Showing posts with label Cisco. Show all posts

Jun 11, 2013

How to configure VLAN on a Cisco Switch?

VLAN stands for virtual LAN; technically, a VLAN is a broadcast domain created by a switch. When managing a switch, the management domain is always VLAN 1, the default VLAN, and all switch ports are assigned to VLAN 1 by default. VLANs improve network performance because they divide a network logically into separate parts and limit broadcasts.
Any member of VLAN 2 cannot talk to any member of VLAN 3 without a router, but all members of VLAN 2 and VLAN 3 can talk to the other members within their own VLAN.
This lab will also show how VLANs can be used to separate traffic and reduce broadcast domains.
To create a VLAN, first enter global configuration mode to run the following commands.
Configuration to create VLAN 2
SwitchA#configure terminal                    (enter global configuration mode)
SwitchA(config)#vlan 2                        (define VLAN 2)
SwitchA(config-vlan)#name marketing           (assign the name marketing to VLAN 2)
SwitchA(config-vlan)#exit                     (leave VLAN 2 configuration)

Configuration to create VLAN 3
SwitchA#configure terminal                    (enter global configuration mode)
SwitchA(config)#vlan 3                        (define VLAN 3)
SwitchA(config-vlan)#name management          (assign the name management to VLAN 3)
SwitchA(config-vlan)#exit                     (leave VLAN 3 configuration)
Now assign ports 2 and 3 to VLAN 2; this must be done from interface configuration mode. Enter the following commands to add ports 2 and 3 to VLAN 2.
SwitchA#configure terminal                        (enter global configuration mode)
SwitchA(config)#interface fastethernet 0/2        (select interface FastEthernet 0/2)
SwitchA(config-if)#switchport access vlan 2       (make the port a member of VLAN 2)
SwitchA(config-if)#exit                           (leave interface configuration)
  
Now add port 3 to VLAN 2
SwitchA(config)#interface fastethernet 0/3        (select interface FastEthernet 0/3)
SwitchA(config-if)#switchport access vlan 2       (make the port a member of VLAN 2)
SwitchA(config-if)#exit                           (leave interface configuration)

Now assign ports 4 and 5 to VLAN 3. Enter the following commands to add ports 4 and 5 to VLAN 3.
SwitchA#configure terminal                        (enter global configuration mode)
SwitchA(config)#interface fastethernet 0/4        (select interface FastEthernet 0/4)
SwitchA(config-if)#switchport access vlan 3       (make the port a member of VLAN 3)
SwitchA(config-if)#exit                           (leave interface configuration)

Now add port 5 to VLAN 3
SwitchA(config)#interface fastethernet 0/5        (select interface FastEthernet 0/5)
SwitchA(config-if)#switchport access vlan 3       (make the port a member of VLAN 3)
SwitchA(config-if)#exit                           (leave interface configuration)
To display VLAN membership information, run the command show vlan.
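Because every port starts out in VLAN 1 (the management VLAN), a practitioner usually wants to check a saved configuration for ports that were never moved out of it, and for ports pointing at a VLAN that was never created. The following script is an added example, not part of the post; the running-config excerpt it parses is constructed to match the lab above.

```python
import re

# Constructed sample running-config excerpt (not from the post): the lab's
# VLANs 2 and 3, ports 2-5 assigned as above, plus one port left untouched
# (still in VLAN 1) and one port pointing at a VLAN that was never created.
SAMPLE_CONFIG = """\
vlan 2
 name marketing
!
vlan 3
 name management
!
interface FastEthernet0/1
!
interface FastEthernet0/2
 switchport access vlan 2
!
interface FastEthernet0/3
 switchport access vlan 2
!
interface FastEthernet0/4
 switchport access vlan 3
!
interface FastEthernet0/5
 switchport access vlan 3
!
interface FastEthernet0/6
 switchport access vlan 7
!
"""


def parse_config(text):
    """Return (vlans, ports): VLAN id -> name for each 'vlan N' block, and
    interface -> access VLAN for each physical 'interface' block.

    A port with no 'switchport access vlan' line keeps the default
    membership described in the post, VLAN 1."""
    vlans, ports = {}, {}
    current_vlan = current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":                     # IOS block separator
            current_vlan = current_if = None
            continue
        if m := re.fullmatch(r"vlan (\d+)", line):
            current_vlan = int(m.group(1))
            vlans[current_vlan] = ""
        elif m := re.fullmatch(r"name (\S+)", line):
            if current_vlan is not None:
                vlans[current_vlan] = m.group(1)
        elif m := re.fullmatch(r"interface (\S+)", line):
            current_if = m.group(1)
            if not current_if.startswith("Vlan"):   # SVIs are not access ports
                ports[current_if] = 1               # default until overridden
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            if current_if is not None:
                ports[current_if] = int(m.group(1))
    return vlans, ports


def audit(text):
    """Flag access ports still in the default VLAN 1 (the management VLAN) and
    ports assigned to a VLAN id that the configuration never defines."""
    vlans, ports = parse_config(text)
    return {
        "default_vlan_ports": sorted(p for p, v in ports.items() if v == 1),
        "undefined_vlan_ports": sorted(
            (p, v) for p, v in ports.items() if v != 1 and v not in vlans),
    }


if __name__ == "__main__":
    for finding, items in audit(SAMPLE_CONFIG).items():
        print(f"{finding}: {items}")
```

Feed it the output of `show running-config` to review a real switch; a port in the default list shares the management broadcast domain until it is assigned elsewhere.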

Jun 9, 2013

How to configure VLANs - Access & Trunk Links

Introduction

By now we should feel comfortable with terms such as 'VLAN', 'Static & Dynamic VLANs', but this is just the beginning in this complex world. On this page, we will start to slowly expand on these terms by introducing new ones!
To begin with, we will take a closer look at the port interfaces on these smart switches and then start moving towards the interfaces connecting to the network backbone where things become slightly more complicated, though do not be alarmed since our detailed and easy to read diagrams are here to ensure the learning process is as enjoyable as possible.

VLAN Links - Interfaces

When inside the world of VLANs there are two types of interfaces, or if you like, links. These links allow us to connect multiple switches together, or just simple network devices, e.g. a PC, that will access the VLAN network. Depending on their configuration, they are called Access Links or Trunk Links.


Access Links

Access Links are the most common type of links on any VLAN switch. All network hosts connect to the switch's Access Links in order to gain access to the local network. These links are your ordinary ports found on every switch, but configured in a special way, so you are able to plug a computer into them and access your network.
Here's a picture of a Cisco Catalyst 3550 series switch, with its Access Links (ports) marked in the green circle:



We must note that the 'Access Link' term describes a configured port - this means that the ports above can also be configured as the second type of VLAN link - Trunk Links. What we are showing here is what's usually configured as an Access Link port in 95% of all switches. Depending on your needs, you might need to configure the first port (top left corner) as a Trunk Link, in which case it is obviously not called an Access Link port anymore, but a Trunk Link!
When configuring ports on a switch to act as Access Links, we usually configure only one VLAN per port, that is, the VLAN our device will be allowed to access. If you recall the diagram below which was also present during the introduction of the VLAN concept, you'll see that each PC is assigned to a specific port:


In this case, each of the 6 ports used have been configured for a specific VLAN. Ports 1, 2 and 3 have been assigned to VLAN 1 while ports 4, 5 and 6 to VLAN 2.
In the above diagram, this translates to allowing only VLAN 1 traffic in and out of ports 1, 2 and 3, while ports 4, 5 and 6 will carry VLAN 2 traffic. As you would remember, these two VLANs do not exchange any traffic between each other, unless we are using a layer 3 switch (or router) and we have explicitly configured the switch to route traffic between the two VLANs.
It is equally important to note at this point that any device connected to an Access Link (port) is totally unaware of the VLAN assigned to the port. The device simply assumes it is part of a single broadcast domain, just as it happens with any normal switch. During data transfers, any VLAN information or data from other VLANs is removed so the recipient has no information about them.
The following diagram illustrates this to help you get the picture:


As shown, all packets arriving, entering or exiting the port are standard Ethernet II type packets which are understood by the network device connected to the port. There is nothing special about these packets, other than the fact that they belong only to the VLAN the port is configured for.
If, for example, we configured the port shown above for VLAN 1, then any packets entering/exiting this port would be for that VLAN only. In addition, if we decided to use a logical network such as 192.168.0.0 with a default subnet mask of 255.255.255.0 (/24), then all network devices connecting to ports assigned to VLAN 1 must be configured with the appropriate network address so they may communicate with all other hosts in the same VLAN.

Trunk Links

What we've seen so far is a switch port configured to carry only one VLAN, that is, an Access Link port. There is, however, one more type of port configuration which we mentioned in the introductory section on this page - the Trunk Link.
A Trunk Link, or 'Trunk' is a port configured to carry packets for any VLAN. These type of ports are usually found in connections between switches. These links require the ability to carry packets from all available VLANs because VLANs span over multiple switches.
The diagram below shows multiple switches connected throughout a network and the Trunk Links are marked in purple colour to help you identify them:


As you can see in our diagram, our switches connect to the network backbone via the Trunk Links. This allows all VLANs created in our network to propagate throughout the whole network. Now in the unlikely event of Trunk Link failure on one of our switches, the devices connected to that switch's ports would be isolated from the rest of the network, allowing only ports on that switch, belonging to the same VLAN, to communicate with each other.
So now that we have an idea of what Trunk Links are and their purpose, let's take a look at an actual switch to identify a possible Trunk Link:


As we noted with the explanation of Access Link ports, the term 'Trunk Link' describes a configured port. In this case, the Gigabit ports are usually configured as Trunk Links, connecting the switch to the network backbone at a speed of 1 Gigabit, while the Access Link ports connect at 100 Mbit.
In addition, we should note that for a port or link to operate as a Trunk Link, it is imperative that it runs at speeds of 100 Mbit or greater. A port running at a speed of 10 Mbit cannot operate as a Trunk Link, and this is logical because a Trunk Link is always used to connect to the network backbone, which must operate at speeds greater than most Access Links!
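To make the two port types concrete at the frame level, here is an added example (not part of the original article) that models an Access Link stripping the 802.1Q tag and delivering only its own VLAN, and a Trunk Link carrying any VLAN with the tag intact. The MAC addresses and payload are constructed, and the rejection of host-tagged frames on an access port is an assumed policy of this model.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag


def parse_frame(frame: bytes):
    """Split an Ethernet frame into (dst, src, vid, ethertype, payload).
    vid is None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, ethertype, frame[18:]   # low 12 bits of TCI = VID


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Assemble a frame; when vid is given, insert an 802.1Q tag after the addresses."""
    header = dst + src
    if vid is not None:
        header += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return header + struct.pack("!H", ethertype) + payload


def access_port_ingress(frame, port_vlan):
    """Frame arriving from the host on an Access Link: the switch associates it
    with the port's single VLAN (modelled here by inserting the tag). A frame the
    host tagged itself is rejected in this model (assumed policy)."""
    dst, src, vid, ethertype, payload = parse_frame(frame)
    if vid is not None:
        return None
    return build_frame(dst, src, ethertype, payload, vid=port_vlan)


def trunk_port_egress(frame):
    """A Trunk Link carries frames of any VLAN; the tag stays on so the next
    switch knows which VLAN the frame belongs to."""
    vid = parse_frame(frame)[2]
    return frame if vid is not None else None


def access_port_egress(frame, port_vlan):
    """Frame leaving towards the host: only the port's VLAN is delivered, and
    the VLAN information is removed first, as the article describes."""
    dst, src, vid, ethertype, payload = parse_frame(frame)
    if vid != port_vlan:
        return None                         # other VLANs never reach this host
    return build_frame(dst, src, ethertype, payload)


def forward_across_trunk(frame_from_host, ingress_vlan, egress_vlan):
    """Untagged frame from a host on an access port in ingress_vlan crosses a
    trunk to an access port in egress_vlan. Returns what that host receives,
    or None when the frame is dropped on the way."""
    tagged = access_port_ingress(frame_from_host, ingress_vlan)
    if tagged is None:
        return None
    on_trunk = trunk_port_egress(tagged)
    if on_trunk is None:
        return None
    return access_port_egress(on_trunk, egress_vlan)


# Constructed sample frame (assumed addresses): host A sends an IPv4 frame to host B.
HOST_A = bytes.fromhex("02000000000a")
HOST_B = bytes.fromhex("02000000000b")
SAMPLE_FRAME = build_frame(HOST_B, HOST_A, 0x0800, b"\x45" + bytes(19))

if __name__ == "__main__":
    print("same VLAN delivered:", forward_across_trunk(SAMPLE_FRAME, 1, 1) == SAMPLE_FRAME)
    print("other VLAN delivered:", forward_across_trunk(SAMPLE_FRAME, 1, 2) is not None)
```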

Summary

This page introduced the Access and Trunk links. We will be seeing a lot of both links from now on, so it's best you get comfortable with them! Configuration of these links is covered later on, because there is still quite a bit of theory to cover!

Basic Private VLAN Configuration

Now that the community lab has been equipped with a Catalyst 3560, I have finally been able to write about private VLANs (which are supported only on Catalyst 3560 and higher switches). This article discusses the concept of private VLANs and includes a basic configuration example, with more complex configurations deferred for future articles.
Private VLANs were developed to provide the ability to isolate end hosts at layer two. To understand the motivation behind this feature, consider a colocation environment in which the network operator must connect servers belonging to different customers to the Internet. These servers must all be able to reach their first-hop router, but for security reasons, servers belonging to one customer must not be able to communicate with servers belonging to another. An obvious design solution for these requirements is to place each customer's servers in a separate VLAN, which also requires the assignment of a separate IP subnet per customer (even if they have only one server).

 This approach wastes both VLAN IDs and IP address space. Private VLANs were introduced as a more elegant alternative, allowing multiple devices to reside in the same IP subnet, yet remain isolated from one another at layer two.


A private VLAN is defined as a pairing of a primary VLAN with a secondary VLAN. Primary VLANs are the normal VLANs we all know and love. Secondary VLANs use the same VLAN ID range and are defined in the same manner as primary VLANs, but are specially designated to operate as secondary VLANs in one of two modes:
  • Isolated - The end points of all ports assigned to an isolated private VLAN cannot communicate with one another, nor with host ports in any other private VLANs.
  • Community - End points attached to community ports can communicate with one another, but not with ports in other private VLANs.
An access port assigned to a private VLAN operates in one of two modes:
  • Host - The port inherits its behavior from the type of private VLAN it is assigned to.
  • Promiscuous - The port can communicate with any other private VLAN port in the same primary VLAN.

Configuring Private VLANs

We'll configure an isolated private VLAN to allow two servers owned by different customers in the same IP subnet to communicate with their first-hop router, but not with one another.


Before getting started with private VLAN configuration, ensure that VTP has been set to transparent mode. There are numerous reasons for running VTP in transparent mode beyond the scope of this article, and to enable private VLANs it's explicitly required.

Switch(config)# vtp mode transparent
Setting device to VTP TRANSPARENT mode.
 
As with normal VLANs, private VLANs must be created before they can be used. Upon creation, we must also define a type (isolated, community, or primary) for each. We'll create our secondary VLANs first, then our primary VLAN. The secondary private VLAN is mapped under the configuration of the primary private VLAN.

Switch(config)# vlan 101
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# vlan 100
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 101 
 
Our completed VLAN configuration looks like this:

vlan 100
  private-vlan primary
  private-vlan association 101
!
vlan 101
  private-vlan isolated
 
Next, we designate our private VLAN interfaces. Our uplink port to the router will be set to promiscuous mode, with the primary VLAN mapped to the secondary VLAN.

Switch(config)# interface f0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 100 101 
 
Our two server ports will be configured in host mode:

Switch(config)# interface f0/3
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 101
Switch(config-if)# interface f0/5
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 100 101 
 
At this point our private VLAN configuration is complete. We can verify private VLAN interface assignments with the command show vlan private-vlan:

Switch# show vlan private-vlan

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
100     101       isolated          Fa0/1, Fa0/3, Fa0/5
Switch# show interface status

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        connected    100        a-full  a-100 10/100BaseTX
Fa0/2                        notconnect   1            auto   auto 10/100BaseTX
Fa0/3                        connected    100,101    a-full  a-100 10/100BaseTX
Fa0/4                        notconnect   1            auto   auto 10/100BaseTX
Fa0/5                        connected    100,101    a-full  a-100 10/100BaseTX
Fa0/6                        notconnect   1            auto   auto 10/100BaseTX
Fa0/7                        notconnect   1            auto   auto 10/100BaseTX
...
The command show interface switchport is also useful for examining private VLAN details per interface.

Finally, we can verify that the router can communicate with both servers, but the servers cannot communicate directly with one another.

Router# ping 192.168.0.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Router# ping 192.168.0.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
Server1# ping 192.168.0.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
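The ping results above follow directly from the private VLAN forwarding rules defined earlier. The model below is an added example (not the article's own code): it encodes those rules for promiscuous and host ports, reproduces the article's topology (f0/1, f0/3, f0/5 with primary 100 and isolated secondary 101), and goes one step beyond the article by also modelling a community secondary VLAN (constructed as VLAN 102 on ports f0/7 and f0/8).

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class PvlanPort:
    name: str
    mode: str                               # "promiscuous" or "host"
    primary: int                            # primary VLAN id
    secondary: Optional[int] = None         # host ports: their secondary VLAN
    secondary_type: Optional[str] = None    # "isolated" or "community"
    mapping: FrozenSet[int] = frozenset()   # promiscuous ports: mapped secondaries


def can_forward(src: PvlanPort, dst: PvlanPort) -> bool:
    """Layer-2 reachability from src to dst under the private VLAN rules."""
    if src is dst or src.primary != dst.primary:
        return False                        # different primaries: ordinary VLAN separation
    if src.mode == "promiscuous" and dst.mode == "promiscuous":
        return True
    if src.mode == "promiscuous":
        return dst.secondary in src.mapping     # promiscuous reaches its mapped secondaries
    if dst.mode == "promiscuous":
        return src.secondary in dst.mapping     # and host ports reach it back
    # two host ports: only members of the same community VLAN may talk;
    # isolated host ports never talk to each other
    return src.secondary == dst.secondary and src.secondary_type == "community"


def reachability(ports):
    """Full matrix {src: {dst: bool}} for a list of ports, handy for reviewing a design."""
    return {a.name: {b.name: can_forward(a, b) for b in ports if b is not a} for a in ports}


# Topology from the article: f0/1 is the promiscuous uplink to the router,
# f0/3 and f0/5 are host ports in isolated secondary VLAN 101 under primary 100.
# The mapping of 102 on f0/1 belongs to the constructed community extension.
ROUTER_PORT = PvlanPort("f0/1", "promiscuous", 100, mapping=frozenset({101, 102}))
SERVER1 = PvlanPort("f0/3", "host", 100, secondary=101, secondary_type="isolated")
SERVER2 = PvlanPort("f0/5", "host", 100, secondary=101, secondary_type="isolated")
# Constructed extension (not in the article): a community VLAN 102 with two hosts.
COMM1 = PvlanPort("f0/7", "host", 100, secondary=102, secondary_type="community")
COMM2 = PvlanPort("f0/8", "host", 100, secondary=102, secondary_type="community")

if __name__ == "__main__":
    for src, row in reachability([ROUTER_PORT, SERVER1, SERVER2, COMM1, COMM2]).items():
        print(src, {d: "ok" if ok else "blocked" for d, ok in row.items()})
```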

VLANs

Topic:
Isolating VM traffic using VLANs
Setup:
Two Physical Networks:
  • Data Network:  Ethernet network for VM data traffic, which will carry VLAN tagged traffic between VMs.  Your physical switch(es) must be capable of forwarding VLAN tagged traffic and the physical switch ports should be VLAN trunks (Usually this is default behavior.  Configuring your physical switching hardware is beyond the scope of this document).
  • Management Network: This network is not strictly required, but it is a simple way to give the physical host an IP address for remote access, since an IP address cannot be assigned directly to eth0. 
Two Physical Hosts:
Host1, Host2.  Both hosts are running Open vSwitch.  Each host has two NICs:
  • eth0 is connected to the Data Network.  No IP address can be assigned on eth0.
  • eth1 is connected to the Management Network (if necessary).   eth1 has an IP address that is used to reach the physical host for management.
Four VMs:
VM1,VM2 run on Host1.  VM3,VM4 run on Host2.
Each VM has a single interface that appears as a Linux device (e.g., "tap0") on the physical host.  (Note: for Xen/XenServer, VM interfaces appear as Linux devices with names like "vif1.0")



Goal:
Isolate VMs using VLANs on the Data Network.
VLAN 1: VM1,VM3
VLAN 2: VM2,VM4
Configuration:
Perform the following configuration on Host 1:
Create an OVS bridge:
ovs-vsctl add-br br0
Add eth0 to the bridge (by default, all OVS ports are VLAN trunks, so eth0 will pass all VLANs):
ovs-vsctl add-port br0 eth0
Add VM1 as an “access port” on VLAN 1:
ovs-vsctl add-port br0 tap0 tag=1
Add VM2 on VLAN 2:
ovs-vsctl add-port br0 tap1 tag=2
On Host 2, repeat the same configuration to set up a bridge with eth0 as a trunk:
ovs-vsctl add-br br0
ovs-vsctl add-port br0 eth0
Add VM3 to VLAN 1:
ovs-vsctl add-port br0 tap0 tag=1
Add VM4 to VLAN 2:
ovs-vsctl add-port br0 tap1 tag=2

Trouble-Shooting:
Ping from VM1 to VM3, this should succeed.
Ping from VM2 to VM4, this should succeed.
Ping from VM1/VM3 to VM2/VM4, this should not succeed (unless you have a router configured to forward between the VLANs, in which case, packets arriving at VM3 should have the source MAC address of the router, not of VM1).


VLAN Commands

The vlan database Global Configuration mode command enters the VLAN Configuration mode.
Syntax
vlan database
Parameters
This command has no arguments or keywords.
Default Configuration
This command has no default configuration.
Command Mode
Global Configuration mode
User Guidelines
There are no user guidelines for this command.
Example
The following example enters the VLAN database mode.
console(config)# vlan database
console(config-vlan)#
vlan
The vlan VLAN Configuration mode command creates a VLAN. Use the no form of this command to delete a VLAN.
Syntax
vlan vlan-range
no vlan vlan-range
Parameters
vlan-range — Specifies a list of VLAN IDs to be added. Separate nonconsecutive VLAN IDs with a comma and no spaces; a hyphen designates a range of IDs.
Default Configuration
This command has no default configuration.
Command Mode
VLAN Configuration mode
User Guidelines
There are no user guidelines for this command.
Example
In the following example, VLAN number 1972 is created.
console(config)# vlan database
console(config-vlan)# vlan 1972
interface vlan
The interface vlan Global Configuration mode command enters the Interface Configuration (VLAN) mode.
Syntax
interface vlan vlan-id
Parameters
vlan-id — Specifies an existing VLAN ID.
Default Configuration
This command has no default configuration.
Command Mode
Global Configuration mode
User Guidelines
If the VLAN doesn't exist ('ghost VLAN'), only a partial list of commands is available under the interface VLAN context.
The commands supported for non-existent VLANs are:
1) IGMP snooping control
2) Bridge Multicast configuration
Example
In the following example, for VLAN 1, the address is 131.108.1.27 and the subnet mask is 255.255.255.0:
console(config)# interface vlan 1
console(config-if)# ip address 131.108.1.27 255.255.255.0
interface range vlan
The interface range vlan Global Configuration mode command enables simultaneously configuring multiple VLANs.
Syntax
interface range vlan {vlan-range | all}
Parameters
vlan-range — Specifies a list of VLAN IDs to be added. Separate nonconsecutive VLAN IDs with a comma and no spaces; a hyphen designates a range of IDs.
all — All existing static VLANs.
Default Configuration
This command has no default configuration.
Command Mode
Global Configuration mode
User Guidelines
Commands under the interface range context are executed independently on each interface in the range. If the command returns an error on one of the interfaces, an error message is displayed and execution of the command continues on the other interfaces.
Example
The following example groups VLANs 221 through 228 and 889 to receive the same command.
console(config)# interface range vlan 221-228,889
console(config-if)#
name
The name Interface Configuration mode command adds a name to a VLAN. Use the no form of this command to remove the VLAN name.
Syntax
name string
no name
Parameters
string — Unique name to be associated with this VLAN. (Range: 1 - 32 characters)
Default Configuration
No name is defined.
Command Mode
Interface Configuration (VLAN) mode. Cannot be configured for a range of interfaces (range context).
User Guidelines
There are no user guidelines for this command.
Example
The following example gives VLAN number 19 the name Marketing.
console(config)# interface vlan 19
console(config-if)# name Marketing
switchport protected
The switchport protected Interface Configuration mode command enables Private VLAN Edge, by overriding the FDB decision, and sends all Unicast, Multicast and Broadcast traffic to an uplink port. Use the no form of this command to disable overriding the FDB decision.
Syntax
switchport protected {ethernet port | port-channel port-channel-number}
no switchport protected
Parameters
port— Specifies the uplink Ethernet port.
port-channel-number — Specifies the uplink port-channel.
Default Configuration
Switchport protected is disabled.
Command Mode
Interface Configuration (Ethernet, port-channel) mode
User Guidelines
Private VLAN Edge (PVE) supports private communication by isolating PVE-defined ports and ensuring that all Unicast, Broadcast and Multicast traffic from these ports is only forwarded to uplink port(s).
PVE requires only one VLAN on each device, but not on every port; this reduces the number of VLANs required by the device. Private VLANs and the default VLAN function simultaneously in the same device.
The uplink must be a GE port.
Example
This example configures ethernet port 1/e8 as a protected port, so that all traffic is sent to its uplink (ethernet port 1/e9).
console(config)# interface ethernet 1/e8
console(config-if)# switchport protected ethernet 1/e9
switchport mode
The switchport mode Interface Configuration mode command configures the VLAN membership mode of a port. Use the no form of this command to return to the default configuration.
Syntax
switchport mode {access | trunk | general}
no switchport mode
Parameters
access — Indicates an untagged layer 2 VLAN port.
trunk — Indicates a trunking layer 2 VLAN port.
general — Indicates a full 802.1Q-supported VLAN port.
Default Configuration
All ports are in access mode, and belong to the default VLAN (whose VID=1).
Command Mode
Interface Configuration (Ethernet, port-channel) mode
User Guidelines
There are no user guidelines.
Example
The following example configures Ethernet port 1/e16 as an untagged layer 2 VLAN port.
console(config)# interface ethernet 1/e16
console(config-if)# switchport mode access
switchport access vlan
The switchport access vlan Interface Configuration mode command configures the VLAN ID when the interface is in access mode. Use the no form of this command to return to the default configuration.
Syntax
switchport access vlan {vlan-id}
no switchport access vlan
Parameters
vlan-id — Specifies the ID of the VLAN to which the port is configured.
Default Configuration
All ports belong to VLAN 1.
Command Mode
Interface configuration (Ethernet, port-channel) mode
User Guidelines
The command automatically removes the port from the previous VLAN and adds it to the new VLAN.
Example
The following example assigns VLAN ID 23 to the untagged layer 2 VLAN Ethernet port 1/e16.
console(config)# interface ethernet 1/e16
console(config-if)# switchport access vlan 23
switchport trunk allowed vlan
The switchport trunk allowed vlan Interface Configuration mode command adds or removes VLANs to or from a trunk port.
Syntax
switchport trunk allowed vlan {add vlan-list | remove vlan-list}
Parameters
add vlan-list — List of VLAN IDs to be added. Separate nonconsecutive VLAN IDs with a comma and no spaces. A hyphen designates a range of IDs.
remove vlan-list — List of VLAN IDs to be removed. Separate nonconsecutive VLAN IDs with a comma and no spaces. A hyphen designates a range of IDs.
Default Configuration
This command has no default configuration.
Command Mode
Interface Configuration (Ethernet, port-channel) mode
User Guidelines
There are no user guidelines for this command.
Example
The following example adds VLANs 1 to 2 and 5 to 6 to the allowed list of Ethernet port 1/e16.
console(config)# interface ethernet 1/e16
console(config-if)# switchport trunk allowed vlan add 1-2,5-6
switchport trunk native vlan
The switchport trunk native vlan Interface Configuration mode command defines the native VLAN when the interface is in trunk mode. Use the no form of this command to return to the default configuration.
Syntax
switchport trunk native vlan vlan-id
no switchport trunk native vlan
Parameters
vlan-id— Specifies the ID of the native VLAN.
Default Configuration
VID=1.
Command Mode
Interface Configuration (Ethernet, port-channel) mode
User Guidelines
The command adds the port as a member in the VLAN. If the port is already a member in the VLAN (not as a native), it should be first removed from the VLAN.
Example
The following example configures VLAN number 123 as the native VLAN when Ethernet port 1/e16 is in trunk mode.
console(config)# interface ethernet 1/e16
console(config-if)# switchport trunk native vlan 123
switchport general allowed vlan
The switchport general allowed vlan Interface Configuration mode command adds or removes VLANs from a general port.
Syntax
switchport general allowed vlan add vlan-list [tagged | untagged]
switchport general allowed vlan remove vlan-list
Parameters
add vlan-list — Specifies the list of VLAN IDs to be added. Separate nonconsecutive VLAN IDs with a comma and no spaces. A hyphen designates a range of IDs.
remove vlan-list — Specifies the list of VLAN IDs to be removed. Separate nonconsecutive VLAN IDs with a comma and no spaces. A hyphen designates a range of IDs.
tagged — Indicates that the port transmits tagged packets for the VLANs.
untagged — Indicates that the port transmits untagged packets for the VLANs.
Default Configuration
If the port is added to a VLAN without specifying tagged or untagged, the default setting is tagged.
Command Mode
Interface Configuration (Ethernet, port-channel) mode
User Guidelines
This command enables changing the egress rule (e.g., from tagged to untagged) without first removing the VLAN from the list.
Example
The following example adds VLANs 2, 5, and 6 to the allowed list of Ethernet port 1/e16.
console(config)# interface ethernet 1/e16
console(config-if)# switchport general allowed vlan add 2,5-6 tagged
switchport general pvid
The switchport general pvid Interface Configuration mode command configures the PVID when the interface is in general mode. Use the no form of this command to return to the default configuration.
Syntax
switchport general pvid vlan-id
no switchport general pvid
Parameters
vlan-id — Specifies the PVID (Port VLAN ID).
Default Configuration
If the default VLAN is enabled, PVID = 1. Otherwise, PVID=4095.
Command Mode
Interface Configuration (Ethernet, port-channel) mode
User Guidelines
There are no user guidelines for this command.
Example
The following example configures the PVID for Ethernet port 1/e16, when the interface is in general mode.
console(config)# interface ethernet 1/e16
console(config-if)# switchport general pvid 234
switchport general ingress-filtering disable
The switchport general ingress-filtering disable Interface Configuration mode command disables the ingress filtering of a port. Use the no form of this command to enable the ingress filtering of a port.
Syntax
switchport general ingress-filtering disable
no switchport general ingress-filtering disable
Parameters
This command has no arguments or keywords.
Default Configuration
Ingress filtering is enabled.
Command Mode
Interface Configuration (Ethernet, port-channel) mode
User Guidelines
There are no user guidelines for this command.
Example
The following example disables the ingress filtering of Ethernet port 1/e16.
console(config)# interface ethernet 1/e16
console(config-if)# switchport general ingress-filtering disable
switchport general acceptable-frame-type tagged-only
The switchport general acceptable-frame-type tagged-only Interface Configuration mode command discards untagged frames at ingress. Use the no form of this command to return to the default configuration.
Syntax
switchport general acceptable-frame-type tagged-only
no switchport general acceptable-frame-type tagged-only
Parameters
This command has no arguments or keywords.
Default Configuration
All frame types are accepted at ingress.
Command Mode
Interface Configuration (Ethernet, port-channel) mode
User Guidelines
There are no user guidelines for this command.
Example
The following example configures Ethernet port 1/e16 to discard untagged frames at ingress.
console(config)# interface ethernet 1/e16
console(config-if)# switchport general acceptable-frame-type tagged-only
switchport general map macs-group vlan
The switchport general map macs-group vlan interface configuration mode command sets a mac-based classification rule. Use the no form of this command to delete a classification.
Syntax
switchport general map macs-group group vlan vlan-id
no switchport general map macs-group group
Parameters
group — Specifies the MAC group number (defined with map mac macs-group).
vlan-id — Specifies the VLAN ID assigned to frames whose source MAC matches the group.
Default Configuration
This command has no default configuration.
Command Mode
Interface Configuration (Ethernet, port-channel) mode
User Guidelines
MAC based VLAN rules cannot contain overlapping ranges on the same interface.
The priority between VLAN classification rules is:
1) MAC based VLAN (best match between the rules)
2) PVID
The interface must be in General Mode to configure a MAC-based classification rule.
Example
The following example sets a mac-based classification rule.
console(config)# vlan database
console(config-vlan)# map mac 00:08:78:32:98:78 9 macs-group 1 interface ethernet e17
console(config-vlan)# exit
console(config)# interface ethernet 1/e17
console(config-if)# switchport mode general
console(config-if)# switchport general map macs-group 1 vlan 2
map mac macs-group
The map mac macs-group VLAN Configuration mode command maps a MAC address or a range of MAC addresses to a group of MAC addresses. Use the no form of this command to delete a map.
Syntax
map mac mac-address {prefix-mask | host} macs-group group
no map mac mac-address {prefix-mask | host}
Parameters
mac-address — Specifies the MAC address to be entered to the group.
prefix-mask — Specifies the Mask bits. The format is the MAC address format.
host — Specifies all 1’s mask.
group — Specifies the group number. (Range: 1 - 2147483647)
Default Configuration
This command has no default configuration.
Command Mode
VLAN Configuration mode
User Guidelines
There are no user guidelines for this command.
Example
The following example maps a MAC address or a range of MAC addresses to a group of MAC addresses.
console(config)# vlan database
console(config-vlan)# map mac 00:08:78:32:98:78 9 macs-group 1 interface ethernet e17
show vlan macs-group
The show vlan macs-group privileged EXEC command displays MAC group information.
Syntax
show vlan macs-group
Parameters
This command has no arguments or keywords.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays macs-group information.
console# show vlan macs-groups
MAC Address Mask Group ID
-------------- -------------- --------
0060.704C.73FF FFFF.FFFF.0000 1
0060.704D.73FF FFFF.FFFF.0000 1
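The general-mode entries above (allowed vlan with tagged/untagged egress, pvid, ingress-filtering, acceptable-frame-type tagged-only, and MAC-based classification with its best-match priority over PVID) together decide what happens to each arriving frame. The model below is an added example, not from the reference: the port values are constructed around the 1/e16 examples, and ingress filtering is interpreted in the usual 802.1Q sense (discard frames whose classified VLAN the port is not a member of), which is an assumption since the reference does not spell it out.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def mac_to_int(mac: str) -> int:
    """Accept both 00:08:78:32:98:78 and 0060.704C.73FF notations seen in the reference."""
    return int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)


@dataclass
class MacRule:
    """A 'map mac <address> <mask|host> macs-group <g>' entry together with the
    VLAN its group is mapped to on this port by 'switchport general map macs-group'."""
    address: str
    mask: str          # mask in MAC notation, or "host" for an all-ones mask
    vlan: int

    def match_bits(self, src_mac: str) -> Optional[int]:
        """Number of mask bits if src_mac matches this rule, else None (drives best-match)."""
        mask = (1 << 48) - 1 if self.mask == "host" else mac_to_int(self.mask)
        if mac_to_int(src_mac) & mask == mac_to_int(self.address) & mask:
            return bin(mask).count("1")
        return None


@dataclass
class GeneralPort:
    pvid: int = 1                                  # default PVID when the default VLAN is enabled
    allowed: Dict[int, str] = field(default_factory=dict)   # vid -> "tagged" | "untagged" egress rule
    ingress_filtering: bool = True                 # default per the reference
    tagged_only: bool = False                      # acceptable-frame-type tagged-only
    mac_rules: List[MacRule] = field(default_factory=list)


def classify_ingress(port: GeneralPort, src_mac: str, vid: Optional[int]) -> Tuple[str, object]:
    """Decide what a general-mode port does with an arriving frame.
    vid is the 802.1Q VID of a tagged frame, or None for an untagged frame.
    Returns ("accept", vlan) or ("drop", reason)."""
    if vid is None:
        if port.tagged_only:
            return "drop", "untagged frame on tagged-only port"
        # priority from the reference: MAC-based rule (best match) before PVID
        matches = [(bits, r.vlan) for r in port.mac_rules
                   if (bits := r.match_bits(src_mac)) is not None]
        vlan = max(matches)[1] if matches else port.pvid
    else:
        vlan = vid                                  # tagged frames keep their own VID
    # Ingress filtering (802.1Q sense, assumed): drop frames of VLANs the port is not in.
    if port.ingress_filtering and vlan not in port.allowed:
        return "drop", f"port is not a member of VLAN {vlan}"
    return "accept", vlan


def egress_form(port: GeneralPort, vlan: int) -> Optional[str]:
    """How the port transmits a frame of this VLAN: 'tagged', 'untagged', or None if not a member."""
    return port.allowed.get(vlan)


# Constructed port modelled on the 1/e16 examples: PVID 234 sent untagged,
# VLANs 2,5-6 tagged (plus 9 and 12 for the MAC rules below), and three MAC rules.
PORT = GeneralPort(
    pvid=234,
    allowed={234: "untagged", 2: "tagged", 5: "tagged", 6: "tagged", 9: "tagged", 12: "tagged"},
    mac_rules=[
        MacRule("00:08:78:32:98:78", "host", 2),          # host rule from the example, group -> VLAN 2
        MacRule("0060.704C.73FF", "FFFF.FFFF.0000", 9),    # 32-bit range, as in the show output
        MacRule("0060.704C.73FF", "host", 12),             # more specific rule for one station
    ],
)

if __name__ == "__main__":
    for mac, vid in [("00:08:78:32:98:78", None), ("0060.704C.1234", None),
                     ("0060.704C.73FF", None), ("02:00:00:00:00:01", None),
                     ("02:00:00:00:00:01", 5), ("02:00:00:00:00:01", 7)]:
        print(mac, vid, "->", classify_ingress(PORT, mac, vid))
```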
switchport forbidden vlan
The switchport forbidden vlan Interface Configuration mode command forbids adding specific VLANs to a port. Use the no form of this command to return to the default configuration.
Syntax
switchport forbidden vlan {add vlan-list | remove vlan-list}
Parameters
add vlan-list — Specifies the list of VLAN IDs to be added. Separate nonconsecutive VLAN IDs with a comma and no spaces. A hyphen designates a range of IDs.
remove vlan-list — Specifies the list of VLAN IDs to be removed. Separate nonconsecutive VLAN IDs with a comma and no spaces. A hyphen designates a range of IDs.
Default Configuration
All VLANs are allowed.
Command Mode
Interface Configuration (Ethernet, port-channel) mode
User Guidelines
This command can be used to prevent GVRP from automatically making the specified VLANs active on the selected ports.
Example
The following example forbids adding VLAN IDs 234 to 256 to Ethernet port 1/e16.
console(config)# interface ethernet 1/e16
console(config-if)# switchport forbidden vlan add 234-256
ip internal-usage-vlan
The ip internal-usage-vlan Interface Configuration mode command reserves a VLAN as the internal usage VLAN of an interface. Use the no form of this command to return to the default configuration.
Syntax
ip internal-usage-vlan vlan-id
no ip internal-usage-vlan
Parameters
vlan-id — Specifies the ID of the internal usage VLAN.
Default Configuration
The software reserves a VLAN as the internal usage VLAN of an interface.
Command Mode
Interface Configuration (Ethernet, port-channel) mode
User Guidelines
An internal usage VLAN is required when an IP interface is configured on an Ethernet port or port-channel.
This command enables the user to configure the internal usage VLAN of a port. If an internal usage VLAN is not configured and the user wants to configure an IP interface, an unused VLAN is selected by the software.
If the software selected a VLAN for internal use and the user wants to use that VLAN as a static or dynamic VLAN, the user should do one of the following:
Remove the IP interface.
Create the VLAN and recreate the IP interface.
Use this command to explicitly configure a different VLAN as the internal usage VLAN.
Example
The following example reserves an unused VLAN as the internal usage VLAN of Ethernet port 1/e8.
console# config
console(config)# interface ethernet 1/e8
console(config-if)# ip internal-usage-vlan
show vlan
The show vlan Privileged EXEC mode command displays VLAN information.
Syntax
show vlan [tag vlan-id | name vlan-name]
Parameters
vlan-id — Specifies a VLAN ID.
vlan-name — Specifies a VLAN name string. (Range: 1 - 32 characters)
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays all VLAN information.
console# show vlan

VLAN  Name        Ports             Type     Authorization
----  ----------  ----------------  -------  -------------
1     default     1/e1-e2, 2/e1-e4  other    Required
10    VLAN0010    1/e3-e4           dynamic  Required
11    VLAN0011    1/e1-e2           static   Required
20    VLAN0020    1/e3-e4           static   Required
21    VLAN0021                      static   Required
30    VLAN0030                      static   Required
31    VLAN0031                      static   Required
91    VLAN0011    1/e1-e2           static   Not Required
3978  Guest VLAN  1/e17             guest    -
show vlan internal usage
The show vlan internal usage Privileged EXEC mode command displays a list of VLANs used internally by the device.
Syntax
show vlan internal usage
Parameters
This command has no arguments or keywords.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays VLANs used internally by the device.
console# show vlan internal usage

VLAN  Usage      IP address  Reserved
----  ---------  ----------  --------
1007  Eth 1/e21  Active      No
1008  Eth 1/e22  Inactive    Yes
1009  Eth 1/e23  Active      Yes
show interfaces switchport
The show interfaces switchport Privileged EXEC mode command displays the switchport configuration.
Syntax
show interfaces switchport {ethernet interface | port-channel port-channel-number}
Parameters
interface — A valid Ethernet port number.
port-channel-number — A valid port-channel number.
Default Configuration
This command has no default configuration.
Command Mode
Privileged EXEC mode
User Guidelines
There are no user guidelines for this command.
Example
The following example displays the switchport configuration for Ethernet port 1/e1.
console# show interface switchport ethernet 1/e1
Port 1/e1:
VLAN Membership mode: General
Operating parameters:
PVID: 1 (default)
Ingress Filtering: Enabled
Acceptable Frame Type: All
GVRP status: Enabled
Protected: Enabled, Uplink is 1/e9

Port 1/e1 is member in:
Vlan  Name       Egress rule  Type
----  ---------  -----------  -------
1     default    untagged     System
8     VLAN008    tagged       Dynamic
11    VLAN011    tagged       Static
19    IPv6 VLAN  untagged     Static
72    VLAN0072   untagged     Static

Static configuration:
PVID: 1 (default)
Ingress Filtering: Enabled
Acceptable Frame Type: All

Port 1/e1 is statically configured to:
Vlan  Name       Egress rule
----  ---------  -----------
1     default    untagged
11    VLAN011    tagged
19    IPv6 VLAN  untagged
72    VLAN0072   untagged

Forbidden VLANS:
VLAN  Name
----  ----
73    out

console# show interface switchport ethernet 1/e2
Port 1/e2:
VLAN Membership mode: General
Operating parameters:
PVID: 4095 (discard vlan)
Ingress Filtering: Enabled
Acceptable Frame Type: All

Port 1/e1 is member in:
Vlan  Name          Egress rule  Type
----  ------------  -----------  ------
91    IP Telephony  tagged       Static

Static configuration:
PVID: 8
Ingress Filtering: Disabled
Acceptable Frame Type: All

Port 1/e2 is statically configured to:
Vlan  Name          Egress rule
----  ------------  -----------
8     VLAN0072      untagged
91    IP Telephony  tagged

Forbidden VLANS:
VLAN  Name
----  ----
73    out

Port 2/e19
Static configuration:
PVID: 2922
Ingress Filtering: Enabled
Acceptable Frame Type: Untagged
GVRP status: Disabled

Configuring Windows Server 2008 Server Core Basic Networking Settings

In my previous articles (see list below) I have written about how a Windows Server 2008 Server Core installation does not include the traditional full graphical user interface (GUI). Once you have configured the server, you can therefore manage it only locally at a command prompt, or remotely over a Terminal Server connection.


Like any other server, Server Core machines must be properly configured to be able to communicate on your network. Some of these settings include:
  • Configuring an IP address
  • Configuring an administrator's password
  • Configuring a server name
  • Enabling remote MMC snap-in management
  • Enabling remote RDP connections
  • Enabling remote Windows Firewall management
  • Enabling remote shell management
  • Activating the server
  • Joining a domain
  • Configuring Windows Updates
  • Configuring error reporting
  • Adding server roles and features
And other tasks.
Before you start, you need to configure the server's IP address.

To set the server with a static IP address

  1. At a command prompt, type the following:
    netsh interface ipv4 show interfaces
  2. Look at the number shown in the Idx column of the output for your network adapter. If your computer has more than one network adapter, make a note of the number corresponding to the network adapter for which you wish to set a static IP address.
  3. At the command prompt, type:
    netsh interface ipv4 set address name="<ID>" source=static address=<StaticIP> mask=<SubnetMask> gateway=<DefaultGateway>
    Where:
    • ID is the number from step 2 above
    • StaticIP is the static IP address that you are setting
    • SubnetMask is the subnet mask for the IP address
    • DefaultGateway is the default gateway
  4. At the command prompt, type:
    netsh interface ipv4 add dnsserver name="<ID>" address=<DNSIP> index=1
    Where:
    • ID is the number from step 2 above
    • DNSIP is the IP address of your DNS server
  5. Repeat step 4 for each DNS server that you want to set, incrementing the index= number each time.
  6. Verify by typing ipconfig /all and checking that all the addresses are correct.
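As an added example (not part of the original article), the batch script below carries steps 1 to 6 out in one go, looking the adapter's Idx up by its name rather than reading it off the screen; the adapter name and every address in it are constructed sample values, not real ones.

```batch
@echo off
REM Added example, not from the original article: carries out steps 1 to 6
REM above in one go, looking the adapter's Idx up by its name instead of
REM reading it off the screen. Adapter name and addresses are constructed
REM sample values; replace them with the ones for your network.
setlocal EnableDelayedExpansion

set "ADAPTER=Local Area Connection"
set "STATICIP=192.0.2.10"
set "SUBNETMASK=255.255.255.0"
set "DEFAULTGATEWAY=192.0.2.1"
set "DNSSERVERS=192.0.2.53 192.0.2.54"

REM Steps 1-2: "show interfaces" prints columns Idx, Met, MTU, State, Name.
REM Token 1 is Idx, token 4 is State and "*" collects the rest as the Name,
REM so names containing spaces compare correctly. Header and separator
REM lines never match the adapter name, so no lines need to be skipped.
set "IDX="
for /f "tokens=1,4*" %%A in ('netsh interface ipv4 show interfaces') do (
    if /i "%%C"=="%ADAPTER%" set "IDX=%%A"
)
if not defined IDX (
    echo Adapter "%ADAPTER%" not listed by: netsh interface ipv4 show interfaces
    exit /b 1
)
echo Adapter "%ADAPTER%" has Idx %IDX%

REM Step 3: static address, mask and gateway on the adapter found above.
netsh interface ipv4 set address name="%IDX%" source=static address=%STATICIP% mask=%SUBNETMASK% gateway=%DEFAULTGATEWAY%
if errorlevel 1 (
    echo Setting the static address failed
    exit /b 1
)

REM Steps 4-5: one add dnsserver call per server, index incremented each time.
set /a INDEX=1
for %%D in (%DNSSERVERS%) do (
    netsh interface ipv4 add dnsserver name="%IDX%" address=%%D index=!INDEX!
    set /a INDEX+=1
)

REM Step 6: show only the lines that matter for checking the result.
ipconfig /all | findstr /i /c:"IPv4 Address" /c:"Subnet Mask" /c:"Default Gateway" /c:"DNS Servers"
endlocal
```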

To set the administrative password in Windows Server 2008

  1. At a command prompt, type the following:
    net user administrator *
  2. When prompted to enter the password, type the new password for the administrator user account and press ENTER.
  3. When prompted, retype the password and press ENTER.
Next, you might want to change the computer's name, as the default name is randomly generated (unless configured through an answer file).

To change the name of the server

  1. Determine the current name of the server with the hostname or ipconfig /all commands.
  2. At a command prompt, type:
    netdom renamecomputer <ComputerName> /NewName:<NewComputerName>
  3. Restart the computer by typing the following at a command prompt:
    shutdown /r /t 0

To manage a server running a Server Core installation by using the Windows Remote Shell

  1. To enable Windows Remote Shell on a server running a Server Core installation, type the following command at a command prompt:
    WinRM quickconfig
  2. Type Y to accept the default settings. Note: WinRM quickconfig enables a server running a Server Core installation to accept Windows Remote Shell connections.
  3. On the remote computer, at a command prompt, use WinRS.exe to run commands on a server running a Server Core installation. For example, to perform a directory listing of the Windows folder, type:
    winrs -r:<ServerName> cmd
    Where ServerName is the name of the server running a Server Core installation.
  4. You can now type any command that you require; it will be executed on the remote computer.

To activate the server

  1. At a command prompt, type:
    slmgr.vbs -ato
    If activation succeeds, no message is returned at the command prompt.

To activate the server remotely

  1. At a command prompt, type:
    cscript slmgr.vbs -ato
  2. Retrieve the GUID of the computer by typing:
    cscript slmgr.vbs -did
  3. Type:
    cscript slmgr.vbs -dli
  4. Verify that License status is set to Licensed (activated).

To join a Windows 2008 server to a domain

  1. At a command prompt, type:
    netdom join <ComputerName> /domain:<DomainName> /userd:<UserName> /passwordd:*
    Where:
    • ComputerName is the name of the server that is running the Server Core installation.
    • DomainName is the name of the domain to join.
    • UserName is a domain user account with permission to join the domain.
    Note: Entering * as the password means you will be prompted to enter it in the command prompt window in the next step. You can enter it in the initial command if you wish. Note that the word "passwordd" has two d's in it.
  2. When prompted to enter the password, type the password for the domain user account specified by UserName.
  3. Restart the computer by typing the following at a command prompt:
    shutdown /r /t 0

To remove the Windows 2008 server from a domain

  1. At a command prompt, type:
    netdom remove
  2. Reboot the computer.

To configure automatic updates

  1. To enable automatic updates, type:
    cscript C:\Windows\System32\Scregedit.wsf /au 4
  2. To disable automatic updates, type:
    cscript C:\Windows\System32\Scregedit.wsf /au 1
    By the way, to view your current setting you can type:
    cscript C:\Windows\System32\Scregedit.wsf /au /v

To configure error reporting

  1. To verify the current setting, type:
    serverWerOptin /query
  2. To automatically send detailed reports, type:
    serverWerOptin /detailed
  3. To automatically send summary reports, type:
    serverWerOptin /summary
  4. To disable error reporting, type:
    serverWerOptin /disable
