Setting Up and Managing
Switched Networks
ITS 905
Instructor: Kent Reuber, consultant for
Engineering departments
[email protected], 725-8092
Outline
• Definitions
• Switch Models and Building Design
• Configuring Cisco 2900/3500 Switches
• Managing Switches via Web and Telnet
• Reference Section
• Lab (Optional)
Definitions
What’s a Smart Hub?
• A smart hub can be configured and remotely managed. For example, ports can be shut off.
• However, this doesn’t mean that it does anything smart with network traffic. It has no switching capabilities. Traffic is always forwarded to all ports.
• Our most common smart hub on campus is the Asanté NetStacker.
• Networking no longer recommends hubs for wiring closets. It may be OK to use small unmanaged hubs to give selected offices additional ports. Use hubs with care!
What’s a Bridge?
Stanford has mostly decommissioned NAT bridges, but since
switches do bridging, it’s worth discussing how these work.
A bridge separates network segments into two “collision domains”,
allowing both sides to support one “conversation” on each side.
Each side has a “bridging table”: a list of all MAC addresses on
that side. Based on these lists, a bridge determines whether it should
keep a packet on one side or forward it to the other.
A NAT bridge will show a solid green “Status 3” light if working
properly. Any other condition is an error. One common error
condition is an unterminated coaxial segment.
Broadcasts and Multicasts are always forwarded to both sides
(or to every port in the case of a switch). If you use a sniffer
on a switch port, this should be the only traffic you see.
What’s a Switch?
A switch is a hub where every port acts as a bridge.
Each port remembers the MAC addresses of all devices connected to it. If
The switch as a whole keeps a master list of all these MAC addresses
by port.
If a user has a mini-hub in their office, you will see multiple MAC
addresses on a switch port.
A switch port periodically drops unseen addresses from its list. Pinging a
host by IP address will put the corresponding MAC address back in the
table (assuming the device is on).
The end result of this is that network traffic is generally not repeated
across all ports (unless it’s a broadcast or multicast). For example, if a
computer on port 2 is sending a huge file to the server on port 8, no
other ports see this traffic.
Network traffic problems almost always disappear with switches. Collisions
become a thing of the past.
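The learning and forwarding rules described above, as an added Python simulation (this is not code from the class notes): a frame from a known source is remembered on the port it arrived on, a frame to an unknown, broadcast or multicast destination is flooded to every other port, a frame whose destination is already known goes only to that port, and addresses that have not been seen for a while are aged out. The MAC addresses, port numbers and the 300-second aging timer are constructed sample values, not a particular switch's settings.

```python
"""Simulation of a switch's MAC learning and forwarding decisions.
Added example, not part of the original class notes; MAC addresses, port
numbers and the aging timer are constructed sample values."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ffff.ffff.ffff"


def is_multicast(mac: str) -> bool:
    """Multicast (and broadcast) MACs have the low bit of the first octet set."""
    first_octet = int(mac[:2], 16)
    return bool(first_octet & 1)


@dataclass
class Switch:
    ports: int
    age_limit: int = 300                      # seconds an unseen address is kept
    # MAC -> (port it was last seen on, time it was last seen)
    table: Dict[str, Tuple[int, int]] = field(default_factory=dict)

    def receive(self, in_port: int, src: str, dst: str, now: int) -> List[int]:
        """Handle one frame arriving on in_port; return the ports it is sent out."""
        # Learning: the source lives behind in_port (this also refreshes its timer).
        self.table[src] = (in_port, now)
        # Broadcast/multicast, or a destination we have not learned yet, goes to
        # every other port.  On a quiet switch port this flooded traffic is all
        # a sniffer ever sees.
        if is_multicast(dst) or dst not in self.table:
            return [p for p in range(1, self.ports + 1) if p != in_port]
        out_port, _ = self.table[dst]
        # Destination is on the same port as the sender (two hosts behind an
        # office mini-hub): the frame never needs to leave that port.
        if out_port == in_port:
            return []
        return [out_port]

    def age_out(self, now: int) -> List[str]:
        """Drop addresses not seen within age_limit; return what was removed."""
        expired = [m for m, (_, seen) in self.table.items()
                   if now - seen > self.age_limit]
        for m in expired:
            del self.table[m]
        return expired

    def macs_on_port(self, port: int) -> List[str]:
        """All addresses currently learned on one port (several means a hub)."""
        return sorted(m for m, (p, _) in self.table.items() if p == port)


if __name__ == "__main__":
    sw = Switch(ports=8)
    pc, server = "0000.0c07.ac14", "0003.933e.b76e"   # constructed addresses
    print("first frame, server unknown ->", sw.receive(2, pc, server, 0))
    print("reply, PC already learned   ->", sw.receive(8, server, pc, 1))
    print("big file transfer now goes  ->", sw.receive(2, pc, server, 2))
```

Pinging a host after its entry has aged out is exactly the `receive` call that re-learns it: the reply frame carries the host's MAC as the source, so the table entry comes back.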
Private Address Ranges
• There are ranges of addresses that are not routed anywhere on the Internet. Any site may use these addresses for their own purpose: 10.*.*.*, 172.16.*.* – 172.32.*.*, 192.168.*.*
• Devices with private addresses cannot access or be accessed by hosts outside of Stanford. That’s usually OK for switches, printers, etc.
• If your network is 171.6x.y.*, your private address is probably 172.2x.y.*
– For large nets, there may be only one private range. E.g., the private net associated with 171.64.52 – 55 is 172.24.52.*
– You can check in Netdb or whois. Look up the Network record for your net number. Net numbers end in “0”, e.g., 171.64.20.0
• The netmask for devices on the private net is 255.255.255.0. Don’t use 172.24.1.1 for a gateway. Use a “.1” address for the specific network. (For example, use 172.24.20.1 for net 20.)
The Wonders of Spanning Tree
What would happen in the following situation:
[Figure: two switches both connecting the same pair of network segments]
Which switch would send the packet? What would happen if both switches sent a packet from one side to the other?
To prevent such a problem, there is Spanning Tree Protocol. Simply put, the two bridging devices decide which one will do the bridging, and which one will enter “standby” mode.
If you wish to use switches to provide redundancy in your network, you can do so. Spanning tree will force one switch to shut off that port.
The primary problem of spanning tree is that it takes 20-30 seconds or more for the port of a switch to discover if it is connected to another switch. This can cause problems with many desktop computers which become impatient with the delay, assume there’s no network connection, and give an error.
Fun with Wiring (Copper)…
• Twisted Pair:
– Category 3: 10 Mb only, uses 2 pairs.
– Category 5/5e: Required for 100Mb. Use 2 pairs for 100Mb, 4 pairs for gigabit (1000BaseT)
• Two types of wiring configurations (RJ-45):
– Standard (switch/hub to computer)
– Crossover (switch-switch or computer-computer)
– AutoMDIX: Some switches automatically choose standard or crossover as appropriate.
– 1000BaseT can use either standard or crossover between switches.
Fun with Wiring (Fiber)
• Fiber can be used for speeds from 10Mb to 10Gb.
– Names: 10FL, 100FX, 1000BaseSX/LX/ZX
– Fiber switches do not auto-negotiate: no 10/100!
• Two types of cables:
– Single mode (yellow): Usually 8µm diameter fibers. Used for longer runs; equipment is more expensive.
– Multimode (orange): Usually 62.5µm or 50µm. Used for shorter runs. 50µm can support longer runs.
– Currently Stanford uses multimode for most applications. Gigabit will involve using more single mode for building feeds.
Fiber Connectors
• ST (think “T for tube”):
– 2 round ends with thin-wire style bayonet connectors.
– Used on 10FL switches. By convention, Stanford uses ST for connections between buildings, even for 100FX.
• SC (think “C for cube”):
– 2 square ends that click into place
– Used by 100Mb and gigabit equipment. Now used for fiber runs within a building at Stanford (new installations).
• MT-RJ:
– Small connector. Can be a little fragile. Used when you need to put lots of fiber in a small space (e.g., a switch with 24 fiber ports)
Switch Models and
Building Designs
Switch Models

Model        | Backplane speed (Gbps) | 10/100 baseT ports | GBICs | Other
-------------|------------------------|--------------------|-------|------------------------------------------------------------
1900 series  | 1                      | 12/24 (10baseT)    |       | 2 100FX fiber or 2 100T ports or 1 of each. Not used much anymore.
2924/C/M     | 3.2                    | 24                 |       | Very common at Stanford. C has 100FX, M has 2 module bays. **Discontinued**
2950 series  | 8.8                    | 12/24/48           |       | Optional 100FX (MT-RJ), 10/100/1000BaseT, or GBIC uplinks
3508G        | 10                     |                    | 8     | **Discontinued**
3512/24/48   | 10                     | 12/24/48           | 2     | **Discontinued**
3550-12T     | 24                     |                    | 2     | 10 10/100/1000BaseT ports. Layer 3
3550-12G     | 24                     |                    | 10    | 2 10/100/1000 ports. New building entrance device.
3550-24/48   | 24                     | 48                 | 2     |
AT-8288      |                        | 8 (100FX)          |       | From Allied Telesyn. 8 100FX + 2 modular slots for gigabit. Used in wireless network and some building entrance devices.

Except for the 8288, all switches are made by Cisco.
Ask your network consultant for help when designing nets.
What’s a GBIC?
• “Gigabit Interface Converter”. Hot swappable modules for different gigabit media.
– 1000BaseLX (fiber). Used mainly for runs between buildings (~550m limit on 62.5 µm multimode fiber, 5km on single mode)
– 1000BaseSX (fiber). Used mainly for runs between wiring closets (~220m limit on 62.5 µm multimode, ~500m on 50µm multimode. Cannot be used with single mode).
– Gigastack or “stacking GBIC” (copper). Can be used to connect switches within a rack. Note that switches in a stack can act as though they were connected with a Gigabit hub -- you *can* have collisions. Probably don’t want to use these.
– 1000BaseT. Gigabit over Cat 5. For servers and/or switches.
• Warning: GBICs are static sensitive. Cisco recommends using a grounding strap.
Typical Building Layout: 2900’s
[Figure: tree of 2900-series switches, summarized below]
– Main Closet (e.g., in basement): 100FX fiber building feed into a 2924M w/ fiber modules, plus a 2924 and more 2924s as needed.
– 1st floor, wing 1: 100FX fiber from the main closet to a 2924C, plus a 2924 and more 2924s as needed.
– 1st floor, wing 2: 100FX fiber from the main closet to a 2924C, plus a 2924 and more 2924s as needed.
– (Other floors are similar)
Typical Building Layout: 3500
[Figure: tree of 3500-series switches, summarized below]
– Main Closet (e.g., in basement): 1000LX fiber building feed into a Networking-controlled 3550-12G; a second 3550-12G in the closet connects over 1000BaseT to a 3550-48 and more 3550-48s as needed.
– 1st floor, wing 1: 1000SX fiber from the main closet to a 3550-12G, plus a 3550-48 and more 3550-48s as needed.
– 1st floor, wing 2: 1000SX fiber from the main closet to a 3550-12G, plus a 3550-48 and more 3550-48s as needed.
– (Other floors are similar)
Cisco 2900/3500
Configuration
A brief interlude into IOS
• Cisco Catalyst 2900-series switches use Cisco’s IOS operating system, which is the same OS used on their routers.
– In this class, we cover only the basic IOS commands needed for switch configuration and basic management.
– There are 5-day classes that introduce you to IOS, and then other 5-day classes offered by third parties that you take to get into some of the details.
• IOS works on levels. You have to be at the right level to issue the desired command.
– The most useful level is the “enable” level, from which you will be able to see your configurations and save (write) your configuration. Very similar to becoming “root” in Unix or “Administrator” in Windows.
– There’s also a configuration level which is used to input new commands.
• For example, to change the speed and duplex for a switch port (Cisco calls this an “interface”), you must:
– Enter enable mode
– Enter configuration mode
– Specify the interface you want to modify (e.g., FastEthernet 0/1)
– Issue the commands to change speed and duplex
IOS (Continued)
The most useful IOS commands are:
• en to enter enable mode (from which you do everything). When in enable mode, a # will appear in the prompt (Switch> becomes Switch#). At each level the prompt changes (Switch(config)# or Switch(config-if)#, etc.). You’ll see some of this in our configuration.
• show run shows the current running configuration, while show config shows the stored configuration. write stores the running configuration.
• config t to configure over the terminal (your current session).
• config net to configure over the network (download a configuration file from a tftp server).
• exit to go back one level (e.g., from the config level to the enable level, where you can write the configuration); control-Z will get you all the way back to the enable level.
Any config changes are not saved until you issue a “write” command.
What you’ll need
You’ll Need:
• A laptop or desktop computer with a serial connection.
• The special serial cable that comes with the switch.
• A crossover cable (usually hot pink or lime green)
• A network connection.
Set up:
• Turn AppleTalk off (if using an older PowerBook)
• Create a NetDB record for the switch (you need an appropriate IP address)
• Connect the serial cable (using the appropriate adapters) to the RJ-45 console port on the switch
• Connect the switch, using the crossover cable, to an Ethernet connection.
• Start a serial session.
The Old Way…
• Do basic switch network configuration:
– IP address, netmask, gateway, hostname
– passwords
• Download supplementary configuration file:
– Stanford DNS servers, standard access lists (address ranges allowed to access the switch)
• Any switch specific configuration:
– Additional access lists, spanning tree settings
The New Way…
• Copy a configuration file from the LNA Guide into a text editor.
• Make a few changes to the configuration (address, gateway, etc.)
• Paste new configuration into terminal window.
Step 1: Get a config file
• Go to the LNA Guide “Hardware” section:
– http://lna.stanford.edu/hardware.html
– Note, this page is restricted to LNAs.
• Select the link appropriate for your switch. This will open the config file in a browser window:
– 24 10/100 ports (2924, 2950-24, 3524, etc.)
– 48 10/100 ports (2950-48, 3540, 3550-48)
– All gigabit (3508, 3550-12G, 3550-12T)
• Select all this text and paste it into a text editor (e.g., Notepad in Windows, or TeachText for Mac)
Step 2: Edit the config file
• The config file you’ve accessed needs to be altered. Comments will show you what you need to change. In general, change:
– Switch IP address and default gateway
– Switch hostname (name from NetDB)
– Telnet and enable passwords
– Web access list (what IP addresses can access the switch for Web management)
– Portfast settings
Config file details:
• Change the items called out in the comments:
enable
config terminal
# Replace the address below with your switch's IP address.
# The netmask will probably not need to be changed.
interface VLAN1
ip address 172.24.00.000 255.255.255.0
no shutdown
exit
# Replace with your gateway address.
ip default-gateway 172.24.00.1
# Replace "SWITCH" with the name of the switch as shown in netdb
hostname SWITCH
Config file details (pt. 2):
• More things to change:
# Replace "SEKRIT" with the "enable" password of your switch.
# This password allows you to make changes.
enable secret SEKRIT
# Replace "SEKRIT2" with the telnet password for the switch.
# We recommend that you make this different than the enable password.
line vty 0 4
password SEKRIT2
exit
# Uncomment the line below if you DON'T want your switch to be
# running a Web server for management purposes.
#
#no ip http server
Config file details (pt. 3):
• More things to change:
# The next lines control which address ranges can manage your switches.
# You should not need to change access-list 1, which is for telnet
# access.
ip http access-class 2
access-list 1 permit 171.64.0.0 0.3.255.255
access-list 1 permit 172.24.0.0 0.3.255.255
access-list 2 permit 171.64.20.0 0.0.0.255
# Access-class 2 is for Web management. Add any net ranges that should
# be allowed to manage your switches below. The second number is
# the width of the access block. For example
# "access-list 1 permit 172.24.0.0 0.3.255.255" allows any device from
# 172.24.0.0 through 172.27.255.255 to manage the switches.
# Uncomment the line below and add your subnet(s) of choice.
#access-list 2 permit 171.64.00.0 0.0.0.255
Config file details (pt. 4):
• More things to change. Remove the portfast statement from any port that will connect to another switch.
# The instructions below enable portfast on every 10/100 port.
# We assume one of the Gigabit ports is the uplink port.
# If your uplink port is on one of the 10/100 ports,
# remove the "spanning-tree portfast" line for this port.
# If this is a distribution switch, remove the "spanning-tree portfast"
# lines from *EVERY* port that links one switch with another.
# In other words, portfast is usually a good thing for ports that
# connect to computers, printers, etc., but *NOT* a good thing for
# links that connect switches to one another.
interface FastEthernet0/1
spanning-tree portfast
interface FastEthernet0/2
spanning-tree portfast
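Step 2 is the part where mistakes creep in, so here is the editing of parts 1 through 4 done by a script instead of by hand, as an added Python example (not the LNA Guide's own tool). It renders a shortened copy of the template shown above, puts portfast on every 10/100 port except the ones you name as uplinks, and then checks the result before you paste it: that the enable and telnet passwords differ, that no template placeholders (SEKRIT, 172.24.00.000, SWITCH) were left behind, and that the management station you will connect from is actually permitted by access-list 1 (telnet) and access-list 2 (web) using Cisco's wildcard-mask rules, so that the pasted access lists do not lock you out. The hostname, addresses and passwords in the usage are constructed placeholders.

```python
"""Render and sanity-check a 2900/3500 configuration built from the LNA Guide
style template.  Added example, not the LNA Guide's tool; the template is a
shortened copy of the one in these slides, and the hostname, addresses and
passwords used in the usage are constructed placeholders."""
import ipaddress
import re

TEMPLATE = """\
enable
config terminal
interface VLAN1
ip address {ip} 255.255.255.0
no shutdown
exit
ip default-gateway {gateway}
hostname {hostname}
enable secret {enable_secret}
line vty 0 4
password {vty_password}
exit
{http_line}
ip http access-class 2
access-list 1 permit 171.64.0.0 0.3.255.255
access-list 1 permit 172.24.0.0 0.3.255.255
access-list 2 permit 171.64.20.0 0.0.0.255
{port_lines}
end
"""


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask test: a 1 bit in the wildcard means "don't care",
    so 172.24.0.0 0.3.255.255 covers 172.24.0.0 through 172.27.255.255."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def acl_permits(config: str, acl_number: int, addr: str) -> bool:
    """Evaluate a numbered standard access-list found in the config text.
    Only permit entries exist here; an unmatched address is denied, just as
    the switch's implicit deny at the end of every list would do."""
    entries = re.findall(rf"^access-list {acl_number} permit (\S+) (\S+)$",
                         config, re.M)
    return any(wildcard_match(addr, net, wc) for net, wc in entries)


def build_config(hostname: str, ip: str, gateway: str, enable_secret: str,
                 vty_password: str, uplink_ports=(), fast_ports: int = 24,
                 web_ui: bool = True) -> str:
    """Render the template; portfast goes on every 10/100 port except the
    uplinks, because a port that links two switches must not skip the
    spanning tree listening/learning delay."""
    port_lines = []
    for n in range(1, fast_ports + 1):
        port_lines.append(f"interface FastEthernet0/{n}")
        if n not in uplink_ports:
            port_lines.append(" spanning-tree portfast")
    return TEMPLATE.format(
        ip=ip, gateway=gateway, hostname=hostname, enable_secret=enable_secret,
        vty_password=vty_password,
        http_line="" if web_ui else "no ip http server",
        port_lines="\n".join(port_lines))


def check_config(config: str, admin_host: str) -> list:
    """Return a list of problems; an empty list means the file is safe to
    paste.  admin_host is the address you will manage the switch from."""
    problems = []
    secret = re.search(r"^enable secret (\S+)$", config, re.M).group(1)
    vty = re.search(r"^password (\S+)$", config, re.M).group(1)
    if secret == vty:
        problems.append("enable and telnet passwords are the same")
    if re.search(r"SEKRIT|172\.24\.00\.000|^hostname SWITCH$", config, re.M):
        problems.append("template placeholders were left in")
    # Test the access lists against your own station before the switch does.
    if not acl_permits(config, 1, admin_host):
        problems.append(f"{admin_host} would be denied telnet by access-list 1")
    if "no ip http server" not in config and not acl_permits(config, 2, admin_host):
        problems.append(f"{admin_host} would be denied web management by access-list 2")
    return problems


if __name__ == "__main__":
    cfg = build_config("polya-2924", "172.24.20.5", "172.24.20.1",
                       "Enab1e-pw", "V7y-pw", uplink_ports=(24,))
    print(cfg)
    print(check_config(cfg, "171.64.20.7") or "OK to paste")
```

The wildcard check is the inverse of a netmask: the bits set in the second number are ignored, which is why 0.3.255.255 admits four class B nets (172.24 through 172.27) and 0.0.0.255 admits a single /24. Run `check_config` with the address of the machine you will telnet from, not the switch's own address.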
Step 3: Paste
• Copy the modified config file in the text editor.
• Paste into the terminal window.
• **Done**
(Note: we have seen instances where the paste operation fails mid-way through. This is probably dependent on the terminal software used. If it does fail, paste again from the point where the failure occurs. You may want to try pasting the config file in 2-3 smaller “chunks”.)
Managing 2900s and 3500s via
the Web and Telnet
Cisco Web Interface
• Log in to the switch by its name or IP number through Netscape 4+ or IE 4+. You should use a PC — the Cisco Web management software works poorly (if at all) from Macs.
• The quality of the Web interface varies with the software version of the switch and the browser version. In general, Networking only uses the Telnet interface, because it’s much more reliable and can be accessed from any machine.
• However, the Web interface is the easiest way of doing switch software upgrades.
• When you connect via a browser, you will see a username/password dialog. Put in the enable password. Leave the name area blank.
• Click on “Web Console.”
• Note how each active port looks just like it would if you were looking at the switch. Click the “Mode” button to cycle through the modes just like you were clicking on the “Mode” button on an actual switch.
• Note: Don’t use the web interface and a telnet connection at the same time: some of your changes may not be written to the config file.
Cisco 2900 Web Interfaces
• Generation 1:
– Long narrow menu bar (not hierarchical)
• Generation 2:
– Shorter, fatter menu bar with “popup” action
• Generation 3:
– Requires Java plugin (no Mac/Linux version!)
– This is the only version for the 3500
Cisco Web Interface (Generation 1)
[Screenshot]
Cisco Web Interface (Generation 2)
[Screenshot]
Cisco Web Interface (Generation 3)
[Screenshot]
Common Switch Management Tasks
• Enabling/Disabling Ports: e.g., a hacked machine is spewing packets and we want to shut it off.
• Turning on PortFast: Bypasses the ~30 sec delay caused by spanning tree when devices are booting.
– Fixes “Your AppleTalk network is now available” warning
– Fixes some problems with Ethernet-LocalTalk bridges and any host having problems getting an address via DHCP.
• Labeling Ports. Helps you keep straight who’s plugged into each port. But, you may prefer spreadsheets/database.
• Forcing port speed/duplex: some devices don’t autonegotiate well.
• Important note: Saving changes is a separate step!
Port Commands
• Generation 1:
– PortFast: “STP” menu. Check/uncheck boxes.
– “Port” menu for other functions
• Generation 2:
– PortFast: “Device” menu, “Spanning Tree Protocol” item. Select VLAN from the list (usually there’s just 1), then click button “Modify STP parameters”. Check/uncheck boxes.
– “Port” menu, “Port Configuration” item for other functions
• Generation 3:
– “Port” menu, “Port Configuration” item for everything.
– A new window will open. Click the row of the port you want to modify and click the “modify” button.
Saving Configuration Changes
• Changes via the Web interface require 2 steps
– “Apply” changes on the screen of interest
– “Save” the change on the “System” menu
• Location of “Save” command
– Generation 1: “System” menu, “Save Configuration” button
– Generation 2: “System” menu, “System Configuration” item, “Save Configuration” button
– Generation 3: “System” menu, “Save Configuration” item
Telnet interface
• The telnet syntax is exactly the same as the format of the configuration file
• Telnet to the switch and get into enable mode. Type the “show run” command to see the current config. (“show config” shows the saved config)
• Notice the lines that look like:
– interface FastEthernet0/1
– This is where port specific information goes
• At any point you can type “?”. IOS will show you what the possible values are.
Telnet interface (cont)
• Example:
switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)#interface fastethernet 0/1
switch(config-if)#?
Interface configuration commands:
  duplex         Configure duplex operation.
  exit           Exit from interface configuration mode
  spanning-tree  Spanning Tree Subsystem
  speed          Configure speed operation.
– (There are many more commands. I’ve deleted most of them for brevity.)
switch(config-if)#speed ?
  10    Force 10 Mbps operation
  100   Force 100 Mbps operation
  auto  Enable AUTO speed configuration
Telnet interface (cont.)
switch(config-if)#duplex ?
  auto  Enable AUTO duplex configuration
  full  Force full duplex operation
  half  Force half-duplex operation
switch(config-if)#spanning-tree ?
  cost           Change an interface's spanning tree path cost
  port-priority  Change an interface's spanning tree priority
  portfast       Allow a change from blocking to forwarding
  vlan           VLAN Switch Spanning Trees
• Full example:
switch(config)#interface fastethernet 0/1
switch(config-if)#speed 100
switch(config-if)#duplex full
switch(config-if)#spanning-tree portfast
switch(config-if)#^Z    (control-Z returns to enable mode)
switch#write
Hunting Down Bad Devices
• Look at the MAC address table to find a specific device and shut down a port. (Caution: a device on another switch will be listed as being on the port connecting the switches. You don’t want to shut this port off!)
Switch>enable
Switch#show mac-address-table
Dynamic Address Count:                63
Secure Address Count:                 0
Static Address (User-defined) Count:  12
System Self Address Count:            27
Total MAC addresses:                  102
Maximum MAC addresses:                8192
Non-static Address Table:
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  -----------------
0000.0c07.ac14       Dynamic       1     FastEthernet0/24
0000.0c14.257b       Dynamic       1     FastEthernet0/24
0000.1b16.765a       Dynamic       1     FastEthernet0/24
0003.933e.b76e       Dynamic       1     FastEthernet0/24
Hunting, Part 2
• When hunting, you probably want to search for a specific address rather than looking at the whole table.
• Commands aren’t the same on all switches. Also, the format of the MAC address changes!
– Switches with IOS (2900, 3500 series):
• show mac-address-table address xxxx.xxxx.xxxx
– Switches with CatOS (4000, 5000, 6000 series):
• show cam xx-xx-xx-xx-xx-xx
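The two hunting steps above (reading the table from the previous slide, and dealing with the different MAC formats on this one), as an added Python example that is not part of the class notes: it accepts the address in IOS dotted form, CatOS dashed form or colon form, converts between them so you can paste the right spelling into either `show mac-address-table address` or `show cam`, parses the `show mac-address-table` output to find the port, and flags a port that carries many addresses, which is the uplink-to-another-switch case the caution on the previous slide warns about. The table text is the sample from the slide with one extra constructed row (`0030.65aa.1b2c` on FastEthernet0/7) added so both outcomes can be shown; the threshold of three addresses is an assumption.

```python
"""Find the port a MAC address was learned on from 'show mac-address-table'
output, in any of the MAC spellings used by IOS, CatOS or Unix tools.
Added example, not from the class notes; SAMPLE_TABLE is the slide's sample
plus one constructed row, and UPLINK_THRESHOLD is an assumed value."""
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample: the first four rows are the slide's, the last is added.
SAMPLE_TABLE = """\
Destination Address  Address Type  VLAN  Destination Port
-------------------  ------------  ----  -----------------
0000.0c07.ac14       Dynamic       1     FastEthernet0/24
0000.0c14.257b       Dynamic       1     FastEthernet0/24
0000.1b16.765a       Dynamic       1     FastEthernet0/24
0003.933e.b76e       Dynamic       1     FastEthernet0/24
0030.65aa.1b2c       Dynamic       1     FastEthernet0/7
"""

UPLINK_THRESHOLD = 3   # assumed: this many MACs on one port suggests a switch


def normalize_mac(mac: str) -> str:
    """Return the address in IOS dotted form (xxxx.xxxx.xxxx), whatever the
    separators were on input."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def catos_form(mac: str) -> str:
    """CatOS (4000/5000/6000) 'show cam' wants xx-xx-xx-xx-xx-xx."""
    digits = normalize_mac(mac).replace(".", "")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> Dict[str, str]:
    """Map each address row of the IOS output to its destination port."""
    row = re.compile(r"^([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
                     r"\s+\S+\s+\d+\s+(\S+)$", re.M)
    return {mac: port for mac, port in row.findall(text)}


def locate(text: str, mac: str) -> Tuple[Optional[str], bool]:
    """Return (port, looks_like_uplink).  A port carrying many addresses is
    probably the link to another switch, not the offending host's own port,
    so it is the wrong port to shut down."""
    table = parse_mac_table(text)
    port = table.get(normalize_mac(mac))
    if port is None:
        return None, False
    per_port = Counter(table.values())
    return port, per_port[port] >= UPLINK_THRESHOLD


if __name__ == "__main__":
    for wanted in ("00-00-0c-07-ac-14", "00:30:65:aa:1b:2c"):
        port, uplink = locate(SAMPLE_TABLE, wanted)
        print(f"{normalize_mac(wanted)} (CatOS: {catos_form(wanted)}) -> {port}"
              + ("  ** many MACs here: likely another switch, check CDP **"
                 if uplink else ""))
```

When `locate` reports the uplink flag, the next step is the CDP neighbor check on the following slide rather than a `shutdown`.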
Hunting, pt. 3
• Finding an adjacent switch with Cisco Discovery Protocol (CDP only works with Cisco):
nw-test-2950#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater
Device ID          Local Intrfce  Holdtme  Capability  Platform    Port ID
Pine-Pyramid-1.st  Fas 0/24       130      S           WS-C2924C-  Fas 0/10
• Adjacent switch is “pine-pyramid-1” (.stanford.edu is truncated)
• Documenting your network (what switches/ports connect to each other) may be more useful and faster!
Hunting, pt. 4
• Once you find a bad device, you may want to shut down the port:
nw-test-2950#config t
Enter configuration commands, one per line. End with CNTL/Z.
nw-test-2950(config)#interface fastethernet 0/1
nw-test-2950(config-if)#shutdown
nw-test-2950(config-if)#exit
nw-test-2950(config)#exit
• Make a note of what ports you shut down!
• Use the “no shutdown” command to re-enable the port.
That’s It!!
• Please give us feedback: fill out the feedback (yellow) forms.
• We add and remove content from our classes all the time. Please let us know how we can improve our courses!
– What do you want to see more of?
– What do you want less of?
• Please feel free to send me comments
– [email protected]
– (650) 725-8092
Reference
NAT Bridge Status
Look at http://whatsup.stanford.edu. Login as “guest” with no password.
Click on NAT Bridges, or Building Entrance Devices, look for your bridge. If
it’s in a green field, you’re fine. If it’s in a red field, we’ve been notified.
Network Ops staff are paged when bridges die. Please let us know (33909) if you need to turn one off or remove one.
If your bridge isn’t in the list, let us know.
If you need a replacement bridge, your Network Consultant will configure it
for you.
Hint: If you can get to the bridge, look for a constant light under Status #3.
Any combination of lights other than just one light under 3 is a problem.
If we aren’t already out there fixing it, let us know.
Cisco Catalyst 1900 Switches
You’ll Need:
• A serial cable.
• A converter to use your serial cable with the DB9 male port on the back of the hub (for older 1900’s) or the special cable that comes with the switch.
• A laptop or desktop computer with a serial connection.
• To turn AppleTalk off (if using an older PowerBook)
Set up:
• Connect the serial cable (using the appropriate adapters) to the RJ-45 Console Port (or DB9 Console Port)
• Have the IP number ready, and a label to put on the switch.
• Launch your terminal emulation program of choice (MacSamson or PCSamson are recommended)
• Start a serial session.
• Hit return a couple of times.
Catalyst 1900 Set up (Continued)
• If fresh from the factory, you’ll have an initial IP configuration option.
– Type I (or, for an older switch, N then I)
– Type I again and enter the IP number.
– Type S and enter an appropriate subnet mask (public: 255.255.0.0, private: 255.255.255.0)
– Type G and enter an appropriate gateway (e.g. 171.64.1.1 or 172.24.xx.1)
– Type M and enter a DNS server: 171.64.7.55, .77 or .99.
– Type N and choose another DNS computer.
– Type D and enter stanford.edu
– (The “M,” “N,” and “D” choices aren’t on the older 1900’s)
• Type X to finish IP configuration, X again to get to the main menu.
– Type C for console settings, and M to set a password.
– Type X until you’ve exited the console, then type Y to really exit.
Configuring the Cat 2900/3500 (Extra for Experts)
If you plan on configuring many 2900-series switches, and have write access to a directory of a tftp server, you can upload your configuration and save several steps.
After you’ve written the configuration to the switch, you can write it to your tftp server with the following command, answering each prompt in turn:
write net
[name of your host], e.g.: “tftp-server”
[name of your file, including path], e.g.: switch_configs/polya-2924.config
[hit return to accept]
Then, telnet into the tftp server and examine the file; you’ll notice the following two lines:
interface VLAN1
ip address 171.64.xx.yy 255.255.0.0
Configuring the Cat 2900/3500 (Extra for Experts 2)
You’ll want to delete the second line (the one containing the IP number for the switch you just configured), so that you don’t have one IP address propagated to all your switches.
Then, when you set up further switches, you’ll just have to put in the initial setup information. config net the file you just created on your tftp server, write the information, and you’re finished. Each subsequent switch will only take about 5 minutes to set up this way.
TFTP server software is generally free with most UNIX systems, and can be purchased and/or downloaded for Windows and Mac OS computers.
A Few Quick Commands for the Catalyst 5000-series switches.
The Catalyst 5000-series switches use yet another command line interface. It’s easier than IOS, in that you don’t have to go into or out of layers; just type the command and it’s executed. You’ll need to enter enable mode to use most of these commands. Just type en and the password.
show config to show the whole configuration
show port to show the status of each port (very useful)
show spantree to see which ports have portfast enabled.
set port name <mod_num/port_num> [port_name] to give each port a useful descriptive name.
set port duplex <mod_num/port_num> <full|half> to change duplex mode, if auto-negotiation isn’t working.
set port speed <mod_num/port_num> <4|10|16|100|auto> to change the port speed, also for auto-negotiation failure.
set spantree portfast <mod_num/port_num> <enable|disable> to enable portfast; it will warn you about the possible problems of portfast.
Appendix
Appropriate Web Sites:
Cisco Documentation: http://cisco.com/public/products_doc.shtml
This Class: http://www.stanford.edu/group/networking/NetConsult/hbs/