
Command Line Based Switch (CLI)

Basic Configuration
Switch> enable
    Used to enter privileged mode from normal mode on CLI switch
Switch#
    Privileged mode
Switch# erase startup-config
    Erases the switch configuration but not the VLAN configuration
Switch# del flash:vlan.dat
    Erases the VLAN configuration
Switch(config)# hostname name
    To rename the switch
Switch(config)# no hostname
    Converts the switch name back to Switch
Switch(config)# enable password password
    Sets enable password
Switch(config)# enable secret password
    Sets enable password in encrypted form
Switch(config)# no ip domain-lookup
    To prevent switch from trying to find a misspelled command
Switch(config)# line con 0
    To enter line configuration mode for the console port
Switch(config-line)# password password
    Configures a password on the console port
Switch(config-line)# login
    Enables password checking
Switch(config-line)# exec-timeout 0 0
    Sets the idle timeout period in minutes and seconds
Switch(config-line)# logging synchronous
    Modifies message logging facilities for synchronized output
Switch(config)# line vty 0 15
    Configures terminal line settings
Switch(config-line)# password password
    Configures a password on the terminal lines (telnet)
Switch(config-line)# login
    Enables password checking
Switch# show version
    Indicates IOS version, system image file, base MAC address, model #, configuration register (0xF), serial #, and more
Switch# show vlan
    Shows what VLANs are configured on the switch and which ports are in which VLANs
Switch# show interface interface
    Shows interface settings including MAC address, duplex, speed

Note: MAC address of an interface = Base MAC address of switch + port #

Switch# dir flash:
Switch# show flash
    Both of these commands show information about flash memory

To telnet, ping, or globally manage the switch, you must assign an IP address. If the IP address is on the same subnet as the management VLAN, the switch will automatically be associated with VLAN 1.

Switch# config t
    Enters global configuration mode
Switch(config)# interface vlan 1
    Enters vlan 1 configuration
Switch(config-if)# ip address 10.1.1.1 255.255.255.0
    Assigns an IP address to vlan 1
Switch(config-if)# exit
Switch(config)# ip default-gateway 10.1.1.254
    Sets a default gateway so that you may access the switch via a router
Switch# show interface
    To view the switch's interfaces
Switch# show config
    To view switch configuration

Switch(config-if)# description comments
    To describe an interface. Surround the comments with quotes if you want to leave spaces.
Switch(config-if)# speed 10|100|auto
    Sets port speed
Switch(config-if)# duplex auto|full|half
    Sets the port duplex. Full is default for 100Mbps and half is default for 10Mbps ports.

IOS-based switches remember the last 10 commands in the history buffer. Use the bang (!) symbol to recall previous commands.

!!
    Recall previous command
!n
    Recall command number n (use history command to see commands stored in the buffer)
^aa^bb
    Recalls command with aa and replaces aa with bb

Port Security
Switch# show mac-address-table
    Displays MAC forwarding table
Switch# show mac address-table
    Newer command to display MAC forwarding table (no hyphen)
Switch# clear mac address-table dynamic
    Reset MAC address table
Switch(config)# mac address-table static mac-addr vlan vlan-id interface interface-id
    Used to set a static MAC address to be accepted on a given port. Enter the MAC address in the form xxxx.xxxx.xxxx
Switch(config-if)# switchport mode access
    Sets mode on port to access only
Switch(config-if)# switchport port-security
    Enables port-security
Switch(config-if)# switchport port-security mac-address sticky
    Allows port to accept only one device
Switch(config-if)# port security max-mac-count #
    On 2900s: Limits the amount of hosts per port
Switch(config-if)# switchport port-security maximum #
    On 2950s: Limits the amount of hosts per port
Switch(config-if)# switchport port-security violation [shutdown | protect | restrict]
    Action to take when there has been a security violation. Restrict sends a trap to the network management station. Protect drops packets when the packet limit is reached.
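The following is an added example, not part of the original cheat sheet: a short Python check that reads a saved switch configuration and flags settings from the Basic Configuration and Port Security commands above that are worth reviewing. The sample configuration, the function names and the choice of which settings count as findings are assumptions made for illustration.

```python
# Constructed sample config (not from the page), built from commands the page lists.
SAMPLE_CONFIG = """\
enable password cisco123
ip http server
interface FastEthernet0/1
 switchport mode access
 switchport port-security
interface FastEthernet0/2
 switchport mode access
line con 0
 password conpass
 login
 exec-timeout 0 0
"""

def split_sections(config):
    """Split into global lines and {section header: [indented sub-commands]}."""
    global_lines, sections, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0] == " " and current:
            sections[current].append(line)   # sub-command of the open section
            continue
        global_lines.append(line)
        current = line if line.startswith(("interface ", "line ")) else None
        if current:
            sections[current] = []
    return global_lines, sections

def audit(config):
    """Return findings for weak settings; the policy itself is an assumption."""
    glob, sections = split_sections(config)
    findings = []
    if (any(l.startswith("enable password ") for l in glob)
            and not any(l.startswith("enable secret ") for l in glob)):
        findings.append("enable password without enable secret (stored unhashed)")
    if "ip http server" in glob:
        findings.append("ip http server enabled")
    for header, body in sections.items():
        if (header.startswith("interface ") and "switchport mode access" in body
                and "switchport port-security" not in body):
            findings.append(f"{header}: access port without port-security")
        if header.startswith("line ") and "exec-timeout 0 0" in body:
            findings.append(f"{header}: exec-timeout 0 0 disables the idle timeout")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Run it against the text of a saved configuration file; trunk ports and lines with a non-zero exec-timeout are not flagged.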

Removing Port Security


If a security violation occurs and the port has been disabled, first try shutting the port down (shut) and then bringing it back up (no shut). If it tries to come back up but shuts down again:

Switch(config-if)# no switchport port-security
Switch(config-if)# no switchport port-security mac-address sticky
Switch(config-if)# no switchport port-security mac-address sticky mac_address
Switch(config-if)# shut
Switch(config-if)# no shut

Password recovery
(Procedures may be found on Cisco's website at http://www.cisco.com/warp/public/474/.)

On a 2900XL or 2950, the procedure is as follows:
o Use HyperTerminal to start a console session with the switch.
o Unplug the switch.
o While holding the MODE button in, plug the switch back in to turn it back on.
o Release the MODE button when the STAT LED goes out.
o Initialize the file system and finish loading the operating system by typing:
    flash_init
        Initializes flash file system
    load_helper
        Loads and initializes a helper image
    dir flash:
        To see what is in flash
o rename flash:config.text flash:config.old
    Renames the configuration file
o Type boot to reboot the switch.
o Choose N to not continue with the configuration dialog. The operating system will finish loading without a configuration file. This has effectively bypassed the passwords.
o Switch# rename flash:config.old flash:config.text
    Renames config file back to original
o Switch# copy flash:config.text system:running-config
    Copies config into DRAM
o Now you may change the passwords and save the new configuration file.

Note: Since you cannot get to the power cord on the other side of the switch, you may use the following procedure to get to the flash_init step: Type reload. Press Enter to confirm the reload. As soon as you see Reload requested on the screen, hold the MODE button in. Release the MODE button when you see the SYSTEM light change to solid green (not blinking).

On a 1900:
o Console into the switch.
o Unplug the switch.
o Hold the MODE button in while plugging the switch back in.
o Release the MODE button when you see the Cisco Systems Diagnostics Console or a couple seconds after the LED above port 1x goes off.
o Press Enter to continue.
o Observe the firmware revision number. If 1.09 or earlier, call Cisco for the factory-installed password. If 1.10 or later, choose C to continue with standard system start up. The system will take a minute to perform a self-test. Then you will be asked if you wish to clear the passwords.

Firmware Upgrades
Switch# show boot
    Shows config file
Switch# dir flash:
    Shows contents of flash memory
Switch# rename flash:IOS_file_name.bin flash:IOS_file_name.old
Switch(config)# no ip http server
    Disables access to switch HTML pages temporarily
Switch# delete flash:html/*
    Removes existing html files

Download the switch IOS and HTML files from Cisco Connection Online with a CCO account. You will need the .tar file.

Switch# archive tar /x tftp://ip_address_of_tftp_server/IOS_image_file.tar flash:
    Extracts new IOS image and HTML files to flash memory
Switch(config)# ip http server
    Re-enables access to HTML pages
Switch(config)# boot system flash:IOS_file_name.bin
    Associates the new IOS file
Switch# reload

TFTP Servers
Switch# copy flash:c2900XL-c3h2s-mz-120-5.3.WC.1.bin tftp
    Copies the IOS in flash memory with the given file name (case sensitive) to a tftp server
Switch# copy tftp flash
    Copies an image on a tftp server into flash memory on the switch
Switch# copy run tftp
    Copies running-config on switch to a tftp server
Switch# copy start tftp
    Copies startup-config on switch to a tftp server
Switch# copy tftp run
    Copies running-config from a tftp server to the switch
Switch# copy tftp start
    Copies startup-config from a tftp server to the switch

Spanning Tree Protocol


Bridge ID (BID) = Bridge priority.Base MAC Address
Root Bridge: lowest BID

Switch# show spanning-tree brief
    For version 12.0
Switch# show spanning-tree
    For version 12.1
Switch(config)# spanning-tree priority #
    Changes priority for version 12.0
Switch(config)# spanning-tree vlan 1 priority 4096
    Changes priority in increments of 4096 for version 12.1

Root port is the port closest to the root bridge (lowest cost to get to the root bridge).
Designated ports are the ports with lowest cost to the root bridge.

STP States

VLANs
Switch# show vlan
    Displays vlans
Switch# show vlan-membership
    Displays vlans on a 1900 switch
Switch# vlan database
    From privileged mode, enters vlan database mode to configure VLANs
Switch(vlan)# vlan # name name
    Add, delete, or modify values of a vlan
Switch# config t
Switch(config)# vlan # name name
    Used on 1900s for the above commands
Switch(config-if)# switchport mode access
    Sets trunking mode to access
Switch(config-if)# switchport access vlan #
    Assigns interface to the vlan
Switch(config-if)# vlan static #
    Used on a 1900 series switch instead of the above two commands
Switch# show vlan id #
    Displays information about a specific vlan only
Switch# show vlan name VLAN #
    Alternate command
Switch# show vlan #
    Used on a 1900 series switch
Switch(config-if)# no switchport mode access
Switch(config-if)# no switchport access vlan #
    Removes an interface from a vlan
Switch# vlan database
Switch(vlan)# no vlan #
    Deletes a vlan

Trunking
Switch(config)# int fa0/1
Switch(config-if)# switchport mode trunk
    Sets port to trunk
Switch(config-if)# switchport trunk encapsulation [isl | dot1q]
    Sets the trunking encapsulation on port. This line is not needed on a 2950 since it only supports dot1q trunking.
Switch# show interface # switchport
    To view trunking information on interface
Switch(config-if)# switchport trunk allowed vlan remove vlan_ids
    To remove trunk links

Notes:
Both sides of a trunk must use the same encapsulation.
o The Catalyst 2950 only supports dot1q
o The Catalyst 2900XL and 3550 support both dot1q and isl
For hosts to communicate through a switch, they must be on the same vlan. In order for hosts to communicate on different VLANs, a layer 3 device must route the traffic.

VLAN Trunking Protocol (VTP) Client and Server Configuration


Switch# vlan database
Switch(vlan)# vtp v2-mode
    Changes the version of VTP to a newer version. Use only if all switches support version 2. Version 1 is the default.
Switch(vlan)# vtp [server | client]
    Configures switch to be a VTP server or client. Server is the default.
Switch(vlan)# vtp password password
    To secure the domain. Optional.
Switch(vlan)# vtp domain name
    Sets the name of the VTP administrative domain

The above commands may also be entered in global configuration mode:

Switch(config)# vtp version 2
Switch(config)# vtp domain name
Switch(config)# vtp password password
Switch(config)# vtp mode [server | client]

Adding a Switch to a VTP Domain:
o Erase start to clear the configuration of the new switch
o Power cycle the switch to clear NVRAM
o Switch# show vtp status
    Determines whether server or client. Make sure the Configuration revision number is set to zero.

Verification Commands:
Switch# show vtp status
Switch# show vtp counters

Configure Inter-VLAN Routing


Router(config)# interface #
    Access the physical interface
Router(config-if)# no shutdown
    Turn the physical interface on
Router(config)# interface #.sub
    Configure a subinterface on the router-on-a-stick
Router(config-subif)# encapsulation [isl | dot1q] vlan
    Configure the encapsulation and vlan #
Router(config-subif)# ip address address subnet
    Configure the IP address for the subinterface
