Enterprise Network on GNS3 - Part 2 - Access Layer

This is the second article in a series that discusses the complete configuration of an enterprise network. Our enterprise campus network consists of the core, distribution and access layers. This network infrastructure design is called the three-tier network model, and each layer has a specific function. The access layer provides end users with access to the network. There are two access switches located in the access layer. The access switches OpenSwitch-Acc-I and OpenSwitch-Acc-II are OpenSwitch Qemu appliances installed on VMware VMDK disks. The switches run OpenSwitch network OS version 0.4.0 and GNS3 assigns 1024 MB of memory to each of them. More details about building an OpenSwitch appliance prior to version 2.0 can be found here.

The ports Ethernet 3 and 4 on both switches are configured as access ports and connect PC1 and PC4 to the campus network. The ports Ethernet 1 and Ethernet 2 are uplinks that connect the access switches to the distribution switches. They are configured as trunk ports carrying traffic from multiple VLANs. Thanks to the redundant uplink connection, the access switches remain connected to the upper layer even if one of the distribution switches fails.

Picture 1 - Access Switches Connected to Distribution Layer

End user computers are assigned to VLANs 10, 20, 30 and 40. Thanks to VLAN segmentation, user traffic is sent to the distribution layer without being spread across the other access switches in the campus. PC4 is connected to the port Ethernet 4, which is assigned to the management VLAN 40. Management of the access switches is provided by connecting the management port Ethernet0 to the port Ethernet6 of the respective distribution switch. Both ports are configured as routed (layer 3) ports and have IP addresses assigned from a subnet with a /30 mask.

The Switch Virtual Interface (SVI) created on both access switches allows them to synchronize their time with the NTP server running on the appliance Server1 (172.16.50.1) in the Data Center (DC). The switches also send logs to the syslog-ng server installed on the same appliance.

Note: The configuration files of both access switches are: OpenSwitch-Acc-I and OpenSwitch-Acc-II.

1. OpenSwitch-Acc-I Configuration

Log in to the OpenSwitch-Acc-I appliance with the default username netop and the password netop. As a first step, we will change the hostname.

switch# conf t
switch(config)# hostname OpenSwitch-Acc-I

1.1 VLANs Configuration

VLANs 10 and 20 are end user VLANs. VLAN 999 is a "parking" VLAN that is configured on ports that are not in use. If someone accidentally brings a disabled switchport up, the connection still does not work, because VLAN 999 is not allowed on the uplink trunk ports.

OpenSwitch-Acc-I(config)# vlan 10
OpenSwitch-Acc-I(config-vlan)# no shutdown
OpenSwitch-Acc-I(config)# vlan 20
OpenSwitch-Acc-I(config-vlan)# no shutdown
OpenSwitch-Acc-I(config)# vlan 999
OpenSwitch-Acc-I(config-vlan)# no shutdown
OpenSwitch-Acc-I(config-vlan)# exit

Note: If you encounter a strange connectivity problem that you cannot troubleshoot, restarting the VLAN concerned might help.

1.2 IP Address and Trunk Port Configuration

In order to access the switches remotely, we have to configure the appropriate IP address and mask on the management port. The management port mgmt is the only interface that is present in the underlying Yocto Linux (except the loopback). However, it can be conveniently configured using the OpenSwitch CLI.

OpenSwitch-Acc-I(config)# interface mgmt
OpenSwitch-Acc-I(config-if-mgmt)# ip static 10.1.1.9/30
OpenSwitch-Acc-I(config-if-mgmt)# default-gateway 10.1.1.10
OpenSwitch-Acc-I(config-if-mgmt)# nameserver 172.16.50.1
OpenSwitch-Acc-I(config-if-mgmt)# exit

The access switch OpenSwitch-Acc-I has an SVI for VLAN 20 configured. It allows the switch to reach Server1 located in the DC.

OpenSwitch-Acc-I(config)# interface vlan 20
OpenSwitch-Acc-I(config-if-vlan)# ip address 192.168.20.250/24
OpenSwitch-Acc-I(config-if-vlan)# no shutdown
OpenSwitch-Acc-I(config-if-vlan)# exit

OpenSwitch-Acc-I(config)# int eth1
OpenSwitch-Acc-I(config-if)# no routing
OpenSwitch-Acc-I(config-if)# vlan trunk allowed 10,20
OpenSwitch-Acc-I(config-if)# no shutdown

OpenSwitch-Acc-I(config-if)# int eth2
OpenSwitch-Acc-I(config-if)# no routing
OpenSwitch-Acc-I(config-if)# vlan trunk allowed 10,20
OpenSwitch-Acc-I(config-if)# no shutdown

OpenSwitch-Acc-I(config-if)# int eth3
OpenSwitch-Acc-I(config-if)# no routing
OpenSwitch-Acc-I(config-if)# vlan access 10
OpenSwitch-Acc-I(config-if)# no shutdown

OpenSwitch-Acc-I(config-if)# int eth4
OpenSwitch-Acc-I(config-if)# no routing
OpenSwitch-Acc-I(config-if)# vlan access 20
OpenSwitch-Acc-I(config-if)# no shutdown

Secure the unused interfaces by assigning them to the parking VLAN 999 and shutting them down.

OpenSwitch-Acc-I(config-if)# int eth5
OpenSwitch-Acc-I(config-if)# no routing
OpenSwitch-Acc-I(config-if)# vlan access 999
OpenSwitch-Acc-I(config-if)# shutdown

OpenSwitch-Acc-I(config-if)# int eth6
OpenSwitch-Acc-I(config-if)# no routing
OpenSwitch-Acc-I(config-if)# vlan access 999
OpenSwitch-Acc-I(config-if)# shutdown

OpenSwitch-Acc-I(config-if)# int eth7
OpenSwitch-Acc-I(config-if)# no routing
OpenSwitch-Acc-I(config-if)# vlan access 999
OpenSwitch-Acc-I(config-if)# shutdown
OpenSwitch-Acc-I(config-if)# exit

To allow the access switch to reach the NTP and syslog server in the DC, we have to create a static default route on the switch.

OpenSwitch-Acc-I(config)# ip route 0.0.0.0/0 192.168.20.254

1.3 NTP Configuration

OpenSwitch-Acc-I(config)# ntp server 172.16.50.1
OpenSwitch-Acc-I(config)# timezone set europe/bratislava

Picture 2 - Time Synchronization with NTP Server 172.16.50.1

1.4 Logging

Logs are sent to the syslog-ng server 172.16.50.1 and stored in the directory /var/log/syslog-ng/192.168.20.250/. We collect log messages with severity notice (level 2) and above (0 - debug, 7 - emergency).

OpenSwitch-Acc-I(config)# logging 172.16.50.1 severity notice
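As an added example (not part of the original article, and not OpenSwitch tooling), the following Python audit checks a saved running configuration for the hardening points made in sections 1.1 to 1.4: the parking VLAN 999 kept off the uplink trunks, parked ports explicitly shut down, and NTP plus remote logging present. The configuration text is constructed from the commands above with two deliberate mistakes; the indentation-based line format the parser expects is an assumption.

```python
PARKING_VLAN = 999
TRUNK_PORTS = {"eth1", "eth2"}  # uplinks to the distribution layer
# Constructed running-config excerpt (not from a real switch); eth2 and eth5 are deliberately wrong.
SAMPLE_CONFIG = """\
interface eth1
    vlan trunk allowed 10,20
    no shutdown
interface eth2
    vlan trunk allowed 10,20,999
    no shutdown
interface eth5
    vlan access 999
interface eth7
    vlan access 999
    shutdown
ntp server 172.16.50.1
logging 172.16.50.1 severity notice
"""
def parse_interfaces(config):
    """Map each interface to its access VLAN, allowed trunk VLANs and admin state."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"access": None, "trunk": set(), "shutdown": None})
        elif cur is None or not raw[:1].isspace():
            cur = None  # a top-level command ends the interface block
        elif line == "shutdown":
            cur["shutdown"] = True
        elif line == "no shutdown":
            cur["shutdown"] = False
        elif line.startswith("vlan access "):
            cur["access"] = int(line.split()[2])
        elif line.startswith("vlan trunk allowed "):
            cur["trunk"] = {int(v) for v in line.split()[3].split(",")}
    return ifaces

def audit(config):
    """Return sorted findings; an empty list means every check passed."""
    findings = []
    for name, i in parse_interfaces(config).items():
        if name in TRUNK_PORTS and PARKING_VLAN in i["trunk"]:
            findings.append(f"{name}: parking VLAN {PARKING_VLAN} allowed on uplink trunk")
        if i["access"] == PARKING_VLAN and i["shutdown"] is not True:
            findings.append(f"{name}: parked in VLAN {PARKING_VLAN} but not shut down")
    for cmd, msg in (("ntp server ", "no NTP server configured"),
                     ("logging ", "no remote syslog destination configured")):
        if not any(l.startswith(cmd) for l in config.splitlines()):
            findings.append(msg)
    return sorted(findings)
```

Running audit(SAMPLE_CONFIG) reports eth2 and eth5; fixing those two lines makes the list empty.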

1.5 Password Configuration

Even though OpenSwitch version 4.0.0 supports RADIUS client configuration, I was not successful with remote login authentication using a RADIUS server. Therefore we will only change the passwords of the default local accounts. To do so we need to switch to the underlying Yocto Linux OS. Log in as root (no password is set) and change the passwords to cisco for all the accounts below.

root@OpenSwitch-Acc-I:~# passwd root
root@OpenSwitch-Acc-I:~# passwd admin
root@OpenSwitch-Acc-I:~# passwd netop

2. OpenSwitch-Acc-II Configuration

The configuration of the switch OpenSwitch-Acc-II is similar to the configuration of the switch OpenSwitch-Acc-I. Therefore I only share the configuration without further explanation.

3. PCs Configuration

PC4 is used for the administration of the network devices in the topology, therefore it has a statically configured IP address. The other PCs have their IP addresses assigned by the DHCP server 172.16.50.1. All PCs are Core Linux Qemu appliances running Core Linux 6.3, with 64 MB of RAM assigned by GNS3. Below is the static IP address configuration for PC4.

$ vim /opt/bootlocal.sh

hostname PC4
ifconfig eth0 192.168.40.1 netmask 255.255.255.0
route add default gw 192.168.40.254
echo "nameserver 172.16.50.1" > /etc/resolv.conf

To save the configuration so that it survives a reboot, we need to enter the command below.

$ /usr/bin/filetool.sh -b


5 thoughts on “Enterprise Network on GNS3 - Part 2 - Access Layer”

  1. Excellent contribution to learn, I didn't know OpenSwitch is so powerful. Waiting for the remaining posts of this series.
