Clearing a Switch
For a normal switch
1. > enable
2. # delete flash:vlan.dat
3. # erase startup-config
4. # reload

For a switch used to connect to a larger network
1. > enable
2. # delete vlan.dat
3. # erase startup-config
4. # reload
5. # show vlan brief
6. (config)# interface range f0/1-24
7. (config-if-range)# shutdown
8. # conf t
9. (config)# vtp mode transparent
10. (config)# enable secret cisco
11. (config)# line vty 0 15
12. (config-line)# password cisco
13. (config-line)#
Config Vlan-Vtp
Step 1: show vlan
1. show vlan
2. show vtp status

Step 1: config VLAN
1. (config)# interface vlan 1
2. (config-if)# ip address 10.1.1.101 255.255.255.0
3. (config-if)# no shutdown

Step 2: config VTP
1. vtp domain CCNP1103
2. vtp version 2
3. vtp mode server/client/transparent
4. vtp password cisco123

Step 3: config interface mode
Trunk
1. interface f0/6
2. switchport trunk encapsulation dot1q
3. switchport mode trunk
Access
1. interface f0/1
2. switchport mode access
Show
1. show interface f0/7 switchport
2. show interface trunk

Step 4: configure VLAN in configuration mode
1. (config)# vlan 20
2. (config-vlan)# name Server-1
3. (config)# interface f0/6
4. (config-if)# switchport access vlan 20
modified vlan
vlan 120
shutdown
no shutdown
state active
Config Ethernet-Channel
Step 1: config basic switch parameters
1. conf t
2. (config)# interface range f0/7-12
3. (config-if-range)# switchport trunk encapsulation dot1q
4. (config-if-range)# switchport mode trunk

Step 2: configure EtherChannel with Cisco PAgP
1. (config)# interface range f0/7-12
2. (config-if-range)# channel-group 1 mode desirable
3. (config)# interface port-channel 1
4. (config-if)# switchport mode trunk

Step 3: configure Layer 3 EtherChannel
1. (config)# interface range fastethernet 0/11-12
2. (config-if-range)# no switchport
3. (config-if-range)# channel-group 3 mode desirable
4. (config-if-range)# interface port-channel 3
5. (config-if)# no switchport
6. (config-if)# ip address 10.0.0.1 255.255.255.0

Step 4: configure load balancing
1. (config)# port-channel load-balance src-dst-mac
2. # show etherchannel load-balance
Configuration Spanning-tree
basic
Step 1: prepare the switches for the lab
1. (config)# interface range fastethernet 0/7-12
2. (config-if-range)# switchport trunk encapsulation dot1q
3. (config-if-range)# switchport mode trunk

Step 2: configure specific switches to be primary and secondary root
1. # debug spanning-tree events
2. DSL1 (config)# spanning-tree vlan 1 root primary
3. ADSL (config)# spanning-tree vlan 1 root secondary
4. # show run | include span

Step 3: change the root port using the spanning-tree port priority and cost
1. (config)# int f0/12
2. (config-if)# spanning-tree port-priority 112
3. (config)# int f0/6
4. (config-if)# spanning-tree cost 10

Step 5: config PortFast on an access port
1. (config)# int f0/6
2. (config-if)# switchport mode access
3. (config-if)# no shut
4. (config-if)# int f0/6
5. (config-if)# spanning-tree portfast
PVST students
Step 1: prepare the switches for the lab
1. (config)# int range f0/7-12
2. (config-if-range)# switchport trunk encapsulation dot1q
3. (config-if-range)# switchport mode trunk

Step 2: config VLAN

Step 3: assign a root switch for each VLAN
1. (config)# spanning-tree vlan 10 priority 4096

Step 3: config RSTP
1. (config)# spanning-tree mode rapid-pvst

Nguyn Hong V NP11.03
Configure MST

Step 1: prepare the switches for the lab
1. (config)# interface range fastethernet 0/7-12
2. (config-if-range)# switchport trunk encapsulation dot1q
3. (config-if-range)# switchport mode trunk

Step 2: configure VTP and VLANs
1. (config)# vtp mode transparent
2. (config)# vtp domain Cisco

Step 3: configure MST globally
1. (config)# spanning-tree mode mst

Step 4: config the MST region and instance
2. (config)# spanning-tree mst configuration
3. (config-mst)# name CISCO
4. (config-mst)# revision 1
5. (config-mst)# instance 1 vlan 20-50
Show command
1. (config-mst)# show current
2. (config-mst)# show pending
3. # show spanning-tree mst configuration
4. # show spanning-tree
5. # show interface trunk
6. # show spanning-tree root
7. # debug spanning-tree events
Configure Inter-Vlan
Step 3: configure the router
1. (config)# hostname ISP
2. (config)# int s0/1
3. (config-if)# ip address 192.168.1.2 255.255.255.0
4. (config-if)# clock rate 64000
5. (config-if)# no shutdown
6. (config)# ip route 172.16.0.0 255.255.0.0 192.168.1.1

Step 4: configure the switches
1. (config)# int vlan 1
2. (config-if)# ip address 172.16.1.101 255.255.255.0
3. (config-if)# no shutdown
4. (config-if)# exit
5. (config)# ip default-gateway 172.16.1.1

Step 6: configure trunk links and EtherChannel on switches
1. (config)# int range f0/7-12
2. (config-if-range)# switchport mode trunk
3. (config-if-range)# channel-group 1 mode desirable
4. (config-if-range)# end
5. # show etherchannel 1 summary

Step 7: config VTP and VLAN

Step 8: config access port PortFast
1. (config)# int f0/6
2. (config-if)# switchport mode access
3. (config-if)# switchport access vlan 100
4. (config-if)# spanning-tree portfast

Step 10: config the gateway router Fast Ethernet interface for VLAN trunking
1. (config)# interface f0/1.1
2. (config-subif)# description management VLAN1
3. (config-subif)# encapsulation dot1q 1 native
4. (config-subif)# ip address 172.16.1.1 255.255.255.0
Config HSRP
Step 1: prepare the switch for the lab
Step 2: configure the host IP settings
Step 3: configure basic parameters
Step 4: configure trunks and EtherChannel between switches
Step 5: configure VTP on adls
Step 6: configure VTP on dsl
Step 7: configure access port PortFast

Step 8: configure HSRP interface and enable routing
1. (config)# ip routing
2. (config)# interface vlan 1
3. (config-if)# standby 1 ip 172.16.1.1
4. (config-if)# standby 1 preempt
5. (config-if)# standby 1 priority 150
6. (config-if)# exit

Step 9: verify the HSRP configuration
1. # show standby
2. # show standby brief

Step 9: configure Cisco IP SLA responders
(config)# ip sla responder
(config)# ip sla responder udp-echo ipaddress 172.16.1.1 port 5000

Step 10: configure Cisco IOS IP SLA source to measure network performance
1. (config)# ip sla 1
2. (config-ip-sla)# icmp-echo 172.16.100.101
3. (config-ip-sla)# exit
4. (config)# ip sla schedule 1 life forever start-time now

Step 11: monitor IP SLA operation
1. # show ip sla configuration 1
2. # show ip sla application
3. # show ip sla responder
4. # show ip sla statistics 1
Securing layer 2
Step 1: prepare the switch for the lab

Step 2: configure the basic parameters and trunking
(config)# hostname ADLS1
(config)# enable secret class
(config)# line vty 0 15
(config-line)# password cisco
(config-line)# login
(config-line)# exit
(config)# interface vlan 1
(config-if)# ip address 172.16.101.1 255.255.255.0
(config-if)# no shutdown
(config-if)# exit
(config)# ip default-gateway 172.16.1.1
(config)# int range f0/7 - 12
(config-if-range)# switchport mode trunk

Step 3: configure VTP on adsl1 and adsl2

Step 4: configure IP routing, the VLANs, VLAN SVIs, HSRP
a) config VTP, VLAN, and IP routing
(config)# vtp domain SPWOD
(config)# vtp version 2
(config)# vlan 100
(config-vlan)# name staff
(config-vlan)# exit
(config)# ip routing
b) config switch virtual interfaces (SVIs) and HSRP
(config)# int vlan 1
(config-if)# standby 1 ip 172.16.1.1
(config-if)# standby 1 preempt
(config-if)# standby 1 priority 150
c) verify
show vlan brief
show vtp status
show standby brief
show ip route

Step 6: config port security
a) By default, issuing the switchport port-security command by itself sets the maximum number of MAC addresses to 1, and the violation mode to shutdown. It is not necessary to specify the maximum number of addresses, unless it is greater than 1.
ALS2(config)# interface range fastethernet 0/15 - 24
ALS2(config-if-range)# switchport port-security
b) Verify
show port-security
c) Enter the configuration of the staff
(config)# int range f0/15-24
(config-if-range)# switchport port-security
(config-if-range)# switchport port-security maximum 2
(config-if-range)# switchport port-security mac-address sticky

Step 7: config DHCP snooping
a) enable trust of DHCP relay information
(config)# ip dhcp relay information trust-all
b) config switches to trust DHCP on the trunk ports
ALS1(config)# ip dhcp snooping
ALS1(config)# interface range fastethernet 0/7 - 12
ALS1(config-if-range)# ip dhcp snooping trust
ALS1(config-if-range)# exit
ALS1(config)# interface range fastethernet 0/15 - 24
ALS1(config-if-range)# ip dhcp snooping limit rate 20
ALS1(config-if-range)# exit
ALS1(config)# ip dhcp snooping vlan 100,200
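
Added example (not part of the original notes): a short Python check that reads a running-config fragment and reports the effective port-security state per interface, applying the defaults described in Step 6 (maximum 1, violation shutdown), and lists untrusted ports that lack port security or the DHCP snooping rate limit from Step 7. The sample config and the names audit, gaps and RULES are constructed for illustration.

```python
import re
# Constructed running-config fragment (not from the page): Fa0/7 trunk, Fa0/15-17 access.
SAMPLE = """\
interface FastEthernet0/7
 ip dhcp snooping trust
!
interface FastEthernet0/15
 switchport port-security
 ip dhcp snooping limit rate 20
!
interface FastEthernet0/16
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
!
interface FastEthernet0/17
"""

RULES = {  # interface sub-command regex -> (field, value extractor)
    r"switchport port-security": ("enabled", lambda m: True),
    r"switchport port-security maximum (\d+)": ("maximum", lambda m: int(m[1])),
    r"switchport port-security violation (\w+)": ("violation", lambda m: m[1]),
    r"switchport port-security mac-address sticky": ("sticky", lambda m: True),
    r"ip dhcp snooping trust": ("dhcp_trust", lambda m: True),
    r"ip dhcp snooping limit rate (\d+)": ("dhcp_rate", lambda m: int(m[1])),
}

def audit(config):
    """Map each interface to the settings found, filling in the IOS defaults."""
    ports, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ports[m[1]] = {}
        elif not line.startswith(" "):
            cur = None  # "!" or a global command ends the interface block
        elif cur is not None:
            for pattern, (field, conv) in RULES.items():
                if m := re.fullmatch(pattern, line.strip()):
                    cur[field] = conv(m)
    for p in ports.values():
        if p.get("enabled"):  # the bare command implies maximum 1, shutdown
            p.setdefault("maximum", 1)
            p.setdefault("violation", "shutdown")
    return ports

def gaps(ports):
    """Per untrusted port, which of port security / DHCP rate limit is missing."""
    return {n: [f for f in ("enabled", "dhcp_rate") if f not in p]
            for n, p in ports.items() if not p.get("dhcp_trust")}
```

Calling gaps(audit(SAMPLE)) lists, for each port that is not a trusted DHCP uplink, the controls from Steps 6 and 7 that are absent.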

Step 8: config AAA
(config)# username vu password cisco
(config)# aaa new-model
(config)# aaa authentication dot1x default local
(config)# dot1x system-auth-control
(config)# int range f0/15-24
(config-if-range)# dot1x port-control auto

Step 7: configure UDLD
(config)# int range f0/1-24
(config-if-range)# udld port aggressive
(config)# udld enable
show udld f0/15
Securing VLAN

Step 1: verify the configuration from the switches
show vlan
show interface trunk
show standby brief

Step 2: configure private VLAN
a) config HSRP
(config)# vlan 50
(config-vlan)# name server-farm
(config)# int f0/5
(config-if)# ip address 10.172.16.1 255.255.255.0
(config-if)# standby 1 ip 10.172.16.3
(config-if)# standby 1 priority 100
(config-if)# standby 1 preempt
show standby vlan 150 brief
b) config VLAN
(config)# vlan 151
(config-vlan)# private-vlan isolated
(config)# vlan 150
(config-vlan)# private-vlan community
(config)# vlan 152
(config-vlan)# private-vlan primary
(config-vlan)# private-vlan association 150,151
c) the VLAN mapping
(config)# int vlan 152
(config-if)# private-vlan mapping 150-151
d) The switchport mode private-vlan host-association
(config)# int range f0/18-20
(config-if-range)# switchport mode private-vlan host

Step 3: configure RACLs between VLANs
a) config access list
DLS1(config)# access-list 100 permit tcp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 established
DLS1(config)# access-list 100 permit icmp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 echo-reply
DLS1(config)# access-list 100 deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255
DLS1(config)# access-list 100 permit ip any any
DLS1(config)# interface vlan 100
DLS1(config-if)# ip access-group 100 in
DLS1(config)# interface vlan 200
DLS1(config-if)# ip access-group 100 in
b) show command
show access-lists
show ip interface vlan 100
c) ip vlan
(config)# int vlan 100
(config-if)# ip address 172.16.100.100 255.255.255.0
d) verify
ping 172.16.100.1 source vl100

Step 4: configure VACLs
a) configure access list
(config)# ip access-list extended temp-host
(config-ext-nacl)# permit ip host 172.16.100.150 172.16.100.0 0.0.0.255
b) configure VLAN access map
(config)# vlan access-map block-temp 10
(config-access-map)# match ip address temp-host
(config-access-map)# action drop
(config-access-map)# vlan access-map block-temp 20
(config-access-map)# action forward
c) define VLAN filter
(config)# vlan filter block-temp vlan-list 100
d) show command
show vlan access-map
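
Added example (not part of the original notes): a Python model of how access-list 100 from Step 3 is evaluated top down with first-match semantics and Cisco wildcard masks, so the effect of the established and echo-reply entries can be checked on sample traffic. The tuple layout, the function names and the sample packets are constructed for illustration.

```python
import ipaddress

def wild_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard mask are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

ANY = ("0.0.0.0", "255.255.255.255")
VLAN200 = ("172.16.200.0", "0.0.0.255")
VLAN100 = ("172.16.100.0", "0.0.0.255")

# access-list 100 from Step 3: (action, protocol, source, destination, qualifier)
ACL_100 = [
    ("permit", "tcp", VLAN200, VLAN100, "established"),
    ("permit", "icmp", VLAN200, VLAN100, "echo-reply"),
    ("deny", "ip", VLAN200, VLAN100, None),
    ("permit", "ip", ANY, ANY, None),
]

def evaluate(acl, proto, src, dst, tcp_flags=(), icmp_type=None):
    """Return (action, entry index) of the first matching entry, top down."""
    for i, (action, p, s, d, qual) in enumerate(acl):
        if p not in ("ip", proto):
            continue
        if not (wild_match(src, *s) and wild_match(dst, *d)):
            continue
        # "established" matches only TCP segments with ACK or RST set
        if qual == "established" and not {"ack", "rst"} & set(tcp_flags):
            continue
        if qual == "echo-reply" and icmp_type != "echo-reply":
            continue
        return action, i
    return "deny", None  # implicit deny at the end of every ACL

if __name__ == "__main__":
    # Constructed packets: a new connection from VLAN 200, a reply, and the reverse direction.
    print(evaluate(ACL_100, "tcp", "172.16.200.10", "172.16.100.20", {"syn"}))
    print(evaluate(ACL_100, "tcp", "172.16.200.10", "172.16.100.20", {"ack"}))
    print(evaluate(ACL_100, "tcp", "172.16.100.20", "172.16.200.10", {"syn"}))
```

Hosts in 172.16.200.0/24 can answer connections opened from 172.16.100.0/24 but cannot open new ones toward it, while traffic in the other direction falls through to the final permit.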

Step 9: config the distribution layer switches to trust the access layer
(config)# mls qos
(config)# int range f0/15-24
(config-if-range)# auto qos voip trust

Step 10: manually assign access layer CoS for the camera
(config)# int f0/5
(config-if)# switchport mode access
(config-if)# switchport access vlan 100
(config-if)# mls qos trust cos
(config-if)# mls qos cos 3
show mls qos cos interface