Background / Preparation
Cable a network similar to the one in the diagram. This diagram will be used for all of the following labs. Start a HyperTerminal session.
b. What button is on the front of the switch? What is it used for?
The MODE button cycles among the following port LED modes:
STAT (port status); LED colours:
   Off: no link.
   Green: link present.
   Flashing green: port operational.
   Alternating green/orange: error frames, excessive collisions, CRC-error packets.
   Orange: the port is not forwarding; it has been disabled in the management console, suspended due to a MAC address violation, or blocked by STP due to loops. During the first 30 seconds after the switch boots or a cable is connected to a switch port, the port is not forwarding because the switch and the host are agreeing on connection parameters.
UTL (utilization of the switch); LED colours: the first third of the switch ports indicates low utilization, the second third medium utilization, and the last third high to very high utilization. The mapping may differ from switch to switch; check the switch manual.
FDUP (which ports operate at full duplex); LED colours:
   Off: the port is operating at half duplex.
   Green: the port is operating at full duplex.
100 (which ports operate at 100 Mbps).
f. Is there an IP address set on the switch?
g. What is the MAC address of this virtual switch interface? ______________________________
h. Is this interface up? ___________________________________________________________
i. The IP properties of the interface can be shown by entering the following command:
   Switch# show ip interface vlan 1
VLAN1 is by default the management VLAN of Cisco switches. If you want to configure the switch remotely, you have to be connected to a port that belongs to the management VLAN.
c. Are all the changes that were entered recorded in the file? _____________________________
b. The most important files stored here are:
   .bin extension - IOS image file
   vlan.dat - VLAN configuration file
   config.text - STARTUP configuration file
Lab 2: Managing the MAC Address Table, Creating and Deleting Static Entries
Objectives
Manage the switch MAC table. Create a static address entry in the switch MAC table and test it. Remove the created static MAC address entry.
Step 3 Determine the MAC addresses that the switch has learned
a. To determine which MAC addresses the switch has learned, use:
   Catalyst# show mac-address-table
b. How many dynamic addresses are there? __________________________________________
c. How many total MAC addresses are there? _________________________________________
d. Do the MAC addresses match the host MAC addresses? ______________________________
c. Show only MAC addresses that were learned dynamically. How many are there? _____
On the Catalyst 2900XL (the keyword static does not work as expected on the Catalyst 2900XL; use the keyword secure instead):
   2900XL(config)# mac-address-table secure <MAC adr> fa0/4 vlan 1
b. Enter the following to verify the MAC address table entries:
   Catalyst# show mac-address-table
c. How many total MAC addresses are there now? How many of them are static? _____________
d. Clear the MAC address table and verify that your static MAC address is still there.
e. Test the static entry by pinging the host.
   2900XL(config)# no mac-address-table secure <MAC adr> fa0/4 vlan 1
a. Enter the following to verify that the static MAC address was cleared:
   Catalyst# show mac-address-table static
b. How many total MAC addresses are there now? _____________________________________
_________________________________________________________________
Step 5 Show the running configuration file
Are there statements that directly reflect the security implementation in the listing of the running configuration? List them here:
   Catalyst# show interface fastethernet 0/4
b. What is the state of this interface? FastEthernet0/4 is _________________________, line protocol is ____________________
c. How would port 0/4 be reactivated?
d. Before continuing, remove port security, e.g. by using:
   Catalyst# default interface fa0/4
This command resets an interface to its default configuration.
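Step 5 above asks which statements in the running configuration reflect the port security implementation. The following Python script is an added example, not part of the lab manual: it parses a constructed show running-config fragment (the interface names, address and settings are made-up sample data) and reports, per access port, whether switchport port-security is configured and with which maximum, violation action and sticky setting; access ports with no port security at all are listed separately. The defaults it fills in (maximum 1, violation shutdown) are the assumed IOS defaults once port security is enabled on a port.

```python
"""Audit access ports in a running-config for port security statements.

Added example (not from the lab manual). Parses a constructed
``show running-config`` fragment and summarises the port-security
configuration of every access port. Interface names, the IP address and
all settings below are constructed sample data.
"""
import re

# Constructed sample running-config; only the interface blocks matter here.
SAMPLE_RUNNING_CONFIG = """\
hostname Catalyst
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface FastEthernet0/4
 switchport mode access
!
interface FastEthernet0/12
 switchport mode trunk
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
"""


def parse_interfaces(config_text):
    """Return {interface_name: [stripped config lines]} for every interface block."""
    blocks = {}
    current = None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks


def port_security_summary(iface_lines):
    """Summarise the port-security settings of one interface, or None if absent.

    Assumed IOS defaults once 'switchport port-security' is present:
    maximum 1 address, violation action shutdown, no sticky learning.
    """
    if "switchport port-security" not in iface_lines:
        return None
    summary = {"maximum": 1, "violation": "shutdown", "sticky": False}
    for line in iface_lines:
        m = re.fullmatch(r"switchport port-security maximum (\d+)", line)
        if m:
            summary["maximum"] = int(m.group(1))
        m = re.fullmatch(r"switchport port-security violation (protect|restrict|shutdown)", line)
        if m:
            summary["violation"] = m.group(1)
        if line == "switchport port-security mac-address sticky":
            summary["sticky"] = True
    return summary


def audit(config_text):
    """Return (secured, unsecured_access_ports).

    secured maps interface -> settings dict; unsecured_access_ports lists
    access ports with no port security at all. Trunk ports and the VLAN1
    SVI are skipped because port security is an access-port feature.
    """
    secured, unsecured = {}, []
    for name, lines in parse_interfaces(config_text).items():
        if "switchport mode access" not in lines:
            continue
        summary = port_security_summary(lines)
        if summary is None:
            unsecured.append(name)
        else:
            secured[name] = summary
    return secured, unsecured


if __name__ == "__main__":
    secured, unsecured = audit(SAMPLE_RUNNING_CONFIG)
    for name, s in secured.items():
        print(f"{name}: max={s['maximum']} violation={s['violation']} sticky={s['sticky']}")
    print("access ports without port security:", unsecured)
```

Paste the real output of show running-config in place of the constructed sample to answer the lab question for your own switch; the script only looks at the interface blocks, so the rest of the configuration can stay as captured.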
In a valid configuration, PortFast-enabled ports do not receive BPDUs. Receiving a BPDU on a PortFast-enabled port signals an invalid configuration, such as the connection of an unauthorized device.
In the picture, switch A has priority 8192 and is the root for the VLAN. Switch B has priority 16384 and is the backup root for the same VLAN. Switches A and B, connected by a Gigabit Ethernet link, make up the core of the network. Switch C is an access switch and has PortFast configured on the port connected to device D. With the other STP parameters at their defaults, the port of switch C that connects to switch B will be in the STP Blocking state. Device D (a PC) does not participate in STP. The red arrows indicate the flow of STP BPDUs.
Now consider that device D starts to participate in STP (for example, a software-based bridge application is launched on the PC). If the priority of the software bridge is zero or any value below that of the root bridge, the software bridge takes over the root bridge function (as the bridge with the lowest priority), and the Gigabit link connecting the two core switches transitions into Blocking mode, causing all the data in that VLAN to flow via the 100 Mbps link. If more data flows through the core in that VLAN than the link can accommodate, frames are dropped, leading to a connectivity outage.
The STP PortFast BPDU guard feature prevents such a situation by disabling the port as soon as an STP BPDU is received from device D. BPDU guard puts the port in the error-disabled state and prints an error message to the console. BPDU guard provides a secure response to invalid configurations because the port must be put back in service manually. To turn on the BPDU guard feature use (issuing this command alone does not turn on PortFast mode on a port):
   Catalyst(config)# spanning-tree portfast bpduguard
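The root takeover described above comes down to the STP bridge ID comparison (priority first, then MAC address, lower wins). The following Python model is an added example, not part of the lab manual: it uses the priorities from the text (A = 8192, B = 16384) with constructed MAC addresses, a constructed priority of 0 for the software bridge on device D and a constructed port name, and shows the election result with and without BPDU guard on the PortFast port of switch C.

```python
"""Model of the STP root-election scenario and of BPDU guard.

Added example, not from the lab manual. Bridge priorities A = 8192 and
B = 16384 come from the text; the MAC addresses, switch C's priority,
device D's priority of 0 and the port name are constructed.
"""


def bridge_id(priority, mac):
    """An STP bridge ID compares first by priority, then by MAC (lower wins)."""
    return (priority, mac.lower())


def elect_root(bridges):
    """Return the name of the bridge with the lowest bridge ID.

    bridges: dict name -> (priority, mac)
    """
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


class Port:
    """An access port on switch C; PortFast and BPDU guard are per-port flags."""

    def __init__(self, name, portfast=False, bpduguard=False):
        self.name = name
        self.portfast = portfast
        self.bpduguard = bpduguard
        self.err_disabled = False

    def receive_bpdu(self, sender, sender_id, election):
        """Process a BPDU arriving on this port.

        Returns True if the sender is admitted to the election, False if the
        port is already down or BPDU guard err-disabled it. ``election`` is
        the dict of bridges currently taking part.
        """
        if self.err_disabled:
            return False
        if self.portfast and self.bpduguard:
            # A BPDU on a PortFast port is an invalid configuration: shut the
            # port (error-disabled) and keep the sender out of the election.
            self.err_disabled = True
            return False
        election[sender] = sender_id
        return True


def scenario(bpduguard_on_access_port):
    """Run the text's scenario; return (root bridge name, access port err-disabled?)."""
    bridges = {
        "A": (8192, "00:00:0c:aa:aa:01"),   # root, priority from the text
        "B": (16384, "00:00:0c:bb:bb:01"),  # backup root, priority from the text
        "C": (32768, "00:00:0c:cc:cc:01"),  # access switch, assumed default priority
    }
    access_port = Port("Fa0/1 on C", portfast=True, bpduguard=bpduguard_on_access_port)
    # Device D launches a software bridge with priority 0 and sends a BPDU.
    access_port.receive_bpdu("D", (0, "00:11:22:33:44:55"), bridges)
    return elect_root(bridges), access_port.err_disabled


if __name__ == "__main__":
    print("without BPDU guard:", scenario(False))  # D becomes root
    print("with BPDU guard:   ", scenario(True))   # A stays root, port err-disabled
```

Without the guard the PC's bridge wins the election outright; with the guard the BPDU never enters the election and the port goes to error-disabled, which is the console message the next step of the lab asks you to observe.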
Configure one port on one switch as a trunk and connect this port to another switch port where BPDU guard has been enabled. Note the displayed error here:
How would you bring up the port disabled by this error? ________________________________________
Now verify that BPDU guard is enabled using:
   Catalyst 2950:   show spanning-tree detail
   Catalyst 2900XL: show spanning-tree summary
On the Catalyst 2950, BPDU guard can be enabled or disabled on particular interfaces using:
   2950(config-if)# spanning-tree bpduguard {enable|disable}
1.) Make sure that a PC is connected to the console port and a HyperTerminal window is open.
2.) Turn the switch off. Turn it back on while holding down the MODE button on the front of the switch at the same time that the switch is powered on. Release the MODE button after the first port LED goes out.
3.) Output similar to the following should be displayed:
   C2950 Boot Loader (C2950-HBOOT-M) Version 12.1(11r)EA1, RELEASE SOFTWARE (fc1)
   Compiled Mon 22-Jul-02 18:57 by antonino
   WS-C2950-24 starting...
   Base ethernet MAC Address: 00:0a:b7:72:2b:40
   Xmodem file system is available.
   The system has been interrupted prior to initializing the flash filesystem. The following commands will initialize the flash filesystem, and finish loading the operating system software:
   Type flash_init
   Type load_helper
   Type dir flash: (do not forget to type the : (colon) after the word flash)
4.) Enter the commands required to initialize the flash file system. First type flash_init, then type load_helper. Finally type dir flash:
5.) Type rename flash:config.text flash:config.old to rename the configuration file. This file contains the password definition.
6.) Type boot to boot the system.
7.) Enter N at the following prompt to start the Setup program:
   Continue with the configuration dialog? [yes/no] : N
8.) Type rename flash:config.old flash:config.text to rename the configuration file with its original name at the privileged exec mode prompt.
9.) Copy the configuration file into memory as follows:
   Switch# copy flash:config.text system:running-config
   Source filename [config.text]?[enter]
   Destination filename [running-config][enter]
10.) The configuration file is now reloaded. Now you may change the old, unknown passwords.
11.) Power cycle the switch and verify that the passwords are now functional. If not, repeat the procedure.
VLAN Configuration
Lab 1: Configuring Static VLANs
Objectives
Determine the switch firmware version. Create two VLANs, name them and assign member ports to them. Delete VLAN information
Background / Preparation
When managing a switch, the Management Domain is by default VLAN 1. The Network Administrator's workstation must have access to a port in the Management Domain in order to manage switch remotely. All ports are assigned to VLAN 1 by default.
   Switch# show vlan [brief]
b. Which ports belong to the default VLAN? ___________________________________________
c. How many VLANs are set up by default on the switch? ________________________________
d. What does the VLAN 1003 represent? _____________________________________________
e. How many ports are in the 1003 VLAN? ___________________________________________
On the 2900XL switch, you have to repeat step 4 for each single port to be added to VLAN 3. Verify the proper port-to-VLAN assignment.
b. Do these commands supply any more information than the show vlan command? __________
f. Ping from the host in port 0/1 to the switch IP address.
g. Was the ping successful? ______________________
h. Ping from the host in port 0/4 to the switch IP address.
i. Was the ping successful? ______________________
j. Why? ______________________________________
When creating and deleting VLANs, keep in mind: A created VLAN remains unused until it is mapped to switch ports. The default configuration has all of the switch ports on VLAN 1.
When a VLAN is deleted, any ports assigned to that VLAN become inactive. They remain associated with the deleted VLAN until they are assigned to a new VLAN. Use caution when deleting VLANs: it is possible to cause a major loss of connectivity by accidentally eliminating a VLAN that still has active users on it. When a VLAN is deleted from a switch that is in VLAN Trunking Protocol (VTP) server mode, the VLAN is removed from all switches in the VTP domain. When a VLAN is deleted from a switch that is in VTP transparent mode, the VLAN is deleted only on that specific switch. A VLAN cannot be deleted from a switch that is in VTP client mode. VTP will be practised in the next lab.
Background / Preparation
Trunking changes the formatting of the frames. The ports on both ends need to agree on which format is used to transmit data on the trunk, or no data will be passed. If the trunking encapsulation differs on the two ends of the link, they will not be able to communicate. A similar situation occurs if one of the ports is configured in trunking mode and the other one in access mode. The following lab introduces the operation of VTP. The Catalyst 2900XL will act as VTP server for the domain class; the other two switches SHOULD NOT create any VLANs, because they are VTP clients and the VLAN information will be propagated to them automatically.
b. Now assign ports to the appropriate VLANs. Set the other two switches (2950_A and 2950_B) to VTP client mode and use the same VTP domain name, but do not create any VLANs on them; just assign the right ports to the right VLANs. The VLAN information will be advertised automatically.
c. Verify the VLAN configuration on all switches with the show vlan command.
________________________________________________________________
e. Now turn off DTP message advertising on all access and trunk ports and verify your trunk ports again using the above command. What does the Operational Mode field say? _____________________________________
f. To verify your trunk configuration, the Catalyst 2950 also supports the following command:
   2950# show interfaces trunk
b. For routers that do support inter-VLAN routing, the physical interface is divided into logical subinterfaces. While using just one physical interface, you create one subinterface for each VLAN to be connected to the router. Remember that as long as at least one of your subinterfaces is connected to the default (management) VLAN, you can connect to the switch remotely through telnet. For this connection to work, the router interface must be connected to the switch with a trunk link. The switch should know about all VLANs that will be created on the router.
   2600(config)# interface ethernet 0/0
   2600(config-if)# no shutdown
   2600(config-if)# duplex full    ! Set this also on the switch port
   2600(config-if)# interface ethernet 0/0.10
   2600(config-subif)# encapsulation dot1q 10
   2600(config-subif)# ip address <VLAN IP subnet> <subnet mask>
   2600(config-subif)# interface ethernet 0/0.20
   2600(config-subif)# encapsulation dot1q 20
   2600(config-subif)# ip address <VLAN IP subnet> <subnet mask>
   2600(config-subif)# interface ethernet 0/0.30
   2600(config-subif)# encapsulation dot1q 30
   2600(config-subif)# ip address <VLAN IP subnet> <subnet mask>
   2600(config-subif)# end
We can stop VLAN 10 frames from propagating via trunk 2 and VLAN 20 frames from propagating via trunk 1, because VLAN 10 does not extend over trunk 2 and VLAN 20 does not extend over trunk 1. The middle switch is the only one that needs to be configured:
   Middle_Switch(config)# interface f0/11
   Middle_Switch(config-if)# switchport mode trunk
   Middle_Switch(config-if)# switchport trunk allowed vlan remove 20
   Middle_Switch(config-if)# interface f0/12
   Middle_Switch(config-if)# switchport mode trunk
   Middle_Switch(config-if)# switchport trunk allowed vlan remove 10
The upper topology has one notable feature: it does not contain any physical loops. Under that condition we can disable STP completely for any configured VLAN using the command:
   Switch(config)# no spanning-tree vlan vlan-id
STP is enabled by default on VLAN 1 and on all newly created VLANs up to the spanning-tree limit (by default up to 64 VLANs). Disable STP only if there are no loops in the network topology. When STP is disabled and loops are present in the topology, excessive traffic and indefinite packet duplication can drastically reduce network performance.
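To check what the pruning commands on the middle switch actually leave on each trunk, the following Python model is an added example, not part of the lab manual. It applies switchport trunk allowed vlan commands (the add, remove, except, all and none keywords as well as a bare VLAN list) to a per-trunk allowed set and answers whether a given VLAN's frames are carried over a trunk. The interface names f0/11 and f0/12 and VLANs 10 and 20 come from the text; the keyword semantics are modelled on IOS as assumed here, and the VLAN ID range 1 to 1005 is an assumption.

```python
"""Model of 'switchport trunk allowed vlan' on the middle switch's trunks.

Added example, not from the lab manual. Interface names f0/11/f0/12 and
VLANs 10/20 come from the text; the add/remove/except/all/none semantics
are modelled on IOS (assumed), and the normal VLAN ID range 1-1005 is an
assumption. A fresh trunk is assumed to allow all VLANs.
"""

ALL_VLANS = frozenset(range(1, 1006))  # assumed normal-range VLAN IDs


def parse_vlan_list(text):
    """Parse an IOS VLAN list such as '10,20,30-35' into a set of ints."""
    vlans = set()
    for part in text.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def apply_allowed_vlan(allowed, args):
    """Apply one 'switchport trunk allowed vlan <args>' to an allowed set."""
    words = args.split(None, 1)
    keyword = words[0]
    rest = words[1] if len(words) > 1 else ""
    if keyword == "all":
        return set(ALL_VLANS)
    if keyword == "none":
        return set()
    if keyword == "add":
        return allowed | parse_vlan_list(rest)
    if keyword == "remove":
        return allowed - parse_vlan_list(rest)
    if keyword == "except":
        return set(ALL_VLANS) - parse_vlan_list(rest)
    # A bare VLAN list replaces the allowed set.
    return parse_vlan_list(args)


def configure_trunks(commands):
    """Apply (interface, allowed-vlan args) pairs in order.

    Returns {interface: set of allowed VLANs}; each trunk starts out
    allowing all VLANs, as a freshly configured trunk port does.
    """
    trunks = {}
    for iface, args in commands:
        allowed = trunks.get(iface, set(ALL_VLANS))
        trunks[iface] = apply_allowed_vlan(allowed, args)
    return trunks


def vlan_crosses(trunks, iface, vlan):
    """True if frames of ``vlan`` are carried over trunk ``iface``."""
    return vlan in trunks.get(iface, set())


# The middle switch's pruning from the text: trunk 1 on f0/11, trunk 2 on f0/12.
MIDDLE_SWITCH = [("f0/11", "remove 20"), ("f0/12", "remove 10")]

if __name__ == "__main__":
    trunks = configure_trunks(MIDDLE_SWITCH)
    for iface in ("f0/11", "f0/12"):
        carried = [v for v in (1, 10, 20) if vlan_crosses(trunks, iface, v)]
        print(f"{iface} carries VLANs {carried} of (1, 10, 20)")
```

Feeding the model the commands you actually typed on the middle switch lets you confirm, before looking at show interfaces trunk, that VLAN 1 (the management VLAN) still crosses both trunks and that only the intended VLAN was removed from each.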
Command summary
General switch configuration
   Switch> enable
   Switch# erase startup-config
   Switch# reload
   Switch# configure terminal
   Switch# copy {running-config | tftp} {tftp | running-config}
   Switch(config)# hostname <name>
   Switch(config)# line con 0
   Switch(config)# line vty 0 15
   Switch(config-line)# login
   Switch(config-line)# password <password>
   Switch(config)# interface VLAN1
   Switch(config-if)# ip address <address> <mask>
   Switch(config)# ip default-gateway <ip address>
   Switch(config-if)# duplex {full | half}
   Switch(config-if)# speed {10 | 100}
   Switch(config-if)# description <text>
   Switch(config)# ip http server
   Switch(config)# ip http port <port number>
Managing MAC address table
   Switch# show mac-address-table
   Switch# clear mac-address-table
   2950(config)# mac-address-table static <MAC address> vlan <id> interface <type number>
   2900XL(config)# mac-address-table secure <MAC address> <interface type number> vlan <id>
   Switch(config)# mac-address-table aging-time <max-aging-time>
   2950# show port security
   2950(config-if)# switchport mode access
   2950(config-if)# switchport port-security mac-address sticky
   2950(config-if)# switchport port-security maximum <max MAC addresses>
   2950(config-if)# switchport port-security violation {protect | restrict | shutdown}
   2900XL# show mac-address-table secure
   2900XL(config-if)# port security max-mac-count <max MAC addresses>
   2900XL(config-if)# port security action {shutdown | trap}
Switch monitoring
   show version
   show running-config
   show startup-config
   show interface [<interface type number>] [switchport]
   show interface status
   show post
   show flash
   dir flash:
   2950# show spanning-tree [detail | interface <type number>]
   2900XL# show spanning-tree [brief | summary | interface <type number>]
   Switch(config-if)# spanning-tree portfast
   Switch(config)# spanning-tree portfast bpduguard
VLAN commands
   Switch# show vlan [brief | id <vlan number> | name <vlan name>]
   Switch# delete flash:vlan.dat
   Switch# vlan database
   Switch(vlan)# vlan <vlan number> [name <name>]
   Switch(config-if)# switchport mode access
   Switch(config-if)# switchport access vlan <vlan number>
   Switch(config-if)# switchport trunk encapsulation {isl | dot1q}
   Switch(config-if)# switchport mode trunk
   Switch(config-if)# switchport trunk allowed <vlan-list>
   Switch(config-if)# switchport trunk allowed vlan remove <vlan-list>
   Switch# show port capabilities
   Switch# show trunk <port>
   2950# show interface trunk
VTP (VLAN Trunking Protocol)
   Switch# show vtp {counters | status}
   Switch# vlan database
   Switch(vlan)# vtp v2-mode
   Switch(vlan)# vtp domain <domain name - case sensitive>
   Switch(vlan)# vtp {client | server | transparent}
   Switch(vlan)# vtp password <password>
Router-on-a-stick
   Router(config)# interface fastethernet <slot/port>
   Router(config-if)# duplex full
   Router(config-if)# no shutdown
   Router(config-if)# interface fastethernet <slot/port>.<subif number>
   Router(config-subif)# description <text>
   Router(config-subif)# encapsulation {isl | dot1q} <vlan number>
   Router(config-subif)# ip address <address-from-VLAN-space> <mask>