In this post you can find some practical advice about working with Cisco Catalyst switches.
1. How to make a VLAN?
2. How to add/remove an interface to/from a VLAN?
3. How to shut down an interface?
4. What is an ACL?
5. How to make an ACL?
6. How to add a new rule to an ACL or delete an old one?
7. How to apply an ACL to an interface?
8. How to restrict access to a port based on MAC address?
9. How to set a size limit for the history?
10. How to make the current config boot next time?
11. How to upload/download a configuration file to/from the switch?
12. Is there an analog of the unix grep in IOS?
13. How to change the telnet password?
14. How to turn on a traffic analyzer on Cisco devices?
1. How to make a VLAN?
It can be done in two steps:
Switch#vlan database
Switch(vlan)#vlan vlan_id name vlan_name
On newer IOS releases VLAN database mode is deprecated; there you create the VLAN from global configuration mode with vlan vlan_id followed by name vlan_name.
2. How to add/remove an interface to/from a VLAN?
First, the VLAN must already exist on your switch.
Switch#configure terminal
Switch(config)#interface gigabitEthernet 1/0
Switch(config-if)# switchport
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan vlan_id
Switch(config-if)# no shutdown
To take the interface out of that VLAN again, run no switchport access vlan in the same interface mode; the port falls back to the default VLAN 1.
3. How to shut down an interface?
To disable a port you need to log in to the switch and run:
Switch#configure terminal
Switch(config)#interface gigabitEthernet [port]
Switch(config-if)#shutdown
4. What is an ACL?
On certain proprietary network hardware an Access Control List is a set of rules applied to port numbers or network daemon names available on a host or other layer 3 device, each with a list of hosts and/or networks permitted to use the service. Both individual servers and routers can have network ACLs. Access control lists can generally be configured to control both inbound and outbound traffic, and in this sense they work like a firewall.
5. How to make an ACL?
To create a new ACL, go into configuration mode:
# configure terminal
and run:
# ip access-list extended name
Where:
name – the name of the new ACL
6. How to add a new rule to an ACL or delete an old one?
To add a new rule, use the following syntax for inbound packets:
permit [protocol] host [source_ip_addr] eq [source_port] host [destination_ip_addr]
and this one for outbound:
permit [protocol] host [source_ip_addr] host [destination_ip_addr] eq [port]
Here are some examples:
#ip access-list extended name
Switch2970(config-ext-nacl)#permit tcp host 10.0.30.20 eq 21 host 10.0.30.6
# allow traffic from port 21 of the ftp server at 10.0.30.20 to host 10.0.30.6
Switch2970(config-ext-nacl)#permit tcp host 10.0.30.20 host 10.0.30.6 eq 80
# allow host 10.0.30.20 to connect to the web server at 10.0.30.6
Switch2970(config-ext-nacl)# end
Switch2970#show running-config
Keep in mind that every IOS ACL ends with an implicit deny of everything it does not explicitly permit, so once the ACL is applied any traffic not matched by your permit lines is dropped.
To delete a rule, go to your ACL:
#ip access-list extended name
and run the rule with the word “no” at the beginning. For instance, if you have the rule:
permit tcp host 10.0.30.20 eq ftp host 10.0.30.6
delete it with:
no permit tcp host 10.0.30.20 eq ftp host 10.0.30.6
7. How to apply an ACL to an interface?
To apply an ACL to a particular interface, go to configuration mode:
Switch2970#configure terminal
In our example I’ll use port number 11:
Switch2970(config)#interface gigabitEthernet 0/11
Switch2970(config-if)#ip access-group name in
# instead of name, type the name of your ACL
Switch2970(config-if)#end
and check it:
Switch2970# show running-config | begin 0/11
interface GigabitEthernet0/11
 description empty
 ip access-group name in
Looks ok.
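To run that check over a whole config instead of eyeballing one interface, here is an added Python example (not from the post) that parses a constructed show running-config excerpt, collects the named extended ACLs and the interfaces they are bound to, and flags an ip access-group that names an ACL which is not defined (IOS permits all traffic through such a binding) as well as ACLs that are defined but never applied. The config text, ACL names and interface names are constructed for the example.

```python
import re
# Constructed "show running-config" excerpt (not captured from a real switch).
SAMPLE_CONFIG = """\
hostname Switch2970
!
ip access-list extended ftp-web
 permit tcp host 10.0.30.20 eq 21 host 10.0.30.6
 permit tcp host 10.0.30.20 host 10.0.30.6 eq 80
!
ip access-list extended unused-acl
 permit ip any any
!
interface GigabitEthernet0/11
 description empty
 ip access-group ftp-web in
!
interface GigabitEthernet0/12
 ip access-group missing-acl in
!
"""

def parse_config(config):
    """One pass over the config: returns (acls, bindings) where
    acls = {name: [entries]} and bindings = {interface: (acl, direction)}."""
    acls, bindings, block, name = {}, {}, None, None
    for line in config.splitlines():
        if not line.startswith(" "):           # a new top-level block starts here
            m = re.match(r"ip access-list extended (\S+)|interface (\S+)", line)
            block = None
            if m and m.group(1):
                block, name = "acl", m.group(1)
                acls[name] = []
            elif m:
                block, name = "iface", m.group(2)
        elif block == "acl":
            acls[name].append(line.strip())    # indented line = one ACL entry
        elif block == "iface":
            g = re.match(r"\s+ip access-group (\S+) (in|out)", line)
            if g:
                bindings[name] = (g.group(1), g.group(2))
    return acls, bindings

def audit(config):
    """Flag bindings to undefined ACLs (permit-all on IOS) and ACLs never applied."""
    acls, bindings = parse_config(config)
    applied = {acl for acl, _ in bindings.values()}
    return {
        "dangling": {i: acl for i, (acl, _) in bindings.items() if acl not in acls},
        "unapplied": sorted(set(acls) - applied),
    }
```

Feed it the text captured from show running-config on your own switch; the sample above is only there so the block runs offline.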
8. How to restrict access to a port based on MAC address?
To allow only the device with MAC address 02-34-3d-34-11 on switch interface 1/0, use the following commands:
Switch#configure terminal
Switch(config)#interface gigabitEthernet 1/0
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 02-34-3d-34-11
Switch(config-if)# switchport port-security violation type_of_violation
Where type_of_violation can be one of:
restrict, protect and shutdown.
If a device with another MAC address is connected, the first two modes drop its traffic (restrict additionally logs the violation and increments the violation counter), while the third one switches the interface off. The interface then stays down until the administrator issues the
no shutdown
command.
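Added Python helper (not from the post) for this step: it normalizes a MAC address into the dotted H.H.H form that IOS expects on the command line, rejects any address that does not carry exactly 12 hex digits, and then builds the command sequence above. The interface name and address used in the test are constructed; switchport mode access and port-security maximum 1 are assumptions added to the post's sequence.

```python
import re

IOS_VIOLATION_MODES = ("protect", "restrict", "shutdown")

def is_valid_mac(mac):
    """True only if the address holds exactly 12 hex digits (48 bits)."""
    digits = re.sub(r"[-:.]", "", mac.strip())
    return re.fullmatch(r"[0-9A-Fa-f]{12}", digits) is not None

def to_ios_mac(mac):
    """Normalize 02-34-3d-34-11-22 / 02:34:3d:34:11:22 / 0234.3d34.1122
    into the dotted H.H.H form that IOS expects on the command line."""
    if not is_valid_mac(mac):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    d = re.sub(r"[-:.]", "", mac.strip()).lower()
    return f"{d[0:4]}.{d[4:8]}.{d[8:12]}"

def port_security_commands(interface, mac, violation="shutdown"):
    """Build the command sequence from the post for one allowed host per port.
    Assumptions added here: 'switchport mode access' because port security
    needs an access (or trunk) port, and 'maximum 1' (the default) written
    explicitly so the single configured address is the only one allowed."""
    if violation not in IOS_VIOLATION_MODES:
        raise ValueError(f"violation must be one of {IOS_VIOLATION_MODES}")
    return [
        "configure terminal",
        f"interface {interface}",
        " switchport mode access",
        " switchport port-security",
        " switchport port-security maximum 1",
        f" switchport port-security mac-address {to_ios_mac(mac)}",
        f" switchport port-security violation {violation}",
        " end",
    ]
```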
9. How to set a size limit for the history?
You can set it with the following commands.
For the current session:
Switch# terminal history size lines
And this one for all sessions:
Switch(config-line)# history size lines
Where lines – the number of lines which should be stored in the history
10. How to make the current config boot next time?
To make the current configuration load at the next boot, copy it into the startup config:
Switch#copy running-config startup-config
11. How to upload/download a configuration file to/from the switch?
First, a tftp server on your host is required. The IP address of our tftp server is 10.0.30.6.
To download your config, go to the switch and run:
#copy running-config tftp://10.0.30.6
Press Enter to confirm the IP address:
Address or name of remote host [10.0.30.2]?
after this you will get the following output in case of success:
Destination filename [switch2970-confg]? 2970.conf
!!!!!!!!!
38067 bytes copied in 1.082 secs (35182 bytes/sec)
To upload the config from tftp run:
#copy tftp://10.0.30.6 running-config
and don’t forget to make the new config boot after a restart (see 10).
Note that tftp transfers the file unencrypted and without authentication, so the configuration, including any passwords stored with password 0, crosses the network in cleartext.
12. Is there an analog of the unix grep in IOS?
In IOS you can use a pipe just like in a unix environment. There are three commands for filtering output:
begin – show the output starting from the first line that matches the entry
include – print only the lines which include the entry
exclude – print only the lines which do not include the entry
show command | {begin | include | exclude} regexp
# show running-config | include hostname
hostname Switch2970
13. How to change the telnet password?
Go to configuration mode:
Switch2970#configure terminal
and change the password:
username csk@adm# password 0 [new_password]
enable secret 0 [new_password]
The 0 after password and secret means the value that follows is typed in cleartext; username ... password keeps it that way in the running-config unless service password-encryption is enabled, while enable secret stores a hash of it.
14. How to turn on a traffic analyzer on Cisco devices?
For this operation you need a free port on your switch and a machine to capture on.
Let’s imagine that we need to listen to all network traffic on port 11 and have port 7 as the free one.
First, log in to the switch and run:
Switch2970(config)# no monitor session 1
Switch2970(config)# monitor session 1 source interface GigabitEthernet 0/11
Switch2970(config)# monitor session 1 destination interface GigabitEthernet 0/7
# source is the port whose traffic is mirrored (11), destination is the free port (7) your capture machine is plugged into
Now go to your computer and start any sniffer. I use tcpdump:
# tcpdump -l > tcpdump.log & tail -f tcpdump.log