Network Ninja

The Long Road to Cisco

Tag Archive for 'management'

Cisco sets a Target with their new Collaboration Portfolio

Published by Deon Botha on September 24, 2008 in Asides, Cisco Systems and Vine. 0 Comments

Cisco Telepresence Unit

I’m bogged down at the moment with HP Partnership Management work and haven’t been making posts on Network Ninja (never mind touching CCNP books or getting organized with putting my lab together), so don’t feel left out if you feel I have been neglecting updates; I feel like I am running backwards fast on getting my CCNP done.

I haven’t had time for anything else either, like seeing clients, making sales, doing installations or even going into the office :-) (I’m not really complaining all that much about the last one). I’ve moved my “office” to my house and for the time being haven’t seen any other room but my study and bedroom. Teleworking is really the bomb; rolling out of bed and getting straight to work suits me just fine (for a while), though I kind of like separating my home and work life when it gets down to it.

I did however break my self-inflicted work isolation to attend the brief for the new collaboration portfolio, hosted by Christopher Thompson, Senior Director for Solutions Marketing at Cisco, via Telepresence (ooooh!! very nice kit this). This was the first time I was actually in the room attending a meeting using the Cisco Telepresence (above) solution; Chris was in Europe and we were in South Africa, and let me tell you, when I grow up one day I am getting one of these! My web cam just doesn’t cut it any more. A little off-topic: I did a post on Telepresence a while ago and I did say that everyone should organize a demo for themselves (call Cisco and ask), because let me tell you, impressive does not cover this solution; it’s really amazing!

After the meeting ended we chatted with Chris for a while and he mentioned that by Friday (that is Friday the 26th, not next Friday) he will have done 300 presentations to press and other parties all over the world on the Collaboration Portfolio. Imagine the cost savings Cisco realised in one week by doing these Telepresence meetings versus sending multiple people like Chris (a Senior Director, mind you) all over the world to do these briefings for the pre-launch. AND this is just one event; they do this all the time!

I am going to say it again to any corporate or mid-sized company that is interested in Telepresence to cut down travel costs for meetings where they have multiple locations, either nationally or internationally: organise a demo by calling Cisco or a local partner; you won’t look back. Back to the topic.

Collaboration

The concept of collaboration in the workplace (also during degree training at universities) has been a hot topic for a while, and many vendors (IT or not) have positioned products, services and bundled solutions in this space because of its “importance” in $$$ terms. Whether these products are new and engineered to meet this need, or old re-boxed marketing/advertising spins, is another topic for another day.

The importance of collaboration cannot be discounted, however, as maximizing the ease, effectiveness and efficiency of communication, sharing, meetings and abilities inter- and intra-company drives a higher return on investment per project: more can be done, more effectively, in less time, with more ease, without the need for any re-work, and without work lost because of crossed wires and misunderstanding.

Collaboration with Cisco

The Cisco Collaboration Portfolio is designed and engineered to work with you the way you work. That’s whether you are 20 or 50, the CEO or the grad student doing the coffee run. Cisco realises that people, companies and age groups are different, and they have modeled an open solution portfolio to suit the way in which individual companies work and the way the individuals in the company like to work.

The solution will work even in mixed deployment environments where Microsoft, Linux, OSX and others play, as it was made to be operating system independent. There is deeper linking with vendors like IBM and Microsoft (if that matters). The portfolio scales from small to super-size by being either hosted on demand (SaaS), mixed hosted and on-premises, or totally on-premises. The portfolio will help accelerate business processes, increase productivity and speed innovation by bringing people together and helping them work more efficiently and effectively together.

The Portfolio consists of Unified Communications, Video (Telepresence) and new Web 2.0 application platforms, all of which leverage the network as a platform to enable people to connect, communicate and collaborate from ANY WORKSPACE (Microsoft, Apple, Linux and even smartphones) without degradation of service or a change of experience.

The Portfolio works the way you do and is designed to integrate with business applications, existing IT infrastructure and other web services (if it has an API it can integrate; examples are Google, Flickr and Salesforce), allowing developers and partners to develop and create customized applications and network-based services.

The Portfolio includes some of the following key products and solutions:

Cisco Unified Communications Release 7.0

Cisco Unified Communications System Release 7.0 enables collaboration so that organisations can quickly adapt to market changes and improve competitive advantage through speed and innovation. Accelerating the deployment of unified communications requires the ability to leverage existing infrastructure and applications.

It offers enhancements to its applications development environment and provides deeper integration with desktop products from IBM and Microsoft. Mobility enhancements extend productivity features across every workspace.

Cisco Unified Mobile Communicator now supports devices running on Windows Mobile as well as Symbian and Blackberry with support for Apple iPhone coming soon. Cisco UC Release 7.0 continues to drive down system and management costs by increasing Cisco Unified Presence scalability to 30,000 users and Cisco Unity to 15,000 users on a single server and by optimizing network management through an easy-to-use appliance deployment environment.

Unified workspace

Cisco TelePresence Expert on Demand

Cisco TelePresence Expert on Demand integrates Cisco Unified Communications and Cisco Unified Contact Center with the immersive “in person” experience of Telepresence to transform the way organisations deliver high-touch customer and point of sale services.

It enables customers to connect with subject-matter experts for tailored, in-person service at the touch of a button. This gives users the ability to summon expert assistance directly in a Cisco TelePresence meeting or use a dedicated customer-facing Cisco TelePresence endpoint and get face-to-face assistance.

An organisation can choose to configure Cisco TelePresence Expert on Demand with a direct assistance number, a hunt group, or its Cisco Unified Contact Centre deployment. In the latter case, a user will be connected to an appropriate agent via skills-based routing.

Cisco WebEx Connect

Cisco WebEx Connect is a cloud-based application platform for collaborative business mashups. It includes a number of standard applications including enterprise instant messaging, team spaces, document management, calendaring and wikis, which can be combined with third party widgets built using open APIs, enabling companies to work from a single workspace. Extensive administrative controls support enterprise policy, security and compliance requirements to enable highly secure inter-company collaboration.

WebEx Connect works with the Cisco Unified Communications system to deliver seamless communication capabilities within the context of a collaborative mash-up.

More Information:

Cisco Collaboration Homepage

Cisco Unified Communications 7.0

Thanks

Thanks goes out to JP and Jonathan for the Invite to the Brief.

Linksys Brand to Disappear

Published by Deon Botha on August 28, 2008 in Asides, Cisco Systems and Vine. 1 Comment

Cisco acquired Linksys back in 2003 and the Linksys brand has been around in some way or form since then, kind of. I haven’t had problems with the product myself, but I have had logistics problems with the brand, and this comes up-channel from various distributors who can’t promise due dates and shipping from Linksys.

This is a problem for the Linksys brand because, although the brand as a whole has a great price point for the Home, Home Office (SOHO) and Small and Medium Business (SMB) market segments, the availability sucks, and not being able to promise delivery or give an indication of delivery makes using the brand as a plausible solution pointless. While an enterprise customer might be willing to understand and “deal” with the fact that no stock of their class of products is kept in an emerging market and that the lead time to delivery is longer, that understanding is lacking with SMB customers, where deals are lost on cents and on the ability to start installation tomorrow.

There was talk about a year back from the channel and some of my networking buddies that the Linksys brand would be integrated into the Cisco “stable” for good, meaning that the Linksys brand would phase out totally and only one brand would emerge. There were obviously two views on this: one said “Great, Cisco all the way” and the other said “Linksys is a strong brand on its own, why kill it?”.

Be that as it may, the first steps of the brand integration process have started. How this whole change management process will work is that soon “Linksys, a division of Cisco” will become “Linksys by Cisco”, with Linksys and Cisco sharing as much product space and font size, and finally only “Cisco” will be on the packaging and product. This process happens over years to get customers used to the idea and the “new” packaging and branding, and it is the eventual process after the companies have assimilated into each other and adopted each other’s cultures and views.

I wasn’t around back in the day, but I suppose the Catalyst switching platform followed the same routine as this. I know that the IBM and Lexmark Printing and Imaging System did this back in the day.

BSCI Design Foundation – Network Models

Published by Deon Botha on July 25, 2008 in BSCI, BSCI Notes, Certification, Cisco Systems, Concepts and Constructs, ECNM, Enterprise Architecture, IIN and SONA. 0 Comments

Design – Hierarchical

Hierarchical Design

Where networks were once non-hierarchical (layer-1 design, layer-2 design, layer-3 design), they are now generally three-layer hierarchical in design (above). Cisco has used this model for years; it gave a high-level overview of how a reliable network could be conceived, but it was largely conceptual because it did not provide specific guidance on how to implement certain things, like:

  • Implementing redundancy,
  • Adding Internet Access,
  • Accounting for remote users,
  • Locating workgroup and enterprise services

Design – Enterprise Composite Network Model (ECNM)

Access-Distribution-Core ECNM

Revisions to the hierarchical design added redundant distribution and core devices and connections to make the hierarchical model more fault tolerant. The switch block design (above) explained how redundancy fits into a network, but still did not adequately specify other parts of the network design. This led to the development of the Enterprise Composite Network Model (ECNM) to address the shortcomings of both the hierarchical model and the switch block model.

This ECNM is broken into three large pieces:

  • Enterprise Campus,
  • Enterprise Edge,
  • Service Provider Edge.

Enterprise Composite Network Model

ECNM – Campus

The enterprise campus looks very much like the above switch block design with some added details:

  • Campus Backbone (like the core layer of the hierarchical model),
  • Building Distribution,
  • Building Access,
  • Management,
  • Server Farm (Enterprise Services).

The ECNM Campus builds onto the switch block design but gives specific guidance as to where to place servers and management equipment. Take note that the servers look like a switch block and are redundantly attached (dual-homed) to the switches (not really shown nicely in the diagram).

ECNM – Enterprise Edge

The Enterprise Edge shows the connections that the enterprise has with the wide area (other networks) and includes:

  • E-Commerce,
  • Remote Access,
  • Internet Connectivity,
  • WAN (Internal links to other branches).

ECNM – Service Provider Edge

The service provider edge includes the public networks that facilitate wide area (other networks) connectivity:

  • Internet Service Provider (ISP),
  • Public Switched Telephone Network (PSTN) for dialup,
  • Frame Relay, ATM, and PPP for private connections.

Multiplexing

Historically, voice traffic used one set of circuits and data traffic another. Also, if you wanted more than one “number”, the telecommunications company installed another physical line to your premises. If you wanted access to a data network, they installed a data line for that purpose.

With line technologies like the T-carrier system (USA, Japan, Korea), 24 pulse-code modulated, time-division multiplexed speech signals are carried over 2 copper pairs (I don’t know the details; I need to ask one of the engineers about this). This type of technology saved the telecommunications companies a lot of money in building out subscriber lines. The problem with T1 as a technology is that it cannot adjust as the customer’s usage requirements change (see the E-carrier system for Europe and other countries).

As technology changes, so do the requirements placed on that technology. Modern networks are designed to carry voice, video, enterprise applications, normal LAN traffic and management traffic all on the same single secure infrastructure (convergence). The traffic is forced (statistically multiplexed) to share access to the network.

Service-Orientated Network Architecture (SONA) and Intelligent Information Network (IIN)

As covered above under “Multiplexing”, a converged network is a system that integrates what were previously disparate systems (voice, video, data). The traffic types usually found on a converged network would include, but may not be limited to:

  • voice signalling and bearer traffic,
  • Core application traffic (ERP and CRM),
  • Transactional traffic related to database interactions (SQL),
  • Network management traffic for monitoring and maintaining the network structure (including routing protocol traffic),
  • Multicast multimedia,
  • Other traffic (web, e-mail, file transfer).

Each of the above traffic types has its own requirements and expectations that govern its successful execution. These requirements include security, QoS, transmission capacity, and delay.

To support this kind of multiplexed traffic, Cisco routers are able to implement filtering, compression, prioritization, and policing (dedicating network capacity). Except for the filtering process these processes are collectively known as QoS.

As an alternative to QoS, Cisco has a vision called the Intelligent Information Network (IIN). This vision describes a network that integrates network and application functionality cooperatively, allowing the network to be “smart” about how it handles traffic to minimize the footprint of applications. The IIN evolution is described in three phases:

  • Phase 1: Integrated Transport, deals with a converged network, built along similar lines to the ECNM and based on open standards (cross-compatibility).
  • Phase 2: Integrated Services, posits virtualization of resources such as servers, storage and network access, to move to an “on-demand” model. Don’t think marketing/advertising “virtualization”; think practical virtualization: the ISR routers (routing, switching, voice, network management, security and wireless) designed as an AIO (all-in-one) appliance, and virtualizing servers (if you have servers properly designed for the job). You can’t be trying this on SMB servers or recycling 10-year-old technology and thinking “bargain, let’s load 5 operating systems on this”.
  • Phase 3: Integrated Applications, using application-oriented networking (AON) to make the network “aware”, allowing the network to actively monitor and participate in service delivery.

Service-Orientated Network Architecture (SONA) is the practical application or “how-to” of IIN in enterprise networks. SONA breaks IIN down into three layers:

  • SONA Infrastructure Layer is basically the same as IIN Phase 1,
  • SONA interactive Services Layer maps to IIN Phase 2,
  • SONA Application Layer has the same concepts as IIN Phase 3.

Resources:

Aragoen Celtdra on BSCI: Network Architecture and Design

Notes and Notices:

This is a part of my personal BSCI notes and research to assist myself in learning and understanding the concepts and theory for the BSCI exam. I learn by making notes, reading and writing things down, and I wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements for Cisco recognized and authorized training, which I personally support and attend and suggest you undertake if you are going for the BSCI Certification.

EMEA Cisco Recruiting

Published by Deon Botha on July 3, 2008 in Cisco Systems and Vine. 2 Comments

This may be old-ish news, but I found this interesting. This is a Cisco initiative to help channel partners address the technology skills shortfall with a new Partner Talent Portal in the Middle East and Africa. Stories like this always lead me off the beaten track and thinking about interconnected things (I’m weird, that’s what makes me special).

Demand and Supply

The management side of me finds this interesting. It’s probably more complex than this explanation, but these are the basics of something called supply and demand (which is something I got drilled into my head when I was studying). The graph basically shows a single supply source for qualified individuals (that would be you and me) and a radical change in demand (market-driven demand from channel partners and even Cisco); if you are wondering, the other axis (not market) is generally what your pay might be as demand increases.

In times when there is growth (2010 World Cup in South Africa, good economic conditions recently) there is a strong demand for “skilled” individuals (skill + experience). This creates a supply problem, because there is then a short supply to fill the demand, due to (1) a skill shortage, in this case in the form of certified individuals, and (2) the certified individuals having no real-world experience.

This will always happen when there is a rapid upturn in the market: supply lags behind demand because oversupply is in most cases expensive (having certified individuals on staff with nothing to do) and counterproductive (carrying the expense of certifying individuals when there is no work or need for them). There are many factors that play on this that I haven’t included, because this can get overly complicated fairly quickly if you consider them; for example, in a South African context, the massive skilled brain drain to other more developed markets, political factors, crime, local employment and training policies employed by companies, private sector willingness to skill and give experiential training, etc.

What is and will be interesting about this scenario is what will happen in the short- to long-term future with the downturn in the global market. What I have already encountered (in the last couple of months) is that customers are less willing to undertake CAPEX spending (uncertainty about what will happen in the short to near term), which is bad, as networking and network equipment is seen as a CAPEX spend.

If doom and gloom is on the horizon, it doesn’t however mean the end of the world, as OPEX spending to keep operations going will continue in the form of maintenance of currently installed equipment (which still needs certified, skilled individuals to maintain it). The only difference will be that the lifecycle of installed kit will be extended, as customers will hold onto their kit longer to squeeze the return on investment ratio dry, or until the kit actually breaks.

Thanks goes to JP for the heads up.

BCMSN Trunking Lab 3

Published by Deon Botha on June 10, 2008 in BCMSN, Certification, Cisco Systems and Trunk. 2 Comments

LAB 1 BCMSN

I’m grafting, so quantity over quality… I will go over this sometime this coming weekend for mistakes.

Trunking

This lab builds directly onto the previous lab, where the default VLAN was shut and a new VLAN was created (basically to give practice in creating a VLAN). This lab will now create trunk links between switches to allow more than a single VLAN’s traffic to traverse a link. If you are wondering why I am explicitly declaring trunks instead of allowing DTP to do its thing, read this, and this.

Distribution Switch 1

Step 1: Setup the basics. All of the following is CCNA level stuff and should be easy, if not second nature. This is to get the security and host name down before going onto the interface configuration.

Enter Privileged Mode
switch>enable
Enter Global Configuration Mode
switch#configure terminal
Change the hostname of the switch
switch(config)#hostname DSW1
Enable secret and password
DSW1(config)#enable secret ciscosystems
DSW1(config)#enable password cisco
Setup a local user database
DSW1(config)#username admin@mydomain.com privilege 15 password cisco
Setup the console port password
DSW1(config)#line con 0
DSW1(config-line)#login local
DSW1(config-line)#exit
Setup the Virtual Teletype Terminal (VTY) Password
DSW1(config)#line vty 0 4
DSW1(config-line)#password cisco
DSW1(config-line)#login
DSW1(config-line)#exit
Setup the Auxiliary Password
DSW1(config)#line aux 0
DSW1(config-line)#no exec
DSW1(config-line)#exit

Step 2: Setup the management interface

Setup the default VLAN IP address for remote IP administration (a GUI, if there were one, or Telnet to the switch)
DSW1(config)#interface vlan 1
DSW1(config-if)#ip address 192.168.1.1 255.255.255.0
NB I am shutting the interface
DSW1(config-if)#shut
DSW1(config-if)#exit

Step 3: Assign an ip address to the new VLAN to ping

Setup the VLAN 100 IP address for remote IP administration (a GUI, if there were one, or Telnet to the switch)
DSW1(config)#interface vlan 100
DSW1(config-if)#ip address 192.168.100.1 255.255.255.0
DSW1(config-if)#no shut
DSW1(config-if)#exit

Step 4: Setup other interfaces

Setup Fastethernet Interfaces
DSW1(config)#interface fastethernet 0/1
DSW1(config-if)#description DSW1 - ASW1
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/2
DSW1(config-if)#description DSW1 - ASW1
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/3
DSW1(config-if)#description DSW1 - ASW2
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/4
DSW1(config-if)#description DSW1 - ASW2
DSW1(config-if)#exit
Trunk VLAN 100 over Fa0/1 to 0/4
DSW1(config)#interface range fastethernet 0/1 - 4
DSW1(config-if-range)#speed 100
DSW1(config-if-range)#duplex auto
DSW1(config-if-range)#switchport
DSW1(config-if-range)#switchport trunk encapsulation dot1q
DSW1(config-if-range)#switchport trunk native vlan 1
DSW1(config-if-range)#switchport trunk allowed vlan 1,100
DSW1(config-if-range)#switchport mode trunk
DSW1(config-if-range)#exit
DSW1(config)#interface fastethernet 0/11
DSW1(config-if)#description DSW1 - DSW2
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/12
DSW1(config-if)#description DSW1 - DSW2
DSW1(config-if)#exit
Trunk VLAN 100 over Fa0/11 and 0/12
DSW1(config)#interface range fastethernet 0/11 - 12
DSW1(config-if-range)#speed 100
DSW1(config-if-range)#duplex auto
DSW1(config-if-range)#switchport
DSW1(config-if-range)#switchport trunk encapsulation dot1q
DSW1(config-if-range)#switchport trunk native vlan 1
DSW1(config-if-range)#switchport trunk allowed vlan 1,100
DSW1(config-if-range)#switchport mode trunk
DSW1(config-if-range)#exit

Step 5: Shut down non-used interfaces

Administratively shut down all ports not connected
DSW1(config)#interface range fastethernet 0/5 - 10
DSW1(config-if-range)#shut
DSW1(config-if-range)#exit
Exit Global Configuration Mode
DSW1(config)#exit

Step 6: Check your work

Check that you named the interfaces correctly, haven’t missed a connected interface, and that the duplex and speed settings are correct
DSW1#show interfaces status
Show the VLANs that are configured
DSW1#show vlan
Show the switchport settings; you can change fastethernet 0/4 to any active port
DSW1#show interface fastethernet 0/4 switchport
Show which interfaces are trunking
DSW1#show interfaces trunk
Show the running configuration
DSW1#show run

Step 7: Save your work

Copy the running configuration to the startup configuration. I got into the bad habit of doing this the other way around for a while (did it in an exam)... oops, copy start run
DSW1#copy run start

Distribution Switch 2

Step 1: Setup the basics. All of the following is CCNA level stuff and should be easy, if not second nature. This is to get the security and host name down before going onto the interface configuration.

Enter Privileged Mode
switch>enable
Enter Global Configuration Mode
switch#configure terminal
Change the hostname of the switch
switch(config)#hostname DSW2
Enable secret and password
DSW2(config)#enable secret cisco
DSW2(config)#enable password cisco
Setup a local user database
DSW2(config)#username admin@mydomain.com privilege 15 password cisco
Setup the console port password
DSW2(config)#line con 0
DSW2(config-line)#login local
DSW2(config-line)#exit
Setup the Virtual Teletype Terminal (VTY) Password
DSW2(config)#line vty 0 4
DSW2(config-line)#password cisco
DSW2(config-line)#login
DSW2(config-line)#exit
Setup the Auxiliary Password
DSW2(config)#line aux 0
DSW2(config-line)#no exec
DSW2(config-line)#exit

Step 2: Setup the management interface

Setup the default VLAN IP address for remote IP administration (a GUI, if there were one, or Telnet to the switch)
DSW2(config)#interface vlan 1
DSW2(config-if)#ip address 192.168.1.50 255.255.255.0
NB I am shutting the interface
DSW2(config-if)#shut
DSW2(config-if)#exit

Step 3: Assign an ip address to the new VLAN to ping

Setup the VLAN 100 IP address
DSW2(config)#interface vlan 100
DSW2(config-if)#ip address 192.168.100.50 255.255.255.0
DSW2(config-if)#no shut
DSW2(config-if)#exit

Step 4: Setup other interfaces

Setup Fastethernet Interfaces (descriptions name this switch, DSW2, and the far end)
DSW2(config)#interface fastethernet 0/1
DSW2(config-if)#description DSW2 - ASW1
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/2
DSW2(config-if)#description DSW2 - ASW1
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/3
DSW2(config-if)#description DSW2 - ASW2
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/4
DSW2(config-if)#description DSW2 - ASW2
DSW2(config-if)#exit
Trunk VLAN 100 over Fa0/1 to 0/4
DSW2(config)#interface range fastethernet 0/1 - 4
DSW2(config-if-range)#speed 100
DSW2(config-if-range)#duplex full
DSW2(config-if-range)#switchport
DSW2(config-if-range)#switchport trunk encapsulation dot1q
DSW2(config-if-range)#switchport trunk native vlan 1
DSW2(config-if-range)#switchport trunk allowed vlan 1,100
DSW2(config-if-range)#switchport mode trunk
DSW2(config-if-range)#exit
DSW2(config)#interface fastethernet 0/11
DSW2(config-if)#description DSW1 - DSW2
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/12
DSW2(config-if)#description DSW1 - DSW2
DSW2(config-if)#exit
Trunk VLAN 100 over Fa0/11 and 0/12
DSW2(config)#interface range fastethernet 0/11 - 12
DSW2(config-if-range)#speed 100
DSW2(config-if-range)#duplex full
DSW2(config-if-range)#switchport
DSW2(config-if-range)#switchport trunk encapsulation dot1q
DSW2(config-if-range)#switchport trunk native vlan 1
DSW2(config-if-range)#switchport trunk allowed vlan 1,100
DSW2(config-if-range)#switchport mode trunk
DSW2(config-if-range)#exit

Step 5: Shut down non-used interfaces

Administratively shut down all ports not connected
DSW2(config)#interface range fastethernet 0/5 - 10
DSW2(config-if-range)#shut
DSW2(config-if-range)#exit
Exit Global Configuration Mode
DSW2(config)#exit

Step 6: Check your work

Check that you named the interfaces correctly, haven’t missed a connected interface, and that the duplex and speed settings are correct
DSW2#show interfaces status
Show the VLANs that are configured
DSW2#show vlan
Show the switchport settings; you can change fastethernet 0/4 to any active port
DSW2#show interface fastethernet 0/4 switchport
Show which interfaces are trunking
DSW2#show interfaces trunk
Show the running configuration
DSW2#show run

Step 7: Save your work

Copy the running configuration to the startup configuration. I got into the bad habit of doing this the other way around for a while (did it in an exam)... oops, copy start run
DSW2#copy run start

Access Switch 1

Step 1: Setup the basics. All of the following is CCNA level stuff and should be easy, if not second nature. This is to get the security and host name down before going onto the interface configuration.

Enter Privileged Mode
switch>enable
Enter Global Configuration Mode
switch#configure terminal
Change the hostname of the switch
switch(config)#hostname ASW1
Enable secret and password
ASW1(config)#enable secret cisco
ASW1(config)#enable password cisco
Setup a local user database
ASW1(config)#username admin@mydomain.com privilege 15 password cisco
Setup the console port password
ASW1(config)#line con 0
ASW1(config-line)#login local
ASW1(config-line)#exit
Setup the Virtual Teletype Terminal (VTY) Password
ASW1(config)#line vty 0 4
ASW1(config-line)#password cisco
ASW1(config-line)#login
ASW1(config-line)#exit
Setup the Auxiliary Password
ASW1(config)#line aux 0
ASW1(config-line)#no exec
ASW1(config-line)#exit

Step 2: Setup the management interface

Setup the default VLAN IP address for remote IP administration (a GUI, if there were one, or Telnet to the switch)
ASW1(config)#interface vlan 1
ASW1(config-if)#ip address 192.168.1.100 255.255.255.0
NB I am shutting the interface
ASW1(config-if)#shut
ASW1(config-if)#exit

Step 3: Assign an ip address to the new VLAN to ping

Create VLAN 100 and Configure Interface (in global configuration the VLAN name is set in config-vlan mode, not on the vlan line itself)
ASW1(config)#vlan 100
ASW1(config-vlan)#name Marketing
ASW1(config-vlan)#exit
ASW1(config)#interface vlan 100
ASW1(config-if)#ip address 192.168.100.100 255.255.255.0
ASW1(config-if)#no shut
ASW1(config-if)#exit

Step 4: Setup other interfaces

Setup Fastethernet Interfaces
ASW1(config)#interface fastethernet 0/1
ASW1(config-if)#description DSW1 - ASW1
ASW1(config-if)#exit
ASW1(config)#interface fastethernet 0/2
ASW1(config-if)#description DSW1 - ASW1
ASW1(config-if)#exit
ASW1(config)#interface fastethernet 0/3
ASW1(config-if)#description DSW2 - ASW1
ASW1(config-if)#exit
ASW1(config)#interface fastethernet 0/4
ASW1(config-if)#description DSW2 - ASW1
ASW1(config-if)#exit
Trunk VLAN 100 over Fa0/1 to 0/4
ASW1(config)#interface range fastethernet 0/1 - 4
ASW1(config-if-range)#speed 100
ASW1(config-if-range)#duplex full
ASW1(config-if-range)#switchport
ASW1(config-if-range)#switchport trunk encapsulation dot1q
ASW1(config-if-range)#switchport trunk native vlan 1
ASW1(config-if-range)#switchport trunk allowed vlan 1,100
ASW1(config-if-range)#switchport mode trunk
ASW1(config-if-range)#exit

Step 5: This is where the ASW and the DSW switches differ. This port connects to the workstation end-point, whereas the DSW switches use ports 11/12 to provide failover for the distribution layer.

Setup FastEthernet 0/12 at 10 Mb/s half duplex as an access-level end-point interface
ASW1(config)#interface fastethernet 0/12
ASW1(config-if)#description ASW1 - PC1
ASW1(config-if)#speed 10
ASW1(config-if)#duplex half
ASW1(config-if)#switchport
Make the port an access port
ASW1(config-if)#switchport mode access
Make the port an access port for VLAN 100
ASW1(config-if)#switchport access vlan 100
ASW1(config-if)#no shut
ASW1(config-if)#exit

Step 6: Shut down unused interfaces

Administratively shut down all ports not connected
ASW1(config)#interface range fastethernet 0/5 - 11
ASW1(config-if-range)#shut
ASW1(config-if-range)#exit
Exit Global Configuration Mode
ASW1(config)#exit

Step 7: Check your work

Check that you named the interfaces correctly, haven't missed a connected interface, and that the duplex and speed settings are correct
ASW1#show interfaces status
Show the VLANs that are configured
ASW1#show vlan
Show the switchport settings (substitute any active port for fastethernet 0/4)
ASW1#show interface fastethernet 0/4 switchport
Show which interfaces are trunking
ASW1#show interfaces trunk
Show the running configuration
ASW1#show run

Step 8: Save your work

Copy the running configuration to the startup configuration. I got into the bad habit of doing this the other way around for a while (did it in an exam)... oops, copy start run
ASW1#copy run start
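To make concrete what the trunk commands in Step 4 and the access-port commands in Step 5 do to a frame, here is an added Python model (example code, not from the original post) of how a switch port assigns an arriving frame to a VLAN and whether it tags the frame on the way out. The port objects mirror the lab (fe0/1 as a dot1q trunk with native VLAN 1 allowing VLANs 1 and 100, fe0/12 as an access port in VLAN 100); the MAC addresses and payload are constructed. It goes slightly beyond the lab in one respect: it shows that a frame arriving untagged on the trunk lands in the native VLAN, which here is VLAN 1, the same VLAN the management address sits on, which is why hardening guides recommend a dedicated unused VLAN as the native VLAN.

```python
"""Model of how access and dot1q trunk ports handle VLAN tags.

Added example, not from the original post. The ports mirror the lab:
Fa0/1-4 are dot1q trunks with native VLAN 1 allowing VLANs 1 and 100,
Fa0/12 is an access port in VLAN 100. MACs and payloads are constructed.
Frame layout follows Ethernet II: dst(6) src(6) [TPID 0x8100 TCI(2)]
ethertype(2) payload.
"""
import struct
from dataclasses import dataclass, field
from typing import FrozenSet, Optional

TPID_8021Q = 0x8100


@dataclass
class Port:
    name: str
    mode: str                       # "access" or "trunk"
    access_vlan: int = 1            # used when mode == "access"
    native_vlan: int = 1            # untagged VLAN on a trunk
    allowed: FrozenSet[int] = field(
        default_factory=lambda: frozenset(range(1, 4095)))


# Ports as the lab configures them (constructed to match the commands above)
TRUNK_FA0_1 = Port("Fa0/1", "trunk", native_vlan=1, allowed=frozenset({1, 100}))
ACCESS_FA0_12 = Port("Fa0/12", "access", access_vlan=100)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet II frame; insert an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        if not 0 <= vid <= 4095:
            raise ValueError("VID out of range")
        tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)   # PCP(3) DEI(1) VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tag(frame: bytes) -> Optional[int]:
    """Return the VID if the frame carries an 802.1Q tag, else None."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0xFFF if tpid == TPID_8021Q else None


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte 802.1Q tag if present."""
    return frame[:12] + frame[16:] if parse_tag(frame) is not None else frame


def ingress_vlan(port: Port, frame: bytes) -> Optional[int]:
    """VLAN the switch assigns to a frame arriving on `port`; None = dropped."""
    vid = parse_tag(frame)
    if port.mode == "access":
        # An access port puts everything into its access VLAN; a tag for any
        # other VLAN is not accepted.
        return port.access_vlan if vid in (None, port.access_vlan) else None
    # On a trunk an untagged (or priority-tagged, VID 0) frame belongs to the
    # native VLAN: with native VLAN 1, "untagged" means "VLAN 1".
    vlan = port.native_vlan if vid in (None, 0) else vid
    return vlan if vlan in port.allowed else None


def egress_frame(port: Port, vlan: int, frame: bytes) -> Optional[bytes]:
    """Frame as it leaves `port` for traffic in `vlan`; None = not forwarded."""
    untagged = strip_tag(frame)
    if port.mode == "access":
        return untagged if vlan == port.access_vlan else None
    if vlan not in port.allowed:                 # pruned by 'allowed vlan'
        return None
    if vlan == port.native_vlan:                 # native VLAN leaves untagged
        return untagged
    ethertype = struct.unpack("!H", untagged[12:14])[0]
    return build_frame(untagged[:6], untagged[6:12], ethertype,
                       untagged[14:], vid=vlan)


if __name__ == "__main__":
    pc = build_frame(b"\xff" * 6, bytes.fromhex("0011223344aa"), 0x0800, b"hello")
    vlan = ingress_vlan(ACCESS_FA0_12, pc)          # 100
    uplink = egress_frame(TRUNK_FA0_1, vlan, pc)     # tagged with VID 100
    print(f"PC frame enters VLAN {vlan}, leaves Fa0/1 tagged VID={parse_tag(uplink)}")
```

Run it as-is to follow one frame from PC1 through fe0/12 and out of the fe0/1 trunk; change `native_vlan` on `TRUNK_FA0_1` to an unused VLAN and the untagged-ingress case stops landing in VLAN 1.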

Access Switch 2

Step 1: Set up the basics. All of the following is CCNA-level stuff and should be easy, if not second nature. This is to get the security and hostname down before going on to the interface configuration.

Enter Privileged Mode
switch>enable
Enter Global Configuration Mode
switch#configure terminal
Change the hostname of the switch
switch(config)#hostname ASW2
Enable secret and password
ASW2(config)#enable secret cisco
ASW2(config)#enable password cisco
Set up a local user database
ASW2(config)#username admin@mydomain.com privilege 15 password cisco
Set up console login against the local user database
ASW2(config)#line con 0
ASW2(config-line)#login local
ASW2(config-line)#exit
Disable exec sessions on the auxiliary line
ASW2(config)#line aux 0
ASW2(config-line)#no exec
ASW2(config-line)#exit
Set up the Virtual Teletype (VTY) password
ASW2(config)#line vty 0 4
ASW2(config-line)#password cisco
ASW2(config-line)#login
ASW2(config-line)#exit

Step 2: Set up the management interface

Set up an IP address on the default VLAN for remote IP administration (if there were a GUI) and for Telnet to the switch
ASW2(config)#interface vlan 1
ASW2(config-if)#ip address 192.168.1.200 255.255.255.0
NB I am shutting the interface
ASW2(config-if)#shut
ASW2(config-if)#exit

Step 3: Assign an IP address to the new VLAN so it can be pinged

Create VLAN 100, name it, and configure its interface (the name is set in VLAN configuration mode, not on the same line)
ASW2(config)#vlan 100
ASW2(config-vlan)#name Marketing
ASW2(config-vlan)#exit
ASW2(config)#interface vlan 100
ASW2(config-if)#ip address 192.168.100.200 255.255.255.0
ASW2(config-if)#no shut
ASW2(config-if)#exit

Step 4: Set up other interfaces

Set up the FastEthernet interfaces (on ASW2 fe0/1-2 go to DSW2 and fe0/3-4 to DSW1)
ASW2(config)#interface fastethernet 0/1
ASW2(config-if)#description ASW2 - DSW2
ASW2(config-if)#exit
ASW2(config)#interface fastethernet 0/2
ASW2(config-if)#description ASW2 - DSW2
ASW2(config-if)#exit
ASW2(config)#interface fastethernet 0/3
ASW2(config-if)#description ASW2 - DSW1
ASW2(config-if)#exit
ASW2(config)#interface fastethernet 0/4
ASW2(config-if)#description ASW2 - DSW1
ASW2(config-if)#exit
Configure fe0/1 to 0/4 as dot1q trunks with native VLAN 1, carrying VLANs 1 and 100
ASW2(config)#interface range fastethernet 0/1 - 4
ASW2(config-if-range)#speed 100
ASW2(config-if-range)#duplex full
ASW2(config-if-range)#switchport
ASW2(config-if-range)#switchport trunk encapsulation dot1q
ASW2(config-if-range)#switchport trunk native vlan 1
ASW2(config-if-range)#switchport trunk allowed vlan 1,100
ASW2(config-if-range)#switchport mode trunk
ASW2(config-if-range)#exit

Step 5: This is where the ASW and DSW switches differ. On the access switch this port connects to the workstation end-point, whereas the DSW switches use ports 11/12 to provide failover for the distribution layer

Set up FastEthernet 0/12 at 10 Mb/s half duplex as an access-layer end-point interface
ASW2(config)#interface fastethernet 0/12
ASW2(config-if)#description ASW2 - PC2
ASW2(config-if)#speed 10
ASW2(config-if)#duplex half
ASW2(config-if)#switchport
Set the port to access mode
ASW2(config-if)#switchport mode access
Make the port an access port for VLAN 100
ASW2(config-if)#switchport access vlan 100
ASW2(config-if)#no shut
ASW2(config-if)#exit

Step 6: Shut down unused interfaces

Administratively shut down all ports not connected
ASW2(config)#interface range fastethernet 0/5 - 11
ASW2(config-if-range)#shut
ASW2(config-if-range)#exit
Exit Global Configuration Mode
ASW2(config)#exit

Step 7: Check your work

Check that you named the interfaces correctly, haven't missed a connected interface, and that the duplex and speed settings are correct
ASW2#show interfaces status
Show the VLANs that are configured
ASW2#show vlan
Show the switchport settings (substitute any active port for fastethernet 0/4)
ASW2#show interface fastethernet 0/4 switchport
Show which interfaces are trunking
ASW2#show interfaces trunk
Show the running configuration
ASW2#show run

Step 8: Save your work

Copy the running configuration to the startup configuration. I got into the bad habit of doing this the other way around for a while (did it in an exam)... oops, copy start run
ASW2#copy run start
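Step 1 of both access-switch configs above sets the enable secret and enable password, the local user, and the console, aux and VTY lines, and Step 4 puts native VLAN 1 on the trunks. Here is an added Python audit (example code, not from the original post) that parses a running-config into top-level sections and flags the settings a reviewer would want changed in that Step 1: an `enable password` alongside the `enable secret` (the former is stored reversibly, as cleartext or type 7), `username ... password` instead of `username ... secret`, a VTY line that uses a shared `password` with `login` rather than `login local`, no `transport input ssh` on the VTY line, and trunks whose native VLAN is VLAN 1 or a VLAN that carries a management address. `WEAK_CONFIG` is constructed to mirror what the lab commands produce, `HARDENED_CONFIG` is the same switch with those points fixed, and the type-5 hashes are placeholders.

```python
"""Audit a Cisco IOS running-config for weak settings from the lab's Step 1.

Added example, not from the original post. WEAK_CONFIG is constructed to
mirror what the ASW1/ASW2 commands produce; HARDENED_CONFIG is the same
switch with the findings fixed. The type-5 hashes are placeholders.
"""
import re
from typing import List, Set, Tuple

Section = Tuple[str, List[str]]   # (top-level command, indented children)

WEAK_CONFIG = """\
enable secret 5 $1$xxxx$PLACEHOLDER-NOT-A-REAL-HASH
enable password cisco
username admin@mydomain.com privilege 15 password 0 cisco
interface FastEthernet0/1
 description ASW1 - DSW1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,100
 switchport mode trunk
interface Vlan1
 ip address 192.168.1.100 255.255.255.0
 shutdown
interface Vlan100
 ip address 192.168.100.100 255.255.255.0
line vty 0 4
 password cisco
 login
end
"""

HARDENED_CONFIG = """\
enable secret 5 $1$xxxx$PLACEHOLDER-NOT-A-REAL-HASH
username admin@mydomain.com privilege 15 secret 5 $1$xxxx$PLACEHOLDER-NOT-A-REAL-HASH
interface FastEthernet0/1
 description ASW1 - DSW1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 100
 switchport mode trunk
interface Vlan1
 shutdown
interface Vlan100
 ip address 192.168.100.100 255.255.255.0
line vty 0 4
 login local
 transport input ssh
end
"""


def parse_sections(config: str) -> List[Section]:
    """Group IOS config into top-level commands and their indented children."""
    sections: List[Section] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!") or line == "end":
            continue
        if raw.startswith(" ") and sections:     # IOS indents sub-commands
            sections[-1][1].append(line.strip())
        else:
            sections.append((line, []))
    return sections


def audit(config: str) -> List[str]:
    """One finding per weak setting, in config order; empty list means clean."""
    secs = parse_sections(config)
    mgmt: Set[int] = set()          # SVIs with an address = management VLANs
    for h, body in secs:
        m = re.fullmatch(r"interface Vlan(\d+)", h)
        if m and any(b.startswith("ip address") for b in body):
            mgmt.add(int(m.group(1)))
    findings: List[str] = []
    for h, body in secs:
        if h.startswith("enable password"):
            findings.append("enable password: stored reversibly (cleartext or "
                            "type 7); keep only enable secret")
        m = re.match(r"username (\S+) .*\bpassword\b", h)
        if m:
            findings.append(f"username {m.group(1)}: reversible 'password'; "
                            "use 'username ... secret'")
        if h.startswith("interface") and "switchport mode trunk" in body:
            native = next((int(b.split()[-1]) for b in body
                           if b.startswith("switchport trunk native vlan")), 1)
            if native == 1 or native in mgmt:
                findings.append(f"{h}: native VLAN {native} is VLAN 1 or a "
                                "management VLAN; use a dedicated unused VLAN")
        if h.startswith("line vty"):
            if "login" in body and "login local" not in body:
                findings.append(f"{h}: shared line password; use 'login local' "
                                "so each admin has an account")
            if "transport input ssh" not in body:   # exact match, simplified
                findings.append(f"{h}: no 'transport input ssh'; Telnet sends "
                                "the password in cleartext")
    return findings
```

`audit(WEAK_CONFIG)` returns five findings and `audit(HARDENED_CONFIG)` returns none; paste the output of `show run` from the lab switch into `audit()` to check your own config the same way.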

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

BCMSN VLAN-ing Lab 2

Published
by
Deon Botha
on June 10, 2008
in BCMSN, Certification, Cisco Systems, Concepts and Constructs and VLAN
. 1 Comment

LAB 1 BCMSN

The way of the VLAN

Looking back over the previous config done on the switches, you will remember that all switches were part of VLAN 1 (the default VLAN). If you don't know this, or don't know where I pulled this information from, issue this command:

ASW1#show interfaces status

The output will show the interface, the description of the interface, status, VLAN, duplex, speed and the type of connection (all ports belong to the default VLAN, i.e. VLAN 1, unless told otherwise).
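As an added example (not part of the original post) of turning that output into the check the labs' "Check your work" step asks for, here is a Python script that parses constructed `show interfaces status` output in the column layout just described and reports ports that are connected without a description, ports running at a speed or duplex other than the lab intends, and ports that are `notconnect` but not administratively shut down (which IOS shows as `disabled`). `SAMPLE` is constructed to look like ASW1 after the lab, and `EXPECTED` is an assumption about what the ASW1 config should produce.

```python
"""Check `show interfaces status` output against what the lab intends.

Added example, not from the original post. SAMPLE is constructed in the
column layout the post describes (Port, Name, Status, Vlan, Duplex, Speed,
Type); EXPECTED is an assumption about what the ASW1 config should produce.
"""
from typing import Dict, List, Tuple

SAMPLE = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1     ASW1 - DSW1        connected    100        a-full  a-100 10/100BaseTX
Fa0/2     ASW1 - DSW1        connected    100        a-full  a-100 10/100BaseTX
Fa0/3                        connected    100        a-half  a-100 10/100BaseTX
Fa0/4     ASW1 - DSW2        connected    100        a-full  a-100 10/100BaseTX
Fa0/5                        notconnect   1            auto   auto 10/100BaseTX
Fa0/6                        disabled     1            auto   auto 10/100BaseTX
Fa0/12    ASW1 - PC1         connected    100          half     10 10/100BaseTX
"""

# (duplex, speed) each in-use port should be running at (assumption)
EXPECTED: Dict[str, Tuple[str, str]] = {
    "Fa0/1": ("full", "100"), "Fa0/2": ("full", "100"),
    "Fa0/3": ("full", "100"), "Fa0/4": ("full", "100"),
    "Fa0/12": ("half", "10"),
}


def _strip_auto(value: str) -> str:
    """IOS prefixes negotiated values with 'a-' (a-full, a-100)."""
    return value[2:] if value.startswith("a-") else value


def parse_status(output: str) -> List[Dict[str, str]]:
    """Turn each row into a dict. The last five columns are single tokens,
    so the description is whatever sits between the port and the status."""
    rows: List[Dict[str, str]] = []
    for line in output.splitlines()[1:]:            # skip the header row
        parts = line.split()
        if len(parts) < 6:
            if parts:
                raise ValueError(f"unexpected row: {line!r}")
            continue
        status, vlan, duplex, speed, ptype = parts[-5:]
        rows.append({"port": parts[0], "name": " ".join(parts[1:-5]),
                     "status": status, "vlan": vlan,
                     "duplex": _strip_auto(duplex), "speed": _strip_auto(speed),
                     "type": ptype})
    return rows


def audit(output: str, expected: Dict[str, Tuple[str, str]]) -> List[str]:
    """Findings in row order: the things the lab's check step asks for,
    plus unused ports that are merely unplugged rather than shut down."""
    findings: List[str] = []
    for r in parse_status(output):
        p = r["port"]
        if r["status"] == "connected":
            if not r["name"]:
                findings.append(f"{p}: connected but has no description")
            if p not in expected:
                findings.append(f"{p}: connected but not in the lab plan")
            elif (r["duplex"], r["speed"]) != expected[p]:
                findings.append(f"{p}: running {r['duplex']}/{r['speed']}, "
                                f"expected {expected[p][0]}/{expected[p][1]}")
        elif r["status"] == "notconnect":
            # The lab wants every unused port administratively down, which
            # shows as "disabled", not "notconnect".
            findings.append(f"{p}: unused port is not shut down")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, EXPECTED):
        print(finding)
```

On the constructed sample this reports three things: fe0/3 has no description, fe0/3 negotiated half duplex where the lab expects full, and fe0/5 is unplugged but was never shut down.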

To practice VLANs I am going to change some information from the initial config and add VLANs.

I am a glutton for punishment, I retype and redo all configurations when I am practising for an exam from scratch (I don’t run from saved, I redo). Try it, it’s a pain in the backside and takes longer but it means that you are forced to type the commands one at a time from memory (don’t take a shortcut and use notepad either, type each command, move between interfaces, keep track which interfaces you have completed and which you still have to do). It pays off at the end of the day and helps you logically organize how you configure IRL (In Real Life).

Distribution Switch 1

Step 1: Set up the basics. All of the following is CCNA-level stuff and should be easy, if not second nature. This is to get the security and hostname down before going on to the interface configuration.

Enter Privileged Mode
switch>enable
Enter Global Configuration Mode
switch#configure terminal
Change the hostname of the switch
switch(config)#hostname DSW1
Enable secret and password
DSW1(config)#enable secret ciscosystems
DSW1(config)#enable password cisco
Set up a local user database
DSW1(config)#username admin@mydomain.com privilege 15 password cisco
Set up console login against the local user database
DSW1(config)#line con 0
DSW1(config-line)#login local
DSW1(config-line)#exit
Set up the Virtual Teletype (VTY) password
DSW1(config)#line vty 0 4
DSW1(config-line)#password cisco
DSW1(config-line)#login
DSW1(config-line)#exit
Disable exec sessions on the auxiliary line
DSW1(config)#line aux 0
DSW1(config-line)#no exec
DSW1(config-line)#exit

Step 2: Set up the management interface

Set up an IP address on the default VLAN for remote IP administration (if there were a GUI) and for Telnet to the switch
DSW1(config)#interface vlan 1
DSW1(config-if)#ip address 192.168.1.1 255.255.255.0
NB I am shutting the interface
DSW1(config-if)#shut
DSW1(config-if)#exit

Step 3: Set up other interfaces

Set up the FastEthernet interfaces
DSW1(config)#interface fastethernet 0/1
DSW1(config-if)#description DSW1 - ASW1
DSW1(config-if)#speed 100
DSW1(config-if)#duplex auto
DSW1(config-if)#no shut
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/2
DSW1(config-if)#description DSW1 - ASW1
DSW1(config-if)#speed 100
DSW1(config-if)#duplex auto
DSW1(config-if)#no shut
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/3
DSW1(config-if)#description DSW1 - ASW2
DSW1(config-if)#speed 100
DSW1(config-if)#duplex auto
DSW1(config-if)#no shut
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/4
DSW1(config-if)#description DSW1 - ASW2
DSW1(config-if)#speed 100
DSW1(config-if)#duplex auto
DSW1(config-if)#no shut
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/11
DSW1(config-if)#description DSW1 - DSW2
DSW1(config-if)#speed 100
DSW1(config-if)#duplex auto
DSW1(config-if)#no shut
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/12
DSW1(config-if)#description DSW1 - DSW2
DSW1(config-if)#speed 100
DSW1(config-if)#duplex auto
DSW1(config-if)#no shut
DSW1(config-if)#exit

Alternatively, use the range command

Set up the FastEthernet interfaces
DSW1(config)#interface fastethernet 0/1
DSW1(config-if)#description DSW1 - ASW1
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/2
DSW1(config-if)#description DSW1 - ASW1
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/3
DSW1(config-if)#description DSW1 - ASW2
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/4
DSW1(config-if)#description DSW1 - ASW2
DSW1(config-if)#exit
DSW1(config)#interface range fastethernet 0/1 - 4
DSW1(config-if-range)#speed 100
DSW1(config-if-range)#duplex auto
DSW1(config-if-range)#no shut
DSW1(config-if-range)#exit
DSW1(config)#interface fastethernet 0/11
DSW1(config-if)#description DSW1 - DSW2
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/12
DSW1(config-if)#description DSW1 - DSW2
DSW1(config-if)#exit
DSW1(config)#interface range fastethernet 0/11 - 12
DSW1(config-if-range)#speed 100
DSW1(config-if-range)#duplex auto
DSW1(config-if-range)#no shut
DSW1(config-if-range)#exit

Step 4: Associate a VLAN with the interfaces

Create VLAN 100 and associate it with fe0/1 to 0/4 (assigning a non-existent access VLAN creates it, as the message below shows)
DSW1(config)#interface range fastethernet 0/1 - 4
DSW1(config-if-range)#switchport
DSW1(config-if-range)#switchport mode access
DSW1(config-if-range)#switchport access vlan 100
%Access VLAN does not exist. Creating vlan 100
DSW1(config-if-range)#exit
Associate VLAN 100 with Fe 11 and 12
DSW1(config)#interface range fastethernet 0/11 - 12
DSW1(config-if-range)#switchport
DSW1(config-if-range)#switchport mode access
DSW1(config-if-range)#switchport access vlan 100
DSW1(config-if-range)#exit

Step 5: Assign an IP address to the new VLAN so it can be pinged

Set up the VLAN IP address
DSW1(config)#interface vlan 100
DSW1(config-if)#ip address 192.168.100.1 255.255.255.0
DSW1(config-if)#no shut
DSW1(config-if)#exit

Step 6: Shut down unused interfaces

Administratively shut down all ports not connected
DSW1(config)#interface range fastethernet 0/5 - 10
DSW1(config-if-range)#shut
DSW1(config-if-range)#exit
Exit Global Configuration Mode
DSW1(config)#exit

Step 7: Check your work

Check that you named the interfaces correctly, haven't missed a connected interface, and that the duplex and speed settings are correct
DSW1#show interfaces status
Show the VLANs that are configured
DSW1#show vlan
Show the switchport settings (substitute any active port for fastethernet 0/4)
DSW1#show interface fastethernet 0/4 switchport
Show the running configuration
DSW1#show run

Step 8: Save your work

Copy the running configuration to the startup configuration. I got into the bad habit of doing this the other way around for a while (did it in an exam)... oops, copy start run
DSW1#copy run start

Distribution Switch 2

Step 1: Set up the basics. All of the following is CCNA-level stuff and should be easy, if not second nature. This is to get the security and hostname down before going on to the interface configuration.

Enter Privileged Mode
switch>enable
Enter Global Configuration Mode
switch#configure terminal
Change the hostname of the switch
switch(config)#hostname DSW2
Enable secret and password
DSW2(config)#enable secret cisco
DSW2(config)#enable password cisco
Set up a local user database
DSW2(config)#username admin@mydomain.com privilege 15 password cisco
Set up console login against the local user database
DSW2(config)#line con 0
DSW2(config-line)#login local
DSW2(config-line)#exit
Set up the Virtual Teletype (VTY) password
DSW2(config)#line vty 0 4
DSW2(config-line)#password cisco
DSW2(config-line)#login
DSW2(config-line)#exit
Disable exec sessions on the auxiliary line
DSW2(config)#line aux 0
DSW2(config-line)#no exec
DSW2(config-line)#exit

Step 2: Set up the management interface

Set up an IP address on the default VLAN for remote IP administration (if there were a GUI) and for Telnet to the switch
DSW2(config)#interface vlan 1
DSW2(config-if)#ip address 192.168.1.50 255.255.255.0
NB I am shutting the interface
DSW2(config-if)#shut
DSW2(config-if)#exit

Step 3: Set up other interfaces

Set up the FastEthernet interfaces
DSW2(config)#interface fastethernet 0/1
DSW2(config-if)#description DSW2 - ASW2
DSW2(config-if)#speed 100
DSW2(config-if)#duplex auto
DSW2(config-if)#no shut
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/2
DSW2(config-if)#description DSW2 - ASW2
DSW2(config-if)#speed 100
DSW2(config-if)#duplex auto
DSW2(config-if)#no shut
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/3
DSW2(config-if)#description DSW2 - ASW1
DSW2(config-if)#speed 100
DSW2(config-if)#duplex auto
DSW2(config-if)#no shut
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/4
DSW2(config-if)#description DSW2 - ASW1
DSW2(config-if)#speed 100
DSW2(config-if)#duplex auto
DSW2(config-if)#no shut
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/11
DSW2(config-if)#description DSW2 - DSW1
DSW2(config-if)#speed 100
DSW2(config-if)#duplex auto
DSW2(config-if)#no shut
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/12
DSW2(config-if)#description DSW2 - DSW1
DSW2(config-if)#speed 100
DSW2(config-if)#duplex auto
DSW2(config-if)#no shut
DSW2(config-if)#exit

Alternatively, use the range command

Set up the FastEthernet interfaces (descriptions as on DSW2: fe0/1-2 to ASW2, fe0/3-4 to ASW1, fe0/11-12 to DSW1)
DSW2(config)#interface fastethernet 0/1
DSW2(config-if)#description DSW2 - ASW2
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/2
DSW2(config-if)#description DSW2 - ASW2
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/3
DSW2(config-if)#description DSW2 - ASW1
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/4
DSW2(config-if)#description DSW2 - ASW1
DSW2(config-if)#exit
DSW2(config)#interface range fastethernet 0/1 - 4
DSW2(config-if-range)#speed 100
DSW2(config-if-range)#duplex auto
DSW2(config-if-range)#no shut
DSW2(config-if-range)#exit
DSW2(config)#interface fastethernet 0/11
DSW2(config-if)#description DSW2 - DSW1
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/12
DSW2(config-if)#description DSW2 - DSW1
DSW2(config-if)#exit
DSW2(config)#interface range fastethernet 0/11 - 12
DSW2(config-if-range)#speed 100
DSW2(config-if-range)#duplex auto
DSW2(config-if-range)#no shut
DSW2(config-if-range)#exit

Step 4: Associate a VLAN with the interfaces

Create VLAN 100 and associate it with fe0/1 to 0/4 (assigning a non-existent access VLAN creates it, as the message below shows)
DSW2(config)#interface range fastethernet 0/1 - 4
DSW2(config-if-range)#switchport
DSW2(config-if-range)#switchport mode access
DSW2(config-if-range)#switchport access vlan 100
%Access VLAN does not exist. Creating vlan 100
DSW2(config-if-range)#exit
Associate VLAN 100 with Fe 11 and 12
DSW2(config)#interface range fastethernet 0/11 - 12
DSW2(config-if-range)#switchport
DSW2(config-if-range)#switchport mode access
DSW2(config-if-range)#switchport access vlan 100
DSW2(config-if-range)#exit

Step 5: Assign an IP address to the new VLAN so it can be pinged

Set up the VLAN IP address
DSW2(config)#interface vlan 100
DSW2(config-if)#ip address 192.168.100.50 255.255.255.0
DSW2(config-if)#no shut
DSW2(config-if)#exit

Step 6: Shut down unused interfaces

Administratively shut down all ports not connected
DSW2(config)#interface range fastethernet 0/5 - 10
DSW2(config-if-range)#shut
DSW2(config-if-range)#exit
Exit Global Configuration Mode
DSW2(config)#exit

Step 7: Check your work

Check that you named the interfaces correctly, haven't missed a connected interface, and that the duplex and speed settings are correct
DSW2#show interfaces status
Show the VLANs that are configured
DSW2#show vlan
Show the switchport settings (substitute any active port for fastethernet 0/4)
DSW2#show interface fastethernet 0/4 switchport
Show the running configuration
DSW2#show run

Step 8: Save your work

Copy the running configuration to the startup configuration. I got into the bad habit of doing this the other way around for a while (did it in an exam)... oops, copy start run
DSW2#copy run start

Access Switch 1

Step 1: Set up the basics. All of the following is CCNA-level stuff and should be easy, if not second nature. This is to get the security and hostname down before going on to the interface configuration.

Enter Privileged Mode
switch>enable
Enter Global Configuration Mode
switch#configure terminal
Change the hostname of the switch
switch(config)#hostname ASW1
Enable secret and password
ASW1(config)#enable secret cisco
ASW1(config)#enable password cisco
Set up a local user database
ASW1(config)#username admin@mydomain.com privilege 15 password cisco
Set up console login against the local user database
ASW1(config)#line con 0
ASW1(config-line)#login local
ASW1(config-line)#exit
Set up the Virtual Teletype (VTY) password
ASW1(config)#line vty 0 4
ASW1(config-line)#password cisco
ASW1(config-line)#login
ASW1(config-line)#exit
Disable exec sessions on the auxiliary line
ASW1(config)#line aux 0
ASW1(config-line)#no exec
ASW1(config-line)#exit

Step 2: Set up the management interface

Set up an IP address on the default VLAN for remote IP administration (if there were a GUI) and for Telnet to the switch
ASW1(config)#interface vlan 1
ASW1(config-if)#ip address 192.168.1.100 255.255.255.0
NB I am shutting the interface
ASW1(config-if)#shut
ASW1(config-if)#exit

Step 3: Assign an IP address to the new VLAN so it can be pinged

Create VLAN 100, name it, and configure its interface (the name is set in VLAN configuration mode, not on the same line)
ASW1(config)#vlan 100
ASW1(config-vlan)#name Marketing
ASW1(config-vlan)#exit
ASW1(config)#interface vlan 100
ASW1(config-if)#ip address 192.168.100.100 255.255.255.0
ASW1(config-if)#no shut
ASW1(config-if)#exit

Step 4: Set up other interfaces

Set up the FastEthernet interfaces
ASW1(config)#interface fastethernet 0/1
ASW1(config-if)#description ASW1 - DSW1
ASW1(config-if)#speed 100
ASW1(config-if)#duplex auto
ASW1(config-if)#no shut
ASW1(config-if)#exit
ASW1(config)#interface fastethernet 0/2
ASW1(config-if)#description ASW1 - DSW1
ASW1(config-if)#speed 100
ASW1(config-if)#duplex auto
ASW1(config-if)#no shut
ASW1(config-if)#exit
ASW1(config)#interface fastethernet 0/3
ASW1(config-if)#description ASW1 - DSW2
ASW1(config-if)#speed 100
ASW1(config-if)#duplex auto
ASW1(config-if)#no shut
ASW1(config-if)#exit
ASW1(config)#interface fastethernet 0/4
ASW1(config-if)#description ASW1 - DSW2
ASW1(config-if)#speed 100
ASW1(config-if)#duplex auto
ASW1(config-if)#no shut
ASW1(config-if)#exit

Alternatively, use the range command

Set up the FastEthernet interfaces (descriptions as above: fe0/1-2 to DSW1, fe0/3-4 to DSW2)
ASW1(config)#interface fastethernet 0/1
ASW1(config-if)#description ASW1 - DSW1
ASW1(config-if)#exit
ASW1(config)#interface fastethernet 0/2
ASW1(config-if)#description ASW1 - DSW1
ASW1(config-if)#exit
ASW1(config)#interface fastethernet 0/3
ASW1(config-if)#description ASW1 - DSW2
ASW1(config-if)#exit
ASW1(config)#interface fastethernet 0/4
ASW1(config-if)#description ASW1 - DSW2
ASW1(config-if)#exit
ASW1(config)#interface range fastethernet 0/1 - 4
ASW1(config-if-range)#speed 100
ASW1(config-if-range)#duplex auto
ASW1(config-if-range)#no shut
ASW1(config-if-range)#exit

Step 5: This is where the ASW and DSW switches differ. On the access switch this port connects to the workstation end-point, whereas the DSW switches use ports 11/12 to provide failover for the distribution layer

Set up FastEthernet 0/12 at 10 Mb/s half duplex as an access-layer end-point interface
ASW1(config)#interface fastethernet 0/12
ASW1(config-if)#description ASW1 - PC1
ASW1(config-if)#speed 10
ASW1(config-if)#duplex half
ASW1(config-if)#switchport
Set the port to access mode
ASW1(config-if)#switchport mode access
Make the port an access port for VLAN 100
ASW1(config-if)#switchport access vlan 100
ASW1(config-if)#no shut
ASW1(config-if)#exit

Step 6: Associate a VLAN with the interfaces

Associate VLAN 100 with fe0/1 to 0/4
ASW1(config)#interface range fastethernet 0/1 - 4
ASW1(config-if-range)#switchport
ASW1(config-if-range)#switchport mode access
ASW1(config-if-range)#switchport access vlan 100
ASW1(config-if-range)#exit

Step 7: Shut down unused interfaces

Administratively shut down all ports not connected
ASW1(config)#interface range fastethernet 0/5 - 11
ASW1(config-if-range)#shut
ASW1(config-if-range)#exit
Exit Global Configuration Mode
ASW1(config)#exit

Step 8: Check your work

Check that you named the interfaces correctly, haven't missed a connected interface, and that the duplex and speed settings are correct
ASW1#show interfaces status
Show the VLANs that are configured
ASW1#show vlan
Show the switchport settings (substitute any active port for fastethernet 0/4)
ASW1#show interface fastethernet 0/4 switchport
Show the running configuration
ASW1#show run

Step 9: Save your work

Copy the running configuration to the startup configuration. I got into the bad habit of doing this the other way around for a while (did it in an exam)... oops, copy start run
ASW1#copy run start

Access Switch 2

Step 1: Set up the basics. All of the following is CCNA-level stuff and should be easy, if not second nature. This is to get the security and hostname down before going on to the interface configuration.

Enter Privileged Mode
switch>enable
Enter Global Configuration Mode
switch#configure terminal
Change the hostname of the switch
switch(config)#hostname ASW2
Enable secret and password
ASW2(config)#enable secret cisco
ASW2(config)#enable password cisco
Set up a local user database
ASW2(config)#username admin@mydomain.com privilege 15 password cisco
Set up console login against the local user database
ASW2(config)#line con 0
ASW2(config-line)#login local
ASW2(config-line)#exit
Disable exec sessions on the auxiliary line
ASW2(config)#line aux 0
ASW2(config-line)#no exec
ASW2(config-line)#exit
Set up the Virtual Teletype (VTY) password
ASW2(config)#line vty 0 4
ASW2(config-line)#password cisco
ASW2(config-line)#login
ASW2(config-line)#exit

Step 2: Set up the management interface

Set up an IP address on the default VLAN for remote IP administration (if there were a GUI) and for Telnet to the switch
ASW2(config)#interface vlan 1
ASW2(config-if)#ip address 192.168.1.200 255.255.255.0
NB I am shutting the interface
ASW2(config-if)#shut
ASW2(config-if)#exit

Step 3: Assign an IP address to the new VLAN so it can be pinged

Create VLAN 100, name it, and configure its interface (the name is set in VLAN configuration mode, not on the same line)
ASW2(config)#vlan 100
ASW2(config-vlan)#name Marketing
ASW2(config-vlan)#exit
ASW2(config)#interface vlan 100
ASW2(config-if)#ip address 192.168.100.200 255.255.255.0
ASW2(config-if)#no shut
ASW2(config-if)#exit

Step 4: Set up other interfaces

Set up the FastEthernet interfaces
ASW2(config)#interface fastethernet 0/1
ASW2(config-if)#description ASW2 - DSW2
ASW2(config-if)#speed 100
ASW2(config-if)#duplex auto
ASW2(config-if)#no shut
ASW2(config-if)#exit
ASW2(config)#interface fastethernet 0/2
ASW2(config-if)#description ASW2 - DSW2
ASW2(config-if)#speed 100
ASW2(config-if)#duplex auto
ASW2(config-if)#no shut
ASW2(config-if)#exit
ASW2(config)#interface fastethernet 0/3
ASW2(config-if)#description ASW2 - DSW1
ASW2(config-if)#speed 100
ASW2(config-if)#duplex auto
ASW2(config-if)#no shut
ASW2(config-if)#exit
ASW2(config)#interface fastethernet 0/4
ASW2(config-if)#description ASW2 - DSW1
ASW2(config-if)#speed 100
ASW2(config-if)#duplex auto
ASW2(config-if)#no shut
ASW2(config-if)#exit

Alternatively, use the range command

Set up the FastEthernet interfaces (descriptions as above: fe0/1-2 to DSW2, fe0/3-4 to DSW1)
ASW2(config)#interface fastethernet 0/1
ASW2(config-if)#description ASW2 - DSW2
ASW2(config-if)#exit
ASW2(config)#interface fastethernet 0/2
ASW2(config-if)#description ASW2 - DSW2
ASW2(config-if)#exit
ASW2(config)#interface fastethernet 0/3
ASW2(config-if)#description ASW2 - DSW1
ASW2(config-if)#exit
ASW2(config)#interface fastethernet 0/4
ASW2(config-if)#description ASW2 - DSW1
ASW2(config-if)#exit
ASW2(config)#interface range fastethernet 0/1 - 4
ASW2(config-if-range)#speed 100
ASW2(config-if-range)#duplex auto
ASW2(config-if-range)#no shut
ASW2(config-if-range)#exit

Step 5: This is where the ASW and DSW switches differ. On the access switch this port connects to the workstation end-point, whereas the DSW switches use ports 11/12 to provide failover for the distribution layer

Set up FastEthernet 0/12 at 10 Mb/s half duplex as an access-layer end-point interface
ASW2(config)#interface fastethernet 0/12
ASW2(config-if)#description ASW2 - PC2
ASW2(config-if)#speed 10
ASW2(config-if)#duplex half
ASW2(config-if)#switchport
Set the port to access mode
ASW2(config-if)#switchport mode access
Make the port an access port for VLAN 100
ASW2(config-if)#switchport access vlan 100
ASW2(config-if)#no shut
ASW2(config-if)#exit

Step 6: Associate a VLAN with the interfaces

Associate VLAN 100 with fe0/1 to 0/4
ASW2(config)#interface range fastethernet 0/1 - 4
ASW2(config-if-range)#switchport
ASW2(config-if-range)#switchport mode access
ASW2(config-if-range)#switchport access vlan 100
ASW2(config-if-range)#exit

Step 7: Shut down unused interfaces

Administratively shut down all ports not connected
ASW2(config)#interface range fastethernet 0/5 - 11
ASW2(config-if-range)#shut
ASW2(config-if-range)#exit
Exit Global Configuration Mode
ASW2(config)#exit

Step 8: Check your work

Check that you named the interfaces correctly, haven't missed a connected interface, and that the duplex and speed settings are correct
ASW2#show interfaces status
Show the VLANs that are configured
ASW2#show vlan
Show the switchport settings (substitute any active port for fastethernet 0/4)
ASW2#show interface fastethernet 0/4 switchport
Show the running configuration
ASW2#show run

Step 9: Save your work

Copy the running configuration to the startup configuration. I got into the bad habit of doing this the other way around for a while (did it in an exam)... oops, copy start run
ASW2#copy run start

This lab is pretty much exactly the same as the previous lab except for the small changes to VLAN 1 and the addition of VLAN 100. Other noteworthy changes would be the use of switchport access commands.

The objective is to be able to ping the various VLAN 100 interface IP addresses. There may be certain restrictions on what you can ping, but as long as directly connected switches can ping the VLAN 100 interfaces you have VLAN 100 up and running.

Post Scriptum

I am going to assume* that if one telnets into a switch/router using VLAN 1 and then goes on to shut VLAN 1, the session will be dropped (it would make sense if that were to happen). So I am going to assume you would have to use the console connection to do this.

One can automate the speed and duplex commands to an extent with the interface range command for this lab; I just need to get into the habit of adding a description to my interfaces (I don't do that because I know what the interfaces are and do when setting them up; troubleshooting 6 months later I have found it to be another matter).

Also, you can use the following to shorten what you have to type every time (the keyword is interface-range, and FastEthernet abbreviates to fa, not fe):
ASW2(config)#define interface-range OnetoFour fastethernet 0/1 , fastethernet 0/2 , fastethernet 0/3 , fastethernet 0/4
ASW2(config)#interface range macro OnetoFour

*They say assumption is the mother of all f-ups. Until I have arranged lab time I am going to go on my assumptions, because I want to test and see if this is the case.

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes reading and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

BCMSN Practical Lab Initial Config

Published
by
Deon Botha
on June 9, 2008
in BCMSN, Certification and Cisco Systems
. 2 Comments

LAB 1 BCMSN

The Topology

The above topology shows (from the top) a Distribution and Access switched network design with redundant links between Distribution switches and Distribution and Access Layers. Finally there are two attached end-devices (workstations).

The network is going to use 192.168.1.0 with a /24 (255.255.255.0) subnet mask, which allows for 254 hosts on the network.

Let's say that the DSW switches are MLS switches for argument's sake (I know the diagram doesn't show it).

If you look at the colour key at the bottom you will find that each link colour combination represents a FastEthernet port in this case. It's a fairly simple lab, so it's easy to have each link connected on Access Switch fe0/1 and then Distribution Switch fe0/1 on the other end.

I didn’t want to make much work for myself connecting things weird but you can do that by all means. All that means is that you really have to pay attention when you configure when Access Switch fe0/1 connects to Distribution Switch fe0/8 or something weird on one switch and then Access Switch fe0/5 connects to Distribution Switch fe0/12 on the other.

There is however still a catch to this lab layout: notice that from DSW1 to DSW2 the connections flip, and the same applies to ASW1 and ASW2 (meaning DSW1 fe0/1 connects to ASW1 while DSW2 fe0/1 connects to ASW2). Something that means I have to stay awake, but not on my toes.

Initial Configuration

The initial configuration entails some old things (CCNA) and one new command (not drastically new). I am going to go through what I am doing to practice for the exam and annotate the commands and generally what they do.

I am a weird Muppet, I want to know what and more importantly why something has to be used (probably the reason it takes me so long to study things). I can’t make sense of something unless I know command X is used to enable/do Y and relates to the theory in such and such a fashion for a particular reason.

Distribution Switch 1

Step 1: Set up the basics. All of the following is CCNA-level stuff and should be easy, if not second nature. This is to get the security and hostname down before going on to the interface configuration.

Enter Privileged Mode
switch>enable
Enter Global Configuration Mode
switch#configure terminal
Change the hostname of the switch
switch(config)#hostname DSW1
Enable secret and password
DSW1(config)#enable secret ciscosystems
DSW1(config)#enable password cisco
Set up a local user database
DSW1(config)#username admin@mydomain.com privilege 15 password cisco
Set up console login against the local user database
DSW1(config)#line con 0
DSW1(config-line)#login local
DSW1(config-line)#exit
Set up the Virtual Teletype (VTY) password
DSW1(config)#line vty 0 4
DSW1(config-line)#password cisco
DSW1(config-line)#login
DSW1(config-line)#exit
Disable exec sessions on the auxiliary line
DSW1(config)#line aux 0
DSW1(config-line)#no exec
DSW1(config-line)#exit

Step 2: Set up the management interface

Set up an IP address on the default VLAN for remote IP administration (if there were a GUI) and for Telnet to the switch
DSW1(config)#interface vlan 1
DSW1(config-if)#ip address 192.168.1.1 255.255.255.0
DSW1(config-if)#no shut
DSW1(config-if)#exit

Step 3: Set up other interfaces

Set up the FastEthernet interfaces
DSW1(config)#interface fastethernet 0/1
DSW1(config-if)#description DSW1 - ASW1
DSW1(config-if)#speed 100
DSW1(config-if)#duplex auto
DSW1(config-if)#no shut
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/2
DSW1(config-if)#description DSW1 - ASW1
DSW1(config-if)#speed 100
DSW1(config-if)#duplex auto
DSW1(config-if)#no shut
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/3
DSW1(config-if)#description DSW1 - ASW2
DSW1(config-if)#speed 100
DSW1(config-if)#duplex auto
DSW1(config-if)#no shut
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/4
DSW1(config-if)#description DSW1 - ASW2
DSW1(config-if)#speed 100
DSW1(config-if)#duplex auto
DSW1(config-if)#no shut
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/11
DSW1(config-if)#description DSW1 - DSW2
DSW1(config-if)#speed 100
DSW1(config-if)#duplex auto
DSW1(config-if)#no shut
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/12
DSW1(config-if)#description DSW1 - DSW2
DSW1(config-if)#speed 100
DSW1(config-if)#duplex auto
DSW1(config-if)#no shut
DSW1(config-if)#exit

Alternatively, use the range command

Setup Fastethernet Interfaces
DSW1(config)#interface fastethernet 0/1
DSW1(config-if)#description DSW1 - ASW1
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/2
DSW1(config-if)#description DSW1 - ASW1
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/3
DSW1(config-if)#description DSW1 - ASW2
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/4
DSW1(config-if)#description DSW1 - ASW2
DSW1(config-if)#exit
DSW1(config)#interface range fastethernet 0/1 - 4
DSW1(config-if-range)#speed 100
DSW1(config-if-range)#duplex auto
DSW1(config-if-range)#no shut
DSW1(config-if-range)#exit
DSW1(config)#interface fastethernet 0/11
DSW1(config-if)#description DSW1 - DSW2
DSW1(config-if)#exit
DSW1(config)#interface fastethernet 0/12
DSW1(config-if)#description DSW1 - DSW2
DSW1(config-if)#exit
DSW1(config)#interface range fastethernet 0/11 - 12
DSW1(config-if-range)#speed 100
DSW1(config-if-range)#duplex auto
DSW1(config-if-range)#no shut
DSW1(config-if-range)#exit

Step 4: Shut down non-used interfaces

Administratively shut down all ports not connected
DSW1(config)#interface range fastethernet 0/5 - 10
DSW1(config-if-range)#shut
DSW1(config-if-range)#exit
Exit Global Configuration Mode
DSW1(config)#exit

Step 5: Check your work

Check that you named the interfaces correctly, haven't missed a connected interface, and that the duplex and speed settings are correct
DSW1#show interfaces status
Show the running configuration
DSW1#show run

Step 6: Save your work

Copy the running configuration to the startup configuration. I got into the bad habit of doing this the other way around for a while (did it in an exam)... oops, copy start run
DSW1#copy run start

Distribution Switch 2

Step 1: Set up the basics. All of the following is CCNA-level material and should be easy, if not second nature. This gets the security and host name down before going on to the interface configuration.

Enter Privileged Mode
switch>enable
Enter Global Configuration Mode
switch#configure terminal
Change the hostname of the switch
switch(config)#hostname DSW2
Enable secret and password
DSW2(config)#enable secret cisco
DSW2(config)#enable password cisco
Setup a local user database
DSW2(config)#username admin@mydomain.com privilege 15 password cisco
Setup the console port password
DSW2(config)#line con 0
DSW2(config-line)#login local
DSW2(config-line)#exit
Setup the Virtual Teletype Terminal (VTY) Password
DSW2(config)#line vty 0 4
DSW2(config-line)#password cisco
DSW2(config-line)#login
DSW2(config-line)#exit
Setup the Auxiliary Password
DSW2(config)#line aux 0
DSW2(config-line)#no exec
DSW2(config-line)#exit

Step 2: Setup the management interface

Set up the IP address on the default VLAN so the switch can be administered remotely (through a GUI, if there were one) and reached by Telnet
DSW2(config)#interface vlan 1
DSW2(config-if)#ip address 192.168.1.50 255.255.255.0
DSW2(config-if)#no shut
DSW2(config-if)#exit

Step 3: Setup other interfaces

Setup Fastethernet Interfaces
DSW2(config)#interface fastethernet 0/1
DSW2(config-if)#description DSW2 - ASW2
DSW2(config-if)#speed 100
DSW2(config-if)#duplex auto
DSW2(config-if)#no shut
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/2
DSW2(config-if)#description DSW2 - ASW2
DSW2(config-if)#speed 100
DSW2(config-if)#duplex auto
DSW2(config-if)#no shut
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/3
DSW2(config-if)#description DSW2 - ASW1
DSW2(config-if)#speed 100
DSW2(config-if)#duplex auto
DSW2(config-if)#no shut
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/4
DSW2(config-if)#description DSW2 - ASW1
DSW2(config-if)#speed 100
DSW2(config-if)#duplex auto
DSW2(config-if)#no shut
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/11
DSW2(config-if)#description DSW2 - DSW1
DSW2(config-if)#speed 100
DSW2(config-if)#duplex auto
DSW2(config-if)#no shut
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/12
DSW2(config-if)#description DSW2 - DSW1
DSW2(config-if)#speed 100
DSW2(config-if)#duplex auto
DSW2(config-if)#no shut
DSW2(config-if)#exit

Alternatively, use the range command

Setup Fastethernet Interfaces
DSW2(config)#interface fastethernet 0/1
DSW2(config-if)#description DSW2 - ASW2
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/2
DSW2(config-if)#description DSW2 - ASW2
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/3
DSW2(config-if)#description DSW2 - ASW1
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/4
DSW2(config-if)#description DSW2 - ASW1
DSW2(config-if)#exit
DSW2(config)#interface range fastethernet 0/1 - 4
DSW2(config-if-range)#speed 100
DSW2(config-if-range)#duplex auto
DSW2(config-if-range)#no shut
DSW2(config-if-range)#exit
DSW2(config)#interface fastethernet 0/11
DSW2(config-if)#description DSW2 - DSW1
DSW2(config-if)#exit
DSW2(config)#interface fastethernet 0/12
DSW2(config-if)#description DSW2 - DSW1
DSW2(config-if)#exit
DSW2(config)#interface range fastethernet 0/11 - 12
DSW2(config-if-range)#speed 100
DSW2(config-if-range)#duplex auto
DSW2(config-if-range)#no shut
DSW2(config-if-range)#exit

Step 4: Shut down non-used interfaces

Administratively shut down all ports not connected
DSW2(config)#interface range fastethernet 0/5 - 10
DSW2(config-if-range)#shut
DSW2(config-if-range)#exit
Exit Global Configuration Mode
DSW2(config)#exit

Step 5: Check your work

Check that you named the interfaces correctly, haven't missed a connected interface, and that the duplex and speed settings are correct
DSW2#show interfaces status
Show the running configuration
DSW2#show run

Step 6: Save your work

Copy the running configuration to the startup configuration. I got into the bad habit of doing this the other way around for a while (did it in an exam)... oops, copy start run
DSW2#copy run start

Access Switch 1

Step 1: Set up the basics. All of the following is CCNA-level material and should be easy, if not second nature. This gets the security and host name down before going on to the interface configuration.

Enter Privileged Mode
switch>enable
Enter Global Configuration Mode
switch#configure terminal
Change the hostname of the switch
switch(config)#hostname ASW1
Enable secret and password
ASW1(config)#enable secret cisco
ASW1(config)#enable password cisco
Setup a local user database
ASW1(config)#username admin@mydomain.com privilege 15 password cisco
Setup the console port password
ASW1(config)#line con 0
ASW1(config-line)#login local
ASW1(config-line)#exit
Setup the Virtual Teletype Terminal (VTY) Password
ASW1(config)#line vty 0 4
ASW1(config-line)#password cisco
ASW1(config-line)#login
ASW1(config-line)#exit
Setup the Auxiliary Password
ASW1(config)#line aux 0
ASW1(config-line)#no exec
ASW1(config-line)#exit

Step 2: Setup the management interface

Set up the IP address on the default VLAN so the switch can be administered remotely (through a GUI, if there were one) and reached by Telnet
ASW1(config)#interface vlan 1
ASW1(config-if)#ip address 192.168.1.100 255.255.255.0
ASW1(config-if)#no shut
ASW1(config-if)#exit

Step 3: Setup other interfaces

Setup Fastethernet Interfaces
ASW1(config)#interface fastethernet 0/1
ASW1(config-if)#description ASW1 - DSW1
ASW1(config-if)#speed 100
ASW1(config-if)#duplex auto
ASW1(config-if)#no shut
ASW1(config-if)#exit
ASW1(config)#interface fastethernet 0/2
ASW1(config-if)#description ASW1 - DSW1
ASW1(config-if)#speed 100
ASW1(config-if)#duplex auto
ASW1(config-if)#no shut
ASW1(config-if)#exit
ASW1(config)#interface fastethernet 0/3
ASW1(config-if)#description ASW1 - DSW2
ASW1(config-if)#speed 100
ASW1(config-if)#duplex auto
ASW1(config-if)#no shut
ASW1(config-if)#exit
ASW1(config)#interface fastethernet 0/4
ASW1(config-if)#description ASW1 - DSW2
ASW1(config-if)#speed 100
ASW1(config-if)#duplex auto
ASW1(config-if)#no shut
ASW1(config-if)#exit

Alternatively use the range command

Setup Fastethernet Interfaces
ASW1(config)#interface fastethernet 0/1
ASW1(config-if)#description ASW1 - DSW1
ASW1(config-if)#exit
ASW1(config)#interface fastethernet 0/2
ASW1(config-if)#description ASW1 - DSW1
ASW1(config-if)#exit
ASW1(config)#interface fastethernet 0/3
ASW1(config-if)#description ASW1 - DSW2
ASW1(config-if)#exit
ASW1(config)#interface fastethernet 0/4
ASW1(config-if)#description ASW1 - DSW2
ASW1(config-if)#exit
ASW1(config)#interface range fastethernet 0/1 - 4
ASW1(config-if-range)#speed 100
ASW1(config-if-range)#duplex auto
ASW1(config-if-range)#no shut
ASW1(config-if-range)#exit

Step 4: This is where the ASW and DSW switches differ. On the access switches port 0/12 connects to the workstation end-point, whereas the DSW switches use ports 11/12 to provide failover for the distribution layer.

Set up FastEthernet 0/12 at 10 Mb/s half duplex as an access-level end-point interface
ASW1(config)#interface fastethernet 0/12
ASW1(config-if)#description ASW1 - PC1
ASW1(config-if)#speed 10
ASW1(config-if)#duplex half
Make the port an access port
ASW1(config-if)#switchport mode access
ASW1(config-if)#no shut
ASW1(config-if)#exit

Step 5: Shut down non-used interfaces

Administratively shut down all ports not connected
ASW1(config)#interface range fastethernet 0/5 - 11
ASW1(config-if-range)#shut
ASW1(config-if-range)#exit
Exit Global Configuration Mode
ASW1(config)#exit

Step 6: Check your work

Check that you named the interfaces correctly, haven't missed a connected interface, and that the duplex and speed settings are correct
ASW1#show interfaces status
Show the running configuration
ASW1#show run

Step 7: Save your work

Copy the running configuration to the startup configuration. I got into the bad habit of doing this the other way around for a while (did it in an exam)... oops, copy start run
ASW1#copy run start

Access Switch 2

Step 1: Set up the basics. All of the following is CCNA-level material and should be easy, if not second nature. This gets the security and host name down before going on to the interface configuration.

Enter Privileged Mode
switch>enable
Enter Global Configuration Mode
switch#configure terminal
Change the hostname of the switch
switch(config)#hostname ASW2
Enable secret and password
ASW2(config)#enable secret cisco
ASW2(config)#enable password cisco
Setup a local user database
ASW2(config)#username admin@mydomain.com privilege 15 password cisco
Setup the console port password
ASW2(config)#line con 0
ASW2(config-line)#login local
ASW2(config-line)#exit
Setup the Auxiliary Password
ASW2(config)#line aux 0
ASW2(config-line)#no exec
ASW2(config-line)#exit
Setup the Virtual Teletype Terminal (VTY) Password
ASW2(config)#line vty 0 4
ASW2(config-line)#password cisco
ASW2(config-line)#login
ASW2(config-line)#exit

Step 2: Setup the management interface

Set up the IP address on the default VLAN so the switch can be administered remotely (through a GUI, if there were one) and reached by Telnet
ASW2(config)#interface vlan 1
ASW2(config-if)#ip address 192.168.1.200 255.255.255.0
ASW2(config-if)#no shut
ASW2(config-if)#exit

Step 3: Setup other interfaces

Setup Fastethernet Interfaces
ASW2(config)#interface fastethernet 0/1
ASW2(config-if)#description ASW2 - DSW2
ASW2(config-if)#speed 100
ASW2(config-if)#duplex auto
ASW2(config-if)#no shut
ASW2(config-if)#exit
ASW2(config)#interface fastethernet 0/2
ASW2(config-if)#description ASW2 - DSW2
ASW2(config-if)#speed 100
ASW2(config-if)#duplex auto
ASW2(config-if)#no shut
ASW2(config-if)#exit
ASW2(config)#interface fastethernet 0/3
ASW2(config-if)#description ASW2 - DSW1
ASW2(config-if)#speed 100
ASW2(config-if)#duplex auto
ASW2(config-if)#no shut
ASW2(config-if)#exit
ASW2(config)#interface fastethernet 0/4
ASW2(config-if)#description ASW2 - DSW1
ASW2(config-if)#speed 100
ASW2(config-if)#duplex auto
ASW2(config-if)#no shut
ASW2(config-if)#exit

Alternatively use the range command

Setup Fastethernet Interfaces
ASW2(config)#interface fastethernet 0/1
ASW2(config-if)#description ASW2 - DSW2
ASW2(config-if)#exit
ASW2(config)#interface fastethernet 0/2
ASW2(config-if)#description ASW2 - DSW2
ASW2(config-if)#exit
ASW2(config)#interface fastethernet 0/3
ASW2(config-if)#description ASW2 - DSW1
ASW2(config-if)#exit
ASW2(config)#interface fastethernet 0/4
ASW2(config-if)#description ASW2 - DSW1
ASW2(config-if)#exit
ASW2(config)#interface range fastethernet 0/1 - 4
ASW2(config-if-range)#speed 100
ASW2(config-if-range)#duplex auto
ASW2(config-if-range)#no shut
ASW2(config-if-range)#exit

Step 4: This is where the ASW and DSW switches differ. On the access switches port 0/12 connects to the workstation end-point, whereas the DSW switches use ports 11/12 to provide failover for the distribution layer.

Set up FastEthernet 0/12 at 10 Mb/s half duplex as an access-level end-point interface
ASW2(config)#interface fastethernet 0/12
ASW2(config-if)#description ASW2 - PC2
ASW2(config-if)#speed 10
ASW2(config-if)#duplex half
ASW2(config-if)#no shut
Make the port an access port
ASW2(config-if)#switchport mode access
ASW2(config-if)#exit

Step 5: Shut down non-used interfaces

Administratively shut down all ports not connected
ASW2(config)#interface range fastethernet 0/5 - 11
ASW2(config-if-range)#shut
ASW2(config-if-range)#exit
Exit Global Configuration Mode
ASW2(config)#exit

Step 6: Check your work

Check that you named the interfaces correctly, haven't missed a connected interface, and that the duplex and speed settings are correct
ASW2#show interfaces status
Show the running configuration
ASW2#show run

Step 7: Save your work

Copy the running configuration to the startup configuration. I got into the bad habit of doing this the other way around for a while (did it in an exam)... oops, copy start run
ASW2#copy run start

For more information on Commands and why to use a command in a certain place check out the Cisco Command lookup tool (CCO Login required)

Cisco CDP

In a LAB or Real World (RW) situation you would telnet or console into Distribution Switch 1 (DSW1) and work from there. First off I am going to use CDP to discover the network topology. This is old work from the CCNA and useful if you (1) don’t know the network topology, (2) remote into a network to do work and need to hop from one device to another and need network information, (3) have a huge network and never bothered to document growth (ISPs), or (4) you are too lazy or there is a foot thick metal vault door between you and the kit and changing the console cable from one switch/router to another one isn’t going to happen.

The following command gives a basic table of information,
DSW1#show cdp neighbors
To get specific information use,
DSW1#show cdp neighbors detail
With that information you can then do something like this:
DSW1#telnet 192.168.1.50
Trying 192.168.1.50 ... Open
User Access Verification
Password:_
DSW2#

Terminology:

Two terms that I have been made aware of recently and need to remember: out-of-band management and in-band management.

Out-of-Band Management is the use of a dedicated channel for device maintenance. Examples would be using the console port (serial) or perhaps the auxiliary port (modem, POTS, off-site) for management purposes.

In-Band Management is the use of the regular data channels for device maintenance. An example would be using Ethernet for console-style access (when you change the IP address, the session ends).

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes, reading, and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

Switch Security Layer-2 Attacks – Four

Published by Deon Botha on May 28, 2008 in ACL, BCMSN, CDP, Certification, Cisco Systems, Concepts and Constructs, SSH, Telnet and VTY. 0 Comments


CDP

Cisco Discovery Protocol (CDP) is a useful and great protocol when you are sitting on the other side of the office/country/planet and don’t know what you are working with on a network, but CDP has some holes that attackers can leverage to cause problems.

CDP sends information about the network topology between network devices in clear text and without authentication. An attacker with a packet sniffer can gather information about the network infrastructure that we don’t really want them to have.

CDP isn’t needed on ports where no network management is done (this isn’t the case for Cisco IP Phones). You can also go ballistic and disable CDP totally; that’s up to you. To disable CDP use the following commands

CDP per-port

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#no cdp enable

CDP Globally

switch#configure terminal
switch(config)#no cdp run

Be careful with this: CDP is used in conjunction with, or as support for, other Cisco protocols.

Telnet

Telnet has a few problems:

  • All usernames, passwords, and data sent over a public network (read: Internet) are sent in clear text and are thus vulnerable.
  • A user with an account on the system can gain elevated privileges.
  • A remote attacker could crash the Telnet service, preventing legitimate service rendering.
  • A remote attacker could find an enabled guest account that may be present anywhere in the trusted domain of the server.

In other words: don’t Telnet over the Internet.

SSH

SSH is a client/server protocol used to log in to another computer over a network. It provides strong authentication and secure communication over a public network. Although SSH may be “more” secure, many vendors’ implementations of SSH have been vulnerable.

switch#configure terminal
switch(config)#line vty 0 15
switch(config-line)#transport input ssh

VTY Access Control Lists (ACL)

One can apply ACLs to permit or deny access to the VTY ports of a switch.

The number of VTY lines differs between platforms; make sure you get it right, configure the ACL on ALL the VTY lines, and don’t leave one open.

switch#configure terminal
switch(config)#access-list 12 permit 192.168.0.0 0.0.255.255
switch(config)#line vty 0 15
switch(config-line)#access-class 12 in

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes, reading, and writing things down and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

Switch Security Layer-2 Attacks – Two

Published by Deon Botha on May 27, 2008 in ACL, BCMSN, Certification, Cisco Systems, Concepts and Constructs, Switch Spoofing, Trunk, VACL, VLAN and VLAN Hopping. 2 Comments


VLAN Hopping

VLAN Hopping is a network attack whereby an end-device sends packets to, or collects packets from, a VLAN that should not be accessible to that end-device. This is done by tagging the invasive traffic with a specific VLAN ID (VID) or by negotiating a trunk link to send or receive traffic on the penetrated VLANs. VLAN hopping can be done by switch spoofing or double tagging.

In a switch spoofing attack the attacker configures an end-device to pose as a switch (this can be a Linux PC). The attack emulates Inter-Switch Link (ISL) or 802.1Q signaling along with Dynamic Trunking Protocol (DTP) signaling in an attempt to establish a trunk connection with the company switch.

Any switch port configured with DTP auto, upon receipt of a DTP packet generated by the attacking device, will become a trunk port and then accept traffic destined for any VLAN supported on any trunk on that link. The attacker can then send packets to, or collect packets from, any VLAN.

Double tagging is another method of VLAN hopping: a workstation generates frames with two 802.1Q headers, which causes the switch to forward the frames onto a VLAN that would normally be inaccessible to the attacker through legitimate means.

The first switch to encounter the double-tagged 802.1Q frame strips the outer header (the native VLAN tag) and forwards the frame out a trunk link; the second switch then forwards the frame according to the remaining 802.1Q header. Should the tag not match the attacker’s native VLAN, the frame simply goes untagged and is flooded only within the original VLAN.
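To make the double-tagging description concrete from the detection side, here is an added example (not from the original post) that walks the 802.1Q tag stack of a raw Ethernet frame and labels frames whose outer tag equals the trunk's native VLAN, the condition the text describes, the way an IDS on a SPAN port would. The three frames are constructed byte strings with a broadcast destination and a locally administered source MAC, not captures; native VLAN 1 is an assumption of the sample run.

```python
"""Decode the 802.1Q tag stack of an Ethernet frame and flag the
double-tagging pattern described above, the way an IDS or a SPAN-port
monitor would. Added example, not from the original post; the frames are
constructed byte strings, not captures from a real network."""
import struct
from typing import List, Tuple

TPIDS = {0x8100, 0x88A8}   # 802.1Q, plus the 802.1ad service tag seen on QinQ trunks


def vlan_tags(frame: bytes) -> Tuple[List[int], int]:
    """Walk the tag stack after the 12-byte MAC header.
    Returns (VLAN IDs outermost first, EtherType of the payload)."""
    offset = 12
    tags: List[int] = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in TPIDS:
            return tags, ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(tci & 0x0FFF)       # low 12 bits of the TCI are the VID
        offset += 4


def classify(frame: bytes, native_vlan: int) -> str:
    """Label a frame seen on an access port whose uplink trunk uses native_vlan."""
    tags, _ = vlan_tags(frame)
    if not tags:
        return "untagged"
    if len(tags) == 1:
        return "single-tagged"
    if tags[0] == native_vlan:
        # Outer tag equals the native VLAN: the trunk strips it and the inner
        # tag decides the destination VLAN, the hop the post describes.
        return "double-tagged-native-outer"
    return "double-tagged"


def alerts(frames: List[bytes], native_vlan: int) -> List[str]:
    """Report every frame whose inner tag could carry it into another VLAN."""
    out: List[str] = []
    for i, frame in enumerate(frames):
        if classify(frame, native_vlan) == "double-tagged-native-outer":
            inner = vlan_tags(frame)[0][1]
            out.append(f"frame {i}: outer tag {native_vlan} (native), inner tag {inner}")
    return out


# Constructed test frames: broadcast destination, a locally administered
# source MAC, IPv4 EtherType and zero padding as the payload.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")
PAYLOAD = bytes.fromhex("0800") + bytes(46)
FRAME_UNTAGGED = DST + SRC + PAYLOAD
FRAME_VLAN10 = DST + SRC + bytes.fromhex("8100000a") + PAYLOAD
FRAME_DOUBLE = DST + SRC + bytes.fromhex("81000001") + bytes.fromhex("81000014") + PAYLOAD

if __name__ == "__main__":
    for line in alerts([FRAME_UNTAGGED, FRAME_VLAN10, FRAME_DOUBLE], native_vlan=1):
        print(line)
```

On a port where the switch is expected to strip tags, any tagged frame from an end-station is already suspicious; the classifier keeps the single-tag and double-tag cases apart so a monitoring rule can treat the native-outer case, the only one that crosses a VLAN boundary, as the high-severity alert.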

Best Practices to Mitigate VLAN Hopping

  • Configure all unused ports as access ports so that trunking cannot be negotiated across those links.
  • Place all unused ports in the shutdown state and associate them with a VLAN designed for only unused ports, carrying no user data traffic (that means not the Native VLAN either).
  • When establishing a trunk link, purposefully configure arguments so that:
    • The native VLAN will be different from any data VLANs
    • Trunking is set up as “on” rather than as negotiated.
    • The specific VLAN range will be carried on the trunk

Configuration
To mitigate VLAN hopping attacks, the configuration is as follows. First select a range of interfaces:
switch#configure terminal
switch(config)#interface range gigabitethernet 0/1 - 48

Now configure the ports as access ports; this in turn turns off DTP

switch(config-if)#switchport mode access

Assign the ports to an unused VLAN (not the native VLAN)

switch(config-if)#switchport access vlan vlan-id

NB: the above commands will not work in VoIP (voice) networks; Cisco IP Phones use trunks (DTP).

VLAN Access Control Lists

There are three kinds of ACLs:

  • Router Access Control Lists (RACLs): supported in the TCAM hardware on Cisco multilayer switches (MLS). Can be applied to any routed interface, such as a switch virtual interface (SVI) or Layer 3 routed port.
  • Port Access Control Lists (PACLs): filter traffic at the port level. PACLs can be applied on a Layer 2 switch port, trunk port, or EtherChannel port.
  • VLAN Access Control Lists (VACLs) (a.k.a. VLAN access maps): supported in software on Cisco MLS.

Cisco Catalyst switches support four ACL lookups per packet*:

  • ingress (1) and egress (2) security lookup
  • ingress (3) and egress (4) Quality of Service (QoS) lookup

This following section all went over my head, or just about, and I have no idea whether this works or not, or is correct or not; see the sources for more information.

There are cases where certain Access Control Entries (ACEs) must be combined in each ACL due to limitations of the TCAM hardware. The merge process is also responsible for other functions, like expanding ACEs due to a lack of Layer 4 Operation Pointers (L4Op Pointers) or Logical Operation Units (LOUs).

Cisco Catalyst switches use two features to perform a merge:

  • order-independent algorithm merge
  • order-dependent algorithm merge

Order Independent Merge (OIM) is based on Binary Decision Diagrams (BDD): ACLs are merged from a series of order-dependent actions into a set of order-independent masks and patterns. The resulting ACEs can be very large, and the process is processor and memory intensive.

Order Dependent Merge (ODM) is not bit-based. The computation is much faster and less processor intensive.

RACLs are supported in hardware through IP standard and IP extended ACLs, with permit and deny actions. ACL processing is an intrinsic part of the packet forwarding process. ACL entries are programmed in hardware. Lookups occur in the pipeline, whether ACLs are configured or not. With RACLs, access list statistics and logging are not supported.

*You can get some switches with two security lookups and one QoS lookup in each direction (six total).

Configuring VACLs

VACLs apply to all traffic on a VLAN. VACLs use standard and extended Cisco IOS IP and IPX ACLs, MAC-layer named ACLs, and VLAN access maps.

VACLs follow route-map conventions, in which map sequences are checked in order (top-down).

Each VLAN access map can consist of one or more map sequences, each with a match clause and an action clause. The match clause specifies IP, IPX, or MAC ACLs for traffic filtering and the action clause specifies the action to be taken when a match occurs. When a flow matches a permit ACL entry, the associated action is taken and the flow is not checked against the remaining sequences. When a flow matches a deny ACL entry, it is checked against the next ACL in the same sequence or the next sequence. If a flow does not match any ACL entry and at least one ACL is configured for that packet, the packet is denied.

Three VACL actions are permitted:

  • Permit (with capture, Catalyst 6500 only)
  • Redirect (Catalyst 6500 only)
  • Deny (with logging, Catalyst 6500 only)

Two features are supported on Catalyst 6500 only:

VACL Capture, where forwarded packets are captured on the capture port. The capture option applies only to permit ACEs. The capture port can be an IDS port or an Ethernet port. The capture port must be in an egress VLAN for Layer 3 switched traffic.

VACL Redirect, where matching packets are redirected to specific ports. You can configure up to five redirect ports. Redirect ports must be in a VLAN where a VACL is applied.

Define a VLAN access map (the sequence number places the entry in the map and is also what you reference to delete it)

switch#configure terminal
switch(config)#vlan access-map map-name seq#

Configure the match clause in a VLAN access map sequence

switch(config-access-map)#match options

Configure actions

switch(config-access-map)#action options

Apply the VACL to VLANs

switch(config)#vlan filter map-name vlan-list list

Verify configuration

switch#show vlan access-map map-name
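The matching rules described a few paragraphs up are easy to misread, in particular that a deny ACE inside a matched ACL does not drop the packet, it only ends that ACL's evaluation. The following added example (my own, not the post's or Cisco's code) models a VLAN access map with those rules and renders it with the commands listed in the steps above. The ACL names SUBNET and QUARANTINE, the map name DMZ, the addresses and VLAN 20 are constructed; the model covers only the forward and drop actions (permit and deny in the post's terms), not redirect or capture.

```python
"""Model of how a VLAN access map is evaluated, following the rules in the
text: sequences top-down, a permit ACE selects the sequence's action, a deny
ACE only means "keep looking", and no match with ACLs configured means drop.
Added example, not from the original post; the ACLs and map are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    permit: bool
    network: str
    wildcard: str = "0.0.0.0"    # Cisco wildcard mask: set bits are "don't care"

    def matches(self, ip: str) -> bool:
        care = 0xFFFFFFFF ^ int(IPv4Address(self.wildcard))
        return (int(IPv4Address(ip)) & care) == (int(IPv4Address(self.network)) & care)


@dataclass
class Sequence:
    seq: int
    action: str                  # "forward" or "drop" (permit/deny in the post's terms)
    acls: List[Tuple[str, List[Ace]]] = field(default_factory=list)  # match ip address <name>


def evaluate(access_map: List[Sequence], src_ip: str) -> Tuple[str, Optional[int]]:
    """Return (action, sequence number that decided it, or None for the implicit deny)."""
    any_acl_configured = any(seq.acls for seq in access_map)
    for seq in sorted(access_map, key=lambda s: s.seq):
        if not seq.acls:
            return seq.action, seq.seq          # no match clause: applies to every packet
        for _name, acl in seq.acls:
            for ace in acl:
                if ace.matches(src_ip):
                    if ace.permit:
                        return seq.action, seq.seq
                    break                       # deny ACE: this ACL is done, try the next one
    if any_acl_configured:
        return "drop", None                     # matched nothing: implicit deny
    return "forward", None


def to_ios(name: str, access_map: List[Sequence], vlans: str) -> List[str]:
    """Render the map with the commands shown in the steps above."""
    lines: List[str] = []
    for seq in sorted(access_map, key=lambda s: s.seq):
        lines.append(f"vlan access-map {name} {seq.seq}")
        for acl_name, _ in seq.acls:
            lines.append(f" match ip address {acl_name}")
        lines.append(f" action {seq.action}")
    lines.append(f"vlan filter {name} vlan-list {vlans}")
    return lines


# Constructed scenario: a quarantined host in 10.1.2.0/24 must be dropped,
# the rest of its subnet forwarded, and every other source dropped.
SUBNET_ACL = [Ace(False, "10.1.2.5"), Ace(True, "10.1.2.0", "0.0.0.255")]
QUARANTINE_ACL = [Ace(True, "10.1.2.5")]
DMZ_MAP = [
    Sequence(10, "forward", [("SUBNET", SUBNET_ACL)]),
    Sequence(20, "drop", [("QUARANTINE", QUARANTINE_ACL)]),
]

if __name__ == "__main__":
    for ip in ("10.1.2.5", "10.1.2.7", "10.1.3.1"):
        print(ip, evaluate(DMZ_MAP, ip))
    print("\n".join(to_ios("DMZ", DMZ_MAP, "20")))
```

Trace 10.1.2.5 through it: sequence 10's ACL hits the deny ACE first, so sequence 10 does not apply and evaluation moves on; sequence 20's permit ACE matches and its drop action wins. Had the deny ACE been treated as a drop, the order of the two sequences would not matter; with the real semantics it does.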

Source for this Config document Section

Private VLANs

Internet Service Providers (ISPs) often have devices from multiple clients, in addition to their own servers, resident on a single demilitarized zone (DMZ) segment or VLAN. Cisco Catalyst 6500/4500 switches support Private Virtual Local Area Networks (PVLANs) to keep some switch ports shared and some switch ports isolated, even if the ports exist in the same VLAN. The 2950 and 3550 support “protected ports”, which are functionally the same on a per-switch basis.

Traditionally ISPs used one VLAN per customer, with each VLAN having its own subnet, and a Layer 3 device that provides interconnectivity between VLANs and Internet destinations. Problems with this method:

  • Supporting a VLAN per customer may require a high number of interfaces on ISP network devices.
  • Spanning Tree becomes more complicated with many VLAN iterations.
  • Network address space must be divided into many subnets, which wastes space and increases management complexity.
  • Multiple ACL applications are required to maintain security on multiple VLANs, resulting in increased management complexity.

PVLANs provide Layer-2 isolation between ports within the same VLAN, thereby eliminating the need for VLAN and IP subnet per customer.

A Port in a PVLAN can be one of three types:

  • Isolated: port has complete Layer-2 separation from other ports within the same PVLAN, except for promiscuous ports; blocks all traffic to isolated ports except from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports.
  • Promiscuous: ports can communicate with all ports within the PVLAN. The default gateway (DG) would probably be hosted on a promiscuous port.
  • Community: ports communicate among themselves and their promiscuous ports. These interfaces are isolated at Layer-2 from all other interfaces in other communities, or in isolated ports within their PVLAN.

Trunks carry all VLAN traffic, so isolated, promiscuous and community PVLAN traffic may enter and leave a switch through trunks.

PVLAN ports are associated with a set of supporting VLANs that are used to create the PVLAN structure.

  • As a Primary VLAN: carrying traffic from promiscuous ports to isolated, community and other promiscuous ports in the same primary VLAN.
  • As an Isolated VLAN: carrying traffic from isolated ports to a promiscuous port.
  • As a Community VLAN: carrying traffic between secondary VLANs. You can extend PVLANs across multiple devices by trunking primary, isolated, and community VLANs to other devices that support PVLANs.

A promiscuous port can service only one primary VLAN. A promiscuous port can service one isolated VLAN or many community VLANs.
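As an added example of the port-type rules above (not code from the original post), the following models a primary VLAN with its isolated and community secondaries and answers whether a frame from one port may reach another. It also enforces the one-isolated-VLAN-per-primary rule from the text when associating secondaries. VLANs 100 and 102 are the numbers used in the configuration steps below; community VLAN 103, the Gi0/1 to Gi0/5 port names and the customer assignments are constructed.

```python
"""Model of private VLAN port isolation as described above: which port types
may exchange frames inside one primary VLAN, and the one-isolated-VLAN-per-
primary rule enforced when associating secondaries. Added example, not from
the original post; VLAN 103 and the port names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class PrivateVlan:
    primary: int
    isolated: Optional[int] = None
    communities: Set[int] = field(default_factory=set)

    def associate(self, secondary: int, kind: str) -> None:
        """Mirror 'private-vlan association add': many community VLANs,
        but only one isolated VLAN may be mapped to a primary."""
        if kind == "isolated":
            if self.isolated not in (None, secondary):
                raise ValueError(f"primary {self.primary} already has isolated VLAN {self.isolated}")
            self.isolated = secondary
        elif kind == "community":
            self.communities.add(secondary)
        else:
            raise ValueError(f"unknown secondary VLAN type {kind!r}")

    def is_secondary(self, vid: Optional[int]) -> bool:
        return vid is not None and (vid == self.isolated or vid in self.communities)


@dataclass(frozen=True)
class Port:
    name: str
    mode: str                        # "promiscuous" or "host"
    secondary: Optional[int] = None  # host ports: the isolated or community VLAN they sit in


def can_forward(pvlan: PrivateVlan, src: Port, dst: Port) -> bool:
    """Layer 2 reachability between two ports of the same private VLAN."""
    if src == dst:
        return False
    for p in (src, dst):
        if p.mode == "host" and not pvlan.is_secondary(p.secondary):
            raise ValueError(f"{p.name}: VLAN {p.secondary} is not a secondary of primary {pvlan.primary}")
    if "promiscuous" in (src.mode, dst.mode):
        return True                  # promiscuous ports talk to everything (e.g. the default gateway)
    if pvlan.isolated in (src.secondary, dst.secondary):
        return False                 # isolated ports reach promiscuous ports only
    return src.secondary == dst.secondary   # community ports: same community only


def reachability(pvlan: PrivateVlan, ports: Dict[str, Port]) -> Dict[Tuple[str, str], bool]:
    """Every ordered (source, destination) pair and whether frames may flow."""
    return {(a, b): can_forward(pvlan, ports[a], ports[b])
            for a in ports for b in ports if a != b}


# Constructed scenario: primary 100 with isolated 102 (as in the post's
# configuration steps) plus a community VLAN 103 that is our own addition.
PVLAN = PrivateVlan(primary=100)
PVLAN.associate(102, "isolated")
PVLAN.associate(103, "community")
PORTS = {
    "Gi0/1": Port("Gi0/1", "promiscuous"),   # default gateway / shared server
    "Gi0/2": Port("Gi0/2", "host", 102),     # customer A, isolated
    "Gi0/3": Port("Gi0/3", "host", 102),     # customer B, isolated
    "Gi0/4": Port("Gi0/4", "host", 103),     # customer C, community
    "Gi0/5": Port("Gi0/5", "host", 103),     # customer C, community
}

if __name__ == "__main__":
    for (a, b), ok in sorted(reachability(PVLAN, PORTS).items()):
        print(f"{a} -> {b}: {'allowed' if ok else 'blocked'}")
```

The model is deliberately per-switch: it does not follow trunks, so it says nothing about what a second switch without PVLAN support would do with the secondary VLAN tags, which is the case the text warns about when extending PVLANs across devices.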

Configuring

Step 1: Set VTP Mode to Transparent

switch#configure terminal
switch(config)#vtp mode transparent

You may also want to check VTP version, password and domain while you are at VTP configuration

Step 2: Create the secondary VLANs (Isolated and community VLANs are secondary VLANs)

switch#configure terminal
switch(config)#vlan 102
switch(config-vlan)#private-vlan isolated
switch(config-vlan)#end
switch#show vlan private-vlan type

Step 3: Create the primary VLAN

switch#configure terminal
switch(config)#vlan 100
switch(config-vlan)#private-vlan primary
switch(config-vlan)#end
switch#show vlan private-vlan type

Step 4: Associate the secondary VLAN with the primary VLAN. Only one isolated VLAN can be mapped to a primary VLAN, but more than one community VLAN can be mapped to a primary VLAN

switch#configure terminal
switch(config)#vlan 100
switch(config-vlan)#private-vlan association add 102
switch(config-vlan)#end
switch#show vlan private-vlan type

When associating secondary VLANs with primary VLANs use these best practices:

  • Make sure that the VLAN IDs contain only one isolated VLAN ID (VID).
  • Use the remove keyword with the secondary VID to clear the association; there can be only one association.
  • Use the no keyword to clear all associations from the primary VLAN.
  • The command does not take effect until you exit VLAN configuration submode.

Step 5: Configure an interface as an isolated or community port.

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#switchport mode private-vlan host
switch(config-if)#end
switch#show interfaces gigabitethernet 0/1 switchport

Step 6: Associate the isolated port or community port with the primary/secondary VLAN pair

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#switchport private-vlan host-association 100 102
switch(config-if)#end
switch#show interfaces gigabitethernet 0/1 switchport

Step 7: Configure an interface as a promiscuous port

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#switchport mode private-vlan promiscuous
switch(config-if)#end
switch#show interfaces gigabitethernet 0/1 switchport

Step 8: Map the promiscuous port to the primary/secondary VLAN pair

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#switchport private-vlan mapping 100 102
switch(config-if)#end
switch#show interfaces gigabitethernet 0/1 switchport

Step 9: Permit Routing of Secondary VLAN Ingress Traffic

switch#configure terminal
switch(config)#interface vlan 100
switch(config-if)#private-vlan mapping add 102
switch(config-if)#end
switch#show interfaces private-vlan mapping

The sources for this config section include this Cisco 4500 document and this document. Finally, CCIE Blog gave me some insight and a hint as to WTF the difference between the host and promiscuous ports on the interface config was.

Definition

Logical Operation Units (LOUs) are hardware registers used to store {operator, operand} tuples for Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) port numbers specified in an IP extended ACL, VACL, or QoS ACL. These tuples are called Layer 4 Operations (L4Op).

Source

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes, reading, and writing things down, and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training, which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

References I want to remember:

Hucaby, D. (2007). CCNP Self-Study: CCNP BCMSN Official Exam Certification Guide, Fourth Edition, VLAN Access Lists (pp. 413-414). Indianapolis: Cisco Press.

QoS and Voice Traffic

Published
by
Deon Botha
on May 22, 2008
in AutoQoS, BCMSN, Certification, Cisco Systems, CoS, Concepts and Constructs, NBAR, QoS and Trunk
. 1 Comment

Definitions

ingress: arrives/comes in/enters

egress: leaving/exits/goes out

They're the new words of the day, so they're going to be used a lot.

Introduction

Regardless of the speed of individual switches (slower/older vs. faster/newer switches) or links (10/100), speed mismatches (ingress 1000/egress 100), many-to-one switching fabrics (multiple access layer switches into a single distribution layer switch), and aggregation (multiple devices communicating through a single connection or to a single device or server) may cause a device to experience congestion, which results in latency and can result in dropped packets.

If, and inevitably when, congestion occurs (I have heard of enterprise payrolls that cause a certain amount of congestion on a network at the end of each month) and congestion management features are not in place (QoS, load balancing on servers, etc.), then some packets will be dropped, causing retransmissions (TCP) that inevitably increase the overall network load; and if voice and video (UDP) are on the network, the inevitable result will be angry employees. QoS can, to an extent, mitigate the latency caused by congestion.

QoS is implemented by classifying and marking traffic at one device while allowing other devices to prioritize or to queue the traffic according to those marks applied to individual frames or packets.

LAN-Based Classification and Marking of Traffic

Classification and marking of traffic is the process of identifying traffic for prioritization as that traffic moves across the network. Traffic is classified by examining information at various layers of the Open Systems Interconnection (OSI) model. IP traffic can be classified according to any values configurable in an access control list (ACL) or any of these layers:

  • Layer-2 parameters: MAC Address, Multiprotocol Label Switching (MPLS), ATM Cell Loss Priority (CLP) bit, Frame Relay discard eligible (DE) bit, ingress interface
  • Layer-3 parameters: IP precedence, DiffServ Code Point (DSCP), QoS group, IP Address, ingress interface
  • Layer-4 parameters: TCP or User Datagram Protocol (UDP) ports, ingress interface
  • Layer-7 parameters: Application signature, ingress interface

QoS marks (values) establish priority levels (priority classes of service) for network traffic as it is processed by each switch (Access, Distribution, or Core). Once traffic is marked with a QoS value, the QoS policies on switches and interfaces handle that traffic accordingly at the frame and packet level. As a result of classification and marking, traffic is prioritized at each switch to ensure that delay-sensitive traffic (voice, video) receives priority processing while non-delay-sensitive data traffic waits its turn, as each switch manages congestion, delay, and bandwidth allocation.

Layer-2 QoS

QoS Layer-2 classification occurs by examining information in the Ethernet or 802.1Q (trunking) header, such as the destination MAC address or the Virtual Local Area Network (VLAN) ID. QoS Layer-2 marking occurs in the priority field of the 802.1Q header (the plain LAN Layer-2 header has no field for this, so 802.1Q encapsulation must be used). The priority field is 3 bits long and is also known as the 802.1p User Priority or Class of Service (CoS) value.

The 3-bit Priority field can carry a value of 1 to 7; 1 is associated with delay-tolerant traffic such as ordinary TCP/IP data. Voice traffic receives a higher priority: call signalling is marked with a value of 3 and voice bearer traffic with a value of 5.

As a result of Layer-2 Classifications and marking, these QoS operations can occur:

  • Input queue scheduling: when a frame enters a port, it can be assigned to one of a number of port-based queues before being scheduled for switching to an egress port. Typically, multiple queues are used where traffic requires different levels of service.
  • Policing: the process of inspecting a frame to see whether it has exceeded a predefined traffic rate within a time window that is typically a fixed value internal to the switch. If a frame is determined to be in excess of the predefined rate limit, it can either be dropped or have its CoS value marked down.
  • Output queue scheduling: the switch places the frame into the appropriate egress queue for switching. The switch performs buffer management on this queue to ensure that the buffer does not overflow.

Layer-3 QoS

QoS Layer-3 classification occurs by examining IP header values such as the destination IP address or protocol. QoS Layer-3 marking occurs in the Type of Service (ToS) byte in the IP header. The first three bits of the ToS byte are occupied by IP precedence, which correlates to the three CoS bits carried in the Layer-2 header.

The ToS byte can also be used for DSCP marking that allows prioritization hop by hop as packets are processed on each switch and interface.

Trust Boundaries

In QoS campus implementations, trust boundaries are defined where the existing QoS values attached to frames and packets are either accepted or altered. These “trusts” are established by configuring trust levels on the ports of key peripheral network devices where QoS policies will be enforced as traffic makes its way into the network. At this entry point traffic is either allowed to retain its original QoS markings or is assigned new markings (best practice is to mark traffic as close to the source as possible).

In practice this means that if you have a Desktop/Notebook attached to a Cisco IP Phone, attached to a Catalyst switch, attached to a Cisco router, the trust boundary can be set at the Cisco IP Phone: the IP Phone attaches the priority values, which are then trusted.

Otherwise, if there is a Desktop/Notebook with a softphone attached to a Catalyst switch attached to a router, the trust boundary can be set at the Desktop/Notebook: the softphone attaches the priority values, which are then trusted.

Configuration IP Phone Attachment

This goes hand in hand with how VLANs are configured. First off we create the Data and Voice VLANs:

switch#configure terminal
switch(config)#vlan 10
switch(config-vlan)#name 001-WORK-STATION
switch(config-vlan)#vlan 100
switch(config-vlan)#name 001-IP-PHONE
switch(config-vlan)#exit

Now we need to assign the Data and Voice VLANs to an interface:

switch(config)#interface gigabitethernet 0/1
switch(config-if)#switchport voice vlan 100
switch(config-if)#switchport access vlan 10

Now we need to tell the port to trust the CoS markings on frames as they arrive at the switch port:

switch(config-if)#mls qos trust cos

Finally, make that trust conditional on a Cisco IP Phone being attached (detected via CDP):

switch(config-if)#mls qos trust device cisco-phone
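As an added example (not from the post or from Cisco), the following Python models the Layer-2 and Layer-3 markings described above and what the port trust settings in this section do with them: packing and unpacking the 3-bit 802.1p priority field of the 802.1Q tag, splitting the ToS byte into IP precedence and DSCP, and deciding which ingress marking a port keeps when it is untrusted, set to `mls qos trust cos` or `mls qos trust dscp`, or conditionally trusted with `mls qos trust device cisco-phone`. The CoS-to-DSCP map, the DSCP values and the frames are assumptions constructed for the example; check the real map on a switch with `show mls qos maps cos-dscp`.

```python
"""Layer-2/Layer-3 QoS markings and what a port's trust setting does with them."""
from dataclasses import dataclass
from typing import Optional

# Assumed default CoS-to-DSCP map (0,8,16,...,56) as used on many Catalyst
# platforms once 'mls qos' is enabled; verify with 'show mls qos maps cos-dscp'.
COS_TO_DSCP = {cos: cos * 8 for cos in range(8)}
DSCP_EF, DSCP_CS3 = 46, 24   # voice bearer and call-signalling DSCPs used below


def build_8021q_tci(pcp, dei, vid):
    """Pack 802.1Q Tag Control Information: 3-bit PCP (CoS), 1-bit DEI, 12-bit VID."""
    if not (0 <= pcp <= 7 and dei in (0, 1) and 0 <= vid <= 4095):
        raise ValueError("802.1Q field out of range")
    return (pcp << 13) | (dei << 12) | vid


def parse_8021q_tci(tci):
    """Unpack a 16-bit TCI into (pcp, dei, vid)."""
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0xFFF


def parse_tos(tos):
    """Split the IP ToS byte: top 3 bits are IP precedence, top 6 bits are DSCP."""
    return (tos >> 5) & 0x7, (tos >> 2) & 0x3F


@dataclass
class IngressFrame:
    cos: Optional[int]  # 802.1p CoS from the tag; None when the frame is untagged
    dscp: int           # DSCP from the IP header


def internal_dscp(frame, trust, trust_device=None, phone_detected=False, port_cos=0):
    """Return the internal DSCP a port assigns to an ingress frame.

    trust: None (untrusted port), "cos" or "dscp", as set by 'mls qos trust {cos|dscp}'.
    trust_device="cisco-phone" makes that trust conditional on CDP having detected
    a Cisco IP Phone on the port, as set by 'mls qos trust device cisco-phone'.
    """
    if trust_device == "cisco-phone" and not phone_detected:
        trust = None              # no phone seen: the port behaves as untrusted
    if trust is None:
        return 0                  # untrusted: markings are rewritten to best effort
    if trust == "cos":
        cos = frame.cos if frame.cos is not None else port_cos
        return COS_TO_DSCP[cos]   # untagged frames get the port's default CoS
    if trust == "dscp":
        return frame.dscp
    raise ValueError(f"unknown trust mode {trust!r}")


def demo():
    """Constructed frames: a phone's RTP stream and a PC marking its own traffic as voice."""
    voice = IngressFrame(cos=5, dscp=DSCP_EF)
    pc_marked_as_voice = IngressFrame(cos=5, dscp=DSCP_EF)
    return {
        "phone_port_phone_present": internal_dscp(voice, "cos", "cisco-phone", phone_detected=True),
        "phone_port_phone_absent": internal_dscp(pc_marked_as_voice, "cos", "cisco-phone"),
        "uplink_trust_dscp": internal_dscp(voice, "dscp"),
        "untrusted_access_port": internal_dscp(pc_marked_as_voice, None),
        "signalling_on_trusted_uplink": internal_dscp(IngressFrame(3, DSCP_CS3), "dscp"),
    }


if __name__ == "__main__":
    pcp, _, vid = parse_8021q_tci(build_8021q_tci(5, 0, 100))
    print(f"tag: CoS {pcp}, VLAN {vid}; ToS 0xB8 -> precedence/DSCP {parse_tos(0xB8)}")
    for name, dscp in demo().items():
        print(f"{name:30s} internal DSCP {dscp}")
```

The point of the trust boundary shows in the last two results: a PC on an untrusted port, or on a phone port where no phone is detected, gets its self-assigned CoS 5 / DSCP EF rewritten to 0, so it cannot promote itself into the voice queue; only the markings the phone applies (or a trusted uplink carries) survive. Note that the `mls qos trust` commands only take effect once QoS is enabled globally with `mls qos`.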

Auto QoS

Cisco AutoQoS gives the ability to deploy QoS features for converged IP telephony and allows telephony networks to be deployed more quickly and efficiently than if it had to be done manually. Cisco AutoQoS generates traffic classes and policy-map command-line (CLI) templates that are the same across platforms, where doing things manually might not give the same congruence. Cisco AutoQoS simplifies and automates the Modular QoS CLI (MQC) definition of traffic classes and the creation and configuration of traffic policies.

AutoQoS can be beneficial in these scenarios:

  1. SMBs that need to deploy IP telephony quickly but lack the experience and staffing to deploy IP QoS services.
  2. Large enterprises that need to deploy Cisco Systems telephony solutions on a large scale, while reducing cost, complexity and time frame for deployment, and ensuring that the appropriate QoS for voice applications is set in a consistent fashion.
  3. International enterprises or service providers requiring QoS for VoIP where little expertise exists in different regions of the world and where provisioning QoS remotely and across different time zones is difficult.
  4. Service providers requiring a template-driven approach to deliver managed services and QoS for voice traffic on customer premises devices.

Cisco AutoQoS simplifies and shortens the deployment cycle in the following ways:

  • Application classification: on routers, Cisco Network-Based Application Recognition (NBAR) provides stateful and deep packet inspection for intelligent classification. For voice, Cisco AutoQoS uses Cisco Discovery Protocol (CDP) to ensure that the end device attached to the Local Area Network (LAN) really is a Cisco IP Phone (keep in mind that CDP is Cisco proprietary).
  • Policy generation: Cisco AutoQoS evaluates the network environment and generates the initial policy. It automatically generates interface configurations, policy maps, class maps and Access Control Lists (ACLs).
  • Configuration: using one command, Cisco AutoQoS configures the port to prioritize voice traffic without affecting other network traffic, while still offering the flexibility to adjust QoS settings for unique network requirements. Cisco AutoQoS automatically detects Cisco IP Phones and enables the QoS settings; in turn it also disables those QoS settings, to prevent malicious activity, when a Cisco IP Phone is relocated or moved.
  • Monitoring and reporting: Cisco AutoQoS provides visibility into the Class of Service (CoS) deployed via system logging and Simple Network Management Protocol (SNMP) traps, with notification of abnormal events (VoIP packet drops).
  • Consistency: Cisco AutoQoS configurations are consistent among router and switch platforms. This level of consistency ensures seamless QoS operation and interoperability within the network.

Cisco Catalyst Switch Configuration – Cat OS

To configure the global QoS settings

Console> (enable) set qos autoqos
.........
All ingress and egress QoS scheduling parameters configured on all ports. CoS to DSCP, DSCP to CoS. Precedence to DSCP and policed dscp maps configured.
Global QoS configured, port specific autoqos recommended:
set port qos <mod/port> autoqos trust <cos/dscp>
set port qos <mod/port> autoqos voip <ciscoipphone/ciscosoftphone>

To configure Cisco AutoQoS settings and the trusted boundary feature for Cisco IP Phones, CDP version 2 or later needs to be enabled on the port. If the trusted boundary feature is enabled, you will receive a syslog warning message if CDP is not running or CDP version 1 is running.

CDP need not be enabled if you do not use the ciscoipphone QoS configuration.

Console> (enable) set port qos 4/1 autoqos voip ciscoipphone
Warning: CDP is disabled or CDP version 1 is in use. Ensure that CDP version 2 is enabled globally, and also ensure that CDP is enabled on the port(s) you wish to configure autoqos on.
Port 4/1 ingress QoS configured for ciscoipphone.
It is recommended to execute the "set qos autoqos" global command if not executed previously.
Console> (enable)

The port-specific QoS macro handles all inbound QoS configuration specific to a particular port. The trust form should only be used when the port connects to other known switches or servers, because the port then trusts all inbound traffic markings:

Console> (enable) set port qos 4/1 autoqos trust <cos/dscp>

Cisco Catalyst Switch Configuration – Cisco IOS

When Cisco AutoQoS is enabled on the first interface, QoS is globally enabled. This is equivalent to configuring this command:

switch#configure terminal
switch(config)#mls qos

To in turn enable QoS on an interface, use this command, which tells the switch that the interface is connected to a trusted router/switch and that the VoIP classifications in the ingress packets should be trusted:

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#auto qos voip trust

Or, where the interface is connected to a Cisco IP Phone, use this command; the QoS labels of incoming packets are then trusted only while the IP Phone is detected, using CDP to detect the phone's presence or absence:

switch#configure terminal
switch(config)#interface gigabitethernet 0/1
switch(config-if)#auto qos voip cisco-phone

To check the config use the following command:

switch#show auto qos interface <interface-id>

Cisco AutoQoS Automation

Cisco AutoQoS automates several things when configured. It enforces trust boundaries on Cisco Catalyst switch access ports, uplinks and downlinks; enables Catalyst strict priority queuing (PQ) (a.k.a. expedited queuing) with weighted round-robin (WRR) scheduling for voice and data traffic; configures queue admission criteria; and finally modifies queue sizes and weights as needed.

Notes and Notices:

This is a part of my personal BCMSN notes and research to assist myself in learning and understanding the concepts and theory for the BCMSN exam. I learn by making notes, reading, and writing things down, and wish to file them where I can’t lose them. These notes are not to be seen, judged or mistaken for replacements to Cisco recognized and authorized training, which I personally support and attend and suggest you undertake if you are going for the BCMSN Certification.

