Switch configs

Contents:
- Layer 2 EtherChannel
- Layer 3 EtherChannel
- VLAN, Protected Ports, Private VLAN, VTP, Trunking
- STP: forcing the root, PortFast, BPDU Guard, BPDU Filtering, Root Guard, Flex Link
- Port security, SPAN, DHCP Snooping, ARP Inspection, IP Source Guard, MAC drop, Storm control, Port ACL
- 802.1x, Guest VLAN, Restricted VLAN, MAC Authentication Bypass
- Double core switch
- Configuring the Fabric Extender
Layer 2 EtherChannel

Switch# configure terminal
Switch(config)# interface range gigabitethernet0/4 -5
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# channel-group 5 mode on
Switch(config-if-range)# end
!
Layer 3 EtherChannel

Switch# configure terminal
Switch(config)# interface port-channel 5
Switch(config-if)# no switchport
Switch(config-if)# ip address 172.10.20.10 255.255.255.0
Switch(config-if)# exit
Switch(config)# interface range gigabitethernet0/4 -5
Switch(config-if-range)# no ip address
Switch(config-if-range)# channel-group 5 mode desirable
Switch(config-if-range)# end
!
VLAN

3524XL#vlan database
!-- You have to enter the VLAN database to configure any VLAN
3524XL(vlan)#vtp server
Device mode already VTP SERVER.
3524XL(vlan)#vlan 2 name cisco_vlan_2
VLAN 2 added:
    Name: cisco_vlan_2
!-- You have to exit the VLAN database for the changes to be committed
3524XL(vlan)#exit
APPLY completed.
Exiting....
3524XL#
3524XL#configure terminal
3524XL(config)#interface fastEthernet 0/2
3524XL(config-if)#switchport access vlan 2
!-- Assigning interface fa0/2 to vlan 2
3524XL(config-if)#exit
3524XL(config)#interface fastEthernet 0/3
3524XL(config-if)#switchport access vlan 2
!-- Assigning interface fa0/3 to vlan 2
3524XL(config-if)#end
3524XL#wr mem
!-- Saving the configuration
Protected Ports

A protected port does not forward any traffic to any other port that is also a protected port on the same switch. All traffic passing between protected ports must be forwarded through a Layer 3 (L3) device.

interface FastEthernet0/1
 switchport protected
!
interface FastEthernet0/2
 switchport protected
!
interface FastEthernet0/3

In this example the PCs connected to Fa0/1 and Fa0/2 cannot communicate with each other, but both can communicate with Fa0/3.
Private VLAN

Isolated VLANs: ports within an isolated VLAN cannot communicate with each other at Layer 2.
Community VLANs: ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at Layer 2.
Promiscuous: a promiscuous port can communicate with all interfaces, including the isolated and community ports within the PVLAN.

vtp mode transparent
!
vlan 202
 private-vlan primary
 private-vlan association 303,440
!
vlan 303
 private-vlan community
!
vlan 440
 private-vlan isolated
!
interface FastEthernet0/1
 switchport access vlan 303
 switchport private-vlan host-association 202 303
 switchport mode private-vlan host
!
interface FastEthernet0/2
 switchport access vlan 303
 switchport private-vlan host-association 202 303
 switchport mode private-vlan host
!
interface FastEthernet0/3
 switchport access vlan 440
 switchport private-vlan host-association 202 440
 switchport mode private-vlan host
!
interface FastEthernet0/4
 switchport access vlan 440
 switchport private-vlan host-association 202 440
 switchport mode private-vlan host
!
interface FastEthernet0/5
 switchport access vlan 202
 switchport private-vlan mapping 202 303,440
 switchport mode private-vlan promiscuous
!
interface FastEthernet0/48
 description trunk port
 switchport private-vlan host-association 202 303 440
 switchport private-vlan trunk
!
interface Vlan202
 no ip address
 private-vlan mapping 303,440
!

In this example: PCs connected to Fa0/1 and Fa0/2 can communicate with each other; PCs connected to Fa0/3 and Fa0/4 can communicate with each other; PCs connected to Fa0/1, 0/2, 0/3 and 0/4 can communicate with the server on Fa0/5.
VTP

The VTP server maintains a full list of all VLANs within the VTP domain. The information is stored in NVRAM. The server can add, delete and rename VLANs.
The VTP client also maintains a full list of all VLANs, but does not store it in NVRAM. The client cannot add, delete or rename VLANs; any change must be received from a VTP server advertisement.
A VTP transparent switch does not participate in VTP, but it does forward VTP advertisements. VLANs defined on it are local to that switch and are stored in NVRAM.

Switch# config terminal
Switch(config)# vtp mode server
Switch(config)# vtp domain eng_group
Switch(config)# vtp password mypassword
Switch(config)# vtp version 2
Switch(config)# vtp pruning

You can only enable VTP pruning on a switch in VTP server mode. You can only configure the VTP version on switches in VTP server or transparent mode.
Trunking

A trunk is configured between two devices when they need to carry traffic from multiple VLANs.

!-- Enable trunking on interface fastEthernet 0/1
3524xl(config)#int fastEthernet 0/1
3524xl(config-if)#switchport mode trunk
!-- Set the trunking encapsulation (isl or dot1q)
3524xl(config-if)#switchport trunk encapsulation isl
!-- And then allow all VLANs on the trunk
3524xl(config-if)#switchport trunk allowed vlan all
3524xl(config-if)#exit

The same on a CatOS switch:

Console>(enable) set trunk 2/12 on 1-5 isl
Adding vlans 1-5 to allowed list.
Please use the 'clear trunk' command to remove vlans from allowed list.
Port(s) 2/12 allowed vlans modified to 1-1005.
Port(s) 2/12 trunk mode set to on.
Port(s) 2/12 trunk type set to isl
SSH only from VLAN 10

We need to permit only SSH traffic from VLAN 10, which has no IP address.

Sw(config)#ip access-list extended sshacl
STP: force the root

Forces switch A to become root for all VLANs by changing its priority:
SwitchA(config)# spanning-tree vlan 1-4094 root primary

PortFast

Causes all Layer 2 access interfaces to go directly from blocking to forwarding, bypassing the listening and learning states:
Switch(config)# spanning-tree portfast default

BPDU Guard

Causes all PortFast-configured interfaces to go into the error-disabled state if they receive a BPDU frame:
Switch(config)# spanning-tree portfast bpduguard default

Causes one interface to go into the error-disabled state if it receives a BPDU frame:
Switch(config-if)# spanning-tree bpduguard enable

BPDU Filtering

Causes all PortFast-configured interfaces to lose their PortFast status if they receive a BPDU frame:
Switch(config)# spanning-tree portfast bpdufilter default

Causes one interface to ignore all BPDU frames it receives:
Switch(config-if)# spanning-tree bpdufilter enable

Root Guard

We know that swA must be the root and we want to ignore any BPDU that would make another switch the root, so we use Root Guard:
Switch(config-if)# spanning-tree guard root
Switch# show spanning-tree inconsistentports
Port security

We need one MAC address per switch port. If more than one is seen, shut down the interface:
Switch(config)# interface fastethernet0/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown

We need one MAC address per switch port, and it must be 1000.2000.3000:
Switch(config)# interface fastethernet0/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address 1000.2000.3000

Optionally, you can re-enable the port automatically after a timeout:
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 30
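As an added example (not part of the original page), a small Python audit that parses an IOS-style running-config and flags access ports that miss the baseline from the port-security and BPDU Guard recipes above: port-security enabled, maximum 1, violation shutdown, and BPDU guard either per interface or through the global PortFast default. The sample config is constructed; its interface names and values are assumptions.

```python
# Constructed sample running-config in the style of this page (not from a real device).
SAMPLE_CONFIG = """\
interface FastEthernet0/12
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 spanning-tree bpduguard enable
!
interface FastEthernet0/13
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
!
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its stripped config lines."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            blocks[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks

def audit_access_ports(config):
    """(interface, finding) pairs for access ports missing the page's baseline."""
    bpduguard_global = "spanning-tree portfast bpduguard default" in config
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and routed ports are out of scope here
        if "switchport port-security" not in lines:
            findings.append((name, "port-security not enabled"))
        else:
            maximum = next((int(l.split()[-1]) for l in lines
                            if l.startswith("switchport port-security maximum ")), 1)
            if maximum > 1:
                findings.append((name, f"port-security maximum is {maximum}, expected 1"))
            if "switchport port-security violation shutdown" not in lines:
                findings.append((name, "violation action is not shutdown"))
        if not bpduguard_global and "spanning-tree bpduguard enable" not in lines:
            findings.append((name, "BPDU guard not enabled"))
    return findings
```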
SPAN

interface FastEthernet0/8
 port monitor FastEthernet0/12
!-- we receive port 12 traffic on interface 8

monitor session 1 source interface Fa0/9
monitor session 1 destination interface Fa0/5
DHCP Snooping

Trusted ports can forward both DHCP REQ (client) and DHCP ACK (server) messages. Untrusted ports can forward only DHCP REQ messages. By default all ports are untrusted. The switch builds a DHCP snooping database.

conf t
ip dhcp snooping
ip dhcp snooping vlan 6
!-- (the switch will compare the source MAC address with the one in its DHCP snooping database; if there is no match, the packet is dropped)
!
interface fastethernet 0/1
 description connected to DHCP server or uplink toward DHCP server
 ip dhcp snooping trust
 ip dhcp snooping limit rate 300
ARP Inspection

We need to protect the IP address of one VLAN from ARP poisoning, so we bind its IP to its real MAC address and deny any other MAC address.

arp access-list arp-inspection

If we are using DHCP snooping, the switch builds the snooping database, so we don't need to configure the ARP ACL. Trunks and uplinks must be trusted because the DHCP snooping database is local to the switch.

configure terminal
ip arp inspection vlan 10
interface fastethernet 0/24
 description uplink to switch2
 ip arp inspection trust
 switchport mode trunk
IP Source Guard

IPSG restricts IP traffic on non-routed Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings. You can use IP Source Guard to prevent attacks in which a host tries to use the IP address of its neighbour.

configure terminal
ip dhcp snooping
ip dhcp snooping vlan 6
ip dhcp snooping information option
!
interface fast 0/1
 ip verify source [port-security]
!-- "ip verify source" checks only the source IP; "ip verify source port-security" checks both the source IP and the source MAC
!
!-- You can manually bind an IP to a port:
ip source binding 0100.0022.0010 vlan 6 10.0.0.2 interface gigabitethernet1/0/1
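As an added example (not the page's own code), a Python model of the binding-table checks that DAI and IPSG perform on untrusted ports, using the 'ip source binding' line format shown above: DAI matches the ARP sender MAC/IP against the binding for that port and VLAN, plain 'ip verify source' checks the source IP only, and 'ip verify source port-security' also requires the source MAC to match. The binding lines and the trusted uplink name are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed binding lines in the 'ip source binding' syntax shown above.
BINDINGS = """\
ip source binding 0100.0022.0010 vlan 6 10.0.0.2 interface gigabitethernet1/0/1
ip source binding 0100.0022.0011 vlan 6 10.0.0.3 interface gigabitethernet1/0/2
"""
# Assumed trusted uplink toward the DHCP server (DAI is not applied there).
TRUSTED_PORTS = {"gigabitethernet1/0/24"}

@dataclass(frozen=True)
class Binding:
    mac: str
    vlan: int
    ip: str
    port: str

def parse_bindings(text):
    """Build the binding table from 'ip source binding MAC vlan V IP interface PORT' lines."""
    table = []
    for line in text.splitlines():
        p = line.split()
        if p[:3] == ["ip", "source", "binding"]:
            table.append(Binding(p[3].lower(), int(p[5]), p[6], p[8].lower()))
    return table

def dai_allows(table, port, vlan, sender_mac, sender_ip):
    """Dynamic ARP Inspection: trusted ports bypass the check; on untrusted ports
    the ARP sender MAC/IP must match a binding for that port and VLAN."""
    if port in TRUSTED_PORTS:
        return True
    return any(b.port == port and b.vlan == vlan and b.mac == sender_mac.lower()
               and b.ip == sender_ip for b in table)

def ipsg_allows(table, port, vlan, src_mac, src_ip, port_security=False):
    """IP Source Guard: 'ip verify source' checks the source IP only;
    'ip verify source port-security' also requires the source MAC to match."""
    for b in table:
        if b.port == port and b.vlan == vlan and b.ip == src_ip:
            return (not port_security) or b.mac == src_mac.lower()
    return False
```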
MAC drop

On the distribution switch you deny one MAC address from entering one VLAN:
mac-address-table static 0004.231c.d91f vlan 111 drop
Storm control

A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance.

SW# configure terminal
SW(config)# interface Gigabitethernet1/0/1
SW(config-if)# storm-control broadcast level 60
SW(config-if)# storm-control action trap (or shutdown)
Port ACL

Applied to Layer 2 interfaces on the switch.

configure terminal
mac access-list extended deny-to-osama-mac
 deny any host 0000.861f.3745
 permit any any
exit
interface Gigabitethernet1/0/1
 mac access-group deny-to-osama-mac in
802.1x

Clients use 802.1x with the MD5-challenge option. In RADIUS, add attributes 64, 65 and 81 for dynamic VLAN assignment. For more details: http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00801d11a4.shtml

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 description connected to HUB (many users)
 switchport mode access
 dot1x port-control auto
 dot1x host-mode multi-host
!
radius-server host 10.10.10.10 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key blablabla
radius-server vsa send
!

To let the dot1x client use Windows credentials (SSO), choose PEAP and check the option to automatically use the Windows username/password. To integrate ACS with the domain controller, join it to the domain and follow the instructions here (https://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml#config-acs) to install a certificate on it. In ACS, use database group mapping to map a Windows group to an ACS group (which represents a VLAN).
Guest VLAN

If the client does not support 802.1x, it is assigned to a guest VLAN after 90 s.

dot1x guest-vlan supplicant
!-- (the client is moved to the guest VLAN even if it fails authentication)
!
interface fast 0/1
 dot1x port-control auto
 dot1x guest-vlan 15
!
Restricted VLAN

If the dot1x client fails authentication, it is assigned to a restricted VLAN. After 60 s it can re-authenticate.
MAC Authentication Bypass

If a printer is connected to a dot1x port, we authenticate it using its MAC address. The MAC address is stored in ACS.

interface fast 0/1
 dot1x port-control auto
 dot1x mac-auth-bypass
!
Double core switch

The two cores split the load per VLAN: 6509_1 has the lowest MST priority for instance 1 (VLANs 1, 101, 120) and the highest HSRP priority for VLAN 120; 6509_2 has the lowest MST priority for instance 2 (VLAN 10) and the highest HSRP priority for VLAN 10, so for each VLAN the STP root and the HSRP active gateway are the same chassis.

6509_1

!
spanning-tree mode mst
spanning-tree portfast default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
spanning-tree mst configuration
 name MST_XY
 revision 1
 instance 1 vlan 1, 120, 101
 instance 2 vlan 10
!
spanning-tree mst 1 priority 4096
spanning-tree mst 2 priority 8192
!
vtp mode server
vtp domain eng_group
vtp password mypassword
vtp version 2
vtp pruning
!
interface Port-channel1
 no ip address
 speed nonegotiate
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet9/1
 description **** UPLINK to 7E ***
 no ip address
 speed nonegotiate
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 spanning-tree bpduguard disable
!
interface GigabitEthernet9/2
 description **** UPLINK to 3E ***
 no ip address
 speed nonegotiate
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 spanning-tree bpduguard disable
!
.....
interface GigabitEthernet9/47
 description inter-chassis trunk
 no ip address
 speed nonegotiate
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 spanning-tree bpduguard enable
 channel-group 1 mode on
!
interface GigabitEthernet9/48
 description inter-chassis trunk
 no ip address
 speed nonegotiate
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 spanning-tree bpduguard enable
 channel-group 1 mode on
!
.....
!
interface Vlan120
 ip address 10.120.120.252 255.255.255.0
 standby 120 ip 10.120.120.254
 standby 120 timers 1 4
 standby 120 priority 150
 standby 120 preempt
!
interface Vlan10
 ip address 10.10.10.252 255.255.255.0
 standby 10 ip 10.10.10.254
 standby 10 timers 1 4
 standby 10 preempt
!
.....

6509_2

!
spanning-tree mode mst
spanning-tree portfast default
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
spanning-tree mst configuration
 name MST_XY
 revision 1
 instance 1 vlan 1, 120, 101
 instance 2 vlan 10
!
spanning-tree mst 1 priority 8192
spanning-tree mst 2 priority 4096
!
vtp mode server
vtp domain eng_group
vtp password mypassword
vtp version 2
vtp pruning
!
interface Port-channel1
 no ip address
 speed nonegotiate
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet9/1
 description **** UPLINK to 7E ***
 no ip address
 speed nonegotiate
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 spanning-tree bpduguard disable
!
interface GigabitEthernet9/2
 description **** UPLINK to 3E ***
 no ip address
 speed nonegotiate
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 spanning-tree bpduguard disable
!
.....
interface GigabitEthernet9/47
 description inter-chassis trunk
 no ip address
 speed nonegotiate
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 spanning-tree bpduguard enable
 channel-group 1 mode on
!
interface GigabitEthernet9/48
 description inter-chassis trunk
 no ip address
 speed nonegotiate
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 spanning-tree bpduguard enable
 channel-group 1 mode on
!
.....
!
interface Vlan120
 ip address 10.120.120.253 255.255.255.0
 standby 120 ip 10.120.120.254
 standby 120 timers 1 4
 standby 120 preempt
!
interface Vlan10
 ip address 10.10.10.253 255.255.255.0
 standby 10 ip 10.10.10.254
 standby 10 timers 1 4
 standby 10 priority 150
 standby 10 preempt
!
.....
Configuring the Fabric Extender

This example shows how to associate the Fabric Extender to a port channel interface on the parent device.

switch# configure terminal
switch(config)# interface port-channel 4
switch(config-if)# switchport mode fex-fabric
switch(config-if)# fex associate 100
switch(config-if)# exit
switch(config)# interface ethernet 1/37
switch(config-if)# switchport mode fex-fabric
switch(config-if)# fex associate 100
switch(config-if)# channel-group 4
switch(config-if)# exit
switch(config)# interface ethernet 1/38
switch(config-if)# switchport mode fex-fabric
switch(config-if)# fex associate 100
switch(config-if)# channel-group 4
switch(config-if)# exit
switch(config)# interface ethernet 1/39
switch(config-if)# switchport mode fex-fabric
switch(config-if)# fex associate 100
switch(config-if)# channel-group 4
switch(config-if)# exit
switch(config)# interface ethernet 1/40
switch(config-if)# switchport mode fex-fabric
switch(config-if)# fex associate 100
switch(config-if)# channel-group 4