Metro Ethernet handoff - 3560 - Layer 2

Todd.Thiel
Level 1

Folks, I'll try to keep this as organized as possible. After lurking the board, I've yet to find any posts that address this exact question.

Requirements:

Connect a Catalyst 3560C (8 port) switch to our metro fiber ethernet handoff. Goal would be moving away from the 'daisy chain' configuration that currently exists. I want to make sure that there's separation and no host device is dependent upon an upstream network should there be a failure, or scheduled maintenance, etc.

Hosts connecting on public IPs to the Catalyst 3560:

ASA 5512x

Edgemark 4502 (VOIP router)

ASA 5505 (config Test network)

Test Server

Other Notes/thoughts/assumptions:

There's no publicly accessible IP on this switch, it's accessed internally.

Goal is to treat this switch like a DMZ

Has to connect to Ethernet handoff via Layer 2.

I have 5 public IPs allocated on a 255.255.255.248 subnet.

Wasn't sure if I needed 'ip route 0.0.0.0 0.0.0.0 [gateway IP address]'. However, there's going to have to be some default; not sure how to approach.

Wasn't sure if there's a need for switchport mode vlan [#] & switchport mode access

I'd like to say flat out that any direction or configuration advice would be greatly appreciated. Thank you,

Here's the config:

Current configuration : 3931 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TWFiberLink
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxx.
!
username XXXXXX privilege 15 secret xxxxxx
!
!
no aaa new-model
system mtu routing 1500
!
!
no ip domain-lookup
!
!
crypto pki trustpoint TP-self-signed-962718592
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-962718592
 revocation-check none
 rsakeypair TP-self-signed-962718592
!
!
crypto pki certificate chain TP-self-signed-962718592
 certificate self-signed 01
  xxxxxxxxxx
  quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
interface GigabitEthernet0/1
 switchport access vlan 28
!
interface GigabitEthernet0/2
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet0/3
 switchport access vlan 21
 switchport mode access
!
interface GigabitEthernet0/4
 switchport access vlan 22
 switchport mode access
!
interface GigabitEthernet0/5
 switchport access vlan 23
 switchport mode access
!
interface GigabitEthernet0/6
 switchport access vlan 24
 switchport mode access
!
interface GigabitEthernet0/7
 switchport access vlan 25
 switchport mode access
!
interface GigabitEthernet0/8
 description Management interface for ethernet handoff
 switchport access vlan 29
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
!
interface Vlan1
 no ip address
 no ip route-cache
 no ip mroute-cache
!
interface Vlan20
 no ip address
 no ip route-cache
 no ip mroute-cache
!
interface Vlan21
 no ip address
 no ip route-cache
 no ip mroute-cache
!
interface Vlan22
 no ip address
 no ip route-cache
 no ip mroute-cache
!
interface Vlan23
 no ip address
 no ip route-cache
 no ip mroute-cache
!
interface Vlan24
 no ip address
 no ip route-cache
 no ip mroute-cache
!
interface Vlan25
 no ip address
 no ip route-cache
 no ip mroute-cache
!
interface Vlan26
 no ip address
 no ip route-cache
 no ip mroute-cache
!
interface Vlan28
 no ip address
 no ip route-cache
 no ip mroute-cache
!
interface Vlan29
 description Management access to Ethernet handoff 3560 switch
 ip address 10.50.150.2 255.255.255.254
!
ip classless
ip http server
ip http secure-server
!
ip sla enable reaction-alerts
!
snmp-server community XXXXX! RO
!
!
line con 0
 privilege level 15
 logging synchronous
 login local
line vty 0 4
 privilege level 15
 logging synchronous
 login local
line vty 5 15
 login
!
end

