
Switch configs

 

Layer 2 EtherChannel    Layer 3 EtherChannel

VLAN    Protected Ports    Private VLAN    VTP    Trunking

VACL    PACL

STP root force    PortFast    BPDU Guard    BPDU Filtering    Root Guard    Flex Link

Port security    SPAN    DHCP Snooping    ARP Inspection    IP Source Guard    MAC drop    Storm control    Port ACL

802.1x    Guest VLAN    Restricted VLAN    MAC Authentication Bypass

Double core switch    Configuring the Fabric Extender


Layer 2 EtherChannel

Switch# configure terminal
Switch(config)# interface range gigabitethernet0/4 -5
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# channel-group 5 mode on
!-- mode on = static bundle without PAgP/LACP negotiation; both ends must be configured the same way
Switch(config-if-range)# end

!

 

Layer 3 EtherChannel

Switch# configure terminal
Switch(config)# interface port-channel 5
Switch(config-if)# no switchport
Switch(config-if)# ip address 172.10.20.10 255.255.255.0
Switch(config-if)# exit
Switch(config)# interface range gigabitethernet0/4 -5
Switch(config-if-range)# no switchport
!-- the member ports must also be routed ports (no switchport) to join a Layer 3 port-channel
Switch(config-if-range)# no ip address
Switch(config-if-range)# channel-group 5 mode desirable
Switch(config-if-range)# end
!


VLAN

3524XL#vlan database
!-- On this platform VLANs are created in VLAN database mode
3524XL(vlan)#vtp server
Device mode already VTP SERVER.
3524XL(vlan)#vlan 2 name cisco_vlan_2
VLAN 2 added:
    Name: cisco_vlan_2
!-- Exit from the VLAN database for the changes to be committed
3524XL(vlan)#exit
APPLY completed.
Exiting....
3524XL#

 

3524XL#configure terminal
3524XL(config)#interface fastEthernet 0/2
3524XL(config-if)#switchport access vlan 2
!-- Assigning interface fa0/2 to VLAN 2
3524XL(config-if)#exit
3524XL(config)#interface fastEthernet 0/3
3524XL(config-if)#switchport access vlan 2
!-- Assigning interface fa0/3 to VLAN 2
3524XL(config-if)#end

3524XL#wr mem
!-- Saving the configuration

 

 


 

 

Protected Ports

 

A protected port does not forward any traffic to any other port that is also a protected port in the same switch. All traffic passing between protected ports must be forwarded through a Layer 3 (L3) device.

interface FastEthernet0/1
 switchport protected
!
interface FastEthernet0/2
 switchport protected
!
interface FastEthernet0/3
!

In this example the PCs connected to Fa0/1 and Fa0/2 cannot communicate with each other (both ports are protected), but each of them can communicate with the PC on Fa0/3, which is not protected.

 

 

Private VLAN

Isolated VLANs: ports within an isolated VLAN cannot communicate with each other at Layer 2.

Community VLANs: ports within a community VLAN can communicate with each other but cannot communicate with ports in other communities at Layer 2.

Promiscuous ports: a promiscuous port can communicate with all interfaces, including the isolated and community ports within the PVLAN.

vtp mode transparent
!-- VTP must be transparent (or off) for private VLANs, they are not propagated by VTP v1/v2
!
vlan 202
  private-vlan primary
  private-vlan association 303,440
!
vlan 303
  private-vlan community
!
vlan 440
  private-vlan isolated
!
interface FastEthernet0/1
 switchport access vlan 303
 switchport private-vlan host-association 202 303
 switchport mode private-vlan host
!
interface FastEthernet0/2
 switchport access vlan 303
 switchport private-vlan host-association 202 303
 switchport mode private-vlan host
!
interface FastEthernet0/3
 switchport access vlan 440
 switchport private-vlan host-association 202 440
 switchport mode private-vlan host
!
interface FastEthernet0/4
 switchport access vlan 440
 switchport private-vlan host-association 202 440
 switchport mode private-vlan host
!
interface FastEthernet0/5
 switchport access vlan 202
 switchport private-vlan mapping 202 303,440
 switchport mode private-vlan promiscuous
!
interface FastEthernet0/48
 description trunk port
 switchport trunk encapsulation dot1q
 switchport mode trunk
!-- a regular 802.1Q trunk carries the primary VLAN 202 and its secondary VLANs 303 and 440 to the next switch
!
interface Vlan202
 no ip address
 private-vlan mapping 303,440
!

In this example:

PCs connected to Fa0/1 and Fa0/2 (community VLAN 303) can communicate with each other.

PCs connected to Fa0/3 and Fa0/4 (isolated VLAN 440) cannot communicate with each other, nor with the community ports.

PCs connected to Fa0/1, 0/2, 0/3 and 0/4 can all communicate with the server on the promiscuous port Fa0/5.
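To check the reachability statements above mechanically, here is an added Python example (not part of the original notes) that parses the private-VLAN commands of the configuration into a small model and answers which port pairs can talk at Layer 2. The VLAN ids and port names are those used above; the configuration text is a constructed copy of the relevant lines.

```python
# Constructed sample: the private-VLAN lines of the configuration above (same VLAN ids and ports).
PVLAN_CONFIG = """
vlan 202
  private-vlan primary
  private-vlan association 303,440
vlan 303
  private-vlan community
vlan 440
  private-vlan isolated
interface FastEthernet0/1
 switchport private-vlan host-association 202 303
 switchport mode private-vlan host
interface FastEthernet0/2
 switchport private-vlan host-association 202 303
 switchport mode private-vlan host
interface FastEthernet0/3
 switchport private-vlan host-association 202 440
 switchport mode private-vlan host
interface FastEthernet0/4
 switchport private-vlan host-association 202 440
 switchport mode private-vlan host
interface FastEthernet0/5
 switchport private-vlan mapping 202 303,440
 switchport mode private-vlan promiscuous
"""

def parse_pvlan(text):
    """vlan id -> primary/community/isolated; port -> mode, primary VLAN and set of secondary VLANs."""
    vlan_types, ports, cur = {}, {}, None
    for t in (line.split() for line in text.splitlines() if line.strip()):
        if t[0] == "vlan":
            cur = ("vlan", int(t[1]))
        elif t[0] == "interface":
            cur = ("if", t[1])
            ports[t[1]] = {"mode": None, "primary": None, "sec": set()}
        elif cur[0] == "vlan" and t[0] == "private-vlan" and t[1] != "association":
            vlan_types[cur[1]] = t[1]
        elif cur[0] == "if" and t[:2] == ["switchport", "mode"]:
            ports[cur[1]]["mode"] = t[-1]                    # host or promiscuous
        elif cur[0] == "if" and t[:2] == ["switchport", "private-vlan"]:
            ports[cur[1]]["primary"] = int(t[3])             # host-association P S | mapping P S1,S2
            ports[cur[1]]["sec"] = {int(s) for s in t[4].split(",")}
    return vlan_types, ports

def can_talk(a, b, vlan_types, ports):
    pa, pb = ports[a], ports[b]
    if pa["primary"] != pb["primary"]:
        return False
    if "promiscuous" in (pa["mode"], pb["mode"]):
        # a promiscuous port reaches every secondary VLAN it maps, and other promiscuous ports
        return pa["mode"] == pb["mode"] or bool(pa["sec"] & pb["sec"])
    sa, sb = next(iter(pa["sec"])), next(iter(pb["sec"]))
    # two host ports talk only inside the same community VLAN; isolated hosts never do
    return sa == sb and vlan_types[sa] == "community"

def reachability(text):
    # pairwise Layer 2 reachability for every port pair in the configuration
    vlan_types, ports = parse_pvlan(text)
    names = sorted(ports)
    return {(a, b): can_talk(a, b, vlan_types, ports) for a in names for b in names if a < b}
```

Feeding it the real running-config section of a switch (the same commands, copied verbatim) gives the same matrix for a production PVLAN.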

 

VTP

 

The VTP server maintains a full list of all VLANs within the VTP domain and stores it in NVRAM. The server can add, delete and rename VLANs.

The VTP client also maintains a full list of all VLANs, but does not store it in NVRAM. The client cannot add, delete or rename VLANs; any change must be received from a VTP server advertisement.

A VTP transparent switch does not participate in VTP, but it forwards VTP advertisements. Its VLANs are local to the switch and stored in NVRAM.

Switch# configure terminal
Switch(config)# vtp mode server
Switch(config)# vtp domain eng_group
Switch(config)# vtp password mypassword
Switch(config)# vtp version 2
Switch(config)# vtp pruning

VTP pruning can only be enabled on a switch in VTP server mode.

The VTP version can only be configured on switches in VTP server or transparent mode.

 

Trunking

 

A trunk is configured between two devices when they need to carry traffic from multiple VLANs.

!-- Enable trunking on interface FastEthernet 0/1
3524xl(config)#int fastEthernet 0/1
3524xl(config-if)#switchport mode trunk
!-- Set the trunking encapsulation to either isl or dot1q
3524xl(config-if)#switchport trunk encapsulation isl
!-- And then allow all VLANs on the trunk
3524xl(config-if)#switchport trunk allowed vlan all
3524xl(config-if)#exit

The same on a CatOS switch:

Console> (enable) set trunk 2/12 on 1-5 isl
Adding vlans 1-5 to allowed list.
Please use the 'clear trunk' command to remove
vlans from allowed list.
Port(s) 2/12 allowed vlans modified to 1-1005.
Port(s) 2/12 trunk mode set to on.
Port(s) 2/12 trunk type set to isl

 

VACL

We need to permit only SSH traffic within VLAN 10, a Layer 2 VLAN with no IP address (no SVI), so a router ACL cannot be applied and a VLAN access map is used instead.

Sw(config)# ip access-list extended sshacl
Sw(config-ext-nacl)# permit tcp 10.10.10.0 0.0.0.255 any eq 22
Sw(config-ext-nacl)# exit
!
Sw(config)# vlan access-map tt 1
Sw(config-access-map)# match ip address sshacl
Sw(config-access-map)# action forward
Sw(config-access-map)# exit
!-- IP traffic that matches no sequence of the access map is dropped, so everything except SSH from 10.10.10.0/24 is blocked in VLAN 10
Sw(config)# vlan filter tt vlan-list 10

 

 

PACL

We need to permit only TCP traffic entering the switch on physical port Fa0/5.

Switch(config)# ip access-list extended simple-ip-acl
Switch(config-ext-nacl)# permit tcp any any
Switch(config-ext-nacl)# exit
Switch(config)# interface fastethernet0/5
Switch(config-if)# ip access-group simple-ip-acl in


STP-Root-force

Forces switch A to become the root for all VLANs by lowering its bridge priority below that of the current root (the VLAN range ends at 4094):

SwitchA(config)# spanning-tree vlan 1-4094 root primary


PortFast

Makes all Layer 2 access (non-trunk) interfaces go straight from blocking to forwarding, skipping the listening and learning states:

Switch(config)# spanning-tree portfast default

 

BPDU Guard

Global: puts every PortFast-configured interface into the error-disabled state if it receives a BPDU frame.

Switch(config)# spanning-tree portfast bpduguard default

Per interface: puts this one interface into the error-disabled state if it receives a BPDU frame.

Switch(config-if)# spanning-tree bpduguard enable

 

BPDU Filtering

Global: PortFast-configured interfaces stop sending BPDUs; if one of them receives a BPDU frame it loses its PortFast status and STP runs normally on it again.

Switch(config)# spanning-tree portfast bpdufilter default

Per interface: the interface ignores every BPDU it receives and sends none, which effectively disables STP on that port; a loop through it goes undetected, so prefer BPDU guard where an unexpected switch could be plugged in.

Switch(config-if)# spanning-tree bpdufilter enable

 

 

Root Guard

 

We know that SwA must be the root and we want to ignore any superior BPDU that would make another switch the root, so we use root guard on the ports facing those switches. A port that receives a superior BPDU goes into the root-inconsistent (blocking) state until the BPDUs stop.

Switch(config-if)# spanning-tree guard root

Switch# show spanning-tree inconsistentports


Flex link

 

Flex Links are a pair of Layer 2 interfaces (switch ports or port channels) where one interface is configured to act as a backup to the other. Spanning tree is disabled on Flex Link interfaces; the backup only forwards when the primary goes down.

Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport backup interface fastethernet0/2
Switch(config-if)# end
Switch# show interface switchport backup


Port security

First example: we want one MAC address per switch port; if more than one appears, shut the interface down.

Second example: we want one MAC address per switch port, and it must be 1000.2000.3000.

Switch(config)# interface fastethernet0/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown

Switch(config)# interface fastethernet0/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# switchport port-security mac-address 1000.2000.3000

Optionally, a port err-disabled by a violation can be re-enabled automatically after a timeout:

Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 30

 

SPAN

 

!-- Old syntax (2900XL/3500XL): copy the traffic of Fa0/12 to Fa0/8, where the sniffer is connected
interface FastEthernet0/8
 port monitor FastEthernet0/12
!
!-- Newer syntax: copy the traffic of Fa0/9 to Fa0/5
monitor session 1 source interface Fa0/9
monitor session 1 destination interface Fa0/5

DHCP Snooping

 

Trusted ports can forward DHCP requests and server replies (ACK). Untrusted ports can forward only DHCP requests; a server reply arriving on an untrusted port is dropped. By default all ports are untrusted.

The switch builds a DHCP snooping binding database from the exchanges it sees.

configure terminal
ip dhcp snooping
ip dhcp snooping vlan 6
!-- enable snooping on VLAN 6; the switch also compares the frame's source MAC with the client hardware address in the DHCP message and drops mismatches
!
interface fastethernet 0/1
 description connected to DHCP server or uplink toward DHCP server
 ip dhcp snooping trust
 ip dhcp snooping limit rate 300


ARP Inspection

We need to protect one IP address in VLAN 10 (here 10.10.10.254) from ARP poisoning: we bind it to its real MAC address and deny any other MAC that claims that IP.

arp access-list arp-inspection
 permit ip host 10.10.10.254 mac host 1111.2222.3333 log
 deny   ip host 10.10.10.254 mac any log
 permit ip any mac any
!
ip arp inspection vlan 10
ip arp inspection filter arp-inspection vlan 10 static
!-- "static": the ARP ACL decides alone, the DHCP snooping database is not consulted for packets the ACL does not explicitly permit

If DHCP snooping is in use, the switch builds the snooping binding database itself, so the ARP ACL is not needed.

Trunks/uplinks must be trusted, because the DHCP snooping database is local to each switch.

configure terminal
ip arp inspection vlan 10
!
interface fastethernet 0/24
 description uplink to switch2
 ip arp inspection trust
 switchport mode trunk

 

IP Source Guard

 

IPSG restricts IP traffic on non-routed Layer 2 interfaces by filtering traffic based on the DHCP snooping binding database and on manually configured IP source bindings. It prevents a host from using the IP address of its neighbour.

configure terminal
ip dhcp snooping
ip dhcp snooping vlan 6
ip dhcp snooping information option
!
interface fastethernet 0/1
 ip verify source
!-- "ip verify source" checks the source IP only; "ip verify source port-security" checks source IP and MAC (port security must be enabled on the port)
!
!-- A static binding can be configured manually for a host that does not use DHCP
ip source binding 0100.0022.0010 vlan 6 10.0.0.2 interface gigabitethernet1/0/1


MAC drop

On the distribution switch, drop all traffic to or from one MAC address in one VLAN:

mac-address-table static 0004.231c.d91f vlan 111 drop

 

 

Storm control

A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance.

SW# configure terminal
SW(config)# interface gigabitethernet1/0/1
SW(config-if)# storm-control broadcast level 60
!-- broadcast traffic above 60% of the port bandwidth is suppressed
SW(config-if)# storm-control action trap
!-- or: storm-control action shutdown (err-disables the port instead of only sending an SNMP trap)

 

 

PORT ACL

Applied to Layer 2 interfaces on the switch.

configure terminal
mac access-list extended deny-to-osama-mac
 deny any host 0000.861f.3745
 permit any any
exit
interface gigabitethernet1/0/1
 mac access-group deny-to-osama-mac in


802.1x

 

Clients use 802.1x with the MD5-challenge option. In RADIUS, add attributes 64, 65 and 81 for dynamic VLAN assignment. For more details: http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a00801d11a4.shtml

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!-- network authorization is what lets the RADIUS attributes 64/65/81 assign the VLAN
!
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
!
interface FastEthernet0/2
 description connected to HUB (many users)
 switchport mode access
 dot1x port-control auto
 dot1x host-mode multi-host
!-- multi-host: once the first client authenticates, every other MAC on the port is allowed too
!
radius-server host 10.10.10.10 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key blablabla
radius-server vsa send
!

To let the dot1x client use Windows credentials (SSO), choose PEAP and tick the option to automatically use the Windows username/password.

To integrate ACS with the domain controller, join it to the domain and follow the instructions here (https://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00801df0e4.shtml#config-acs) to install a certificate on it.

In ACS, use database group mapping to map a Windows group to an ACS group (which represents a VLAN).

 

 

Guest Vlan

 

If a client does not support 802.1x, it is assigned to the guest VLAN after 90 s.

dot1x guest-vlan supplicant
!-- global: the client is moved to the guest VLAN even if it fails authentication, not only when it has no supplicant
!
interface fastethernet 0/1
 dot1x port-control auto
 dot1x guest-vlan 15
!


Restricted Vlan

If a dot1x client fails authentication, it is assigned to a restricted VLAN; after 60 s the switch tries to re-authenticate it.

interface fastethernet 0/1
 dot1x port-control auto
 dot1x auth-fail max-attempts 3
!-- failed attempts before the port is moved to the restricted VLAN (3 is the default)
 dot1x auth-fail vlan 15

!

 

MAC Authentication Bypass

 

If a printer is connected to a dot1x port, we authenticate it using its MAC address, which is stored in ACS.

interface fastethernet 0/1
 dot1x port-control auto
 dot1x mac-auth-bypass

!

 

 

Double Core switch

 

6509_1

!

spanning-tree mode mst

spanning-tree portfast default

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

!

spanning-tree mst configuration

 name MST_XY

 revision 1

 instance 1 vlan 1, 120, 101

 instance 2 vlan 10

!

spanning-tree mst 1 priority 4096

spanning-tree mst 2 priority 8192

!

vtp mode server

vtp domain eng_group

vtp password mypassword

vtp version 2

vtp pruning

!

interface Port-channel1

 no ip address

 speed nonegotiate

 switchport

 switchport trunk encapsulation dot1q

 switchport mode trunk

 switchport nonegotiate

!

interface GigabitEthernet9/1

 description **** UPLINK to 7E   ***

 no ip address

 speed nonegotiate

 switchport

 switchport trunk encapsulation dot1q

 switchport mode trunk

 switchport nonegotiate

 spanning-tree bpduguard disable

!

interface GigabitEthernet9/2

 description **** UPLINK to 3E   ***

 no ip address

 speed nonegotiate

 switchport

 switchport trunk encapsulation dot1q

 switchport mode trunk

 switchport nonegotiate

 spanning-tree bpduguard disable

!

.....

interface GigabitEthernet9/47

 description inter-chassis trunk

 no ip address

 speed nonegotiate

 switchport

 switchport trunk encapsulation dot1q

 switchport mode trunk

 switchport nonegotiate

 spanning-tree bpduguard enable

 channel-group 1 mode on

!

interface GigabitEthernet9/48

 description inter-chassis trunk

 no ip address

 speed nonegotiate

 switchport

 switchport trunk encapsulation dot1q

 switchport mode trunk

 switchport nonegotiate

 spanning-tree bpduguard enable

 channel-group 1 mode on

!

.....

!

interface Vlan120

 ip address 10.120.120.252 255.255.255.0

 standby 120 ip 10.120.120.254

 standby 120 timers 1 4

 standby 120 priority 150

 standby 120 preempt

!

interface Vlan10

 ip address 10.10.10.252 255.255.255.0

 standby 10 ip 10.10.10.254

 standby 10 timers 1 4

 standby 10 preempt

!

.....

6509_2

!

spanning-tree mode mst

spanning-tree portfast default

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

!

spanning-tree mst configuration

 name MST_XY

 revision 1

 instance 1 vlan 1, 120, 101

 instance 2 vlan 10

!

spanning-tree mst 1 priority 8192

spanning-tree mst 2 priority 4096

!

vtp mode server

vtp domain eng_group

vtp password mypassword

vtp version 2

vtp pruning

!

interface Port-channel1

 no ip address

 speed nonegotiate

 switchport

 switchport trunk encapsulation dot1q

 switchport mode trunk

 switchport nonegotiate

!

interface GigabitEthernet9/1

 description **** UPLINK to 7E   ***

 no ip address

 speed nonegotiate

 switchport

 switchport trunk encapsulation dot1q

 switchport mode trunk

 switchport nonegotiate

 spanning-tree bpduguard disable

!

interface GigabitEthernet9/2

 description **** UPLINK to 3E   ***

 no ip address

 speed nonegotiate

 switchport

 switchport trunk encapsulation dot1q

 switchport mode trunk

 switchport nonegotiate

 spanning-tree bpduguard disable

!

.....

interface GigabitEthernet9/47

 description inter-chassis trunk

 no ip address

 speed nonegotiate

 switchport

 switchport trunk encapsulation dot1q

 switchport mode trunk

 switchport nonegotiate

 spanning-tree bpduguard enable

 channel-group 1 mode on

!

interface GigabitEthernet9/48

 description inter-chassis trunk

 no ip address

 speed nonegotiate

 switchport

 switchport trunk encapsulation dot1q

 switchport mode trunk

 switchport nonegotiate

 spanning-tree bpduguard enable

 channel-group 1 mode on

!

.....

!

interface Vlan120

 ip address 10.120.120.253 255.255.255.0

 standby 120 ip 10.120.120.254

 standby 120 timers 1 4

 standby 120 preempt

!

interface Vlan10

 ip address 10.10.10.253 255.255.255.0

 standby 10 ip 10.10.10.254

 standby 10 timers 1 4

 standby 10 priority 150

 standby 10 preempt

!

………….
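The port-hardening settings from the sections above (port security, BPDU guard, DHCP snooping trust, no DTP negotiation on trunks) are easy to miss on one interface among hundreds. As an added example that is not part of the original notes, the following Python script parses an IOS-style running-config into interface blocks and reports the interfaces that violate those settings; the configuration text is a constructed sample and the checks are this example's own choices.

```python
# Constructed sample running-config assembled from the snippets on this page:
# a hardened access port, a weak access port, a negotiating port and an uplink trunk.
SAMPLE_CONFIG = """
ip dhcp snooping
spanning-tree portfast bpduguard default
interface FastEthernet0/1
 switchport mode access
 switchport port-security
interface FastEthernet0/2
 switchport mode access
 ip dhcp snooping trust
interface FastEthernet0/3
 switchport mode dynamic desirable
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
!
"""

def parse_config(text):
    """Split an IOS-style config into (global lines, {interface: [lines]})."""
    glob, ifaces, cur = [], {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == "!":
            cur = None                       # a blank line or '!' ends the interface block
        elif line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif cur:
            ifaces[cur].append(line)
        else:
            glob.append(line)
    return glob, ifaces

def has(lines, prefix):
    return any(l.startswith(prefix) for l in lines)

def audit(text):
    """Return sorted (interface, finding) pairs for the hardening points covered on this page."""
    glob, ifaces = parse_config(text)
    findings = []
    if not has(glob, "ip dhcp snooping"):
        findings.append(("global", "DHCP snooping disabled"))
    guard_default = has(glob, "spanning-tree portfast bpduguard default")
    for name, lines in ifaces.items():
        mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode ")), None)
        if mode == "access":
            if not has(lines, "switchport port-security"):
                findings.append((name, "access port without port-security"))
            if has(lines, "ip dhcp snooping trust"):
                findings.append((name, "access port trusted for DHCP snooping"))
            if not guard_default and not has(lines, "spanning-tree bpduguard enable"):
                findings.append((name, "access port without BPDU guard"))
        elif mode == "trunk":
            if not has(lines, "switchport nonegotiate"):
                findings.append((name, "trunk without switchport nonegotiate (DTP still active)"))
        else:
            findings.append((name, "mode not pinned to access or trunk (DTP negotiation possible)"))
    return sorted(findings)
```

Run it over the output of show running-config saved to a file; interfaces that are legitimately uplinks can be excluded by their description before the report is acted on.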

 

 

Configuring the Fabric Extender

 

This example shows how to associate the Fabric Extender (FEX 100) with a port-channel interface on the parent device.

switch# configure terminal

switch(config)# interface port-channel 4

switch(config-if)# switchport mode fex-fabric

switch(config-if)# fex associate 100

switch(config-if)# exit

switch(config)# interface ethernet 1/37

switch(config-if)# switchport mode fex-fabric

switch(config-if)# fex associate 100

switch(config-if)# channel-group 4

switch(config-if)# exit

switch(config)# interface ethernet 1/38

switch(config-if)# switchport mode fex-fabric

switch(config-if)# fex associate 100

switch(config-if)# channel-group 4

switch(config-if)# exit

switch(config)# interface ethernet 1/39

switch(config-if)# switchport mode fex-fabric

switch(config-if)# fex associate 100

switch(config-if)# channel-group 4

switch(config-if)# exit

switch(config)# interface ethernet 1/40

switch(config-if)# switchport mode fex-fabric

switch(config-if)# fex associate 100

switch(config-if)# channel-group 4