CCIE Security lab: Switching


It is time to set up the core network.  Nothing new here really, a bit of HSRP and a few niceties (like disabling timeout on the console). The switches need to be given a hostname (obviously), and then we have some basics to do on all of them, and then the HSRP, which will be on SW1 and SW2.

On all switches we create the VLANs, turn off the time out on the console, and set the inter-switch ports to be dot1q trunks:
vlan 4
name Management
vlan 7
name DMZ
vlan 9
name Phones
vlan 20
name Users-1
vlan 21
name Users-2
vlan 55
name Failover
vlan 99
name Data-Phone
exit
line con 0
exec-t 0 0
exit
int ra gi0/1 - 3
swi tru enc dot
swi mo tru
no shu
exit
The next part is to set up the VLAN interfaces and HSRP. I have decided to use .254 as the final octet for the HSRP IPs, as it means I can use the switch numbers (.1 and .2) on the respective switches.

Vlan interfaces and HSRP


int vlan 4
ip address 10.1.4.1 255.255.255.0
standby 4 ip 10.1.4.254
standby 4 pri 90
standby 4 pre del min 60
no sh
int vlan 7
ip address 10.1.7.1 255.255.255.0
standby 7 ip 10.1.7.254
standby 7 pri 110
standby 7 pre del min 60
no sh
int vlan 9
ip address 10.1.9.1 255.255.255.0
standby 9 ip 10.1.9.254
standby 9 pri 90
standby 9 pre del min 60
no sh
int vlan 20
ip address 10.1.20.1 255.255.255.0
standby 20 ip 10.1.20.254
standby 20 pri 110
standby 20 pre del min 60
no sh
int vlan 21
ip address 10.1.21.1 255.255.255.0
standby 21 ip 10.1.21.254
standby 21 pri 90
standby 21 pre del min 60
no sh
int vlan 55
ip address 10.1.55.1 255.255.255.0
standby 55 ip 10.1.55.254
standby 55 pri 110
standby 55 pre del min 60
no sh
int vlan 99
ip address 10.1.99.1 255.255.255.0
standby 99 ip 10.1.99.254
standby 99 pri 90
standby 99 pre del min 60
no sh
int vlan 4
ip address 10.1.4.2 255.255.255.0
standby 4 ip 10.1.4.254
standby 4 pri 110
standby 4 pre del min 60
no sh
int vlan 7
ip address 10.1.7.2 255.255.255.0
standby 7 ip 10.1.7.254
standby 7 pri 90
standby 7 pre del min 60
no sh
int vlan 9
ip address 10.1.9.2 255.255.255.0
standby 9 ip 10.1.9.254
standby 9 pri 110
standby 9 pre del min 60
no sh
int vlan 20
ip address 10.1.20.2 255.255.255.0
standby 20 ip 10.1.20.254
standby 20 pri 90
standby 20 pre del min 60
no sh
int vlan 21
ip address 10.1.21.2 255.255.255.0
standby 21 ip 10.1.21.254
standby 21 pri 110
standby 21 pre del min 60
no sh
int vlan 55
ip address 10.1.55.2 255.255.255.0
standby 55 ip 10.1.55.254
standby 55 pri 90
standby 55 pre del min 60
no sh
int vlan 99
ip address 10.1.99.2 255.255.255.0
standby 99 ip 10.1.99.254
standby 99 pri 110
standby 99 pre del min 60
no sh

Confirmation:

SW1#sh standby bri
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl4         4    90  P Standby 10.1.4.2        local           10.1.4.254
Vl7         7    110 P Active  local           10.1.7.2        10.1.7.254
Vl9         9    90  P Standby 10.1.9.2        local           10.1.9.254
Vl20        20   110 P Active  local           10.1.20.2       10.1.20.254
Vl21        21   90  P Standby 10.1.21.2       local           10.1.21.254
Vl55        55   110 P Active  local           10.1.55.2       10.1.55.254
Vl99        99   90  P Standby 10.1.99.2       local           10.1.99.254
SW1#

SW2#sh standby bri
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl4         4    110 P Active  local           10.1.4.1        10.1.4.254
Vl7         7    90  P Standby 10.1.7.1        local           10.1.7.254
Vl9         9    110 P Active  local           10.1.9.1        10.1.9.254
Vl20        20   90  P Standby 10.1.20.1       local           10.1.20.254
Vl21        21   110 P Active  local           10.1.21.1       10.1.21.254
Vl55        55   90  P Standby 10.1.55.1       local           10.1.55.254
Vl99        99   110 P Active  local           10.1.99.1       10.1.99.254
SW2#
Looks good now. We have an internal network and can start playing with the really cool toys, like the ISE and WSA, but not before we setup the firewalls for HA and NAT

I am waiting on my (newish) 3750X to be delivered today, its the PoE version, so it'll handle the phone and the Wifi parts of the lab.

CCIE #49337, author of CCNA and Beyond, BGP for Cisco Networks, MPLS for Cisco Networks, VPNs and NAT for Cisco Networks.

Related Posts

Previous
Next Post »