Cisco: Troubleshooting and Fault Management Commands 2

[OSPF] Route Filtering with Standard ACL

CCNP Route, Cisco, Network September 3, 2014 Leave a comment

Filtering in OSPF is configured using the distribute-list router subcommand, which can reference either an ACL, prefix list, or a route map to determine whether or not routes should be filtered, in which direction and on which interface.

In this post, we are interesting how filtering using Standard ACL.

After configuring OSPF, on R2 we should see all the three routes

R2#show ip route ospf

10.0.0.0/32 is subnetted, 3 subnets

O 10.10.1.1 [110/11] via 192.168.1.1, 00:00:09, FastEthernet0/0

O 10.10.3.1 [110/11] via 192.168.1.1, 00:00:09, FastEthernet0/0

O 10.10.2.1 [110/11] via 192.168.1.1, 00:00:09, FastEthernet0/0

R2#

Now, we want to filter 10.10.2.0/24 to be advertised to R2 by creating an ACL, deny 10.10.2.0, notice that permit any to allow other routes to be advertised..

R2(config)#access-list 1 deny 10.10.2.0 0.0.0.255

R2(config)#access-list 1 permit any

R1(config)#

Now, we have to apply the distribute-list with the ACL number 1 in the inbound direction

PS: The OSPF algorithm requires that every router in an area receive all of the LSAs for that area, so you cannot filter outbound routing information, for this we will apply the ACL on R2 inbound:

R2(config)#router ospf 1

R2(config-router)#distribute-list 1 ?

in Filter incoming routing updates

out Filter outgoing routing updates

R2(config-router)#distribute-list 1 in fastEthernet 0/0

R2(config-router)#

And finally, the routing table on R2 should looks like (no route to 10.10.2.0/24):

R2#show ip route ospf

10.0.0.0/32 is subnetted, 2 subnets

O 10.10.1.1 [110/11] via 192.168.1.1, 00:00:13, FastEthernet0/0

O 10.10.3.1 [110/11] via 192.168.1.1, 00:00:13, FastEthernet0/0

R2#

[RIPv2] Configuring Route Summarization

CCNP Route, Cisco, Network September 15, 2014 Leave a comment

In this lab, we will see how to configure RIP route summarization.

Here’s the topology we will use:

Here’s the RIPv2 configuration before summarization:

For R1:

R1(config)#router rip

R1(config-router)#version 2

R1(config-router)#no auto-summary

R1(config-router)#network 192.168.1.0

R1(config-router)#network 172.16.0.0

For R2:

R1(config)#router rip

R2(config-router)#version 2

R2(config-router)#no auto-summary

R2(config-router)#network 192.168.1.0

The routing table of router R2 will look like this:

R2#show ip route rip

172.16.0.0/24 is subnetted, 2 subnets

R 172.16.0.0 [120/1] via 192.168.1.1, 00:00:24, FastEthernet0/0

R 172.16.1.0 [120/1] via 192.168.1.1, 00:00:24, FastEthernet0/0

Above you see both networks. Now let’s create a summary:

172.16.0.0 = 172.16.00000000.0/24

172.16.1.0 = 172.16.00000001.0/24

--------------------

= 172.16.0.0/23

The /23 is the more specific because it only covers 172.16.0.0/24 and 172.16.1.0/24

1 2	R1(config)#interface fastEthernet 0/0 R1(config-if)#ip summary-address rip 172.16.0.0 255.255.254.0

This is what it looks like on router R2:

R2#show ip route rip

172.16.0.0/23 is subnetted, 1 subnets

R 172.16.0.0 [120/1] via 192.168.1.1, 00:00:22, FastEthernet0/0

[EIGRP] Configuring Route Summarization

CCNP Route, Cisco, Network September 20, 2014 Leave a comment

In this lab, we will see how to configure EIGRP route summarization.

Here’s the topology we will use:

Here’s the RIPv2 configuration before summarization:

For R1:

R1(config)#router eigrp 100

R1(config-router)#no auto-summary

R1(config-router)#network 192.168.1.1 0.0.0.0

R1(config-router)#network 172.16.0.1 0.0.0.0

R1(config-router)#network 172.16.1.1 0.0.0.0

For R2:

R2(config-if)#router eigrp 100

R2(config-router)#no auto-summary

R2(config-router)#network 192.168.1.2 0.0.0.

The routing table of router R2 will look like this:

R2#show ip route eigrp

172.16.0.0/24 is subnetted, 2 subnets

D 172.16.0.0 [90/156160] via 192.168.1.1, 00:00:26, FastEthernet0/0

D 172.16.1.0 [90/156160] via 192.168.1.1, 00:00:26, FastEthernet0/0

Above you see both networks. Now let’s create a summary:

172.16.0.0 = 172.16.00000000.0/24

172.16.1.0 = 172.16.00000001.0/24

--------------------

= 172.16.0.0/23

The /23 is the more specific because it only covers 172.16.0.0/24 and 172.16.1.0/24

R1(config)#interface fastEthernet 0/0

R1(config-if)#ip summary-address eigrp 100 172.16.0.0 255.255.254.0

*Mar 1 00:04:44.787: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.2 (FastEthernet0/0) is down: summary configured

R1(config-if)#

*Mar 1 00:04:44.791: destroy peer: 192.168.1.2

*Mar 1 00:04:47.031: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 100: Neighbor 192.168.1.2 (FastEthernet0/0) is up: new adjacency

As you can see, the neighborship between the two routers goes down/up, because a new summary was configured.

This is what it looks like on router R2:

R2#show ip route eigrp

172.16.0.0/23 is subnetted, 1 subnets

D 172.16.0.0 [90/156160] via 192.168.1.1, 00:00:39, FastEthernet0/0

[RIPv2] Configure Unicast Updates

CCNP Route, Cisco, Network September 25, 2014 Leave a comment

RIPv1 sends everything using broadcasts compared to RIPv2, which uses multicast however you can use unicast to send RIPv2 updates, which is our topic today.

We have the following topology, we want R1, R2 and R3 to send RIPv2 advertisement using unicast instead of multicast.

After configuring RIPv2 on all routers, we need to set the interface on R1, R2 and R3 that is connected to the switch as passive interface and configure a static neighbor on these routers.

For R1:

R1(config)#router rip

R1(config-router)#passive-interface FastEthernet0/0

R1(config-router)#neighbor 10.1.123.2

R1(config-router)#neighbor 10.1.123.3

For R2:

R2(config)#router rip

R2(config-router)#passive-interface FastEthernet0/0

R2(config-router)#neighbor 10.1.123.1

R2(config-router)#neighbor 10.1.123.3

For R3:

R3(config)#router rip

R3(config-router)#passive-interface FastEthernet0/0

R3(config-router)#neighbor 10.1.123.1

R3(config-router)#neighbor 10.1.123.2

The neighbor command turns on unicast for RIP updates. However, a router still uses multicast (224.0.0.9) as well. To turn off multicast RIP updates completely, the passive-interface command is required.

[CCNA] Packet Forwarding Techniques

CCNA RnS, Cisco, Network August 1, 2014 Leave a comment

Cisco uses three types of packet-forwarding techniques

Process Switching:

this process is now extremely complex and involves looking up every destination in the routing table and finding the exit interface for every packet, has the big process problem.

Fast Switching:

This solution was created to make the slow performance of process switching faster and more efficient. Fast-switching uses a cache to store the most recently used destinations so that lookups are not required for every packet. By caching the exit interface of the destination device, as well as the layer 2 header, performance was dramatically improved.

Cisco Express Forwarding (CEF):

This is Cisco’s newer creation, and it’s the default packet-forwarding method used on all the latest Cisco routers. CEF makes many different cache tables to help improve performance and is change triggered, not packet triggered.

[CCNA] Static and Default Route

CCNA RnS, Cisco, Network June 24, 2014 Leave a comment

In this lab, you have to config the routers both HQ and BR-1 to make the connection throughout the network and with the Internet.

So all you have to do are:

1. Enable and set IP address on LAN interface of each router to be the last assignable IP of each subnet.

2. Enable serial interface on each router and set IP address on each interface as:

o s0/0/0 on BR-1: last IP of 52.7.9.220/30

o s0/0/0 on HQ: first IP of 52.7.9.220/30

o s0/1/0 on HQ: last IP of 77.7.7.252/30

3. Set static route of each LAN on each router to let PC-1 connect to PC-2. (Use destination interface instead of IP next hop.)

4. Set default route on each router to let both PC-1 and PC-2 be able to connect to the Server (72.76.5.3) in the internet.

On HQ:

HQ>en

HQ#conf t

Enter configuration commands, one per line. End with CNTL/Z.

HQ(config)#interface fastEthernet 0/0

HQ(config-if)#ip address 52.7.9.206 255.255.255.240

HQ(config-if)#no shutdown

HQ(config-if)#

%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

HQ(config-if)#

HQ(config-if)#int serial 0/0/0

HQ(config-if)#ip address 52.7.9.221 255.255.255.252

HQ(config-if)#no shutdown

%LINK-5-CHANGED: Interface Serial0/0/0, changed state to down

HQ(config-if)#

HQ(config-if)#int serial 0/1/0

HQ(config-if)#ip address 77.7.7.254 255.255.255.252

HQ(config-if)#no shutdown

HQ(config-if)#

%LINK-5-CHANGED: Interface Serial0/1/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1/0, changed state to up

HQ(config-if)#

On BR1:

BR1>en

BR1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

BR1(config)#interface fastEthernet 0/0

BR1(config-if)#ip address 52.7.9.214 255.255.255.248

BR1(config-if)#no shutdown

BR1(config-if)#

%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up

BR1(config-if)#int serial 0/0/0

BR1(config-if)#clock rate 64000

BR1(config-if)#ip address 52.7.9.222 255.255.255.252

BR1(config-if)#no shutdown

BR1(config-if)#

%LINK-5-CHANGED: Interface Serial0/0/0, changed state to up

BR1(config-if)#

To configure the static route and default route also:

1. Static route: allows you to educate the router to new places.

2. Default route: acts as “Catch-All”

On HQ :

HQ(config)#ip route 52.7.9.208 255.255.255.248 serial 0/0/0

HQ(config)#ip route 0.0.0.0 0.0.0.0 serial 0/1/0

HQ(config)#^Z

HQ#

%SYS-5-CONFIG_I: Configured from console by console

HQ#show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

52.0.0.0/28 is subnetted, 1 subnets

C 52.7.9.192 is directly connected, FastEthernet0/0

77.0.0.0/30 is subnetted, 1 subnets

C 77.7.7.252 is directly connected, Serial0/1/0

S* 0.0.0.0/0 is directly connected, Serial0/1/0

HQ#

On BR-1:

BR1(config)#ip route 52.7.9.192 255.255.255.240 serial 0/0/0

BR1(config)#ip route 0.0.0.0 0.0.0.0 serial 0/0/0

BR1(config)#do show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

52.0.0.0/8 is variably subnetted, 3 subnets, 3 masks

S 52.7.9.192/28 is directly connected, Serial0/0/0

C 52.7.9.208/29 is directly connected, FastEthernet0/0

C 52.7.9.220/30 is directly connected, Serial0/0/0

S* 0.0.0.0/0 is directly connected, Serial0/0/0

BR1(config)#

[CCNA] Port Security Configuration

CCNA RnS, Cisco, Network June 18, 2014 Leave a comment

In this lab, a hub has been connected to interface Fa0/1 of Switch 1. It is an 8-port hub but only 5 hosts are allowed to connect to it. The administrator wants to ensure that only 5 hosts can connect. PC-1 and PC-2 along with any 3 other hosts can connect to the hub.

Configure port security on Fa0/1 to fulfill this requirement. In case of a violation, the port should not be put in an error disabled mode but the administrator should be informed.

Depending on the action you want a switch to take when a security violation occurs, you can configure the behavior of a switch port to one of the following:

Shutdown: this is the default behavior on a switch. In this mode, the switch ports shuts down when the violation occurs. Also, a SNMP trap is sent and the message is logged. You can enable the port again with the no shutdown interface configuration command.
Protect: when the maximum number of secure MAC addresses has been reached, packets from devices with unknown source addresses are dropped until you remove the necessary number of secure MAC addresses from the table. In this mode, you are not notified when a security violation occurs.
Restrict: is identical with protect mode, but notifies you when a security violation occurs. Specifically, a SNMP trap is sent, a syslog message is logged and the violation counter increments.

SW1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

SW1(config)#int fa0/1

SW1(config-if)#switchport mode access

SW1(config-if)#switchport port-security maximum 5

! --- We can also use: switchport port-security mac-address sticky

SW1(config-if)#switchport port-security mac-address 000C.CFC9.45BD

SW1(config-if)#switchport port-security mac-address 0005.5E41.B252

SW1(config-if)#switchport port-security violation restrict

SW1(config-if)#switchport port-security

switchport port-security mac-address sticky: configures the port to dynamically learn the MAC address and automatically configure the MAC address as a static MAC address associated with the port.

You can verify the configuration using the show port-security command as shown below:

SW1#show port-security

Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action

(Count) (Count) (Count)

--------------------------------------------------------------------

Fa0/1 5 2 0 Restrict

----------------------------------------------------------------------

SW1#

SW1#show port-security address

Secure Mac Address Table

-------------------------------------------------------------------------------

Vlan Mac Address Type Ports Remaining Age

(mins)

---- ----------- ---- ----- -------------

1 0005.5E41.B252 SecureConfigured FastEthernet0/1 -

1 000C.CFC9.45BD SecureConfigured FastEthernet0/1 -

------------------------------------------------------------------------------

Total Addresses in System (excluding one mac per port) : 1

Max Addresses limit in System (excluding one mac per port) : 1024

SW1#

SW1#show port-security interface fastEthernet 0/1

Port Security : Enabled

Port Status : Secure-up

Violation Mode : Restrict

Aging Time : 0 mins

Aging Type : Absolute

SecureStatic Address Aging : Disabled

Maximum MAC Addresses : 5

Total MAC Addresses : 2

Configured MAC Addresses : 2

Sticky MAC Addresses : 0

Last Source Address:Vlan : 0000.0000.0000:0

Security Violation Count : 0

SW1#

[CCNA] Basic VTP Configuration #1

CCNA RnS, Cisco, Network June 14, 2014 Leave a comment

VTP is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP minimizes misconfigurations and configuration inconsistencies that can result in a number of problems, such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations.

In this basic lab, we will be configure a single VTP Domain over three switches, one (DSW-1) as the VTP Server and the other two (ASW-1,2) as VTP Clients, also we will configure a VTP password for security.

1. Basic switch configuration

DSW-1:

Switch>en

Switch#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#hostname DSW-1

DSW-1(config)#line console 0

DSW-1(config-line)#password cisco

DSW-1(config-line)#login

DSW-1(config-line)#logging synchronous

DSW-1(config-line)#no exec-timeout

DSW-1(config-line)#line vty 0 15

DSW-1(config-line)#password cisco

DSW-1(config-line)#no exec-timeout

DSW-1(config-line)#exit

DSW-1(config)#enable secret cisco

DSW-1(config)#no ip domain-lookup

DSW-1(config)#

DSW-1(config)#^Z

DSW-1#

%SYS-5-CONFIG_I: Configured from console by console

DSW-1#

ASW-1

Switch>enable

Switch#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#hostname ASW-1

ASW-1(config)#line console 0

ASW-1(config-line)#password cisco

ASW-1(config-line)#login

ASW-1(config-line)#logging synchronous

ASW-1(config-line)#no exec-timeout

ASW-1(config-line)#line vty 0 15

ASW-1(config-line)#password cisco

ASW-1(config-line)#no exec-timeout

ASW-1(config-line)#exit

ASW-1(config)#enable secret cisco

ASW-1(config)#no ip domain-lookup

ASW-1(config)#exit

ASW-1#

%SYS-5-CONFIG_I: Configured from console by console

ASW-1#

ASW-2

Switch>en

Switch#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#host ASW-2

ASW-2(config)#line con 0

ASW-2(config-line)#pass cisco

ASW-2(config-line)#login

ASW-2(config-line)#logging synchronous

ASW-2(config-line)#no exec-timeout

ASW-2(config-line)#line vty 0 15

ASW-2(config-line)#pass cisco

ASW-2(config-line)#no exec-timeout

ASW-2(config-line)#exit

ASW-2(config)#ena secret cisco

ASW-2(config)#no ip domain-lookup

ASW-2(config)#exit

ASW-2#

%SYS-5-CONFIG_I: Configured from console by console

ASW-2#

2. Configure the VTP domain on all three switches as CCNA

DSW-1

DSW-1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

DSW-1(config)#vtp domain CCNA

Changing VTP domain name from NULL to CCNA

DSW-1(config)#

ASW-1

ASW-1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

ASW-1(config)#vtp domain CCNA

Changing VTP domain name from NULL to CCNA

ASW-1(config)#

ASW-2

ASW-2#conf t

Enter configuration commands, one per line. End with CNTL/Z.

ASW-2(config)#vtp domain CCNA

Changing VTP domain name from NULL to CCNA

ASW-2(config)#

3. Set the VTP domain password as cisco on all three switches

DSW-1

DSW-1(config)#vtp password cisco

Setting device VLAN database password to cisco

DSW-1(config)#

ASW-1

ASW-1(config)#vtp password cisco

Setting device VLAN database password to cisco

ASW-1(config)#

ASW-2

ASW-2(config)#vtp password cisco

Setting device VLAN database password to cisco

ASW-2(config)#

4. Configure DSW-1 as a VTP Server switch

DSW-1(config)#vtp mode server

Device mode already VTP SERVER.

DSW-1(config)#

5. Configure ASW-1 and ASW-2 as a VTP Client switch

ASW-1

ASW-1(config)#vtp mode client

Setting device to VTP CLIENT mode.

ASW-1(config)#

ASW-2

ASW-2(config)#vtp mode client

Device mode already VTP CLIENT.

ASW-2(config)#

6. Configure and verify an 802.1q trunk between Gig0/1 on DSW-1 and Gig1/1 on ASW-1

DSW-1

DSW-1(config)#interface gigabitEthernet 0/1

DSW-1(config-if)#switchport trunk encapsulation dot1q

DSW-1(config-if)#switchport mode trunk

DSW-1(config-if)#

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up

DSW-1(config-if)#do show int trunk

Port Mode Encapsulation Status Native vlan

Gig0/1 on 802.1q trunking 1

Port Vlans allowed on trunk

Gig0/1 1-1005

Port Vlans allowed and active in management domain

Gig0/1 1

Port Vlans in spanning tree forwarding state and not pruned

Gig0/1 none

DSW-1(config-if)#

ASW-1

ASW-1(config)#interface gigabitEthernet 1/1

ASW-1(config-if)#switchport mode trunk

ASW-1(config-if)#do sh int trunk

Port Mode Encapsulation Status Native vlan

Gig1/1 on 802.1q trunking 1

Port Vlans allowed on trunk

Gig1/1 1-1005

Port Vlans allowed and active in management domain

Gig1/1 1

Port Vlans in spanning tree forwarding state and not pruned

Gig1/1 1

ASW-1(config-if)#

7. Configure and verify an 802.1q trunk between Gig0/2 on DSW-1 and Gig1/2 on ASW-2

DSW-1

DSW-1(config)#interface gigabitEthernet 0/2

DSW-1(config-if)#switchport trunk encapsulation dot1q

DSW-1(config-if)#do sh int trunk

Port Mode Encapsulation Status Native vlan

Gig0/1 on 802.1q trunking 1

Port Vlans allowed on trunk

Gig0/1 1-1005

Port Vlans allowed and active in management domain

Gig0/1 1

Port Vlans in spanning tree forwarding state and not pruned

Gig0/1 1

DSW-1(config-if)#

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to up

ASW-2

ASW-2(config)#interface gigabitEthernet 1/2

ASW-2(config-if)#switchport mode trunk

ASW-2(config-if)#

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/2, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/2, changed state to up

ASW-2(config-if)#do sh int trunk

Port Mode Encapsulation Status Native vlan

Gig1/2 on 802.1q trunking 1

Port Vlans allowed on trunk

Gig1/2 1-1005

Port Vlans allowed and active in management domain

Gig1/2 1

Port Vlans in spanning tree forwarding state and not pruned

Gig1/2 1

ASW-2(config-if)#

8. Configure and verify VLANs 10 and 20 on DSW-1 with the names provided in the table below

VLAN 10: Administration

ASW-1 : Fa0/1
ASW-2 : Fa0/1

VLAN 20: Sales

ASW-1 : Fa0/2
ASW-2 : Fa0/2

DSW-1(config-if)#vlan 10

DSW-1(config-vlan)#name Administration

DSW-1(config-vlan)#vlan 20

DSW-1(config-vlan)#name Sales

DSW-1(config-vlan)#interface vlan 10

DSW-1(config-if)#

%LINK-5-CHANGED: Interface Vlan10, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up

DSW-1(config-if)#ip address 192.168.10.1 255.255.255.0

DSW-1(config-if)#int vlan 20

DSW-1(config-if)#

%LINK-5-CHANGED: Interface Vlan20, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan20, changed state to up

DSW-1(config-if)#ip address 192.168.20.1 255.255.255.0

DSW-1(config-if)#

9. Assign the VLANs to fa0/1 and fa0/2 of ASW-1 and ASW-2 as shown in the table below

ASW-1

ASW-1(config-if)#int fa0/1

ASW-1(config-if)#switchport mode access

ASW-1(config-if)#switchport access vlan 10

ASW-1(config-if)#int fa0/2

ASW-1(config-if)#switchport mode access

ASW-1(config-if)#switchport access vlan 20

ASW-1(config-if)#

ASW-2

ASW-2(config-if)#int fa0/1

ASW-2(config-if)#switchport mode access

ASW-2(config-if)#switchport access vlan 10

ASW-2(config-if)#int fa0/2

ASW-2(config-if)#switchport mode access

ASW-2(config-if)#switchport access vlan 20

ASW-2(config-if)#

The last step, is assigning IP address to PC-1, 2, 3, and 4 as shown in the network diagram, and test connectivity via your VLANs by pinging PC-3 from PC-1 and vice versa, PC-4 from PC-2 and vice versa.

Finally, this is some show command about VLANs and VTP:

DSW-1

DSW-1#show vlan brief

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4

Fa0/5, Fa0/6, Fa0/7, Fa0/8

Fa0/9, Fa0/10, Fa0/11, Fa0/12

Fa0/13, Fa0/14, Fa0/15, Fa0/16

Fa0/17, Fa0/18, Fa0/19, Fa0/20

Fa0/21, Fa0/22, Fa0/23, Fa0/24

10 Administration active

20 Sales active

1002 fddi-default active

1003 token-ring-default active

1004 fddinet-default active

1005 trnet-default active

DSW-1#show vtp status

VTP Version : 2

Configuration Revision : 4

Maximum VLANs supported locally : 1005

Number of existing VLANs : 7

VTP Operating Mode : Server

VTP Domain Name : CCNA

VTP Pruning Mode : Disabled

VTP V2 Mode : Disabled

VTP Traps Generation : Disabled

MD5 digest : 0x4D 0x9F 0xCA 0xFE 0x77 0xCB 0x66 0xAD

Configuration last modified by 0.0.0.0 at 3-1-93 00:17:06

Local updater ID is 192.168.10.1 on interface Vl10 (lowest numbered VLAN interface found)

DSW-1#show vtp password

VTP Password: cisco

DSW-1#

ASW-1

ASW-1#show vlan brief

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa0/3, Fa0/4, Fa0/5, Fa0/6

Fa0/7, Fa0/8, Fa0/9, Fa0/10

Fa0/11, Fa0/12, Fa0/13, Fa0/14

Fa0/15, Fa0/16, Fa0/17, Fa0/18

Fa0/19, Fa0/20, Fa0/21, Fa0/22

Fa0/23, Fa0/24, Gig1/2

10 Administration active Fa0/1

20 Sales active Fa0/2

1002 fddi-default active

1003 token-ring-default active

1004 fddinet-default active

1005 trnet-default active

ASW-1#show vtp status

VTP Version : 2

Configuration Revision : 4

Maximum VLANs supported locally : 255

Number of existing VLANs : 7

VTP Operating Mode : Server

VTP Domain Name : CCNA

VTP Pruning Mode : Disabled

VTP V2 Mode : Disabled

VTP Traps Generation : Disabled

MD5 digest : 0x4D 0x9F 0xCA 0xFE 0x77 0xCB 0x66 0xAD

Configuration last modified by 0.0.0.0 at 3-1-93 00:17:06

Local updater ID is 0.0.0.0 (no valid interface found)

ASW-1#

ASW-2

ASW-2#show vlan brief

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa0/3, Fa0/4, Fa0/5, Fa0/6

Fa0/7, Fa0/8, Fa0/9, Fa0/10

Fa0/11, Fa0/12, Fa0/13, Fa0/14

Fa0/15, Fa0/16, Fa0/17, Fa0/18

Fa0/19, Fa0/20, Fa0/21, Fa0/22

Fa0/23, Fa0/24, Gig1/1

10 Administration active Fa0/1

20 Sales active Fa0/2

1002 fddi-default active

1003 token-ring-default active

1004 fddinet-default active

1005 trnet-default active

ASW-2#show vtp status

VTP Version : 2

Configuration Revision : 4

Maximum VLANs supported locally : 255

Number of existing VLANs : 7

VTP Operating Mode : Client

VTP Domain Name : CCNA

VTP Pruning Mode : Disabled

VTP V2 Mode : Disabled

VTP Traps Generation : Disabled

MD5 digest : 0x4D 0x9F 0xCA 0xFE 0x77 0xCB 0x66 0xAD

Configuration last modified by 0.0.0.0 at 3-1-93 00:17:06

ASW-2#

[CCNA] Basic VLAN Configuration

CCNA RnS, Cisco, Network June 16, 2014 Leave a comment

In this lab we will configure a Cisco Catalyst 2950 with three new VLANs. Also, we will then use the available Cisco IOS show commands to verify the configuration.

Create and Configure VLANs and Names on Switch:

SW1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

SW1(config)#vlan 10

SW1(config-vlan)#name Admin

SW1(config-vlan)#exit

SW1(config)#vlan 20

SW1(config-vlan)#name Sales

SW1(config-vlan)#exit

SW1(config)#vlan 30

SW1(config-vlan)#name Engineering

SW1(config-vlan)#exit

SW1(config)#

Check your configuration:

SW1(config)#do show vlan brief

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4

Fa0/5, Fa0/6, Fa0/7, Fa0/8

Fa0/9, Fa0/10, Fa0/11, Fa0/12

Fa0/13, Fa0/14, Fa0/15, Fa0/16

Fa0/17, Fa0/18, Fa0/19, Fa0/20

Fa0/21, Fa0/22, Fa0/23, Fa0/24

Gig1/1, Gig1/2

10 Admin active

20 Sales active

30 Engineering active

1002 fddi-default active

1003 token-ring-default active

1004 fddinet-default active

1005 trnet-default active

SW1(config)#

Assign a switchport to a VLAN:

SW1(config)#int fa0/1

SW1(config-if)#switchport access vlan 10

SW1(config-if)#switchport mode access

SW1(config-if)#

SW1(config-if)#int fa0/2

SW1(config-if)#switchport access vlan 20

SW1(config-if)#switchport mode access

SW1(config-if)#int fa0/3

SW1(config-if)#switchport access vlan 30

SW1(config-if)#switchport mode access

SW1(config-if)#

Check the configuration after assigning the ports:

SW1(config)#do show vlan brief

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa0/4, Fa0/5, Fa0/6, Fa0/7

Fa0/9, Fa0/10, Fa0/11, Fa0/8

Fa0/13, Fa0/14, Fa0/15, Fa0/12

Fa0/17, Fa0/18, Fa0/19, Fa0/16

Fa0/21, Fa0/22, Fa0/23, Fa0/20

Fa0/24, Gig1/1, Gig1/2

10 Admin active Fa0/1

20 Sales active Fa0/2

30 Engineering active Fa0/3

1002 fddi-default active

1003 token-ring-default active

1004 fddinet-default active

1005 trnet-default active

SW1(config)#

[CCNA] Configuring SSH

CCNA RnS, Cisco, Network June 10, 2014 1 Comment

It’s not an easy way to configure your device using the console port each time, however you’ll use the Telnet or SSH to access to your device remotely, but Telnet is not secure at all, for this, configuring the SSH on your Cisco device is so important.

We’ll work through this steps one by one:

1. Configure the device hostname

2. Define the default domain name

3. Generate encryption keys

4. Configure SSH options

5. Create local user account(s)

6. Define transport protocols for console port (Telnet and/or SSH)

7. Enable local login

Of course the device must have an IP address, check this post for the initial configuration.

1. Configure the device hostname

Switch>enable

Password:

Switch#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#hostname MainSwitch

MainSwitch(config)#

2. Define the default domain name

MainSwitch(config)#ip domain-name ?

WORD Default domain name

MainSwitch(config)#ip domain-name locallab.com

MainSwitch(config)#

3. Generate encryption keys

MainSwitch(config)#crypto key generate ?

rsa Generate RSA keys

MainSwitch(config)#crypto key generate rsa

The name for the keys will be: MainSwitch.locallab.com

Choose the size of the key modulus in the range of 360 to 2048 for your

General Purpose Keys. Choosing a key modulus greater than 512 may take

a few minutes.

How many bits in the modulus [512]: 2048

% Generating 2048 bit RSA keys, keys will be non-exportable...[OK]

MainSwitch(config)#

*mars 1 0:15:4.695: %SSH-5-ENABLED: SSH 1.99 has been enabled

MainSwitch(config)#

4. Configure SSH options

Set the SSH version to version 2

MainSwitch(config)#ip ssh ?

authentication-retries Specify number of authentication retries

time-out Specify SSH time-out interval

version Specify protocol version to be supported

MainSwitch(config)#ip ssh version ?

Protocol version

MainSwitch(config)#ip ssh version 2

MainSwitch(config)#

Set the max failed for SSH connection

MainSwitch(config)#ip ssh authentication-retries ?

Number of authentication retries

MainSwitch(config)#ip ssh authentication-retries 2

MainSwitch(config)

Of course, you must set also the max idle timer for a SSH session

1 2	MainSwitch(config)#ip ssh time-out 60 MainSwitch(config)

5. Create local user account(s)

MainSwitch(config)#username ?

WORD User name

MainSwitch(config)#username boubakr ?

password Specify the password for the user

privilege Set user privilege level

secret Specify the secret for the user

MainSwitch(config)#username boubakr secret ?

0 Specifies an UNENCRYPTED secret will follow

5 Specifies a HIDDEN secret will follow

LINE The UNENCRYPTED (cleartext) user secret

MainSwitch(config)#username boubakr secret cisco

MainSwitch(config)#

Do you know why secret and not password ahmm ?!

MainSwitch(config)#do show run

Building configuration...

! ...

hostname MainSwitch

! ...

ip ssh version 2

ip domain-name locallab.com

username boubakr secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0

! ...

6. Define transport protocols for console port (Telnet and/or SSH)

MainSwitch(config-line)#transport input ?

all All protocols

none No protocols

ssh TCP/IP SSH protocol

telnet TCP/IP Telnet protocol

MainSwitch(config-line)#transport input ssh

MainSwitch(config-line)#

You can use both SSH and Telnet, in this case Telnet session will also require the username to login.

7. Enable local login: use the local database for users login

MainSwitch(config-line)#login ?

local Local password checking

MainSwitch(config-line)#login local

MainSwitch(config-line)#

[CCNA] Base Switch Configuration

CCNA RnS, Cisco, Network June 8, 2014 1 Comment

In this post, we’ll see how can we performing an initial switch configuration (can also done with a router).

We’ll work through this Todo one by one:

1. Hostname

2. Console password

3. Telnet password

4. Enable password

5. Management IP address (VLAN 1)

6. Default gateway

7. Shutdown

8. Login banner

9. Saving configuration

1. The first thing is to name the switch, using the hostname command from the global configuration mode; each company has its own naming schema (like the region number, floor, switch… etc), in our case we’ll use a simple name.

Switch>enable

Switch#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

Switch(config)#hostname ?

WORD This system's network name

Switch(config)#hostname MainSwitch

MainSwitch(config)#

2. 5 passwords are used to secure your Cisco device: console, auxiliary, vty (telnet), enable password, enable secret. To set the console user-mode password go the the console configuration mode.

MainSwitch(config)#line console ?

First Line number

MainSwitch(config)#line console 0

MainSwitch(config-line)#password ?

7 Specifies a HIDDEN password will follow

LINE The UNENCRYPTED (cleartext) line password

MainSwitch(config-line)#password cisco

MainSwitch(config-line)#end

MainSwitch#

%SYS-5-CONFIG_I: Configured from console by console

MainSwitch#

Until now, the switch doesn’t ask you for the password when trying to login using the console port, why ? because we forgot to tell it to check the password

MainSwitch#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

MainSwitch(config)#line console 0

MainSwitch(config-line)#?

Line configuration commands:

...

MainSwitch(config-line)#login

MainSwitch(config-line)#exec-timeout ?

Timeout in minutes

MainSwitch(config-line)#exec-timeout 0 ?

Timeout in seconds

MainSwitch(config-line)#exec-timeout 0 0

MainSwitch(config-line)#

MainSwitch(config-line)#logging synchronous

MainSwitch(config-line)#

exec-timeout: sets the timeout for the console execute session, in this case 0 minute, 0 second => disable the time-out, because it’s a lab-env.
logging synchronous: stops annoying console messages (syslog) from popping up and disrupting the input you’re trying to type (you can fix it using the Tab key).

3. Telnet is what allows you to manage the switch remotely, using the line mode to set the password, taking two arguments the first and the last line number, by default Cisco allows 5 sessions simultaneous, but you can go until 16.

MainSwitch#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

MainSwitch(config)#line ?

First Line number

console Primary terminal line

vty Virtual terminal

MainSwitch(config)#line vty ?

First Line number

MainSwitch(config)#line vty 0 ?

Last Line number

MainSwitch(config)#line vty 0 15

MainSwitch(config-line)#password cisco

MainSwitch(config-line)#

The VTY doesn’t require the login command, because it’s already setting by Cisco, that’s Cisco’s form of security.

MainSwitch#show running-config | begin line vty

line vty 0 4

password cisco

line vty 5 15

password cisco

end

MainSwitch#

4. The enable password protects the transition from the User Mode to the Privileged Mode, it is similar to other passwords, however it’s from the global config mode, because it’s affect the whole device. enable password and enable secret commands do exactly the same thing:

enable password sets the password in clear text.
enable secret encrypts it using the MD5 algorithm.

MainSwitch(config)#enable ?

password Assign the privileged level password

secret Assign the privileged level secret

MainSwitch(config)#enable password ?

7 Specifies a HIDDEN password will follow

LINE The UNENCRYPTED (cleartext) 'enable' password

level Set exec level password

MainSwitch(config)#enable password cisco

MainSwitch(config)#enable secret ?

0 Specifies an UNENCRYPTED password will follow

5 Specifies an ENCRYPTED secret will follow

LINE The UNENCRYPTED (cleartext) 'enable' secret

level Set exec level password

MainSwitch(config)#enable secret c1sc0

MainSwitch(config)#^Z

%SYS-5-CONFIG_I: Configured from console by console

MainSwitch#show running-config

Building configuration...

...

hostname MainSwitch

enable secret 5 $1$mERr$fUHfKnbAzwSaPfCLSoNMr1

enable password cisco

MainSwitch#

If the secret password is setting, the enable is no longer allowing you to use the enable password anymore because Cisco prefer the securing way.

All the console, Telnet password as enable password are saved in clear text, Cisco has a command that allows you to encrypt those passwords:

MainSwitch(config)#service ?

password-encryption Encrypt system passwords

timestamps Timestamp debug/log messages

MainSwitch(config)#service password-encryption

MainSwitch(config)#

5. Assigning IP address to a switch has a relation with VLAN, by default switch ports are all part of VLAN 1

MainSwitch#show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4

Fa0/5, Fa0/6, Fa0/7, Fa0/8

Fa0/9, Fa0/10, Fa0/11, Fa0/12

Fa0/13, Fa0/14, Fa0/15, Fa0/16

Fa0/17, Fa0/18, Fa0/19, Fa0/20

Fa0/21, Fa0/22, Fa0/23, Fa0/24

Gig1/1, Gig1/2

...

MainSwitch#conf t

Enter configuration commands, one per line. End with CNTL/Z.

MainSwitch(config)#interface vlan 1

MainSwitch(config-if)#ip address ?

A.B.C.D IP address

dhcp IP Address negotiated via DHCP

MainSwitch(config-if)#ip address 172.16.30.11 255.255.255.0

MainSwitch(config-if)#no shutdown

MainSwitch(config-if)#

%LINK-5-CHANGED: Interface Vlan1, changed state to up

MainSwitch(config-if)#

6. Now, we move on to the default gateway, that allows you to manage the switch remotely (really remotely, outside the LAN), the default gateway is the IP address of the router interface (to communicate out of your network).

MainSwitch(config)#ip default-gateway ?

A.B.C.D IP address of default gateway

MainSwitch(config)#ip default-gateway 172.16.30.1

MainSwitch(config)#

Now, that switch knows how can get off its own network.

7. The shutdown command allows you to shutdown interfaces (turn off) as well as turn on using the negative command (no shutdown), so to shutdown an interface:

MainSwitch#show ip interface brief

Interface IP-Address OK? Method Status Protocol

FastEthernet0/1 unassigned YES manual down down

FastEthernet0/2 unassigned YES manual down down

FastEthernet0/3 unassigned YES manual down down

FastEthernet0/4 unassigned YES manual down down

FastEthernet0/5 unassigned YES manual down down

FastEthernet0/6 unassigned YES manual down down

FastEthernet0/7 unassigned YES manual down down

FastEthernet0/8 unassigned YES manual down down

FastEthernet0/9 unassigned YES manual down down

FastEthernet0/10 unassigned YES manual down down

--More--

MainSwitch#conf t

Enter configuration commands, one per line. End with CNTL/Z.

MainSwitch(config)#interface fastEthernet 0/1

MainSwitch(config-if)#shutdown

%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down

MainSwitch(config-if)#

Also, you can turn off a list of interfaces, using the rang argument:

MainSwitch(config)#interface range fastEthernet 0/1 - 10

MainSwitch(config-if-range)#shutdown

%LINK-5-CHANGED: Interface FastEthernet0/2, changed state to administratively down

%LINK-5-CHANGED: Interface FastEthernet0/3, changed state to administratively down

%LINK-5-CHANGED: Interface FastEthernet0/4, changed state to administratively down

%LINK-5-CHANGED: Interface FastEthernet0/5, changed state to administratively down

%LINK-5-CHANGED: Interface FastEthernet0/6, changed state to administratively down

%LINK-5-CHANGED: Interface FastEthernet0/7, changed state to administratively down

%LINK-5-CHANGED: Interface FastEthernet0/8, changed state to administratively down

%LINK-5-CHANGED: Interface FastEthernet0/9, changed state to administratively down

%LINK-5-CHANGED: Interface FastEthernet0/10, changed state to administratively down

MainSwitch(config-if-range)#

You can notice that the syslog messages inform you about what really happening on your device.

8. There are more than banner that can use on Cisco device, here we are focusing on the motd banner (Message Of The Day)

MainSwitch#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

MainSwitch(config)#banner ?

motd Set Message of the Day banner

...

MainSwitch(config)#banner motd ?

LINE c banner-text c, where 'c' is a delimiting character

MainSwitch(config)#banner motd #

Enter TEXT message. End with the character '#'.

Welcome To The MainSwitch

Unauthorized Access Prohibited

MainSwitch(config)#

Where # is the eliminated character (marks the beginning and the end of the message). So, when you try to connect to the switch:

Welcome To The MainSwitch

Unauthorized Access Prohibited

User Access Verification

Password:

9. Finally, the great piece is to save the configuration, running-config is running on RAM not NVRAM (Non-Volatile) where the the startup-config is saved:

MainSwitch#copy running-config startup-config

Destination filename [startup-config]?

Building configuration...

[OK]

MainSwitch#

MainSwitch#write memory

Building configuration...

[OK]

MainSwitch#

MainSwitch#wr

Building configuration...

[OK]

MainSwitch#

write memory (or wr as shortcut) do the same as copy running-config startup-config

10. To verify your configuration, you can use the show commands:

MainSwitch#show running-config

Building configuration...

Current configuration : 1263 bytes

version 12.2

no service timestamps log datetime msec

no service timestamps debug datetime msec

no service password-encryption

hostname MainSwitch

enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0

enable password 7 0822455D0A16

...

Catalyst 3750

Introduction

This document can be used as a cheat-sheet for troubleshooting on Cisco 3750 switches..

Requirements

There are no specific requirements for this document.

Commands

For CPU related issues

Show process cpu sorted
Show process cpu history
Show platform port-asic stats drop
Show controllers cpu- interface
Debug platform cpu-queues
Show plat for ip

For memory issues

Show memory statistics
Show process memory sorted
Show buffers

Layer 2 forwarding issues

Show interface <> status
Show spanning-tree interface <>
Show interface <> counter
Show mac address-table interface <>
Show mac address-table dynamic address <>
Show spanning-tree vlan <>
Show interface status error-disabled
Show interface <> counter error
Show platform forward
Show spanning-tree vlan <> detail

Layer 3 IP Unicast issues

Ping
Sh ip arp vlan
Show mac address-table address
Show ip route
Show ip arp
Show platform forward ip

QOS issues

Show mls qos interface <> stats
Show mls qos map dscp-output-q
Show platform port-asic stats drop
Show mls qos queue-set
Show mls qos maps dscp-output-q
Mls qos queue-set output <> threshold

TCAM issues

Show platform tcam utilization
Show platform acl oacltcamfull
Show platform acl label <> detail
Show sdm prefer

Stacking issues

Show switch {detail}
Show platform stack manager
Show switch stack-ring <>
Show controllers utilization
Show switch stack-ports summary

Cisco: Troubleshooting and Fault Management Commands 2

Catalyst 3750

Introduction

Requirements

Commands

For CPU related issues

For memory issues

For link issues

Layer 2 forwarding issues

Layer 3 IP Unicast issues

QOS issues

TCAM issues

Stacking issues

Admin

0 Response to "Cisco: Troubleshooting and Fault Management Commands 2"

Post a Comment