Alt Control IT » Switches

VLAN Trunking Protocol

James Gray — Fri, 15 Jan 2010 12:48:58 +0000

Most networks will have more than one switch. As a network administrator you don’t really want to have to go around and manually configure the VLAN information on each of these switches especially in a large environment. the switches in your network need to be aware of what VLANs have been configured on them. VTP or VLAN Trunking Protocol allows the switches within your network to share VLAN information between them. VTP is very easy to configure I am going to outline the steps in this post.

The first thing we need to do is configure the VTP mode. There are three different modes available when configuring VTP

Server – VLANs can be created deleted or modified VLAN configurations are stored in NVRAM
Client – VLANs cant be created deleted or modified
Transparent – VLANs can be created deleted or modified but VLAN information received from other switches within the network is ignored

In a large environment you should have two switches configured as VTP servers for redundancy. Start by logging into the switch and enter global configuration mode then change the VTP mode to Server as shown below (the default mode on a switch is server so this step might not be nessessary).

Switch(config)#vtp mode server

Now we need to configure the VTP domain by using the following command. Note that the domain name is case-sensitve.

Switch(config)#vtp domain ALTCONTROLIT

The next step is to configure a password for the VTP configuration this is also case-sensitive.

Switch(config)#vtp password PASSWORD

The next step is optional. VTP pruning reduces network bandwidth by reducing unnecessary flooded traffic.

Switch(config)#vtp pruning

The above will configure a VTP server, if you want to configure a VTP client you can use the steps below

Switch(config)#vtp mode client

Cisco Switch VLAN’s

James Gray — Sun, 10 Jan 2010 18:55:51 +0000

Switches have one broadcast domain by default, therefore a copy of a broadcast sent out by a host plugged into this switch will be received by all of the other attached hosts. The diagram below shows four hosts plugged into a switch.

VLANs allow you to do the following:

Group common network devices together and protect them by segregating them from other VLANs
Segment devices into smaller LANs creating smaller broadcast domains
Reduce the workload of Spanning Tree Protocol (STP) by limiting a VLAN to a single access switch
To separate traffic sent from IP phones and PCs

Without VLANs a switch considers all of its interfaces to be in the same broadcast domain, by default all interfaces are assigned to VLAN 1 this can be seen by running the following command on the switch

Switch#show vlan brief 
VLAN Name                             Status    Ports

——————————————————————————–

1    default                          active    Fa0/1, Fa0/2, Fa0/3, Fa0/4

                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8

                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12

                                                Fa0/13, Fa0/14, Fa0/15, Fa0/16

                                                Fa0/17, Fa0/18, Fa0/19, Fa0/20

                                                Fa0/21, Fa0/22, Fa0/23, Fa0/24

As you can see from the output above all of the ports are in VLAN1 and the name for this VLAN is default.

To put switch ports into separate VLANS you need to begin by making the ports access ports by using the command below in interface configuration mode.

Switch(config-if)#switchport mode access

The next command puts the port into the VLAN that you want

Switch(config-if)#switchport access vlan 13

% Access VLAN does not exist. Creating vlan 13

Note that the message states that VLAN 13 did not exist and has now been created. For this scenario I went and added the corresponding ports to the correct VLANs using the commands above making sure I put ports 2 and 4 into VLAN 24 my switch is now set up as shown below.

Please note that now we have two separate VLANs hosts 1 & 3 cant communicate with hosts 2 & 4 and vice versa. They can only communicate through a layer 3 device such as a router or a layer 3 switch. There is also a technique called Router on a Stick which I have discussed in another post.

The packet tracer file for this secnario can be downloaded below.

Cisco VLANs

Cisco Show Interface Command

James Gray — Mon, 21 Dec 2009 12:46:49 +0000

One of the most used Cisco commands is the show interfaces command. Running this command will give you an output of all the configurations on each of the interfaces on the switch or router. To show information for a particular interface you must put the interface number on the end of the command as shown below.

01: SW0#show interfaces fastEthernet 0/1
02: FastEthernet0/1 is up, line protocol is up (connected)
03:   Hardware is Lance, address is 0060.3e6b.0501 (bia 0060.3e6b.0501)
04:  BW 100000 Kbit, DLY 1000 usec,
05:      reliability 255/255, txload 1/255, rxload 1/255
06:   Encapsulation ARPA, loopback not set
07:   Keepalive set (10 sec)
08:   Full-duplex, 100Mb/s
09:   input flow-control is off, output flow-control is off
10:   ARP type: ARPA, ARP Timeout 04:00:00
11:   Last input 00:00:08, output 00:00:05, output hang never
12:   Last clearing of "show interface" counters never
13:   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
14:   Queueing strategy: fifo
15:   Output queue :0/40 (size/max)
16:   5 minute input rate 0 bits/sec, 0 packets/sec
17:   5 minute output rate 0 bits/sec, 0 packets/sec
18:      956 packets input, 193351 bytes, 0 no buffer
19:      Received 956 broadcasts, 0 runts, 0 giants, 0 throttles
20:      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
21:      0 watchdog, 0 multicast, 0 pause input
22:      0 input packets with dribble condition detected
23:      2357 packets output, 263570 bytes, 0 underruns
24:      0 output errors, 0 collisions, 10 interface resets
25:      0 babbles, 0 late collision, 0 deferred
26:      0 lost carrier, 0 no carrier
27:      0 output buffer failures, 0 output buffers swapped out

I have put line numbers in the output above so that I can discuss each of them as we go down the list.

01: SW0#show interfaces fastEthernet 0/1

Displays only the information about the configuration of Fast Ethernet port 1 in slot 0 on the switch (in this case a Catalyst 2950 with 24 ports).

02: FastEthernet0/1 is up, line protocol is up (connected)

Shows the current state of the interface FastEthernet0/1 is up, line protocol is up (connected) means that the interface is currently active and handling traffic normally. The output below indicates that the interface has been shut down and must be opened using the no shutdown command in interface configuration mode.

FastEthernet0/1 is administratively down, line protocol is down (disabled)

Another possible output on this line is shown below which indicates that there could be a physical problem with the interface, meaning that either there is no device attached or there is a problem with the cable.

FastEthernet0/1 is down, line protocol is down (disabled)

03: Hardware is Lance, address is 0060.3e6b.0501 (bia 0060.3e6b.0501)

Shows the hardware type and the MAC address of the port along with the BIA (Burned In Address) which will always be the same. The first port on the switch has the lowest MAC address in this case 0060.3e6b.0501. Below is the MAC address of port 2 on the switch.

Hardware is Lance, address is 0060.3e6b.0502 (bia 0060.3e6b.0502)

The MAC address of an interface can be changed by typing the commands shown below.

SW0#conf tEnter configuration commands, one per line.  End with CNTL/Z.
SW0(config)#int fa0/1
SW0(config-if)#mac-address 0000.0000.0001

04: BW 100000 Kbit, DLY 1000 usec,

Shows the Bandwidth (BW) in Kilobits and delay in micro seconds set on the interface. If this were a router the bandwidth command is used to communicate the capacity of the interface to different routing protocols, which then select the best path through a network.

05: reliability 255/255, txload 1/255, rxload 1/255

Shows the reliability of the interface as a fraction 255/255 is equal to 100% reliability this is calculated as an exponential average over a 5 minute period. txload is transmitted data and rxload is received data, again the display is out of 255 where 1/255 means that the link is practically idle as compared to 128/255 where the interface is handling 50% of traffic. Obviously if either txload or rxload are at 255/255 that means that the interface is completely saturated.

06: Encapsulation ARPA, loopback not set

Shows the encapsulation type set on the interface and whether there is a loopback set. Loopbacks are virtual interfaces that are always up and protocols such as BGP & OSPF make use of them they are a bit like the Windows loopback interface of 127.0.0.1.

07: Keepalive set (10 sec)

Shows the keepalive timer for the interface in seconds. The keepalive is the frequency at which the switch sends messages to itself (Ethernet) or to the other end (Auxiliary) to ensure a network interface is alive.

08: Full-duplex, 100Mb/s

Shows the duplex configured on the interface in this case its full-duplex which allows communication in both directions simultaneously unlike half-duplex which does not allow simultaneous communication.

09: input flow-control is off, output flow-control is off

Shows the flow control configured on the interfaces. Flow control enables connected Ethernet ports to control traffic rates during congestion by allowing congested nodes to pause link operation at the other end. It does this by sending the remote device a pause frame which when received the remote device stops sending data packets which prevents loss of data packets during the congestion period.

10: ARP type: ARPA, ARP Timeout 04:00:00

Shows the Address Resolution Protocol (ARP) type and the timeout for the protocol. The timeout is the time specified in seconds defining how long a dynamically learned IP address and its corresponding MAC address remain in the ARP cache.

11: Last input 00:00:08, output 00:00:05, output hang never

Shows the last input in the number of hours, minutes and seconds since the last packet was successfully received by an interface. It also shows the output which is the last time the interface successfully transmitted a packet. Output hang never is the time since the interface was last reset because of a transmission that took too long.

12: Last clearing of "show interface" counters never

Shows the last clearing of the show interface counters using the clear counters command.

13: Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Shows the input queue drops. When a packet enters the interface the switch attempts to forward it at interrupt level. If a match cannot be found in an appropriate cache table, the packet is queued on the input queue of the incoming interface to be processed. Some packets are always processed, but with the appropriate configuration and in stable networks, the rate of processed packets must never congest the input queue. If the input queue is full, the packet is dropped.

14: Queueing strategy: fifo

Displays the queuing strategy of the interface. Queuing is the process of sequencing packets before they leave a router interface normally packets leave in the order that they arrive or FIFO (First in first out) when the interface is set to this the interface does not prioritise voice or mission critical traffic.

15: Output queue :0/40 (size/max)

Shows the output queue drops. output drops are caused by a congested interface e.g. the traffic rate on the outgoing interface cannot accept all the packets that should be sent out.

16: 5 minute input rate 0 bits/sec, 0 packets/sec

Shows the input rate of packets for the last 5 minutes.

17: 5 minute output rate 0 bits/sec, 0 packets/sec

Shows the output rate of packets for the last 5 minutes.

18: 956 packets input, 193351 bytes, 0 no buffer

Shows the total amount of packets received on the interface.

19: Received 956 broadcasts, 0 runts, 0 giants, 0 throttles

Shows the amount of broadcasts received on the interface along with the number of Runts (packets with a size of less than 64 bytes and that have a bad CRC Cyclic Redundancy Check). It also shows the number of Giants received (packets that are over the maximum size of an Ethernet frame or over 1518 bytes with a bad FCS Frame Check Sequence). This line also shows the number of Throttles received. Throttles show the number of times the receiver on the port is disabled due to a buffer or processor overload. Throttles can be caused by IP packets with options, expired TTL, non-ARPA encapsulation, fragmentation, tunnelling, ICMP packets, packets with MTU checksum failure, RPF failure, IP checksum and length errors.

20: 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

Shows the number of input errors on the interface. This includes runts, giants, no buffer (the number of packets dropped because there is no free buffer to copy the packet), CRC (Cyclic Redundancy Check), frame, overruns (where the input rate of traffic exceeded the receivers ability to handle the data) and ignored counts (the number of packets ignored by the interface because the interface hardware ran low on internal buffers, this can be caused by broadcast storms and bursts of noise).

21: 0 watchdog, 0 multicast, 0 pause input

Shows the watchdog timeouts on the interface. The watchdog timer controls the time of each process. If the timer is not reset, a trap occurs, if a process is longer than it must be, the watchdog timer is used to escape from this process. It also shows the number of Multicast packets and Pause Input (where the connected device requests for a traffic pause when its receive buffer is almost full)

22: 0 input packets with dribble condition detected

Shows the input packets with dribble condition. A dribble bit error indicates that a frame is slightly too long however the switch will still accept the frame.

23: 2357 packets output, 263570 bytes, 0 underruns

Shows the number of output packets and the underruns on the interface. Underruns are the number of times that the transmitter has been run faster than the switch can handle. This can occur when the interface receives a high volume of bursty traffic from many other interfaces all at once.

24: 0 output errors, 0 collisions, 10 interface resets

Shows the number of output errors. Output errors are the sum of all errors that prevented the final transmission of datagram’s out of the interface. This can be caused by a low output queue size. It also shows the number of collisions on the interface which could be caused by a duplex mismatch. the number of interface resets shows the number of times the interface has been completely reset.

25: 0 babbles, 0 late collision, 0 deferred

Shows the number of babbles on the interface. Babbles indicate the transmit jabber time expired. A Jabber is a frame longer than 1518 octets, which does not end with an even number of octets (alignment error) or has a bad FCS error. It also shows the number of late collisions, late collisions occur when two devices transmit at the same time, and neither side of the connection detects a collision. A common cause of late collisions are the result of incorrect cabling or a non-compliant number of hubs in the network. Bad NICs can also cause late collisions. This line also shows the number of deferred frames, these are frames that have been transmitted successfully after waiting for the media, because the media was busy. This is usually seen in half duplex environments where the carrier is already in use when it tries to transmit a frame. In full duplex environments the issue occurs when the excessive load is destined for the switch.

26: 0 lost carrier, 0 no carrier

Shows the lost carrier counter. This is the number of times the carrier was lost in transmission, causes of this can be a bad cable. The No Carrier counter is the number of times the carrier was not present in the transmission similarly check for a bad cable.

27: 0 output buffer failures, 0 output buffers swapped out

Shows the output buffer failures/swapped out counters. Causes of this are when A port buffers the packets to the Tx buffer when the rate of traffic switched to the port is high and it cannot handle the amount of traffic. The port starts to drop the packets when the Tx buffer is full and thus increases the underruns and the output buffer failure counters. The increase in the output buffer failure counters can be a sign that the ports are run at an inferior speed and/or duplex, or there is too much traffic that goes through the port.

Cisco Password Recovery

James Gray — Thu, 22 Oct 2009 13:10:36 +0000

If you dont know what the enable password or enable secret password is on a router or switch you can reset it by using the information below.

Power cycle the router or switch and press Ctrl+Break on the keyboard whilst it is decompressing the image. This will put you into Rom Monitor mode with a rommon> prompt.

Self decompressing the image :

########

monitor: command “boot” aborted due to user interrupt

rommon 1 >

At the prompt enter confreg 0×2142 to change the configuration register and then restart the router/switch by using the reset command

rommon 1 > confreg 0×2142

rommon 2 > reset

Because we changed the configuration register to 0×2142 the router/switch will ignore the startup configurtion file stored in NVRAM and proceed to load setup mode. We now need to exit from setup mode and copy the startup configuration (that the router ignored) into the running configuration. Once we have done that we can use the enable secret command to set a new password, change the configuration register back to 0×2102 and then reload the router.

Continue with configuration dialog? [yes/no]: n

Press RETURN to get started! Router>en

Router#copy startup-config running-config

Destination filename [running-config]?

305 bytes copied in 0.416 secs (733 bytes/sec)

Router#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

Router(config)#enable secret altcontrolit

Router(config)#config-register 0×2102

 Router(config)#^Z

%SYS-5-CONFIG_I: Configured from console by console

Router#wr

Router#reload

Once the router/switch has reloaded we should now be able to log in using the new enable secret password.

Cisco Password Encryption

James Gray — Sun, 27 Sep 2009 11:56:20 +0000

By default the passwords on Cisco routers and switches are saved in the configuration unencrypted. The only password that gets encrypted is the enable secret one. to encrypt all passwords on a Cisco router or switch you have to use the command below.

R1(config)#service password-encryption

The passwords stored in the configuration of the router or switch will now be hashed. There are sites on the web though that can decipher the hashed password so make sure you lock the router or switch down!