Instructor: Kent Reuber, consultant for Engineering departments
reuber@stanford.edu, 725-8092
Definitions
Switch Models and Building Design
Configuring Cisco 2900/3500 Switches
Managing Switches via Web and Telnet
Reference Section
Lab (Optional)
A smart hub can be configured and remotely managed. For example, ports can be shut off.
However, this doesn’t mean that it does anything smart with network traffic. It has no switching capabilities. Traffic is always forwarded to all ports.
Our most common smart hub on campus is the Asanté NetStacker.
Networking no longer recommends hubs for wiring closets. It may be OK to use small unmanaged hubs to give selected offices additional ports. Use hubs with care!
Stanford has mostly decommissioned NAT bridges, but since switches do bridging, it’s worth discussing how these work.
A bridge separates network segments into two “collision domains”, allowing both sides to support one “conversation” on each side.
Each side has a “bridging table”: a list of all MAC addresses on that side. Based on these lists, a bridge determines whether to keep a packet on one side or forward it to the other.
A NAT bridge will show a solid green “Status 3” light if working properly. Any other condition is an error. One common error condition is an unterminated coaxial segment.
Broadcasts and multicasts are always forwarded to both sides (or to every port in the case of a switch). If you use a sniffer on a switch port, this should be the only traffic you see.
A switch is a hub where every port acts as a bridge.
Each port remembers the MAC addresses of all devices connected to it.
The switch as a whole keeps a master list of all these MAC addresses by port.
If a user has a mini-hub in their office, you will see multiple MAC addresses on a switch port.
A switch port periodically drops unseen addresses from its list. Pinging a host by IP address will put the corresponding MAC address back in the table (assuming the device is on).
The end result of this is that network traffic is generally not repeated across all ports (unless it’s a broadcast or multicast). For example, if a computer on port 2 is sending a huge file to the server on port 8, no other ports see this traffic.
Network traffic problems almost always disappear with switches. Collisions become a thing of the past.
There are ranges of addresses that are not routed anywhere on the Internet. Any site may use these addresses for their own purpose:
10.*.*.*, 172.16.*.* – 172.32.*.*, 192.168.*.*
Devices with private addresses cannot access or be accessed by hosts outside of Stanford. That’s usually OK for switches, printers, etc.
If your network is 171.6x.y.*, your private address is probably 172.2x.y.*
– For large nets, there may be only one private range. E.g., the private net associated with 171.64.52 – 55 is 172.24.52.*
– You can check in Netdb or whois. Look up the Network record for your net number. Net numbers end in “0”, e.g., 171.64.20.0
The netmask for devices on the private net is 255.255.255.0. Don’t use 172.24.1.1 for a gateway. Use a “.1” address for the specific network. (For example, use 172.24.20.1 for net 20.)
What would happen in the following situation? [Diagram: two switches both connecting the same two network segments.]
Which switch would send the packet? What would happen if both switches sent a packet from one side to the other?
To prevent such a problem, there is Spanning Tree Protocol. Simply put, the two bridging devices decide which one will do the bridging, and which one will enter “standby” mode.
If you wish to use switches to provide redundancy in your network, you can do so. Spanning tree will force one switch to shut off that port.
The primary problem of spanning tree is that it takes 20-30 seconds or more for the port of a switch to discover if it is connected to another switch. This can cause problems with many desktop computers which become impatient with the delay, assume there’s no network connection, and give an error.
Twisted Pair:
– Category 3: 10 Mb only, uses 2 pairs.
– Category 5/5e: Required for 100Mb. Use 2 pairs for 100Mb, 4 pairs for gigabit (1000BaseT)
Two types of wiring configurations (RJ-45):
– Standard (switch/hub to computer)
– Crossover (switch-switch or computer-computer)
– AutoMDIX: Some switches automatically choose standard or crossover as appropriate.
– 1000BaseT can use either standard or crossover between switches.
Fiber can be used for speeds from 10Mb to 10Gb.
– Names: 10FL, 100FX, 1000BaseSX/LX/ZX
– Fiber switches do not auto-negotiate: no 10/100!
Two types of cables:
– Single mode (yellow): Usually 8µm diameter fibers. Used for longer runs, equipment is more expensive.
– Multimode (orange): Usually 62.5µm or 50µm. Used for shorter runs. 50µm can support longer runs.
– Currently Stanford uses multimode for most applications. Gigabit will involve using more single mode for building feeds.
ST (think “T for tube”):
– 2 round ends with thin-wire style bayonet connectors.
– Used on 10FL switches. By convention, Stanford uses ST for connections between buildings, even for 100FX.
SC (think “C for cube”):
– 2 square ends that click into place
– Used by 100Mb and gigabit equipment. Now used for fiber runs within a building at Stanford (new installations).
MT-RJ:
– Small connector. Can be a little fragile. Used when you need to put lots of fiber in a small space (e.g., a switch with 24 fiber ports)
Model | Backplane Speed (Gbps) | 10/100 baseT ports | GBICs | Other
--- | --- | --- | --- | ---
1900 series | 1 | 12/24 10baseT | | 2 100FX fiber or 2 100T ports or 1 of each. Not used much anymore.
2924/C/M | 3.2 | 24 | | Very common at Stanford. C has 100FX, M has 2 module bays. **Discontinued**
2950 series | 8.8 | 12/24/48 | | Optional 100FX (MT-RJ), 10/100/1000BaseT, or GBIC uplinks
3508G | 10 | | 8 | **Discontinued**
3512/24/48 | 10 | 12/24/48 | 2 | **Discontinued**
3550-12T | 24 | | 2 | 10 10/100/1000BaseT ports. Layer 3
3550-12G | 24 | | 10 | 2 10/100/1000 ports. New building entrance device.
3550-24/48 | 24 | 48 | 2 |
AT-8288 | | 8 | | From Allied Telesyn. 8 100FX + 2 modular slots for gigabit. Used in wireless network and some building entrance devices.
Except for 8288, all switches are made by Cisco.
Ask your network consultant for help when designing nets
“Gigabit Interface Converter”. Hot swappable modules for different gigabit media.
– 1000BaseLX (fiber). Used mainly for runs between buildings (~550m limit on 62.5 µm multimode fiber, 5km on single mode)
– 1000BaseSX (fiber). Used mainly for runs between wiring closets (~220m limit on 62.5 µm multimode, ~500m on 50µm multimode. Cannot be used with single mode).
– Gigastack or “stacking GBIC” (copper). Can be used to connect switches within a rack. Note that switches in a stack can act as though they were connected with a Gigabit hub -- you *can* have collisions. Probably don’t want to use these.
– 1000BaseT. Gigabit over Cat 5. For servers and/or switches.
Warning: GBICs are static sensitive. Cisco recommends using a grounding strap.
[Diagram: example 100Mb building design]
Main Closet (e.g., in basement): 100FX fiber building feed; 2924M w/ fiber modules; 2924; 2924 (more as needed)
1st floor, wing 1: 100FX fiber; 2924C; 2924; 2924 (more as needed)
1st floor, wing 2: 100FX fiber; 2924C; 2924; 2924 (more as needed)
(Other floors are similar)
[Diagram: example gigabit building design; the labels “Networking Controlled” and “1000BaseT” appear in the diagram]
Main Closet (e.g., in basement): 1000LX fiber building feed; 3550-12G; 3550-12G; 3550-48; 3550-48 (more as needed)
1st floor, wing 1: 1000SX fiber; 3550-12G; 3550-48; 3550-48 (more as needed)
1st floor, wing 2: 1000SX fiber; 3550-12G; 3550-48; 3550-48 (more as needed)
(Other floors are similar)
Cisco Catalyst 2900-series switches use Cisco’s IOS operating system, which is the same OS used on their routers.
In this class, we cover only the basic IOS commands needed for switch configuration and basic management.
There are 5-day classes that introduce you to IOS, and then other 5-day classes offered by third parties that you take to get into some of the details.
IOS works on levels. You have to be at the right level to issue the desired command.
– The most useful level is the “enable” level, from which you will be able to see your configurations and save (write) your configuration. Very similar to becoming “root” in Unix or “Administrator” in Windows.
– There’s also a configuration level which is used to input new commands.
For example, to change the speed and duplex for a switch port (Cisco calls this an “interface”), you must:
– Enter enable mode
– Enter configuration mode
– Specify the interface you want to modify (e.g., FastEthernet 0/1)
– Issue the commands to change speed and duplex
The most useful IOS commands are:
– en to enter enable mode (from which you do everything). When in enable mode, a # will appear in the prompt (Switch> becomes Switch#). At each level the prompt changes (Switch(config)#, switch(config-if)#, etc.). You’ll see some of this in our configuration.
– show run shows the current running configuration, while show config shows the stored configuration. write stores the running configuration.
– config t to configure over the terminal (your current session).
– config net to configure over the network (download a configuration file from a tftp server).
– exit to go back one level (e.g., from the config level to the enable level, so you can write a configuration); control-Z gets you all the way back to the enable level.
Any config changes are not saved until you issue a “write” command.
You’ll Need:
A laptop or desktop computer with a serial connection.
The special serial cable that comes with the switch.
A crossover cable (usually hot pink or lime green)
A network connection.
Set up:
Turn AppleTalk off (if using an older PowerBook)
Create a NetDB record for the switch (you need an appropriate IP address)
Connect the serial cable (using the appropriate adapters) to the RJ-45 console port on the switch
Connect the switch, using the crossover cable, to an Ethernet connection.
Start a serial session.
– IP address, netmask, gateway, hostname
– passwords
– Stanford DNS servers, standard access lists (address ranges allowed to access the switch)
– Additional access lists, spanning tree settings
Go to the LNA Guide “Hardware” section:
– http://lna.stanford.edu/hardware.html
– Note, this page is restricted to LNAs.
Select the link appropriate for your switch. This will open the config file in a browser window:
– 24 10/100 ports (2924, 2950-24, 3524, etc.)
– 48 10/100 ports (2950-48, 3540, 3550-48)
– All gigabit (3508, 3550-12G, 3550-12T)
Select all this text and paste it into a text editor (e.g., Notepad in Windows, or TeachText for Mac)
The config file you’ve accessed needs to be altered. Comments will show you what you need to change. In general, change:
– Switch IP address and default gateway
– Switch hostname (name from NetDB)
– Telnet and enable passwords
– Web access list (what IP addresses can access the switch for Web management)
– Portfast settings
Change the items in bold (here: the IP address, the gateway and the hostname):
enable
config terminal
# Replace the address below with your switch's IP address.
# The netmask will probably not need to be changed.
interface VLAN1
ip address 172.24.00.000 255.255.255.0
no shutdown
exit
# Replace with your gateway address.
ip default-gateway 172.24.00.1
# Replace "SWITCH" with the name of the switch as shown in netdb
hostname SWITCH
More things to change:
# Replace "SEKRIT" with the "enable" password of your switch.
# This password allows you to make changes.
enable secret SEKRIT
# Replace "SEKRIT2" with the telnet password for the switch.
# We recommend that you make this different than the enable password.
line vty 0 4
password SEKRIT2
exit
# Uncomment the line below if you DON'T want your switch to be
# running a Web server for management purposes.
#
#no ip http server
More things to change:
# The next lines control which address ranges can manage your switches.
# You should not need to change access-list 1, which is for telnet
# access.
ip http access-class 2
access-list 1 permit 171.64.0.0 0.3.255.255
access-list 1 permit 172.24.0.0 0.3.255.255
access-list 2 permit 171.64.20.0 0.0.0.255
# Access-class 2 is for Web management. Add any net ranges that should
# be allowed to manage your switches below. The second number is
# the width of the access block. For example
# "access-list 1 permit 172.24.0.0 0.3.255.255” allows any device from
# 172.24.0.0 through 172.27.255.255 to manage the switches.
# Uncomment the line below and add your subnet(s) of choice.
# access-list 2 permit 171.64.00.0 0.0.0.255
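A checker for these management access lists, added here as an example and not part of the class materials: it expands an IOS address/wildcard pair into the range it admits (so you can see that 0.3.255.255 opens four /16s, not one subnet) and tests whether a given source address would pass a standard access list the way IOS evaluates it, first match wins and anything unmatched is denied. The template's own entries are embedded as constructed sample input.

```python
import ipaddress

# Constructed sample: the management access lists from the class template
# (access-list 1 guards telnet, access-list 2 guards Web management).
SAMPLE_ACL = """\
access-list 1 permit 171.64.0.0 0.3.255.255
access-list 1 permit 172.24.0.0 0.3.255.255
access-list 2 permit 171.64.20.0 0.0.0.255
"""

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_to_range(network, wildcard):
    """Expand an IOS 'address wildcard' pair into (first, last) addresses.
    A 0 bit in the wildcard must match the address; a 1 bit is 'don't care',
    so 172.24.0.0 0.3.255.255 admits 172.24.0.0 through 172.27.255.255."""
    net, wc = _to_int(network), _to_int(wildcard)
    first = net & ~wc & 0xFFFFFFFF
    last = net | wc
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))

def wildcard_size(wildcard):
    """How many addresses a wildcard admits: 2 to the power of its 1 bits."""
    return 2 ** bin(_to_int(wildcard)).count("1")

def parse_acl(text):
    """Return {list_number: [(action, network, wildcard), ...]} in file order.
    Only the 'access-list N permit|deny ADDRESS WILDCARD' form used in the
    template is handled."""
    acls = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "access-list":
            acls.setdefault(parts[1], []).append((parts[2], parts[3], parts[4]))
    return acls

def acl_permits(entries, source):
    """Evaluate one source address against a standard ACL the way IOS does:
    entries are tried in order, the first match decides, and an address that
    matches nothing is denied by the implicit deny at the end of every list."""
    src = _to_int(source)
    for action, network, wildcard in entries:
        net, wc = _to_int(network), _to_int(wildcard)
        if (src & ~wc & 0xFFFFFFFF) == (net & ~wc & 0xFFFFFFFF):
            return action == "permit"
    return False

if __name__ == "__main__":
    acls = parse_acl(SAMPLE_ACL)
    for number, entries in acls.items():
        for action, network, wildcard in entries:
            lo, hi = wildcard_to_range(network, wildcard)
            print(f"list {number}: {action} {lo} - {hi} "
                  f"({wildcard_size(wildcard)} addresses)")
    for host in ("171.64.20.7", "171.64.21.7", "172.25.9.9", "10.0.0.1"):
        print(host,
              "telnet" if acl_permits(acls["1"], host) else "-",
              "web" if acl_permits(acls["2"], host) else "-")
```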
More things to change. Remove the portfast statement from any port that will connect to another switch.
# The instructions below enable portfast on every 10/100 port.
# We assume one of the Gigabit ports is the uplink port.
# If your uplink port is on one of the 10/100 ports,
# remove the "spanning-tree portfast" line for this port.
# If this is a distribution switch, remove the "spanning-tree portfast"
# lines from *EVERY* port that links one switch with another.
# In other words, portfast is usually a good thing for ports that
# connect to computers, printers, etc., but *NOT* a good thing for
# links that connect switches to one another.
interface FastEthernet0/1
spanning-tree portfast
interface FastEthernet0/2
spanning-tree portfast
(Note: we have seen instances where the paste operation fails mid-way through. This is probably dependent on the terminal software used. If it does fail, paste again from the point where the failure occurred. You may want to try pasting the config file in 2-3 smaller “chunks”.)
Log in to the switch by its name or IP number through Netscape 4+ or IE 4+. You should use a PC: the Cisco Web management software works poorly (if at all) from Macs.
The quality of the Web interface varies with the software version of the switch and the browser version. In general, Networking only uses the Telnet interface, because it’s much more reliable and can be accessed from any machine.
However, the Web interface is the easiest way of doing switch software upgrades.
When you connect via a browser, you will see a username/password dialog. Put in the enable password. Leave the name area blank.
Click on “Web Console.”
Note how each active port looks just like it would if you were looking at the switch. Click the “Mode” button to cycle through the modes just like you were clicking on the “Mode” button on an actual switch.
Note: Don’t use the web interface and a telnet connection at the same time; some of your changes may not be written to the config file.
Generation 1:
– Long narrow menu bar (not hierarchical)
Generation 2:
– Shorter, fatter menu bar with “popup” action
Generation 3:
– Requires Java plugin (no Mac/Linux version!)
– This is the only version for the 3500
Enabling/Disabling Ports: e.g., a hacked machine is spewing packets and we want to shut it off.
Turning on PortFast: Bypasses the ~30 sec delay caused by spanning tree when devices are booting.
– Fixes “Your AppleTalk network is now available” warning
– Fixes some problems with Ethernet-LocalTalk bridges and any host having problems getting an address via DHCP.
Labeling Ports. Helps you keep straight who’s plugged into each port. But, you may prefer spreadsheets/database.
Forcing port speed/duplex: some devices don’t autonegotiate well.
Important note: Saving changes is a separate step!
Generation 1:
– PortFast: “STP” menu. Check/uncheck boxes.
– “Port” menu for other functions
Generation 2:
– PortFast: “Device” menu, “Spanning Tree Protocol” item. Select VLAN from the list (usually there’s just 1), then click button “Modify STP parameters”. Check/uncheck boxes.
– “Port” menu, “Port Configuration” item for other functions
Generation 3:
– “Port” menu, “Port Configuration” item for everything.
– A new window will open. Click the row of the port you want to modify and click the “modify” button.
Changes via the Web interface require 2 steps:
– “Apply” changes on the screen of interest
– “Save” the change on the “System” menu
Location of the “Save” command:
– Generation 1: “System” menu, “Save Configuration” button
– Generation 2: “System” menu, “System Configuration” item, “Save Configuration” button
– Generation 3: “System” menu, “Save Configuration” item
The telnet syntax is exactly the same as the format of the configuration file.
Telnet to the switch and get into enable mode. Type the “show run” command to see the current config. (“show config” shows the saved config.)
Notice the lines that look like:
– interface FastEthernet0/1
– This is where port-specific information goes
At any point you can type “?”. IOS will show you what the possible values are.
Example:
switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)#interface fastethernet 0/1
switch(config-if)#?
Interface configuration commands:
  duplex          Configure duplex operation.
  exit            Exit from interface configuration mode
  spanning-tree   Spanning Tree Subsystem
  speed           Configure speed operation.
(There are many more commands. I’ve deleted most of them for brevity.)
switch(config-if)#speed ?
  10    Force 10 Mbps operation
  100   Force 100 Mbps operation
  auto  Enable AUTO speed configuration
switch(config-if)#duplex ?
  auto  Enable AUTO duplex configuration
  full  Force full duplex operation
  half  Force half-duplex operation
switch(config-if)#spanning-tree ?
  cost           Change an interface's spanning tree path cost
  port-priority  Change an interface's spanning tree priority
  portfast       Allow a change from blocking to forwarding
  vlan           VLAN Switch Spanning Trees
Full example:
switch(config)#interface fastethernet 0/1
switch(config-if)#speed 100
switch(config-if)#duplex full
switch(config-if)#spanning-tree portfast
switch(config-if)#^Z
switch#write
Look at the MAC address table to find a specific device and shut down a port. (Caution: a device on another switch will be listed as being on the port connecting the switches. You don’t want to shut this port off!)
Switch>enable
Switch#show mac-address-table
Dynamic Address Count:              63
Secure Address Count:               0
Static Address (User-defined) Count: 12
System Self Address Count:          27
Total MAC addresses:                102
Maximum MAC addresses:              8192
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  ----------------
0000.0c07.ac14       Dynamic       1     FastEthernet0/24
0000.0c14.257b       Dynamic       1     FastEthernet0/24
0000.1b16.765a       Dynamic       1     FastEthernet0/24
0003.933e.b76e       Dynamic       1     FastEthernet0/24
When hunting, you probably want to search for a specific address rather than looking at the whole table.
Commands aren’t the same on all switches. Also, the format of the MAC address changes!
– Switches with IOS (2900, 3500 series): show mac-address-table address xxxx.xxxx.xxxx
– Switches with CatOS (4000, 5000, 6000 series): show cam xx-xx-xx-xx-xx-xx
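An added example for the MAC hunting described above, not part of the class materials: it converts between the IOS (xxxx.xxxx.xxxx) and CatOS (xx-xx-xx-xx-xx-xx) address forms, reads the Non-static Address Table rows of show mac-address-table, and, once it finds the port, counts how many other addresses that port has learned, because a port with many addresses is usually the link to another switch or a user's mini-hub rather than the single host you are after. The table rows are modelled on the slide's output plus one constructed row; the threshold of 3 addresses is an assumption.

```python
import re
from collections import Counter

# Sample 'show mac-address-table' output in the layout a 2900/3500 prints:
# the first four rows are modelled on the slide, the FastEthernet0/7 row is
# constructed so that one address sits alone on its port.
SAMPLE_TABLE = """\
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  ----------------
0000.0c07.ac14       Dynamic       1     FastEthernet0/24
0000.0c14.257b       Dynamic       1     FastEthernet0/24
0000.1b16.765a       Dynamic       1     FastEthernet0/24
0003.933e.b76e       Dynamic       1     FastEthernet0/24
0010.a4c3.91d2       Dynamic       1     FastEthernet0/7
"""

# One table row: IOS-format address, type, VLAN, port.
_ROW = re.compile(
    r"^([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+\S+\s+(\d+)\s+(\S+)")

def normalize_mac(text):
    """Accept IOS (xxxx.xxxx.xxxx), CatOS (xx-xx-xx-xx-xx-xx), colon or bare
    hex forms and return 12 lowercase hex digits; reject anything else."""
    digits = re.sub(r"[.:\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def ios_format(mac):
    """Form used by 'show mac-address-table address' on the 2900/3500."""
    d = normalize_mac(mac)
    return ".".join(d[i:i + 4] for i in (0, 4, 8))

def catos_format(mac):
    """Form used by 'show cam' on the 4000/5000/6000."""
    d = normalize_mac(mac)
    return "-".join(d[i:i + 2] for i in range(0, 12, 2))

def parse_mac_table(text):
    """Return [(normalized_mac, vlan, port), ...] for every address row."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append((normalize_mac(m.group(1)), int(m.group(2)), m.group(3)))
    return rows

def locate(rows, mac, uplink_threshold=3):
    """Find the port that learned `mac` (in any format). Also report how many
    addresses that port has learned in total: above `uplink_threshold` it is
    probably an inter-switch link or a mini-hub, so shutting it down would cut
    off more than the one host. Returns None if the address is not in the table."""
    target = normalize_mac(mac)
    per_port = Counter(port for _, _, port in rows)
    for addr, vlan, port in rows:
        if addr == target:
            return {"port": port, "vlan": vlan,
                    "addresses_on_port": per_port[port],
                    "probable_uplink": per_port[port] > uplink_threshold}
    return None

if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_TABLE)
    for wanted in ("00-00-0c-07-ac-14", "0010.a4c3.91d2"):
        hit = locate(table, wanted)
        print(ios_format(wanted), "->", hit)
```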
Finding an adjacent switch with Cisco Discovery Protocol (CDP only works with Cisco):
nw-test-2950#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Pine-Pyramid-1.stFas 0/24          130          S        WS-C2924C-Fas 0/10
Adjacent switch is “pine-pyramid-1” (.stanford.edu is truncated)
Documenting your network (what switches/ports connect to each other) may be more useful and faster!
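The config template says to remove portfast from every port that links switches, and the CDP output above shows which ports those are. This added example (not part of the class materials) cross-checks the two: it reads the interface blocks of a running config for spanning-tree portfast, reads show cdp neighbors for neighbors advertising the S (switch) or T (bridge) capability, and lists the ports that have both. Both inputs are constructed samples in the layouts the slides show, including the device name running into the interface column.

```python
import re

# Constructed sample: a fragment of 'show run' from a 2950 built from the
# class template, which puts portfast on every 10/100 port.
SAMPLE_CONFIG = """\
hostname nw-test-2950
interface FastEthernet0/1
 spanning-tree portfast
interface FastEthernet0/2
 spanning-tree portfast
interface FastEthernet0/24
 spanning-tree portfast
interface GigabitEthernet0/1
"""

# Constructed sample in the layout of 'show cdp neighbors' on a 2950; as on
# the real switch, the Device ID is truncated and runs into 'Fas 0/24'.
SAMPLE_CDP = """\
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Pine-Pyramid-1.stFas 0/24          130          S        WS-C2924C-Fas 0/10
"""

# local interface, holdtime, capability letters, then the platform column
_CDP_ROW = re.compile(r"(Fas|Gig)\s*(\d+/\d+)\s+\d+\s+([RTBSHIr ]+?)\s+\S+")
_LONG_NAME = {"Fas": "FastEthernet", "Gig": "GigabitEthernet"}

def portfast_interfaces(config_text):
    """Set of interface names whose block contains 'spanning-tree portfast'."""
    current, found = None, set()
    for line in config_text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif current and line.strip() == "spanning-tree portfast":
            found.add(current)
    return found

def cdp_switch_neighbors(cdp_text):
    """Map local interface -> neighbor Device ID for neighbors that advertise
    the S (switch) or T (transparent bridge) capability; both run spanning
    tree, so a link to either must not be a portfast port."""
    neighbors = {}
    for line in cdp_text.splitlines():
        m = _CDP_ROW.search(line)
        if not m:
            continue
        caps = m.group(3).split()
        if "S" in caps or "T" in caps:
            local = _LONG_NAME[m.group(1)] + m.group(2)
            neighbors[local] = line[: m.start()].strip()
    return neighbors

def audit_portfast(config_text, cdp_text):
    """Return sorted [(interface, neighbor)] for every portfast port that CDP
    shows facing another switch: the lines the template says to remove."""
    pf = portfast_interfaces(config_text)
    nb = cdp_switch_neighbors(cdp_text)
    return sorted((iface, nb[iface]) for iface in pf if iface in nb)

if __name__ == "__main__":
    for iface, neigh in audit_portfast(SAMPLE_CONFIG, SAMPLE_CDP):
        print(f"{iface}: portfast set, but CDP sees switch {neigh}; remove it")
```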
Once you find a bad device, you may want to shut down the port:
nw-test-2950#config t
Enter configuration commands, one per line. End with CNTL/Z.
nw-test-2950(config)#interface fastethernet 0/1
nw-test-2950(config-if)#shutdown
nw-test-2950(config-if)#exit
nw-test-2950(config)#exit
Make a note of what ports you shut down!
Use the “no shutdown” command to re-enable the port.
Please give us feedback: fill out the feedback (yellow) forms.
We add and remove content from our classes all the time.
Please let us know how we can improve our courses!
What do you want to see more of?
What do you want less of?
Please feel free to send me comments
reuber@stanford.edu
(650) 725-8092
Look at http://whatsup.stanford.edu. Login as “guest” with no password.
Click on NAT Bridges, or Building Entrance Devices, look for your bridge. If it’s in a green field, you’re fine. If it’s in a red field, we’ve been notified.
Network Ops staff are paged when bridges die. Please let us know (3-3909) if you need to turn one off or remove one.
If your bridge isn’t in the list, let us know.
If you need a replacement bridge, your Network Consultant will configure it for you.
Hint: If you can get to the bridge, look for a constant light under Status #3.
Any combination of lights other than just one light under 3 is a problem.
If we aren’t already out there fixing it, let us know.
You’ll Need:
A serial cable.
A converter to use your serial cable with the DB9 male port on the back of the hub (for older 1900’s) or the special cable that comes with the switch.
A laptop or desktop computer with a serial connection.
To turn AppleTalk off (if using older PowerBook)
Set up:
Connect the serial cable (using the appropriate adapters) to the RJ-45 Console Port (or DB9 Console Port)
Have the IP number ready, and a label to put on the switch.
Launch your terminal emulation program of choice (Mac- or PC-Samson are recommended)
Start a serial session.
Hit return a couple of times.
Catalyst 1900 Set up (Continued)
If fresh from the factory, you’ll have an initial IP configuration option.
Type I (or, for an older switch, N then I )
Type I again, enter the IP number.
Type S enter an appropriate subnet mask
(public: 255.255.0.0, private: 255.255.255.0)
Type G enter an appropriate gateway
(e.g. 171.64.1.1 or 172.24.xx.1)
Type M, enter 171.64.7.55, .77 or .99 (a Stanford DNS server).
Type N and choose another DNS computer.
Type D enter stanford.edu
(The “M,” “N,” and “D” choices aren’t on the older 1900’s)
Type X to finish IP configuration, X again to get to the main menu.
Type C for console settings, and M to set a password.
Type X until you’ve exited the console, type Y to really exit.
Configuring the Cat 2900/3500 (Extra for Experts)
If you plan on configuring many 2900-series switches, and have write access to a directory of a tftp server, you can upload your configuration and save several steps.
After you’ve written the configuration to the switch, you can write it to your tftp server using the following commands:
write net
[name of your host] i.e.: “tftp-server”
[name of your file, including path] i.e.: switch_configs/polya-2924.config
[hit return to accept]
Then, telnet into the tftp server and examine the file; you’ll notice the following two lines:
interface VLAN1
ip address 171.64.xx.yy 255.255.0.0
Configuring the Cat 2900/3500 (Extra for Experts 2)
You’ll want to delete the second line (the one containing the IP number for the switch you just configured), so that you don’t have one IP address propagated to all your switches.
Then, when you set up further switches, you’ll just have to put in the initial setup information. Config net the file you just created on your tftp server, write the information, and you’re finished. Each subsequent switch will only take about 5 minutes to set up this way.
TFTP server software is generally free with most UNIX systems, and can be purchased and/or downloaded for Windows and Mac OS computers.
The Catalyst 5000-series switches use yet another command line interface. It’s easier than IOS, in that you don’t have to go into or out of layers, just type the command and it’s executed. You’ll need to enter enable mode to use most of these commands. Just type en and the password.
Show config to show the whole configuration
Show port to show the status of each port (very useful)
Show spantree to see which ports have portfast enabled.
set port name <mod_num/port_num> [port_name] to give each port a useful descriptive name.
set port duplex <mod_num/port_num> <full|half> to change duplex mode , if autonegotiation isn’t working.
set port speed <mod_num/port_num> <4|10|16|100|auto> to change the port speed, also for auto-negotiation failure.
set spantree portfast <mod_num/port_num> <enable|disable> to enable portfast; it will warn you about the possible problems of portfast.
Appropriate Web Sites:
Cisco Documentation: http://cisco.com/public/products_doc.shtml
This Class: http://www.stanford.edu/group/networking/NetConsult/hbs/