
So simple? Layer 3 switches are considered to be played thoroughly

Author: Network Engineers Club

Good evening, I'm Lao Yang.

Today, let's talk about configuring switches. Yesterday, a friend outside the industry asked me, what is a switch, what can it be used for, and how to configure it?

I thought for a moment and told him that it is not the main console of a spaceship, nor Iron Man's AI butler; it is really a "traffic commander" between the networks of the various departments in an enterprise. As for how to configure a switch, that cannot be explained in a sentence or two.

Friends who want to enter the industry, or want to become more proficient, can look at my earlier articles:

To understand what a switch is, see "How to tell the difference between a router and a switch with a story? Lao Yang comes and tries!".

For what a switch can be used for, see "Deploying a switch, you still have to read this article".

For how to configure one, Lao Yang also has related cases; for more articles about switches, use the search box below.

Today, I will share the classic process of switch configuration, and tell you how the configuration of the switch is done step by step in a project.

Today's reader bonus: Huawei Switch Learning Guide

This book is a classic introductory guide to switches and has been well received. Send Lao Yang a private message with the note "switch" to get the high-definition copy.

01 Classic process of switch configuration

Take Huawei's small-campus networking scenario as an example.

01 Case topology diagram

First, draw a topology diagram for the case. The small campus has two departments; each department is a separate network segment, but the two must be able to communicate. The networking is as follows.

[Figure: small-campus topology]

02 Case analysis

Once you have the project, the first task is to analyse it and decide where the access switches, the core switch and the router go. Before configuring anything, write down the required operations, the preparation items and the data.

The example uses access switch ACC1 (an S2750), core switch CORE (an S5700) and egress router Router (an AR series router).

In small network projects, S2700 and S3700 switches are usually deployed at the access layer, S5700 and S6700 switches at the core, and AR series routers as the egress router.

1. The access switch and the core switch are connected by an Eth-Trunk (link aggregation) so that a single link failure does not cut the access layer off.

2. Each department's services are placed in a VLAN of their own, and traffic between departments is routed at Layer 3 on the core switch.

3. The core switch acts as the DHCP server and assigns IP addresses to campus users.

4. DHCP snooping is configured on the access switch so that a home router plugged in by a user cannot hand out addresses to the rest of the network; IP Source Guard (IPSG) is configured at the same time so that users cannot change their IP address by hand and bypass address-based controls.

03 Data planning

Before configuring, prepare the data according to the table below; it is used throughout the configuration.

[Table: data planning (two images in the original)]

04 Quickly configure a small campus

Once the data planning is done, it is time to configure the switches. This is where most beginners get stuck, so Lao Yang explains it in detail.

Configure each device following the classic process below so that users inside the campus can reach each other and the external network.

[Figure: configuration flowchart]

Follow these steps, adapted to the actual project, and no key information will be missed during configuration.

Next, a concrete practical case of a Layer 3 switch.

02 Layer 3 switch enterprise application configuration example

An enterprise usually has several departments. Different departments may need to be managed separately, be given different network permissions and be shielded from each other, which calls for a Layer 3 managed switch as the core switch.

This topic uses the TL-SG5428PE as the core switch to show how to configure a Layer 3 switch in an enterprise network. The network topology is as follows:

[Figure: enterprise network topology]

First, the configuration requirements

1. The guest network can access the Internet but no other internal network;

2. Different departments cannot access each other;

3. The product department can access the Internet and the server; the R&D department cannot access the Internet, only the server;

4. The server subnet cannot access the Internet.

Second, analysis of the configuration

1. Put each network in its own VLAN and restrict access between networks with access control lists;

2. Enable ARP protection and DHCP snooping to keep the network secure.

Third, the configuration steps

01 Network planning

To simplify management, the router, switch, AC, APs and other infrastructure devices get a VLAN of their own, and each network gets its own VLAN. In this example, port 1 of the Layer 3 managed switch connects to the router and port 2 to the AC. The VLAN division and port planning are as follows:

[Table: VLAN division and port planning (two images in the original)]

Note: size each subnet according to the scale of the enterprise; this example uses a 24-bit netmask throughout.

02 Set up VLANs

1. Set the port type

Following the planning table, go to VLAN -> 802.1Q VLAN -> Port Configuration, select ports 1-18, choose GENERAL from the Port Type drop-down list and click Submit.

[Screenshot: port type configuration]

2. Divide VLANs

Under VLAN -> 802.1Q VLAN -> VLAN Configuration, create VLAN 10, select ports 3-6 in the Tagged port list and click Submit.

[Screenshot: VLAN 10 configuration]

Repeat the steps for the remaining VLANs, and the list of VLANs is as follows:

[Screenshot: VLAN list]

3. Set the interface parameters

Under Routing Function -> Interface, enter the VLAN ID, select Static as the IP address mode, enter the network parameters shown in the figure and click Create.

[Screenshot: VLAN interface configuration]

Repeat the steps for the remaining VLANs, and the interface list is as follows:

[Screenshot: VLAN interface list]

4. Set up a DHCP server

Under Routing Function -> DHCP Server -> DHCP Server, enable the DHCP service. Because the AC has to manage the APs, the option fields must be filled in: option 60 (vendor class identifier) with "TP-LINK", and option 138 (CAPWAP AC address) with the IP address of the AC, 192.168.23.253 in this example. Whichever server answers DHCP decides which controller the APs join, which is one more reason to keep rogue DHCP servers out with DHCP snooping.

[Screenshot: DHCP server settings]

Under Routing Function -> DHCP Server -> Address Pool Settings, enter the network parameters shown in the figure and click Add.

[Screenshot: DHCP address pool]

Repeat the steps for the remaining VLANs, and the list of DHCP address pools is as follows:

[Screenshot: DHCP address pool list]
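To see what those two option fields actually put on the wire, here is an added example (Python, not TP-LINK's code) that encodes option 60 (vendor class identifier, RFC 2132) and option 138 (CAPWAP AC IPv4 address list, RFC 5417) and parses them back with bounds checks, as an AP receiving the lease would have to. The AC address 192.168.23.253 is the page's; everything else is constructed.

```python
"""DHCP options 60 and 138 as they appear on the wire.

Added example, not vendor code. Option 60 is the vendor class identifier
(RFC 2132); option 138 is the CAPWAP AC IPv4 address list (RFC 5417) and
must be a non-empty multiple of 4 bytes. The AC address 192.168.23.253
comes from the page; the rest is constructed."""
import ipaddress

OPT_PAD = 0
OPT_VENDOR_CLASS = 60
OPT_CAPWAP_AC_V4 = 138
OPT_END = 255


def encode_ac_options(vendor_class: str, ac_addresses) -> bytes:
    """Build the option bytes a DHCP server appends so that APs find the AC."""
    vc = vendor_class.encode("ascii")
    acs = b"".join(ipaddress.IPv4Address(a).packed for a in ac_addresses)
    if not acs:
        raise ValueError("option 138 needs at least one AC address")
    if len(vc) > 255 or len(acs) > 255:
        raise ValueError("option value does not fit the one-byte length field")
    return (bytes([OPT_VENDOR_CLASS, len(vc)]) + vc
            + bytes([OPT_CAPWAP_AC_V4, len(acs)]) + acs
            + bytes([OPT_END]))


def decode_options(buf: bytes) -> dict:
    """Walk the code/length/value list defensively: each length is checked
    against the remaining buffer, so a truncated or malformed packet raises
    instead of being read past its end. Repeated codes are concatenated,
    as RFC 3396 requires."""
    opts, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(buf):
            raise ValueError("truncated option header")
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: length {length} runs past end of packet")
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def ac_addresses(opts: dict):
    """Return the AC addresses carried in option 138, as an AP reads them."""
    raw = opts.get(OPT_CAPWAP_AC_V4, b"")
    if len(raw) == 0 or len(raw) % 4:
        raise ValueError("option 138 length must be a non-zero multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def is_well_formed(buf: bytes) -> bool:
    """True when the option list parses cleanly."""
    try:
        decode_options(buf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    raw = encode_ac_options("TP-LINK", ["192.168.23.253"])
    print(raw.hex())
    print(ac_addresses(decode_options(raw)))
```

The `decode_options` length check is the part worth copying: DHCP option parsers that trust the length byte are a classic source of out-of-bounds reads in embedded clients, and an AP is exactly such a client.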

5. Set the routing parameters

Because the product department, the employee wireless network and the guest network need to reach the Internet, a route towards the router is needed so that their traffic can be forwarded.

Under Routing Function -> Static Route -> IPv4 Static Route, set the parameters shown in the figure; the next hop is the router's address, 192.168.23.1 in this example.

[Screenshot: IPv4 static route]

03 Network permission settings

On the switch, access is controlled mainly through ACLs. This example uses standard IP ACLs; MAC ACLs and the other types work on the same principle.

Because the switch forwards everything by default, and ACL rules are evaluated in order with the first match deciding, the rules each network needs are the following:

  • Product department: deny access to the R&D department network.
  • R&D department: permit access to the server only; deny access to every other network.
  • Employee wireless network: deny access to the product department, R&D department and server networks.
  • Guest network: deny access to the product department, R&D department, employee wireless and server networks.

Taking the R&D department as an example, the specific settings are as follows:

1. First, create an ACL ID

Standard IP ACL IDs range from 500 to 1499; this example uses 520. Under Access Control -> ACL Configuration -> Create ACL, enter 520 and click Create.

[Screenshot: create ACL 520]

2. Create ACL rules based on requirements

Under Access Control -> ACL Configuration -> Standard IP ACL, select ACL 520, enter rule ID 21, set the action to Permit, set the source IP to the R&D department subnet and the destination IP to the server subnet as in the figure, and click Submit. This permit rule must have the lowest rule ID, because the first matching rule wins; if a deny rule came first, the server would be unreachable too.

[Screenshot: ACL 520 rule 21]

The rules that deny access to the other networks are as follows:

[Screenshot: ACL 520 deny rules]

When finished, the rule list of ACL 520 looks like this:

[Screenshot: ACL 520 rule list]

3. Finally, bind to the corresponding VLAN

Under Access Control -> ACL Binding -> VLAN Binding, select ACL 520 from the drop-down list, enter VLAN ID 20 (the R&D VLAN) and click Add, as shown below:

[Screenshot: bind ACL 520 to VLAN 20]

Repeat these three steps for the remaining networks; each network needs an ACL ID of its own for VLAN binding. No ACL is bound to the server VLAN in this example, so requirement 4 (no Internet access for the server subnet) rests on the router alone; an explicit deny on the server VLAN is a cheap second layer. When writing it, remember that these ACLs are stateless: a rule that denies all traffic from the server subnet also drops the server's replies to the product department, so permit the internal subnets before the final deny.

The ACLs created for the remaining networks are listed below:

[Screenshots: ACL lists for the remaining networks (three images in the original)]
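Because the switch forwards by default and stops at the first matching rule, a mistake in rule order or a forgotten VLAN silently opens or closes a path. The following added example (Python, not TP-LINK code) models that evaluation and checks the four requirements against one ACL per VLAN, then shows what the server VLAN is missing and why a stateless deny has to let the internal subnets through first. The subnets other than 192.168.23.0/24, and all rule IDs except 520/21, are assumed for illustration.

```python
"""Model of the switch's ACL evaluation: rules are tried in rule-ID order,
the first match decides, and with no match the switch forwards the packet.
Added example, not TP-LINK code. Subnets other than 192.168.23.0/24 are
ASSUMED (the page's planning table is an image), as are all rule IDs
except 520/21."""
import ipaddress
from dataclasses import dataclass

NETS = {
    "product": ipaddress.ip_network("192.168.10.0/24"),  # assumed
    "rnd":     ipaddress.ip_network("192.168.20.0/24"),  # VLAN 20 per the page; prefix assumed
    "wifi":    ipaddress.ip_network("192.168.30.0/24"),  # VLAN 30 per the page; prefix assumed
    "guest":   ipaddress.ip_network("192.168.40.0/24"),  # assumed
    "server":  ipaddress.ip_network("192.168.50.0/24"),  # assumed
    "mgmt":    ipaddress.ip_network("192.168.23.0/24"),  # router .1 and switch .2 per the page
}
ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNET = ipaddress.ip_address("203.0.113.10")  # documentation range, stands in for the Internet


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def evaluate(acl, src, dst):
    """Verdict for one packet: first matching rule wins, implicit permit."""
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "permit"


def page_acls():
    """One ACL per source VLAN, as the page builds them."""
    n = NETS
    return {
        "product": [Rule(11, "deny", n["product"], n["rnd"])],
        "rnd": [Rule(21, "permit", n["rnd"], n["server"]),  # must precede the deny
                Rule(22, "deny", n["rnd"], ANY)],
        "wifi": [Rule(31, "deny", n["wifi"], n["product"]),
                 Rule(32, "deny", n["wifi"], n["rnd"]),
                 Rule(33, "deny", n["wifi"], n["server"])],
        "guest": [Rule(41, "deny", n["guest"], n["product"]),
                  Rule(42, "deny", n["guest"], n["rnd"]),
                  Rule(43, "deny", n["guest"], n["wifi"]),
                  Rule(44, "deny", n["guest"], n["server"])],
        "server": [],  # the page binds nothing here; requirement 4 is left to the router
    }


def hardened_acls():
    """page_acls() plus an ACL on the server VLAN. Internal subnets are
    permitted first because the ACL is stateless: a bare 'deny server -> any'
    would also drop the server's replies to the product department."""
    acls = page_acls()
    acls["server"] = [
        Rule(51, "permit", NETS["server"], ipaddress.ip_network("192.168.0.0/16")),
        Rule(52, "deny", NETS["server"], ANY),
    ]
    return acls


# (source VLAN, destination, verdict the switch must give), from requirements 1-4;
# server -> product is the return leg of requirement 3
REQUIREMENTS = [
    ("product", "internet", "permit"), ("product", "server", "permit"), ("product", "rnd", "deny"),
    ("rnd", "server", "permit"), ("rnd", "internet", "deny"),
    ("rnd", "product", "deny"), ("rnd", "wifi", "deny"),
    ("wifi", "internet", "permit"), ("wifi", "product", "deny"),
    ("wifi", "rnd", "deny"), ("wifi", "server", "deny"),
    ("guest", "internet", "permit"), ("guest", "product", "deny"), ("guest", "rnd", "deny"),
    ("guest", "wifi", "deny"), ("guest", "server", "deny"),
    ("server", "product", "permit"), ("server", "internet", "deny"),
]


def host(name):
    """A representative address in a named segment, or the Internet stand-in."""
    return INTERNET if name == "internet" else NETS[name][10]


def check_policy(acls):
    """List the requirements that the switch-side ACLs fail to enforce."""
    failures = []
    for src, dst, want in REQUIREMENTS:
        got = evaluate(acls[src], host(src), host(dst))
        if got != want:
            failures.append(f"{src}->{dst}: wanted {want}, switch gives {got}")
    return failures


if __name__ == "__main__":
    for label, acls in (("page", page_acls()), ("hardened", hardened_acls())):
        print(label, check_policy(acls) or "all requirements enforced at the switch")
```

Running it reports one gap for the page's ACL set (the server subnet can still send towards the Internet at the switch) and none once the server VLAN gets its permit-internal-then-deny pair. One thing to verify on the real hardware after binding a "deny everything else" rule: clients in that VLAN must still obtain leases; if they stop, the deny is catching DHCP as well and a permit for UDP ports 67/68 has to be placed ahead of it.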

04 Network security settings

To secure the internal network, enable ARP protection and DHCP snooping on the Layer 3 switch.

1. ARP protection

ARP protection requires IP-MAC-VLAN-port binding first (Quad Binding in the UI). Under Network Security -> Quad Binding there are manual binding and scan binding: for manual binding enter the parameters of each host yourself; the scan binding settings are shown in the figure. Once bound, an entry can be selected into the protection scope.

[Screenshot: quad binding]

2. Enable anti-ARP spoofing

Under Network Security -> ARP Protection -> Anti-ARP Spoofing, tick Enable Source MAC, Destination MAC and IP Authentication, fill in the VLAN ID and click Enable, as shown below:

[Screenshot: anti-ARP spoofing settings]

3. DHCP listening

DHCP centrally allocates and manages IP addresses; usually the router or the Layer 3 managed switch plays the DHCP server. If a rogue DHCP server appears on the network (typically a home router that a user has plugged in), it hands out wrong addresses and gateways, terminals lose Internet access and the network falls into disorder. Enabling DHCP snooping and declaring trusted ports makes the switch accept DHCP server messages (Offer, ACK, NAK) only on the trusted ports and drop them on every other port, so clients only ever take leases from the legitimate server.

Setup method:

Under Network Security -> DHCP Snooping -> Global Configuration, enable DHCP snooping, enter the VLAN ID and click Submit, as shown below:

[Screenshot: DHCP snooping global configuration]

If a legitimate DHCP server such as a router, an AC or another server is attached to the switch, the port it hangs off must be set as a trusted port under Network Security -> DHCP Snooping -> Port Configuration, as shown below; a legitimate server on an untrusted port would have its offers dropped too.

In this example the switch itself is the DHCP server and neither the router nor the AC runs DHCP, so no trusted port needs to be configured.

[Screenshot: DHCP snooping port configuration]
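As an added illustration of the DHCP snooping described here and of the DHCP snooping plus IP Source Guard (IPSG) pairing in the Huawei case earlier (Python, not vendor code; ports, MAC addresses and IP addresses are constructed), the model below keeps a binding table from snooped ACKs, drops DHCP server messages that arrive on untrusted ports, and drops ordinary IP traffic whose source IP, MAC, VLAN and port do not match a binding. That last check is what stops a user from simply typing in a static address to get around the ACLs.

```python
"""Model of DHCP snooping plus IP Source Guard (IPSG) on an access switch.
Added example, not vendor code: ports, MAC addresses and IP addresses are
constructed. The uplink to the switch that runs the DHCP server is the only
trusted port; IPSG is enabled on the user-facing ports."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Frame:
    port: int
    vlan: int
    src_mac: str
    src_ip: str
    dhcp: Optional[str] = None    # DISCOVER/REQUEST (client), OFFER/ACK/NAK (server), None = plain IP
    chaddr: Optional[str] = None  # client hardware address carried in the DHCP header
    yiaddr: Optional[str] = None  # address handed out in OFFER/ACK


CLIENT_MSGS = {"DISCOVER", "REQUEST"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class AccessSwitch:
    trusted: set                                  # ports that may carry DHCP server messages
    ipsg_ports: set = field(default_factory=set)  # ports where IP Source Guard is on
    pending: dict = field(default_factory=dict)   # (vlan, chaddr) -> port the client asked from
    bindings: dict = field(default_factory=dict)  # (vlan, ip) -> (mac, port), learned from ACKs

    def handle(self, f: Frame) -> str:
        if f.dhcp in SERVER_MSGS:
            # A rogue server (e.g. a home router on a user port) never gets heard.
            if f.port not in self.trusted:
                return "drop: DHCP server message on untrusted port"
            if f.dhcp == "ACK":
                port = self.pending.pop((f.vlan, f.chaddr), None)
                if port is not None:
                    self.bindings[(f.vlan, f.yiaddr)] = (f.chaddr, port)
            return "forward"
        if f.dhcp in CLIENT_MSGS:
            # MAC verification: the DHCP chaddr must match the frame's source MAC.
            if f.port not in self.trusted and f.chaddr != f.src_mac:
                return "drop: chaddr does not match source MAC"
            self.pending[(f.vlan, f.chaddr)] = f.port
            return "forward"
        # Ordinary IP traffic on an IPSG port must match a snooped binding exactly.
        if f.port in self.ipsg_ports and self.bindings.get((f.vlan, f.src_ip)) != (f.src_mac, f.port):
            return "drop: no IP/MAC/VLAN/port binding"
        return "forward"


def demo():
    """Walk one lease and three abuses through the switch; returns the verdicts."""
    sw = AccessSwitch(trusted={24}, ipsg_ports={3, 4})  # port 24 = uplink to the core
    pc, rogue, core = "00:11:22:33:44:55", "de:ad:be:ef:00:01", "aa:bb:cc:00:00:01"
    return [
        sw.handle(Frame(3, 20, pc, "0.0.0.0", dhcp="DISCOVER", chaddr=pc)),
        # rogue router on user port 4 answers first with its own subnet
        sw.handle(Frame(4, 20, rogue, "192.168.1.1", dhcp="OFFER", chaddr=pc, yiaddr="192.168.1.100")),
        sw.handle(Frame(24, 20, core, "192.168.20.1", dhcp="OFFER", chaddr=pc, yiaddr="192.168.20.50")),
        sw.handle(Frame(3, 20, pc, "0.0.0.0", dhcp="REQUEST", chaddr=pc)),
        sw.handle(Frame(24, 20, core, "192.168.20.1", dhcp="ACK", chaddr=pc, yiaddr="192.168.20.50")),
        sw.handle(Frame(3, 20, pc, "192.168.20.50")),     # leased address: passes IPSG
        sw.handle(Frame(3, 20, pc, "192.168.20.99")),     # user typed in a static address: dropped
        sw.handle(Frame(4, 20, rogue, "192.168.20.50")),  # neighbour spoofs the leased address: dropped
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

In the Huawei case the trusted port on ACC1 would be the Eth-Trunk towards CORE, since CORE is the DHCP server; in the TP-LINK case the server is the switch itself, which is why no trusted port is needed. Two operational points follow directly from the model: hosts with static addresses (printers, the servers) have no snooped binding and need a static binding entry before IPSG is switched on, and the binding table must survive a reboot of the access switch (vendors offer saving it to flash or a server) or every client is cut off until it renews its lease.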

With the above settings, the Layer 3 managed switch is configured for the enterprise network and the access-control and security requirements are met. Remember to save the configuration so that it is not lost when the power goes.

The important settings of the ER series router and the web-managed switch in this example are described briefly below.

Basic management, Internet and wireless settings of the router, AC and web-managed switch are not covered here.

05 Router settings

Once traffic reaches the router, NAPT rules are needed to forward it to the Internet, and a static route pointing back to the core switch is needed so that Internet replies find their way to the private subnets.

The TL-ER6220G is used here as the example of ER series router settings.

Under Transmission Control -> NAT Settings -> NAPT, click Add, enter the parameters shown in the figure and click OK.

[Screenshot: NAPT rule]

Repeat for the remaining VLANs; the NAPT rule list is as follows:

[Screenshot: NAPT rule list]

Note: the R&D department and server subnets must not reach the Internet, so no NAPT rules are created for them.

Under Transmission Control -> Route Settings -> Static Routes, click Add, enter the parameters shown in the figure and click OK. The next hop here is the Layer 3 managed switch, 192.168.23.2 in this example.

[Screenshot: static route]

When finished, the static route list is as follows:

[Screenshot: static route list]

Note: no static routes are created for the R&D department and server subnets either. Be clear about what this does and does not do: without NAPT and a return route their connections cannot complete, but their packets still leave the subnet and reach the router. For R&D the ACL on the switch drops them first; the server subnet has no such ACL and relies on the router alone.

06 Layer 2 switch VLAN settings

VLANs also have to be configured on the Layer 2 switches so that they interconnect with the Layer 3 switch.

This topic uses the switch that carries the employee wireless network, VLAN 30, as the example; the switches for the other networks are set up the same way.

1. Under VLAN -> 802.1Q VLAN, select Enable and click Apply.

Enter 30 in the VLAN ID box, select the corresponding ports, mark them Tagged (the uplink) or Untagged (the ports facing end devices) as planned, and click Add.

[Screenshot: adding VLAN 30]

After the VLAN is added, the VLAN list looks like this:

[Screenshot: VLAN list]

2. Set the port PVID

Under VLAN -> 802.1Q VLAN -> PVID Settings, select the ports that are Untagged in VLAN 30, enter 30 in the PVID box and click Apply. The Tagged port (port 16 in this example) is the cascade port to the Layer 3 switch and can keep the default PVID of 1. Note that this means any untagged frame that arrives on the uplink is placed in VLAN 1, so VLAN 1 should carry nothing sensitive.

After the setting, it looks like this:

[Screenshot: PVID settings]

All the setup is now complete.

Compiled by Lao Yang, a senior network engineer with 10 years of experience. For more practical material for network engineers, follow the public account: Network Engineers Club.