= sw-top =

This is the root switch of the Orbit network. It also carries the firewall and Internal switch ports.

== Legacy switch layout ==

VLAN 50 is the publicly exposed VLAN - 4 ports (DMZ, 2 PlanetLab, firewall out)

VLANs 1001-1005 - Cisco associated (ignore)

Ports 9,10 - not used

The ports can be divided into 3 groups:

 1. Infrastructure - Not really visible to users - Aruba, Internal, Instrumental etc. - VLANs 1-6
 1. Experimental - Pertains to Grid, Outdoor, Sandboxes - VLANs 7,8,11-38
 1. Public - Visible from outside - VLAN 50

== IP8800 sw-top layout ==

We want to combine the internal, firewall feed, and top switch port configs onto one NEC IP8800. The ports that comprise this setup are:

 1. 4 VLAN 50 ports (ports 1-4)
 1. 4 firewall ports (only 3 actually needed to go into the ASA)
 1. 10 Internal (VLAN 2) ports
 1. 16 top switch ports (assorted, originally 20 including the 4 VLAN 50 ports)

References (these are in Japanese):

 * port config parameter specs: http://www.nec.co.jp/ip88n/s36_sw/html/cfref/cfref-chap1-4.html
 * interface vlan context specs: http://www.nec.co.jp/ip88n/s36_sw/html/cfref/cfref-chap11-03.html
 * vlan context specs: http://www.nec.co.jp/ip88n/s36_sw/html/cfref/cfref-chap11-22.html

=== Creating VLANs ===

< A table of the VLANs coming up soon. >

=== Associating VLANs with ports ===

Now that you have properly named VLANs, you can associate them with ports.

First, the 4 publicly visible VLAN 50 ports:

{{{
(config)# int range gi 0/1-4
(config-if-range)# switchport access vlan 50
}}}

Then, the firewall ports feeding the VLANs into the ASA. These are specialized trunk ports:

 * geth0/7 - VLAN 50
 * geth0/8 - VLANs 1-6
 * geth0/9 - VLANs 7,8
 * geth0/10 - VLANs 11-38

The commands to make this happen are the following. First make the four ports into trunk ports using the 'interface range' context:

{{{
(config)# int ran gi 0/7-10
(config-if-range)# sw mo tru
!(config-if-range)#
}}}

Then, specify the allowed VLANs for each port, according to the list above:

{{{
!(config-if-range)# ##geth0/7 - VLAN 50##
!(config-if-range)# interface gigabitethernet 0/7
!(config-if)# swi trunk allowed vlan 50
!(config-if)# ##geth0/8 - VLANs 1-6##
!(config-if)# interface gi 0/8
!(config-if)# swi trunk allow vlan 1-6
!(config-if)# ##geth0/9 - VLANs 7,8##
!(config-if)# interface gi 0/9
!(config-if)# swi tru all vl 7,8
!(config-if)# ##geth0/10 - VLANs 11-38##
!(config-if)# interface gi 0/10
!(config-if)# swi tru all vl 11-38
!(config-if)# save
(config-if)# exit
}}}

The resulting configuration:

{{{
(config)# int ran gi 0/7-10
(config-if-range)# sh
interface gigabitethernet 0/7
  switchport mode trunk
  switchport trunk allowed vlan 50
!
interface gigabitethernet 0/8
  switchport mode trunk
  switchport trunk allowed vlan 1-6
!
interface gigabitethernet 0/9
  switchport mode trunk
  switchport trunk allowed vlan 7-8
!
interface gigabitethernet 0/10
  switchport mode trunk
  switchport trunk allowed vlan 11-38
!
}}}

Next, the 10 Internal ports. These are regular switchports, all associated with VLAN 2:

{{{
(config)# int ran gi 0/13-22
(config-if-range)# sw mo dot1q-tunnel
!(config-if-range)# sw acc vlan 2
}}}

Finally, the sw-top configuration. This is perhaps the most complicated part. The ports will be configured from 0/48 downwards, to leave ample space between the Internal ports and these ports, which are all specialized trunk ports (we don't want people to be able to plug into them by accident!). Organizing them:

Infrastructure VLANs

||port ||VLANs ||Description ||
||0/29 ||1,2 ||Internal (1) ||
||0/30 ||1,2 ||Internal (2) ||
||0/31 ||1,3 ||CM ||
||0/32 ||1,4,5 ||Aruba, Instrumental ||
||0/33 ||1,6 ||DMZ ||
||0/34 ||1-6 ||Main Subnets ||

Testbed VLANs

||port ||VLANs ||Description ||
||0/37 ||1,3,29,30 ||CM, Outdoor Data and Ctrl ||
||0/38 ||1,7,31:2:37 ||Grid and VGrid Ctrl ||
||0/39 ||1,8 ||Grid Data ||
||0/40 ||7,8 ||Grid Data and Ctrl ||
||0/41 ||1,6-8 ||DMZ, Grid Data and Ctrl ||
||0/42 ||11-48 ||?? ||
||0/43 ||1,11-38 ||Testbed Data and Ctrl ||
||0/44 ||1,3,11-38 ||CM, Testbed Data and Ctrl ||

Master Trunk

||port ||VLANs ||Description ||
||0/47 ||1 ||Access Net ||
||0/48 ||1-38 ||Master Trunk ||

=== Killing Spanning Tree ===

Spanning Tree Protocol should be disabled. Both PVST and PVST+ count as spanning tree.

{{{
!(config)# no spanning-tree vlan 3,7,8,11-38
!(config)# save
}}}
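An added consistency check on the trunk tables above (example code, not part of the original page or of any NEC tooling): it expands the tables' VLAN shorthand, including the 31:2:37 step form, and flags any trunk other than the firewall feed that carries the public VLAN 50, any VLAN absent from the 0/48 master trunk (which catches the 0/42 row marked ??), and any VLAN fed to the ASA on more than one port. The port-to-VLAN dictionary is transcribed from the tables; the three rules are my assumptions about the segregation the page intends.

```python
import re

PUBLIC_VLAN = 50      # the only publicly exposed VLAN on this page
PUBLIC_FEED = "0/7"   # the one trunk that may carry it (into the ASA)
MASTER_TRUNK = "0/48"
FIREWALL_FEEDS = ("0/7", "0/8", "0/9", "0/10")

# Trunk port -> allowed-VLAN spec, transcribed from the tables on this page.
# "31:2:37" is the table's start:step:end shorthand (31, 33, 35, 37).
TRUNKS = {
    "0/7": "50", "0/8": "1-6", "0/9": "7,8", "0/10": "11-38", "0/29": "1,2",
    "0/30": "1,2", "0/31": "1,3", "0/32": "1,4,5", "0/33": "1,6", "0/34": "1-6",
    "0/37": "1,3,29,30", "0/38": "1,7,31:2:37", "0/39": "1,8", "0/40": "7,8",
    "0/41": "1,6-8", "0/42": "11-48", "0/43": "1,11-38", "0/44": "1,3,11-38",
    "0/47": "1", "0/48": "1-38",
}

def expand(spec):
    """Expand 'a,b-c,d:step:e' (the table shorthand) into a set of VLAN ids."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+)|:(\d+):(\d+))?", part)
        if not m:
            raise ValueError(f"bad VLAN spec: {part!r}")
        start = int(m.group(1))
        if m.group(2):                      # start-end range
            vlans.update(range(start, int(m.group(2)) + 1))
        elif m.group(3):                    # start:step:end range
            vlans.update(range(start, int(m.group(4)) + 1, int(m.group(3))))
        else:
            vlans.add(start)
    return vlans

def audit(trunks=TRUNKS):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    master = expand(trunks[MASTER_TRUNK])
    for port, spec in trunks.items():
        vlans = expand(spec)
        if PUBLIC_VLAN in vlans and port != PUBLIC_FEED:
            findings.append(f"{port} carries public VLAN {PUBLIC_VLAN}")
        if extra := sorted(vlans - master - {PUBLIC_VLAN}):
            findings.append(f"{port} allows VLANs absent from the master trunk: {extra}")
    seen = {}  # every VLAN should reach the ASA on exactly one feed port
    for port in FIREWALL_FEEDS:
        for v in sorted(expand(trunks[port])):
            if v in seen:
                findings.append(f"VLAN {v} fed to the ASA on both {seen[v]} and {port}")
            seen[v] = port
    return findings
```

Run against the tables as transcribed, the only finding is the 0/42 row, whose 11-48 range reaches past the 1-38 master trunk.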