The scenario presents two distribution switches and two access switches at the International Travel Agency (ITA). The assignment tasks are to implement high availability in the ITA domain, with voice service running on one of the distribution switches and MAC security on the access layer switches. Furthermore, the access layer switches must be designed to trust the IP phone CoS fields, with a simple and automatic QoS running on each of the switches. All IP addresses assigned to the various ports used in this topology come from the 172.16.10.0/24 subnet using VLSM. Finally, standard encapsulation technologies are used for the inter-switch trunks to meet the scalability needs of the travel agency. DS1 and DS2 are Cisco Catalyst 3560s, and AS1 and AS2 are Cisco Catalyst 2960s. The DSs run IOS Version 12.2(20)EX with 24 Fast Ethernet ports and the ASs run IOS Version 12.2(35)SE5 with 24 Fast Ethernet ports. EtherChannel is enabled on all trunk links, with HSRP running on both DSs, to make the network highly available and give maximum throughput by making use of all the available bandwidth. Port aggregation, i.e. EtherChannel, is configured to achieve maximum efficiency on the trunk links. All configuration commands are entered on these switches via the Command Line Interface (CLI). User authentication and remote access to these switches are also configured, to provide the maximum possible security to the ITA and to allow remote troubleshooting of the network in case of a failure, as a worst case.
This section covers all the technologies and techniques used to configure the network. All techniques used in this assignment were tested and found effective on the current topology, with a limited number of switches running redundancy protocols. A brief description of each technique is given below.
2.1 Variable Length Subnet Masking (VLSM)
172.16.10.0 / 24
Subnetting 172.16.10.0/24:

Network ID      First usable IP   Last usable IP   Broadcast IP     Subnet Mask
172.16.10.0     172.16.10.1       172.16.10.126    172.16.10.127    255.255.255.128
172.16.10.129   172.16.10.130     172.16.10.190    172.16.10.191    255.255.255.192
172.16.10.193   172.16.10.194     172.16.10.222    172.16.10.223    255.255.255.224
172.16.10.225   172.16.10.226     172.16.10.238    172.16.10.239    255.255.255.240
172.16.10.241   172.16.10.242     172.16.10.246    172.16.10.247    255.255.255.248
172.16.10.249   172.16.10.250     172.16.10.250    172.16.10.251    255.255.255.252
172.16.10.253   172.16.10.253     172.16.10.253    172.16.10.254    255.255.255.255
We use the first three subnets, as only 3 VLANs are discussed. The default VLAN has the maximum number of hosts and is used as the management VLAN. VLANs 10 and 200 use the subsequent subnets (i.e. masks 25 and 26) for their hosts respectively. Each subnet's first IP address will be used for the standby mode with HSRP in action. The wide range of IP addresses provides scalability for the ITA domain. Using VLSM gives maximum efficiency while meeting the scalability requirements.
DS(config-if)# ip address (Ip address) (Subnet mask)
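The halving scheme behind the table above can be computed with Python's standard `ipaddress` module. This is an added example, not part of the original report; the function name `vlsm_halving` is hypothetical, and the `hsrp_virtual_ip` field reads "each subnet's first IP address" as the first usable host address, which is an assumption.

```python
import ipaddress

def vlsm_halving(block: str, last_prefix: int = 30):
    """Split `block` by repeated halving: each subnet takes the lower half
    of the space that is still free, giving /25, /26, ... in address order."""
    free = ipaddress.ip_network(block)
    rows = []
    while free.prefixlen < last_prefix:
        lower, upper = free.subnets(prefixlen_diff=1)
        rows.append({
            "network": str(lower.network_address),
            "prefix": lower.prefixlen,
            "mask": str(lower.netmask),
            "first_usable": str(lower.network_address + 1),
            "last_usable": str(lower.broadcast_address - 1),
            "broadcast": str(lower.broadcast_address),
            # Assumption: the HSRP standby address is the first usable host.
            "hsrp_virtual_ip": str(lower.network_address + 1),
        })
        free = upper  # keep carving up the upper half
    return rows

def overlaps(rows):
    """Return True if any two allocated subnets share addresses."""
    nets = [ipaddress.ip_network(f"{r['network']}/{r['prefix']}") for r in rows]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

if __name__ == "__main__":
    plan = vlsm_halving("172.16.10.0/24")
    for r in plan:
        print(f"{r['network']}/{r['prefix']:<3} {r['mask']:<16} "
              f"{r['first_usable']:<14} {r['last_usable']:<14} {r['broadcast']}")
    print("overlap:", overlaps(plan))
```

The network IDs printed here fall on the block boundaries (for example 172.16.10.128 for the /26), because a subnet's network address is the lowest address in its block.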
2.2 VLAN Trunking Protocol (VTP)
VTP is a layer 2 messaging protocol that reduces administration in a switched network. When we create a new Virtual Local Area Network (VLAN), VTP distributes it to all the switches available in the network. VTP transmits broadcast messages to all the switches within the domain. VTP is a Cisco-proprietary protocol. All switches are in VTP server mode by default. The alternative modes are client mode and transparent mode. A well-equipped switch is always made the VTP server, as it sometimes floods the whole VLAN with unicast and broadcast messages, and only in server mode can the user create, modify and delete VLANs and configure other parameters for the whole domain, in our case the ITA domain. Client mode acts the same as server mode but will not allow us to create, modify or delete a VLAN. A system in VTP transparent mode will not participate in the broadcast but will receive advertisements. VTP broadcasts summary advertisements, subset advertisements and advertisement requests.
DS(config)# vtp mode (Required mode)
2.3 IP Routing
IP routing must be enabled on the distribution layer switches DS1 and DS2 to handle layer 3 (Network Layer) traffic within the VLANs. Data must be routed between different switches to travel from its source to the destination address. The IP routing command helps build a forwarding table that correlates final destinations with next-hop addresses.
2.4 Port Aggregation Protocol (PAgP)
Trunking is enabled on the ports for availability reasons. If one of the cables between the switches fails, traffic is diverted to the other ports within the trunking group. The throughput may be reduced, but the network still remains functional. The IEEE 802.3ad standard calls this Link Aggregation. With link aggregation we can use policies like L1, L2 and L3 to control the outbound traffic speed. PAgP aids in the automatic creation of Fast EtherChannel links. From two to eight links can be bundled in a single port channel. This also provides a load balancing mechanism within the trunks.
Switchports can be configured for the following modes of PAgP:
On - Non-negotiable bundling of ports into an EtherChannel.
Off - Ports are never bundled as an EtherChannel.
Auto - PAgP packets are sent to the other end switch to negotiate for an EtherChannel. If the end switch is in desirable mode, an EtherChannel is formed. (Two switches in auto mode will never conclude an EtherChannel creation.)
Desirable - PAgP packets are actively sent to negotiate an EtherChannel.
Fig 2.1 PAgP Authentication Modes
DS(config)# interface range (Range of ports to be bundled)
DS(config-if-range)# switchport trunk encapsulation (Required encapsulation technique)
DS(config-if-range)# switchport mode trunk
DS(config-if-range)# channel-group (Group Number) mode (Required mode)
2.5 Hot Standby Router Protocol (HSRP)
In order to provide high availability in switched networks, a level of redundancy must be implemented. This is where HSRP plays its role. HSRP is a Cisco-proprietary protocol, so if devices of different classes are used, VRRP can be adopted instead, but Cisco enhancements cannot be used with VRRP. In our case we use HSRP, which provides redundancy with a standby network that will kick in when the active route fails. The local state of the device decides the functionality. The list below shows the various states and their functions.
State of local networking device; can be one of the following:
Active - Current Hot Standby router.
Standby - Router next in line to be the Hot Standby router.
Speak - Router is sending packets to claim the active or standby role.
Listen - Router is neither active nor standby, but if no messages are received from the active or standby router, it will start to "speak."
Learn - Router is neither active nor standby, nor does it have enough information to attempt to claim the active or standby roles.
Init - Router is not yet ready to participate in HSRP, possibly because the associated interface is not up.
The cycle of states as observed in this assignment is that, if an interface of the active switch fails, the standby device speaks, then listens and learns the network and finally becomes active. The interface that failed turns to the Init state.
2.6 Port Access Security and MAC Filtering
Port access security is enabled to minimise data flooding on the ports and to prevent any situation that could make the network busy. It restricts which MAC address or addresses may gain access to a port, and defines a subsequent action if a violation occurs. The port cannot, however, be a trunk port or part of an EtherChannel.
AS(config)# interface (desired port)
AS(config-if)# switchport mode access
AS(config-if)# switchport port-security
MAC filtering can restrict the number of users that access a given port, and we can also manually provide the switch with the MAC addresses that it may give access to.
AS(config-if)# switchport port-security maximum (Number of MAC addresses)
AS(config-if)# switchport port-security mac-address 1111.2222.3333
The next step in this security mechanism is to assign an action for any violation that the switch recognises. The available violation actions are Protect, Restrict and Shutdown. Shutdown is the default action that the switch takes if there is a violation. The Protect and Restrict actions drop data from unknown sources and allow data from known sources, but the Restrict action also increments the Security Violation counter.
AS(config-if)# switchport port-security violation (protect, restrict or shutdown)
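The three violation actions described above, replayed over a constructed sequence of frames. This is an added example, not part of the original report: the `SecurePort` class and the `aaaa.bbbb.*` addresses are hypothetical, and the model covers only the behaviour described in this section.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Minimal model of one access port with port security enabled."""
    maximum: int = 1
    violation: str = "shutdown"                 # protect | restrict | shutdown
    static: set = field(default_factory=set)    # manually configured MACs
    learned: set = field(default_factory=set)   # dynamically learned MACs
    violations: int = 0                         # Security Violation counter
    err_disabled: bool = False

    def receive(self, src_mac: str) -> str:
        if self.err_disabled:
            return "dropped (port is shut down)"
        if src_mac in self.static or src_mac in self.learned:
            return "forwarded"
        if len(self.static) + len(self.learned) < self.maximum:
            self.learned.add(src_mac)           # room left: learn the address
            return "forwarded (learned)"
        # Address table is full and the source is unknown: violation.
        if self.violation == "protect":
            return "dropped"                    # silent drop, counter untouched
        self.violations += 1
        if self.violation == "restrict":
            return "dropped (counted)"
        self.err_disabled = True                # shutdown: port stops forwarding
        return "dropped (port shut down)"

# Constructed sample traffic: source MAC of each frame arriving on the port.
FRAMES = ["1111.2222.3333", "aaaa.bbbb.0001", "aaaa.bbbb.0002", "1111.2222.3333"]

def replay(mode: str):
    """Replay FRAMES on a port allowing 2 MACs, one of them static."""
    port = SecurePort(maximum=2, violation=mode, static={"1111.2222.3333"})
    return [port.receive(mac) for mac in FRAMES], port

if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        results, port = replay(mode)
        print(mode, results, "violations =", port.violations,
              "err_disabled =", port.err_disabled)
```

In shutdown mode the last frame is dropped even though its source is the configured address, because the whole port stays down until it is re-enabled.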
2.7 Spanning Tree Portfast
Portfast mode for spanning tree is assigned to the access ports to minimise the time taken for a port to form a link with any PCs connected to it. This is achieved by bypassing the listening and learning states. Portfast is always used on ports that are connected to a single workstation. Enabling Portfast on ports that are connected to other switches will end up creating loops. Portfast is also termed Faststart.
AS(config-if)# spanning-tree portfast