
VLAN LAB Objective • Create VLANs • Configuration of trunk port


DOCUMENT INFORMATION

Basic information

Format
Number of pages: 30
Size: 1.52 MB

Contents

VLAN

LAB Objective

• Create VLANs

• Configuration of trunk ports

• Configuration of Access ports

• Assign IP to hosts

• Verification

Vlan Name   Vlan ID   Ports       Subnet
cisco       10        Fa0/10-15   192.168.10.0/24
r.


ACC2(config-vlan)#exit

ACC2(config)#vlan 20

ACC2(config-vlan)#name redhat

ACC2(config-vlan)#exit

Configure Trunk port (ACC1 and ACC2)

Before configuring trunk ports, we will look at the basic function of DTP.

DTP is normally used on Cisco IOS switches to negotiate whether an interface should become an access port or a trunk. By default DTP is enabled and the interfaces of your switches will be in "dynamic auto" or "dynamic desirable" mode. Without configuring anything on the interfaces, the default is dynamic auto mode and the interfaces will be in access mode.

Dynamic auto + dynamic auto = access

ACC1#show interfaces fastEthernet 0/24 switchport

Name: Fa0/24

Switchport: Enabled

Administrative Mode: dynamic auto

Operational Mode: static access

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: native

Negotiation of Trunking: On

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

Voice VLAN: none

Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk private VLANs: none

Operational private-vlan: none

Trunking VLANs Enabled: All

Pruning VLANs Enabled: 2-1001

Capture Mode Disabled

Capture VLANs Allowed: ALL


ACC2#show interfaces fastEthernet 0/24 switchport

Name: Fa0/24

Switchport: Enabled

Administrative Mode: dynamic auto

Operational Mode: static access

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: native

Negotiation of Trunking: On

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

Voice VLAN: none

Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk private VLANs: none

Operational private-vlan: none

Dynamic auto or dynamic desirable + access = access

Depending on the switch model and IOS version, the default might be "dynamic auto" or "dynamic desirable".

• dynamic auto + dynamic desirable = trunk

• dynamic desirable + dynamic desirable = trunk

• dynamic auto or dynamic desirable + trunk = trunk

Now configure a trunk on the ACC1 switch and leave the ACC2 switch unconfigured.

ACC1(config)#interface fastEthernet 0/24

ACC1(config-if)#switchport mode trunk

ACC1#show interfaces fastEthernet 0/24 switchport

Name: Fa0/24

Switchport: Enabled

Administrative Mode: trunk

Operational Mode: trunk


Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: dot1q

Negotiation of Trunking: On

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

Voice VLAN: none

Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk private VLANs: none

Operational private-vlan: none

Trunking VLANs Enabled: All

Pruning VLANs Enabled: 2-1001

Check the ACC2 switch.

ACC2#show interfaces fastEthernet 0/24 switchport

Name: Fa0/24

Switchport: Enabled

Administrative Mode: dynamic auto

Operational Mode: trunk

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: dot1q

Negotiation of Trunking: On

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

Voice VLAN: none

Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk private VLANs: none

Operational private-vlan: none

Trunking VLANs Enabled: All

Pruning VLANs Enabled: 2-1001


But the ACC2 port is already a trunk port, right? This is because of DTP.

Dynamic auto or dynamic desirable + trunk = trunk

The DTP protocol is unauthenticated, which means that a station can send false DTP packets, pretending to be a switch. If the switchport is configured as a dynamic port, an attacker can lure the switchport into becoming a trunk port and will gain access to all VLANs allowed on that trunk. Therefore, after a network has been installed, it is best practice to set the mode statically and deactivate the DTP protocol on a port using the command switchport nonegotiate (this command is necessary only for trunk ports, as static access ports do not send DTP packets automatically).
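To check a switch for this exposure, the following Python script is an added example (not part of the lab document): it encodes the DTP outcome rules listed above and parses "show interfaces switchport" output to flag ports whose trunk state can still be changed by DTP frames; the sample output is constructed in the field layout the lab shows.

```python
"""Added example (not from the lab): DTP outcome rules and an audit of
'show interfaces switchport' output for ports that still negotiate."""
import re

def negotiate(a, b, a_nonegotiate=False, b_nonegotiate=False):
    """Mode a link settles on, per the lab's rules. A 'switchport nonegotiate'
    trunk sends no DTP, so a dynamic peer stays access (the static side stays trunk)."""
    modes = {a, b}
    if "access" in modes:
        return "access"
    if "trunk" in modes:
        if (a == "trunk" and a_nonegotiate and b != "trunk") or \
           (b == "trunk" and b_nonegotiate and a != "trunk"):
            return "access"
        return "trunk"
    # both sides dynamic: auto + auto stays access, any desirable side trunks
    return "trunk" if "dynamic desirable" in modes else "access"

def parse_switchport(output):
    """One dict of 'Field: value' pairs per port, split on each 'Name:' line."""
    ports = []
    for block in re.split(r"(?m)(?=^Name: )", output):
        fields = dict(re.findall(r"(?m)^([^:\n]+): (.*)$", block))
        if "Name" in fields:
            ports.append(fields)
    return ports

def dtp_findings(output):
    """Ports whose trunk state a DTP frame from the wire could still change."""
    findings = []
    for p in parse_switchport(output):
        mode = p.get("Administrative Mode", "")
        dtp_on = p.get("Negotiation of Trunking", "").lower() == "on"
        if mode.startswith("dynamic"):
            findings.append(f"{p['Name']}: {mode}, a DTP peer can make it a trunk")
        elif mode == "trunk" and dtp_on:
            findings.append(f"{p['Name']}: trunk still negotiating, add 'switchport nonegotiate'")
    return findings

# Constructed sample in the IOS layout shown in the lab (three ports).
SAMPLE = """Name: Fa0/24
Administrative Mode: dynamic auto
Negotiation of Trunking: On
Name: Fa0/23
Administrative Mode: trunk
Negotiation of Trunking: On
Name: Fa0/10
Administrative Mode: static access
Negotiation of Trunking: Off
"""
```

Running dtp_findings(SAMPLE) reports Fa0/24 and Fa0/23; Fa0/10 is a static access port and is not reported.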

Administrative Mode: trunk

Operational Mode: trunk

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: dot1q

Negotiation of Trunking: Off

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

Voice VLAN: none

Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk private VLANs: none

Operational private-vlan: none


On the ACC2 switch:

ACC2#show interfaces fastEthernet 0/24 switchport

Name: Fa0/24

Switchport: Enabled

Administrative Mode: dynamic auto

Operational Mode: static access

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: native

Negotiation of Trunking: On

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

Voice VLAN: none

Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk private VLANs: none

Operational private-vlan: none

Now this port on ACC2 cannot become a trunk port, because we have disabled DTP negotiation on the ACC1 side, so we need to configure the trunk manually.

Administrative Mode: trunk

Operational Mode: trunk

Administrative Trunking Encapsulation: dot1q

Operational Trunking Encapsulation: dot1q

Negotiation of Trunking: Off

Access Mode VLAN: 1 (default)

Trunking Native Mode VLAN: 1 (default)

Voice VLAN: none


Administrative private-vlan host-association: none

Administrative private-vlan mapping: none

Administrative private-vlan trunk native VLAN: none

Administrative private-vlan trunk encapsulation: dot1q

Administrative private-vlan trunk normal VLANs: none

Administrative private-vlan trunk private VLANs: none

Operational private-vlan: none

Now this port becomes a trunk.

Configure Access port

ACC1(config)#interface range fastEthernet 0/10-15

ACC1(config-if-range)#switchport mode access

ACC1(config-if-range)#switchport access vlan 10

ACC1(config)#interface range fastEthernet 0/20-23

ACC1(config-if-range)#switchport mode access

ACC1(config-if-range)#switchport access vlan 20

ACC2(config-vlan)#interface range fastEthernet 0/10-15

ACC2(config-if-range)#switchport mode access

ACC2(config-if-range)#switchport access vlan 10

ACC2(config)#interface range fastEthernet 0/20-23

ACC2(config-if-range)#switchport mode access

ACC2(config-if-range)#switchport access vlan 20

Assign IP Addresses to hosts

Our given subnet for VLAN 10 is 192.168.10.0/24 and for VLAN 20 it is 192.168.20.0/24, so we assign each host an IP address from the subnet of its VLAN.


Verification

First, we ping between hosts in the same VLAN.

Successful. But what happens if we try to ping a host in a different VLAN? Let's check.

Every VLAN is like a separate island: it cannot communicate with other VLANs unless we configure inter-VLAN routing. We will do this later.

ASA Port-Channel and Redundant Interface

Port-Channel

A Port-Channel provides a method of aggregating multiple Ethernet links into a single logical channel. The benefit of EtherChannel or Port-Channel is that you can configure redundancy and load balancing at the same time; the ASA interfaces are bundled into one link at Layer 2, then you assign all VLANs directly to the Port-Channel, and so they apply to all member interfaces of the ASA.

Redundant Interfaces

They are used for interface redundancy. The idea is to provide for physical link failure. That is, you combine two physical interfaces on the ASA into a virtual one, then you configure all the Layer 3 parameters on this virtual interface. At any time only ONE of the interfaces in a group is active (that is, no load sharing); if it fails, the ASA transparently switches to the next available interface in the group and all the traffic passes through it.

First, bring the interfaces up.

ciscoasa(config)# hostname ASA

ASA(config)# interface ethernet 2

ASA(config-if)# channel-group 10 mode on

INFO: security-level, delay and IP address are cleared on Ethernet2

ASA(config-if)# no security-level

ASA(config-if)# no ip address

ASA(config-if)# exit

ASA(config)#

ASA(config)# interface ethernet 3

ASA(config-if)# channel-group 10 mode on

INFO: security-level, delay and IP address are cleared on Ethernet3

ASA(config-if)# no nameif

ASA(config-if)# no security-level

ASA(config-if)# no ip address


ASA(config-if)# exit

Create the sub-interface and VLAN, and assign the security level and IP address.

ASA(config)# interface port-channel 10.10

ASA(config-subif)# vlan 10

ASA(config-subif)# no shutdown

ASA(config-subif)# nameif inside1

INFO: Security level for "inside1" set to 0 by default

ASA(config-subif)# nameif inside2

INFO: Security level for "inside2" set to 0 by default

The ports are in the shutdown state; apply no shutdown.

ASA(config)# interface port-channel 10

Now verify it again. The ports are functional.

EtherChannel, trunk, VLAN and access port configuration on the switch

Switch#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#interface range ethernet 0/0-1

Switch(config-if-range)#channel-group 10 mode on

Creating a port-channel interface Port-channel 10

Switch(config-if-range)#exit


Switch(config)#interface port-channel 10

Switch(config-if)#switchport trunk encapsulation dot1q

Switch(config-if)#switchport mode trunk

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 10

Switch(config-if)#exit

Switch(config)#interface ethernet 0/2

Switch(config-if)#switchport mode access

Switch(config-if)#switchport access vlan 20

Switch(config-if)#exit


Configure the redundant interface

ASA(config)# interface redundant 1

ASA(config-if)# member-interface ethernet 0

INFO: security-level and IP address are cleared on Ethernet0

ASA(config-if)# member-interface ethernet 1

INFO: security-level and IP address are cleared on Ethernet1

ASA(config-if)# no shutdown

ASA(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default


ASA(config-network-object)# object network vlan20

Create an ACL to permit ICMP

ASA(config)# access-list out-in permit icmp object out-pc object vlan10

ASA(config)# access-list out-in permit icmp object out-pc object vlan20

ASA(config)# access-group out-in in interface outside


Cisco SD-WAN is a cloud-first architecture that separates the data and control planes and is managed through the Cisco vManage console. You can quickly establish an SD-WAN overlay fabric to connect data centers, branches, campuses, and co-location facilities to improve network speed, security, and efficiency.

Benefits of Cisco SD-WAN

Customers deploying Cisco SD-WAN have:

● 65% lower cost of connectivity

● 38% lower five-year cost of operations per 100 users

● 33% more efficient WAN management

● 59% faster onboarding of new services

● 58% faster implementation of policy and configuration changes

● 94% reduction in unplanned downtime

● 40% improvement in Microsoft 365 performance

● 48% reduction in application latency

Why software-defined WAN?

Enhanced application experience

• Predictable SLA for voice, cloud, and other critical enterprise applications

• Dynamic path selection that automatically steers critical applications around network problems

• Multiple hybrid active-active links for all scenarios

• Zero-trust foundation with authentication, encryption, and segmentation

• Web security, enterprise firewall, IPS, AMP next-generation antivirus, DNS layer enforcement, URL filtering, and SSL decryption proxy

Optimized for multicloud

• Enables SD-WAN to extend to major public cloud and colocation providers with Cloud OnRamp

• Automatically selects the fastest, most reliable path for real-time optimized performance with Microsoft 365, Salesforce, and other major SaaS applications

• Automated workflow integration for AWS, Azure, and Google Cloud

• Regionalized internet access using colocation facilities to quickly spin up new services and provide consistent policy for employees, partners, and guests across the WAN


Operational simplicity

• Full integration of unified communications, multicloud, and security into SD-WAN

• End-to-end visibility, segmentation policy management, and security enforcement across the network with a single dashboard

• Automation with template-based zero-touch provisioning and RESTful integration

Visibility and actionable insight

• Granular visibility into applications and infrastructure, enabling rapid failure correlation and mitigation

• Sophisticated forecasting and what-if analysis for effective resource planning

• Insightful policy recommendations and root cause analysis based on traffic patterns

The most widely deployed SD-WAN

• Cisco boasts large deployments in all major sectors, such as retail, healthcare, financial services, and energy, and is the most widely deployed SD-WAN across the Fortune 2000, with deployments in 70% of Fortune 100 enterprises

• Thousands of production sites in every major industry

• Rich analytics with benchmarking data across the industry

• Deployed in PCI- and HIPAA-compliant industry sectors

Cisco Viptela SD-WAN components


vManage Network Management System (NMS)—The vManage NMS is a centralized network management system that lets you configure and manage the entire overlay network from a simple graphical dashboard – located in the data center.

vSmart Controller—The vSmart controller is the centralized brain of the Viptela solution, controlling the flow of data traffic throughout the network. The vSmart controller works with the vBond orchestrator to authenticate Viptela devices as they join the network and to orchestrate connectivity among the vEdge routers – located in the data center.

vBond Orchestrator—The vBond orchestrator automatically orchestrates connectivity between vEdge routers and vSmart controllers. If any vEdge router or vSmart controller is behind a NAT, the vBond orchestrator also serves as an initial NAT-traversal orchestrator – located in the DMZ.

vEdge Routers—The vEdge routers sit at the perimeter of a site (such as remote offices, branches, campuses, data centers) and provide connectivity among the sites. They are either hardware devices or software (the vEdge Cloud router). vEdge routers handle the transmission of data traffic.

Posted: 10/09/2022, 08:52
