Posted by WGU-BSIT-Sec · 4 days ago

Finished my first working config

This is a dual internet connection, with one Ubiquiti AP Pro on site. Had to trunk the AP port. Had to use two switch ports due to the Barracuda NG. Take a look and tell me what I could do differently. The switch provides working DHCP for VLAN 20 and it even works through the WiFi. I should be getting close to ready for the CCENT, I hope.

Current configuration : 8373 bytes
!
! Last configuration change at 14:58:18 CST Wed May 16 2018
! NVRAM config last updated at 15:09:49 CST Wed May 16 2018
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MGM-2960s
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$5oAQ$NXSM0keyGxkChvJirU4j1/
!
username admin secret 5 $1$DcU/$/K2xf4IneNtdxOs5qNwWp.
no aaa new-model
clock timezone CST -6 0
switch 1 provision ws-c2960s-48lps-l
ip dhcp excluded-address 192.168.20.1 192.168.20.99
ip dhcp excluded-address 192.168.20.200 192.168.20.254
!
ip dhcp pool VLAN20
 network 192.168.20.0 255.255.255.0
 domain-name REMOVED.com
 default-router 192.168.20.1
 dns-server 8.8.8.8
 lease 5
!
!
ip dhcp snooping
ip domain-name REMOVED.com
ip dhcp-server 192.168.20.2
vtp mode transparent
!
!
crypto pki trustpoint TP-self-signed-533317760
 enrollment selfsigned
CRYPTO STUFF REMOVED
spanning-tree mode pvst
spanning-tree extend system-id
!
!
vlan internal allocation policy ascending
!
vlan 10
 name RENAMED1
!
vlan 20
 name RENAMED2
!
vlan 99
 name BlackHole
!
ip ssh version 2
!
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet1/0/1
 description NG port 1 Default
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description NG port 2 Vlan (Trunk)
 switchport access vlan 20
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/6
 description WIFI VlanS (Trunk)
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/7
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/8
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/9
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/10
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/11
 description WIFI Vlans
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/12
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/13
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/14
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/15
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/16
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/17
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/18
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/19
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/20
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/21
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/22
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/23
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/24
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/25
 switchport access vlan 99
 switchport mode access
 switchport nonegotiate
 shutdown
!
interface GigabitEthernet1/0/26
 switchport access vlan 99
 switchport mode access
 switchport nonegotiate
 shutdown
!
interface GigabitEthernet1/0/47
 description Cisco ASA FirePower
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/48
 description Cisco ASA 5506
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/49
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/50
 switchport mode access
 switchport nonegotiate
 shutdown
!
interface GigabitEthernet1/0/51
 switchport mode access
 switchport nonegotiate
 shutdown
!
interface GigabitEthernet1/0/52
 switchport mode access
 switchport nonegotiate
 shutdown
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
!
interface Vlan10
 ip address 192.168.10.254 255.255.255.0
!
interface Vlan20
 ip address 192.168.20.254 255.255.255.0
!
ip http server
ip http secure-server
!
!
!
!
line con 0
 password OOPS NOT TODAY
 login
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 password OOPS NOT TODAY
 login
!
end

MGM-2960s#

23 comments
Just 'cause it ain't in my flair doesn't mean I don't have certs · 4 points · 4 days ago

Looking good. Don't forget to kick on RSTP, portfast, and bpduguard or rootguard. (Though those are probably above CCENT level, to be fair).

Also ditch the http server!

You use DTP for trunking?

WGU-BSIT-Sec (Original Poster) · 1 point · 4 days ago

Honestly I'm not sure. I used the switchport trunk command.

CCENT · 2 points · 4 days ago

He's asking because you don't use nonegotiate on your trunks.

WGU-BSIT-Sec (Original Poster) · 1 point · 4 days ago

That was a leftover command I forgot to remove when it was set to switchport mode access.

I also realized that I don't have to assign an IP to each VLAN if I'm building it out as ROAS. Burned three IP addresses there.

I left VLAN 1 because the AP did not want to work right without VLAN 1.

Ubiquiti wanted to be in VLAN 1 or it would not communicate back to the software. Still researching that one. I ended up enabling a second NIC on a server and placing that NIC in VLAN 1 to communicate back to the AP.

CCENT · 2 points · 4 days ago

WGU-BSIT-Sec (Original Poster) · 1 point · 4 days ago

I just learned what each of those are. Thanks for the info. I'll change those in the morning.

CCENT · 1 point · 4 days ago

I just noticed another minor annoyance of mine: don't use the 'admin' account, create a descriptive username.

WGU-BSIT-Sec (Original Poster) · 1 point · 4 days ago

ha ha, 10-4.

WGU-BSIT-Sec (Original Poster) · 1 point · 4 days ago

I'm still having a hard time wrapping my head around not using VLAN 1. I get that I can put any interface in any VLAN. But "dumb" devices / untagged traffic has to go somewhere. If I drop VLAN 1 and put everything in VLAN 10, would it not have to also be changed to the default VLAN so untagged traffic could flow? Wouldn't that end up being where all new interfaces were added?

Or is this a security measure in that any other device would have to be set to use VLAN 10 to communicate, meaning all other devices default to VLAN 1, so no communication?

CCENT · 2 points · 4 days ago · edited 4 days ago

If you "put an interface in a VLAN" then the untagged traffic goes on that VLAN. Almost all devices are "dumb" and untagged and they get put in VLANs all the time. There are no host changes needed to communicate with a different VLAN on an access port.

The reason I suggest not to use VLAN 1 is exactly because it is the default. When someone does a half-ass job, forgets to set the Access VLAN, or plugs in a badly-configured switch, that traffic ends up on VLAN 1. I don't want that traffic in my production VLANs, so I black hole it. If a port doesn't work until you set an access VLAN, then there is a much greater chance you will pay attention to which VLAN it should be, instead of just plugging-and-praying.

Edit: this is the same reasoning behind setting your VTP domain and password even if you run in transparent mode, or being specific about your trunk's allowed VLANs, or using boot system flash messages instead of letting ROMMON pick, or using the 0.0.0.0 wildcard to select interfaces--the only times being specific is a nuisance is when you weren't paying attention in the first place.

WGU-BSIT-Sec (Original Poster) · 2 points · 4 days ago

Thanks, I'm not sure if you guys know how much even the little pieces of info tie larger units together. Makes much more sense now. I'll see if I can dump VLAN 1 tomorrow.

WGU-BSIT-Sec (Original Poster) · 1 point · 3 days ago

So is this correct?

interface GigabitEthernet1/0/1
 description NG port 1 Default
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description NG port 2 Vlans (Trunk)
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2,10,20
 switchport mode trunk
!
interface GigabitEthernet1/0/8
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet1/0/9
 switchport access vlan 10
 switchport trunk native vlan 10
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport mode access
 switchport nonegotiate
 spanning-tree portfast
!
interface GigabitEthernet1/0/11
 description WIFI Vlans (trunk)
 switchport access vlan 2
 switchport trunk native vlan 2
 switchport trunk allowed vlan 2,10,20
 switchport mode trunk

CCENT · 1 point · 3 days ago

Looks better.

Another best practice is to use a black-hole VLAN for your trunk native traffic as well. The idea here is that all traffic on a trunk should be specifically addressed to a particular VLAN. This also helps prevent VLAN jumping with mismatched native VLANs.

My go-to switch config for an interface is:

spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
!
vlan 998
  name NO_ACCESS
vlan 999
  name TRUNK_NATIVE
!
interface GigabitEthernet0/0
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 999
  switchport trunk allowed vlan none
  switchport access vlan 998
  switchport mode access
  switchport nonegotiate
  shutdown

I can then allow what is necessary from there if I need the port. It has to be turned on, and either the access VLAN specified, or flipped to a trunk and the allowed VLANs specified. Either way, it's almost impossible to create a security hole by forgetting something or plugging something in.
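The VLAN 1 reasoning earlier in the thread and the port template just above can be turned into a check that runs over a saved `show running-config`. The Python auditor below is an added example, not code from the thread or from Cisco: it parses each `interface` stanza and flags the points this thread raises, namely access ports still on VLAN 1, trunks with no explicit allowed-VLAN list, a native VLAN that is itself carried on the trunk, trunks without `switchport nonegotiate`, ports left in the default dynamic mode, and `ip http server` left enabled. `SAMPLE_CONFIG` is constructed for the example, and the parser handles only the plain list, `all` and `none` forms of `switchport trunk allowed vlan`.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed sample (not the thread's own config): ports where something was
# forgotten next to ports hardened the way the comment above describes.
SAMPLE_CONFIG = """\
hostname LAB-SW
ip http server
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 switchport access vlan 20
 switchport mode trunk
!
interface GigabitEthernet1/0/3
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/4
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,999
 switchport mode trunk
 switchport nonegotiate
"""

@dataclass
class Port:
    name: str
    mode: str = "dynamic"               # Catalyst ports default to DTP "dynamic"
    access_vlan: int = 1                # IOS default access VLAN
    native_vlan: int = 1                # IOS default trunk native VLAN
    allowed: Optional[Set[int]] = None  # None = all VLANs allowed (IOS default)
    nonegotiate: bool = False

def expand_vlan_list(spec):
    """'2,10-12,20' -> {2,10,11,12,20}; 'none' -> set(); 'all' -> None (add/remove/except not modelled)."""
    spec = spec.strip().lower()
    if spec == "all": return None
    if spec == "none": return set()
    vlans = set()
    for atom in spec.split(","):
        lo, _, hi = atom.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_interfaces(text):
    """Collect the switchport settings of every 'interface' stanza."""
    ports, cur = [], None
    for raw in text.splitlines():
        line, words = raw.strip(), raw.split()
        if line.startswith("interface "):
            cur = Port(name=words[1])
            ports.append(cur)
        elif cur is None or line == "!":
            cur = None                       # '!' closes a stanza in IOS output
        elif line.startswith("switchport mode "):
            cur.mode = words[2]
        elif line.startswith("switchport access vlan "):
            cur.access_vlan = int(words[3])
        elif line.startswith("switchport trunk native vlan "):
            cur.native_vlan = int(words[4])
        elif line.startswith("switchport trunk allowed vlan "):
            cur.allowed = expand_vlan_list(words[4])
        elif line == "switchport nonegotiate":
            cur.nonegotiate = True
    return ports

def audit(text):
    """Return (where, finding) pairs for the hygiene points raised in the thread."""
    findings = []
    if any(l.strip() == "ip http server" for l in text.splitlines()):
        findings.append(("global", "ip http server is on; disable it with 'no ip http server'"))
    for p in parse_interfaces(text):
        if p.name.startswith("Vlan"):
            continue                         # SVIs are routed interfaces, not edge ports
        if p.mode == "access":
            if p.access_vlan == 1:
                findings.append((p.name, "access port left on default VLAN 1"))
        elif p.mode == "trunk":
            if p.allowed is None:
                findings.append((p.name, "trunk carries all VLANs; set 'switchport trunk allowed vlan'"))
            elif p.native_vlan in p.allowed:
                findings.append((p.name, f"native VLAN {p.native_vlan} is allowed on the trunk"))
            if p.native_vlan == 1:
                findings.append((p.name, "trunk native VLAN is the default VLAN 1"))
            if not p.nonegotiate:
                findings.append((p.name, "trunk still speaks DTP; add 'switchport nonegotiate'"))
        else:
            findings.append((p.name, f"mode '{p.mode}' leaves DTP to decide; set access or trunk"))
    return findings

if __name__ == "__main__":
    for where, finding in audit(SAMPLE_CONFIG):
        print(f"{where:22} {finding}")
```

Run it against a saved config with `audit(open(path).read())`; an empty list means every live port has an explicit mode and an explicit VLAN assignment, which is exactly the "you have to touch it before it works" property the template above is built for. The script only reads `show running-config` output and never talks to a switch.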

WGU-BSIT-Sec (Original Poster) · 1 point · 3 days ago

I guess I am confused as to the native VLAN terminology. In my head, if I have VLAN 100 and interfaces in that VLAN then all those interfaces should use VLAN 100 as native to keep untagged traffic on that VLAN that they are members of. Is this right or not?

CCENT · 1 point · 3 days ago

"interfaces in that VLAN" usually means access ports. Access ports don't have a native VLAN because all traffic is sent untagged. The understanding is that the host on the other end is ignorant of 802.1Q tagging (is ignoring VLANs). Most hosts work this way, so the switch adds a VLAN tag when a frame is received and strips the VLAN tag off before a frame is sent.

A Trunk is for communicating with devices that understand tagging--usually other network hardware, but also servers, hypervisors, and some advanced hosts. On a trunk, all traffic is sent tagged except for the native VLAN. The switch strips the tag from any frames in the native VLAN before sending and assumes that any untagged frames it receives belong to the native VLAN.

This is why it's important to use precise language. Access ports do not have native VLANs, and Trunk ports do not have access VLANs. You don't "put an interface in a VLAN", you specify the access VLAN for an access port.

You almost never want most of your access interfaces in the same VLAN as your trunk native VLANs if you have a VLAN setup. The point of putting switch ports in different VLANs is so that they can be tagged and segregated.

In the config I posted, neither VLAN 998 or VLAN 999 should ever leave the switch--they should not be allowed on any trunks. This way, any untagged trunk traffic, or random devices on unconfigured access ports, doesn't go anywhere.
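The tag-on-ingress, strip-on-egress behaviour described in the comment above can be traced at the frame level. The Python model below is an added example, not code from the thread; `SwitchPort`, the frame helpers, and the sample MAC addresses and ports are all constructed for it. It builds Ethernet II frames with and without an 802.1Q tag using `struct`, classifies a received frame into a VLAN on ingress (the access VLAN on an access port; the tag, or the native VLAN when untagged, on a trunk), re-frames it on egress, and shows why a black-holed native VLAN that is not in the trunk's allowed list makes untagged trunk traffic go nowhere.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Set

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses and payload (locally administered MACs, dummy bytes).
HOST_MAC = bytes.fromhex("020000000001")
GW_MAC = bytes.fromhex("020000000002")
PAYLOAD = b"\x45" + b"\x00" * 19          # stand-in for an IPv4 header, not a real packet

@dataclass
class SwitchPort:
    name: str
    mode: str                               # "access" or "trunk"
    access_vlan: int = 1                    # IOS default access VLAN
    native_vlan: int = 1                    # IOS default trunk native VLAN
    allowed: Optional[Set[int]] = None      # None = all VLANs allowed (IOS default)

def build_frame(dst, src, payload, vlan=None, ethertype=ETHERTYPE_IPV4):
    """Ethernet II frame; when vlan is given, an 802.1Q tag (PCP 0, DEI 0) is inserted."""
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload

def parse_frame(frame):
    """Return (vlan or None, ethertype, payload) for a frame built as above."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_8021Q:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner, frame[18:]
    return None, ethertype, frame[14:]

def ingress(port, frame):
    """Classify a received frame into a VLAN. Returns (vlan, untagged_frame),
    or None when the switch would drop the frame."""
    vlan, ethertype, payload = parse_frame(frame)
    untagged = frame[:12] + struct.pack("!H", ethertype) + payload
    if port.mode == "access":
        # The host is assumed VLAN-ignorant: untagged frames land in the access
        # VLAN; a tag for any other VLAN is dropped (Catalyst behaviour, assumed here).
        return (port.access_vlan, untagged) if vlan in (None, port.access_vlan) else None
    if vlan is None:
        vlan = port.native_vlan                 # trunk: untagged means native VLAN
    if port.allowed is not None and vlan not in port.allowed:
        return None                             # VLAN not carried on this trunk
    return vlan, untagged

def egress(port, vlan, untagged):
    """Frame the switch would transmit for `vlan` on `port`, or None if not forwarded."""
    if port.mode == "access":
        return untagged if vlan == port.access_vlan else None   # access: always untagged
    if port.allowed is not None and vlan not in port.allowed:
        return None
    if vlan == port.native_vlan:
        return untagged                                          # native VLAN leaves untagged
    return untagged[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vlan) + untagged[12:]

def forward(in_port, frame, out_port):
    """Carry one frame through the switch: classify on ingress, re-frame on egress."""
    result = ingress(in_port, frame)
    if result is None:
        return None
    vlan, untagged = result
    return egress(out_port, vlan, untagged)

# Constructed ports: a VLAN 10 host port, a trunk with every default left in
# place, a trunk hardened the way the comment above describes, and a port
# whose access VLAN was never set.
HOST_PORT = SwitchPort("Gi1/0/8", "access", access_vlan=10)
DEFAULT_TRUNK = SwitchPort("Gi1/0/2", "trunk")
HARDENED_TRUNK = SwitchPort("Gi1/0/11", "trunk", native_vlan=999, allowed={10, 20})
FORGOTTEN_PORT = SwitchPort("Gi1/0/10", "access")

if __name__ == "__main__":
    frame = build_frame(GW_MAC, HOST_MAC, PAYLOAD)
    print("host -> hardened trunk, tagged as VLAN:", parse_frame(forward(HOST_PORT, frame, HARDENED_TRUNK))[0])
    print("untagged on default trunk reaches forgotten port:", forward(DEFAULT_TRUNK, frame, FORGOTTEN_PORT) is not None)
    print("untagged on hardened trunk reaches forgotten port:", forward(HARDENED_TRUNK, frame, FORGOTTEN_PORT) is not None)
```

The two trunks make the point of the comment concrete: on the all-defaults trunk an untagged frame is classified into native VLAN 1 and is delivered, untagged, to any port whose access VLAN was never set; on the hardened trunk the same frame maps to VLAN 999, which is not in the allowed list, so the switch drops it on ingress and nothing downstream ever sees it.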

WGU-BSIT-Sec (Original Poster) · 1 point · 3 days ago

Is this correct?

!
interface GigabitEthernet1/0/1
 description NG port 1 Default
 switchport access vlan 2
 switchport mode access
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description NG port 2 Vlans (Trunk)
 switchport trunk allowed vlan 2,10,20
 switchport mode trunk

WGU-BSIT-Sec (Original Poster) · 1 point · 4 days ago

How do you specify the specific VLANs allowed on a trunk? switchport mode trunk vlan 10, 20 ?

CCENT · 1 point · 4 days ago

switchport trunk allowed vlan {all | none | [add | remove | except] vlan-atom [,vlan-atom...]}

WGU-BSIT-Sec (Original Poster) · 1 point · 4 days ago

Thanks, I actually wondered if I could restrict it when I set it up. But if I didn't know the commands, I didn't allow myself to go look them up. My version of pass/fail.

CCENT · 2 points · 4 days ago

C3750X IOS 15.2 Command Reference: one of the two testaments of the Route/Switch bible.

You are missing -

logging host x.x.x.x - point this to your syslog server

ntp server x.x.x.x - point this to your ntp server

WGU-BSIT-Sec (Original Poster) · 1 point · 4 days ago

Two reasons for doing this project. One, I wanted to see if I could do it without having to look at a book. Second reason is that Macs are chatty little bastards. I put the Macs in VLAN 20 and the Windows boxes in VLAN 10. VLAN 10 is almost twice as fast as before the project.
