Wednesday, July 6, 2011

Cisco Switch Configuration


All switch configuration from here on is based on the labelled diagram below unless specified otherwise; please bear with my drawings, as I am not a designer.

How to give the switch an IP address and default gateway, and how to secure the switch

(config)#interface vlan 1 (the VLAN 1 interface gets the management IP address, because every port on the switch is in VLAN 1 by default)
(config-if)#ip address 192.168.0.10 255.255.255.0
(config)#ip default-gateway 192.168.0.1
#show version
#show interfaces vlan 1

kundanswitch(config)#enable password cisco
kundanswitch(config)#enable secret cisco1 (the enable secret supersedes the enable password; the secret is stored as a one-way hash, the password is not)

kundanswitch(config)#no enable password (removes the enable password cisco)
kundanswitch(config)#line console 0
kundanswitch(config-line)#password cisco
kundanswitch(config-line)#login

kundanswitch(config)#line vty 0 4 (the vty lines carry remote sessions such as telnet)
kundanswitch(config-line)#password cisco
kundanswitch(config-line)#login

kundanswitch(config-line)#line vty 0 4 (to remove the login and password requirement from telnet sessions)
kundanswitch(config-line)#no login
kundanswitch(config)#service password-encryption (obfuscates every plaintext password in the configuration; this is reversible type 7 encoding, so it hides passwords from someone glancing at the config but not from anyone who can copy it)


How to set up SSH on the switch
(config)#ip domain-name kundan.com (a hostname and domain name must exist before the key can be generated)
(config)#crypto key generate rsa
asks for the modulus size, i.e. 512/1024/2048 bits (SSH version 2 needs at least 768 bits; 2048 is the sensible choice)
(config)#ip ssh version 2 (pins the SSH version; version 2 is the standard)
(config)#line vty 0 4
(config-line)#transport input ssh (telnet is disallowed, only SSH is accepted)
(config-line)#transport input telnet ssh (the alternative: allows both protocols in)
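The settings above are easy to verify by reading the running configuration back. The script below is an added example, not part of the original post, and not Cisco code: it parses the text of a running-config (two constructed samples are embedded, one weak and one hardened with the commands from this section) and reports which of the management-plane checks from this section fail. The config format it assumes is the plain IOS running-config layout, with `line` sections followed by indented sub-commands.

```python
"""Audit an IOS running-config for the management-plane settings discussed above."""

# Constructed sample: enable password only, telnet still allowed, an unprotected vty range.
WEAK_CONFIG = """\
hostname kundanswitch
enable password cisco
ip domain-name kundan.com
ip ssh version 2
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 transport input telnet ssh
line vty 5 15
 no login
"""

# Constructed sample: the same switch after applying the commands from this section.
HARDENED_CONFIG = """\
hostname kundanswitch
service password-encryption
enable secret cisco1
ip domain-name kundan.com
ip ssh version 2
!
line con 0
 password cisco
 login
 exec-timeout 30 0
 logging synchronous
line vty 0 4
 password cisco
 login
 exec-timeout 30 0
 logging synchronous
 transport input ssh
"""


def parse_config(text):
    """Split a running-config into global commands and per-'line' sub-command lists."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if raw.startswith("line "):
            current = stripped
            line_blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            line_blocks[current].append(stripped)
        else:
            current = None
            global_cmds.append(stripped)
    return global_cmds, line_blocks


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, line_blocks = parse_config(text)
    findings = []
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append("no 'enable secret' (an enable password is not hashed)")
    if "service password-encryption" not in global_cmds:
        findings.append("no 'service password-encryption'")
    if "ip ssh version 2" not in global_cmds:
        findings.append("SSH not pinned to version 2")
    for name, cmds in line_blocks.items():
        if not any(c == "login" or c.startswith("login ") for c in cmds):
            findings.append(f"{name}: login not required")
        if name.startswith("line vty"):
            transports = [c for c in cmds if c.startswith("transport input")]
            if not transports:
                findings.append(f"{name}: no 'transport input' (telnet may be allowed by default)")
            elif set(transports[0].split()[2:]) & {"telnet", "all"}:
                findings.append(f"{name}: telnet allowed ({transports[0]})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "OK")
```

Paste the output of `show running-config` into a file and feed it to `audit()`; the vty check deliberately treats a missing `transport input` as a finding, because the default on many images accepts telnet.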

How to set up port security on a Cisco switch
Port security: controls which and how many devices can plug into a switch port.
#terminal monitor (displays syslog messages on this terminal session, so you see port-security events as they happen)
kundanswitch#show mac-address-table (shows the MAC addresses of attached devices)
kundanswitch(config)#interface fastEthernet 0/5 (we are going to set up port security on port fa 0/5)
kundanswitch(config-if)#switchport mode access (hard-codes the port as an access port: it connects an end device, not another switch; the alternative to access is trunk)
kundanswitch(config-if)#switchport port-security maximum 1 (the maximum number of MAC addresses allowed on this port is 1)

kundanswitch(config-if)#switchport port-security violation ? (sets what happens when the policy is violated; by default the port shuts down and you have to bring it back up yourself)
  protect   Security violation protect mode (silently drops frames from any additional MAC address, with no log)
  restrict  Security violation restrict mode (drops them and logs the event each time it happens; this option is highly recommended)
  shutdown  Security violation shutdown mode
kundanswitch(config-if)#switchport port-security violation shutdown

kundanswitch(config-if)#switchport port-security mac-address ?
  H.H.H   48 bit mac address (you can hard-code the MAC address allowed on the port)
  sticky  Configure dynamic secure addresses as sticky (the switch learns the MAC address seen on the port and writes it into the running configuration as a secure address)
kundanswitch(config-if)#switchport port-security mac-address sticky

kundanswitch#show port-security interface fa0/5 ( shows detailed information of the port security applied and its state)
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
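When you have port security on dozens of ports, reading each `show port-security interface` by eye stops scaling. The script below is an added example, not part of the original post: it parses that output into a dictionary and flags the conditions a defender cares about (violations recorded, a port err-disabled by port security, or the silent `protect` mode). The first sample is the output shown above; the second is a constructed variant of the same port after a violation, with a made-up source MAC.

```python
"""Parse 'show port-security interface' output and flag what needs attention."""

# Sample 1: the output from the post (port configured, nothing plugged in yet).
CLEAN_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

# Sample 2 (constructed): the same port after a second MAC appeared and it shut down.
VIOLATED_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0011.2233.4455:1
Security Violation Count   : 1
"""


def parse_port_security(text):
    """Split each 'Key : Value' line; numeric values become ints."""
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        # Split on the first ' : ' so 'Last Source Address:Vlan' keeps its own colon.
        key, value = line.split(" : ", 1)
        key, value = key.strip(), value.strip()
        fields[key] = int(value) if value.isdigit() else value
    return fields


def assess(text):
    """Return (parsed fields, list of findings) for one interface."""
    f = parse_port_security(text)
    findings = []
    if f.get("Port Security") != "Enabled":
        findings.append("port security is not enabled")
    if f.get("Security Violation Count", 0) > 0:
        findings.append(
            f"{f['Security Violation Count']} violation(s); last source "
            f"{f.get('Last Source Address:Vlan')}"
        )
    if f.get("Port Status") == "Secure-shutdown":
        findings.append("port err-disabled by port security; investigate before re-enabling")
    if f.get("Violation Mode") == "Protect":
        findings.append("violation mode 'protect' drops silently with no log; prefer restrict or shutdown")
    return f, findings


if __name__ == "__main__":
    for sample in (CLEAN_OUTPUT, VIOLATED_OUTPUT):
        fields, findings = assess(sample)
        print(fields["Port Status"], findings or "OK")
```

The useful part is the second finding: a port in `Secure-shutdown` with a non-zero violation count tells you which MAC address tried to join and on which VLAN, which is the first thing to look at before anyone runs `shutdown` / `no shutdown` to clear it.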



How to change speed and duplex on a Cisco switch

(config)#interface fa 0/5 (here we change the speed and duplex of fa 0/5)
(config-if)# speed 10
(config-if)# duplex half

User-experience settings on the switch
(config-line)#logging synchronous (re-displays the command you were typing when a log message interrupts it)
(you have to do this on both line types, i.e. line console and line vty)
(config-line)#exec-timeout 30 (idle timeout in minutes; this should also be set on both line types. "no exec-timeout" means the session never times out, which is convenient in a lab but not something to leave on a production switch)
(config)#no ip domain-lookup (turns off DNS lookups, so a mistyped command is not treated as a hostname to resolve)

How to configure switch VLANs
VLANs divide (segment) broadcast domains, which provides access control and QoS (quality of service).
If you want two VLANs to communicate, you have to route between them.

Trunk port: a port that carries VLAN traffic between switches.
Understanding trunks and VTP
Trunking allows switches to pass traffic for multiple VLANs between each other. Trunking is also known as tagging.
If a red-VLAN packet is passed from switch1 to switch2, switch2 needs some way of finding out that the packet belongs to
the red VLAN. This mechanism is known as tagging. When switch1 needs to send red-VLAN packets, it adds header information to the packet
saying it belongs to the red VLAN and sends it down the trunk link. Switch2 receives the packet, reads the header and forwards the
packet to the red-VLAN ports. Tagging is a layer 2 (data link layer) feature.

Trunking protocols
1: 802.1Q, the industry-standard trunking protocol

VTP: VLAN Trunking Protocol (I would call this a name mismatch, because it is not actually a trunking protocol). VTP describes
how VLANs are replicated across switches. Suppose you have 20 switches and 2 VLANs in your network, and you want to add
2 more VLANs. Without VTP you have to go to each switch and add the 2 VLANs on each one.
VTP replicates the VLANs: you add them on one switch and VTP does the rest of the replication work.


How to configure VTP modes
1. Server: can change VLAN information, sends and receives VTP updates, saves the VLAN configuration. Every switch is a server by default.
2. Client: cannot change VLAN information, sends and receives VTP updates, does not save the VLAN configuration.
3. Transparent: can add, change and modify VLANs locally. It only forwards (passes through) VTP updates and does not act on VTP advertisements.

VLAN pruning: keeps unnecessary broadcast traffic from crossing trunk links. It can only be enabled on VTP servers.


Configuration:
We are going to configure everything mentioned above on switches 1, 2 and 3 from the figure above.

Trunk configuration (switch1 ---> switch2 = trunk link, switch1 ---> switch3 = trunk link)
switch1 configuration: switch1 has fa 0/1 and fa 0/2 as trunk ports
switch1(config)#interface fa0/1
switch1(config-if)#switchport trunk encapsulation dot1q
switch1(config-if)#switchport mode trunk

Do the same for the other trunk port of switch1, i.e. fa 0/2.
Note: after setting your trunk ports it is good practice to force all the other ports to access mode, so that nobody can plug in a switch and negotiate a trunk link, by doing
switch(config)#interface range fa0/3 - 23
switch(config-if-range)#switchport mode access

Do the same for switch2 and switch3.

configuring VTP

switch1#show vtp status (shows the VTP state of switch1)
VTP Version                     : 2
Configuration Revision          : 0
Maximum VLANs supported locally : 255
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x7D 0x5A 0xA6 0x0E 0x9A 0x72 0xA0 0x3A
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Local updater ID is 192.168.1.10 on interface Vl1 (lowest numbered VLAN interface found)

Note: when switch1 is given a domain name, switch2 and switch3, whose domain names are blank, will accept whichever domain name is first
advertised to them.

switch1(config)#vtp domain testkundan
Changing VTP domain name from NULL to testkundan
(Now if you go to switch2 and switch3 and do show vtp status you can see they have adopted the domain name testkundan.)

switch2(config)#vtp mode client
Setting device to VTP CLIENT mode. (By default every switch is in VTP server mode, and switch1 stays in server mode.)

do the same for switch3 as for switch2

Configuring a VLAN to test replication between switches through VTP
switch1(config)#vlan 10
switch1#sh vtp status
VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 255
Number of existing VLANs        : 6
VTP Operating Mode              : Server
VTP Domain Name                 : testkundan
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x1E 0x25 0x96 0x95 0xB0 0xBD 0x0D 0x2A
Configuration last modified by 192.168.1.10 at 3-1-93 00:52:01
Local updater ID is 192.168.1.10 on interface Vl1 (lowest numbered VLAN interface found)

Now the VLAN is created and it should be replicated to switch2 and switch3; you can go to switch2 and do
switch2#show vtp status
VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 255
Number of existing VLANs        : 6
VTP Operating Mode              : Client
VTP Domain Name                 : testkundan
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x1E 0x25 0x96 0x95 0xB0 0xBD 0x0D 0x2A
Configuration last modified by 192.168.1.10 at 3-1-93 00:52:01
You can see that the configuration revision has changed to 1, i.e. the VLAN replication was successful, and that the configuration was last modified by 192.168.1.10, which is the VTP server.
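The comparison made above by eye (same domain, same revision, same MD5 digest, same updater) is the whole test of whether VTP replication worked, and it is easy to script. The block below is an added example, not part of the original post and not Cisco code: it parses `show vtp status` text and reports every field on which a client disagrees with its server. The three samples are the outputs shown in this post, abridged to the lines the check uses; the blank-domain check reflects the note above that a switch with no domain name adopts the first one advertised.

```python
"""Compare 'show vtp status' from a VTP server and a client to confirm replication."""
import re

# switch1 before 'vtp domain testkundan' (from the post, abridged).
BEFORE_DOMAIN = """\
VTP Version                     : 2
Configuration Revision          : 0
Number of existing VLANs        : 5
VTP Operating Mode              : Server
VTP Domain Name                 :
MD5 digest                      : 0x7D 0x5A 0xA6 0x0E 0x9A 0x72 0xA0 0x3A
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
"""

# switch1 after the domain name was set and vlan 10 created (from the post, abridged).
SERVER_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 1
Number of existing VLANs        : 6
VTP Operating Mode              : Server
VTP Domain Name                 : testkundan
MD5 digest                      : 0x1E 0x25 0x96 0x95 0xB0 0xBD 0x0D 0x2A
Configuration last modified by 192.168.1.10 at 3-1-93 00:52:01
Local updater ID is 192.168.1.10 on interface Vl1 (lowest numbered VLAN interface found)
"""

# switch2 as a client (from the post, abridged).
CLIENT_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 1
Number of existing VLANs        : 6
VTP Operating Mode              : Client
VTP Domain Name                 : testkundan
MD5 digest                      : 0x1E 0x25 0x96 0x95 0xB0 0xBD 0x0D 0x2A
Configuration last modified by 192.168.1.10 at 3-1-93 00:52:01
"""


def parse_vtp_status(text):
    """Turn 'show vtp status' into a dict; integer fields are converted to int."""
    info = {}
    for line in text.splitlines():
        # The timestamp line contains colons of its own, so handle it with a regex.
        m = re.match(r"Configuration last modified by (\S+) at (.+)", line)
        if m:
            info["Last modified by"] = m.group(1)
            continue
        if line.startswith("Local updater ID"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        info[key.strip()] = int(value) if value.isdigit() else value
    return info


def check_replication(server_text, client_text):
    """Return a list of mismatches; an empty list means the client is in sync."""
    s, c = parse_vtp_status(server_text), parse_vtp_status(client_text)
    problems = []
    if s.get("VTP Operating Mode") != "Server":
        problems.append("first switch is not in VTP server mode")
    if not s.get("VTP Domain Name"):
        problems.append("server has a blank domain name and will adopt the first one advertised")
    for field in ("VTP Domain Name", "Configuration Revision", "MD5 digest", "Last modified by"):
        if s.get(field) != c.get(field):
            problems.append(f"{field}: server={s.get(field)!r} client={c.get(field)!r}")
    return problems


if __name__ == "__main__":
    print(check_replication(SERVER_STATUS, CLIENT_STATUS) or "client in sync")
    print(check_replication(BEFORE_DOMAIN, CLIENT_STATUS))
```

Matching MD5 digests is the strongest of the four signals, because the digest covers the whole VLAN database rather than just its revision counter.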

Now let's add two more VLANs, vlan 20 and vlan 30.
switch1(config)#vlan 20
switch1(config-vlan)#exit
switch1(config)#vlan 30

Up to now we have only created VLANs and have not assigned any ports to them, so now let's put ports into a VLAN.
switch3(config)#interface fastEthernet 0/8 (we are putting the PC attached to switch3 into vlan 10)
switch3(config-if)#switchport mode access
switch3(config-if)#switchport access vlan 10

Now a ping to the PC attached to switch2 will fail, because the PC attached to switch3 is in vlan 10 and the PC attached to switch2 is in vlan 1. To bring back
connectivity, let's put the PC attached to switch2 into vlan 10 as well.

switch2(config)#interface fa 0/8
switch2(config-if)#switchport mode access
switch2(config-if)#switchport access vlan 10

How to configure Spanning Tree Protocol
From this point on we will be referring to the labelled diagram below for Spanning Tree Protocol on Cisco switches.

Spanning Tree Protocol prevents the broadcast storms caused by network loops. Switches send BPDUs (Bridge Protocol Data Units) to discover loops; BPDUs are also used to elect the core switch of the network, known as the root bridge. Every Cisco switch runs STP by default, so you can plug redundant links in between two switches, but as the number of switches grows the default STP settings are no longer adequate.

Election of a root bridge: every switch in the network has a bridge ID. The bridge ID is the combination of a priority and a MAC address, i.e.
Bridge ID = priority.macaddress (so you can elect the root bridge by lowering the priority of the switch you want)
Every switch has a priority of 32768 by default. The lower the priority, the better the chance of winning the root bridge election. All the ports on the root bridge are in forwarding mode.

After the root bridge is elected, every switch on the network works out its three types of port:
Root port: the port used to reach the root bridge, i.e. the port from which the path cost to the root bridge is lowest.
Designated port: a forwarding port, one per link.
Blocking / non-designated port: does not forward.

The list below shows the link cost for each link bandwidth:

Bandwidth    Link cost
10 Mbps      100
100 Mbps     19
1 Gbps       4
10 Gbps      2

When all paths to the root bridge have equal link cost, the tie is broken by
1>    the bridge ID of the upstream switch: the lower the bridge ID, the higher its priority, and the neighbour with the higher priority is chosen;
2>    otherwise the lower-numbered port is chosen.
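To make the election rules concrete, here is a small simulation written for this post as an added example (not from the original post and not Cisco code). It uses the link cost table above, compares bridge IDs as (priority, MAC) tuples, computes each switch's path cost to the root, and picks the root port with the three tie-breakers in the order given. The topology is constructed to match the `show spanning-tree` outputs shown further down: switchA and switchB use the MAC addresses from those outputs, while switchC and its MAC address are made up. It goes slightly beyond the text by modelling the `sys-id-ext` shown in that output (the VLAN number added to the configured priority, which is why 32768 appears as 32769), and by rejecting priorities that are not multiples of 4096.

```python
"""Simulate the STP root bridge election and root port choice described above."""
import heapq
import re

# Link cost per bandwidth in Mbps, from the table above.
LINK_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}

# Constructed topology. switchA/switchB MACs come from the post; switchC is made up.
BRIDGES = {
    "switchA": (32768, "0090.2B89.4651"),
    "switchB": (32768, "0001.6378.287E"),
    "switchC": (32768, "00AA.BBCC.DDEE"),  # constructed
}
# (switch, port, neighbour, neighbour port, bandwidth in Mbps)
LINKS = [
    ("switchA", "Fa0/1", "switchB", "Fa0/1", 100),
    ("switchA", "Fa0/2", "switchC", "Fa0/1", 100),
    ("switchB", "Fa1/1", "switchC", "Fa0/2", 100),
]


def bridge_id(priority, mac, vlan=1):
    """Bridge ID as a comparable tuple: (priority + sys-id-ext, MAC). Lower wins."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 between 0 and 61440")
    return (priority + vlan, mac.lower())


def elect_root(bridges, vlan=1):
    """The switch with the lowest bridge ID becomes the root bridge."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name], vlan=vlan))


def _adjacency(links):
    adj = {}
    for a, port_a, b, port_b, bw in links:
        adj.setdefault(a, []).append((port_a, b, LINK_COST[bw]))
        adj.setdefault(b, []).append((port_b, a, LINK_COST[bw]))
    return adj


def root_path_costs(bridges, links, vlan=1):
    """Dijkstra from the root bridge: {switch: lowest total link cost to the root}."""
    root, adj = elect_root(bridges, vlan), _adjacency(links)
    cost, heap = {root: 0}, [(0, root)]
    while heap:
        c, node = heapq.heappop(heap)
        if c > cost.get(node, float("inf")):
            continue
        for _port, nbr, link_cost in adj.get(node, []):
            if c + link_cost < cost.get(nbr, float("inf")):
                cost[nbr] = c + link_cost
                heapq.heappush(heap, (c + link_cost, nbr))
    return cost


def _port_key(port):
    """Numeric ordering for port names, so Fa0/2 sorts before Fa0/10."""
    return tuple(int(n) for n in re.findall(r"\d+", port))


def root_port(switch, bridges, links, vlan=1):
    """Root port: lowest path cost, then lowest upstream bridge ID, then lowest port."""
    if switch == elect_root(bridges, vlan):
        return None  # the root bridge has no root port; all its ports forward
    cost = root_path_costs(bridges, links, vlan)
    candidates = [
        (cost[nbr] + link_cost, bridge_id(*bridges[nbr], vlan=vlan), _port_key(port), port)
        for port, nbr, link_cost in _adjacency(links)[switch]
    ]
    return min(candidates)[3]


if __name__ == "__main__":
    print("root:", elect_root(BRIDGES))
    for name in BRIDGES:
        print(name, "root port:", root_port(name, BRIDGES, LINKS))
```

With the default priorities switchB wins on its lower MAC address and switchA's root port is Fa0/1, which is what the first `show spanning-tree` output in this post reports; changing switchA's priority to 24576 in `BRIDGES` reproduces the effect of `spanning-tree vlan 1 root primary` shown later.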

The figure above shows the election of the root bridge, root port, designated port and blocked port.
Configuration of Spanning Tree Protocol
switchA#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.6378.287E
             Cost        19
             Port        1(FastEthernet0/1)
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0090.2B89.4651
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Root FWD 19        128.1    P2p
Fa0/2            Altn BLK 19        128.2    P2p

Here show spanning-tree shows that fa 0/1 is the root port and fa 0/2 is the blocked port.
Root ID: this segment describes the root bridge, i.e. switchA reaches the root bridge through port fa 0/1.
Bridge ID: this segment describes the switch's own parameters.
And if you go to switchB and do show spanning-tree, you can see that switchB is the root bridge.
switchB#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32769
             Address     0001.6378.287E
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     0001.6378.287E
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa1/1            Desg FWD 19        128.2    P2p

Now let's say we want switchA to be our root.
switchA(config)#spanning-tree vlan 1 root ?
  primary    Configure this switch as primary root for this spanning tree
  secondary  Configure switch as secondary root
switchA(config)#spanning-tree vlan 1 root primary (this lowers the priority, making the switch the root bridge)
switchA#sh spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    24577
             Address     0090.2B89.4651
             This bridge is the root
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24577  (priority 24576 sys-id-ext 1)
             Address     0090.2B89.4651
             Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  20

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/1            Desg FWD 19        128.1    P2p
Fa0/2            Desg LSN 19        128.2    P2p
In the output above you can see the priority has changed from 32769 to 24577 and switchA is now the root.
The other way to make a switch the root is to change its priority manually with
switchA(config)#spanning-tree vlan 1 priority ?
  <0-61440>  bridge priority in increments of 4096

Enhancements to STP: modern versions of STP
STP port transition process:
Listening: for 15 seconds the switch listens for BPDUs; BPDUs are sent and received.
Learning: for 15 seconds the switch learns MAC addresses, i.e. builds the CAM table.
Forwarding: after those 30 seconds the port forwards traffic.
Blocking: the switch waits up to 20 seconds before moving a blocked port into listening mode.
Given these timers, when a blocked port has to start forwarding it can take about 50 seconds to reach the forwarding state. Suppose your PC is connected to a switch port that has just entered this process as the PC starts to boot. If the PC boots in 30 seconds, it will not be able to get an IP address from the DHCP server, because the port is not forwarding yet.
The solutions to this are
1>    PortFast: you are effectively disabling STP's waiting period on that specific port, so it goes straight to forwarding. It is usually done on ports connected to PCs and never on ports connected to another switch.
2>    Rapid Spanning Tree

Initial STP enhancement
PVST+: runs one instance of STP per VLAN,
      which allows a different root bridge for different VLANs.

Rapid Spanning Tree: 802.1w

RSTP improves performance by defining more logical port types:
Root ports
Designated ports
Alternate ports
Instead of the blocked port of classic STP, RSTP uses alternate ports as a backup path to the root.
The main disadvantage of RSTP is that for it to run efficiently every switch on the network must be running RSTP. A single switch running classic STP can slow RSTP down.

switchA(config)#spanning-tree mode ?
  pvst        Per-Vlan spanning tree mode
  rapid-pvst  Per-Vlan rapid spanning tree mode
switchA(config)#spanning-tree mode rapid-pvst
Do the same on all three switches.

Thank you all for being with me in this long post
