
Cisco Switching notes

When setting up a switch, enable the following commands:
conf t
line con 0
logging synchronous <== causes console messages to be printed on a new line instead of in the middle of what you are typing
no exec-timeout <== lab convenience; leave the default idle timeout on a production switch
no ip domain-lookup
# Don't use VLAN 1 for management: it is the default VLAN for every port and the default native VLAN on trunks, so any access port can reach the switch's management address

show ip int brief
alias exec s show ip int brief <== create shortcut "s" for "show ip int brief"

# Set up mgmt VLAN
conf t
int vlan 128
ip address 192.168.1.2 255.255.255.0
## Use "ip default-gateway" only if the switch is not routing (no "ip routing"); a routing switch uses a static default route instead
username admin password pass <== "username admin secret pass" stores a hash instead of a reversible type 7 string; prefer it where supported
service password-encryption <== only obscures (type 7) passwords in the config, it is not real protection
enable secret pass
line con 0
login local
exit
line vty 0 15 <== 0 15 covers all 16 vty lines; starting at 1 leaves vty 0 unconfigured
login local
privilege level 15 <== allows user login to immediately gain privileged (enable) mode access
line con 0
privilege level 15
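The hardening points above (management address off VLAN 1, hashed secrets rather than reversible passwords, login local on every console and vty line) are easy to check mechanically. The following is an added example, not from these notes or from Cisco: a small Python audit that parses a constructed `show running-config` excerpt (hypothetical switch, placeholder hashes) into top-level sections and reports which of those items are missing.

```python
"""Audit a Cisco IOS switch running-config for the hardening items in the notes.

Added example: the config below is a constructed sample, not a real device, and
the hash / type-7 strings are placeholders.
"""
import re

SAMPLE_CONFIG = """\
hostname SW1
service password-encryption
no ip domain-lookup
enable secret 5 $1$PLAC$EHOLDERHASHxxxxxxxxxxx
username admin password 7 PLACEHOLDER7
!
interface Vlan1
 ip address 192.168.0.2 255.255.255.0
!
interface Vlan128
 ip address 192.168.1.2 255.255.255.0
!
line con 0
 logging synchronous
 login local
line vty 0 4
 login local
line vty 5 15
 login
!
end
"""


def parse_sections(config):
    """Split an IOS config into (header, [child lines]) blocks.

    Unindented lines start a section; indented lines belong to the section
    that precedes them. '!' separators and 'end' are skipped.
    """
    sections = []
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped in ("!", "end"):
            continue
        if raw.startswith(" "):
            if sections:
                sections[-1][1].append(stripped)
        else:
            sections.append((stripped, []))
    return sections


def audit(config):
    """Return a list of finding strings; an empty list means every check passed."""
    sections = parse_sections(config)
    headers = [h for h, _ in sections]
    findings = []

    if "service password-encryption" not in headers:
        findings.append("service password-encryption missing")
    if not any(h.startswith("enable secret") for h in headers):
        findings.append("enable secret missing (enable password is reversible)")
    for h in headers:
        m = re.match(r"username (\S+) password", h)
        if m:
            findings.append(
                f"username {m.group(1)} uses 'password' (reversible type 7); use 'secret' instead"
            )

    for header, children in sections:
        # Management SVI on VLAN 1 means every default access port reaches it.
        if header.lower() == "interface vlan1":
            if any(c.startswith("ip address") for c in children):
                findings.append("management IP address configured on VLAN 1")
        # Every console and vty line must authenticate against the local database.
        if header.startswith("line con") or header.startswith("line vty"):
            if "login local" not in children:
                findings.append(f"{header}: login local not set")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against a saved `show running-config` dump; each finding names the offending section so the fix maps directly onto the commands above.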

# 2 ways to create VLANs
# Method 1:
vlan database <== being deprecated
# Method 2:
conf t
vlan 50
name VLAN_50
vlan 100
name VLAN_150

conf t
int range fastEthernet 0/22 - 24
switchport trunk encapsulation dot1q <== ISL being phased out by Cisco, avoid using it
switchport mode trunk

conf t
vtp mode server
vtp domain vtpdom
vtp password vtpdom
vtp version 2 <== VTP version 3 authenticates updates and only lets the designated primary server change the VLAN database, so a rogue switch added to the domain cannot overwrite it; use version 3 where supported
show vtp status

show spanning-tree blockedports

# Etherchannel (layer2)
conf t
int range fastEthernet 0/22 - 24
channel-group 1 mode desirable <== desirable actively negotiates PAgP on all ports in the range (auto only answers); for LACP use active/passive instead
show etherchannel

# Etherchannel (layer3)
interface port-channel 1
no switchport <== makes the port-channel a routed (L3) interface so an IP address can be assigned; the member ports need "no switchport" too

# VLAN access map (create a drop map in example below)
conf t
access-list 101 permit ip host 192.168.2.2 host 192.168.2.3 <== "permit" here only means "this traffic matches the map entry"; the action comes from the map
vlan access-map DROP_MAP 20 <== sequence number (0-65535); 20 leaves room for entries 1-19 before it
action drop <== drop or forward
match ip address 101 <== match using access list
exit
vlan filter DROP_MAP vlan-list 200 <== deny IP traffic within VLAN 200. Note: once the map has an IP match clause, IP packets that match no entry are also dropped, so as written this drops all IP traffic in VLAN 200, not only 192.168.2.2 -> 192.168.2.3; add a final entry with action forward and no match clause to drop only the matched flow

# VLAN access map by MAC addr
vlan access-map deny_mac 20
action drop
match mac address invalid_mac
exit
mac access-list extended invalid_mac
permit host 00e0.1e58.598a host 00e1.6543.1234
exit
vlan filter deny_mac vlan-list 200 <== deny non-IP frames between those two MACs in VLAN 200; as with the IP map, non-IP frames matching no entry are dropped too unless a trailing forward entry is added
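To see why the notes on the two vlan filter lines matter, here is an added simulation (my code, not from these notes or from Cisco) of how a Catalyst VLAN access map decides a packet's fate, following Cisco's documented rule: entries are tried in sequence order and the first match wins; if the map has a clause for the packet's type (IP or MAC) but none matches, the packet is dropped; if it has no clause for that type at all, the packet is forwarded. ACL 101, DROP_MAP, deny_mac and invalid_mac are the values from the notes; the extra packets and the trailing forward entry are constructed.

```python
"""Model a Catalyst VLAN access map's decision for one packet (added example)."""
from ipaddress import IPv4Network, ip_address, ip_network

# ACLs referenced by the maps; both are the ones defined in the notes.
ACLS = {
    101: [("permit", ip_network("192.168.2.2/32"), ip_network("192.168.2.3/32"))],
    "invalid_mac": [("permit", "00e0.1e58.598a", "00e1.6543.1234")],
}


def _covers(rule_val, pkt_val):
    """True when an ACL source/destination field covers the packet's field."""
    if isinstance(rule_val, IPv4Network):
        return ip_address(pkt_val) in rule_val
    return rule_val == "any" or rule_val == pkt_val


def acl_matches(acl, pkt):
    """A map entry's match clause is satisfied when the ACL *permits* the packet;
    a deny line, or the implicit deny at the end of the ACL, means 'no match'."""
    for action, src, dst in acl:
        if _covers(src, pkt["src"]) and _covers(dst, pkt["dst"]):
            return action == "permit"
    return False


def evaluate(access_map, pkt):
    """Return 'drop' or 'forward' for pkt under access_map.

    access_map: list of (sequence, match_type, acl_name, action); match_type is
    'ip' or 'mac', or None for an entry that has an action but no match clause
    (such an entry matches every packet).
    pkt: {'type': 'ip' | 'mac', 'src': ..., 'dst': ...}
    """
    saw_clause_for_type = False
    for _seq, match_type, acl_name, action in sorted(access_map, key=lambda e: e[0]):
        if match_type is None:
            return action
        if match_type != pkt["type"]:
            continue
        saw_clause_for_type = True
        if acl_matches(ACLS[acl_name], pkt):
            return action
    # No entry matched: drop if the map had clauses for this packet type,
    # forward if it had none for this type.
    return "drop" if saw_clause_for_type else "forward"


# DROP_MAP exactly as in the notes: a single entry at sequence 20.
DROP_MAP = [(20, "ip", 101, "drop")]
# Constructed variant: trailing catch-all forward so only the matched flow is dropped.
DROP_MAP_WITH_FORWARD = DROP_MAP + [(30, None, None, "forward")]
# deny_mac map from the notes.
DENY_MAC = [(20, "mac", "invalid_mac", "drop")]


def demo():
    """Decisions for a few constructed packets, keyed by a description."""
    matched = {"type": "ip", "src": "192.168.2.2", "dst": "192.168.2.3"}
    other_ip = {"type": "ip", "src": "192.168.2.10", "dst": "192.168.2.11"}
    mac_frame = {"type": "mac", "src": "00e0.1e58.598a", "dst": "00e1.6543.1234"}
    return {
        "DROP_MAP, matched flow": evaluate(DROP_MAP, matched),
        "DROP_MAP, other IP flow": evaluate(DROP_MAP, other_ip),
        "DROP_MAP, non-IP frame": evaluate(DROP_MAP, mac_frame),
        "with forward entry, other IP flow": evaluate(DROP_MAP_WITH_FORWARD, other_ip),
        "with forward entry, matched flow": evaluate(DROP_MAP_WITH_FORWARD, matched),
        "DENY_MAC, listed pair": evaluate(DENY_MAC, mac_frame),
        "DENY_MAC, IP packet": evaluate(DENY_MAC, {"type": "ip", "src": "10.0.0.1", "dst": "10.0.0.2"}),
    }


if __name__ == "__main__":
    for description, decision in demo().items():
        print(f"{description}: {decision}")
```

The second result is the one to notice: with DROP_MAP as written, an unrelated IP flow in VLAN 200 is dropped as well, and only the variant with the trailing forward entry confines the drop to the pair named in ACL 101.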

# Protected mode
Ports in "Protected mode" can only talk to unprotected ports; two protected ports in the same VLAN cannot exchange traffic at layer 2. This is the private-VLAN edge feature: a lightweight way to isolate hosts on one switch, but it does not carry across switches.
conf t
int fa0/5
switchport protected
switchport block [unicast|multicast] <== stops the switch flooding unknown-destination unicast/multicast frames out this port
show int fa0/5 switchport

Categories: Cisco, Switching