Switching Labs:
1. Basic Switch Configuration.
switch(config)#hostname
switch(config)#enable secret jedi
switch(config)#int f0/2
switch(config)#description connection to switch2
switch(config)#line con 0
switch(config)#password console
switch(config)#login
switch(config)#line vty 0 15
switch(config)#password telnet
switch(config)#login
2. VLAN creation and assigning a Port to it.
Switch(config)#vlan 11
Switch(config-vlan)#name linux
Switch(config-vlan)#int fa0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 11
Note: VLANs 1 and 1002 to 1005 are reserved and cannot be used, changed, renamed or deleted.
3. Management VLAN, using default Native VLAN 1.
Switch(config)#int vlan 1
Switch(config-if)#ip add 192.168.1.2 255.255.255.0
Switch(config-if)#no shut
1.
Switch(config)#vlan 500
Switch(config-vlan)#name management
Switch(config-vlan)#int vlan 500
Switch(config-if)#
%LINK-5-CHANGED: Interface Vlan500, changed state to up
Switch(config-if)#ip add 178.168.1.1 255.255.0.0
2.
Switch(config-vlan)#int vlan 1
Switch(config-if)#ip add 10.1.1.1 255.0.0.0
Switch(config-if)#no shut
Switch(config-if)#
%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
4. Management VLAN, using a different VLAN.
switch(config)#int vlan 200
switch(config-if)#
%LINK-5-CHANGED: Interface Vlan1000, changed state to up
switch(config-if)#ip add 1.1.1.1 255.255.255.0
switch(config-if)#no shut
switch(config)#int f0/1
switch(config-if)#switchport access vlan 200
switch(config-if)#no shut
switch(config-if)#end
switch#ping 1.1.1.1
[Test by connecting a PC or Router to f0/1 and pinging; now you can connect to the switch and manage it using Telnet.]
5. Setting a static MAC address on a port, mac address-table command.
Switch(config)#mac address-table static aaaa.bbbb.cccc vlan 1 int f0/1
6. Same VLAN across Two switches, Access Ports between switches.
Check using Ping.
7. Two VLANs, Two Switches
Steps:
1. VLANs created on both switches should have the same names.
2. Imagine the two switches as one big switch.
3. IPs assigned: different subnets for different VLANs, Ports assigned to VLANs.
4. Trunk port between the Switches.
8. Inter VLAN: Router Configuration
Note: once VLANs are created, Hosts cannot ping the Router Gateway, as VLANs indicate separate subnets. ---check
Step 1.
Router(config)#int f0/0
Router(config-if)#no ip address
Step 2.
interface FastEthernet0/0.1
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0.2
encapsulation dot1Q 20
ip address 192.168.2.1 255.255.255.0
!
interface FastEthernet0/0.3
encapsulation dot1Q 30
ip address 192.168.3.1 255.255.255.0
Step 3.
On the Switch, VLANs have to be created and Ports should be assigned to them.
Layer 3 Switch SVI – 3560:
Verification
SVI = Switched Virtual Interfaces.
Switch(config)#ip routing
[This command enables Layer 3 features of the Switch]
interface FastEthernet0/1
switchport access vlan 10
switchport mode access
!
interface FastEthernet0/2
switchport access vlan 20
switchport mode access
Switch(config)#int vlan 10
Switch(config-if)#ip add 192.168.1.1 255.255.255.0
Switch(config-if)#int vlan 20
Switch(config-if)#ip add 193.168.1.1 255.255.255.0
Enable Routing:
Switch(config)#ip routing
NOTE: On L3 Switches Subinterfaces cannot be created.
3. Same as above.
On Switch:
interface Vlan 10
ip address 192.168.1.1 255.255.255.0
interface Vlan 20
ip address 192.168.2.1 255.255.255.0
PC0: 192.168.1.2 - IP Address, 192.168.1.1 - Gateway
PC1: 192.168.2.2 - IP Address, 192.168.2.1 - Gateway
Switch(config)#vlan 10
Switch(config-vlan)#name one
Switch(config)#vlan 20
Switch(config-vlan)#name two
Switch(config-if)#int fa0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#int fa0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Enable Routing:
Switch(config)#ip routing
9. Switchport mode types:
Switch(config-if)#switchport mode ?
  access   Set trunking mode to ACCESS unconditionally
  dynamic  Set trunking mode to dynamically negotiate access or trunk mode
  trunk    Set trunking mode to TRUNK unconditionally
Access – not trunk
Trunk – unconditional trunk
Dynamic Auto – trunk if the neighbor port is trunk or desirable
[Note: if both ports are in this mode, they will be in access state, not trunk]
Dynamic desirable – trunk if the neighbor port is trunk, desirable or auto
nonegotiate – DTP frame generation stopped
10. Changing or modifying the Trunk Native VLAN
[Note: it has to be changed across all the other switches as well, meaning if the trunk native vlan is changed on a port of one switch, the port at the opposite end should be changed also]
1. The Native VLAN is changed on a per-Port basis, like two interfaces across two switches, trunking.
2. Commands:
Switch(config-if)#switchport native ?
  vlan  Set native VLAN when interface is in trunking mode
Switch(config-if)#switchport native vlan ?
  <1-1005>  VLAN ID of the native VLAN when this port is in trunking mode
or
Switch(config-if)#switchport trunk ?
  allowed  Set allowed VLAN characteristics when interface is in trunking mode
  native   Set trunking native characteristics when interface is in trunking mode
Switch(config-if)#switchport trunk native ?
  vlan  Set native VLAN when interface is in trunking mode
Switch(config-if)#switchport trunk native vlan 10
Now:
Switch#show int f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 10 (Inactive) (note: changed)
Voice VLAN: none
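As an added check for the note above (this script is not part of the original lab notes): it parses "show interfaces trunk" output captured from both ends of a link and reports the trunk ports whose native VLANs differ. The two outputs and the Fa0/1-to-Fa0/1, Fa0/2-to-Fa0/2 cabling are constructed sample data.

```python
import re

# Constructed sample output (not from the page) of "show interfaces trunk" on two
# switches cabled Fa0/1<->Fa0/1 and Fa0/2<->Fa0/2; only SW1 had its native VLAN changed.
SW1_TRUNKS = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      10
Fa0/2       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       10,11,12
Fa0/2       1-4094
"""
SW2_TRUNKS = """\
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1
Fa0/2       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       10,11,12
Fa0/2       1-4094
"""

# One row of the first table: port, mode, encapsulation, the word "trunking", native VLAN id.
TRUNK_LINE = re.compile(r"^(\S+)\s+\S+\s+\S+\s+trunking\s+(\d+)\s*$", re.M)

def native_vlans(show_output):
    """Map each trunking port to its native VLAN from 'show interfaces trunk' output."""
    return {port: int(vlan) for port, vlan in TRUNK_LINE.findall(show_output)}

def native_mismatches(local_output, remote_output, links):
    """links = [(local_port, remote_port), ...] as cabled; returns the pairs whose native VLANs differ."""
    local, remote = native_vlans(local_output), native_vlans(remote_output)
    return [(lp, local[lp], rp, remote[rp])
            for lp, rp in links
            if lp in local and rp in remote and local[lp] != remote[rp]]
```

Run it after changing the native VLAN on one side; an empty list means both ends agree.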
11. Configuring Trunk Port encapsulation type.
Router(config-subif)#encapsulation ?
  dot1Q  IEEE 802.1Q Virtual LAN
Router(config-subif)#encapsulation dot1q ?
  <1-1005>  IEEE 802.1Q VLAN ID
Router(config-subif)#encapsulation dot1q 1 ?
  native  Make this as native vlan
12. Shutting down unused Ports:
How To Secure Unused Ports
SW1(config)#interface fa0/10
SW1(config-if)#shutdown
SW1(config)#interface range fa0/1-24
SW1(config-if)#shutdown
13. Defining allowed VLANs on a Trunk Port
Switch(config-if)#switchport trunk allowed vlan 10,11,12
Switch(config-if)#switchport trunk allowed vlan remove 4
Switch(config-if)#switchport trunk allowed vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list
Switch(config-if)#switchport trunk allowed vlan all
show int trunk
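The keywords above are easy to misread: a bare list replaces the whole allowed list, so "remove 4" after "10,11,12" changes nothing. The added example below (not from the original lab notes) replays a sequence of "switchport trunk allowed vlan" arguments starting from the IOS default of all VLANs allowed and renders the result in the range form "show int trunk" prints; the 1-4094 VLAN range is an assumption about the platform.

```python
MAX_VLAN = 4094  # assumption: extended-range VLAN IDs are available on the switch

def parse_vlan_list(word):
    """Expand an IOS VLAN list such as '10,11,12' or '1-5,20' into a set of ints."""
    vlans = set()
    for part in word.split(","):
        part = part.strip()
        if not part:
            continue
        lo, hi = map(int, part.split("-", 1)) if "-" in part else (int(part), int(part))
        if not 1 <= lo <= hi <= MAX_VLAN:
            raise ValueError(f"VLAN range out of bounds: {part}")
        vlans.update(range(lo, hi + 1))
    return vlans

def apply_allowed_vlan(current, argument):
    """Apply one 'switchport trunk allowed vlan <argument>' to the current allowed set."""
    keyword, _, rest = argument.strip().partition(" ")
    keyword = keyword.lower()
    everything = set(range(1, MAX_VLAN + 1))
    if keyword == "all":
        return everything
    if keyword == "none":
        return set()
    if keyword == "except":
        return everything - parse_vlan_list(rest)
    if keyword == "add":
        return current | parse_vlan_list(rest)
    if keyword == "remove":
        return current - parse_vlan_list(rest)
    return parse_vlan_list(argument)  # a bare WORD replaces the whole list

def compress(vlans):
    """Render a VLAN set the way 'show interfaces trunk' prints it, e.g. '1-3,10'."""
    runs = []
    for v in sorted(vlans):
        if runs and v == runs[-1][1] + 1:
            runs[-1][1] = v
        else:
            runs.append([v, v])
    return ",".join(f"{a}-{b}" if a != b else str(a) for a, b in runs)

def replay(commands):
    """Replay allowed-vlan arguments from the IOS default (all VLANs allowed)."""
    allowed = set(range(1, MAX_VLAN + 1))
    for arg in commands:
        allowed = apply_allowed_vlan(allowed, arg)
    return compress(allowed)
```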
13. Connection between different switch models, L3
14. Switch Port Security:
Topology: Screenshot of the Topology used in Packet Tracer.
The Topology used is very simple.
1. PC connected to a 2960 Switch.
2. Hacker Laptop on the side, seeking an unguarded Port.
3. PC to Switch Straight-through Cable.
Steps:
1. Run this command on the switch
Switch#sh mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.6426.8420    STATIC      Fa0/1
2. Note the PC Mac address is in the Table.
Make sure the PC MAC is in the table before enabling port security commands.
3. How to get the PC MAC into the Switch MAC Table.
Ping an IP which is different from the PC's.
If a Gateway is not given in the PC Configuration, then ping packets to an IP from a different subnet will not leave the Computer. Even if a Gateway is not given, if the IP is from the same subnet as the PC, then the Ping packets will travel to the Switch and will show up in the mac-address-table.
4. Commands to configure port security mac address sticky.
Sticky means the port security binds to the first MAC connected to the Port.
Switch(config)#int f0/1
Switch(config-if)#switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
Switch(config-if)#switchport mode access
[Note: the Port has to be changed to access]
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security violation shutdown
Maximum 1 means only 1 MAC address will be allowed; 2 means 2 will be allowed.
5. Now connect the Laptop to the port-secured port f0/1 and then Ping. Violation mode is shutdown as configured above, hence after the ping the port gets shut down.
The Rogue PC or laptop will get blocked, that is, the switch port will get blocked (as violation mode is shutdown), but only after communication begins, that is, the Ping.
6. Re-enabling ports that are shut down.
The user has to have privilege level access.
First issue shut and then no shut; it may be necessary to issue both commands again.
7. Port security allowing only a specific mac-address
Switch(config)#int f0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security mac-address 0001.6426.B420
Switch(config-if)#switchport port-security violation shutdown
The rest is the same configuration as above, testing and all.
8.
Switch#show port-security interface fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
9.
Switch#clear ?
  access-list        Clear access list statistical information
  arp-cache          Clear the entire ARP cache
  cdp                Reset cdp information
  mac                MAC configuration
  mac-address-table  MAC forwarding table
  port-security      Clear secure addresses from MAC table
  vtp                Clear VTP items
Switch#clear port-security ?
  all         Clear all secure MAC addresses
  configured  Clear all configured secure MAC addresses
  dynamic     Clear all secure MAC address auto-learned by hardware
  sticky      Clear all secure MAC address either auto-learned or configured
Violation Modes:
Shutdown (default mode): shuts the port down; it needs to be brought back up by the administrator or someone who has privilege level access.
Protect: only allows frames from the allowed MAC.
Restrict: same as protect, but a message is sent to the syslog server.
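Added example, not from the original lab notes: after a violation the "show port-security interface" output in step 8 is what tells the administrator which ports to bring back up. The script parses that output for several interfaces (constructed sample data, with one port already in Secure-shutdown) and lists the ports that were shut down by a violation or are counting violations in protect/restrict mode.

```python
import re

# Constructed sample (not from the page): two ports, Fa0/2 already shut down by a violation.
SHOW_OUTPUT = """\
Switch#show port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0001.6426.8420:1
Security Violation Count   : 0
Switch#show port-security interface fa0/2
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0011.2233.4455:1
Security Violation Count   : 1
"""

HEADER_RE = re.compile(r"^\S+#show port-security interface (\S+)")

def parse_port_security(text):
    """Turn the output into {interface: {field: value}}, one dict per 'show' header line."""
    ports, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = ports.setdefault(m.group(1).lower(), {})
        elif current is not None and " : " in line:
            key, value = (s.strip() for s in line.split(" : ", 1))
            current[key] = value
    return ports

def ports_needing_attention(ports):
    """List (interface, reason) for ports shut down by a violation or counting violations."""
    flagged = []
    for name, f in ports.items():
        if f.get("Port Status") == "Secure-shutdown":
            flagged.append((name, "shut down by port security; last source "
                            + f.get("Last Source Address:Vlan", "?")))
        elif f.get("Security Violation Count", "0") != "0":
            flagged.append((name, "violations seen in " + f.get("Violation Mode", "?") + " mode"))
    return flagged
```

The last source address on a shut-down port is the MAC that triggered the violation, which is the first thing to check before issuing shut and no shut on it.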
Switching & VLAN Show commands:
Switch#show vlan name linux
Switch#show vlan id 11
Switch#show interfaces trunk
Switch#show interface trunk
Switch#show vlan
Switch#show vlan brief
Switch#show vtp status
Switch#show interfaces g1/1 switchport
Switch#show mac address-table