Is there a lab file link?
thank you!
CCNP Switch Lab
Scenario:
For this lab you need REAL hardware. You can't use switches in GNS3!
Minimum Equipment needed: (Or use rack rentals...)
- Core Switches: Cisco 3560 or Cisco 3550 (3550 can't do Private Vlan)
- Distribution Switches: Cisco 3560 or Cisco 3550 (doesn't matter which one) perhaps a 2950 could do.
- Access Layer: Cisco 2950
- Clients: PC or router connected to the access switches, this is optional however.
You never liked hierarchy and so routing isn't your way to go....who needs a subnet mask anyway!? Switching is what you love and that's why you became the senior network engineer responsible for all of the switches in the Hotel you work for. Multiple users are depending on you to keep the network running so you need to know what to do. You decide to get some new switches and start your configuration!
Goal:
- This topology is very similar to what you will find in the CCNP SWITCH material.·
- C1 and C2 are the Core layer switches.
- D1 and D2 are the Distribution layer switches.
- A1 and A2 are the Access layer switches.
- Delete all configurations from your switches, don't forget the vlan database by typing in "del flash:vlan.dat".
- All links between switches with the following exceptions:
- Do not form a trunk between C1 and D1.
- Use a Cisco Protocol to form a trunk between D1 and A1.
- The link between D1 and A2 should use a dynamic mode to form a trunk.
- The link between C1 and D1 should never negotiate to form a trunk, setting the port to 'access' mode is not the answer to this question. - All redundant links should be bundled in a portchannel.
- Use a standard-based protocol for the portchannel between C1 and C2.
- C1 should start the portchannel negotiation.
- C2 should only form a portchannel when C1 requests it.
- Configure the port channel between C2 and D2 to use a Cisco protocol.
- Configure the port channel between C2 and D2 never to use negotiation.
- C1 should be able to create all new vlans, the domainname should be VAULT.
- All other switches only need to synchronize to the latest vlan information, they are not able to create/modify/delete vlans.
- D2 should be configured so it does not sync with the latest vlan information but forwards advertisements to other switches.
- Create vlan 10,20,30,40,50 and 500.
- Take 2 ports on A1 with nothing connected to it. These ports will be used in the future for clients...make sure that any client connected to these ports are unable to communicate with each other. They should be able to communicate with any other port on the switch.
- To enhance security R1 and R2 should only be able to communicate with each other and interface fax/x (pick an interface with nothing connected to it). The routers should be in vlan 50 and you are allowed to use vlan 500 for your configuration.
- There have been complaints about the convergence time of your network. Choose another STP protocol which has a better convergence time and creates a spanning-tree instance per vlan.
- C1 should be the root bridge for vlan 10, C2 should be the backup.
- C2 should be the root bridge for vlan 20, C1 should be the backup.
- Your security officer comes to you and has some requests...
- BPDU packets coming from one of the client interfaces on A1 should be filtered, when it receives a BPDU it should be filtered.
- BPDU packets coming from one of the client interfaces on A2 should be error disabled when you receive a BPDU.
- D2 will be used as a default gateway for the clients on vlan 10. Use the IP addres 10.10.10.10 for the default gateway address.
- The link between C1 and C2 should become a routed port. Change the portchannel so it's a layer3 link instead of layer2. You can use the 192.168.12.0 / 30 subnet. C1 can use .1 and C2 can use .2
- Create a VACL (Vlan access-list) on D2 so IPv6 traffic will be dropped in vlan 30.
- There is a (fictional) DHCP server behind R1. Make sure you protect vlan 20 on A2 from fake DHCP replies.
- There have been reports of ARP poisoning, configure A2 so invalid ARP-replies are blocked.
- Configure A1 on interface Fx/x (pick any interface with nothing or a client connected to it) so it only allows 2 mac addresses. The port should not be error-disabled but you should see the counter increase when mac address number 3 shows up. Mac addresses should be learned dynamically.
- Configure D2 so A1 and A2 can never become the root· bridge. Test this by setting the priority to a lower value on A1 or A2.
- Configure A2 so port fax/x (pick an interface with nothing connected to it) skips all STP states and goes to forwarding immediately.
IOS:
Basic IOS for the switches should be sufficient. No special features needed.
Topology:
- Related Articles
Only registered users can write comments!
Comments (12)
-
ReneMolenaar 2011-01-04 11:17:30Hello Scott,
You can't run switches in GNS3...you need real hardware to do this lab (or get a rack rental).
Rene
-
anudeep404 2011-01-04 15:03:02Guys can I get hands on experience with 2 3550s and 2 2950s.
Can we integrate routers on gns3 with these real Switches, coz it pumps down our lab budget drastically.Or shall I go with 1-3550, 1-Cisco 3750, 2- 2950 and a high performance computer, that have mulitple eth ports?
-
ReneMolenaar 2011-01-04 18:44:56
Hi Anudeep,
The 3550 switch is more than enough to practice anything you need to know for your CCNP. You can do all the layer 2 + 3 stuff.
There's only 1 thing you cannot do on the 3550 and that's Private VLANs. You'll need a 3560 or 3750 to do this but i doubt the price difference is worth it just to configure private VLANs.
The 2950's are fine but can only do layer2 stuff...they are nice for the access-layer to practice vlan / spanning-tree.
Rene
-
tavati 2011-01-22 20:12:15but can't we simulate switch with vlan database command on the router in gns3 and practice ?
-
ReneMolenaar 2011-01-24 13:01:16
You can use the NM16-SW module and do some of the vlan/switching stuff in GNS3. However it's kinda different compared to using a real switch. I'd recommend getting Cisco 2950's (layer2) or 3550's (layer3) switches if you want to study switching for CCNA or CCNP.
-
ReneMolenaar 2011-03-21 20:01:58
Glad to hear you passed your ROUTE exam.
About the switches, using the NM16-SW isn't the same as configuration of a switch...some of the commands are not there or work differently.
I'm not too fond of using GNS3 for switches, if you use the real switches you'll gain the experience needed for beating the SWITCH exam or real life experience. Besides switches are cheap...
You would only need 2-3 switches to test everything you need for your CCNP.
Rene
-
kumar981 2011-03-20 20:14:29Hi Rene,
Just cleared my CCNP Route exam last week and I have to thank your labs for it. They have been very informative.
I am now preparing for CCNP Switch exam. I see you have mentioned that we may have to buy Cisco 2950 or 3550 for the same. Aren't the NM16-SW on GNS3 enough for the same?
Thanks
-
Waschman 2011-04-07 09:58:59If you are going to take the CCNP Multilayer switching course then I really think you should buy a c3550 and one c2950 on eBay or somewhere similar. It's very handy and you get real hands on practice. But do not buy routers becuase they can be simulated in GNS3.
To connect for example a c3550 switch to a simulated router you can find some guides on the Internet, but I think you need a network card (1-4) that supports 802.1Q tagging. Then you can create a VLAN trunk or just a regular network connection from the switch to your PC.
When I say that you gain the most out of your education if you buy some real switches is becuase I have experience from that. When I studied Computer Networks and Advanced Routing & Switching in Halmstad University in Sweden, I lived 100km away from the school and then I didn't have all the time in my life to stay at school in the evening to practice, because of the time spent to travel by train to the university. I found Dynamips and then GNS3, the best software ever which saved a lot of time. But in the Multilayer switching course I bought some switches, which I'll never regret. I learned so much more when I also could study the hardware and configuration at home.
In the university they had c3560 that could to private vlan and at home I had my c3550 and two c2950, including GNS3. Perfect combination.
GNS3 can still handle some switching in the 16-module for the 3640 routers but I think it's not enough. You miss alot of the fun stuff.
Now I have the following and I bought one c26xx router to support real VoIP. I bough some cheap stuff from IKEA and built my own lab rack. Maybe this setup is not for you but i pretty nice to have the possibility to practice. I am also thinking about renting my hardware via Internet access but that is another story.
- 2x c3550 (4x GBIC's)
- 3x c2950
- 1x 2509 (terminal server; every Cisco course should have this one)
- 2x 2502 (very old routers I got from a friend)
- 1x 2620XM (mostly for VoIP; with one FXS and one FXO)
- 2x Wireless AP Aironet 1200
- 2x VoIP Cisco Phone 7940Total cost: about 1300$ USD but it's worth it becuase I can sell it in the future for maybe half that cost or more.
I am a very big Cisco fan but I have started to also look at Juniper's solutions. Why? Becuause Cisco is not the only one and it's good to know multi-vendor networks. Then you can't use EIGRP and maybe have to choose OSPF instead. Juniper's JUNOS can be simulated in GNS3 and this morning I got OSPF working between a c3640 and JUNOS 8.3R2, nice!
Challenge yourself, try multi-vendor networks like Cisco, Juniper and HP. You don't have to buy hardware but it always good to have.
-
ReneMolenaar 2011-04-10 09:57:01
Nice post Waschman. I agree 100% with you.
I'm currently "upgrading" my CCIE lab to a mixed virtual/physical lab. I have all the routers/switches here but i'm getting sick of cabling (serial links ugh) and after my frame-relay switch died yesterday morning I decided to change things a bit.
If you have 4 physical switches and a computer that can do 802.1Q trunking you can hook up the gns3 routers to the switches.
I'll post an article once i'm done
-
dppjaya 2012-01-20 09:30:17I have request ..please someone can upload the way configure this lab as video..It will help most learners ..Thanks