{"id":669,"date":"2008-06-22T13:38:20","date_gmt":"2008-06-22T11:38:20","guid":{"rendered":"http:\/\/www.corelan.be:8800\/index.php\/2008\/06\/22\/cisco-switch-ios-cheat-sheet\/"},"modified":"2008-06-22T13:38:20","modified_gmt":"2008-06-22T11:38:20","slug":"cisco-switch-ios-cheat-sheet","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/cisco-switch-ios-cheat-sheet\/","title":{"rendered":"Cisco switch IOS cheat sheet"},"content":{"rendered":"<h4>Reset to factory defaults :<\/h4>\n<ul>\n<li>connect console (9600\/8\/None\/1, no flow control) <\/li>\n<li>take out the power cable <\/li>\n<li>press the mode button (at the front), hold it,&#160; and put the power cable back <\/li>\n<li>the switch will go into recovery mode (the switch: prompt) <\/li>\n<li>run :\n<ul>\n<li>flash_init <\/li>\n<li>load_helper <\/li>\n<\/ul>\n<\/li>\n<li>rename the config file (it is called config.text, not config.txt) :\n<ul>\n<li>rename flash:config.text flash:config.old <\/li>\n<\/ul>\n<\/li>\n<li>run :\n<ul>\n<li>boot <\/li>\n<\/ul>\n<\/li>\n<li>When asked to enter the initial configuration (which happens when no config.text file is found), reply \u201cno\u201d <\/li>\n<li>press return a couple of times <\/li>\n<li>At the switch&gt; prompt, go into enable mode (no password needed) <\/li>\n<li>If you wanted to do a full reset :\n<ul>\n<li>Set a password. 
save config with \u201cwr mem\u201d and reload (run \u201creload\u201d) <\/li>\n<\/ul>\n<\/li>\n<li>If you wanted to reset the password, but keep the config :\n<ul>\n<li>copy the old config to the running config :\n<ul>\n<li>copy flash:config.old running-config <\/li>\n<\/ul>\n<\/li>\n<li>now reset the password (you already have an enable prompt) <\/li>\n<li>save the config (wr mem) <\/li>\n<li>a file config.text should be created again (check with dir flash:) <\/li>\n<li>reload <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Note : this procedure needs nothing but physical access to the console port, so anyone who can get to the switch can recover or reset its passwords and read its config.&#160; Keep switches in locked racks, and consider &quot;no service password-recovery&quot; on platforms that support it : the recovery procedure then only offers a reset to factory defaults (the config is wiped, so a forgotten password costs you the config).<\/p>\n<h4>Initial switch config<\/h4>\n<p>Activate the administrative vlan 1, set IP address, gateway, hostname, DNS, time zone and NTP, and then save the config<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\ninterface vlan1\nno shut\nip address 1.1.1.2 255.255.255.0\nexit\nip default-gateway 1.1.1.254\nip domain-name mydomain.com\nip domain-lookup\nip name-server 1.1.1.10\nip name-server 1.1.1.20\nclock timezone GMT+1 1\nntp server 1.1.1.15\nhostname switch1\nservice password-encryption\nwr mem<\/pre>\n<p>If you don't have an NTP server, you can set the clock with the &quot;clock set&quot; exec command as well (hh:mm:ss is required) :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">clock set 14:04:00 23 June 2008<\/pre>\n<p>Set timezone settings :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px 
solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">clock timezone GMT+1 1\nclock summer-time SummerTime recurring last Sun Mar 2:00 last Sun Oct 3:00<\/pre>\n<p>first command : \u201cGMT+1\u201d is just a string (the zone name shown by show clock).&#160; The trailing value is the offset from UTC in hours<\/p>\n<p>second command : the keyword is summer-time (with a hyphen), and \u201cSummerTime\u201d is again just a string.&#160; The recurring rule shown here is the one for Belgium (Central European time) : clocks go forward at 2:00 local standard time on the last Sunday of March and back at 3:00 local summer time on the last Sunday of October, so adjust it for your own region.<\/p>\n<p>Set a banner<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nbanner motd # Unauthorized access is prohibited ! #<\/pre>\n<p>(The first character after banner motd is the delimiter, so the # characters at the beginning and the end are not part of the banner string itself and must not appear inside it !&#160; When looking at the config, you\u2019ll see that they have been replaced by ^C)<\/p>\n<p><strong><span style=\"color: #ff0000\">Update : in this document, I'm referring to f0\/x and G0\/x interfaces, but these interface names can vary from switch type to switch type. 
Verify how the interfaces are called on your switch and use the corresponding interface names.<\/span><\/strong> The f in f0 refers to FastEthernet (100Mbit), the g in g0 refers to Gigabit.<\/p>\n<p>Set terminal length and width<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nline con 0\nlength 24\nwidth 80\nend\nwr mem<\/pre>\n<p>length and width are line settings (shown here for the console, use line vty 0 15 for the virtual terminals), and 24 and 80 are the defaults.&#160; If you are tired of the -- more -- prompt when generating output, set length to 0 ; for the current session only, the exec command terminal length 0 does the same without touching the config<\/p>\n<h4>Set passwords<\/h4>\n<p>Password protecting your switch -&#160; Passwords can be set in 5 places :<\/p>\n<p><span style=\"text-decoration: underline\">Telnet<\/span><\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nline vty 0 15\npassword ThisIsABadPassword\nlogin\nexit\nexit\nwr mem<\/pre>\n<div>(login makes the line ask for its password ; as long as a vty line has login but no password, IOS refuses telnet connections on it with &quot;Password required, but none set&quot;)<\/div>\n<div>Most switches have 16 vty lines (0 15) and small routers 5 (0 4) ; enterprise routers have many more. Use the ? 
to find out how many lines are available (may be 1180)<\/div>\n<div>line vty 0 1180<\/div>\n<div><span style=\"text-decoration: underline\">Console<\/span><\/div>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nline console 0\npassword ThisIsABadPassword\nlogin\nexit\nwr mem<\/pre>\n<div>(without login, the console never asks for the password)<\/div>\n<div><span style=\"text-decoration: underline\">Auxiliary<\/span><\/div>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nline aux 0\npassword ThisIsABadPassword\nlogin\nexit\nwr mem<\/pre>\n<div><span style=\"text-decoration: underline\">Enable secret<\/span><\/div>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nenable secret ThisIsABadPassword\nexit\nwr mem<\/pre>\n<div>&#160;<\/div>\n<div>Make sure &quot;service password-encryption&quot; is set to avoid that passwords are shown in clear text in the config !&#160; Be aware that it only obfuscates them : the &quot;password 7&quot; strings it produces are a fixed-key XOR that anyone with a copy of the config can reverse in seconds, so it protects against shoulder surfing, not against a leaked config.&#160; Wherever IOS offers a secret variant (enable secret, and username ... secret on recent versions), use it : secret stores a hash, password does not.<\/div>\n<div>Add an admin user account :<\/div>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">username admin1 privilege 15 
secret BadPassword<\/pre>\n<p>(you need to specify an account if you want to use ssh, and the vty lines must be set to login local so that this account is actually checked ! On IOS versions without username ... secret, use username ... password instead)<\/p>\n<p>&#160;<\/p>\n<div><strong>Before you connect the switch to the network, make sure vtp and spanning tree are set up correctly. (see below)<\/strong><\/div>\n<div>Set logging parameters<\/div>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nline con 0\n logging synchronous\n exit\nline vty 0 15\n logging synchronous\n exit\nservice timestamps debug datetime localtime show-timezone\nservice timestamps log datetime localtime show-timezone\nlogging buffered 64000\nend\nwr m<\/pre>\n<div>(use exit, not end, to leave a line and stay in configuration mode ; end drops you back to the exec prompt and the commands that follow would fail)<\/div>\n<h4>Enable ssh<\/h4>\n<div>Telnet will work on most switches, but it is a clear text protocol and is not secure.&#160; Depending on the IOS version (you need an image with crypto support), you can use ssh as well.<\/div>\n<div>This is how you can activate ssh :<\/div>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nhostname switch01\nip domain-name mydomain.com\ncrypto key generate rsa general-keys modulus 2048\nip ssh version 2\nip ssh time-out 60\nip ssh authentication-retries 2\nline vty 0 15\nlogin local\ntransport input ssh<\/pre>\n<div>(the RSA key is named after hostname and domain name, so set those first.&#160; A 1024 bit modulus was the usual choice in 2008 but is too short today ; use 2048, even if an old switch takes a while to generate it.&#160; ip ssh version 2 disables the weaker SSHv1 on versions that support it, and login local makes the vty lines authenticate against the local user account instead of the line password)<\/div>\n<div>The transport input command deactivates telnet on the vty lines listed (0 15 covers all 16 vty lines on most switches ; if you only list 0 4, lines 5 to 15 keep accepting telnet), and only activates ssh. 
If you want to allow both ssh and telnet, use<\/div>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">transport input ssh telnet<\/pre>\n<div>If you also want to use ssh to connect from a switch to another switch, then do&#160; :<\/div>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">transport output ssh<\/pre>\n<h4>Port speed and duplex mode<\/h4>\n<p>First set speed, then set duplex<\/p>\n<p>Autonegotiate :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nint f0\/1\nspeed auto\nduplex auto<\/pre>\n<p>100Mbit full duplex :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nint f0\/1\nspeed 100\nduplex full<\/pre>\n<h4>VLANs<\/h4>\n<p>Default (native) VLAN = vlan 1.&#160; (The native vlan is not being tagged !)<\/p>\n<p>Create new VLAN 10 in VLAN database (older switches)<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; 
border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nvlan database\nvlan 10 name Test-Vlan\napply\nshow\nexit<\/pre>\n<p>(vlan is saved upon exit)<\/p>\n<p>Note : the vlan database has its own configuration mode and commands.&#160; This also means that a &quot;write erase&quot; and &quot;reload&quot; will not clear the VLAN database. It just may be easier to configure vlans using global commands instead of using the separate database.<\/p>\n<p>Create new VLAN 10 using global commands<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">conf t\nvlan 10\nname Test-Vlan<\/pre>\n<p>Assign a port to Vlan 10 (after vlan has been distributed using VTP)<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nint f0\/1\nswitchport access vlan 10<\/pre>\n<p>Assign multiple ports to Vlan 10<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\ninterface range f0\/1 - 3\nswitchport access vlan 10<\/pre>\n<div>Show vlan assignments :<\/div>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px 
solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nshow vlan<\/pre>\n<div>If you want to remove the vlan from a port (it goes back to vlan 1), use the following commands :<\/div>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nint f0\/1\nno switchport access vlan<\/pre>\n<div>(keep the switchport mode access setting in place : removing it with no switchport mode access puts the port back in the dynamic default, where it will negotiate a trunk with whatever gets plugged in)<\/div>\n<p>Set the switch IP address in a particular vlan : (example set 1.1.1.1 to the switch interface in vlan10)<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nint vlan10\nip address 1.1.1.1 255.255.255.0\nexit\nwr m<\/pre>\n<p>(the int vlan10 command will create a new interface)<\/p>\n<p>Note : VTP advertisements are only exchanged over trunk links, so VLAN changes you make on a VTP server only reach the other switches when<\/p>\n<ul>\n<li>there is at least one trunk port <\/li>\n<li>the trunk port is up&#160; (you can connect it to a small switch or something\u2026 the port just needs to be up) <\/li>\n<\/ul>\n<p>If not, the VLAN exists only on the switch where you created it<\/p>\n<div>Interesting article on VLANs and Trunking : <a title=\"VLAN Configuration\" href=\"http:\/\/www.ciscopress.com\/articles\/article.asp?p=29803&amp;seqNum=1\">VLAN Configuration<\/a><\/div>\n<div>You can get a list of all interfaces (interface name, description, vlan id and port status) using the following command :<\/div>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; 
border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nshow interface status<\/pre>\n<h4>Trunking<\/h4>\n<p>Trunk = interface\/link that can carry traffic from multiple VLANs. Both sides of the trunk need to use the same protocol. Cisco supports 2 protocols :<\/p>\n<p>802.1Q = IEEE standard (alters existing frames, adds a VLAN tag) : +4 bytes (&quot;baby giant&quot;)<\/p>\n<p>ISL = Cisco proprietary (encapsulates the entire frame into a new frame : ISL header - orig frame - checksum) : +30 bytes (&quot;giant&quot;)<\/p>\n<p>DTP : Dynamic Trunking Protocol (dynamic trunk negotiation)<\/p>\n<p>More info on trunking : Read <a href=\"http:\/\/www.cisco.com\/en\/US\/tech\/tk389\/tk689\/technologies_tech_note09186a008017f86a.shtml\" target=\"_blank\" rel=\"noopener\">Cisco requirements to implement trunking<\/a><\/p>\n<p>Trunking &amp; portfast : do not set a trunk port in portfast mode ! (see later), and never allow a switchport to autonegotiate a trunk : a host on a port that is still in the dynamic default can talk DTP to the switch, turn its port into a trunk and reach every VLAN !<\/p>\n<p>Set port in trunk mode :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nint f0\/1\nswitchport trunk encapsulation dot1q\nswitchport mode trunk\nswitchport nonegotiate<\/pre>\n<p>(The last command turns off DTP on the port, which would otherwise keep sending negotiation frames even on a static trunk)<\/p>\n<p>The statement &quot;switchport trunk encapsulation dot1q&quot; does not exist on switches that only speak 802.1Q (2950, 2960, ...) ; on switches that also support ISL it is required before switchport mode trunk is accepted.<\/p>\n<p>By default a trunk carries all VLANs (Trunking VLANs Enabled: ALL in show int switchport) ; only untagged frames are mapped to the native vlan, which is set to 1 by default. 
You can change the native vlan for trunks using<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nint f0\/1\nswitchport trunk native vlan 20\n^Z<\/pre>\n<p>In this example, the native vlan for the trunk on FastEthernet0\/1 is now set to vlan 20.&#160; Keep in mind that the native vlan has to match on both ends of the trunk : with a mismatch, CDP and STP will complain and untagged traffic leaks between the two vlans.&#160; For security, pick a vlan that has no access ports at all (an unused one) as the native vlan : when an access port and the native vlan of a trunk are the same vlan, a host on that port can send double-tagged frames that come out in another vlan at the far end of the trunk (VLAN hopping).<\/p>\n<p>Define which VLANs are allowed via the trunk on FastEthernet0\/1:<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nint f0\/1\nswitchport trunk allowed vlan 10<\/pre>\n<p>(only allows vlan 10 ; this replaces the whole list, use the add \/ remove forms shown below to change it incrementally)<\/p>\n<p>Allow all vlans except vlan 100 :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nint f0\/1\nswitchport trunk allowed vlan except 100<\/pre>\n<p>Show interface trunk properties :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nshow int trunk<\/pre>\n<p>Remove vlan&#160; 200 and 300 from the trunk port :<\/p>\n<pre 
style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nint f0\/1\nswitchport trunk allowed vlan remove 200\nswitchport trunk allowed vlan remove 300<\/pre>\n<p>Remove trunking from an interface and make sure the interface cannot be tricked into negotiation to become a trunk anyway :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nint f0\/1\nno switchport mode trunk\nswitchport mode access<\/pre>\n<p>(Reminder : if you are using portfast for non-trunk\/uplink ports, you'll have to manually re-enable portfast for that interface again)<\/p>\n<p><span style=\"text-decoration: underline\">Switchport modes<\/span><\/p>\n<p><span style=\"text-decoration: underline\"><em>Access<\/em><\/span> : Port will never be a trunk, not even when other side is set to dynamic or trunk. I recommend applying this to all non-trunk ports, for security.<\/p>\n<p><span style=\"text-decoration: underline\"><em>Dynamic <\/em><\/span>: Port may become a trunk :<\/p>\n<p>- desirable : port will actively try to convert the link to a trunk.&#160; Link will become a trunk when other side is set to trunk, auto, or desirable<\/p>\n<p>- auto : port will become a trunk if other side is set to trunk or desirable. 
Port will not actively attempt to become a trunk though<\/p>\n<p><span style=\"text-decoration: underline\"><em>Trunk <\/em><\/span>: Port will be a trunk, regardless of settings at the other side (add switchport nonegotiate to stop it from sending DTP frames as well)<\/p>\n<h4>VLAN Trunking Protocol (VTP)<\/h4>\n<p>Manages vlan numbers and names centrally. The configuration is then distributed to the other devices.&#160; Changes are made on vtp servers, and then propagated to vtp clients. The scope of a vlan 'database' is a VTP domain.&#160;&#160; A switch can be configured to be a vtp server, a vtp client, or vtp transparent (only forwards the advertisements, does not apply them to its own config)<\/p>\n<p>You can have multiple vtp servers in the domain. Each advertisement carries a configuration revision number, and a switch only applies an update whose revision number is higher than its own ; when 2 changes are made on different vtp servers for the same configuration, the first one to arrive wins, and the second one (carrying the same revision number) is ignored.&#160; The flip side : any switch that joins the domain with a higher revision number (a client too, and also a switch that was a server in a lab) overwrites the VLAN database of the whole domain with its own. Before connecting a switch, reset its revision number to 0 by setting vtp mode transparent and back, or by changing its VTP domain name.<\/p>\n<p>Many switches are vtp server by default. Make sure to verify the switch status (show vtp status) before connecting it to the network !<\/p>\n<p>Default VTP domain is null. 
Trunks negotiated using the null domain will break if you assign another domain to one side only (DTP only negotiates a trunk between switches in the same VTP domain ; a static trunk with switchport nonegotiate is not affected) !&#160; Some switches will not negotiate a trunk unless a VTP domain has been set on each switch !<\/p>\n<p>Set VTP domain on a switch to VTPDomain1<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nvtp domain VTPDomain1<\/pre>\n<p>Set the switch mode (choose between client, server or transparent)<\/p>\n<p>(If you want to add an additional server, then first set up the switch as client, and after it has received all VLANs, change it to server)<\/p>\n<p>A transparent vtp switch only passes VTP advertisements on to its other trunks ; it keeps its own, locally configured VLAN database and does not apply them.<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nvtp mode client\nvtp mode server\nvtp mode transparent<\/pre>\n<p>Set a VTP password to ensure that only switches with the same password will accept VTP advertisements (the password goes into the MD5 digest of every advertisement, so a switch with a wrong or missing password cannot push a VLAN database into the domain) :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nvtp password ThisIsABadPassword<\/pre>\n<p>If you need to remove this password, use :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px 
solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nno vtp password<\/pre>\n<p>If you want to see the vtp password :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nshow vtp pass<\/pre>\n<p>Get vtp configuration<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nsh vtp status\n\nVTP Version                     : 2\nConfiguration Revision          : 10\nMaximum VLANs supported locally : 128\nNumber of existing VLANs        : 11\nVTP Operating Mode              : Client\nVTP Domain Name                 : VTPDomain1\nVTP Pruning Mode                : Disabled\nVTP V2 Mode                     : Disabled\nVTP Traps Generation            : Enabled\nMD5 digest                      : 0x22 0x85 0x44 0x0A 0xDE 0x0C 0xF7 0xC6\nConfiguration last modified by 1.1.1.1 at 6-20-08 06:49:18<\/pre>\n<blockquote>\n<div>\n<p><span style=\"color: #000080\">&#160;<\/span><\/p>\n<p>VTP pruning : when certain vlan are only used on certain switches, you may not want their broadcasts be transferred on all of your trunks because this will only increase network load. 
Pruning prevents traffic originating from a particular vlan from being sent to switches on which that vlan is not active.<\/p>\n<\/div>\n<\/blockquote>\n<p>By default, vlans 2 to 1001 are eligible for pruning (vlan 1 and the reserved \/ extended ranges never are), as the &quot;Pruning VLANs Enabled: 2-1001&quot; line in the output below shows<\/p>\n<p>Pruning must be enabled or disabled throughout the entire vtp domain ; enabling it on one vtp server is enough, the setting is propagated.<\/p>\n<p>Enable vtp pruning :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nvtp pruning<\/pre>\n<p>Check which vlans are eligible for pruning : Assuming that f0\/15 is a trunk port<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nshow int f0\/15 switchport\n\nSwitchport: Enabled\nAdministrative Mode: dynamic desirable\nOperational Mode: down\nAdministrative Trunking Encapsulation: dot1q\nNegotiation of Trunking: On\nAccess Mode VLAN: 1 (default)\nTrunking Native Mode VLAN: 1 (default)\nVoice VLAN: none\nAdministrative private-vlan host-association: none\nAdministrative private-vlan mapping: none\nAdministrative private-vlan trunk native VLAN: none\nAdministrative private-vlan trunk encapsulation: dot1q\nAdministrative private-vlan trunk normal VLANs: none\nAdministrative private-vlan trunk private VLANs: none\nOperational private-vlan: none\nTrunking VLANs Enabled: ALL\nPruning VLANs Enabled: 2-1001\nCapture Mode Disabled\nCapture VLANs Allowed: ALL\nProtected: false\nAppliance trust: none<\/pre>\n<p><em>Look for &quot;Pruning VLANs Enabled&quot;.&#160; Note that this example port still shows &quot;Administrative Mode: dynamic desirable&quot; and &quot;Negotiation of Trunking: On&quot;, i.e. the factory default that the trunking section above tells you to replace with an explicit access or trunk mode.<\/em><\/p>\n<p>Define switch to only set vlan 10 eligible for pruning<\/p>\n<pre style=\"border-right: #cecece 1px 
solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nint f0\/15\nswitchport trunk pruning vlan 10<\/pre>\n<p>(this will remove all other vlan pruning settings !)<\/p>\n<p>You can add or remove vlans from the pruning list :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nint f0\/15\nswitchport trunk pruning vlan add 10-20\nswitchport trunk pruning vlan remove 20<\/pre>\n<p>Note : even though an interface may show that it is connected (sh int fa0\/2), if the VLAN that is assigned to that port is missing, the port won't work. (sh int fa0\/2 switchport)<\/p>\n<h4>Etherchannel<\/h4>\n<p><a title=\"http:\/\/www.cisco.com\/en\/US\/tech\/tk389\/tk213\/technologies_tech_note09186a0080094714.shtml\" href=\"http:\/\/www.cisco.com\/en\/US\/tech\/tk389\/tk213\/technologies_tech_note09186a0080094714.shtml\">http:\/\/www.cisco.com\/en\/US\/tech\/tk389\/tk213\/technologies_tech_note09186a0080094714.shtml<\/a><\/p>\n<p>Enables bonding of up to 8 links into one logical link.&#160; Total logical link speed is equal to sum of all speeds of the physical links. 
Each conversation however cannot use more than the link speed of <strong>one<\/strong> physical link.<\/p>\n<p>The protocol and mode used to set up the channel between two switches depend on the type\/brand\/make of switch.&#160; Cisco supports LACP (Link Aggregation Control Protocol, IEEE 802.3ad), which can be used to connect to servers or non-Cisco devices.&#160;&#160; The other protocol is PAgP (Port Aggregation Protocol), which is Cisco proprietary.&#160; You can also set the mode to &quot;on&quot; (no protocol) on both sides to bundle the links without negotiation ; do not mix &quot;on&quot; with a negotiating mode on the other side, because the &quot;on&quot; side bundles unconditionally and the result is a channel that does not come up or a loop that STP has to catch<\/p>\n<p>Modes :<\/p>\n<p>PAgP : auto (will not initiate negotiations) or desirable (will initiate negotiations)<\/p>\n<p>LACP : passive (will not initiate negotiations) or active (will initiate negotiations)<\/p>\n<p>Creating an etherchannel, binding it to vlan 110,&#160; and setting interfaces G0\/1 and G0\/2 to be part of the channel, using PAgP, mode desirable :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\ninterface Port-channel1\n    description 2Gbit Etherchannel\n    no ip address\n    switchport\n    switchport access vlan 110\n\ninterface GigabitEthernet0\/1\n    description Link1 in Port-Channel1\n    no ip address\n    switchport\n    channel-group 1 mode desirable\n\ninterface GigabitEthernet0\/2\n    description Link2 in Port-Channel1\n    no ip address\n    switchport\n    channel-group 1 mode desirable<\/pre>\n<p>(You'll need to do this on both switches that are part of the Etherchannel, using exactly the same port settings (except for the description) : a member with mismatched speed, duplex, vlan or trunk settings is kept out of the bundle)<\/p>\n<p>After configuring the etherchannel, a &quot;shut&quot; and &quot;no shut&quot; may be required to properly activate the etherchannel.&#160; You can verify the 
etherchannel configuration using<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nsh etherchannel    \n\nChannel-group listing:\n----------------------\nGroup: 1\n----------\nGroup state = L2\nPorts: 2\nMaxports = 8\nPort-channels: 1\nMax Port-channels = 1\nProtocol:    -<\/pre>\n<p>see the portchannel interface properties using<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\n\nshow int Port-channel1\n\nPort-channel1 is up, line protocol is up (connected)\n  Hardware is EtherChannel, address is 0015.628a.a885 (bia 0015.628a.a885)\n  MTU 1500 bytes, BW 2000000 Kbit, DLY 10 usec,\n     reliability 255\/255, txload 1\/255, rxload 1\/255\n  Encapsulation ARPA, loopback not set\n  Full-duplex, 1000Mb\/s, link type is auto, media type is unknown\n  input flow-control is off, output flow-control is unsupported\n  Members in this channel: Gi0\/4 Gi0\/5\n  ARP type: ARPA, ARP Timeout 04:00:00\n  Last input never, output 00:00:01, output hang never\n  Last clearing of &quot;show interface&quot; counters never\n  Input queue: 0\/75\/0\/0 (size\/max\/drops\/flushes); Total output drops: 0\n  Queueing strategy: fifo\n  Output queue: 0\/40 (size\/max)\n  5 minute input rate 4000 bits\/sec, 2 packets\/sec\n  5 minute output rate 31000 bits\/sec, 13 packets\/sec\n     2954263967 packets input, 2454361023 bytes, 0 no buffer\n     Received 3584016 broadcasts (0 multicast)\n     0 runts, 0 giants, 0 throttles\n     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored\n 
    0 watchdog, 2383 multicast, 0 pause input\n     0 input packets with dribble condition detected\n     1178085823 packets output, 3695013096 bytes, 0 underruns\n     0 output errors, 0 collisions, 1 interface resets\n     0 babbles, 0 late collision, 0 deferred\n     0 lost carrier, 0 no carrier, 0 PAUSE output\n     0 output buffer failures, 0 output buffers swapped out<\/pre>\n<p>Note : if you use servers with multiple network interfaces that are configured to use Link Aggregation, and both interfaces are connected to your switch, don't forget to create an etherchannel for the server.&#160;&#160; Etherchannel is not only useful for uplinks between switches, but also for server network interface redundancy.<\/p>\n<p>http:\/\/www.cisco.com\/en\/US\/docs\/switches\/lan\/catalyst2950\/software\/release\/12.1_6_ea2c\/configuration\/guide\/swgports.html<\/p>\n<h4>Spanning Tree<\/h4>\n<p>STP is a link management protocol that provides path redundancy and prevents layer 2 loops in the network. Without STP, a loop in the network would cause broadcast storms. However, for redundancy and failover, sometimes you need to create a loop in the network.&#160; STP will not only prevent broadcast storms from taking down the network, but it will also provide for &quot;reswitching&quot; of the traffic in case one of the loop links goes down.&#160; If your environment does not support spanning tree, you can still use a loop, but you'll need to set one of the loop links to &quot;shut&quot;, and bring it up manually when the other loop link is down.<\/p>\n<p>Spanning Tree is enabled by default.<\/p>\n<p>Every switch on the network that supports STP sends out frames that are called BPDUs (Bridge Protocol Data Units) every 2 seconds.&#160; Based on the contents of these frames, STP can perform the following functions :<\/p>\n<p>- Elects a root bridge (switch) in the network. 
This is the bridge that all other bridges need to reach via the shortest path possible. When a switch boots, it assumes that it is the root bridge and sets the root ID to the local bridge ID. If it receives a BPDU that has a lower root ID, it adjusts the local root ID setting.&#160;&#160; The bridge ID is based upon the switch MAC address and priority. The switch with the lowest bridge ID becomes the root.<\/p>\n<p>The default bridge priority is set to 32768. If you want a particular switch to become the root bridge, you should lower its priority value (to e.g. 1. Note - some STP versions require you to set either 0 or 4096 as the minimum value !)<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nspanning-tree priority 1<\/pre>\n<p>In IOS 12.1, you can use<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nspanning-tree vlan 1 priority 4096<\/pre>\n<p>(the value 4096 is generally used as the root switch priority.&#160; A lower priority is preferred over a higher one)<\/p>\n<p>- <span style=\"text-decoration: underline\">Calculate the cost for each path from each bridge to the root bridge<\/span>.&#160; It is recommended to configure a switch to become the root bridge instead of letting the algorithm select the root bridge itself. 
This ensures that a switch you add later with a lower MAC address than the root bridge elected by the algorithm does not become the root bridge itself and put an important trunk link in your network into a disabled state.&#160; The root bridge switch should be one of the central or core switches. After all, if your central servers are connected to this switch, then data flow in your network occurs from the perspective of this switch. There's a short section on how to set the root bridge manually later in this post.&#160; Just remember : always manually set one or two core switches in the network with a low root bridge priority (e.g. values 1 and 10, ensuring that you have controlled root bridge elections)<\/p>\n<p>- <span style=\"text-decoration: underline\">Determines the root port on each bridge<\/span>. This is the port that has the shortest path to the root bridge.<\/p>\n<p>- <span style=\"text-decoration: underline\">Determines the designated port on each segment<\/span>, which is the port on the segment that has the shortest path to the root.<\/p>\n<p>- <span style=\"text-decoration: underline\">Elects a designated bridge on each segment<\/span>.&#160;&#160; The bridge on a given segment with the designated port becomes the designated bridge.<\/p>\n<p>- <span style=\"text-decoration: underline\">Blocks nonforwarding ports<\/span>.&#160;&#160; Ports that have received BPDUs and are not designated or root ports will be placed into blocking state.&#160; These ports are up, but are not allowed to forward traffic.<\/p>\n<p>Spanning tree defines a tree that spans all switches in the extended network. STP forces certain redundant paths into a standby (blocked) state. 
If one of the segments in the STP becomes unreachable, or if costs change, the algorithm reconfigures the topology and reestablishes the link by activating the redundant standby path.<\/p>\n<p>Cisco supports 3 types of STP : PVST+, PVRST+ and MSTP<\/p>\n<p>You can find more information on STP on http:\/\/www.cisco.com\/univercd\/cc\/td\/doc\/product\/rtrmgmt\/sw_ntman\/cwsimain\/cwsi2\/cwsiug2\/vlan2\/stpapp.htm<\/p>\n<p>The cost of a link is calculated based on bandwidths :<\/p>\n<table cellspacing=\"0\" cellpadding=\"0\" width=\"361\" border=\"1\">\n<tbody>\n<tr>\n<td valign=\"top\" width=\"199\"><span style=\"font-size: xx-small; font-family: tahoma\">Link speed<\/span><\/td>\n<td valign=\"top\" width=\"160\"><span style=\"font-size: xx-small; font-family: tahoma\"><strong>Cost<\/strong> <\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"199\"><span style=\"font-size: xx-small; font-family: tahoma\">10 Gbps<\/span><\/td>\n<td valign=\"top\" width=\"160\"><span style=\"font-size: xx-small; font-family: tahoma\">2<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"199\"><span style=\"font-size: xx-small; font-family: tahoma\">1 Gbps<\/span><\/td>\n<td valign=\"top\" width=\"160\"><span style=\"font-size: xx-small; font-family: tahoma\">4<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"199\"><span style=\"font-size: xx-small; font-family: tahoma\">100 Mbps<\/span><\/td>\n<td valign=\"top\" width=\"160\"><span style=\"font-size: xx-small; font-family: tahoma\">19<\/span><\/td>\n<\/tr>\n<tr>\n<td valign=\"top\" width=\"199\"><span style=\"font-size: xx-small; font-family: tahoma\">10 Mbps<\/span><\/td>\n<td valign=\"top\" width=\"160\"><span style=\"font-size: xx-small; font-family: tahoma\">100<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Note : you can configure your Cisco switches to perform Per-VLAN spanning tree. 
This will allow STP for each VLAN when used with ISL trunks.&#160; PVST+ allows the same functionality for 802.1q trunks.<\/p>\n<p>You can enable PVST using the following command :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nspanning-tree mode pvst<\/pre>\n<p>Rapid Per VLAN Spanning Tree is an evolution of the STP standard. It performs better than STP, and it can revert back to STP for interoperability with legacy devices. Using STP, it can take up to 40 seconds before a link state change is fixed.&#160; Using rapid STP, this process could be complete in 2 seconds.<\/p>\n<p>Enable Rapid Spanning Tree :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nspanning-tree mode rapid-pvst<\/pre>\n<p>You can read more on Rapid Spanning Tree on <a title=\"Understanding Rapid Spanning Tree Protocol (802.1w)\" href=\"http:\/\/www.cisco.com\/en\/US\/tech\/tk389\/tk621\/technologies_white_paper09186a0080094cfa.shtml\">Understanding Rapid Spanning Tree Protocol (802.1w)<\/a><\/p>\n<p>Note : spanning-tree changes take effect immediately. 
This means that normal traffic may be interrupted when configuring STP.<\/p>\n<p>You can see what type of Spanning Tree Protocol is used by running<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nshow spanning-tree<\/pre>\n<p>(Look for &quot;Spanning tree enabled protocol...&quot; - followed by the type of STP that is being used). If you are only interested in information about STP within a given VLAN, you can use<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nshow spanning-tree vlan 10<\/pre>\n<p>If the &quot;Spanning tree enabled protocol&quot; line states &quot;rstp&quot;, then the switch is running PVRST+, which is the Cisco RSTP implementation.&#160; If &quot;ieee&quot; is stated, the switch is running PVST.<\/p>\n<p>View STP configuration\/parameters on a switch :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nshow spanning-tree\nVLAN0001\n  Spanning tree enabled protocol ieee\n<strong><span style=\"color: #ff0000\">  Root ID    Priority    32768\n             Address     0002.fd2f.37c0\n             Cost        27\n             Port        25 (GigabitEthernet0\/1)<\/span><\/strong>\n             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec\n  Bridge ID  Priority    32769  
(priority 32768 sys-id-ext 1)\n             Address     001a.e2b7.ec40\n             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec\n             Aging Time 300<\/pre>\n<p>The text in red indicates the priority and the MAC address of the root bridge, and the cost and port used to get to the root bridge.&#160; The priority value in this example most likely indicates that the root bridge has been elected dynamically. This is not a good idea. It's recommended to manually configure the root bridge, to avoid that another switch (e.g. one with a lower MAC address value) would become root bridge all of a sudden.<\/p>\n<p>The text after \u201cBridge ID\u201d refers to the STP settings on the local switch<\/p>\n<p>You can manually override the priority value (and thus set the root bridge manually) by using the following commands (on the switch that needs to become root bridge) :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nspanning-tree priority 1<\/pre>\n<p>You can see a summary (including the status) using the following command :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\n\nshow spanning-tree summary\n\nSwitch is in pvst mode\nRoot bridge for: none\nEtherChannel misconfig guard is enabled\nExtended system ID           is enabled\nPortfast Default             is disabled\nPortFast BPDU Guard Default  is disabled\nPortfast BPDU Filter Default is disabled\nLoopguard Default            is disabled\nUplinkFast                   is 
disabled\nBackboneFast                 is disabled\nPathcost method used         is short\nName                   Blocking Listening Learning Forwarding STP Active\n---------------------- -------- --------- -------- ---------- ----------\nVLAN0001                     0         0        0          9          9\nVLAN0020                     0         0        0          1          1\nVLAN0030                     0         0        0          1          1\nVLAN0040                     0         0        0          1          1\nVLAN0050                     0         0        0          1          1\nVLAN0060                     0         0        0          1          1\nVLAN0100                     0         0        0          1          1\n---------------------- -------- --------- -------- ---------- ----------\n7 vlans                      0         0        0         15         15<\/pre>\n<p>If all goes well, all of the VLANs are set to Forwarding. 
As you can see, STP is enabled for every VLAN by default.<\/p>\n<p>You can get info about the root bridge for every VLAN using :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nshow spanning-tree root\n\n                                        Root Hello Max Fwd\nVlan                   Root ID          Cost  Time Age Dly  Root Port\n---------------- -------------------- ------ ----- --- ---  ----------------\nVLAN0001         32768 0002.fd2f.37c0     27    2   20  15  Gi0\/1\nVLAN0020         32788 000b.5f6d.9940      8    2   20  15  Gi0\/1\nVLAN0030         32798 000b.5f6d.9940      8    2   20  15  Gi0\/1\nVLAN0040         32808 000b.5f6d.9940      8    2   20  15  Gi0\/1\nVLAN0050         32818 000b.5f6d.9940      8    2   20  15  Gi0\/1\nVLAN0060         32828 000b.5f6d.9940      8    2   20  15  Gi0\/1\nVLAN0100         32868 000b.5f6d.9940      8    2   20  15  Gi0\/1<\/pre>\n<p>More information about STP topology changes can be found at http:\/\/www.cisco.com\/en\/US\/tech\/tk389\/tk621\/technologies_tech_note09186a0080094797.shtml<\/p>\n<p>If you want to disable STP, use the following command :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nno spanning-tree vlan 10\nno spanning-tree vlan 20<\/pre>\n<div>(etc - you need to disable STP for every VLAN)<\/div>\n<div>If you want to re-enable STP, use<\/div>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 
5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nspanning-tree vlan 10\nspanning-tree vlan 20<\/pre>\n<div>(again, you need to do this for every VLAN)<\/div>\n<div>Note : in order to prevent duplex mismatches on your STP links, make sure to set both sides of an uplink to the same speed and duplex values.<\/div>\n<h4>Portfast<\/h4>\n<p>Portfast is a feature that allows a port to bypass all of the spanning tree states (Initializing, Blocking, Listening, Learning, Forwarding, Disabled).&#160;&#160; This essentially speeds up the process for an interface to become usable in an STP environment.&#160; If portfast is turned off (which is the default behaviour), it might take up to 30 seconds before an interface becomes usable. If you use DHCP, these 30 seconds may be too long for a host to get an IP address, so in most cases it is advised to enable portfast on ports that are connected directly to hosts. However, since portfast bypasses all STP states, portfast can and should only be used for hosts, and not for uplinks to other switches. 
Otherwise, the entire STP model will fail.<\/p>\n<p>If you want to enable portfast on a port, use the following command :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nint f0\/1\nspanning-tree portfast<\/pre>\n<p>If you want to disable portfast, use this command :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nint f0\/1\nno spanning-tree portfast<\/pre>\n<p>Note : as explained above, do NOT activate portfast on a trunk or uplink port ! On the other hand, apply this to all other interfaces !!<\/p>\n<p>For regular switch ports (ports that only connect to nodes), you can also do :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nint fa0\/1\n   switchport host\n   end\nwr mem<\/pre>\n<p>This will<\/p>\n<ul>\n<li>enable portfast <\/li>\n<li>disable trunk, and disable dot1q <\/li>\n<li>disable etherchannel <\/li>\n<\/ul>\n<h4>Jumbo frames<\/h4>\n<p>If you need jumbo frames, you need to change the MTU on an interface basis :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; 
border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nint fa0\/1\n  mtu 9216\n  end\nwr mem<\/pre>\n<p>Possible values for mtu are between 1500 and 9216. Make sure the values on all endpoints and all components (switches, but also routers !) between the endpoints use the same value.<\/p>\n<h4>IP Phones \/ Power Over Ethernet<\/h4>\n<p>Enable power over ethernet for IP phones&#160; (per interface !)<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nint fa0\/1\n   power inline auto\n   end\nwr mem<\/pre>\n<p>On ports that will never host an IP phone, you can disable PoE using the \u201cpower inline never\u201d command.<\/p>\n<p>Allow an IP phone and a PC to operate on the same switch, but in different VLANs :&#160; (example : data = vlan 10, voice = vlan 50),&#160; + restrict to only one computer and one phone per interface :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nint fa0\/1\n   switchport mode access\n   switchport access vlan 10\n   switchport voice vlan 50\n   switchport port-security\n   switchport port-security maximum 1 vlan access\n   switchport port-security maximum 1 vlan voice\n   end\nwr mem<\/pre>\n<h4>Span ports<\/h4>\n<p>This has nothing to do with spanning tree. 
A span is an association of a destination port with one or more source ports.&#160; You can use a span to monitor incoming or outgoing traffic, or both.&#160;&#160; Span sessions do not interfere with normal operation of the switch.<\/p>\n<p>In order to set up a span, you need to select one or more source ports (the ports that you want to monitor for traffic analysis, e.g. using a sniffer).&#160; It can be any port (including a trunk port), but it cannot be a port that is configured as a destination port.&#160; Each source port needs to be configured with a direction (inbound or ingress, outbound or egress, or both).&#160; Source ports can be in multiple and different VLANs.<\/p>\n<p>A destination port (monitoring port) will receive a copy of all traffic from the source ports.&#160;&#160;&#160; The destination port must be on the same switch, and cannot be one of the source ports. While a span session is active, the destination port is disabled for normal use. It will not forward any traffic except the traffic for the span session itself.&#160; It does not participate in STP, VTP, CDP etc.<\/p>\n<p>Set up a span session to monitor all incoming traffic on FastEthernet 0\/1, all outgoing traffic on FastEthernet 0\/2 and all traffic on FastEthernet 0\/3 and send the copy to FastEthernet 0\/4 :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\nno monitor session 1\nmonitor session 1 source interface fa0\/1 rx\nmonitor session 1 source interface fa0\/2 tx\nmonitor session 1 source interface fa0\/3 both\nmonitor session 1 destination interface fa0\/4<\/pre>\n<p>Note : You can specify multiple source interfaces in one line, by entering the ports after each other, separated with a comma.<\/p>\n<p>Get monitor configuration :<\/p>\n<pre 
style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nshow monitor<\/pre>\n<h4>Additional security configurations<\/h4>\n<p><strong>Limit number of mac addresses<\/strong> per port (to make sure nobody attaches another switch and multiple hosts to your network) :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">en\nconf t\n  int fa0\/1\n  switchport mode access\n  switchport port-security\n  switchport port-security maximum 1 vlan access\n  end\nwr mem<\/pre>\n<p>=&gt; do this for every non-trunk and\/or non-uplink port<\/p>\n<p>Enable <strong>DHCP snooping <\/strong>(basically prevents anyone from hooking up a rogue DHCP server on your network) :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">en\nconf t\n  ip dhcp snooping\nwr mem<\/pre>\n<p>Then, set all trunk ports to trusted :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">en\nconf t\n  int fa0\/24\n    ip dhcp snooping trust\n  end\nwr mem<\/pre>\n<p>Finally, on the port that serves the DHCP server :<\/p>\n<pre style=\"border-right: 
#cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">en\nconf t\n   int fa0\/2\n     ip dhcp snooping trust\n   end\nwr mem<\/pre>\n<p><strong>Broadcast storm control<\/strong> : shut down a port when broadcasts take more than 50% of the bandwidth :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">en\nconf t\n  int fa0\/1\n    storm-control broadcast level 50.00\n    storm-control action shutdown\n    end\nwr mem<\/pre>\n<p><strong>bpduguard<\/strong><\/p>\n<p>Enable on all switchports (not on trunks, uplinks, or ip phones) :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">en\nconf t\n  int fa0\/1\n  spanning-tree bpduguard enable\n  end\nwr mem<\/pre>\n<p><strong>Allow recovery<\/strong> of certain security events (so the port will be released again after a certain interval) :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\n   errdisable recovery cause udld\n   errdisable recovery cause bpduguard\n   errdisable recovery cause security-violation\n   errdisable recovery cause 
loopback\n   errdisable recovery interval 60\nwr mem<\/pre>\n<p>The udld cause applies when a port is udld enabled.&#160; udld will detect unidirectional links (for example a fiber where one of the 2 links is broken). Unidirectional links can lead to unexpected behaviour, so it may be a good idea to enable udld on those ports.<\/p>\n<p><strong>Access list : <\/strong>If you don\u2019t use a separate management LAN, restrict who can access the switch over telnet or ssh :<\/p>\n<p>Create an access-list and only allow ip 1.1.1.14 to access the vty<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\n  access-list 10 permit host 1.1.1.14\n  access-list 10 deny any log\n  end\nwr mem<\/pre>\n<p>Apply the access list to the vty :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\n  line vty 0 15\n    access-class 10 in\n  end\nwr mem<\/pre>\n<p><strong>Session timeout<\/strong><\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\n  line vty 0 15\n    absolute-timeout 0<\/pre>\n<p>this is the default (no timeout).&#160; The parameter refers to the number of minutes of inactivity before the session will be disconnected.<\/p>\n<p><strong>cdp<\/strong><\/p>\n<p>If you are using cdp, it\u2019s advised to disable 
cdp on all ports except for the ones that are connected to other Cisco devices (uplinks, trunks)<\/p>\n<p>Enable cdp globally :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\n  cdp run\n  end\nwr mem<\/pre>\n<p>Disable cdp for a certain port :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nconf t\n  int fa0\/1\n    no cdp enable\n    end\nwr mem<\/pre>\n<p>Verify that you can still see all cdp neighbors :<\/p>\n<pre style=\"border-right: #cecece 1px solid; padding-right: 5px; border-top: #cecece 1px solid; padding-left: 5px; min-height: 40px; padding-bottom: 5px; overflow: auto; border-left: #cecece 1px solid; width: 650px; padding-top: 5px; border-bottom: #cecece 1px solid; background-color: #f0f0f0\">enable\nshow cdp nei<\/pre>\n<h4>Links<\/h4>\n<p><a title=\"http:\/\/networking.ringofsaturn.com\/Cisco\/ciscojuniper.php\" href=\"http:\/\/networking.ringofsaturn.com\/Cisco\/ciscojuniper.php\">http:\/\/networking.ringofsaturn.com\/Cisco\/ciscojuniper.php<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Reset to factory defaults : connect console (9600\/8\/None\/1, no flow control) take out power cable press mode button (at the front), hold it,&#160; and put power cable back switch will go into recovery mode run : flash_init load_helper rename the config file : rename flash:config.txt flash:config.old run : boot When asked to enter the initial &hellip; <a 
href=\"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/cisco-switch-ios-cheat-sheet\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> \"Cisco switch IOS cheat sheet\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[997,164],"tags":[3742,1007,998],"class_list":["post-669","post","type-post","status-publish","format-standard","hentry","category-cisco","category-networking","tag-networking","tag-ios","tag-cisco"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Cisco switch IOS cheat sheet - Corelan | Exploit Development &amp; Vulnerability Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/cisco-switch-ios-cheat-sheet\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cisco switch IOS cheat sheet - Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"og:description\" content=\"Reset to factory defaults : connect console (9600\/8\/None\/1, no flow control) take out power cable press mode button (at the front), 
hold it,&#160; and put power cable back switch will go into recovery mode run : flash_init load_helper rename the config file : rename flash:config.txt flash:config.old run : boot When asked to enter the initial &hellip; Continue reading &quot;Cisco switch IOS cheat sheet&quot;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/cisco-switch-ios-cheat-sheet\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development &amp; Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2008-06-22T11:38:20+00:00\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/06\\\/22\\\/cisco-switch-ios-cheat-sheet\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/06\\\/22\\\/cisco-switch-ios-cheat-sheet\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"Cisco switch IOS cheat 
sheet\",\"datePublished\":\"2008-06-22T11:38:20+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/06\\\/22\\\/cisco-switch-ios-cheat-sheet\\\/\"},\"wordCount\":3853,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"keywords\":[\"networking\",\"ios\",\"Cisco\"],\"articleSection\":[\"Cisco\",\"Networking\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/06\\\/22\\\/cisco-switch-ios-cheat-sheet\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/06\\\/22\\\/cisco-switch-ios-cheat-sheet\\\/\",\"name\":\"Cisco switch IOS cheat sheet - Corelan | Exploit Development &amp; Vulnerability Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"datePublished\":\"2008-06-22T11:38:20+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/06\\\/22\\\/cisco-switch-ios-cheat-sheet\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/06\\\/22\\\/cisco-switch-ios-cheat-sheet\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/06\\\/22\\\/cisco-switch-ios-cheat-sheet\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cisco switch IOS cheat sheet\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals 
worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"de
scription\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Cisco switch IOS cheat sheet - Corelan | Exploit Development &amp; Vulnerability Research","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/cisco-switch-ios-cheat-sheet\/","og_locale":"en_US","og_type":"article","og_title":"Cisco switch IOS cheat sheet - Corelan | Exploit Development &amp; Vulnerability Research","og_description":"Reset to factory defaults : connect console (9600\/8\/None\/1, no flow control) take out power cable press mode button (at the front), hold it,&#160; and put power cable back switch will go into recovery mode run : flash_init load_helper rename the config file : rename flash:config.txt flash:config.old run : boot When asked to enter the initial &hellip; Continue reading \"Cisco switch IOS cheat sheet\"","og_url":"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/cisco-switch-ios-cheat-sheet\/","og_site_name":"Corelan | Exploit Development &amp; Vulnerability 
Research","article_publisher":"https:\/\/www.facebook.com\/corelanconsulting","article_published_time":"2008-06-22T11:38:20+00:00","author":"corelanc0d3r","twitter_card":"summary_large_image","twitter_creator":"@corelanc0d3r","twitter_site":"@corelanc0d3r","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/cisco-switch-ios-cheat-sheet\/#article","isPartOf":{"@id":"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/cisco-switch-ios-cheat-sheet\/"},"author":{"name":"corelanc0d3r","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f"},"headline":"Cisco switch IOS cheat sheet","datePublished":"2008-06-22T11:38:20+00:00","mainEntityOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/cisco-switch-ios-cheat-sheet\/"},"wordCount":3853,"publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"keywords":["networking","ios","Cisco"],"articleSection":["Cisco","Networking"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/cisco-switch-ios-cheat-sheet\/","url":"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/cisco-switch-ios-cheat-sheet\/","name":"Cisco switch IOS cheat sheet - Corelan | Exploit Development &amp; Vulnerability Research","isPartOf":{"@id":"https:\/\/www.corelan.be\/#website"},"datePublished":"2008-06-22T11:38:20+00:00","breadcrumb":{"@id":"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/cisco-switch-ios-cheat-sheet\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/cisco-switch-ios-cheat-sheet\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/cisco-switch-ios-cheat-sheet\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.corelan.be\/"},{"@type":"ListItem","position":2,"name":"Cisco switch IOS cheat 
sheet"}]},{"@type":"WebSite","@id":"https:\/\/www.corelan.be\/#website","url":"https:\/\/www.corelan.be\/","name":"Corelan CyberSecurity Research","description":"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.","publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.corelan.be\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.corelan.be\/#organization","name":"Corelan CyberSecurity Research","url":"https:\/\/www.corelan.be\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","width":200,"height":200,"caption":"Corelan CyberSecurity 
Research"},"image":{"@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/corelanconsulting","https:\/\/x.com\/corelanc0d3r","https:\/\/x.com\/corelanconsulting","https:\/\/instagram.com\/corelanconsult"]},{"@type":"Person","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f","name":"corelanc0d3r","pronouns":"he\/him","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","url":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","caption":"corelanc0d3r"},"description":"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. 
Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.","sameAs":["https:\/\/www.corelan-training.com","https:\/\/instagram.com\/corelanc0d3r","https:\/\/www.linkedin.com\/in\/petervaneeckhoutte\/","https:\/\/x.com\/corelanc0d3r"],"url":"https:\/\/www.corelan.be\/index.php\/author\/admin0\/"}]}},"views":19122,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/669","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/comments?post=669"}],"version-history":[{"count":0,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/669\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/media?parent=669"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/categories?post=669"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/tags?post=669"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}