Changes between Version 28 and Version 29 of Internal/OpenFlow/Notes

Timestamp:

Jan 4, 2010, 10:59:08 PM (15 years ago)

Author:

akoshibe

Comment:

—

Internal/OpenFlow/Notes

@@ -396 +396 @@
 moral of the story: double check configuration changes.  
 
+== 12/31-Top switch configs. ==
+
+VLAN 50 is the only real exposed VLAN - 4 ports (DMZ, 2 planet lab, firewall out)
+1001-1005 - Cisco associated (ignore)
+9,10- not used 
+
+ports can be divided up into 3 groups
+
+ 1. Infrastructure - Not really visible to user - Aruba, Internal, Instrumental ect - VLANs 1-6  
+ 2. Experimental - Pertains to Grid, outdoor, Sandboxes - VLANs 7,8,11-38
+ 3. Public - Visible from outside - VLAN 50
+
+We want to combine the internal, firewall feed, and top switch port configs onto one NEC IP8800. The ports that comprise this  setup are:
+
+ 1. 4 VLAN 50 ports (ports 1-4)
+ 1. 4 firewall ports (only 3 actually needed to go into ASA)
+ 1. 10 Internal (VLAN 2) Ports
+ 1. 16 Top switch ports (Assorted, originally 20 including 4 VLAN 50 ports)
+
+ 
+refrences (these are in Japanese):
+
+ * port config parameter specs: http://www.nec.co.jp/ip88n/s36_sw/html/cfref/cfref-chap1-4.html
+ * interface vlan context specs: http://www.nec.co.jp/ip88n/s36_sw/html/cfref/cfref-chap11-03.html
+ * vlan context specs: http://www.nec.co.jp/ip88n/s36_sw/html/cfref/cfref-chap11-22.html
+
+=== Creating VLANs ===
+
+Step 1 of switch configs always start off with creating vlans. you can create a single VLAN using the command [[BR]]
+`interface vlan <vlan-number>`
+
+However, VLAN creation cannot be done in groups using the command [[BR]]
+`interface range vlan <vlan-range>` 
+
+Like in group configs of ports. This will return an error 
+{{{
+(config)# interface range vlan 7-38
+interface : Not found VLAN-ID <7>.
+}}}
+
+Hence, when you need to make ranges of VLANs you must specify the range of VLANs to create using the command [[BR]]
+`vlan <vlan-range>`
+
+making the commands to create the vlans necessary for this switch into these lines on the CLI:
+{{{
+(config)# vlan 1-8 
+!(config-vlan)# vlan 11-48
+!(config-vlan)# vlan 50
+!(config-vlan)# save
+(config-vlan)# 
+}}}
+
+----
+<side-tracking!> 
+
+Then, you may ask, why have the "interface vlan" context?. To be able to understand this, you need to know that the "interface vlan" context lets you treat a VLAN as an abstraction layer that allows access to both Layer 2 and 3 information for a specific group of hosts. This means using the "interface vlan" context allows you to actually specify IP layer characteristics for groups of hosts based on which vlans they belong in. This is, as you may guess, quite useful.  
+
+The `interface range vlan` context can be used to configure groups of already existing vlans. So given that you have a group of vlans, you can configure them all at once like this: 
+
+{{{
+(config)# #this switch already has vlans 1-6 on it
+(config)# interface range vlan 1-5
+(config-if-range)# sh
+interface vlan 1
+!
+interface vlan 2
+!
+interface vlan 3
+!
+interface vlan 4
+!
+interface vlan 5
+!
+}}} 
+
+In this case, you can see that you enter the proper (config-if-range)# mode. doing a `show` in this mode lets you see which vlans you are configuring together.  
+
+</side-tracking!>
+----
+=== Naming VLANs ===
+
+Once all VLANs are created, you'd want to name them. this is done through the `vlan` context.
+
+{{{
+(config-vlan)# vlan 2
+(config-vlan)# name "Internal"
+}}}
+
+rinse and repeat this process. A table of the vlans coming up soon. 
+
+=== Associating VLANs with ports ===
+
+Now that you have properly named VLANs, you can associate them with ports. 
+
+<<here will be the diagram of the switchports layout of the configs.>>
+
+first, the 4 publically visible VLAN 50 ports:
+{{{
+(config)# int range gi 0/1-4
+(config-if-range)# switchport access vlan 50
+}}}
+
+Then, the firewall ports feeding the VLANs into the ASA; These are specialized trunk ports:
+
+ * geth0/7 - VLAN 50
+ * geth0/8 - VLANs 1-6
+ * geth0/9 - VLANs 7,8
+ * geth0/10 - VLANs 11-38
+
+The commands to make this happen are the following. First make four ports into trunk ports using the 'interface range' context:
+{{{
+(config)# int ran gi 0/7-10
+(config-if-range)# sw mo tru
+!(config-if-range)#
+}}}
+
+Then, specify allowed VLANs for each port. This is according to the list above. 
+{{{
+!(config-if-range)# ##geth0/7 - VLAN 50##
+!(config-if-range)# interface gigabitethernet 0/7
+!(config-if)# swi trunk allowed vlan 50 
+!(config-if)# ##geth0/8 - VLANs 1-6##
+!(config-if)# interface gi 0/8
+!(config-if)# swi trunk allow vlan 1-6
+!(config-if)# ##geth0/9 - VLANs 7,8##
+!(config-if)# interface gi 0/9
+!(config-if)# swi tru all vl 7,8
+!(config-if)# ##geth0/10 - VLANs 11-37##
+!(config-if)# interface gi 0/10
+!(config-if)# swi tru all vl 11-38
+!(config-if)# save
+(config-if)# exit
+}}}
+
+the configuration results:
+{{{
+(config)# int ran gi 0/7-10
+(config-if-range)# sh
+interface gigabitethernet 0/7
+  switchport mode trunk
+  switchport trunk allowed vlan 50
+!
+interface gigabitethernet 0/8
+  switchport mode trunk
+  switchport trunk allowed vlan 1-6
+!
+interface gigabitethernet 0/9
+  switchport mode trunk
+  switchport trunk allowed vlan 7-8
+!
+interface gigabitethernet 0/10
+  switchport mode trunk
+  switchport trunk allowed vlan 11-38
+!
+}}}
+
+Next, the 10 Internal ports; These are regular switchports all associated to VLAN 2.
+{{{
+(config)# int ran gi 0/13-22
+(config-if-range)# sw mo dot1q-tunnel 
+!(config-if-range)# sw acc vlan 2
+}}}
+
+Finally, the sw_top configurations; This is perhaps the most complicated part. the ports will be configured from 0/48 to leave ample space between the Internal ports and these ports, which are all specialized trunk ports (we won't want people to accidentally be able to plug into them!).  
+
+
+organizing them: 
+
+ Infrastructure VLANs                                   
+ ||port ||VLANs         ||Description                   ||
+ ||0/29 ||1,2           ||Internal (1)                  || 
+ ||0/30 ||1,2           ||Internal (2)                  || 
+ ||0/31 ||1,3           ||CM                            || 
+ ||0/32 ||1,4,5         ||Aruba, Instrumental           || 
+ ||0/33 ||1,6           ||DMZ                           || 
+ ||0/34 ||1-6           ||Main Subnets                  || 
+ 
+ Testbed VLANs                                  
+ ||0/37 ||1,3,29,30     ||CM, Outdoor Data and Ctrl     || 
+ ||0/38 ||1,7,31:2:37   ||Grid and VGrid Ctrl           || 
+ ||0/39 ||1,8           ||Grid Data                     || 
+ ||0/40 ||7,8           ||Grid Data and Ctrl            || 
+ ||0/41 ||1,6-8         ||DMZ, Grid Data and Ctrl       || 
+ ||0/42 ||11-48         ||??                            || 
+ ||0/43 ||1,11-38       ||Testbed Data and Ctrl         || 
+ ||0/44 ||1,3,11-38     ||CM, Testbed Data and Ctrl     || 
+ 
+ Master Trunk                                           
+ ||0/47 ||1             ||Access Net                    || 
+ ||0/48 ||1-38          ||Master Trunk                  || 
+----
+<side-tracking!> 
+
+The error messages are quite...verbose. 
+
+{{{
+!(config-if)# sw tru all vlan 10-48
+interface : Can't set switchport trunk allowed vlan which is not configured to use vlan vlan 10.
+}}}
+
+This simply means you are trying to add a nonexistent vlan to the list of allowed VLANs for a trunk. Make sure the VLAN exists before trying to add it! 
+
+</side-tracking!> 
+----
+
+=== killing Spanning Tree ===
+Spanning Tree Protocol should be disabled. Both PVST and PVST+ count as spanning tree. 
+
+{{{
+!(config)# no spanning-tree vlan 3,7,8,11-38
+!(config)# save
+}}}
+
+
 
 [[BR]]