Nguyễn Hoàng Vũ – NP11.03

CCNP Switch Command
Clearing a Switch

For a normal switch
1. > ena
2. # Delete flash:vlan.dat
3. # Erase startup-config
4. # Reload

For a switch that was connected to a larger network
1. > Ena
2. # Delete vlan.dat
3. # Erase startup-config
4. # Reload
5. # Show vlan brief
6. # Conf t
7. (config)# Interface range f0/1-24
8. (config-if-range)# Shutdown
9. (config)# Vtp mode transparent
Config Switch first
1. > Ena
2. # Conf t
3. (config)# Hostname Switch_Access2
4. (config)# enable secret class
5. (config)# line console 0
6. (config-line)# logging synch
7. (config-line)# exec-timeout 0 0
8. (config-line)# password cisco
9. (config-line)# login
10. (config)# enable secret cisco
11. (config)# line vty 0 15
12. (config-line)# password cisco
13. (config-line)#
Config Vlan-Vtp

Step1: show vlan
1. Show Vlan
2. Show vtp status
Step 1: config Vlan
1. (config)# interface vlan1
2. (config-if)# ip address 10.1.1.101 255.255.255.0
3. (config-if)# no shutdown
Step 2: config vtp
1. Vtp domain CCNP1103
2. Vtp version 2
3. Vtp mode server/client/transparent
4. Vtp password cisco123
Step 3: config interface mode
Trunk
1. Interface f0/6
2. Switchport trunk encapsulation dot1q
3. Switchport mode trunk
Access
1. Interface f0/1
2. Switchport mode access
Show:
1. show interface F0/7 switchport
2. show interface trunk
Step4: configure vlan in configuration mode
1. (config)# Vlan 20
2. (config-vlan)# Name Server-1
3. (config)# Interface f0/6
4. (config-if)# Switchport access vlan 20
modified vlan
• Vlan 120
• Shutdown
• No shutdown
• State active
Config EtherChannel
Step 1: config basic switch parameter
1. Conf t
2. (config)# Interface range f0/7-12
3. (config-if-range)# Switchport trunk encapsulation dot1q
4. (config-if-range)# Switchport mode trunk
Step 2: configure EtherChannel with Cisco PAgP
1. (config)# Interface range f0/7-12
2. (config-if-range)# Channel-group 1 mode desirable
3. (config)# interface port-channel 1
4. (config-if)# switchport mode trunk
Step 3: configure Layer 3 EtherChannel
1. (config)# Interface range fastethernet 0/11-12
2. (config-if-range)# No switchport
3. (config-if-range)# Channel-group 3 mode desirable
4. (config-if-range)# Interface port-channel 3
5. (config-if)# No switchport
6. (config-if)# Ip address 10.0.0.1 255.255.255.0
Step 4: configure load balancing
1. (config)# Port-channel load-balance src-dst-mac
2. # show etherchannel load-balance
Configuration Spanning-tree
basic
Step1: prepare the switches for the lab:
1. (config)# Interface range fastethernet 0/7-12
2. (config-if-range)# Switchport trunk encapsulation dot1q
3. (config-if-range)# Switchport mode trunk
Step 2: configure specific switch to be primary and secondary root
1. # debug spanning-tree events
2. DSL1 (config)# spanning-tree vlan 1 root primary
3. ADSL (config)# spanning-tree vlan 1 root secondary
4. # show run | include span
Step 3: change the root port using the spanning-tree
1. (config)# int f0/12
2. (config-if)# spanning-tree port-priority 112
3. (config)# int f0/6
4. (config-if)# spanning-tree cost 10
Step 5: config portfast on an access port
1. (config)# int f0/6
2. (config-if)# switchport mode access
3. (config-if)# no shut
4. (config-if)# int f0/6
5. (config-if)# spanning-tree portfast
PVST students
step1: prepare the switches on the lab
1. (config)# int range f0/7-12
2. (config-if-range)# switchport trunk encapsulation dot1q
3. (config-if-range)# switchport mode trunk
step 2: config VLAN
step3: assign a root switch of each vlan
1. (config)# spanning-tree vlan 10 priority 4096
Step 3: config RSTP
1. (config)# spanning-tree mode rapid-pvst
Configure MST
Step1: prepare the switches for the lab
1. (config)# Interface range fastethernet 0/7-12
2. (config-if-range)# Switchport trunk encapsulation dot1q
3. (config-if-range)# Switchport mode trunk
Step2: configure VTP and Vlans
1. (config)# Vtp mode transparent
2. (config)# vtp domain Cisco
Step 3: configure MST globally
1. (config)# spanning-tree mode mst
Step 4: config the MST region and instance
1. (config)# spanning-tree mst configuration
2. (config-mst)# name CISCO
3. (config-mst)# revision 1
4. (config-mst)# instance 1 vlan 20-50
Show command
1. (config-mst)# show current
2. (config-mst)# show pending
3. # show span mst configuration
4. # show spanning-tree
5. # show interface trunk
6. # show spanning-tree root
7. # debug spanning-tree events
Configure Inter-Vlan
Step 3: configure the route
1. (config)# hostname ISP
2. (config)# int s0/1
3. (config-if)# ip address 192.168.1.2 255.255.255.0
4. (config-if)# clock rate 64000
5. (config-if)# no shutdown
6. (config)# ip route 172.16.0.0 255.255.0.0 192.168.1.1
Step4: configure the switches
1. (config)# int vlan 1
2. (config-if)# ip address 172.16.1.101 255.255.255.0
3. (config-if)# no shutdown
4. (config-if)# exit
5. (config)# ip default-gateway 172.16.1.1
Step 6: configure trunk links and EtherChannel on switches
1. (config)# int range f0/7-12
2. (config-if-range)# switchport mode trunk
3. (config-if-range)# channel-group 1 mode desirable
4. (config-if-range)# end
5. # show etherchannel 1 summary
Step 7: config VTP and Vlan
Step 8: config access port with PortFast
1. (config)# int f0/6
2. (config-if)# switchport mode access
3. (config-if)# switchport access vlan 100
4. (config-if)# spanning-tree portfast
Step 10: config the gateway router FastEthernet interface for VLAN trunking
1. (config)# interface f0/1.1
2. (config-subif)# description management VLan1
3. (config-subif)# encapsulation dot1q 1 native
4. (config-subif)# ip address 172.16.1.1 255.255.255.0
Config HSRP
1. Step 1: prepare the switch for the lab
2. Step 2: configure the host IP settings
3. Step 3: configure basic parameters
4. Step 4: configure trunks and EtherChannel between switches
5. Step 5: configure vtp on adls
6. Step 6: configure vtp on dsl
7. Step 7: configure access port PortFast
Step 8: configure HSRP interface and enable routing
1. (config)# ip routing
2. (config)# interface vlan 1
3. (config-if)# standby 1 ip 172.16.1.1
4. (config-if)# standby 1 preempt
5. (config-if)# standby 1 priority 150
6. (config-if)# exit
Step9: verify the HSRP configuration
1. # Show standby
2. # Show standby brief
Configure SLA campus
Step1: prepare the switches for the lab
Step2: config the host PCs
Step3: config basic parameter switches
• configure the hostname, password and optionally, remote access
• configure a management IP address on VLAN 1
o (config)# int vlan1
o (config-if)# ip address 172.1.16.10 255.255.255.0
o (config-if)# no shut
• config default gateway
o (config)# ip default-gateway 172.16.1.1
Step 4: config trunks and EtherChannel between switches
Step 5&6: config VLAN and VTP
Step 7: config access port
Step 8: config VLAN interface and enable routing
• (config)# int vlan 100
• (config-if)# ip address 10.172.16.1 255.255.255.0
• (config)# ip routing

Step9: configure cisco IP SLA responders
• (config)# ip sla responder
• (config)# ip sla responder udp-echo ipaddress 172.16.1.1 port 5000
Step 10: configure Cisco IOS IP SLA source to measure network performance
1. (config)# ip sla 1
2. (config-ip-sla)# icmp-echo 172.16.100.101
3. (config-ip-sla)# exit
4. (config)# ip sla schedule 1 life forever start-time now
Step11: monitor ip sla operation
1. # show ip sla configuration 1
2. # show ip sla application
3. # show ip sla responder
4. # show ip sla statistics 1
Securing layer 2
Step 1: prepare the switch for the lab
Step 2: configure the basic parameter and trunking
• (config)# hostname ADLS1
• (config)# enable secret class
• (config)# line vty 0 15
• (config-line)# password cisco
• (config-line)# login
• (config-line)# exit

o (config)# interface vlan 1
o (config-if)# ip address 172.16.101.1 255.255.255.0
o (config-if)# no shutdown
o (config-if)# exit
o (config)# ip default-gateway 172.16.1.1
o (config)# int range f0/7-12
o (config-if-range)# switchport mode trunk
Step 3: configure vtp on adsl1 and adsl2
Step 4: configure IP routing, the VLANs, VLAN SVIs, HSRP
a) config VTP, VLAN, and IP routing
o (config)# vtp domain SPWOD
o (config)# vtp version 2
o (config)# vlan 100
o (config-vlan)# name staff
o (config-vlan)# exit
o (config)# ip routing
b) config switch virtual interfaces (SVIs) and HSRP
o (config)# int vlan 1
o (config-if)# standby 1 ip 172.16.1.1
o (config-if)# standby 1 preempt
o (config-if)# standby 1 priority 150
c) verify
o show vlan brief
o show vtp status
o show standby brief
o show ip route
Step 6: config port-security
a) By default, issuing the switchport port-security command by itself sets the maximum
number of MAC addresses to 1, and the violation mode to shutdown. It is not necessary
to specify the maximum number of addresses, unless it is greater than 1.
o ALS2(config)# interface range fastethernet 0/15 - 24
o ALS2(config-if-range)# switchport port-security
b) Verify
o show port-security
c) Enter the configuration of the staff
o (config)# int range f0/15-24
o (config-if-range)# switchport port-security
o (config-if-range)# switchport port-security maximum 2
o (config-if-range)# switchport port-security mac-address sticky
Step 7: config DHCP snooping
a) enable to trust DHCP relay information
• (config)# ip dhcp relay information trust-all
b) config switches to trust DHCP on the trunk port
• ALS1(config)# ip dhcp snooping
• ALS1(config)# interface range fastethernet 0/7 - 12
• ALS1(config-if-range)# ip dhcp snooping trust
• ALS1(config-if-range)# exit
• ALS1(config)# interface range fastethernet 0/15 - 24
• ALS1(config-if-range)# ip dhcp snooping limit rate 20
• ALS1(config-if-range)# exit
• ALS1(config)# ip dhcp snooping vlan 100,200
Step 8: config AAA
• (config)# username vu password cisco
• (config)# aaa new-model
• (config)# aaa authentication dot1x default local
• (config)# dot1x system-auth-control
• (config)# int range f0/15-24
• (config-if-range)# dot1x port-control auto
Securing Spanning Tree Protocol
Step 1: load or verify the configuration
Step 2: config the primary and secondary root bridges for the VLANs
a) command
• (config)# spanning-tree vlan 1,100 root primary
• (config)# spanning-tree vlan 20 root secondary
b) verify: show spanning-tree
Step 3: configure root guard
• (config)# int range f0/13-14
• (config-if-range)# spanning-tree guard root
Step 4: demonstrate root guard functionality
a) command show
• show spanning-tree vlan 1
• show spanning-tree inconsistentports
b) undo
• (config-if)# no spanning-tree guard root
Step 5: config BPDU guard
• (config)# spanning-tree portfast bpduguard default
• show spanning-tree summary
Step 6: enable broadcast storm control on trunk port
• (config)# int f0/7
• (config-if)# storm-control broadcast level 50
• show running-config interface
Step 7: configure UDLD
• (config)# int range f0/1-24
• (config-if-range)# udld port aggressive
• (config)# udld enable
• show udld f0/15
Securing VLAN
Step 1: verify configuration from switches
• show vlan
• show interface trunk
• show standby brief
Step 2: configure private VLAN
a) config HSRP
• (config)# vlan 50
• (config-vlan)# name server-farm
• (config)# int f0/5
• (config-if)# ip address 10.172.16.1 255.255.255.0
• (config-if)# standby 1 ip 10.172.16.3
• (config-if)# standby 1 priority 100
• (config-if)# standby 1 preempt
• show standby vlan 150 brief
b) config vlan
• (config)# vlan 151
• (config-vlan)# private-vlan isolated
• (config)# vlan 150
• (config-vlan)# private-vlan community
• (config)# vlan 152
• (config-vlan)# private-vlan primary
• (config-vlan)# private-vlan association 150,151
c) the VLAN mapping
• (config)# int vlan 152
• (config-if)# private-vlan mapping 150-151
d) The switchport mode private-vlan host-association
• (config)# int range f0/18-20
• (config-if-range)# switchport mode private-vlan host
• (config-if-range)# switchport private-vlan host-association 152 151
Step 3: configure RACLs between VLANs
a) config access list
• DLS1(config)# access-list 100 permit tcp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 established
• DLS1(config)# access-list 100 permit icmp 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255 echo-reply
• DLS1(config)# access-list 100 deny ip 172.16.200.0 0.0.0.255 172.16.100.0 0.0.0.255
• DLS1(config)# access-list 100 permit ip any any
• DLS1(config)# interface vlan 100
• DLS1(config-if)# ip access-group 100 in
• DLS1(config)# interface vlan 200
• DLS1(config-if)# ip access-group 100 in
b) show command
• show access-lists
• show ip interface vlan 100
c) ip vlan
• (config)# int vlan 100
• (config-if)# ip address 172.16.100.100 255.255.255.0
d) verify
• ping 172.16.100.1 source vl100
Step 4: configure VACLs
a) configure access list
• (config)# ip access-list extended temp-host
• (config-ext-nacl)# permit ip host 172.16.100.150 172.16.100.0 0.0.0.255
b) configure vlan access map
• (config)# vlan access-map block-temp 10
• (config-access-map)# match ip address temp-host
• (config-access-map)# action drop
• (config-access-map)# vlan access-map block-temp 20
• (config-access-map)# action forward
c) define vlan filter
• (config)# vlan filter block-temp vlan-list 100
d) show command
• show vlan access-map

Switch IP telephone student
Step 1: prepare the switches lab
Step 2: config the basic parameter
Step 3: config the trunk and EtherChannel
Step 4: config VTP and VLAN
Step 5: config IP routing, VLAN SVIs, HSRP
Step 7: config access ports to trust IP phone CoS
• (config)# int range f0/15-24
• (config-if-range)# switchport mode access
• (config-if-range)# switchport access vlan 10
• (config-if-range)# switchport voice vlan 20
• (config-if-range)# auto qos voip cisco-phone
Step 9: config the distribution layer switches to trust access layer
• (config)# mls qos
• (config)# int range f0/15-24
• (config-if-range)# auto qos voip trust
Step 10: manually assign access layer CoS for the camera
• (config)# int f0/5
• (config-if)# switchport mode access
• (config-if)# switchport access vlan 100
• (config-if)# mls qos trust cos
• (config-if)# mls qos cos 3
• show mls qos cos interface