Mar 7, 2013

How to : Cisco Switch Configurations


Hello and welcome to this guide to Cisco switch configurations.

All the switch configurations from now on will be based on the labelled diagram below unless specified otherwise; please bear with my drawings, as I am not a designer.


How to give the switch an IP address and default gateway, and how to secure the switch

(config)#interface vlan 1 (I assign the IP address to the VLAN 1 interface, because by default every port on the switch is in VLAN 1)

(config-if)# ip address 192.168.0.10 255.255.255.0

(config)# ip default-gateway 192.168.0.1

# show version

# show interfaces vlan 1

kundanswitch(config)#enable password cisco

kundanswitch(config)#enable secret cisco1 (the enable secret supersedes the enable password)

kundanswitch(config)#no enable password (removes the enable password cisco)

kundanswitch(config)#line console 0

kundanswitch(config-line)#password cisco

kundanswitch(config-line)#login

kundanswitch(config)#line vty 0 4 (the vty lines are used for telnet sessions)

kundanswitch(config-line)#password cisco

kundanswitch(config-line)#login

kundanswitch(config)#line vty 0 4 (alternatively, set no login so that telnet sessions are not prompted for a password)

kundanswitch(config-line)#no login

kundanswitch(config)#service password-encryption (encrypts all plaintext passwords stored in the configuration)

How to set up SSH on the switch

(config)# ip domain-name kundan.com

(config)# crypto key generate rsa

(prompts for the modulus size, e.g. 512/1024/2048 bits)

(config)# ip ssh version 2 (selects the SSH version; version 2 is the standard)

(config)# line vty 0 4

(config-line)# transport input ssh (telnet is disallowed, only SSH is allowed in)

(config-line)# transport input telnet ssh (alternatively, allows both protocols in)

How to set up port security on a Cisco switch

Port security: controls which and how many devices can plug into a switch port.

#terminal monitor (shows the switch's log messages in your terminal session, so you can see what is happening)

kundanswitch#show mac-address-table (shows the MAC addresses of attached devices)

kundanswitch(config)#interface fastEthernet 0/5 (we are going to set up port security on port fa 0/5)

kundanswitch(config-if)#switchport mode access (hard-codes the port as an access port, i.e. it connects to an end device and not to another switch; the alternative to access is trunk)

kundanswitch(config-if)#switchport port-security maximum 1 (the maximum number of MAC addresses allowed on this port is 1)

kundanswitch(config-if)#switchport port-security violation ? (sets what happens when the policy is violated; by default the port is shut down and has to be brought back up by hand)

protect   Security violation protect mode (silently drops frames from any additional MAC address; no transmission is allowed)

restrict  Security violation restrict mode (drops the frames and logs the violation when it happens; this option is highly recommended)

shutdown  Security violation shutdown mode

kundanswitch(config-if)#switchport port-security violation shutdown

kundanswitch(config-if)#switchport port-security mac-address ?

H.H.H   48 bit mac address (you can hard-code the MAC address allowed on the port)

sticky  Configure dynamic secure addresses as sticky (the switch learns the MAC address seen on the port and records it in the running configuration as a secure address)

kundanswitch(config-if)#switchport port-security mac-address sticky

kundanswitch#show port-security interface fa0/5 (shows the port-security settings applied to the port and its current state)

Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

How to change speed and duplex on a Cisco switch

(config)#interface fa 0/5 (here we are changing the speed and duplex of fa 0/5)

(config-if)# speed 10

(config-if)# duplex half

User experience optimisation on the switch

(config-line)#logging synchronous (re-displays the command you are typing when a log message interrupts it in the terminal)

(you have to do this both for the console, i.e. line console 0, and for the vty lines, i.e. line vty 0 4)

(config-line)# exec-timeout 30 (idle timeout in minutes; set it on both the console and the vty lines. no exec-timeout disables the timeout, so the session never expires)

(config)# no ip domain-lookup (turns off DNS lookups of mistyped commands)
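As an added example (not from the original post), here is a small Python audit that checks a saved running-config for the hardening commands used in the sections above: an enable secret instead of an enable password, service password-encryption, SSH version 2, and login, exec-timeout and SSH-only transport on the lines. The WEAK sample config is constructed for the demo; the parser only understands the simple global-command and line/interface stanza layout shown.

```python
# Added example, not from the original post: audit an IOS running-config for
# the hardening commands used above. The WEAK sample config is constructed.
WEAK = """\
enable password cisco
line con 0
 login
line vty 0 4
 no login
 transport input telnet ssh
"""

def parse(config):
    """Split an IOS config into global commands and line/interface stanzas."""
    glob, stanzas, cur = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and cur is not None:
            stanzas[cur].append(raw.strip())      # indented child of a stanza
        elif raw.startswith(("line ", "interface ")):
            cur = raw.strip()                     # new stanza header
            stanzas[cur] = []
        else:
            cur = None
            glob.append(raw.strip())
    return glob, stanzas

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    glob, stanzas = parse(config)
    required = ["service password-encryption", "ip ssh version 2"]
    f = [f"missing '{r}'" for r in required if r not in glob]
    if not any(c.startswith("enable secret ") for c in glob):
        f.append("no 'enable secret'")
    if any(c.startswith("enable password ") for c in glob):
        f.append("'enable password' still set (remove with 'no enable password')")
    for name, body in stanzas.items():
        if not name.startswith("line "):
            continue
        if not any(c == "login" or c.startswith("login ") for c in body):
            f.append(f"{name}: 'login' missing, so no password prompt")
        if not any(c.startswith("exec-timeout ") for c in body):
            f.append(f"{name}: no 'exec-timeout'")
        if name.startswith("line vty"):
            ti = [c for c in body if c.startswith("transport input ")]
            if not ti or "telnet" in ti[-1]:
                f.append(f"{name}: telnet allowed, set 'transport input ssh'")
    return f
```

Running audit(WEAK) reports eight findings; a config that applies every command from the sections above returns an empty list.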

How to configure switch VLANs

VLANs divide or segment broadcast domains, thus providing access control and QoS (quality of service).

If you want two VLANs to communicate, you have to route between them.

Trunk port: a port that carries traffic for several VLANs between switches.

Understanding trunks and VTP

Trunking allows switches to pass traffic for multiple VLANs between each other. Trunking is also known as tagging.

If a red-VLAN packet is passed from switch1 to switch2, there must be some mechanism on switch2 to find out that the packet belongs to the red VLAN. This mechanism is known as tagging. When switch1 needs to send red-VLAN packets, it adds header information to the packet saying it belongs to the red VLAN and dispatches it over the trunk link. Switch2 receives the packet, reads the header and forwards it to the red-VLAN ports. Tagging is a layer 2 (data link layer) feature.

Trunking protocols

1: 802.1Q, the industry-standard trunking protocol

VTP: VLAN Trunking Protocol (I would call this a name mismatch, because it is not actually a trunking protocol). VTP describes how VLANs are replicated across switches. Suppose you have 20 switches and 2 VLANs in your network and you want to add 2 more VLANs. Without VTP you would have to go to each switch and add the 2 VLANs on each one. VTP replicates the VLANs: you add the VLANs on one switch and VTP does the rest of the replication work.

VTP modes

1. Server: can change VLAN information, sends and receives VTP updates, saves the VLAN configuration. Every switch is a server by default.

2. Client: cannot change VLAN information, sends and receives VTP updates, does not save the VLAN configuration.

3. Transparent: can add, change and modify VLANs locally; it only forwards (passes through) VTP updates and does not act on VTP advertisements.

VLAN pruning: keeps unnecessary broadcast traffic from crossing trunk links. Only works on VTP servers.

Configuration:

We are going to configure all of the above on switches 1, 2 and 3 in the figure above.

Trunk configuration (switch1 ---> switch2 = trunk link, switch1 ---> switch3 = trunk link)

switch1 configuration: switch1 has fa 0/1 and fa 0/2 as trunk ports

switch1(config)#interface fa0/1

switch1(config-if)# switchport trunk encapsulation dot1q

switch1(config-if)#switchport mode trunk

Do the same for the other trunk port of switch1, i.e. fa 0/2.

Note: after setting up your trunk ports it is good practice to hard-code all the other ports as access ports, so that nobody can plug in a switch and negotiate a trunk link:

switch(config)# interface range fa0/3 - 23

switch(config-if-range)# switchport mode access

Do the same for switch2 and switch3.

Configuring VTP

switch1#show vtp status (shows the VTP status)

VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 255
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x7D 0x5A 0xA6 0x0E 0x9A 0x72 0xA0 0x3A
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 192.168.1.10 on interface Vl1 (lowest numbered VLAN interface found)

Note: when switch1 is given a domain name, switch2 and switch3, whose domain names are blank, will accept whatever domain name is advertised to them first.

switch1(config)#vtp domain testkundan

Changing VTP domain name from NULL to testkundan

(Now if you go to switch2 and switch3 and do show vtp status, you can see that they have adopted the domain name testkundan.)

switch2(config)#vtp mode client

Setting device to VTP CLIENT mode. (By default the VTP mode is server, so switch1 stays in server mode.)

Do the same for switch3 as for switch2.

Configuring a VLAN to test replication between switches through VTP

switch1(config)#vlan 10

switch1(config-vlan)#exit

switch1#sh vtp status

VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 255
Number of existing VLANs        : 6
VTP Operating Mode              : Server
VTP Domain Name                 : testkundan
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x1E 0x25 0x96 0x95 0xB0 0xBD 0x0D 0x2A
Configuration last modified by 192.168.1.10 at 3-1-93 00:52:01
Local updater ID is 192.168.1.10 on interface Vl1 (lowest numbered VLAN interface found)

Now the VLAN is created and it should be replicated to switch2 and switch3; you can go to switch2 and do

switch2#show vtp status

VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 255
Number of existing VLANs        : 6
VTP Operating Mode              : Client
VTP Domain Name                 : testkundan
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x1E 0x25 0x96 0x95 0xB0 0xBD 0x0D 0x2A
Configuration last modified by 192.168.1.10 at 3-1-93 00:52:01

You can see that the configuration revision has changed to 1, i.e. the VLAN replication was successful, and also that the configuration was last modified by 192.168.1.10, which is the VTP server.

Now let's add 2 more VLANs, i.e. VLAN 20 and VLAN 30.

switch1(config)#vlan 20

switch1(config-vlan)#exit

switch1(config)#vlan 30

Up to now only the VLANs have been created and no ports have been assigned to them; now let's assign ports to a VLAN.

switch3(config)#interface fastEthernet 0/8 (we are putting the PC attached to switch3 into VLAN 10)
switch3(config-if)#switchport mode access
switch3(config-if)#switchport access vlan 10

Now if you ping the PC attached to switch2 it will fail, because the PC attached to switch3 is in VLAN 10 and the PC attached to switch2 is in VLAN 1. To restore connectivity, let's put the PC attached to switch2 into VLAN 10 as well.

switch2(config)#interface fa 0/8
switch2(config-if)#switchport mode access
switch2(config-if)#switchport access vlan 10


How to configure Spanning Tree Protocol

From this point on we will be referring to the labelled diagram below for Spanning Tree Protocol on Cisco switches.



Spanning Tree Protocol prevents broadcast storms caused by network loops. Switches send BPDUs (Bridge Protocol Data Units) to discover loops. BPDUs also help elect the core switch of the network, known as the root bridge. Every Cisco switch runs STP by default, i.e. you can plug redundant links between two switches, but as the number of switches grows the default STP settings are no longer adequate.

Election of a root bridge: every switch in a network has a bridge ID. The bridge ID is a combination of priority and MAC address, i.e.

Bridge ID = priority.macaddress (so you can influence the root bridge election by lowering the priority of the switch)

Every switch has a priority of 32768 by default. The lower the bridge ID, the higher the chance of being elected root bridge. All ports on the root bridge are in forwarding mode.

After the root bridge is elected, every switch on the network works out the three types of port:

Root port: the port used to reach the root bridge, i.e. the port with the lowest path cost to the root bridge.

Designated port: a forwarding port, one per link.

Blocking / non-designated port: does not forward.

The list below shows the link cost according to the bandwidth of the link:

Bandwidth   Link cost
10 Mbps     100
100 Mbps    19
1 Gbps      4
10 Gbps     2

When all the paths to the root bridge have equal link cost, the tie is broken by

1> the bridge ID of the upstream switch, i.e. the lower bridge ID wins; then

2> the lower port ID.

The figure above shows the election of the root bridge, root port, designated ports and blocked port.
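As an added example (not from the original post), the election described above worked through in Python: the lowest bridge ID (priority plus sys-id-ext, then MAC) becomes the root, and each other switch picks its root port by the page's link-cost table and tie-breakers. The topology is constructed; switch A's and B's MACs are the ones from the show spanning-tree output in the next section, switch C's MAC and the link layout are made up, and ports are plain numbers.

```python
# Added example, not from the original post: STP root-bridge election and
# root-port selection using the link-cost table and tie-breakers above.
# The topology is constructed; A's and B's MACs come from the show output
# in the next section, C's MAC is made up. Ports are numbers (Fa0/1 -> 1).
LINK_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # Mbps -> STP path cost

SWITCHES = {                      # name: (configured priority, MAC)
    "A": (32768, "0090.2B89.4651"),
    "B": (32768, "0001.6378.287E"),
    "C": (32768, "0002.4A7C.1B30"),   # constructed
}
LINKS = [                         # (switch, port, switch, port, Mbps)
    ("A", 1, "B", 1, 100),
    ("A", 2, "B", 2, 100),        # redundant A-B link, as in the show output
    ("B", 3, "C", 1, 100),
    ("A", 3, "C", 2, 100),
]

def bridge_id(priority, mac, vlan=1):
    """PVST bridge ID: (priority + sys-id-ext, i.e. the VLAN, MAC); lower wins."""
    return (priority + vlan, mac.lower())

def elect(switches, links):
    """Return (root switch, {switch: (root port, root path cost)})."""
    bid = {n: bridge_id(p, m) for n, (p, m) in switches.items()}
    root = min(bid, key=bid.get)        # lowest bridge ID becomes the root
    nbrs = {n: [] for n in switches}    # n -> [(peer, peer_port, my_port, cost)]
    for a, pa, b, pb, mbps in links:
        nbrs[a].append((b, pb, pa, LINK_COST[mbps]))
        nbrs[b].append((a, pa, pb, LINK_COST[mbps]))
    cost = {n: (0 if n == root else float("inf")) for n in switches}
    best = {root: (None, 0)}            # the root bridge has no root port
    for _ in switches:                  # relax until all path costs settle
        for n in switches:
            if n == root:
                continue
            # tie-break order: path cost, upstream bridge ID, upstream port, local port
            cands = [(cost[peer] + c, bid[peer], pport, mine)
                     for peer, pport, mine, c in nbrs[n]
                     if cost[peer] != float("inf")]
            if cands:
                c, _, _, mine = min(cands)
                cost[n], best[n] = c, (mine, c)
    return root, best

if __name__ == "__main__":
    root, best = elect(SWITCHES, LINKS)
    print("root bridge:", root, "root ports (port, cost):", best)
```

With the default priorities B wins on MAC address and A picks port 1 over the equal-cost port 2 on the upstream port ID; lowering A's priority to 24576 (what root primary does in the next section) makes A the root instead.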

Configuration of spanning tree protocol

switchA#sh spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.6378.287E
             Cost        19
             Port        1(FastEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0090.2B89.4651
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Root FWD 19        128.1    P2p
Fa0/2               Altn BLK 19        128.2    P2p

Here show spanning-tree shows that fa 0/1 is the root port and fa 0/2 is the blocked port.

Root ID: this section describes the root bridge, i.e. switchA is connected to the root bridge through port fa 0/1.

Bridge ID: this section describes the switch's own parameters.

And if you go to switchB and do show spanning-tree, you can see that switchB is the root bridge.

switchB#sh spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.6378.287E
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0001.6378.287E
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Desg FWD 19        128.1    P2p
Fa1/1               Desg FWD 19        128.2    P2p

Now let's say we want switchA to be our root.

switchA(config)#spanning-tree vlan 1 root ?

primary    Configure this switch as primary root for this spanning tree

secondary  Configure switch as secondary root

switchA(config)#spanning-tree vlan 1 root primary (this lowers the priority, making the switch the root bridge)

switchA#sh spanning-tree

VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     0090.2B89.4651
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     0090.2B89.4651
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Desg FWD 19        128.1    P2p
Fa0/2               Desg LSN 19        128.2    P2p

You can see that the priority has changed to 24577 (priority 24576 sys-id-ext 1) in both the Root ID and Bridge ID sections.

The other way to make a switch the root is to change its priority manually:

switchA(config)#spanning-tree vlan 1 priority ?

<0-61440>  bridge priority in increments of 4096

Enhancements to STP: modern versions of STP

STP port transitioning process:

Listening: for 15 seconds the switch listens for BPDUs (BPDUs are sent and received).

Learning: for 15 seconds the switch learns MAC addresses, i.e. builds its CAM table.

Forwarding: after 30 seconds the port is forwarding traffic.

Blocking: the switch waits up to 20 seconds before moving a blocked port into listening mode.

Given these timers, when a blocked port has to start forwarding it may take about 50 seconds to reach the forwarding state. Suppose your PC is connected to a switch port that only begins this transition when the PC starts to boot. If the PC boots in just 30 seconds, it will not be able to get an IP address from the DHCP server.

The solutions to this are

1> PortFast: effectively disables STP on the specific port. It is usually done on ports connected to a PC and not on ports connected to another switch.

2> Rapid Spanning Tree

Initial STP enhancement

PVST+: runs an instance of STP per VLAN, which allows a different root for different VLANs.

Rapid Spanning Tree: 802.1w

RSTP improves performance by defining more logical port types:

Root ports:

Designated ports:

Alternate ports:

Instead of the blocked port of Spanning Tree Protocol, RSTP uses alternate ports as a backup path to the root.

The main disadvantage of using RSTP is that for RSTP to run efficiently every switch on the network must be running RSTP. A single switch running STP can slow down the RSTP network.

switchA(config)#spanning-tree mode ?

pvst        Per-Vlan spanning tree mode

rapid-pvst  Per-Vlan rapid spanning tree mode

switchA(config)#spanning-tree mode rapid-pvst

Do the same on all three switches.

Thank you all for staying with me through this long post.
