Technical Diary » Cisco http://andriigrytsenko.net With Andrii Grytsenko Sun, 01 Apr 2012 11:10:57 +0000 en hourly 1 Mini-howto for Cisco Catalyst http://andriigrytsenko.net/2009/07/mini-howto-for-cisco-catalyst/ http://andriigrytsenko.net/2009/07/mini-howto-for-cisco-catalyst/#comments Mon, 06 Jul 2009 12:41:58 +0000 admin http://andriigrytsenko.net/?p=218 In this post you can find some practical advices about work with cisco catalyst.


1. How to make vlan?
2. How to add/remove interface to/from vlan?
3. How to shutdown interface?
4. What is ACL?
5. How to make ACL ?
6. How to add new rule or delete old one from ACL?
7. How to apply acl to the interface?
8. How to restrict access to port based on mac address?
9. How set size limit for history?
10. How to make current config boot at next time?
11. How to upload/download configuration file to/from switch?
12. Is there any analogs of unix grep in ios?
13. How to change telnet password?
14. How to turn on traffic analyzer on cisco devices?

1. How to make vlan?
It can be easily done in two steps:

Switch#vlan database
Switch(vlan)#vlan vlan_id name vlan_name

2. How to add/remove interface to/from vlan?
First, I have to be have existing vlan at your switch.

Switch#configure terminal
Switch(config)#interface gigaethernet 1/0
Switch(config-if )# switchport
Switch(config-if )# switchport mode access
Switch(config-if )# switchport access vlan vlan_id
Switch(config-if )# no shutdown

3. How to shutdown interface?
To disable port you need to log in to cisco switch and run:

Switch#configure terminal
Switch(config)#interface gigaethernet [port]
Switch(config-if )#shutdown

4. What is ACL?
In certain proprietary computer hardware an Access Control List refers to rules that are applied to port numbers or network daemon names that are available on a host or other layer 3 device, each with a list of hosts and/or networks permitted to use the service. Both individual servers as well as routers can have network ACLs. Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls.

5. How to make ACL ?
To create new acl you should go into configuration mode:

# configure terminal

and run:

# ip access-list extended name

Where,
name – the name of new acl

6. How to add new rule or delete old one from ACL?
To add new rule use next syntax for inbound packages:

permit [protocol] host [source_ip_addr] eq [source_port] host [destionation_ip_addr]

and this for outbound:

permit [protocol] host [source_ip_addr] host [destionation_ip_addr] eq [port]

There are some examples:

#ip access-list extended name
Switch2970(config-ext-nacl)#permit tcp host 10.0.30.20 eq 21 host 10.0.30.6

# allow host 10.0.30.6 connect to the ftp server at 10.0.30.20

Switch2970(config-ext-nacl)#permit tcp host 10.0.30.20 host 10.0.30.6 eq 80

# allow host 10.0.30.20 connect to web-server at 10.0.30.6

Switch2970(config-ext-nacl)# end
Switch2970#show running-config

To delete rule go to your acl:

#ip access-list extended name

run your rule with word “ 

no

” in the begging. For instance if you have next rule:

permit tcp host 10.0.30.20 eq ftp host 10.0.30.6

to delete it make

no permit tcp host 10.0.30.20 eq ftp host 10.0.30.6

7. How to apply acl to the interface?
To apply acl to some particular interface go to configuration mode:

Switch2970#configure terminal

in our example I’ll use port number 11:

Switch2970(config)#interface gigabitEthernet 0/11
Switch2970(config-if)#ip access-group name in

# instead name type name of your acl

Switch2970(config-if)#end

and check it:

Switch2970# show running-config | begin 0/11
 interface GigabitEthernet0/11
 description empty
 ip access-group name in

Looks ok.

8. How to restrict access to port based on mac address?
To allow access device with mac=02-34-3d-34-11 to switch interface 1/0. Use next command :

Switch#configure terminal
Switch(config)#interface gigaethernet 1/0
Switch(config-if )# switchport port-security
Switch(config-if )# switchport port-security mac-address 02-34-3d-34-11
Switch(config-if )# switchport port-security violation type_of_violation

Where type_of_violation can be next:
restrict,protect and shutdown .
In case of connected device have another mac-address. First two types block any traffic from device. Where third – switch off interface. And interface will be shutdown until administrator make 

no shutdown

command.

9. How set size limit for history?
You can set it by next commands
It’s for the current session:

Switch# terminal history size lines

And this one for the all session:

Switch(config-line)# history size lines

Where lines – the amount of lines which should be stored in history

10. How to make current config boot at next time?
To make current configuration load at next boot.You have to copy it into the start config:

Switch#copy running-config  startup-config

11. How to upload/download configuration file to/from switch?
First, the tftp server on your host is required. The ip address of our tftp server is 10.0.30.6
To download your config go to switch and run”

#copy running-config tftp://10.0.30.6

Click enter to confirm you ip address: 

Address or name of remote host [10.0.30.2]?

after this you will get next output in case of success:

Destination filename [switch2970-confg]? 2970.conf
!!!!!!!!!
38067 bytes copied in 1.082 secs (35182 bytes/sec)

To upload the config from tftp make:

#copy tftp://10.0.30.6 running-config

and don’t forget to make new config boot after restart.

12. Is there any analogs of unix grep in ios?
In IOS you can use pipe as well as in unix environment. There are three commands for filtering output: 

begin

– to go to first entry

include

– to print all lines which include entry 

exclude

– to print all lines which exclude entry 

show command | {begin | include | exclude} regexp
# show running-config  | include hostname
hostname Switch2970

13. How to change telnet password?
Go to configuration mode:

Switch2970#configure terminal

and change password 

username csk@adm# password 0 [new_password]
enable secret 0 [new_password]

14. How to turn on traffic analyzer on cisco devices?
For this operation you need free port at your switch and some machine.
Let’s imagine that we need to listen all network traffic at port 11 and have port 7 as free one.
First, log in to switch and run:

Switch2970(config)# no monitor session 1
Switch2970(config)# monitor session 1 source interface GigabitEthernet 0/7
Switch2970(config)# monitor session 1 destination interface GigabitEthernet 0/11

Now go to your computer and start any sniffer. I use tcpdump:

# tcpdump -l > tcpdump.log & tail -f tcpdump.log
]]> http://andriigrytsenko.net/2009/07/mini-howto-for-cisco-catalyst/feed/ 0