Configuring the Port Security feature is relatively easy. In its simplest form, port security
requires going to an already enabled switch port and entering the port-security Interface Mode
command. Here’s an example:
Switch# config t
Switch(config)# int fa0/18
Switch(config-if)# switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
By entering the most basic command to configure port security, we accepted the default settings
of only allowing one MAC address, determining that MAC address from the first device that
communicates on this switch port, and shutting down that switch port if another MAC address
attempts to communicate via the port. But you don’t have to accept the defaults.
Port-Security Options
As you can see in the example, there are a number of other port security commands that you can
configure: aging, mac-address, maximum and violation. You can also enable port security on
several ports at once by using an interface range:
Switch# config t
Switch(config)# int range fastEthernet 0/1 - 24
Switch(config-if-range)# switchport port-security
However, you need to be very careful with this option if you enter this command on an uplink
port that goes to more than one device. As soon as the second device sends a packet, the entire
port will shut down.
Once you’ve configured port security and the Ethernet device on that port has sent traffic, the
switch will record the MAC address and secure the port using that address. To find out the status
of port security on the switch, use the show port-security address and show port-security
interface commands from privileged EXEC mode:
Switch# show port-security address
Switch# show port-security interface fastEthernet 0/18
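As an added example (not part of the original page), the following Python script audits a saved running-config for the two problems discussed above: access ports left without port security, and port security applied to a trunk or uplink, which the text warns will shut the port as soon as a second device talks. It also reports the effective violation mode, since the IOS default of shutdown means the port stays down until an administrator recovers it. The running-config text is constructed for the example; interface names and command forms are standard IOS.

```python
# Constructed sample running-config (not captured from a real switch): three
# access ports as the page describes, plus an uplink that also has port security.
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/18
 switchport mode access
 switchport port-security
!
interface FastEthernet0/19
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
!
interface FastEthernet0/20
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport port-security
!
"""

def parse_interfaces(config):
    """Map each 'interface X' block to the list of its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any unindented line closes the block
    return interfaces

def audit_port_security(config):
    """Per port: flag trunks with port security, access ports without it, and report the violation mode."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        secured = "switchport port-security" in cmds
        trunk = "switchport mode trunk" in cmds
        notes = []
        if trunk and secured:
            notes.append("port-security on a trunk: the second MAC seen will shut the uplink")
        elif not trunk and not secured:
            notes.append("access port without port-security")
        if secured:  # IOS default violation mode is shutdown (err-disable)
            mode = [c.split()[-1] for c in cmds if c.startswith("switchport port-security violation")]
            notes.append("violation mode " + (mode[0] if mode else "shutdown"))
        report[name] = notes
    return report
```

Run it against the output of show running-config copied from the switch; every port gets an entry, so a clean access port shows only its violation mode.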
Select multiple ports to configure
An interface range also lets you apply a command such as spanning-tree portfast to many ports at
once (the range below is the same fastEthernet 0/1 - 24 used earlier):
Switch1#enable
Switch1#configure terminal
Switch1(config)#interface range fastEthernet 0/1 - 24
Switch1(config-if-range)#spanning-tree portfast
Switch1(config-if-range)#^Z
Switch1#show running-config
Set up VLAN
VLANs are Virtual LANs. They allow you to logically divide up your switched network to
improve network speed, security, and reliability. If you have other Cisco equipment in your
network, such as Cisco wireless access points or Cisco PIX firewalls, setting up your switch
correctly will give you a big return, as all the Cisco equipment is VLAN aware. What does this
mean? It means you can have two networks shared out via wireless using one access point. It also
means you can separate out sections of your network for servers, clients, VPN clients, etc., which
will greatly improve your network efficiency.
Before you begin defining VLANs on your network, first decide what the purpose is for each
VLAN. For example, let’s say we have two offices: one in San Diego (SD), and another in Los
Angeles (LA). At each location we want to separate out servers and clients. This means we have 4
categories:
In our example, we will set up each VLAN with the above IP configuration. The IP configuration
tells the switch which network segments are where, which is what allows your switch to do routing
between VLANs.
STEP 1: Login and Setup:
Log in, enter privileged EXEC mode, then create the four VLANs (2 through 5) from global
configuration mode:
Switch> en
Switch# conf t
Switch(config)# vlan 2
Switch(config-vlan)# vlan 3
Switch(config-vlan)# vlan 4
Switch(config-vlan)# vlan 5
Switch(config-vlan)# exit
Switch(config)# exit
You have now successfully set up the 4 VLANs. They’re not functional yet, but let’s make sure
our settings took.
1. We are going to run a command that will show us what VLANs are currently configured:
Switch# show vlan
….
If you see extra VLANs you do not want, simply follow the steps below (XX is the VLAN number
you want to remove):
Switch# conf t
Switch(config)# no vlan XX
Switch(config)# exit
Now run “show vlan” again and see if the VLAN has been removed.
Now that we have the basic VLAN infrastructure in place we need to assign gateways for each
VLAN. The gateways will inform the switch what network segments each VLAN represents. In
this case, we see that SD uses 10.100.x.x and 10.150.x.x for their network and LA uses
10.200.x.x and 10.250.x.x. In order to keep things simple, we will assume that the gateways are
10.x.x.1.
Switch# conf t
Switch(config)# int vlan 2
Switch(config-if)# ip address 10.100.0.1 255.255.0.0
Switch(config-if)# exit
Switch(config)# int vlan 3
Switch(config-if)# ip address 10.150.0.1 255.255.0.0
Switch(config-if)# exit
Switch(config)# int vlan 4
Switch(config-if)# ip address 10.200.0.1 255.255.0.0
Switch(config-if)# exit
Switch(config)# int vlan 5
Switch(config-if)# ip address 10.250.0.1 255.255.0.0
Switch(config-if)# exit
Switch(config)# exit
Switch#
We have now told the switch what address range is used in each VLAN. At this point we have
created the VLANs and assigned address ranges to them. There are still three tasks left: assign the
physical ports to their VLANs, turn on IP routing, and save the configuration. First, the ports:
Switch# conf t
Switch(config)# int range GigabitEthernet 0/1-10
Switch(config-if-range)# switchport access vlan 2
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# exit
Switch(config)# int range GigabitEthernet 0/11-20
Switch(config-if-range)# switchport access vlan 3
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# exit
Switch(config)# int range GigabitEthernet 0/21-30
Switch(config-if-range)# switchport access vlan 4
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# exit
Switch(config)# int range GigabitEthernet 0/31-40
Switch(config-if-range)# switchport access vlan 5
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# exit
Switch(config)# exit
Switch#
The result of the above commands is that each physical port on the switch has now been assigned
to a specific VLAN. To verify this run “show vlan” and you will now see that the four port ranges
(1-10, 11-20, 21-30 and 31-40) are now assigned to VLANs 2-5.
The final step is to ensure VLAN routing is turned on. To do this run the commands below:
Switch# conf t
Switch(config)# ip routing
Switch(config)# exit
Switch#
Theoretically now, assuming you have hit no problems and got no errors when entering
commands, you are finished.
It is very important to save your changes now (copy running-config startup-config from
privileged EXEC mode) or they will be lost on reboot.
Step 5: Testing
To test, simply plug a computer into each port and assign a valid IP on the subnet (i.e. if the
subnet/VLAN is 10.100.0.0 255.255.0.0, your PC would need to be 10.100.x.x / 255.255.0.0).
• First test: See if you can ping your client from the switch using the ping command. You
can run ping directly from the Cisco interface.
o To do so, connect a client (using an Ethernet cable) to GigabitEthernet 0/1 (VLAN 2) on
SwitchA. Assign 10.100.255.250/255.255.0.0 to this client’s Ethernet interface.
Make sure the client answers ICMP echo requests (its host firewall must allow ping).
Then ping 10.100.255.250 from SwitchA.
• Second test: See if you can ping the gateway from the client (i.e. client 10.100.x.x would
ping 10.100.0.1).
o Ping 10.100.0.1 from the client.
• Third test: See if you can ping a gateway on another segment (i.e. client 10.100.x.x
would ping 10.200.0.1).
o From the client, ping 10.200.0.1, the IP of VLAN 4. It should return 100% success.
• Fourth test: See if you can ping a client on another segment (i.e. a client on 10.100.x.x
would ping a client on 10.200.x.x).
o Add another client on VLAN 4 (whose gateway is 10.200.0.1/255.255.0.0), give it a
10.200.x.x address, and ping it from the first client.
If this works you are now finished. You have now successfully set up a basic Cisco Layer 3
switch with VLANs and network routing.
VTP (VLAN Trunking Protocol) is the protocol that propagates the information about which
VLANs exist from one switch to another switch. If VTP did not provide this information,
VLANs would have to be created on all switches individually in the network.
How to configure VTP Client and Server?
VTP is a Cisco proprietary protocol. The default mode of a switch is VTP server. If for any reason
the switch is no longer in server mode, use the following commands to set it back to VTP server:
SwitchA#vlan database
SwitchA(vlan)#vtp server
SwitchA(vlan)#exit
First create multiple VLANs with names, assign multiple ports to them, then create an 802.1Q trunk
link between the two switches to allow communication between VLANs.
To create a VLAN, first enter global configuration mode and run the following commands.
SwitchA#configure terminal
SwitchA(config)#vlan 2
SwitchA(config-vlan)#vlan 3
SwitchA(config-vlan)#exit
SwitchA(config)#exit
Now assign ports 2 and 3 to VLAN 2; this must be done from interface mode. Enter the
following commands to add ports 2 and 3 to VLAN 2.
SwitchA#configure terminal
SwitchA(config)#interface range fastEthernet 0/2 - 3
SwitchA(config-if-range)#switchport access vlan 2
SwitchA(config-if-range)#exit
Now assign ports 4 and 5 to VLAN 3; enter the following commands to add ports 4 and 5
to VLAN 3.
SwitchA#configure terminal
SwitchA(config)#interface range fastEthernet 0/4 - 5
SwitchA(config-if-range)#switchport access vlan 3
SwitchA(config-if-range)#exit
SwitchA(config)#exit
On SwitchB, set VTP client mode so that it learns the VLAN definitions from SwitchA (both
switches must be in the same VTP domain for this to happen):
SwitchB#vlan database
SwitchB(vlan)#vtp client
SwitchB(vlan)#exit
Now create an 802.1Q trunk link between the two switches to allow communication between
VLANs.
On both switches, SwitchA and SwitchB, configure the fastethernet 0/1 interface as an 802.1Q
trunk (the encapsulation command is only needed on switches that also support ISL):
SwitchA#configure terminal
SwitchA(config)#interface fastEthernet 0/1
SwitchA(config-if)#switchport trunk encapsulation dot1q
SwitchA(config-if)#switchport mode trunk
SwitchA(config-if)#end
Enter the same commands on SwitchB.
To verify that fastethernet 0/1 has been established as a trunk port, type show interfaces
fastEthernet 0/1 switchport in privileged EXEC mode.
Although the VLAN definitions have migrated to SwitchB using VTP, it is still necessary to
assign ports to these VLANs on SwitchB.
Now assign ports 2 and 3 to VLAN 2; this must be done from interface mode. Enter the
following commands to add ports 2 and 3 to VLAN 2.
SwitchB#configure terminal
SwitchB(config)#interface range fastEthernet 0/2 - 3
SwitchB(config-if-range)#switchport access vlan 2
SwitchB(config-if-range)#exit
Now assign ports 4 and 5 to VLAN 3; enter the following commands to add ports 4 and 5
to VLAN 3.
SwitchB#configure terminal
SwitchB(config)#interface range fastEthernet 0/4 - 5
SwitchB(config-if-range)#switchport access vlan 3
SwitchB(config-if-range)#exit
SwitchB(config)#exit