Commands for IOS-enabled switches (e.g., 2900XL, 2950, 1900, and 3550) are almost identical to those on the IOS routers, which makes them fit nicely into the scope of this book. To connect a switch to the network, we must first configure the management port, as described next.
14.3.1. Configuring the Management Port (VLAN 1)
In order to access a switch remotely with telnet (SSH is not yet available on switches), ping, or SNMP, we need to supply a few basic pieces of information, including the IP address, subnet mask, and a default gateway.
We won't be applying the IP address to a physical interface; in fact, you should never configure a physical switch interface with an IP address unless it's a layer 3 switch. Instead, we apply the address to a logical interface. If you look at a default configuration of one of the IOS-based switches that we mentioned previously, you will see the physical ports, such as interface fastethernet0/1 through interface fastethernet0/24. You will also see interface VLAN 1. This does not correspond to a physical port; it is a logical port. By default, VLAN 1 is the management VLAN. Protocols that help manage the network between devices, such as CDP or VTP, travel over the management VLAN. When we assign an IP address to a switch, we configure it on the logical VLAN interface. You can configure the default management VLAN 1 with an IP address; however, any VLAN to which you assign an IP address becomes the management VLAN.
Figure 14-3 illustrates a very simple network, consisting only of a router and a switch. In our example network, you can imagine that we just replaced a hub with our new switch. Now that we have swapped our hub for a new switch, we need to configure it.
Figure 14-3. Basic switch connection to the network
14.3.2. Simple Switch Configuration
In this configuration, we are going to set VLAN 1 (the management VLAN for the switch) to 192.168.1.1/24 and our default gateway to the IP address of the router, which is 192.168.1.254/24.
Here's the configuration file for Switch 1 from Figure 14-3:
    ! Set the hostname
    hostname switch1
    ! Configure the management VLAN interface
    interface VLAN1
     description Our management VLAN for the switch
     ip address 192.168.1.1 255.255.255.0
     no shutdown
    !
    ! Set the default gateway
    ip default-gateway 192.168.1.254
    !
    ! Configure the port that connects to router1
    interface fastethernet 0/3
     description Connection to router1
     no shutdown
Now that we have our management VLAN configured, we can ping back and forth from the router to the switch.
    switch1#ping 192.168.1.254
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/6 ms
The output of the show VLAN brief command shows all the interfaces currently in VLAN 1, which is what we'd expect since we haven't yet configured them into different VLANs:
    switch1#show VLAN brief
    VLAN Name                          Status    Ports
    ---- ----------------------------- --------- ------------------------------
    1    default                       active    Fa0/1, Fa0/2, Fa0/3, Fa0/4,
                                                 Fa0/5, Fa0/6, Fa0/7, Fa0/8,
                                                 Fa0/9, Fa0/10, Fa0/11, Fa0/12,
                                                 Fa0/13, Fa0/14, Fa0/15, Fa0/16,
                                                 Fa0/17, Fa0/18, Fa0/19, Fa0/20,
                                                 Fa0/21, Fa0/22, Fa0/23, Fa0/24
The show mac-address-table command displays all the MAC addresses the switch has learned so far, which, in this case, is the MAC address of the router:
    switch1#show mac-address-table
    Dynamic Address Count:                 1
    Secure Address Count:                  0
    Static Address (User-defined) Count:   0
    System Self Address Count:             47
    Total MAC addresses:                   48
    Maximum MAC addresses:                 2048
    Non-static Address Table:
    Destination Address  Address Type  VLAN  Destination Port
    -------------------  ------------  ----  --------------------
    00b0.64f3.5ae0       Dynamic          1  FastEthernet0/3
14.3.3. Auto Detection
On our interfaces, we have the ability to leave the speed and duplex settings in auto negotiate, which means that the device will try to detect and set them automatically. Unfortunately, these auto-sensing features are notoriously bad at choosing the correct setting. Furthermore, an incorrect duplex setting can result in serious network latency and intermittent connectivity.
At half duplex, it is possible for both devices to sense that the wire is available and to transmit at the exact same time, which results in a collision. Collisions are considered normal. However, a ratio of errors to total traffic of more than one percent indicates that something else might be wrong.
At full duplex, the collisions counter is not active. A duplex mismatch causes impaired collision handling. It's always a good idea to set these values explicitly in interface configuration with the speed and duplex commands.
    interface fastethernet 0/3
     speed 100
     duplex full
To verify the settings, use the show interface command, just as you would on a router:
    switch#show interface fastethernet0/3
    FastEthernet0/3 is up, line protocol is up
      Hardware is Fast Ethernet, address is 0030.809b.9f83 (bia 0030.809b.9f83)
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, rely 255/255, load 1/255
      Encapsulation ARPA, loopback not set, keepalive not set
      Full-duplex, 100Mb/s, 100BaseTX/FX
      ARP type: ARPA, ARP Timeout 04:00:00
      ...
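The advice to set speed and duplex explicitly can be checked across a saved configuration. This added example (not from the book) parses interface stanzas and reports enabled physical ports that are still left to auto-negotiate; the sample configuration is constructed from this section's stanzas, and the function names are hypothetical.

```python
import re

# Constructed sample: interface stanzas in the style of this section's
# switch1 configuration; only Fa0/3 has both speed and duplex set.
SAMPLE_CONFIG = """\
interface VLAN1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface FastEthernet0/1
 switchport access vlan 2
!
interface FastEthernet0/3
 speed 100
 duplex full
!
interface FastEthernet0/4
 duplex full
!
interface FastEthernet0/7
 shutdown
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} for each interface stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S.*)$", line, re.IGNORECASE)
        if m:
            current = stanzas.setdefault(m.group(1).replace(" ", ""), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip().lower())
        else:
            current = None  # "!" or a global command ends the stanza
    return stanzas

def autonegotiating_ports(config):
    """Enabled physical ports missing an explicit speed or duplex setting."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if name.lower().startswith("vlan") or "shutdown" in cmds:
            continue  # logical interface, or administratively down
        missing = [kw for kw in ("speed", "duplex")
                   if not any(re.match(rf"{kw}\s+(?!auto)\S", c) for c in cmds)]
        if missing:
            findings[name] = missing
    return findings

print(autonegotiating_ports(SAMPLE_CONFIG))
```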
14.3.4. Sample VLAN Configuration
In our previous example, we configured only the management VLAN for the switch (VLAN 1). To make our network more realistic, let's split our network up into four VLANs: VLAN 1, VLAN 2 (Human Resources), VLAN 3 (Development), and VLAN 4 (Sales).
Figure 14-4 shows how these VLANs will be configured in our network.
Figure 14-4. Splitting up the network with VLANs
As you can see, VLAN 2 (Human Resources) and VLAN 3 (Development) each have routers for their subnets while VLAN 4 (Sales) is simply composed of three hosts that are directly connected to the switch.
14.3.5. VLAN Interface Commands
To make an interface a member of a VLAN, use the switchport access command on each interface. In very simple terms, this command assigns an interface to each VLAN. The following configuration shows the switch commands for the network illustrated in Figure 14-4:
    !
    interface FastEthernet0/1
     description HR router (VLAN 2)
     switchport access VLAN 2
    !
    interface FastEthernet0/2
     description Development router (VLAN 3)
     switchport access VLAN 3
    !
    ! This is our router connection from before
    ! no VLAN setting here - yet!
    interface FastEthernet0/3
     description Connection to Router1
    !
    interface FastEthernet0/4
     description Sales1 (VLAN 4)
     switchport access VLAN 4
    !
    interface FastEthernet0/5
     description Sales2 (VLAN 4)
     switchport access VLAN 4
    !
    interface FastEthernet0/6
     description Sales3 (VLAN 4)
     switchport access VLAN 4
    !
Now, when we run show VLAN brief, we see that the interfaces are in the VLANs that we expect them to be in:
    Switch1#show VLAN brief
    VLAN Name                             Status    Ports
    ---- -------------------------------- --------- ---------------------------
    1    default                          active    Fa0/3, Fa0/7, Fa0/8, Fa0/9,
                                                    Fa0/10, Fa0/11
    2    VLAN0002                         active    Fa0/1
    3    VLAN0003                         active    Fa0/2
    4    VLAN0004                         active    Fa0/4, Fa0/5, Fa0/6
That's great! We've configured our VLANs just the way we want them. However, there's a big problem with this network. As you might recall from our previous discussion, each VLAN is a separate subnet, which means that VLANs 2, 3, and 4 are all logically separated. Router 1 can access only VLAN 1 in this configuration, which means that the other VLANs can't access each other or Router 1. So what do we do? We need to make Router 1 a member of all VLANs. To do that, we need to employ trunking.
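As an added example (not from the book), the following parses show VLAN brief output, including wrapped port lines, and lists the ports that still sit in management VLAN 1 alongside the switch's own IP address. The column layout of the sample is reconstructed from the listing above, and mgmt_vlan and uplinks (Fa0/3, the Router1 connection) are assumed parameters.

```python
import re

# Values taken from the "show VLAN brief" listing above; the column layout
# and line wrapping are reconstructed for this example.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- ---------------------------
1    default                          active    Fa0/3, Fa0/7, Fa0/8, Fa0/9,
                                                Fa0/10, Fa0/11
2    VLAN0002                         active    Fa0/1
3    VLAN0003                         active    Fa0/2
4    VLAN0004                         active    Fa0/4, Fa0/5, Fa0/6
"""

def parse_vlan_brief(text):
    """Return {vlan id: {"name", "status", "ports"}}, joining wrapped lines."""
    vlans, last = {}, None
    for line in text.splitlines():
        row = re.match(r"(\d+)\s+(\S+)\s+(\S+)\s*(.*)$", line)
        if row:
            last = int(row.group(1))
            vlans[last] = {"name": row.group(2), "status": row.group(3), "ports": []}
            ports = row.group(4)
        elif line.startswith(" ") and last is not None:
            ports = line  # continuation of the previous VLAN's port list
        else:
            continue  # header, separator, or blank line
        vlans[last]["ports"] += [p for p in re.split(r"[,\s]+", ports) if p]
    return vlans

def ports_in_management_vlan(text, mgmt_vlan=1, uplinks=("Fa0/3",)):
    """Ports that share the management VLAN, minus known uplinks (assumed)."""
    vlan = parse_vlan_brief(text).get(mgmt_vlan, {"ports": []})
    return [p for p in vlan["ports"] if p not in uplinks]

print(ports_in_management_vlan(SHOW_VLAN_BRIEF))
```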