Title: CCNP Routing and Switching
Description: CCNP switch portable command guide
CCNP SWITCH
Portable Command Guide
Scott Empson
Hans Roth
Cisco Press
Copyright© 2010 Cisco Systems, Inc
ISBN-13: 978-1-58720-248-3
ISBN-10: 1-58720-248-4
Warning and Disclaimer
This book is designed to provide information about the CCNP SWITCH exam (642-813)
Scott is also the program coordinator of the Cisco Networking Academy Program at NAIT, a Regional Academy covering central and northern Alberta. Scott is currently completing his Master of Education from the University of Portland. Prior to instructing at NAIT, he was a junior/senior high school English/Language Arts/Computer Science teacher at different schools throughout Northern Alberta.

Hans Roth is an instructor in the electrical engineering technology department at Red River College in Winnipeg, Manitoba, Canada. He has been with the Cisco Networking Academy since 2000, teaching CCNP curricula.

About the Technical Reviewer
Sean Wilkins is an accomplished networking consultant and has been in the field of IT since the mid-1990s, working with companies such as Cisco, Lucent, Verizon, AT&T, and several other private companies. He also has a Master of Science degree in information technology with a focus in network architecture and design, a Master's certificate in network security, a Bachelor of Science degree in computer networking, and an Associate of Applied Science degree in computer information systems.
802.1x Port-Based Authentication 115
Mitigating VLAN Hopping: Best Practices 117
VLAN Access Maps 117
Verifying VLAN Access Maps 119
Configuration Example: VLAN Access Maps 120
DHCP Snooping 121
Verifying DHCP Snooping 123
Implementing Dynamic ARP Inspection 124
Verifying DAI 125
Configuring IP Source Guard 125
Understanding Cisco Discovery Protocol Security Issues 126
Link Layer Discovery Protocol Configuration 126
Configuring the Secure Shell Protocol 127
Restricting Management Access with ACLs 128
Telnet Sessions 128
Web Interface Sessions 128
Disabling Unneeded Services 129
Securing End-Device Access Ports 129
Chapter 8 Accommodating Voice and Video in Campus Networks 131
Communications Subsystems 132
Configuring and Verifying Voice VLANs 132
Power over Ethernet 133
High Availability for Voice and Video 134
Configuring AutoQoS: 2960/3560/3750 137
Verifying AutoQoS Information: 2960/3560/3750 138
Configuring AutoQoS: 6500 139
Verifying AutoQoS Information: 6500 140
Chapter 9 Integrating Wireless LANs into a Campus Network 141
Wireless Roaming and Controllers 141
Switch Configuration for Standalone APs and HREAPs 142
Switch Configuration for WLC and Controller-Based APs 143
Configuration for the LWAP Connection 144
Configuration for the WLC Connection 144
Switch Configuration for 4400 Series Controllers (EtherChannel) 145
The Wireless Services Module 146
Configuring Communication Between the Supervisor 720 and Cisco WiSM 146
The Initial WiSM Configuration 152
Configuration Example: 4402 WLAN Controller Using the Configuration Wizard 153
Configuration Example: 4402 WLAN Controller Using the Web Interface 162
Configuration Example: Configuring a 3560 Switch to Support WLANs and APs 171
Configuration Example: Configuring a Wireless Client 173
Appendix A Private VLAN Catalyst Switch Support Matrix 177
Appendix B Create Your Own Journal Here 179
Command Syntax Conventions
The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
• Vertical bars (|) separate alternative, mutually exclusive elements.
• Braces ({ }) indicate a required choice.
Introduction
Welcome to CCNP SWITCH Portable Command Guide.
...
Where will I find the time?” Because of those thoughts, two more soon followed: “I wonder what Hans is up to?” and “I hope Carol is in a good mood, as I am about to ask to take Hans away again…”

For those of you who have worked with my books before, thank you for looking at this one. For those of you who are new to my books, you are reading what is essentially a cleaned-up version of my own personal engineering journals—a small notebook that I carry around with me that contains little nuggets of information; commands that I use but then forget; IP address schemes for the parts of the network I work with only occasionally; and quick refreshers for those concepts that I work with only once or twice a year.

Having a journal of commands at your fingertips, without having to search the Cisco website, can be a real time-saver (or a job-saver if the network is down and you are responsible for getting it back online). The engineering journal can be that central repository of information that won’t weigh you down as you carry it from the office or cubicle to the server and infrastructure rooms in some remote part of the building or some branch office.
...
That way, this book will look less like the authors’ journals and more like your own.

The following is a list of the equipment used in the preparation of these books:
• C2620 router running Cisco IOS Release 12.4(3g)
• C2821 ISR bundle with HWICD 9ESW, a WIC 2A/S, running 12.2(25)SE
• WS-C3550-24-EMI Catalyst Switch, running Cisco IOS Release 12.2(25)SE
• WS-2950-12 Catalyst Switch, running version C2950-C3 ... 3)WC(1) Enterprise Edition Software
• WS-C3750-24TS Catalyst Switches, running ipservicesk9 release 12.4(11)T2

You might notice that some of the devices were not running the latest and greatest IOS. Those of you familiar with Cisco devices will recognize that a majority of these commands work across the entire range of the Cisco product line. In fact, in most cases, these devices are adequate for someone to continue their studies beyond the CCNP level as well.

Who Should Read This Book?
This book is for those people preparing for the CCNP SWITCH exam, whether through self-study, on-the-job training and practice, study within the Cisco Academy Program, or study through the use of a Cisco Training Partner. It is small enough that you will find it easy to carry around with you.
...
For example, if you have attended the SWITCH course, you might take a different approach than someone who learned switching via on-the-job training. For instance, there is no need for you to practice or read about VLANs or Spanning Tree if you fully understand them already. Several book features help you gain the confidence you need to be convinced that you know some material already, and determine which topics you need to study more. The book is designed to be a simple listing of those commands that you need to understand to pass the SWITCH exam.

This book roughly follows the list of objectives for the CCNP SWITCH exam:
• Chapter 1: “Analyzing Campus Network Designs”—This chapter shows the Cisco Hierarchical Model of Network Design; the Cisco Enterprise Composite Network Model, the Cisco Service-Oriented Network Architecture (SONA), and the PPDIOO network lifecycle.
...
• Chapter 3: “Implementing Spanning Tree”—This chapter provides information on the configuration of Spanning Tree, along with commands used to verify the protocol and to configure enhancements to Spanning Tree, such as Rapid Spanning Tree and Multiple Spanning Tree.
...
DHCP and CEF are also covered in this chapter.
...
• Chapter 6: “Implementing a First Hop Redundancy Protocols Solution”—This chapter provides information needed to ensure you have first hop redundancy; HSRP, VRRP, and GLBP are covered here.
...
Topics covered include port security, 802.1X ...
• Chapter 8: “Accommodating Voice and Video in Campus Networks”—This chapter covers topics such as configuring and verifying voice VLANs, Power over Ethernet (PoE), High Availability for Voice and Video, and configuring and verifying AutoQoS.

Did We Miss Anything?
As educators, we are always interested in hearing how our students, and now readers of our books, do on both vendor exams and future studies. Did we miss anything? Let us know.
...
ca or through the Cisco Press website, www ... com
Cisco Hierarchical Model of Network Design
Figure 1-1 shows the Cisco Hierarchical Network Model.

Figure 1-2 Cisco Enterprise Composite Network Model. Labels in the figure: Enterprise Campus (Campus Infrastructure Module: Building Access, Building Distribution, Campus Backbone; Server Farm; Management; Edge Distribution); Enterprise Edge (E-Commerce, Internet Connectivity, Remote Access VPN, WAN); Service Provider Edge (ISP A, ISP B, PSTN, Frame Relay/ATM/PPP).

Cisco Service-Oriented Network Architecture
Figure 1-3 shows the Cisco Service-Oriented Network Architecture (SONA) framework.

Figure 1-4 PPDIOO Network Lifecycle Approach: Prepare, Plan, Design, Implement, Operate, and Optimize. Labels in the figure: Prepare (coordinated planning and strategy; make sound financial decisions); Plan (assess readiness; can the network support the proposed system?); Implement (implement the solution; integrate without disruption or causing vulnerability); Operate (maintain network health; manage, resolve, repair, and replace); Optimize.
Creating Static VLANs
Static VLANs occur when the network administrator manually assigns a switch port to belong to a VLAN. By default, all ports are originally assigned to VLAN 1.

Switch(config-vlan)#name Engineering
    Assigns a name to the VLAN.
Switch(config-vlan)#exit
    Applies changes, increases the VTP revision number by 1, and returns to global configuration mode.

NOTE: Regardless of the method used to create VLANs, the VTP revision number is increased by one each time a VLAN is created or changed.

It is recommended to use only VLAN-configuration mode. The older VLAN Database mode is shown here because it is still found on switches in the field:

Switch(vlan)#vlan 4 name Sales
    Creates VLAN 4 and names it Sales.
Switch(vlan)#vlan 10
    Creates VLAN 10 and gives it the default name VLAN0010.
Switch(vlan)#exit
    Applies changes to the VLAN database, increases the revision number by 1, and exits VLAN Database mode.

In VLAN Database mode, changes are not applied until you use either the apply command or the exit command. Using Ctrl-z to leave VLAN Database mode does not work because it aborts all changes made to the VLAN database; you must either use exit, or use apply and then exit.
An access port can belong to only one VLAN.

NOTE: There is a space before and after the hyphen in the interface range command.

Switch(config-if-range)#switchport access vlan 10
    Assigns ports 1–9 to VLAN 10.

Switch(config-if)#switchport mode dynamic desirable
    Makes the interface actively attempt to convert the link to a trunk link by sending DTP frames.
Switch(config-if)#switchport mode dynamic auto
    Allows the interface to become a trunk link if the neighboring interface is set to trunk or dynamic desirable; the interface does not start the negotiation itself.
Switch(config-if)#switchport nonegotiate
    Prevents the interface from generating DTP frames. You must manually configure the neighboring interface to establish a trunk link.

NOTE: With the switchport mode trunk command set, the interface becomes a trunk link even if the neighboring interface is not a trunk link.

NOTE: For the 2960, 3560, and 3750, the default mode is dynamic auto. A port left at that default will accept a trunk from any attached device that sends DTP, which is the basis of switch-spoofing VLAN hopping; end-device ports should be set to switchport mode access together with switchport nonegotiate.

3560Switch(config-if)#switchport mode trunk
    Puts the interface into permanent trunking mode and negotiates to convert the link into a trunk link.
3560Switch(config-if)#switchport trunk encapsulation dot1q
    Specifies 802.1Q encapsulation on the trunk link.
3560Switch(config-if)#switchport trunk encapsulation negotiate
    Specifies that the interface negotiate with the neighboring interface to become either an ISL or 802.1Q trunk, depending on the capabilities or configuration of the neighboring interface.

CAUTION: The 2960 series switch supports only 802.1Q trunking.
As long as the apply or exit command is executed in VLAN Database mode, changes are saved.

If you are using the VLAN database configuration at startup and the startup configuration file contains extended-range VLAN configuration, this information is lost when the system boots.

If the VTP mode is transparent in the startup configuration, and the VLAN database and the VTP domain name from the VLAN database matches that in the startup configuration file, the VLAN database is ignored (cleared), and the VTP and VLAN configurations in the startup configuration file are used.
Erasing VLAN Configurations
Switch#delete flash:vlan.dat
    Removes the entire VLAN database from flash.

CAUTION: Make sure there is no space between the colon (:) and the characters vlan.dat. You can potentially erase the entire contents of the flash with this command if the syntax is not correct. If you need to cancel, press Ctrl-C to escape back to privileged mode (Switch#).

Switch#delete flash:vlan.dat
Delete filename [vlan.dat]?
Delete flash:vlan.dat? [confirm]
    The switch prompts for the filename and then for confirmation before deleting.

Switch(config-if)#no switchport access vlan 5
    Removes the port from VLAN 5 and reassigns it to VLAN 1, the default VLAN.
Switch(config)#no vlan 5
    Removes VLAN 5 from the VLAN database.
Switch(vlan)#no vlan 5
    Removes VLAN 5 from the VLAN database (VLAN Database mode).

NOTE: When you delete a VLAN from a switch that is in VTP server mode, the VLAN is removed from the VLAN database for all switches in the VTP domain.

NOTE: You cannot delete the default VLANs for the different media types: Ethernet VLAN 1 and FDDI or Token Ring VLANs 1002 to 1005.

NOTE: Ports that were assigned to a deleted VLAN remain associated with that VLAN (and thus inactive) until you assign them to a new VLAN.
Verifying VLAN Trunking
Switch#show interface fastethernet 0/1 switchport
    Displays the administrative and operational status of a trunking port.

VLAN Trunking Protocol
VLAN Trunking Protocol (VTP) is a Cisco proprietary protocol that allows for VLAN configuration (addition, deletion, or renaming of VLANs) to be consistently maintained across a common administrative domain.
Switch(config)#vtp mode server
    Changes the switch to VTP server mode.
NOTE: By default, all Catalyst switches are in server mode.
Switch(config)#vtp domain domainname
    Configures the VTP domain name.
NOTE: All switches operating in VTP server or client mode must have the same domain name to ensure communication. In Cisco IOS Software Release 12 ... If you are using a Cisco IOS release earlier than 12 ...
NOTE: To communicate with each other, all switches must have the same VTP password set. This command is for Cisco IOS Software Release 12 ... If you are using a Cisco IOS release earlier than 12 ...
NOTE: The VTP password only authenticates advertisements; it does not protect against a switch that knows the domain name and password and carries a higher configuration revision number, whose VLAN database then overwrites the domain's. Before connecting a switch that was previously used elsewhere, reset its revision number by changing its VTP domain name or setting it to transparent mode, and use transparent mode on every switch where VTP is not needed.
NOTE: VTP Versions 1 and 2 are not interoperable. The biggest difference between Versions 1 and 2 is that Version 2 has support for Token Ring VLANs.
NOTE: By default, VTP pruning is disabled.
NOTE: Only VLANs included in the pruning-eligible list can be pruned. Reserved VLANs and extended-range VLANs cannot be pruned.

Recommended practice dictates using only the VLAN-configuration mode. The equivalent VLAN Database mode commands are:

Switch(vlan)#vtp client
    Changes the switch to VTP client mode.
Switch(vlan)#vtp transparent
    Changes the switch to VTP transparent mode.
Switch(vlan)#vtp domain domainname
    Configures the VTP domain name.
NOTE: All switches operating in VTP server or client mode must have the same domain name to ensure communication. In Cisco IOS Release 12 ... If you are using a Cisco IOS release earlier than IOS 12 ...
NOTE: All switches must have the same VTP password set to communicate with each other. This command is used in VLAN Database configuration mode.
NOTE: VTP Versions 1 and 2 are not interoperable. The biggest difference between Versions 1 and 2 is that Version 2 has support for Token Ring VLANs.
NOTE: By default, VTP pruning is disabled.
NOTE: Only VLANs included in the pruning-eligible list can be pruned. Reserved VLANs and extended-range VLANs cannot be pruned.
Switch(vlan)#exit
    Applies changes to the VLAN database, increases the revision number by 1, and exits back to privileged mode.

Switch#show vtp counters
    Displays the VTP counters for the switch.
NOTE: Because VTP information is advertised only every 300 seconds (5 minutes) unless a change has been made to force an update, it can take several minutes for VTP information to be propagated.
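The DTP commands earlier in this chapter and the VTP notes above describe settings whose defaults (dynamic auto ports, VTP server mode) are what an attacker relies on for switch-spoofing VLAN hopping and VTP database overwrites. The following is an added example, not code from the Portable Command Guide or from Cisco: a small Python auditor that applies those rules to the text of a show running-config. SAMPLE_CONFIG is constructed sample input, and parse_config() is a minimal parser written for this example that only understands the interface-block layout of IOS running-config output.

```python
"""Audit a Catalyst running-config for DTP and VTP weaknesses.

Added example for this page, not code from the Portable Command Guide or from
Cisco. It applies the rules stated in the text: the 2960/3560/3750 default port
mode is dynamic auto, 'switchport nonegotiate' stops DTP frames, and every
Catalyst switch defaults to VTP server mode. SAMPLE_CONFIG is constructed
sample input; parse_config() is a minimal parser (written for this example)
for the 'interface ... / !' layout of 'show running-config' output.
"""
import re

SAMPLE_CONFIG = """\
!
vtp domain southwest1
vtp mode server
!
interface FastEthernet0/1
 switchport access vlan 10
!
interface FastEthernet0/2
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 99
 switchport mode trunk
 switchport nonegotiate
!
"""


def parse_config(text):
    """Split running-config text into global lines and per-interface lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None                 # '!' ends an interface block
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit_config(text):
    """Return a list of (severity, message) findings for the config text."""
    global_lines, interfaces = parse_config(text)
    findings = []

    # VTP: the defaults apply when the lines are absent from the config.
    vtp_mode, vtp_domain = "server", None
    for line in global_lines:
        if line.startswith("vtp mode "):
            vtp_mode = line.split()[2]
        elif line.startswith("vtp domain "):
            vtp_domain = line.split(None, 2)[2]
    if vtp_mode in ("server", "client"):
        findings.append(("medium",
            f"vtp mode {vtp_mode}: any switch in domain {vtp_domain or '<unset>'} "
            "with a higher configuration revision number can replace the VLAN "
            "database; use transparent mode where VTP is not needed and confirm "
            "a password with 'show vtp password' (it is not in the running-config)"))
    if vtp_domain is None and vtp_mode != "transparent":
        findings.append(("medium",
            "no vtp domain: the switch adopts the first domain name it hears"))

    # Per-port DTP and native VLAN checks.
    for name, lines in interfaces.items():
        mode, native = "dynamic auto", 1      # platform defaults named in the text
        for line in lines:
            if line.startswith("switchport mode "):
                mode = line[len("switchport mode "):]
            elif line.startswith("switchport trunk native vlan "):
                native = int(line.split()[-1])
        if mode.startswith("dynamic"):
            findings.append(("high",
                f"{name}: mode '{mode}' lets an attached host negotiate a trunk "
                "with DTP; set 'switchport mode access' (or trunk) and "
                "'switchport nonegotiate'"))
            continue
        if mode == "trunk":
            if "switchport nonegotiate" not in lines:
                findings.append(("low",
                    f"{name}: trunk still sends DTP; add 'switchport nonegotiate'"))
            if native == 1:
                findings.append(("medium",
                    f"{name}: native VLAN is 1; move it to an unused VLAN so "
                    "untagged access-VLAN frames cannot ride the trunk"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run against SAMPLE_CONFIG, the auditor reports FastEthernet0/1 (no mode line, so dynamic auto) and FastEthernet0/3 (dynamic desirable) as negotiable, GigabitEthernet0/1 for missing nonegotiate and native VLAN 1, and the VTP server mode; FastEthernet0/2 and GigabitEthernet0/2 are clean. The VTP check cannot see the password because IOS keeps it in vlan.dat rather than in the running-config, so it points to show vtp password instead.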
Figure 2-1 Network Topology for VLAN Configuration Example. Labels in the figure: one VTP domain; a 3560 (Si) and a 2960 joined over GigabitEthernet0/1 on each side; Accounting VLAN 20, Ports 1-8; Ports 9-15; Engineering VLAN 30, Ports 16-24; workstations WS1 and WS2; addresses 10.1.1.0/24, 10.1.1.2/24, 10.10.1.0/24, 10.20.1.0/24, and 10.30.1.10/24.
3560 Switch
Switch#configure terminal
    Moves to global configuration mode.
3560(config)#vtp mode server
    Changes the switch to VTP server mode.
3560(config)#vtp domain southwest1
    Configures the VTP domain name to southwest1.
3560(config)#vlan 10
    Creates VLAN 10 and enters VLAN-configuration mode.
3560(config-vlan)#exit
    Increases the revision number by 1 and returns to global configuration mode.
3560(config-vlan)#name Accounting
    Assigns a name to the VLAN. Note that you do not have to exit back to global configuration mode to execute this command.
3560(config-vlan)#exit
    Increases the revision number by 1 and returns to global configuration mode.
3560(config-if-range)#switchport mode access
    Sets ports 1–8 as access ports.
3560(config-if-range)#interface range fastethernet 0/9 - 15
    Enables you to set the same configuration parameters on multiple ports at the same time.
3560(config-if-range)#switchport access vlan 20
    Assigns ports 9–15 to VLAN 20.
3560(config-if-range)#switchport mode access
    Sets ports 16–24 as access ports.
3560(config-if-range)#exit
    Returns to global configuration mode.
3560(config-if)#switchport trunk encapsulation dot1q
    Specifies 802.1Q encapsulation on the trunk link.
3560(config-if)#switchport mode trunk
    Puts the interface into permanent trunking mode and negotiates to convert the link into a trunk link.
3560(config)#exit
    Returns to privileged mode.

2960 Switch
Switch>enable
    Moves to privileged mode.
Switch(config)#hostname 2960
    Sets the host name.
2960(config)#vtp domain southwest1
    Configures the VTP domain name to southwest1.
2960(config-if-range)#switchport mode access
    Sets ports 1–8 as access ports.
2960(config-if-range)#interface range fastethernet 0/9 - 15
    Enables you to set the same configuration parameters on multiple ports at the same time.
2960(config-if-range)#switchport access vlan 20
    Assigns ports 9–15 to VLAN 20.
2960(config-if-range)#switchport mode access
    Sets ports 16–24 as access ports.
2960(config-if-range)#exit
    Returns to global configuration mode.
2960(config-if)#switchport mode trunk
    Puts the interface into permanent trunking mode and negotiates to convert the link into a trunk link.
2960(config)#exit
    Returns to privileged mode.
Private Virtual Local Area Networks
This section covers configuring private VLANs (PVLAN), configuring PVLAN trunks, verifying PVLANs, and configuring protected ports. Some switches can implement PVLANs, which keep some switch ports shared and some isolated, even though all ports are in the same VLAN.

NOTE: Private VLANs are implemented to varying degrees on Catalyst 6500/4500/3750/3560 as well as the Metro Ethernet line of switches. For more information, see Appendix A, “Private VLAN Catalyst Switch Support Matrix.”

Switch(config)#vlan 20
    Creates VLAN 20 and moves to VLAN-configuration mode.
Switch(config-vlan)#vlan 101
    Creates VLAN 101 and moves to VLAN-configuration mode.
NOTE: An isolated VLAN can communicate only with promiscuous ports.
Switch(config)#vlan 102
    Creates VLAN 102 and moves to VLAN-configuration mode.
NOTE: A community VLAN can communicate with all promiscuous ports and with other ports in the same community.
Switch(config)#vlan 103
    Creates VLAN 103 and moves to VLAN-configuration mode.
Switch(config-vlan)#vlan 20
    Returns to VLAN-configuration mode for VLAN 20.
NOTE: Only one isolated VLAN can be mapped to a primary VLAN, but more than one community VLAN can be mapped to a primary VLAN.
Switch(config-if)#switchport private-vlan host-association 20 101
    Associates the port with primary private VLAN 20 and secondary private VLAN 101.
Switch(config)#interface fastethernet 0/21
    Moves to interface configuration mode.
Switch(config-if)#switchport private-vlan mapping 20 101 102 103
    Maps primary VLAN 20 and secondary VLANs 101, 102, and 103 to the promiscuous port.
Switch(config-if)#switchport trunk encapsulation dot1q
    Specifies 802.1Q encapsulation on the trunk link.
Switch(config-if)#switchport trunk native vlan 99
    Specifies the native VLAN as 99.
NOTE: Do not prohibit primary or secondary private VLANs on the trunk through policy or pruning.
Switch(config)#interface fastethernet 5/2
    Moves to interface configuration mode.
Switch(config-if)#switchport private-vlan trunk native vlan 10
    Specifies the native VLAN as 10.
Switch(config-if)#switchport private-vlan association trunk 3 301
    Associates the secondary private VLAN 301 to the primary private VLAN 3.

Routing for a private VLAN is done through the Switch Virtual Interface (SVI) of the primary VLAN. All other configuration, including creating and configuring primary and secondary VLANs and applying those VLANs to switch ports, remains the same.
Switch(config-if)#ip address 172 ... 100 ... 255 ... 0
    Specifies an IP address for SVI interface VLAN 1.
NOTE: Dynamic or static routing must be configured.
Switch#show interface fastethernet 0/20 switchport
    Verifies all configuration on fastethernet 0/20, including private VLAN associations.
The following network functionality is required:
• DNS, WWW, and SMTP are in the server farm, on the same subnet.
...
• DNS servers can communicate with each other and with the router.
...
• One switch is required to route traffic (L3) from the servers.
...
Figure: network topology for the private VLAN configuration example. Labels in the figure: SW1 with fa0/1 and fa0/2 (DNS1 and other servers, Community VLAN 102); WWW and other servers in Isolated VLAN 101; an 802.1Q trunk on fa0/24; Primary VLAN 100 on the 172 ... 100 ... subnet.
Switch SW1
SW1(config)#vtp mode transparent
    Specifies the VTP device mode as transparent.
SW1(dhcp-config)#network 172 ... 100 ... 255 ... 0
    Provides IP addresses for DHCP clients in the 172 ... 100 ... network.
SW1(dhcp-config)#default-router 172 ... 100 ...
    Sets the default gateway handed out to DHCP clients.
SW1(dhcp-config)#exit
    Exits DHCP configuration mode.
SW1(config-vlan)#vlan 101
    Creates VLAN 101.
SW1(config-vlan)#vlan 102
    Creates VLAN 102.
SW1(config)#vlan 100
    Creates VLAN 100.
SW1(config-vlan)#private-vlan association 101-102
    Associates the secondary VLANs to the primary VLAN 100.
SW1(config)#interface range FastEthernet0/1 - 2
    Moves to interface range configuration mode.
SW1(config-if-range)#switchport mode private-vlan host
    Configures the interfaces as private-VLAN host ports.
SW1(config-if-range)#switchport private-vlan host-association 100 102
    Defines the switch ports as private and associated with primary VLAN 100 and secondary (community) VLAN 102.
SW1(config)#interface FastEthernet0/23
    Moves to interface configuration mode.
SW1(config-if)#ip address 172 ... 100 ... 255 ... 0
    Applies an IP address to the routed interface.
SW1(config-if)#switchport trunk encapsulation dot1q
    Sets the interface to an 802.1Q trunk.
NOTE: This trunk connects the primary and secondary PVLANs between SW1 and SW2. Only 802.1Q encapsulation is supported.
NOTE: Do not prohibit primary or secondary private VLANs on the trunk through policy or pruning.
SW1(config-if)#ip address 172 ... 100 ... 255 ... 0
    Applies an IP address to the SVI.
SW1(config)#ip route 0 ... 0 ... 0 ... 0 172 ... 100 ...
    Configures the default route.

Switch SW2
Switch(config)#hostname SW2
    Names the switch SW2.
SW2(config)#vlan 101
    Creates VLAN 101.
SW2(config-vlan)#vlan 102
    Creates VLAN 102.
SW2(config)#vlan 100
    Creates VLAN 100.
SW2(config-vlan)#private-vlan association 101-102
    Associates the secondary VLANs to the primary VLAN.
SW2(config-if)#switchport private-vlan host-association 100 101
    Defines the switch ports as private and associated with primary VLAN 100 and secondary (isolated) VLAN 101.
SW2(config)#interface range FastEthernet0/3 - 4
    Moves to interface range configuration mode.
SW2(config-if-range)#switchport mode private-vlan host
    Configures the interfaces as private-VLAN host ports.
SW2(config-if)#switchport trunk encapsulation dot1q
    Sets the interface to an 802.1Q trunk.
NOTE: This trunk connects the primary and secondary PVLANs between SW1 and SW2. Only 802.1Q encapsulation is supported.
SW2(config-if)#switchport mode private-vlan promiscuous
    Sets the trunk port to promiscuous mode.
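The three forwarding rules stated in this section (isolated ports reach only promiscuous ports, community ports also reach their own community, a primary VLAN carries at most one isolated VLAN) and the SW1/SW2 server-farm example above, as an added example that is not code from the Portable Command Guide or from Cisco IOS. The PrivateVlan class, its can_forward() rule, and the port names are this example's own construction; the VLAN numbers follow the configuration example (primary 100, isolated 101 for WWW and SMTP, community 102 for the DNS servers, promiscuous port toward the router).

```python
"""Model the Layer 2 forwarding rules of a private VLAN.

Added example for this page, not code from the Portable Command Guide or from
Cisco IOS. VLAN numbers follow the configuration example above; the class and
its can_forward() rule are this example's own construction and encode the three
rules stated in the text.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Port:
    name: str
    role: str                        # "promiscuous", "isolated" or "community"
    secondary: Optional[int] = None  # secondary VLAN of a host port


@dataclass
class PrivateVlan:
    primary: int
    isolated: Optional[int] = None   # at most one isolated VLAN per primary
    communities: Set[int] = field(default_factory=set)
    ports: Dict[str, Port] = field(default_factory=dict)

    def add_host(self, name, secondary):
        """switchport private-vlan host-association <primary> <secondary>"""
        if secondary == self.isolated:
            role = "isolated"
        elif secondary in self.communities:
            role = "community"
        else:
            raise ValueError(
                f"VLAN {secondary} is not associated with primary {self.primary}")
        self.ports[name] = Port(name, role, secondary)

    def add_promiscuous(self, name):
        """switchport private-vlan mapping <primary> <secondary list>"""
        self.ports[name] = Port(name, "promiscuous")

    def can_forward(self, src, dst):
        """True if a frame entering on src may be delivered out of dst."""
        if src == dst:
            return False                       # never back out the ingress port
        a, b = self.ports[src], self.ports[dst]
        if "promiscuous" in (a.role, b.role):
            return True                        # promiscuous talks to every port
        if a.role == "community" and b.role == "community":
            return a.secondary == b.secondary  # same community only
        return False                           # isolated to anything but promiscuous


def build_example():
    """The server-farm topology of the configuration example (names assumed)."""
    pv = PrivateVlan(primary=100, isolated=101, communities={102})
    pv.add_promiscuous("fa0/24")            # toward the router
    for port in ("fa0/1", "fa0/2"):         # SW1: DNS servers, community 102
        pv.add_host(port, 102)
    for port in ("fa0/3", "fa0/4"):         # SW2: WWW and SMTP, isolated 101
        pv.add_host(port, 101)
    return pv


def reachability(pv):
    """{src: sorted ports that src can reach}, for a quick review of the design."""
    return {s: sorted(d for d in pv.ports if pv.can_forward(s, d)) for s in pv.ports}


if __name__ == "__main__":
    for src, dsts in reachability(build_example()).items():
        print(f"{src:7} -> {', '.join(dsts) or '(nothing)'}")
```

The model is Layer 2 only, which is also the limit of the feature: if the device on the promiscuous port routes (or answers proxy ARP), an isolated host can still reach another isolated host by addressing the frame to the router's MAC with the victim's IP address, and the router forwards it back in. The usual fix is an ACL on the router or primary-VLAN SVI that denies traffic whose source and destination are both in the server subnet.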
EtherChannel
EtherChannel provides fault-tolerant high-speed links among switches, routers, and servers. If a link within an EtherChannel fails, traffic previously carried over that failed link changes to the remaining links within the EtherChannel.

On
    No negotiation protocol. The channel exists only if connected to another interface group also in On mode.
Desirable (PAgP)
    Places the interface into an active negotiating state; it sends PAgP packets to start negotiations.
Active (LACP)
    Places the interface into an active negotiating state; it sends LACP packets to start negotiations.

• LACP is defined in IEEE 802.3ad.
• Can combine from two to eight parallel links.
• To create a channel in PAgP, sides must be set to
— Auto-Desirable
— Desirable-Desirable
• To create a channel in LACP, sides must be set to
— Active-Active
— Active-Passive
• To create a channel without using PAgP or LACP, sides must be set to On-On.
• An interface that is already configured to be a Switched Port Analyzer (SPAN) destination port will not join an EtherChannel group until SPAN is disabled.
• Interfaces with different native VLANs cannot form an EtherChannel.

Configuring L2 EtherChannel
Switch(config)#interface range fastethernet 0/1 - 4
    Moves to interface range configuration mode.
or
Switch(config-if-range)#channel-protocol lacp
    Specifies the LACP protocol to be used in this channel. Use whichever mode is necessary, depending on your choice of protocol.
Once in the interface configuration mode, you can configure additional parameters. Valid channel numbers are 1–48.

3560Switch(config-if)#ip address 172 ... 10 ... 255 ... 0
    Assigns IP address and netmask.
3560Switch(config)#interface range fastethernet 0/20 - 24
    Moves to interface range configuration mode.
3560Switch(config-if-range)#channel-protocol pagp
    Specifies the PAgP protocol to be used in this channel.
NOTE: Either PAgP or LACP can be used as the port aggregation protocol. Use whichever mode is necessary, depending on your choice of protocol.

Verifying EtherChannel
Switch#show running-config
    Displays the configuration currently running on the device.
Switch#show interfaces fastethernet 0/12 etherchannel
    Displays interface EtherChannel information.
Switch#show etherchannel 1 port-channel
    Displays port channel information.
Switch#show pagp neighbor
    Shows PAgP neighbor information.
Switch#clear lacp 1 counters
    Clears LACP channel group 1 information.

NOTE: The following methods are allowed when load balancing across a port channel:
dst-ip—Distribution is based on destination host IP address. Packets to the same destination are sent on the same port, but packets to different destinations are sent on different ports in the channel.
src-dst-mac—Distribution is based on source and destination MAC address.
src-mac—Distribution is based on source MAC address.
Switch#show etherchannel load-balance
    Displays EtherChannel load-balancing information.
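The load-balancing note above says that packets to the same destination always use the same member link. The following is an added example, not code from the Portable Command Guide and not Cisco's hardware hash: select_link() XORs the low-order bits of the fields each method looks at, a simplified stand-in that reproduces that behaviour, and distribution() counts how the constructed sample flows (eight workstations talking to one server) fall across the member links. METHODS, select_link, distribution, FLOWS, and SERVER are this example's own names; the MAC and IP addresses are made up.

```python
"""Show how the EtherChannel load-balance method picks a member link.

Added example for this page, not code from the Portable Command Guide and not
Cisco's hardware hash: a simplified stand-in that XORs the low-order bits of
the selected fields. Real Catalyst hardware hashes into eight buckets and
spreads them over however many links are up; this model only accepts link
counts that are powers of two.
"""
from collections import Counter

METHODS = ("src-mac", "dst-mac", "src-dst-mac", "src-ip", "dst-ip", "src-dst-ip")


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def select_link(method, flow, links):
    """Index (0..links-1) of the member link used for one flow.

    flow is a dict with src_mac, dst_mac, src_ip and dst_ip; links is 2, 4 or 8.
    """
    if links not in (2, 4, 8) or method not in METHODS:
        raise ValueError("unsupported link count or load-balance method")
    mask = links - 1
    values = {
        "src-mac": [mac_to_int(flow["src_mac"])],
        "dst-mac": [mac_to_int(flow["dst_mac"])],
        "src-dst-mac": [mac_to_int(flow["src_mac"]), mac_to_int(flow["dst_mac"])],
        "src-ip": [ip_to_int(flow["src_ip"])],
        "dst-ip": [ip_to_int(flow["dst_ip"])],
        "src-dst-ip": [ip_to_int(flow["src_ip"]), ip_to_int(flow["dst_ip"])],
    }[method]
    index = 0
    for v in values:
        index ^= v & mask        # only the low-order bits decide the link
    return index


def distribution(method, flows, links):
    """Counter of how many flows land on each member link."""
    return Counter(select_link(method, f, links) for f in flows)


# Constructed sample traffic: WS1..WS8 in VLAN 10 all talking to one server.
SERVER = {"mac": "00:11:22:33:44:ff", "ip": "172.16.10.100"}
FLOWS = [
    {"src_mac": f"00:aa:bb:cc:dd:{n:02x}", "dst_mac": SERVER["mac"],
     "src_ip": f"172.16.10.{10 + n}", "dst_ip": SERVER["ip"]}
    for n in range(1, 9)
]

if __name__ == "__main__":
    for method in METHODS:
        print(f"{method:12} {dict(sorted(distribution(method, FLOWS, 4).items()))}")
```

With four member links, dst-ip and dst-mac put all eight flows on a single link, while src-ip, src-mac and src-dst-mac spread them two per link. That is the trade-off behind the show etherchannel load-balance output: pick the method whose fields actually vary in your traffic, or the channel degrades to one link's bandwidth.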
Figure 2-3 Network Topology for EtherChannel Configuration. Labels in the figure: DLSwitch (3560) connected to ALSwitch1 (2960) and ALSwitch2 (2960) over Fast EtherChannel (FEC) bundles carrying IEEE 802.1Q trunks; port labels Fa0/1, Fa0/2, Fa0/3, Fa0/4, Fa0/6, and Fa0/12; Accounting VLAN 10 on Fa 0/5-8 of each access switch; workstations WS1 to WS4.
DLSwitch (3560)
e
Switch>enable
Moves to privileged mode
...
h
Switch(config)#hostname DLSwitch
Sets host name
...
v
DLSwitch(config)#vtp mode server
Changes the switch to VTP server
mode
...
v
DLSwitch(config)#vlan 10
Creates VLAN 10 and enters VLAN-config mode
...
e
DLSwitch(config-vlan)#exit
Returns to global config mode
...
n
DLSwitch(config-vlan)#name Marketing
Assigns a name to the VLAN
...
i
DLSwitch(config)#interface range
fastethernet 0/1 - 4
Moves to interface range config mode
...
1Q encapsulation on the
trunk link
...
e
DLSwitch(config-if)#exit
Returns to global config mode
...
c
DLSwitch(config-if)#channel-group 1
mode desirable
Creates channel group 1 and assigns
interfaces 0/1–0/2 as part of it
...
i
DLSwitch(config)#interface range
fastethernet 0/3 - 4
Moves to interface range config mode
...
e
DLSwitch(config-if)#exit
Moves to global config mode
...
e
DLSwitch(config)#exit
Moves to privileged mode
...
ALSwitch1 (2960)
e
Switch>enable
Moves to privileged mode
...
h
Switch(config)#hostname ALSwitch1
Sets the host name
...
v
ALSwitch1(config)#vtp mode client
Changes the switch to VTP client
mode
...
i
ALSwitch1(config)#interface range
fastethernet 0/5 - 8
Moves to interface range config mode
...
ALSwitch1(config-if-range)#switchport access vlan 10
Assigns ports to VLAN 10
...
i
ALSwitch1(config)#interface range
fastethernet 0/9 - 12
Moves to interface range config mode
...
ALSwitch1(config-if-range)#switchport access vlan 20
Assigns ports to VLAN 20
...
i
ALSwitch1(config)#interface range
fastethernet 0/1 - 2
Moves to interface range config mode
...
c
ALSwitch1(config-if-range)#channel-group 1 mode desirable
Creates channel group 1 and assigns
interfaces 0/1–0/2 as part of it
...
e
ALSwitch1(config)#exit
Moves to privileged mode
...
ALSwitch2 (2960)
e
Switch>enable
Moves to privileged mode
...
h
Switch(config)#hostname ALSwitch2
Sets the host name
...
v
ALSwitch2(config)#vtp mode client
Changes the switch to VTP client
mode
...
i
ALSwitch2(config)#interface range
fastethernet 0/5 - 8
Moves to interface range config mode
...
ALSwitch2(config-if-range)#switchport access vlan 10
Assigns ports to VLAN 10
...
i
ALSwitch2(config)#interface range
fastethernet 0/9 - 12
Moves to interface range config mode
...
ALSwitch2(config-if-range)#switchport access vlan 20
Assigns ports to VLAN 20
...
i
ALSwitch2(config)#interface range
fastethernet 0/1 - 2
Moves to interface range config mode
...
c
ALSwitch2(config-if-range)#channel-group 1 mode desirable
Creates channel group 1 and assigns
interfaces 0/1–0/2 as part of it
...
e
ALSwitch2(config)#exit
Moves to privileged mode
...
CHAPTER 3
Implementing Spanning Tree
This chapter provides information and commands concerning the following topics:
• Enabling Spanning Tree Protocol
• Configuring the root switch
• Configuring a secondary root switch
• Configuring port priority
• Configuring the path cost
• Configuring the switch priority of a VLAN
• Configuring STP timers
• Verifying STP
• Optional STP configurations
— PortFast
— BPDU Guard
— BPDU Filtering
— UplinkFast
— BackboneFast
— Root Guard
— Loop Guard
— Unidirectional Link Detection
• Changing the spanning-tree mode
• Extended System ID
• Enabling Rapid Spanning Tree
• Enabling Multiple Spanning Tree
• Verifying MST
• Troubleshooting STP
Enabling Spanning Tree Protocol
s
Switch(config)#spanning-tree vlan 5
Enables Spanning Tree
Protocol (STP) on VLAN 5
...
NOTE: If more VLANs are defined in the VLAN Trunking Protocol (VTP) than there
are spanning-tree instances, you can have only STP on 64 VLANs
...
Configuring the Root Switch
s
Switch(config)#spanning-tree
vlan 5 root
Modifies the switch priority from the default
32768 to a lower value to enable the switch
to become the root switch for VLAN 5
...
If any other switch has a
priority set to below 24576 already, this
switch sets its own priority to 4096 less than
the lowest switch priority
...
s
Switch(config)#spanning-tree
vlan 5 root primary
Switch recalculates timers along with
priority to enable the switch to become the
root switch for VLAN 5
...
s
Switch(config)#spanning-tree
vlan 5 root primary diameter 7
Configures the switch to be the root switch
for VLAN 5 and sets the network diameter
to 7
...
The range is from 2 to 7
switches
...
TIP: The hello-time keyword sets the hello-delay timer to any amount between 1 and 10 seconds
...
Configuring a Secondary Root Switch
s
Switch(config)#spanning-tree
vlan 5 root secondary
Switch recalculates timers along with
priority to enable the switch to become the
root switch for VLAN 5 if the primary root
switch fails
...
Therefore, if the root
switch fails, and all other switches are set to
the default priority of 32768, this becomes
the new root switch
...
s
Switch(config)#spanning-tree
vlan 5 root secondary diameter 7
Configures the switch to be the secondary
root switch for VLAN 5 and sets the
network diameter to 7
...
Configuring Port Priority
i
Switch(config)#interface
gigabitethernet 0/1
Moves to interface configuration mode
...
s
Switch(config-if)#spanning-tree
vlan 5 port-priority 64
Configures the VLAN port priority for an
interface that is a trunk port
...
The number
can be between 0 and 255
...
The lower the number, the
higher the priority
...
s
Switch(config-if)#spanning-tree
cost 100000
Configures the cost for the interface that is
an access port
...
NOTE: If a loop occurs, STP uses the path
cost when trying to determine which
interface to place into the forwarding state
...
The range of the cost
keyword is 1 through 200000000
...
Configuring the Switch Priority of a VLAN
s
Switch(config)#spanning-tree vlan
5 priority 12288
Configures the switch priority of VLAN 5
to 12288
...
The default is 32768
...
Only the following numbers can be used as a priority value: 0, 4096, 8192, 12288, 16384, 20480, 24576, 28672, 32768, 36864, 40960, 45056, 49152, 53248, 57344, 61440
CAUTION: Cisco recommends caution when using this command
...
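The priority arithmetic behind the root primary/secondary macros above, the 4096-step priority list, the Extended System ID described later in this chapter and the Root Guard check, worked through as an added Python example that is not from the book. The Bridge records, MAC addresses and function names are constructed for illustration; the switch does these comparisons itself, this only models them.

```python
"""Bridge ID arithmetic behind the spanning-tree commands in this chapter.

Models three things the chapter states: the 16 legal priority values
(0..61440 in steps of 4096), the Extended System ID (priority and VLAN
number share the 16-bit priority field, so VLAN 5 at default shows as
32773), and what 'root primary' / 'root secondary' compute.  The Bridge
records and MAC addresses below are constructed sample data.
"""
from dataclasses import dataclass

PRIORITY_STEP = 4096                 # only the upper 4 bits hold the priority
DEFAULT_PRIORITY = 32768
ROOT_PRIMARY_TARGET = 24576          # 'root primary' normally sets this
ROOT_SECONDARY_TARGET = 28672        # 'root secondary' sets this
VALID_PRIORITIES = range(0, 61440 + 1, PRIORITY_STEP)


def validate_priority(priority: int) -> int:
    """Reject what the CLI rejects: anything not a multiple of 4096 in 0..61440."""
    if priority not in VALID_PRIORITIES:
        raise ValueError(f"{priority} is not a multiple of 4096 in 0..61440")
    return priority


def mac_to_int(mac: str) -> int:
    """'00:1a:2b:3c:4d:5e' or '001a.2b3c.4d5e' -> 48-bit integer."""
    return int(mac.replace(":", "").replace(".", ""), 16)


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int   # configured value, e.g. 32768 or 24576
    mac: str        # switch base MAC address (constructed sample values)


def effective_priority(bridge: Bridge, vlan: int) -> int:
    """Value printed by 'show spanning-tree' with Extended System ID enabled:
    the configured priority plus the VLAN number (the 12-bit system ID ext)."""
    validate_priority(bridge.priority)
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1..4094")
    return bridge.priority + vlan


def bridge_id(bridge: Bridge, vlan: int) -> int:
    """64-bit bridge ID: 16-bit effective priority followed by the 48-bit MAC.
    The lowest bridge ID in a VLAN wins the root election."""
    return (effective_priority(bridge, vlan) << 48) | mac_to_int(bridge.mac)


def elect_root(bridges, vlan: int) -> Bridge:
    """Root election for one VLAN: lowest priority wins, MAC breaks ties."""
    return min(bridges, key=lambda b: bridge_id(b, vlan))


def root_primary_priority(other_priorities) -> int:
    """What 'spanning-tree vlan X root primary' picks: 24576, unless some
    switch already sits below that, in which case 4096 below the lowest."""
    lowest = min(other_priorities, default=DEFAULT_PRIORITY)
    if lowest >= ROOT_PRIMARY_TARGET:
        return ROOT_PRIMARY_TARGET
    if lowest == 0:
        raise ValueError("another switch is already at 0; cannot go lower")
    return lowest - PRIORITY_STEP


def root_secondary_priority() -> int:
    """'root secondary' is fixed: it only beats default-priority switches."""
    return ROOT_SECONDARY_TARGET


def root_guard_state(current_root_id: int, received_root_id: int) -> str:
    """Root Guard on a designated port: a BPDU claiming a better (lower)
    root ID puts the port into root-inconsistent instead of moving the root."""
    if received_root_id < current_root_id:
        return "root-inconsistent"
    return "forwarding"


if __name__ == "__main__":
    core = Bridge("Core", root_primary_priority([32768, 32768]), "0000.0c11.1111")
    dist = Bridge("Distribution1", root_secondary_priority(), "0000.0c22.2222")
    access = Bridge("Access1", DEFAULT_PRIORITY, "0000.0c00.0001")
    print(elect_root([core, dist, access], 5).name)       # Core
    print(effective_priority(access, 5))                   # 32773
    rogue = Bridge("rogue", 0, "0000.0c33.3333")           # constructed
    print(root_guard_state(bridge_id(core, 5), bridge_id(rogue, 5)))
```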
Configuring STP Timers
s
Switch(config)#spanning-tree vlan
5 hello-time 4
Changes the hello-delay timer to 4
seconds on VLAN 5
...
s
Switch(config)#spanning-tree vlan
5 max-age 25
Changes the maximum-aging timer to 25
seconds on VLAN 5
...
The default is
2 seconds
...
The
default is 15 seconds
...
The default is 20 seconds
...
Cisco further
recommends that the spanning-tree vlan x root primary or the spanning-tree
vlan x root secondary command be used instead to modify the switch timers
...
s
Switch(config-if)#switchport
backup interface fastethernet1/0/2
Configures FastEthernet 1/0/2 to provide
Layer 2 backup to FastEthernet 1/0/1
...
NOTE: FlexLink is an alternative solution
to the Spanning Tree Protocol
...
s
Switch#show spanning-tree active
Displays STP information on active
interfaces only
...
s
Switch#show spanning-tree detail
Displays a detailed summary of interface
information
...
s
Switch#show spanning-tree summary
Displays a summary of port states
...
s
Switch#show spanning-tree vlan 5
Displays STP information for VLAN 5
...
PortFast
i
Switch(config)#interface
fastethernet 0/10
Moves to interface config mode
...
s
Switch(config-if)#spanning-tree
portfast trunk
Enables PortFast on a trunk port
...
Using this command
on a port connected to a switch or hub could
prevent spanning tree from detecting loops
...
If
you disable voice VLAN, PortFast is still
enabled
...
BPDU Guard
s
Switch(config)#spanning-tree
portfast bpduguard default
Globally enables BPDU Guard
...
Switch(config-ifs
range)#spanning-tree portfast
Enables PortFast on all interfaces in the
range
...
e
Switch(config)#errdisable
recovery cause bpduguard
Enables the port to reenable itself if the
cause of the error is BPDU Guard by setting
a recovery timer
...
The
default is 300 seconds
...
s
Switch#show spanning-tree
summary totals
Verifies whether BPDU Guard is enabled or
disabled
...
BPDU Filtering
s
Switch(config)#spanning-tree
portfast bpdufilter default
Globally enables BPDU Filtering—
prevents ports in PortFast from sending
or receiving bridge protocol data units
(BPDU)
...
s
Switch(config-if-range)#spanning-tree portfast
Enables PortFast on all interfaces in the
range
...
CAUTION: Enabling BPDU Filtering
on an interface, or globally, is the same
as disabling STP, which can result in
spanning-tree loops being created but
not detected
...
s
Switch(config-if)#spanning-tree
bpdufilter enable
Enables BPDU Filtering on the
interface without enabling the PortFast
feature
...
s
Switch#show running-config
Verifies BPDU Filtering is enabled on
interfaces
...
s
Switch(config)#spanning-tree
uplinkfast max-update-rate 200
Enables UplinkFast and sets the update
packet rate to 200 packets/second
...
The spanning-tree
uplinkfast command affects all
VLANs
...
The default is 150
...
This causes
STP to converge more slowly after a
loss of connectivity
...
NOTE: UplinkFast cannot be enabled on VLANs that have been configured for
switch priority
...
It is not appropriate for backbone devices
...
s
Switch#show spanning-tree summary
Verifies whether BackboneFast has
been enabled
...
s
Switch(config-if)#spanning-tree
guard root
Enables Root Guard on the interface
...
s
Switch#show running-config
Verifies whether Root Guard is enabled on
the interface
...
NOTE: Root Guard enabled on an interface applies to all VLANs to which the
interface belongs
...
Loop Guard
s
Switch#show spanning-tree active
Shows which ports are alternate or root
ports
...
c
Switch#configure terminal
Enters global configuration mode
...
e
Switch(config)#exit
Returns to privileged mode
...
NOTE: You cannot enable both Root Guard and Loop Guard at the same time
...
NOTE: Loop Guard operates only on ports that are considered to be point to
point by the STP
...
NOTE: By default, UDLD is disabled
...
i
Switch(config)#interface
fastethernet 0/24
Moves to interface config mode
...
NOTE: On a fiber-optic interface, the interface
command udld port overrides the global
command udld enable
...
s
Switch#show udld
Displays UDLD information
...
Switch#udld reset
Resets all interfaces shut down by UDLD
...
Changing the Spanning-Tree Mode
Different types of spanning tree can be configured on a Cisco switch
...
This is a Cisco proprietary protocol
...
• Rapid PVST+—This mode is the same as PVST+ except that it uses a rapid
convergence based on the 802
...
• Multiple Spanning Tree Protocol (MSTP)—IEEE 802
...
Extends the 802
...
Multiple VLANs
can map to a single instance of RST
...
s
Switch(config)#spanning-tree mode mst
Enables MSTP
...
s
Switch(config)#spanning-tree mode pvst
Enables PVST—this is the default
setting
...
Extended System ID
s
Switch(config)#spanning-tree extend
system-id
Enables Extended System ID, also
known as MAC Address
Reduction
...
1(8)EA1 do not support
the Extended System ID
...
s
Switch#show running-config
Display the current volatile device
configuration
...
i
Switch(config)#interface
fastethernet 0/1
Moves to interface config mode
...
NOTE: By setting the link type to
point-to-point, this means that if you
connect this port to a remote port, and
this port becomes a designated port, the
switch will negotiate with the remote
port and transition the local port to a
forwarding state
...
1D switch
...
i
Switch(config-mst)#instance 1 vlan 4
Maps VLAN 4 to a Multiple Spanning
Tree (MST) instance
...
i
Switch(config-mst)#instance 1 vlan
10,20,30
Maps VLANs 10, 20, and 30 to MST
instance 1
...
n
Switch(config-mst)#name region12
Specifies the configuration name to be
region12
...
r
Switch(config-mst)#revision 4
Specifies the revision number
...
s
Switch(config-mst)#show pending
Verifies the configuration by displaying
a summary of what you have
configured for the MST region
...
s
Switch(config)#spanning-tree mst 1
Enables MST
...
NOTE: You cannot run both MSTP
and PVST at the same time
...
The
primary root switch priority is 24576
...
The secondary root switch priority is
28672
...
Verifying MST
s
Switch#show spanning-tree mst
configuration
Displays the MST region
configuration
...
s
Switch#show spanning-tree mst
interface fastethernet 0/1
Displays the MST information for
interface fastethernet 0/1
...
s
Switch#show spanning-tree mst 1
detail
Shows detailed information about
MST instance 1
...
d
Switch#debug spanning-tree events
Displays spanning-tree debugging
topology events
...
d
Switch#debug spanning-tree
uplinkfast
Displays spanning-tree debugging
UplinkFast event
...
d
Switch#debug spanning-tree switch
state
Displays spanning-tree port state
changes
...
Configuration Example: STP
Figure 3-1 shows the network topology for the configuration that follows, which shows how
to configure STP using commands covered in this chapter
...
[Figure 3-1 residue: core, distribution and access switches; Access2 (2960, VTP client) uplinks show VLAN 10 forwarding and VLAN 20 blocking. Port labels recovered: Fa0/3, Fa0/4, Fa0/5, Fa0/8; VLAN labels 10 and 20.]
Core Switch (3560)
e
Switch>enable
Moves to privileged mode
...
h
Switch(config)#hostname Core
Sets the host name
...
v
Core(config)#vtp mode server
Changes the switch to VTP server
mode
...
v
Core(config)#vtp domain stpdemo
Configures the VTP domain name to
stpdemo
...
n
Core(config-vlan)#name Accounting
Assigns a name to the VLAN
...
v
Core(config)#vlan 20
Creates VLAN 20 and enters VLAN-config mode
...
e
Core(config-vlan)#exit
Returns to global config mode
...
u
Core(config)#udld enable
Enables UDLD
...
c
Core#copy running-config startup-config
Saves the configuration to nonvolatile RAM (NVRAM)
...
c
Switch#configure terminal
Moves to global configuration mode
...
n
Distribution1(config)#no ip domain-lookup
Turns off DNS queries so that spelling
mistakes will not slow you down
...
v
Distribution1(config)#vtp mode client
Changes the switch to VTP client
mode
...
u
Distribution1(config)#udld enable
Enables UDLD on all FO interfaces
...
s
Distribution1(config-if)#spanning-tree guard root
Prevents switch on the other end of the
link (Access2) from becoming the root
switch
...
e
Distribution1(config)#exit
Returns to privileged mode
...
Distribution 2 Switch (3560)
e
Switch>enable
Moves to privileged mode
...
h
Switch(config)#hostname
Distribution2
Sets the host name
...
v
Distribution2(config)#vtp domain
stpdemo
Configures the VTP domain name to
stpdemo
...
s
Distribution2(config)#spanning-tree
vlan 20 root primary
Configures the switch to become the
root switch of VLAN 20
...
i
Distribution2(config)#interface
range fastethernet 0/3 - 4
Moves to interface range mode
...
e
Distribution2(config-if)#exit
Returns to global config mode
...
c
Distribution2#copy running-config
startup-config
Saves the configuration to NVRAM
...
c
Switch#configure terminal
Moves to global configuration mode
...
n
Access1(config)#no ip domain-lookup
Turns off DNS queries so that spelling
mistakes will not slow you down
...
v
Access1(config)#vtp mode client
Changes the switch to VTP client mode
...
s
Access1(config-if-range)#switchport
mode access
Places all interfaces in access mode
...
s
Access1(config-if-range)#spanning-tree bpduguard enable
Enables BPDU Guard
...
s
Access1(config)#spanning-tree
uplinkfast
Enables UplinkFast to reduce STP
convergence time
...
s
Access1(config-if)#spanning-tree
guard root
Prevents the switch on the other end of
link (Access2) from becoming the root
switch
...
u
Access1(config)#udld enable
Enables UDLD on all FO interfaces
...
c
Access1#copy running-config
startup-config
Saves the configuration to NVRAM
...
c
Switch#configure terminal
Moves to global configuration mode
...
n
Access2(config)#no ip domain-lookup
Turns off DNS queries so that spelling
mistakes will not slow you down
...
v
Access2(config)#vtp mode client
Changes the switch to VTP client mode
...
s
Access2(config-if-range)#switchport
mode access
Places all interfaces in access mode
...
s
Access2(config-if-range)#spanning-tree bpduguard enable
Enables BPDU Guard
...
e
Access2(config)#exit
Returns to privileged mode
...
CHAPTER 4
Implementing Inter-VLAN Routing
This chapter provides information and commands concerning the following topics:
Inter-VLAN communication
• Inter-VLAN communication using an external router: router-on-a-stick
• Inter-VLAN communication tips
• Inter-VLAN communication on a multilayer switch through a switch virtual
interface
— Removing L2 switchport capability of a switch port
— Configuring SVI Autostate
— Configuring a Layer 3 EtherChannel
— Configuring inter-VLAN communication
• Configuration example: inter-VLAN communication
DHCP
• Configuring DHCP server on a Router or Layer 3 Switch
• Verifying and troubleshooting DHCP configuration
• Configuring a DHCP helper address
• DHCP client on a Cisco IOS Software Ethernet interface
• Configuration example: DHCP
CEF
• Configuring Cisco Express Forwarding (CEF)
• Verifying CEF
• Troubleshooting CEF
Inter-VLAN Communication Using an External Router: Router-on-a-Stick
i
Router(config)#interface
fastethernet 0/0
Moves to interface configuration mode
...
n
Router(config-if)#no shutdown
Enables interface
...
1
Creates subinterface 0/0
...
d
Router(config-subif)#description
Management VLAN 1
(Optional) Sets locally significant
descriptor of the subinterface
...
VLAN 1 is the native VLAN
...
1Q trunking
protocol
...
168
...
1 255
...
255
...
i
Router(config-subif)#interface
fastethernet 0/0
...
10 and moves
to subinterface configuration mode
...
e
Router(config-subif)#encapsulation
dot1q 10
Assigns VLAN 10 to this subinterface
...
1Q
trunking protocol
...
168
...
1 255
...
255
...
e
Router(config-subif)#exit
Returns to interface configuration mode
...
Router(config)#
NOTE: The subnets of the VLANs are directly connected to the router
...
In a more
complex topology, these routes need to either be advertised with whatever
dynamic routing protocol is used, or be redistributed into whatever dynamic
routing protocol is used
...
Inter-VLAN Communication Tips
• Although most routers support both Inter-Switch Link (ISL) and Dot1Q
encapsulation, some switch models support only Dot1Q, such as the 2950 and 2960
series
...
• Recommended best practice is to use the same number of the VLAN number for the
subinterface number
...
10 than on fastethernet0/0
...
• The native VLAN (usually VLAN 1) cannot be configured on a subinterface for Cisco
IOS releases that are earlier than 12
...
Native VLAN IP addresses will, therefore,
need to be configured on the physical interface
...
168
...
1 255
...
255
...
10
e
Router(config-subif)#encapsulation dot1q 10
i
Router(config-subif)#ip address 192
...
10
...
255
...
0
Inter-VLAN Communication on a Multilayer Switch Through a Switch Virtual Interface
Rather than using an external router to provide inter-VLAN communication, a multilayer
switch can perform the same task through the use of a switched virtual interface (SVI)
...
n
3750Switch(config-if)#no switchport
Creates a Layer 3 port on the switch
...
Configuring SVI Autostate
i
3750Switch(config)#interface
fastethernet 0/1
Moves to interface configuration mode
...
NOTE: This command is commonly
used for ports that are used for
monitoring, for example, so that a
monitoring port does not cause the SVI
to remain “up” when no other ports are
active in the VLAN
...
The switchport auto-state exclude command excludes a port
from the SVI interface line-state up-or-down calculation
...
n
Switch(config-if)#no switchport
Changes interface to Layer 3 to enable
the use of the IP address command
...
32
...
10 255
...
255
...
i
Switch(config)#interface range
fastethernet 5/4 - 5
Moves to interface range configuration
mode
...
c
Switch(config-if-range)#channel-protocol pagp
Configures port aggregation protocol
...
Configuring Inter-VLAN Communication
i
3550Switch(config)#interface vlan 1
Creates a virtual interface for VLAN 1
and enters interface configuration
mode
...
16
...
1 255
...
255
...
n
3550Switch(config-if)#no shutdown
Enables the interface
...
i
3550Switch(config-if)#ip address
172
...
10
...
255
...
0
Assigns IP address and netmask
...
i
3550Switch(config)#interface vlan 20
Creates a virtual interface for VLAN 20
and enters interface configuration
mode
...
16
...
1 255
...
255
...
n
3550Switch(config-if)#no shutdown
Enables the interface
...
i
3550Switch(config)#ip routing
Enables routing on the switch
...
Some
commands used in this configuration are from previous chapters
...
[Figure residue: network topology for the inter-VLAN communication example. Labels recovered: Internet; serial 0/0/0 (DCE) link toward the ISP; router subinterfaces .1 (VLAN 1, native), .10 (VLAN 10), .20 (VLAN 20) and .30 (VLAN 30) reached over an 802.1Q trunk on fa0/1; fa 0/24; an 802.1Q Gigabit trunk on Gi0/1 with native VLAN 1; Accounting VLAN 10 on fa 0/1-4; Engineering VLAN 20 on fa 0/5-8; workstations WS1–WS5. The IP addresses did not survive extraction.]
Configuration Example: Inter-VLAN Communication
ISP Router
e
Router>enable
Moves to privileged mode
...
h
Router(config)#hostname ISP
Sets the host name
...
d
ISP(config-if)#description simulated
address representing remote website
Sets the locally significant
interface description
...
133
...
1
255
...
255
...
i
ISP(config-if)#interface serial 0/0/0
Moves to interface configuration
mode
...
i
ISP(config-if)#ip address 192
...
7
...
255
...
252
Assigns IP address and netmask
...
n
ISP(config-if)#no shutdown
Enables the interface
...
r
ISP(config-if)#router eigrp 10
Creates Enhanced Interior Gateway
Routing Protocol (EIGRP) routing
process 10
...
133
...
0
Advertises directly connected
networks (classful address only)
...
31
...
0
Advertises directly connected
networks (classful address only)
...
e
ISP(config-router)#exit
Returns to global configuration
mode
...
c
ISP#copy running-config startup-config
Saves the configuration to
NVRAM
...
c
Router#configure terminal
Moves to global configuration
mode
...
i
ISP(config)#interface serial 0/0/0
Moves to interface configuration
mode
...
i
CORP(config-if)#ip address 192
...
7
...
255
...
252
Assigns IP address and netmask
...
i
CORP(config)#interface fastethernet 0/1
Moves to interface configuration
mode
...
i
CORP(config-if)#ip address 172
...
1
...
255
...
252
Assigns the IP address and
netmask
...
e
CORP(config-if)#exit
Returns to global configuration
mode
...
d
CORP(config-if)#duplex full
Enables full-duplex operation to
ensure trunking will take effect
between here and L2Switch2
...
i
CORP(config-if)#interface fastethernet
0/0
...
d
CORP(config-subif)#description
Management VLAN 1 – Native VLAN
Sets the locally significant
interface description
...
VLAN 1 is the native
VLAN
...
1Q trunking protocol
...
168
...
1 255
...
255
...
i
CORP(config-subif)#interface
fastethernet 0/0
...
d
CORP(config-subif)#description Sales
VLAN 10
Sets the locally significant
interface description
...
This subinterface
uses the 802
...
i
CORP(config-subif)#ip address
192
...
10
...
255
...
0
Assigns the IP address and
netmask
...
20
Creates a virtual subinterface and
moves to subinterface
configuration mode
...
e
CORP(config-subif)#encapsulation dot1q
20
Assigns VLAN 20 to this
subinterface
...
1Q trunking protocol
...
168
...
1 255
...
255
...
i
CORP(config-subif)#interface
fastethernet 0/0
...
d
CORP(config-subif)#description
Marketing VLAN 30
Sets the locally significant
interface description
...
This subinterface
uses the 802
...
i
CORP(config-subif)#ip add 192
...
30
...
255
...
0
Assigns the IP address and
netmask
...
e
CORP(config-if)#exit
Returns to global configuration
mode
...
n
CORP(config-router)#network 192
...
1
...
168
...
0
network
...
168
...
0
Advertises the 192
...
10
...
n
CORP(config-router)#network
192
...
20
...
168
...
0
network
...
168
...
0
Advertises the 192
...
30
...
n
CORP(config-router)#network 172
...
0
...
31
...
0 network
...
31
...
0
Advertises the 192
...
7
...
n
CORP(config-router)#no auto-summary
Turns off automatic summarization
at classful boundary
...
e
CORP(config)#exit
Returns to privileged mode
...
L2Switch2 (Catalyst 2960)
e
Switch>enable
Moves to privileged mode
...
h
Switch(config)#hostname L2Switch2
Sets the host name
...
n
L2Switch2(config-vlan)#name Sales
Assigns a name to the VLAN
...
v
L2Switch2(config)#vlan 20
Creates VLAN 20 and enters
VLAN-configuration mode
...
v
L2Switch2(config-vlan)#vlan 30
Creates VLAN 30 and enters
VLAN-configuration mode
...
n
L2Switch2(config-vlan)#name Marketing
Assigns a name to the VLAN
...
i
L2Switch2(config)#interface range
fastethernet 0/2 - 4
Enables you to set the same
configuration parameters on
multiple ports at the same time
...
s
L2Switch2(config-if-range)#switchport
access vlan 10
Assigns ports 2–4 to VLAN 10
...
s
L2Switch2(config-if-range)#switchport
mode access
Sets ports 5–8 as access ports
...
i
L2Switch2(config-if-range)#interface
range fastethernet 0/9 - 12
Enables you to set the same
configuration parameters on
multiple ports at the same time
...
s
L2Switch2(config-if-range)#switchport
access vlan 30
Assigns ports 9–12 to VLAN 30
...
i
L2Switch2(config)#interface fastethernet
0/1
Moves to interface configuration
mode
...
s
L2Switch2(config-if)#switchport mode
trunk
Puts the interface into trunking
mode and negotiates to convert
the link into a trunk link
...
i
L2Switch2(config)#interface vlan 1
Creates virtual interface for
VLAN 1 and enters interface
configuration mode
...
168
...
2 255
...
255
...
n
L2Switch2(config-if)#no shutdown
Enables the interface
...
i
L2Switch2(config)#ip default-gateway
192
...
1
...
e
L2Switch2(config)#exit
Returns to privileged mode
...
L3Switch1 (Catalyst 3560)
e
Switch>enable
Moves to privileged mode
...
h
Switch(config)#hostname L3Switch1
Sets the host name
...
v
L3Switch1(config)#vtp domain testdomain
Configures the VTP domain name
to testdomain
...
n
L3Switch1(config-vlan)#name Accounting
Assigns a name to the VLAN
...
v
L3Switch1(config)#vlan 20
Creates VLAN 20 and enters
VLAN-configuration mode
...
e
L3Switch1(config-vlan)#exit
Returns to global configuration
mode
...
s
L3Switch1(config-if)#switchport trunk
encapsulation dot1q
Specifies 802
...
s
L3Switch1(config-if)#switchport mode
trunk
Puts the interface into trunking
mode and negotiates to convert
the link into a trunk link
...
i
L3Switch1(config)#ip routing
Enables IP routing on this device
...
i
L3Switch1(config-if)#ip address
172
...
1
...
255
...
0
Assigns the IP address and
netmask
...
i
L3Switch1(config-if)#interface vlan 10
Creates a virtual interface for
VLAN 10 and enters interface
configuration mode
...
16
...
1 255
...
255
...
n
L3Switch1(config-if)#no shutdown
Enables the interface
...
i
L3Switch1(config-if)#ip address
172
...
20
...
255
...
0
Assigns the IP address and mask
...
e
L3Switch1(config-if)#exit
Returns to global configuration
mode
...
n
L3Switch1(config-if)#no switchport
Creates a Layer 3 port on the
switch
...
31
...
6 255
...
255
...
e
L3Switch1(config-if)#exit
Returns to global configuration
mode
...
n
L3Switch1(config-router)#network
172
...
0
...
16
...
0 classful
network
...
31
...
0
Advertises the 172
...
0
...
n
L3Switch1(config-router)#no auto-summary
Turns off automatic
summarization at classful
boundary
...
e
L3Switch1(config)#exit
Returns to privileged mode
...
L2Switch1 (Catalyst 2960)
e
Switch>enable
Moves to privileged mode
...
h
Switch(config)#hostname L2Switch1
Sets the host name
...
v
L2Switch1(config)#vtp mode client
Changes the switch to VTP client
mode
...
s
L2Switch1(config-if-range)#switchport
mode access
Sets ports 1–4 as access ports
...
i
L2Switch1(config-if-range)#interface
range fastethernet 0/5 - 8
Enables you to set the same
configuration parameters on
multiple ports at the same time
...
s
L2Switch1(config-if-range)#switchport
access vlan 20
Assigns ports 5–8 to VLAN 20
...
L2Switch1(config)#interface gigabitethernet 0/1
Moves to interface configuration mode
...
L2Switch1(config-if)#exit
Returns to global configuration mode
...
L2Switch1(config-if)#ip address 172
...
1
...
255
...
0
Assigns the IP address and netmask
...
L2Switch1(config-if)#exit
Returns to global configuration mode
...
16
...
1
Assigns the default gateway address
...
L2Switch1#copy running-config startup-config
Saves the configuration in NVRAM
...
Configuring DHCP Server on a Router or Layer 3 Switch
n
Router(dhcp-config)#network 172
...
10
...
255
...
0
Defines the range of addresses to be
leased
...
16
...
1
Defines the address of the default
router for the client
...
16
...
10
Defines the address of the Domain
Name System (DNS) server for the
client
...
16
...
10
Defines the address of the NetBIOS
server for the client
...
ca
Defines the domain name for the
client
...
l
Router(dhcp-config)#lease infinite
Sets the lease time to infinity; the
default time is 1 day
...
i
Router(config)#ip dhcp excluded-address
172
...
10
...
16
...
9
Specifies the range of addresses not
to be leased out to clients
...
n
Router(config)#no service dhcp
Turns off the DHCP service
...
Verifying and Troubleshooting DHCP Configuration
s
Router#show ip dhcp binding
Displays a list of all bindings created
...
Router#show ip dhcp binding w.x.y.z
Displays the bindings for a specific DHCP client with an IP address of w.x.y.z
c
Router#clear ip dhcp binding a.b.c.d
c
Router#clear ip dhcp binding *
Clears all automatic DHCP bindings
...
c
Router#clear ip dhcp conflict a.b.c.d
c
Router#clear ip dhcp conflict *
Clears conflicts for all addresses
...
s
Router#show ip dhcp server
statistics
Displays a list of the number of messages
sent and received by the DHCP server
...
Router#debug ip dhcp server {events | packets | linkage | class}
Displays the DHCP process of addresses
being leased and returned
...
i
Router(config-if)#ip helper-address 172
...
20
...
Layer 3 Switch
i
Switch(config)#interface vlan
10
Moves to SVI configuration mode
...
16
...
2
DHCP broadcasts will be forwarded as a
unicast to this specific address rather than be
dropped by the router
...
The following command stops the forwarding of broadcasts to port 49:
n
Router(config)#no ip forward-protocol udp 49
To open other UDP ports, use the ip forward-protocol udp x command, where x is
the port number you want to open:
i
Router(config)#ip forward-protocol udp 517
DHCP Client on a Cisco IOS Software Ethernet Interface
i
Router(config)#interface
fastethernet 0/0
Moves to interface configuration mode
...
NOTE: The ip address dhcp command
can also be applied on an L3 switch at the
SVI as well as any port where the no
switchport command has been used
...
Figure 4-2 Network Topology for DHCP Configuration
[Figure residue: a NetBIOS server and DHCP clients on the Fa0/0 LAN, a serial link on s0/0/1 between the two routers, and DHCP clients on the far LAN. The IP addresses did not survive extraction.]
Configuration Example: DHCP
Edmonton Router
e
router>enable
Moves to privileged mode
...
h
router(config)#host Edmonton
Sets the host name
...
d
Edmonton(config-if)#description
LAN Interface
Sets the local description of the interface
...
0
...
1 255
...
0
...
n
Edmonton(config-if)#no shutdown
Enables the interface
...
d
Edmonton(config-if)#description
Link to Gibbons Router
Sets the local description of the interface
...
168
...
2 255
...
255
...
Edmonton(config-if)#clock rate 56000
Assigns the clock rate to the DCE cable
on this side of the link
...
Edmonton(config-if)#exit
Returns to global configuration mode
...
Edmonton(config-router)#network
10
...
0
...
0
...
0 network
...
168
...
0
Advertises the 192
...
1
...
Edmonton(config-router)#exit
Returns to global configuration mode
...
Edmonton(config)#ip dhcp excluded-address 10
...
0
...
0
...
5
Specifies the range of addresses not to be
leased out to clients
...
Edmonton(dhcp-config)#network
10
...
0
...
0
...
0
Defines the range of addresses to be
leased
...
0
...
1
Defines the address of the default router
for clients
...
0
...
2
Defines the address of the NetBIOS server
for clients
...
0
...
3
Defines the address of the DNS server for
clients
...
ca
Defines the domain name for clients
...
Edmonton(dhcp-config)#exit
Returns to global configuration mode
...
168
...
168
...
Edmonton(dhcp-config)#network
192
...
3
...
255
...
0
Defines the range of addresses to be
leased
...
168
...
1
Defines the address of the default router
for clients
...
0
...
2
Defines the address of the NetBIOS server
for clients
...
0
...
3
Defines the address of the DNS server for
clients
...
ca
Defines the domain name for clients
...
Edmonton(dhcp-config)#exit
Returns to global configuration mode
...
Edmonton#copy running-config startup-config
Saves the configuration to NVRAM
...
router#configure terminal
Enters global configuration mode
...
Gibbons(config)#interface fastethernet 0/0
Enters interface configuration mode
...
Gibbons(config-if)#ip address
192
...
3
...
255
...
0
Assigns an IP address and netmask
...
168
...
2
DHCP broadcasts will be forwarded as a
unicast to this address rather than be
dropped
...
Gibbons(config-if)#interface serial 0/0/1
Enters interface configuration mode
...
Gibbons(config-if)#ip address
192
...
1
...
255
...
252
Assigns an IP address and netmask
...
Gibbons(config-if)#exit
Returns to global configuration mode
...
Gibbons(config-router)#network
192
...
3
...
168
...
0 network
...
168
...
0
Advertises the 192
...
1
...
Gibbons(config-router)#exit
Returns to global configuration mode
...
Gibbons#copy running-config startup-config
Saves the configuration to NVRAM
Saves the configuration to NVRAM
...
Routing
between these subnets does not require a dynamic routing protocol
...
16
...
0
3750Switch(config-router)#exit
3750Switch(config)#
Configuring Cisco Express Forwarding
Switch(config)#ip cef
Enables standard CEF
...
Switch(config)#no ip cef
Disables CEF globally
...
Switch(config-if)#ip route-cache cef
Enables CEF on the interface
...
Switch#show ip cef summary
Displays a summary of the FIB
...
Switch#show ip cef fastethernet 0/1
Displays the FIB entry for the specified
interface
...
Switch#show interface fastethernet 0/1 | begin L3
Displays switching statistics for the
interface, beginning at the L3 section
...
Switch#show adjacency fastethernet 0/20 detail
Displays the content of the information
to be used during L2 encapsulation
...
Switch#show cef drop
Displays packets that are dropped
because adjacencies are incomplete or
nonexistent
...
Troubleshooting CEF
Switch#debug ip cef
Displays debug information for CEF
...
Switch#debug ip cef drops x
Records CEF dropped packets that match
access-list x
...
Switch#debug ip cef events
Displays general CEF events
...
Switch#debug ip cef table
Produces a table showing events related
to the FIB table
...
CHAPTER 5
Implementing a Highly
Available Network
This chapter provides information and commands concerning the following topics:
• Implementing network logging
• Service Level Agreements (SLA)
Implementing Network Logging
Configuring Syslog
Cisco routers and switches are capable of logging information relating to a number of
different kinds of events that occur—configuration changes, ACL violations, interface
status, and so on
...
To get the most out of your device log messages, it is imperative that your devices
display the correct time; synchronizing all routers and switches with NTP keeps their
timestamps consistent, so events from different devices can be correlated
...
Within each facility, messages are identified by a
severity level, from highest (0) to lowest (7), and by a descriptive mnemonic
Figure 5-1 shows the message structure and format of Cisco network device System
Message Log messages
...
333: %SYS-5-CONFIG_I: Configured from console by console
(Reading left to right: the sequence number and, when timestamps are enabled, the
date and time of the event; FACILITY-SUBFACILITY (SYS); SEVERITY (5); MNEMONIC
(CONFIG_I); and the message text.)
Setting a logging level means you receive that level and everything more severe. For example, Level 6
means you will receive Level 6 down to Level 0 messages
...
The default reporting level is typically Level 7 (debugging)
...
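The message layout and the "level N means N down to 0" rule are easy to get wrong when building log collectors, so here is an added example (not code from the book) that parses IOS system messages into their fields and reproduces what a `logging buffered warnings` setting would keep. It also records whether the timestamp carried the leading `*` that IOS prints when its clock is not authoritative (no NTP sync), which is the practical reason for the NTP advice above. The log lines are constructed for this example, not captured from a device.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

# IOS severity levels, 0 = most severe; 'logging buffered <level>' keeps level..0
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
LEVEL_BY_NAME = {name: level for level, name in SEVERITY_NAMES.items()}

# [seq:] [timestamp:] %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: text
_MSG_RE = re.compile(
    r"^(?:(?P<seq>\d+):\s+)?"
    r"(?:(?P<ts>[*.]?[A-Z][a-z]{2}\s+\d{1,2}(?:\s+\d{4})?\s+\d{2}:\d{2}:\d{2}"
    r"(?:\.\d{1,3})?(?:\s+[A-Z]{3,4})?):\s+)?"
    r"%(?P<facility>[A-Z0-9_]+)(?:-(?P<sub>[A-Z0-9_]+))?-(?P<sev>[0-7])-"
    r"(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


@dataclass(frozen=True)
class SyslogMessage:
    seq: Optional[int]
    timestamp: Optional[str]
    clock_synced: bool      # False when IOS marked the time '*' (not authoritative) or '.' (sync lost)
    facility: str
    subfacility: Optional[str]
    severity: int
    mnemonic: str
    text: str


def parse_ios_syslog(line: str) -> Optional[SyslogMessage]:
    """Parse one IOS system message; return None for lines that are not system messages."""
    m = _MSG_RE.match(line.strip())
    if not m:
        return None
    ts = m.group("ts")
    return SyslogMessage(
        seq=int(m.group("seq")) if m.group("seq") else None,
        timestamp=ts,
        clock_synced=ts is not None and not ts.startswith(("*", ".")),
        facility=m.group("facility"),
        subfacility=m.group("sub"),
        severity=int(m.group("sev")),
        mnemonic=m.group("mnemonic"),
        text=m.group("text"),
    )


def messages_at_or_above(lines: Iterable[str], level: Union[int, str]) -> List[SyslogMessage]:
    """Keep the messages a 'logging ... <level>' setting would record: severity <= level."""
    max_level = LEVEL_BY_NAME[level] if isinstance(level, str) else int(level)
    kept = []
    for line in lines:
        msg = parse_ios_syslog(line)
        if msg is not None and msg.severity <= max_level:
            kept.append(msg)
    return kept


# Constructed sample log for this example (not captured from a real device).
SAMPLE_LOG = """\
000333: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by console
000334: *Mar  1 00:12:40.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to down
000335: *Mar  1 00:13:02.120: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1234.5678.90ab on port FastEthernet0/5.
000336: *Mar  1 00:13:05.000: %HSRP-6-STATECHANGE: Vlan10 Grp 10 state Standby -> Active
000337: *Mar  1 00:13:09.400: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.50] [localport: 22] [Reason: Login Authentication Failed]
000338: Mar  1 00:13:12.000 UTC: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.53 port 514 started - CLI initiated
Switch#
"""

if __name__ == "__main__":
    for msg in messages_at_or_above(SAMPLE_LOG.splitlines(), "warnings"):
        flag = "" if msg.clock_synced else " (clock not synchronized)"
        print(f"{SEVERITY_NAMES[msg.severity]:>14} {msg.facility}-{msg.mnemonic}: {msg.text}{flag}")
```

Run it and only the port-security violation (level 2) and the failed login (level 4) survive the `warnings` filter; the configuration change and HSRP state change are level 5 and 6 and would only be kept at `notifications` or above. Note that five of the six messages carry the `*` marker, which is exactly the condition under which cross-device timelines become unreliable.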
Switch(config)#logging buffered warnings
Enables local logging for
events that are warnings
and more serious
...
l
Switch(config)#logging 192
...
10
...
168
...
53
...
Switch(config)#logging sysadmin
Sends logging messages to
a syslog server host named
sysadmin
...
Switch(config)#logging source-interface loopback 0
Sets the source IP address
of the syslog packets,
regardless of the interface
where the packets actually
exit the router
...
CAUTION: If any debugging is enabled and the logging buffer is configured to
include Level 7 (debugging) messages, the debug output will be included in the
system log
...
Configuring an SNMP Managed Node
Switch#configure terminal
Enters global
configuration mode
...
1
...
0 0
...
0
...
Switch(config)#snmp-server community CISCONET2
Configures the community
string
...
Optionally specifies an
access list permitting
management traffic; an SNMPv1/v2c
community string travels in cleartext,
so restrict it to known management
stations
...
Switch(config)#snmp-server engineID local 1234567890
Sets a string to identify the
local device as
1234567890
...
Switch(config)#snmp-server group scottgroup v3 auth
Defines an SNMP group
named scottgroup for
SNMPv3 using
authentication
...
Switch(config)#snmp-server user Scott scottgroup v3 auth md5 scott2passwd
Defines a user Scott
belonging to the group
scottgroup
...
No encryption (priv)
parameters are set, so the
SNMP payload is authenticated
but sent in cleartext
...
Authentication
uses MD5 for the
password scott2passwd
...
NOTE: The snmp-server
user command is specific
to the 6500 platform
...
16
...
200
inform version 3 noauth Hans
Specifies the recipient—
172
...
31
...
The
SNMPv3 security level of
noauth is used
...
Service Level Agreements (SLA)
Configuring IP SLA (Catalyst 3750)
Cisco IOS IP SLAs sends data across the network to measure performance between
multiple network locations or network paths
...
IP SLAs can also send SNMP traps
that are triggered by events such as the following:
• Connection loss
• Timeout
• Round-trip time threshold
• Average jitter threshold
• One-way packet loss
• One-way jitter
• One-way mean opinion score (MOS)
• One-way latency
Figure 5-2 is the network topology for the IP SLA commands
...
(Figure not reproduced. It shows DLS1 and DLS2, a Border router, and the LAN segment used by the SLA operations.)
DLS1(config)#ip sla 11
Creates an IP SLAs operation and
enters IP SLAs configuration mode
...
1
...
1
source-ip 10
...
1
...
NOTE: The ICMP ECHO
operation does not require the IP
SLAs responder to be enabled
...
DLS1(config-ip-sla-echo)#exit
Exits sla-echo configuration mode
...
NOTE: The start time for the SLA
can be set to a particular time and
day, to be recurring, to be activated
after a threshold is passed, and kept
as an active process for a
configurable number of seconds
...
1
...
1 port 10000
Configures switch DLS2 as an IP
SLA responder with 10
...
1
...
DLS1(config)#ip sla 12
Creates an IP SLAs operation and
enters IP SLAs configuration
mode
...
19
...
2 source-ip 10
...
1
...
NOTE: The path-jitter SLA sends
10 packets per operation with a 20
ms time interval between them by
default
...
DLS1(config-ip-sla-pathJitter)#tos 0x80
Sets the type of service value to
0x80
...
DLS1(config)#ip sla schedule 12 recurring start-time 07:00 life 3600
Configures the IP SLAs operation
scheduling parameters to start at
7:00 AM and continue for 1 hour
every day
...
NOTE: The show ip sla
application command
displays supported SLA
operation types and
supported SLA protocols
...
CHAPTER 6
Implementing a First Hop Redundancy Protocols Solution
This chapter provides information and commands concerning the following topics:
• Hot Standby Routing Protocol (HSRP)
— Configuring HSRP
— Default HSRP configuration settings
— Verifying HSRP
— HSRP optimization options
— Multiple HSRP groups
— HSRP IP SLA tracking
— Debugging HSRP
• Virtual Router Redundancy Protocol (VRRP)
— Configuring VRRP
— Verifying VRRP
— Debugging VRRP
• Gateway Load Balancing Protocol (GLBP)
— Configuring GLBP
— Verifying GLBP
— Debugging GLBP
• Configuration example: HSRP on L3 Switch
• Configuration example: GLBP
Hot Standby Routing Protocol
The Hot Standby Routing Protocol (HSRP) provides network redundancy for IP
networks, ensuring that user traffic immediately and transparently recovers from first-hop failures in network edge devices or access circuits
...
Switch(config)#interface vlan 10
Moves to interface configuration mode
...
16
...
10
255
...
255
...
Switch(config-if)#standby 1 ip 172
...
0
...
16
...
1 for use in HSRP
...
The
default is 0
...
NOTE: The priority value can be from 1 to 255
...
A higher priority results in that switch
being elected the active switch
...
Default HSRP Configuration Settings
Feature: Default Setting
HSRP version: Version 1
NOTE: HSRPv1 and HSRPv2 have different packet
structures
...
HSRP groups: None configured
Standby group number: 0
Standby MAC address: System assigned as 0000
...
acXX, where XX is
the HSRP group number
Standby priority: 100
Standby delay: 0 (no delay)
Standby track interface priority decrement: 10
Standby hello time: 3 seconds
Standby holdtime: 10 seconds
Verifying HSRP
Switch#show running-config
Displays what is currently running on
the switch
...
Switch#show standby brief
Displays a single-line output summary
of each standby group
...
HSRP Optimization Options
There are options available that make it possible to optimize HSRP operation in the campus
network
...
Preempt
Switch(config)#interface vlan 10
Moves to interface configuration mode
...
Switch(config-if)#standby 1 preempt delay minimum 180
Causes the local switch to wait 180 seconds
before preempting, even when its priority is
higher than that of the current active switch
...
Switch(config-if)#no standby 1 preempt delay reload
Disables the preemption delay, but preemption
itself is still enabled
...
NOTE: If the preempt argument is not
configured, the local switch assumes control as
the active switch only if the local switch
receives information indicating that there is no
switch currently in the active state
...
Switch(config-if)#standby 1 timers 5 15
Sets the hello timer to 5 seconds and sets the
hold timer to 15 seconds
...
NOTE: The hello timer can be from 1 to 254;
the default is 3
...
The default unit of time is
seconds
...
NOTE: If the msec argument is used, the timers
can be an integer from 15 to 999
...
Switch(config-if)#standby 1 track fastethernet 0/0 25
HSRP tracks the availability of interface
FastEthernet 0/0 and lowers the group priority
by 25 while that interface is down
...
NOTE: The default value of the track argument
is 10
...
The
track argument assigns the value by which the priority
is decreased if the tracked interface goes
down
...
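The defaults table, the tracking commands and the preempt rule together define a small election: the effective priority is the configured value minus the decrement of every tracked interface that is down, the highest effective priority wins (ties go to the higher interface address), and a better candidate only displaces an existing active router when it has preempt configured. The following Python is an added example, not code from the book, that models those rules and derives the virtual MAC from the group number. The HSRPv1 virtual MAC is the 0000.0c07.acXX pattern from the defaults table; the HSRPv2 range (0000.0c9f.fXXX) and the clamp at priority 1 are this model's assumptions, and the DLS1/DLS2 scenario is constructed to mirror the chapter's VLAN 10 example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_PRIORITY = 100          # standby priority default
DEFAULT_TRACK_DECREMENT = 10    # standby track <intf> default decrement


def hsrp_virtual_mac(group: int, version: int = 1) -> str:
    """Virtual MAC for an HSRP group: v1 uses 0000.0c07.acXX (group 0-255),
    v2 uses 0000.0c9f.fXXX (group 0-4095)."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 group must be 0-255")
        return f"0000.0c07.ac{group:02x}"
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRPv2 group must be 0-4095")
        return f"0000.0c9f.f{group:03x}"
    raise ValueError("version must be 1 or 2")


def _ip_key(ip: str):
    return tuple(int(octet) for octet in ip.split("."))


@dataclass
class HsrpRouter:
    name: str
    ip: str                              # real interface address (tie-breaker: highest wins)
    priority: int = DEFAULT_PRIORITY
    preempt: bool = False
    # tracked interface -> decrement, e.g. {"Fa0/1": 20, "Fa0/2": DEFAULT_TRACK_DECREMENT}
    tracks: Dict[str, int] = field(default_factory=dict)
    interface_up: Dict[str, bool] = field(default_factory=dict)  # missing entries count as up

    def effective_priority(self) -> int:
        """Configured priority minus the decrement of every tracked interface that is down.
        Clamped at 1 here (an assumption of this model; the configurable range is 1-255)."""
        p = self.priority
        for intf, decrement in self.tracks.items():
            if not self.interface_up.get(intf, True):
                p -= decrement
        return max(p, 1)


def elect_active(routers: List[HsrpRouter], current_active: Optional[str] = None) -> str:
    """Name of the router that ends up active.
    Highest effective priority wins; ties break on the higher interface IP.
    If a router is already active, a better candidate displaces it only when that
    candidate has preempt configured; otherwise the active router keeps the role."""
    best = max(routers, key=lambda r: (r.effective_priority(), _ip_key(r.ip)))
    if current_active is None or best.name == current_active:
        return best.name
    return best.name if best.preempt else current_active


if __name__ == "__main__":
    # Constructed scenario modeled on the chapter's VLAN 10 example: DLS1 priority 105,
    # tracking Fa0/1 (decrement 20) and Fa0/2 (default decrement), both switches with preempt.
    dls1 = HsrpRouter("DLS1", "192.168.10.1", priority=105, preempt=True,
                      tracks={"Fa0/1": 20, "Fa0/2": DEFAULT_TRACK_DECREMENT})
    dls2 = HsrpRouter("DLS2", "192.168.10.2", priority=100, preempt=True)
    print("virtual MAC for group 10:", hsrp_virtual_mac(10))
    print("initial active:", elect_active([dls1, dls2]))
    dls1.interface_up["Fa0/1"] = False
    print("DLS1 priority after Fa0/1 down:", dls1.effective_priority())
    print("active after failure:", elect_active([dls1, dls2], current_active="DLS1"))
```

The scenario shows why the decrement has to be sized against the peer's priority: with DLS1 at 105 and DLS2 at the default 100, a decrement of 20 on the uplink is enough to hand the VLAN to DLS2, but the default decrement of 10 on its own (105 - 10 = 95) also is, whereas a decrement of 5 would leave DLS1 active behind a dead uplink. Flip `preempt` off on DLS2 and the failover never happens, regardless of priority.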
Multiple HSRP
Figure 6-1 shows the network topology for the configuration that follows, which shows two
HSRP groups with a different active forwarder for each VLAN
...
(Figure not reproduced. It shows DLS1 and DLS2 joined to the access layer by 802.1Q trunks, with one uplink carrying VLAN 10 and the other VLAN 20, and hosts such as H2 on the access side.)
DLS1(config)#spanning-tree vlan 10 root primary
Configures spanning-tree root primary for
VLAN 10
...
NOTE: Load balancing is accomplished by
having one switch as the active HSRP L3-Switch
forwarding for half of the VLANs and the
standby L3-Switch for the remaining VLANs
...
Care must be taken
to ensure that spanning-tree is forwarding to the
active L3-Switch for the correct VLANs by
making that L3-Switch the Spanning-Tree
Primary Root for those VLANs
...
DLS1(config-if)#ip address
10
...
10
...
255
...
0
Assigns an IP address and netmask
...
1
...
1
Activates HSRP group 10 on the interface and
creates a virtual IP address of 10
...
10
...
DLS1(config-if)#standby 10 priority 110
Assigns a priority value of 110 to standby group
10
...
DLS1(config-if)#standby 10 preempt
Preempts, or takes control of, VLAN 10
forwarding if the local priority is higher than the
active switch VLAN 10 priority
...
DLS1(config-if)#ip address
10
...
20
...
255
...
0
Assigns an IP address and netmask
...
1
...
1
Activates HSRP group 20 on the interface and
creates a virtual IP address of 10
...
20
...
DLS1(config-if)#standby 20 priority 90
Assigns a priority value of 90 to standby group
20
...
DLS1(config-if)#standby 20 preempt
Preempts, or takes control of, VLAN 20
forwarding if the local priority is higher than the
active switch VLAN 20 priority
...
switch(config-ip-sla)#icmp-echo
172
...
10
...
19
...
1
...
switch(config)#ip sla schedule 10 start-time now life forever
Configures the scheduling for SLA 10 to start
now and continue indefinitely
...
switch(config)#track 90 ip sla 10 state
Creates an object, 90, to track the state of SLA
process 10
...
switch(config-if)#ip address
192
...
10
...
255
...
0
Assigns IP address and netmask
...
168
...
254
Activates HSRP group 10 on the interface and
creates a virtual IP address of 192
...
10
...
switch(config-if)#standby 10 priority 110
Assigns a priority value of 110 to standby group
10
...
switch(config-if)#standby 10 track 90 decrement 20
Tracks the state of object 90 and decrements the
device priority by 20 if the object fails
...
Debugging HSRP
Switch#debug standby errors
Displays HSRP error messages
...
Switch#debug standby events terse
Displays all HSRP events except for hellos and
advertisements
...
Switch#debug standby packets
Displays HSRP packet messages
...
Virtual Router Redundancy Protocol
NOTE: HSRP is Cisco proprietary
...
NOTE: The VRRP is not supported on the Catalyst 3750-E, 3750, 3560, or 3550
platforms
...
VRRP is an election protocol that dynamically assigns responsibility for one or more virtual
switches to the VRRP switches on a LAN, enabling several switches on a multiaccess link
to use the same virtual IP address
...
Configuring VRRP
Switch(config)#interface vlan 10
Moves to interface configuration mode
...
16
...
5
255
...
255
...
Switch(config-if)#vrrp 10 ip 172
...
100
...
16
...
1
...
Switch(config-if)#vrrp 10 description Engineering Group
Assigns a text description to the group
...
The range is
from 1 to 254
...
Switch(config-if)#vrrp 10 preempt
Preempts, or takes over, as the virtual switch
master for group 10 if it has a higher priority than
the current virtual switch master
...
NOTE: The default delay period is 0 seconds
...
NOTE: The default interval value is 1 second
...
If the switches in a group are
configured with different timer values, they do
not operate as one VRRP group
...
If you use the msec argument, you
change the timer to measure in milliseconds
...
Switch(config-if)#vrrp 10 timers learn
Configures the switch, when acting as a virtual
switch backup, to learn the advertisement interval
used by the virtual switch master
...
Switch(config-if)#no vrrp 10 shutdown
Reenables the VRRP group using the previous
configuration
...
Verifying VRRP
Switch#show vrrp
Displays VRRP information
...
Switch#show vrrp all
Displays detailed information about all VRRP
groups, including groups in the disabled state
...
Switch#show vrrp interface vlan 10 brief
Displays a brief summary about VRRP on
interface VLAN 10
...
Debugging VRRP
Switch#debug vrrp error
Displays all VRRP error messages
...
Switch#debug vrrp packets
Displays messages about packets sent and
received
...
Gateway Load Balancing Protocol
Gateway Load Balancing Protocol (GLBP) protects data traffic from a failed router or
circuit, like HSRP and VRRP, while allowing packet load sharing between a group of
redundant routers
...
Router(config)#interface vlan 10
Moves to interface config mode
...
16
...
5 255
...
255
...
Router(config-if)#glbp 10 ip 172
...
100
...
16
...
1
...
Router(config-if)#glbp 10 preempt
Configures the switch to preempt, or take over, as
the active virtual gateway (AVG) for group 10 if this
switch has a higher priority than the current AVG
...
Router(config-if)#glbp 10 forwarder preempt
Configures the router to preempt, or take over, as
active virtual forwarder (AVF) for group 10 if this
router has a higher weighting than the current AVF
...
Router(config-if)#glbp 10 preempt delay minimum 60
Configures the router to preempt, or take over, as
AVG for group 10 if this router has a higher priority
than the current AVG, after a delay of 60 seconds
...
Other
group members provide backup for the AVG in
case the AVG becomes unavailable
...
Each gateway assumes
responsibility for forwarding packets sent to the
virtual MAC address assigned to it by the AVG
...
Virtual forwarder redundancy is similar to virtual
gateway redundancy with an AVF
...
NOTE: The glbp preempt command uses
priority to determine what happens if the AVG
fails as well as the order of ascendancy to
becoming an AVG if the current AVG fails
...
Router(config-if)#glbp 10 priority 150
Sets the priority level of the switch
...
The default priority of GLBP is 100
...
Router(config-if)#glbp 10 timers 5 15
Configures the hello timer to be set to 5 seconds
and the hold timer to be 15 seconds
...
NOTE: The default hello timer is 3 seconds
...
If the msec argument is used, the timer
is measured in milliseconds, with a range of 50 to
60000
...
The
range of the hold timer is 1 to 180 seconds
...
The hello timer measures the interval between
successive hello packets sent by the AVG in a
GLBP group
...
It is recommended that, unless
you are extremely familiar with your network
design and with the mechanisms of GLBP, you do
not change the timers
...
Router(config-if)#glbp 10 load-balancing host-dependent
Specifies that GLBP will load balance using the
host-dependent method
...
Router(config-if)#glbp 10 weighting 80
Assigns a maximum weighting value for this
interface for load balancing purposes
...
Router(config-if)#glbp 10 load-balancing round-robin
Specifies that GLBP load balances using the
round-robin method
...
• Host-dependent guarantees that a given host always receives the same virtual
MAC address. This is used with stateful Network Address
Translation (NAT) because NAT requires each host to be returned to the same
virtual MAC address each time it sends an ARP request for the virtual IP
address
...
• Weighted enables GLBP to place a weight on each device when calculating the
amount of load sharing
...
To assign a weighting
value, use the glbp x weighting y interface configuration command, where x is
the GLBP group number and y is the weighting value, a number from 1 to 254
...
Round-robin is suitable
for any number of end hosts
...
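The three load-balancing methods differ only in how the AVG answers ARP requests for the virtual IP, so they are easiest to compare by modeling that one decision. The Python below is an added example, not code from the book or from IOS: it hands out AVF virtual MACs round-robin, host-dependently (a hash of the requesting host's MAC, which is this model's choice; IOS does not document its function) and weighted (smooth weighted round-robin, so an 80/20 weighting yields an 8:2 split), and it shows what happens on AVF failure, when another group member takes over the failed forwarder's virtual MAC so hosts that cached it keep working. The virtual MAC values and the DLS1/DLS2 group are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class VirtualForwarder:
    vmac: str        # virtual MAC handed out in ARP replies (illustrative values, not derived here)
    owner: str       # router currently forwarding for this virtual MAC
    weighting: int = 100


class ActiveVirtualGateway:
    """Models the AVG's one decision: which AVF's virtual MAC to put in the ARP reply
    for the virtual IP, under the round-robin, host-dependent and weighted methods."""

    def __init__(self, forwarders: List[VirtualForwarder], method: str = "round-robin"):
        if method not in ("round-robin", "host-dependent", "weighted"):
            raise ValueError(f"unknown load-balancing method {method!r}")
        self.forwarders = list(forwarders)
        self.method = method
        self._rr = 0
        self._current: Dict[str, int] = {}   # smooth weighted round-robin state

    def choose(self, host_mac: str) -> VirtualForwarder:
        fwds = self.forwarders
        if self.method == "round-robin":
            chosen = fwds[self._rr % len(fwds)]
            self._rr += 1
        elif self.method == "host-dependent":
            # Same host -> same virtual MAC for as long as the forwarder set is unchanged.
            # Hashing the host MAC is this model's choice; IOS does not document its function.
            digest = hashlib.sha256(host_mac.lower().encode()).digest()
            chosen = fwds[int.from_bytes(digest[:4], "big") % len(fwds)]
        else:  # weighted: replies proportional to weighting (smooth weighted round-robin)
            total = sum(f.weighting for f in fwds)
            for f in fwds:
                self._current[f.vmac] = self._current.get(f.vmac, 0) + f.weighting
            chosen = max(fwds, key=lambda f: self._current[f.vmac])
            self._current[chosen.vmac] -= total
        return chosen

    def arp_reply(self, host_mac: str) -> str:
        return self.choose(host_mac).vmac

    def owner_of(self, vmac: str) -> str:
        return next(f.owner for f in self.forwarders if f.vmac == vmac)

    def forwarder_failed(self, router: str, backup: str) -> None:
        """A failed AVF's virtual MAC is taken over by another group member, so hosts that
        cached it keep forwarding without re-ARPing."""
        for f in self.forwarders:
            if f.owner == router:
                f.owner = backup


def reply_counts(avg: ActiveVirtualGateway, hosts: List[str]) -> Dict[str, int]:
    """How many ARP replies each virtual MAC received for the given requesting hosts."""
    counts: Dict[str, int] = {f.vmac: 0 for f in avg.forwarders}
    for h in hosts:
        counts[avg.arp_reply(h)] += 1
    return counts


def example_group(method: str, w1: int = 100, w2: int = 100) -> ActiveVirtualGateway:
    """Constructed GLBP group 10: DLS1 and DLS2 each own one AVF."""
    return ActiveVirtualGateway(
        [VirtualForwarder("0007.b400.0a01", "DLS1", w1),
         VirtualForwarder("0007.b400.0a02", "DLS2", w2)],
        method,
    )


if __name__ == "__main__":
    hosts = [f"0050.56aa.{i:04x}" for i in range(10)]
    for method in ("round-robin", "host-dependent", "weighted"):
        avg = example_group(method, 80, 20)
        print(f"{method:>15}: {reply_counts(avg, hosts)}")
```

Only the weighted method honours the `glbp 10 weighting 80` value; round-robin and host-dependent ignore weighting when choosing a forwarder. After `forwarder_failed("DLS2", "DLS1")` the AVG still answers with both virtual MACs and DLS1 forwards for both; on a real switch the orphaned virtual MAC is eventually withdrawn from new ARP replies (the redirect timer) and retired (the secondary holdtime).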
Verifying GLBP
Router#show running-config
Displays the running configuration (held in RAM)
...
Router#show glbp brief
Displays a brief status of all GLBP groups
...
Router#show glbp vlan 10
Displays GLBP information on interface
VLAN 10
...
Debugging GLBP
Router#debug condition glbp
Displays GLBP condition messages
...
Router#debug glbp events
Displays all GLBP event messages
...
Router#debug glbp terse
Displays a limited range of debugging
messages
...
Configuration Example: HSRP on L3 Switch
Figure 6-2 shows the network topology for the configuration that follows. Note that the example
shows only the commands specific to HSRP
...
(Figure 6-2 not reproduced. It shows routers Border1 and Border2 attached to Layer 3 switches DLS1 and DLS2 (Catalyst 3750), DLS1 and DLS2 joined by an EtherChannel 802.1Q trunk, and access switches ALS1 (Catalyst 3550) and ALS2 attached over 802.1Q trunks, with VLAN interfaces addressed from 192.168.x.0/24 networks.)
The network devices are configured as follows:
• DLS1 and DLS2 are configured as Layer 3 devices; ALS1 and ALS2 are configured as
Layer 2 devices
...
Border1 and Border2 also provide
default routing into the cloud
...
• Four VLANs are configured on DLS1
...
• A Layer 2 EtherChannel connects DLS1 and DLS2
...
1Q trunks
...
• DLS2 is the spanning-tree primary root for VLAN 20 and 30, and DLS1 is the
secondary root for VLAN 1 and 10
...
DLS1(config-if)#standby 1 ip
192
...
1
...
168
...
254 for use in
HSRP
...
DLS1(config-if)#standby 1 preempt
Preempts, or takes control of, VLAN 1
forwarding if the local priority is
higher than the active switch VLAN 1
priority
...
If
FastEthernet 0/1 goes down, the
priority of the switch in group 1 is
decremented by 20
...
If
FastEthernet 0/2 goes down, the
priority of the switch in group 1 is
decremented by the default value of
10
...
DLS1(config)#interface vlan 10
Moves to interface configuration
mode
...
168
...
254
Activates HSRP group 10 on the
interface and creates a virtual IP
address of 192
...
10
...
DLS1(config-if)#standby 10 priority 105
Assigns a priority value of 105 to
standby group 10
...
DLS1(config-if)#standby 10 track fastEthernet 0/1 20
HSRP tracks the availability of
interface FastEthernet 0/1
...
DLS1(config-if)#standby 10 track fastEthernet 0/2
HSRP tracks the availability of
interface FastEthernet 0/2
...
DLS1(config-if)#exit
Moves to global configuration mode
...
DLS1(config-if)#standby 20 ip
192
...
20
...
168
...
254 for use in
HSRP
...
DLS1(config-if)#standby 20 track fastEthernet 0/1 20
HSRP tracks the availability of
interface FastEthernet 0/1
...
DLS1(config-if)#standby 20 track fastEthernet 0/2
HSRP tracks the availability of
interface FastEthernet 0/2
...
DLS1(config-if)#exit
Moves to global configuration mode
...
DLS1(config-if)#standby 30 ip
192
...
30
...
168
...
254 for use in
HSRP
...
DLS1(config-if)#standby 30 track fastEthernet 0/1 20
HSRP tracks the availability of
interface FastEthernet 0/1
...
DLS1(config-if)#standby 30 track fastEthernet 0/2
HSRP tracks the availability of
interface FastEthernet 0/2
...
DLS1(config-if)#exit
Moves to global configuration mode
...
DLS2(config-if)#standby 1 ip
192
...
1
...
168
...
254 for use in
HSRP
...
DLS2(config-if)#standby 1 track fastEthernet 0/1 20
HSRP tracks the availability of
interface FastEthernet 0/1
...
DLS2(config-if)#standby 1 track fastEthernet 0/2
HSRP tracks the availability of
interface FastEthernet 0/2
...
DLS2(config-if)#exit
Moves to global configuration mode
...
DLS2(config-if)#standby 10 ip
192
...
10
...
168
...
254 for use in
HSRP
...
DLS2(config-if)#standby 10 track fastEthernet 0/1 20
HSRP tracks the availability of
interface FastEthernet 0/1
...
DLS2(config-if)#standby 10 track fastEthernet 0/2
HSRP tracks the availability of
interface FastEthernet 0/2
...
DLS2(config-if)#exit
Moves to global configuration mode
...
DLS2(config-if)#standby 20 ip
192
...
20
...
168
...
254 for use in
HSRP
...
DLS2(config-if)#standby 20 preempt
Preempts, or takes control of, VLAN
20 forwarding if the local priority is
higher than the active switch VLAN
20 priority
...
If
FastEthernet 0/1 goes down, the
priority of the switch in group 20 is
decremented by 20
...
If
FastEthernet 0/2 goes down, the
priority of the switch in group 20 is
decremented by the default value of
10
...
DLS2(config)#interface vlan 30
Moves to interface configuration
mode
...
168
...
254
Activates HSRP group 30 on the
interface and creates a virtual IP
address of 192
...
30
...
DLS2(config-if)#standby 30 priority 105
Assigns a priority value of 105 to
standby group 30
...
DLS2(config-if)#standby 30 track fastEthernet 0/1 20
HSRP tracks the availability of
interface FastEthernet 0/1
...
DLS2(config-if)#standby 30 track fastEthernet 0/2
HSRP tracks the availability of
interface FastEthernet 0/2
...
DLS2(config-if)#exit
Moves to global configuration mode
...
DLS1(config-ip-sla)#icmp-echo
192
...
10
...
168
...
1
...
DLS1(config)#ip sla schedule 10 start-time now life forever
Configures the scheduling for SLA 10
process to start now and continue
indefinitely
...
DLS1(config-track)#exit
Moves to global configuration mode
...
DLS1(config-if)#standby 10 track 90 decrement 20
Tracks the state of object 90 and
decrements the device priority by 20 if
the object fails
...
Configuration Example: GLBP
Figure 6-3 shows the network topology for the configuration that follows, which shows how
to configure GLBP using commands covered in this chapter
...
NOTE: The Gateway Load Balancing Protocol (GLBP) is not supported on the
Catalyst 3750-E, 3750, 3560, or 3550 platforms
...
Figure 6-3
Network Topology for GLBP Configuration Example
(Figure not reproduced. It shows Border1 and Border2 toward the ISP, Layer 3 switches DLS1 and DLS2 (Catalyst 6509) with SVIs for VLAN 10 and VLAN 20, access switches ALS1 and ALS2, and hosts H1 and H2 on VLANs 10 and 20, with the addresses used in the configuration that follows.)
DLS1 and DLS2 belong to GLBP groups 10 and 20
...
DLS2 is the AVG for GLBP group 20 and backup for
GLBP group 10
...
18
...
1 on VLAN 10 and
172
...
20
...
DLS1
DLS1(config)#track 90 interface fastethernet 1/0/7 line-protocol
Configures tracking object 90 to monitor
the line-protocol on interface fastEthernet
1/0/7
...
DLS1(config)#interface vlan 10
Moves to interface configuration mode
...
18
...
2 255
...
255
...
DLS1(config-if)#glbp 10 ip
172
...
10
...
18
...
1
...
DLS1(config-if)#glbp 10 timers msec 200 msec 700
Configures the hello timer to be 200
milliseconds and the hold timer to be 700
milliseconds
...
DLS1(config-if)#glbp 10 preempt delay minimum 300
Configures the switch to take over as AVG
for group 10 if this switch has a higher
priority than the current AVG, after a delay
of 300 seconds
...
DLS1(config-if)#glbp 10 weighting track 90 decrement 10
Configures object 90 to be tracked in group
10; the weighting drops by 10 while it is down
...
DLS1(config-if)#glbp 10 weighting track 91 decrement 20
Configures object 91 to be tracked in group
10; the weighting drops by 20 while it is down
...
DLS1(config)#interface vlan 20
Moves to interface configuration mode
...
18
...
2 255
...
255
...
DLS1(config-if)#glbp 20 ip
172
...
20
...
18
...
1
...
DLS1(config-if)#glbp 20 timers msec 200 msec 700
Configures the hello timer to be 200
milliseconds and the hold timer to be 700
milliseconds
...
DLS1(config-if)#glbp 20 preempt delay minimum 300
Configures the switch to take over as AVG
for group 20 if this switch has a higher
priority than the current AVG, after a delay
of 300 seconds
...
DLS1(config-if)#glbp 20 weighting track 90 decrement 10
Configures object 90 to be tracked in group
20
...
DLS1(config-if)#glbp 20 weighting track 91 decrement 10
Configures object 91 to be tracked in group
20
...
DLS2
DLS2(config)#track 90 interface fastethernet 1/0/8 line-protocol
Configures tracking object 90 to monitor
the line-protocol on interface fastEthernet
1/0/8
...
DLS2(config)#interface vlan 10
Moves to interface configuration mode
...
18
...
3 255
...
255
...
DLS2(config-if)#glbp 10 ip
172
...
10
...
18
...
1
...
DLS2(config-if)#glbp 10 timers msec 200 msec 700
Configures the hello timer to be 200
milliseconds and the hold timer to be 700
milliseconds
...
DLS2(config-if)#glbp 10 preempt delay minimum 300
Configures the switch to take over as AVG
for group 10 if this switch has a higher
priority than the current AVG, after a delay
of 300 seconds
...
DLS2(config-if)#glbp 10 weighting track 90 decrement 10
Configures object 90 to be tracked in
group 10
...
DLS2(config-if)#glbp 10 weighting track 91 decrement 20
Configures object 91 to be tracked in
group 10
...
DLS2(config)#interface vlan 20
Moves to interface configuration mode
...
18
...
3 255
...
255
...
DLS2(config-if)#glbp 20 ip
172
...
20
...
18
...
1
...
DLS2(config-if)#glbp 20 timers msec 200 msec 700
Configures the hello timer to be 200
milliseconds and the hold timer to be 700
milliseconds
...
DLS2(config-if)#glbp 20 preempt delay minimum 300
Configures the switch to take over as AVG
for group 20 if this switch has a higher
priority than the current AVG, after a delay
of 300 seconds
...
DLS2(config-if)#glbp 20 weighting track 90 decrement 10
Configures object 90 to be tracked in
group 20
...
DLS2(config-if)#glbp 20 weighting track 91 decrement 10
Configures object 91 to be tracked in
group 20
...
CHAPTER 7
Minimizing Service Loss and Data Theft in a Campus Network
This chapter provides information and commands concerning the following topics:
• Configuring static MAC addresses
• Configuring switch port security
• Programming authentication methods
• Adding 802
...
This MAC address can be either a unicast or a multicast
address, and the entry does not age and is retained when the switch restarts
...
1943
...
1943
...
Packets with this address
are forwarded out interface fastethernet
0/3
...
1(11)EA1, the mac
address-table static command (no
hyphen) replaces the mac-address-table
command (with the hyphen)
...
Switch(config)#mac address-table static 1234
...
90ab vlan 4 interface gigabitethernet 0/1
Destination MAC address
1234
...
90ab is added to the MAC
address table
...
Configuring Switch Port Security
Switch(config)#interface fastethernet 0/1
Moves to interface configuration mode
...
NOTE: Port security is enabled on the interface
by the bare switchport port-security command;
the maximum, mac-address and violation settings
below are stored but not enforced until it is
present
...
Switch(config-if)#switchport port-security maximum 4
Sets a maximum limit of four MAC
addresses that are allowed on this port
(the default maximum is 1)
...
Switch(config-if)#switchport port-security mac-address
1234
...
90ab
Sets a specific secure MAC address
1234
...
90ab
...
Switch(config-if)#switchport port-security violation shutdown
Configures port security to shut down the
interface (err-disabled) if a security violation
occurs; this is the default violation mode
...
Switch(config-if)#switchport port-security violation restrict
Configures port security to restrict mode
if a security violation occurs
...
Frames from non-allowed addresses are
dropped, the violation counter increments
and a log message is generated; the
interface remains operational
...
NOTE: In protect mode, frames from a
non-allowed address are dropped but no
log entry or SNMP trap is made
...
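The three violation modes are best understood by feeding the same frame sequence to each. The Python below is an added example, not code from the book or IOS: it models one access port's port-security state (maximum, static and sticky addresses, violation mode, err-disabled state) and what the running configuration would retain. The syslog strings are modeled on the IOS PORT_SECURITY and PM messages rather than captured from a device, and the MAC addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

VIOLATION_MODES = ("protect", "restrict", "shutdown")


@dataclass
class PortSecurity:
    """Model of switchport port-security on one access port."""
    port: str = "FastEthernet0/5"
    maximum: int = 1                     # switchport port-security maximum (IOS default 1)
    violation: str = "shutdown"          # switchport port-security violation (IOS default shutdown)
    sticky: bool = False                 # switchport port-security mac-address sticky
    static: Set[str] = field(default_factory=set)   # switchport port-security mac-address <mac>
    secure: Dict[str, str] = field(default_factory=dict)  # mac -> static | sticky | dynamic
    err_disabled: bool = False
    violation_count: int = 0
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.violation not in VIOLATION_MODES:
            raise ValueError(f"violation must be one of {VIOLATION_MODES}")
        if len(self.static) > self.maximum:
            raise ValueError("more static secure addresses than the configured maximum")
        for mac in self.static:
            self.secure[mac.lower()] = "static"

    def ingress(self, src_mac: str) -> bool:
        """Handle a frame arriving on the port; return True if it is forwarded."""
        mac = src_mac.lower()
        if self.err_disabled:
            return False                       # nothing passes an err-disabled port
        if mac in self.secure:
            return True
        if len(self.secure) < self.maximum:    # room left: learn it
            self.secure[mac] = "sticky" if self.sticky else "dynamic"
            return True
        return self._violation(mac)

    def _violation(self, mac: str) -> bool:
        if self.violation == "protect":
            return False                       # silently dropped: no counter, no log
        self.violation_count += 1
        # Message text modeled on the IOS PORT_SECURITY syslog, not captured from a device.
        self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                        f"caused by MAC address {mac} on port {self.port}.")
        if self.violation == "shutdown":
            self.err_disabled = True
            self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on {self.port}, "
                            f"putting {self.port} in err-disable state")
        return False

    def recover(self) -> None:
        """shutdown / no shutdown on the port (or errdisable recovery) clears err-disabled."""
        self.err_disabled = False

    def running_config(self) -> List[str]:
        """Interface lines the configuration keeps: sticky addresses are written, dynamic ones are not."""
        lines = ["switchport port-security"]
        if self.maximum != 1:
            lines.append(f"switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f"switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        for mac, kind in sorted(self.secure.items()):
            if kind == "static":
                lines.append(f"switchport port-security mac-address {mac}")
            elif kind == "sticky":
                lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines


if __name__ == "__main__":
    for mode in VIOLATION_MODES:
        p = PortSecurity(maximum=1, violation=mode, sticky=True)
        results = [p.ingress(m) for m in ("aaaa.bbbb.0001", "aaaa.bbbb.0002", "aaaa.bbbb.0001")]
        print(f"{mode:>8}: forwarded={results} violations={p.violation_count} "
              f"err_disabled={p.err_disabled}")
```

Note the operational difference the last frame exposes: under `protect` and `restrict` the legitimate host keeps working after an intruder is seen, while under `shutdown` the intruder takes the legitimate host down with it until someone bounces the port. That is the trade-off behind choosing `restrict` on user-facing ports where a denial of service is worse than a logged drop.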
Verifying Switch Port Security
Switch#show port-security
Displays security information for all
interfaces
...
Switch#show port-security address
Displays MAC address table security
information
...
Switch#clear mac address-table dynamic
Deletes all dynamic MAC addresses
...
bbbb
...
Switch#clear mac address-table dynamic interface fastethernet 0/5
Deletes all dynamic MAC addresses on
interface FastEthernet 0/5
...
Switch#clear mac address-table notification
Clears MAC notification global counters
...
1(11)EA1, the clear
mac address-table command (no
hyphen) replaces the clear mac-address-table command (with the hyphen)
...
Sticky MAC Addresses
Sticky MAC addresses are a feature of port security
...
These addresses are stored in the running configuration file
...
Switch(config)#interface fastethernet 0/5
Moves to interface config mode
...
Switch(config-if)#switchport port-security mac-address sticky vlan 10 voice
Converts all dynamic port-security-learned MAC addresses to sticky secure
MAC addresses on voice VLAN 10
...
Programming Authentication Methods
Switch(config)#username admin secret cisco
Creates a user named admin whose password
cisco is stored as a salted MD5 hash (a type 5
secret) rather than as a reversible type 7 string
168
...
12 auth-port 1812 key
S3CR3TKEY
Specifies a RADIUS server at
192
...
55
...
Switch(config)#aaa new-model
Enables the authentication, authorization,
and accounting (AAA) access control
mode
...
Authenticates to the RADIUS
server first and locally defined users
second, and uses the line password as the
last resort
...
Switch(config)#line vty 0 15
Enters VTY configuration mode
...
Switch(config-line)#login authentication default
Uses the IOS AAA service to authenticate
the default user group
...
Switch(config-line)#line console 0
Enters console 0 configuration mode
...
NOTE: If authentication is not
specifically set for a line, the default is to
deny access and no authentication is
performed
...
802.1x Port-Based Authentication
The IEEE 802 ...
The authentication server authenticates each host connected to a switch port before making available any services offered by the switch or the LAN.
Switch(config)#aaa authentication dot1x default group radius
Creates an 802 ... This method specifies using a RADIUS server for authentication. The software uses the first method listed to authenticate users; if that method fails to respond, the software selects the next authentication method in the method list. If authentication fails at any point in this cycle, the authentication process stops, and no other authentication methods are attempted.
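How a method list such as the guide's RADIUS-first, local-second, line-last sequence is walked, as an added model (not code from the command guide): only a method that fails to respond is skipped, while a method that answers with a reject ends the attempt. The credential stores, the reachability flag and the "none" fallback list are constructed for the example.

```python
"""Model of how IOS walks an AAA authentication method list such as
'aaa authentication login default group radius local line'.
Added example; the back-end behaviour and credentials are constructed."""
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"          # the method authenticated the user
    REJECT = "reject"          # the method answered and denied the user
    NO_RESPONSE = "error"      # the method could not answer (server down, not configured)


# Constructed credential stores; admin/cisco mirrors the guide's username command.
RADIUS_USERS = {"alice": "radius-pw"}
LOCAL_USERS = {"admin": "cisco"}
LINE_PASSWORD = "line-pw"


def group_radius(servers_reachable, users):
    """'group radius': no reachable server means no answer; otherwise the
    server's accept or reject is final."""
    def method(user, password):
        if not servers_reachable:
            return Result.NO_RESPONSE
        return Result.ACCEPT if users.get(user) == password else Result.REJECT
    return method


def local(users):
    """'local': answers from the local username database. In this model an
    empty database gives no answer; a wrong password or unknown user is a reject."""
    def method(user, password):
        if not users:
            return Result.NO_RESPONSE
        return Result.ACCEPT if users.get(user) == password else Result.REJECT
    return method


def line(line_password):
    """'line': the VTY/console line password, ignoring the username."""
    def method(user, password):
        if line_password is None:
            return Result.NO_RESPONSE
        return Result.ACCEPT if password == line_password else Result.REJECT
    return method


def none(user, password):
    """'none': no authentication at all, so every attempt is accepted."""
    return Result.ACCEPT


def authenticate(method_list, user, password):
    """Walk the list in order: a method that gives no answer is skipped, the
    first method that answers decides, and exhausting the list is a failure.
    Returns (result, name of the deciding method or None)."""
    for name, method in method_list:
        result = method(user, password)
        if result is Result.NO_RESPONSE:
            continue                       # fall through to the next method
        return result, name                # an answer is final, stop here
    return Result.REJECT, None


def login_default(radius_reachable, user, password):
    """The guide's 'RADIUS first, local second, line last' list."""
    method_list = [
        ("group radius", group_radius(radius_reachable, RADIUS_USERS)),
        ("local", local(LOCAL_USERS)),
        ("line", line(LINE_PASSWORD)),
    ]
    return authenticate(method_list, user, password)


def radius_then_none(radius_reachable, user, password):
    """'group radius none': once the servers stop answering, anyone is accepted,
    which is why the guide says 'none' belongs only as a later method."""
    method_list = [
        ("group radius", group_radius(radius_reachable, RADIUS_USERS)),
        ("none", none),
    ]
    return authenticate(method_list, user, password)
```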
none—Uses no authentication. This method should only be used as a second method. In this case, no authentication is used.
... 1x port-based authentication.
Switch(config-if)#authentication port-control auto
Enables 802 ...
NOTE: The authentication port-control command supersedes the dot1x port-control command in IOS version 12 ... Both commands are supported.
... This enables only Extensible Authentication Protocol over LAN (EAPOL) frames to be sent and received through the port.
... 1x authentication and causes the port to transition to the authorized state without any authentication exchange required.
force-unauthorized—Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate.
Switch#show dot1x
Verifies your 802 ...
Mitigating VLAN Hopping: Best Practices
Configure all unused ports as access ports so that trunking cannot be negotiated across those links.
When establishing a trunk link, purposefully configure the following:
• The native VLAN to be different from any data VLANs
• Trunking as on rather than negotiated
• The specific VLAN range to be carried on the trunk
VLAN Access Maps
VLAN access maps are the only way to control filtering within a VLAN. VLAN access maps do not work on the 2960 platform, but they do work on the 3560, 3750, and 6500 platforms.
Switch(config-ext-nacl)#permit tcp any any
The first line of an extended ACL permits any TCP packet from any source to travel to any destination address.
Switch(config-ext-nacl)#exit
Exits named ACL configuration mode and returns to global config mode.
Switch(config-ext-macl)#permit any host 0000 ... 2222
Permits traffic from any source to the destination specified by the MAC address 0000 ... 2222.
Switch(config)#vlan access-map DROP1 5
Creates a VLAN access map named DROP1 and moves into VLAN access map configuration mode. If no sequence number is given at the end of the command, a default number of 10 is assigned.
... In this case, packets filtered out by the named ACL test1 will be acted upon.
NOTE: You can configure the following actions:
Drop
Forward
Redirect (works only on a Catalyst 6500)
Switch(config)#vlan access-map DROP1 10
Creates line 10 of the VLAN access map named DROP1.
Switch(config-map)#action drop
Drops all traffic permitted by the MAC access-list SERVER2.
Switch(config-map)#action forward
Forwards traffic not specified to be dropped in lines 5 and 10 of the VLAN access-map DROP1.
Switch(config)#vlan filter DROP1 vlan-list 20-30
Applies the VLAN map named DROP1 to VLANs 20–30. Spaces around the comma and hyphen are optional.
Switch#show vlan access-map DROP1
Displays the VLAN access map named DROP1.
Switch#show vlan filter access-map DROP1
Displays the filter for the specific VLAN access map named DROP1.
Figure 7-1 Network Topology for VLAN Access Map Configuration
[figure omitted: 192 ... 168 ... 0/24 network, VLAN 20, WS1, WS2, WS3]
A specific host in VLAN 10 with an IP address of 192 ... 10 ... All other IP traffic is allowed.
3560(config)#ip access-list extended DENY_SERVER_ACL
Creates a named ACL called DENY_SERVER_ACL and moves to named ACL configuration mode.
... 168 ... 0 0 ... 0 ... 168 ... 10
Filters out all IP packets from a source address of 192 ... 20 ... 168 ... 10 ...
... 168 ... 40 host 192 ... 10 ... 168 ... 40 destined for the server at 192 ... 10 ...
3560(config-ext-nacl)#exit
Returns to global config mode.
... If no sequence number is given at the end of the command, a default number of 10 is assigned. In this case, packets filtered out by the named ACL DENY_SERVER_ACL are acted upon.
3560(config-access-map)#exit
Returns to global config mode.
3560(config-access-map)#action forward
Any packet not filtered out by the ACL in line 10 is forwarded.
3560(config)#vlan filter DENY_SERVER_MAP vlan-list 10
Applies the VLAN map to VLAN 10.
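The evaluation order behind the DROP1 and DENY_SERVER_MAP examples above, as an added model that is not the guide's own code: clauses are tried by sequence number, an ACL "permit" selects the packet for the clause's action, a clause without a match statement applies to everything, and a packet no clause selects is dropped. The addresses, MACs and ACL contents are constructed; because this extract does not show the lines of the ACL test1, DENY_SERVER_ACL stands in for it in DROP1.

```python
"""Model of how a Catalyst VLAN access map is evaluated against a packet.
Added example, not the guide's own code: ACL and map names follow the guide,
the addresses, MACs and ACL contents are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None      # None for a non-IP frame
    dst_ip: Optional[str] = None
    proto: str = "ip"


@dataclass
class IpEntry:
    """One line of an extended IP ACL, e.g. 'permit ip host A host B'."""
    permit: bool
    proto: str                        # "ip" matches any IP protocol
    src: str                          # CIDR; "0.0.0.0/0" is 'any'
    dst: str

    def matches(self, p: Packet) -> bool:
        if p.src_ip is None or p.dst_ip is None:
            return False
        if self.proto != "ip" and self.proto != p.proto:
            return False
        return (ipaddress.ip_address(p.src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst_ip) in ipaddress.ip_network(self.dst))


@dataclass
class MacEntry:
    """One line of a MAC ACL, e.g. 'permit any host 0000.1111.2222'."""
    permit: bool
    src: str                          # "any" or a MAC in dotted form
    dst: str

    def matches(self, p: Packet) -> bool:
        return ((self.src == "any" or self.src == p.src_mac)
                and (self.dst == "any" or self.dst == p.dst_mac))


def acl_permits(entries, p: Packet) -> bool:
    """First matching entry decides; an ACL ends with an implicit deny."""
    for e in entries:
        if e.matches(p):
            return e.permit
    return False


def vacl_action(access_map: Dict[int, Tuple[Optional[str], str]],
                acls: Dict[str, list], p: Packet) -> Tuple[str, Optional[int]]:
    """Clauses are tried in sequence-number order. A clause's ACL 'permit' means
    the packet is selected and the clause's action applies; a clause with no
    match statement applies to everything; a packet selected by no clause is
    dropped (the VLAN map's implicit deny). Returns (action, sequence)."""
    for seq in sorted(access_map):
        acl_name, action = access_map[seq]
        if acl_name is None or acl_permits(acls[acl_name], p):
            return action, seq
    return "drop", None


# Constructed ACL contents (the extract does not show test1's lines, so
# DENY_SERVER_ACL stands in for it in DROP1).
ACLS = {
    "DENY_SERVER_ACL": [IpEntry(True, "ip", "192.0.2.40/32", "192.0.2.10/32")],
    "SERVER2": [MacEntry(True, "any", "0000.1111.2222")],
}
# vlan access-map DENY_SERVER_MAP 10 / match ip address DENY_SERVER_ACL / action drop
# vlan access-map DENY_SERVER_MAP 20 / action forward
DENY_SERVER_MAP = {10: ("DENY_SERVER_ACL", "drop"), 20: (None, "forward")}
# DROP1: IP ACL at line 5, MAC ACL SERVER2 at line 10, everything else forwarded at 15
DROP1 = {5: ("DENY_SERVER_ACL", "drop"), 10: ("SERVER2", "drop"), 15: (None, "forward")}
# The same map without the trailing 'action forward' clause
DROP_ONLY = {10: ("DENY_SERVER_ACL", "drop")}
```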
Switch(config)#ip dhcp snooping
Enables DHCP snooping globally.
Switch(config)#ip dhcp snooping vlan 20
Enables DHCP snooping on VLAN 20.
Switch(config)#ip dhcp snooping vlan 20 30
Enables DHCP snooping on VLANs 20–30.
Switch(config)#ip dhcp snooping information option
Enables DHCP option 82 insertion. In some networks, you might need additional information to determine which IP address to allocate. The relay agent adds the circuit identifier suboption and the remote ID suboption to the relay information option and forwards this all to the DHCP server.
Switch(config-if)#switchport trunk encapsulation dot1q
Creates an uplink trunk with 802 ...
Switch(config-if)#switchport mode trunk
Forces the switchport to be a trunk.
Switch(config-if)#ip dhcp snooping trust
Configures the interface as trusted. It is usually the port connected to the DHCP server or to uplink ports.
Switch(config-if)#ip dhcp snooping limit rate 75
Configures the number of DHCP packets per second that an interface can receive. The default is no rate configured.
Switch(config-if)#ip dhcp snooping verify mac-address
Configures the switch to verify that the source MAC address in a DHCP packet that is received on an untrusted port matches the client hardware address in the packet.
Switch#show ip dhcp snooping binding
Displays only the dynamically configured bindings in the DHCP snooping binding database.
Implementing Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) determines the validity of an ARP packet. DAI does not work on the 2960.
3560Switch(config)#ip arp inspection vlan 10
Enables DAI on VLAN 10.
3560Switch(config)#ip arp inspection vlan 10-20
Enables DAI on VLANs 10 to 20 inclusive.
... This check is performed on both ARP requests and responses.
... This check is performed on both ARP requests and responses.
... 0 ... 0, 255 ... 255 ... Sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses.
Switch(config-if)#ip arp inspection trust
Configures the connection between switches as trusted.
Verifying DAI
Switch#show ip arp inspection interfaces
Verifies the dynamic ARP configuration.
Switch#show ip arp inspection statistics vlan 10
Displays the dynamic ARP inspection statistics for VLAN 10.
Configuring IP Source Guard
IP Source Guard dynamically maintains a per-port table with IP-to-MAC-to-switch port bindings. The binding table can also be manually populated.
Switch(config)#ip dhcp snooping vlan 10-35
Enables DHCP snooping on VLANs 10–35.
Switch(config-if)#ip verify source port-security
Enables IP Source Guard with IP and MAC address filtering on the port.
Switch(config)#ip source binding 0000 ... 2222 vlan 35 10 ... 1 ...
... 1111 ... 1 ... 1, and interface gigabitethernet1/0/1 ...
Switch#show ip verify source
Displays the IP Source Guard configuration on the switch or on a specific interface.
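The binding database that DHCP snooping builds, and how the DAI checks described above (src-mac, dst-mac and ip validation, then the binding lookup) and IP Source Guard consult it, as an added model that is not the guide's own code. The ports, MAC addresses and IP addresses are constructed; the trusted-port, port-security and static-binding behaviour follows the command descriptions in this section.

```python
"""Model of the DHCP snooping binding database and the two features that
consult it: Dynamic ARP Inspection (DAI) and IP Source Guard.
Added example, not the guide's own code; ports, MACs and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Binding:
    """One row of the binding database (show ip dhcp snooping binding)."""
    mac: str
    ip: str
    vlan: int
    interface: str
    kind: str          # "dhcp-snooping" (learned) or "static" (ip source binding)


class BindingTable:
    def __init__(self) -> None:
        self.rows: List[Binding] = []

    def learn_from_dhcp_ack(self, mac, ip, vlan, interface):
        """Dynamic entry: DHCP snooping saw the lease granted on an untrusted port."""
        self.rows.append(Binding(mac, ip, vlan, interface, "dhcp-snooping"))

    def add_static(self, mac, ip, vlan, interface):
        """Static entry, as 'ip source binding MAC vlan N IP interface X' creates."""
        self.rows.append(Binding(mac, ip, vlan, interface, "static"))

    def lookup(self, mac, ip, vlan) -> Optional[Binding]:
        return next((b for b in self.rows
                     if b.mac == mac and b.ip == ip and b.vlan == vlan), None)


@dataclass
class ArpPacket:
    eth_src: str       # Ethernet header
    eth_dst: str
    op: str            # "request" or "response"
    sender_mac: str    # ARP body
    sender_ip: str
    target_mac: str
    target_ip: str


def _invalid_ip(ip: str) -> bool:
    """Addresses the 'validate ip' check treats as invalid: 0.0.0.0,
    255.255.255.255 and any multicast address."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.ip_address(ip).is_multicast


def dai_inspect(table, pkt, vlan, trusted=False) -> Tuple[bool, str]:
    """Inspect one ARP packet. A trusted port is not inspected; an untrusted port
    gets the src-mac, dst-mac and ip validations, then the binding check."""
    if trusted:
        return True, "trusted port, not inspected"
    if pkt.eth_src != pkt.sender_mac:               # src-mac: requests and responses
        return False, "ethernet source differs from ARP sender MAC"
    if pkt.op == "response" and pkt.eth_dst != pkt.target_mac:
        return False, "ethernet destination differs from ARP target MAC"  # responses only
    if _invalid_ip(pkt.sender_ip):                  # sender IP: requests and responses
        return False, "invalid sender IP"
    if pkt.op == "response" and _invalid_ip(pkt.target_ip):   # target IP: responses only
        return False, "invalid target IP"
    if table.lookup(pkt.sender_mac, pkt.sender_ip, vlan) is None:
        return False, "sender IP/MAC pair not in the binding table"
    return True, "ok"


def ip_source_guard_permits(table, interface, vlan, src_mac, src_ip,
                            port_security=True) -> bool:
    """'ip verify source' on a port: the source IP must be bound to this port and
    VLAN; with the port-security keyword the source MAC must match as well."""
    for b in table.rows:
        if b.interface == interface and b.vlan == vlan and b.ip == src_ip:
            if not port_security or b.mac == src_mac:
                return True
    return False


def build_table() -> BindingTable:
    """Constructed bindings: a client learned by snooping and a static entry."""
    t = BindingTable()
    t.learn_from_dhcp_ack("0000.1111.aaaa", "10.1.1.20", 10, "FastEthernet0/5")
    t.add_static("0000.1111.2222", "10.1.1.1", 10, "GigabitEthernet1/0/1")
    return t
```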
Understanding Cisco Discovery Protocol Security Issues
Although Cisco Discovery Protocol (CDP) is necessary for some management applications, CDP should still be disabled in some instances:
• The device is located in an insecure environment.
• The interface is a nontrunk interface.
Use the interface configuration command no cdp enable to disable CDP on a specific interface:
Switch(config)#interface fastethernet 0/12
Switch(config-if)#no cdp enable
Link Layer Discovery Protocol Configuration
IEEE 802 ...
Switch(config)#lldp run
Enables LLDP globally.
Switch(config)#lldp reinit 2
Configures the delay time (seconds) for LLDP to initialize on an interface.
Switch(config)#interface fastethernet 0/0
Moves to interface configuration mode.
Switch(config-if)#lldp receive
Enables the interface to receive LLDP packets.
Switch#show lldp interface fastethernet 0/10
Limits display information about LLDP to interface fastethernet 0/10.
Configuring the Secure Shell Protocol
CAUTION: Secure Shell (SSH) version 1 implementations have known security issues.
NOTE: To work, SSH requires a local username database, a local IP domain, and an RSA key to be generated.
Switch(config)#username Roland password tower
Creates a locally significant username/password combination.
Switch(config)#ip domain-name test
...
Switch(config)#crypto key generate rsa
Enables the SSH server for local and remote authentication on the switch and generates an RSA key pair.
Switch(config)#line vty 0 15
Moves to VTY configuration mode.
Switch(config-line)#transport input ssh
Configures SSH communication protocol.
Switch#show ssh
Shows the status of the SSH server.
... 168 ... 15
Creates a standard ACL that filters out traffic from source address 192 ... 1 ...
Switch(config)#line vty 0 15
Moves to VTY line mode.
Switch(config-line)#access-class 10 in
Restricts incoming VTY connections to addresses filtered by ACL 10.
Web Interface Sessions
Switch(config)#access-list 10 permit host 192 ... 1 ... 168 ... 15 ...
Switch(config)#ip http secure-server
Enables the HTTPS server on the switch.
Switch(config)#ip http authentication local
Authenticates HTTP sessions with the router using the local user database.
Securing End-Device Access Ports
Disabling Unneeded Services
TIP: Cisco devices implement various TCP and User Datagram Protocol (UDP) servers to help facilitate management and integration of devices.
Switch(config)#no service tcp-small-servers
Disables minor TCP services—echo, discard, chargen, and daytime—available from hosts on the network.
Switch(config)#no ip finger
Disables the finger service.
NOTE: The previous version of the [no] ip finger command was the [no] service finger command.
Switch(config)#no service config
Disables the config service.
Switch(config)#no ip http server
Disables the HTTP server service.
... All commands entered in this mode are applied to all interfaces in the range.
NOTE: The switchport host command is a macro that performs the following actions:
• Sets the switch port mode to access
• Enables Spanning Tree PortFast
• Disables channel grouping
The switchport host command does not have a no keyword to disable it.
Figure 8-1 Router Switch and Phone
[figure omitted: WAN, PSTN, GW, LAN, Si, L3 Switch, TRUNK, Data VLAN (native), Voice VLAN (802 ...)]
IP phones perform voice-to-IP (and vice versa) coding and compression using special hardware. Switches provide aggregation and centralized 48Vdc power for the end voice devices using 802 ... The switches also perform basic quality of service (QoS) functions. It also provides scalability and availability using clustering and distributed processing. Link efficiency mechanisms, such as compression, can also be implemented at the voice gateway.
An auxiliary VLAN is configured at the voice and data aggregation access switch. This feature places the VoIP phones in their own VLANs without any end-user intervention. The multi-VLAN access ports are not trunk ports, even though the hardware is set to the dot1q trunk.
Switch(config-if)#switchport mode access
Configures the port to be an access port only.
Switch(config-if)#switchport voice vlan 110
Assigns this port to be a member port in the auxiliary voice VLAN 110.
Switch(config-if)#spanning-tree bpduguard enable
Puts this interface in the error-disabled state if it receives a bridge protocol data unit (BPDU) from another switch.
Switch(config-if)#cdp enable
Enables Cisco Discovery Protocol (CDP) at the interface. When a Cisco IP Phone is detected, the ingress classification on the port is set to trust the QoS label received in the packet.
Switch#show vlan
Displays the VLANs created on the switch and the switch ports assigned to them.
Power over Ethernet
... 3af standard. No specific configuration is required to choose the Cisco pre-standard or the 802 ... Power over Ethernet device detection is enabled through CDP when using a Cisco inline power network device.
... 3at amendment of the PoE standard was approved in September 2009. Cisco's pre-standard interim solution, Enhanced PoE, provided 20 watts of power per port. Every switch has a dedicated maximum amount of power available for PoE.
Switch(config)#interface fastethernet 0/10
Moves into interface configuration mode.
... If enough power is available, automatically allocates power to the PoE port after device detection.
NOTE: The powered device sends CDP messages to a PoE switch port requesting the amount of power it requires.
Switch#show power inline
Displays the overall PoE budget balance sheet as well as individual port usage and the Cisco device being powered.
High Availability for Voice and Video
Typical campus networks are designed with oversubscription because most campus links are underutilized. QoS is needed when congestion occurs.
NOTE: The switch QoS is disabled by default.
Switch(config)#interface fastethernet 0/10
Moves to interface configuration mode.
Switch(config-if)#mls qos trust cos
Configures the interface to believe the L2 class of service (CoS) markings on incoming traffic packets. The default port CoS value is 0. Ingress traffic is trusted, and classification is performed by examining the packet differentiated services code point (DSCP), class of service (CoS), or IP-precedence field.
Switch(config-if)#mls qos trust dscp
Configures the interface to believe the L3 differentiated services code point (DSCP) markings on incoming traffic packets. For an untagged packet, the default port CoS value is used. For a non-IP packet, the packet CoS value is used if the packet is tagged.
Switch(config-if)#mls qos trust device cisco-phone
Configures the switch port to believe the QoS markings of a Cisco IP phone if detected.
... In this case, the CoS value is set to 0. The default value is CoS 0.
... The trust argument configures the IP Phone access port to trust the priority received from the PC or attached device. Although the 6500 series switch is not tested on the BCMSN certification exam, the mls qos trust extend command has been placed in this command guide because of the large number of network professionals working with the 6500 series switch. If you set the phone to untrusted mode, all traffic coming from the PC is re-marked with the configured CoS value before being sent to the 6500 series switch. If the mode was set to trusted, the result of this command is to change the mode to untrusted.
Switch#show interfaces fastethernet 0/10 switchport
Displays the administrative and operational status of the switching port FastEthernet 0/10.
Switch#show mls qos interface fastethernet 0/10
Shows port-level QoS information for FastEthernet 0/10.
CAUTION: Although the QoS mechanisms for voice and video are the same, great care must be taken due to the high bandwidth requirements typical of video.
Configuring AutoQoS: 2960/3560/3750
Auto QoS automatically configures quality of service for voice over IP within a QoS domain. When AutoQoS is enabled on a port, it uses the label on the incoming packet to categorize traffic, to assign other packet labels, and to configure input and output queues.
NOTE: The switch applies the auto-QoS–generated commands as if the commands were entered sequentially from the command-line interface (CLI).
TIP: QoS is globally enabled when AutoQoS is enabled on the first interface.
Switch(config-if)#auto qos voip trust
Identifies this port as connected to a trusted switch or router, and automatically configures QoS for VoIP.
Switch(config-if)#auto qos voip cisco-phone
Identifies this port as connected to a Cisco IP Phone, and automatically configures QoS for VoIP. If a phone is not detected, the port is set not to trust the QoS label.
Switch#show auto qos
Displays the QoS commands entered on all interfaces.
The following commands generate the output shown in Example 8-1:
c3750(config)#interface fastethernet 0/2
c3750(config-if)#auto qos voip trust
c3750(config-if)#end
c3750#show running-config
Explanations for each of the mapping and queuing commands in Example 8-1 can be found in the IOS Command Reference for each specific switching platform.
The 6500 series switch uses the Catalyst operating system as opposed to the Cisco IOS found on the 2960/3560 series.
Console> (enable) set port qos 3/1-48 autoqos trust cos
Applies AutoQoS to ports 3/1–48 and specifies that the ports should trust CoS markings.
Console> (enable) set port qos 4/1 autoqos voip ciscoipphone
Applies AutoQoS settings for any Cisco IP Phone on module 4, port 1.
Verifying AutoQoS Information: 6500
Console> show port qos
Displays all QoS-related information.
CHAPTER 9
Integrating Wireless LANs into a Campus Network
This chapter provides information and commands concerning the following topics:
• Wireless roaming and controllers
• The Wireless Services Module (WiSM)
• Configuration example: 4402 WLAN Controller using the Configuration Wizard
• Configuration example: 4402 WLAN Controller using the web interface
• Configuration example: Configuring a 3560 switch to support WLANs and APs
• Configuration example: Configuring a wireless client
Wireless Roaming and Controllers
Layer 2 roaming is moving between access points that reside on a single IP subnet (or VLAN). Roaming between access points that reside in different IP subnets is considered Layer 3 (network layer) roaming.
The WLC handles all the logical functions of the WLAN, including security and QoS. WLAN Controllers (WLC) come in the form of appliance controllers such as the 2100, 4400, and 5500 series as well as integrated controllers as modules for ISR routers and 6500 switches.
Data and control messages are encapsulated between the Lightweight Access Point and the WLAN controller using Control And Provisioning of Wireless Access Points (CAPWAP) or Lightweight Access Point Protocol (LWAPP). LAN-deployed Lightweight Access Points (LAP) obtain an IP address via DHCP, and then join a controller via a CAPWAP/LWAPP discovery mechanism.
The Remote Edge Access Point (REAP) mode enables a LAP to reside across a wide area network (WAN) link and still be able to communicate with the WLC. This mode enables customers to configure and control two or three access points in a branch or remote office from the corporate office through a WAN link without the need to deploy a controller in each office but still offer client connectivity if the connection to their controller is lost.
The WLC can be a standalone appliance or an integrated module in a C3750, ISR router, or 6500 switch.
Figure 9-1 Switch Configuration Overview in a Controller-Based WLAN Deployment
[figure reconstructed as a table]
                     | Switch Port | QoS        | Native VLAN   | Management      | Data
Standalone AP/Bridge | Trunk       | Trust CoS  | Management    | Native VLAN     | Local VLAN
Controller-Based AP  | Access      | Trust DSCP | AP IP Network | Via Controller  | Via Controller
HREAP                | Trunk       | Trust DSCP | AP IP Network | Via Controller  | Local VLAN or via Controller
WLAN Controller      | Trunk       | Trust CoS  | Not Required  | Management VLAN | VLAN
Figure 9-2 shows the network diagram to be used as a reference for the switch configurations for standalone APs and HREAPs.
[Figure 9-2 omitted: 802 ... 1q TRUNK, WS1, WS2]
Switch Configuration for Standalone APs and HREAPs
Switch(config)#interface fastethernet 0/1
Moves to interface configuration mode.
... 1Q as the trunking protocol.
Switch(config-if)#switchport trunk allowed vlan 10,20
Enables traffic for VLAN 10 and 20 on the trunk.
Switch(config-if)#spanning-tree portfast trunk
Configures the port to start forwarding immediately for every VLAN on the trunk while determining spanning-tree port status. This feature affects all VLANs on the interface.
Switch(config-if)#mls qos trust cos
Classifies the inbound packet by Class of Service (CoS) value.
Switch(config-if)#mls qos trust dscp
Classifies the inbound packet by Differentiated Services Code Point (DSCP) value. For an untagged packet, the default port CoS value is used.
Figure 9-3 Switch Configuration for Controller-Based APs
[figure omitted: L2/L3 Switch, fa0/2 ACCESS Port, Lightweight AP, WS1, fa0/3, 802 ..., Wireless LAN Controller]
Switch(config-if)#switchport access vlan 10
Configures the port to be an access port on VLAN 10.
Switch(config-if)#spanning-tree portfast
Configures the port to start forwarding immediately while determining spanning-tree status.
Configuration for the WLC Connection
Switch(config)#interface fastethernet 0/3
Moves to interface configuration mode.
... 1Q as the trunking protocol.
Switch(config-if)#switchport trunk allowed vlan 10,20
Enables traffic for VLAN 10 and 20 on the trunk.
Switch(config-if)#spanning-tree portfast trunk
Configures the port to start forwarding immediately for every VLAN on the trunk while determining spanning-tree port status.
Switch Configuration for 4400 Series Controllers (EtherChannel)
Figure 9-4 shows the network diagram to be used as a reference for the switch configurations for a 4400 series controller using an EtherChannel.
[Figure 9-4 omitted: 802 ... 1q EtherChannel TRUNK, WS1, WS2]
Switch(config)#interface gigabitethernet 0/1
Moves to interface configuration mode.
Switch(config)#interface gigabitethernet 0/2
Moves to interface configuration mode for gigabitethernet 0/2.
Switch(config)#interface port-channel 1
Creates the port-channel logical interface port-channel 1.
... 1Q as the trunking protocol for the port channel.
Switch(config-if)#switchport trunk allowed vlan 10,20
Enables traffic for VLAN 10 and 20 on the trunk.
Switch(config-if)#spanning-tree portfast trunk
Configures the port to start forwarding immediately for every VLAN on the trunk while determining spanning-tree port status.
The Wireless Services Module
The Cisco Wireless Services Module (WiSM) is a member of the Cisco wireless LAN controller family. The Cisco WiSM consists of two separate Cisco 4404 controllers on a single module. Interfaces and IP addressing must be considered on both cards independently.
• AP-Manager interface is used as the source IP address for all Layer 3 communications between the controller and the lightweight access points.
Configuring Communication Between the Supervisor 720 and Cisco WiSM
Figure 9-5 shows the network diagram to be used as a reference for the 6500 switch configurations for the WiSM's controllers.
[Figure 9-5 omitted: Management and AP Manager addresses (40 ... 10 ... / 40 ... 15 ...) for the two controllers, and five LWAPs]
Create a VLAN local to the Sup720 chassis, which is used for communication between Cisco WiSM controllers and Catalyst Supervisor 720 over a Gigabit interface on the Supervisor and Service-Port in the Cisco WiSM.
Sup720(config)#interface vlan 222
Moves to SVI configuration mode.
... 168 ... 1 255 ... 255 ...
Sup720(config-if)#no shutdown
Turns on the interface.
Step 2 ... Then associate the previous VLAN for the service port.
Sup720(dhcp-config)#network 192 ... 222 ... 255 ... 0
Configures the IP segment used for Service-Port addressing.
... 168 ... 1
Configures the gateway IP for the Service-Port IP segment.
... 168 ... 0/24 segment.
Step 3 ...
Sup720(config)#wism service-vlan 222
Links a common IP segment between the Sup720 and the WiSM controllers.
... 168 ... 0/24 segment.
Step 4 ...
Sup720(config)#vlan 40
Creates VLAN 40 for the Management and AP-Manager IP segment.
Sup720(config-if)#ip address 10 ... 1 ... 255 ... 0
Assigns an IP address for the Management/AP Manager segment.
Sup720(config-if)#exit
Moves to global configuration mode.
... 2 ... Before proceeding with manual port channel creation (Steps 5 and 6), verify that the port channels are not already created with the show ip interface brief command.
Create two port-channel interfaces for the two independent controllers in the Cisco WiSM, and assign VLAN 40 as the native interface.
Sup720(config-if)#switchport
Configures the port to be a Layer 2 switched port.
... 1Q as the trunking protocol for the port channel.
Sup720(config-if)#switchport mode trunk
Hard codes the port as a trunk.
Sup720(config-if)#spanning-tree portfast
Configures the port to start forwarding immediately for every VLAN on the trunk while determining spanning-tree port status.
Sup720(config-if)#switchport
Configures the port to be a Layer 2 switched port.
... 1Q as the trunking protocol for the port channel.
Sup720(config-if)#switchport mode trunk
Hard codes the port as a trunk.
Sup720(config-if)#spanning-tree portfast
Configures the port to start forwarding immediately for every VLAN on the trunk while determining spanning-tree port status.
Configure the Gigabit Ethernet interfaces as trunk ports with VLAN 40 as the native VLAN.
NOTE: The Gigabit interfaces 3/1–4 correspond to the first controller in Cisco WiSM and should be a member of channel group one.
Sup720(config-if)#switchport trunk encapsulation dot1q
Chooses 802 ...
Sup720(config-if)#switchport mode trunk
Hard codes the port as a trunk.
Sup720(config-if)#spanning-tree portfast
Configures the port to start forwarding immediately for every VLAN on the trunk while determining spanning-tree port status.
Sup720(config-if)#no shutdown
Turns on the interfaces.
Sup720(config)#interface range gigabitethernet3/5 - 8
Moves to interface range configuration mode.
Sup720(config-if)#switchport
Configures the ports to be Layer 2 switched ports.
... 1Q as the trunking protocol for the port channel.
Sup720(config-if)#switchport trunk native vlan 40
Defines VLAN 40 as the native VLAN for this trunk.
Sup720(config-if)#channel-group 2 mode on
Creates channel group 2 and assigns interfaces 3/5–8 as part of it.
Sup720(config-if)#exit
Returns to global configuration mode.
The following commands can be used to configure the port-channel with native and allowed VLANs.
Sup720(config)#wism module 3 controller 1 native-vlan 40
Configures VLAN 40 as the native VLAN on the EtherChannel trunk between the Sup720 and controller 1 of the WiSM module in slot 3.
Sup720(config)#wism module 3 controller 1 allowed-vlan 30,40
Enables VLAN 30 and 40 on the EtherChannel trunk between the Sup720 and controller 1 of the WiSM module in slot 3.
Sup720(config)#wism module 3 controller 1 qos trust cos
Classifies the frame inbound to the WiSM controller 1 by CoS value.
NOTE: The controllers in the Cisco WiSM are automatically assigned to a channel group, usually a high number, and the necessary commands are added automatically.
To start the WiSM configuration, initiate a session to the WiSM from the supervisor. After the administrator establishes a session with the Cisco WiSM, the basic configuration is completed with the help of the setup script. With the completion of basic configuration, the administrator can configure the Cisco WiSM controller through the console CLI or through the Cisco WiSM controller web interface.
Configuration Example: 4402 WLAN Controller Using the Configuration Wizard
NOTE: In the WLC Configuration Wizard, all available options appear in brackets after each parameter. Commands are case sensitive.
Select 2 to boot the backup image (the image used before the last software upgrade).
Select 4 to set the backup image as the primary image.
NOTE: Option 3 is for recovery only.
Boot Options
Please choose an option from below:
1. ... 0 ... 8) (active)
2. ... 0 ... 8)
3. ...
Change active boot image
5. ...