How To Set Up Ethernet Wall Ports
Configuring Ethernet Switch Ports
This affiliate gives an overview of configuration tasks for the Gigabit Ethernet (GE) switch on the Cisco 800M Serial ISR.
This chapter contains the following sections:
- Configuring VLANs
- Configuring VTP
- Configuring 802.1x Authentication
- Configuring Spanning Tree Protocol
- Configuring MAC Address Table Manipulation
- Configuring MAC Accost Notification Traps
- Configuring the Switched Port Analyzer
- Configuring IGMP Snooping
- Configuring Per-Port Storm Command
- Configuring HSRP
- Configuring VRRP
Configuring VLANs
A VLAN is a switched network that is logically segmented by function, projection team, or application, without regard to the physical locations of the users. VLANs have the same attributes equally physical LANs, merely y'all can grouping end stations even if they are non physically located on the same LAN segment. Any switch port can belong to a VLAN, and unicast, broadcast, and multicast packets are forwarded and flooded but to end stations in the VLAN. Each VLAN is considered a logical network, and packets destined for stations that do not vest to the VLAN must exist forwarded through a router. A VLAN is a switched network that is logically segmented by function, project team, or application, without regard to the concrete locations of the users. VLANs have the same attributes as physical LANs, but you can grouping end stations even if they are not physically located on the same LAN segment. Any switch port tin can belong to a VLAN, and unicast, circulate, and multicast packets are forwarded and flooded merely to stop stations in the VLAN. Each VLAN is considered a logical network, and packets destined for stations that do not belong to the VLAN must be forwarded through a router.
For detailed information on VLANs, meet the following web link:
http://world wide web.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/15-0_2_se/configuration/guide/scg3750/swvlan.html
For a sample VLAN configuration, come across "Case: VLAN configuration".
Example: VLAN configuration
The post-obit example shows how to configure inter-VLAN routing:
Configuring VTP
VTP is a Layer two messaging protocol that maintains VLAN configuration consistency by managing the addition, deletion, and renaming of VLANs on a network-wide basis. VTP minimizes misconfigurations and configuration inconsistencies that can cause several problems, such as duplicate VLAN names, incorrect VLAN-blazon specifications, and security violations.
Before you lot create VLANs, you must decide whether to use VTP in your network. Using VTP, you can make configuration changes centrally on one or more switches and have those changes automatically communicated to all the other switches in the network. Without VTP, you cannot send information about VLANs to other switches.VTP is designed to work in an environment where updates are made on a single switch and are sent through VTP to other switches in the domain. It does not piece of work well in a state of affairs where multiple updates to the VLAN database occur simultaneously on switches in the aforementioned domain, which would issue in an inconsistency in the VLAN database.
You should understand the following concepts for configuring VTP.
- VTP domain: A VTP domain (also called a VLAN management domain) consists of one switch or several interconnected switches or switch stacks nether the same authoritative responsibility sharing the same VTP domain proper name. A switch can be in merely one VTP domain. You make global VLAN configuration changes for the domain.
- VTP server: In VTP server mode, you tin create, modify, and delete VLANs, and specify other configuration parameters (such as the VTP version) for the entire VTP domain. VTP servers advertise their VLAN configurations to other switches in the same VTP domain and synchronize their VLAN configurations with other switches based on advertisements received over trunk links.VTP server is the default mode.
- VTP customer: A VTP client behaves like a VTP server and transmits and receives VTP updates on its trunks, just you lot cannot create, change, or delete VLANs on a VTP customer. VLANs are configured on another switch in the domain that is in server mode.
- VTP transparent: VTP transparent switches do non participate in VTP. A VTP transparent switch does not advertise its VLAN configuration and does not synchronize its VLAN configuration based on received advertisements. However, in VTP version 2 or version 3, transparent switches do forward VTP advertisements that they receive from other switches through their trunk interfaces. You can create, modify, and delete VLANs on a switch in VTP transparent mode.
For detailed information on VTP, see the post-obit web link:
http://www.cisco.com/c/en/u.s./td/docs/switches/lan/catalyst3750/software/release/15-0_2_se/configuration/guide/scg3750/swvtp.html
For a sample VTP configuration, see "Instance: Configuring VTP".
Case: Configuring VTP
The following example shows how to configure the switch equally a VTP server:
The following case shows how to configure the switch as a VTP client:
The post-obit example shows how to configure the switch as VTP transparent:
Configuring 802.1x Authentication
IEEE 802.1x port-based authentication defines a client-server-based admission control and hallmark protocol to prevent unauthorized clients from connecting to a LAN through publicly accessible ports.The hallmark server authenticates each client connected to a switch port before allowing access to any switch or LAN services. Until the client is authenticated, IEEE 802.1x access control allows only Extensible Hallmark Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the customer is continued. Later on hallmark, normal traffic passes through the port.
With IEEE 802.1x authentication, the devices in the network take specific roles:
- Supplicant—Device (workstation) that requests access to the LAN and switch services and responds to requests from the router. The workstation must be running IEEE 802.1x-compliant client software such as that offered in the Microsoft Windows XP operating system. (The supplicant is sometimes called the client.)
- Authentication server—Device that performs the actual authentication of the supplicant. The authentication server validates the identity of the supplicant and notifies the router whether or not the supplicant is authorized to access the LAN and switch services. The Network Access Device (or Cisco ISR router in this instance) transparently passes the authentication letters between the supplicant and the authentication server, and the authentication process is carried out between the supplicant and the hallmark server. The item EAP method used will be decided betwixt the supplicant and the authentication server (RADIUS server). The RADIUS security organization with EAP extensions is bachelor in Cisco Secure Access Control Server Version iii.0 or afterwards. RADIUS operates in a client and server model in which secure authentication information is exchanged between the RADIUS server and one or more than RADIUS clients.
- Authenticator—Router that controls the concrete access to the network based on the authentication status of the supplicant. The router acts equally an intermediary between the supplicant and the authentication server, requesting identity data from the supplicant, verifying that data with the authentication server, and relaying a response to the supplicant. The router includes the RADIUS client, which is responsible for encapsulating and decapsulating the EAP frames and interacting with the authentication server.
For detailed information on how to configure 802.1x port-based authentication, come across the post-obit link:
http://world wide web.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_8021x/configuration/15-mt/sec-user-8021x-15-mt-book/config-ieee-802x-pba.html
For a sample 802.1x authentication configuration run into "Case: Enabling IEEE 802.1x and AAA on a Switch Port".
Example: Enabling IEEE 802.1x and AAA on a Switch Port
This case shows how to configure Cisco 800M series ISR as 802.1x authenticator.
Configuring Spanning Tree Protocol
Spanning Tree Protocol (STP) is a Layer 2 link management protocol that provides path redundancy while preventing loops in the network. For a Layer ii Ethernet network to function properly, just one active path can exist between any ii stations. Multiple active paths amongst finish stations crusade loops in the network. If a loop exists in the network, terminate stations might receive indistinguishable letters. Switches might too acquire end-station MAC addresses on multiple Layer 2 interfaces. These weather condition event in an unstable network. Spanning-tree performance is transparent to end stations, which cannot detect whether they are connected to a single LAN segment or a switched LAN of multiple segments.
The STP uses a spanning-tree algorithm to select ane switch of a redundantly connected network every bit the root of the spanning tree. The algorithm calculates the best loop-free path through a switched Layer 2 network past assigning a function to each port based on the function of the port in the agile topology:
- Root—A forwarding port elected for the spanning-tree topology
- Designated—A forwarding port elected for every switched LAN segment
- Alternate—A blocked port providing an alternate path to the root bridge in the spanning tree
- Backup—A blocked port in a loopback configuration
The switch that has all of its ports equally the designated role or as the fill-in role is the root switch. The switch that has at least 1 of its ports in the designated role is called the designated switch.Spanning tree forces redundant data paths into a standby (blocked) state. If a network segment in the spanning tree fails and a redundant path exists, the spanning-tree algorithm recalculates the spanning-tree topology and activates the standby path. Switches send and receive spanning-tree frames, called bridge protocol data units (BPDUs), at regular intervals. The switches do not forward these frames but use them to construct a loop-gratis path. BPDUs contain data about the sending switch and its ports, including switch and MAC addresses, switch priority, port priority, and path cost. Spanning tree uses this information to elect the root switch and root port for the switched network and the root port and designated port for each switched segment.
When two ports on a switch are part of a loop, the spanning-tree port priority and path cost settings control which port is put in the forwarding state and which is put in the blocking state. The spanning-tree port priority value represents the location of a port in the network topology and how well it is located to pass traffic. The path cost value represents the media speed.
For detailed configuration data on STP see the following link:
http://www.cisco.com/c/en/usa/td/docs/switches/lan/catalyst3750/software/release/15-0_2_se/configuration/guide/scg3750/swstp.html
For configuration examples, encounter "Case: Spanning Tree Protocol Configuration".
Case: Spanning Tree Protocol Configuration
The following example shows configuring spanning-tree port priority of a Gigabit Ethernet interface. If a loop occurs, spanning tree uses the port priority when selecting an interface to put in the forwarding country.
The post-obit instance shows how to change the spanning-tree port cost of a Gigabit Ethernet interface. If a loop occurs, spanning tree uses cost when selecting an interface to put in the forwarding land.
Router(config-if)# cease
The following example shows configuring the bridge priority of VLAN x to 33792:
The following case shows configuring the hello fourth dimension for VLAN 10 being configured to vii seconds. The howdy time is the interval between the generation of configuration messages by the root switch.
The following example shows configuring maximum age interval for the spanning tree. The maximum-aging fourth dimension is the number of seconds a switch waits without receiving spanning-tree configuration messages before attempting a reconfiguration.
The following instance shows the switch beingness configured as the root bridge for VLAN 10, with a network bore of 4.
Configuring MAC Accost Table Manipulation
The MAC address table contains address data that the switch uses to forward traffic betwixt ports. All MAC addresses in the accost table are associated with i or more ports. The address table includes these types of addresses:
- Dynamic address: a source MAC address that the switch learns and so drops when it is not in use. You tin can employ the aging time setting to ascertain how long the switch retains unseen addresses in the table.
- Static address: a manually entered unicast address that does not age and that is not lost when the switch resets.
The address tabular array lists the destination MAC address, the associated VLAN ID, and port number associated with the address and the type (static or dynamic).
Meet the "Example: MAC Address Table Manipulation" for sample configurations for enabling secure MAC address, creating a statc entry, set up the maximum number of secure MAC addresses and set the crumbling fourth dimension.
For detailed configuration information on MAC address table manipulation run across the following link:
http://www.cisco.com/c/en/us/td/docs/routers/access/interfaces/software/characteristic/guide/geshwic_cfg.html#wp1048223
Example: MAC Address Tabular array Manipulation
The following case shows configuration for enabling secure MAC address option on the port.
The following example shows creating a static entry in the MAC address table.
The post-obit case shows setting the aging timer.
Router(config)# cease
Configuring MAC Address Notification Traps
MAC address notification enables you to runway users on a network by storing the MAC accost activity on the switch. Whenever the switch learns or removes a MAC address, an SNMP notification can be generated and sent to the network direction system (NMS). If y'all take many users coming and going from the network, you can set a trap interval time to packet the notification traps and reduce network traffic. The MAC notification history table stores the MAC address activity for each hardware port for which the trap is enabled. MAC address notifications are generated for dynamic and secure MAC addresses; events are not generated for self addresses, multicast addresses, or other static addresses.
For configuration examples, see "Example: Configuring MAC Accost Notification Traps".
Example: Configuring MAC Accost Notification Traps
This example shows how to enable the MAC notification trap when a MAC accost is added to the interface:
This example shows how to enable the MAC notification trap when a MAC address is removed from this interface.
Configuring the Switched Port Analyzer
You can clarify network traffic passing through ports or VLANs by using Span or RSPAN to transport a copy of the traffic to another port on the switch or on another switch that has been connected to a network analyzer or other monitoring or security device. SPAN copies (or mirrors) traffic received or sent (or both) on source ports or source VLANs to a destination port for assay. Span does not affect the switching of network traffic on the source ports or VLANs. You must dedicate the destination port for Span use. Except for traffic that is required for the SPAN or RSPAN session, destination ports do not receive or forwards traffic.
But traffic that enters or leaves source ports or traffic that enters or leaves source VLANs can be monitored by using Bridge; traffic routed to a source VLAN cannot be monitored. For example, if incoming traffic is existence monitored, traffic that gets routed from some other VLAN to the source VLAN cannot be monitored; however, traffic that is received on the source VLAN and routed to another VLAN tin exist monitored.
See Case: Bridge Configuration for Span configuration examples.
For detailed information on how to configure a switched port analyzer (SPAN) session, see the following web link:
http://world wide web.cisco.com/c/en/the states/td/docs/switches/lan/catalyst3750/software/release/xv-0_2_se/configuration/guide/scg3750/swspan.html
Example: SPAN Configuration
The following example shows how to configure a SPAN session to monitor bidirectional traffic from a Gigabit Ethernet source interface:
The following example shows how to configure a gigabit ethernet interface as the destination for a Span session:
Router(config)# finish
The following example shows how to remove gigabit ethernet every bit a SPAN source for SPAN session 1:
Router(config)# end
Configuring IGMP Snooping
IGMP snooping constrains the flooding of multicast traffic past dynamically configuring Layer ii interfaces so that multicast traffic is forwarded to only those interfaces associated with IP multicast devices. Every bit the proper name implies, IGMP snooping requires the LAN switch to snoop on the IGMP transmissions between the host and the router and to keep track of multicast groups and member ports. When the switch receives an IGMP written report from a host for a detail multicast group, the switch adds the host port number to the forwarding table entry; when it receives an IGMP Leave Group message from a host, it removes the host port from the tabular array entry. It also periodically deletes entries if it does not receive IGMP membership reports from the multicast clients.
The multicast router sends out periodic full general queries to all VLANs. All hosts interested in this multicast traffic send join requests and are added to the forwarding table entry. The switch creates one entry per VLAN in the IGMP snooping IP multicast forwarding table for each group from which it receives an IGMP join request.
By default, IGMP snooping is globally enabled. When globally enabled or disabled, information technology is besides enabled or disabled in all existing VLAN interfaces. Past default, IGMP snooping is enabled on all VLANs, but it tin be enabled and disabled on a per-VLAN basis. Global IGMP snooping overrides the per-VLAN IGMP snooping capability. If global snooping is disabled, yous cannot enable VLAN snooping. If global snooping is enabled, you lot can enable or disable snooping on a VLAN basis.
See the "Example: Configuring IGMP Snooping" for a sample configuration on IGMP snooping.
Example: Configuring IGMP Snooping
The post-obit example shows how to enable IGMP snooping on a VLAN interface.
Router# end
The following case shows how to enable a static connection to a multicast router.
The following example shows how to add a port every bit a member of a multicast grouping. Ports unremarkably join multicast groups through the IGMP report message, but you can also statically configure a port as a fellow member of a multicast group.
Router# end
Configuring Per-Port Tempest Control
Tempest command prevents traffic on a LAN from being disrupted past a broadcast, a multicast, or a unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network operation. Errors in the protocol-stack implementation, mistakes in the network configuration, or users issuing a deprival-of-service attack can cause a storm.
Storm command (or traffic suppression) monitors packets passing from an interface to the switching bus and determines if the packet is unicast, multicast, or circulate. The switch counts the number of packets of a specified type received within the i-second fourth dimension interval and compares the measurement with a predefined suppression-level threshold.
Storm control uses one of these methods to measure traffic action:
- Bandwidth as a percentage of the total available bandwidth of the port that can exist used by the circulate, multicast, or unicast traffic
- Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received
With either method, the port blocks traffic when the rising threshold is reached. The port remains blocked until the traffic rate drops below the falling threshold (if one is specified) and and so resumes normal forwarding. If the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops beneath the rising suppression level. In general, the higher the level, the less effective the protection confronting broadcast storms.
Note 
In C800M platform, when you lot configure the storm-control activeness shutdown control, the land of the port changes to administratively downwards. Use the no shutdown command to manually revert the state of the port.
Meet the "Example: Per-Port Tempest-Control" for a sample configuration on per-port tempest control.
Example: Per-Port Storm-Control
The following example shows bandwidth-based multicast tempest control being enabled at 70 percent on Gigabit Ethernet interface.
Configuring HSRP
The Hot Standby Router Protocol (HSRP) is Cisco'south standard method of providing high network availability by providing first-hop redundancy for IP hosts on an IEEE 802 LAN configured with a default gateway IP address. HSRP routes IP traffic without relying on the availability of whatever single router. It enables a set of router interfaces to piece of work together to present the appearance of a single virtual router or default gateway to the hosts on a LAN. When HSRP is configured on a network or segment, it provides a virtual Media Access Control (MAC) address and an IP address that is shared among a group of configured routers. HSRP allows two or more HSRP-configured routers to employ the MAC address and IP network address of a virtual router. The virtual router does not exist; it represents the common target for routers that are configured to provide backup to each other. One of the routers is selected to be the active router and another to be the standby router, which assumes control of the group MAC address and IP address should the designated agile router fail.
HSRP uses a priority mechanism to decide which HSRP configured device is to exist the default active device. To configure a device equally the agile device, you assign it a priority that is college than the priority of all the other HSRP-configured devices. The default priority is 100, so if you configure just ane device to take a higher priority, that device will be the default active device. In instance of ties, the master IP addresses are compared, and the higher IP address has priority. If you practice not use the standby preempt interface configuration command in the configuration for a router, that router volition not become the active router, even if its priority is higher than all other routers.
For more data near configuring HSRP, come across the following link:
http://www.cisco.com/c/en/united states/td/docs/ios-xml/ios/ipapp_fhrp/configuration/15-mt/fhp-15-mt-book/fhp-hsrp.html
For a sample HSRP configuration, run into "Instance: Configuring HSRP"
Example: Configuring HSRP
In this example, Router A is configured to be the active device for group 1 and standby device for grouping 2. Device B is configured every bit the active device for group 2 and standby device for group 1.
Configuring VRRP
The Virtual Router Redundancy Protocol (VRRP) is an election protocol that dynamically assigns responsibility for one or more virtual routers to the VRRP routers on a LAN, assuasive several routers on a multiaccess link to utilize the same virtual IP address. A VRRP router is configured to run the VRRP protocol in conjunction with i or more other routers attached to a LAN. In a VRRP configuration, i router is elected as the virtual router master, with the other routers acting as backups in case the virtual router master fails.
An important aspect of the VRRP is VRRP router priority. Priority determines the role that each VRRP router plays and what happens if the virtual router primary fails. If a VRRP router owns the IP address of the virtual router and the IP address of the physical interface, this router will function as a virtual router master. Priority too determines if a VRRP router functions as a virtual router fill-in and the guild of clout to becoming a virtual router principal if the virtual router principal fails. Yous can configure the priority of each virtual router backup using the vrrp priority command.
By default, a preemptive scheme is enabled whereby a higher priority virtual router fill-in that becomes available takes over for the virtual router backup that was elected to become virtual router master. Y'all tin disable this preemptive scheme using the no vrrp preempt command. If preemption is disabled, the virtual router backup that is elected to get virtual router master remains the master until the original virtual router principal recovers and becomes main again.
The virtual router principal sends VRRP advertisements to other VRRP routers in the same grouping. The advertisements communicate the priority and land of the virtual router master. The VRRP advertisements are encapsulated in IP packets and sent to the IP Version 4 multicast address assigned to the VRRP group. The advertisements are sent every second past default; the interval is configurable.
For more than information on VRRP, see the following link:
http://www.cisco.com/c/en/u.s.a./td/docs/ios-xml/ios/ipapp_fhrp/configuration/xv-mt/fhp-fifteen-mt-book/fhp-vrrp.html
For a sample VRRP configuration, run across "Example: Configuring VRRP".
Example: Configuring VRRP
In the post-obit example, Router A and Router B each belong to 2 VRRP groups, group1 and group 5. In this configuration, each group has the following properties:
Group 1:
- Virtual IP address is 10.ane.0.10.
- Router A will become the chief for this group with priority 120.
- Advertisement interval is 3 seconds.
- Preemption is enabled.
Group v:
- Router B will become the master for this grouping with priority 200.
- Advertising interval is 30 seconds.
- Preemption is enabled.
RouterA(config-if)# no shutdown
RouterA(config-if)# end
Source: https://www.cisco.com/c/en/us/td/docs/routers/access/800M/software/800MSCG/vlanconf.html
0 Response to "How To Set Up Ethernet Wall Ports"
Post a Comment