User Tools

Site Tools


Layer 2 Network Design Lab


The purpose of these exercises is to build Layer 2 (switched) networks utilizing the concepts explained in today's design presentations. Students will see how star topology, aggregation, virtual LANs, Spanning Tree Protocol, etc. are put to work.

There will be 6 groups of students, with 6 switches per group. The distribution of IP address space for the building (Layer 2) networks will be as follows:

Building 1 Management172.2X.0.0/282001:db8:X:3::/64
Building 2 Management172.2X.0.16/282001:db8:X:4::/64

You will need to replace 'X' with the number of your campus group!

The overall architecture and the full address plan can be found in the IP Address Plan

Switch types used in the lab

Cisco Catalyst 3560 and Catalyst 3750.

The following diagram shows the layout of the devices on each campus:

The following table shows the connections between each device in the campus:

DeviceInterfaceRemote DeviceRemote Interface

Replace N with your building number and X with your campus number.

Lab access instructions

There are eight Cisco devices on the table in front of you. They will be used in the following ways:

2901Border router
3750Core router
3560Layer 2 switches

The bottom two 3560 switches in each stack will be used as the Edge switches and the top 3560 as the Aggregation switch for the two buildings shown in the diagram above.

We will use the console cables to connect to the devices until we have configured them more fully.

You can download and install the drivers for the USB cable from:

Choose the correct drivers for your operating system and install them.

Connecting from Windows

You can use Putty which we installed earlier to connect to the serial port created when the USB adapter is plugged in.

On the Putty window choose the Serial option and then change the Serial line to COM6. Leave the Speed set to 9600.

Select Open

You can disconnect from the switch by closing the window.

Connecting from Linux or Mac

You can use the command line application cu to connect to the the serial port created when the USB adapter is plugged in. You can identify the name of the device using:

$ ls /dev/cu.usbserial*

Then you can run:

$ sudo cu -9600 -l /dev/cu.usbserial-FTDX4U8N

You can disconnect from the switch by typing ~.

Once you are connected

You may need to hit Enter a few times to get a prompt from the switch which should look like:


If you are asked:

Would you like to enter the initial configuration dialog? [yes/no]:

answer no!

Basic Switch Configuration

Our building network consists of a aggregation switch and two edge switches in each building. The backbone switches connect to the core of our campus network and serve as aggregation points for all the edge switches. Edge switches serve the end users.

Each switch will be named according to the table above: sd1-b1-campus1, se2-b1-campus5, etc


Your switches should be given a basic configuration as follows:

Router> enable
Router# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# hostname sd1-b1-campusX

Turn Off Domain Name Lookups

Cisco devices will always try to look up the DNS for any name or address specified in the command line. You can see this when doing a trace on a router with no DNS server or a DNS server with no entries for the IP addresses. We will turn this lookup off for the labs for the time being to speed up traceroutes.

sd1-b1-campusX (config)# no ip domain-lookup

Configure console and other ports

sd1-b1-campusX (config)# line con 0
sd1-b1-campusX (config-line)# transport preferred none
sd1-b1-campusX (config-line)# line vty 0 4
sd1-b1-campusX (config-line)# transport preferred none

Usernames and Passwords

All router usernames should be cndlab with password being lab-PW. The enable password (which takes the operator into configuration mode) needs to be lab-EN.

Please do not change the username or password to anything else, or leave the password unconfigured (access to vty ports is not possible if no password is set). It is essential for a smooth operating lab that all participants have access to all routers.

sd1-b1-campusX (config)# username cndlab secret lab-PW
sd1-b1-campusX (config)# enable secret lab-EN
sd1-b1-campusX (config)# service password-encryption

The service password-encryption directive tells the router to encrypt all passwords stored in the router’s configuration (apart from enable secret which is already encrypted).

Note A: There is the temptation to simply have a username of cisco and password of cisco as a lazy solution to the username/password problem. Under no circumstances must any service provider operator ever use easily guessable passwords as these on their live operational network.

IMPORTANT: This sentence cannot be emphasized enough. It is quite common for attackers to gain access to networks simply because operators have used familiar or easily guessed passwords.

Note B: for IOS releases prior to 12.3, the username/secret pair is not available, and operators will have to configure username/password instead. The latter format uses type-7 encryption, whereas the former is the more secure md5 based encryption.

Enabling login access for other machines

In order to let you telnet into your router in future modules of this workshop, you need to configure a password for all virtual terminal lines.

sd1-b1-campusX (config)# aaa new-model
sd1-b1-campusX (config)# aaa authentication login default local
sd1-b1-campusX (config)# aaa authentication enable default enable

This series of commands tells the router to look locally for standard user login (the username password pair set earlier), and to the locally configured enable secret for the enable login. By default, login will be enabled on all vtys for other teams to gain access.

Configure system logging

A vital part of any Internet operational system is to record logs. The router by default will display system logs on the router console. However, this is undesirable for Internet operational routers, as the console is a 9600 baud connection, and can place a high processor interrupt load at the time of busy traffic on the network. However, the router logs can also be recorded into a buffer on the router – this takes no interrupt load and it also enables to operator to check the history of what events happened on the router. In a future module, the lab will configuration the router to send the log messages to a SYSLOG server.

sd1-b1-campusX (config)# no logging console
sd1-b1-campusX (config)# logging buffer 8192 debug

which disables console logs and instead records all logs in a 8192 byte buffer set aside on the router. To see the contents of this internal logging buffer at any time, the command “sh log” should be used at the command prompt.

Save the Configuration.

With the basic configuration in place, save the configuration. To do this, exit from enable mode by typing “end” or “<ctrl> Z”, and at the command prompt enter “write memory”.

sd1-b1-campusX# write memory
Building configuration...

It is highly recommended that the configuration is saved quite frequently to NVRAM. If the configuration is not saved to NVRAM, any changes made to the running configuration will be lost after a power cycle or virtual machine failure

Log off the router by typing “exit”, and then log back in again. Notice how the login sequence has changed, prompting for a “username” and “password” from the user. Note that at each checkpoint in the workshop, you should save the configuration to memory – remember that powering the router off will result in it reverting to the last saved configuration in NVRAM.

IP Address Configuration

Assign each switch a different IP address as follows:

int vlan 1
 ip address 172.2X.0.2
 ipv6 address 2001:db8:X:3::2/64
 no shut

Replace the “X” with your group number:


Verify connectivity by pinging each switch within the building. Do not continue until you can ping each switch from every other switch in the building.

HINT: If ping fails, but the configuration seems OK, try doing the following:

int vlan 1
 no shutdown

(this is not normal, but most likely a bug in the IOS code somewhere)

Question: Why can't you ping a switch in Building 2 from a switch in Building 1?

Answer: They're on different subnets and we haven't configured a router to connect the buildings at this stage.

Checking Neighbouring Switches

Cisco IOS has a command which let's you find out about other Cisco devices connected to the device you are on. Cisco has a proprietary protocol called Cisco Discovery Protocol (CDP). To find out about neighbouring devices connected to your switch, do:

show cdp neighbor

which will list everything connected to your switch. Note that the output of the command will list which interfaces are used to connect to which neighbouring devices.

Set up SNMP access on the Switches

Later in the week we're going to start using SNMP to manage the routers and switches. We'll add the necessary commands at this stage:

access-list 99 permit 100.68.X.130
snmp-server community NetManage RO 99
snmp ifmib ifindex persist

The access-list only allows SNMP queries from the NMM server.

If your switch doesn't take the above snmp commands, try the following instead. Even though Cisco IOS is one operating system, the implementation details on different platforms can well be different:

access-list 99 permit 100.68.X.130
snmp-server community NetManage RO 99
snmp-server ifindex persist

Spanning Tree Protocol

STP Status

Run the following commands and pay close attention to the output:

show spanning-tree brief
show spanning-tree blockedports
show spanning-tree
  1. What is the priority on each switch?
  2. Which switch is the root? Why?
  3. Which ports are blocked? Why?

Make a note of the answers to the above questions, as we will compare those with the answers once we do the next step. If the instructors ask you, please write them up on the classroom whiteboard too.

STP Configuration

Configure the STP priorities explicitly for each switch, according to the plan in Appendix A.

For example, on sd1-b1-campus1:

sd1-b1-campus1(config)#spanning-tree vlan 1 priority 12288


show spanning-tree brief

Why is it so important to set the priorities explicitly?

Check the output of the spanning-tree status command. What is happening on se1-bY-campusX? For example:

se1-b1-campus6#sh spanning-tree brief

  Spanning tree enabled protocol ieee
  Root ID    Priority    12288
             Address     c42c.3f2c.0000
             Cost        19
             Port        55 (FastEthernet0/47)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24576
             Address     c42d.3f2c.0000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface                                   Designated
Name                 Port ID Prio Cost  Sts Cost  Bridge ID            Port ID
-------------------- ------- ---- ----- --- ----- -------------------- -------
FastEthernet0/47     128.55   128    19 FWD     0 12288 c42c.3f2c.0000 128.53
FastEthernet0/48     128.56   128    19 BLK     0 12288 c42c.3f2c.0000 128.54

There are actually two links from se1 to sd1 in each Building. We will use these two links later on in this lab exercise.

Notice how one link is in Forwarding Mode, and the other link is in Blocking Mode. This is so we do not have a loop between the se1 and sd1 switches. If spanning tree is turned off between these two switches, we end up with a loop, traffic would not be forwarded, and the CPU load on the switches would go to 100%.

Disabling STP

WARNING: Don't try this on a production network!

We will disable spanning tree to see what effect that has by typing:

no spanning-tree vlan 1

Can the switches ping each other reliably now? Why?

Watch the port counters on the inter-switch links.

show interface stats

What happens with the counters of the connected interfaces? What is going on?

Very quickly enable STP again on all switches:

spanning-tree vlan 1

This is known as a Broadcast Storm

WARNING: Don't try this on a production network!

Simulate a backbone failure

Disconnect sd1-b1-campusX from the rest of the network:

interface range fastEthernet 0/45 - 48

While it is cut off from the rest, verify spanning tree status on the other switches.

a. Who is the root now?

b. Verify port roles and status. Verify connectivity with ping.

Reconnect sd1-b1-campusX:

interface range fastEthernet 0/45 - 48
 no shutdown

What happens to the spanning tree when the switch comes back online?


We now want to segment the network to separate STAFF traffic from STUDENT and network management traffic. Each of these segments will be a separate subnet.

Configure the switches with a MGMT vlan.

VTP (VLAN Trunking Protocol) is a proprietary Cisco technology that allows for dynamic VLAN provisioning. We will not use it here.

Disable VTP by setting it to 'transparent mode':

vtp mode transparent

Add the vlan to the VLAN database on each switch and give them names to better identify them:

In Building 1:

vlan 41
 name MGMT1

In Building 2:

vlan 42
 name MGMT2

IMPORTANT: Make sure you've done this step before you go to step 3.

Move the IP address to the MGMT vlan

We originally set the switches so that we were using vlan 1 to manage them. It's better to manage them using a separate vlan.

In Building 1:

interface vlan 1
 no ip address
 no ipv6 address 2001:db8:X:3::Y/64
interface vlan 41
 ip address 172.2X.0.Y
 ipv6 address 2001:db8:X:3::Y/64
 no shutdown

In Building 2:

interface vlan 1
 no ip address
 no ipv6 address 2001:db8:X:4::Y/64
interface vlan 42
 ip address 172.2X.0.Y
 ipv6 address 2001:db8:X:4::Y/64
 no shutdown

Verify connectivity between switches. Can you ping? What's missing?

Configure trunk ports. Do the following for each port that needs to tag VLAN frames. For example:

interface FastEthernet0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk

Note 1: The Cisco default is to use dot1q encapsulation (rather than the Cisco proprietary ISL). But we include the dot1q command in the configuration in any case.

Note 2: Check the table at the start of this lab to see which ports you need to modify. sd1-b1-campusX and sd1-b2-campusX are each connected to the core router, r1-core-campusX. These ports will also need to be configured as trunks.

Try pinging between switches again. It should work now.

Set up the default gateway on the switches

The switches need a default route added to them so that they can forward traffic to Network Monitoring and Management server we will configure later. On each switch we add this route to forward traffic to the Core router. These switches have different software versions and there are two possible options.

Building 1


ip route 172.2X.0.1
ipv6 route ::/0 2001:db8:X:3::1

If the IPv4 route doesn't work try:

ip default-gateway 172.2X.0.1

Building 2


ip route 172.2X.0.17
ipv6 route ::/0 2001:db8:X:4::1

If the IPv4 route doesn't work try:

ip default-gateway 172.2X.0.17

Configure the switches with STAFF and STUDENT vlans.

Add the VLANs to the VLAN database on each switch and give them names to better identify them:

In Building 1:

vlan 51
 name STAFF1
vlan 61
 name STUDENT1

In Building 2:

vlan 52
 name STAFF2
vlan 62
 name STUDENT2

Designate 5 edge ports each for STAFF and STUDENT VLAN access:

On the edge (se) switches only (example is for Building 1):

interface range Fast0/1 - 5
 description Access port 51 STAFF
 switchport mode access
 switchport access vlan 51
interface range Fast0/6 - 10
 description Access port 61 STUDENT
 switchport mode access
 switchport access vlan 61

Verify which ports are members or trunks of each vlan:

show vlan-switch id <VLAN ID>

Imagine that there are computers connected to the STAFF VLAN. Would they be able to ping the switch? Explain your response.

Check the spanning tree status

Verify the Spanning Tree status:

show spanning-tree

Notice the root and bridge priorities on each VLAN (1,41,51,61) and (1,42,52,62). Are they the same?

Use the table in Appendix A to set the correct priority for each VLAN.

Note: This is called “Per-VLAN spanning tree”, or PVST. This means that the switches are creating 4 separate trees, each with its own parameters, status, calculations, etc. Imagine if you had several hundred VLANs! This is certainly not ideal. There are better standards, like “Multiple Spanning Tree” (MST), that allow the administrator to create only the desired number of trees, and map groups of VLANs to each tree.

STP Extended Features


PortFast is a feature that allows end-user stations to be granted instant access to the L2 network. Instead of starting at the bottom of the Blocking-Listening- Learning-Forwarding hierarchy of states (30 seconds!), Portfast starts at the top. The port starts in Forwarding state, and if a loop is detected, STP does all its calculations and blocks the necessary ports. This feature should only be applied to ports that connect end-user stations.

Configure end-user ports on the edge (se) switches to be in PortFast mode:

interface range fast0/1 - 10
 spanning-tree portfast


With PortFast, end-user ports still participate in STP. That means that anything connected to those ports can send BPDUs and participate in (and affect the status of) the spanning tree calculations. For example, if the device connected to the edge port is configured with a lower bridge priority, it becomes the root switch and the tree topology becomes suboptimal.

Another useful Cisco feature that avoids this situation is BPDUGuard. At the reception of BPDUs, the BPDU guard operation disables the port that has PortFast configured.

Enable BPDUGuard on all ports with PortFast enabled:

spanning-tree portfast bpduguard

Port Bundling

We now want more capacity and link redundancy between the aggregation switches. The network diagram has been updated below to include a second link between the distribution switch and the first edge switch in each building.

Configure a Port Channel between sd1-bN-campusX and se1-bN-campusX (so, for example, between sd1-b1 and se1-b1, and between sd1-b2 and se1-b2, etc). Don't forget that we need to make the Port Channel interface a trunk port too - the Aggregated Link interface (known as a LAG - Link Aggregation Group) has to be of the same type as the original underlying interfaces.

On sd1-bN-campusX:

interface fast 0/46
 description First Link to se1-bN-campusX
 switchport mode trunk
interface fast 0/47
 description Second Link to se1-bN-campusX
 switchport mode trunk
interface port-channel 1
 description sd1-bN-campusX to se1-bN-campusX aggregate link
 switchport mode trunk
interface range fast0/46 - 47
 channel-group 1 mode on

On se1-bN-campusX:

interface fast 0/47
 description First Link to sd1-bN-campusX
 switchport mode trunk
interface fast 0/48
 description Second Link to sd1-bN-campusX
 switchport mode trunk
interface port-channel 1
 description sd1-bN-campusX to se1-bN-campusX aggregate link
 switchport mode trunk
interface range fast0/47 - 48
 channel-group 1 mode on

Verify the status:

show interface port-channel 1

What capacity do you have now on the new trunk? Hint: Look for the line that says BW … Kbit/sec

Disable one of the ports in the bundle on sd1-b1-campusX:

interface fast 0/46

Is the channel still up?

Enable it again:

interface fast 0/46
 no shutdown

Note: There is a standard protocol for port bundling. It's called “LACP” (Link Aggregation Control Protocol). All modern switches support LACP, so we strongly recommend using that, instead of any proprietary versions.

Appendix A - Spanning Tree Configuration

Refer to this priority table below for the appropriate priorities on each switch.

0Core NodeThe core switches/routers will not be participating in STP... reserved in case they ever are
4096Redundant Core NodeDitto
12288Building Backbone(sd1-b1-campusX; sd1-b2-campusX)
16384Redundant Backbones
20480Secondary BackboneThis is for building complexes
24576Access SwitchesThis is the normal edge-device priority (se1-b1-campusX; se2-b1-campusX; se1-b2-campusX; se2-b2-campusX)
28672Access SwitchesUsed for access switches that are daisy-chained from another access switch. We're using this terminology instead of "aggregation switch" because it's hard to define when a switch stops being an access switch and becomes an aggregation switch.
32768DefaultNo managed network devices should have this priority.
master/cnd/l2-net-design-alt.txt · Last modified: 2016/03/24 10:12 by philip