Saturday, November 1, 2014

Basic Multi Layer Switch (MLS) configuration

Okay, so a fairly common thing would be to have a multi layer switch in your network - at least when your network becomes larger than what can usually be plugged into a switch or two.

It may look something like this: some beefy core MLS that can push packets real quick, some less beefy, but still awesome, distribution MLS and finally some relatively inexpensive layer 2 switches to connect your clients, printer, access points, servers and whatever else you may have need of connecting to the network.

Core-Distribution-Access Diagram
For the sake of simplicity we will just assume the access layer switches are already configured and function only at layer 2. In this example we will focus solely on the distribution switches/routers (MLS).

Let's start by getting the layer 2 functions working. We set the VTP mode to transparent, so the VLAN database is kept locally and the switch neither advertises nor accepts VTP updates (a stale or rogue VTP server cannot overwrite it), and then create four VLANs (10, 20, 30 and 40).
DIST-SW-01(config)#vtp mode transparent
Setting device to VTP Transparent mode for VLANS.
DIST-SW-01(config)#vlan 10,20,30,40
The same configuration is done on DIST-SW-02, but not shown here to keep this example somewhat brief and manageable.

Then we create the layer 2 port-channel between the two distribution switches and configure it as a trunk port for all VLANs. The switchport nonegotiate command turns DTP off, so the link is a static trunk that never depends on negotiation, and channel-group 1 mode active bundles the two ports with LACP and creates the Port-channel1 interface.
DIST-SW-01(config)#interface range FastEthernet0/23-24
DIST-SW-01(config-if-range)#switchport trunk encapsulation dot1q
DIST-SW-01(config-if-range)#switchport mode trunk
DIST-SW-01(config-if-range)#switchport nonegotiate
DIST-SW-01(config-if-range)#channel-group 1 mode active
Before we configure any of the layer 3 features we need to enable IP routing on both distribution switches. You can create SVIs with IP addresses and configure redundancy protocols without it, but the switch will not route between them until this command is present.
DIST-SW-01(config)#ip routing
DIST-SW-02(config)#ip routing
Secondly, we configure a first hop redundancy protocol (HSRP) so the clients connected to the access switches have a redundant default gateway. We make distribution switch 1 the active forwarder for the odd-numbered VLANs and distribution switch 2 the active forwarder for the even-numbered VLANs by giving the preferred switch a priority of 110 (the default is 100). The higher-priority switch also needs standby preempt, otherwise it will not take the active role back after a reload. Note that the configuration below relies on the default HSRP authentication (a plaintext string), so any host on the VLAN able to send HSRP hellos with a higher priority could make itself the active gateway; on a production network configure MD5 authentication on every group (standby <group> authentication md5 key-string <key>) on both switches.

Distribution switches with VLANS and HSRP configured
Configuration on Distribution Switch 1
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 standby 10 ip 10.0.10.254
 standby 10 priority 110
 standby 10 preempt
 standby 10 name VLAN_10
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 standby 20 ip 10.0.20.254
 standby 20 name VLAN_20
!
interface Vlan30
 ip address 10.0.30.1 255.255.255.0
 standby 30 ip 10.0.30.254
 standby 30 priority 110
 standby 30 preempt
 standby 30 name VLAN_30
!
interface Vlan40
 ip address 10.0.40.1 255.255.255.0
 standby 40 ip 10.0.40.254
 standby 40 name VLAN_40
Configuration on Distribution Switch 2
interface Vlan10
 ip address 10.0.10.2 255.255.255.0
 standby 10 ip 10.0.10.254
 standby 10 name VLAN_10
!
interface Vlan20
 ip address 10.0.20.2 255.255.255.0
 standby 20 priority 110
 standby 20 preempt
 standby 20 ip 10.0.20.254
 standby 20 name VLAN_20
!
interface Vlan30
 ip address 10.0.30.2 255.255.255.0
 standby 30 ip 10.0.30.254
 standby 30 name VLAN_30
!
interface Vlan40
 ip address 10.0.40.2 255.255.255.0
 standby 40 priority 110
 standby 40 preempt
 standby 40 ip 10.0.40.254
 standby 40 name VLAN_40
Because the HSRP active router alternates between the two distribution switches per VLAN, the spanning-tree root should follow the same split: Distribution Switch 1 is root for the odd-numbered VLANs and Distribution Switch 2 for the even-numbered VLANs. If the root and the active gateway were on different switches, client frames would be forwarded towards the root first and then cross the port-channel to reach the gateway. The lowest bridge priority wins the root election, so 4096 makes a switch the root and 8192 makes it the secondary root.
DIST-SW-01(config)#spanning-tree vlan 1,10,30 priority 4096
DIST-SW-01(config)#spanning-tree vlan 20,40 priority 8192
DIST-SW-02(config)#spanning-tree vlan 1,10,30 priority 8192
DIST-SW-02(config)#spanning-tree vlan 20,40 priority 4096
Now we will configure the trunk ports from the distribution layer to the access layer. Again, we assume that the access switches are already configured appropriately for this scenario.
DIST-SW-01(config)#interface range fa0/19 , fa0/21
DIST-SW-01(config-if-range)# switchport trunk encapsulation dot1q
DIST-SW-01(config-if-range)# switchport mode trunk
DIST-SW-01(config-if-range)# switchport nonegotiate
The same commands are issued on DIST-SW-02.

Verify the configuration by examining the output of the commands shown in the sections below:

VTP and VLAN configuration
DIST-SW-01#show vtp status
DIST-SW-01#show vlan brief
EtherChannel (port-channel) configuration
DIST-SW-01#show etherchannel summary
DIST-SW-01#show etherchannel 1 detail
HSRP (standby) configuration
DIST-SW-01#show standby brief
DIST-SW-01#show standby vlan [10 | 20 | 30 | 40]
Spanning-tree configuration
DIST-SW-01#show spanning-tree vlan [10 | 20 | 30 | 40]
DIST-SW-01#show spanning-tree root
Switchport trunk configuration
DIST-SW-01#show interfaces trunk
DIST-SW-01#show interfaces [port-channel 1 | fa0/19 | fa0/21] trunk
DIST-SW-01#show interfaces [port-channel 1 | fa0/19 | fa0/21] switchport
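The verification commands above produce the facts that matter for this design, but you still have to read them side by side. The script below is an added example, not part of the original post: it parses text in the shape of show standby brief and show spanning-tree root from one switch and flags a VLAN where the HSRP active router is not also the STP root (the alignment argued for in the spanning-tree section), and an HSRP group that raises its priority but has no preempt. The sample output is constructed, not captured from the switches in the post; it is modelled on what DIST-SW-01 would print if preempt had been left off and DIST-SW-02 had stopped answering for VLAN 40.

```python
"""Audit HSRP active / STP root alignment from Cisco IOS 'show' output.
Added example, not from the original post. Only Vlan SVIs are considered."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed 'show standby brief' output for DIST-SW-01 (not a real capture).
# Vl40 is deliberately Active here although DIST-SW-02 should own that VLAN.
SHOW_STANDBY_BRIEF_SW01 = """\
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   110   Active  local           10.0.10.2       10.0.10.254
Vl20        20   100   Standby 10.0.20.2       local           10.0.20.254
Vl30        30   110   Active  local           10.0.30.2       10.0.30.254
Vl40        40   100   Active  local           10.0.40.2       10.0.40.254
"""

# Constructed 'show spanning-tree root' output for DIST-SW-01. An empty
# "Root Port" column means this switch is itself the root for that VLAN.
SHOW_SPANNING_TREE_ROOT_SW01 = """\
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0001          4097 0019.aa11.bb01         0    2   20  15
VLAN0010          4106 0019.aa11.bb01         0    2   20  15
VLAN0020          4116 0019.aa11.bb02        12    2   20  15  Po1
VLAN0030          4126 0019.aa11.bb01         0    2   20  15
VLAN0040          4136 0019.aa11.bb02        12    2   20  15  Po1
"""


@dataclass
class HsrpEntry:
    vlan: int
    group: int
    priority: int
    preempt: bool
    state: str                  # Active, Standby, Listen, ...


@dataclass
class StpRootEntry:
    vlan: int
    root_priority: int
    root_port: Optional[str]    # None when the local switch is the root


# Row: Vl<id>  Grp  Pri  [P]  State  Active  Standby  VirtualIP
_STANDBY_ROW = re.compile(
    r"^Vl(\d+)\s+(\d+)\s+(\d+)\s+(P?)\s*(\w+)\s+\S+\s+\S+\s+\S+\s*$")
# Row: VLAN<id>  RootPri  RootMAC  Cost  Hello  MaxAge  FwdDly  [RootPort]
_ROOT_ROW = re.compile(
    r"^VLAN0*(\d+)\s+(\d+)\s+[0-9a-f.]+\s+\d+\s+\d+\s+\d+\s+\d+(?:\s+(\S+))?\s*$")


def parse_standby_brief(text: str) -> dict[int, HsrpEntry]:
    """HSRP rows keyed by VLAN id; the 'P' column becomes the preempt flag."""
    entries = {}
    for line in text.splitlines():
        m = _STANDBY_ROW.match(line)
        if m:
            vlan = int(m.group(1))
            entries[vlan] = HsrpEntry(vlan, int(m.group(2)), int(m.group(3)),
                                      m.group(4) == "P", m.group(5))
    return entries


def parse_stp_root(text: str) -> dict[int, StpRootEntry]:
    """Per-VLAN root information keyed by VLAN id."""
    entries = {}
    for line in text.splitlines():
        m = _ROOT_ROW.match(line)
        if m:
            vlan = int(m.group(1))
            entries[vlan] = StpRootEntry(vlan, int(m.group(2)), m.group(3))
    return entries


def audit(hsrp: dict[int, HsrpEntry],
          stp: dict[int, StpRootEntry]) -> list[tuple[str, int]]:
    """Cross-check HSRP state against STP root ownership on one switch.
    MISALIGNED: HSRP active here but STP root elsewhere (or the reverse).
    NO_PREEMPT: priority above the default 100 without preempt, so this
                switch never reclaims the active role after a reload.
    NO_STP_INFO: HSRP group on a VLAN missing from the STP root table."""
    findings = []
    for vlan, h in sorted(hsrp.items()):
        s = stp.get(vlan)
        if s is None:
            findings.append(("NO_STP_INFO", vlan))
            continue
        local_is_root = s.root_port is None
        if (h.state == "Active") != local_is_root:
            findings.append(("MISALIGNED", vlan))
        if h.priority > 100 and not h.preempt:
            findings.append(("NO_PREEMPT", vlan))
    return findings


def run_sample() -> list[tuple[str, int]]:
    return audit(parse_standby_brief(SHOW_STANDBY_BRIEF_SW01),
                 parse_stp_root(SHOW_SPANNING_TREE_ROOT_SW01))


if __name__ == "__main__":
    for code, vlan in run_sample():
        print(f"VLAN {vlan}: {code}")
```

Run it against the pasted output of both commands from each distribution switch in turn; a clean design gives no findings on either. On the sample data it reports NO_PREEMPT for VLAN 10 and 30 and MISALIGNED for VLAN 40.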

Now we should be able to reach the FHRP default gateways from a client in VLAN 10, 20, 30 or 40 on the access switches. Only VLAN 10 and VLAN 20 are shown here, since they should show the path through DIST-SW-01 and DIST-SW-02 respectively. The trace to 8.8.8.8 stops at 10.0.100.10 because that router has no route towards the destination; what matters here is that the first hop is 10.0.10.1 for VLAN 10 and 10.0.20.2 for VLAN 20 even though the clients' default gateway is the .254 virtual address, which tells you which physical switch is the active forwarder. In the ARP table the .254 address should resolve to the HSRP virtual MAC address (0000.0c07.acXX for HSRP version 1, where XX is the group number in hex) rather than to either switch's own MAC.

Trace and ARP table on VLAN 10

Trace and ARP table on VLAN 20

Note: on some Catalyst multilayer switches, like the Catalyst 3560 used in this example, some commands may be unavailable if the Switch Database Management (SDM) template does not support the feature you are trying to configure.

To troubleshoot issues like these, first verify that the commands you are trying to configure are supported by referring to the documentation for the specific platform. Secondly, make sure the image and licensing are correct. The command show version gives you information about the platform and the image you are running, and on some platforms/IOS versions also about the licensing.

If the image and licensing is in order, but you still cannot input the desired commands, you may be using the incorrect SDM template. Check the currently used template with this command:
DIST-SW-01#show sdm prefer
 The current template is "desktop default" template.
 The selected template optimizes the resources in
 the switch to support this level of features for
 8 routed interfaces and 1024 VLANs.
  number of unicast mac addresses:                  6K
  number of IPv4 IGMP groups + multicast routes:    1K
  number of IPv4 unicast routes:                    8K
    number of directly-connected IPv4 hosts:        6K
    number of indirect IPv4 routes:                 2K
  number of IPv4 policy based routing aces:         0
  number of IPv4/MAC qos aces:                      0.5K
  number of IPv4/MAC security aces:                 1K
This displays the maximums of the SDM template currently in use. With this template the number of policy-based routing ACEs is 0, which means policy-based routing (PBR) cannot be configured at all.

If I had to do PBR on this MLS I would have to change the SDM template. The command below shows how that is done. Bear in mind that the SDM templates come pre-defined: you cannot fine-tune the individual table sizes, only pick one of the available templates.
DIST-SW-01(config)#sdm prefer ?
  access              Access bias
  default             Default bias
  dual-ipv4-and-ipv6  Support both IPv4 and IPv6
  routing             Unicast bias
  vlan                VLAN bias
DIST-SW-01(config)#sdm prefer routing
Also, the switch will need to be reloaded for the new template to take effect.
