A Vlan access-map is placed on the whole Vlan, which means that the incoming and outgoing traffic in a Vlan are filterd by the VLan access-map. We can apply a VLAN access-map to a Layer3 access-list and also to a mac access-list.

We know that the usual access control list (ACL), which is the most well known concept, has an implied DENY IP ANY ANY at the end. Of course, a VACL has the same implied deny statement, but this is not recommended, as we will see next.

Because a normal ACL checks only Layer 3 packet traffic, therefore it doesn’t block Layer 2 protocols like STP, VTP, ARP etc. On the other hand, a VLAN access-map blocks L2 protocols (in addition to Layer3), if we don’t explicitly allow them. That’s why it’s recommended to have an implicit deny all at the end.

Looking now at the details, let’s consider the following example: we have two Routers R1 and R2 which are in the same VLAN (Broadcast Domain) and they are connected to each other via a switch as shown below. Let’s block only Telnet protocol from R1 and permit all the rest.

Before starting configuration, let’s check if telnet works from R1.

R1#telnet 192.168.10.2
Trying 192.168.10.2 … Open

User Access Verification

Password:

R1#quit

[Connection to 192.168.10.2 closed by foreign host]
R1#

As we see, telnet is working, so now let’s start the VLAN access-map configuration which will block telnet and permit everything else.

!Create access-list, by which interesting traffic will be matched. As I’ve already said, the principle of VLAN access-map config is similar to the route-map working principle. Later we snap this access-list to a VLAN access-map.

switch(config)#ip access-list extended  restrict_telnet_R2
switch(config-ext-nacl)#permit tcp host 192.168.10.1 host 192.168.10.2 eq 23

After this we’ll create a vlan access-map, which has two main parameters: action and match.

Match: by this parameter the interesting traffic is matched and here RACL or MAC ACL can be applied as well.

Action: what to do with matched traffic. Two main parameters exist: Drop and Forward. In case of Drop, matched traffic will be dropped, and in case of forward, matched traffic will be allowed. Also, on High-End devices, a Redirect and Capture parameters also exist in the Action statement.

In our case we must block matched traffic and permit all the rest.
switch(config-ext-nacl)#vlan access-map VACL 10
switch(config-access-map)#action drop
switch(config-access-map)#match ip address restrict_telnet_R2
switch(config-access-map)#vlan access-map VACL 20
switch(config-access-map)#action forward
switch(config-access-map)#exit

After creating the VLAN access-map, it should be applied to a VLAN or VLANs. In this case we’ll apply it to VLAN 10 which is specified by “vlan-list 10”.

switch(config)#vlan filter VACL vlan-list 10

By this configuration is completed. Let’s see if telnet is blocked and ping works.

R1#ping 192.168.10.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.2, timeout is 2 seconds:
!!!!!

R1#telnet 192.168.10.2
Trying 192.168.10.2 …
% Connection timed out; remote host not responding

As we see, ping is okay from R1 and telnet is blocked as we planned.

Often PVLANs are used in cases where servers are located in a DMZ on the same Layer2 Vlan and we want to restrict these servers to communicate between them. This helps a lot in security. If the servers are publicly accessible from the Internet, when one of the servers is compromised by hackers, we can block the attacker to access the other servers on the same Vlan. Of course we can do this with a L3 device or firewall, but in this case each server should have it’s own VLAN and as a result we’ll get a complex network. In the case of PVLAN, we’ll have one network (VLAN) and we’ll restrict the connection between servers by creating secondary VLANs.

Private VLAN Types and Port Types:

Promiscuous (P): Usually connects to a router (Default gateway) and also to span port – a type of a port which is allowed to send and receive frames from any other port on the Primary VLAN.

Isolated (I): This type of port is only allowed to communicate with P-ports – they are “stub”. This type of port usually connects to hosts. Only one isolated VLAN is created. The ports, which are in isolated VLAN, can communicate to each other.

Community (C): The ports in the same Community can communicate with each other and also are connected to Promiscuous port. There are multiple Communities available.

Community ports are allowed to talk to their buddies, sharing the same group (of course they can talk to P-ports).

Let’s see how to configure PVLANs

Equipment Used in this LAB:

Cisco  Catalyst 3560  – C3560-IPSERVICES-M  Version 12.2(50)SE
Cisco Router 2801 -  C2801-ADVIPSERVICESK9-M  Version 12.4(9)T4

Scenario: Create one Community vlan, in which SRV1 and SRV2 will belong to. Create also an Isolated VLAN, in which SRV3 and SRV4 will belong to. Make Ge0/1 promiscuous and connect to default gateway (router). According to this configuration, SRV1 and SRV2 can talk to each other and also with Router (Default Gateway). On the other hand, Servers in Isolated VLAN (SRV3 and SRV4) will not communicate between each other and also will not be able to talk with F0/0 (Router-Default Gateway).

Before starting PVLAN configuration, switching VTP Mode to Transparent is required. If VTP works in other mode, PVLAN will not work.

!switch to Transparent mode

Switch(config)# vtp mode transparent
Setting device to VTP TRANSPARENT mode.

!Create Isolated VLAN

Switch(config)# vlan 102
Switch(config-vlan)# private-vlan isolated

!create community vlan

Switch(config)# vlan 101

Switch(config-vlan)#private-vlan community

!Create Primary VLAN and map with secondary vlans
Switch(config-vlan)# vlan 100
Switch(config-vlan)# private-vlan primary
switch(config-vlan)# private-vlan association 101 102

Our Complete Configuration looks Like This:

vlan 100
private-vlan primary
private-vlan association 101 102
!
vlan 101
private-vlan community

vlan 102
private-vlan isolated

! Create promiscuous port and map with the other vlans

Switch(config)# interface ge0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101 102

! association of Ge0/2 and Ge0/3 ports with Primary and Secondary VLANS. According to our scenario Ge0/2 and Ge0/3 should be in community Vlan.

Switch(config)# interface range ge0/2-ge0/3
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 101

! association Ge0/4 and Ge0/5 ports with Primary and Secondary VLANS. According to our !scenario Ge0/4 and Ge0/ should be in Isolated Vlan.

Switch(config)# interface range ge0/4-ge0/5
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 102

Configuration is completed now so let’s see how the output looks like.

Switch# show interface status

Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1                        connected    100        a-full  a-100 10/100BaseTX
Gi0/2                        connected    100,101 a-full  a-100 10/100/0BaseTX
Gi0/3                        connected    100,101 a-full  a-100 10/100BaseTX
Gi0/4                        connected    100,102 a-full  a-100 10/100BaseTX
Gi0/5                        connected    100,102 a-full  a-100 10/100BaseTX

• High-performance switched Ethernet, capable of delivering 100 Mbps and 1Gbps to the desktop, and 1Gbps or 10Gbps uplinks.
• Quality of Service (QoS) features permitting prioritization of delay-sensitive traffic and control over packet delay and jitter.
• Simple, highly structured, and deterministic design (Predictable – in both normal and failure recovery modes).
• Support for both IP version 4 and IP version 6 protocols.
• Fault tolerance (Redundancy for critical components and links ‑ eliminating network single-points-of-failure).
• Flexibility (Network logically partitioned at Layers 2, 3 and 4, to direct traffic flow).
• Secured through authentication, authorization and accounting (AAA) controls.
• Modular design capable of supporting new applications and network growth without requiring “fork-lift” upgrades.
• Scalability for cost-effective delivery of the smallest to the largest telecommunications rooms and campuses
• Multicast protocol support for end-to-end management and optimization of streaming content delivery.
• Switches capable of powering IP telephones (via phantom power).
• Capable of being remotely monitored and managed using network management tools, such as HP Openview.

All Cisco switches are based on a distributed hardware architecture in which the LAN switching functions are separated from the “control plane” functions of switch management by utilizing both one or more general-purpose central processing chips and port or line card application-specific integrated circuits (ASICs).

The general-purpose CPU handles network management functions, like user logins, SNMP, and maintenance operations like operating system booting.  The general-purpose processor controls the configuration of the switch platforms with a command-line interface.  The ASICs optimize packet and frame switching at the port and line card level in order to reduce inter-frame delays and increase overall system throughput.

Older Cisco switches used an operating system called CatOS, with a command-line syntax based on set and clear statements.  Newer switch use an operating system referred to as the Cisco Internetwork Operating System (IOS), which is common across both switching and routing platforms.  The older CatOS is end-of-life and end-of-sale.  Only configurations involving IOS will be shown here.  A newer switching operating system based on the Cisco next-generation Nexus platforms is called NXOS, but is nearly identical to the IOS command syntax, and most of the Cisco switch product is based on IOS.

Cisco switching utilizes recommendations for a hierarchical design in switched network infrastructures, called core, distribution, and access layers.  It is acceptable to combine the functions of the core and distribution layers in smaller switched networks, which is called a collapsed core design.  The functions of each layer are as follows:

Core layer

• Links to WAN (Internet or other wide-area network)
• Links to distribution switches
• Additional Virtual Local Area Networks (VLANs) —Used by the system for routed ports as well as WAN ports

Distribution Layer

• Server connections
• Links to downstream (closet) access switches via layer 2 or layer 3 links.
• Site services, like wireless LAN controllers
• Service VLANs—To forward traffic to the service modules, such as the client VLAN of a content switch
• Fault tolerant VLANs—For redundancy with CSM, FWSM, CSS, and so forth

Access Layer

• Client connectivity at 10/100/1000Mbps

It is a good practice to completely erase everything on a switch (both switch configuration and switch Vlans) before using the switch in another part of your network. This is important in order to avoid any network conflicts because of any old configuration settings that are already configured on the switch.

Now let us see how to delete the configuration and Vlans from a Cisco switch.

1) Deleting the switch configuration

This is the easy part. It’s the same as deleting the configuration from any other Cisco network IOS device. Basically you need to delete the “startup-configuration” and then reboot the switch.

Switch#erase startup-config

Erasing the nvram filesystem will remove all configuration files! Continue?

[confirm]

[OK]

Erase of nvram: complete

Switch#reload

2) Deleting the switch Vlans

The strange part is that after deleting the switch configuration you will notice that the Vlans are still there.

Switch#show vlan brief

2   VLAN0002                         active
3   VLAN0003                         active
4   VLAN0004                         active

By executing the command “show vlan brief” you can see that there are 3 vlans configured on the switch. These vlans are stored in a file in flash memory called “vlan.dat”. You can see this file if you read what is stored in the flash:

Switch#show flash:

Directory of flash:/

1  -rw-     4414921          <no date>  c2960-lanbase-mz.122-25.FX.bin

2  -rw-         616          <no date>  vlan.dat

64016384 bytes total (59600847 bytes free)

As you can see from output above, the file “vlan.dat” is stored in flash. You have to delete this file in order to completely erase all vlans on the switch.

Switch#delete vlan.dat

Delete filename [vlan.dat]?

Delete flash:/vlan.dat? [confirm]

Switch#sh flash

Directory of flash:/

1  -rw-     4414921          <no date>  c2960-lanbase-mz.122-25.FX.bin

64016384 bytes total (59601463 bytes free)

Switch#reload

After executing the command “delete vlan.dat” just hit enter twice and it will be gone. Then you have to reload the switch.

Although a Cisco switch is a much simpler network device compared with other devices (such as routers and firewalls for example), many people have difficulties to configure a Cisco Catalyst Switch. Unlike other lower class switch vendors (which are plug-and-play), the Cisco switch needs some initial basic configuration in order to enable management, security and some other important features.

In this article I will describe the basic steps needed to configure a Cisco switch from scratch. I don’t like graphical GUI or web management at all, so I will show you command line configuration which is much more powerful and makes the administrators learn what they are doing on the device.

STEP1: Connect to the device via console

Use a terminal emulation software such as PuTTY and connect to the console of the switch. You will get the initial command prompt “Switch>”

Type “enable” and hit enter. You will get into privileged mode (“Switch#”)

 Now, get into Global Configuration Mode:

Switch# configure terminal
Switch(config)#

STEP2: Set up a hostname for the particular switch to distinguish it in the network

Switch(config)# hostname access-switch1
access-switch1(config)#

STEP3: Configure an administration password (enable secret password)

access-switch1(config)# enable secret somestrongpass

STEP4: Configure a password for Telnet access

access-switch1(config)# line vty 0 15
access-switch1(config-line)# password strongtelnetpass
access-switch1(config-line)# login
access-switch1(config-line)# exit
access-switch1(config)#

STEP5: Define which IP addresses are allowed to access the switch via Telnet

access-switch1(config)# ip access-list standard TELNET-ACCESS
access-switch1(config-std-nacl)# permit 10.1.1.100
access-switch1(config-std-nacl)# permit 10.1.1.101
access-switch1(config-std-nacl)# exit

!Apply the access list to Telnet VTY Lines
access-switch1(config)# line vty 0 15
access-switch1(config-line)# access-class TELNET-ACCESS in
access-switch1(config-line)# exit
access-switch1(config)#

STEP6: Assign IP address to the switch for management

!Management IP is assigned to Vlan 1 by default
access-switch1(config)# interface vlan 1
access-switch1(config-if)# ip address 10.1.1.200 255.255.255.0
access-switch1(config-if)# exit
access-switch1(config)#

STEP7: Assign default gateway to the switch

access-switch1(config)# ip default-gateway 10.1.1.254

STEP8: Disable unneeded ports on the switch

! This step is optional but enhances security
! Assume that we have a 48-port switch and we don’t need ports 25 to 48

access-switch1(config)# interface range fe 0/25-48
access-switch1(config-if-range)# shutdown
access-switch1(config-if-range)# exit
access-switch1(config)#

STEP9: Save the configuration

access-switch1(config)# wr

The above are some steps that can be followed for basic set-up of a Cisco switch. Of course there are more things you can configure (such as SNMP servers, NTP, AAA etc) but those depend on the requirements of each particular network.

Initial Post Question

Hello all,

I am relatively new to networking and am currently doing some theory work with network design to gain some knowledge. I’m sure you have all been there!!

I have a specification which details the needs for the network across a large campus, including number of users, their bandwidth usage, their locations, overall budget etc. I have chosen what servers are need and their locations, and the number of routers needed and their connectivity to each other to build in redundancy. My next step is to calculate how many switches will be needed for each building to get all the users onto the network and this is where I am getting quite confused.

My understanding is that a host connects to one port on the switch and a standard switch has generally around 24 ports. Therefore one switch can theoretically connect only 24 users to the network (perhaps 23 if one of those ports are used to connect to the router). My problem is that is some buildings I have over 400 users (Ive added a small percentage to allow for growth of the company). Does this mean that I need one switch to connect to the router and then another switch on each of the 24 ports to have enough ports to connect this many users? If this or something similar is true how is redundancy built in because if the switch that connects to the router goes down all the users in that building lose their connection. This seems a very expensive solution and probably quite an ugly one.

If anybody could guide me through a solution it would be very much appreciated. I have spent a long time reading articles and such on the internet but nowhere seems to go though this so if you know of a resource that walks you through design a medium/large network that would be great.

Many thanks in advance
Darren

Reply 1

Hi Darren,

To answer a couple of your points, you can get access switches with 48 ports (Cisco 2960 or 3560 for example).
If you have 400 users in a building, will all 400 user locations be cabled back to a single network cabinet (closet)?
If they are then you may be better off looking at a chassis based switch such as the 4500 series for example.
If not, you might want to to distribute the access switches in different cabinets around the building and link them back to a central distribution switch or router.
The final design will depend on the physical size of the building because don’t forget that you are restricted to 100 meters of UTP cabling between the user outlet port and the switch.

Hope that gives you some pointers.

Pete

Reply 2

Hi Darren,

To have redundancy in network you should have redundant pair of devices in your network to support redundancy and to support 400 users you can have chassis based switches with ethernet modules to support more number of users.

with you setup redundancy will be the main question as one router and local lan so the switch which is connected to router goes down then network outage.

The better way is to have dual router and dual switch in bundling mode and connect a cris cross cable between router and switch to have full redundancy in your network.In this fashion you can achive full redundancy and no network outage if any one of the device goes down.

Hope that helps out your query !!

Regards

Ganesh.H

Reply 3

Hello Darren,

IMHO the design is mainly dependent on how the connectivity and the requirements per floor( if any). If there is a per floor cabinet then may be you can use C3750 stack for access layer solution per floor.To increase any capacity needs you just keep adding to the stacks. Then if there is fiber wiring between floors available you can chose to interconnect access layer and distribution using that. Say one closet/cabinet on any floor as the collapsed distribution model, the choice is vast here c3750/4500/6503. The access layer c3750 do come with 48 ports and 4 SFP based uplink ports. so you can use the sfp based uplink ports to connected these back to your collapsed distribution layer, which becomes your default gateway and may be the STP root port too. Now for redundancy, IMHO the access layer needs to be dual connected to a redundant gateway model (each acccess stack connected to both gateways) as Ganesh suggested earlier. You can either use HSRP/VRRP to provide L3 gateway redundancy. You can also use etherchannel for uplinks to provide more redundancy. Of course if one switch fails in the stack then we loose those ports, but still the other switches on the stack will work. this is just my thoughts on you requirements.

Hope that helps.

Deesh

On a Layer3-capable switch, the port interfaces work as Layer 2 access ports by default, but you can also configure them as “Routed Ports” which act as normal router interfaces. That is, you can assign an IP address directly on the routed port. Moreover, you can configure also a Switch Vlan Interface (SVI) with the “interface vlan” command which acts as a virtual layer 3 interface on the Layer3 switch.

On this post I will describe a scenario with a Layer3 switch acting as “Inter Vlan Routing” device together with two Layer2 switches acting as closet access switches. See the diagram below:

Interface Fa0/48 of the Layer3 switch is configured as a Routed Port with IP address 10.0.0.1. Two Vlans are configured on the L3 switch, Vlan10 and Vlan20. For Vlan10 we will create an SVI with IP address 10.10.10.10 and for Vlan20 an SVI with IP address 10.20.20.20. These two IP addresses will be the default gateway addresses for hosts belonging to Vlan10 and Vlan20 on the Layer2 switches respectively. That is, hosts connected on Vlan10 on the closet L2 switches will have as default gateway the IP address 10.10.10.10. Similarly, hosts connected on Vlan20 on the closet switches will have address 10.20.20.20 as their default gateway. Traffic between Vlan10 and Vlan20 will be routed by the L3 Switch (InterVlan Routing). Also, all interfaces connecting the three switches must be configured as Trunk Ports in order to allow Vlan10 and Vlan20 tagged frames to pass between switches. Let’s see a configuration snapshot for all switches below:

Cisco L2 Switch (same configuration for both switches)

!  Create VLANs 10 and 20 in the switch database
Layer2-Switch# configure terminal
Layer2-Switch(config)# vlan 10
Layer2-Switch(config-vlan)# end

Layer2-Switch(config)# vlan 20
Layer2-Switch(config-vlan)# end

!  Assign Port Fe0/1 in VLAN 10
Layer2-Switch(config)# interface fastethernet0/1
Layer2-Switch(config-if)# switchport mode access
Layer2-Switch(config-if)# switchport access vlan 10
Layer2-Switch(config-if)# end

!  Assign Port Fe0/2 in VLAN 20
Layer2-Switch(config)# interface fastethernet0/2
Layer2-Switch(config-if)# switchport mode access
Layer2-Switch(config-if)# switchport access vlan 20
Layer2-Switch(config-if)# end

!  Create Trunk Port Fe0/24
Layer2-Switch(config)# interface fastethernet0/24
Layer2-Switch(config-if)# switchport mode trunk
Layer2-Switch(config-if)# switchport trunk encapsulation dot1q
Layer2-Switch(config-if)# end

Cisco Layer 3 Switch

! Enable Layer 3 routing
Layer3-Switch(config) # ip routing

!  Create VLANs 10 and 20 in the switch database
Layer3-Switch# configure terminal
Layer3-Switch(config)# vlan 10
Layer3-Switch(config-vlan)# end

Layer3-Switch(config)# vlan 20
Layer3-Switch(config-vlan)# end

!  Configure a Routed Port for connecting to the ASA firewall
Layer3-Switch(config)# interface FastEthernet0/48
Layer3-Switch(config-if)# description To Internet Firewall
Layer3-Switch(config-if)# no switchport
Layer3-Switch(config-if)# ip address 10.0.0.1 255.255.255.252

!  Create Trunk Ports Fe0/47 Fe0/46
Layer3-Switch(config)# interface fastethernet0/47
Layer3-Switch(config-if)# switchport mode trunk
Layer3-Switch(config-if)# switchport trunk encapsulation dot1q
Layer3-Switch(config-if)# end

Layer3-Switch(config)# interface fastethernet0/46
Layer3-Switch(config-if)# switchport mode trunk
Layer3-Switch(config-if)# switchport trunk encapsulation dot1q
Layer3-Switch(config-if)# end

!  Configure Switch Vlan Interfaces (SVI)
Layer3-Switch(config)# interface vlan10
Layer3-Switch(config-if)# ip address 10.10.10.10 255.255.255.0
Layer3-Switch(config-if)# no shut

Layer3-Switch(config)# interface vlan20
Layer3-Switch(config-if)# ip address 10.20.20.20 255.255.255.0
Layer3-Switch(config-if)# no shut

!  Configure default route towards ASA firewall
Layer3-Switch(config)# ip route 0.0.0.0 0.0.0.0 10.0.0.2

The Cisco Vlan Trunk Protocol (VTP) is a proprietary protocol available on all Cisco Catalyst switches and is designed to reduce the administration complexity and effort of managing many Layer 2 switches. Basically you select one switch in the network (usually a central switch) and configure it to be the VTP Server of the network. All other switches are configured as VTP Clients. Now, all VLAN administration is done on the VTP Server switch only. If you add a new VLAN on the VTP server switch, this configuration change is propagated on all VTP client switches which automatically add this VLAN to their database. Similarly, by deleting a VLAN on the server, all client switches delete that VLAN from their database.

A Cisco switch can be configured to operate in three VTP modes:

• VTP Server Mode – This is the default mode for switches. A VTP server switch can add, modify and delete VLANs for the whole VTP domain.
• VTP Transparent Mode – In this mode, the switch does not participate in the VTP domain. The switch passes VTP messages transparently to other switches but it does not synchronize its VLAN database according to these VTP messages.
• VTP Client Mode – This is the mode that you configure all switches that you need to have them synchronize their VLAN database according to the VTP server database.

 
Caution: Because VTP Server is the default mode, whenever you connect a new switch in the network, you need to make sure that you configure this switch as VTP Client BEFORE connecting it to the network. This is to avoid the situation where a new switch connected might take the role of the VTP Server for the whole domain and since its VLAN database is still empty, it will cause all other switches in the network to delete all their VLANs.

Another important precaution is to configure also a password for the VTP domain, so that any new switch connected must have the domain password configured by the administrator before participating in the domain.

Configuration:

VTP Server Switch:

! Configure first a name for the VTP domain
Vtp-server(config)# vtp domain mynetworkvtpname

! Configure the switch in server mode
Vtp-server(config)# vtp mode server

! Configure a password for the domain
Vtp-server(config)# vtp password vtp123

VTP Client Switch:

! Configure first a name for the VTP domain
Vtp-client(config)# vtp domain mynetworkvtpname

! Configure the switch in client mode
Vtp-client (config)# vtp mode client

! Configure the domain password in order to be able to participate
Vtp-client(config)# vtp password vtp123

The need to configure several Layer 2 VLANs on a switch arises from the need to segment an internal Local Area Network (LAN) into different IP subnetworks. If you want for example to separate the different departments of your enterprise into different IP subnetworks, then each department should belong to its own Layer 2 VLAN. For example, let’s assume the following scenario:

• Accounting Department: IP Subnet 192.168.2.0/24 –> VLAN 2
• Management Department: IP Subnet 192.168.3.0/24 –> VLAN 3
• Engineering Department: IP Subnet 192.168.4.0/24 –> VLAN 4

By separating the internal LAN into different IP subnets (and thus different VLANs) allows the network administrators to enforce traffic restrictions if needed between departments and have better control of internal hosts.

VLAN assignment on a switch is configured on a per-interface basis. That is, each switch port interface is assigned individually into a Layer 2 VLAN. If you have more than one switch connected and you want the same VLANs to belong across all switches, then a Trunk Port must be configured between the switches. The Trunk Port passes all VLANs between the switches. Let’s see the following network scenario to help us clarify some concepts.

On the LAN network above, we have three VLANs. VLAN 2,3, and 4. VLAN 4 belongs both to SWITCH 1 and SWITCH 2, therefore we need a Trunk Port between the two switches in order for hosts in VLAN4 in Switch 1 to be able to communicate with hosts in VLAN4 in Switch 2.

The ports of the two switches shall be configured as following:

SWITCH 1:
Fe0/1 – Fe0/2 –> VLAN 2 (Accounting)
Fe0/10 – Fe0/11 –> VLAN 4 (Engineering)
Fe0/24 –> Trunk Port

SWITCH 2:
Fe0/1 – Fe0/2 –> VLAN 3 (Management)
Fe0/10 – Fe0/11 –> VLAN 4 (Engineering)
Fe0/24 –> Trunk Port

Configuration:

Switch 1 Configuration:
!  Create VLANs 2 and 4 in the switch database
Switch1# configure terminal
Switch1(config)# vlan 2
Switch1(config-vlan)# name Accounting
Switch1(config-vlan)# end

Switch1(config)# vlan 4
Switch1(config-vlan)# name Engineering
Switch1(config-vlan)# end

!  Assign Ports Fe0/1 and Fe0/2 in VLAN 2
Switch1(config)# interface fastethernet0/1
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 2
Switch1(config-if)# end
Switch1(config)# interface fastethernet0/2
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 2
Switch1(config-if)# end

!  Assign Ports Fe0/10 and Fe0/11 in VLAN 4
Switch1(config)# interface fastethernet0/10
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 4
Switch1(config-if)# end
Switch1(config)# interface fastethernet0/11
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport access vlan 4
Switch1(config-if)# end

!  Create Trunk Port Fe0/24
Switch1(config)# interface fastethernet0/24
Switch1(config-if)# switchport mode trunk
Switch1(config-if)# switchport trunk encapsulation dot1q
Switch1(config-if)# end

Switch 2 Configuration:
!  Create VLANs 3 and 4 in the switch database
Switch2# configure terminal
Switch2(config)# vlan 3
Switch2(config-vlan)# name Management
Switch2(config-vlan)# end

Switch2(config)# vlan 4
Switch2(config-vlan)# name Engineering
Switch2(config-vlan)# end

!  Assign Ports Fe0/1 and Fe0/2 in VLAN 3
Switch2(config)# interface fastethernet0/1
Switch2(config-if)# switchport mode access
Switch2(config-if)# switchport access vlan 3
Switch2(config-if)# end
Switch2(config)# interface fastethernet0/2
Switch2(config-if)# switchport mode access
Switch2(config-if)# switchport access vlan 3
Switch2(config-if)# end

!  Assign Ports Fe0/10 and Fe0/11 in VLAN 4
Switch2(config)# interface fastethernet0/10
Switch2(config-if)# switchport mode access
Switch2(config-if)# switchport access vlan 4
Switch2(config-if)# end
Switch2(config)# interface fastethernet0/11
Switch2(config-if)# switchport mode access
Switch2(config-if)# switchport access vlan 4
Switch2(config-if)# end

!  Create Trunk Port Fe0/24
Switch2(config)# interface fastethernet0/24
Switch2(config-if)# switchport mode trunk
Switch2(config-if)# switchport trunk encapsulation dot1q
Switch2(config-if)# end

The following Cisco Models support PoE:

• 2960
• 3750
• 3560
• 4500
• 6500