Related posts:

1. Configure VLAN trunks on Cisco Switches VLAN trunks allow multiple networks to pass over a single...
2. Working with VLANS on Cisco Switches Historically, creating multiple networks required multiple switches, but VLANs (Virtual...
3. Configure Port Mirrors on Cisco Switches Switches make network troubleshooting a bit more difficult because not...

Related posts brought to you by Yet Another Related Posts Plugin.

VLAN diagram on Cisco Switches

Step 2: Configure the trunk interfaces
For this example, the gigabit interfaces are used for the trunk links.

Switch A
switchA(config)#interface gigbbit 0/1
switchA(config-if)#switchport mode trunk

Switch B
switchB(config)#interface gigbbit 0/1
switchB(config-if)#switchport mode trunk


At this point, the two networks should start communicating across switches once the gigabit interfaces are connected, but it is a good practice to manually configure a few parameters to improve the stability and reliability of the trunk connection.

Switch A
switchA(config)#interface gigabit 0/1
switchA(config-if)#switchport trunk encapsulation dot1q

This command specifies the protocol that the two switches will use to communicate vlan information in the data that is transfered rather than leaving it to auto-negotiate.  Two Cisco switches will negotiate to ISL (Interswitch Switch Link) protocol which is Cisco proprietary rather than 802.1x, a recognized standard that is compatible with almost all switches and servers.

switchA(config-if)#switchport trunk native vlan 5

The native vlan command specifies the vlan that will be transmitted without VLAN tag information. It does not mtter which vlan is used, but both switches must agree for the link to operate properly. If a native vlan is not specified, then the switches will use vlan 1 by default. Using vlan 1 can cause problems because it is used as the default for so many other things in a switch network.

switchA(config-if)#switchport trunk allowed vlan 5,10
The allowed vlan command specifies which VLANs will be allowed to communicte over the trunk link. Otherwise, unnecessary traffic may go over the link.

Switch B
switchB(config)#interface gigbbit 0/1
switchB(config-if)#switchport trunk encapsulation dot1q
switchB(config-if)#switchport trunk native vlan 5
switchB(config-if)#switchport trunk allowed vlan 5,10


Adding or removing a VLAN
If VLAN 15 was configured on the switches, then it would need to be added to the trunk port on each switch.

Switch A
switchA(config)#interface gigbbit 0/1
switchA(config-if)#switchport trunk allowed vlan add 15

Switch B
switchB(config)#interface gigbbit 0/1
switchB(config-if)#switchport trunk allowed vlan add 15

A VLAN can be removed with a similar command:

Switch A
switchA(config)#interface gigbbit 0/1
switchA(config-if)#switchport trunk allowed vlan remove 15

Switch B
switchB(config)#interface gigbbit 0/1
switchB(config-if)#switchport trunk allowed vlan remove 15

Be Carefull
Verify that you used the add or remove option in the command or it will overwrite the allowed VLANS with only the VLAN that was to be added and communication between the other VLANs wil be broken.

For more detailed information, visit Cisco’s technical article on configuring VLAN trunks.

Related posts:

1. Troubleshoot VLAN trunks The syntax for setting up VLAN trunks on Cisco switches...
2. Working with VLANS on Cisco Switches Historically, creating multiple networks required multiple switches, but VLANs (Virtual...
3. Configure Port Mirrors on Cisco Switches Switches make network troubleshooting a bit more difficult because not...

Related posts brought to you by Yet Another Related Posts Plugin.

If the switch has 24 ports, then it can have 24 separate networks on it. In most cases, Cisco switches support 1024 or more created VLANs per switch. Cisco’s command structure for creating multiple networks and assigning them to ports is simple and straight forward.

What are VLANs anyway?
VLANs are simply a way of separating traffic logically rather than physically. Each data packet that the switch receives is labeled with a VLAN id that tells the switch which network that the packet belongs to. Sometimes the process is called “tagging” because of the VLAN id tag that is added to the data packet. The switchport access VLAN command demonstrated above tells the switch to remove the VLAN id before the data packet is forwarded onto the computer connected to that switch port.

First, create the VLANs.
switchA>en
switchA#configure terminal
switchA(config)#vlan 5
switchA(config-vlan)#description Accounting
switchA(config)#vlan 10
switchA(config-vlan)#description Marketing

This defines two separate networks on the switch that can by used for ports. VLAN 5 could be used for the Accounting department and VLAN 10 could be used for the Marketing department. After the ports are assigned to the correct VLAN, computers in the Accounting department will not be able to see the Marketing department. It will be as if each department had its own switch.

Configure the ports
switchA(config)#int fa0/1
switchA(config-if)#description Markg-1
switchA(config-if)#switchport mode acess
switchA(config-if)#switchport access vlan 5
switchA(config)#int fa0/2
switchA(config-if)#description Acctg-1
switchA(config-if)#switchport mode acess
switchA(config-if)#switchport access vlan 10

In some versions of the software, Cisco switches will allow the administrator to create VLAN assignments without first creating VLANs. If the VLAN is not properly created, the switch will discard the packets and the computers on that VLAN will not be able to communicate. The VLANs can be created after the ports are assigned.
Viewing VLAN information
Information on the switch’s configured VLANs can be viewed in two ways. First with the show vlan command and second with the show interface command. If the
switchA>show vlan

VLAN Name Status Ports
—- ——————————– ———
5 Accounting active fa0/1
10 Marketing active fa0/2

switchA>show interface status
Port Name Status Vlan Duplex Speed
fa0/1 Markg-1 connected 5 full 100
fa0/1 Acctg-1 inactive 10 full 100

VLAN 1 is default:
The default configuration for a Cisco switch is for every port to be on VLAN 1. Even when the the configuration does not show a switchport access vlan command on the port, it is assumed that the port is on VLAN 1. Once a port is assigned to a new VLAN, like the Accounting VLAN 5, it can no longer communicate directly with the other unconfigured ports.

Related posts:

1. Configure VLAN trunks on Cisco Switches VLAN trunks allow multiple networks to pass over a single...
2. Troubleshoot VLAN trunks The syntax for setting up VLAN trunks on Cisco switches...
3. Configure Port Mirrors on Cisco Switches Switches make network troubleshooting a bit more difficult because not...

Related posts brought to you by Yet Another Related Posts Plugin.

Channels can also offer redundancy fault tolerance for physical connections. If one of the links involved in a channel loses connection, the channel will continue on with the existing ports and three quarters of the bandwidth.

Ports involved in a channel must be on the same blade in a modular switch like a Catalyst 4500 or 6500.

Configuring port channels has become much easier in recent IOS versions. First, designate the desired ports into a channel group.

My_Switch(config)#interface GigabitEthernet2/1
My_Switch(config-if)#description Core Connection
My_Switch(config-if)#channel-group 2 mode desirable

My_Switch(config)#interface GigabitEthernet2/2
My_Switch(config-if)#description Core Connection
My_Switch(config-if)#channel-group 2 mode desirable

The desirable option will create a channel to another Cisco switch in etherchannel format and drop a single channel if necessary. In contrast, using the on option would force a port channel, but would drop the entire channel if a single link.

Etherchannel is Cisco’s proprietary channel protocol, sometimes called PAGP or Port Aggregation Protocol. In order to create channel with a server or non-Cisco switch, the channel will have to be configured in LACP (Link Aggregation Control Protocol) format, which is a multivendor standard.

My_Switch(config)#interface GigabitEthernet2/1
My_Switch(config-if)#description Core Connection
My_Switch(config-if)#channel-group 2 mode passive

My_Switch(config)#interface GigabitEthernet2/2
My_Switch(config-if)#description Core Connection
My_Switch(config-if)#channel-group 2 mode passive

Using the active flag instead of the passive mode option will force the ports into a LACP channel without negotiation much like the on option for PAGP. The entire channel will go down if a single line is disconnected and will not be fault tolerant.

Next, create a virtual port channel interface.

My_Switch(config)#interface Port-channel4
My_Switch(config-if)#description Core Connection
My_Switch(config-if)#switchport

The virtual port channel configuration merely controls the aggregate port. For instance, if the port-channel interface is disabled, or shut down as Cisco calls it, then the channel will not work even though all four member ports are enabled.

Display active channels with the show neighbor command.

My_switch> show pagp neighbors
<output ommitted>

My_switch> show lacp neighbors
<output ommitted>

The output gives much detail about the channels and their state.

Disable channels
Channels are a handy tool, but most Cisco switches ship in auto mode by default and that can sometimes causes problems with workstations that do not understand how to disregard the channel auto-negotiation. The switchport mode access command disables channel negotiation as well as disabling vlan trunking negotiation. It prepares the port for use by a single workstation.

My_Switch(config)#interface gig6/5
My_Switch(config-if)#description My favorite PC
My_Switch(config-if)#switchport mode access

Channels are often a quick way to add bandwidth and add redundancy with existing hardware.
Related Posts:
Configuring Secure Shell (SSH) in IOS

Related posts:

1. Configure Port Mirrors on Cisco Switches Switches make network troubleshooting a bit more difficult because not...
2. Working with VLANS on Cisco Switches Historically, creating multiple networks required multiple switches, but VLANs (Virtual...
3. Showing the configuration at the interface level One of the pains about Cisco is that once you...

Related posts brought to you by Yet Another Related Posts Plugin.

To work around this for troubleshooting and analysis, either a network hardware mirror, most often called a tap, or a mirror (sometimes called a span) on the switch is required. Most business-class switches have this feature and cisco includes it on all of its switches.

Configure a mirror on port 1 like this.

My_Switch(config)#monitor session 1 source interface Fa0/1 both
My_Switch(config)#monitor session 1 destination interface Fa0/10

The both option on the command tells the switch to send both transmit and receive packets to the destination port. Once a switchport is configured as a destination mirror port, the port will not accept traffic. A sniffer cannot transmit data, it can only listen.

Cisco Switches actually allow you create more than one mirror, although the number of allowed mirrors depends on the model of Cisco switch. To create a second mirror, just designate a second mirror session.
My_Switch(config)#monitor session 2 source interface Fa0/2 both
My_Switch(config)#monitor session 2 destination interface Fa0/11

Cisco’s syntax also allows you to specify multiple sources to a single port or a single source to multiple destinations. This is handy when setting up Intrusion Detection Systems that monitor the network.

My_Switch(config)#monitor session 2 source interface Fa0/2 both
My_Switch(config)#monitor session 2 destination interface Fa0/11
My_Switch(config)#monitor session 2 destination interface Fa0/12

In some cases, looking at the traffic for just one port is not good enough or the number of mirrors needed exceeds the number of mirrors that the switch is capable of. In that case, Cisco switches allow you to create a vlan mirror that grabs traffic from the entire vlan or vlans and sends it to a destination port for monitoring.

My_Switch(config)#monitor session 1 source vlan 33 rx
My_Switch(config)# monitor session 1 destination interface Gi1/1

Specifying both in the source command would create duplicate packets as packets go in and out of the vlan, so only specify receive or transmit with the tx or rx options. The both option would look like a network echo from a sniffer perspective.

The Show Monitor command summarizes all of the configured mirrors on the entire switch.

My_Switch>show monitor
Session 1
———
Type : Local Session
Source Ports:
RX Only: None
TX Only: None
Both: Fa0/1
Source VLANs:
RX Only: None
TX Only: None
Both: None
Source RSPAN VLAN: None
Destination Ports: Fa0/10
Encapsulation: Native
Reflector Port: None
Filter VLANs: None
Dest RSPAN VLAN: None

Session 2
———
Type : Local Session
Source Ports:
RX Only: None
TX Only: None
Both: Fa0/2
Source VLANs:
RX Only: None
TX Only: None
Both: None
Source RSPAN VLAN: None
Destination Ports: Fa0/11
Encapsulation: Native
Reflector Port: None
Filter VLANs: None
Dest RSPAN VLAN: None

Mirrors can be disabled two ways:
My_Switch(config)#monitor session 1

This command will only remove session 1.
My_Switch(config)#no monitor

The no monitor command will remove all monitors on the switch.

Similar Posts
Configure SSH in IOS

Related posts:

1. Configure Port Channels in IOS Port Channels are a quick way to get more bandwidth...
2. Configure VLAN trunks on Cisco Switches VLAN trunks allow multiple networks to pass over a single...
3. Working with VLANS on Cisco Switches Historically, creating multiple networks required multiple switches, but VLANs (Virtual...

Related posts brought to you by Yet Another Related Posts Plugin.

RouterA#configure terminal
RouterA(config)# line vty 0 4
A router’s telnet interface is called a vty, short for Virtual Teletype Terminal.
RouterA(config)# password letmein
RouterA(config)# end
This will allow access to router via telnet by just the password letmein. Below is an example of configuring a router for username and password authentication from a local database stored on the router itself. If you have more than one router or switch, each router will need to be configured. Either way is more secure than just a password by itself. A more complex password increases security, so use passwords that are difficult to guess and create usernames that are not as simple to guess like admin or cisco..

RouterA#configure terminal
RouterA(config)# username Jane password Doe
RouterA(config)# username Bob password Smith
RouterA(config)# aaa new-model
RouterA(config)# aaa authentication login default local
RouterA(config)# end

The configuration creates the usernames Jane and Bob with the passwords Doe and Smith respectively. AAA stands for authentication, authorization and accounting. The line ‘aaa authentication login default local’ specifies that local authentication should be used for login by default. The passwords will show up in the configuration just as you typed them and be readable by everyone that has access to the router configuration file unless the service password-encryption command is used. For example:

RouterA#configure terminal
RouterA(config)# service password-encryption
RouterA(config)# end

Now your passwords will be encrypted in the configuration. There are tools available that can decrypt these passwords, so configurations should still be stored in a secure place.

Here is a look at configuring TACACS+ authentication, a centralized authentication protocol that passes authentication of to a server. In this example, the switch or router will first look to TACACS+ for authentication and then if that fails, it will look in the local user database. This will give you access if your network device loses network connectivity to the TACACS+ server. This example assumes there is a working TACACS+ server already running on your network. If not, notes on configuring a TACACS+ server on linux can be found here.

RouterA#configure terminal
RouterA(config)# aaa new-model
RouterA(config)# aaa authentication login default group tacacs+ local
RouterA(config)# tacacs-server host 10.1.1.1
RouterA(config)# tacacs-server host 10.1.1.2
RouterA(config)# tacacs-server key SecretPassword
RouterA(config)# end

If the switch or router has access to the authentication server, then the next time that you log in, the device should prompt you for a username rather than just a password. Complete details on configuring aaa access can be found on Cisco’s website.

Related posts:

1. Configuring SSH on Cisco routers/switches (How-to) With all of the security problems out there today, it...
2. Showing the configuration at the interface level One of the pains about Cisco is that once you...
3. Working with VLANS on Cisco Switches Historically, creating multiple networks required multiple switches, but VLANs (Virtual...

Related posts brought to you by Yet Another Related Posts Plugin.