Perform Basic Switch Configurations

Configure the switch hostname.

Set the console line timeout. By default the router logs the session out after 5 minutes of inactivity; to change that time (here to 4 minutes 30 seconds), or to disable the timeout entirely:

Router(config)#line console 0
Router(config-line)#exec-timeout 4 30
Router(config-line)#no exec-timeout

Synchronize log messages with the command line so that console output does not get scattered through what you are typing:

Router(config-line)#logging synchronous

Disable DNS lookup. If we type a wrong command, the router tries to resolve it as a hostname and a DNS broadcast occurs on the network:

Router(config)#no ip domain lookup

Configure a password of cisco for console connections.

Type 6 encryption replaces service password-encryption and will encrypt present and future plaintext (type 0) and type 7 encrypted passwords; however, it will not encrypt the enable password or enable secret.

Router(config)#line console 0
Router(config-line)#login local

To enable a Type 8 privileged EXEC mode password:
Router(config)#enable algorithm-type sha256 secret P@ss2020

To create a local user account with a Type 8 password:
Router(config)#username bob algorithm-type sha256 secret P@ss2020

Configure a password of cisco for vty connections (SSH version 2).

Router#show ip interface brief

---VLAN------------
Create VLANs 10 (server), 20, 30, 40.
Assign switch ports to a VLAN.
Assign the management VLAN.
Verify the VLAN configuration: #show vlan brief
Enable trunking on inter-switch connections: (config-if)#switchport mode trunk, (config-if)#switchport trunk native vlan 99
To not allow all VLANs on your trunk link: SwitchB(config-if)#switchport trunk allowed vlan remove 1-4094, then SwitchB(config-if)#switchport trunk allowed vlan add 1-50
Verify the trunk configuration: #show interface trunk, #show interfaces fa0/14 switchport, #show interfaces fa0/14 trunk
Tagged native VLAN: (config)#vlan dot1q tag native
Disable negotiation of the switchport status (DTP): Switch(config-if)#switchport nonegotiate
Save the VLAN configuration.

----VTP----------------------
SW1(config)#vtp domain NWL
SW1(config)#vtp version 3
SW1(config)#vtp mode {server | client}
SW1#vtp primary   (a VTP version 3 server that is not promoted this way stays a secondary server)
SW1(config)#vtp password P@ss2020 hidden

Verify: SW1#show vtp status | include Operating Mode
VTP Operating Mode : Server

------EtherChannel---------------------------------

(config-if)#channel-protocol {lacp | pagp}
(config-if)#channel-group 1 mode {active | desirable}   (active for LACP, desirable for PAgP)
(config)#interface Port-channel1
(config-if)#switchport trunk allowed vlan 30,40
(config-if)#switchport mode trunk

------------Load balancing (HSRP)--------------------------

R2(config-if)#standby 1 ip 172.16.0.254
R2(config-if)#standby 1 priority 150
R2(config-if)#standby 1 preempt

The router with the second-highest priority value becomes the standby router. The priority value can range from 0 to 255, with 100 as the default value.

To view the HSRP information on R1:

=====================================
R1#show standby
Ethernet0/1 - Group 1
  State is Standby                               <-- R1 is Standby
    4 state changes, last state change 00:02:48
  Virtual IP address is 172.16.0.254             <-- IP address of the virtual router
  Active virtual MAC address is 0000.0c07.ac01
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.448 secs
  Preemption enabled                             <-- see the note on preemption below
  Active router is 172.16.0.2, priority 150 (expires in 9.072 sec)
  Standby router is local
  Priority 100 (default 100)                     <-- 100 is the default priority value
  Group name is "hsrp-Et0/1-1" (default)

HSRP preemption is a feature that enables a standby router with a higher priority to become the active router in an HSRP group. By default, when the active router goes down, the standby router with the highest priority takes over as the active router.
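The election rules stated above (priority 0-255 with a default of 100, second-highest priority becomes standby, and preemption only matters when a higher-priority router comes up while another is already active), worked through as an added Python model; this is my own illustration, not Cisco code, and the class and function names are assumptions. The tie-break on the highest interface IP address is standard HSRP behaviour and goes slightly beyond what the notes state.

```python
from dataclasses import dataclass


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = 100      # 100 is the HSRP default priority
    preempt: bool = False    # "standby 1 preempt" sets this to True

    def __post_init__(self):
        # The notes give the valid range as 0 to 255; reject anything else.
        if not 0 <= self.priority <= 255:
            raise ValueError("HSRP priority must be between 0 and 255")


def _ip_key(router):
    # Numeric tuple so that 172.16.0.10 sorts above 172.16.0.9
    return tuple(int(octet) for octet in router.ip.split("."))


def elect_active(routers):
    """Election among routers that come up together: highest priority wins,
    and the highest interface IP address breaks a tie."""
    return max(routers, key=lambda r: (r.priority, _ip_key(r)))


def elect_standby(routers, active):
    """The best remaining router (second-highest priority) becomes standby."""
    others = [r for r in routers if r is not active]
    return elect_active(others) if others else None


def on_router_join(active, joining):
    """A router that comes up while another one is already active takes over
    only when it has preemption enabled AND a strictly higher priority;
    otherwise the incumbent keeps the active role regardless of priority."""
    if joining.preempt and joining.priority > active.priority:
        return joining
    return active


def on_active_failure(routers, failed):
    """The active router's hold timer expires: the standby with the highest
    priority takes over as the active router."""
    return elect_active([r for r in routers if r is not failed])
```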
---------STP---------------------------------------

SW1(config)#spanning-tree mode rapid-pvst

SW1#show spanning-tree

VLAN0001
  Spanning tree enabled protocol rstp            <-- Rapid-PVST mode
  Root ID    Priority    32769
             Address     aabb.cc00.1a00
             This bridge is the root             <-- SW1 is the root bridge for VLAN 1
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32769  (priority 32768 sys-id-ext 1)
             Address     aabb.cc00.1a00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Et0/0               Desg FWD 100       128.1    Shr
Et0/1               Desg FWD 100       128.2    Shr
Et0/2               Desg FWD 100       128.3    Shr
Et0/3               Desg FWD 100       128.4    Shr

Make the ports that are connected to PCs edge ports (PortFast), and prevent other switches (anything that is not a PC) from connecting to this interface by using BPDU Guard.
====================================
SW2(config)#interface ethernet0/1
SW2(config-if)#switchport mode access
SW2(config-if)#spanning-tree portfast
SW2(config-if)#spanning-tree bpduguard enable

------OSPF/EIGRP/RIP------------------------------------------

Basic configuration:

R1(config)#router ospf 1
R1(config-router)#router-id 1.1.1.1
R1(config-router)#network 10.0.12.1 0.0.0.0 area 0
R1(config-router)#network 10.0.13.1 0.0.0.0 area 0

Redistribution

-----Security-----------------------------------------------------

DAI
DAI (Dynamic ARP Inspection) protects us against ARP spoofing and man-in-the-middle attacks.

It is a security feature that validates the ARP packets in the network.

Step 1: Enable DAI on our VLANs

Sw(config)# ip arp inspection vlan 1-100,200,300

Step 2: Specify our trusted devices
There are two ways to do this:
- Per interface
Sw(config)# interface GigabitEthernet 0/1
Sw(config-if)# ip arp inspection trust

- Enable storm control for broadcasts.

A useful and important feature for protecting networks from the flood attacks a network may be exposed to through what is known as a denial-of-service attack. The idea of the feature is simply to monitor the traffic entering through each port on the switch.

Select the access interfaces:
Switch(config)# interface range FastEthernet 0/1 - 20

Limit broadcast traffic to X% of the bandwidth:
Switch(config-if-range)# storm-control broadcast level <X>

Limit multicast traffic to Y% of the bandwidth:
Switch(config-if-range)# storm-control multicast level <Y>

Limit unicast traffic to Z% of the bandwidth:
Switch(config-if-range)# storm-control unicast level <Z>

Enable SNMP alerts (only if SNMP traps are enabled):
Switch(config-if-range)# storm-control action trap

Shut down a port if it experiences a frame storm:
Switch(config-if-range)# storm-control action shutdown

Allow a port that was shut down because of a frame storm to be re-enabled automatically by errdisable recovery:
Switch(config)# errdisable recovery cause storm-control

Set the time (in seconds) after which the interface leaves the error-disabled state:
Switch(config)# errdisable recovery interval 300

- Enable PortFast and BPDU guard:

SW2(config)#interface ethernet0/1
SW2(config-if)#switchport mode access
SW2(config-if)#spanning-tree portfast
SW2(config-if)#spanning-tree bpduguard enable

- Enable root guard.

Root guard is another option to help prevent rogue switches and spoofing. Root guard can be enabled on all ports on a switch that are not root ports.

S2(config)# interface g0/1
S2(config-if)# spanning-tree guard root

- Enable loop guard.

Loop guard is applied to non-designated ports.

S2(config)# spanning-tree loopguard default

- Configure and verify port security.

Sw(config-if)# switchport port-security                      (enables port security on the interface)
Sw(config-if)# switchport port-security mac-address sticky
Sw(config-if)# switchport port-security maximum 10

Up to 10 MAC addresses will be learned dynamically through sticky learning.

Violation mode:

Sw(config-if)# switchport port-security violation {shutdown | restrict | protect}

- Disable unused ports.

- Move ports from the default VLAN 1 to an alternate VLAN.

- Configure DHCP snooping.

DHCP snooping protects our network from an unwanted (rogue) DHCP server.
IP Source Guard protects our network from an unwanted client.

Enable DHCP snooping:
Switch(config)# ip dhcp snooping

Define the VLANs on which DHCP snooping must be enabled (all of them here, except the unused VLAN 1):
Switch(config)# ip dhcp snooping vlan 2-4094

Define the interface through which the switch talks to the trusted DHCP server or DHCP relay:
Switch(config)# interface FastEthernet 0/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# exit

Enable the DHCP snooping database (used to track the state of DHCP leases):
Switch(config)# ip dhcp snooping database flash:snooping-database

Disable insertion of the DHCP option 82 fields (needed for DHCP snooping to work):
Switch(config)# no ip dhcp snooping information option

Limit the number of DHCP packets to 10 per second on the interfaces connected to clients:
Switch(config)# interface range FastEthernet 0/4 - 15
Switch(config-if-range)# ip dhcp snooping limit rate 10
Switch(config-if-range)# exit

SW#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
none
DHCP snooping is operational on following VLANs:
none
DHCP snooping is configured on the following L3 Interfaces:

Insertion of option 82 is enabled
   circuit-id default format: vlan-mod-port
   remote-id: aabb.cc00.2a00 (MAC)
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Verification of giaddr field is enabled
DHCP snooping trust/rate is configured on the following Interfaces:

Interface                  Trusted    Allow option    Rate limit (pps)
-----------------------    -------    ------------    ----------------
Ethernet0/0                yes        yes             unlimited
  Custom circuit-ids:
Ethernet0/1                no         no              10
  Custom circuit-ids:
Ethernet0/2                no         no              10
  Custom circuit-ids:
Ethernet0/3                no         no              10
  Custom circuit-ids:

- Disable CDP (no cdp run).
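As an added example (not part of the original notes), a small Python audit that reads a saved running-config and reports, for every access port, which of the hardening lines from this checklist (PortFast, BPDU guard, port security, broadcast storm control) are missing; the config text is constructed for the demonstration and the function names are my own.

```python
# Constructed sample running-config fragment (not captured from a real switch).
SAMPLE_CONFIG = """\
ip dhcp snooping
ip arp inspection vlan 1-100,200,300
!
interface Ethernet0/1
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security mac-address sticky
 switchport port-security maximum 10
 storm-control broadcast level 20
!
interface Ethernet0/2
 switchport mode access
 spanning-tree portfast
!
interface Ethernet0/3
 switchport mode trunk
 switchport trunk allowed vlan 30,40
"""

# Commands every access port should carry (prefix match, so the level value
# or the port-security sub-option does not matter).
REQUIRED_ACCESS = ("spanning-tree portfast", "spanning-tree bpduguard enable",
                   "switchport port-security", "storm-control broadcast level")


def parse_interfaces(config):
    """Return {interface name: [indented sub-commands]} for each interface block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return blocks


def audit_access_ports(config):
    """Map each access port to the hardening commands it is missing."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and routed ports are out of scope for this check
        findings[name] = [req for req in REQUIRED_ACCESS
                          if not any(cmd.startswith(req) for cmd in lines)]
    return findings
```

Running `audit_access_ports(SAMPLE_CONFIG)` reports Ethernet0/1 as complete and lists BPDU guard, port security and storm control as missing on Ethernet0/2; the trunk port Ethernet0/3 is skipped.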