Switch Basics
(Domain-Name and Default-Gateway)
(config)# ip domain-name perthshire.cc
(config)# ip default-gateway 148.183.229.6
(Port Configuration)
(config)# int fa0/1
(config-if)# no shutdown
(config-if)# description aironet 1200
(config-if)# speed 100
(config-if)# duplex full
(config-if)# int fa0/2
(config-if)# no shutdown
(config)# int range fa0/3 - 4
(config-if-range)# shutdown
(Enable Passwords)
(config)# enable password default
(config)# enable secret dates
(Logging)
(config)# logging on
(config)# logging 212.72.52.7
(config)# logging buffer 440240
(config)# logging host 138.24.170.8
(config)# logging trap emergencies
(config)# logging monitor emergencies
(config)# logging console emergencies
(config)# logging buffer emergencies
(HTTP Server)
(config)# ip http server
(config)# ip http port 1024
(config)# ip http authentication local
(config)# ip http help-path file:///c:\wireless\help
(config)# ip http access-class 10
(Services)
(config)# service timestamps log datetime
(config)# service sequence-numbers
(config)# service dhcp
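An added example, not part of this cheat-sheet: a small Python checker that reads a saved configuration and reports the weak settings the Enable Passwords, Logging and HTTP Server blocks above are concerned with (enable password left beside enable secret, plaintext username passwords, no syslog host, a trap level that discards the level-5 notices a SOC needs, an HTTP server with no access-class or authentication). The sample configuration, its placeholder enable-secret hash and all function names are constructed for this illustration.

```python
import re

# IOS syslog severities, index = numeric level (0 = emergencies ... 7 = debugging).
SEVERITY = ["emergencies", "alerts", "critical", "errors",
            "warnings", "notifications", "informational", "debugging"]
# 'emergency' is not an IOS keyword but appears in some cheat-sheets; accept it.
ALIASES = {"emergency": 0}

# Constructed sample of a saved configuration built from the commands on this
# page; the enable-secret hash is a placeholder, not a real hash.
SAMPLE_RUNNING_CONFIG = """\
hostname sw1
enable password default
enable secret 5 $1$PLACEHOLDER$notarealhash
username fred password bert
ip http server
ip http port 1024
ip http authentication local
ip http access-class 10
logging on
logging 212.72.52.7
logging buffer 440240
logging host 138.24.170.8
logging trap emergencies
service timestamps log datetime
service sequence-numbers
"""

def severity_level(keyword):
    """Resolve a severity keyword (IOS-style unambiguous prefix) or digit to 0-7."""
    k = keyword.lower()
    if k.isdigit():
        n = int(k)
        return n if 0 <= n <= 7 else None
    if k in ALIASES:
        return ALIASES[k]
    matches = [i for i, name in enumerate(SEVERITY) if name.startswith(k)]
    return matches[0] if len(matches) == 1 else None

def audit_global_config(config_text):
    """Return a list of findings for the password, logging and HTTP settings."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = []

    # Enable passwords: 'enable secret' is stored hashed; 'enable password' is
    # not, and is ignored once a secret exists, so it should not linger.
    if not any(l.startswith("enable secret ") for l in lines):
        findings.append("no 'enable secret' configured")
    if any(l.startswith("enable password ") for l in lines):
        findings.append("'enable password' present; keep only 'enable secret'")
    for l in lines:
        m = re.match(r"username (\S+) password ", l)
        if m:
            findings.append(f"username {m.group(1)} uses 'password' rather than 'secret'")

    # Logging: a syslog host must exist and the trap level must not discard
    # the level-5 notices (config changes, logins) detection relies on.
    if "logging on" not in lines:
        findings.append("logging is not switched on")
    hosts = []
    for l in lines:
        m = re.match(r"logging (?:host )?(\d{1,3}(?:\.\d{1,3}){3})$", l)
        if m:
            hosts.append(m.group(1))
    if not hosts:
        findings.append("no syslog host configured")
    for l in lines:
        m = re.match(r"logging trap (\S+)$", l)
        if m:
            level = severity_level(m.group(1))
            if level is not None and level < 5:
                findings.append(f"logging trap '{m.group(1)}' (level {level}) drops "
                                "notifications and below; config changes and logins "
                                "will never reach the syslog host")
    if not any(l.startswith("service timestamps log") for l in lines):
        findings.append("log messages carry no timestamps")

    # HTTP server: if enabled it must name an authentication method and be
    # restricted by an access-class.
    if "ip http server" in lines:
        if not any(l.startswith("ip http authentication ") for l in lines):
            findings.append("ip http server enabled without 'ip http authentication'")
        if not any(l.startswith("ip http access-class ") for l in lines):
            findings.append("ip http server enabled without 'ip http access-class'")
    return findings

if __name__ == "__main__":
    for finding in audit_global_config(SAMPLE_RUNNING_CONFIG):
        print("-", finding)
```

Run against the sample it reports three findings: the lingering enable password, the plaintext password on user fred, and the trap level of emergencies, which is the same setting this page's Logging block uses and which leaves the syslog host blind to almost everything.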
(VLAN Maps)
(config)# vlan access-map utah
(config-access-map)# action forward
(config-access-map)# exit
(config)# vlan filter utah vlan-list 1
(VLAN filtering)
Switch(config)# vlan access-map London 10
Switch(config-access-map)# match ip address test
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Switch(config)# vlan filter test vlan-list 10
(Remote Monitoring)
(config)# rmon alarm 10 <MIBname> 20 delta rising-threshold 15 1 falling-threshold 0 owner jjohnson
(AAA)
Define AAA. Define the local user database.
(config)# aaa new-model
(config)# aaa authentication login default local
(config)# username fred password bert
(config)# username fred1 password bert2
(AAA RADIUS)
Define AAA. Define the RADIUS server.
(config)# aaa new-model
(config)# radius-server host 39.100.234.1
(config)# radius-server key krinkle
(config)# aaa authentication login default group radius
(config)# aaa authentication ppp default group radius
(config)# aaa authorization network default group radius
(config)# aaa authorization exec default group radius
(Restrictions on a user)
Define single-host access. Link the access list to a user.
(config)# access-list 6 permit 12.84.44.10
(config)# access-list 6 deny any
(config)# username david access-class 6
(config)# username anne nopassword
(AAA Tacacs+)
Define AAA and the Tacacs+ server. Define privileges. Define command authorization for a Tacacs+ server.
(config)# aaa new-model
(config)# tacacs-server host 39.100.234.1
(config)# tacacs-server key krinkle
(config)# aaa authentication login default group tacacs+
(config)# aaa authentication ppp default group tacacs+
(config)# aaa authorization network default group tacacs+
(config)# aaa authorization exec default group tacacs+
(config)# privilege configure level 7 snmp-server host
(config)# privilege configure level 7 snmp-server enable
(config)# privilege configure level 7 snmp-server
(config)# privilege exec level 7 ping
(config)# privilege exec level 7 configure terminal
(config)# privilege exec level 7 configure
(config)# aaa authorization commands 0 default group tacacs+
(config)# aaa authorization commands 15 default group tacacs+
(config)# aaa authorization commands 7 default group tacacs+
(802.1x)
Enable AAA. Define the RADIUS server. Enable the RADIUS server. Enable 802.1x. Define re-authentication. Define dot1x timeouts.
(config)# aaa new-model
(config)# aaa accounting connection default start-stop group radius
(config)# aaa accounting network default start-stop group radius
(config)# aaa authentication dot1x default group radius local
(config)# dot1x system-auth-control
(config)# radius-server host 10.0.0.1 auth-port 1812 key test
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# dot1x port-control auto
(config-if)# dot1x re-authentication
(config-if)# dot1x timeout reauth-period 180
(config-if)# dot1x timeout tx-period 40
(config-if)# dot1x timeout quiet-period 10
(config-if)# dot1x max-req 3
(DHCP Snooping)
Enable DHCP snooping on a VLAN. Trust the port facing the DHCP server and rate-limit it.
Switch(config)# ip dhcp snooping vlan 4
Switch(config)# int fa0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# ip dhcp snooping limit rate 30
(Storm control)
Enable storm control.
Switch(config)# int fa0/1
Switch(config-if)# storm-control multicast level 50
(MAC ACL)
Define a MAC ACL. Define a host to bar from FA0/1. Apply the MAC ACL on an interface (FA0/1).
(config)# mac access-list extended Edinburgh
(config-ext-macl)# deny host 1.1.1 any
(config-ext-macl)# permit any any
(config-ext-macl)# exit
(config)# int fa0/1
(config-if)# mac access-group Edinburgh in
(Switch Security)
(config)# username fred password bert
(config)# username test nopassword
(config)# username fred privilege 15
(config)# username test privilege 1
(config)# username test user-maxlinks 2
(config)# access-list 9 permit host 192.168.0.1
(config)# username fred access-class 9
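An added example, not from this cheat-sheet, covering the standard access lists used in "Restrictions on a user" (access-list 6) and "Switch Security" (access-list 9): a Python evaluator that parses standard IOS access-list lines and applies them with the same first-match and implicit-deny semantics the switch uses, so the effect of each list on a given source address can be checked before it is bound to a user with access-class. It goes beyond the page's entries by handling wildcard masks (access-list 20 is a constructed addition) and by surfacing the case where an access-class names a list that does not exist, which IOS treats as permit-all (a behaviour to confirm on your IOS release). Extended lists such as 101 are outside the scope and are skipped. All names and sample entries are constructed for this illustration.

```python
import ipaddress

# Constructed sample: the standard lists from this page plus one wildcard
# entry (access-list 20) added to show range matching; access-list 101 is an
# extended list and is deliberately skipped by the parser.
SAMPLE_ACLS = """\
access-list 6 permit 12.84.44.10
access-list 6 deny any
access-list 9 permit host 192.168.0.1
access-list 5 permit 224.1.1.1 0.0.0.0
access-list 20 permit 10.0.0.0 0.0.0.255
access-list 101 deny ip any host 225.5.5.5
"""

# Numbered ranges IOS reserves for standard IP access lists.
STANDARD_RANGES = ((1, 99), (1300, 1999))

def _is_standard(number):
    return any(lo <= number <= hi for lo, hi in STANDARD_RANGES)

def _parse_target(tokens):
    """Address part of a standard entry: any | host A.B.C.D | A.B.C.D [WILDCARD]."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0
    addr = int(ipaddress.IPv4Address(tokens[0]))
    # A bare address with no wildcard means an exact host match.
    wildcard = int(ipaddress.IPv4Address(tokens[1])) if len(tokens) > 1 else 0
    return addr, wildcard

def parse_standard_acls(config_text):
    """Return {acl number: [(action, addr, wildcard), ...]} in config order."""
    acls = {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or not parts[1].isdigit():
            continue
        if not _is_standard(int(parts[1])):
            continue
        action = parts[2]
        addr, wildcard = _parse_target(parts[3:])
        acls.setdefault(parts[1], []).append((action, addr, wildcard))
    return acls

def evaluate(entries, source_ip):
    """First matching entry wins; no match means the implicit deny at the end."""
    src = int(ipaddress.IPv4Address(source_ip))
    for action, addr, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF   # wildcard bit 1 = don't care
        if (src & care) == (addr & care):
            return action
    return "deny"

def access_class_decision(acls, number, source_ip):
    """Decision for 'access-class NUMBER' / 'username ... access-class NUMBER'.
    IOS treats a reference to a list with no entries as permit-all, so a typo
    in the list number silently opens the line; report that case explicitly."""
    if number not in acls:
        return "permit (list undefined)"
    return evaluate(acls[number], source_ip)

if __name__ == "__main__":
    acls = parse_standard_acls(SAMPLE_ACLS)
    for n, ip in (("6", "12.84.44.10"), ("6", "12.84.44.11"), ("9", "192.168.0.2"),
                  ("20", "10.0.0.77"), ("20", "10.0.1.77"), ("66", "10.0.0.1")):
        print(f"access-list {n} vs {ip}: {access_class_decision(acls, n, ip)}")
```

The explicit "deny any" at the end of access-list 6 changes nothing functionally, since the implicit deny would catch the same traffic, but it is still worth writing because it makes the list's intent visible and lets per-entry hit counters show denied attempts.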
(802.1x)
(config)# aaa new-model
(config)# aaa authentication dot1x default group radius
(config)# int fa0/1
(config-if)# dot1x port-control auto
(config-if)# int fa0/2
(config-if)# dot1x port-control auto
(config-if)# int fa0/4
(config-if)# dot1x port-control auto
(Auto QoS)
Define Auto QoS.
(config)# int fa0/1
(config-if)# switchport access vlan 10
(config-if)# switchport voice vlan 20
(config-if)# auto qos voip cisco-phone
(config-if)# exit
(IGMP Snooping)
Enable IGMP snooping.
(config)# ip igmp snooping vlan 1 immediate-leave
(config)# ip igmp snooping vlan 2 immediate-leave
(MSDP)
Enable MSDP.
Switch(config)# ip msdp cache-sa-state
Switch(config)# ip msdp filter-sa 1.2.3.4
(MVR)
Set up MVR.
(config)# mvr group 224.1.23.4
(config)# mvr querytime 5
(config)# mvr vlan 12
(config)# mvr mode dynamic
(CNS)
Enable CNS.
(config)# cns event 10.0.0.1 keepalive 120 10
(config)# cns config connect-intf serial ping-interval 1 retries 1
(config-cns-conn-if)# config-cli ip address negotiated
(config-cns-conn-if)# config-cli encapsulation ppp
(config-cns-conn-if)# config-cli ip directed-broadcast
(config-cns-conn-if)# config-cli no keepalive
(config-cns-conn-if)# config-cli no shutdown
(config-cns-conn-if)# exit
(config)# cns id FA0/1 ipaddress
(Fallback bridging)
Define a bridge group.
Switch(config)# bridge 10 protocol vlan-bridge
Switch(config)# bridge 10 aging-time 20
Switch(config)# bridge 10 hello-time 20
Switch(config)# bridge 10 forward-time 20
Switch(config)# bridge 10 max-age 10
Switch(config)# bridge 10 priority 10
Switch(config)# interface fa0/1
Switch(config-if)# no switchport
Switch(config-if)# no shutdown
Switch(config-if)# bridge-group 10
Switch(config-if)# bridge-group 10 path-cost 10
Switch(config-if)# bridge-group 10 spanning-disable
(Web cache)
Enable Web-cache. Apply redirection on FA0/2 and FA0/3.
Switch(config)# ip wccp web-cache
Switch(config)# interface fastethernet0/1
Switch(config-if)# no switchport
Switch(config-if)# ip address 192.168.1.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config)# interface fastethernet0/2
Switch(config-if)# no switchport
Switch(config-if)# ip address 192.168.1.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# ip wccp web-cache redirect in
(Multicast routing)
Enable multicast routing. Define the interface as a Layer 3 port (using no switchport). Define PIM parameters on the interface.
Switch(config)# ip multicast-routing
Switch(config)# int fa0/1
Switch(config-if)# no switchport
Switch(config-if)# ip pim version 2
Switch(config-if)# ip pim dense-mode
Switch(config-if)# ip pim bsr-border
Note: You will not see the ip pim command on an interface unless it is defined as a Layer 3 port.
Explanation
The Web Cache Communication Protocol (WCCP) configures the switch to redirect traffic to cache engines, which transparently store frequently accessed content and deliver the cached version to clients. WCCP is enabled on the switch with:
Switch(config)# ip wccp web-cache
Then Layer 3 operation is defined on the interface with:
Switch(config-if)# no switchport
Then the traffic is redirected to the cache engine with:
Switch(config-if)# ip wccp web-cache redirect in
(RP)
Enable multicast routing. Define an RP.
Switch(config)# ip multicast-routing
Switch(config)# access-list 1 permit 224.1.1.1 0.0.0.0
Switch(config)# ip pim rp-address 1.2.3.4 1
(RP spoofing)
Enable multicast routing. Define an auto-RP filter so that only the listed RP may announce itself for the listed groups.
Switch(config)# ip multicast-routing
Switch(config)# access-list 5 permit 224.1.1.1 0.0.0.0
Switch(config)# access-list 6 permit 19.10.11.12
Switch(config)# ip pim rp-announce-filter rp-list 6 group-list 5
(IRDP)
Area: Switches IP Unicast Routing (IRDP)
Define Layer 3 operation on FA0/1. Enable IRDP. Define IRDP details.
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip address 1.2.3.4 255.255.0.0
(config-if)# no shutdown
(config-if)# exit
(config)# ip subnet-zero
(config)# ip classless
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip irdp
(config-if)# ip irdp multicast
(config-if)# ip irdp maxadvertinterval 10
(config-if)# ip irdp holdtime 10
(config-if)# ip irdp minadvertinterval 5
(config-if)# ip irdp preference 0
Notes The minadvertinterval and holdtime are based on the maxadvertinterval, where minadvertinterval is, as a default, set to 75% of the maxadvertinterval, and the holdtime is, by default, set to three times the maxadvertinterval. Thus maxadvertinterval must be set before the other two, as they will be set automatically to the default. After this the minadvertinterval and holdtime can then be customized.
(RIP Authentication)
Enable IP routing. Define a key chain. Enable RIP version 2. Apply MD5 authentication on an interface.
(config)# ip routing
(config)# key chain test
(config-keychain)# key 1
(config-keychain-key)# key-string mykey
(config-keychain-key)# exit
(config-keychain)# exit
(config)# router rip
(config-router)# version 2
(config)# int fa0/1
(config-if)# ip rip authentication key-chain test
(config-if)# ip rip authentication mode md5
(RIP)
(config)# ip routing
(config)# router rip
(config-router)# network 10.0.0.0
(config-router)# version 2
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip summary-address rip 1.2.3.4 255.255.0.0
(config-if)# no ip split-horizon
(IP Unicast Routing)
Area: Switches IP Unicast Routing (IP Routing/OSPF)
Enable IP routing. Define OSPF. Define OSPF details on an interface.
(config)# ip routing
(config)# router ospf 111
(config-router)# network 1.2.3.4 0.0.0.255 area 0
(config)# int fa0/1
(config-if)# ip ospf cost 10
(config-if)# ip ospf dead-interval 10
(config-if)# ip ospf hello-interval 10
(config-if)# ip ospf priority 10
(config-if)# ip ospf retransmit-interval 10
(config-if)# ip ospf transmit-delay 10
(BGP)
(config)# ip routing
(config)# router bgp 111
(config-router)# network 1.2.3.0
(config-router)# neighbor 1.2.3.4 remote-as 130
(config-router)# exit
(config)# int fa0/1
(Secure Addresses)
Area: Switches Secure Addresses
Define secure MAC addresses.
(config)# int fa0/1
(config-if)# switchport mode access
(config-if)# switchport port-security mac-address 1.2.3
(config-if)# int fa0/2
(config-if)# switchport mode access
(config-if)# switchport port-security mac-address 1.2.4
(config-if)# int fa0/3
(config-if)# switchport mode access
(config-if)# switchport port-security mac-address 1.2.5
(config-if)# end
(DHCP Reforwarding)
Area: Switches DHCP Reforwarding
Define DHCP reforwarding.
(config)# service dhcp
(config)# ip dhcp relay information option
(config)# ip dhcp relay information policy drop
Note
The default for the ports might be:
(config-if)# switchport mode dynamic desirable
and thus must be changed to:
(config-if)# switchport mode access
Otherwise the following gives an error:
(config-if)# switchport port mac 1.2.3
FastEthernet0/x is dynamic port. port-security parameters cannot be set.
If another address is added to an already defined interface, this gives:
(config-if)# sw port- mac- 1.2.5
Total secure mac-addresses on interface FastEthernet0/x has reached maximum limit.
The number of secure addresses can be changed with the switchport port-security maximum x command.
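An added example, not part of this cheat-sheet, tying together the access-port protections from the Secure Addresses, 802.1x, Storm control and DHCP Snooping blocks and the note above: a Python audit that splits a saved configuration into interface stanzas and, for every non-trunk switch port, reports a port left in dynamic (DTP) mode, which is the state the note says blocks port-security, and any missing port-security, dot1x enforcement or storm control, plus the more dangerous case of ip dhcp snooping trust on an access port. It also checks that DHCP snooping is switched on globally, which the page's block omits and which the per-VLAN command alone does not do. The sample configuration and all function names are constructed for this illustration.

```python
# Constructed sample of 'show running-config' output built from the commands
# on this page; MAC address and port names are illustrative only.
SAMPLE_PORT_CONFIG = """\
ip dhcp snooping vlan 4
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0001.0002.0003
 dot1x port-control auto
 storm-control multicast level 50
!
interface FastEthernet0/2
 switchport mode dynamic desirable
 ip dhcp snooping trust
!
interface FastEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/1
 switchport mode trunk
 ip dhcp snooping trust
!
"""

def parse_interfaces(config_text):
    """Split an IOS config into {interface name: [sub-commands]} using the
    indentation convention of 'show running-config' ('!' ends a stanza)."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or another global line ends the stanza
    return interfaces

def audit_access_ports(config_text):
    """Return {port: [findings]} for every non-trunk, non-routed switch port."""
    results = {}
    for name, cmds in parse_interfaces(config_text).items():
        if "switchport mode trunk" in cmds:
            continue  # uplinks need a different checklist
        if "no switchport" in cmds:
            continue  # routed port, no Layer 2 edge controls apply
        findings = []
        if "switchport mode access" not in cmds:
            findings.append("not a static access port (DTP negotiation possible); "
                            "port-security cannot be applied until 'switchport mode access'")
        if not any(c.startswith("switchport port-security") for c in cmds):
            findings.append("no port-security")
        if "dot1x port-control auto" not in cmds:
            findings.append("802.1x not enforced ('dot1x port-control auto' missing)")
        if not any(c.startswith("storm-control ") for c in cmds):
            findings.append("no storm-control")
        if "ip dhcp snooping trust" in cmds:
            findings.append("DHCP snooping trust on an access port "
                            "(a DHCP server plugged in here would be accepted)")
        results[name] = findings
    return results

def dhcp_snooping_enabled(config_text):
    """True only when snooping is enabled globally AND on at least one VLAN;
    'ip dhcp snooping vlan N' by itself does nothing on IOS."""
    lines = {l.strip() for l in config_text.splitlines()}
    vlan_scoped = any(l.startswith("ip dhcp snooping vlan ") for l in lines)
    return "ip dhcp snooping" in lines and vlan_scoped

if __name__ == "__main__":
    print("DHCP snooping active:", dhcp_snooping_enabled(SAMPLE_PORT_CONFIG))
    for port, findings in audit_access_ports(SAMPLE_PORT_CONFIG).items():
        print(port, "-", "; ".join(findings) or "ok")
```

On the sample, FastEthernet0/1 passes, FastEthernet0/3 is flagged only for the missing controls, and FastEthernet0/2 collects all five findings because a dynamic-desirable port that is also DHCP-trusted is exactly the combination the note above warns is left by default.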
(IGMP)
Area: Switches IGMP: Controlling access to IP Multicast Groups
Define IGMP restriction.
(config)# access-list 101 deny ip any host 225.5.5.5
(config)# access-list 101 permit ip any any
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip igmp access-group 101
(config-if)# ip igmp join-group 224.0.0.1
(config-if)# ip igmp querier-timeout 10
(config-if)# ip igmp query-interval 10
(config-if)# ip igmp query-max-response-time 10
(config-if)# ip igmp version 2
(PIM)
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip pim version 2
(config-if)# ip pim dense-mode
(config-if)# ip pim bsr-border
(config-if)# ip multicast boundary 11
(config-if)# exit
(config)# access-list 10 permit 220.1.1.1 0.0.0.0
(config)# access-list 11 deny 220.1.1.1 0.0.0.0
(config)# ip pim rp-address 192.168.1.1 10
(config)# ip pim send-rp-announce fa0/1 scope 30 group-list 5
(config)# ip pim accept-rp 1.2.3.4 10
(config)# ip pim send-rp-discovery scope 10
(config)# ip pim rp-announce-filter rp-list 2 group-list 1
(CGMP)
Area: Switches CGMP
Define CGMP servers.
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip cgmp
(config)# int fa0/2
(config-if)# no switchport
(config-if)# ip cgmp proxy
(config)# int fa0/3
(config-if)# no switchport
(config-if)# ip cgmp router-only
(IGMP)
Area: Switches IGMP
Define IGMP.
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip igmp join-group 224.0.0.1
(config-if)# ip igmp querier-timeout 10
(config-if)# ip igmp query-interval 10
(config-if)# ip igmp query-max-response-time 10
(config-if)# ip igmp version 2
(SDR)
Area: Switches SDR (Session Announcement Protocol (SAP) designated router) listener
Define the SDR cache timeout. Define an SDR listener on an interface.
(config)# ip sdr cache-timeout 10
(config)# int fa0/1
(config-if)# no switchport
(config-if)# ip sdr listen
(config)# int fa0/2
(config-if)# no switchport
(config-if)# ip sdr listen
(config)# int fa0/3
(config-if)# no switchport
(config-if)# ip sdr listen