Practical configurations, Part 2


Doug Downer
07.19.2005


This article is the second in a small series designed to help the common network engineer with practical configurations for networking devices. In the last tip I focused on using base configurations such as SNMP and NTP as well as configuring the access devices in your network. This week I will move the focus onto the configuration of the distribution devices.

Access Recap
Recall from the last tip that we have configured VLANs, user ports and VTP on the access devices. Remember to use the following topology as a guideline:

Range Helps
Don't forget that using the interface range command can help save time in configurations. By not having to configure each individual port separately, this command can help you to apply large interface-based command sets quickly. Remember that last week we configured our Access-1 switch's user ports to belong to VLAN10 (user-vlan) with the following commands:

Access-1(config)#interface range fa0/0 - 24
Access-1(config-if-range)#switchport mode access
Access-1(config-if-range)#switchport access vlan 10
! duplex takes a single keyword, full or half; full is shown here
Access-1(config-if-range)#duplex full
Access-1(config-if-range)#speed 100
Access-1(config-if-range)#spanning-tree portfast

Spanning Tree
I mentioned in the last article that Spanning Tree was beyond the scope of what we were trying to accomplish with the access switches. In this article, however, STP is fair game.

The purpose of the portfast command on user ports is to let these ports transition quickly to forwarding mode. As an engineer you don't want to wait ~50s for a customer to come up after you've plugged them into your switch. The delay is due to the port passing through the listening and learning states before it reaches forwarding. This command is NOT to be used on ports connecting to other Layer 2 devices; doing so can create a bridging loop and seriously damage your network.

The other item relevant to STP on the access devices (and to this article) is the switch priority. It is generally best practice to manipulate the spanning tree priorities so that the root bridge is not an access device. I am assuming at this point that the distribution layer in the network is comprised of Layer 3 switches. The reason is that many networks are configured so that the distribution layer is the first routing point in the network, meaning the users first hit a router at the distribution layer. Configuring the STP priorities so that the distribution layer devices, and not the access layer devices, become the root of the spanning tree is important for troubleshooting and for knowing how traffic flows.

In the diagram above, D1 has been configured as the primary root of the spanning tree in the default VLAN. This configuration ensures that Layer 2 traffic travels from Access-1 to D1. If a failure occurs, traffic shifts from Access-1 to D2. This topology is very common in networks today. Hot Standby Router Protocol (HSRP) is also commonly used for gateway redundancy, in this case between D1 and D2 (see below).

It's important to know that when using L2 topologies such as this with HSRP, the active HSRP gateway must also be the STP root bridge.

Configuring STP, HSRP and OSPF
Using the diagram below, I'll show you how to configure all of the topics I've talked about in this article. Remember that I am assuming all the base configurations have been applied.

The configurations below will incorporate each of the topics in this article. I will use the above diagram as a reference for these configurations. It's important when configuring each device that you "develop and verify" each layer of your configurations. This means don't configure OSPF before you verify your STP operation. This will allow you to methodically move from Layer 1 to Layer 3+ configurations without having to waste time troubleshooting an underlying issue which you might not have seen otherwise.

Access-1
Access-1(config)#vlan 100
Access-1(config-vlan)#name user-vlan
Access-1(config)#interface g0/0
Access-1(config-if)#switchport trunk encapsulation dot1q
Access-1(config-if)#switchport mode trunk
Access-1(config-if)#switchport trunk allowed vlan 100
Access-1(config)#interface g0/1
Access-1(config-if)#switchport trunk encapsulation dot1q
Access-1(config-if)#switchport mode trunk
Access-1(config-if)#switchport trunk allowed vlan 100
Access-1(config)#interface vlan 100
Access-1(config-if)#description Layer 3 Address for Device Management
Access-1(config-if)#ip address 10.1.1.4 255.255.255.0
Access-1(config-if)#no shut

D1
D1(config)#vlan 100
D1(config-vlan)#name user-vlan
D1(config)#spanning-tree vlan 100 root primary
D1(config)#interface g0/0
D1(config-if)#switchport trunk encapsulation dot1q
D1(config-if)#switchport mode trunk
D1(config-if)#switchport trunk allowed vlan 100
D1(config)#interface vlan 100
D1(config-if)#ip address 10.1.1.2 255.255.255.0
D1(config-if)#standby 1 ip 10.1.1.1
D1(config-if)#standby 1 priority 110
D1(config-if)#standby 1 preempt
D1(config)#interface loopback0
D1(config-if)#description Interface used for OSPF, BGP, Logging, etc.
D1(config-if)#ip address 1.1.1.1 255.255.255.255
D1(config)#router ospf 1
D1(config-router)#router-id 1.1.1.1
D1(config-router)#network 1.1.1.1 0.0.0.0 area 0
D1(config-router)#network 10.1.1.0 0.0.0.255 area 0

D2
D2(config)#vlan 100
D2(config-vlan)#name user-vlan
D2(config)#spanning-tree vlan 100 root secondary
D2(config)#interface g0/0
D2(config-if)#switchport trunk encapsulation dot1q
D2(config-if)#switchport mode trunk
D2(config-if)#switchport trunk allowed vlan 100
D2(config)#interface vlan 100
D2(config-if)#ip address 10.1.1.3 255.255.255.0
D2(config-if)#standby 1 ip 10.1.1.1
D2(config)#interface loopback0
D2(config-if)#description Interface used for OSPF, BGP, Logging, etc.
D2(config-if)#ip address 2.2.2.2 255.255.255.255
D2(config)#router ospf 1
D2(config-router)#router-id 2.2.2.2
D2(config-router)#network 2.2.2.2 0.0.0.0 area 0
D2(config-router)#network 10.1.1.0 0.0.0.255 area 0
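
Two rules from this tip can be checked mechanically before a change is pushed: portfast must not sit on a port facing another Layer 2 device, and the active HSRP gateway must also be the STP root bridge. The Python script below is an added example, not part of the original tip; parse() and audit() are hypothetical helper names, trunk mode is used as a stand-in for "connects to another switch", and only the configured HSRP priority is compared (preempt and tie-breaks are ignored).

```python
import re
from collections import defaultdict

def parse(session):
    """Map 'Dev(config-if)#cmd' lines to {dev: {"root": {vlan: role}, "if": {name: [cmds]}}}."""
    devs = defaultdict(lambda: {"root": {}, "if": defaultdict(list)})
    current = {}  # device -> interface currently being configured
    for line in session.splitlines():
        m = re.match(r"\s*([\w-]+)\((config[^)]*)\)#\s*(.+?)\s*$", line)
        if not m:
            continue
        dev, mode, cmd = m.group(1), m.group(2), m.group(3).lower()
        if cmd.startswith("interface "):
            current[dev] = cmd.split(None, 1)[1].replace(" ", "")
        elif r := re.match(r"spanning-tree vlan (\d+) root (primary|secondary)", cmd):
            devs[dev]["root"][int(r.group(1))] = r.group(2)
        elif mode.startswith("config-if") and dev in current:
            devs[dev]["if"][current[dev]].append(cmd)
    return devs

def audit(devs):
    findings, hsrp = [], defaultdict(list)  # hsrp: vlan -> [(priority, device)]
    for dev, d in devs.items():
        for name, cmds in d["if"].items():
            # Heuristic (assumption): a trunk port faces another Layer 2 device.
            if "switchport mode trunk" in cmds and "spanning-tree portfast" in cmds:
                findings.append(f"{dev} {name}: portfast on a trunk port")
            v = re.fullmatch(r"vlan(\d+)", name)
            if v and any(re.match(r"standby \d+ ip ", c) for c in cmds):
                prios = [int(c.split()[3]) for c in cmds if re.match(r"standby \d+ priority \d+", c)]
                hsrp[int(v.group(1))].append((max(prios or [100]), dev))  # 100 = HSRP default
    for vlan, peers in hsrp.items():
        active = max(peers)[1]  # assumes priorities differ (ties go to the highest IP)
        if devs[active]["root"].get(vlan) != "primary":
            findings.append(f"vlan {vlan}: HSRP active {active} is not STP root primary")
    return findings

# ARTICLE: HSRP/STP lines from this tip's D1/D2 listings. BROKEN: constructed faulty variant.
ARTICLE = """D1(config)#spanning-tree vlan 100 root primary
D1(config)#interface vlan 100
D1(config-if)#standby 1 ip 10.1.1.1
D1(config-if)#standby 1 priority 110
D2(config)#spanning-tree vlan 100 root secondary
D2(config)#interface vlan 100
D2(config-if)#standby 1 ip 10.1.1.1"""
BROKEN = ARTICLE.replace("priority 110", "priority 90") + """
D2(config)#interface g0/0
D2(config-if)#switchport mode trunk
D2(config-if)#spanning-tree portfast"""
```

audit(parse(ARTICLE)) returns no findings for the configuration as published; audit(parse(BROKEN)) reports both the trunk-port portfast and the HSRP/STP mismatch.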

OK, now I've shown you how to configure the L2 and L3 portions of our ever-growing network (within this series) from the access to the distribution layers. Notice how in each configuration the Layer 2 command entries come before the Layer 3 commands, ensuring you don't get caught troubleshooting, say, OSPF when the real problem is a misconfigured VLAN.

The stage is now set for the next article in the series, when I show you how to configure the core devices. We'll also look at what commands can be useful in verifying operations are running smoothly.


Doug Downer (CCIE #9848) is a Sr. Consultant with Callisma, INC, a wholly owned subsidiary of SBC Communications. Doug has over 7 years in the industry and currently provides high level business and technology consulting for various federal clients in the Washington D.C. area.

