mac-based 6 unauth-vid 800
aaa port-access mac-based 8 unauth-vid 800
aaa port-access mac-based 9 unauth-vid 800
aaa port-access mac-based 11 unauth-vid 800
aaa port-access mac-based 12 unauth-vid 800
aaa port-access mac-based 13 logoff-period 10080
aaa port-access mac-based 13 unauth-vid 800
aaa port-access mac-based 14 unauth-vid 800
aaa port-access mac-based 21 unauth-vid 800
aaa port-access mac-based 22 unauth-vid 800
aaa port-access mac-based 23 unauth-vid 800
aaa port-access mac-based 24 unauth-vid 800
aaa port-access mac-based addr-format single-dash
spanning-tree
spanning-tree 3 bpdu-protection
spanning-tree 4 bpdu-protection
spanning-tree 5 bpdu-protection
spanning-tree 6 bpdu-protection
spanning-tree 7 bpdu-protection
spanning-tree 8 bpdu-protection
spanning-tree 9 bpdu-protection
spanning-tree 10 bpdu-protection
spanning-tree 11 bpdu-protection
spanning-tree 12 bpdu-protection
spanning-tree 13 bpdu-protection
spanning-tree 14 bpdu-protection
spanning-tree Trk1 priority 4
spanning-tree Trk2 priority 4
spanning-tree Trk3 priority 4
spanning-tree priority 1 force-version rstp-operation
vlan 760
vrrp vrid 41
owner
virtual-ip-address 10.10.0.1 255.255.255.0
priority 255
enable
exit
exit
vlan 770
vrrp vrid 42
owner
virtual-ip-address 10.10.1.1 255.255.255.0
priority 255
enable
exit
exit
vlan 780
vrrp vrid 43
owner
virtual-ip-address 10.10.2.1 255.255.255.0
priority 255
enable
exit
exit
vlan 790
vrrp vrid 44
owner
virtual-ip-address 10.10.3.1 255.255.255.0
priority 255
enable
exit
exit
vlan 800
vrrp vrid 46
owner
virtual-ip-address 10.10.4.1 255.255.255.0
priority 255
enable
exit
exit
vlan 830
vrrp vrid 49
owner
virtual-ip-address 10.10.7.5 255.255.255.240
priority 255
enable
exit
exit
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager
password operator
Enjoy :)