
Switching & Wireless (CCNA Unit 3) Summary Sheet

Contents: 1) Switch Initial Configuration 2) VLANs 3) VTP 4) STP (including RPVST+) 5) Etherchannels 6) Wireless 7) Multilayer Switch Config

1) Switch Initial Configuration


Switch(config)# hostname S2
S2(config)# banner motd 8No unauthorised access8 (NOTE: the 8's are simply a delimiter character that does not appear in the message)
S2(config)# no ip domain-lookup
S2(config)# enable password password OR S2(config)# enable secret secretpassword
   (prefer "enable secret": it is stored as a hash, whereas "enable password" is stored in clear text, or as a trivially reversible type 7 string if "service password-encryption" is set)
S2(config)# line console 0
S2(config-line)# logging synchronous
S2(config-line)# password password
S2(config-line)# login
S2(config-line)# exit
S2(config)# line vty 0 15
S2(config-line)# password password
S2(config-line)# login
S2(config-line)# end
S2# copy running-config startup-config (or S2# wr)
Caveat: vty lines configured like this accept telnet, which sends the password in clear text across the network. Outside a lab, generate an RSA key pair and restrict the lines with "transport input ssh".

Useful Troubleshooting
S2# show ip arp
S2# show mac address-table (older IOS: show mac-address-table)

2) VLANs
VLAN numbers range from 1 (default) to 1001 for standard VLANs (1002 - 1005 are reserved, as can be seen in S# show vlan br output). VLAN numbers 1006 - 4094 can also be configured, but these are "extended" VLANs and are not propagated by VTP until VTP version 3 (with VTP v1/v2 the switch must be in transparent mode to create them).

Troubleshooting:
Switch# show vlan br
Switch# show vlan id vlanID
Switch# show vlan name nameofvlan
Switch# show interface trunk (ports in trunking mode won't be visible in show vlan br output, but can be seen with this)

Essentials:

0) (This point is strict and can be skipped in a lab.) Shut down every port first, then bring up only the ports that are actually needed. An unused port left up in its default dynamic mode is the easiest way onto a switch:
(config)# int range fa0/1 - 24
(config-if-range)# shut
(config)# int range gi0/1 - 2 (the uplink ports; exact interface names depend on the model)
(config-if-range)# shut

1) Create ordinary VLANs
(config)# vlan 10
(config-vlan)# name nameofvlan
(config)# vlan 20
(config-vlan)# name nameofvlan
(config)# vlan 30
(config-vlan)# name nameofvlan

2) Create the management VLAN and assign an IP: by default VLAN 1 is the management VLAN. This is bad because VLAN 1 is also the default native VLAN and every port belongs to it until it is moved, so set up a management VLAN with an ID other than 1. In this tutorial the management VLAN and the native VLAN are the same VLAN, 99, but they don't have to be.
(config)# vlan 99
(config-vlan)# name nameofmanagementvlan
(config-vlan)# exit
(config)# interface vlan 99
(config-if)# ip address 172.17.99.11 255.255.255.0
(config-if)# no shutdown
(Check: "show ip interface brief" shows the Vlan99 SVI up/up only once at least one port carrying VLAN 99, an access port in it or a trunk allowing it, is up.)

3) Configure the default gateway
(config)# ip default-gateway ipAddress (no subnet mask needed)
This is needed to manage the switch from a device on another subnet, e.g. by telnet/ssh into this switch.

4) Configure ports for VLAN access
(config)# int range fa0/6 - 10
(config-if-range)# switchport access vlan 30
(config-if-range)# exit

(config)# int range fa0/11 - 17
(config-if-range)# switchport access vlan 10
(config-if-range)# exit
(config)# int range fa0/18 - 24
(config-if-range)# switchport access vlan 20
(config-if-range)# end

5) Activate the ports which have computers attached, and fix them in access mode so they can never negotiate a trunk
(config)# int range fa0/6, fa0/11, fa0/18
(config-if-range)# switchport mode access
(config-if-range)# no shut

6) Configure trunking and the native VLAN on inter-switch ports. Trunks carry traffic from all VLANs (by default). The default native VLAN is 1, and it is good practice to change it.
(config)# int range fa0/1 - 5
(config-if-range)# switchport mode trunk
(config-if-range)# switchport trunk native vlan 99 (all switches on a trunk must use the same native VLAN, otherwise there is a native VLAN mismatch, which CDP and STP will log, so change this on every switch)
(config-if-range)# switchport trunk allowed vlan [ vlan-list | all | except vlan-list | none | add vlan-list | remove vlan-list ] (if you don't use this command, the default is to allow all VLANs; trim the list to the VLANs the trunk actually needs)
(config-if-range)# switchport nonegotiate (once the mode is set to access or trunk, this removes any ambiguity about the port's mode by stopping DTP)
(config-if-range)# no shut
(config-if-range)# end
# show interface trunk
# copy running-config startup-config

The default switchport mode is "dynamic auto" on current Catalyst models (older ones such as the 2950/3550 default to "dynamic desirable"); in either mode the port uses DTP (Dynamic Trunking Protocol) to negotiate with the neighbouring interface whether to form a trunk. The security point: a host plugged into a port that is still in a dynamic mode can send DTP frames itself, negotiate a trunk and then reach every VLAN (switch spoofing). So set every port explicitly to access or trunk (as above) and add "switchport nonegotiate", which stops DTP frames being sent so that nothing is negotiated about the port's mode at all.

Inter-VLAN Routing with Router-On-A-Stick
You need to create a gateway subinterface for each VLAN. This is done on one physical interface such as fa0/0, using a dot to create subinterfaces, as below:
(config)# int fa0/0
(config-if)# no shut (the physical interface must be up; the subinterfaces inherit its state)
Configure an ordinary VLAN gateway:
(config)# int fa0/0.207 (.207 is used as the subinterface number purely for convenience because it matches the VLAN number; any number would work)
(config-subif)# encapsulation dot1q 207 (207 is the VLAN number in this case)
(config-subif)# ip address 192.168.207.254 255.255.255.0 (for example)
Configure the native VLAN gateway:
(config)# int fa0/0.150 (for example)
(config-subif)# encapsulation dot1q 150 native (150 is the native VLAN number; the "native" keyword tells the router that frames for this subinterface are sent and received untagged)
(config-subif)# ip address 172.16.35.254 255.255.255.0 (for example)
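The hardening points in this section (explicit port mode, nonegotiate, a non-default native VLAN, a trimmed allowed-VLAN list and no management address on VLAN 1) can be checked mechanically against a saved running-config. The following is an added example, not part of the original sheet: it parses a constructed IOS running-config excerpt (the interface names, VLAN numbers and addresses are made up) and reports which interfaces still violate those points.

```python
import re

# Constructed running-config excerpt (not taken from the sheet above): a trunk left at
# its defaults, a port still in dynamic mode, a hardened access port, a hardened trunk,
# and a management address that is still sitting on VLAN 1.
SAMPLE_CONFIG = """\
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/2
 switchport access vlan 10
!
interface FastEthernet0/3
 switchport access vlan 10
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/4
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30,99
 switchport mode trunk
 switchport nonegotiate
!
interface Vlan1
 ip address 172.17.1.11 255.255.255.0
!
interface Vlan99
 ip address 172.17.99.11 255.255.255.0
!
"""

PHYSICAL = re.compile(r"^(FastEthernet|GigabitEthernet|TenGigabitEthernet)\d", re.I)


def parse_interfaces(config_text):
    """Split an IOS running-config into {interface name: [its indented lines]}."""
    stanzas, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None          # "!" or any unindented line ends the stanza
    return stanzas


def audit(config_text):
    """Return {interface: set of finding codes} for the hardening points above."""
    findings = {}
    for name, lines in parse_interfaces(config_text).items():
        def has(prefix, lines=lines):
            return any(line.startswith(prefix) for line in lines)
        codes = set()
        if name == "Vlan1" and has("ip address"):
            codes.add("MGMT_ON_VLAN1")            # management SVI on the default native VLAN
        if PHYSICAL.match(name):
            if not has("switchport mode "):
                codes.add("DTP_DYNAMIC")          # still negotiable: a host can talk DTP and become a trunk
            else:
                if not has("switchport nonegotiate"):
                    codes.add("DTP_FRAMES_SENT")  # mode is fixed, but DTP is still spoken on the wire
                if has("switchport mode trunk"):
                    if not has("switchport trunk native vlan"):
                        codes.add("TRUNK_NATIVE_VLAN1")      # untagged frames land in VLAN 1
                    if not has("switchport trunk allowed vlan"):
                        codes.add("TRUNK_ALLOWS_ALL_VLANS")
        if codes:
            findings[name] = codes
    return findings


if __name__ == "__main__":
    for intf, codes in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"{intf:18} {', '.join(sorted(codes))}")
```

Run it against "show running-config" output saved to a file; an empty result for the physical ports and no MGMT_ON_VLAN1 entry is the state steps 0 to 6 above are meant to leave the switch in.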

3) VTP
Essentials:

Mode              Description                                  Responds to VTP       Global VLAN configuration     Updates other VTP
                                                               advertisements?       preserved on restart?         enabled switches?
VTP Server        Manages domain and VLAN configurations.      Participates fully.   Yes, global configuration     Yes
                                                                                     stored in NVRAM.
VTP Client        Cannot change VLAN configurations.           Participates fully.   No, global configuration      No
                                                                                     stored in RAM, not NVRAM.
VTP Transparent   Manages local VLAN configurations only;      Only forwards VTP     No, only the local VLAN       No
                  local VLANs are not shared with the VTP      advertisements.       configuration is stored
                  network.                                                           in NVRAM.

All switches in a VTP domain need the operating mode, domain name and VTP password configured on them individually. A client switch can learn the domain name from a server switch, but only while its own domain is still in the null state; it does not learn a new name if one has already been set. For that reason it is good practice to configure the domain name manually on all switches so that it is definitely correct. Switches in different VTP domains do not exchange VLAN information. e.g. for three switches:
S1(config)# vtp mode server
Device mode already VTP SERVER.
S1(config)# vtp domain Lab4
Changing VTP domain name from NULL to Lab4
S1(config)# vtp password cisco
Setting device VLAN database password to cisco
S2(config)# vtp mode client
Setting device to VTP CLIENT mode
S2(config)# vtp domain Lab4
Changing VTP domain name from NULL to Lab4
S2(config)# vtp password cisco
Setting device VLAN database password to cisco
S3(config)# vtp mode transparent (transparent mode forwards updates but doesn't act on them)
Setting device to VTP TRANSPARENT mode.
S3(config)# vtp domain Lab4
Changing VTP domain name from NULL to Lab4
S3(config)# vtp password cisco
Setting device VLAN database password to cisco

Caveat: servers and clients both accept any advertisement for their domain that carries a higher configuration revision number than their own. A switch plugged in with the right domain name and password but a higher revision (an old lab switch, or a second "server" someone set up) therefore overwrites the VLAN database of the whole domain, and every port in a VLAN that disappears goes down. Before connecting a switch, check its Configuration Revision with "show vtp status" and reset it to 0 by putting it in transparent mode or by changing its domain name and changing it back; set a VTP password on every switch; or avoid the problem entirely by running transparent mode everywhere.

Pruning: VTP pruning allows a VTP server to suppress broadcast and unknown-unicast traffic for specific VLANs towards switches that have no ports in that VLAN. By default, all unknown unicasts and broadcasts in a VLAN are flooded over the entire VLAN, so every switch in the domain receives every broadcast even when only a few users are in that VLAN. VTP pruning eliminates ("prunes") this unnecessary traffic and saves LAN bandwidth, because broadcasts aren't sent to switches that don't need them. Pruning is configured on the server switch with the vtp pruning command in global configuration mode, and the setting is pushed to the client switches, e.g.:
S1(config)# vtp pruning (note this doesn't work in Packet Tracer)
Troubleshooting:
S1# show vtp [ status | counters | password ]
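To make the mode table and the revision-number caveat concrete, here is an added example (not from the sheet, and not IOS code) that models how a server, a client and a transparent switch each treat a VTP advertisement. Real VTP authenticates advertisements with an MD5 digest computed over the password and the VLAN database; the model simplifies that to a direct password comparison. The switch names and VLANs are the three-switch lab above; the "Old" switch with revision 25 is constructed.

```python
# Constructed model of VTP advertisement handling (not IOS code). The real protocol
# carries an MD5 digest of password + database; modelled here as a password comparison.

DEFAULT_VLANS = {1: "default", 1002: "fddi-default", 1003: "token-ring-default",
                 1004: "fddinet-default", 1005: "trnet-default"}


class VtpSwitch:
    def __init__(self, name, mode, domain, password, revision=0, vlans=None):
        assert mode in ("server", "client", "transparent")
        self.name, self.mode, self.domain, self.password = name, mode, domain, password
        self.revision = revision
        self.vlans = dict(vlans) if vlans else dict(DEFAULT_VLANS)

    def add_vlan(self, vid, vlan_name):
        """Local VLAN change: clients can't; servers bump the revision; transparent stays at 0."""
        if self.mode == "client":
            raise PermissionError(f"{self.name}: VTP client, VLAN configuration not allowed here")
        self.vlans[vid] = vlan_name
        if self.mode == "server":
            self.revision += 1

    def set_domain(self, domain):
        """Changing the domain name resets the configuration revision to 0."""
        self.domain, self.revision = domain, 0

    def advertisement(self):
        return {"domain": self.domain, "password": self.password,
                "revision": self.revision, "vlans": dict(self.vlans)}

    def receive(self, adv):
        """Return 'forwarded', 'ignored' or 'applied' to say what happened to the advert."""
        if self.mode == "transparent":
            return "forwarded"                  # relayed onwards, never applied locally
        if adv["domain"] != self.domain or adv["password"] != self.password:
            return "ignored"                    # other domain, or digest check fails
        if adv["revision"] <= self.revision:
            return "ignored"                    # nothing newer than what we already hold
        self.vlans = dict(adv["vlans"])         # servers AND clients accept a higher revision
        self.revision = adv["revision"]
        return "applied"


def build_lab():
    """S1 server, S2 client, S3 transparent, domain Lab4, as configured above."""
    s1 = VtpSwitch("S1", "server", "Lab4", "cisco")
    s2 = VtpSwitch("S2", "client", "Lab4", "cisco")
    s3 = VtpSwitch("S3", "transparent", "Lab4", "cisco")
    for vid, vname in ((10, "Staff"), (20, "Students"), (30, "Guests"), (99, "Management")):
        s1.add_vlan(vid, vname)                 # revision ends at 4
    s3.add_vlan(50, "LocalOnly")                # stays local to S3
    adv = s1.advertisement()
    results = {sw.name: sw.receive(adv) for sw in (s2, s3)}
    return s1, s2, s3, results


def plug_in_stale_switch(s1, s2, s3):
    """A switch with the right domain and password but a HIGHER revision and an
    almost empty database wipes the VLANs from every server and client in the domain."""
    rogue = VtpSwitch("Old", "server", "Lab4", "cisco", revision=25)
    adv = rogue.advertisement()
    return {sw.name: sw.receive(adv) for sw in (s1, s2, s3)}


if __name__ == "__main__":
    s1, s2, s3, res = build_lab()
    print("after S1 advertises:", res, "S2 VLANs:", sorted(s2.vlans))
    print("stale switch plugged in:", plug_in_stale_switch(s1, s2, s3), "S2 VLANs:", sorted(s2.vlans))
```

The second print is the "VTP bomb": S1 is a server and still loses its VLANs, because revision number, not mode, decides who wins. Only S3, in transparent mode, keeps its database.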

4) STP
Essentials: Basic spanning-tree functionality is switched on automatically on a Cisco switch.
S1# show spanning-tree (shows details of the spanning tree in use on the switch)
You may want to change the version of spanning tree from basic PVST+ to RPVST+, which converges much faster:
S1# config t
S1(config)# spanning-tree mode [ pvst | rapid-pvst ] (changes to the more advanced version of spanning tree)
You may also want to set access ports to use PortFast, so that as soon as they come up they are ready to forward user data. Without PortFast an access port still sits in the listening and learning states (two forward delays, 30 seconds by default) before it forwards, which makes DHCP and some user programs on end devices time out while they wait for the port. PortFast does not stop the port from sending or accepting BPDUs, which is why a switch plugged into such a port is dangerous. As a safety precaution, to prevent PortFast being used on ports which are actually connected to another switch, enable BPDU guard first:
S1(config)# spanning-tree portfast bpduguard default (err-disables any PortFast port that receives a BPDU)
S1(config)# spanning-tree portfast default (allows all access ports to transition immediately to forwarding by default)
This can instead be done on a per-interface basis as follows, though the global commands are easier:
S1(config)# interface fa0/12 (for example)
S1(config-if)# spanning-tree bpduguard enable
S1(config-if)# spanning-tree portfast
Bridge Priorities: A network of switches elects a root bridge between them for STP. They do this by exchanging BPDU frames which contain information such as the bridge priority, the VLAN ID (used in PVST+) and the MAC address. The bridge ID (BID) is the bridge priority value with the VLAN number added on (the extended system ID); the switch with the lowest BID is elected root bridge. If BIDs are the same then the switch with the lowest MAC address is elected, which makes the election effectively random (in practice the oldest switch tends to win) if you don't change the bridge priority manually. By default switches have a bridge priority of 32768, which is 65536/2. Priority can be set from 0 to 61440 in increments of 4096. You can set priority using the macros:
S1(config)# spanning-tree vlan 10 root primary
S3(config)# spanning-tree vlan 10 root secondary
or by explicitly choosing values:
S1(config)# spanning-tree vlan 10 priority 24576
S3(config)# spanning-tree vlan 10 priority 28672
By default Cisco switches run PVST+, which means that each VLAN runs its own instance of STP, and each instance adds the VLAN number to the bridge priority value. So if your bridge has the default priority of 32768 and you issue the show spanning-tree command, you see output for each VLAN: for VLAN 1 the priority shows as 32769, for VLAN 2 as 32770, and so on.
Port Roles: Using basic STP, port roles are decided during the root bridge election as BPDUs are received, rather than waiting until a root bridge has been picked, which means that a port may change role several times during the election as the believed root bridge changes.

The root bridge sets all of its ports to "Designated". Every other switch sets one port as its "Root" port: the one with the lowest path cost to the root bridge. If the cost is the same for two ports, the sender's BID is compared, then the sender's port priority (which can be configured manually), then the sender's port ID. These switches then decide whether each of their other ports is "Designated" or "Non-Designated". Each segment can have only one designated port in order to avoid loops: the end of the segment with the lowest path cost to the root bridge wins, and if the path costs are equal the BIDs are compared and the switch with the lower BID gets the designated port.

Cost to root bridge is cumulative, you add up all links along the route to the root to get the total cost, based on: 10BaseT links are 100. Fastethernet links are 19. Gigabit links are 4. 10Gb links are 2.

"Designated" ports forward normal traffic. "Non-Designated" ports block normal traffic.
Spanning-Tree Port States
The ports on a bridge or switch running IEEE 802.1D STP can transition through five different states:
- Blocking: A blocked port won't forward frames; it just listens to BPDUs. The purpose of the blocking state is to prevent the use of looped paths. All ports are in the blocking state by default when the switch is powered up, and a port that stops hearing BPDUs waits max age (20 seconds by default) before it moves on to listening.
- Listening: The port listens to BPDUs to make sure no loops occur on the network before passing data frames. A port in the listening state prepares to forward data frames without populating the MAC address table.
- Learning: The switch port listens to BPDUs and learns the MAC addresses on its segment. A port in the learning state populates the MAC address table but still doesn't forward data frames. Forward delay is the time it takes to transition a port from listening to learning (or from learning to forwarding); it is 15 seconds by default and can be seen in the show spanning-tree output, so a port needs 30 seconds to go from listening to forwarding, or up to 50 seconds from blocking.
- Forwarding: The port sends and receives all data frames on the bridged port. If the port is still a designated or root port at the end of the learning state, it enters the forwarding state.
- Disabled: (technically not a transition state) A port in the disabled state (administratively shut down, or err-disabled) does not participate in frame forwarding or STP. A port in the disabled state is virtually non-operational.
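The election, root-port and designated-port rules above, together with the cost table, can be worked through in code. This is an added example, not part of the sheet and not how IOS implements STP: it computes, for one VLAN, the root bridge, every switch's cost to the root and the role of every port, on a constructed three-switch triangle whose names, MAC addresses and priorities are made up (S1 has been given priority 24576 as if "spanning-tree vlan 10 root primary" had been issued).

```python
import heapq

# Short-method link costs from the sheet above: speed in Mb/s -> STP path cost.
LINK_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(switch, vlan):
    """PVST+ BID with the extended system ID: (priority + VLAN, MAC). Lower tuple wins,
    so equal priorities fall through to the lowest MAC address."""
    priority, mac = switch
    return (priority + vlan, mac)


def elect_root(switches, vlan):
    return min(switches, key=lambda name: bridge_id(switches[name], vlan))


def root_path_costs(links, root):
    """Cumulative cost to the root for every switch (Dijkstra over the link costs)."""
    adj = {}
    for a, _, b, _, speed in links:
        adj.setdefault(a, []).append((b, LINK_COST[speed]))
        adj.setdefault(b, []).append((a, LINK_COST[speed]))
    cost, heap = {root: 0}, [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > cost[node]:
            continue
        for nxt, c in adj.get(node, []):
            if d + c < cost.get(nxt, float("inf")):
                cost[nxt] = d + c
                heapq.heappush(heap, (d + c, nxt))
    return cost


def port_roles(switches, links, vlan):
    """Return (root, cost-to-root per switch, {(switch, port): role}) for one VLAN."""
    root = elect_root(switches, vlan)
    cost = root_path_costs(links, root)
    bid = {name: bridge_id(sw, vlan) for name, sw in switches.items()}
    roles, best = {}, {}
    # Root port: on every non-root switch, the port whose neighbour offers the lowest
    # root path cost; ties go to the lower sender BID, then the lower sender port ID.
    for a, pa, b, pb, speed in links:
        for me, my_port, nb, nb_port in ((a, pa, b, pb), (b, pb, a, pa)):
            if me == root:
                continue
            cand = (cost[nb] + LINK_COST[speed], bid[nb], nb_port, my_port)
            if me not in best or cand < best[me]:
                best[me] = cand
    for me, cand in best.items():
        roles[(me, cand[3])] = "root"
    # Designated port: one per segment, at the end with the lower (root path cost, BID).
    # The root bridge has cost 0, so all of its ports end up designated.
    for a, pa, b, pb, _ in links:
        if (cost[a], bid[a]) < (cost[b], bid[b]):
            des, other = (a, pa), (b, pb)
        else:
            des, other = (b, pb), (a, pa)
        roles[des] = "designated"
        roles.setdefault(other, "blocked")   # non-designated unless it is already the root port
    return root, cost, roles


# Constructed triangle: S1 at priority 24576 for VLAN 10, S2 and S3 at the default 32768.
SWITCHES = {"S1": (24576, "0000.0000.000a"),
            "S2": (32768, "0000.0000.000b"),
            "S3": (32768, "0000.0000.000c")}
LINKS = [("S1", "fa0/1", "S2", "fa0/1", 100),
         ("S1", "fa0/2", "S3", "fa0/1", 100),
         ("S2", "fa0/2", "S3", "fa0/2", 100)]

if __name__ == "__main__":
    root, cost, roles = port_roles(SWITCHES, LINKS, 10)
    print("root bridge for VLAN 10:", root, "costs to root:", cost)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} {port}: {role}")
```

The S2-S3 segment is the interesting one: both ends are 19 from the root, so the tie is broken on BID and S3's fa0/2 is the port that blocks. Change S1's priority back to 32768 and the root moves to whichever switch has the lowest MAC, which is exactly why the priority should be set deliberately.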

Configure port priority (STP): S1(config-if)# spanning-tree port-priority [ 0 - 240, in steps of 16; default 128 ] (lower wins). Note that "switchport priority extend cos [ 0 - 7 ]" sets the QoS class of service for a PC behind an IP phone, not the STP port priority (see more details on the 'CCNA Additional Resources & Info' page).
PVST+: Instead of having one root bridge for the network, root bridges can be assigned per VLAN. So S1 may be root bridge for half the VLANs, and S3 root bridge for the other half. This makes figuring out port roles more complicated, as a port can now be forwarding for some VLANs but blocking for other VLANs, which works fine as long as there are no loops within each VLAN.
Debug: S1# debug spanning-tree events (doesn't work in Packet Tracer)
Port Security: Configure ports to allow only a single host and learn the MAC address of the host dynamically.
S2(config)# interface range fa0/6 - fa0/10
S2(config-if-range)# switchport mode access (port security is rejected on a port still in dynamic mode, with an error such as "Command rejected: FastEthernet0/6 is a dynamic port.")
S2(config-if-range)# switchport port-security (this enables port security; do this first, without any of the options below)
S2(config-if-range)# switchport port-security maximum 1
S2(config-if-range)# switchport port-security mac-address sticky (learned addresses are written into the running-config, so they survive a reload once you save)
S2(config-if-range)# switchport port-security violation [ shutdown | protect | restrict ]
   (shutdown, the default, puts the port into the err-disabled state when an alien MAC address is detected, and it stays down until you do shut/no shut or configure "errdisable recovery cause psecure-violation"; protect silently drops frames from the alien address while the allowed host keeps working; restrict also drops the alien's frames, but additionally increments the violation counter and sends a syslog message and SNMP trap, so it gives you visibility without taking the port down)
S2(config-if-range)# spanning-tree bpduguard enable (puts the port into the err-disabled state if a BPDU is received)
S2(config-if-range)# spanning-tree portfast (allows the port to transition immediately to forwarding, bypassing the STP listening/learning delay)
Check: S2# show port-security interface fa0/6 and S2# show port-security address
BPDU guard is useful for two reasons. Firstly, if somebody attaches a rogue switch to an access port and sends BPDUs (for example to take over as root bridge), the port is disabled before the topology changes. Secondly, if you mistakenly configure a port connected to another switch as an access port with BPDU guard and PortFast, BPDU guard saves you from loops by disabling the port. So always configure BPDU guard before PortFast.
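The difference between the three violation modes is easiest to see by running the same three frames through each one. The following is an added example, not from the sheet and not IOS code: a small model of a port-security port with "maximum 1" and sticky learning, fed a constructed frame sequence (legitimate host, then a second adapter, then the legitimate host again). The MAC addresses and the syslog text are constructed to look like IOS output.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Constructed model of 'switchport port-security' behaviour (not IOS code)."""
    name: str
    maximum: int = 1
    violation: str = "shutdown"          # shutdown (default) | protect | restrict
    sticky: bool = False
    secure_macs: list = field(default_factory=list)
    err_disabled: bool = False
    violation_count: int = 0
    syslog: list = field(default_factory=list)

    def ingress(self, src_mac):
        """Return True if a frame from src_mac is forwarded, False if it is dropped."""
        if self.err_disabled:
            return False                          # nothing passes an err-disabled port
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)      # learned dynamically; sticky also writes it to the config
            return True
        # An address beyond 'maximum': this is a violation.
        if self.violation == "protect":
            return False                          # silent drop: no counter, no log
        self.violation_count += 1
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                           f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.err_disabled = True              # port goes err-disabled; the allowed host is cut off too
        return False                              # restrict: drop the frame but keep the port up

    def running_config(self):
        """What 'show running-config' would show for this port (sticky addresses included)."""
        lines = [f"interface {self.name}", " switchport mode access", " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}" for m in self.secure_macs]
        return "\n".join(lines)

    def shut_no_shut(self):
        """Operator recovery of an err-disabled port (or errdisable recovery cause psecure-violation)."""
        self.err_disabled = False


def demo(mode):
    """Legitimate host first, then an attacker's adapter, then the legitimate host again."""
    port = SecurePort("FastEthernet0/6", violation=mode, sticky=True)
    frames = ["aaaa.bbbb.0001", "dead.beef.0002", "aaaa.bbbb.0001"]   # constructed MACs
    return [port.ingress(m) for m in frames], port


if __name__ == "__main__":
    for mode in ("shutdown", "protect", "restrict"):
        forwarded, port = demo(mode)
        print(f"{mode:9} forwarded={forwarded} violations={port.violation_count} "
              f"err-disabled={port.err_disabled} syslog={len(port.syslog)}")
```

Only "shutdown" takes the legitimate host down with the intruder; "protect" and "restrict" both keep it working and differ only in whether you ever find out that something happened.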

5) Etherchannels
When you aggregate multiple physical links into one logical link, it's called an EtherChannel. There are two protocols which negotiate the aggregated links: the IEEE standard LACP (802.3ad) and the Cisco-proprietary PAgP. Both do essentially the same job, but they don't interoperate, so both ends of a channel must use the same one (or "on" mode at both ends, which bundles with no negotiation at all and is the easiest way to create a loop if the cabling is wrong).
Configure EtherChannel
S2(config)# interface port-channel <1-6> (creates the EtherChannel and assigns it a number, 1 to 6 on this platform)
S2(config-if)# interface range fa0/3 - fa0/4 (choose the links you want to include in the EtherChannel)
S2(config-if-range)# switchport mode trunk
S2(config-if-range)# switchport nonegotiate (eliminates any DTP negotiation; this interface will be a trunk without a doubt)
S2(config-if-range)# channel-group 1 mode desirable (enable PAgP unconditionally)
S2(config-if-range)# end
S2# show etherchannel summary (one line per channel; each member port should show (P) for bundled, not (s) suspended or (D) down)
S2# show interfaces etherchannel (shows EtherChannel info per interface)
The channel-group modes: "desirable" uses PAgP unconditionally and "auto" waits for the other end to start PAgP; "active" would enable LACP unconditionally instead and "passive" waits for the other end to start LACP; "on" forces the bundle with no protocol. A channel forms for desirable/desirable, desirable/auto, active/active, active/passive or on/on. Every member port must have identical settings (speed, duplex, switchport mode, native and allowed VLANs), otherwise the mismatched port is suspended from the bundle. Then go to the switch at the other end of the EtherChannel and configure the interfaces at the opposite ends of the links in the same way.

6) Wireless

Data-Rate-Shift
802.11a, b, g and n are all capable of data-rate shifting, where the speed at which a client communicates changes with signal quality. So a client may be too far from an 802.11g access point to get the full 54 Mbps, but as it is brought closer the speed of its connection steps up from 1 Mbps to 2, then 5.5, and so on. This happens seamlessly.
802.11n
802.11n has three major benefits over the previous 802.11 standards:
1) MIMO (multiple input, multiple output): multiple antennae on an AP (access point) allow frames to be sent from multiple sources over multiple paths and then recombined by the receiving set of antennae to optimise throughput and multipath resistance. This is called spatial multiplexing. The cool thing about spatial multiplexing is that what was once a problem (frames arriving out of sequence or repeated because they took different paths) is now used to advantage.
2) It can use 40 MHz channels instead of the usual 20 MHz, which gives more throughput.
3) Previous standards require each frame to be acknowledged, but with 802.11n a number of frames may be received before an acknowledgement needs to be sent. This is called "block acknowledgement" and is very similar to TCP windowing.
Types of Wireless Networks
IBSS (independent basic service set): two clients talk directly to each other without going through an access point; this is "ad-hoc" mode.
BSS (basic service set): clients talk to each other through an AP; this is "infrastructure" mode. The SSID (service set ID) is the name of the network.
ESS (extended service set): multiple APs connected to your wired network, each with the same SSID, which lets clients roam between their coverage cells while effectively staying connected to the same network. ESS APs should overlap their coverage cells by 10 to 20% for roaming to be seamless. To avoid interference, use a different channel on each neighbouring AP; in the 2.4 GHz band channels 1, 6 and 11 are the ones guaranteed not to overlap each other.
Wireless Security
Traditionally the security options were "open" (just configure the correct SSID on the client) or WEP, which is crackable in minutes. In 2002-2003 the 802.11i task group and the Wi-Fi Alliance produced TKIP, which the Wi-Fi Alliance branded as WPA (Wi-Fi Protected Access). TKIP (Temporal Key Integrity Protocol) was attractive because no new hardware was needed to upgrade to it: it uses the same RC4 algorithm as WEP. TKIP improves on WEP in three areas: firstly it mixes the root key with the initialization vector (per-packet key mixing) rather than concatenating them as WEP did before passing them to RC4; secondly it introduced a sequence counter for packets, so that packets received out of order are rejected (replay protection); thirdly it provides a rekeying mechanism that derives a unique key for each packet, which limits the volume of data encrypted under any one key. These three improvements address the major weaknesses of WEP. See the Wikipedia article on TKIP for full details.
In 2004 the 802.11i task group completed its final specification, 802.11i-2004, which added 802.1X and made AES-CCMP the mandatory cipher (TKIP over RC4 survives only for backwards compatibility). The Wi-Fi Alliance branded this finalised version WPA2. It uses 802.1X PNAC (port-based network access control) for authentication and AES-CCMP (which closes the holes left in TKIP) for encryption and data integrity. AES (Advanced Encryption Standard) is the block cipher; CCMP is the mode in which 802.11i uses it (counter mode for confidentiality with CBC-MAC for integrity). It is far stronger than RC4, but WEP/TKIP-era radios were built around RC4 and cannot run it, so WPA2 needed new hardware.
WPA2-PSK (pre-shared key): a passphrase is set on the access point and also configured on the client. The passphrase and the SSID are hashed into the 256-bit PMK (pairwise master key), and the 4-way handshake then derives from it the per-session keys that actually encrypt each packet. Caveat: anyone in radio range can capture that handshake and guess the passphrase offline at leisure, so the security of WPA2-PSK is exactly the strength of the passphrase, and every client that knows the PSK can derive the session keys of any other client it overhears joining.
WPA2 Enterprise: uses 802.1X with EAP (Extensible Authentication Protocol). EAP involves the supplicant (client), the authenticator (the AP) and the authentication server (typically RADIUS); each user has individual credentials and gets individual session keys, so there is no shared secret to leak.
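The PSK-to-PMK step above is a plain PBKDF2 computation, and seeing it run is the quickest way to understand why passphrase strength is everything in WPA2-PSK. This is an added example, not part of the sheet: it derives the PMK exactly as 802.11i specifies (PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits, SSID as salt), checks it against the published IEEE 802.11i test vector, and runs a constructed dictionary attack against a known PMK. The wordlist is made up; a real attacker verifies each guess against the MIC of a captured 4-way handshake rather than a known PMK, but the cost per guess is the same.

```python
import hashlib
import hmac


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK as specified in IEEE 802.11i: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes,
    with the SSID as salt (so the same passphrase gives a different PMK per network)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)


def offline_guess(target_pmk: bytes, ssid: str, wordlist):
    """Dictionary attack: each candidate costs 4096 HMAC-SHA1 rounds and needs no contact
    with the AP. Returns the passphrase that produces target_pmk, or None."""
    for word in wordlist:
        if hmac.compare_digest(wpa2_pmk(word, ssid), target_pmk):
            return word
    return None


# Published IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
IEEE_VECTOR = bytes.fromhex("f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")

# Constructed wordlist for the demonstration.
WORDLIST = ["letmein", "wireless", "password", "cisco123"]

if __name__ == "__main__":
    print("PMK for 'password' on SSID IEEE :", wpa2_pmk("password", "IEEE").hex())
    print("same passphrase on SSID Lab     :", wpa2_pmk("password", "Lab").hex())
    print("recovered from wordlist         :", offline_guess(IEEE_VECTOR, "IEEE", WORDLIST))
```

Two practical consequences follow from the code: the SSID salt means precomputed tables only work for common SSIDs, and 4096 rounds is cheap enough on modern GPUs that only a long random passphrase (or WPA2 Enterprise) puts the key out of reach.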

Configure Wireless on a Cisco router
(config)# interface dot11radio0/0/0
(config-if)# ip address 192.168.1.1 255.255.255.0 (for example)
(config-if)# description blah
(config-if)# no shut
(config-if)# ssid whatever
(config-if-ssid)# guest-mode (the interface will broadcast the SSID) (doesn't work in Packet Tracer)
(config-if-ssid)# authentication open (not secure at all: open is a lab-only option, and anything real should use WPA2) (doesn't work in PT)
(config-if-ssid)# infrastructure-ssid (rather than ad-hoc) (doesn't work in PT)

7) Multilayer Switch Configuration (also in CCNA General Info)


Configure Routing
Switch(config)# ip routing (not needed on routers, but needed on a multilayer switch, which does not route between its SVIs until this is set)
Switch(config)# router eigrp 1
Switch(config-router)# network 192.168.1.0 etc, etc, etc, see CCNA Cheat Sheet 2 for how to configure routing on a Cisco device.
Configure OSI Layer 3 Interfaces
...configure interfaces which have routers as neighbours:
Switch(config)# interface fa0/1 (for example)
Switch(config-if)# no switchport (the port becomes a routed port and can now be given an IP address like on a router)
Switch(config-if)# ip address ipAddress subnetMask
Switch(config-if)# no shutdown
...configure VLAN gateways (SVIs) as you would any other layer 3 interface; the VLAN must exist on the switch and have an active port before the SVI comes up:
Switch(config)# interface vlan 5 (for example)
Switch(config-if)# ip address 192.168.25.129 255.255.255.128 (for example; .128 is the network address of this /25 and cannot be assigned to an interface)
Configure Layer 2 Trunking Interfaces
...to carry the VLANs with those gateways to other switches:
Switch(config)# interface fa0/5 (for example)
Switch(config-if)# switchport trunk encapsulation dot1q (on switches that also support ISL the encapsulation must be set before the mode; otherwise "switchport mode trunk" is rejected with "An interface whose trunk encapsulation is Auto can not be configured to trunk mode")
Switch(config-if)# switchport mode trunk (similar to subinterfaces on Router-on-a-Stick, except you don't specify a VLAN number here, you specify trunk)
Switch(config-if)# switchport trunk native vlan number (only needed if the native VLAN has been changed from the default of 1; it must match the other end of the trunk)
Switch(config-if)# exit
