CCNP Switch Command
Clearing a Switch
For a normal switch
1. > enable
2. # delete flash:vlan.dat
3. # erase startup-config
4. # reload
For a switch used to connect to a larger network
1. > enable
2. # delete vlan.dat
3. # erase startup-config
4. # reload
5. # show vlan brief
6. (config)# interface range f0/1-24
7. (config-if-range)# shutdown
8. # conf t
9. (config)# vtp mode transparent
Config Switch first
1. > enable
2. # conf t
3. (config)# hostname Switch_Access2
4. (config)# enable secret class
5. (config)# line console 0
6. (config-line)# logging synchronous
7. (config-line)# exec-timeout 0 0
8. (config-line)# password cisco
9. (config-line)# login
10. (config)# enable secret cisco
11. (config)# line vty 0 15
12. (config-line)# password cisco
13. (config-line)#
Nguyễn Hoàng Vũ – NP11.03
Config Vlan-Vtp
Step 1: show vlan
1. show vlan
2. show vtp status
Step 1: config Vlan
1. (config)# interface vlan 1
2. (config-if)# ip address 10.1.1.101 255.255.255.0
3. (config-if)# no shutdown
Step 2: config vtp
1. vtp domain CCNP1103
2. vtp version 2
3. vtp mode server/client/transparent
4. vtp password cisco123
Step 3: config interface mode
Trunk
1. interface f0/6
2. switchport trunk encapsulation dot1q
3. switchport mode trunk
Access
1. interface f0/1
2. switchport mode access
Show:
1. show interface f0/7 switchport
2. show interface trunk
Step 4: configure vlan in configuration mode
1. (config)# vlan 20
2. (config-vlan)# name Server-1
3. (config)# interface f0/6
4. (config-if)# switchport access vlan 20
Modified vlan
vlan 120
shutdown
no shutdown
state active
Config EtherChannel
Step 1: config basic switch parameters
1. conf t
2. (config)# interface range f0/7-12
3. (config-if-range)# switchport trunk encapsulation dot1q
4. (config-if-range)# switchport mode trunk
Step 2: configure EtherChannel with Cisco PAgP
1. (config)# interface range f0/7-12
2. (config-if-range)# channel-group 1 mode desirable
3. (config)# interface port-channel 1
4. (config-if)# switchport mode trunk
Step 3: configure layer 3 EtherChannel
1. (config)# interface range fastethernet 0/11-12
2. (config-if-range)# no switchport
3. (config-if-range)# channel-group 3 mode desirable
4. (config-if-range)# interface port-channel 3
5. (config-if)# no switchport
6. (config-if)# ip address 10.0.0.1 255.255.255.0
Step 4: configure load balancing
1. (config)# port-channel load-balance src-dst-mac
2. # show etherchannel load-balance
Configuration Spanning-tree
basic
Step 1: prepare the switches for the lab:
1. (config)# interface range fastethernet 0/7-12
2. (config-if-range)# switchport trunk encapsulation dot1q
3. (config-if-range)# switchport mode trunk
Step 2: configure specific switch to be primary and secondary root
1. # debug spanning-tree events
2. DSL1 (config)# spanning-tree vlan 1 root primary
3. ADSL (config)# spanning-tree vlan 1 root secondary
4. # show run | include span
Step 3: change the root port using the spanning-tree
1. (config)# int f0/12
2. (config-if)# spanning-tree port-priority 112
3. (config)# int f0/6
4. (config-if)# spanning-tree cost 10
Step 5: config portfast on an access port
1. (config)# int f0/6
2. (config-if)# switchport mode access
3. (config-if)# no shut
4. (config-if)# int f0/6
5. (config-if)# spanning-tree portfast
PVST students
Step 1: prepare the switches on the lab
1. (config)# int range f0/7-12
2. (config-if-range)# switchport trunk encapsulation dot1q
3. (config-if-range)# switchport mode trunk
Step 2: config VLAN
Step 3: assign a root switch of each vlan
1. (config)# spanning-tree vlan 10 priority 4096
Step 3: config RSTP
1. (config)# spanning-tree mode rapid-pvst
Configure MST
Step 1: prepare the switches for the lab
1. (config)# interface range fastethernet 0/7-12
2. (config-if-range)# switchport trunk encapsulation dot1q
3. (config-if-range)# switchport mode trunk
Step 2: configure VTP and VLANs
1. (config)# vtp mode transparent
2. (config)# vtp domain Cisco
Step 3: configure MST globally
1. (config)# spanning-tree mode mst
Step 4: config the MST region and instance
2. (config)# spanning-tree mst configuration
3. (config-mst)# name CISCO
4. (config-mst)# revision 1
5. (config-mst)# instance 1 vlan 20-50
Show command
1. (config-mst)# show current
2. (config-mst)# show pending
3. # show spanning-tree mst configuration
4. # show spanning-tree
5. # show interface trunk
6. # show spanning-tree root
7. # debug spanning-tree events
Configure Inter-Vlan
Step 3: configure the route
1. (config)# hostname ISP
2. (config)# int s0/1
3. (config-if)# ip address 192.168.1.2 255.255.255.0
4. (config-if)# clock rate 64000
5. (config-if)# no shutdown
6. (config)# ip route 172.16.0.0 255.255.0.0 192.168.1.1
Step 4: configure the switches
1. (config)# int vlan 1
2. (config-if)# ip address 172.16.1.101 255.255.255.0
3. (config-if)# no shutdown
4. (config-if)# exit
5. (config)# ip default-gateway 172.16.1.1
Step 6: configure trunk links and EtherChannel on switches
1. (config)# int range f0/7-12
2. (config-if-range)# switchport mode trunk
3. (config-if-range)# channel-group 1 mode desirable
4. (config-if-range)# end
5. # show etherchannel 1 summary
Step 7: config VTP and Vlan
Step 8: config access port with PortFast
1. (config)# int f0/6
2. (config-if)# switchport mode access
3. (config-if)# switchport access vlan 100
4. (config-if)# spanning-tree portfast
Step 10: config the gateway router Fast Ethernet interface for VLAN trunking
1. (config)# interface f0/1.1
2. (config-subif)# description Management VLAN 1
3. (config-subif)# encapsulation dot1q 1 native
4. (config-subif)# ip address 172.16.1.1 255.255.255.0
Config HSRP
Step 1: prepare the switch for the lab
Step 2: configure the host IP settings
Step 3: configure basic parameters
Step 4: configure trunks and EtherChannel between switches
Step 5: configure vtp on adls
Step 6: configure vtp on dsl
Step 7: configure access port PortFast
Step 8: configure HSRP interface and enable routing
1. (config)# ip routing
2. (config)# interface vlan 1
3. (config-if)# standby 1 ip 172.16.1.1
4. (config-if)# standby 1 preempt
5. (config-if)# standby 1 priority 150
6. (config-if)# exit
Step 9: verify the HSRP configuration
1. # show standby
2. # show standby brief
Configure SLA campus
Step1: prepare the switches for the lab
Step2: config the host PCs
Step 3: config basic parameters on the switches
Configure the hostname, password and, optionally, remote access.
Configure a management IP address on VLAN 1:
o (config)# int vlan 1
o (config-if)# ip address 172.1.16.10 255.255.255.0
o (config-if)# no shut
Config default gateway:
o (config)# ip default-gateway 172.16.1.1
step 4: config trunks and ethernetchannel between switches
step 5&6: config VLan and VTP
Step 7: config accessport
step8: config VLAN interface and enable routing
(config)# int vlan 100
(config-if)# ip address 10.172.16.1 255.255.255.0
(config)# ip routing
Step 9: configure Cisco IP SLA responders
(config)# ip sla responder
(config)# ip sla responder udp-echo ipaddress 172.16.1.1 port 5000
Step 10: configure Cisco IOS IP SLA source to measure network performance
1. (config)# ip sla 1
2. (config-ip-sla)# icmp-echo 172.16.100.101
3. (config-ip-sla)# exit
4. (config)# ip sla schedule 1 life forever start-time now
Step 11: monitor IP SLA operation
1. # show ip sla configuration 1
2. # show ip sla application
3. # show ip sla responder
4. # show ip sla statistics 1
Securing layer 2
Step 1: prepare the switch for the lab
Step 2: configure the basic parameters and trunking
(config)# hostname ADLS1
(config)# enable secret class
(config)# line vty 0 15
(config-line)# password cisco
(config-line)# login
(config-line)# exit
o (config)# interface vlan 1
o (config-if)# ip address 172.16.101.1 255.255.255.0
o (config-if)# no shutdown
o (config-if)# exit
o (config)# ip default-gateway 172.16.1.1
o (config)# int range f0/7 - 12
o (config-if-range)# switchport mode trunk
Step 3: configure vtp on adsl1 and adsl2
Step 4: configure IP routing, the VLANs, VLAN SVIs, and HSRP
a) config VTP, VLAN, and IP routing
o (config)# vtp domain SPWOD
o (config)# vtp version 2
o (config)# vlan 100
o (config-vlan)# name staff
o (config-vlan)# exit
o (config)# ip routing
b) config switch virtual interfaces (SVIs) and HSRP
o (config)# int vlan 1
o (config-if)# standby 1 ip 172.16.1.1
o (config-if)# standby 1 preempt
o (config-if)# standby 1 priority 150
c) verify
o show vlan brief
o show vtp status
o show standby brief
o show ip route
Step 6: config port-security
a) By default, issuing the switchport port-security command by itself sets the maximum number of MAC addresses to 1, and the violation mode to shutdown. It is not necessary to specify the maximum number of addresses, unless it is greater than 1.
o ALS2(config)# interface range fastethernet 0/15 - 24
o ALS2(config-if-range)# switchport port-security
b) Verify
o show port-security
c) Enter the configuration for the staff
o (config)# int range f0/15-24
o (config-if-range)# switchport port-security
o (config-if-range)# switchport port-security maximum 2
o (config-if-range)# switchport port-security mac-address sticky
Step 7: config DHCP snooping
a) enable to trust DHCP relay information
(config)# ip dhcp relay information trust-all
b) config switches to trust DHCP on the trunk port
ALS1(config)# ip dhcp snooping
ALS1(config)# interface range fastethernet 0/7 - 12
ALS1(config-if-range)# ip dhcp snooping trust
ALS1(config-if-range)# exit
ALS1(config)# interface range fastethernet 0/15 - 24
ALS1(config-if-range)# ip dhcp snooping limit rate 20
ALS1(config-if-range)# exit
ALS1(config)# ip dhcp snooping vlan 100,200
Step 8: config AAA
(config)# username vu password cisco
(config)# aaa new-model
(config)# aaa authentication dot1x default local
(config)# dot1x system-auth-control
(config)# int range f0/15-24
(config-if-range)# dot1x port-control auto
Securing Spanning Tree Protocol
Step 1: load or verify the configuration
Step 2: config the primary and secondary root bridges for the VLANs
a) command
(config)# spanning-tree vlan 1,100 root primary
(config)# spanning-tree vlan 20 root secondary
b) verify: show spanning-tree
Step 3: configure root guard
(config)# int range f0/13-14
(config-if-range)# spanning-tree guard root
Step 4: demonstrate root guard functionality
a) command show
show spanning-tree vlan 1
show spanning-tree inconsistentports
b) undo
(config-if)# no spanning-tree guard root
Step 5: config BPDU guard
(config)# spanning-tree portfast bpduguard default
show spanning-tree summary
Step 6: enable broadcast storm control on trunk port
(config)# int f0/7
(config-if)# storm-control broadcast level 50
show running-config interface
Step 7: configure UDLD
(config)# int range f0/1-24
(config-if-range)# udld port aggressive
(config)# udld enable
show udld f0/15
Securing VLAN
Step 1: verify the configuration on the switches
show vlan
show interface trunk
show standby brief
Step 2: configure private VLAN
a) config HSRP
(config)# int vlan 50
(config-vlan)# name server-farm
(config)# int f0/5
(config-if)# ip address 10.172.16.1 255.255.255.0
(config-if)# standby 1 ip 10.172.16.3
(config-if)# standby 1 priority 100
(config-if)# standby 1 preempt
show standby vlan 150 brief
b) config vlan
(config)# vlan 151
(config-vlan)# private-vlan isolated
(config)# vlan 150
(config-vlan)# private-vlan community
(config)# vlan 152
(config-vlan)# private-vlan isolated
(config-vlan)# private-vlan association 150,151
c) the VLAN mapping
(config)# int vlan 152
(config-if)# private-vlan mapping 150-151
d) The switchport mode private-vlan host-association
(config)# int range f0/18-20
(config-if-range)# switchport mode private-vlan host
(config-if-range)# switchport private-vlan host-association 150 151
Step 3: configure RACLs between VLANs
a) config access list
DLS1(config)# access-list 100 permit tcp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 established
DLS1(config)# access-list 100 permit icmp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 echo-reply
DLS1(config)# access-list 100 deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255
DLS1(config)# access-list 100 permit ip any any
DLS1(config)# interface vlan 100
DLS1(config-if)# ip access-group 100 in
DLS1(config)# interface vlan 200
DLS1(config-if)# ip access-group 100 in
b) show command
show access-lists
show ip interface vlan 100
c) ip vlan
(config)# int vlan 100
(config-if)# ip address 172.16.100.100 255.255.255.0
d) verify
ping 172.16.100.1 source vl100
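An added example, not part of the original notes: a first-match evaluator for ACL 100 from step 3, showing how the wildcard masks, the established keyword and the final permit ip any any decide traffic between VLAN 200 and VLAN 100. The packet dictionary fields (proto, src, dst, flags, icmp_type) and the function names are assumptions made for this example.

```python
import ipaddress

# ACL 100 as entered in step 3 (the "access-list 100" prefix is dropped).
ACL_100 = """\
permit tcp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 established
permit icmp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 echo-reply
deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255
permit ip any any
"""

def take_addr(tokens):
    """Pop one address spec ('any' or 'base wildcard') as (base, wildcard)."""
    if tokens[0] == "any":
        tokens.pop(0)
        return 0, 0xFFFFFFFF
    base, wild = tokens.pop(0), tokens.pop(0)
    return int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wild))

def parse_acl(text):
    """Parse the ACE forms used on this page into dictionaries."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto = tokens.pop(0), tokens.pop(0)
        rules.append({"action": action, "proto": proto, "src": take_addr(tokens),
                      "dst": take_addr(tokens), "opt": tokens[0] if tokens else None})
    return rules

def wildcard_match(addr, spec):
    """Wildcard bits set to 1 are 'don't care'; the other bits must equal base."""
    base, wild = spec
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)

def evaluate(rules, pkt):
    """First matching ACE wins; an ACL ends with an implicit deny."""
    for r in rules:
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], r["src"])
                and wildcard_match(pkt["dst"], r["dst"])):
            continue
        if r["opt"] == "established" and not {"ack", "rst"} & pkt.get("flags", set()):
            continue
        if r["opt"] == "echo-reply" and pkt.get("icmp_type") != 0:
            continue
        return r["action"]
    return "deny"
```

The established keyword matches on the ACK or RST bit alone, so this RACL is a stateless filter rather than connection tracking.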
Step 4: configure VACLs
a) configure access list
(config)# ip access-list extended temp-host
(config-ext-nacl)# permit ip host 172.16.100.150 172.16.100.0 0.0.0.255
b) configure vlan access map
(config)# vlan access-map block-temp 10
(config-access-map)# match ip address temp-host
(config-access-map)# action drop
(config-access-map)# vlan access-map block-temp 20
(config-access-map)# action forward
c) define vlan filter
(config)# vlan filter block-temp vlan-list 100
d) show command
show vlan access-map
Switch IP telephone student
step1: prepare the switches lab
step2: config the basic parameter
step3: config the trunk and ethernetchannel
step4: config VTP and vlan
step5: config IP routing, VLAN SVIs, HSRP
Step 7: config access ports to trust IP phone CoS
(config)# int range f0/15-24
(config-if-range)# switchport mode access
(config-if-range)# switchport access vlan 10
(config-if-range)# switchport voice vlan 20
(config-if-range)# auto qos voip cisco-phone
Step 9: config the distribution layer switches to trust access layer
(config)# mls qos
(config)# int range f0/15-24
(config-if-range)# auto qos voip trust
Step 10: manually assign access layer CoS for the camera
(config)# int f0/5
(config-if)# switchport mode access
(config-if)# switchport access vlan 100
(config-if)# mls qos trust cos
(config-if)# mls qos cos 3
show mls qos cos interface