CCNP Switch (my notes)


CLEAR SWITCH

> enable
# conf t
# no ip domain lookup

# delete flash:vlan.dat          deletes the VLAN database (VLANs live in vlan.dat, not in startup-config)

# erase startup-config
# reload

# sh vlan br
# interface range fa 0/1-24
# shutdown
# exit
# no vlan 2-999                  if any such VLANs are still present (global config; only works in VTP server or transparent mode)
# vtp mode transparent

PREPARE SWITCH FOR USE

> enable
# conf t
# hostname SWITCH1
# interface vlan 1                          VLAN 1 is the management VLAN
# ip add 10.1.1.101 255.255.255.0           management IP on that VLAN
# no sh

# enable secret cisco

# line vty 0 15                             allow network access from other devices
# password cisco
# login

"cisco" is a lab password only. On real gear use a strong enable secret, local users with `username ... secret`, and restrict the vty lines to SSH (`transport input ssh`) instead of telnet.
VLANS, VLAN TRUNKING & VTP

Conf VTP
# sh vtp status                 VLAN information is not propagated until a domain name is specified and trunks are set up between the devices
# vtp domain andrelab
# vtp version 2                 all switches in the VTP domain must run the same VTP version
sw1> vtp mode server
sw2> vtp mode client

sw1> sh vtp status              always verify
sw2> sh vtp status              always verify

Conf trunks
# sh interfaces switchport      lists the configured mode of each port in detail

# interface range fa 0/1-2
# switchport trunk encapsulation dot1q      or isl; depends on whether the environment is Cisco-only (ISL is Cisco-proprietary, 802.1Q is the standard)
# switchport mode trunk

# sh interface trunk

Conf switchports
# interface fa 0/6
# switchport mode ?
# switchport mode access

# sh int fa 0/6 switchport      always verify

VLANs
Before configuring VLANs make sure the VTP configuration within the domain is the same:
# sh vtp status

VLAN 1 is the management VLAN by default. By default all ports are in dynamic (DTP) mode and their access VLAN is 1. There is no need to create VLAN 1, assign ports to it, or set the mode of each port.
Security caveat: a port left in dynamic mode will negotiate a trunk with anything that speaks DTP, which is the basis of VLAN-hopping attacks. Set every user port to `switchport mode access` and every trunk to `switchport mode trunk` plus `switchport nonegotiate`.

Assign VLAN 100 to fa 0/6:
# int fa 0/6
# switchport access vlan 100
Another way to create a VLAN is to assign a port to a VLAN that does not yet exist: if the switch is in VTP server or transparent mode, it automatically creates the VLAN that the port has been assigned to.

Shut down (NOT delete) a VLAN locally on the switch:
#(config)# vlan 120
#(config-vlan)# shutdown | no shutdown
#(config-vlan)# state suspend | active
CONFIGURE ETHERCHANNEL
Basic configuration must be set up like trunking:
1. make sure the ports are trunks with the same speed and duplex
2. create the port-channel group (this is a logical interface)
3. on the logical interface configure the trunk

# sh int trunk
# interface range gigabitethernet 0/1-2
# channel-group 1 mode ?                  shows the available modes: LACP (active/passive), PAgP (desirable/auto), or on
# channel-group 1 mode desirable          desirable means the switch actively negotiates to form a PAgP link
# interface port-channel 1
# switchport mode trunk

# show etherchannel summary               if the channel doesn't come up, check the two points below

SPANNING TREE & TRUNK

# switchport mode trunk                   trunking must be OK (same on both ends)
# sh spanning-tree                        interface status must be FWD

-----------------------------------
Now configure LACP
-------------------
Again, remember you are setting up: 1. the interface range as a channel-group, 2. the channel group (port-channel) as switchport mode trunk.
# interface range fa 0/11-12
# channel-group 2 mode active
# interface port-channel 2
# switchport trunk encapsulation dot1q
# switchport mode trunk

# show etherchannel summary
# show etherchannel 2 detail
# show etherchannel port-channel

# show interfaces fa0/13 | include line protocol

-----------------------------------
Now configure an L3 EtherChannel
-------------------
# interface range fa 0/11-12
# no switchport                  WHY? Because it is L3; remember `no switchport`, since switchport means L2
# channel-group 3 mode desirable
# interface port-channel 3
# ip address 10.0.0.1 255.255.255.0

Load-balancing
# show etherchannel load-balance          by default: source MAC address

# port-channel load-balance src-dst-mac
# port-channel load-balance dst-ip
Other methods of load balancing are: both source and destination MAC addresses, source IP address, destination IP address, and both source and destination IP addresses.
Some older platforms, like Catalyst 2950 and Catalyst 3550 switches, may not support all of these methods.
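The choice of load-balancing method decides whether a bundle actually spreads traffic. The Python below is an added example, not part of these notes or of any Cisco code: it models the Catalyst hash as "XOR the chosen address fields and keep the low 1, 2 or 3 bits for 2, 4 or 8 members", which is a simplification of the platform-specific hash. The MACs and addresses are made up. Eight hosts all sending to one gateway MAC (the HSRP virtual MAC) show the polarisation you get from dst-mac on an access-switch uplink.

```python
"""Added example (not from the notes): how an EtherChannel hash picks a member
link, in a simplified model of the Catalyst XOR-of-low-bits hash."""

def mac_low_byte(mac: str) -> int:
    """Last byte of a MAC written as 0000.0c11.1111 or 00:00:0c:11:11:11."""
    return int(mac.replace(".", "").replace(":", "")[-2:], 16)

def ip_low_byte(ip: str) -> int:
    return int(ip.split(".")[-1])

def select_link(method: str, frame: dict, n_links: int) -> int:
    """Return the member index (0..n_links-1) for a frame under one
    `port-channel load-balance` method. The real hash is platform specific;
    this keeps only the documented idea: XOR the chosen fields and use the
    low log2(n_links) bits (1 bit for 2 links, 2 for 4, 3 for 8)."""
    if n_links not in (2, 4, 8):
        raise ValueError("model covers 2, 4 or 8 members only")
    fields = {
        "src-mac":     [mac_low_byte(frame["smac"])],
        "dst-mac":     [mac_low_byte(frame["dmac"])],
        "src-dst-mac": [mac_low_byte(frame["smac"]), mac_low_byte(frame["dmac"])],
        "src-ip":      [ip_low_byte(frame["sip"])],
        "dst-ip":      [ip_low_byte(frame["dip"])],
        "src-dst-ip":  [ip_low_byte(frame["sip"]), ip_low_byte(frame["dip"])],
    }[method]
    h = 0
    for value in fields:
        h ^= value
    return h & (n_links - 1)

def distribution(method: str, frames: list, n_links: int) -> list:
    """Frames per member link; a result like [0, 8] means one link carries all."""
    counts = [0] * n_links
    for frame in frames:
        counts[select_link(method, frame, n_links)] += 1
    return counts

# Constructed sample: eight hosts in VLAN 10 talking to the HSRP gateway
# (virtual MAC 0000.0c07.ac01, virtual IP 172.16.10.1) over a 2-link uplink.
GATEWAY_MAC, GATEWAY_IP = "0000.0c07.ac01", "172.16.10.1"
UPLINK_FRAMES = [
    {"smac": f"0000.aaaa.aa{i:02x}", "dmac": GATEWAY_MAC,
     "sip": f"172.16.10.{10 + i}", "dip": GATEWAY_IP}
    for i in range(1, 9)
]

if __name__ == "__main__":
    for method in ("src-mac", "dst-mac", "src-dst-ip"):
        print(f"{method:12} -> {distribution(method, UPLINK_FRAMES, 2)}")
```

Run it and dst-mac puts all eight flows on one member while src-mac and src-dst-ip split them evenly; on the distribution switch, where the return traffic comes from one gateway MAC, the opposite holds, which is why the method is chosen per switch.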

STP
Display default spanning tree info for all switches:
# sh spanning-tree
By default, spanning tree runs on every port. When a new link becomes active, the port goes through the IEEE 802.1D listening and learning states before transitioning to the forwarding state. During this period the switch discovers whether it is connected to another switch or to an end-user device. Spanning tree operation is based on the MAC addresses of the switches. Within spanning tree you can also modify port priorities to determine which ports are forwarding and which are blocking.

# show spanning-tree root                 which switch is root in our STP topology
By default the same switch tends to be root for all VLANs (lowest bridge ID); you can change it on a per-VLAN basis:
sw1 # spanning-tree vlan 1 root primary
sw2 # spanning-tree vlan 1 root secondary

To choose which port becomes the root port on a non-root switch when faced with equal-cost redundant root paths via the same neighbor, the switch looks at the port priorities first. You can change the priority of a port if you want to alter the path, BUT always check the priorities before altering them:
# show spanning-tree
Port priorities range from 0 to 240 in increments of 16. The default priority is 128, and a lower priority is preferred. Change them on the switch closer to the root (the downstream switch compares the priority carried in the BPDUs it receives).
# int fa 0/12
# spanning-tree port-priority 112
-------------------
Another way of changing which port becomes the root port is to modify the port costs:
cost of 4     gigabit
cost of 19    fastethernet
cost of 100   10base Ethernet port
lower is better!
Check the current cost with a simple show spanning-tree:
# sh spanning-tree
# interface fa 0/24
# spanning-tree cost 10
-----------------------------------
RSTP (rapid spanning tree protocol) greatly reduces the time for a port to transition to forwarding while still preventing bridging loops. Cisco-proprietary per-VLAN rapid spanning tree (PVRST+) combines the functionality of RSTP and PVST.
-------------------
MST is configured globally; we configure the MST region settings to group VLANs into instances:
# spanning-tree mode mst
# show spanning-tree mst configuration
# spanning-tree mst configuration
## name CISCO
## revision 1
## instance 1 vlan 20-50
## instance 2 vlan 100,110,111
## show current | show pending
Name, revision and the VLAN-to-instance map must be identical on every switch in the region.

PORT-FAST on access port

PortFast is a feature of STP that allows you to bypass the normal IEEE 802.1D states and move the port into the forwarding state as soon as it is turned on. The lab bounces the port first (not strictly required):
# interface fa 0/1
# shutdown
# spanning-tree portfast
# no shutdown
# spanning-tree portfast trunk            to be used only on trunks connected to non-switching devices (e.g. a server with a tagged NIC)
Never enable PortFast on a port that can face another switch; pair it with BPDU guard (see SECURING SPANNING-TREE-PROTOCOL below).

You will configure a group of switches and a router for the International Travel Agency. The
network includes two distribution switches, DLS1 and DLS2, and two access layer switches,
ALS1 and ALS2. External router R1 and DLS1 provide inter-VLAN routing. Design the addressing
scheme using the address space 172.16.0.0/16 range. You can subnet it any way you want,
although it is recommended to use /24 subnets for simplicity.

1. Disable the links between the access layer switches. Does this have to be done on all links? NO! Only fa0/11 and fa0/12 (the ALS1-ALS2 links), not fa0/7-12.
# interface range fa 0/11-12
# shutdown
2. Place all switches in the VTP domain CISCO. Make DLS1 the VTP server and all other
switches VTP clients.
# show vtp status
# vtp version 2
# vtp domain CISCO
# vtp mode server | client
# show vtp status

3. On DLS1, create the VLANs shown in the VLAN table and assign the names given. For subnet planning, allocate a subnet for each VLAN.

VLANs are created on the switches first. When you create a VLAN on a switch you don't need a default gateway or IP address, because the VLANs are local to the switch.

If you want inter-VLAN routing you need a router. You then set up a trunk port between the switch and the router (ISL or 802.1Q). Because there is now a trunk between switch and router, you configure sub-interfaces on the router with the gateway address and subnet mask for each VLAN.

If you use an L3 SWITCH you don't need any subinterfaces: you create a VLAN interface (SVI) with the gateway address, but you need to enable IP routing on the switch (`ip routing`).

The management VLAN is the VLAN you use to reach the switch's management capabilities; you assign the management VLAN an IP and subnet mask. Of course the IP on every other switch is different:

sw1# interface vlan 99                       sw2# interface vlan 99                       sw3# interface vlan 99
sw1# ip add 172.16.99.11 255.255.255.0       sw2# ip add 172.16.99.12 255.255.255.0       sw3# ip add 172.16.99.13 255.255.255.0
sw1# no sh                                   sw2# no sh                                   sw3# no sh

ON ROUTER:
# interface FastEthernet0/0.1
# encapsulation dot1q 10                     10 is the VLAN ID
# ip address 10.1.1.1 255.255.255.0

Simply create the VLANs and VLAN names; the subnet planning is only something to keep in mind at this point:
# vlan 10
# name RED
# vlan 20
# name BLUE
# vlan 30
# name ORANGE
# vlan 40
# name GREEN

4. Configure DLS1 as the primary spanning-tree root bridge for all VLANs. Configure DLS2 as the backup root bridge for all VLANs.
DLS1> spanning-tree vlan 1-4094 root primary        `vlan 1 root primary` alone changes only VLAN 1; give the whole range (valid VLAN IDs are 1-4094)
DLS2> spanning-tree vlan 1-4094 root secondary

5. Configure Fa0/12 between DLS1 and DLS2 as a Layer 3 link and assign a subnet to it.
DLS1> interface fa 0/12
DLS1> no switchport                  done on an L3 switch
DLS1> ip add 172.16.100.10 255.255.255.0
DLS1> no sh

DLS2> interface fa 0/12
DLS2> no switchport                  done on an L3 switch
DLS2> ip add 172.16.100.20 255.255.255.0
DLS2> no sh
6. Create a loopback interface on DLS1 and assign a subnet to it.

DLS1> interface loopback 0
DLS1> ip add 200.200.200.1 255.255.255.0
DLS1> no sh
DLS1> sh interface loopback 0

7. Configure the Fa0/11 link between DLS1 and DLS2 as an ISL trunk.
DLS1> int fa 0/11
DLS1> switchport trunk encapsulation isl       (the choices are dot1q | isl)
DLS1> switchport mode trunk
DLS1> no sh

8. Configure all other trunk links using 802.1Q.

ALL_SW> int range fa 0/7-10
ALL_SW> switchport trunk encapsulation dot1q
ALL_SW> switchport mode trunk
ALL_SW> no sh

9. Bind together the links from DLS1 to each access switch in an EtherChannel.
One bundle per neighbor, because a bundle must terminate on a single switch: fa0/7-8 go to ALS1, fa0/9-10 go to ALS2 (one channel-group across both neighbors will not form).
DLS1> interface range fa 0/7-8
DLS1> channel-group 1 mode desirable
DLS1> interface range fa 0/9-10
DLS1> channel-group 2 mode desirable
If it still doesn't work, remember the trunk (you set it in the previous step).

10. Enable PortFast on all access ports.

ALL_SW> spanning-tree portfast default           global command: PortFast on every non-trunking port

11. Place Fa0/15 through Fa0/17 on ALS1 and ALS2 in VLAN 10.

ALS1_ALS2> int range fa 0/15-17
ALS1_ALS2> switchport mode access           this is an access port, so set access mode first
ALS1_ALS2> switchport access vlan 10        then add the VLAN to the port

Place Fa0/18 and Fa0/19 on ALS1 and ALS2 in VLAN 20.

ALS1_ALS2> int range fa 0/18-19
ALS1_ALS2> switchport mode access
ALS1_ALS2> switchport access vlan 20

Place Fa0/20 on ALS1 and ALS2 in VLAN 30.

ALS1_ALS2> int fa0/20
ALS1_ALS2> switchport mode access
ALS1_ALS2> switchport access vlan 30

12.Create an 802.1Q trunk link between R1 and ALS2. Allow only VLANs 10 and 40 to pass
through the trunk.
ALS2> int fa0/1
ALS2> switchport trunk encapsulation dot1q
ALS2> switchport mode trunk
ALS2> switchport trunk allowed vlan 10,40

13. Configure R1 subinterfaces for VLANs 10 and 40.

R1> int fa 0/1                         the interface type (FastEthernet/Ethernet) depends on how the router is connected
R1> no sh
R1> interface fa 0/1.10
R1> encapsulation dot1q 10
R1> ip add 172.16.10.50 255.255.255.0

R1> interface fa 0/1.40
R1> encapsulation dot1q 40
R1> ip add 172.16.40.50 255.255.255.0

14. Create an SVI on DLS1 in VLANs 20, 30, and 40. Create an SVI on DLS2 in VLAN 10, an SVI on ALS1 in VLAN 30, and an SVI on ALS2 in VLAN 40.
An SVI (switched virtual interface) is configured after VTP and trunking have been configured for the switches; it is configured on the distribution switch to route between these VLANs. Route means an L3 interface!
DLS1> interface vlan 20
DLS1> ip add 172.16.20.10 255.255.255.0
DLS1> no sh

DLS1> interface vlan 30
DLS1> ip add 172.16.30.10 255.255.255.0
DLS1> no sh

DLS1> interface vlan 40
DLS1> ip add 172.16.40.10 255.255.255.0
DLS1> no sh
(The DLS2, ALS1 and ALS2 SVIs are created the same way with their own addresses.)

15. Enable IP routing on DLS1. On R1 and DLS1, configure EIGRP for the whole major network (172.16.0.0/16) and disable automatic summarization.
DLS1> ip routing                 you need to allow the switch to act as an L3 device to route between the VLANs you set IPs on; routing is on, now the routing protocol: EIGRP
DLS1> router eigrp 1
DLS1> no auto-summary
DLS1> network 172.16.0.0

R1> router eigrp 1
R1> no auto-summary
R1> network 172.16.0.0
HOT STANDBY ROUTER PROTOCOL (HSRP)
HSRP is a redundancy protocol for establishing a fault-tolerant default gateway if the primary gateway becomes inaccessible.
VIRTUAL ROUTER REDUNDANCY PROTOCOL (VRRP) is the standards-based alternative to HSRP; not compatible with it, not Cisco-only.

Standard settings first, as always!
# hostname ALS1
# enable secret cisco
# line vty 0 15
# password cisco
# login
# exit
# interface vlan 1                               Layer 2 devices don't have an IP, so to set up a management IP you first need a VLAN (the default management VLAN is 1) and then assign an IP from the VLAN subnet, just one of the free IPs in the subnet
# ip add 172.16.1.101 255.255.255.0              every switch has a different IP, remember! This is the management IP, i.e. the IP for ssh / putty
# no shutdown

Configure trunks & EtherChannels between the switches:
DLS1> interface range fa 0/7-8
DLS1> switchport trunk encapsulation dot1q
DLS1> switchport mode trunk
DLS1> channel-group 1 mode desirable
same switch, next port-channel:
DLS1> interface range fa 0/11-12
DLS1> switchport trunk encapsulation dot1q
DLS1> switchport mode trunk
DLS1> channel-group 2 mode desirable
last port-channel on this switch:
DLS1> interface range fa 0/13-14
DLS1> switchport trunk encapsulation dot1q
DLS1> switchport mode trunk
DLS1> channel-group 3 mode desirable
The same port-channels, with the same numbers and interface ranges, on DLS2:
DLS2> interface range fa 0/7-8
DLS2> switchport trunk encapsulation dot1q
DLS2> switchport mode trunk
DLS2> channel-group 1 mode desirable
DLS2> interface range fa 0/11-12
DLS2> switchport trunk encapsulation dot1q
DLS2> switchport mode trunk
DLS2> channel-group 2 mode desirable
DLS2> interface range fa 0/13-14
DLS2> switchport trunk encapsulation dot1q
DLS2> switchport mode trunk
DLS2> channel-group 3 mode desirable

# show interface trunk
# show etherchannel summary
# show vtp status                  if the domain is missing or something is wrong, do VTP on every switch!
DLS1> vtp domain lab
DLS1> vtp version 2

Access ports & VLANs on every switch

DLS1> vlan 10
DLS1> name finance
DLS1> vlan 20
DLS1> name engineering
DLS1> vlan 30
DLS1> name server-farm1            create VLANs before assigning them to interfaces
DLS1> vlan 40
DLS1> name server-farm2

DLS1> interface fa 0/6             port to the PC
DLS1> switchport mode access
DLS1> switchport access vlan 30
DLS1> spanning-tree portfast

DLS2> interface fa 0/6             remember: to connect a PC you must have access ports & VLANs configured
DLS2> switchport mode access
DLS2> switchport access vlan 40
DLS2> spanning-tree portfast
On every switch set the VLANs as on the diagram. Only when you have all of this configured:
1. standard settings
2. management IPs
3. trunks
4. vtp
5. vlans
6. port-channel
7. HSRP & enable ROUTING
HSRP gives you redundancy; VLANs can be load-balanced with the standby group priority, and the `ip routing` command gives you L3 capabilities, but as you know only on L3 switches: each route processor can route between the various SVIs configured on that switch.

Traditionally, switches send traffic only to hosts within the same broadcast domain (i.e. a SINGLE VLAN) and routers handle traffic between different broadcast domains (different VLANs). (A broadcast domain is a logical division of the network.)

That's why we have SVIs (switch virtual inter faces): with an SVI the switch uses a virtual Layer 3 interface to route traffic to another Layer 3 interface, eliminating the need for a physical router.
SVIs exist on both Layer 3 and Layer 2 switches, but to route between them the switch needs a routing engine, i.e. it should be an L3 switch.

There is a one-to-one mapping between a VLAN and an SVI, so only a single SVI can be mapped to a VLAN. By default an SVI is created for the default VLAN (VLAN 1) to permit remote switch administration.

In most typical designs the default gateway of the hosts points to the switch's SVI; the switch then routes the packets to the rest of the Layer 3 domain.

Note: an SVI cannot come up unless the VLAN itself exists and at least one physical port is associated with and active in that VLAN (autostate). Unless the VLAN is created there is no spanning-tree instance running for it, hence the line protocol of the SVI stays down.

7. HSRP & enable ROUTING
DLS1> ip routing

DLS1> interface vlan 1
DLS1> standby 1 ip 172.16.1.1            standby ... ip configures the IP of the virtual gateway
DLS1> standby 1 preempt                  preemption allows the router with the higher priority to become the active router
DLS1> standby 1 priority 150             priority 150 on DLS1 makes it the active router for VLANs 1, 10, 20

DLS1> interface vlan 10
DLS1> ip address 172.16.10.3 255.255.255.0
DLS1> standby 1 ip 172.16.10.1
DLS1> standby 1 preempt
DLS1> standby 1 priority 150

DLS1> interface vlan 20
DLS1> ip address 172.16.20.3 255.255.255.0
DLS1> standby 1 ip 172.16.20.1
DLS1> standby 1 preempt
DLS1> standby 1 priority 150

DLS1> interface vlan 30
DLS1> ip address 172.16.30.3 255.255.255.0
DLS1> standby 1 ip 172.16.30.1
DLS1> standby 1 preempt
DLS1> standby 1 priority 100             priority 100 on DLS1 makes it the standby switch for VLANs 30 and 40, so you set DLS2 as the active router for those

DLS1> interface vlan 40
DLS1> ip address 172.16.40.3 255.255.255.0
DLS1> standby 1 ip 172.16.40.1
DLS1> standby 1 preempt
DLS1> standby 1 priority 100

On DLS2 the settings are similar; pay attention to the priority, 100 or 150, depending on which switch is active and which is standby for each VLAN (lab manual p. 102):
DLS2> ip routing
DLS2> interface vlan 1
DLS2> standby 1 ip 172.16.1.1
DLS2> standby 1 preempt
DLS2> standby 1 priority 100             this switch is standby for VLAN 1

DLS2> interface vlan 10
DLS2> ip address 172.16.10.4 255.255.255.0
DLS2> standby 1 ip 172.16.10.1
DLS2> standby 1 preempt
DLS2> standby 1 priority 100

DLS2> interface vlan 20
DLS2> ip address 172.16.20.4 255.255.255.0
DLS2> standby 1 ip 172.16.20.1
DLS2> standby 1 preempt
DLS2> standby 1 priority 100

DLS2> interface vlan 30
DLS2> ip address 172.16.30.4 255.255.255.0
DLS2> standby 1 ip 172.16.30.1
DLS2> standby 1 preempt
DLS2> standby 1 priority 150             this switch is active for VLAN 30

DLS2> interface vlan 40
DLS2> ip add 172.16.40.4 255.255.255.0
DLS2> standby 1 ip 172.16.40.1
DLS2> standby 1 preempt
DLS2> standby 1 priority 150             this switch is active for VLAN 40

# show standby
TESTING: shut down interface range fa0/7-8 on one switch and the other switch becomes ACTIVE for the VLANs the switch whose interfaces you killed was active for.
# show standby brief && # sh ip route
Caveat: HSRP hellos carry no authentication unless you configure it, so any host on the VLAN can send priority-255 hellos and hijack the virtual gateway. Add `standby 1 authentication md5 key-string <key>` with the same key on both peers.
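The election the notes describe (highest priority wins, the higher interface IP breaks a tie, a better router takes over only with preempt) is modelled by this Python, which is an added example and not part of the notes or of Cisco's implementation. The priorities and addresses are the lab plan above; the ROGUE peer is invented to show what an unauthenticated group accepts.

```python
"""Added example (not from the notes): HSRP active/standby election per VLAN
and why an unauthenticated group can be hijacked."""
from dataclasses import dataclass

@dataclass(frozen=True)
class HsrpPeer:
    name: str
    ip: str                # real interface IP (the shared VIP does not vote)
    priority: int = 100    # IOS default
    preempt: bool = False  # IOS default: no preempt

def _ip_key(ip: str):
    return tuple(int(o) for o in ip.split("."))

def elect_active(peers, current_active=None):
    """Highest priority wins, highest interface IP breaks ties. A better peer
    only displaces a running active router if the better peer has preempt."""
    best = max(peers, key=lambda p: (p.priority, _ip_key(p.ip)))
    if current_active is not None and best != current_active and not best.preempt:
        return current_active
    return best

# Lab plan: (DLS1 priority, DLS2 priority) per VLAN, both sides with preempt.
PLAN = {1: (150, 100), 10: (150, 100), 20: (150, 100), 30: (100, 150), 40: (100, 150)}

def active_per_vlan(plan=PLAN):
    """Which switch owns the virtual gateway of each VLAN under the plan."""
    result = {}
    for vlan, (p1, p2) in plan.items():
        peers = [HsrpPeer("DLS1", f"172.16.{vlan}.3", p1, True),
                 HsrpPeer("DLS2", f"172.16.{vlan}.4", p2, True)]
        result[vlan] = elect_active(peers).name
    return result

def rogue_takeover(peers, rogue, current_active):
    """Without `standby authentication`, any host on the VLAN can send hellos;
    priority 255 plus preempt wins the election and the rogue owns the VIP."""
    return elect_active(list(peers) + [rogue], current_active).name

if __name__ == "__main__":
    print(active_per_vlan())
    dls1 = HsrpPeer("DLS1", "172.16.1.3", 150, True)
    dls2 = HsrpPeer("DLS2", "172.16.1.4", 100, True)
    rogue = HsrpPeer("ROGUE", "172.16.1.200", 255, True)   # invented attacker host
    print("active after rogue hellos:", rogue_takeover([dls1, dls2], rogue, dls1))
```

The rogue case is exactly what `standby 1 authentication md5 key-string` prevents: the peers discard hellos whose authentication does not match, so the attacker's priority never enters the election.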
HSRP v2 is enabled per interface with `standby version 2` (must match on both peers).

Implement IP SLAs: monitor various network performance characteristics. IP SLA (IP service level agreements) allows us to monitor network performance between switches and routers, or to a remote IP device.

1. standard settings
ALS1 # hostname ALS1
ALS1 # enable secret cisco
ALS1 # line vty 0 15
ALS1 # password cisco
ALS1 # login
same settings for ALS2

2. management IPs
ALS1 # interface vlan 1
ALS1 # ip address 172.16.1.101 255.255.255.0
ALS1 # no sh

ALS2 # interface vlan 1
ALS2 # ip address 172.16.1.102 255.255.255.0
ALS2 # no sh

DLS1 # interface vlan 1
DLS1 # ip address 172.16.1.1 255.255.255.0
DLS1 # no sh

3. configure default gateways on the access layer switches only! WHY? Because the distribution layer switch acts as the L3 device.
ALS1 # ip default-gateway 172.16.1.1
ALS2 # ip default-gateway 172.16.1.1

4. Trunks & EtherChannels. We want to distribute VLANs and VTP info, so we need trunks...
DLS1 # interface range fa 0/7-8
DLS1 # switchport trunk encapsulation dot1q
DLS1 # switchport mode trunk
DLS1 # channel-group 1 mode desirable
DLS1 # exit
DLS1 # interface range fa 0/9-10
DLS1 # switchport trunk encapsulation dot1q
DLS1 # switchport mode trunk
DLS1 # channel-group 2 mode desirable
The channel-group NUMBER is only locally significant (it does not have to match on the other end of the link); what must match is a compatible mode, desirable/auto for PAgP or active/passive for LACP, and the same trunk settings on every member port.

ALS1 # interface range fa 0/11-12
ALS1 # switchport mode trunk
ALS1 # channel-group 1 mode desirable
ALS1 # exit
ALS1 # interface range fa 0/9-10
ALS1 # switchport mode trunk
ALS1 # channel-group 2 mode desirable

ALS2 # interface range fa 0/11-12
ALS2 # switchport mode trunk
ALS2 # channel-group 1 mode desirable
ALS2 # exit
ALS2 # interface range fa 0/9-10
ALS2 # switchport mode trunk
ALS2 # channel-group 2 mode desirable

We set VTP client on the two L2 switches and server on the L3 one.
VTP: remember, by default a switch is in server mode; it is good to change it to client and make VLAN changes on a single server in your network.
ALS2 # vtp domain andre
ALS2 # vtp mode client

ALS1 # vtp domain andre
ALS1 # vtp mode client
Now you can change the VLAN database on the server:
DLS1 # vtp domain andre
DLS1 # vtp version 2
Caveat: a switch joining the domain with a higher configuration revision number overwrites the VLAN database of every other switch, client or server alike. Set a `vtp password` on every switch and reset the revision of any switch you add (change its domain name or put it in transparent mode first).

DLS1 # vlan 100
DLS1 # name Finance
DLS1 # vlan 200
DLS1 # name Engineering

ACCESS PORTS: once VTP is configured and the VLANs are added, only then do we configure the access ports.
ALS1 # interface fa 0/6
ALS1 # switchport mode access
ALS1 # switchport access vlan 100

ALS2 # interface fa 0/6
ALS2 # switchport mode access
ALS2 # switchport access vlan 200
MAC FLOODS ....... DHCP SPOOFING ....... AAA
Again the basic configuration:
ALS1> hostname ALS1
ALS1> no ip domain lookup
ALS1> enable secret cisco                  remember the enable password (cisco in the lab)
ALS1> line vty 0 15                        remember: VTY passwords are for telnet!
ALS1> password cisco
ALS1> login
IP addresses: get the management IP addresses right
ALS1> interface vlan 1
ALS1> ip address 172.16.1.101 255.255.255.0
ALS1> no sh
ALS1> ip default-gateway 172.16.1.1        default gateway on the access layer devices, because the distribution layer (L3) doesn't need one: its IP is the default gateway for the access layer devices!
ALS1> interface range fa 0/7-12
ALS1> switchport mode trunk
NOW THE SAME ON ALS2
DLS1> interface vlan 1
DLS1> ip address 172.16.1.103 255.255.255.0
DLS1> no sh
DLS1> interface range fa 0/7-12
DLS1> switchport trunk encapsulation dot1q
DLS1> switchport mode trunk
Two differences on L3 switches: 1. you are the default gateway, so you only set the management IP for vlan 1; 2. you additionally set the encapsulation type on the trunk.
# sh interface trunk
# sh spanning-tree
ALS1> vtp mode client                      client mode because we want another switch as the server and we configure VLANs on only one switch
ALS1> interface range fa0/15-20
ALS1> switchport mode access
ALS1> switchport access vlan 100
ALS1> spanning-tree portfast
NOW THE SAME ON ALS2; the difference is VLAN 200 on ALS2
Now configure VTP / VLANs. DLS1 is the server and pushes all the info to the clients; the domain and the new VLANs are pushed to every other switch:
DLS1> vtp domain andre
DLS1> vtp version 2
DLS1> vlan 100
DLS1> name staff
DLS1> vlan 200
DLS1> name students
Now configure SVIs & HSRP:
DLS1> ip routing

DLS1> interface vlan 1
DLS1> standby 1 ip 172.16.1.1
DLS1> standby 1 preempt
DLS1> standby 1 priority 150

DLS2> ip routing
DLS2> interface vlan 1
DLS2> standby 1 ip 172.16.1.1
DLS2> standby 1 preempt
DLS2> standby 1 priority 100

DLS1> interface vlan 100
DLS1> ip add 172.16.100.3 255.255.255.0
DLS1> standby 1 ip 172.16.100.1
DLS1> standby 1 preempt
DLS1> standby 1 priority 150

DLS2> interface vlan 100
DLS2> ip add 172.16.100.4 255.255.255.0
DLS2> standby 1 ip 172.16.100.1
DLS2> standby 1 preempt
DLS2> standby 1 priority 100

DLS1> interface vlan 200
DLS1> ip add 172.16.200.3 255.255.255.0
DLS1> standby 1 ip 172.16.200.1
DLS1> standby 1 preempt
DLS1> standby 1 priority 100

DLS2> interface vlan 200
DLS2> ip add 172.16.200.4 255.255.255.0
DLS2> standby 1 ip 172.16.200.1
DLS2> standby 1 preempt
DLS2> standby 1 priority 150

# show vtp status
# show standby brief
# show ip route
NOW, only once everything is done correctly and works: PORT SECURITY
Protect against MAC flooding or spoofing.
# show port-security
# show port-security interface fa0/15
ALS2> interface range fa 0/15-20
ALS2> switchport port-security                 simply enable port security. VLAN 200 must allow the MAC address assigned to a port to change because it is the students' VLAN; with the default maximum only one MAC address is allowed at a given time

ALS1> interface range fa0/15-20
ALS1> switchport port-security
ALS1> switchport port-security maximum 2       a maximum of 2 MAC addresses learned on a given port, because we assume admins use workstations and don't change MAC addresses often
ALS1> switchport port-security mac-address sticky      VLAN 100 uses sticky learning: a MAC learned on the port is added to the switch configuration as if it had been configured with `switchport port-security mac-address`; sticky lets the two MAC addresses be learned dynamically
# show port-security interface fa0/15
Caveats: the port must be a static access port (port security is refused on dynamic/trunk ports); the default violation mode is shutdown, which err-disables the port on the first extra MAC, so either plan on `errdisable recovery cause psecure-violation` or use `switchport port-security violation restrict` where you want logging without an outage; sticky addresses survive a reload only if you `copy run start`.
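What the two configurations above do to a flood of source MACs is easier to see in a model. The Python below is an added example, not part of the notes or of IOS: it reproduces the maximum, sticky and violation behaviour of `switchport port-security` on a single port. All MACs are invented; `mac_flood` stands in for a macof-style attack.

```python
"""Added example (not from the notes): a model of `switchport port-security`
with maximum, sticky learning and violation modes. MACs are invented."""
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    name: str = "Fa0/15"
    maximum: int = 1             # IOS default: 1 secure MAC
    sticky: bool = False
    violation: str = "shutdown"  # IOS default; alternatives: restrict, protect
    secure_macs: list = field(default_factory=list)
    running_config: list = field(default_factory=list)
    err_disabled: bool = False
    violations: int = 0

    def frame_in(self, smac: str) -> str:
        """Decide what happens to a frame arriving with source MAC smac."""
        if self.err_disabled:
            return "dropped: port err-disabled"
        if smac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(smac)
            if self.sticky:  # sticky MACs land in running-config (keep with copy run start)
                self.running_config.append(
                    f"switchport port-security mac-address sticky {smac}")
            return "forwarded: learned"
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True
            return "violation: port err-disabled"
        # restrict: drop, log and count; protect: silent drop
        return "violation: dropped"

def mac_flood(port: SecurePort, count: int) -> int:
    """macof-style flood with distinct source MACs; returns frames accepted."""
    accepted = 0
    for i in range(count):
        if port.frame_in(f"0000.5e00.{i:04x}").startswith("forwarded"):
            accepted += 1
    return accepted

if __name__ == "__main__":
    staff = SecurePort("Fa0/15", maximum=2, sticky=True)          # ALS1 config
    for mac in ("0000.aaaa.0001", "0000.aaaa.0002", "0000.aaaa.0003"):
        print("staff port:", mac, "->", staff.frame_in(mac))
    print("sticky lines in running-config:", staff.running_config)
    student = SecurePort("Fa0/15", maximum=1, violation="restrict")  # ALS2-like, no outage
    print("student port accepted", mac_flood(student, 100), "of 100 flood frames,",
          "violations:", student.violations, "err-disabled:", student.err_disabled)
```

The unprotected case is the one to keep in mind: with no maximum the whole CAM table fills and the switch starts flooding unicast to every port, which is the point of a MAC flood.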

DHCP spoofing attack: a rogue device answers DHCP requests and hands out IP addresses and the whole DHCP configuration, i.e. the attacker replies to DHCP requests and acts as the gateway.
We trust the relay information (option 82) coming from ALS1 & ALS2, so DLS1/DLS2 will answer the requests relayed from the ALS1 & ALS2 trusted ports:
DLS1> ip dhcp relay information trust-all
DLS2> ip dhcp relay information trust-all
(needed because DHCP snooping on the access switches inserts option 82 with giaddr 0.0.0.0, which a relay drops by default)
Configure ALS1 & ALS2 to trust DHCP info on the trunks only, and limit the rate at which requests are received on the access ports:
ALS1> ip dhcp snooping                          activates snooping GLOBALLY; now configure the trusted ports (those between the switches), everything else stays untrusted
ALS1> interface range fa 0/7-12
ALS1> ip dhcp snooping trust
ALS1> exit
ALS1> interface range fa 0/15-20
ALS1> ip dhcp snooping limit rate 20             only 20 requests per second, as prevention against starvation attacks on the ports
ALS1> exit
ALS1> ip dhcp snooping vlan 100,200              snooping is active only on the VLANs listed here
.... the same on ALS2
# show ip dhcp snooping
# show ip dhcp snooping binding
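The decisions the snooping configuration above makes (server messages dropped on untrusted ports, a per-port request rate limit that err-disables the port, a binding table built from the server's ACK) are modelled by this Python, which is an added example and not part of the notes or of IOS. Ports, VLANs, MACs, addresses and timestamps are invented.

```python
"""Added example (not from the notes): the forwarding decisions DHCP snooping
makes (trusted vs untrusted port, rate limit, binding table)."""
from collections import deque

SERVER_MSGS = {"OFFER", "ACK", "NAK"}

class DhcpSnooping:
    def __init__(self, vlans, trusted_ports, rate_limit=None):
        self.vlans = set(vlans)                    # ip dhcp snooping vlan ...
        self.trusted = set(trusted_ports)          # ip dhcp snooping trust
        self.rate_limit = dict(rate_limit or {})   # port -> pps (ip dhcp snooping limit rate)
        self.window = {}        # port -> deque of recent request timestamps
        self.pending = {}       # (mac, vlan) -> client port seen on DISCOVER/REQUEST
        self.bindings = {}      # (mac, vlan) -> (ip, port), like show ip dhcp snooping binding
        self.err_disabled = set()

    def packet(self, port, vlan, msg, client_mac, yiaddr=None, t=0.0):
        """Return the snooping verdict for one DHCP message; t is seconds."""
        if vlan not in self.vlans:
            return "forward: VLAN not snooped"
        if port in self.err_disabled:
            return "drop: port err-disabled"
        if port not in self.trusted:
            if msg in SERVER_MSGS:              # rogue DHCP server on an access port
                return "drop: server message on untrusted port"
            limit = self.rate_limit.get(port)
            if limit is not None:               # starvation flood: count requests per second
                q = self.window.setdefault(port, deque())
                while q and t - q[0] >= 1.0:
                    q.popleft()
                q.append(t)
                if len(q) > limit:
                    self.err_disabled.add(port)
                    return "drop: rate limit exceeded, port err-disabled"
            self.pending[(client_mac, vlan)] = port
            # snooping inserts option 82 with giaddr 0.0.0.0; the upstream relay
            # needs `ip dhcp relay information trust-all` to accept that packet
            return "forward: option 82 inserted"
        if msg == "ACK" and yiaddr:             # legitimate lease: record the binding
            self.bindings[(client_mac, vlan)] = (yiaddr, self.pending.get((client_mac, vlan)))
        return "forward: trusted port"

if __name__ == "__main__":
    snoop = DhcpSnooping([100, 200], ["Fa0/7", "Fa0/8"], {"Fa0/15": 20, "Fa0/16": 20})
    print(snoop.packet("Fa0/15", 100, "OFFER", "0000.aaaa.0001", "172.16.100.50"))
    print(snoop.packet("Fa0/15", 100, "DISCOVER", "0000.aaaa.0001"))
    print(snoop.packet("Fa0/7", 100, "ACK", "0000.aaaa.0001", "172.16.100.50"))
    print("bindings:", snoop.bindings)
    for i in range(21):   # 21 DISCOVERs in 0.2 s from distinct MACs on Fa0/16
        verdict = snoop.packet("Fa0/16", 200, "DISCOVER", f"0000.5e00.{i:04x}", t=i * 0.01)
    print("21st request on Fa0/16:", verdict)
```

The binding table is what DAI and IP source guard later consult, which is why the ACK has to arrive on a trusted port: a lease handed out through an untrusted port never becomes a binding.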

- - - - - - - - - - - - - - -
ALS1> username andre password 0 cisco            `password 0` stores the password in clear text; prefer `username andre secret cisco`
ALS1> username andrzej password 0 cisco
ALS1> aaa new-model                              turn AAA ON
ALS1> aaa authentication dot1x default local     AAA authentication requires a user to be identified before allowing access to the network; here users and their passwords are checked against the local database
ALS1> dot1x system-auth-control                  activates global support for 802.1X authentication
ALS1> int range fa0/15-20                        recall the RADIUS server; here we use the LOCAL database for authentication (production deployments use `aaa authentication dot1x default group radius`)
ALS1> dot1x port-control auto                    our VLAN 100 (staff) ports use dot1x; auto means the port begins in the unauthorized state and allows negotiation between client and server to authenticate the user
# show dot1x interface fa0/15

SECURING SPANNING-TREE-PROTOCOL
# show spanning-tree vlan 1
# show interfaces trunk
Why set up the spanning-tree root? To optimize paths throughout the L2 network, and to have a root bridge that is predictable.
DLS1> spanning-tree vlan 1,100 root primary
DLS1> spanning-tree vlan 200 root secondary

DLS2> spanning-tree vlan 1,100 root secondary
DLS2> spanning-tree vlan 200 root primary

# show spanning-tree

WHY root guard in STP? If a malicious or accidental new bridge with a lower BID is added, it can take over our network; we don't want that! Root guard prevents it by putting a port that hears such superior BPDUs into the root-inconsistent state, where data can be neither sent nor received. Root guard is enabled on a per-port basis with `spanning-tree guard root`, on switch ports where you would never expect to find the root bridge for a VLAN.
DLS1> interface range fa 0/13-14
DLS1> spanning-tree guard root
Now we connect another switch to fa 0/13: that switch does not take over the root role (and gets no VLANs / VTP from us while the port is root-inconsistent).

`spanning-tree portfast bpduguard default` enables BPDU guard on all PortFast-enabled ports, i.e. our staff & students ports; any BPDU arriving there err-disables the port:
ALS1> spanning-tree portfast bpduguard default
ALS2> spanning-tree portfast bpduguard default

# show spanning-tree inconsistentports
# show spanning-tree summary              this global command should also show you EtherChannel misconfig guard
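The election rules from the STP section (lowest bridge ID wins; a root port is chosen by root path cost, then sender BID, then the sender's port priority and port ID) and the root-guard reasoning just above are modelled by this Python. It is an added example, not part of the notes or of Cisco code; the bridge IDs, MACs, ports and costs are invented to resemble the four-switch lab, with two equal-cost links between DLS1 and ALS1 and a priority-0 rogue plugged into an access port.

```python
"""Added example (not from the notes): 802.1D root election, root-port
selection and what root guard changes. All IDs, MACs and costs are invented."""
import heapq
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class BridgeID:
    priority: int   # 0-61440 in steps of 4096; PVST+ adds the VLAN ID as extended system ID
    mac: str        # lower MAC wins an equal-priority tie

ROOT_PRIMARY = 24576     # value set by `spanning-tree vlan N root primary`
ROOT_SECONDARY = 28672   # value set by `... root secondary`

BRIDGES = {
    "DLS1": BridgeID(ROOT_PRIMARY, "0000.0c11.1111"),
    "DLS2": BridgeID(ROOT_SECONDARY, "0000.0c22.2222"),
    "ALS1": BridgeID(32768, "0000.0c33.3333"),
    "ALS2": BridgeID(32768, "0000.0c44.4444"),
}
# (bridge_a, port_a, bridge_b, port_b, cost); 802.1D short costs: 4 gig, 19 fast, 100 ethernet
LINKS = [
    ("DLS1", "Fa0/11", "DLS2", "Fa0/11", 19),
    ("DLS1", "Fa0/7", "ALS1", "Fa0/7", 19),
    ("DLS1", "Fa0/8", "ALS1", "Fa0/8", 19),   # second equal-cost link to ALS1
    ("DLS2", "Fa0/9", "ALS1", "Fa0/9", 19),
    ("DLS1", "Fa0/9", "ALS2", "Fa0/11", 19),
    ("DLS2", "Fa0/10", "ALS2", "Fa0/12", 19),
]
# `spanning-tree port-priority 112` on DLS1 Fa0/8: set on the switch closer to the root
PORT_PRIORITY = {("DLS1", "Fa0/8"): 112}

def elect_root(bridges):
    """Lowest (priority, MAC) wins; priority 0 beats `root primary`."""
    return min(bridges, key=bridges.get)

def root_path_costs(root, links):
    """Dijkstra over link costs: cost is added on the port receiving the BPDU."""
    adj = {}
    for a, _, b, _, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist, heap = {root: 0}, [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nxt, cost in adj.get(node, []):
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                heapq.heappush(heap, (d + cost, nxt))
    return dist

def root_port(bridge, bridges, links, port_priority=PORT_PRIORITY):
    """Root port = lowest (root path cost, neighbour BID, neighbour port
    priority, neighbour port ID) over the bridge's links; None on the root."""
    root = elect_root(bridges)
    if bridge == root:
        return None
    cost_to_root = root_path_costs(root, links)
    best = None
    for a, pa, b, pb, cost in links:
        if bridge not in (a, b):
            continue
        local, peer, peer_port = (pa, b, pb) if a == bridge else (pb, a, pa)
        key = (cost_to_root[peer] + cost, bridges[peer],
               port_priority.get((peer, peer_port), 128), peer_port)
        if best is None or key < best[0]:
            best = (key, local)
    return best[1]

def root_guard(guarded: bool, current_root: BridgeID, received: BridgeID) -> str:
    """A root-guard port that hears a BPDU claiming a better root goes
    root-inconsistent (no traffic) instead of accepting the new root."""
    if guarded and received < current_root:
        return "root-inconsistent"
    return "accept"

if __name__ == "__main__":
    print("root:", elect_root(BRIDGES))
    for sw in BRIDGES:
        print(sw, "root port:", root_port(sw, BRIDGES, LINKS))
    rogue = BridgeID(0, "0000.0c99.9999")   # laptop/hub running STP with priority 0
    print("rogue wins without guard:", elect_root({**BRIDGES, "ROGUE": rogue}))
    print("with guard on the access port:", root_guard(True, BRIDGES["DLS1"], rogue))
```

Two things fall out of running it: ALS1 prefers Fa0/8 only because of the priority 112 configured on DLS1's side, which is why the note says to change priorities on the switch closer to the root; and `root primary` is just a macro for priority 24576, so anything announcing priority 0 wins unless root guard or BPDU guard stops the BPDU at the edge.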

Broadcast storm control & UDLD

If an unmanaged switch is connected to an access port, a broadcast storm can result, which can lead to network failure, so we implement broadcast storm protection on the interfaces:
ALS1> interface fa 0/7
ALS1> storm-control broadcast level 50       level is the percentage of bandwidth above which broadcasts are dropped
ALS1> interface fa 0/8
ALS1> storm-control broadcast level 50

UDLD: a unidirectional link occurs when traffic is transmitted between neighbors in one direction only. Unidirectional links can cause spanning-tree loops. UDLD detects this and shuts down the affected interface.
DLS1> conf t
DLS1> udld ?
DLS1> interface range fa0/1-24
DLS1> udld port aggressive
DLS1> exit
DLS1> udld enable                            global; enables UDLD on all fiber-optic ports, the per-port command covers copper
same settings on all switches
# show udld fa 0/15
PRIVATE VLANs | ACLs | VLAN ACLs
PRIVATE VLANs: remember from the book & videos, divide a VLAN so that all hosts can reach the router / gateway but cannot listen to each other. Secondary VLANs are ISOLATED or COMMUNITY.
The first step is to set up the primary VLAN on our VTP server switch:
DLS1 # vlan 150
DLS1 # name server-farm

We have a new VLAN, so as standard we configure HSRP for it; we make DLS2 the active switch for this VLAN:
DLS1 # interface vlan 150
DLS1 # ip add 172.16.150.3 255.255.255.0
DLS1 # standby 1 ip 172.16.150.1
DLS1 # standby 1 priority 100
DLS1 # standby 1 preempt

DLS2 # interface vlan 150
DLS2 # ip add 172.16.150.4 255.255.255.0
DLS2 # standby 1 ip 172.16.150.1
DLS2 # standby 1 priority 150
DLS2 # standby 1 preempt

Set up the primary and secondary private VLANs (PVLANs). Remember to place the switch into VTP transparent mode when configuring primary and secondary private VLANs (VTP versions 1 and 2 do not propagate PVLANs):
DLS1 # vtp mode transparent
DLS1 # vlan 151
DLS1 # private-vlan isolated
DLS1 # vlan 152
DLS1 # private-vlan community
DLS1 # vlan 150
DLS1 # private-vlan primary
DLS1 # private-vlan association 151,152
The PVLANs are set up in global configuration mode, meaning they will be assigned to specific interfaces later. Exactly the same settings on DLS2.

DLS1 # interface vlan 150
DLS1 # private-vlan mapping 151-152          private VLAN mapping permits PVLAN traffic to be switched through L3; always configure this command on the interface vlan of the primary VLAN
DLS2 # interface vlan 150
DLS2 # private-vlan mapping 151-152

Now assign interface fa 0/6 to isolated VLAN 151. `switchport mode private-vlan host` sets the mode on the interface and `switchport private-vlan host-association primary-vlan-id secondary-vlan-id` assigns the appropriate VLANs to the interface:
DLS2 # interface fa 0/6
DLS2 # switchport mode private-vlan host
DLS2 # switchport private-vlan host-association 150 151

Now assign interfaces fa 0/18-20 to community VLAN 152:
DLS2 # interface range fa 0/18-20
DLS2 # switchport mode private-vlan host
DLS2 # switchport private-vlan host-association 150 152

# show vlan private-vlan

Router ACL: prevents traffic from the student VLAN to the staff VLAN. (A VLAN ACL would be used for temporary staff: it lets you put a machine on the staff VLAN that is isolated from the rest of the staff machines.)
DLS1# access-list 100 permit tcp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 established
DLS1# access-list 100 permit icmp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 echo-reply
DLS1# access-list 100 deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255
DLS1# access-list 100 permit ip any any

DLS1# interface vlan 100
DLS1# ip access-group 100 in
DLS1# interface vlan 200
DLS1# ip access-group 100 in

DLS2# access-list 100 permit tcp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 established
DLS2# access-list 100 permit icmp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 echo-reply
DLS2# access-list 100 deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255
DLS2# access-list 100 permit ip any any

DLS2# interface vlan 100
DLS2# ip access-group 100 in
DLS2# interface vlan 200
DLS2# ip access-group 100 in

# show access-lists
# show ip interface vlan 100
The ACL only does work inbound on interface vlan 200 (packets entering from the students); inbound on vlan 100 the source addresses never match the first three lines. `established` only checks that the ACK or RST flag is set, it is not connection tracking, so a crafted ACK-only packet from a student passes: it stops sessions from being opened, not probes.
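To see what ACL 100 really decides, the Python below parses the four lines above and evaluates them against constructed packets. It is an added example, not part of the notes or of IOS: the parser covers only the numbered-ACL syntax used on this page (wildcard masks, `any`, `established`, `echo-reply`) and the packets are invented.

```python
"""Added example (not from the notes): evaluate the page's ACL 100 against
sample packets to see what `established` really checks."""
import ipaddress

def parse_ace(line: str) -> dict:
    """Parse the subset of IOS syntax used on this page:
    access-list N permit|deny proto src wc dst wc [established|echo-reply]"""
    tok = line.split()
    if tok[0] != "access-list":
        raise ValueError(line)
    action, proto, rest = tok[2], tok[3], tok[4:]

    def take_net():
        if rest[0] == "any":
            del rest[0]
            return ipaddress.ip_network("0.0.0.0/0")
        addr, wildcard = rest[0], rest[1]
        del rest[:2]
        mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))  # wildcard -> netmask
        return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

    src, dst = take_net(), take_net()
    return {"action": action, "proto": proto, "src": src, "dst": dst, "opts": set(rest)}

def matches(ace: dict, pkt: dict) -> bool:
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ace["dst"]:
        return False
    if "established" in ace["opts"] and not (pkt.get("flags", set()) & {"ACK", "RST"}):
        return False   # established = ACK or RST bit set, nothing more
    if "echo-reply" in ace["opts"] and pkt.get("icmp_type") != 0:
        return False
    return True

def evaluate(acl: list, pkt: dict) -> str:
    """First matching entry wins; implicit deny at the end of every IOS ACL."""
    for ace in acl:
        if matches(ace, pkt):
            return ace["action"]
    return "deny"

ACL_100 = [parse_ace(line) for line in [
    "access-list 100 permit tcp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 established",
    "access-list 100 permit icmp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 echo-reply",
    "access-list 100 deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255",
    "access-list 100 permit ip any any",
]]

# Constructed packets as seen inbound on interface vlan 200 (from the students)
STUDENT_SYN  = {"proto": "tcp", "src": "172.16.200.20", "dst": "172.16.100.10", "flags": {"SYN"}}
STUDENT_ACK  = {"proto": "tcp", "src": "172.16.200.20", "dst": "172.16.100.10", "flags": {"ACK"}}
STUDENT_PING = {"proto": "icmp", "src": "172.16.200.20", "dst": "172.16.100.10", "icmp_type": 8}
STUDENT_PONG = {"proto": "icmp", "src": "172.16.200.20", "dst": "172.16.100.10", "icmp_type": 0}
STUDENT_DNS  = {"proto": "udp", "src": "172.16.200.20", "dst": "172.16.1.53"}

if __name__ == "__main__":
    for name, pkt in (("SYN to staff", STUDENT_SYN), ("ACK-only probe", STUDENT_ACK),
                      ("ping staff", STUDENT_PING), ("echo-reply", STUDENT_PONG),
                      ("DNS elsewhere", STUDENT_DNS)):
        print(f"{name:15} -> {evaluate(ACL_100, pkt)}")
```

The ACK-only result is the caveat in practice: an `nmap -sA` style scan from the student VLAN gets through and maps which staff hosts exist, so for anything beyond "no new sessions" use reflexive ACLs, CBAC or a firewall that tracks state.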
IP telephony support
In this lab, you configure quality of service (QoS) on the access and distribution layer switches so that they trust the class of service (CoS) mapping provided by the IP phone through Cisco Discovery Protocol (CDP). To ensure redundancy for the phones and user end stations, you use Hot Standby Router Protocol (HSRP) on the distribution layer switches.

All the standard settings as in the previous labs:
1. passwords
# hostname ALS1                       A as in access
# enable secret cisco
# line vty 0 15
# password cisco
# login
2. vlan 1 with IP
# interface vlan 1
# ip add 172.16.1.101 255.255.255.0
# no sh
3. default gateway
# ip default-gateway 172.16.1.1

One small difference between an access layer switch and an L3 switch is that on the access layer switch you set a default gateway, whereas the L3 switch IS that gateway!

1. passwords / management vlan
# hostname DLS1                       D as in distribution
# enable secret cisco
# line vty 0 15
# password cisco
# login
# interface vlan 1
# ip add 172.16.1.3 255.255.255.0
# no sh
2. trunks and etherchannels
# interface range fa0/7-8
# switchport trunk encapsulation dot1q
# switchport mode trunk
# channel-group 1 mode active
A port channel is an aggregation of multiple physical interfaces that creates a logical interface. You can bundle up to eight individual active links into a port channel to provide increased bandwidth and redundancy. Port channeling also load-balances traffic across these physical interfaces. The port channel stays operational as long as at least one physical interface within the port channel is operational.
3. VTP on access layer switches
# vtp mode client
4. VTP on distribution layer switches
# vtp domain andre
# vtp version 2
# vlan 10                             VLAN 1 cannot be renamed, and the access ports below use VLAN 10 as the data VLAN
# name CP-DATA
# vlan 20
# name VOICE
# vlan 30
# name VIDEO
5. Configure HSRP on the distribution switches
# ip routing
# interface vlan 1
# standby 1 ip 172.16.1.1
# standby 1 preempt
# standby 1 priority 150

# interface vlan 10
# ip add 172.16.10.3 255.255.255.0
# standby 1 ip 172.16.10.1
# standby 1 preempt
# standby 1 priority 150
.... and the same for VLAN 30 on DLS1, and then on DLS2 with different IPs and priorities!
6. VOICE VLAN
# interface range fa 0/18-20
# switchport mode access
# switchport access vlan 10
# switchport voice vlan 20
# auto qos voip cisco-phone           trusts the phone's CoS only while CDP detects a Cisco phone on the port; also enables `mls qos` globally

# show mls qos interface fa 0/18
