Narbik’s Soup-to-Nuts [Switching] Lab 1

<begin lab1 interesting stuff>

LAB 1:

  • Two directly connected 3550 ports negotiate an ISL trunk (shown as “n-isl” in show interfaces trunk), because the 3550 default port mode is dynamic desirable and its default encapsulation is negotiate, which prefers ISL when both sides support it.
  • On a 3560, ports default to dynamic auto, so two 3560 ports never form a trunk on their own: at least one side must be set to “switchport mode trunk” or “switchport mode dynamic desirable”.
  • Extended-range VLANs (1006–4094) can only be created when VTP is in transparent mode. They can only be created in global config mode, not in VLAN database mode, and they appear in the running/startup config but NOT in the VLAN database file (vlan.dat).
  • A Catalyst switch can be configured so that the IP address of one of its interfaces is used as the source of all VTP messages: (config)#vtp interface lo0. Verify it on the last line of show vtp status (the “Local updater ID” line).
  • The STP priority of a given VLAN is the base priority plus the VLAN number (the extended system ID), e.g. 32768 + (vlan) 12 = 32780.
  • To make a switch root for VLANs 12 and 34 with the “root” macro: (config)#spanning-tree vlan 12,34 root primary. “root primary” is a one-shot MACRO: it lowers the base priority to 24576 (8192 below the default) when that is enough to win the election, otherwise to 4096 below the current root’s priority. With everything else at default, VLAN 12 ends up at 32768 + 12 - 8192 = 24588. Because the macro runs once and does not track later changes on other switches, verify with show spanning-tree vlan 12.
  • The global command “spanning-tree portfast bpduguard default” puts any PortFast-enabled port into err-disable (shuts it down) as soon as it receives a BPDU.
  • The switchport trunk encapsulation command takes one of: 1) dot1q, 2) isl, 3) negotiate (the local interface negotiates with the neighboring interface and settles on dot1q or ISL; ISL is preferred when both sides support it).
  • switchport mode trunk puts the interface into permanent (unconditional) trunking mode. It still sends DTP frames to the neighbor unless “switchport nonegotiate” is added.
  • MONITOR session (local SPAN):
    • cat1(config)#monitor session 1 source interface f0/14 both
    • cat1(config)#monitor session 1 destination interface f0/15
    • There can only be two monitor sessions per switch. The source direction can be rx, tx or both; VLAN sources can ONLY be monitored in the rx direction.
    • Verify: #show monitor session 1
  • Configuring SNMP:
    • The switch must have an IP address configured, otherwise SNMP cannot be set up (there is nothing to send traps from).
    • Set the trap receiver (NMS): (config)#snmp-server host 192.168.1.1 private. Here “private” is the community string; it is a well-known default and travels in cleartext with SNMPv1/v2c, so use a non-default string (or SNMPv3) outside the lab.
    • Enable MAC-address traps to the NMS: (config)#snmp-server enable traps mac-notification
    • Enable MAC-address notification globally: (config)#mac-address-table notification
    • Send a trap from Fa0/1 whenever a MAC address is learned on it: int fa0/1 –> #snmp trap mac-notification added
    • To also report when learned MAC addresses age out or are removed, add: #snmp trap mac-notification removed
    • Verify: show mac-address-table notification interface f0/1
  • Regular and Smartport macros:
    • Define a port range (regular interface-range macro): (config)#define interface-range router-ports f0/1-6
    • Smartport macro (used here to configure port security):
      • (config)#macro name port-secur <– starts with a macro name; the macro can later be applied to an interface, an interface range or a regular interface-range macro
      • Enter macro commands one per line, end with @
      • switchport mode access
      • switchport port-security
      • switchport port-security mac-address sticky
      • switchport port-security maximum 1
      • switchport port-security violation shutdown
      • @
    • Applying the macro:
      • (config)#interface range macro router-ports
      • (config-if-range)#macro apply port-secur
    • A violation err-disables the port; bring it back with shut / no shut, or let it recover automatically with errdisable recovery cause psecure-violation.
  • Limiting broadcast traffic to 50% of the port bandwidth:
    • int fa0/1 –> #storm-control broadcast level 50.00
    • A level of 0.0 blocks that traffic type (unicast, broadcast or multicast) permanently.
    • On the 3550, when the rate of MULTICAST traffic exceeds the configured threshold, ALL incoming traffic (broadcast, multicast and unicast) is dropped until the multicast rate falls back below the threshold.
  • Protected ports:
    • If you have two ports in the same VLAN that must not be able to talk to each other, issue: int range fa0/15-16 –> switchport protected. Protected ports exchange no traffic with each other, only with non-protected ports.
    • Flooding of unknown unicast and multicast packets out of a port can be blocked (for security reasons) with –> switchport block unicast && switchport block multicast
  • Configuring dot1x:
    • (config)#dot1x system-auth-control (enables dot1x globally)
    • (config)#aaa new-model (enables AAA)
    • (config)#aaa authentication dot1x default group radius (authentication method list for dot1x)
    • (config)#radius-server host <ip> key cisco (RADIUS server and shared secret)
    • Now configure dot1x on the port. MAKE SURE the port is not in dynamic mode, otherwise dot1x won’t work; put it in access mode: switchport mode access
    • On interface fa0/15 –> dot1x port-control auto
    • Verify: show dot1x interface fa0/15
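  • The STP priority arithmetic above, worked as code. This is an added example and not part of Narbik’s lab or these notes: it models the per-VLAN priority (base + VLAN ID), the root election by lowest bridge ID (priority, then MAC), and the “root primary” macro as “24576 if that wins, otherwise 4096 below the current root”. Switch names and MAC addresses are constructed sample data; the helper names are mine.

```python
# Added example (not from the lab or the original notes): STP priority
# arithmetic for Catalyst switches with the extended system ID.
# Switch names and MACs below are constructed sample data.

DEFAULT_BASE = 32768
ROOT_PRIMARY_BASE = 24576      # 32768 - 8192, what "root primary" aims for
ROOT_SECONDARY_BASE = 28672    # 32768 - 4096, what "root secondary" sets
PRIORITY_STEP = 4096           # configurable base priorities are multiples of this
MAX_BASE = 61440


def bridge_priority(base, vlan):
    """Per-VLAN priority with the extended system ID: base + VLAN number."""
    if base % PRIORITY_STEP or not 0 <= base <= MAX_BASE:
        raise ValueError("base priority must be a multiple of 4096 in 0..61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be in 1..4094")
    return base + vlan


def mac_to_int(mac):
    """Accept Cisco (0000.0c11.1111) or colon/dash notation; lower MAC wins ties."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError("MAC must have 12 hex digits: %r" % mac)
    return int(digits, 16)


def bridge_id(base, vlan, mac):
    """Bridge ID as a tuple that compares the way STP does: lowest wins."""
    return (bridge_priority(base, vlan), mac_to_int(mac))


def elect_root(switches, vlan):
    """switches maps name -> (base priority, MAC). Returns the root's name."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))


def root_primary(switches, name, vlan):
    """Base priority `name` ends up with after `spanning-tree vlan <vlan> root primary`.

    Modelled as a one-shot macro (an assumption about the CLI, simplified here):
    use 24576 if that bridge ID beats the current root, otherwise 4096 below the
    root's base priority. A root already at 0 cannot be beaten; IOS refuses the
    command in that case, modelled here as ValueError.
    """
    _, mac = switches[name]
    others = {n: v for n, v in switches.items() if n != name}
    if not others:
        return ROOT_PRIMARY_BASE
    root_base, root_mac = others[elect_root(others, vlan)]
    if bridge_id(ROOT_PRIMARY_BASE, vlan, mac) < bridge_id(root_base, vlan, root_mac):
        return ROOT_PRIMARY_BASE
    if root_base >= PRIORITY_STEP:
        return root_base - PRIORITY_STEP
    raise ValueError("cannot become root: current root base priority is %d" % root_base)


if __name__ == "__main__":
    vlan = 12
    lab = {
        "cat1": (DEFAULT_BASE, "0000.0c11.1111"),   # constructed sample MACs
        "cat2": (DEFAULT_BASE, "0000.0c22.2222"),
    }
    print("vlan %d priority at default base: %d" % (vlan, bridge_priority(DEFAULT_BASE, vlan)))
    print("root before macro:", elect_root(lab, vlan))   # cat1 wins on lower MAC
    new_base = root_primary(lab, "cat2", vlan)
    lab["cat2"] = (new_base, lab["cat2"][1])
    print("cat2 after root primary: base %d, vlan %d priority %d"
          % (new_base, vlan, bridge_priority(new_base, vlan)))
    print("root after macro:", elect_root(lab, vlan))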

</end of lab 1 interesting stuff>
