Enterprise Network on GNS3 - Part 3 - Distribution and Core Layers

This is the third from the series of the articles that discuss configuration of the entire enterprise network. The article focuses on the configuration of the distribution and core switches. The distribution layer consists of two multilayer switches vEOS-DIS-I and vEOS-DIS-II. The switches are Arista vEOS version 4.17.2F Qemu appliances installed on VMware disks. Each appliance has assigned 1536 MB RAM.

The distribution switches route traffic between end user VLANs and they connect the lower layer network to a Core layer. The layer 3 (routed) interfaces connect both distribution switches to each other and to the Core switches.  The interfaces toward the Access layer are layer 2 (switchports). The OSPF routing protocol is running on the distribution switches so there is only l3 connectivity between distribution and core layer.

Picture 1 - Distribution and Core Layers of Enterprise Campus Network

Note: The configuration files of the distribution switches are: vEOS-DIS-I and  vEOS-DIS-II.

The core layer consists of the switches vIOS-Core-I and vIOS-Core-II. These are the Cisco vIOS-l2 Qemu appliances on qcow2 disks, version 15.2. Each switch has assigned 768 MB RAM by GNS3. The core layer is completely layer3. It si connected to the lower distribution layer with l3 P2P links configured with the IP addresses from the subnet 10.0.0.0/24.  The core switches connect distribution and access layers to Cisco Adaptive Security Virtual Appliance (ASAv) configured with the IP addresses from the subnet 172.16.0.0/24.

Note: The configuration files of the core switches are: vIOS-Core-I and vIOS-Core-II.

1. Distribution Switch vEOS-DIS-I Configuration

Login to the Arista appliance with a default username admin, no password is set. The EOS CLI is Cisco like. As a first step, configure the hostname.

1.1. vEOS-Dis-I Configuration

localhost> en
localhost# conf t
localhost(config)# hostname vEOS-Dis-I

1.2 Vlan Configuration

vEOS-Dis-I(config)# vlan 10
vEOS-Dis-I(config-vlan-10)# vlan 20
vEOS-Dis-I(config-vlan-20)# vlan 30
vEOS-Dis-I(config-vlan-30)# vlan 40
vEOS-Dis-I(config-vlan-40)# exit

1.3 IP Address and Trunk Port Configuration

Assign the IP address 10.1.1.1/32 from the subnet 10.1.1.0/24 to the loopback interface . The interface is used for switch management.

vEOS-Dis-I(config)# interface loopback 0
vEOS-Dis-I(config-if-Lo0)# ip address 10.1.1.6/32

Now configure trunk ports. Trunk ports are layer2 interfaces (switchports) that carry traffic from multiple VLANs. Ethernet ports Eth4 and Eth5 are configured as trunks on both distribution switches.

vEOS-Dis-I(config)# interface eth4
vEOS-Dis-I(config-if-Et4)# description Link to OpenSwitch-Acc-I
vEOS-Dis-I(config-if-Et4)# switchport
vEOS-Dis-I(config-if-Et4)# switchport mode trunk
vEOS-Dis-I(config-if-Et4)# switchport trunk allowed vlan 10,20
vEOS-Dis-I(config-if-Et4)# no shutdown
vEOS-Dis-I(config-if-Et4)# exit

vEOS-Dis-I(config)# interface eth5
vEOS-Dis-I(config-if-Et5)# description Link to OpenSwitch-Acc-II
vEOS-Dis-I(config-if-Et5)# switchport
vEOS-Dis-I(config-if-Et5)# switchport mode trunk
vEOS-Dis-I(config-if-Et5)# switchport trunk allowed vlan 30,40
vEOS-Dis-I(config-if-Et5)# no shutdown
vEOS-Dis-I(config-if-Et4)# exit

The ports Eth6 on the both distribution switches are the layer3 (routed) interfaces that connect the management port of the particular access switch to the network. They have the IP addresses assigned from the network 10.1.1.0/24.

vEOS-Dis-I(config)# interface eth6
vEOS-Dis-I(config-if-Et6)# description Link to Management OpenSwitch-Acc-I
vEOS-Dis-I(config-if-Et6)# no switchport
vEOS-Dis-I(config-if-Et6)# ip address 10.1.1.10/30
vEOS-Dis-I(config-if-Et6)# no shutdown
vEOS-Dis-I(config-if-Et6)# exit

The port eth3 is a routed port between distribution switches. As the port is layer3, there is not a a loop for Ethernet frames thus STP is not needed. All point-to-point (p2p) links in the campus netwrok have IP addresses assigned from the subnet 10.0.0.0/24.

vEOS-Dis-I(config)# interface eth3
vEOS-Dis-I(config-if-Et3)# description Link to vEOS-Dis-II
vEOS-Dis-I(config-if-Et3)# no switchport
vEOS-Dis-I(config-if-Et3)# ip address 10.0.0.1/30
vEOS-Dis-I(config-if-Et3)# no shutdown
vEOS-Dis-I(config-if-Et3)# exit

The ports Eth1 and Eth2 connect a distribution switch to the core switches vIOS-Core-I and vIOS-Core-II.

vEOS-Dis-I(config)# interface eth1
vEOS-Dis-I(config-if-Et1)# description Link to vIOS-Core-II
vEOS-Dis-I(config-if-Et1)# no switchport
vEOS-Dis-I(config-if-Et1)# ip address 10.0.0.21/30
vEOS-Dis-I(config-if-Et1)# no shutdown
vEOS-Dis-I(config-if-Et1)# exit

vEOS-Dis-I(config)# interface eth2
vEOS-Dis-I(config-if-Et2)# description Link to vIOS-Core-I
vEOS-Dis-I(config-if-Et2)# no switchport
vEOS-Dis-I(config-if-Et2)# ip address 10.0.0.9/30
vEOS-Dis-I(config-if-Et2)# no shutdown
vEOS-Dis-I(config-if-Et2)# exit

Shutdown and describe unused Interfaces to prevent connect another network device accidentally.

vEOS-Dis-I(config)# interface eth7
vEOS-Dis-I(config-if-Et7)# desc Unused
vEOS-Dis-I(config-if-Et7)# shutdown
vEOS-Dis-I(config-if-Et7)# exit

1.4 Switch Virtual Interfaces and IP Addresses Configuration

We have to create SVI interfaces on both switches and assign particular IP addresses to SVI in order to route between VLAN subnets. The switch vEOS-Dis-I has the IP address 192.168.x.253/24 configured on the interface SVI10, 20, 30 and 40, where x is the VLAN_ID.

vEOS-Dis-I(config)# interface vlan 10
vEOS-Dis-I(config-if-Vl10)# ip address 192.168.10.253/24
vEOS-Dis-I(config-if-Vl10)# no shutdown
vEOS-Dis-I(config-if-Vl10)# exit

vEOS-Dis-I(config)# interface vlan 20
vEOS-Dis-I(config-if-Vl20)# ip address 192.168.20.253/24
vEOS-Dis-I(config-if-Vl20)# no shutdown
vEOS-Dis-I(config-if-Vl20)# exit

vEOS-Dis-I(config)# interface vlan 30
vEOS-Dis-I(config-if-Vl30)# ip address 192.168.30.253/24
vEOS-Dis-I(config-if-Vl30)# no shutdown
vEOS-Dis-I(config-if-Vl30)# exit

vEOS-Dis-I(config)# interface vlan 40
vEOS-Dis-I(config-if-Vl40)# ip address 192.168.40.253/24
vEOS-Dis-I(config-if-Vl40)# no shutdown
vEOS-Dis-I(config-if-Vl40)# exit

Note: The same SVI interfaces are configured with the IP address 192.168.x.252/24 on the switch vEOS-DIs_II.

1.5 OSPF Protocol and Authentication Configuration

Enable IP routing on the switch with the command below.

vEOS-Dis-I(config)# ip routing

We need to configure Open Shortest Path First (OSPF) to ensure that routes are propagated inside the campus and DC network. However routing updates should be to suppressed  on the trunk ports, SVI interfaces and connected management interface of the Access switch. For this reason we configure the interfaces as passive interfaces. Thanks to it, OSPF Hello messages are not sent out of these ports thus adjacency is not formed. This measue also saves CPU cycles of the switch.

vEOS-Dis-I(config)# router ospf 1
vEOS-Dis-I(config-router-ospf)# router-id 10.1.1.6
vEOS-Dis-I(config-router-ospf)# network 10.1.1.6/32 area 0
vEOS-Dis-I(config-router-ospf)# network 10.1.1.8 0.0.0.3 area 0
vEOS-Dis-I(config-router-ospf)# network 10.0.0.0/30 area 0
vEOS-Dis-I(config-router-ospf)# network 10.0.0.20/30 area 0
vEOS-Dis-I(config-router-ospf)# network 10.0.0.8/30 area 0
vEOS-Dis-I(config-router-ospf)# network 192.168.10.0/24 area 0
vEOS-Dis-I(config-router-ospf)# network 192.168.20.0/24 area 0
vEOS-Dis-I(config-router-ospf)# network 192.168.30.0/24 area 0
vEOS-Dis-I(config-router-ospf)# network 192.168.40.0/24 area 0
vEOS-Dis-I(config-router-ospf)# passive-interface ethernet 4
vEOS-Dis-I(config-router-ospf)# passive-interface ethernet 5
vEOS-Dis-I(config-router-ospf)# passive-interface Ethernet 6
vEOS-Dis-I(config-router-ospf)# passive-interface vlan 10,20,30,40

The password authentication for OSPF neighbors using Message-Digest algorithm 5 (MD5) is configured in order exchange routing updates in a secure manner. To avoid Designated Router (DR) and Backup DR (BDR) election on routed p2p Ethernet links between distribution and Core layer and between distribution switches themsleves, we have to tune OSPF. We will change the default OSPF broadcast network type to OSPF Point-to-Point type. It will reduce the time needed for establishing adjacency because election of the DR and BDR is not performed in this case.

vEOS-Dis-I(config)# interface eth1
vEOS-Dis-I(config-if-Et1)# ip ospf authentication message-digest
vEOS-Dis-I(config-if-Et1)# ip ospf message-digest-key 1 md5 #MyPass!034
vEOS-Dis-I(config-if-Et1)# ip ospf network point-to-point

vEOS-Dis-I(config-if-Et1)# int eth2
vEOS-Dis-I(config-if-Et2)# ip ospf authentication message-digest
vEOS-Dis-I(config-if-Et2)# ip ospf message-digest-key 1 md5 #MyPass!034
vEOS-Dis-I(config-if-Et2)# ip ospf network point-to-point

vEOS-Dis-I(config-if-Et2)# int eth3
vEOS-Dis-I(config-if-Et3)# ip ospf authentication message-digest
vEOS-Dis-I(config-if-Et3)# ip ospf message-digest-key 1 md5 #MyPass!034
vEOS-Dis-I(config-if-Et3)# ip ospf network point-to-point

Picture 2 - Checking OSPF Neighbor Adjacency

1.6 VRRP  Configuration

The Virtual Router Redundancy Protocol (VRRP) is an election protocol that provides automatic assignment of the IP address one of the VRRP routers on the LAN. The VRRP router controlling the IP address associated with a virtual router is called the Master. The Master forwards packets sent to this IP address. The switch vEOS-DIS-I is a Master for the VLAN10 and 20 and it forwards packets that are sent to the IP address 192.168.10.254 and 192.168.20.254 (default gateway). It also acts as a VRRP Backup router for the VLAN30 and 40, forwarding packets from these VLANs in case the Master server (vEOS-DIS-II)  fails. Similarly, the vEOS-DIS-II is a Master server for VLAN30 and 40 and the Backup server for VLANs 10 and 20. The priority configured for a VRRP router determines whether the router becomes a Master. The router with a higher priority has the higher probability to be elected as  Master router.  The switch vEOS-DIS-I has configured VRRP priority 150 for the SVI interfaces 10 and 20, while the switch vEOS-DIS-II uses the default priority 100 for these interfaces. For this reason, the switch vEOS-DIS-I wins an election process and becomes a Master for the VLANs 10 and 20.

Note: The switch VRRP virtual IP addresses (192.168.x.254, where x is VLAN ID) are the default gateway IP addresses and they are assigned by DHCP server to clients.

vEOS-Dis-I(config)# interface vlan 10
vEOS-Dis-I(config-if-Vl10)# vrrp 10 priority 150
vEOS-Dis-I(config-if-Vl10)# vrrp 10 ip 192.168.10.254
vEOS-Dis-I(config-if-Vl10)# vrrp 10 authentication ietf-md5 key-string MiKei10!

vEOS-Dis-I(config)# interface vlan 20
vEOS-Dis-I(config-if-Vl20)# vrrp 20 priority 150
vEOS-Dis-I(config-if-Vl20)# vrrp 20 ip 192.168.20.254
vEOS-Dis-I(config-if-Vl20)# vrrp 20 authentication ietf-md5 key-string Mikei10!

vEOS-Dis-I(config)# interface vlan 30
vEOS-Dis-I(config-if-Vl30)# vrrp 30 priority 100
vEOS-Dis-I(config-if-Vl30)# vrrp 30 ip 192.168.30.254
vEOS-Dis-I(config-if-Vl30)# vrrp 30 authentication ietf-md5 key-string MiKei10!

EOS-Dis-I(config)# interface vlan 40
vEOS-Dis-I(config-if-Vl40)# vrrp 40 priority 100
vEOS-Dis-I(config-if-Vl40)# vrrp 40 ip 192.168.40.254
vEOS-Dis-I(config-if-Vl40)# vrrp 40 authentication ietf-md5 key-string MiKei10!

Note: We also configure MD5 authentication in order to avoid rogue VRRP server to participate in an election process and potentially become a Master. This is prevention against Man-in-the-Middle attack.

Picture 3 - Checking VRRP States

1.7 NTP Configuration

The time is synchronized with NTP server running on the Server1 (172.16.50.1).

vEOS-Dis-I(config)# ntp server 172.16.50.1
vEOS-Dis-I(config)# clock timezone Europe/Bratislava
vEOS-Dis-I(config)# ntp source loopback 0

Picture 4 - Checking NTP Synchronization Status

1.8 IP Helper Address Configuration

The DHCP server for the PCs assigned to VLANs 10, 20 and 20 is running on the Server1 (172.16.50.1). The DHCP is located in the different subnets than PCs. For this reason we have to enable DHCP relay agent on the SVI interfaces with the command ip helper-address. The command enables the DHCP broadcast to be forwarded to the configured DHCP server as unicasts.

vEOS-Dis-I(config)# interface vlan 10
vEOS-Dis-I(config-if-Vl10)# ip helper-address 172.16.50.1
vEOS-Dis-I(config-if-Vl10)# exit
vEOS-Dis-I(config)# interface vlan 20
vEOS-Dis-I(config-if-Vl20)# ip helper-address 172.16.50.1
vEOS-Dis-I(config-if-Vl20)# exit
vEOS-Dis-I(config)# interface vlan 30
vEOS-Dis-I(config-if-Vl30)# ip helper-address 172.16.50.1
vEOS-Dis-I(config-if-Vl20)# exit

Note: We do not need to configure IP helper address for an interface Vlan40 as all the devices in Management VLAN40 have statically configured IP addresses.

1.9 DNS Server Configurations

vEOS-Dis-I(config)# ip name-server 172.16.50.1

Picture 5 - Checking DNS Configuration Pinging Cisco.com

1.10 Radius Client Configuration

We use Remote Authentication Dial-In User Service (RADIUS) for centralized authentication of user logging to network devices. The Radius server is running on Server1 (172.16.50.1). First, we create a local user with full access in case RADIUS server is not reachable.

vEOS-Dis-I(config)# username admin privilege 15 secret cisco

We will do the same for access to a privileged exec mode.

vEOS-Dis-I(config)# enable secret cisco

A RADIUS server and a Cisco router use a shared secret text string to encrypt passwords and exchange responses. To configure RADIUS to use the AAA security commands, we must specify the host running the RADIUS server daemon and a secret text (key) string that it shares with the router.

vEOS-Dis-I(config)# radius-server host 172.16.50.1 auth-port 1812 acct-port
vEOS-Dis-I(config)# radius-server key test123

Define a source interface.

vEOS-Dis-I(config)# ip radius source-interface loopback 0

Define login method. Radius will be used first and if it is not available  a local user authentication is used instead.

vEOS-Dis-I(config)# aaa authentication login default group radius local

Enable privileged exec mode authentication. First, we are authenticated against the privileged exec password defined in Radius server. If Radius server is not available then locally configured privileged exec password authentication will be used.

vEOS-Dis-I(config)# aaa authentication enable default group radius local

To use Radius server for login to console and VTY we need to enable authorization for console and for exec terminal session.

vEOS-Dis-I(config)# aaa authorization console
vEOS-Dis-I(config)# aaa authorization exec default group radius local

To see the current logged in users and their user-roles use the command show aaa sessions. The username raadmin defined on RADIUS server is logged.

Picture 6 - Checking Logged Users when RADIUS Is Reachable  

Now we will use the same command when RADIUS server is not reachable. In this case a local user admin is used for logging to console of the switch.

Picture 7 -Checking Logged Users when RADIUS Is Not Reachable  

1.11 Logging Configuration

To ensure that logs are stored on a centralized syslog-ng server running on Server1 (172.16.50.1) we will configured following:

Set syslog server logging level 5 - notification.

vEOS-Dis-I(config)# logging trap notifications

Set syslog server IP address and parameters.

vEOS-Dis-I(config)# logging host 172.16.50.1

Configure logging source interface.

vEOS-Dis-I(config)# logging source-interface Loopback0

Log messages are stored in the directory /var/log/syslog-ng/10.1.1.6/. We collect log messages with the severity notice level 5 and lower (0 - system unusable, 7 - debug).

2. Distribution Switch vEOS-DIS-II Configuration

The configuration of the second distribution switch vEOS-DIS-II is similar to the configuration of the switch vEOS-DIS-I. Therefore I only share the configuration of the switch without further explanation.

3. Core Switches vIOS-Core-I and vIOS-Core-II Configuration

The configuration of the both core switches is  straightforward so it does not need any explanation. For his reason, I have just attached the configuration files at the begging of the tutorial.

Share

Leave a comment

Your email address will not be published. Required fields are marked *