Perform Basic Switch Configurations
Type 6 encryption replaces service password-encryption and encrypts present and future plaintext (0) and
Type 7 encrypted passwords; however, it does not encrypt the enable password or enable secret.
Router(config)#line console 0
Router(config-line)#login local
To enable Type 8 privilege EXEC mode passwords:
Router(config)#enable algorithm-type sha256 secret P@ss2020
To create a local user account with a Type 8 password:
Router(config)#username bob algorithm-type sha256 secret P@ss2020
---VLAN------------
Create VLANs 10 (server), 20, 30, 40
Assign switch ports to a VLAN
Assign the management VLAN
Verify VLAN configuration (#show vlan brief)
Enable trunking on inter-switch connections (#switchport mode trunk, #switchport trunk native vlan 99)
Do not allow all VLANs on the trunk link (SwitchB(config-if)#switchport trunk allowed vlan remove 1-4094, #switchport trunk allowed vlan add 1-50)
Verify trunk configuration (#show interface trunk, #show interfaces fa0/14 switchport, #show interfaces fa0/14 trunk)
Tag the native VLAN ((config)#vlan dot1q tag native)
Disable negotiation of the switchport status (Switch(config-if)#switchport nonegotiate)
Save the VLAN configuration
----VTP----------------------
SW1(config)#vtp domain NWL
SW1(config)#vtp version 3
----> SW1#show vtp status | include Operating Mode
VTP Operating Mode : Server
SW1(config)#vtp Mode server/client
SW1(config)#vtp primary/secondary
SW1(config)#vtp password P@ss2020 hidden
------EtherChannel---------------------------------
channel-protocol lacp/pagp
channel-group 1 mode active/desirable
interface Port-channel1
switchport trunk allowed vlan 30,40
switchport mode trunk
------------Loadbalancing--------------------------
R2(config-if)#standby 1 ip 172.16.0.254
R2(config-if)#standby 1 priority 150 <-- The router with the second-highest priority value
becomes the standby router. The priority value can range from 0 to 255, with 100 as the default
value.
R2(config-if)#standby 1 preempt
SW1#show spanning-tree
VLAN0001
Spanning tree enabled protocol rstp <-- Rapid-PVST mode
Root ID Priority 32769
Address aabb.cc00.1a00
This bridge is the root <-- SW1 is the root bridge for VLAN1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Configure the ports that are connected to the PCs as edge ports (PortFast), and use BPDU Guard to
prevent other switches from connecting to these interfaces.
====================================
SW2(config)#interface ethernet0/1
SW2(config-if)#switchport mode access
SW2(config-if)#spanning-tree portfast
SW2(config-if)#spanning-tree bpduguard enable
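Added example (not part of the original notes): a small Python check that reads a running-config and reports access ports missing PortFast or BPDU Guard, and trunks missing the nonegotiate, allowed-VLAN or native-VLAN settings from the VLAN and spanning-tree steps above. The sample config, the REQUIRED table and the function names are constructed for illustration.

```python
# Constructed sample running-config (not taken from the notes).
SAMPLE_CONFIG = """\
interface Ethernet0/1
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1-50
 switchport nonegotiate
!
interface FastEthernet0/15
 switchport mode trunk
!
"""

# Commands each port mode should carry, per the VLAN and spanning-tree steps above.
REQUIRED = {
    "switchport mode access": ["spanning-tree portfast",
                               "spanning-tree bpduguard enable"],
    "switchport mode trunk": ["switchport nonegotiate", "switchport trunk native vlan",
                              "switchport trunk allowed vlan"],
}

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from IOS-style config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return interfaces

def audit(config):
    """Return sorted (interface, missing command) pairs."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        for mode, required in REQUIRED.items():
            if mode in cmds:
                findings += [(name, r) for r in required
                             if not any(c.startswith(r) for c in cmds)]
    return sorted(findings)

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_CONFIG):
        print(f"{name}: missing '{missing}'")
```

Ports with no explicit "switchport mode" line are skipped by this check, so it only covers ports already set to access or trunk.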
------OSPF/EIGRP/RIP------------------------------------------
Basic configuration:
R1(config)#router ospf 1
R1(config-router)#router-id 1.1.1.1
R1(config-router)#network 10.0.12.1 0.0.0.0 area 0
R1(config-router)#network 10.0.13.1 0.0.0.0 area 0
Redistribution
-----Security-----------------------------------------------------
DAI
DAI (Dynamic ARP Inspection) protects us against ARP spoofing and
man-in-the-middle attacks.
It is a security feature that validates ARP packets in the network.
A useful and important feature for protecting networks against flood attacks that the network may be
exposed to through what is known as a denial-of-service attack. The idea of the feature is simply to
monitor the traffic entering through each port on the switch.
Enables alert reporting via SNMP (only if SNMP traps are enabled)
Switch(config-if-range)#storm-control action trap
Indicates that a port shut down because of a frame storm can be re-enabled
automatically by errdisable recovery
Switch(config)#errdisable recovery cause storm-control
Sets the time (in seconds) after which the interface leaves the error state
Switch(config)#errdisable recovery interval <300>
SW2(config)#interface ethernet0/1
SW2(config-if)#switchport mode access
SW2(config-if)#spanning-tree portfast
SW2(config-if)#spanning-tree bpduguard enable
Root guard is another option to help prevent rogue switches and spoofing. Root guard can be
enabled on all ports on a switch that are not root ports.
Violation
DHCP Snooping = protects our network from an unwanted DHCP server.
IP Source Guard = protects our network from an unwanted client.
Defines the VLANs on which DHCP snooping must be enabled (all of them here, except the unused
VLAN 1)
Switch(config)#ip dhcp snooping vlan <2-4094>
Defines the interface through which the switch communicates with the trusted DHCP server or
relay
Switch(config)#interface FastEthernet <0/1>
Switch(config-if)#ip dhcp snooping trust
Switch(config-if)#exit
Enables the DHCP snooping database (used to track the state of DHCP leases)
Switch(config)#ip dhcp snooping database <flash:snooping-database>