
Lab 1: Basic Switch Configuration

Objective
• Investigate the default configuration of a 1900 series switch.
• Configure a switch with a name and an IP address.
• Configure passwords to ensure that access to the CLI is secured.
• Save the active configuration.

Background / Preparation
Cable a network similar to the one in the diagram. We will use this diagram for the following labs.
Start a HyperTerminal session.

General Configuration Tips


• The question mark (?) and arrow keys help when entering commands.
• Each command mode restricts the set of available commands. If there is difficulty entering a
command, check the prompt and then enter the question mark (?) for a list of available
commands. The problem might be a wrong command mode or the wrong syntax.
• To disable a feature, enter the keyword no before the command; for example, no ip address

Before starting the labs, erase and reload the switch using the following procedure:
> enable
# delete vtp
This command resets the switch with VTP parameters set to factory defaults.
All other parameters will be unchanged.
Reset system with VTP parameters set to factory defaults, [Y]es or [N]o?
Enter y and press [Enter]
At the privileged exec mode, enter the following command to erase the startup configuration:
# delete nvram
This command resets the switch with factory defaults. All system parameters will revert to
their default factory settings. All static and dynamic addresses will be removed.
Reset system with factory defaults, [Y]es or [N]o?
Enter y and press [Enter]

Erase of nvram: complete


At the privileged exec mode enter the reload command as follows:
# reload
System configuration has been modified. Save? [yes/no]:
Type n and then press Enter.
Proceed with reload? [confirm] [enter]
Step 1 Examine the switch

a. What indicator lights (LEDs) are on the front of the switch?

SYSTEM: Switch is on, led colors:


Green – all POST tests passed; there are 13 tests, and the port LEDs indicate which test the switch
is executing
Orange, but switch is functional – POST detected one or more non-fatal failures; the switch is
forwarding packets, but is operating in a degraded fashion
Orange + one or more LEDs are orange – POST detected one or more fatal failures; the switch is not
operational and the management console is not available
RPS: Remote Power Supply, led colors:
Green – operational
Flashing Green – RPS and local power supply are both powered, only one power source can be
supplying power to switch
Orange – RPS failure

b. What button is on the front of the switch? What is it used for?

MODE button changes among these modes:


STAT – Port Status, led colors:
Off – no link
Green – link present
Flashing Green – port operational
Alternating Green / Orange – error frames, excessive collisions, CRC error packets
Orange – port is not forwarding, or is disabled in the management console, or is suspended due to a
MAC address violation or by STP due to loops. During the first 30 seconds after the switch boots up
or a cable is connected to a switch port, the port is not forwarding because the switch and host are
agreeing on connection parameters
UTL – Utilization of the switch, led colors:
The first third of the switch port LEDs indicates low utilization of the switch, the second third
indicates medium utilization, and the last third indicates high to very high utilization.
FDUP – which ports operate at Full Duplex, led colors:
Off – port is operating at Half Duplex
Green – port is operating at Full Duplex
100 – which ports operate at 100Mbps

Step 2 Enter privileged mode


a. Privileged mode gives access to all the switch commands. Many of the privileged commands
configure operating parameters. Therefore, privileged access should be password-protected to
prevent unauthorized use. The privileged command set includes those commands contained in
user EXEC mode, as well as the configure command through which access to the remaining
command modes is gained.

> enable
#
b. Notice the prompt changed in the configuration to reflect privileged exec mode.
Step 3 Examine the current switch configuration
a. Examine the following current running configuration file.

# show running-config
b. How many Ethernet or Fast Ethernet interfaces does the switch have? ___________________
c. What is the range of values shown for the VTY lines? _______________________________
d. Issue the following to show the current IP address of the switch.

# show ip

Step 4 Get IOS information


a. Examine the following version information that the switch reports.

# show version
b. What is the IOS version that the switch is running? _________________________________
c. What is the system image file name? ___________________________________________
d. What is the base MAC address of this switch? _____________________________________
e. Is the switch running enterprise edition software? __________________________________

Step 5 Examine the Ethernet interfaces


a. Examine the default properties of the Ethernet interfaces, e.g. fourth port:
# show interface ethernet 0/4
b. Is the interface up or down? __________________________________________________
c. What event would make the interface go up? _____________________________________
d. What is the MAC address of the interface? _______________________________________
e. What is the speed and duplex setting of the interface? _______________________________

Step 6 Examine VLAN information


a. Examine the following default VLAN settings of the Switch

# show vlan
b. What is the name of VLAN 1? ________________________________________________
c. Which ports are in this VLAN? ________________________________________________
d. Is VLAN 1 active? _________________________________________________________
e. What type of VLAN is the default VLAN? _________________________________________
Step 7 Assign a name to the switch
a. Enter enable and then the configuration mode. The configuration mode allows the management
of the switch. Enter AL Switch, the name this switch will be referred to in the following

# configure terminal
Enter the configuration commands, one for each line. End by pressing Ctrl + Z.
(config)# hostname 1900

Step 8 Set the command mode passwords


a. Set the enable password to class and the enable secret password to cisco as follows:

1900(config)# enable password level 15 class


1900(config)# enable secret cisco
b. Which password takes precedence, the enable password or enable secret password? _______

Step 9 Configure the layer 3 access to the switch


a. Set the IP address of the switch and default-gateway based on information from Windows
“ipconfig” command:
1900(config)# ip address <IP address>
1900(config)# ip default-gateway <IP address>

b. Now list the configuration using:

1900# show ip

Step 10 Examine the configuration file


a. Commands entered on Catalyst 1900 series switches are directly written into NVRAM. To see
the configuration stored there use:

1900# show running-config


b. What is displayed? ________________________________________________________
c. Are all the changes that were entered recorded in the file? ____________________________
Lab 2: Managing the MAC Address Table, Creating and Deleting Static Entries

Objective
• Manage the switch MAC table.
• Create a static address entry in the switch MAC table and test it.
• Remove the created static MAC address entry.

Step 1 Verify connectivity to connected computers


a. To verify that hosts and switch are correctly configured, ping the switch IP address from the
hosts.
b. Were the pings successful? __________________________________________________
c. If the answer is no, troubleshoot the hosts and switch configurations.

Step 2 Record the MAC addresses of both hosts


a. Determine and record the layer 2 addresses of the PC network interface cards.
PC1: ___________________________________________________________________
PC2: ___________________________________________________________________

Step 3 Determine the MAC addresses that the switch has learned
a. To determine which MAC addresses the switch has learned, use the show mac-address-table
command as follows at the privileged exec mode prompt:

1900# show mac-address-table


b. How many dynamic addresses are there? ________________________________________
c. How many total MAC addresses are there? _______________________________________
d. Why are there more MAC addresses than ports on the switch?
__________________________________________________________________________
e. How many addresses have been user defined? ___________________________________
f. Do the MAC addresses match the host MAC addresses? _____________________________

Step 4 Determine the show MAC table options


a. To determine the options the show mac-address-table command has use the ? option as
follows:
1900#show mac-address-table ?
b. How many options are available for the show mac-address-table command? __________
c. Show only the MAC addresses that were learned dynamically.
d. How many are there? _______________________________________________________
Step 5 Clear the MAC address table
a. To remove the existing MAC addresses:

1900# clear mac-address-table dynamic


b. Verify that the mac-address-table was cleared as follows:

1900# show mac-address-table


c. How many total MAC addresses are there now? ___________________________________
d. Why are there so many? ____________________________________________________
e. How many dynamic addresses are there? ________________________________________

Step 6 Determine the clear MAC table options


a. To determine the options available use the command clear mac-address-table ? at the
privileged exec mode prompt as follows:

1900# clear mac-address-table ?


b. How many options are there? _________________________________________________
c. In what circumstances would these options be used? _______________________________

Step 7 Examine the MAC table again


a. Look at the MAC address table again using the show mac-address-table command at the
privileged exec mode prompt as follows:

1900# show mac-address-table


b. How many dynamic addresses are there? ________________________________________
c. Why did this change from the last display? _______________________________________
d. If the table has not changed yet, ping the switch IP address from the hosts, or ping between
the hosts, and repeat step 7.

Step 8 Set up a static MAC address

a. Set up a static MAC address on, e.g., Ethernet interface 0/4 as follows:
Note: Use the address that was recorded for PC2 in step 2
1900(config)#mac-address-table permanent <MAC address> ethernet 0/4
b. Enter the following to verify the mac-address-table entries.

1900# show mac-address-table


c. How did the output change? _____________________________________________________
d. Clear the MAC address table and verify that your static MAC is still there.
e. Test the static entry by pinging the host.

Step 9 Remove the static MAC entry

1900(config)# no mac-address-table permanent <MAC address> ethernet 0/4


a. Enter the following to verify that the static MAC address was cleared:

1900# show mac-address-table permanent


b. How many total static MAC addresses are there now? _______________________________
Lab 3: Configuring Port Security and Portfast mode

Objective
• Configure port security on individual ports.
• Configure port for rapid Spanning Tree operation.

Securing the network is an important responsibility for a network administrator. Access layer switch
ports are accessible through the structured cabling at wall outlets in offices and rooms. Anyone can
plug a PC or laptop into one of these outlets, which makes them a potential entry point to the network
for unauthorized users. Switches provide a feature called port security. It is possible to limit the
number of addresses that can be learned on an interface, and the switch can be configured to take an
action if this limit is exceeded. Secure MAC addresses can be set statically. However, securing MAC
addresses statically can be a complex task and prone to error.

An alternative approach is to set port security on a switch interface. The number of MAC addresses per
port can be limited to 1. The first address dynamically learned by the switch becomes the secure address.

Step 1 List port security options


a. Determine the options for setting port security on interface FastEthernet 0/4:

1900(config)# interface ethernet 0/4


1900(config-if)# port secure ?
max-mac-count Maximum number of addresses allowed on the port
<cr>
b. To allow the switchport FastEthernet 0/4 to accept only one device enter port security as
follows:

1900(config-if)# port secure

Step 2 Verify the results


a. Enter the following to verify the mac-address-table entries:

1900# show mac-address-table


b. How are the address types listed for the two MAC addresses? ______________________

1900# show mac-address-table security

Step 3 Show the running configuration file


a. Are there statements that directly reflect the security implementation in the listing of the running
configuration? ____________________________________________________________
b. What do those statements mean?
Step 4 Limit the number of hosts per port
a. On interface Ethernet 0/4 set the port security maximum MAC count to 1 as follows:

1900(config)# interface ethernet 0/4


1900(config-if)# port secure max-mac-count 1
b. Disconnect the PC2 attached to FastEthernet 0/4 and connect it to another port. Connect PC1
to FastEthernet 0/4 port. It may be necessary to generate some traffic.
c. Record any observations. ___________________________________________________
__________________________________________________________________________

Step 5 Configure Portfast mode

When a switch port comes up, it normally goes through the 802.1d Spanning Tree states of Blocking,
Listening, Learning, and then Forwarding. This process can take up to 45 seconds. When Port Fast
mode (rapid spanning tree) is enabled, the Spanning Tree Protocol (STP) can transition the port's
state from Blocking to Forwarding without going through the intermediate states of Listening and Learning.
However, Port Fast mode should only be enabled on ports connecting single end stations. When
connecting to other switches, do not enable Port Fast mode on these ports, since you will start losing
BPDUs and get your network into loops. You cannot enable Port Fast mode on trunked connections.

a. To configure a port for rapid Spanning Tree operation use:

1900(config-if)# spantree start-forwarding

Before continuing with the other labs, remove port security from the configuration.
Lab 4: Password Recovery Procedure on Catalyst 1900 Series Switches
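An added example (not part of the original lab handout) that checks a switch configuration against the two points made in Lab 3: access ports should have port security with a low max-mac-count, and Port Fast (spantree start-forwarding) should not be set on a trunk port. The sample configuration is constructed, and its layout (interface stanzas listing the commands as typed in the labs), the function names and the finding labels are assumptions.

```python
import re

# Constructed sample, not captured from a real switch. Assumption: interface
# stanzas list the commands exactly as they are typed in the labs.
SAMPLE_CONFIG = """\
hostname 1900
!
interface Ethernet 0/1
!
interface Ethernet 0/2
 port secure
 port secure max-mac-count 1
 spantree start-forwarding
!
interface Ethernet 0/4
 port secure max-mac-count 8
!
interface FastEthernet 0/26
 trunk on
 spantree start-forwarding
!
interface FastEthernet 0/27
 trunk on
"""


def parse_interfaces(config_text):
    """Return {interface name: [normalized commands]} for each stanza."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        header = re.fullmatch(r"interface (\S+ \S+)", line, re.IGNORECASE)
        if header and not raw[:1].isspace():
            current = header.group(1)
            interfaces[current] = []
        elif current and line and raw[:1].isspace():
            interfaces[current].append(line.lower())
        else:
            current = None  # "!", blank line or global command ends the stanza
    return interfaces


def audit_interface(commands, max_macs=1):
    """Return finding labels (hypothetical names) for one interface."""
    findings = []
    is_trunk = "trunk on" in commands
    portfast = "spantree start-forwarding" in commands
    secured = any(c.startswith("port secure") for c in commands)
    counts = [int(m.group(1)) for c in commands
              if (m := re.fullmatch(r"port secure max-mac-count (\d+)", c))]
    if is_trunk and portfast:
        # Port Fast belongs on single end stations only, never on trunks.
        findings.append("portfast-on-trunk")
    if not is_trunk and not secured:
        # A wall-outlet port that accepts any number of devices.
        findings.append("no-port-security")
    if counts and counts[-1] > max_macs:
        # The last command entered wins; compare it with the allowed limit.
        findings.append("max-mac-count-too-high")
    return findings


def audit_config(config_text, max_macs=1):
    """Return {interface: findings} for interfaces with at least one finding."""
    report = {}
    for name, commands in parse_interfaces(config_text).items():
        findings = audit_interface(commands, max_macs)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{port}: {', '.join(findings)}")
```

Port Fast on Ethernet 0/2 is not reported because that port is an access port with port security limited to one address, which is the combination the lab recommends.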

Objective
• Gain access to the switch if the password is lost

1.) Power-cycle the switch. After POST completes, the following prompt displays:

Do you wish to clear the passwords? [Y]es or [N]o:


Note: You have ten seconds to respond. If you don't respond within that time, the Management Console
Logon screen displays. You cannot change this waiting period.
2.) Enter [Y]es to delete the existing password from Nonvolatile RAM (NVRAM).
3.) Assign a password from the switch management interfaces (management console or Command Line
Interface (CLI)).

Viewing the Password


For firmware versions between 1.10 and 3.02, you can view the password you are trying to recover
(instead of clearing it as described in the previous section).
1.) Access the diagnostic console.
2.) Press and hold the Mode button.
3.) Power-cycle the switch.
4.) Release the Mode button one or two seconds after the LED above port 1x goes off.
You will see the following logon screen:
-------------------------------------------------
Cisco Systems Diagnostic Console
Copyright(c) Cisco Systems, Inc. 1999
All rights reserved.
Ethernet Address: 00-E0-1E-7E-B4-40
-------------------------------------------------
5.) Press Enter to continue.
6.) Press Enter and select the [S] option on the Diagnostic Console - Systems Engineering menu, and
then select the [V] option on the Diagnostic Console - System Debug Interface menu to display the
management console password.
7.) If you want to change the password, select the [M] option on the Console Settings menu
8.) If you do not see this option listed, you can use the [F] option from the System Engineering menu to
revert to factory defaults. However, your whole configuration will be deleted.
VLAN Configuration

Lab 1: Configuring Static VLANs

Objective
• Create two VLANs, name them and assign member ports to them.
• Delete VLAN information

Background / Preparation
When managing a switch, the Management Domain is always VLAN 1. The Network
Administrator's workstation must have access to a port in the VLAN 1 Management Domain. All
ports are assigned to VLAN 1 by default.

Step 1 Look at the VLAN interface information


a. Type the following command at the privileged exec prompt:

1900# show vlan-membership


b. Which ports belong to the default VLAN? ________________________________________

1900# show vlan


c. How many VLANs are set up by default on the switch? ______________________________
d. What does the VLAN 1003 represent? __________________________________________
e. How many ports are in the 1003 VLAN? _________________________________________

Step 2 Create and name two VLANs


Enter the following commands to create and name two VLANs:
1900# conf t
1900(config)# vlan 2 name VLAN2
1900(config)# vlan 3 name VLAN3
Step 3 Look at the VLAN interface information
a. Type the command show vlan at the privileged exec prompt as follows:

1900# show vlan


b. Are there new VLANs in the listing? ___________

1900# show vlan-membership


c. Do they have any ports assigned to them yet? ___________

Step 4 Assign ports to VLAN 2


Assigning ports to VLANs must be done from the interface mode. Enter the following commands
to add port 2 to VLAN2:
1900# conf t
1900(config)# interface Ethernet 0/2
1900(config-if)# vlan static 2
1900(config-if)# end

Additionally, assign port 1 and 3 to VLAN 2

Step 5 Look at the VLAN interface information


a. Type the following command at the privileged exec prompt:

1900# show vlan-membership


b. Are ports 1, 2, 3 assigned to VLAN 2? ___________
c. Are ports still listed in the default VLAN? ___________

Step 6 Assign ports to VLAN 3

Repeat step 4 and 5 to additionally assign ports 4, 5 and 6 to VLAN 3.

Step 7 Look at only VLAN2 information


a. Instead of displaying all of the VLANs type the show vlan 2 command at the privileged exec
mode prompt as follows:

1900# show vlan 2


b. Does this command supply any more information than the show VLAN command? __________
Step 8 Test the VLANs

a. Ping from the host in port 0/1 to the host in port 0/3.
b. Was the ping successful? ______________________
c. Ping from the host in port 0/1 to the host in port 0/4.
d. Was the ping successful? ______________________
e. Why? ______________________________________

f. Ping from the host in port 0/1 to the switch IP address.


g. Was the ping successful? ______________________
h. Ping from the host in port 0/4 to the switch IP address.
i. Was the ping successful? ______________________
j. Why? ______________________________________

Step 9 Delete a Host from a VLAN

To remove a host from a VLAN, use the no form of the commands:

1900# conf t
1900(config)# interface Ethernet 0/2
1900(config-if)# no vlan static 2
1900(config-if)# end

Step 10 Display the VLAN Interface Information

a. Type the following command at the privileged EXEC prompt:

1900# show vlan-membership

b. Is port 0/2 removed from VLAN 2? ___________________________________________

Step 11 Delete a VLAN

a. To remove an entire VLAN use:

1900# conf t
1900(config)# no vlan 2
1900(config)#exit
Step 12 Display the VLAN Interface Information

a. Type the following command at the privileged EXEC prompt:


1900# show vlan
b. Is VLAN 2 removed? _______________________________________________________
c. What happened to the ports that were released from the VLANs? ____________________

Step 13 Delete VLAN 1


a. Try to delete VLAN 1, which is the default VLAN, the same way that you deleted VLAN 2.

Switch_A# conf t
Switch_A(config)# no vlan 1
Switch_A(config)# no vlan 1
^
% Invalid input detected at '^' marker.
Switch_A(config)#exit

b. The default VLAN cannot be deleted.


Lab 2: Trunking and Inter-VLAN routing

Objective

• Create an ISL trunk line between the switches
• Create a basic configuration on a router.
• Test the VLAN functionality

Background / Preparation

Trunking changes the formatting of the packets. The ports need to be in agreement as to which format is
being used to transmit data on the trunk, or no data will be passed. If the trunking encapsulation
differs on the two ends of the link, they will not be able to communicate. A similar situation will occur
if one of the ports is configured unconditionally in trunking mode and the other one unconditionally in
access mode.

Step 1 Create and name the VLANs


Configure the topology displayed above. Assign computers to VLAN1, VLAN2 and VLAN3 according
to the picture. The appropriate IP information can be found with the “ipconfig” command.
VLAN information will be received by VTP from the 2900XL Catalyst switch operating in VTP server
mode. Therefore, set both 1900 Catalyst switches to VTP client mode:
Switch_B# conf t
Switch_B(config)# vtp client
Switch_A# conf t
Switch_A(config)# vtp client
Step 2 Create the ISL trunk

On all Catalyst 1900 series switches, use the following commands to configure the trunk connection (here
is a sample from configuring just two of them):

1900_A(config)# interface fastethernet 0/26


1900_A(config-if)# trunk on
1900_B(config)# interface fastethernet 0/27
1900_B(config-if)# trunk on

Step 3 Verify the ISL trunk

a. To verify that port fastethernet 0/26 has been established as a trunk port, type the following at the
privileged exec mode prompt:

1900_A# show trunk

b. What type of trunking encapsulation is shown on the output results?


____________________
c. What would happen if the two ports of the trunk were using different encapsulation?
______________________________________________________________

Step 4 Test the VLANs and the trunk

Using ping, verify that hosts on the same VLAN can communicate between each other. Can they
also talk to hosts on different VLANs?

Step 5 Look at the VLAN interface information


a. On Switch_B, type the command show vlan at the privileged exec prompt as follows:

Switch_B# show vlan-membership


b. Are ports assigned correctly? _________________________________________________
Step 6 Connect and configure routers
a. 2500 series routers that do not support Inter-VLAN routing must use one physical interface for
each VLAN to be connected, as shown in the picture. Therefore, use the usual configuration
procedures.

b. For routers that do support Inter-VLAN routing, divide the physical interface into logical subinterfaces.
While using just one physical interface, you create one subinterface for each VLAN to be
connected to the router. Remember, as long as at least one of your subinterfaces is connected to the
default management VLAN, you can connect to the switch remotely through telnet:
2600(config)# interface ethernet 0/0
2600(config-if)# no shutdown
2600(config-if)# duplex full ! Set this also on the switch port F0/10
2600(config-if)# interface ethernet 0/0.1
2600(config-subif)# encapsulation dot1q 1
2600(config-subif)# ip address <VLAN IP subnet> <subnet mask>
2600(config-subif)# interface ethernet 0/0.2
2600(config-subif)# encapsulation dot1q 2
2600(config-subif)# ip address <VLAN IP subnet> <subnet mask>
2600(config-subif)# interface ethernet 0/0.3
2600(config-subif)# encapsulation dot1q 3
2600(config-subif)# ip address <VLAN IP subnet> <subnet mask>
2600(config-subif)# end

Step 7 Look at the router routing table


a. Type show ip route at the privileged exec mode prompt.
b. Are there entries in the routing table? ___________________________________________
c. What interface are they all pointing to? __________________________________________
d. Why is there not a need to run a routing protocol? __________________________________

Step 8 Test the VLANs and the trunk


All hosts should be able to talk to each other. If not then you must troubleshoot the situation.
