Setting Up and Managing Switched Networks

ITS 905
Instructor: Kent Reuber, consultant for Engineering departments
reuber@stanford.edu, 725-8092


Outline

– Definitions
– Switch Models and Building Design
– Configuring Cisco 2900/3500 Switches
– Managing Switches via Web and Telnet
– Reference Section
– Lab (Optional)


Definitions


What’s a Smart Hub?

A smart hub can be configured and remotely managed. For example, ports can be shut off.

However, this doesn’t mean that it does anything smart with network traffic. It has no switching capabilities. Traffic is always forwarded to all ports.

Our most common smart hub on campus is the Asanté NetStacker.

Networking no longer recommends hubs for wiring closets. It may be OK to use small unmanaged hubs to give selected offices additional ports. Use hubs with care!


What’s a Bridge?

Stanford has mostly decommissioned NAT bridges, but since switches do bridging, it’s worth discussing how these work.

A bridge separates network segments into two “collision domains”, so that each side can support one “conversation” of its own. Each side has a “bridging table”: a list of all MAC addresses on its side. Based on its lists, a bridge determines if it should keep a packet on one side, or forward it to the other.

A NAT bridge will show a solid green “Status 3” light if working properly. Any other condition is an error. One common error condition is an unterminated coaxial segment.

Broadcasts and Multicasts are always forwarded to both sides (or to every port in the case of a switch). If you use a sniffer on a switch port, this should be the only traffic you see.


What’s a Switch?

A switch is a hub where every port acts as a bridge.

Each port remembers the MAC addresses of all devices connected to it. The switch as a whole keeps a master list of all these MAC addresses by port.

If a user has a mini-hub in their office, you will see multiple MAC addresses on a switch port.

A switch port periodically drops unseen addresses from its list. Pinging a host by IP address will put the corresponding MAC address back in the table (assuming the device is on).

The end result of this is that network traffic is generally not repeated across all ports (unless it’s a broadcast or multicast). For example, if a computer on port 2 is sending a huge file to the server on port 8, no other ports see this traffic.

Network traffic problems almost always disappear with switches. Collisions become a thing of the past.


Private Address Ranges

There are ranges of addresses that are not routed anywhere on the Internet. Any site may use these addresses for their own purpose: 10.*.*.*, 172.16.*.* – 172.32.*.*, 192.168.*.*

Devices with private addresses cannot access or be accessed by hosts outside of Stanford. That’s usually OK for switches, printers, etc.

If your network is 171.6x.y.*, your private address is probably 172.2x.y.*
– For large nets, there may be only one private range. E.g., the private net associated with 171.64.52 – 55 is 172.24.52.*
– You can check in Netdb or whois. Look up the Network record for your net number. Net numbers end in “0”, e.g., 171.64.20.0

The netmask for devices on the private net is 255.255.255.0. Don’t use 172.24.1.1 for a gateway. Use a “.1” address for the specific network. (For example, use 172.24.20.1 for net 20.)


The Wonders of Spanning Tree

What would happen in the following situation:

[Figure: diagram with two devices, each labeled “switch”]

Which switch would send the packet? What would happen if both switches sent a packet from one side to the other?

To prevent such a problem, there is Spanning Tree Protocol. Simply put, the two bridging devices decide which one will do the bridging, and which one will enter “standby” mode.

If you wish to use switches to provide redundancy in your network, you can do so. Spanning tree will force one switch to shut off that port.

The primary problem of spanning tree is that it takes 20-30 seconds or more for the port of a switch to discover if it is connected to another switch. This can cause problems with many desktop computers which become impatient with the delay, assume there’s no network connection, and give an error.


Fun with Wiring (Copper)…

Twisted Pair:
– Category 3: 10 Mb only, uses 2 pairs.
– Category 5/5e: Required for 100Mb. Use 2 pairs for 100Mb, 4 pairs for gigabit (1000BaseT)

Two types of wiring configurations (RJ-45):
– Standard (switch/hub to computer)
– Crossover (switch-switch or computer-computer)
– AutoMDIX: Some switches automatically choose standard or crossover as appropriate.
– 1000BaseT can use either standard or crossover between switches.


Fun with Wiring (Fiber)

Fiber can be used for speeds from 10Mb to 10Gb.
– Names: 10FL, 100FX, 1000BaseSX/LX/ZX
– Fiber switches do not auto-negotiate: no 10/100!

Two types of cables:
– Single mode (yellow): Usually 8µm diameter fibers. Used for longer runs, equipment is more expensive.
– Multimode (orange): Usually 62.5µm or 50µm. Used for shorter runs. 50µm can support longer runs.
– Currently Stanford uses multimode for most applications. Gigabit will involve using more single mode for building feeds.


Fiber Connectors

ST (think “T for tube”):
– 2 round ends with thin-wire style bayonet connectors.
– Used on 10FL switches. By convention, Stanford uses ST for connections between buildings, even for 100FX.

SC (think “C for cube”):
– 2 square ends that click into place
– Used by 100Mb and gigabit equipment. Now used for fiber runs within a building at Stanford (new installations).

MT-RJ:
– Small connector. Can be a little fragile. Used when you need to put lots of fiber in a small space (e.g., a switch with 24 fiber ports)


Switch Models and Building Designs


Switch Models

| Model | Backplane Speed (Gbps) | 10/100baseT ports | GBICs | Other |
|---|---|---|---|---|
| 1900 series | 1 | 12/24 10baseT | | 2 100FX fiber or 2 100T ports or 1 of each. Not used much anymore. |
| 2924/C/M | 3.2 | 24 | | Very common at Stanford. C has 100FX, M has 2 module bays. **Discontinued** |
| 2950 series | 8.8 | 12/24/48 | | Optional 100FX (MT-RJ), 10/100/1000BaseT, or GBIC uplinks |
| 3508G | 10 | | 8 | **Discontinued** |
| 3512/24/48 | 10 | 12/24/48 | 2 | **Discontinued** |
| 3550-12T | 24 | | 2 | 10 10/100/1000BaseT ports. Layer 3 |
| 3550-12G | 24 | | 10 | 2 10/100/1000 ports. New building entrance device. |
| 3550-24/48 | 24 | 48 | 2 | |
| AT-8288 | 8 | | | From Allied Telesyn. 8 100FX + 2 modular slots for gigabit. Used in wireless network and some building entrance devices. |

Except for 8288, all switches are made by Cisco.

Ask your network consultant for help when designing nets


What’s a GBIC?

“Gigabit Interface Converter”. Hot swappable modules for different gigabit media.
– 1000BaseLX (fiber). Used mainly for runs between buildings (~550m limit on 62.5 µm multimode fiber, 5km on single mode)
– 1000BaseSX (fiber). Used mainly for runs between wiring closets (~220m limit on 62.5 µm multimode, ~500m on 50µm multimode. Cannot be used with single mode).
– Gigastack or “stacking GBIC” (copper). Can be used to connect switches within a rack. Note that switches in a stack can act as though they were connected with a Gigabit hub -- you *can* have collisions. Probably don’t want to use these.
– 1000BaseT. Gigabit over Cat 5. For servers and/or switches.

Warning: GBICs are static sensitive. Cisco recommends using a grounding strap.


Typical Building Layout: 2900’s

[Diagram labels]
– Main Closet (e.g., in basement): 2924M w/ fiber modules, 2924, 2924 (more as needed); 100FX fiber building feed
– 1st floor, wing 1: 2924C, 2924, 2924 (more as needed); 100FX fiber
– 1st floor, wing 2: 2924C, 2924, 2924 (more as needed); 100FX fiber

(Other floors are similar)


Typical Building Layout: 3500

[Diagram labels]
– Locations: Main Closet (e.g., in basement); 1st floor, wing 1; 1st floor, wing 2
– Device groups (three): 3550-12G, 3550-48, 3550-48 (more as needed)
– Additional device: 3550-12G, Networking Controlled
– Links: 1000LX fiber building feed; 1000SX fiber (two links); 1000BaseT

(Other floors are similar)


Cisco 2900/3500 Configuration


A brief interlude into IOS

Cisco Catalyst 2900-series switches use Cisco’s IOS operating system, which is the same OS used on their routers.
- In this class, we cover only the basic IOS commands needed for switch configuration and basic management.
- There are 5-day classes that introduce you to IOS, and then other 5-day classes offered by third parties that you take to get into some of the details.

IOS works on levels. You have to be at the right level to issue the desired command.
- The most useful level is the “enable” level, from which you will be able to see your configurations and save (write) your configuration. Very similar to becoming “root” in Unix or “Administrator” in Windows.
- There’s also a configuration level which is used to input new commands.

For example, to change the speed and duplex for a switch port (Cisco calls this an “interface”), you must:
- Enter enable mode
- Enter configuration mode
- Specify the interface you want to modify (e.g., FastEthernet 0/1)
- Issue the commands to change speed and duplex


IOS (Continued)

The most useful IOS commands are:
– en to enter enable mode (from which you do everything). When in enabled mode, a # will appear in the prompt (Switch> becomes Switch#). At each level the prompt changes (Switch(config)# or switch(config-if)# etc.) You’ll see some of this in our configuration.
– Show run will show the current running configuration while Show config will show the stored configuration. The write command will store the running configuration.
– Config t to configure over the terminal (your current session).
– Config net to configure over the network (download a configuration file from a tftp server).
– Exit to go back a level (i.e. to go from config to enable level to write a configuration; control-Z will get you all the way back to the enable level)

Any config changes are not saved until you issue a “write” command.


What you’ll need

You’ll Need:
– A laptop or desktop computer with a serial connection.
– The special serial cable that comes with the switch.
– A crossover cable (usually hot pink or lime green)
– A network connection.

Set up:
– Turn AppleTalk off (if using an older PowerBook)
– Create a NetDB record for the switch (you need an appropriate IP address)
– Connect the serial cable (using the appropriate adapters) to the RJ-45 console port on the switch
– Connect the switch, using the crossover cable, to an Ethernet connection.
– Start a serial session.


The Old Way…

Do basic switch network configuration:
– IP address, netmask, gateway, hostname
– passwords

Download supplementary configuration file:
– Stanford DNS servers, standard access lists (address ranges allowed to access the switch)

Any switch specific configuration:
– Additional access lists, spanning tree settings


The New Way…

Copy a configuration file from the LNA Guide into a text editor.

Make a few changes to the configuration (address, gateway, etc.)

Paste new configuration into terminal window.


Step 1: Get a config file

Go to the LNA Guide “Hardware” section:
– http://lna.stanford.edu/hardware.html
– Note, this page is restricted to LNAs.

Select the link appropriate for your switch. This will open the config file in a browser window:
– 24 10/100 ports (2924, 2950-24, 3524, etc.)
– 48 10/100 ports (2950-48, 3540, 3550-48)
– All gigabit (3508, 3550-12G, 3550-12T)

Select all this text and paste it into a text editor (e.g., Notepad in Windows, or TeachText for Mac)


Step 2: Edit the config file

The config file you’ve accessed needs to be altered. Comments will show you what you need to change. In general, change:

– Switch IP address and default gateway

– Switch hostname (name from NetDB)

– Telnet and enable passwords

– Web access list (what IP addresses can access the switch for Web management)

– Portfast settings


Config file details:

Change the items in bold:

enable
config terminal
# Replace the address below with your switch's IP address.
# The netmask will probably not need to be changed.
interface VLAN1
ip address 172.24.00.000 255.255.255.0
no shutdown
exit
# Replace with your gateway address.
ip default-gateway 172.24.00.1
# Replace "SWITCH" with the name of the switch as shown in netdb
hostname SWITCH


Config file details (pt. 2):

More things to change:

# Replace "SEKRIT" with the "enable" password of your switch.
# This password allows you to make changes.
enable secret SEKRIT
# Replace "SEKRIT2" with the telnet password for the switch.
# We recommend that you make this different than the enable password.
line vty 0 4
password SEKRIT2
exit
# Uncomment the line below if you DON'T want your switch to be
# running a Web server for management purposes.
#
#no ip http server


Config file details (pt. 3):

More things to change:

# The next lines control which address ranges can manage your switches.
# You should not need to change access-list 1, which is for telnet
# access.
ip http access-class 2
access-list 1 permit 171.64.0.0 0.3.255.255
access-list 1 permit 172.24.0.0 0.3.255.255
access-list 2 permit 171.64.20.0 0.0.0.255
# Access-class 2 is for Web management. Add any net ranges that should
# be allowed to manage your switches below. The second number is
# the width of the access block. For example
# "access-list 1 permit 172.24.0.0 0.3.255.255" allows any device from
# 172.24.0.0 through 172.27.255.255 to manage the switches.
# Uncomment the line below and add your subnet(s) of choice.
#access-list 2 permit 171.64.00.0 0.0.0.255
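To check how wide each management access list in the config above really is, the following added example (not part of the original slides or the LNA config file) expands each wildcard mask into its address range and evaluates a source address against a list the way a standard ACL does. The function names are hypothetical, and the sample text contains only the access-list lines shown on this slide.

```python
import ipaddress

# Access-list lines copied from the sample config above (template comments omitted).
SAMPLE_CONFIG = """\
ip http access-class 2
access-list 1 permit 171.64.0.0 0.3.255.255
access-list 1 permit 172.24.0.0 0.3.255.255
access-list 2 permit 171.64.20.0 0.0.0.255
"""

MASK32 = 0xFFFFFFFF


def parse_acls(config_text):
    """Return {acl_number: [(action, base, wildcard), ...]} for standard ACL lines."""
    acls = {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "access-list" and parts[2] in ("permit", "deny"):
            base = int(ipaddress.IPv4Address(parts[3]))
            wildcard = int(ipaddress.IPv4Address(parts[4]))
            acls.setdefault(int(parts[1]), []).append((parts[2], base, wildcard))
    return acls


def http_acl_number(config_text):
    """Number of the ACL named by 'ip http access-class', or None if absent."""
    for line in config_text.splitlines():
        parts = line.split()
        if parts[:3] == ["ip", "http", "access-class"] and len(parts) == 4:
            return int(parts[3])
    return None


def entry_range(base, wildcard):
    """First and last address matched by an entry with a contiguous wildcard."""
    if wildcard & (wildcard + 1):
        raise ValueError("non-contiguous wildcard: matches are not one range")
    first = base & ~wildcard & MASK32
    return (str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(first | wildcard)))


def is_permitted(acls, number, source):
    """First-match evaluation with the implicit deny that ends every ACL."""
    src = int(ipaddress.IPv4Address(source))
    for action, base, wildcard in acls[number]:  # KeyError if the ACL is undefined
        # Wildcard bits set to 1 are ignored; every other bit must equal the base.
        if (src ^ base) & ~wildcard & MASK32 == 0:
            return action == "permit"
    return False


def scope_report(config_text):
    """List (acl_number, first, last, address_count) for each permit entry."""
    report = []
    for number, entries in sorted(parse_acls(config_text).items()):
        for action, base, wildcard in entries:
            if action == "permit":
                first, last = entry_range(base, wildcard)
                report.append((number, first, last, wildcard + 1))
    return report


if __name__ == "__main__":
    for number, first, last, count in scope_report(SAMPLE_CONFIG):
        print(f"access-list {number}: {first} - {last} ({count} addresses)")
    acls = parse_acls(SAMPLE_CONFIG)
    web_acl = http_acl_number(SAMPLE_CONFIG)
    for host in ("171.64.20.15", "171.64.21.15"):
        print(f"{host} web management allowed: {is_permitted(acls, web_acl, host)}")
```

Running the report before pasting a config shows at a glance how many addresses each entry opens the switch to, which is easy to misjudge from the wildcard alone.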


Config file details (pt. 4):

More things to change. Remove the portfast statement from any port that will connect to another switch.

# The instructions below enable portfast on every 10/100 port.
# We assume one of the Gigabit ports is the uplink port.
# If your uplink port is on one of the 10/100 ports,
# remove the "spanning-tree portfast" line for this port.
# If this is a distribution switch, remove the "spanning-tree portfast"
# lines from *EVERY* port that links one switch with another.
# In other words, portfast is usually a good thing for ports that
# connect to computers, printers, etc., but *NOT* a good thing for
# links that connect switches to one another.
interface FastEthernet0/1
spanning-tree portfast
interface FastEthernet0/2
spanning-tree portfast


Step 3: Paste

Copy the modified config file in the text editor.

Paste into the terminal window. **Done**

(Note: we have seen instances where the paste operation fails mid-way through. This is probably dependent on the terminal software used. If it does fail, paste again from the point where the failure occurs. You may want to try pasting the config file in 2-3 smaller “chunks”.)


Managing 2900s and 3500s via the Web and Telnet


Cisco Web Interface

Log in to the switch by its name or IP number through Netscape 4+ or IE 4+. You should use a PC — the Cisco Web management software works poorly (if at all) from Macs.

The quality of the Web interface varies with the software version of the switch and the browser version. In general, Networking only uses the Telnet interface, because it’s much more reliable and can be accessed from any machine.

However, the Web interface is the easiest way of doing switch software upgrades.

When you connect via a browser, you will see a username/password dialog. Put in the enable password. Leave the name area blank.

Click on “Web Console.”

Note how each active port looks just like it would if you were looking at the switch. Click the “Mode” button to cycle through the modes just like you were clicking on the “Mode” button on an actual switch.

Note: Don’t use the web interface and a telnet connection at the same time -- some of your changes may not be written to the config file.


Cisco 2900 Web Interfaces

Generation 1:
– Long narrow menu bar (not hierarchical)

Generation 2:
– Shorter, fatter menu bar with “popup” action

Generation 3:
– Requires Java plugin (no Mac/Linux version!)
– This is the only version for the 3500


Cisco Web Interface (Generation 1)


Cisco Web Interface (Generation 2)


Cisco Web Interface (Generation 3)


Common Switch Management Tasks

Enabling/Disabling Ports: e.g., a hacked machine is spewing packets and we want to shut it off.

Turning on PortFast: Bypasses the ~30 sec delay caused by spanning tree when devices are booting.
– Fixes “Your AppleTalk network is now available” warning
– Fixes some problems with Ethernet-LocalTalk bridges and any host having problems getting an address via DHCP.

Labeling Ports. Helps you keep straight who’s plugged into each port. But, you may prefer spreadsheets/database.

Forcing port speed/duplex: some devices don’t auto-negotiate well.

Important note: Saving changes is a separate step!


Port Commands

Generation 1:
– PortFast: “STP” menu. Check/uncheck boxes.
– “Port” menu for other functions

Generation 2:
– PortFast: “Device” menu, “Spanning Tree Protocol” item. Select VLAN from the list (usually there’s just 1), then click button “Modify STP parameters”. Check/uncheck boxes.
– “Port” menu, “Port Configuration” item for other functions

Generation 3:
– “Port” menu, “Port Configuration” item for everything.
– A new window will open. Click the row of the port you want to modify and click the “modify” button.


Saving Configuration Changes

Changes via Web interface require 2 steps:
– “Apply” changes on the screen of interest
– “Save” the change on the “System” menu

Location of “Save” command:
– Generation 1: “System” menu, “Save Configuration” button
– Generation 2: “System” menu, “System Configuration” item, “Save Configuration” button
– Generation 3: “System” menu, “Save Configuration” item


Telnet interface

The telnet syntax is exactly the same as the format of the configuration file

Telnet to the switch and get into enable mode. Type the “show run” command to see the current config. (“show config” shows the saved config)

Notice the lines that look like:
– interface FastEthernet0/1
– This is where port specific information goes

At any point you can type “?”. IOS will show you what the possible values are.


Telnet interface (cont)

Example:
switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)#interface fastethernet 0/1
switch(config-if)#?
– (There are many more commands. I’ve deleted most of them for brevity.)

Interface configuration commands:
  duplex         Configure duplex operation.
  exit           Exit from interface configuration mode
  spanning-tree  Spanning Tree Subsystem
  speed          Configure speed operation.

switch(config-if)#speed ?
  10    Force 10 Mbps operation
  100   Force 100 Mbps operation
  auto  Enable AUTO speed configuration


Telnet interface (cont.)

switch(config-if)#duplex ?
  auto  Enable AUTO duplex configuration
  full  Force full duplex operation
  half  Force half-duplex operation

switch(config-if)#spanning-tree ?
  cost           Change an interface's spanning tree path cost
  port-priority  Change an interface's spanning tree priority
  portfast       Allow a change from blocking to forwarding
  vlan           VLAN Switch Spanning Trees

Full example:
switch(config)#interface fastethernet 0/1
switch(config-if)#speed 100
switch(config-if)#duplex full
switch(config-if)#spanning-tree portfast
switch(config-if)#ctrl-Z
switch#write


Hunting Down Bad Devices

Look at the MAC address table to find a specific device and shut down a port. (Caution: a device on another switch will be listed as being on the port connecting the switches. You don’t want to shut this port off!)

Switch>enable
Switch#show mac-address-table
Dynamic Address Count: 63
Secure Address Count: 0
Static Address (User-defined) Count: 12
System Self Address Count: 27
Total MAC addresses: 102
Maximum MAC addresses: 8192
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0000.0c07.ac14       Dynamic          1  FastEthernet0/24
0000.0c14.257b       Dynamic          1  FastEthernet0/24
0000.1b16.765a       Dynamic          1  FastEthernet0/24
0003.933e.b76e       Dynamic          1  FastEthernet0/24


Hunting, Part 2

When hunting, you probably want to search for a specific address rather than looking at the whole table.

Commands aren’t the same on all switches. Also, the format of the MAC address changes!
– Switches with IOS (2900, 3500 series):
  • Show mac-address-table address xxxx.xxxx.xxxx
– Switches with CatOS (4000, 5000, 6000 series):
  • Show cam xx-xx-xx-xx-xx-xx
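The lookup described in the two "Hunting" slides above can be scripted against saved "show mac-address-table" output. This added example (not from the original slides) converts a MAC address between the IOS and CatOS notations and reports whether the port it was learned on carries other addresses too, which is the uplink or mini-hub case the caution warns about. The function names are hypothetical, and the last table row is constructed for the example.

```python
import re
from collections import Counter

# First four rows are the ones shown on the slide; the FastEthernet0/7 row is
# constructed so the sample also contains a port with a single address.
SAMPLE_OUTPUT = """\
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  --------------------
0000.0c07.ac14       Dynamic          1  FastEthernet0/24
0000.0c14.257b       Dynamic          1  FastEthernet0/24
0000.1b16.765a       Dynamic          1  FastEthernet0/24
0003.933e.b76e       Dynamic          1  FastEthernet0/24
0010.a4c1.22de       Dynamic          1  FastEthernet0/7
"""

ROW = re.compile(
    r"^\s*((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\S+)\s+(\d+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def normalize_mac(text):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[.:\-\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits


def to_ios(mac):
    """xxxx.xxxx.xxxx, the form 'show mac-address-table address' expects."""
    d = normalize_mac(mac)
    return ".".join(d[i:i + 4] for i in range(0, 12, 4))


def to_catos(mac):
    """xx-xx-xx-xx-xx-xx, the form 'show cam' expects."""
    d = normalize_mac(mac)
    return "-".join(d[i:i + 2] for i in range(0, 12, 2))


def parse_table(output):
    """Return a list of (mac, address_type, vlan, port) rows from the table."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((normalize_mac(m.group(1)), m.group(2), int(m.group(3)), m.group(4)))
    return rows


def locate(output, mac):
    """Find the port a MAC was learned on and say whether the port is shared."""
    wanted = normalize_mac(mac)
    rows = parse_table(output)
    per_port = Counter(port for _, _, _, port in rows)
    for row_mac, _, vlan, port in rows:
        if row_mac == wanted:
            return {
                "port": port,
                "vlan": vlan,
                "addresses_on_port": per_port[port],
                # More than one address means a mini-hub or a link to another
                # switch, so the port needs a second look before "shutdown".
                "shared": per_port[port] > 1,
            }
    return None


if __name__ == "__main__":
    print(locate(SAMPLE_OUTPUT, "00-03-93-3E-B7-6E"))
    print(to_ios("00-03-93-3E-B7-6E"), to_catos("0003.933e.b76e"))
```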


Hunting, pt. 3

Finding adjacent switch with Cisco Discovery Protocol (CDP only works with Cisco):

nw-test-2950#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
Pine-Pyramid-1.stFas 0/24          130           S        WS-C2924C-Fas 0/10

Adjacent switch is “pine-pyramid-1” (.stanford.edu is truncated)

Documenting your network (what switches/ports connect to each other) may be more useful and faster!


Hunting, pt. 4

Once you find a bad device, you may want to shut down the port:

nw-test-2950#config t
Enter configuration commands, one per line. End with CNTL/Z.
nw-test-2950(config)#interface fastethernet 0/1
nw-test-2950(config-if)#shutdown
nw-test-2950(config-if)#exit
nw-test-2950(config)#exit

Make a note of what ports you shut down!

Use “no shutdown” command to re-enable the port.


That’s It!!

Please give us feedback: fill out the feedback (yellow) forms.

We add and remove content from our classes all the time. Please let us know how we can improve our courses!
- What do you want to see more of?
- What do you want less of?

Please feel free to send me comments
- reuber@stanford.edu (650) 725-8092


Reference


NAT Bridge Status

Look at http://whatsup.stanford.edu. Login as “guest” with no password.

Click on NAT Bridges, or Building Entrance Devices, look for your bridge. If it’s in a green field, you’re fine. If it’s in a red field, we’ve been notified. Network Ops staff are paged when bridges die. Please let us know (3-3909) if you need to turn one off or remove one.

If your bridge isn’t in the list, let us know.

If you need a replacement bridge, your Network Consultant will configure it for you.

Hint: If you can get to the bridge, look for a constant light under Status #3. Any combination of lights other than just one light under 3 is a problem. If we aren’t already out there fixing it, let us know.


Cisco Catalyst 1900 Switches

You’ll Need:
– A serial cable.
– A converter to use your serial cable with the DB9 male port on the back of the hub (for older 1900’s) or the special cable that comes with the switch.
– A laptop or desktop computer with a serial connection.
– To turn AppleTalk off (if using older PowerBook)

Set up:
– Connect the serial cable (using the appropriate adapters) to the RJ-45 Console Port (or DB9 Console Port)
– Have the IP number ready, and a label to put on the switch.
– Launch your terminal emulation program of choice (Mac- or PC-Samson are recommended)
– Start a serial session. Hit return a couple of times.


Catalyst 1900 Set up (Continued)

If fresh from the factory, you’ll have an initial IP configuration option.

– Type I (or, for an older switch, N then I)
– Type I again, enter the IP number.
– Type S, enter an appropriate subnet mask (public: 255.255.0.0, private: 255.255.255.0)
– Type G, enter an appropriate gateway (e.g. 171.64.1.1 or 172.24.xx.1)
– Type M, enter 171.64.7.55, 77 or 99.
– Type N and choose another DNS computer.
– Type D, enter stanford.edu
– (The “M,” “N,” and “D” choices aren’t on the older 1900’s)
– Type X to finish IP configuration, X again to get to the main menu.
– Type C for console settings, and M to set a password.
– Type X until you’ve exited the console, type Y to really exit.


Configuring the Cat 2900/3500 (Extra for Experts)

If you plan on configuring many 2900-series switches, and have write access to a directory of a tftp server, you can upload your configuration and save several steps.

After you’ve written the configuration to the switch, you can write it to your tftp server using the following commands:

Write net

[name of your host] i.e.: “tftp-server”

[name of your file, including path] i.e.: switch_configs/polya-2924.config

[hit return to accept]

Then, telnet into the tftp server and examine the file. You’ll notice the following two lines:

interface VLAN1

ip address 171.64.xx.yy 255.255.0.0


Configuring the Cat 2900/3500 (Extra for Experts 2)

You’ll want to delete the second line (the one containing the IP number for the switch you just configured), so that you don’t have one IP address propagated to all your switches.

Then, when you set up further switches, you’ll just have to put in the initial setup information. Config net the file you just created on your tftp server, write the information, and you’re finished. Each subsequent switch will only take about 5 minutes to set up in this fashion.

TFTP server software is generally free with most UNIX systems, and can be purchased and/or downloaded for Windows and Mac OS computers.


A Few Quick Commands for the Catalyst 5000-series switches.

The Catalyst 5000-series switches use yet another command line interface. It’s easier than IOS, in that you don’t have to go into or out of layers, just type the command and it’s executed. You’ll need to enter enable mode to use most of these commands. Just type en and the password.

– Show config to show the whole configuration
– Show port to show the status of each port (very useful)
– Show spantree to see which ports have portfast enabled.
– set port name <mod_num/port_num> [port_name] to give each port a useful descriptive name.
– set port duplex <mod_num/port_num> <full|half> to change duplex mode, if auto-negotiation isn’t working.
– set port speed <mod_num/port_num> <4|10|16|100|auto> to change the port speed, also for auto-negotiation failure.
– set spantree portfast <mod_num/port_num> <enable|disable> to enable portfast, it will warn you about the possible problems of portfast.


Appendix

Appropriate Web Sites:
– Cisco Documentation: http://cisco.com/public/products_doc.shtml
– This Class: http://www.stanford.edu/group/networking/NetConsult/hbs/