Switch Study Note 642-803 HUB----------------------- Layer 2 Switch------------------------ Layer 3 Switch Hub: Brodacast Domain Collision Domain 1 1 Layer 2 Switch: Broadcast Domain Collision Domain 1 Multi Layer 3 Switch Broadcast Domain Collision Domain Multi Multi This is a typical small business model. This is a typical Cisco small business model. Issue with Plug and Play Switches 1. Chances for Failure. 2. Broadcast Traffic 3. Multicasting issue. 4. Security issue 5. Mac Flooding. Switches lose MAC address if the PC is not sending any data (Sleep Mode). And the switch will delete the MAC address from the table. Cisco Network Model. In the enterprise Model Cisco would like the setup in Blocks. VLAN Vlans divide the flat network into multi broadcast domains. No broadcast can come from another VLAN. They help simplify network management troubleshooting gives better performance don’t slow the network by dividing the large network into smaller broadcast domains. Scalibility Can help in summarization the network. When used with Routing. Designing the Network. When doing designing your network, keep these in mind. Restrict VLANs to switch blocks. (don’t use the same VLAN number in different Blocks). Implement Management VLANs. To isolate the management for security reason. Separate Voice traffic from Data traffic. Implement MultiCast support. Switches treat MC like Broadcast. Cisco Operating System flavors. CatOS. Was aquired by cisco whrn they bought the switches technology. Uses SET base syntax command. Combined with IOS for Layer 3 function. No config terminal based command. Large Switches still use CatOS. Cisco IOS (Native OS) Same OS that is used on Routers. VLANs (Virtual LANs) VLANs Foundations. Logically Divide Groups of users/PC/Servers, etc into segments. Segments Broadcast Domains. Subnet Correlation. Access Control Quality of Service. -Switch to switch ports connection is called Trunk ports. Local Vlan Are confined to one block. (Server Blocks, Users Blocks). It is Cisco recommended Model. Ideally they don’t extend beyond the Distribution Layer. They are routed to other Vlans. And should be created around physical boundaries. Configuring basic VLAN. (LAB) Show vlans. Give you all the vlans that are configured. There are 2 ways to configure VLANs --The original way. Being fazed out. Switch# vlan database Switch(vlan)# vlan 10 name users Switch(vlan)# vlan 20 name management Switch(vlan)# vlan 30 name sales Switch(vlan)# exit (Note: when done make sure you type exit not Control-Z or you will lose everything.) --The new and recommended way is. Switch#config t Switch(config)# vlan 10 Switch(config-vlan)# name management. Switch(config-vlan)# exit Switch(config)# vlan 20 Switch(config-vlan)# name sales Switch(config)# vlan 20 Now we assign ports to the vlans. Switch(config)# Interface range f0/1 – 10 Switch(config-if-range)# Switchport this put the port in switch mode (layer 2) Switch(config-if-range)# Switchport mode access This hardcode the port in access mode not in trunk (if left in autoNegotiate). Switch(config-if-range)# Switchport mode access vlan 10 Switch(config)# Interface range f0/11 – 24 Switch(config-if-range)# Switchport Switch(config-if-range)# Switchport mode access Switch(config-if-range)# Switchport access vlan 20 VLAN info/data is stored in VLAN.DAT file NOT in the running-config. They are stored on the flash memory. Note: Delete this file if you need or want to erase the switch configuration along with the startup-config. VLAN TRUNK ISL and 802.1Q Native VLAN Native VLAN Mismatch. Trunking port are used to carry and tag vlans between switches and vlans. Tags are removed by switches and the data is sent to the end device (PC,Server, etc) Trunking works in layer 2. ISL Cisco propriety trunking protocol. works only on Cisco devices. Encapsulate the whole frame. Being fased out. Most new swiches may not include it. 26 byte header | Ethernet Frame | | Junk | VLAN | Junk | 802.1Q Open Standard | 4 byte CRC Insert Tags into frame rather than encapsulating. Dest MAC | Source MAC | 4byte Tag | Ethernet Frame | | 3 Bit Pri | VLAN | FCS Native VLANs It used in 802.1Q, may get error native vlan mismatch. When a untagged package from a device connect through trunk port (hub). It tags them with the a native vlan tag. If a trunk port receive untagged packet on its port, it assign it to the native VLAN. Example when connecting VOIP phone and PC together. VOIP is assigned a VLAN number and since the PC can’t assign a VLAN, the switch assigns it to the native vlan. The phone is acting as a hub. DTP is a dynamic trunking protocol. Switches use to auto negotiate trunking between them. Not recommended because of possible security issue. Switch ports can have 5 different modes. 1. Access : used when connecting PC/servers to the switch. When connecting a switch to it, it will not act as a trunk. Will only allow 1 VLAN. 2. Trunk : this will send DTP packet and will always stay as trunk. If the other side is trunk D. Auto, D. Desirable it will make them trunk ports. 3. Dynamic Auto if both switch port are set to this they will not become trunk ports rather they would be access ports. If one side is set to Dynamic Desirable then the Auto port become a trunk port. 4. Dynamic Desirable : default port. When ever you plug anything to it it will negotiate with the other device. If it is a switch it become a trunk, if you plug PC it will become access port. 5. Non-Negotiate used with trunk mode and the port will not send any DTP packets. Good for security, sniffer can’t see the packet going through the port. Switch# show Interface f0/2 switchport Will give the administrative mode (set by the admin) the port is in. and operational Mode (what mode it is negotiating with the other side) administrative mode: dynamic desirable operational Mode: trunk Switch# Switchport trunk encapsulation dot1q Switch# Switchport mode trunk Switch# Switchport nonnegotiate (used with trunk command) ( no DTP will be sent) Note: On new IOS switches there is no ISL encapsulation command. Switch# Switchport trunk native 10 Will assign this port native vlan 10, anything that comes in on this port without a tag it will assign to the native vlan (10). Pruning manually Switch# Switchport trunk allowed vlan ? Switch# Switchport trunk allowed vlan 10,20,30 ? (will have multi choices to pick, add,all, except, none, remove word) Show Command to use. Switch# show run int f 0/2 Switch# show int f 0/2 switchport Switch# show int f 0/2 trunk Note: do nongeotiate command before trunk command this way you won’t lose the nonnegotiate option if you ever reboot the switch. VTP VLAN Trunking Protocol VTP: is the VLAN trunking protocol, used to ease VLAN administration/ replication. When connecting multiple switch and configure VLAN on one switch, it is copied to all other switches. Whenever new VLAN is created it is pushed to all other switches, the switch checks its database revision and if this is newer it replace its database. VTP MODES 1. SERVER: Can change VLAN information Send and receive VTP updates Saves VLAN Configuration 2. CLIENT Can’t change VLAN Information Send and receive VTP Updates Does not Save VLAN Config 3. TARANSPARENT Can change VLAN information Forward VTP updates, V2 Doesn’t listen to VTP advertisement Saves VLAN configuration VTP Pruning VTP pruning is automatic way to remove unnecessary broadcast traffic from going through trunk link. Works only on VTP Server If you have VLAN 20,30,40 on few switches and you have VLAN 20.30 on a particular switch so there is no need to pass VLAN 40 to it, VTP can stop that VLAN broadcast traffic from crossing the trunk link to it, but it does not remove the actual VLANs. You will see the VLANs in that switch. VTP Configuration 1. Verify the current VTP status 2. Configure VTP domain / password 3. Configure VTP mode 4. Set VTP Version number 5. Verify Switch_A# show vtp status Notice the VTP version that it is in. must be turned on Configuration revision. Should be 0 to start with. Has no VLAN passed to it and no vlan configured. VTP Operating mode : Server. Is the default for switches. VTP Domain Name: Blank, by default this is the most Susceptible state for the switch. You must change this ASAP. Common VLAN issues 1. Native VLAN mismatch. 2. Trunk Negotiation issues Auto-to-Auto does not become Trunk Avoid DTP (trunk negotiating) when possible 3. VTP issues not updating/applying Verify VTP domain / password. (name is case sensitive). Verify VTP version (Ver 1, 2) Verfy Trunk Links. Delete flash:VLAN.DAT file and reboot. STP Spanning Tree Protocol Spanning Tree checks for redundant ports and block them except for one port. Only the active link will send traffic. STP is used to eliminate broadcast storms. TTL is layer 3. STP facts. Origianl STP 802.1D was created to prevent loop. Switches send probes into the network to discover loops called Bridger Protocol Data Units (BPDU) (boomerang). It is MultiCast packet BPDU helps elect the core switch (Root Bridge). The oldest switch is elected as RB ( lower Mac Address) STP view is switches find the best way to reach the Root Bridge then Block all other redundant links. Bridge ID = priority( 2 bytes) + MAC address(6 bytes). BPDU is sent every 2 Seconds. BPDU is sent around the network with the root bridge ID, which at the beginning it believe it is the Root Bridge, after an election is decided by the switches, every switch send BPDU with the elected Root Bridge ID. Lower Bridge ID wins the Root Bridge election. If all switches have the same Priority value then the lower MAC address wins the election. Priority is a value between 0 – 61440. the default is 32768. and increment by 4096. lower value is better. Prority is a vlue between 0 and 65535 the default is 32768, and you can only increment by 4096. Two type of BPDU exits. Configuration BPDU. Used for Spanning tree computation. BPDU (TCN) Topology Change Notification. Used to announce changes in the topology. BPDU and RB Election. Root Bridge has all its ports in Forwarding. Root Port: used to reach the Root Bridge. It is decided by the lowest link cost to the Root Bridge. Designated Port: is a Forwarding port, one per link decided by the switch with the lower Mac Address. Blocking / Non-designated Port: STP block that port (where the STP Fell). The other side of the designated port How STP Finds the Best path. 1- Elect Root Bridge the lowest Bridge ID wins 2-Switch finds the lowest cost path to root. And makes that port the root port. 3- Use the lower bridge ID on equal cost path. (Bridge ID = 32768 + Mac Address) 4- Use lower port to break a tie (when multi link exist between the switches). Link Bandwidth STP Cost 4 MBPS 10 16 45 100 155 622 1GB 10GB 250 100 62 39 19 14 6 4 2 STP Port States Disabled: does not send or receive data Blocking: Receive BPDU. Does not send or receive data or Learn MAC address. Listening: Receive and Send BPDU. Does not send or receive data or Learn MAC. Learning: Receive and Send BPDU and MAC. Does not send or receive data. Forwarding: Receive and Send BPDU and MAC and data. (operational Mode). CST vs PVST vs PVST+ Common spanning Tree (CST). Is IEEE 802.1Q standard. It specify one Spanning Tree for all the VLANs. All CST BPDU are transmitted on the trunk using the Native VLAN with untagged frames. Per-VLAN Spanning tree (PVST) Is Cisco Proprietary requires ISL Trunk encapsulation Uses one Spanning Tree per VLAN with one Root Bridge elected per VLAN. Helps Load Balance more effectively. All new Cisco switches uses it. It adds the VLAN number to the Priority value. 32768 + VLAN #. Bridge ID = Priority + VLAN + MAC address Example for VLAN 10. (Priority = 32768 + 10 = 32778). By lowering Priority on one switch for one VLAN we make that switch the RB and lower another prority on another switch for another VLAN and makes that switch the RB for the other vlan. Per-VLAN Spanning tree Plus (PVST+) Another Cisco Proprietary Allows switches to interoperate with both CST and PVST. Between 802.1Q and ISL Spanning Tree Commands Switch(config)# spanning-tree vlan X root primary Switch(config)# spanning-tree vlan X root secondary OR use this command. Switch(config)# spanning-tree vlan X root <number> Switch# show spanning-tree RAPID SPANNING TREE Rapid STP: 802.1W Proactive System Redefined Port Roles Many STP Similarities. Port Fast: applied to ports with devices connected to such servers/PC. Can’t be on a trunk port. Rapid STP port states Discarding Learning Forwarding Rapid STP port Roles. Root Port Designated Port Alternate Port Edge Port ( port Fast) Rapid STP is better because: It doesn’t forgot ports Many timers of STP are elminated. Any changes to the trunk ports flood through the network to other switches (Topolgy Change Packet). Configuring RSTP Switch(config)# spanning-tree mode rapid-pvst To group vlan under a single ST instance. Switch(config)# spanning-tree mode mst TherChannel Aggregating redundant links Ether Channel. Is using multi link and turning them into one link. Up to 8 ports/links and using them as a trunk link. Load balance across them and automatic failover. 2 Negotiation Protocols. 1- PAGP port Aggregation Protocol Cisco propriotery. Ports modes. Auto: wait for the other side and see if they are set as desirable to on to become ether channel. If both side are set to Auto then both links will not become ether channel. Desirable: will be an aggregate link if link is detected, if other side is auto then both will become ether channel On: both side need to be on to become ether channel. 2- LACP link Aggregation Control Protocol. Standard industry (802.3AD). Ports modes. Passive: same as Auto Active: Same as Desirable On: same as on. Configuring EtherChannel 1- configuring EtherChannel at Layer 2 Switch(config)#int range f0/23 -24 Switch(config-if-range)#channel-protocol pagp Switch(config-if-range)#channel-group 10 mode desirable Switch(config-if-range)#do sh ip int br Port-channel 1 unassigned YES unset down Switch#sh etherchannel Switch#sh etherchannel port-channel down 2- configuring EtherChannel at Layer 3 Same as Layer 2 plus this: Switch(config)#int port-channel 1 Switch(config-if)#no switchport Switch(config-if)# ip add 10.1.1.2 255.255.255.0 Load Balancing Cmd Switch(config-if)# port-channel load-balance <Method> Key notes: All ports must use same speed/duplex Interfaces in a bundle are redundant (1 port goes down doesn’t affect the channel). No interface in bundle can be span ports Interface in bundle must be in same vlan / trunk Any changes to port-channel affect all bundle ports Any changes to individual ports affect only that port not the channel. Inter-VLAN Routing Router on a Stick Advantages Easy to setup Lower Cost Disadvantages Congestion on the link Single point of Failure Delay of Routing Configuration On the Switch Setup and configure the Trunk link On the Router setup and configure the Sub_Interface. The Switch configuration: Switch# interface f0/24 Switch# Switchport trunk encapsulation dot1q Switch# Switchport mode trunk Switch# no shut Also setup the vlans and assign the ports to the VLANs Note: don’t forget to setup and match the Duplex and the speed on all the ports (switch, router and PCs). And make sure all interface are up/up before you ping. The Router configuration: Router# Interface f0/0 Router# no shut Router# interface f0/0.10 Router# encapsulation dot1q 10 Router# ip address 192.168.10.1 255.255.255.0 Router# interface f0/0.20 Router# encapsulation dot1q 20 Router# ip address 192.168.20.1 255.255.255.0 Do ping and trace route to test. Multi_Layer Switching Advantages Routing at wire speed Backplane bandwitdth Redundancy enabled Disadvantages Cost Configuration: Setup/create SVI --SVI 10 192.168.10.1 SVI 10 192.168.20.1 Enable Ip Routing on the switch (Optional) Create Routed Ports Enable Routing Protocols Switch(Config)# Interface vlan 10 Switch(Config)# IP address 192.168.10.1 255.255.255.0 Switch(Config)# Interface vlan 20 Switch(Config)# IP address 192.168.20.1 255.255.255.0 Switch(Config)# IP Routing (Optional) if you need to connect the switch to a router then you can enable routing and routing protocol. Switch(Config)# Router EIGRP 1 Switch(Config)# Network 192.168.10.0 Switch(Config)# Network 192.168.20.0 LAYER 3 vs MultiLayer Switching (CEF) Multilayer Switching Layer 3 switch is a switch with a router built-in it. Multi layer switch is a switch that is capable to cache route information Every layer 3 switch is Multi Layer switch Not Every multi layer switch is a layer 3 switch Layer 3 Routing vs Layer 3 Switching Routers and Layer 3 switch both have IOS software routing. Software Routing is slow compared to ASIC (wire Speed). Layer 3 switches can play a little software / hardware trick. FIB has all the next routing that are passed to it from the Layer 3 routing engine. It also contain the next hop address for each route entry. Adjacent table is a list of MAC address. Packet are moved at wire speed. To enable CEF on a switch just implement the cmd Switch(config)# ip cef Switch# show ip cef summary Switch# show ip cef vlan 100 Switch# show ip arp 192.168.1.102 Switch# show ip cef 192.168.1.102 CEF support traffic statistic. To check usage on a switch. CEF takes Layer 3 routing and apply it to layer 3 switching. Redundancy Layer 3 High availability HSRP, VRRP, GLBP HSRP: Hot standby router protocol. Cisco proprietary send messages to mulicast 224.0.0.2 (all routers). Use a default timer of 3 seconds with the hold timer (gateway) of 10 seconds. Timers are tunable and you need to add 1 second more for delay. Gateways are organized into standby groups. One gateway is active and the other is in standby state. Virtual router IP (VIP) and MAC(virtual MAC) are created. Virtual MAC is made up of Csico Vendor ID (6bits), HSRP ID (4 bits) and group ID (2bits). Virtual MAC 0000.0C 07.AC XX VRRP: Virtual Router Redundancy Protocol. Created by IETF Works on other vendor equipments. Faster timer by default than HSPR. 1 second hello timer and 3 seconds Hold timer. GLBP: Gateway Load Balancing Protocol. Cisco Proprietary Same as HSRP, but allows an active-active connection that adds load balancing. Configuring HSRP 1. created standby group 2. reassign IP address 3. Verify 4. optimize and tune : Priority. Choose which switch is the primary switch for traffic Preempt. Over throw the router with a lower priority. Tracking. If wan link drop, then the switch would lower its priority by a certain number Timers. Campus Security Common layer 2 attacks. DSNIFF utility: (network Auditing utility) - MACOF . fill the CAM table with MAC address then the switch turns into a hub. The user then sniff for all the data that are going through the switch. Note: Create a list of best security practices. Port Security on switches: -Prevent Many layer 2 attacks -Can use secure MAC address Dynamic Static Sticky -Limit the number of MAC addresses per port. Limit # of MAC address: Switch(config-if)# switchport mode access This way no trunk can be used. Switch(config-if)# switchport port-security maximum 1 Allow only 1 MAC address per port , no hub can be installed on this port. Switch#show port security int f0/2 Switch(config-if)# switchport port-security violation (shutdown,protect,restrict) Shutdown: is the default Protect: will not tell you if the port was violated. Restrict: will add count to security Violation Count. Switch# show interface status Shows more detail about the port’s status. To get the port back up, shut the port then no shut cmd. Switch#show errdisable recovery Switch(config)# errdisable recovery cause 300 sec default Switch(config)# errdisable interval 100 Secure MAC address Switch(config-if)# switchport port-security mac-address <sticky, MAC_Address> Hard code the MAC Add or use sticky to learn it the 1st time devices connect. Switch(config-if)# switchport port-security mac-add sticky NOTE: If you type the MAC add then you should limit the maximum address to 1 otherwise it will ignore it. Switch#showmac-add int f0/2 Gives you detail about the port MAC,VLAN, type (Dynamic). Identity-Based Network Services. (IBNS) 802.1X allows the switch to participate in authentication. When a client needs to use the network port, it asks the switch to authenticate and the switch asks the Radius/Tacac+ whether to allow or deny. EAP allow to use or switch to new authentication technology. EAP is a shell that contain TLS, PEAP, LEAP etc. Switch(config)# AAA new-model Switch(config)# AAA authentication dot1x default group radius Switch(config)# dot1x system-auth-control Turn 802.1x on the switch. Switch(config)# inter f0/2 Switch(config-if)# dot1x port-control How to setup 802.1X http://www.cs.umd.edu/~mvanopst/8021x/howto/ Campus Security VLAN and Spoofing Attacks Prevent VLAN hopping attacks Private VLANs Mitigating spoofing with snooping and IP source guard. Prevent VLAN hopping attacks Hackers negotiate a trunk connection with a switch, moves between VLANs Simple yet easily forgotten prevention Switch(config-if)# swtichport mode <access,dot1q-tunnel,dynamic,trunk> Private VLANs Are VLANs within VLANs (sub_VLANs). You can have 3 differnet types of ports. Promiscuous. Setup on the router default gateway Isolated. FTP server. (One isolated VLAN per Primary) 320 Community. WWW server and the DB server. They need to exchange info between each other. 310 Switch(config)# VTP mode transparent Switch(config)# vlan 300 Switch(config-vlan)#private-vlan primary Switch(config)# vlan 310 Switch(config-vlan)# private-vlan community Switch(config)# vlan 320 Switch(config-vlan)# private-vlan isolated Switch(config)# vlan 300 Switch(config-vlan)# private-vlan association 310, 320 Switch(config)#inter f0/20 Switch(config-if)# swtichport mode private-vlan host Switch(config-if)# swtichport private-vlan host-association 300 320 Do the same to the other ports. For promiscuous port do this Switch(config-if)# swtichport mode private-vlan promiscuous Switch(config-if)# swtichport private-vlan mapping 300 310,320 Man in the middle attacks Cisco use DHCP snooping to stop this. Switch(config)# ip dhcp snooping If someone tries to connect some switch/router/dhcp server to give ip address it will stop it. Switch(config-if)# ip dhcp snooping trust. Will ties the IP address to the MAC add of the device on this port. IP source guard. Create access list for the port that requested IP from a DHCP server. Switch(config-if)# ip verify source vlan dhcp-snooping port-security. Campus Security STP Switch(config-if) spanning-tree bpduguard enable. Put the port in error-disable state. Don’t enable on the ports that are connected to other switches. Switch(config-if) spanning-tree guard root If a switch connect to this port it will flag it with a message of inconsistent Best practices to swcure switches. Disable CDP whenever possible Lock down STP Disable trunk negotiation on access ports Physical security Place unused ports in a black hole VLAN (999) Use SSH when possible Switch(config)# no cdp run Switch(config-if)#no cdp enable disable it per port Switch(config-if)# switchport host. Switch(config-if)# switch mode access Switch(config)# line vty 04 Switch(config-line)#transport ssh Campus Security VACL VLAN Access List. Allow you to filter all traffic on a VLAN: VLAN 10 has access only to 192.168.10.0, VLAN 30 has access to 192.168.30.0 subnet Supported on MLS only Typically found in large enviorment. VACL works like route-map. Switch(config)# access list 1 permit 192.168.10.0 0.0.0.255 Switch(config)# access list 2 permit 192.168.30.0 0.0.0.255 Switch(config)# vlan access-map TEST 10 Switch(config-access-map)# match ip address 1 Switch(config-access-map)# action forward Switch(config)# vlan access-map TEST 20 Switch(config-access-map)# action drop Switch(config)# mac access extended server Switch(config)# permit any host 1111.1111.1111 PACL (port ACL) ACL applied to a inbound of a ports. Switch(config-if)#ip access-group 1 in VOICE OVER IP Benefit of VOIP. Move, adds, and change (MAC). Are cheaper to implement. Less technicians. Bandwidth and equipment efficiency. . Ex: One set of cabling Lower cost of voice transmission. Same wan connection for data and voice. New applications and devices. PBS need special equipment and propority equipment, while VOIP doesn’t. Each phone line uses 64kbps of bandwidth, voip can compress to 8 kbps. Without any noticeable loss/degrading. Phases of migration from PBX to IP phone. Phase one: Keep the PBX system and digital phones. Calls routed over WAN rather than PSTN. Benfit free long distance, major requirement QOS. Phase two: Voice and data network have become one PBX and Digital phone decommed True integration between voice and data Typical new structure starts. Campus issue with deploying VOIP. Inline power Dual VLANs. Daisy chain phone and PC. QOS. Dual VLAN. Switch(config-if)# switchport mode access Switch(config-if)# switchport access vlan 200 Switch(config-if)# switchport voice vlan 100 QOS: 2 QOS marking: used so that we don’t need deep packet inspection - Class of service (COS) layer 2. 8 bits, 8 level of marking. Type of service (TOS) Layer 3 3 to 6 bits many levels of marking, TOS (ip precedence). Bit 6 DSCP. Switch(config-if)# mls qos trust cos Trust COS on this port. Switch(config-if)# mls qos trust device cisco-phone To make sure no hacker use the port as a phone. The switch will check to make sure that a Cisco phone is plugged. Switch(config-if)# auto qos voip cisco-phone It will deploy all kind of QOS automatically. WIRELESS Type of Wireless Network Personal area network (PAN). Blue Tooth Local Area Network (LAN). Linksys routers/switches. Metro Area Network (MAN). City Wide wireless network Wide Area Network (WAN). City to City wireless network. Wireless LAN facts. Wireless access point (WAP) acts like a hub. o Shares Signal o Half Duplex. Only one user can send and receive data. Uses unlicensed band of radio frequency Wireless is a physical and data link standard Uses CSMA/CA instead CSMA/CD Faces connectivity issue because of interferences. Layer 2 Roaming. 2 or more wireless AP with the same VLAN/subnet and SSID. Monitoring Syslog: Switch(config)#line console 0 Switch(config-line)# logging synchronus. Helps remove the annoying logging when you exit and puts you at CMD prompt. Switch(config)#logging buffer Adjust the logging buffer size. Logging is store in memory. Syslog uses port UDP port 541 KIWI syslog server Is a log server. Switch(config)#logging 192.168.1.12 Switch(config)#logging trap <level 0-7> SNMP It collects statistics from devices. monitoring application (ORION,PRTG) maniplulate and massage data SNMP has 3 versions. Version 3 offer authentication/encryption. RO default community string is public RW default string is Private. Highly recommended is to change them. Switch(config)# access-list 10 permit 192.168.1.102 0.0.0.0 Switch(config)#snmp-server community <name> ro 10 IP SLA A way to detect link failure using real time data A way of testing service level on a line A way to add valuable data to network monitoring SLA endpoint can be either a device or IP SLA responder. 4.2.2.2 Is a public DNS server. Switch(config)# ip sla 100 Switch(config-ip-sla)# icmp-echo <isp-gateway><or any IP> Switch(config-ip-sla)# frequency 5 Now we schedule it. Switch(config)# ip sla scheduale 100 start-time now life forever. Switch# show ip sla statistic. Switch(config)# track 1 rtr 100 reachability. (RTR is old version of SLA) Switch(config)# ip route 172.25.25.25 0.0.0.0 track 100 The second link Switch(config)# ip route 190.125.25.25 0.0.0.0 50 (this a back route) SLA endpoint can be either a device or IP SLA responder. Use a reliable router as a SLA responder to give better results.