T-110.5101 Laboratory works
Router / Switch assignment
Cisco Internetworking Operating System
Fall 2011
Jere Mäkelä, 8.7.2011
T-110.5101 Cisco IOS - (c) Jere Mäkelä
Table of Contents
• General
• CCNA Requirements
• Laboratory
• Laboratory works
• Cisco cabling
• Connectivity problems
• Collision and broadcast domains
• Cisco configuration
• Cisco interface nomenclature
• Cisco IOS modes
• Cisco commands
• Cisco configuration storage
• Cisco devices
• Cisco device bootup
• Port security
• Basic switch configuration
• Running-configuration
• Basic switch configuration (cont.)
• Basic router configuration
• Basic troubleshooting
• VLAN (Virtual LANs) and trunks
• VLAN trunk protocol
• VTP pruning
• VTP configuration
• Dynamic trunk protocol
• VLAN creation
• Router-on-a-stick
• L2 redundancy
• Private IP address spaces
• Routing basics
• Distance vector protocols
• Link state protocols
• Hybrid protocols
• Static routes
• Classful and classless routing protocols
• RIP
• ACL (Access control lists)
• NAT
• DHCP
• Preassignment
• Literature
General
• Goal:
• To be able to do the basic L2/L3 configurations with Cisco IOS devices (switch, router)
• To familiarize with the Cisco CLI (Command Line Interface)
• The commands invoked, for the most part, belong to the CCNA requirements
• If you want to become proficient with Cisco IOS, the best place to start is one of the reference books plus a simulator, if you don't have access to Cisco devices
• Preassignment:
• Subnetting with VLSM. The preassignment is in an Excel file "VLSM-exercise". The preassignment is worth 2 points
• User commands:
• The user's typing is shown in bold text
CCNA requirements
• The CCNA knowledge base is a solid foundation, which gives you reasonable knowledge to work with small and medium-size networks
• Passing the CCNA certification is quite a big task. You need to memorize a 1000-page book and you need to be able to subnet in your head, and fast!
• CCNA topics:
• Internetworking, OSI model, TCP/IP model
• Subnetting, VLSM (Variable Length Subnet Mask) and TCP/IP troubleshooting
• Cisco IOS and SDM (Security Device Manager: browser-based user interface)
• Managing a Cisco network
• IP routing (static routing, RIP, IGRP, EIGRP, OSPF)
• Spanning Tree Protocol, EtherChannel (L2 redundancy and loop-free topology)
• Virtual LANs (VLAN)
• Security (ACL: Access Control List)
• NAT (Network Address Translation)
• Cisco wireless technologies
• IPv6
• WAN (Wide Area Networks)
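The VLSM preassignment asks you to carve one address block into subnets that are each just large enough for a given number of hosts. The following Python is an added example written for this page, not part of the course material or the "VLSM-exercise" sheet; it uses only the standard library, and the block 192.168.1.0/24 and the four host counts are made-up inputs. Allocating the largest subnets first is what keeps every subnet aligned on its own size boundary.

```python
import ipaddress


def hosts_to_prefix(hosts):
    """Smallest prefix length whose subnet holds `hosts` usable addresses.

    The network and broadcast addresses are never usable, so a subnet for
    n hosts needs 2^(32 - prefix) >= n + 2. bit_length() gives that power
    of two without any floating point.
    """
    if hosts < 1:
        raise ValueError("a subnet must hold at least one host")
    return 32 - (hosts + 1).bit_length()


def vlsm_allocate(block, host_counts):
    """Assign one subnet per entry of host_counts, largest demand first.

    Returns {label: IPv4Network}. `free` holds the not-yet-used pieces of
    the block; a piece is halved until it is exactly the size needed and
    the upper halves go back to the free list.
    """
    free = [ipaddress.ip_network(block)]
    plan = {}
    for label, hosts in sorted(host_counts.items(), key=lambda kv: -kv[1]):
        prefix = hosts_to_prefix(hosts)
        free.sort()  # lowest address first, so allocations stay contiguous
        for i, candidate in enumerate(free):
            if candidate.prefixlen <= prefix:
                chunk = free.pop(i)
                break
        else:
            raise ValueError("%s: no room for %d hosts in %s" % (label, hosts, block))
        while chunk.prefixlen < prefix:
            lower, upper = chunk.subnets(prefixlen_diff=1)
            free.append(upper)
            chunk = lower
        plan[label] = chunk
    return plan


def describe(plan):
    """Rows of (label, network, mask, first host, last host, broadcast),
    ordered by address, which is the form a subnetting worksheet wants."""
    rows = []
    for label, net in sorted(plan.items(), key=lambda kv: kv[1]):
        rows.append((label, str(net), str(net.netmask),
                     str(net.network_address + 1),
                     str(net.broadcast_address - 1),
                     str(net.broadcast_address)))
    return rows


if __name__ == "__main__":
    # Constructed demand: four groups that must fit into one /24.
    demand = {"Sales": 100, "Engineering": 50, "Management": 10, "WAN link": 2}
    for row in describe(vlsm_allocate("192.168.1.0/24", demand)):
        print("%-12s %-18s %-16s %-15s %-15s %s" % row)
```

Run it and compare the rows with your own hand calculation: the point of the preassignment is to be able to do the same arithmetic in your head, and the program is only a way to check the answers.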
Laboratory
• The IOS commands are done with a simulator:
• CCNA Network Visualizer 6.0
• The commands supported by the simulator are a subset of the CCNA commands. Some commands do not work correctly or not at all
• If you have to check which commands are supported, consult:
• http://www.routersim.com/CCNA6_Supported_Commands.html
• The switch model 2960 and the router model 2811 are employed in the tasks
• In order to do something useful with Cisco devices, you need to know a whole lot of things before delving into configurations. This makes this assignment challenging and tedious
• If you want to take the easy way, you can copy & paste from the lab book "CCNA Portable Command Guide", but what is the use?
Laboratory works
• #1 Basic switch configuration with port-security and telnet
• The reason we configure telnet instead of SSH is that the simulator only supports telnet sessions
• 5p
• #2 VLAN and router-on-a-stick
• 4p
• #3 Routing and ACL
• Static routing and RIPv2 are employed. Other routing protocols, such as OSPF, are harder to configure and were left out because of the short time per lab
• 10p
• #4 NAT + DHCP
• 8p
• The maximum number of points from this lab is 29p (27p from the four works plus 2p from the preassignment)
• If you are well prepared, each work should take no more than 30-45 minutes, making this a 2-3 hour assignment
• Write down the complete IOS command sequence for each task before coming to the lab. Be particularly accurate about which Cisco IOS mode you have to be in and how to move between the modes. Before invoking the commands, you should first check the CCNA Portable Command Guide at the lab
• Outside the lab times, a group can borrow the CCNA Portable Command Guide for three hours
• The reference book, Richard Deal: CCNA Study Guide, 3rd edition, can also be borrowed if some things in these slides stay blurry
• Either you prepare well for the labs or you fail, that's guaranteed!
Cisco cabling
(figure only)
Connectivity problems
• You do need a crossover cable between Cisco switches. This is a common source of connectivity failures. If CDP (Cisco Discovery Protocol) shows no neighbor present, even though the power is on in both devices and there is a cable connecting the two, check that the cable is a crossover cable
• Newer switch ports can swap the pairs themselves (auto-MDIX), but do not count on it in the lab
Collision and broadcast domains
(figure only)
Cisco configuration
• Connections:
• Console port, auxiliary port, Telnet, SSH, browser (SDM), SNMP, CiscoWorks and Cisco Managed Services Solutions
• Telnet and SSH are called VTY access (virtual teletype, i.e. the virtual terminal lines)
• Console port:
• HyperTerminal or PuTTY
• Speed: 9600 bps
• Data bits: 8
• Stop bits: 1
• Parity: None
• Flow control: None
Cisco interface nomenclature (1/3)
• Switch 2950, 2960
• Fixed interfaces
• "Type slot#/port#"
• Type: ethernet (10M), fastethernet (100M), gigabitethernet
• Slot# is always 0
• Port# starts from 1
• e.g. "fast 0/1" or "f0/1"
• Note that you can shorten just about any IOS command or option, provided that the abbreviation is non-ambiguous
Cisco interface nomenclature (2/3)
• Routers and some switches (6500)
• Fixed or modular interfaces
• For fixed interfaces:
• "Type port#"
• Type: atm, async, bri, ethernet, fastethernet, gigabitethernet, serial
• Port# starts from 0
• e.g. "serial 0" or "s0"
• For modular interfaces:
• "Type slot#/port#"
• Type: atm, async, bri, ethernet, fastethernet, gigabitethernet, serial
• Slot# starts from 0
• Port# starts from 0
• e.g. "giga 0/0", "fast 0/1" or "f0/1"
Cisco interface nomenclature (3/3)
• To enter the interface configuration mode, type one of the following:
• Router(config)#interface ethernet 0/1
• Router(config)#interface ethernet0/1
• Router(config)#int e 0/1
• Router(config)#int e0/1
• Note that you must be in the global configuration mode before entering an interface configuration
• Router interfaces are shut down by default, switch ports are open by default. The VLAN interfaces of a switch are also shut down by default
• To open the interface, type:
• Router(config-if)#no shutdown
• To shut down the interface, type:
• Router(config-if)#shutdown
• You can view all the interfaces of a router or a switch, with their addresses and status, by typing:
• Router#show ip interface brief
• Cisco IOS commands are negated or revoked by typing "no" before the command
Cisco IOS modes (1/5)
• Login
• Upon connecting to the console port
• Hit Enter to enter User Exec
• User Exec
• The prompt becomes: Router>
• Basic and limited access to IOS
• Simple monitoring and troubleshooting such as: "show ?", "telnet", "ping", "traceroute"
• Type "Router>enable" (or "Router>en" for short) to enter Privileged Exec
• Type "logout" or "exit" to return to login
• Privileged Exec
• The prompt becomes: Router#
• High-level management of IOS
• Includes all the commands from User Exec
• You can do most things except configuring the device
• Type "Router#configure terminal" (or "Router#conf t" for short) to enter the configuration mode
• Type "disable" or "disa" to return to User Exec
• Type "logout" or "exit" to return to login
• "reload" reboots the device
Cisco IOS modes (2/5)
• Configuration or global configuration mode
• The prompt becomes: Router(config)#
• Examples of what is configured here:
• hostname
• enable secret
• ip route
• ACL (access-list)
• (note that "debug" itself is run from Privileged Exec, not from here)
• Type exit, end or ctrl-z to return to Privileged Exec
Cisco IOS modes (3/5)
• To enter the interface configuration mode:
• Router(config)#interface fastethernet 0/1   - OR -   Router(config)#int f0/1
• The prompt becomes: Router(config-if)#
• ip address + mask
• encapsulation
• shutdown / no shutdown (or shut for short)
• Type exit to return to the configuration mode, end or ctrl-z to return to the Privileged Exec mode
• Routing engine commands:
• Router(config)#router rip|ospf|igrp|eigrp
• The prompt becomes: Router(config-router)#
• network etc.
• Line commands, e.g.
• Router(config)#line con 0
• The prompt becomes: Router(config-line)#
• password
• login
• Line console is the CLI interface to the device. The serial port settings were introduced earlier. The cable is a rollover console cable: "Serial (PC) - RJ-45"
Cisco IOS modes (4/5)
• Telnet settings:
• Router(config)#line vty 0 ?
• The prompt becomes: Router(config-line)#
• Type the question mark if you don't know the number of VTY lines. The number of VTY lines is the maximum number of simultaneous Telnet (or SSH) sessions
• password
• login
• SSH configuration is not included in this course. But in real life, SSH should be preferred over Telnet because Telnet sends the password and the whole session in cleartext
• SSH configuration is a very straightforward operation: set a hostname and "ip domain-name", generate a key pair with "crypto key generate rsa", create a user with "username NAME secret PASSWORD", and on the VTY lines use "login local" and "transport input ssh"
• You can always exit from any mode by typing "exit"
• ctrl-z returns straight back to the Privileged Exec mode
Cisco IOS modes (5/5)
Figure: http://www.cisco.com/warp/cpropub/45/tutorial.htm
Cisco commands (1/2)
• Context-sensitive help:
• Router>?
• Shows all the possible commands in this mode
• Press Space to scroll down one page at a time
• Press Enter to scroll down one line at a time
• Router>e?
• Shows all the commands starting with "e"
• When a command is rejected, "% Invalid input detected at '^' marker" points with the ^ at the first character IOS could not parse
• Hit the UP and DOWN arrows to browse the command history
• To negate the command you just typed, recall it from the command history, press ctrl-a (to place the cursor at the beginning of the line) and type "no " before the command
• Router#clock ?
•   set        Set the time and date
• Router#clock set ?
•   hh:mm:ss   Current Time
• Router#clock set 15:00:00 ?
•   <1-31>     Day of the month
•   MONTH      Month of the year
• Router#clock set 15:00:00 17 Mar ?
•   <1993-2035>  Year
• Router#clock set 15:00:00 17 Mar 2011
• Router#show clock
Cisco commands (2/2)
• The most important hotkeys:
• ctrl-a - Moves the cursor to the beginning of the line
• ctrl-e - Moves the cursor to the end of the line
• up arrow - Recalls the previous command
• down arrow - Moves forward again in the command history
• tab - IOS completes the word (if the characters typed form a unique start of a command)
• ? - Presents all the possible commands or parameters
• The rest of the hotkeys:
• esc-b - Moves the cursor back one word at a time
• esc-f - Moves the cursor forward one word at a time
• left arrow - Moves the cursor back one character at a time
• right arrow - Moves the cursor forward one character at a time
• ctrl-d - Deletes the character under the cursor
• backspace - Deletes the character preceding the cursor
• ctrl-r - Redisplays the current line
• ctrl-u - Erases the line completely
• ctrl-w - Erases the word to the left of the cursor
• ctrl-z - Returns to the Privileged Exec mode from the configuration mode
• $ - Indicates that the line has been scrolled sideways: there are more characters beyond the $
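The abbreviation rule on the nomenclature slide ("any command can be shortened as long as it is non-ambiguous") and the help output above follow one simple algorithm: at each position the parser expands the typed word against the keywords allowed there, and the line fails if no keyword matches or more than one does. The Python below is an added illustration written for this page, not IOS code; the two command trees are small constructed excerpts, so only the keywords listed in them are known to it.

```python
# Constructed excerpt of the IOS command tree: each key is a keyword and
# its value is the set of keywords that may follow it. Real IOS has far
# more keywords at every level; an empty dict means "arguments follow".
PRIV_EXEC = {
    "clock": {"set": {}},
    "configure": {"terminal": {}},
    "copy": {"running-config": {"startup-config": {}},
             "startup-config": {"running-config": {}}},
    "disable": {},
    "erase": {"startup-config": {}},
    "ping": {},
    "reload": {},
    "show": {
        "cdp": {"neighbors": {"detail": {}}},
        "ip": {"arp": {}, "interface": {"brief": {}}, "route": {}},
        "port-security": {},
        "running-config": {},
        "startup-config": {},
        "version": {},
    },
    "telnet": {},
    "traceroute": {},
}

CONFIG_IF = {
    "description": {}, "duplex": {}, "exit": {}, "ip": {"address": {}},
    "shutdown": {}, "speed": {}, "switchport": {"mode": {}, "port-security": {}},
}


def expand(word, choices):
    """Expand one abbreviated keyword the way the IOS parser does."""
    if word in choices:
        return word                                   # an exact keyword always wins
    matches = sorted(c for c in choices if c.startswith(word))
    if not matches:
        raise LookupError("%% Invalid input: '%s'" % word)
    if len(matches) > 1:
        raise LookupError("%% Ambiguous command: '%s' could be %s"
                          % (word, ", ".join(matches)))
    return matches[0]


def expand_line(line, tree):
    """Expand a whole abbreviated line, e.g. 'sh ip int br', walking the
    tree one keyword at a time; once no keywords are left, the remaining
    words are arguments (addresses, names) and are passed through."""
    words = line.split()
    out, node = [], tree
    for i, word in enumerate(words):
        if not node:
            out.extend(words[i:])
            break
        full = expand(word, node)
        out.append(full)
        node = node[full]
    return " ".join(out)


if __name__ == "__main__":
    for line in ("sh ip int br", "conf t", "trace 10.0.0.1", "co t", "tracert 10.0.0.1"):
        try:
            print("%-18s -> %s" % (line, expand_line(line, PRIV_EXEC)))
        except LookupError as err:
            print("%-18s -> %s" % (line, err))
```

This is why "trace" works but the Windows "tracert" does not, why "co t" is rejected (configure or copy?) while "conf t" is accepted, and why a bare "s" in interface mode is refused (shutdown, speed or switchport?) but "shut" is not.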
Cisco configuration storage (1/4)
• running-config
• In RAM
• Working configuration
• Holds all the configuration commands you invoke; they take effect immediately
• startup-config
• In NVRAM (or flash on some switches)
• Non-volatile configuration
• After a reload or power-off, the device copies "startup-config" into "running-config"
• Typically you want to save the given configuration into the non-volatile memory by:
• Router#copy run start
Cisco configuration storage (2/4)
• Configuration register
• In NVRAM
• The register affects how the router boots up
• "Router>sh version" shows the IOS version, the system image file and the configuration register value
• "Router(config)#config-register 0xHEX_VALUE" alters the register content
• The default value is 0x2102
• With the configuration register you can recover the password in case you have forgotten it: 0x2142 makes the router ignore the startup-config on boot, so you get in without a password, copy start run, set new passwords and put the register back to 0x2102
• The flip side: anyone who can reach the console port and power-cycle the device can do the same, so physical access to the console must be controlled
• Flash
• Default location of the IOS images
• Can also hold backup config files
• Switch#sh flash
Cisco configuration storage (3/4)
• Router#show run
• Router#show start
• Router#copy run start (from run to start)
• Router#copy start run (from start to run. NB! A merge operation, not a replacement)
• Router#copy start tftp (copy start to a TFTP server)
• Router#copy tftp run (copy a file from a TFTP server into run; also a merge)
• A router can have multiple copies of configuration files with different names in the flash memory. However, it is more advisable to copy them to a TFTP/FTP server. Remember that TFTP is unauthenticated and unencrypted and the file contains your passwords, so do it over a management network only
• Router#copy run|start flash:FILE_NAME
Cisco configuration storage (4/4)
• To wipe out the router configuration:
• Router#erase start
• Router#reload
• To wipe out the switch configuration:
• Switch#erase start
• Switch#delete vlan.dat
• Switch#reload
• To wipe out e.g. a backed-up config:
• Switch#delete flash:FILE_NAME
• To back up an IOS image:
• Switch#copy flash tftp
• To load a new IOS image:
• Switch#copy tftp flash
• Switch#reload
Cisco devices (1/3)
• No power on/off switch!
• Ports and LEDs
• 2960 front: SYST, RPS, STAT, DUPLX, SPEED and MODE LEDs, plus the MODE push button
• 2960 rear: RJ-45 console port, fan exhaust, RPS outlet, power input
Cisco devices (2/3)
• System LED
• Green: The system is up and running
• Amber: The system has experienced a malfunction
• Off: The system is powered down
• RPS (Redundant power system)
• Green: RPS is attached and operational
• Amber: RPS is installed but not operational
• Flashing amber: Both the internal supply and the external RPS are installed, but the RPS is providing the power
• Off: RPS is not installed
Cisco devices (3/3)
• LEDs: SYST, RPS, STAT, DUPLX, SPEED, MODE
• The meaning of the LED above each port depends on the MODE setting. When the STAT LED is lit, the port LEDs show the port status:
• Green: A powered-up host connection
• Flashing green: Traffic is running on the port
• Flashing green and amber: An operational problem
• Amber: The port has been manually disabled, is in a blocking STP state, or has been disabled because of a security violation (port-security)
• If you push the MODE button once, the MODE LED will change to DUPLX. The port LEDs reflect the duplex setting:
• Off: Half-duplex
• Green: Full-duplex
• By pressing the MODE button again, the MODE LED will change to SPEED. The port LEDs reflect the speed setting:
• Off: 10 Mbps
• Green: 100 Mbps
• Blinking green: 1000 Mbps
Cisco device bootup
• After power-up:
• #1 POST checks the different components to see that they are operational (takes about a minute). At first the system LED is off; it turns green if everything is OK. Amber is usually catastrophic for a switch
• #2 The boot loader validates the flash file system
• #3 The IOS image is found, decompressed and loaded. Note that there can be more than one IOS image. By default the first IOS image is loaded, but this can be changed with the "boot system flash" command
• #4 The configuration (startup-config) is found and applied
• #5 The user is presented with the User Exec prompt if connected with a terminal emulator
• If the configuration is missing from NVRAM, the switch starts a setup script. You can start setup later with the "setup" command in Privileged Exec. With setup, however, you can do only the very basics
• You can reload IOS with the "reload" command (remember to save your config before that):
• Switch#copy run start
• Switch#reload
Port security (1/2)
• Available starting from IOS 12.1 (the latest commercial IOS version at the time of writing is 15.0)
• If and when you want to harden a Cisco IOS switch, port security is in your toolbox: it limits which and how many MAC addresses may appear on a port, which stops MAC address flooding and casual device swapping on that port
• Works only with access ports, not with:
• Trunk ports, Switched Port Analyzer (SPAN) destination ports or EtherChannel ports
• An access port connects a host (or several hosts, if a hub is present). A trunk port connects between switches or routers
• Set up per interface as follows:
Port security (2/2)
• Configure the switch port as an access port with a VLAN number (port security is not accepted on a port that is still in the default dynamic trunking mode)
• Switch(config)#int fast 0/1
• Switch(config-if)#switchport mode access
• Switch(config-if)#switchport access vlan VLAN#
• Enable port-security on this port
• Switch(config-if)#switchport port-security
• Define the maximum number of hosts (MAC addresses) that can be connected to this switch port (typically 1)
• Switch(config-if)#switchport port-security maximum VALUE
• Define what the action will be if port-security is violated (too many hosts, or a host with a non-allowed MAC address is found). Typically you want to shut down the port: protect drops the offending frames silently, restrict drops them and counts/logs the violation, shutdown (the default) puts the whole port into the err-disabled state
• Switch(config-if)#switchport port-security violation protect|restrict|shutdown
• After a shutdown violation the port stays err-disabled until you bring it back:
• Switch(config-if)#shutdown
• Switch(config-if)#no shutdown
• Attach the MAC address of a legal host
• Switch(config-if)#switchport port-security mac-address MAC-ADDRESS
• OR
• Define the MAC address to be sticky, which attaches the first encountered MAC address(es) and writes them into the running-config
• Switch(config-if)#switchport port-security mac-address sticky
• Check the port-security settings:
• Switch#sh port-security
• Switch#sh port-security interface fast 0/1
Basic switch configuration (1/6)
• Configure:
• Switch name
• Clock
• Secret password (stored as a hash in the configuration file). Required to enter the privileged mode
• Login banner. The text that a user gets when logging in to the device. Do NOT use the word "welcome". This is an invitation to a hacker and might lead to trouble if you have to go to court
• Disable DNS queries. A DNS query is done and telnet invoked if IOS does not recognize the command you type. This is pretty annoying when you make a typo. The command is: "no ip domain-lookup"
• Console port password + login
• "logging synchronous" command, which inhibits garbled text on the command line (console messages no longer interrupt what you are typing)
• The idle time after which the console logs off ("exec-timeout")
• Note that the simulator does not support the "no ip domain-lookup" or "logging synchronous" commands. You have to know these nevertheless
• VTY password + login. The number of allowed VTY connections depends on the switch model
Basic switch configuration (2/6)
• Configure (cont.):
• IP default gateway. This is the IP address of the router interface that connects to this switch
• Management VLAN. All the switches are configured to belong to a single management VLAN, that is, one common subnet. The IP address on the management VLAN interface is required when the switch is managed over VTY. Note that the VLAN interface is shut by default, so you need to open (enable) it with the "no shut" command
• By default, all the switch ports belong to VLAN 1. If you don't configure the ports, they belong to VLAN 1 and are access ports
• Port-security settings. You must configure the switch port as an access port (vs. trunk). Then you enable port-security. Then you can set the maximum number of hosts (number of MAC addresses) that can be connected to this port. You can also set the switch port to be sticky, that is, you don't have to program the allowed MAC address (or addresses) but let the switch learn the first encountered MAC address on the port and attach it to the allowed addresses. You also configure the action that is taken after a port violation. Typically this would be shutting down the port
• Finally, copy running-config into startup-config with "Switch#copy run start"
Basic switch configuration (3/6)
Switch Con0 is now available
Press RETURN to get started!
Switch>en
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z
Switch(config)#no ip domain-lookup
^
% Invalid input detected at '^' marker.   (OBS! Does not work in the simulator)
Switch(config)#hostname MY_SWITCH
MY_SWITCH(config)#enable secret cisco
MY_SWITCH(config)#banner login $
Enter TEXT message. End with the character '$'.
Authorized personnel only!
Violators will be prosecuted
to the fullest extent of the law.
$
Basic switch configuration (4/6)
MY_SWITCH(config)#line
MY_SWITCH(config)#line ?
  <0-16>   First Line number
  console  Primary terminal line
  vty      Virtual terminal
MY_SWITCH(config)#line con
MY_SWITCH(config)#line console 0
MY_SWITCH(config-line)#logging synchronous
^
% Invalid input detected at '^' marker.   (OBS! Does not work in the simulator)
MY_SWITCH(config-line)#passwor
MY_SWITCH(config-line)#password cisco
MY_SWITCH(config-line)#login
MY_SWITCH(config-line)#exec-timeout 5 0
^
% Invalid input detected at '^' marker.   (OBS! Does not work in the simulator)
MY_SWITCH(config-line)#exit
MY_SWITCH(config)#line
MY_SWITCH(config)#line ?
  <0-16>   First Line number
  console  Primary terminal line
  vty      Virtual terminal
MY_SWITCH(config)#line vty 0 ?
  <1-15>  Last Line number
  <cr>
MY_SWITCH(config)#line vty 0 15
Basic switch configuration (5/6)
MY_SWITCH(config-line)#password cisco
MY_SWITCH(config-line)#login
MY_SWITCH(config-line)#exit
MY_SWITCH(config)#ip de
MY_SWITCH(config)#ip default-gateway 10.0.0.1
MY_SWITCH(config)#inte
MY_SWITCH(config)#interface vlan 10
MY_SWITCH(config-if)#ip add
MY_SWITCH(config-if)#ip address 10.0.0.2 255.255.255.0
MY_SWITCH(config-if)#no shut
MY_SWITCH(config-if)#exit
MY_SWITCH(config)#int
MY_SWITCH(config)#interface fas
MY_SWITCH(config)#interface fastethernet 0/1
MY_SWITCH(config-if)#des
MY_SWITCH(config-if)#description Link to Moscow
MY_SWITCH(config-if)#swi
MY_SWITCH(config-if)#switchport por
MY_SWITCH(config-if)#switchport port-security
Command rejected: Not eligible for secure port.
MY_SWITCH(config-if)#swit
MY_SWITCH(config-if)#switchport mode
MY_SWITCH(config-if)#switchport mode acc
MY_SWITCH(config-if)#switchport mode access
MY_SWITCH(config-if)#switchport access vlan 10
MY_SWITCH(config-if)#switchport port-security
Note: the VLAN interface of a switch is shut down by default. Open it with the "no shut" command
Note: "Command rejected: Not eligible for secure port" means the port is still in its default dynamic (DTP) mode. Port security is only accepted on a static access port, which is why "switchport mode access" has to come first
Basic switch configuration (6/6)
MY_SWITCH(config-if)#swi
MY_SWITCH(config-if)#switchport por
MY_SWITCH(config-if)#switchport port-security max
MY_SWITCH(config-if)#switchport port-security maximum 1
MY_SWITCH(config-if)#swi
MY_SWITCH(config-if)#switchport por
MY_SWITCH(config-if)#switchport port-security viol
MY_SWITCH(config-if)#switchport port-security violation shu
MY_SWITCH(config-if)#switchport port-security violation shutdown
MY_SWITCH(config-if)#swi
MY_SWITCH(config-if)#switchport por
MY_SWITCH(config-if)#switchport port-security mac
MY_SWITCH(config-if)#switchport port-security mac-address stic
MY_SWITCH(config-if)#switchport port-security mac-address sticky
MY_SWITCH(config-if)#ctrl-z
MY_SWITCH#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
MY_SWITCH#
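The port-security slides and the transcript above set three knobs on a port: the maximum number of secure addresses, sticky learning, and the violation mode. To see what those knobs do to actual frames, here is an added Python model of one secured access port. It is illustration code written for this page, not IOS behaviour read from a device, and the MAC addresses in its test scenario are made up; it follows the semantics stated on the slides (protect drops silently, restrict drops and counts, shutdown err-disables the port, sticky addresses survive a reload once saved).

```python
class SecurePort:
    """Model of one access port with 'switchport port-security'.

    maximum   - secure MAC addresses allowed (IOS default 1)
    violation - 'protect', 'restrict' or 'shutdown' (IOS default shutdown)
    sticky    - learned addresses are written into running-config, so they
                survive a reload once 'copy run start' has been done
    static    - addresses given with 'port-security mac-address X'
    """

    def __init__(self, maximum=1, violation="shutdown", sticky=False, static=()):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation must be protect, restrict or shutdown")
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.static = {m.lower() for m in static}
        self.learned = set()
        self.violations = 0        # the SecurityViolation counter of 'show port-security'
        self.errdisabled = False
        self.saved = False

    def secure_macs(self):
        return self.static | self.learned

    def receive(self, src_mac):
        """Ingress decision for a frame: 'forward', 'drop' or 'errdisable'."""
        mac = src_mac.lower()
        if self.errdisabled:
            return "errdisable"    # nothing passes until an operator recovers the port
        if mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.learned.add(mac)  # dynamic (or sticky) learning of a new address
            return "forward"
        # Address table is full and this MAC is not in it: a violation.
        if self.violation == "protect":
            return "drop"          # silent: no counter, no syslog, no SNMP trap
        self.violations += 1       # restrict and shutdown both count and log
        if self.violation == "restrict":
            return "drop"
        self.errdisabled = True    # shutdown: the whole port goes err-disabled
        return "errdisable"

    def copy_run_start(self):
        self.saved = True

    def reload(self):
        """Only saved sticky addresses survive a reload; err-disabled state does not."""
        if not (self.sticky and self.saved):
            self.learned = set()
        self.errdisabled = False
        self.violations = 0

    def recover(self):
        """Operator runs 'shutdown' followed by 'no shutdown' on the interface."""
        self.errdisabled = False


if __name__ == "__main__":
    port = SecurePort(maximum=1, violation="shutdown", sticky=True)
    for mac in ("00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"):
        print(mac, "->", port.receive(mac))
    print("violations:", port.violations, "err-disabled:", port.errdisabled)
```

Note the last line of the scenario: with violation shutdown, the legitimate host is cut off together with the intruder until someone bounces the port, which is exactly the denial-of-service trade-off you accept when you choose shutdown over restrict.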
Running-config (1/3)
MY_SWITCH Con0 is now available
Press RETURN to get started!
Authorized personnel only!
Violators will be prosecuted
to the fullest extent of the law.
User Access Verification
Password: password
MY_SWITCH>en
Enter password: *****
MY_SWITCH#sh run
Building configuration...
Current configuration : 918 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname MY_SWITCH
!
enable secret 5 $1$u76B$IOFVJ7VxfVXYVpGDrFTcI0
Running-config (2/3)
no aaa new-model
system mtu routing 1500
no ip subnet-zero
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 description "Link to Moscow"
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
interface FastEthernet0/3
interface FastEthernet0/4
interface FastEthernet0/5
interface FastEthernet0/6
interface FastEthernet0/7
interface FastEthernet0/8
interface GigabitEthernet0/1
Running-config (3/3)
interface Vlan10
 ip address 10.0.0.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.0.0.1
ip http server
!
control-plane
!
banner login ^C
Authorized personnel only!
Violators will be prosecuted
to the fullest extent of the law.
^C
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 login
end
MY_SWITCH#
Note what the output reveals: "no service password-encryption" leaves the line passwords readable to anyone who can view the config, and "ip http server" is on although nothing here uses it
Basic switch configuration (cont.)
• In order to access other devices in other VLANs, or to allow VTY connections to this switch, an IP address and a default gateway must be configured on the switch
• In switches, the IP address settings are done per VLAN (virtual LAN) interface, not per physical interface
• VLAN 1 is the default management VLAN. The management protocols of a switch (CDP, VTP, DTP) are carried in VLAN 1
• You should use a VLAN number other than 1 to manage your switches. Always use the same management VLAN number in all switches, for example VLAN 10
• For clarity, name your management VLAN "Management"
• In routers, the IP address settings are done on the interfaces
Basic router configuration
• Very much like that of the switch, except that you configure each interface with IP settings
• You don't configure "ip default-gateway" on routers and you don't configure a management VLAN
• Each interface of a router is in a separate subnet. The IP address of the router interface becomes the default gateway for that subnet. Typically you choose the first available IP address for a router interface
• Router#conf t
• Router(config)#int f0/0
• Router(config-if)#ip address 192.168.1.1 255.255.255.0
• Router(config-if)#no shut
• Router(config-if)#exit
• Router(config)#int serial0
• Router(config-if)#ip address 192.168.2.1 255.255.255.0
• Router(config-if)#no shut
• Router(config-if)#clock rate 64000
• Router(config-if)#ctrl-z
• Router#copy run start
• Note that the "clock rate" command applies only to serial interfaces that have a DCE cable plugged into them. DTE (Data Terminal Equipment) and DCE (Data Communications Equipment) are typically used in WAN connections
• Use "show interfaces" or "show ip interface brief" to verify the configuration
• EIGRP and OSPF need a bandwidth value for a router interface:
• Router(config)#int serial 0/0
• Router(config-if)#bandwidth RATE_IN_KBPS
• Name resolution is done either statically (name to IP) or dynamically (DNS)
• Router(config)#ip name-server IP_ADDRESS_OF_DNS_SERVER
• Typically, DNS lookup is disabled on routers:
• Router(config)#no ip domain-lookup
• Router#show hosts
Basic troubleshooting (1/4)
(figure only)
Basic troubleshooting (2/4)
• Switch#sh ip arp
• The output shows the IP - MAC bindings and the interface
• CDP - Cisco Discovery Protocol
• CDP shows information only from the directly connected devices
• You can test L2 connectivity with CDP
• The following information is gathered:
• Name of the device (hostname)
• IOS version
• HW capabilities (routing, switching, bridging)
• HW platform, such as 2960
• L3 addresses of the device
• The interface on which the CDP update was generated
• Switch#sh cdp neighbors
• Switch#sh cdp nei detail
• You can disable or enable CDP globally ("no cdp run") or per port. You should disable CDP on the port that connects to the ISP, and on any other port facing untrusted devices, because it announces your platform, IOS version and addresses to whoever is listening
• Switch(config)#int f0/1
• Switch(config-if)#no cdp enable
Basic troubleshooting (3/4)
• Ping
• Executes from the User mode and from the Privileged Exec mode
• Switch>ping IP_ADDRESS_or_HOST_NAME
• !!!!!
• 5 successful ICMP echo request/reply pairs
• .....
• 5 unanswered requests (timeouts)
• The extended ping (more options, e.g. source address and repeat count) also exists in the Privileged Exec mode
Basic troubleshooting (4/4)
• Traceroute
• Router>traceroute IP_ADDRESS_or_HOST_NAME
• The extended traceroute also exists in the Privileged Exec mode
• Tracert is a Windows command. It is not recognized in IOS, but "trace" is, since it is an unambiguous abbreviation
• Telnet (or SSH)
• If you can ping the destination but telnet fails, the problem is above L3: the VTY lines (no password or login configured), an ACL, or the application itself
• Debug
• Enables you to view events and problems in real time
• Weakens IOS performance because of the data retrieval
• "debug all" can halt the device operation and might crash it; on a production device always prefer a narrow debug and turn it off afterwards with "undebug all" (or "u all")
VLAN (Virtual LAN) and trunks (1/10)
(figure only)
VLAN (Virtual LAN) and trunks (2/10)
(figure only)
VLAN (Virtual LAN) and trunks (3/10)
• Without VLANs, you have LAN segments that have all the hosts in the same logical group (subnet)
• Without VLANs, you must connect a host based on its physical location
• With VLANs, you can connect a host based on its logical group
• E.g. Production, Finance, Product Development, Management, etc.
• VLANs have a number and an optional name
• By default, all the switch ports are access ports and belong to VLAN 1. Also, by default, all the inter-switch communication occurs in VLAN 1 (VTP messages, Cisco Discovery Protocol = CDP etc.). You should change this after you have come up with your VLAN scheme
• Connect all the managed switches into the same VLAN. That is, all the IP addresses of the switches should belong to the same VLAN and subnet. Use e.g. VLAN 10 for management
VLAN (Virtual LAN) and trunks (4/10)
• To route inter-VLAN traffic, a router is needed
• Router-on-a-stick uses one router interface to route between VLANs (the switch port connecting to the router interface is configured as a trunk port)
• Compare this to the old-fashioned way, where as many router ports were required as there are VLANs
• Requires support from the router
• The router is configured using sub-interfaces (one sub-interface per VLAN)
• Saves a lot of money (router interfaces are very expensive). So, use it
• There is one special VLAN, called the native VLAN. If an untagged frame is received on a trunk port, it is automatically assumed to belong to the native VLAN. By default the native VLAN is VLAN 1. Hence, all the untagged (plain Ethernet) traffic is propagated into VLAN 1 ports
• Untagged frames appear on a trunk for example when a hub with hosts on it is connected into the trunk connection between switches
• In this lab, leave the native VLAN at its default (1). If you ever change it ("switchport trunk native vlan"), change it identically on both ends of the trunk: a native VLAN mismatch (CDP warns about it) silently bridges two different VLANs. Outside the lab, hardening guides recommend a dedicated, otherwise unused native VLAN so that untagged traffic never lands in VLAN 1 together with the management protocols
• The native VLAN is a dot1q concept
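The native VLAN rule above is a property of the 802.1Q frame format: a tag is four bytes inserted after the source MAC (TPID 0x8100, then a 16-bit TCI whose low 12 bits are the VLAN id), and a frame without that tag carries no VLAN information at all, so the receiving trunk has to assume one. The Python below is an added example written for this page, not code from the course; it builds and parses tagged frames with the standard library, models what a trunk does on ingress and egress, and shows why a native VLAN mismatch moves traffic between VLANs. MAC addresses and payloads are made up.

```python
import struct

TPID = 0x8100          # EtherType value that announces an 802.1Q tag


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Ethernet II frame; with vlan set, an 802.1Q tag is inserted after
    the source address. vlan 0 means 'priority tagged' (no VLAN id)."""
    if vlan is not None and not 0 <= vlan <= 4094:
        raise ValueError("VLAN id must be 0..4094 (4095 is reserved)")
    frame = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)   # PCP(3) DEI(1) VID(12)
        frame += struct.pack("!HH", TPID, tci)
    return frame + struct.pack("!H", ethertype) + payload


def trunk_ingress(frame, native_vlan=1):
    """What a trunk port concludes about a received frame:
    (vlan, ethertype, payload, was_tagged). Untagged and priority-tagged
    (VID 0) frames land in the native VLAN."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID:
        return native_vlan, ethertype, frame[14:], False
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    vid = tci & 0x0FFF
    return (vid or native_vlan), inner, frame[18:], True


def trunk_egress(dst, src, vlan, ethertype, payload, native_vlan=1):
    """A trunk sends its native VLAN untagged and every other VLAN tagged."""
    return build_frame(dst, src, ethertype, payload,
                       vlan=None if vlan == native_vlan else vlan)


if __name__ == "__main__":
    bcast, host = "ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55"
    # Switch A (native VLAN 1) puts a VLAN 1 frame on the trunk: untagged.
    wire = trunk_egress(bcast, host, 1, 0x0806, b"\x00" * 28, native_vlan=1)
    # Switch B was configured with native VLAN 10: the same frame lands there.
    print("switch B sees VLAN", trunk_ingress(wire, native_vlan=10)[0])
    print("tagged VLAN 20 frame:", trunk_ingress(
        trunk_egress(bcast, host, 20, 0x0800, b"x", native_vlan=1))[0])
```

The mismatch case in `__main__` is the whole reason the slide insists on the same native VLAN at both ends: nothing in the untagged frame says "VLAN 1", so the receiving side has no way to notice that the sender meant a different VLAN.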
VLAN (Virtual LAN) and trunks (5/10)
(figure only)