Switches and Configuring
Cisco Catalyst switches:
WS-C3548-XL-EN
Hunt around for the latest firmware, preferably from Cisco itself; if you end up with an image from somewhere like rapidshare, compare its MD5 against the checksum Cisco publishes for that release before you flash it.
- Find the pin-out of the console port in the Catalyst 3500 Series XL Hardware Installation Guide.
- Build a straight-through cable to that pin-out. Set your baud rate to 9600 8N1.
- Use minicom to xmodem the latest (.bin) firmware image over; it will take a while.
- Answer the config questions, set the IP address, etc.
Put the .tar version of the firmware on your tftpd-hpa server then do these commands:
enable
tar /x tftp://192.168.0.1/c3500xl-c3h2s-tar.120-5.WC17.tar flash:
Make a note of the filename, but I don't think it changed.
To set the ip address of the Management lan:
enable
configure terminal
interface vlan 1
ip address <ip_address> <subnet_mask>
exit
ip default-gateway <ip_address>
end
show running-config
To change the telnet password for all 16 possible vty sessions (the lines also need "login", which is the default on these switches, or the password is never asked for):
enable
configure terminal
line vty 0 15
password <Something>
end
show running-config
Note that telnet is cleartext, and that a line password sits in the config exactly as typed unless service password-encryption is on; even then it is only obfuscated (type 7), not hashed. Use telnet only from the management VLAN and put an access-class on the vty lines so that only your management hosts can connect.
To change the enable password (enable secret stores an MD5 hash, unlike enable password, which is kept in cleartext or reversible type 7; always use the secret form):
enable
configure terminal
enable secret <Something>
end
show running-config
To set the boot location and turn on the webserver:
enable
configure terminal
boot system flash:c3500xl-c3h2s-mz.120-5.WC17.bin
ip http server
end
reload
yes
After it reboots you can log in to the web interface; by default the username is not checked (root works) and the password is the enable secret. Since this is plain HTTP, that secret crosses the wire in the clear on every request, so leave ip http server off unless you really need the web UI, and only reach it from the management VLAN.
To change a statically assigned VLAN for a port:
enable
configure terminal
interface fa0/33
switchport mode access
switchport access vlan 1
exit
show interface fa0/33 switchport
To set up a Trunk Port (set the encapsulation before switching the mode, so the port never comes up with the default ISL encapsulation first):
configure terminal
interface fa0/33
switchport trunk encapsulation dot1q
switchport mode trunk
exit
show interface fa0/33 switchport
copy running-config startup-config
Make sure the cisco switches are using the same native VLAN between the trunk ports, and that the correct ip address is on the correct VLAN, usually 1. Better practice is to keep the management SVI off VLAN 1 and to use an otherwise unused VLAN as the native VLAN on trunks, so untagged frames from a host port can't end up in the management VLAN.
Note to have VLANs forwarded on trunk interfaces they have to exist in the VLAN db. You can add one by assigning it to a port or like this (exit applies the change):
vlan database
vlan <vlan-id> name WareBarn_IT
show
exit
To make sure that a trunk will pass it you can add this line when configuring it, though this is the default:
switchport trunk allowed vlan all
From a security point of view the default is the permissive one: a trunk that allows everything also carries the management VLAN to whatever is on the other end, so prune the list to the VLANs that actually need to cross that link.
To delete a vlan from the database:
vlan database
no vlan vlan-id
exit
show vlan brief
To save changes:
write memory
One annoying thing about Cisco switches is when you plug in a new device the port goes through a long STP negotiation and the port is blocked for 30 seconds or more. You can skip this wait by using the spanning-tree portfast command e.g.:
configure terminal
interface fastethernet 0/1
spanning-tree portfast
exit
exit
show running-config
write memory
But never use it on ports that go to other hubs, switches or routers; and where your IOS version supports BPDU guard, pair portfast with it so that a port which unexpectedly receives a BPDU is shut down instead of bridging a loop.
There are other noisy protocols that Cisco switches run by default. Some cable modems will only allow one MAC address to talk to them, and if they hear any of the switch's MACs first, then getting a DHCP lease will mysteriously fail. The Catalyst switches put the port number in the last octet for announcements like STP, but for pings and telnet sessions they use 00 in the last octet regardless of which port you're on. Turn this noise off like so:
configure terminal
no cdp run
no spanning-tree vlan 10
interface f0/17
no keepalive
exit
exit
vlan database
vtp transparent
exit
write memory
Turning CDP off and running VTP in transparent mode are good ideas on any switch: CDP advertises the platform, IOS version and management address to whoever plugs in, and in a VTP server/client domain a switch joining with a higher configuration revision can overwrite the VLAN database. Be aware that no spanning-tree vlan 10 removes loop protection for that whole VLAN, not just the modem port, so make sure nothing else in VLAN 10 can ever be looped.
Lastly you might want to play with the Mac Address Aging Time:
show mac-address-table aging-time
configure terminal
mac-address-table aging-time 15
end
If you want to back up your configs, you could make your tftpserver writeable. Remember that TFTP has no authentication and the files you upload contain the switch passwords, so bind the server to the management interface (tftpd-hpa takes --address 192.168.0.1:69 for that), firewall 69/udp from everything else, and keep the directory out of reach of other users on the server; with -U 002 uploaded files are created world-readable.
apt-get install tftpd-hpa tftp-hpa
adduser --system --home /srv/tftp --no-create-home --uid 113 --group tftp
chown tftp:tftp /srv/tftp
chmod 755 /srv/tftp
Then edit /etc/default/tftpd-hpa:
vi /etc/default/tftpd-hpa
OPTIONS="-4 -p -c -u tftp -U 002 -l -s"
killall in.tftpd
/etc/init.d/tftpd-hpa start
Copy an IOS config file over:
copy flash:config.text tftp:
Address or name of remote host []? 192.168.0.1
Destination filename [config.text]?
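Once the configs land on the TFTP server you can check them for the cleartext-management and STP problems mentioned above instead of eyeballing each one. The script below is an added example, not code from the original page or from Cisco: it parses an IOS-style config.text like the one the copy command writes, flags a missing enable secret, HTTP management, CDP left on, portfast on trunk ports, STP disabled on a VLAN, and vty lines with no access-class, and reverses any type-7 line password it finds to show that service password-encryption is obfuscation, not protection. The sample config is constructed for the demo (the enable secret hash in it is a placeholder).

```python
"""Audit an IOS config dump for cleartext management and STP mistakes.

Added example, not code from the original page: it reads a config in the
form that "copy flash:config.text tftp:" drops on the TFTP server and flags
the points made above.  The sample config is constructed for the demo; the
enable secret hash in it is a placeholder, not a real hash.
"""
import re

# Key IOS uses for "service password-encryption" (type 7) passwords.
TYPE7_KEY = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed sample in the shape the page's commands would produce.
SAMPLE_CONFIG = """\
service password-encryption
hostname WareBarn
enable secret 5 $1$placeholder$notarealhashvalue0000000
no cdp run
no spanning-tree vlan 10
ip http server
!
interface FastEthernet0/1
 spanning-tree portfast
!
interface FastEthernet0/33
 switchport trunk encapsulation dot1q
 switchport mode trunk
 spanning-tree portfast
!
interface VLAN1
 ip address 192.168.0.2 255.255.255.0
!
line vty 0 15
 password 7 0822455D0A16
 login
"""


def decode_type7(encoded):
    """Reverse a type 7 password: two-digit key offset, then XOR'd hex bytes."""
    offset = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(
        chr(b ^ ord(TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]))
        for i, b in enumerate(body)
    )


def parse_sections(config):
    """Map each column-0 line to its indented sub-lines (globals get [])."""
    sections = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit(config):
    """Return the list of findings for one config dump (empty means clean)."""
    sections = parse_sections(config)
    findings = []

    if not any(h.startswith("enable secret") for h in sections):
        findings.append("no enable secret configured")
    for header in sections:
        if header.startswith("enable password"):
            findings.append("enable password is reversible; use enable secret")
        elif header.startswith("no spanning-tree vlan"):
            findings.append("STP disabled on VLAN %s: a loop there has no protection"
                            % header.split()[-1])
    if "ip http server" in sections:
        findings.append("HTTP management on: the enable secret is sent in cleartext")
    if "no cdp run" not in sections:
        findings.append("CDP running: platform, IOS version and IP advertised on every port")

    for header, body in sections.items():
        if header.startswith("line vty"):
            for cmd in body:
                m = re.match(r"password(?: (\d))? (\S+)$", cmd)
                if m and m.group(1) == "7":
                    findings.append("%s: type-7 password recoverable as %r"
                                    % (header, decode_type7(m.group(2))))
                elif m:
                    findings.append("%s: password stored in cleartext" % header)
            if not any(cmd.startswith("access-class") for cmd in body):
                findings.append("%s: no access-class, telnet accepted from anywhere" % header)
        elif header.startswith("interface"):
            if "switchport mode trunk" in body and "spanning-tree portfast" in body:
                findings.append("%s: portfast on a trunk port" % header)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WARN", finding)
```

Point it at every config.text the server receives (for example from a cron job over /srv/tftp); the type-7 decoder is the reason the vty password needs an access-class in front of it and the enable password must be the secret form.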
Notes: WS-G5483 - 1000BASE-T GBIC transceiver, is compatible with:
http://www.pc-wholesale.com/ws-g5483.html
Sometimes the fans go out and you need to order new ones. The part number is:
BFB1012M.
Rewrite the MAC address on both router ports, but not to a random one? Then two different routers could be in a failover configuration but have the same MAC addresses for the modem VLAN(s) on the trunk port. This would raise the odds that the ISP-assigned IP address would be the same.
Dell Powerconnect switches:
Hunt around for the latest firmware, preferably on Dell support rather than a third-party mirror.
The pin-out of the console port on the Dell switches is standard 9 pin, set to 9600 8N1. There is a two-second pause during boot up during which you can press ESC to get a pre-boot menu, where you can bypass the enable password or delete files on the flash drive. Note that these files will be recreated with some minimal system defaults. This is also why physical access to the console port is the real security boundary of the switch: anyone with a serial cable and a power cycle owns it. To reset the switch to factory defaults, boot with password recovery and:
delete startup-config
It might be that when you do this the other undeletable files are also reset to defaults. Later in the boot process there is a setup wizard that will help you set the IP etc.
You can tftp the new firmware over like this:
copy tftp://192.168.0.1/PowerConnect_34xx-20034.ros image
copy tftp://192.168.0.1/PowerConnect_34XX_boot-10101.rfb boot ??
boot system image-2
show bootvar
You can also use the web front end, or use minicom to xmodem the latest (.ros) firmware image over; it will take a while. You might want to lock down the switch so that you can only configure it from the console, e.g. from your terminal server (make sure the console really works before you do this, or you will be doing the ESC-at-boot password recovery above):
configure
management access-class console-only
exit
show management access-class
To set the name and location of the switch:
configure
hostname dellsw
snmp-server location Garage
exit
show system
To set the ip address of the Management, or any, lan (ip default-gateway is a global command on these switches, so give it after leaving the interface):
configure
interface vlan 1
ip address <ip_address> <subnet_mask>
exit
ip default-gateway <ip_address>
exit
show running-config
To change the enable password:
configure
enable password <Something>
end
show running-config
To set up ssh (no ip ssh pubkey-auth turns key-based logins off and leaves password-only SSH; if your admin hosts can use keys, leave pubkey-auth on instead. SSH prompts for a username, so if the enable password alone does not get you in, create a local user with the username command and check the CLI guide for how login authentication is pointed at the local database):
configure
crypto key generate dsa
crypto key generate rsa
no ip ssh pubkey-auth
ip ssh server
exit
show ip ssh
show crypto key mypubkey
To set up https:
Note if you get an error about your certs then perhaps try importing a cert made with Tiny-CA. The certificate generated below is self-signed, so your browser will warn every time; either add an exception for it once or import a cert from your own CA. The clock has to be right first or the certificate's validity dates will be wrong.
clock set 18:00:00 28 sep 2014
configure
crypto certificate 1 generate key-generate
ip https server
exit
show crypto certificate mycertificate
show ip https
To disable http:
configure
no ip http server
exit
show ip http
To disable telnet (and plain http) with a management access list, so that only the protocols you permit reach the management plane:
configure
management access-list secure-protos
deny service telnet
deny service http
permit
exit
management access-class secure-protos
exit
show management access-class
show management access-list
Entries are matched in order, so the deny lines must come before the final permit, and only one access-class is active at a time, so this replaces the console-only class set earlier.
To create a vlan and name it:
configure
vlan database
vlan 10
exit
interface vlan 10
name Modems
exit
show vlan
To delete it instead, use no vlan 10 in vlan database mode.
To change a statically assigned VLAN for port(s)
configure
interface range ethernet e(45-46)
switchport mode access
switchport access vlan 10
end
show interfaces switchport ethernet e45
show vlan
To set up an aggregated port group (strip the VLAN config off the member port first, then add it to the channel):
configure
interface range ethernet e(48)
switchport trunk allowed vlan remove all
switchport mode access
no switchport access vlan
channel-group 1 mode auto
exit
interface port-channel 1
(then configure the port-channel itself, mode, VLANs etc., as you would a single port)
To set up a Trunk Port:
configure
interface range ethernet e(47-48),g3,g4
switchport mode trunk
switchport trunk allowed vlan add all
switchport trunk native vlan 1
end
show interfaces switchport ethernet e48
copy running-config startup-config
The allowed list is cumulative and applied in the order typed, so pick one approach: add all passes every VLAN, or prune with switchport trunk allowed vlan remove 1-4096 followed by switchport trunk allowed vlan add 1-5 to allow only the VLANs you need. (Typing add all, add 1-5 and then remove 1-4096 in that order would leave the trunk carrying nothing.) A pruned list is the safer one: an allow-everything trunk carries the management VLAN to whatever sits on the far end.
Make sure the switches are using the same native VLAN between the trunk ports, and that the correct ip address is on the correct VLAN, usually 1. Note to have VLANs forwarded on trunk interfaces they have to exist in the VLAN db. See above.
To make sure that a trunk will pass everything you must add this line when configuring it:
switchport trunk allowed vlan add all
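Because add, remove and all are applied one after another, it is easy to end up with a trunk that allows nothing, or everything, without noticing. The following is an added example, not code from the original page or from Cisco or Dell: a small model of the allowed-vlan semantics shared by the Cisco switchport trunk allowed vlan all note above and the Dell commands in this section, which takes a list of interface commands and reports the net allowed set. It assumes VLAN IDs 1-4094 and simply ignores out-of-range IDs such as 4096, where a real switch may reject the whole command; the command sequences in it are constructed from the lines on this page.

```python
"""Net effect of a sequence of "switchport trunk allowed vlan ..." commands.

Added example, not from the original page: models the add / remove /
except / all / bare-list semantics the Cisco and Dell trunk commands above
share, assuming VLAN IDs 1-4094 and commands applied in the order typed.
IDs outside 1-4094 are ignored here rather than rejected.
"""

ALL_VLANS = frozenset(range(1, 4095))

# Constructed from the Dell trunk lines on this page, in the order written.
AS_WRITTEN = [
    "switchport mode trunk",
    "switchport trunk allowed vlan add all",
    "switchport trunk allowed vlan add 1-5",
    "switchport trunk allowed vlan remove 1-4096",
    "switchport trunk native vlan 1",
]

# Same intent, pruned to the VLANs that need to cross the link.
PRUNED = [
    "switchport mode trunk",
    "switchport trunk allowed vlan remove all",
    "switchport trunk allowed vlan add 1-5",
    "switchport trunk allowed vlan add 10",
]


def parse_vlan_list(spec):
    """'1-5,10' -> {1,2,3,4,5,10}; 'all' -> every VLAN ID."""
    if spec.strip() == "all":
        return set(ALL_VLANS)
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids & ALL_VLANS  # drop IDs a switch would not have, e.g. 4096


def allowed_after(commands, start=ALL_VLANS):
    """Apply the allowed-vlan commands in order; other lines are ignored."""
    allowed = set(start)  # a fresh trunk allows everything
    for cmd in commands:
        words = cmd.split()
        if words[:4] != ["switchport", "trunk", "allowed", "vlan"]:
            continue
        op, rest = words[4], " ".join(words[5:])
        if op == "add":
            allowed |= parse_vlan_list(rest)
        elif op == "remove":
            allowed -= parse_vlan_list(rest)
        elif op == "except":
            allowed = set(ALL_VLANS) - parse_vlan_list(rest)
        elif op == "none":
            allowed = set()
        else:  # "all" or a bare list replaces the whole set
            allowed = parse_vlan_list(" ".join(words[4:]))
    return allowed


def summarize(vlans):
    """Collapse a set of IDs back into '1-5,10' form for display."""
    ids = sorted(vlans)
    if not ids:
        return "none"
    if len(ids) == len(ALL_VLANS):
        return "all"
    runs = []
    start = prev = ids[0]
    for v in ids[1:]:
        if v != prev + 1:
            runs.append((start, prev))
            start = v
        prev = v
    runs.append((start, prev))
    return ",".join(str(a) if a == b else "%d-%d" % (a, b) for a, b in runs)


if __name__ == "__main__":
    print("as written :", summarize(allowed_after(AS_WRITTEN)))
    print("pruned     :", summarize(allowed_after(PRUNED)))
```

Feed it the allowed-vlan lines from a show running-config dump for each trunk and compare the result against the VLANs you actually intend to carry; anything extra is a VLAN you are handing to the other side of the link.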
On the Dell switches they have flow-control and back-pressure turned off by default, but you probably want them on:
configure
interface range ethernet all
back-pressure
flowcontrol auto
exit
interface range port-channel 1
flowcontrol auto
end
show running-config
One annoying thing about switches is when you plug in a new device the port goes through a long STP negotiation and the port is blocked for 30 seconds or more. You can skip this wait by using the spanning-tree portfast command e.g.:
configure
interface range ethernet e(1-48)
spanning-tree portfast
end
show running-config
But never use it on ports that go to other hubs, switches or routers. Note that e(1-48) above covers every port, including e47 and e48 that the trunk section puts on the uplink, so either scope the range to host ports only or take the trunk ports back out of portfast afterwards.
There are other noisy protocols that switches run by default. Some cable modems will only allow one MAC address to talk to them, and if they hear any of the switch's MACs first, then getting a DHCP lease will mysteriously fail. Note that there doesn't seem to be a way to turn off the first and only EAP announcement packet that the Dell switches send at power up. Turn the rest of this noise off on the modem-facing ports like so:
configure
interface range ethernet e(45-46)
spanning-tree disable
no lldp enable
end
To set up the SNTP time client for Pacific time (adjust the offset and summer-time rules for your zone):
configure
clock source sntp
sntp server 192.168.0.254 poll
sntp unicast client poll
sntp unicast client enable
clock timezone -8 zone PST
clock summer-time recurring 2 sun mar 02:00 1 sun nov 02:00 zone PDT
exit
show sntp status
show clock detail
show sntp configuration
To mirror all traffic on port e45 to port e46 (e.g. for a sniffer):
configure
interface ethernet e46
switchport access vlan 1
port monitor e45
end
Whatever is plugged into e46 now sees every frame on e45, so treat the monitor port like any other place the cleartext passes and unplug or remove it when you are done.
Lastly you might want to play with the Mac Address Aging Time:
show mac-address-table aging-time
configure terminal
mac-address-table aging-time 15
end
If you want to back up your configs, set up a writable tftpd-hpa server as described in the Cisco section above (same setup and the same caveats about binding it to the management interface).
Copy a config file over:
enable
copy startup-config tftp://192.168.0.1/dellsw.conf
copy running-config tftp://192.168.0.1/dellsw.conf
copy tftp://192.168.0.1/dellsw.conf startup-config
Notes:
Possible SFP modules:
10/100/1000BASE-T Copper Ethernet SFP:
http://www.antaira.com/products/sfp-modules/dell/gigabit-modules/copper/sfp-c?pid=3342
NEW Dell 310-7225 Compatible 1000BASE-T SFP Transceiver Module:
http://www.fiberstore.com/-p-13277.html?currency=USD&gclid=CL2Ijd_Hh8ECFU1cfgod8YoAeQ
Sometimes the fans go out and you need to order new ones. The part number is: ??
The MAC-address rewrite idea for failover routers is the same one noted at the end of the Cisco section.
--
ClifCox - 30 Sep 2014