Basic Configuration
Switch> enable
    Used to enter privileged mode from normal mode on the switch CLI
Switch#
    Privileged mode
Switch# erase startup-config
    Erases the switch configuration but not the VLAN configuration
Switch# del flash:vlan.dat
    Erases the VLAN configuration
Switch(config)# hostname name
    To rename the switch
Switch(config)# no hostname
    Converts the switch name back to Switch
Switch(config)# enable password password
    Sets enable password
Switch(config)# enable secret password
    Sets enable password in encrypted form
Switch(config)# no ip domain-lookup
    To prevent switch from trying to find a misspelled command
Switch(config)# line con 0
    To enter line configuration mode for the console port
Switch(config-line)# password password
    Configures a password on the console port
Switch(config-line)# login
    Enables password checking
Switch(config-line)# exec-timeout 0 0
    Sets the idle timeout period in minutes and seconds
Switch(config-line)# logging synchronous
    Modifies message logging facilities for synchronized output
Switch(config)# line vty 0 15
    Configures terminal line settings
Switch(config-line)# password password
    Configures a password on the terminal lines (telnet)
Switch(config-line)# login
Switch# show version
    Indicates IOS version, system image file, base MAC address, model #, configuration register (0xF), serial #, and more
Switch# show vlan
    Shows what VLANs are configured on the switch and which ports are in which VLANs
Switch# show interface interface
    Shows interface settings including MAC address, duplex, speed
Note: MAC address of an interface = Base MAC address of switch + port #

Switch# dir flash:
Switch# show flash
    Both of these commands show information about flash memory
To telnet, ping, or globally manage the switch, you must assign an IP address. If the IP address is on the same subnet as the management VLAN, the switch will automatically be associated with VLAN 1.

Switch# config t
    Enters global configuration mode
Switch(config)# interface vlan 1
    Enters vlan 1 configuration
Switch(config-if)# ip address 10.1.1.1 255.255.255.0
    Assigns an IP address to vlan 1
Switch(config-if)# exit
Switch(config)# ip default-gateway 10.1.1.254
    Sets a default gateway so that you may access the switch via a router

To view the switch's interfaces
To view switch configuration
To describe an interface. Surround the comments with quotes if you want to leave spaces.
Sets port speed
Sets the port duplex. Full is default for 100Mbps and half is default for 10Mbps ports.
IOS-based switches remember the last 10 commands in the history buffer. Use the bang (!) symbol to recall previous commands.

!!
    Recall previous command
!n
    Recall command number n (use history command to see commands stored in the buffer)
^aa^bb
    Recalls command with aa and replaces aa with bb
Port Security
Switch# show mac-address-table
    Displays MAC forwarding table
Switch# show mac address-table
    Newer command to display MAC forwarding table (no hyphen)
Switch# clear mac address-table dynamic
    Reset MAC address table
Switch(config)# mac address-table static mac-addr vlan vlan-id interface interface-id
    Used to set a static MAC address to be accepted on a given port. Enter the MAC address in the form xxxx.xxxx.xxxx
Switch(config-if)# switchport mode access
    Sets mode on port to access only
Switch(config-if)# switchport port-security
    Enables port-security
Switch(config-if)# switchport port-security mac-address sticky
    Allows port to accept only one device
Switch(config-if)# port security max-mac-count #
    On 2900s: Limits the number of hosts per port
Switch(config-if)# switchport port-security maximum #
    On 2950s: Limits the number of hosts per port
Switch(config-if)# switchport port-security violation [shutdown | protect | restrict]
    Action to take when there has been a security violation. Restrict sends a trap to the network management station. Protect drops packets when the packet limit is reached.
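An added example, not part of the original sheet: a small audit of a saved running-config that reports, for every access port, whether port security is actually enabled and which maximum and violation action apply. The sample config is constructed, the function names are hypothetical, and the fallback values assume the IOS defaults of maximum 1 and violation shutdown.

```python
import re
# Constructed sample running-config excerpt (not from the original page).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
interface FastEthernet0/2
 switchport mode access
interface FastEthernet0/3
 switchport mode access
 switchport port-security maximum 1
interface FastEthernet0/24
 switchport mode trunk
"""

def parse_interfaces(config):
    """Return {interface name: [stanza lines]} from IOS config text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces

def audit_port_security(config):
    """Map each access port to its effective port-security settings."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunk ports are not covered by this check
        text = "\n".join(lines)
        maximum = re.search(r"^switchport port-security maximum (\d+)$", text, re.M)
        action = re.search(r"^switchport port-security violation (\w+)$", text, re.M)
        report[name] = {
            # Sub-commands alone enforce nothing: the bare command must be present.
            "enabled": "switchport port-security" in lines,
            # Assumed IOS defaults when unset: maximum 1, violation shutdown.
            "maximum": int(maximum.group(1)) if maximum else 1,
            "violation": action.group(1) if action else "shutdown",
        }
    return report

def unprotected_ports(config):
    return sorted(n for n, r in audit_port_security(config).items() if not r["enabled"])
```

In the sample, FastEthernet0/3 carries a maximum setting but is still reported as unprotected because the enabling command is missing.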
Password recovery
(Procedures may be found on Cisco's website at http://www.cisco.com/warp/public/474/.)

On a 2900XL or 2950, the procedure is as follows:
o Use HyperTerminal to start a console session with the switch.
o Unplug the switch.
o While holding the MODE button in, plug the switch back in to turn it back on.
o Release the MODE button when the STAT LED goes out.
o Initialize the file system and finish loading the operating system by typing:
    flash_init
        initializes flash file system
    load_helper
        loads and initializes a helper image
    dir flash:
        to see what is in flash
o rename flash:config.text flash:config.old
    renames the configuration file
o Type boot to reboot the switch.
o Choose N to not continue with the configuration dialog. The operating system will finish loading without a configuration file. This has effectively bypassed the passwords.
o Switch# rename flash:config.old flash:config.text
    Renames config file back to original
o Switch# copy flash:config.text system:running-config
    Copies config into DRAM
o Now you may change the passwords and save the new configuration file.

Note: Since you cannot get to the power cord on the other side of the switch, you may use the following procedure to get to the flash_init step:
o Type reload.
o Press Enter to confirm the reload.
o As soon as you see Reload requested on the screen, hold the MODE button in.
o Release the MODE button when you see the SYSTEM light change to solid green (not blinking).

On a 1900:
o Console into the switch.
o Unplug the switch.
o Hold the MODE button in while plugging the switch back in.
o Release the MODE button when you see the Cisco Systems Diagnostics Console or a couple of seconds after the LED above port 1x goes off.
o Press Enter to continue.
o Observe the firmware revision number. If 1.09 or earlier, call Cisco for the factory-installed password. If 1.10 or later, choose C to continue with standard system start up. The system will take a minute to perform a self-test. Then you will be asked if you wish to clear the passwords.
Firmware Upgrades
Switch# show boot
    shows config file
Switch# dir flash:
    shows contents of flash memory
Switch# rename flash:IOS_file_name.bin flash:IOS_file_name.old
Switch(config)# no ip http server
    Disables access to switch HTML pages temporarily
Switch# delete flash:html/*
    Removes existing html files
Download the switch IOS and HTML files from Cisco Connection Online with a CCO account. You will need the .tar file.

Switch# archive tar /x tftp://ip_address_of_tftp_server/IOS_image_file.tar flash:
    Extracts new IOS image and HTML files to flash memory
Switch(config)# ip http server
    Re-enables access to HTML pages
Switch(config)# boot system flash:IOS_file_name.bin
    Associates the new IOS file
Switch# reload
TFTP Servers
Switch# copy flash:c2900XL-c3h2s-mz-120-5.3.WC.1.bin tftp
    Copies the IOS in flash memory with the given file name (case sensitive) to a tftp server
Switch# copy tftp flash
    Copies an image on a tftp server into flash memory on the switch
Switch# copy run tftp
    Copies running-config on switch to a tftp server
Switch# copy start tftp
    Copies startup-config on switch to a tftp server
Switch# copy tftp run
    Copies running-config from a tftp server to the switch
Switch# copy tftp start
    Copies startup-config from a tftp server to the switch
Switch(config)# spanning-tree priority #
    Changes priority for version 12.0
Switch(config)# spanning-tree vlan 1 priority 4096
    Changes priority in increments of 4096 for version 12.1

Root port is the port closest to the root bridge (lowest cost to get to the root bridge).
Designated ports are the ports with lowest cost to the root bridge.

STP States
VLANs
Switch# show vlan
    Displays vlans
Switch# show vlan-membership
    Displays vlans on a 1900 switch
Switch# vlan database
    From privileged mode, enters vlan database mode to configure VLANs
Switch(vlan)# vlan # name name
    Add, delete, or modify values of a vlan
Switch# config t
Switch(config)# vlan # name name
    Used on 1900s for the above commands
Switch(config-if)# switchport mode access
    Sets trunking mode to access
Switch(config-if)# switchport access vlan #
    Assigns interface to the vlan
Switch(config-if)# vlan static #
    Used on a 1900 series switch instead of the above two commands
Switch# show vlan id #
    Displays information about a specific vlan only
Switch# show vlan name VLAN #
    Alternate command
Switch# show vlan #
    Used on a 1900 series switch
Switch(config-if)# no switchport mode access
Switch(config-if)# no switchport access vlan #
    Removes an interface from a vlan
Switch# vlan database
Switch(vlan)# no vlan #
    Deletes a vlan
Trunking
Switch(config)# int fa0/1
Switch(config-if)# switchport mode trunk
    Sets port to trunk
Switch(config-if)# switchport trunk encapsulation [isl | dot1q]
    Sets the trunking encapsulation on port. This line is not needed on a 2950 since it only supports dot1q trunking.

To view trunking information on interface
Switch(config-if)# switchport trunk allowed vlan remove vlan_ids
    To remove trunk links

Notes:
Both sides of a trunk must use the same encapsulation.
o The Catalyst 2950 only supports dot1q
o The Catalyst 2900XL and 3550 support both dot1q and isl
For hosts to communicate through a switch, they must be on the same vlan. In order for hosts to communicate on different VLANs, a layer 3 device must route the traffic.
Changes the version of VTP to a newer version. Use only if all switches support version 2. Version 1 is the default.
Configures switch to be a VTP server or client. Server is the default.
To secure the domain. Optional.
Sets the name of the VTP administrative domain
The above commands may also be entered in global configuration mode:
Switch(config)# vtp version 2
Switch(config)# vtp domain name
Switch(config)# vtp password password
Switch(config)# vtp mode [server | client]
Adding a Switch to a VTP Domain:
o Erase start to clear the configuration of the new switch
o Power cycle the switch to clear NVRAM
o Switch# show vtp status
    Determines whether server or client. Make sure the Configuration revision number is set to zero.
Verification Commands:
Switch# show vtp status
Switch# show vtp counters