Cisco switch IOS cheat sheet

Reset to factory defaults :

  • connect console (9600/8/None/1, no flow control)
  • take out power cable
  • press the mode button (at the front), hold it, and put the power cable back
  • switch will go into recovery mode
  • run :
    • flash_init
    • load_helper
  • rename the config file :
    • rename flash:config.text flash:config.old
  • run :
    • boot
  • When asked to enter the initial configuration (which happens when no config.text file is found), reply “no”
  • press return a couple of times
  • At the switch> prompt, go into enable mode (no password needed)
  • If you wanted to do a full reset :
    • Set a password, save the config with “wr mem” and reload (run “reload”)
  • If you wanted to reset the password, but keep the config :
    • copy the old config to running config :
      • copy flash:config.old running-config
    • now reset the password (you already have an enable prompt)
    • save the config (wr mem)
    • a file config.text should be created again (check with dir flash:)
    • reload

Initial switch config

Activate administrative vlan 1, set IP address, gateway, hostname, DNS and time, NTP, and then save config

enable
conf t
interface vlan1
no shut
ip address 1.1.1.2 255.255.255.0
exit
ip default-gateway 1.1.1.254
ip domain-name mydomain.com
ip domain-lookup
ip name-server 1.1.1.10
ip name-server 1.1.1.20
clock timezone GMT+1 1
ntp server 1.1.1.15
hostname switch1
service password-encryption
end
wr mem

If you don’t have an NTP server, you can set the clock with the "clock" command as well :

clock set 14:04 23 June 2008

Set timezone settings :

clock timezone GMT+1 1
clock summertime SummerTime recurring last Sun Mar 2:00 last Sun Oct 2:00

first command : “GMT+1” is just a string.  The trailing value indicates the offset

second command : “SummerTime” is just a string.  The summertime setting displayed here applies to Belgium, so you may have to figure out your own settings.

Set a banner

enable
conf t
banner motd # Unauthorized access is prohibited ! #

(The characters at the beginning and the end of the banner string should not be part of the banner string itself !  When looking at the config, you’ll see that they will be replaced by ^C)

Update : in this document, I’m referring to f0/x and G0/x interfaces, but these interface names can vary from switch type to switch type. Verify how the interfaces are called on your switch and use the corresponding interface names. The f in f0 refers to FastEthernet (100Mbit), the g in g0 refers to Gigabit.

Set terminal length and width

enable
conf t
line vty 0 15
length 24
width 80
end
wr mem

These are the default settings.  If you are tired of the — more — prompt when generating output, you can set length to 0.

Set passwords

Password protecting your switch -  Passwords can be set in 5 places :

Telnet

enable
conf t
line vty 0 15
password ThisIsABadPassword
exit
exit
wr mem

(as long as you have not set a password for telnet, you won’t be able to connect over telnet)

For Enterprise routers, you have more than 5 lines (0 4). Use the ? to find out how many lines are available (may be 1180) :

line vty 0 1180

Console

enable
conf t
line console 0
password ThisIsABadPassword
end
wr mem

Auxiliary

enable
conf t
line aux 0
password ThisIsABadPassword
end
wr mem

Enable secret

enable
conf t
enable secret ThisIsABadPassword
exit
wr mem

Make sure "service password-encryption" is set to avoid that passwords are shown in clear text in the config !

Add admin user account :

enable
conf t
username admin1 privilege 15 password BadPassword
end
wr mem

(you need to specify an account if you want to use ssh !)
Before you connect the switch to the network, make sure vtp and spanning tree are set up correctly. (see below)

Set logging parameters

enable
conf t
line con 0
  logging synchronous
line vty 0 15
  logging synchronous
exit
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
logging buffered 64000
end
wr mem

Enable ssh

Telnet will work on most switches, but it is a clear text protocol and is not secure.  Depending on the IOS version, you can use ssh as well.
This is how you can activate ssh :

enable
conf t
hostname switch01
ip domain-name mydomain.com
crypto key generate rsa general-keys modulus 1024
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
transport input ssh

The last command will deactivate telnet on all 5 vty lines, and only activate ssh. If you want to allow both ssh and telnet, use

transport input ssh telnet

If you also want to use ssh to connect from a switch to another switch, then do :

transport output ssh

Port speed and duplex mode

First set speed, then set duplex

Autonegotiate :

enable
conf t
int f0/1
speed auto
duplex auto

100Mbit full duplex :

enable
conf t
int f0/1
speed 100
duplex full

VLANs

Default (native) VLAN = vlan 1.  (The native vlan is not tagged !)

Create new VLAN 10 in VLAN database (older switches)

enable
vlan database
vlan 10 name Test-Vlan
apply
show
exit

(vlan is saved upon exit)

Note : the vlan database has its own configuration mode and commands.  This also means that a "write erase" and "reload" will not clear the VLAN database. It just may be easier to configure vlans using global commands instead of using the separate database.

Create new VLAN 10 using global commands

conf t
vlan 10
name Test-Vlan

Assign a port to Vlan 10 (after vlan has been distributed using VTP)

enable
conf t
int f0/1
switchport access vlan 10

Assign multiple ports to Vlan 10

enable
conf t
interface range f0/1 - 3
switchport access vlan 10
Show vlan assignments :

enable
show vlan

If you want to remove a vlan from a port, use the following commands :

enable
conf t
int f0/1
no switchport mode access
no switchport access vlan name-or-id

Set the switch IP address in a particular vlan : (example set 1.1.1.1 to switch interface in vlan10)

enable
conf t
int vlan10
ip address 1.1.1.1 255.255.255.0
exit
wr m

(the int vlan10 command will create a new interface)

Note : you can only set up VTP when

  • there is at least one trunk port
  • the trunk port is up  (you can connect it to a small switch or something… the port just needs to be up)

If not, the changes will not be saved

Interesting article on VLANs and Trunking : VLAN Configuration
You can get a list of all interfaces (interface name, description, vlan id and port status) using the following command :

enable
show interface status

Trunking

Trunk = interface/link that can carry traffic from multiple VLANs. Both sides of the trunk need to use the same protocol. Cisco supports 2 protocols :

802.1Q = IEEE standard (alters existing frames, adds VLAN tags) : +4bytes ("baby giant")

ISL = Cisco proprietary (encapsulates entire frame into new frame : ISL header – orig frame – checksum) : +30bytes ("giant")

DTP : Dynamic Trunking Protocol (dynamic Trunk negotiation)

More info on trunking : Read Cisco requirements to implement trunking

Trunking & portfast : do not set a trunk port in portfast mode ! (see later), and never allow a switchport to autonegotiate trunk !
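As an added illustration (my own code, not part of the original cheat sheet), the following Python builds and strips the 4-byte 802.1Q tag described above, shows why a tagged full-size frame becomes a 1518-byte "baby giant", and shows what happens to a frame when the native vlan differs on the two ends of a trunk (the broken-trunk case mentioned further down). MAC addresses and payloads are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100   # EtherType value that marks an 802.1Q tag
DEFAULT_NATIVE = 1    # Cisco default native VLAN: sent untagged on a trunk


def build_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame without FCS: dst(6) src(6) type(2) payload."""
    return (bytes.fromhex(dst_mac.replace(".", ""))
            + bytes.fromhex(src_mac.replace(".", ""))
            + struct.pack("!H", ethertype) + payload)


def send_on_trunk(frame: bytes, vlan_id: int, native_vlan: int = DEFAULT_NATIVE,
                  pcp: int = 0) -> bytes:
    """Frame as it leaves an 802.1Q trunk port.

    The native VLAN is sent untagged; every other VLAN gets a 4-byte tag
    (TPID 0x8100 + TCI) inserted between the source MAC and the EtherType,
    which is the "+4 bytes" / baby giant effect described in the text."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be between 1 and 4094")
    if vlan_id == native_vlan:
        return frame
    tci = (pcp & 0x7) << 13 | vlan_id   # PCP (3 bits) | DEI=0 (1 bit) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def receive_on_trunk(frame: bytes, native_vlan: int = DEFAULT_NATIVE) -> tuple[int, bytes]:
    """Frame as classified by the receiving trunk port: (vlan_id, untagged frame).

    An untagged frame is assigned to the receiver's native VLAN, so a native
    VLAN mismatch between the two ends silently moves traffic between VLANs."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return native_vlan, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


def cross_trunk(frame: bytes, vlan_id: int, sender_native: int, receiver_native: int) -> int:
    """VLAN in which the receiving switch places a frame that was sent in vlan_id."""
    vlan_seen, _ = receive_on_trunk(send_on_trunk(frame, vlan_id, sender_native),
                                    receiver_native)
    return vlan_seen


if __name__ == "__main__":
    # Constructed sample: maximum-size IPv4 frame (1500-byte payload -> 1514 bytes without FCS).
    frame = build_frame("0015.628a.a885", "001a.e2b7.ec40", 0x0800, bytes(1500))
    tagged = send_on_trunk(frame, 10)
    print(len(frame), "->", len(tagged), "bytes (baby giant)")       # 1514 -> 1518
    print(receive_on_trunk(tagged)[0])                                # 10
    # Both ends use native VLAN 1: VLAN 1 travels untagged and is classified correctly.
    print(cross_trunk(frame, 1, sender_native=1, receiver_native=1))     # 1
    # Native VLAN changed to 20 on one side only: the frame lands in VLAN 1 at the far end.
    print(cross_trunk(frame, 20, sender_native=20, receiver_native=1))   # 1, not 20
```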

Set port in trunk mode :

enable
conf t
int f0/1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate

(The last command turns off DTP, if used)

The statement "switchport trunk encapsulation dot1q" may not work on all switches.

Without specifying specific vlans, the trunk will only work with the native vlan, which is set to 1 by default. You can change the native vlan for trunks using

enable
conf t
int f0/1
switchport trunk native vlan 20
^Z

In this example, the native vlan for the trunk on FastEthernet0/1 is now set to vlan 20.  Keep in mind that your trunk will be broken now, unless you have specified the same trunk native vlan at the other side of the trunk.

Define which VLANs are allowed via the trunk on FastEthernet0/1:

enable
conf t
int f0/1
switchport trunk allowed vlan 10

(only allows vlan 10)

Allow all vlans except vlan 100 :

enable
conf t
int f0/1
switchport trunk allowed vlan except 100

Show interface trunk properties :

enable
show int trunk

Remove vlan  200 and 300 from the trunk port :

enable
conf t
int f0/1
switchport trunk allowed vlan remove 200
switchport trunk allowed vlan remove 300

Remove trunking from an interface and make sure the interface cannot be tricked into negotiating to become a trunk anyway :

enable
conf t
int f0/1
no switchport mode trunk
switchport mode access

(Reminder : if you are using portfast for non-trunk/uplink ports, you’ll have to manually re-enable portfast for that interface again)

Switchport modes

Access : Port will never be a trunk, not even when other side is set to dynamic or trunk. I recommend applying this to all non-trunk ports, for security.

Dynamic : Port may become a trunk :

– desirable : port will actively try to convert the link to a trunk.  Link will become a trunk when other side is set to trunk, auto, or desirable

– auto : port will become a trunk if other side is set to trunk or desirable. Port will not actively attempt to become a trunk though

Trunk : Port will be a trunk, regardless of settings at other side

VLAN Trunking Protocol (VTP)

Manages vlan numbers and names centrally. Configuration is then distributed to other devices.  Changes are made on vtp servers, and then propagated to vtp clients. Scope of a vlan ‘database’ is set to a VTP domain.   A switch can be configured to be a vtp server, a vtp client, or vtp transparent (only forwards info, does not update its own config)

You can have multiple vtp servers in the domain. Each change carries a revision number. If there are 2 changes (on different vtp servers) for the same configuration, the first one that arrives on the vtp client wins. The second change may have the same revision number, but no update will be applied when the update contains the same revision number.

Many switches are vtp server by default. Make sure to verify switch status before connecting it to the network !

Default VTP domain is null. Trunks negotiated using null domain will break if you assign another domain to one side only !  Some switches will not negotiate a trunk unless a VTP domain has been set for each switch !

Set VTP domain on a switch to VTPDomain1

enable
conf t
vtp domain VTPDomain1

Set switch mode (choose between client, server or transparent)

(If you want to add an additional server, first set up the switch as a client, and after it has received all vlans, change it to server)

A transparent vtp switch will only pass on VTP information, but will not store it.

enable
conf t
vtp mode client
vtp mode server
vtp mode transparent

Set a VTP password to ensure that only switches with the same password will accept VTP advertisements :

enable
conf t
vtp password ThisIsABadPassword

If you need to remove this password, use :

enable
conf t
no vtp password

If you want to see the vtp password :

enable
show vtp pass

Get vtp configuration

enable
sh vtp status

VTP Version                     : 2
Configuration Revision          : 10
Maximum VLANs supported locally : 128
Number of existing VLANs        : 11
VTP Operating Mode              : Client
VTP Domain Name                 : VTPDomain1
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Enabled
MD5 digest                      : 0x22 0x85 0x44 0x0A 0xDE 0x0C 0xF7 0xC6
Configuration last modified by 1.1.1.1 at 6-20-08 06:49:18
VTP pruning : when certain vlans are only used on certain switches, you may not want their broadcasts to be forwarded over all of your trunks, because this only increases network load. Pruning prevents traffic originating from a particular vlan from being sent to switches on which that vlan is not active.

By default, all vlans are eligible for pruning

Pruning must be enabled or disabled throughout the entire vtp domain.

Enable vtp pruning :

enable
conf t
vtp pruning

Check which vlans are eligible for pruning : Assuming that f0/15 is a trunk port

enable
show int f0/15 switchport

Switchport: Enabled
Administrative Mode: dynamic desirable
Operational Mode: down
Administrative Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Appliance trust: none

Look for "Pruning VLANs Enabled"

Define switch to only set vlan 10 eligible for pruning

enable
conf t
int f0/15
switchport trunk pruning vlan 10

(this will remove all other vlan pruning settings !)

You can add or remove vlans from the pruning list :

enable
conf t
int f0/15
switchport trunk pruning vlan add 10-20
switchport trunk pruning vlan remove 20

Note : even though an interface may show that it is connected (sh int fa0/2), if the VLAN that is assigned to that port is missing, the port won’t work. (sh int fa0/2 switchport)

Etherchannel

http://www.cisco.com/en/US/tech/tk389/tk213/technologies_tech_note09186a0080094714.shtml

Enables bonding of up to 8 links into one logical link.  Total logical link speed is equal to sum of all speeds of the physical links. Each conversation however cannot use more than the link speed of one physical link.

The protocol and mode used to set up a channel between two switches depend on the type/brand/make of switch.  Cisco supports LACP (Link Aggregation Control Protocol, IEEE 802.3ad), which can be used to connect to servers or non-Cisco devices.   The other protocol is PAgP (Port Aggregation Protocol), which is Cisco proprietary.  You can also set the protocol to "none" and mode to "on" to set up the channel without negotiation.

Modes :

PAgP : auto (will not initiate negotiations) or desirable (will initiate negotiations)

LACP : passive (will not initiate negotiations) or active (will initiate negotiations)

Creating an etherchannel, bind it to vlan 110,  and setting interface G0/1 and G0/2 to be part of the channel, using PAgP, mode desirable :

enable
conf t
interface Port-channel1
    description 2Gbit Etherchannel
    no ip address
    switchport
    switchport access vlan 110

interface GigabitEthernet0/1
    description Link1 in Port-Channel1
    no ip address
    switchport
    channel-group 1 mode desirable

interface GigabitEthernet0/2
    description Link2 in Port-Channel1
    no ip address
    switchport
    channel-group 1 mode desirable

(You’ll need to do this on both switches that are part of the Etherchannel, using exactly the same port settings (except for the description))

After configuring the etherchannel, a "shut" and "no shut" may be required to properly activate the etherchannel.  You can verify the etherchannel configuration using

enable
sh etherchannel    

Channel-group listing:
----------------------
Group: 1
----------
Group state = L2
Ports: 2
Maxports = 8
Port-channels: 1
Max Port-channels = 1
Protocol:    -

See the portchannel interface properties using

enable

show int Port-channel1

Port-channel1 is up, line protocol is up (connected)
  Hardware is EtherChannel, address is 0015.628a.a885 (bia 0015.628a.a885)
  MTU 1500 bytes, BW 2000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Full-duplex, 1000Mb/s, link type is auto, media type is unknown
  input flow-control is off, output flow-control is unsupported
  Members in this channel: Gi0/4 Gi0/5
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 4000 bits/sec, 2 packets/sec
  5 minute output rate 31000 bits/sec, 13 packets/sec
     2954263967 packets input, 2454361023 bytes, 0 no buffer
     Received 3584016 broadcasts (0 multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 2383 multicast, 0 pause input
     0 input packets with dribble condition detected
     1178085823 packets output, 3695013096 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

Note : if you use servers with multiple network interfaces that are configured to use Link Aggregation, and both interfaces are connected to your switch, don’t forget to create an etherchannel for the server.   Etherchannel is not only useful for uplinks between switches, but also for server network interface redundancy.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_6_ea2c/configuration/guide/swgports.html

Spanning Tree

STP is a link management protocol that provides path redundancy and prevents layer 2 loops in the network. Without STP, if you have a loop in the network, the network would suffer from broadcast storms. However, for redundancy and failover, sometimes you need to create a loop in the network.  The STP protocol will not only prevent broadcast storms from taking down the network, but it will also provide for "reswitching" of the traffic in case one of the loop links goes down.  If your environment does not support spanning tree, you can still use a loop, but you’ll need to set one of the loop links to "shut", and bring it up manually when the other loop link is down.

Spanning Tree is enabled by default.

Every switch on the network that supports STP sends out frames that are called BPDUs (Bridge Protocol Data Units) every 2 seconds.  Based on the contents of these frames, STP can perform the following functions :

– Elects a root bridge (switch) in the network. This is the bridge that all other bridges need to reach via the shortest path possible. When a switch boots, it thinks that it is the root bridge and sets the root ID to the local bridge ID. If it receives a BPDU that has a lower root ID, it adjusts the local root ID setting.   The bridge ID is based upon a switch MAC address and priority. The switch with the lowest bridge ID becomes the root.

The default bridge priority is set to 32768. If you want a particular switch to become the root bridge, you should lower its priority value (to e.g. 1. Note – some stp versions will require you to set either 0 or 4096 as minimum value !)

enable
conf t
int f0/1
spanning-tree priority 1

In IOS 12.1, you can use

enable
conf t
spanning-tree vlan 1 priority 4096

(the value 4096 is generally used as the root switch priority.  Lower priority is preferred over higher)

– Calculates the cost for each path from each bridge to the root bridge.  It is recommended to configure a switch to become the root bridge instead of letting the algorithm select the root bridge itself. This ensures that a switch you add later with a lower MAC address than the elected root bridge does not take over as root bridge and put an important trunk link in your network into a disabled (blocking) state.  The root bridge switch should be one of the central or core switches. After all, if your central servers are connected to this switch, then data flow in your network occurs from the perspective of this switch. There’s a short section on how to set the root bridge manually later in this post.  Just remember : always manually set one or two core switches in the network with a low root bridge priority (e.g. value 1 and 10), ensuring that you have controlled root bridge elections.

– Determines the root port on each bridge. This is the port that has the shortest path to the root bridge.

– Determines the designated port on each segment, which is the port on the segment that has the shortest path to the root.

– Elects a designated bridge on each segment.   The bridge on a given segment with the designated port becomes the designated bridge.

– Blocks nonforwarding ports.   Ports that have received BPDUs and are not designated or root ports will be placed into blocking state.  These ports are up, but are not allowed to forward traffic.

Spanning tree defines a tree that spans all switches in the extended network. STP forces certain redundant paths into a standby (blocked) state. If one of the segments in the STP becomes unreachable, or if costs change, the algorithm reconfigures the topology and reestablishes the link by activating the redundant standby path.

Cisco supports 3 types of STP : PVST+, PVRST+ and MSTP

You can find more information on STP on http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/sw_ntman/cwsimain/cwsi2/cwsiug2/vlan2/stpapp.htm

The cost of a link is calculated based on bandwidth :

Link speed   Cost
10 Gbps      2
1 Gbps       4
100 Mbps     19
10 Mbps      100
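As an added worked example (my own code, not from the cheat sheet), the following Python models the root bridge election and the root path cost calculation described above, using the cost table and the extended-system-ID form of the bridge priority (the "sys-id-ext" that appears in the show spanning-tree output further down, where priority must be a multiple of 4096). Switch names and the topology are constructed; the MAC addresses are the ones shown in the outputs on this page.

```python
import heapq

# Short path-cost method, per the table above: link speed (Mbit/s) -> STP cost
STP_COST = {10_000: 2, 1_000: 4, 100: 19, 10: 100}


def bridge_id(priority: int, mac: str, vlan: int = 1) -> tuple[int, int]:
    """Bridge ID as STP compares it: (priority + sys-id-ext, MAC); lower wins.

    With the extended system ID the VLAN number is added to the configured
    priority, which is why 'show spanning-tree' prints 32769 for VLAN 1
    (priority 32768 sys-id-ext 1); the configured value must be a multiple of 4096."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return priority + vlan, int(mac.replace(".", ""), 16)


def elect_root(switches: dict, vlan: int = 1) -> str:
    """switches: {name: (priority, mac)} -> name of the root bridge for this VLAN."""
    return min(switches, key=lambda name: bridge_id(*switches[name], vlan=vlan))


def root_path_costs(links: list, root: str) -> dict:
    """links: [(switch_a, switch_b, speed_mbit)] -> {switch: (root path cost, upstream neighbour)}.

    Dijkstra from the root: the port towards the upstream neighbour is the
    switch's root port; any other path to the root is a candidate for blocking."""
    graph = {}
    for a, b, speed in links:
        cost = STP_COST[speed]
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    best = {root: (0, None)}
    queue = [(0, root)]
    while queue:
        cost, node = heapq.heappop(queue)
        if cost > best[node][0]:
            continue                      # stale queue entry
        for neighbour, link_cost in graph[node]:
            new_cost = cost + link_cost
            if neighbour not in best or new_cost < best[neighbour][0]:
                best[neighbour] = (new_cost, node)
                heapq.heappush(queue, (new_cost, neighbour))
    return best


if __name__ == "__main__":
    # Constructed sample using the MACs from the 'show spanning-tree' outputs on this page.
    switches = {
        "core1":   (32768, "0002.fd2f.37c0"),
        "dist1":   (32768, "000b.5f6d.9940"),
        "access1": (32768, "001a.e2b7.ec40"),
    }
    print(elect_root(switches))        # core1: all priorities equal, lowest MAC wins
    switches["access1"] = (4096, "001a.e2b7.ec40")
    print(elect_root(switches))        # access1: a lower priority beats any MAC address
    switches["core1"] = (0, "0002.fd2f.37c0")
    print(elect_root(switches))        # core1 again, pinned as root on purpose

    links = [("core1", "dist1", 100), ("dist1", "dist2", 1_000),
             ("dist2", "access1", 1_000), ("dist1", "access1", 10)]
    print(root_path_costs(links, "core1")["access1"])   # (27, 'dist2'): 19 + 4 + 4
```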

Note : you can configure your Cisco switches to perform Per-VLAN spanning tree. This will allow STP for each VLAN when used with ISL trunks.  PVST+ allows the same functionality for 802.1q trunks.

You can enable PVST using the following command :

enable
conf t
spanning-tree mode pvst

Rapid Per VLAN Spanning Tree is an evolution of the STP standard. It performs better than STP, and it can revert back to STP for interoperability with legacy devices. Using STP, it can take up to 40 seconds before the topology converges after a link state change.  Using rapid STP, this process could be complete in 2 seconds.

Enable Rapid Spanning Tree :

enable
conf t
spanning-tree mode rapid-pvst

You can read more on Rapid Spanning Tree on Understanding Rapid Spanning Tree Protocol (802.1w)

Note : spanning-tree changes take effect immediately. This means that normal traffic may be interrupted when configuring STP.

You can see what type of Spanning Tree Protocol is used by running

enable
show spanning-tree

(Look for "Spanning tree enabled protocol…" – followed by the type of STP that is being used). If you are only interested in information about STP within a given vlan, you can use

enable
show spanning-tree vlan 10

If the "Spanning tree enabled protocol" states "rstp", then the switch is running PVRST+, which is the Cisco RSTP implementation.  If "ieee" is stated, the switch is running pvst

View STP configuration/parameters on a switch :

enable
show spanning-tree
VLAN0001
  Spanning tree enabled protocol ieee
  Root ID    Priority    32768
             Address     0002.fd2f.37c0
             Cost        27
             Port        25 (GigabitEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     001a.e2b7.ec40
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

The values under “Root ID” indicate the priority and the MAC address of the root bridge, and the cost and port used to get to the root bridge.  The priority value in this example (32768, the default) most likely indicates that the root bridge has been elected dynamically. This is not a good idea. It’s recommended to manually configure the root bridge, to avoid that another switch (e.g. with a lower mac address value) would suddenly become root bridge.

The text after “Bridge ID” refers to the STP settings on the local switch

You can manually override the priority value (and thus set the root bridge manually) by using the following commands (on the switch that needs to become root bridge) :

enable
conf t
spanning-tree priority 1

You can see a summary (including the status) using the following command :

enable

show spanning-tree summary

Switch is in pvst mode
Root bridge for: none
EtherChannel misconfig guard is enabled
Extended system ID           is enabled
Portfast Default             is disabled
PortFast BPDU Guard Default  is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default            is disabled
UplinkFast                   is disabled
BackboneFast                 is disabled
Pathcost method used         is short
Name                   Blocking Listening Learning Forwarding STP Active
---------------------- -------- --------- -------- ---------- ----------
VLAN0001                     0         0        0          9          9
VLAN0020                     0         0        0          1          1
VLAN0030                     0         0        0          1          1
VLAN0040                     0         0        0          1          1
VLAN0050                     0         0        0          1          1
VLAN0060                     0         0        0          1          1
VLAN0100                     0         0        0          1          1
---------------------- -------- --------- -------- ---------- ----------
7 vlans                      0         0        0         15         15
If all goes well, all of the VLANs are set to Forwarding. As you can see, STP is enabled for every VLAN by default.

You can get info about the root bridge for every VLAN using :

enable
show spanning-tree root

                                        Root Hello Max Fwd
Vlan                   Root ID          Cost  Time Age Dly  Root Port
---------------- -------------------- ------ ----- --- ---  ----------------
VLAN0001         32768 0002.fd2f.37c0     27    2   20  15  Gi0/1
VLAN0020         32788 000b.5f6d.9940      8    2   20  15  Gi0/1
VLAN0030         32798 000b.5f6d.9940      8    2   20  15  Gi0/1
VLAN0040         32808 000b.5f6d.9940      8    2   20  15  Gi0/1
VLAN0050         32818 000b.5f6d.9940      8    2   20  15  Gi0/1
VLAN0060         32828 000b.5f6d.9940      8    2   20  15  Gi0/1
VLAN0100         32868 000b.5f6d.9940      8    2   20  15  Gi0/1

More information about STP topology changes can be found at http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094797.shtml

If you want to disable STP, use the following command :

enable
conf t
no spanning-tree vlan 10
no spanning-tree vlan 20

(etc – you need to disable STP for every VLAN)

If you want to re-enable STP, use

enable
conf t
spanning-tree vlan 10
spanning-tree vlan 20

(again, you need to do this for every VLAN)

Note : in order to prevent duplex mismatches on your STP links, make sure to set both sides of an uplink to the same speed and duplex values.

Portfast

Portfast is a feature that allows a port to bypass all of the spanning tree states (Initializing, Blocking, Listening, Learning, Forwarding, Disabled).   This essentially speeds up the process for an interface to become usable in an STP environment.  With portfast turned off (which is the default behaviour), it might take up to 30 seconds before an interface becomes usable. If you use DHCP, these 30 seconds may be too long for a host to get an IP address, so in most cases it is advised to enable portfast on ports that are connected directly to hosts. However, since portfast bypasses all STP states, portfast can and should only be used for hosts, and not for uplinks to other switches. Otherwise, the entire STP model will fail.

If you want to enable portfast on a port, use the following command :

enable
conf t
int f0/1
spanning-tree portfast

If you want to disable portfast, use this command :

enable
conf t
int f0/1
no spanning-tree portfast

Note : as explained above, do NOT activate portfast on a trunk or uplink port ! On the other hand, apply this to all other interfaces !!

For regular switch ports (ports that only connect to nodes), you can also do :

enable
conf t
int fa0/1
   switchport host
   end
wr mem

This will

  • enable portfast
  • disable trunk, and disable dot1q
  • disable etherchannel

Jumbo frames

If you need jumbo frames, you need to change the MTU on an interface basis :

enable
conf t
int fa0/1
  mtu 9216
  end
wr mem

Possible values for mtu are between 1500 and 9216. Make sure the values on all endpoints and all components (switches, but also routers !) between the endpoints use the same value.

IP Phones / Power Over Ethernet

Enable power over ethernet for IP phones  (per interface !)

enable
conf t
int fa0/1
   power inline auto
   end
wr mem

On ports that will never host an ip phone, you can disable poe using the “power inline never” command.

Allow an IP phone and a PC to operate on the same switch port, but in different vlans (example : data = vlan 10, voice = vlan 50), and restrict to one computer and one phone per interface :

enable
conf t
int fa0/1
   switchport mode access
   switchport access vlan 10
   switchport voice vlan 50
   switchport port-security
   switchport port-security maximum 2
   switchport port-security maximum 1 vlan access
   switchport port-security maximum 1 vlan voice
   end
wr mem

Span ports

This has nothing to do with spanning tree. A span is an association of a destination port with one or more source ports.  You can use a span to monitor incoming or outgoing traffic, or both.   Span sessions do not interfere with normal operation of the switch.

In order to set up a span, you need to select one or more source ports (the ports that you want to monitor for traffic analysis e.g. using a sniffer).  It can be any port (including a trunk port), but it cannot be a port that is configured as a destination port.  Each source port needs to be configured with a direction (inbound or ingress, outbound or egress, or both).  Source ports can be in multiple and different VLANs.

A destination port (monitoring port) will receive a copy of all traffic from the source ports.    The destination port must be on the same switch, and cannot be one of the source ports. While the span session is active, the destination port is taken out of normal service : it will not forward any traffic except the traffic for the span session itself, and it does not participate in STP, VTP, CDP etc.

Set up a span session to monitor all incoming traffic on FastEthernet0/1, all outgoing traffic on FastEthernet0/2 and all traffic on FastEthernet0/3, and send the copy to FastEthernet0/4 :

enable
conf t
no monitor session 1
monitor session 1 source interface fastethernet0/1 rx
monitor session 1 source interface fastethernet0/2 tx
monitor session 1 source interface fastethernet0/3 both
monitor session 1 destination interface fastethernet0/4

Note : You can specify multiple source interfaces in one line, by entering the ports after each other, separated with a comma.

Get monitor configuration :

enable
show monitor

Additional security configurations

Limit number of mac addresses per port (to make sure nobody attaches another switch and multiple hosts to your network) :

en
conf t
  int fa0/1
  switchport mode access
  switchport port-security
  switchport port-security maximum 1 vlan access
  end
wr mem

=> do this for every non-trunk and/or non-uplink port

Enable DHCP snooping (basically prevent anyone from hooking up a rogue DHCP server on your network). It needs to be enabled for each vlan you want to protect (vlan 10 in this example) :

en
conf t
  ip dhcp snooping
  ip dhcp snooping vlan 10
  end
wr mem

Then, set all trunk ports to trusted :

en
conf t
  int fa0/24
    ip dhcp snooping trust
  end
wr mem

Finally, on the port that serves the DHCP server :

en
conf t
   int fa0/2
     ip dhcp snooping trust
   end
wr mem

Broadcast storm control : shut down a port when broadcasts take more than 50% of the bandwidth :

en
conf t
  int fa0/1
    storm-control broadcast level 50.00
    storm-control action shutdown
    end
wr mem

bpduguard

Enable on all switchports (not on trunks, uplinks, or ip phones) :

en
conf t
  int fa0/1
  spanning-tree bpduguard enable
  end
wr mem

Allow recovery of certain security events (so the port will be released again after a certain interval) :

enable
conf t
   errdisable recovery cause udld
   errdisable recovery cause bpduguard
   errdisable recovery cause security-violation
   errdisable recovery cause loopback
   errdisable recovery interval 60
   end
wr mem

udld is used when a port is udld enabled.  udld will detect unidirectional links (for example a fiber link where one of the two strands is broken). Unidirectional links can lead to unexpected behaviour, so it may be a good idea to enable udld on those ports.

Access list : If you don’t use a separate management lan, restrict who can access the switch over telnet, ssh :

Create access-list and only allow ip 1.1.1.14 to access the vty

enable
conf t
  access-list 10 permit host 1.1.1.14
  access-list 10 deny any log
  end
wr mem

Apply the access list to the vty :

enable
conf t
  line vty 0 15
    access-class 10 in
  end
wr mem

Session timeout

enable
conf t
line vty 0 15
absolute-timeout 0

this is the default (no timeout).  The parameter refers to the number of minutes of inactivity before the session will be disconnected.

cdp

If you are using cdp, it’s advised to disable cdp on all ports except for the ones that are connected to other Cisco devices (uplinks, trunks)

Enable cdp globally :

enable
conf t
  cdp run
  end
wr mem

Disable cdp for a certain port :

enable
conf t
  int fa0/1
    no cdp enable
    end
wr mem

Verify that you can still see all cdp neighbors :

enable
show cdp nei

Links

http://networking.ringofsaturn.com/Cisco/ciscojuniper.php

© 2008 – 2021, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.
