[–]a_cute_epic_axisJust 'cause it ain't in my flair doesn't mean I don't have certs 3 points4 points  (0 children)

Looking good. Don't forget to kick on RSTP, portfast, and bpduguard or rootguard. (Though those are probably above CCENT level, to be fair).

Also ditch the http server!

[–]Cydunia 1 point2 points  (3 children)

You use DTP for trunking?

[–]JustAnotherITGuy-WGU-BSIT-Sec[S] 0 points1 point  (2 children)

Honestly I'm not sure. I used the switchport trunk command.

[–]zanfarCCENT 1 point2 points  (1 child)

He's asking because you don't use nonegotiate on your trunks.

[–]JustAnotherITGuy-WGU-BSIT-Sec[S] 0 points1 point  (0 children)

That was a leftover command I forgot to remove when it was set to switchport mode access.

I also realized that I don't have to assign an IP to each VLAN if I'm building it out as ROAS. Burned three IP addresses there.

I left VLAN 1 because the AP did not want to work right without VLAN 1.

Ubiquiti wanted to be in VLAN 1 or it would not communicate back to the software. Still researching that one. I ended up enabling a second NIC on a server and placing that NIC in VLAN 1 to communicate back to the AP.

[–]zanfarCCENT 1 point2 points  (15 children)

[–]JustAnotherITGuy-WGU-BSIT-Sec[S] 0 points1 point  (2 children)

I just learned what each of those are. Thanks for the info. I'll change those in the morning.

[–]zanfarCCENT 0 points1 point  (1 child)

I just noticed another minor annoyance of mine: don't use the 'admin' account, create a descriptive username.

[–]JustAnotherITGuy-WGU-BSIT-Sec[S] 0 points1 point  (0 children)

ha ha, 10-4.

[–]JustAnotherITGuy-WGU-BSIT-Sec[S] 0 points1 point  (7 children)

I'm still having a hard time wrapping my head around not using VLAN 1. I get that I can put any interface in any VLAN, but "dumb" devices / untagged traffic has to go somewhere. If I drop VLAN 1 and put everything in VLAN 10, would it not also have to be changed to the default VLAN so untagged traffic could flow? Wouldn't that end up being where all new interfaces were added?

Or is this a security measure, in that any other device would have to be set to use VLAN 10 to communicate, meaning all other devices default to VLAN 1, so no communication?

[–]zanfarCCENT 1 point2 points  (6 children)

If you "put an interface in a VLAN" then the untagged traffic goes on that VLAN. Almost all devices are "dumb" and untagged and they get put in VLANs all the time. There are no host changes needed to communicate with a different VLAN on an access port.

The reason I suggest not to use VLAN 1 is exactly because it is the default. When someone does a half-ass job, forgets to set the Access VLAN, or plugs in a badly-configured switch, that traffic ends up on VLAN 1. I don't want that traffic in my production VLANs, so I black hole it. If a port doesn't work until you set an access VLAN, then there is a much greater chance you will pay attention to which VLAN it should be, instead of just plugging-and-praying.

Edit: this is the same reasoning behind setting your VTP domain and password even if you run in transparent mode, or being specific about your trunk's allowed VLANs, or using boot system flash messages instead of letting ROMMON pick, or using the 0.0.0.0 wildcard to select interfaces--the only times being specific is a nuisance is when you weren't paying attention in the first place.

[–]JustAnotherITGuy-WGU-BSIT-Sec[S] 1 point2 points  (0 children)

Thanks, I'm not sure if you guys know how much even the little pieces of info tie larger units together. Makes much more sense now. I'll see if I can dump VLAN 1 tomorrow.

[–]JustAnotherITGuy-WGU-BSIT-Sec[S] 0 points1 point  (4 children)

So is this correct?

interface GigabitEthernet1/0/1
  description NG port 1 Default
  switchport access vlan 2
  switchport trunk native vlan 2
  switchport mode access
  switchport nonegotiate
!
interface GigabitEthernet1/0/2
  description NG port 2 Vlans (Trunk)
  switchport access vlan 2
  switchport trunk native vlan 2
  switchport trunk allowed vlan 2,10,20
  switchport mode trunk
!
interface GigabitEthernet1/0/8
  switchport access vlan 10
  switchport trunk native vlan 10
  switchport mode access
  switchport nonegotiate
  spanning-tree portfast
!
interface GigabitEthernet1/0/9
  switchport access vlan 10
  switchport trunk native vlan 10
  switchport mode access
  switchport nonegotiate
  spanning-tree portfast
!
interface GigabitEthernet1/0/10
  switchport access vlan 2
  switchport trunk native vlan 2
  switchport mode access
  switchport nonegotiate
  spanning-tree portfast
!
interface GigabitEthernet1/0/11
  description WIFI Vlans (trunk)
  switchport access vlan 2
  switchport trunk native vlan 2
  switchport trunk allowed vlan 2,10,20
  switchport mode trunk

[–]zanfarCCENT 0 points1 point  (3 children)

Looks better.

Another best practice is to use a black-hole VLAN for your trunk native traffic as well. The idea here is that all traffic on a trunk should be specifically addressed to a particular VLAN. This also helps prevent VLAN jumping with mismatched native VLANs.

My go-to switch config for an interface is:

spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
vlan 998
  name NO_ACCESS
vlan 999
  name TRUNK_NATIVE
!
interface GigabitEthernet0/0
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 999
  switchport trunk allowed vlan none
  switchport access vlan 998
  switchport mode access
  switchport nonegotiate
  shutdown

I can then allow what is necessary from there if I need the port. It has to be turned on, and either the access VLAN specified, or flipped to a trunk and the allowed VLANs specified. Either way, it's almost impossible to create a security hole by forgetting something or plugging something in.

[–]JustAnotherITGuy-WGU-BSIT-Sec[S] 0 points1 point  (2 children)

I guess I am confused as to the native VLAN terminology. In my head, if I have VLAN 100 and interfaces in that VLAN, then all those interfaces should use VLAN 100 as native to keep untagged traffic on the VLAN that they are members of. Is this right or not?

[–]zanfarCCENT 0 points1 point  (1 child)

"interfaces in that VLAN" usually means access ports. Access ports don't have a native VLAN because all traffic is sent untagged. The understanding is that the host on the other end is ignorant of 802.1Q tagging (is ignoring VLANs). Most hosts work this way, so the switch adds a VLAN tag when a frame is received and strips the VLAN tag off before a frame is sent.

A Trunk is for communicating with devices that understand tagging--usually other network hardware, but also servers, hypervisors, and some advanced hosts. On a trunk, all traffic is sent tagged except for the native VLAN. The switch strips the tag from any frames in the native VLAN before sending and assumes that any untagged frames it receives belong to the native VLAN.

This is why it's important to use precise language. Access ports do not have native VLANs, and Trunk ports do not have access VLANs. You don't "put an interface in a VLAN", you specify the access VLAN for an access port.

You almost never want most of your access interfaces in the same VLAN as your trunk native VLANs if you have a VLAN setup. The point of putting switch ports in different VLANs is so that they can be tagged and segregated.

In the config I posted, neither VLAN 998 nor VLAN 999 should ever leave the switch--they should not be allowed on any trunks. This way, any untagged trunk traffic, or random devices on unconfigured access ports, doesn't go anywhere.

[–]JustAnotherITGuy-WGU-BSIT-Sec[S] 0 points1 point  (0 children)

Is this correct?

!
interface GigabitEthernet1/0/1
  description NG port 1 Default
  switchport access vlan 2
  switchport mode access
  switchport nonegotiate
!
interface GigabitEthernet1/0/2
  description NG port 2 Vlans (Trunk)
  switchport trunk allowed vlan 2,10,20
  switchport mode trunk

[–]JustAnotherITGuy-WGU-BSIT-Sec[S] 0 points1 point  (3 children)

How do you specify the specific VLANs allowed on a trunk? switchport mode trunk vlan 10, 20 ?

[–]zanfarCCENT 0 points1 point  (2 children)

switchport trunk allowed vlan {all | none | [add | remove | except] vlan-atom [,vlan-atom...]}
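The two things zanfar has been explaining in this thread, the black-hole access/native VLAN port template and the `switchport trunk allowed vlan` keyword forms above, are easy to check mechanically against a running-config. The script below is an added example, not anything posted in the thread and not a Cisco tool: it expands IOS VLAN lists (including `10-12` ranges), applies the `all | none | add | remove | except | list` forms in the order they appear, then audits each interface stanza for the mistakes discussed (port mode left to DTP, access VLAN 1, native VLAN 1 or a production native VLAN on a trunk, an unrestricted allowed list, and black-hole VLANs leaking across a trunk). The sample config is constructed and loosely modelled on the thread; the assumption that an unconfigured port defaults to DTP negotiation, and the choice of 998/999 as the black-hole VLANs, are taken from zanfar's template rather than from any platform documentation.

```python
"""Audit Cisco IOS switchport stanzas for the trunk/access hygiene points
raised in the thread. Added example; the sample config is constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

ALL_VLANS = frozenset(range(1, 4095))
BLACKHOLE = frozenset({998, 999})   # assumption: zanfar's NO_ACCESS / TRUNK_NATIVE VLANs


def expand_vlan_list(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '2,10-12,20' into a set of ints."""
    result: set[int] = set()
    for atom in spec.replace(" ", "").split(","):
        if not atom:
            continue
        if "-" in atom:
            lo, hi = atom.split("-", 1)
            result.update(range(int(lo), int(hi) + 1))
        else:
            result.add(int(atom))
    return result


def apply_allowed_vlan(current: set[int], args: str) -> set[int]:
    """Apply the argument of 'switchport trunk allowed vlan ...' to the
    current allowed set, following the all|none|add|remove|except|list forms."""
    keyword, _, rest = args.strip().partition(" ")
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return current | expand_vlan_list(rest)
    if keyword == "remove":
        return current - expand_vlan_list(rest)
    if keyword == "except":
        return set(ALL_VLANS) - expand_vlan_list(rest)
    return expand_vlan_list(args)   # a plain list replaces the whole set


@dataclass
class Port:
    name: str
    mode: str = "dynamic"          # assumption: an unconfigured port still runs DTP
    access_vlan: int = 1           # IOS default access VLAN
    native_vlan: int = 1           # IOS default trunk native VLAN
    allowed: set[int] = field(default_factory=lambda: set(ALL_VLANS))
    nonegotiate: bool = False
    shutdown: bool = False


def parse_ports(config: str) -> list[Port]:
    """Collect the switchport settings from each 'interface' stanza."""
    ports: list[Port] = []
    cur: Port | None = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = Port(name=line.split(None, 1)[1])
            ports.append(cur)
        elif line == "!":
            cur = None                      # stanza terminator
        elif cur is None:
            continue                        # global config, e.g. 'vlan 998'
        elif line.startswith("switchport mode "):
            cur.mode = line.split()[2]      # 'dynamic auto' -> 'dynamic'
        elif line.startswith("switchport access vlan "):
            cur.access_vlan = int(line.split()[3])
        elif line.startswith("switchport trunk native vlan "):
            cur.native_vlan = int(line.split()[4])
        elif line.startswith("switchport trunk allowed vlan "):
            cur.allowed = apply_allowed_vlan(cur.allowed, line.split(None, 4)[4])
        elif line == "switchport nonegotiate":
            cur.nonegotiate = True
        elif line == "shutdown":
            cur.shutdown = True
    return ports


def audit(port: Port, blackhole: frozenset[int] = BLACKHOLE) -> list[str]:
    """Return findings for one port; a shut-down port is treated as safe."""
    findings: list[str] = []
    if port.shutdown:
        return findings
    if port.mode not in ("access", "trunk"):
        findings.append("port mode not pinned: DTP may negotiate a trunk")
        return findings
    if port.mode == "access":
        if port.access_vlan == 1:
            findings.append("access VLAN is 1: forgotten ports land in the default VLAN")
        return findings
    if not port.nonegotiate:
        findings.append("trunk without 'switchport nonegotiate': DTP still runs")
    if port.native_vlan == 1:
        findings.append("native VLAN is 1: untagged trunk traffic reaches the default VLAN")
    elif port.native_vlan not in blackhole:
        findings.append(f"native VLAN {port.native_vlan} is a production VLAN, not a black hole")
    if port.allowed == ALL_VLANS:
        findings.append("allowed VLAN list is unrestricted")
    if port.allowed & blackhole:
        findings.append("black-hole VLAN(s) allowed across the trunk")
    return findings


def audit_config(config: str) -> dict[str, list[str]]:
    """Map each interface name to its list of findings."""
    return {p.name: audit(p) for p in parse_ports(config)}


# Constructed sample: one sloppy trunk, one hardened trunk, one access port,
# one never-configured port, and zanfar's shut-down template port.
SAMPLE_CONFIG = """\
vlan 998
  name NO_ACCESS
vlan 999
  name TRUNK_NATIVE
!
interface GigabitEthernet1/0/1
  description uplink left at defaults
  switchport mode trunk
!
interface GigabitEthernet1/0/2
  description trunk to router
  switchport trunk native vlan 999
  switchport trunk allowed vlan 2,10,20
  switchport mode trunk
  switchport nonegotiate
!
interface GigabitEthernet1/0/8
  switchport access vlan 10
  switchport mode access
  spanning-tree portfast
!
interface GigabitEthernet1/0/9
  description never configured
!
interface GigabitEthernet0/0
  switchport trunk native vlan 999
  switchport trunk allowed vlan none
  switchport access vlan 998
  switchport mode access
  switchport nonegotiate
  shutdown
"""

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'ok' if not findings else '; '.join(findings)}")
```

Run against a saved `show running-config`, the only ports that come back clean are the ones where somebody made a deliberate choice: an access VLAN other than 1, or a trunk with a black-hole native VLAN, a pinned mode and an explicit allowed list. That is the "plug-and-pray" failure mode zanfar describes, turned into a check you can run before a port goes live.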

[–]JustAnotherITGuy-WGU-BSIT-Sec[S] 0 points1 point  (1 child)

Thanks, I actually wondered if I could restrict it when I set it up. But if I didn't know the commands, I didn't allow myself to go look them up. My version of pass/fail.

[–]zanfarCCENT 1 point2 points  (0 children)

C3750X IOS 15.2 Command Reference: one of the two testaments of the Route/Switch bible.

[–]IDA_noob 1 point2 points  (0 children)

You are missing -

logging host x.x.x.x - point this to your syslog server

ntp server x.x.x.x - point this to your ntp server

[–]JustAnotherITGuy-WGU-BSIT-Sec[S] 0 points1 point  (0 children)

Two reasons for doing this project. One, I wanted to see if I could do it without having to look at a book. The second reason is that Macs are chatty little bastards. I put the Macs in VLAN 20 and the Windows boxes in VLAN 10. VLAN 10 is almost twice as fast as before the project.