cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2845
Views
20
Helpful
25
Replies

Purchase comparison

fbeye
Level 4
Level 4

Hello I was going over the link https://blog.router-switch.com/2016/07/cisco-switches-comparison-and-solutions/ trying to figure out what will work best for my needs. 

The 2 items I have unofficially chosen are 

SG350XG and the 

WS-C3650-24PD-S

 

but I really am not getting a defining difference. To be honest I am sort of confused between the SG Series and the Catalyst (in general). Is there a link or database that could explain to me the main differences? Why would one choose a Catalyst over the SG?

Ideally I am interested in the SG 12 port 10gig access over the 2 spf+ 10gig ports. Clearly there’s a reason why a Cat with 12 10gig is thousands and and thousands of $$ more. 
Any links or advice on the nitty gritty differences of why one over the other? 

25 Replies 25

This discussion is getting quite complex and I am not understanding all of it (especially what may very well be some host issue) but let me try to address some parts of it.

First it may be helpful to remember that vlans are layer 2 things that exist on switches. Routers (and ASAs) can have interfaces/subinterfaces that talk to vlans. But vlans do not really exist on routers or ASAs. (some routers (and the ASA5505) have what is essentially an imbedded switch, so these devices can have vlans, but the vlans are really on the imbedded switch and not on the router/ASA and this makes the distinction a bit fuzzy) Switch interfaces are by default layer 2 interfaces and belong to some vlan (by default switch interfaces belong to vlan 1 and can be configured to be members of other vlans).

And we should understand the relationship between a vlan and a vlan interface. A vlan operates at layer 2. A switch with vlans can forward traffic based on destination mac address. If we want the switch to forward traffic based on IP address then the switch must have a layer 3 interface. A vlan interface is a layer 3 interface and can be used to route traffic to and from the subnet on that vlan.

It might also help to remember the relationship between vlan and subnet. A vlan runs at layer 2 while a subnet runs at layer 3. Usually there is a one to one relationship between vlan and subnet. Usually a vlan has a single subnet and a subnet should run on a single vlan.

A device connected to a switch port probably has an IP address and a subnet mask which define the subnet that the device belongs to. And the device can communicate directly with any other device in that subnet (they arp for each other and communicate without needing any routing). But if the device wants to communicate with something in a different subnet or network then the device needs a default gateway. The default gateway can forward traffic from the device to remote networks and route traffic from remote networks to the device. The default gateway for the vlan/subnet might be the vlan interface address on the switch. Or the default gateway might be on the router or ASA that connects to the vlan/subnet. 

Usually it would not matter whether the default gateway was the switch vlan interface (SVI) or the router, as long as the gateway device has visibility to all of the networks/subnets being used. In a previous post by @fbeye there was a situation very similar to what is described here with 3 vlans and 3 subnets. The unique thing in that discussion was that each subnet had its own path to the Internet and an IP packet in one vlan should use only its specified Internet gateway and not use an Internet gateway associated with another subnet. In that case it was important the the default gateway be the router/ASA IP address and not the switch vlan interface IP address.

HTH

Rick

Having given those general explanations I would like to respond to a few specific comments in this discussion:

- It asks "Is there a chance at all that the servers respond differently by having a vlan interface ip as a gateway between subnets rather than an interface IP address as is currently has". I think this is asking about the difference of default gateway on switch vs default gateway on router. In the other discussion with @fbeye we suggested that the switch should have local routes but not have a default route. In that case there is certainly a big difference for the devices in the vlan whether their default gateway was the SVI or the router interface. 

- It also asks "Would Routing be seen differently between an interface or vlan ip setup?" Again it depends on what the router or switch knows. There is not anything inherent about a router interface or a switch SVI that makes routing any different. But if the routes that the router knows are different from the routes that the switch knows then certainly routing would be seen differently.

- I do not understand this statement "Correct me if I am wrong but if I make vlan 1,2,3 on Switch with IP routing should it NOT ping each other? They don’t."  

- the next statement makes it sound like the switches had vlans but not SVI "So I do vlan 1 192.168.1.5, vlan 2 10.0.1.5 and vlan 3 10.0.2.5. They don’t ping." With SVIs with IP addresses and with ip routing enabled it should be possible to ping between vlans. If that is not working it suggests that the default gateways on the individual devices are not set up correctly.

Basically we do not have enough detail of switch configuration and device configuration to really understand the issue. 

HTH

Rick

I have a lot to reply to but before I lose my current thought process... Aside from "can and should" be able to route between vlans, is this then only achieved if the Hosts connected to the Switch with the vlans having 'vlan interface ip's' use the vlan's IP as the hosts Gateway IP? Yes this was a discussion at another time as well and it was "choose internet or subnet access" but I never changed the Gateways of the SERVERS I could not connect to.

I am just without knowledge or experience to know that if I change the Host Gateways to the vlan IP addresses of their respective subnets, will those hosts still retain their INTERNET access and not cross over I.E... If I change 192.168.1.12 (Host) Gateway from its natural 192.168.1.1 GW to 192.168.1.5 GW and yes now I can connect to the 10.0.2.x and 10.0.1.x subnets/hosts, will 192.168.1.12 still know to get to 192.168.1.1 for Internet? I would then assume the Switch would need a default route of 0.0.0.0 0.0.0.0 192.168.1.1. But then how would 10.0.2.0 or 10.0.1.0 Subnets know to go to their respective .1 Gateways if they too are going through the Switch.

My next assumption would be to have default routes for each vlan, but I am under the impression a Switch can have one default route.

I believe I was getting lost on changing Gateways of the Hosts (not just the 192.168.1.0) but of the Servers too to the Switch vlans.

 

In a couple of posts you have asked if there were differences between switch vlan (virtual) interfaces and router Ethernet (physical) interfaces. Let me clarify that in terms of IP routing there is no functional difference between a switch vlan interface and a router Ethernet interface.

There might be differences in the routing information that each has and so there might be differences in behavior depending on where the device's default gateway is configured. In your most recent post you have very nicely identified the issue that comes up if the switch has a static default route (or a dynamic default route).

Since I believe that some of the participants in this discussion might not have been in the previous discussion, let me review the environment of that earlier discussion:

- there are 3 layer 3 devices (2 routers and 1 ASA) and 3 subnets (192.168.1.0, 10.0.1.0, and 10.0.2.0). Each of the layer 3 devices has a subnet that is "locally connected". (and therefore 2 subnets that are "remote") There is a layer 3 switch which connects to each of the layer 3 devices, and that switch has configured 3 vlans for the 3 subnets. Some network devices are connected to the layer 3 switch in each of the 3 vlans. (it is not clear whether there are some devices connected to the layer 3 devices not through the switch). Each of the devices should access the Internet using its locally connected layer 3 device and should not be able to access the Internet using the other layer 3 devices. @fbeye if anything I have described is not correct please provide correction and clarification.

- we suggested that the switch should have ip routing enabled (to provide forwarding between subnets) and that the switch should not have a default route configured.

- we suggested that each device should have its default gateway as the layer 3 device for that subnet and not the switch SVI.

- we suggested that each layer 3 device in addition to its default route for Internet access should have static routes for the 2 subnets that are not locally connected on that layer 3 device with the switch SVI connecting to that layer 3 device as the next hop.

- given these suggestions this should be the expected behavior:

+ any device should be able to communicate with other devices in its own subnet/vlan directly.

+ any device attempting to send to the Internet should send its packet to its L3 gateway which forwards to the Internet (no ability to send to any other L3 device for Internet access).

+ any device attempting to send to a destination in the other 2 subnets should send its packet to its L3 gateway, which will forward the packet to the switch, which will forward to the destination subnet and to the destination device.

@fbeye if these are not the results that you are seeing please provide details of the devices where this is not working.

HTH

Rick

Leo Laohoo
Hall of Fame
Hall of Fame

I would never recommend anyone buy 3650/3850 platform nowadays -- End-of-Sale and End-of-Life Announcement for the Cisco Catalyst 3650

Catalyst 1000 switches is an enterprise-grade that still runs on "classic IOS".  If the requirement is for a switch doing simple "static VLAN assignments" and nothing else (no DNAC, no SD-Access, no Dot1X, no PBR), then Catalyst 1000 is a prime candidate.  

fbeye
Level 4
Level 4

Morning

 

Alright.. So I can see how the discussion gets confusing and kind of changes things around. This is mostly due to me not having good explanations because what I see in my head #1 isn't explained well and #2 may just not be something that can be done.

I am posting a picture of what I am trying to do. It may change some variables but the idea is the same. 

In the picture, as is, I can get onto the Internet with the 3 listed hosts, I can see every host from each other host but can not connect 1 vlan to the other vlan and access data, though I can see them.

Though primitive, this picture is how I am currently set up and having the aforementioned issues. 

I am at a loss. Am I missing an ip route. are my gateways wrong. does the switch too need a route?

I truly hope this consolidates and simplifies my intentions. 

Yes, there are other variables not mentioned such as the 10.0.1.0 Network but I want to rid all of the unneeded complexities and just get this here to work and then I can later by example progress. 

Thus far you guys have kept me on my toes with thoughts and ideas and patience. 

 

hopeful.jpg

 

I was thinking.... Even though 'ip routing' is enabled and the vlan's have IP's do I still need ACL's for data to pass?

I also noticed I have Catalyst Switch, I meant to put SG350X Switch.

This most recent question is easy to answer. No you do not need an acl for data to pass. It is sufficient for the switch to have ip routing enabled and to have multiple local subnets. The switch can have local subnets by have vlans with vlan interfaces with IP addresses or by having switch interfaces configured with no switchport (which converts the interface from layer 2 to layer 3 - this is supported on some Catalyst switches, not sure if it is supported on SG350).

The picture that you post is a simplified version of the previous discussion, and that may make it easier to understand and to discuss what is going on. One detail that is not in your picture is that both the ASA and the router have a default route for sending traffic to the Internet. Otherwise I believe that it has the necessary information. Here are the essential points:

- on the switch there is a vlan/subnet that is local to the ASA and another vlan/subnet that is local to the router.

- the switch has ip routing enabled. And if you look at its local routing table you should see only those 2 subnets.

- the switch does not have any static routes, (no dynamic routes), and no default route.

- the ASA and the router have 1 local subnet, have 1 static route for the remote subnet, and have a default route for Internet access.

 

You have said that any device in either of the subnets can ping to any active IP address in either of the subnets. And that devices in both subnets are successful in access to the Internet. I believe that this demonstrates that IP routing is working successfully for both subnets.

There is a problem and it is that you are not able to access data on 2 servers (.111 and .126). If you are successful in ping to both servers then the problem is not a routing problem. If data access is not successful then I would guess that there is either some security policy implemented somewhere, or there is something in the configuration of the servers that limits what they will respond to.

HTH

Rick

Interesting.

 

You are  correct.  The Router does have 0.0.0.0 0.0.0.0 207.108.x.182 on “outside” for its Route and then the 10.2 Router also had its own WAN route. ASA 192.168.1.0 uses that subnet and Router so on so forth.

If you imagine the picture, remove vlan INTERFACES (leave vlan) and leave the rest 100% on the Switch and then on the ASA make GE 1/4 with ‘ip address 10.0.2.124 255.255.255.0’  I can then ping and access. 
This leaves me confused as far as pursuing any sort of Firewall on Windows or Router (10.2). Maybe there is a MAC address firewall issue. Maybe in this scenario I am supposed to have all hosts that connect to the switch, regardless of vlan, use their vlans IP as their Gateway.. I suppose that would then make “common ground” the Switch. If this is the case I suppose I’ll have to make routes for each host to use their Router for internet. For a switch I know can only have 1 default route. 

 

But like you said, if pinging can work all day up and down left and right then he routing is spot on.

I suppose as far as Cisco configurations goes there is nothing more to do. I just have to realize that maybe what I want is unrealistic and not how networking works.

We have discussed the issue involved if the switch has a default route. And without a default route you do not want the switch to be the default gateway for the devices in those subnets. The connected devices need their default gateway to be the ASA or the router.

It is puzzling that if you connect the subnet for 10.0.2.0 to the ASA that you can access the data as well as ping.I continue to believe that if ping is successful then the issue is not a routing issue. The fact that access is successful when the subnet is connected to the ASA would seem to suggest that there may be some issue related to the switch.

To investigate this further please do these:

- remove the connection for the vlan/subnet on the ASA and make the traffic from host to server go through the switch.

- then do a tracert from the PC to the server and post the output.

- from the PC do a ping to the server. Specify that the ping use a size of 1500 (rather than the default of a very small data packet) and if possible specify do not fragment for the ping. and post the results.

HTH

Rick

Hello

 

So I am going to post you the current [working] Config files from the ASA and the Switch. I will also post the Tracert and Ping replies from my Windows PC 192.168.1.5 192.168.1.1 GW to NAS 10.0.2.111 10.0.2.1 GW and 10.0.2.126 10.0.2.1 GW.

I will then only disable the GE on the ASA that associates with the 10.0.2.0 vlan/subnet and post those responses. With that being said, my Switch has 0 vlan INTERFACES, only vlan (L2) and I get the 2nd series of responses. So I added 192.168.1.6 vlan1, 10.0.1.5 vlan 10 and 10.0.2.124 vlan 11 and get the 3rd series of responses which are successful.

The problem I seem to have is that while the ASA was connected to the 10.0.2.0 on it's GE I could ping,tracert AND ACCESS Data whereas eliminating the ASA from the 10.2 and going through the Switch, I can ping, tracert but ONLY access data on 10.0.2.126. 10.0.2.111 and 10.0.2.1 (Router) I can not.

I only changed this;

remove 10.2 from asa and the ip route to it

added an ip route to the 10.2 through the 192.168.1.6 ip

added 3 vlan interfaces to the Switch in reference to their vlan subnet. Had I not made the vlan interfaces and add the ip route to the 10.2 through the 192.168.1.6 I got no ping or trace.

 

Working Tracert and PING ;

 

tracert 10.0.2.111

Tracing route to TS1400R549 [10.0.2.111]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms TS1400R549 [10.0.2.111]

Trace complete.

 

tracert 10.0.2.126

Tracing route to NAS [10.0.2.126]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 10.0.2.1
2 <1 ms <1 ms <1 ms NAS [10.0.2.126]

 

ping -l 1500 10.0.2.111

Pinging 10.0.2.111 with 1500 bytes of data:
Reply from 10.0.2.111: bytes=1500 time<1ms TTL=64
Reply from 10.0.2.111: bytes=1500 time=1ms TTL=64
Reply from 10.0.2.111: bytes=1500 time<1ms TTL=64
Reply from 10.0.2.111: bytes=1500 time<1ms TTL=64

Ping statistics for 10.0.2.111:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

 

ping -l 1500 10.0.2.126

Pinging 10.0.2.126 with 1500 bytes of data:
Reply from 10.0.2.126: bytes=1500 time<1ms TTL=64
Reply from 10.0.2.126: bytes=1500 time<1ms TTL=64
Reply from 10.0.2.126: bytes=1500 time<1ms TTL=64
Reply from 10.0.2.126: bytes=1500 time<1ms TTL=64

Ping statistics for 10.0.2.126:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

 

NOW PING/Tracert NOT going through ASA

 

tracert 10.0.2.111

Tracing route to 10.0.2.111 over a maximum of 30 hops

1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 *

 

tracert 10.0.2.126

Tracing route to 10.0.2.126 over a maximum of 30 hops

1 * * * Request timed out.
2 * * * Request timed out.
3 *

 

tracert 10.0.2.126

Tracing route to 10.0.2.126 over a maximum of 30 hops

1 * * * Request timed out.
2 * * * Request timed out.
3 *

 

PING 10.0.2.126

Pinging 10.0.2.126 with 32 bytes of data:
Request timed out.
Request timed out.

 

tracert 10.0.2.111

Tracing route to 10.0.2.111 over a maximum of 30 hops

1 1 ms 1 ms 1 ms NAS [192.168.1.6]
2 <1 ms 2 ms <1 ms 10.0.2.111

 

tracert 10.0.2.126

Tracing route to 10.0.2.126 over a maximum of 30 hops

1 2 ms 1 ms 1 ms NAS [192.168.1.6]
2 <1 ms <1 ms <1 ms 10.0.2.126

 

ping -l 1500 10.0.2.111

Pinging 10.0.2.111 with 1500 bytes of data:
Reply from 10.0.2.111: bytes=1500 time=1ms TTL=63
Reply from 10.0.2.111: bytes=1500 time=1ms TTL=63
Reply from 10.0.2.111: bytes=1500 time<1ms TTL=63
Reply from 10.0.2.111: bytes=1500 time<1ms TTL=63

Ping statistics for 10.0.2.111:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

 

ping -l 1500 10.0.2.126

Pinging 10.0.2.126 with 1500 bytes of data:
Reply from 10.0.2.126: bytes=1500 time=1ms TTL=64
Reply from 10.0.2.126: bytes=1500 time<1ms TTL=64
Reply from 10.0.2.126: bytes=1500 time<1ms TTL=64
Reply from 10.0.2.126: bytes=1500 time<1ms TTL=64

Ping statistics for 10.0.2.126:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

 

ASA;

 

: Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cor es)
:
ASA Version 9.15(1)7
!
hostname Cisco
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
service-module sfr keepalive-timeout 4
service-module sfr keepalive-counter 6
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
no mac-address auto

!
interface GigabitEthernet1/1
description WAN
nameif outside
security-level 0
pppoe client vpdn group pppoewan
ip address pppoe setroute
!
interface GigabitEthernet1/2
description Uses Router WAN Address
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1/3
description 10.1
nameif 10.1
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
security-level 0
no ip address
!
interface GigabitEthernet1/5
description Inner Access to LAN side of VPN Cliet Server
nameif 10.2
security-level 100
ip address 10.0.2.124 255.255.255.0
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
description Static Servers
nameif Servers
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
shutdown
nameif management
security-level 0
no ip address
!
boot system disk0:/asa9-15-1-7-lfbff-k8.SPA
boot system disk0:/asa951-lfbff-k8.SPA
ftp mode passive
dns server-group DefaultDNS
domain-name Cisco
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network 10.1
subnet 10.0.1.0 255.255.255.0
object network DLink
host 192.168.4.178
object network mail
host 192.168.4.180
object network inside
subnet 192.168.1.0 255.255.255.0
object network 10.0.1.0SUBNET
subnet 10.0.1.0 255.255.255.0
object network Switch-Gateway
host 192.168.1.5
object network 10.0.2.0SUBNET
subnet 10.0.2.0 255.255.255.0
object network pvpn
host 10.0.2.126
description 10.0.2.126
object network ceyea
host 192.168.4.179
object network 10.0.1.5
host 10.0.1.5
description 10.0.1.5
object network 10.2
host 10.0.2.1
object network 10.0.2.0
subnet 10.0.2.0 255.255.255.0
description 10.0.2.0
object-group service 993 tcp
description 993
port-object eq 993
object-group service TCP587 tcp
description TCP587
port-object eq 587
object-group network DM_INLINE_NETWORK_1
network-object object 10.0.1.0SUBNET
network-object object 10.0.2.0SUBNET
access-list OUTSIDE extended permit tcp any object mail eq 993
access-list OUTSIDE extended permit tcp any object mail eq smtp
pager lines 24
mtu outside 1500
mtu inside 1500
mtu 10.1 1500
mtu 10.2 1500
mtu Servers 1500
mtu management 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network 10.1
nat (10.1,outside) dynamic 207.108.121.x7
object network DLink
nat (Servers,outside) static 207.108.121.x8
object network mail
nat (Servers,outside) static 207.108.121.x0
object network inside
nat (inside,outside) dynamic interface
object network ceyea
nat (Servers,outside) static 207.108.121.x9
access-group OUTSIDE in interface outside
route outside 0.0.0.0 0.0.0.0 207.108.121.x2 1
route 10.2 10.0.2.126 255.255.255.255 10.0.2.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.2.0 255.255.255.0 10.2
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group pppoewan request dialout pppoe
vpdn group pppoewan localname xx
vpdn group pppoewan ppp authentication chap
vpdn username xx password *****

dhcpd auto_config outside
!
dhcpd address 192.168.1.5-192.168.1.10 inside
dhcpd enable inside
!
dhcpd address 10.0.1.101-10.0.1.200 10.1
dhcpd enable 10.1
!
dhcpd address 192.168.4.176-192.168.4.182 Servers
dhcpd enable Servers
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect xdmcp
inspect snmp
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection

 

SWITCH;

 

Current configuration : 4954 bytes
!
version 12.2
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
ip routing
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/2
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/3
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/4
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/5
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/6
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/7
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/8
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/9
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/10
switchport access vlan 10
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/11
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/12
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/13
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/14
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/15
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/16
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/17
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/18
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/19
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/20
switchport access vlan 11
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/21
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/22
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/23
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/24
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface Vlan1
description ASA
no ip address
!
ip http server
ip http authentication local
ip http secure-server
!
logging esm config
no cdp run

Review Cisco Networking for a $25 gift card