This article is the second in a small series designed to help the common network engineer with practical configurations for networking devices. In the last tip I focused on using base configurations such as SNMP and NTP as well as configuring the access devices in your network. This week I will move the focus onto the configuration of the distribution devices.
Recall from the last tip that we have configured VLANs, user ports and VTP on the access devices. Remember to use the following topology as a guideline:
Don't forget that using the interface range command can help save time in configurations. By not having to configure each individual port separately, this command can help you to apply large interface-based command sets quickly. Remember that last week we configured our Access-1 switch's user ports to belong to VLAN10 (user-vlan) with the following commands:
Access-1(config)#interface range fa0/0 – 24 Access-1(config-if)#switchport mode access Access-1(config-if)#switchport access vlan 10 Access-1(config-if)#duplex full/half Access-1(config-if)#speed 100 Access-1(config-if)#spanning-tree portfast
I mentioned in the last article that Spanning Tree was beyond the scope of what we were trying to accomplish with the access switches. In this article, however, STP is fair game.
The purpose of the portfast command on user ports is to allow for fast transition of these ports to forwarding mode. As an engineer you don't want to have to wait ~50s for a customer to come up after you've plugged them into your switch. The delay of course is due to the transition of the port from listening to forwarding. This command is NOT to be used on ports connecting to other Layer 2 devices; doing so could seriously damage your network. The other item relevant to STP on the access devices (and this article) is the switch priority. Generally it is best practice to manipulate the spanning tree priorities so the root bridge is not an access device. I am assuming at this point that the distribution layer in the network is comprised of Layer 3 switches. The reason for this is that many networks are configured in such a manner that the distribution layer is the first routing point in the network – meaning the users first hit a router at the distribution layer! Configuring the STP priorities so that these distribution layer devices and not the access layer devices become the root of the spanning tree is important in troubleshooting and overall knowledge of traffic flow.
In the diagram above, D1 has been configured as the primary Root of the Spanning Tree in the default VLAN. This configuration will assure that traffic (L2) will travel from Access-1 to D1. If a failure occurs, traffic will shift from Access-1 to D2. This topology is very common in networks today. Hot Standby Router Protocol (HSRP) is also commonly used for gateway redundancy – in this case between D1 and D2. See Below.
It's important to know that when using L2 topologies such as this with HSRP the Active HSRP gateway must also be the STP root bridge.
Configuring STP, HSRP and OSPF
Using the diagram below, I'll show you how to configure all of the topics I've talked about in this article. Remember that I am assuming all the base configurations have been applied.
The configurations below will incorporate each of the topics in this article. I will use the above diagram as a reference for these configurations. It's important when configuring each device that you "develop and verify" each layer of your configurations. This means don't configure OSPF before you verify your STP operation. This will allow you to methodically move from Layer 1 to Layer 3+ configurations without having to waste time troubleshooting an underlying issue which you might not have seen otherwise.
Access-1 Access-1(config)#vlan 100 Access-1(config-vlan)#name user-vlan Access-1(config)#interface g0/0 Access-1(config-if)#switchport encapsulation dot1q Access-1(config-if)#switchport mode trunk Access-1(config-if)#switchport trunk allowed vlan 100 Access-1(config)#interface g0/1 Access-1(config-if)#switchport encapsulation dot1q Access-1(config-if)#switchport mode trunk Access-1(config-if)#switchport trunk allowed vlan 100 Access-1(config)#interface vlan 100 Access-1(config-if)#description Layer 3 Address for Device Management Access-1(config-if)#ip address 10.1.1.4 255.255.255.0 Access-1(config-if)#no shut D1 D1(config)#vlan 100 D1(config-vlan)#name user-vlan D1(config)#spanning-tree vlan 100 root primary D1(config)#interface g0/0 D1(config-if)#switchport encapsulation dot1q D1(config-if)#switchport mode trunk D1(config-if)#switchport trunk allowed vlan 100 D1(config)#interface vlan 100 D1(config-if)#ip address 10.1.1.2 255.255.255.0 D1(config-if)#standby 1 ip 10.1.1.1 D1(config-if)#standby 1 priority 110 D1(config-if)#standby 1 preempt D1(config)#interface loopback0 D1(config-if)#description Interface used for OSPF, BGP, Logging, etc. D1(config-if)#ip address 188.8.131.52 255.255.255.255 D1(config)#router ospf 1 D1(config-router)#router-id 184.108.40.206 D1(config-router)#network 220.127.116.11 0.0.0.0 area 0 D1(config-router)#network 10.1.1.0 0.0.0.255 area 0 D2 D2(config)#vlan 100 D2(config-vlan)#name user-vlan D2(config)#spanning-tree vlan 100 root secondary D2(config)#interface g0/0 D2(config-if)#switchport encapsulation dot1q D2(config-if)#switchport mode trunk D2(config-if)#switchport trunk allowed vlan 100 D2(config)#interface vlan 100 D2(config-if)#ip address 10.1.1.3 255.255.255.0 D2(config-if)#standby 1 ip 10.1.1.1 D2(config)#interface loopback0 D2(config-if)#description Interface used for OSPF, BGP, Logging, etc. D2(config-if)#ip address 18.104.22.168 255.255.255.255 D2(config)#router ospf 1 D2(config-router)#router-id 22.214.171.124 D2(config-router)#network 126.96.36.199 0.0.0.0 area 0 D2(config-router)#network 10.1.1.0 0.0.0.255 area 0
OK, now I've shown you how to configure the L2 and L3 portions of our ever growing network (within this series) from the Access to Distribution Layers. Notice how in each configuration the Layer 2 command entries come before the Layer 3 commands ensuring you don't get caught troubleshooting say, OSPF when the real problem is a mis-configured VLAN.
The stage is now set for the next article in the series, when I show you how to configure the core devices. We'll also look at what commands can be useful in verifying operations are running smoothly.
Doug Downer (CCIE #9848) is a Sr. Consultant with Callisma, INC, a wholly owned subsidiary of SBC Communications. Doug has over 7 years in the industry and currently provides high level business and technology consulting for various federal clients in the Washington D.C. area.