
Basic Router Configuration: Logging in to the Router

In this article I will show how to configure a router. For demonstration purposes I used Packet Tracer. If you haven't installed Packet Tracer yet, read our previous article on downloading and installing it (the link is at the top of the left-hand column). Create a simple topology by dragging devices onto the workspace as shown in the figure.

Click the router, select the CLI tab and press Enter to get started. Setup mode starts automatically when there is no startup configuration present. The answer inside the square brackets [ ] is the default; if that is the answer you want, just press Enter. Pressing Ctrl+C at any time ends the setup process, shuts down all interfaces and drops you into user mode (Router>).

You cannot configure an entire router from setup mode; it only covers the basics. For example, you can turn on either RIPv1 or Interior Gateway Routing Protocol (IGRP), but not Open Shortest Path First (OSPF) or Enhanced Interior Gateway Routing Protocol (EIGRP). You cannot create access control lists (ACLs) or enable Network Address Translation (NAT). You can assign an IP address to an interface, but not to a subinterface. All in all, setup mode is very limiting, so answer no to skip it and get the router prompt:

    --- System Configuration Dialog ---
    Continue with configuration dialog? [yes/no]: no

    Press RETURN to get started
    Router>

You are now connected to the router in user mode. The prompt has two parts, the hostname and the mode: "Router" is Router0's hostname and ">" means user mode. In user mode you can look at settings but cannot make changes. In privileged mode, indicated by "#", you can do anything, which is why it is the mode that needs protecting (see Configuring Passwords below). To enter privileged mode, type enable:

    Router>enable
    Router#

To get back to user mode, type disable. From user mode, type logout or exit to leave the router:

    Router#disable
    Router>exit

    Router con0 is now available

    Press RETURN to get started

Press Enter to get the router prompt back; you are in user mode again. Type ? to list all the commands available at this prompt:

    Router>?

From privileged mode you enter global configuration mode by typing configure terminal (config terminal for short); exit or Ctrl+Z leaves configuration mode again:

    Router>enable
    Router#config terminal
    Router(config)#exit
    Router#

Typing ? in any mode lists every command available in that mode. You can also use the question mark after you have started typing a command: if you want a show command but cannot remember which one, show ? lists everything that can follow show.

    Router#show ?
      access-expression  List access expression
      access-lists       List access lists
      backup             Backup status
      cdp                CDP information
      clock              Display the system clock
      cls                DLC user information
      compress           Show compression statistics
      configuration      Contents of Non-Volatile memory
     --More--

Basic Global Configuration Mode Commands


Configuring a Router Name
This command works on both routers and switches; the prompt changes as soon as the name is set:

    Router(config)#hostname Lucknow
    Lucknow(config)#

You can choose any descriptive name for your Cisco devices.

Configuring Passwords

These commands work on both routers and switches:

    Router(config)#enable password test          Sets the enable password to test
    Router(config)#enable secret vinita          Sets the enable secret to vinita
    Router(config)#line console 0                Enters console line mode
    Router(config-line)#password console         Sets the console line password to console
    Router(config-line)#login                    Enables password checking at login
    Router(config)#line vty 0 4                  Enters vty line mode for all five vty lines
    Router(config-line)#password telnet          Sets the vty password to telnet
    Router(config-line)#login                    Enables password checking at login
    Router(config)#line aux 0                    Enters auxiliary line mode
    Router(config-line)#password aux             Sets the auxiliary line password to aux
    Router(config-line)#login                    Enables password checking at login

CAUTION: The enable secret is stored as a one-way hash. The enable password is stored in cleartext, or, if service password-encryption is configured, as a type 7 string, which is a fixed-key reversible obfuscation rather than encryption and is decoded by freely available tools. For this reason, recommended practice is never to use the enable password command; use only enable secret. If both are set, IOS uses the secret, and it warns you (and may refuse) if you try to set both to the same string, because that would defeat the purpose of hashing. The same limitation applies to the line passwords above: a password under line console, vty or aux is cleartext or type 7 as well.

Configuring a Fast Ethernet Interface


    Router(config)#interface fastethernet 0/0                   Moves to Fast Ethernet 0/0 interface configuration mode
    Router(config-if)#description Student Lab LAN               Optional description of the link; locally significant only
    Router(config-if)#ip address 192.168.20.1 255.255.255.0     Assigns the address and subnet mask to the interface
    Router(config-if)#no shutdown                                Turns the interface on (router interfaces are shut down by default)

Creating a Message of the Day Banner


    Router(config)#banner motd # Next scheduled meeting with manager is postponed #
    Router(config)#

The MOTD banner is displayed on all terminals and is useful for sending messages that affect all users. Use the no banner motd command to disable the MOTD banner. The MOTD banner displays before the login prompt and the login banner, if one has been created.

Creating a Login Banner


    Router(config)#banner login # Unauthorized access is prohibited! Please enter your username and password. #
    Router(config)#

The login banner displays before the username and password prompts. Use the no banner login command to disable it. The MOTD banner displays before the login banner. The # is known as the delimiting character: it must surround the message and can be any character, as long as it is not used within the body of the message. Keep banners free of anything that helps an attacker (device role, software version, contact details); a statement that access is restricted is all they need to say.

Assigning a Local Host Name to an IP Address


    Router(config)#ip host Lucknow 172.16.1.1          Assigns the host name Lucknow to the IP address 172.16.1.1

After this assignment you can use the host name instead of the IP address when you telnet or ping to that address.

The no ip domain-lookup Command


    Router(config)#no ip domain-lookup          Turns off DNS resolution, so an unrecognized word is no longer looked up as a host name
    Router(config)#

Ever type a command incorrectly and have to wait a minute or two while the router tries to resolve it? By default the router treats any word that is not a command as a host name and tries to resolve it through a Domain Name System (DNS) server at the broadcast address 255.255.255.255. If you are not going to set up DNS, turn this feature off to save time as you type, especially if you are a poor typist.

The exec-timeout and logging synchronous Commands

    Router(config)#line console 0                Enters console line mode
    Router(config-line)#exec-timeout 0 0         Sets the idle time after which the console session is logged off; 0 0 (minutes seconds) means never
    Router(config-line)#logging synchronous      Redraws the command you are typing after an unsolicited console message interrupts it
    Router(config-line)#

exec-timeout 0 0 is convenient in a lab because the console never logs you out. In the real world it is bad security: anyone who reaches an unattended console inherits an open, possibly privileged, session. The default is 10 minutes and 0 seconds (exec-timeout 10 0); leave it at the default or shorter on production devices.
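The two points made in this section and in Configuring Passwords above, reversible or cleartext passwords and sessions that never time out, are easy to miss in a long configuration. The following Python script is an added example (not code from the article) that audits a saved IOS configuration for them. It also shows why a type 7 string is no protection: the translation key is fixed and public, so decoding takes a few lines. The configuration it reads is constructed for the demonstration; the enable secret hash in it is a placeholder, and the type 7 string 094F471A1A0A is the well-known encoding of the word cisco.

```python
"""Audit a Cisco IOS configuration for the weaknesses described above.

Added example, not code from the original article. SAMPLE_CONFIG is constructed
for the demonstration; the enable secret hash in it is a placeholder.
"""
import re

# Translation key used by IOS type-7 obfuscation. It is fixed and public, which is
# why 'enable password' and 'service password-encryption' protect nothing.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc: str) -> str:
    """Reverse a type-7 string: the first two digits are the key offset, the rest is hex."""
    seed = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    return bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(data)).decode()


def type7_encode(plain: str, seed: int = 0) -> str:
    """Produce a type-7 string; only here to show that the transform round-trips."""
    body = "".join(f"{b ^ _XLAT[(seed + i) % len(_XLAT)]:02X}" for i, b in enumerate(plain.encode()))
    return f"{seed:02d}{body}"


def _password_finding(where: str, ptype: str, value: str) -> str:
    if ptype == "7":
        return f"{where}: type-7 password is reversible, decodes to '{type7_decode(value)}'"
    return f"{where}: password stored in cleartext ('{value}')"


def audit_config(config: str) -> list:
    """Return human-readable findings for a running-config or startup-config text."""
    findings = []
    lines = config.splitlines()

    if not any(l.startswith("enable secret") for l in lines):
        findings.append("global: no 'enable secret' configured")
    if "service password-encryption" not in lines:
        findings.append("global: 'service password-encryption' not set (line passwords appear in cleartext)")

    ctx = None            # the 'line ...' block we are inside, if any
    vty_has_ssh = False   # seen an ssh-only 'transport input' in the current vty block

    def close_ctx():
        if ctx and ctx.startswith("line vty") and not vty_has_ssh:
            findings.append(f"{ctx}: no 'transport input ssh' (Telnet accepted)")

    for raw in lines:
        line = raw.rstrip()
        m = re.match(r"enable password(?: (\d))? (\S+)$", line)
        if m:
            findings.append(_password_finding("global enable password", m.group(1) or "0", m.group(2)))
            continue
        if line.startswith("line "):          # start of a con/vty/aux block
            close_ctx()
            ctx, vty_has_ssh = line, False
            continue
        if not line.startswith(" "):          # any unindented line ends the block
            close_ctx()
            ctx = None
            continue
        if ctx is None:
            continue
        body = line.strip()
        m = re.match(r"password(?: (\d))? (\S+)$", body)
        if m:
            findings.append(_password_finding(ctx, m.group(1) or "0", m.group(2)))
        elif body == "exec-timeout 0 0":
            findings.append(f"{ctx}: exec-timeout 0 0, idle sessions never expire")
        elif body.startswith("transport input") and "ssh" in body and "telnet" not in body and "all" not in body:
            vty_has_ssh = True
    close_ctx()
    return findings


# Constructed configuration in the shape of the article's R1, plus a type-7 enable password.
SAMPLE_CONFIG = """\
hostname R1
enable password 7 094F471A1A0A
enable secret 5 $1$CONSTRUCTED$placeholderNotARealHash
!
line con 0
 exec-timeout 0 0
 password console
 login
line vty 0 4
 password telnet
 login
 transport input telnet ssh
!
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show running-config saved to a file; every finding it prints corresponds to one of the warnings in this section. The vty check is deliberately strict: transport input telnet ssh still accepts Telnet, so only an ssh-only transport line clears it.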

Saving and erasing configurations


    Router(config)#exit                               Returns to privileged exec mode
    Router#copy running-config startup-config        Saves the running configuration to local NVRAM
    Router#copy running-config tftp                   Copies the running configuration to a TFTP server
    Router#erase startup-config                       Deletes the startup configuration file from NVRAM

Remember that TFTP has no authentication or encryption, so a configuration copied this way, including any cleartext or type 7 passwords in it, crosses the network in the clear. Use it only on a trusted management network, or prefer SCP where the platform supports it.

Configuration Example: Basic Router Configuration


For this example we will use the topology created at the start of this article: a simple topology made by dragging devices onto the workspace as shown in the figure.

Click the router, select the CLI tab and press Enter to get started.

    --- System Configuration Dialog ---
    Continue with configuration dialog? [yes/no]: no

    Press RETURN to get started!

    Router>enable
    Router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#hostname R1
    R1(config)#interface fastethernet 0/0
    R1(config-if)#description Student Lab LAN
    R1(config-if)#ip address 192.168.20.1 255.255.255.0
    R1(config-if)#no shutdown
    %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
    R1(config-if)#exit
    R1(config)#banner motd # Next scheduled meeting with manager is postponed #
    R1(config)#banner login # Unauthorized access is prohibited! Enter your user name and password #
    R1(config)#ip host Lucknow 172.16.1.1
    R1(config)#no ip domain-lookup

    R1(config)#line console 0
    R1(config-line)#exec-timeout 0 0
    R1(config-line)#logging synchronous
    R1(config-line)#password console
    R1(config-line)#login
    R1(config-line)#exit
    R1(config)#line vty 0 4
    R1(config-line)#password telnet
    R1(config-line)#login
    R1(config-line)#exit
    R1(config)#enable password test
    R1(config)#enable secret vinita
    R1(config)#exit
    %SYS-5-CONFIG_I: Configured from console by console
    R1#copy running-config startup-config
    Destination filename [startup-config]?
    Building configuration...
    [OK]
    R1#

Advanced Switch Configuration: VLAN, VTP, STP and DTP

In this tutorial I will demonstrate how to:

- Configure access and trunk links
- Create VLANs
- Assign VLAN membership
- Configure inter-VLAN routing
- Configure a VTP server
- Make VTP clients
- Show STP status
- Configure DTP ports

To complete this lab, either create the topology shown in the figure or download the file below and load it in Packet Tracer.

Download the advanced switch configuration Packet Tracer file

PC configurations

    Device   IP Address   VLAN     Connected with
    PC0      10.0.0.2     VLAN10   Switch1 on F0/1
    PC1      20.0.0.2     VLAN20   Switch1 on F0/2
    PC2      10.0.0.3     VLAN10   Switch2 on F0/1
    PC3      20.0.0.3     VLAN20   Switch2 on F0/2
    PC4      10.0.0.4     VLAN10   Switch3 on F0/1
    PC5      20.0.0.4     VLAN20   Switch3 on F0/2

Switch 1 (2960-24TT) configuration

    Port     Connected to   VLAN         Link     Status
    F0/1     PC0            VLAN10       Access   OK
    F0/2     PC1            VLAN20       Access   OK
    Gig1/1   Router         VLAN 10,20   Trunk    OK
    Gig1/2   Switch2        VLAN 10,20   Trunk    OK
    F0/24    Switch2        VLAN 10,20   Trunk    OK

Switch 2 (2960-24TT) configuration

    Port     Connected to   VLAN         Link     Status
    F0/1     PC2            VLAN10       Access   OK
    F0/2     PC3            VLAN20       Access   OK
    Gig1/2   Switch1        VLAN 10,20   Trunk    OK
    Gig1/1   Switch3        VLAN 10,20   Trunk    OK
    F0/24    Switch1        VLAN 10,20   Trunk    Blocked (by STP)
    F0/23    Switch3        VLAN 10,20   Trunk    OK

Switch 3 (2960-24TT) configuration

    Port     Connected to   VLAN         Link     Status
    F0/1     PC4            VLAN10       Access   OK
    F0/2     PC5            VLAN20       Access   OK
    Gig1/1   Switch2        VLAN 10,20   Trunk    OK
    F0/24    Switch1        VLAN 10,20   Trunk    Blocked (by STP)

Task
You are the administrator at ComputerNetworkingNotes.com. The company has two departments, sales and management, with three PCs each. You create two VLANs: VLAN 10 for sales and VLAN 20 for management. For redundancy, the switches are interconnected with one extra link, and one router provides inter-VLAN routing.

Start by assigning IP addresses to all the PCs: double-click a PC, select IP Configuration on the Desktop tab and enter the address from the table above.

VLAN Trunking Protocol


Configure VTP Server
We will first create a VTP server so that it propagates VLAN information to the other switches automatically. Double-click Switch1 and select CLI. Set the hostname to S1, create the VTP domain example and set the password to vinita (remember that the password is case sensitive).

Switch 1

    Switch>enable
    Switch#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch(config)#hostname S1
    S1(config)#vtp mode server
    Device mode already VTP SERVER.
    S1(config)#vtp domain example
    Changing VTP domain name from NULL to example
    S1(config)#vtp password vinita
    Setting device VLAN database password to vinita

Configure VTP clients


Once the VTP domain exists, configure the remaining switches as clients.

Switch 2

    Switch>enable
    Switch#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch(config)#hostname S2
    S2(config)#vtp mode client
    Setting device to VTP CLIENT mode.
    S2(config)#vtp domain example
    Changing VTP domain name from NULL to example
    S2(config)#vtp password vinita
    Setting device VLAN database password to vinita
    S2(config)#

Switch 3

    Switch>enable
    Switch#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch(config)#hostname S3
    S3(config)#vtp mode client
    Setting device to VTP CLIENT mode.
    S3(config)#vtp domain example
    Changing VTP domain name from NULL to example
    S3(config)#vtp password vinita
    Setting device VLAN database password to vinita
    S3(config)#

A word of caution before you use VTP outside the lab: every switch in the domain accepts the VLAN database of any other switch that has the same domain name and password and a higher configuration revision number. Connecting a previously used switch can therefore overwrite the VLAN database on every switch in the domain and cut off every access port whose VLAN disappears. Reset a switch's revision number (change its domain name, or put it in transparent mode and back) before adding it to a production domain, or run all switches in transparent mode and create the VLANs by hand.

Dynamic Trunking Protocol


Configure DTP port
By default a 2960 port is in dynamic auto mode: it behaves as an access port, which cannot carry tagged frames for more than one VLAN, unless the neighbor negotiates a trunk through DTP. Change the mode to trunk on every port that interconnects the switches.

Switch 1

    S1(config)#interface fastEthernet 0/24
    S1(config-if)#switchport mode trunk
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to down
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/24, changed state to up
    S1(config-if)#exit
    S1(config)#interface gigabitEthernet 1/1
    S1(config-if)#switchport mode trunk
    S1(config-if)#exit
    S1(config)#interface gigabitEthernet 1/2
    S1(config-if)#switchport mode trunk
    %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/2, changed state to down
    %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/2, changed state to up
    S1(config-if)#exit
    S1(config)#

Because DTP will just as happily negotiate a trunk with anything that speaks it, the ports facing PCs should be fixed as access ports (switchport mode access) with negotiation turned off (switchport nonegotiate), so that a connected host cannot turn its port into a trunk and reach every VLAN.

Switch 2

    S2(config)#interface gigabitEthernet 1/1
    S2(config-if)#switchport mode trunk
    %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to down
    %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to up
    S2(config-if)#exit
    S2(config)#interface gigabitEthernet 1/2
    S2(config-if)#switchport mode trunk
    S2(config-if)#exit
    S2(config)#interface fastEthernet 0/23
    S2(config-if)#switchport mode trunk
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/23, changed state to down
    %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/23, changed state to up
    S2(config-if)#exit
    S2(config)#interface fastEthernet 0/24
    S2(config-if)#switchport mode trunk
    S2(config-if)#exit

Switch 3

    S3(config)#interface fastEthernet 0/24
    S3(config-if)#switchport mode trunk
    S3(config-if)#exit
    S3(config)#interface gigabitEthernet 1/1
    S3(config-if)#switchport mode trunk
    S3(config-if)#exit

Virtual LAN (VLAN)


Create VLAN
After configuring the VTP server it is time to create the VLANs. We only need to create them on the VTP server; VTP propagates them to the clients automatically.

Switch 1

    S1(config)#vlan 10
    S1(config-vlan)#exit
    S1(config)#vlan 20
    S1(config-vlan)#exit
    S1(config)#

Because S2 and S3 are VTP clients in the same domain, we do not create the VLANs there; we only need to assign ports to them. Check with show vlan brief on S2 or S3 that VLAN 10 and VLAN 20 have arrived before assigning ports.

Assign VLAN membership


Switch 1

    S1(config)#interface fastEthernet 0/1
    S1(config-if)#switchport access vlan 10
    S1(config-if)#interface fastEthernet 0/2
    S1(config-if)#switchport access vlan 20

Switch 2

    S2(config)#interface fastEthernet 0/1
    S2(config-if)#switchport access vlan 10
    S2(config-if)#interface fastEthernet 0/2
    S2(config-if)#switchport access vlan 20

Switch 3

    S3(config)#interface fastEthernet 0/1
    S3(config-if)#switchport access vlan 10
    S3(config-if)#interface fastEthernet 0/2
    S3(config-if)#switchport access vlan 20

The command reference sheet later in this article also shows switchport mode access; adding it on these ports fixes them as access ports so that DTP can never negotiate them into trunks.

Now we have two working VLANs. To test connectivity, ping from 10.0.0.2 to 10.0.0.3 and 10.0.0.4. If you get replies, the VLANs and the VTP server are working. A ping from 10.0.0.2 to any 20.0.0.x address should fail at this point, because nothing routes between the VLANs yet.

Spanning-Tree Protocol
In this topology STP places one end of each redundant link in the blocking state (in the tables above, F0/24 on S2 and F0/24 on S3) to avoid a layer 2 loop. Which end of a link blocks depends on the root bridge election, so verify the port states on each switch rather than assuming them.

Verify STP ports


Switch 2

    S2#show spanning-tree active
    VLAN0001
      Spanning tree enabled protocol ieee
      Root ID    Priority    32769
                 Address     0002.174D.7794
                 Cost        4
                 Port        26(GigabitEthernet1/2)
                 Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec

      Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
                 Address     00D0.FF08.82E1
                 Hello Time  2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time  20

    Interface        Role Sts Cost      Prio.Nbr Type
    ---------------- ---- --- --------- -------- --------------------------------
    Fa0/1            Desg FWD 19        128.1    P2p
    Fa0/2            Desg FWD 19        128.2    P2p
    Fa0/23           Desg FWD 19        128.23   P2p
    Fa0/24           Altn BLK 19        128.24   P2p
    Gi1/1            Desg FWD 4         128.25   P2p
    Gi1/2            Root FWD 4         128.26   P2p
    [Output is omitted]
    S2#

You can check the STP status on S1 and S3 as well with the show spanning-tree active command.

Router on a Stick
At this point you have two working VLANs, but they cannot reach each other. For inter-VLAN communication we need to configure the router. Double-click the router and select CLI.

Configure inter-VLAN routing


Router

    Router>enable
    Router#configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#interface fastEthernet 0/0
    Router(config-if)#no ip address
    Router(config-if)#no shutdown
    Router(config-if)#exit
    Router(config)#interface fastEthernet 0/0.10
    Router(config-subif)#encapsulation dot1Q 10
    Router(config-subif)#ip address 10.0.0.1 255.0.0.0
    Router(config-subif)#exit
    Router(config)#interface fastEthernet 0/0.20
    Router(config-subif)#encapsulation dot1Q 20
    Router(config-subif)#ip address 20.0.0.1 255.0.0.0
    Router(config-subif)#exit

The physical interface carries no address of its own; each subinterface is bound to one VLAN tag with encapsulation dot1Q and becomes that VLAN's default gateway (10.0.0.1 and 20.0.0.1, which the PCs must have configured as their gateway). To test connectivity between the VLANs, ping from any PC to all the remaining PCs; every ping should now succeed. If something fails, download the configured topology below and compare it with yours to find the mistake.

Configured VLAN VTP STP topology
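The router above never sees a VLAN; it sees a 4-byte 802.1Q tag between the source MAC address and the EtherType, and the VID inside that tag picks the subinterface whose encapsulation dot1Q number matches. The following Python script is an added example (not code from the article) that builds and parses such tagged frames and dispatches them the way the router-on-a-st ick configuration does. The MAC addresses and payloads are constructed, and the native-VLAN handling assumes the IOS default, under which untagged frames belong to VLAN 1, for which the article's router has no subinterface.

```python
"""Build and parse IEEE 802.1Q-tagged Ethernet frames and dispatch them the way
the router-on-a-stick above does: the VID in the tag selects the subinterface
whose 'encapsulation dot1Q <vid>' matches.

Added example, not code from the original article. MAC addresses and payloads
are constructed; native-VLAN behaviour assumes the IOS default (VLAN 1).
"""
import struct
from typing import Optional

TPID_8021Q = 0x8100      # EtherType value that announces a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800

# VLAN id -> subinterface, straight from the router configuration above.
SUBINTERFACES = {10: "FastEthernet0/0.10", 20: "FastEthernet0/0.20"}


def mac_to_bytes(mac: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff' or Cisco 'aabb.ccdd.eeff' notation."""
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))


def build_untagged_frame(dst: str, src: str, payload: bytes) -> bytes:
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ETHERTYPE_IPV4) + payload


def build_tagged_frame(dst: str, src: str, vid: int, payload: bytes, pcp: int = 0) -> bytes:
    """Insert the 4-byte tag (TPID + TCI) between the source MAC and the EtherType.

    TCI layout: PCP (3 bits, priority) | DEI (1 bit, drop eligible) | VID (12 bits).
    """
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
    return (mac_to_bytes(dst) + mac_to_bytes(src)
            + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload)


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vid (None if untagged), ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vid": vid,
            "ethertype": ethertype, "payload": frame[offset:]}


def dispatch(frame: bytes, native_vlan: int = 1) -> Optional[str]:
    """Name the subinterface that receives this frame, or None if it is dropped.

    A tagged frame goes to the subinterface with the matching dot1Q VID. An
    untagged frame belongs to the trunk's native VLAN; the article's router has
    no subinterface for VLAN 1, so those are dropped.
    """
    vid = parse_frame(frame)["vid"]
    if vid is None:
        vid = native_vlan
    return SUBINTERFACES.get(vid)


if __name__ == "__main__":
    # Constructed: a PC in VLAN 10 sending an IPv4 packet to the router's MAC.
    f = build_tagged_frame("0001.c9a1.0001", "0060.7011.2233", 10, b"\x45" + b"\x00" * 19)
    print(parse_frame(f)["vid"], "->", dispatch(f))
```

Feeding the parser a frame tagged with a VID that has no subinterface (30, say) returns None, which is exactly what the router does with a VLAN it has not been told about: the VLAN exists on the switches, but nothing routes it.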

VLAN VTP Server STP DTP command reference sheet


    Switch(config)#vlan 10                           Creates VLAN 10 and enters VLAN configuration mode for further definitions
    Switch(config-vlan)#name Sales                   Assigns a name to the VLAN (1 to 32 characters)
    Switch(config-vlan)#exit                         Applies the changes, increases the revision number by 1 and returns to global configuration mode
    Switch(config)#interface fastethernet 0/1        Moves to interface configuration mode
    Switch(config-if)#switchport mode access         Sets the port to access mode
    Switch(config-if)#switchport access vlan 10      Assigns this port to VLAN 10
    Switch#show vlan                                 Displays VLAN information
    Switch#show vlan brief                           Displays VLAN information in brief
    Switch#show vlan id 10                           Displays information about VLAN 10 only
    Switch#show vlan name sales                      Displays information about the VLAN named sales only
    Switch#show interfaces vlan x                    Displays interface characteristics for the specified VLAN
    Switch#delete flash:vlan.dat                     Removes the entire VLAN database from flash (see the note below)
    Switch(config)#interface fastethernet 0/5        Moves to interface configuration mode
    Switch(config-if)#no switchport access vlan 5    Removes the port from VLAN 5 and returns it to VLAN 1, the default VLAN
    Switch(config-if)#exit                           Moves to global configuration mode
    Switch(config)#no vlan 5                         Removes VLAN 5 from the VLAN database
    Switch#copy running-config startup-config        Saves the configuration in NVRAM
    Switch(config-if)#switchport mode trunk          Puts the interface into permanent trunking mode and negotiates with the neighbor to convert the link into a trunk
    Switch(config)#vtp mode server                   Changes the switch to VTP server mode
    Switch(config)#vtp mode client                   Changes the switch to VTP client mode
    Switch(config)#vtp mode transparent              Changes the switch to VTP transparent mode
    Switch(config)#no vtp mode                       Returns the switch to the default VTP server mode
    Switch(config)#vtp domain domain-name            Configures the VTP domain name (1 to 32 characters)
    Switch(config)#vtp password password             Configures a VTP password
    Switch(config)#vtp pruning                       Enables VTP pruning
    Switch#show vtp status                           Displays general information about the VTP configuration
    Switch#show vtp counters                         Displays the VTP counters for the switch

Deleting vlan.dat: make sure there is no space between the colon (:) and vlan.dat. With the wrong syntax you can erase the entire contents of flash, so read the switch's output carefully; if you need to cancel, press Ctrl+C to escape back to privileged mode.

    Switch#delete flash:vlan.dat
    Delete filename [vlan.dat]?
    Delete flash:vlan.dat? [confirm]
    Switch#

Basic Functions of Switching

Bridges and switches are layer 2 devices that segment (break up) collision domains. A collision domain is the set of all devices that share a medium at layer 1 and therefore compete to transmit on it.

Difference between bridge and switch


    Function              Bridges              Switches
    Form of switching     Software             Hardware
    Method of switching   Store and forward    Store and forward, cut-through, fragment-free
    Ports                 2-20                 100 plus
    Duplex                Half                 Half and full
    Collision domains     1 per port           1 per port
    Broadcast domains     1                    1 per VLAN
    STP instances         1                    1 per VLAN

Methods of Switching
Store and Forward
Store and Forward is the basic mode that bridges and switches use. It is the only mode that bridges can use, but many switches can use one or more of the other modes as well, depending on the model. In Store-and-Forward switching, the entire frame is buffered (copied into memory) and the Cyclic Redundancy Check (CRC), also known as the FCS or Frame Check Sequence is run to ensure that the frame is valid and not corrupted.

Cut Through
Cut-through is the fastest switching mode. The switch examines only the first six bytes after the preamble, the destination MAC address, which is the minimum it needs to make a forwarding decision. Once the decision is made, the switch can start sending the frame out the appropriate port(s) while the rest of the frame is still arriving on the inbound port. The chief advantage of cut-through switching is speed: no time is spent running the CRC and the frame is forwarded as fast as possible. The cost is that corrupt frames and collision fragments are forwarded too, because the switch never sees the FCS before it commits.

Fragment-free

Fragment-free switching forwards a frame once the switch has seen its first 64 bytes, the minimum legal Ethernet frame size, so collision fragments (runts) are never forwarded; for this reason it is sometimes called "runtless" switching. It was the default switching method on the 1900 series; the 2950 does not support cut-through at all. Because only 64 bytes of each frame are buffered, fragment-free is faster than store-and-forward, but there is still a risk of forwarding frames with bad CRCs, so switches that offer it often fall back to store-and-forward automatically when they see too many CRC errors.

Functions of Bridging and Switching


Learning
Address learning is the ability of a switch to dynamically learn the source MAC addresses of the devices connected to its ports. The addresses are stored in RAM in a table that lists each address and the port on which a frame from that address was last received. This lets the switch forward a frame selectively out the appropriate port(s), based on the frame's destination MAC address. Whenever a device sends a frame through the switch, the switch records the frame's source MAC address in the table and associates it with the port the frame arrived on. Bridges and switches keep this table of learned source MAC addresses and their ports in a CAM (content addressable memory) table.

Forwarding
When a frame arrives, the switch looks up its destination MAC address in the CAM table and forwards the frame only out the port associated with that address (if that is the port the frame arrived on, the frame is simply dropped). In some situations the switch cannot make a forwarding decision and floods the frame out every port except the one it arrived on. Three frame types are always flooded:

- Broadcast: destination MAC address FFFF.FFFF.FFFF
- Multicast: destination MAC addresses between 0100.5E00.0000 and 0100.5E7F.FFFF
- Unknown unicast: the destination MAC address is not in the CAM table

Removing layer-2 loops


Spanning Tree Protocol (STP - 802.1d) The main function of the Spanning Tree Protocol (STP) is to remove layer-2 loops from your topology

Static MAC Addresses


In addition to having the switches learn MAC addresses dynamically, you can manually create static entries. You might want to do this for security reasons. Statically configuring MAC addresses on the switch is not very common today. If configured, static entries are typically used for network devices, such as servers and routers.

Port Security Feature


Port security is a switch feature that locks a port down to the MAC address or addresses allowed on it, preventing an unauthorized device from joining the LAN. A violation occurs when more addresses appear on the port than the configured maximum, or when an address secured on one port shows up on another. Three violation modes are available:

- protect: once the maximum number of secure addresses is reached, frames from any other source address are silently dropped.
- restrict: frames from additional addresses are dropped as well, but the switch also counts the violation and generates a security violation alert (syslog and SNMP trap).
- shutdown: the switch generates an alert and puts the interface into the err-disabled state. To re-enable it, issue shutdown followed by no shutdown on the interface (or configure errdisable recovery). This is the default violation mode if you do not specify one.

Because protect mode leaves no trace, restrict or shutdown is preferable wherever the switch's logs are collected.
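The learning, forwarding and flooding rules described above and the three port-security violation modes interact in a fixed order: the frame is admitted (or not) by port security first, then its source address is learned, then the destination decides between forwarding and flooding. The following Python model is an added example (not code from the article) that puts those rules into one small switch so you can step through the cases. The port names, MAC addresses and the syslog-style messages are constructed.

```python
"""Model of a switch's learning, forwarding and flooding behaviour with port
security in front of it. Added example, not code from the original article;
port names, MAC addresses and the log messages are constructed."""
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"


def is_group_address(mac: str) -> bool:
    """True for broadcast and multicast: the I/G bit (LSB of the first octet) is set.
    Covers FFFF.FFFF.FFFF and the IP multicast range 0100.5E00.0000-0100.5E7F.FFFF."""
    return int(mac[:2], 16) & 0x01 == 1


@dataclass
class PortSecurity:
    maximum: int = 1                 # switchport port-security maximum
    violation: str = "shutdown"      # protect | restrict | shutdown (IOS default)
    secure: set = field(default_factory=set)
    violations: int = 0
    err_disabled: bool = False


@dataclass
class Switch:
    ports: list
    cam: dict = field(default_factory=dict)        # MAC -> port the address was last seen on
    security: dict = field(default_factory=dict)   # port -> PortSecurity
    log: list = field(default_factory=list)

    def _admit(self, port: str, src: str) -> bool:
        """Port-security check. True if the frame may be learned and forwarded."""
        ps = self.security.get(port)
        if ps is None:
            return True
        if ps.err_disabled:
            return False
        if src in ps.secure:
            return True
        seen_elsewhere = any(src in other.secure for p, other in self.security.items() if p != port)
        if len(ps.secure) < ps.maximum and not seen_elsewhere:
            ps.secure.add(src)        # learn dynamically up to the maximum
            return True
        ps.violations += 1
        if ps.violation == "protect":
            return False              # silently dropped, nothing recorded
        if ps.violation == "restrict":
            self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: {src} on {port}")
            return False
        ps.err_disabled = True        # shutdown: the port goes err-disabled
        self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation on {port}")
        return False

    def receive(self, port: str, src: str, dst: str) -> list:
        """Process one frame and return the egress ports it is sent out of."""
        if not self._admit(port, src):
            return []
        self.cam[src] = port                              # learning
        if is_group_address(dst) or dst not in self.cam:
            return [p for p in self.ports if p != port]   # flooding
        out = self.cam[dst]
        return [] if out == port else [out]               # forwarding (or filtering)


def demo() -> dict:
    """Walk through the cases from the text on a 4-port switch."""
    sw = Switch(ports=["Fa0/1", "Fa0/2", "Fa0/3", "Gi1/1"])
    sw.security["Fa0/1"] = PortSecurity(maximum=1, violation="shutdown")
    sw.security["Fa0/2"] = PortSecurity(maximum=1, violation="restrict")
    r = {}
    r["unknown_unicast"] = sw.receive("Fa0/1", "0001.aaaa.aaaa", "0002.bbbb.bbbb")  # flooded
    r["known_unicast"] = sw.receive("Fa0/2", "0002.bbbb.bbbb", "0001.aaaa.aaaa")    # forwarded to Fa0/1 only
    r["broadcast"] = sw.receive("Fa0/3", "0003.cccc.cccc", BROADCAST)                # always flooded
    r["restrict"] = sw.receive("Fa0/2", "0009.9999.9999", BROADCAST)                 # dropped and logged
    r["shutdown"] = sw.receive("Fa0/1", "00de.adbe.ef00", BROADCAST)                 # err-disables Fa0/1
    r["after_shutdown"] = sw.receive("Fa0/1", "0001.aaaa.aaaa", BROADCAST)           # legitimate host cut off too
    r["fa0_1_err_disabled"] = sw.security["Fa0/1"].err_disabled
    r["log"] = list(sw.log)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last two steps of demo() are the trade-off the text alludes to: shutdown mode stops the rogue device, but it also takes the legitimate host on that port offline until someone clears the err-disabled state, which is why restrict is often chosen for ports where availability matters more than strictness.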

EtherChannels
An EtherChannel is a layer 2 solution that lets you aggregate multiple layer 2 Ethernet connections between directly connected devices. It bundles multiple Ethernet ports between the devices into what appears to be a single logical interface. EtherChannels provide these advantages:

- Redundancy: if one connection in the channel fails, the other connections carry the traffic.
- More bandwidth: every connection can be used simultaneously to send frames.
- Simplified management: configuration is done on the logical interface, not on each individual connection in the channel.

EtherChannel Restrictions
Interfaces in an EtherChannel must be configured identically: speed, duplex and VLAN settings (the same VLAN if they are access ports, or the same trunk properties) must match. You can bundle up to eight interfaces:

- Up to eight Fast Ethernet connections, providing up to 800 Mbps
- Up to eight Gigabit Ethernet connections, providing up to 8 Gbps
- Up to eight 10-Gigabit Ethernet connections, providing up to 80 Gbps

You can have a total of six EtherChannels on a switch.

EtherChannel Operations
Channels can be formed dynamically between devices using one of two protocols: Port Aggregation Protocol (PAgP) or Link Aggregation Control Protocol (LACP). Remember that the ports participating in a channel must be configured identically. Once a channel is formed, the connected devices load balance across all the ports in the channel. Load balancing works by reducing part of the addressing in the frame or packet to a small number and mapping that number to one of the ports in the channel. The hash can use MAC or IP addresses, source or destination, or source and destination pairs. This guarantees that every link in the channel is used; it does not guarantee that they are used equally. For example, if you balance on source addresses, different source MAC addresses are spread over different ports, but all traffic from a single source MAC address always uses the same port, so one device generating a lot of traffic can load its link more heavily than the others. In that situation, balance on destination addresses or on source and destination pairs instead.

Spanning Tree Protocol (STP)

In the last article we learned about the basic functions of switching and mentioned that one of them is layer 2 loop removal. The Spanning Tree Protocol (STP) carries out this function. STP is a critical feature; without it many switched networks would stop functioning altogether. The problem arises, accidentally or intentionally, when building a redundant network creates a looped switched path: two or more switches interconnected by two or more physical links. Switching loops create three major problems:

- Broadcast storms: switches must flood broadcasts, so a looped topology creates multiple copies of a single broadcast and cycles them through the loop forever.
- MAC table instability: the loop makes a single MAC address appear reachable on multiple ports of a switch, and the switch is constantly rewriting its MAC table.
- Duplicate frames: because there are multiple paths to a single MAC address, a frame can be duplicated when it is flooded out all paths to that destination.

All of these problems are serious and will bring a network to an effective standstill unless prevented.

Removing layer-2 loops


Spanning Tree Protocol (STP, IEEE 802.1D)
The main function of the Spanning Tree Protocol (STP) is to remove layer 2 loops from your topology. For STP to work, the switches need to share information, and what they share are bridge protocol data units (BPDUs), covered below.

Root Port
After the root switch is elected, every other switch in the network chooses a single port that it will use to reach the root. This port is called the root port. The root port is the port on the shortest (lowest-cost) path to the root bridge; on a switch directly connected to the root it is the port on that link. If more than one port leads toward the root, their path costs (derived from link bandwidth) are compared and the lowest-cost port becomes the root port. If several ports tie on cost, the port that receives BPDUs from the neighbor with the lowest bridge ID wins; if those ports all connect to the same neighbor, the port receiving BPDUs from the neighbor's lowest port ID wins.

Root Bridge
The switch with the lowest bridge ID is chosen as the root. The bridge ID has two components:

- The switch's priority, which defaults to 32,768 on Cisco switches (two bytes). With per-VLAN STP the VLAN number is added to it as the extended system ID, which is why the output earlier in this article shows 32769 for VLAN 1.
- The switch's MAC address (six bytes), which breaks ties between equal priorities.

Because the lowest ID wins, any switch connected with a lower priority, by mistake or deliberately, takes over as root and reshapes every forwarding path in the network. Set a deliberately low priority on the switch you intend to be root (and on a backup), and, where the platform supports it, apply root guard (spanning-tree guard root) on ports that must never lead toward the root.

All other decisions in the network such as which port is to be blocked and which port is to be put in forwarding modeare made from the perspective of this root bridge

BPDUs
BPDUs are sent as multicasts (to 0180.C200.0000) that only other layer 2 devices listen to, every two seconds by default. A BPDU carries the sender's bridge ID, made up of the priority value and the MAC address, and it is the information the election process runs on.

Path Costs
Path costs are calculated from the root switch: a path cost is the accumulated port cost from the root to a given switch. When the root advertises BPDUs out its interfaces, the path cost in the BPDU is 0. When a connected switch receives this BPDU, it adds the cost of the port the BPDU arrived on. If that port is Fast Ethernet, the path cost becomes 0 (the root's path cost) + 19 (the switch's port cost) = 19. When this switch advertises BPDUs to the switches behind it, it includes the updated path cost, so the accumulated path cost grows the further a BPDU travels from the root.

    Connection type   New cost value   Old cost value
    10 Gb             2                1
    1 Gb              4                1
    100 Mb            19               10
    10 Mb             100              100

Remember that path costs are incremented as a BPDU comes into a port, not when a BPDU is advertised out of a port. Designated Port A designated port is one that has been determined as having the best (lowest) cost. A designated port will be marked as a forwarding port. Each (LAN) segment also has a single port that is uses to reach the root. This port is called adesignated port Forwarding port A forwarding port forwards frames. Blocked port A blocked port is the port that, in order to prevent loops, will not forward frames. However, a blocked port will always listen to frames

Nondesignated Port
A nondesignated port is one with a higher cost than the designated port. Nondesignated ports are put in blocking mode; they are not forwarding ports.

Port States
Blocking
Ports will go into a blocking state under one of three conditions:
- Election of a root switch (for instance, when you turn on all the switches in a network)
- When a switch receives a BPDU on a port that indicates a better path to the root switch than the port the switch is currently using to reach the root
- If a port is not a root port or a designated port

A port in a blocked state will remain there for 20 seconds by default. During this state the port is only listening to and processing BPDUs on its interfaces; any other frames that the switch receives on a blocked port are dropped.

Listening
In the listening state the port is still listening for BPDUs and double-checking the layer-2 topology. Again, the only traffic processed in this state consists of BPDUs; all other traffic is dropped. The default for this state is 15 seconds.

Learning
The port is still listening for and processing BPDUs; however, unlike in the listening state, the port begins to process user frames. When processing user frames, the switch examines the source addresses in the frames and updates its CAM table, but it is still not forwarding these frames out destination ports. The default for this state is 15 seconds.

Forwarding
In the forwarding state the port processes BPDUs, updates its CAM table with frames that it receives, and forwards user traffic through the port.

Disabled
A port in a disabled state is not participating in STP.

Convergence
STP convergence has occurred when all root and designated ports are in a forwarding state and all other ports are in a blocking state.

Per-VLAN STP
STP by itself does not guarantee an optimized loop-free network. Per-VLAN Spanning Tree (PVST) supports one instance of STP per VLAN.

Rapid Spanning Tree Protocol

The 802.1d standard was designed back when waiting 30 to 50 seconds for layer-2 convergence wasn't a problem. However, in today's networks this can cause serious performance problems for networks that use real-time applications, such as voice over IP (VoIP) or video. The Rapid Spanning Tree Protocol (RSTP) is an IEEE standard, defined in 802.1w, which is interoperable with 802.1d and an extension to it. With RSTP, there are only three port states:
- Discarding (basically a grouping of 802.1d's blocking, listening, and disabled states)
- Learning
- Forwarding

Additional Port Roles


With RSTP, there is still a root switch and there are still root and designated ports, performing the same roles as those in 802.1d. However, RSTP adds two additional port types: alternate ports and backup ports. These two ports are similar to the ports in a blocking state in 802.1d. An alternate port is a port that has an alternative path or paths to the root but is currently in a discarding state. A backup port is a port on a segment that could be used to reach the root switch, but an active port is already designated for the segment. The best way to look at this is that an alternate port is a secondary, unused root port, and a backup port is a secondary, unused designated port.

RSTP BPDUs

With 802.1w, if a BPDU is not received in three expected hello periods (6 seconds), STP information can be aged out instantly; the switch considers that its neighbor is lost and takes action. This is different from 802.1d, where the switch had to miss the BPDUs from the root. Here, if the switch misses three consecutive hellos from a neighbor, action is taken immediately.

A virtual LAN (VLAN) is a logical grouping of network devices in the same broadcast domain that can span multiple physical segments.

Advantages of VLANs:
- Increase the number of broadcast domains while reducing their size.
- Provide additional security.
- Increase the flexibility of network equipment.
- Allow a logical grouping of users by function, not location.
- Make user adds, moves, and changes easier.

Subnets and VLANs


Logically speaking, VLANs are also subnets. A subnet, or a network, is a contained broadcast domain. A broadcast that occurs in one subnet will not be forwarded, by default, to another subnet. Routers, or layer-3 devices, provide this boundary function. Switches provide the same boundary at layer 2 by means of VLANs.

Scalability
VLANs provide location independence. This flexibility makes adds, changes, and moves of networking devices a simple process. It also allows you to group people together, which makes implementing your security policies straightforward. As a sizing guideline, IP supports about 500 devices per VLAN.

VLAN Membership
A device's membership in a VLAN can be determined by one of two methods: static or dynamic.
- Static: you assign the membership manually.
- Dynamic: you configure a VTP server and it does the rest automatically.

VLAN Connections

There are two types of connections: access links and trunks.

Access-Link Connections
An access-link connection is a connection between a switch and a device with a normal Ethernet NIC, where the Ethernet frames are transmitted unaltered.

Trunk Connections
Trunk connections are capable of carrying traffic for multiple VLANs. Cisco supports two Ethernet trunking methods:
- Cisco's proprietary Inter Switch Link (ISL) protocol for Ethernet
- IEEE's 802.1Q, commonly referred to as dot1q, for Ethernet

ISL is a Cisco-proprietary trunking method that adds a 26-byte header and a 4-byte trailer to the original Ethernet frame. Cisco's 1900 switch supports only ISL. 802.1Q is a standardized trunking method that inserts a four-byte field into the original Ethernet frame and recomputes the FCS. The 2950 supports only 802.1Q. 802.1Q trunks support two types of frames: tagged and untagged. An untagged frame does not carry any VLAN identification information in it; basically, this is a standard, unaltered Ethernet frame. A tagged frame contains VLAN information, and only other 802.1Q-aware devices on the trunk will be able to process this frame.

Trunk Tagging
For VLANs to span multiple switches, you obviously need to connect the switches to each other. Although it is possible to simply plug one switch into another using an access port, just as you would plug in a host or a hub, doing so kills the VLAN-spanning feature and a bunch of other useful things too. A switch-to-switch link must be set up as a trunk link for the VLAN system to work properly. A trunk link is a special connection; the key difference between an ordinary connection (an access port) and a trunk port is that an access port is in only one VLAN at a time, while a trunk port carries traffic for all VLANs from one switch to another. Any time you connect a switch to another switch, you want to make it a trunk.

Trunking methods create the illusion that, instead of a single physical connection between the two trunking devices, a separate logical connection exists for each VLAN between them. When trunking, the switch adds the source port's VLAN identifier to the frame so that the device at the other end of the trunk (typically a switch) knows which VLAN originated the frame; the destination switch can then make forwarding decisions based not just on the destination MAC address but also on the source VLAN identifier. Since information is added to the original Ethernet frame, normal NICs will not understand it and will typically drop the frame. Therefore, when you set up a trunk connection on a switch interface, you need to ensure that the device at the other end supports the same trunking protocol and has it configured. If the device at the other end doesn't understand these modified frames or is not set up for trunking, it will in most situations drop them. This modification of frames is commonly called tagging. By default, all VLANs are permitted across a trunk link. Switch-to-switch trunk links always require a crossover cable, never a straight-through cable.

Key facts about trunks and DTP:
- A trunk can be created only on a Fast Ethernet or Gigabit Ethernet connection; 10 Mb Ethernet ports are not fast enough to carry the increased traffic from multiple VLANs, so the trunking commands are not available on a regular Ethernet port.
- By default, traffic from all VLANs is allowed on a trunk. You can specify which VLANs are permitted (or not) to cross a particular trunk if you have that requirement, but these functions are not covered in the CCNA exam.
- Switches (whether trunked or not) are always connected with crossover cables, not straight-through cables.

Dynamic Trunk Protocol (DTP)
DTP supports five trunking modes:

On (Trunk): the interface always assumes the connection is a trunk, even if the remote end does not support trunking.

Desirable: the interface generates DTP messages, but it assumes the other side is not trunk-capable and waits for a DTP message from the remote side. In this state the interface starts as an access-link connection. If the remote side sends a DTP message indicating that trunking is compatible between the two switches, a trunk is formed and the switch starts tagging frames on the interface. If the other side does not support trunking, the interface remains an access-link connection.

Auto-negotiate: the interface passively listens for DTP messages from the remote side and leaves the interface as an access-link connection. If the interface receives a DTP message that matches its trunking capabilities, it changes from an access-link connection to a trunk connection and starts tagging frames.

No-negotiate: the interface is set as a trunk connection and automatically tags frames with VLAN information; however, it does not generate DTP messages, because DTP is disabled. This mode is typically used when connecting trunks to non-Cisco devices that don't understand Cisco's proprietary trunking protocol and thus won't understand the contents of these messages.

Off: the interface is configured as an access link. No DTP messages are generated in this mode, nor are frames tagged.
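The four-byte 802.1Q tag described in the trunk-connection and trunk-tagging sections above is easy to see in bytes. The following is an added example, not code from the original article: it builds an untagged frame, inserts the tag the way a trunk port would, recomputes the FCS, and parses both forms. The MAC addresses, VLAN ID and payload are constructed sample values; padding to the minimum frame size is not modeled.

```python
# Added example (not from the article): build, parse and verify 802.1Q
# tagged Ethernet frames to show the four-byte tag a trunk inserts and why
# an unaware NIC cannot read the frame. MACs, VLAN IDs and payload are
# constructed sample values; minimum-frame padding is not modeled.
import struct
import zlib

TPID_8021Q = 0x8100  # EtherType value that marks a tagged frame

def fcs(body):
    """Ethernet FCS: CRC-32 over destination MAC through payload,
    transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def fcs_valid(frame):
    return fcs(frame[:-4]) == frame[-4:]

def build_frame(dst, src, ethertype, payload):
    """Untagged frame: dst MAC, src MAC, EtherType, payload, FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + fcs(body)

def tag_frame(frame, vlan_id, priority=0):
    """Insert the 802.1Q tag after the source MAC and recompute the FCS,
    as a trunk port does with a frame received from an access port."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    body = frame[:-4]                      # strip the old FCS
    tci = (priority << 13) | vlan_id       # 3-bit PCP, DEI=0, 12-bit VID
    tagged = body[:12] + struct.pack("!HH", TPID_8021Q, tci) + body[12:]
    return tagged + fcs(tagged)

def parse_frame(frame):
    """Return (vlan_id or None, ethertype, payload); raise on a bad FCS.
    A NIC that is not 802.1Q-aware reads 0x8100 as an unknown EtherType
    and drops the frame, which is why access links stay untagged."""
    if not fcs_valid(frame):
        raise ValueError("FCS mismatch")
    body = frame[:-4]
    ethertype = struct.unpack("!H", body[12:14])[0]
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", body[14:16])[0]
        ethertype = struct.unpack("!H", body[16:18])[0]
        return tci & 0x0FFF, ethertype, body[18:]
    return None, ethertype, body[14:]

# Constructed sample: IPv4 EtherType 0x0800 with a short dummy payload.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
UNTAGGED = build_frame(DST, SRC, 0x0800, b"constructed payload")
TAGGED = tag_frame(UNTAGGED, vlan_id=10)

if __name__ == "__main__":
    print(parse_frame(UNTAGGED))   # (None, 2048, b'constructed payload')
    print(parse_frame(TAGGED))     # (10, 2048, b'constructed payload')
    print(len(TAGGED) - len(UNTAGGED), "bytes added by the tag")  # 4
```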

VLAN Trunk Protocol (VTP)


VTP is a layer-2 protocol that takes care of creating and naming VLANs on all switches in the system. We still have to set port membership to VLANs at each switch, which we can do either statically or using a VMPS. VTP works by establishing a single switch as being in charge of the VLAN information for a domain. A domain here is simply a group of switches that all have the same VTP domain name; this puts all the switches into a common administrative group. The VLAN Trunk Protocol (VTP) is a proprietary Cisco protocol used to share VLAN configuration information between Cisco switches over trunk connections.

When you set up VTP, you have three different modes: server, client, and transparent.

Server mode
This is the one switch that is in charge of the VLAN information for the VTP domain. You may add, delete, and change VLAN information on this switch, and doing so affects the entire VTP domain. This way we only have to enter our VLAN information once, and the server mode switch propagates it to all the other switches in the domain.

Client mode
Client mode switches get VLAN information from the server. You cannot add, delete, or change VLAN information on a client mode switch; in fact, the commands to do so are disabled.

Transparent mode
A transparent mode switch does its own thing: it will not accept any changes to VLAN information from the server, but it will forward those changes to other switches in the system. You can add, delete, and change VLANs, but those changes only affect the transparent mode switch and are not sent to other switches in the domain.

VTP Messages

An advertisement request is a VTP message that a client generates. When the server responds to a client's request, it generates a subset advertisement. A summary advertisement is also generated by a switch in VTP server mode; summary advertisements are sent every five minutes (300 seconds) by default, or whenever a configuration change takes place on the server switch.

VTP Pruning
VTP gives you a way to preserve bandwidth by configuring it to reduce the amount of broadcast, multicast, and unicast packets. This is called pruning. A switch with VTP pruning enabled sends broadcasts only over trunk links that actually need the information. VTP pruning is used on trunk connections to dynamically remove VLANs that are not active between the two switches. It requires all of the switches to be in server mode.

Switch Port Security

In this article I will show you how to:
- configure the IP address and subnet mask
- set the IP default gateway
- enable Telnet sessions to the switch
- enable EtherChannel
- enable port security

To perform this activity, download this lab topology and load it in Packet Tracer, or create your own topology as shown in the figure.

Configure IP address subnet mask and default gateway


The IP address and default gateway are what let you manage the switch remotely via Telnet or SSH. Without these essential settings you have to connect to the switch through the console cable each time, which is tedious because you must be physically next to the switch.

Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S1
S1(config)#interface vlan 1
S1(config-if)#ip address 10.0.0.10 255.0.0.0
S1(config-if)#no shutdown
%LINK-5-CHANGED: Interface Vlan1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
S1(config-if)#exit
S1(config)#ip default-gateway 10.0.0.1

Enable Telnet and password protect the line


You can secure a switch by using passwords to restrict various levels of access. Using passwords and assigning privilege levels are simple ways of providing both local and remote terminal access control in a network. Passwords can be established on individual lines, such as the console, and for the privileged EXEC (enable) mode. Passwords are case sensitive. By default there are five VTY ports on the switch, allowing five simultaneous Telnet sessions; other Cisco devices might have more than five logical VTY ports. The five VTY ports are numbered 0 through 4 and are referred to all at once as line vty 0 4.

S1(config)#line console 0
S1(config-line)#password vinita
S1(config-line)#login
S1(config-line)#exit
S1(config)#line vty 0 4
S1(config-line)#password vinita
S1(config-line)#login
S1(config-line)#exit
S1(config)#

Enable Switch port security


This feature set allows you (among several other options) to disable a port if more than one MAC address is detected on the port. It is commonly applied to ports that connect security-sensitive devices such as servers. You can use port security to restrict input to an interface by limiting and identifying the MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.

Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S2
S2(config)#interface fastEthernet 0/1
S2(config-if)#switchport mode access
S2(config-if)#switchport port-security
S2(config-if)#switchport port-security maximum 1
S2(config-if)#switchport port-security mac-address sticky
S2(config-if)#switchport port-security violation shutdown
S2(config-if)#exit
S2(config)#

You can verify port security:
1. Click the red X button on the right-hand portion of the PT window. This lets you delete a connection in the topology. Place the X over the connection between Server and S2 and click; the connection should disappear.
2. Select the lightning bolt button in the bottom left-hand corner of the PT window to bring up the connection types. Click the copper straight-through connection.
3. Click the TestPC device and select its FastEthernet port. Next, click S2 and select port Fa0/1.
4. From the command prompt of TestPC, type ping 10.0.0.4. The ping should fail.
5. On S3, enter show port-security interface fa0/1. Port security is enabled, the port status is secure-shutdown, and the security violation count is 1.
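The verification steps above end with a port in secure-shutdown and a violation count of 1. The following added example (not the switch's code or the article's) models the decision logic behind that result for the configuration shown: maximum 1, sticky learning, violation shutdown. The MAC addresses and the frame sequence are constructed sample data; the protect violation mode is not modeled.

```python
# Added example (not from the article): a small model of the port-security
# behaviour configured above (maximum 1, sticky learning, violation shutdown).
# It illustrates the feature's decision logic, it is not the switch's own
# code; MAC addresses and the frame sequence are constructed sample data.

class SecurePort:
    """One access port with port security enabled. violation may be
    'shutdown' (err-disable the port) or 'restrict' (count and drop);
    the 'protect' mode is not modeled."""

    def __init__(self, name, maximum=1, violation="shutdown"):
        self.name = name
        self.maximum = maximum
        self.violation = violation
        self.secure_macs = []          # sticky-learned addresses
        self.status = "secure-up"
        self.violation_count = 0

    def receive(self, src_mac):
        """Process one frame by source MAC. Returns True if forwarded."""
        if self.status == "secure-shutdown":
            return False               # err-disabled: nothing passes
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)   # sticky: learned and kept
            return True
        # Source MAC outside the allowed set: a violation in every mode.
        self.violation_count += 1
        if self.violation == "shutdown":
            self.status = "secure-shutdown"
        return False

    def show(self):
        """The fields checked with 'show port-security interface'."""
        return {"port": self.name, "status": self.status,
                "maximum": self.maximum, "secure_macs": list(self.secure_macs),
                "violation_count": self.violation_count}

def replay(port, frames):
    """Feed source MACs through the port; return the decision per frame."""
    return [port.receive(mac) for mac in frames]

# Constructed scenario from the lab: the server's MAC is learned first, then
# the cable is moved to TestPC, whose MAC triggers the violation.
SERVER_MAC = "00:0c:29:aa:bb:01"
TESTPC_MAC = "00:50:56:cc:dd:02"

if __name__ == "__main__":
    fa0_1 = SecurePort("Fa0/1")
    print(replay(fa0_1, [SERVER_MAC, SERVER_MAC, TESTPC_MAC, SERVER_MAC]))
    # [True, True, False, False]: once shut down, even the sticky MAC is dropped
    print(fa0_1.show())
```

The last decision in the sequence is the operational point of the shutdown mode: after a violation the legitimate server is cut off too until the port is re-enabled, which is why the lab's ping fails and the port must be checked with show port-security.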

Configure EtherChannel


EtherChannel allows you to combine switch ports to increase bandwidth. If you connect the switch ports without an EtherChannel configuration, the switch's built-in STP will shut down one of these ports to avoid a loop. You can download this example topology to practice EtherChannel.

To enable EtherChannel on DLS1:
a. Enter interface range mode for ports F0/11 and F0/12 with the command interface range f0/11 - 12.
b. Enter the command switchport mode trunk.
c. Enter the command channel-group 1 mode desirable.
Repeat steps a through c on DLS2.

DLS1>enable
DLS1#configure terminal
DLS1(config)#interface range fastEthernet 0/11 - 12
DLS1(config-if-range)#switchport mode trunk
DLS1(config-if-range)#channel-group 1 mode desirable
DLS1(config-if-range)#exit
DLS1(config)#exit
DLS1#
