Chris Stark's Blog

Cisco ICND2 – Interpret the output of various show and debug commands to verify the operational status of a Cisco switched network

February 13, 2013February 13, 2013 Chris Stark Leave a comment

I have covered most show commands throughout the previous topics. Therefore I will list them quickly here plus a few others:

show ip interface brief
show flash:
show running-config
show mac-address-table
show vlan
show vlan brief
show interface switchport
show interface trunk
show vtp status
show vlan
show spanning-tree summary
show spanning-tree

As I’m using PacketTracer there isn’t much in terms of debugging commands for switches. I would highly recommend using physical switches if possible and build a small network and run some debug commands.

This might be useful – command reference from a Cisco Catalyst 2950 switch.

*If there is anything you’d like to add or feel there’s a mistake, please feel free to comment and contribute.

Cisco ICND2 – Configure, verify, and troubleshoot RSTP operation

February 12, 2013March 18, 2013 Chris Stark 1 Comment

This topic will cover configuring, verifying and troubleshooting the rapid spanning tree protocol.

To enable rapid spanning tree protocol on our three switches:

Switch A:

configure terminal
spanning-tree mode rapid-pvst

Switch B:

configure terminal
spanning-tree mode rapid-pvst

Switch C:

configure terminal
spanning-tree mode rapid-pvst

We will also enable portfast on our access ports (PCs connected to the switches) – This will enable the ports to go straight to a forwarding state meaning the ports will instantly come up. You do not want to enable this on trunk links, this may cause issues with switching loops.

Switch A:

configure terminal
interface fa0/3
spanning-tree portfast

Switch B:

configure terminal
interface fa0/3
spanning-tree portfast

You will get a warning message about enabling portfast on trunk links.

%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface  when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION

%Portfast has been configured on FastEthernet0/3 but will only
have effect when the interface is in a non-trunking mode.

That’s all that’s needed to enabled rapid spanning-tree and portfast. Lets go one step further and lets force switch C become the root bridge for VLAN 1. Currently Switch B is the root.

We can do this two ways, one to set the priority of VLAN 1 to a much lower value for example 4096 or force the switch as the root.

Set the priority lower on Switch C:

configure terminal
spanning-tree vlan 1 priority 4096

Force switch as root:

configure terminal
spanning-tree vlan 1 root primary

I have gone with changing the priority to 4096, The above will only change the root bridge for VLAN 1.

Now if we do a show spanning-tree vlan 1 on Switch C:

The above shows a show spanning-tree output from Switch C. We can see the priority address has been changed to 4096+VLAN 1 (4097) and the bridge is the root for VLAN 1.

Verifying:

To verify RSTP has been configured correctly we can go through the configuration by using the show running-config command and verifying spanning-tree mode rapid-pvst has been entered on all three switches.

The next command we can verify RSTP with is show spanning-tree, this will show what type of spanning-tree is enabled and root bridge/interface statuses.

Show spanning-tree summary can be used to give a quick indication of what mode spanning tree is configured for and some other useful information such as what VLANs are taken part in spanning-tree.

Troubleshooting:

Ensure all switches are configured for rapid-spanning tree – rapid-spanning tree is backwards compatible meaning it will match the normal spanning-tree timers and can cause slowness
Check cables between switches are correct – Crossover cable
Check you haven’t made a trunk link portfast by mistake
Using the verify commands above can greatly help with understanding why RSTP isn’t work (root bridge incorrect, port blocked, rapid-spanning tree not configured)

Cisco ICND2 – Configure, verify, and troubleshoot VTP

February 11, 2013March 18, 2013 Chris Stark Leave a comment

In this topic I will discuss how to configure VTP on our switches. From this point onwards I will try to use our topology from the interVLAN topic.

We will configure Switch C and switch B as our VTP servers and Switch A as our VTP client.

These are global settings we will used on our three switches: (Note these are case-sensitive)

VTP Domain: Cstark
VTP Password: cisco

Switch A:

configure terminal
vtp domain Cstark
vtp password cisco
vtp mode client

Switch B:

configure terminal
vtp domain Cstark
vtp password cisco

Switch C:

configure terminal
vtp domain Cstark
vtp password cisco

No need to specify the server mode. By default switches are servers. If required to change between client/transparent the command is vtp mode server.

On Switch C we will create four VLANs 10, 20 30 and 40. VLAN 10 and 20 are already configured, We’re just naming them here:

configure terminal
vlan 10
name Marketing
vlan 20
name IT
vlan 30
name Finance
vlan 40
name HR

If we go to Switch B and switch A and issue a show vlan command we will notice the two VLANs have automatically been created for us:

Switch B:

Lets try and configure VLAN 50 on Switch A:

We are unable to do so! VTP is working correctly.

VTP Pruning isn’t supported as of writing this on Packet Tracer version 5.3.3. The command would be vtp pruning under global configuration. This will stop the advertisement of unused VLANs to other switches. This cannot be set on clients only servers but will propagate down to VTP clients. You could instead use switchport trunk allowed vlan #vlan under each interface to manually prune – this does give you much greater control.

I haven’t configured a transparent switch, the command to make a transparent switch is vtp mode transparent. A transparent switch will forward VTP information but has its own local database.

Verifying:

The following commands will help with verifying VTP on each switch:

show vtp status

The show VTP status command will show what VTP version is running, how many revisions, operating mode and VTP domain name.

The VTP version is in fact 1, I’m not sure why its showing 2. Trying to force VTP version 1 results in the following:

Switch C(config)#vtp version 1
VTP mode already in V1.

show running-config – to verify vtp is configured correctly
show vlan – will show the VLANs that have been created

Troubleshooting:

show vtp status – checking revision numbers are consistent across switches will indicate if VTP is working correctly
show vtp password will display the password if you’ve forgotten it
Ensure Domain name, version and password are the same – these are case sensitive!
If you cannot add a VLAN, the switch may be configured with client instead of server
VTP only supports 255 VLANs

Cisco ICND2 – Configure, verify, and troubleshoot interVLAN routing

February 10, 2013March 18, 2013 Chris Stark 1 Comment

In this topic I will discuss how to configure interVLAN routing typically known as Router on a Stick.

This is the setup we will be working with in packet tracer:

Notice that PC1 and PC2 are in different VLANs and different IP subnets. We are going to allow them to communicate with each other via Router A.

First we are going to configure the trunk links between each of the switches and between switch C and Router A. I will use the range command to save keep typing the individual interfaces.

Switch A

configure terminal
interface range fa0/1-fa0/2
switchport mode trunk

Switch B

configure terminal
interface range fa0/1-fa0/2
switchport mode trunk

Switch C

configure terminal
interface range fa0/1-fa0/3
switchport mode trunk

We will come back to Router A a little later on to finish the trunk configuration.

We need to configure the access ports and VLANs between the switches connected to PCs.

Switch A:

configure terminal
interface fa0/3
switchport access vlan 10

Switch B:

configure terminal
interface fa0/3
switchpport access vlan 20

We will configure PC1 and PC2 with an IP address and default gateway.

PC1:
IP Address: 10.0.0.2
Subnet: 255.255.255.0
Default Gateway: 10.0.0.1

PC2:
IP Address: 10.0.1.2
Subnet: 255.255.255.0
Default Gateway: 10.0.1.1

If we try and ping PC2 from PC1 the result will fail. Why? Because there’s no way for VLAN 10 and VLAN 20 to communicate, Also they’re in different subnets.

To allow these two PCs to communicate we need to configure Router A to route frames between VLAN 10 and VLAN 20.

If you noticed we set default gateways on PC1 and PC2, we will now configure these on Router A. This way, when PC1 or PC2 wants to send a frame to a different subnet, it will forward to the default gateway, the default gateway will lookup to see if it has an entry in its routing table if it does, it will forward otherwise it will drop the frame.

We will configure two sub interfaces on Router A under fa0/0 one for VLAN 10 and one for VLAN20. First we need to bring up the fast ethernet 0/0 interface up, otherwise the sub interfaces once configured will not work.

Router A:

configure terminal
interface fa0/0
no shutdown

Now to configure the sub interfaces on Router A:

configure terminal
interface fa0/0.10
encapsulation dot1q 10
ip address 10.0.0.1 255.255.255.0
interface fa0/0.20
encapsulation dotq1 20
ip address 10.0.1.1 255.255.255.0

I tend to create sub-interfaces that match the VLAN number, this is handy when trying to troubleshoot as you can quickly identify which VLAN belongs to which sub-interface.

The encapsulation dot1q 10/20 command defines the sub interface as a trunk link and that it expects to send/receive VLAN 10/20 traffic on this interface.

That’s pretty much it. If we try to ping PC2 from PC1 we should see a successful ping:

And from PC2 to PC1:

Verifying:

We verified that PC1 can communicate with PC2 above.

We can show the routing table on RouterA:

The above shows two directly connected routes, one for VLAN 10 and one for VLAN 20 this is how the router knows where to route to.

show running-config can be used on the switches and routers to ensure correct access VLAN assigned, trunk links are configured and correct IP addresses.

show vlan on the switches will show what VLANs are assigned to which ports.

Ping can we be used to verify connectivity, if you cant ping the destination IP, ensure you can ping your local default gateway and then destination gateway to try and figure where the problems lies.

Troubleshooting:

Ensure the links between switches and routers are trunked
Make sure PCs are in correct VLANs
Make sure PCs have correct IP Subnet / Default Gateway addresses
Use tracert on the PCs to see where the frames are failing
Check the router to make sure has the correct sub-interfaces and they match the default gateway of the PCs
The fast ethernet port on the router should be up (no shutdown) otherwise sub-interfaces will not work
Correct cables must be used between PC and switch (straight through) switch to switch (crossover) and switch to router (straight through)

Cisco ICND2 – Configure, verify, and troubleshoot trunking on Cisco switches

February 7, 2013March 18, 2013 Chris Stark 1 Comment

Configuring a trunk:

When configuring a trunk, the trunk needs to be enabled on both switches. We will configure fa0/1 as a trunk link on both Switch A and Switch B. I will be doing this via Cisco’s packet tracer program on two Cisco 2950 switches.

By default all VLANs are allowed to be received and sent across trunk links, this can be changed and will be discussed later on.

Switch A:

configure terminal
interface fa0/1
switchport mode trunk

Switch B:

configure terminal
interface fa0/1
switchport mode trunk

That’s it!

Configuring trunk on a layer 3 switch is slightly different, you have the choice of either using 802.1Q (dot1q) or ISL as the encapsulation. Newer routers don’t support ISL so It would be wise to use 802.1Q.

configure terminal
int fa0/1
switchport mode trunk
switchport trunk encapsulation dot1q

It is possible to do a range of interfaces to turn them into trunk links:

configure terminal
interface range fa0/1-fa0/5
switchport mode trunk

We can restrict or allow which VLANs are allowed across a trunk link using the trunk allowed command. To configure allowed VLANs make sure you’re under the interface where the trunk is enabled such as interface fa0/1.

This will reset the trunk to default allowing all VLANs across the trunk:

switchport trunk allowed vlan all

This will stop VLANs 2 through 6 from communicating over the trunk:

switchport trunk allowed vlan remove 2-6

This will allow VLAN 6 to communicate over the trunk if we removed it by mistake:

switchport trunk allowed vlan 6

Verifying a trunk:

There are few commands to verify a trunk link. The first is to run a show running-config on both switches.

show running-config

Switch A:

Switch B:

As shown above, we can see both the interfaces have been configured for trunking.

The next is to display the switchport information for both interfaces on the switches.

show int fa0/1 switchport

Switch A:

Switch B:We can see from this information that the operational mode is trunk and the encapsulaton is dot1q.

Lastly we can display information based on all interfaces that are enabled for trunk and what VLANs are allowed across these trunk links.

show int trunk

Switch A:

Switch B:

Troubleshooting a trunk:

Make sure trunk is enabled on both connecting sides of the interfaces
Ensure the encapsulation at both ends meet
Check the cable is connected and the correct type of cable is used
Check to see whether any restrictions are on the trunk that are preventing a VLAN across the link (show int trunk)

Cisco ICND2 – Configure, verify, and troubleshoot VLANs

February 6, 2013March 18, 2013 Chris Stark Leave a comment

Configuring a VLAN

Configuring a VLAN is easy, within privileged mode # enter the following commands to create a VLAN, assign individual ports to a VLAN or even a range of ports:

Create a VLAN:

configure terminal
VLAN 10
Name Marketing

Assign a FastEthernet port to vlan 10:

configure terminal
interface fa0/1
switchport access vlan 10

Assign a range of ports to vlan 10:

configure terminal
interface range fa0/2-fa0/5
switchport access vlan 10

Verify a VLAN

There are a couple of ways to verify the above commands have actually worked.

The following command will show all the VLANs currently on the switch and what ports are associated with that vlan.

show vlan

As you can see, we created VLAN 10 earlier with the name Marketing and we have Fa0/1 through to Fa0/5 in this vlan.

The next way is to check the running config, if the commands have been entered successfully we should see Fa0/1 through to Fa0/5 in VLAN 10.

show running-config

As you can see from the above, the command we entered switchport access vlan 10 has been successfully assigned to ports Fa0/1 through to Fa0/5.

Another option is to run the show switchport command against the interface:

show interface fa0/1 switchport

Troubleshooting a VLAN

Ensure physical connections are connected and are configured with correct IP information – Can check LEDs on switch for connectivity
Check whether the hosts are in the same VLAN – Remember hosts in different VLANs will not communicate without a Layer 3 device

Cisco ICND2 – Describe how VLANs create logically separate networks and the need for routing between them

February 5, 2013March 18, 2013 Chris Stark Leave a comment

VLANs

A VLAN is a virtual logical area network. VLANs allow you to logically group ports on a switch. You may want to do this to ensure the IT department cannot see traffic from the Finance department for example. VLANs can be spanned across multiple switches, meaning all you have to do is change the VLAN number on a port and bingo you’re in that VLAN (assuming VTP is enabled across the switched network). VLANs break up broadcast domains by broadcasting frames only to the same VLAN.

We have the ability with VLANs to improve our security by controlling what VLANs have access to which other VLANs on the network. We can also isolated a VLAN so it cannot communicate with any devices but just have access to the internet (handy for open areas).

By default VLANs cannot communicate with other VLANs. However this can be achieved with either a layer 3 switch (not covered in the CCNA but is in the CCNP) or by you guessed it a router, as a routers job is to route frames. This method is known as a router on a stick.

Key Info

VLANs 0 and 4095 For system use only
VLAN 1 is Cisco default VLAN, all ports are by default a member of this VLAN
VLANs 2-1001 You can use, create and delete VLANS within this range
VLANs 1002-1005 are used with FDDI and TokenRing. You cannot delete these
VLANs 1006-4094 These VLANs are the extended range for Ethernet, can not be propagated by VTP
VLAN information can be found in VLAN.DAT which is stored in Flash memory. This can be viewed using “show flash”
VLANs cannot send between VLANs, a Layer 3 device is needed

Taken from Cisco Configuring VLANs

Router on a stick

The way router on a stick works is, say a device on VLAN 20 wanted to communicate with a device VLAN 30 both VLAN frames would need to be sent to a router via a trunk link from the Layer 2 switch. The router will look at its sub-interfaces and see if it has a match for the VLANs, if it does it will route the frame to the correct destination. Remembering that without this method VLAN 20 will not be able to communicate with VLAN 30.

Key Info

Layer 3 device such as a router or switch required
Links between the switch and router must be in trunk mode
Encapsulation between the switch and router must match either 802.1Q or ISL
Encapsulation can only be configured on a Fast Ethernet/Gigabit interface
Encapsulation must be configured on the subinterface to match the VLAN
Subinterfaces must be configured with an IP address that is on the same subnet of the VLAN, this will also be the default gateway for that VLAN
the parent interface of the subinterface must be up (no shutdown) for the subinterfaces to work

Configuring a trunk:

Configuring a VLAN

VLANs

Follow CHRIS STARK