
Cisco LAN Switching Fundamentals: Configuring Switches

Chapter Description

This chapter provides guidance and configuration examples for connecting switches running both native and hybrid software configurations, and offers examples of both Layer 3 and Layer 2 connectivity between switches.

Configuring the Access Layer

Switchports on the Catalyst 5500 SW3 and interfaces on the Catalyst 4506 SW4 will be configured in VLANs to support access layer devices. Figure 7-10 shows the IP network numbers assigned to these VLANs.

Figure 7-10 Addition of Access Layer VLANs

Configuring the access layer begins with configuring ports on SW3 to be in VLAN 130. VLAN 130 is one of the access layer VLANs in the VLAN addressing scheme outlined in Table 7-1 earlier in this chapter. Remember VLAN 130 was created on SW3 earlier in VTP configuration (refer to Example 7-3). In Example 7-37, module 4 on SW3 is a 24-port 10/100 Mb FastEthernet module, and will have all ports assigned to VLAN 130.

Example 7-37 Configuring Ports on SW3 as Members of VLAN 130

SW3> (enable) show mod 4
Mod Module-Name         Ports Module-Type           Model     Serial-Num Status
--- ------------------- ----- --------------------- --------- --------- -------
4                       24    10/100BaseTX Ethernet WS-X5224  009607843 ok

Mod MAC-Address(es)                        Hw     Fw         Sw
--- -------------------------------------- ------ ---------- -----------------
4   00-10-7b-78-57-00 to 00-10-7b-78-57-17 1.4    3.1(1)     4.5(5)
SW3> (enable)

SW3> (enable) set vlan 130 4/1-24
VLAN 130 modified.
VLAN 1 modified.
VLAN Mod/Ports
---- -----------------------
130  4/1-24

SW3> (enable)

For these ports to be reachable from other networks, an SVI must be configured on the RSM for VLAN 130. The SVI for VLAN 130 is configured in Example 7-38. Remember sc0 on the switch is already assigned to VLAN 130 with an IP address of 172.16.196.5/24 in Example 7-8, earlier in the chapter.

Example 7-38 Configuring a SVI for VLAN 130 on the RSM of SW3

RSM1#config t
Enter configuration commands, one per line. End with CNTL/Z.
RSM1(config)#int vlan130
RSM1(config-if)#ip address 172.16.196.1 255.255.255.0
RSM1(config-if)#end
RSM1#

In Example 7-39, the show interface vlan130 command is issued to confirm the SVI is UP/UP, and a ping from the SVI to the sc0 interface on the supervisor is issued.

Example 7-39 Verifying the Status of the VLAN130 Interface and sc0

RSM1#show interface vlan130
Vlan130 is up, line protocol is up
 Hardware is Cat5k Virtual Ethernet, address is 0010.f6b3.4800 (bia 0010.f6b3.4800)
 Internet address is 172.16.196.1/24
(output truncated)

RSM1#ping 172.16.196.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.196.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/23/112 ms

In Example 7-40, the interfaces on module 2 of SW4 are configured for VLAN 140. Module 4 on the SW4 is a 48-port 10/100/1000BASE-TX module.

Example 7-40 Configuring Ports 2/1-48 on SW4 for VLAN 140

SW4#config t
Enter configuration commands, one per line. End with CNTL/Z.
SW4(config)#interface range gigabitethernet 2/1 - 48
SW4(config-if-range)#switchport mode access
SW4(config-if-range)#switchport access vlan 140
SW4(config-if-range)#end
SW4#

SW4#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active
140  VLAN0140                         active    Gi2/1, Gi2/2, Gi2/3, Gi2/4
                                                Gi2/5, Gi2/6, Gi2/7, Gi2/8
                                                Gi2/9, Gi2/10, Gi2/11, Gi2/12
                                                Gi2/13, Gi2/14, Gi2/15, Gi2/16
                                                Gi2/17, Gi2/18, Gi2/19, Gi2/20
                                                Gi2/21, Gi2/22, Gi2/23, Gi2/24
                                                Gi2/25, Gi2/26, Gi2/27, Gi2/28
                                                Gi2/29, Gi2/30, Gi2/31, Gi2/32
                                                Gi2/33, Gi2/34, Gi2/35, Gi2/36
                                                Gi2/37, Gi2/38, Gi2/39, Gi2/40
                                                Gi2/41, Gi2/42, Gi2/43, Gi2/44
                                                Gi2/45, Gi2/46, Gi2/47, Gi2/48
!output truncated

The interface range command must be entered exactly as shown in Example 7-40, including the spaces, to be accepted. The output of the show vlan command shows that ports 2/1–48 were successfully assigned to VLAN 140.

Now that these ports have been assigned, an SVI must be created on SW4 so that VLAN 140 can be reached from other networks. The SVI for VLAN 140 on SW4 is created in Example 7-41.

Example 7-41 Configuration of a SVI on SW4 for VLAN 140

SW4#config t
Enter configuration commands, one per line. End with CNTL/Z.
SW4(config)#interface VLAN140
SW4(config-if)#ip address 172.16.197.1 255.255.255.0
SW4(config-if)#no shutdown
SW4(config-if)#end
SW4#

In Example 7-42, the show interface vlan140 command is issued to confirm the SVI is UP/UP.

Example 7-42 Verifying the Status of the VLAN140 Interface

SW4#show interface vlan140
Vlan140 is up, line protocol is up
 Hardware is Ethernet SVI, address is 000b.fdd5.62bf (bia 000b.fdd5.62bf)
 Internet address is 172.16.197.1/24

Dynamic Routing

Now that the Layer 3 connections between the four switches are configured, the access layer VLANs created, and access ports assigned, a dynamic routing protocol is configured to allow connectivity between VLANs. In these examples, EIGRP is used as the dynamic routing protocol. EIGRP will be enabled on all four switches using Autonomous System (AS) 100, starting with SW1. Refer to the documentation on Cisco.com for more information about EIGRP and other dynamic routing protocols. Example 7-43 shows EIGRP being configured on SW1.

Example 7-43 EIGRP Configured on SW1

SW1(config)#router eigrp 100
SW1(config-router)#network 172.16.192.0 0.0.63.255
SW1(config-router)#end
SW1#show ip eigrp interfaces
IP-EIGRP interfaces for process 100

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Gi1/1              0        0/0         0       0/10           0           0
Gi1/2              0        0/0         0       0/10           0           0
Fa10/23            0        0/0         0       0/10           0           0
Lo0                0        0/0         0       0/10           0           0
SW1#

The output of the show ip eigrp interfaces command in Example 7-43 indicates that the four interfaces configured on SW1 with IP addresses in the previous exercises are now part of EIGRP AS 100. The same commands are repeated on SW2 in Example 7-44, on SW3 in Example 7-45, and on SW4 in Example 7-46.

Example 7-44 EIGRP Configured on SW2

SW2#config t
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#router eigrp 100
SW2(config-router)#network 172.16.192.0 0.0.63.255
SW2(config-router)#end
SW2#show ip eigrp interfaces
IP-EIGRP interfaces for process 100

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Gi1/1              1        0/0      1044       0/10        5216           0
Gi1/2              0        0/0         0       0/10           0           0
Fa3/37             0        0/0         0       0/10           0           0
Lo0                0        0/0         0       0/10           0           0
SW2#

Example 7-45 EIGRP Configured on the RSM of SW3

RSM1(config)#router eigrp 100
RSM1(config-router)#network 172.16.192.0 0.0.63.255
RSM1(config-router)#end
RSM1#show ip eigrp interfaces
IP-EIGRP interfaces for process 100

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Vl130              0        0/0         0       0/10           0           0
Vl901              1        0/0       726       0/10        3632           0
Vl902              1        0/0       752       0/10        3760           0
Lo0                0        0/0         0       0/10           0           0
RSM1#

Example 7-46 EIGRP Configured on SW4

SW4#config t
Enter configuration commands, one per line. End with CNTL/Z.
SW4(config)#router eigrp 100
SW4(config-router)#network 172.16.192.0 0.0.63.255
SW4(config-router)#end
SW4#show ip eigrp interfaces
IP-EIGRP interfaces for process 100

                        Xmit Queue   Mean   Pacing Time   Multicast    Pending
Interface        Peers  Un/Reliable  SRTT   Un/Reliable   Flow Timer   Routes
Vl140              0        0/0         0       0/10           0           0
Gi1/1              1        0/0         0       0/10           0           0
Gi1/2              1        0/0         0       0/10           0           0
Lo0                0        0/0         0       0/10           0           0
SW4#

Now that dynamic routing for network 172.16.192.0 and its subnets has been configured on all four switches, a look at the routing table of SW1 in Example 7-47 shows that the networks for the access layer VLANs (172.16.196.0 and 172.16.197.0) are now reachable via the uplinks to those switches.

Example 7-47 Output of show ip route on SW1

SW1#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
    E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
    i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
    * - candidate default, U - per-user static route, o - ODR
    P - periodic downloaded static route

Gateway of last resort is not set

   172.16.0.0/16 is variably subnetted, 11 subnets, 3 masks
C    172.16.240.12/30 is directly connected, FastEthernet10/23
D    172.16.240.8/30
      [90/28416] via 172.16.240.6, 00:03:08, GigabitEthernet1/2
C    172.16.240.4/30 is directly connected, GigabitEthernet1/2
D    172.16.240.20/30
      [90/3072] via 172.16.240.6, 00:03:11, GigabitEthernet1/2
      [90/3072] via 172.16.240.18, 00:03:11, GigabitEthernet1/1
D    172.16.225.1/32
      [90/130816] via 172.16.240.6, 00:03:08, GigabitEthernet1/2
C    172.16.240.16/30 is directly connected, GigabitEthernet1/1
C    172.16.224.1/32 is directly connected, Loopback0
D    172.16.227.1/32
      [90/130816] via 172.16.240.18, 00:03:11, GigabitEthernet1/1
D    172.16.226.1/32
      [90/156160] via 172.16.240.13, 00:06:00, FastEthernet10/23
D    172.16.196.0/24
      [90/30720] via 172.16.240.13, 00:06:00, FastEthernet10/23
D    172.16.197.0/24
      [90/3072] via 172.16.240.18, 00:03:12, GigabitEthernet1/1
C  127.0.0.0/8 is directly connected, EOBC0/0
SW1#
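
The single network statement in Examples 7-43 through 7-46 enables EIGRP on every interface whose address matches 172.16.192.0 under wildcard 0.0.63.255, which is why the access layer SVIs appear in the show ip eigrp interfaces output. The following added example (not part of the original chapter) reproduces that match; the interface labels and the last address are constructed for illustration.

```python
import ipaddress

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def matches(network, wildcard, addr):
    """IOS wildcard match: bits set in the wildcard are ignored."""
    care = ~_int(wildcard) & 0xFFFFFFFF
    return (_int(addr) & care) == (_int(network) & care)

def covered_range(network, wildcard):
    """First and last matched address; only defined for contiguous wildcards."""
    w = _int(wildcard)
    if w & (w + 1):  # wildcard is not a run of low-order one bits
        raise ValueError("discontiguous wildcard has no single range")
    first = _int(network) & ~w & 0xFFFFFFFF
    return (str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(first | w)))

NETWORK, WILDCARD = "172.16.192.0", "0.0.63.255"

# Addresses from the chapter (SVIs, Loopback0, connected /30 subnets on SW1);
# the last entry is constructed to show an address outside the statement.
INTERFACES = {
    "RSM1 Vlan130": "172.16.196.1",
    "SW4 Vlan140": "172.16.197.1",
    "SW1 Loopback0": "172.16.224.1",
    "SW1 Gi1/1 subnet": "172.16.240.16",
    "SW1 Gi1/2 subnet": "172.16.240.4",
    "SW1 Fa10/23 subnet": "172.16.240.12",
    "constructed Vlan64": "172.16.64.1",
}
# Host-facing SVIs, per the chapter's access layer VLANs 130 and 140.
ACCESS_SVIS = {"RSM1 Vlan130", "SW4 Vlan140"}

def eigrp_enabled(interfaces):
    """Names of interfaces the network statement places into EIGRP."""
    return sorted(n for n, a in interfaces.items()
                  if matches(NETWORK, WILDCARD, a))

def host_facing_in_eigrp(interfaces):
    """Access layer SVIs that the statement also enables EIGRP on."""
    return [n for n in eigrp_enabled(interfaces) if n in ACCESS_SVIS]

if __name__ == "__main__":
    print(covered_range(NETWORK, WILDCARD))
    print(eigrp_enabled(INTERFACES))
    print(host_facing_in_eigrp(INTERFACES))
```

Vlan130 and Vlan140 show zero peers in Examples 7-45 and 7-46 yet still take part in EIGRP; the IOS passive-interface command is the usual way to stop hellos on host-facing SVIs like these.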

Channeling and Trunking

All the configuration examples thus far have assumed it is possible to restrict a VLAN to a single switch. Although this is the cleanest and simplest configuration, it is not always possible. Many times, connections between access layer and distribution layer switches are Layer 2, and VLANs must span many switches because of application or administrative requirements. Chapter 11, "Design and Implementation Best Practices," discusses additional design options and considerations.

In Figure 7-11, a requirement for two additional VLANs with ports on both SW1 and SW2 is introduced. VLANs 401 and 402 are used for the exercises. VLANs 401 and 402 have been created on SW1 and SW2 using the same procedures as in Examples 7-1 through 7-4. While the Gigabit connection between SW1 and SW2 could be converted to a trunk to carry these additional VLANs, some unused FastEthernet ports will be configured in a channel to carry only these new VLANs and VLAN 1.

Figure 7-11 Addition of VLANs 401 and 402

Configuration begins with creating the channel group on SW1, as shown in Example 7-48.

Example 7-48 Creating the Channel Group on SW1

SW1#config t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#interface range fastEthernet 10/11 - 14
SW1(config-if-range)#no ip address
SW1(config-if-range)#switchport
SW1(config-if-range)#switchport trunk encapsulation dot1q
SW1(config-if-range)#switchport mode trunk
SW1(config-if-range)#switchport mode dynamic desirable
SW1(config-if-range)#switchport trunk allowed vlan remove 2-400,403-1005
SW1(config-if-range)#channel-group 1 mode desirable
SW1(config-if-range)#no shutdown
SW1(config-if-range)#end
SW1#

The channel is completed by configuring the other side on SW2, as shown in Example 7-49.

Example 7-49 Creating the Channel Group on SW2

SW2(config)#interface range fastEthernet 3/11 - 14
SW2(config-if-range)#no ip address
SW2(config-if-range)#switchport
SW2(config-if-range)#switchport trunk encapsulation dot1q
SW2(config-if-range)#switchport mode trunk
SW2(config-if-range)#switchport mode dynamic desirable
SW2(config-if-range)#switchport trunk allowed vlan remove 2-400,403-1005
SW2(config-if-range)#channel-group 1 mode desirable
Creating a port-channel interface Port-channel1
SW2(config-if-range)#no shutdown
SW2(config-if-range)#end
SW2#

Issuing a show run interface fastEthernet 3/11 command displays the configuration of one of the ports in the channel (see Example 7-50).

Example 7-50 Verifying the Configuration on SW2

SW2#show run interface fastEthernet 3/11
Building configuration...

Current configuration : 182 bytes
!
interface FastEthernet3/11
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,401,402
 channel-group 1 mode desirable
end

The operation of the new channel group can be verified by issuing a show interfaces port-channel 1 command. The operation of the trunk can be verified by issuing the show interfaces trunk command, as shown in Example 7-51.

Example 7-51 Output of the show interfaces port-channel and show interfaces trunk Commands on SW1

SW1#show interfaces port-channel 1
Port-channel1 is up, line protocol is up
 Hardware is EtherChannel, address is 0009.1267.9ffa (bia 0009.1267.9ffa)
 MTU 1500 bytes, BW 400000 Kbit, DLY 100 usec,
   reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation ARPA, loopback not set
 Full-duplex, 100Mb/s
 Members in this channel: Fa10/11 Fa10/12 Fa10/13 Fa10/14
!output truncated

SW1#show interfaces trunk

Port      Mode         Encapsulation  Status        Native vlan
Po1       desirable    802.1q         trunking      1

Port      Vlans allowed on trunk
Po1       1,401-402

Port      Vlans allowed and active in management domain
Po1       1,401-402

Port      Vlans in spanning tree forwarding state and not pruned
Po1       1,401-402
SW1#

The bandwidth reported on the channel is 400000 Kbit, and the members of the channel are listed in the output.

Configuring UniDirectional Link Detection

One best practice to follow when configuring a network like the one used in this chapter is to configure UniDirectional Link Detection (UDLD) in Aggressive mode. UDLD is designed to mitigate certain fault conditions on fiber and copper Ethernet interfaces by shutting down any miswired ports or unidirectional links, putting the port in an errDisabled state. UDLD is a Layer 2 protocol and, when run in combination with Layer 1 autonegotiation mechanisms, can validate the physical (Layer 1) and logical (Layer 2) integrity of a link. UDLD accomplishes this task by learning about neighbors and keeping neighbor status in a cache. Neighbors are learned by sending UDLD echo or hello messages.

The UDLD Aggressive feature provides additional protection against unidirectional link conditions in certain situations, and attempts to re-establish a connection with the neighbor when a failure is detected. UDLD Aggressive works by detecting when one side of a link remains up while the other side of the link has gone down, and after eight failed retries, transitions the port to an errDisabled state and generates a syslog message.

Cisco recommends configuring UDLD in Aggressive mode on point-to-point FastEthernet/GigabitEthernet links between Cisco switches, and setting the message interval to 15 seconds. UDLD is globally disabled by default and can be enabled globally or on a port-by-port basis. In the examples in this section, UDLD Aggressive should be configured on all the links between switches. An example of this configuration on a per-port basis is shown in Example 7-52 using SW1 and SW2.

Example 7-52 Enabling Aggressive UDLD on SW1 and SW2

SW1#config t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#interface range gigabitethernet 1/1 - 2
SW1(config-if-range)#udld enable
SW1(config-if-range)#udld aggressive
SW1(config-if-range)#end

SW2#config t
Enter configuration commands, one per line. End with CNTL/Z.
SW2(config)#interface range gigabitethernet 1/1 - 2
SW2(config-if-range)#udld enable
SW2(config-if-range)#udld aggressive
SW2(config-if-range)#end
SW2#

The output of the show udld command on SW1 shows the status of the UDLD configuration. In the output in Example 7-53, SW1 detects SW2 as a UDLD neighbor, because both SW1 and SW2 have been configured, but does not detect SW4 on GigabitEthernet1/1 because it has yet to be configured.

Example 7-53 Output of show udld Command on SW1

SW1#show udld

Interface Gi1/1
---
Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Unknown
Current operational state: Advertisement
Message interval: 7
Time out interval: 5
No neighbor cache information stored

Interface Gi1/2
---
Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 60
Time out interval: 5

  Entry 1
  ---
  Expiration time: 168
  Device ID: 1
  Current neighbor state: Bidirectional
  Device name: SAD04281ARM
  Port ID: Gi1/1
  Neighbor echo 1 device: SAD050814BH
  Neighbor echo 1 port: Gi1/2

  Message interval: 5
  CDP Device name: SW2
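
A port such as Gi1/1 in Example 7-53, which has UDLD enabled but no neighbor, is not yet protected, so it is worth checking for mechanically. The following added example (not part of the original chapter) parses show udld output and reports such ports; the sample text is a trimmed copy of Example 7-53, and the function names are hypothetical.

```python
import re

# Trimmed copy of the Example 7-53 output (some neighbor entry fields omitted).
SHOW_UDLD = """\
Interface Gi1/1
---
Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Unknown
Current operational state: Advertisement
Message interval: 7
No neighbor cache information stored

Interface Gi1/2
---
Port enable administrative configuration setting: Enabled / in aggressive mode
Port enable operational state: Enabled / in aggressive mode
Current bidirectional state: Bidirectional
Current operational state: Advertisement - Single neighbor detected
Message interval: 60

  Entry 1
  ---
  Current neighbor state: Bidirectional
  Device name: SAD04281ARM
  CDP Device name: SW2
"""

def parse_show_udld(text):
    """Return {interface: fields}; the first value seen for a field wins."""
    ports, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"Interface (\S+)$", line)
        if m:
            current = ports.setdefault(m.group(1), {"neighbors": []})
        elif current is not None and ":" in line:
            key, value = (p.strip() for p in line.split(":", 1))
            if key == "Device name":  # one per neighbor cache entry
                current["neighbors"].append(value)
            else:
                current.setdefault(key, value)
    return ports

def udld_findings(ports):
    """Return (interface, finding) pairs for ports UDLD cannot yet protect."""
    findings = []
    for name, f in sorted(ports.items()):
        if "aggressive" not in f.get("Port enable operational state", ""):
            findings.append((name, "UDLD aggressive mode not operational"))
        if f.get("Current bidirectional state") != "Bidirectional":
            findings.append((name, "link not confirmed bidirectional"))
        if not f["neighbors"]:
            findings.append((name, "no UDLD neighbor learned"))
    return findings

if __name__ == "__main__":
    for finding in udld_findings(parse_show_udld(SHOW_UDLD)):
        print(finding)
```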

Portfast and BPDU Guard

You can find a detailed discussion of portfast and BPDU Guard in Chapter 10, "Implementing and Tuning Spanning Tree," but the configuration of the access layer ports in this chapter's examples would not be complete without enabling portfast and BPDU Guard.

Portfast is a feature that bypasses the normal spanning-tree operation of listening and learning and places a port immediately into forwarding when a port is connected. Portfast should only be used on ports connecting to end-station devices such as workstations and servers. Portfast is disabled by default and is enabled on a port-by-port basis.

Adding BPDU Guard as a further protection allows the switch to place any port configured with portfast into an errDisabled state if a BPDU is received on that port. Because ports 2/1 through 2/48 on SW4 were configured for access layer devices in VLAN 140 in Example 7-40 earlier in the chapter, those ports will have portfast and BPDU Guard enabled as follows in Example 7-54.

Example 7-54 Enabling Portfast and BPDU Guard on SW4

SW4#config t
Enter configuration commands, one per line. End with CNTL/Z.
SW4(config)#interface range gigabitethernet 2/1 - 48
SW4(config-if-range)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, etc... to this
 interface when portfast is enabled, can cause temporary bridging loops.
 Use with CAUTION
%Portfast will be configured in 48 interfaces due to the range command
 but will only have effect when the interfaces are in a non-trunking mode.

SW4(config-if-range)#spanning-tree bpduguard enable
SW4(config-if-range)#end
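
Range commands make it easy to miss a port, so the access layer settings from Examples 7-40 and 7-54 and the restricted trunk from Example 7-50 are worth verifying against the saved configuration. The following added example (not part of the original chapter) audits interface stanzas for those settings; the configuration fragment is constructed, and the function names are hypothetical.

```python
# Constructed running-config fragment modelled on Examples 7-40, 7-50 and 7-54.
# Gi2/47 and Gi2/48 deliberately lack lines that Example 7-54 applies.
CONFIG = """\
interface FastEthernet3/11
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,401,402
 channel-group 1 mode desirable
!
interface GigabitEthernet2/1
 switchport access vlan 140
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet2/47
 switchport access vlan 140
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet2/48
 switchport access vlan 140
 switchport mode access
!
"""

BPDUGUARD = "spanning-tree bpduguard enable"
PORTFAST = "spanning-tree portfast"

def interface_stanzas(config):
    """Return {interface name: [stripped config lines]} in file order."""
    stanzas, name = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            name = raw.split(None, 1)[1].strip()
            stanzas[name] = []
        elif name and raw.startswith(" "):
            stanzas[name].append(raw.strip())
        else:
            name = None  # '!' or a global command ends the stanza
    return stanzas

def audit(config):
    """Return (interface, finding) pairs for access and trunk port settings."""
    findings = []
    for name, lines in interface_stanzas(config).items():
        access = "switchport mode access" in lines
        trunk = any(l.startswith("switchport trunk") for l in lines)
        if access and PORTFAST not in lines:
            findings.append((name, "access port without portfast"))
        if (access or PORTFAST in lines) and BPDUGUARD not in lines:
            findings.append((name, "no BPDU Guard on edge port"))
        if trunk and not any(
                l.startswith("switchport trunk allowed vlan") for l in lines):
            findings.append((name, "trunk allows all VLANs"))
    return findings
```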