Network technologies and trends:

Cisco 3560-E

Dec 2 2008   7:30AM GMT

How to configure the SPAN (Switched Port Analyzer) feature in a Cisco Catalyst Switch



Posted by: Yasir Irfan
Switches, Cisco, Switching, Cisco IOS, Wireshark, Cisco 2960, Cisco 2950, Cisco 6500, Cisco Tips, Cisco 3560, Cisco 3745, Cisco Learning, Cisco 3750-E, Cisco 3560-E, Network Troubleshooting, Show commands, Cisco 6500 Series Catalyst Switch, Cisco 6503, Cisco Catalyst 6503-E Switch, Cisco Catalyst 6506-E Switch, Cisco Catalyst 6509-V-E Switch, Cisco Catalyst 6509-E Switch, Cisco Catalyst 6513 Switch, SPAN, Sniffer

Mirroring traffic to a sniffer is an essential troubleshooting technique for network engineers, and Cisco Catalyst switches support it through the Switched Port Analyzer (SPAN) feature. SPAN copies the traffic of the specified source interfaces or VLANs to a specified destination interface (the SPAN port). A PC with a sniffing tool (Wireshark) installed, connected to that destination port, then captures all of the mirrored traffic. Let's see how to configure SPAN on a Cisco Catalyst switch.

To enable the SPAN mirroring feature, configure the following on the Catalyst switch:

Configuration Example - Monitoring traffic from a specific interface

ITKEAS01#configure terminal
ITKEAS01(config)#monitor session 1 source interface gigabitEthernet 0/5

ITKEAS01(config)#monitor session 1 destination interface gigabitEthernet 0/10 

The above configuration copies all traffic received and sent on interface gigabitEthernet 0/5 (both directions by default; append rx or tx to the source command to mirror only one direction) and sends it to the SPAN destination port gigabitEthernet 0/10.

Configuration Example - Monitoring an entire VLAN's traffic

ITKEAS01(config)#monitor session 1 source vlan 100
ITKEAS01(config)#monitor session 1 destination interface gigabitEthernet 0/10

The above configuration copies all traffic of VLAN 100 on this switch and sends it to the SPAN destination port gigabitEthernet 0/10.

Use show monitor session 1 to verify your configuration. Two cautions: a SPAN destination port stops forwarding normal traffic for as long as the session exists, so never pick an uplink or a port with a production host on it; and the PC on the destination port receives a copy of everything on the mirrored ports or VLAN, including any cleartext credentials, so treat the capture host and its capture files as sensitive and remove the session with no monitor session 1 when you are done.

Nov 22 2008   12:56PM GMT

How to configure DHCP Snooping in Cisco Catalyst Switches.



Posted by: Yasir Irfan
Networking, DHCP, Switches, Cisco, Switching, Routing and Switching, CCNP, Cisco IOS, Cisco 2960, Cisco 2950, HSRP, Cisco 6500, Cisco Tips, Cisco 3560, Cisco Learning, Server Security, Cisco 3750-E, Cisco 3560-E, IOS commands, Cisco Systems, Cisco 6500 Series Catalyst Switch, Cisco 6503, Cisco Catalyst 6503-E Switch, Cisco Catalyst 6506-E Switch, Cisco Catalyst 6509-V-E Switch, Cisco Catalyst 6509-E Switch, Cisco Catalyst 6513 Switch, DHCP Snooping, Configuring DHCP Snooping, 802.1 Q, Trunk Ports

So here we go, with the configuration of DHCP snooping on a Cisco switch. This feature protects the network by allowing the Cisco switches to accept DHCP server messages (OFFER, ACK and NAK) only from the authorized servers connected to trusted interfaces; server messages arriving on untrusted interfaces are dropped.

[Figure: DHCP snooping scenario topology]

All switch-to-switch connections are configured as 802.1Q trunk ports.

[Figure: IP address and HSRP details for the core switches]

In the above scenario we have two Cisco 6513 Series switches (ITKEBB01 and ITKEBB02) as the core/distribution layer with three VLANs: VLAN 50 for management of the switches, VLAN 100 for all the servers and VLAN 101 for clients. Two Cisco 3560 Series switches (ITKESF01 and ITKESF02) are the server farm switches and a Cisco 3560 Series switch (ITKEAS01) is the access switch. Two DHCP servers with the IP addresses 10.0.1.100 and 10.0.1.101 are connected to the server farm switches with HP NIC teaming. We configure DHCP snooping based on this scenario.

The first step is to turn on DHCP snooping globally on all Cisco switches using the ip dhcp snooping command.

All Cisco Switches (config)#ip dhcp snooping

The second step is to configure the trusted interfaces. In our scenario all trunk ports are trusted, as are the server-facing ports G0/7 and G0/17 on ITKESF01 (50.0.0.6) and G0/9 and G0/18 on ITKESF02 (50.0.0.7), which connect to the DHCP servers 10.0.1.100 and 10.0.1.101. Every other port stays untrusted, which is the default. Snooping only starts filtering once it is enabled for a VLAN in the last step, so trust the uplinks and server ports first, as done here; an uplink left untrusted silently drops the legitimate servers' replies for every client behind it. Let's configure all trunk ports in ITKEBB01:

ITKEBB01(config)#interface range  gigabitEthernet 3/21 - 23

ITKEBB01 (config-if)#ip dhcp snooping trust 

Now let’s configure all trunk ports in ITKEBB02 

ITKEBB02(config)#interface range  gigabitEthernet 3/21 - 23

ITKEBB02 (config-if)#ip dhcp snooping trust

ITKEBB02 (config)#interface gigabitEthernet 3/16

ITKEBB02 (config-if)#ip dhcp snooping trust 

Now let’s configure the trusted ports for the DHCP servers  

ITKESF01(config)#interface gigabitEthernet 0/7

ITKESF01 (config-if)#ip dhcp snooping trust 

ITKESF01(config)#interface gigabitEthernet 0/17

ITKESF01 (config-if)#ip dhcp snooping trust

ITKESF02(config)#interface gigabitEthernet 0/9

ITKESF02 (config-if)#ip dhcp snooping trust 

ITKESF02(config)#interface gigabitEthernet 0/18

ITKESF02 (config-if)#ip dhcp snooping trust

Now let's configure the trunk ports on the access switch ITKEAS01:

ITKEAS01(config)#interface range  gigabitEthernet 0/49 - 52

ITKEAS01 (config-if)#ip dhcp snooping trust 

Finally we enable DHCP snooping on the VLANs. DHCP snooping will be used on the server and client VLANs (VLAN 100 and 101) but not on the management VLAN 50. We also limit the rate of DHCP packets received on the access ports of the access switch (ITKEAS01): a port that exceeds 20 DHCP packets per second is put into the err-disable state, which stops a single host from flooding the servers with requests (the usual way to exhaust a DHCP pool). Apply the rate limit to access ports only, never to trusted uplinks. If clients stop getting addresses after this step, the usual cause is DHCP option 82: the switch inserts it into forwarded client requests by default, and a DHCP server or relay that rejects option 82 with a zero giaddr discards those requests; no ip dhcp snooping information option turns the insertion off.

ALL SWITCHES(config)#ip dhcp snooping vlan 100,101

ITKEAS01(config)#interface range  gigabitEthernet 0/1 - 48

ITKEAS01 (config-if)#ip dhcp snooping limit rate 20
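The steps above leave each switch in a state that is easy to get subtly wrong (an uplink left untrusted, a client port trusted by mistake, the VLAN list incomplete). The following is an added example, not from the original post, that audits a saved running-config for exactly those conditions. The sample configuration it runs on is constructed for the example and modelled on the access switch ITKEAS01; it is not a real device's configuration, and the deliberate mistakes in it (Gi0/3 trusted, Gi0/2 without a rate limit, Gi0/50 untrusted) are there to be found.

```python
"""Audit a Catalyst running-config for DHCP snooping mistakes."""
import re

# Constructed sample running-config, modelled on the access switch ITKEAS01
# (not taken from a real device): two access ports and one uplink have been
# left in a state the procedure in the post would not produce.
SAMPLE_RUNNING_CONFIG = """\
ip dhcp snooping vlan 100,101
ip dhcp snooping
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 101
 ip dhcp snooping limit rate 20
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 101
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 101
 ip dhcp snooping trust
!
interface GigabitEthernet0/49
 switchport mode trunk
 ip dhcp snooping trust
!
interface GigabitEthernet0/50
 switchport mode trunk
!
"""

EXPECTED_VLANS = {100, 101}   # server and client VLANs from the scenario


def parse_interfaces(config):
    """Return {interface name: set of indented lines under that interface}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = set()
        elif raw.startswith("!"):
            current = None
        elif current is not None and raw.startswith(" "):
            interfaces[current].add(raw.strip())
    return interfaces


def snooping_vlans(config):
    """Parse 'ip dhcp snooping vlan 100,101' (ranges like 100-105 allowed) into a set."""
    vlans = set()
    for m in re.finditer(r"^ip dhcp snooping vlan (\S+)\s*$", config, re.M):
        for part in m.group(1).split(","):
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit(config, expected_vlans=EXPECTED_VLANS):
    """Return [(interface or 'global', finding), ...]; an empty list means the config is sound."""
    findings = []
    if not re.search(r"^ip dhcp snooping\s*$", config, re.M):
        findings.append(("global", "ip dhcp snooping is not enabled"))
    missing = expected_vlans - snooping_vlans(config)
    if missing:
        findings.append(("global", f"snooping not enabled on VLANs {sorted(missing)}"))
    for name, lines in parse_interfaces(config).items():
        trusted = "ip dhcp snooping trust" in lines
        limited = any(l.startswith("ip dhcp snooping limit rate") for l in lines)
        if "switchport mode trunk" in lines and not trusted:
            # Snooping drops OFFER/ACK that arrive on untrusted ports, so an
            # untrusted uplink silently breaks DHCP for every client behind it.
            findings.append((name, "trunk is untrusted: legitimate DHCP replies will be dropped"))
        elif "switchport mode access" in lines:
            if trusted:
                # Trusting a client port lets a rogue server on it answer clients.
                findings.append((name, "access port is trusted: a rogue DHCP server here would be accepted"))
            if not limited:
                findings.append((name, "access port has no DHCP rate limit"))
    return findings


if __name__ == "__main__":
    for where, what in audit(SAMPLE_RUNNING_CONFIG):
        print(f"{where}: {what}")
```

Feed it the output of show running-config from each switch after the change; anything it reports on an uplink is a DHCP outage waiting to happen, and anything it reports as a trusted access port is a hole in the protection.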

Displaying the DHCP snooping configuration

Use show ip dhcp snooping to display the global state, the VLANs on which snooping is enabled and the trusted interfaces with their rate limits, and show ip dhcp snooping binding to see the client bindings the switch has learned.

[Figure: output of show ip dhcp snooping]

For further reference please do check this article from Cisco about DHCP snooping.


Nov 22 2008   7:22AM GMT

Why should we consider implementing DHCP Snooping?



Posted by: Yasir Irfan
Networking, Security, DHCP, Switches, Cisco, Switching, Cisco 2960, Cisco 2950, Cisco 6500, Cisco Tips, Cisco 3560, Cisco 3750-E, Cisco 3560-E, Err-disable, Cisco Systems, Cisco 6500 Series Catalyst Switch, Cisco 6503, DHCP Snooping

Dear Friends,

In my previous post I was discussing DHCP snooping. It may be hard to believe that a DHCP server can lead to a lot of trouble in your network. Consider a host that sends out DHCP discover packets: it listens for DHCP offer packets and accepts the first offer it receives, from whichever DHCP server answers. Guess what happens if the host gets a DHCP offer from a rogue DHCP server? The host ends up with an IP address and default gateway chosen by the rogue server. At best the host cannot reach any of the resources on your network; at worst the rogue server names itself as the default gateway and DNS server, and the host's traffic is relayed through, and can be read or altered by, whoever runs it.

Yes, we can prevent this with DHCP snooping, thanks to Cisco. DHCP snooping classifies interfaces as either trusted or untrusted. DHCP server messages received on trusted interfaces are allowed through the Cisco switch, while DHCP server messages (offers and acknowledgements) received on an untrusted interface are dropped, so the rogue server's offer never reaches the client. (A port is put into the error-disable state only when it exceeds the configured DHCP rate limit.) Configuring DHCP snooping in a network is a tricky job, but I will try to make things easier for you using a scenario, which hopefully I am going to post soon.
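Before snooping is in place, the way to find a rogue server is to look for its offers on the wire, which is exactly what a sniffer on a SPAN destination port (first post above) sees. The following is an added example, not from the original post, that decodes DHCP messages and flags any OFFER or ACK whose server identifier is not one of the two authorised servers from the scenario, or whose offered default gateway is not the expected one. The packets are constructed with build_offer() for the example; the rogue server address 10.0.1.250 and the expected gateway 10.0.1.1 are assumed values.

```python
"""Flag DHCP OFFER/ACK messages that come from servers not on the allowlist."""
import struct

BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # the 236-byte fixed BOOTP header
MAGIC = b"\x63\x82\x53\x63"                   # DHCP magic cookie
OFFER, ACK = 2, 5                             # option 53 message types
TRUSTED_SERVERS = {"10.0.1.100", "10.0.1.101"}   # the two servers in the scenario
EXPECTED_GATEWAY = "10.0.1.1"                    # assumed value for the example


def ip2b(ip):
    return bytes(int(o) for o in ip.split("."))


def b2ip(b):
    return ".".join(str(x) for x in b)


def build_offer(xid, yiaddr, server_id, router, msg_type=OFFER):
    """Construct a minimal DHCP OFFER/ACK as a server would send it (test input only)."""
    chaddr = bytes.fromhex("001122334455").ljust(16, b"\x00")   # assumed client MAC
    hdr = struct.pack(BOOTP_HDR, 2, 1, 6, 0, xid, 0, 0,
                      ip2b("0.0.0.0"), ip2b(yiaddr), ip2b(server_id), ip2b("0.0.0.0"),
                      chaddr, b"\x00" * 64, b"\x00" * 128)
    opts = (bytes([53, 1, msg_type]) +
            bytes([54, 4]) + ip2b(server_id) +          # server identifier
            bytes([1, 4]) + ip2b("255.255.255.0") +     # subnet mask
            bytes([3, 4]) + ip2b(router) +              # default gateway
            b"\xff")                                    # end of options
    return hdr + MAGIC + opts


def parse_dhcp(pkt):
    """Decode the BOOTP header and the DHCP options into a dict."""
    fields = struct.unpack(BOOTP_HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    msg = {"op": fields[0], "xid": fields[4], "yiaddr": b2ip(fields[8]),
           "siaddr": b2ip(fields[9]), "options": {}}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        length = pkt[i + 1]
        msg["options"][code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def classify(pkt, trusted=TRUSTED_SERVERS, gateway=EXPECTED_GATEWAY):
    """Return 'client' for client messages, 'ok' for a good offer, else a reason string."""
    msg = parse_dhcp(pkt)
    opts = msg["options"]
    if msg["op"] != 2 or opts.get(53, b"\x00")[0] not in (OFFER, ACK):
        return "client"
    server = b2ip(opts[54]) if 54 in opts else msg["siaddr"]
    if server not in trusted:
        return f"rogue server {server} offered {msg['yiaddr']}"
    router = b2ip(opts[3]) if 3 in opts else None
    if router != gateway:
        # Even a known server identifier can be spoofed; an unexpected gateway
        # is the sign that clients are being steered through a man-in-the-middle.
        return f"server {server} offered unexpected gateway {router}"
    return "ok"


if __name__ == "__main__":
    good = build_offer(0x1234, "10.0.1.50", "10.0.1.100", "10.0.1.1")
    bad = build_offer(0x1234, "10.0.1.99", "10.0.1.250", "10.0.1.250")
    for p in (good, bad):
        print(classify(p))
```

In practice the packets would come from a capture on the SPAN port (UDP source port 67 carries the server side), and the allowlist is the same list of servers you will later put behind trusted ports.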


Oct 12 2008   5:17AM GMT

How to configure SNMPv3 in a Cisco Catalyst Switch – Series 1



Posted by: Yasir Irfan
Security, Switches, Cisco, SNMP, Cisco IOS, Cisco 2950, Cisco 6500, Cisco Tips, Cisco 3560, Cisco 3745, Cisco Learning, Cisco 3560-E, IOS commands, SNMPv3, RFC3410, SNMP Version 3

Configuring SNMP version 3 on a Cisco Catalyst switch is a bit more complicated than SNMP v1 and v2c, but once it is configured you can relax: SNMPv3 adds authentication (a username with a password-derived key) and encryption to the protocol, whereas v1 and v2c send the community string in cleartext with every packet.

What is SNMPv3? Simple Network Management Protocol version 3. The specification for this Full Standard protocol is published in RFCs 3410 through 3418 (STD 62). SNMPv3 provides a Full Standard administrative framework (authorization, access control, etc.) and a remote configuration/administration MIB. Also check the SNMPv3 documentation from Cisco Systems.

How to configure SNMPv3 in a Cisco Catalyst Switch ? 

We begin the SNMPv3 configuration on the Cisco Catalyst switch by creating an SNMP view. A view defines which parts of the MIB tree an SNMP user or group can access when it queries the SNMPv3-enabled switch. In the example below we create a view called ITKEView that includes the system, internet and interfaces subtrees.

ITKE(config)# snmp-server view ITKEView internet included
ITKE(config)# snmp-server view ITKEView system included
ITKE(config)# snmp-server view ITKEView interfaces included

Note that internet (1.3.6.1) is the parent of system (1.3.6.1.2.1.1) and interfaces (1.3.6.1.2.1.2), so the first line already grants everything the other two do, along with every other subtree under mib-2 and the private (enterprise) branch. A view only restricts access when it is narrower than that: for a read-only monitoring user, include just the subtrees the poller needs (for example system and interfaces) or add excluded entries for sensitive ones.
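The authentication the post refers to is not the password itself: RFC 3414 turns the password into a key and then localizes that key to the agent's snmpEngineID, so the same password gives a different key on every switch. The following is an added example, not from the original post, that carries out that derivation; it uses the RFC's own "maplesyrup" test vector and engine ID, plus an engine ID built from an assumed MAC address in one of the formats RFC 3411 defines (whether your switch uses that format is shown by show snmp engineID).

```python
"""SNMPv3 USM password-to-key and key localization (RFC 3414, appendix A)."""
import hashlib

ONE_MIB = 1_048_576
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")   # RFC 3414 test vector


def password_to_key(password, algorithm="sha1"):
    """RFC 3414 A.2: Ku = Hash(password repeated out to 1,048,576 bytes)."""
    pw = password.encode()
    expanded = (pw * (ONE_MIB // len(pw) + 1))[:ONE_MIB]
    return hashlib.new(algorithm, expanded).digest()


def localize_key(ku, engine_id, algorithm="sha1"):
    """RFC 3414 A.2: Kul = Hash(Ku || snmpEngineID || Ku), binding the key to one agent."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def localized_key(password, engine_id, algorithm="sha1"):
    """What an agent actually stores and uses for HMAC: the localized key."""
    return localize_key(password_to_key(password, algorithm), engine_id, algorithm)


def engine_id_from_mac(mac, enterprise=9):
    """RFC 3411 SnmpEngineID, format 3 (MAC address); enterprise 9 is Cisco.
    The MAC is an assumed example value; check show snmp engineID on a real switch."""
    header = bytes([0x80 | ((enterprise >> 24) & 0x7f), (enterprise >> 16) & 0xff,
                    (enterprise >> 8) & 0xff, enterprise & 0xff, 0x03])
    return header + bytes.fromhex(mac.replace(":", ""))


if __name__ == "__main__":
    switch_a = engine_id_from_mac("00:1a:2b:3c:4d:5e")   # assumed MACs
    switch_b = engine_id_from_mac("00:1a:2b:3c:4d:5f")
    for name, eid in (("switch A", switch_a), ("switch B", switch_b)):
        print(name, eid.hex(), localized_key("maplesyrup", eid).hex())
```

Two consequences follow. A key lifted from one device cannot be replayed against another, which is the point of localization; and because the expansion step costs a megabyte of hashing per guess, offline guessing is slow but not impossible, so the password still has to be strong and the auth key should be paired with a privacy key (the priv option in the group and user commands of the next part) rather than used alone.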

To be continued in next series


Sep 24 2008   8:27AM GMT

How to configure intervlan routing between Cisco Catalyst Switches and HP Procurve Switches Series 2



Posted by: Yasir Irfan
Networking, Switches, Cisco, HP Procurve, Cisco Tips, Cisco 3560, Cisco Learning, Cisco 3560-E, Intervlan routing, IP Address, IOS commands, HP switches

In my previous post I discussed how common terminologies are applied by both Cisco and HP; now it's time to proceed further. In this example we will create two VLANs and enable intervlan communication between HP Procurve switches and Cisco Catalyst switches.

 

[Figure: HP-Cisco VLAN topology]

We will create 2 VLANS in both Switches, as shown in the below table

[Table: VLAN IDs and IP addresses for both switches (image)]

Now let’s see what configuration commands required to create a VLAN, and enable intervlan communication between HP Procurve Switches  and Cisco Catalyst Switches.

[Figure: commands1, configuration commands (image)]

[Figure: Commands2, configuration commands (image)]


Sep 8 2008   8:12AM GMT

How to reset/delete the password & configuration on a Cisco WS-C3550-48-SMI



Posted by: Yasir Irfan
Switches, Cisco, Cisco 2950, HyperTerminal, Cisco Tips, Cisco 3560, Cisco 3750-E, Cisco 3560-E, IOS commands, Password reset

This article describes the procedure for resetting / deleting the password and current configuration on a Cisco Catalyst WS-C3550-48-SMI.

Model: WS-C3550-48-SMI

Warning: This procedure will remove the switch configuration. Be sure to have a backup of your current switch configuration before proceeding.

The Cisco WS-C3550-48-SMI Catalyst switch is similar to most Catalyst switches and the procedure for resetting the password is the same.

Step 1: Connect the console cable to the switch and start your terminal program (HyperTerminal/Secure CRT). Console port settings are 9600,8,N,1

Step 2: Hold the MODE button (on the front of the switch) while you power on the switch.

[Figure: resetting the 3550 with the MODE button]

Step 3: Hold the MODE button for a few seconds, until the System LED stops flashing.

Step 4: At this point the switch should be in ROMmon mode.

Step 5: From ROMmon mode, type: flash_init

Step 6: From ROMmon mode, type: delete flash:config.text

Step 7: From ROMmon mode, type: boot

At this point the switch boots as normal with an empty configuration and no password. Two notes. If you only need to get past a lost password and want to keep the configuration, rename the file in step 6 instead of deleting it (rename flash:config.text flash:config.old), boot, copy it back into the running configuration, set new passwords and save. And since anyone with a console cable and a few minutes alone with the switch can do this, keep the switch physically secured; on IOS releases that support it, no service password-recovery makes the switch erase the configuration rather than let it be recovered this way, which protects the secrets in the configuration but not the box itself.

[Figure: how to reset the Cisco 3550 switch]

 


Aug 30 2008   5:16AM GMT

A cool tool to solve layer 1 UTP cable issues in Cisco Catalyst Switches.



Posted by: Yasir Irfan
Switches, Cisco, Cisco Tips, Cisco 3560, Cisco Learning, Cisco 3750-E, Cisco 3560-E, Network Troubleshooting, IOS commands, Layer 1 issues

Here is a simple and cool tool for solving layer 1 UTP cable issues on Cisco Catalyst switches; the command is test cable-diagnostics tdr interface.
Here is an example:

MBGF-DAC-3560-AS01#test cable-diagnostics tdr interface gigabitEthernet 0/1
TDR test started on interface Gi0/1
A TDR test can take a few seconds to run on an interface
Use ’show cable-diagnostics tdr’ to read the TDR results.
MBGF-DAC-3560-AS01#
The Catalyst 2960, 2970, 3560/3560-E and 3750/3750-E switches have an integrated Time Domain Reflectometer (TDR), which is used to test the cable connected to a port. TDR is supported only on 10/100/1000 and some 10/100 (Catalyst 2960) copper Ethernet ports. It is not supported on 10 Gigabit Ethernet or SFP module ports.

A TDR test can take a few seconds to run on an interface. Use “show cable-diagnostics tdr” to read the TDR results.

MBGF-DAC-3560-AS01#sho cable-diagnostics tdr interface gigabitEthernet 0/1
TDR test last run on: August 30 08:01:35

Interface Speed Local pair Pair length        Remote pair Pair status
--------- ----- ---------- ------------------ ----------- --------------------
Gi0/1     1000M Pair A     54   +/- 4  meters Pair A      Normal             
                Pair B     52   +/- 4  meters Pair B      Normal             
                Pair C     53   +/- 4  meters Pair C      Normal             
                Pair D     54   +/- 4  meters Pair D      Normal             
MBGF-DAC-3560-AS01#


Aug 23 2008   6:04AM GMT

Discover Cisco Network Assistant (CNA)



Posted by: Yasir Irfan
Networking, Switches, Cisco, Routers, SNMP, Cisco 2950, Cisco Tips, Cisco 3560, Cisco 3750-E, Cisco 3560-E, Network Troubleshooting, Network Inventory, Cisco Network Assistant

Cisco Network Assistant (CNA) is a free PC-based graphical network management application included when a new Cisco switch is purchased. It can manage standalone Cisco switches and clusters of Cisco switches in your intranet and is best suited to small to mid-sized LANs. CNA supports a wide range of Cisco Catalyst switches, from the Cisco 2900 through the Cisco Catalyst 4506, manages many of the critical functions of a Cisco switch and is optimized for wired and wireless LANs (WLANs). It provides a centralized network view and lets network administrators apply common services, generate inventory reports, synchronize passwords and employ features across Cisco switches, routers and access points. CNA is available at no cost from the Cisco Network Assistant software download page.

[Figure: Cisco Network Assistant screenshot]

 

What’s new in Cisco Network Assistant (CNA) Version 5.4?

Increased device limits: Supports up to 40 switches and routers

Enhanced discovery: Discover devices with subnet or IP range 

Diagnostics: Conduct on-demand or scheduled tests to verify hardware functionality 

Command-line interface (CLI) preview: View CLIs before they are sent to the device

In my next article I will focus on how to use the Cisco Network Assistant (CNA).


Aug 17 2008   5:55AM GMT

What is the Link-flap error in Cisco Switches?



Posted by: Yasir Irfan
Switches, Cisco, Cisco 2950, Cisco 6500, Cisco 3560, Cisco 3750-E, Cisco 3560-E, Link-Flap, Err-disable, Layer 1 issues

Link flap means that an interface continually goes up and down on a Cisco switch. The interface is put into the errdisable state if it flaps more than five times in 10 seconds. The common causes of link flap are Layer 1 issues such as a bad cable, a duplex mismatch or a bad Gigabit Interface Converter (GBIC). Look at the console messages or the messages sent to the syslog server; they state the reason for the port shutdown:

13w0d: %PM-4-ERR_DISABLE: link-flap error detected on Fa0/28, putting Fa0/28 in err-disable state 

Issue this command in order to view the flap values:

SRCL-ONC-3550-AS01# sho errdisable flap-values
ErrDisable Reason    Flaps     Time (sec)
-----------------    ------    ----------
pagp-flap              3         30
dtp-flap               3         30
link-flap              5         10
SRCL-ONC-3550-AS01#

The interface can be brought out of the errdisable state by re-enabling the port: manually with shutdown followed by no shutdown, or automatically with errdisable recovery cause link-flap. That command configures the recovery mechanism so that the interface is brought out of the disabled state after an interval and allowed to try again; the interval is set with errdisable recovery interval. Errdisable recovery is disabled by default on Cisco switches; when enabled, the default interval is 300 seconds. Automatic recovery only re-enables the port: if the cable or duplex problem is still there the port flaps and is disabled again, so fix the Layer 1 cause rather than relying on recovery.

Once errdisable recovery is enabled you will see the following log message when the switch tries to recover an interface disabled by a link-flap error:

13w0d: %PM-4-ERR_RECOVER: Attempting to recover from link-flap err-disable state on Fa0/28
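A port that is recovered and then err-disabled again a few minutes later is the pattern that tells you recovery is masking a fault rather than fixing it. The following is an added example, not from the original post, that counts the two message types shown above per interface and cause and reports the ports caught in that loop. The log lines are constructed for the example (Fa0/28 is the port from the post; Fa0/12 and the dhcp-rate-limit cause are assumed), so the counts are only illustrative.

```python
"""Count err-disable and recovery events per interface from syslog lines."""
import re
from collections import defaultdict

# Constructed sample syslog, not a real device's log.
SAMPLE_LOG = """\
13w0d: %PM-4-ERR_DISABLE: link-flap error detected on Fa0/28, putting Fa0/28 in err-disable state
13w0d: %PM-4-ERR_RECOVER: Attempting to recover from link-flap err-disable state on Fa0/28
13w0d: %PM-4-ERR_DISABLE: link-flap error detected on Fa0/28, putting Fa0/28 in err-disable state
13w0d: %PM-4-ERR_RECOVER: Attempting to recover from link-flap err-disable state on Fa0/28
13w0d: %PM-4-ERR_DISABLE: link-flap error detected on Fa0/28, putting Fa0/28 in err-disable state
13w0d: %PM-4-ERR_DISABLE: dhcp-rate-limit error detected on Fa0/12, putting Fa0/12 in err-disable state
13w0d: %PM-4-ERR_RECOVER: Attempting to recover from dhcp-rate-limit err-disable state on Fa0/12
13w0d: %LINK-3-UPDOWN: Interface FastEthernet0/12, changed state to up
"""

DISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+),")
RECOVER_RE = re.compile(r"%PM-4-ERR_RECOVER: Attempting to recover from (?P<cause>\S+) "
                        r"err-disable state on (?P<port>\S+)")


def parse_events(log):
    """Yield ('disable' | 'recover', port, cause) for every errdisable-related line."""
    for line in log.splitlines():
        m = DISABLE_RE.search(line)
        if m:
            yield "disable", m["port"], m["cause"]
            continue
        m = RECOVER_RE.search(line)
        if m:
            yield "recover", m["port"], m["cause"]


def summarize(log):
    """Return {(port, cause): {'disable': n, 'recover': n}}."""
    counts = defaultdict(lambda: {"disable": 0, "recover": 0})
    for kind, port, cause in parse_events(log):
        counts[(port, cause)][kind] += 1
    return dict(counts)


def recovery_loops(log, threshold=3):
    """Ports err-disabled at least `threshold` times for the same cause: recovery
    is re-enabling them but the underlying fault has not been fixed."""
    return sorted((port, cause) for (port, cause), c in summarize(log).items()
                  if c["disable"] >= threshold)


if __name__ == "__main__":
    for (port, cause), c in summarize(SAMPLE_LOG).items():
        print(f"{port} {cause}: disabled {c['disable']}x, recovered {c['recover']}x")
    print("recovery loops:", recovery_loops(SAMPLE_LOG))
```

The same two patterns cover every errdisable cause, so a dhcp-rate-limit loop on an access port (a host hammering the DHCP server, see the DHCP snooping post) shows up in the same report as a flapping cable.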


Aug 2 2008   6:43AM GMT

Show Commands in Cisco Routers and Layer 3 Switches (most commonly used), Series 1



Posted by: Yasir Irfan
Switches, Cisco, Routers, Cisco 2950, Cisco 6500, Cisco Tips, Cisco 3560, ASA/PIX, Cisco 525, PIX 525, Cisco 3745, Cisco 3750-E, Cisco 3560-E, Show commands, IOS commands, Router Troubleshooting

Some of the widely used commands on Cisco routers are simply unavoidable, and among the most commonly used are the show commands. These commands are essential to network administrators. Here is a list of those commands, which I will try to cover in two parts. Here is the first part.

1. show running-config

The show running-config command shows the complete current running configuration of a router, firewall or switch. Using it, a network administrator can troubleshoot almost all issues related to routing, filtering, secure access, encapsulation, interface mismatches and more. Its output includes any passwords, keys and community strings that are not stored as hashes, so handle saved copies with the same care as the device itself.

2. show startup-config

The show startup-config command shows the configuration saved in NVRAM. It is helpful for knowing the configuration that will be applied the next time the router is reloaded, and for seeing the configuration that was loaded at start-up before changes were made to it. If the running and startup configurations differ, someone has made changes that have not been saved.

3. show interface

The show interface command shows the status and statistics of the router's interfaces and is useful for troubleshooting routing and link issues. Its output includes the interface status, IP address and subnet mask, line protocol status, encapsulation type, bandwidth, utilization and error counters, along with much more information about the interface's operation.

4. Show ip route

The show ip route command shows the router's routing table: each destination network, the routing protocol or static entry it was learned from, the next hop and the outgoing interface. It is the first command to use when troubleshooting routing problems.

5. Show ip protocols

The show ip protocols command displays the routing protocols configured on the router, the networks they are advertising and the sources of the routing updates received. It is very helpful for troubleshooting routing issues.