Standard Cisco Switch Configuration
Switch Configuration Standards
VLAN 1 and Switch Management
Switched networks employ several control protocols that work to ensure the smooth flow of user data across the network. This section discusses the significance of VLAN 1 and its relevance to the switch control protocols used in a switched network environment. The section also establishes the Organization’s standards for configuring a switch to be administered remotely.
VLAN 1
VLAN 1 carries special significance in a Cisco switching environment. It is used for several switch control protocols, including VLAN Trunking Protocol (VTP), Port Aggregation Protocol (PAgP), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP). All these inter-switch protocols use VLAN 1 to communicate vital switching information throughout the network.
The control protocols mentioned above are critical to the normal operation of a switched network. Excessive interference with these communication processes could result in degraded conditions or interruptions to the normal flow of user data.
Because of the importance of control protocol communications, VLAN 1 should not be used for user data traffic, but instead reserved for the control protocols.
The Organization reserves VLAN 1 exclusively for these vital inter-switch communication processes.
SC0 Interface
Configuring a switch or router is normally accomplished in one of two ways: the administrator can either attach directly to the switch via the switch’s console port, or connect remotely via a telnet or ssh session. On an L3 switch or a router, the administrator can simply connect to one of the L3 interfaces. On a CatOS-based switch, which does not operate at the network layer, the administrator must connect to a virtual L3 interface, known as the switch console interface (sc0).
By default, all interfaces of a Cisco switch reside in VLAN 1. To avoid interference with the switch’s control plane protocols operating in VLAN 1, the recommended best practice is to move the sc0 interface to another VLAN specifically designated for management purposes.
The Organization places the sc0 interface of all its CatOS switches in the VLAN designated for network management. At Wacker Drive, VLAN 7 is used for management. The BRC uses VLAN for management.
Like a VTY interface on a router, the sc0 interface can be protected with a password. The Organization uses passwords to limit network access to its switches.
AAA
AAA stands for Authentication, Authorization, and Accounting. As its name suggests, AAA is a framework that allows better control over who is allowed to administer a switch and what commands those administrators are allowed to perform. The accounting function keeps a record of all users logging into a switch and what configuration changes are made.
The biggest advantage of AAA is that it creates a level of accountability for network changes that is unavailable with shared passwords.
VLAN Trunking Protocol (VTP)
VLAN Trunking Protocol (VTP) is a Cisco-proprietary mechanism used to easily manage VLANs across an enterprise. With VTP in place, the administrator can configure VLANs on a switch designated as a VTP server and have those VLAN configurations automatically propagated across the enterprise. Using VTP to automatically manage VLANs streamlines the configuration process and reduces the chances of introducing configuration mistakes.
To utilize VTP, Cisco switches must be configured to participate in a VTP domain. The domain is made up of VTP servers and VTP clients; a switch must be configured as one or the other to participate in the domain. The following list identifies the various elements of VTP configuration and explains how each VTP setting is used at FHBLC.
- VTP Mode: The VTP Mode setting designates a switch’s status within the VTP structure. A switch can be configured to function in one of three modes: VTP Server, VTP Client, or VTP Transparent. The core 6509 switches at Wacker and BRC are each configured as VTP Servers (we use 2 VTP Servers at each site for redundancy’s sake). All other switches are configured in either VTP Client or VTP Transparent mode. VTP Transparent mode is used when a switch should not participate in VTP, but should pass along VTP traffic to other switches that are VTP participants.
The VTP mode is configured as follows:
On a CatOS switch:
Switch> (enable) set vtp mode {client | server | transparent}
On an IOS switch:
Switch(vlan-config)# vtp {server | client | transparent}
- VTP Domain: All switches participating in VTP must be part of a VTP domain to send or receive VTP information. By default, the VTP domain is not set.
The VTP domain is configured as follows:
On a CatOS switch:
Switch> (enable) set vtp domain domain-name
On an IOS switch:
Switch(vlan-config)# vtp domain domain-name
- VTP Version: VTP version 1 is the default. VTP version 2 is required for certain additional features, such as Token Ring support. All switches in the VTP domain must use the same VTP version. The Organization uses VTP version 1 on its switches.
The VTP version is configured as follows:
On a CatOS switch:
Switch> (enable) set vtp v2 {enable | disable}
On an IOS switch:
Switch(vlan-config)# vtp v2-mode
- VTP Password: For added security, communications between servers and clients can be password protected. This feature is most useful in mixed environments where multiple organizations share the same network. The Organization does not currently use VTP passwords.
The VTP password is configured as follows:
On a CatOS switch:
Switch> (enable) set vtp passwd password
On an IOS switch:
Switch(vlan-config)# vtp password password
- VTP Pruning: VTP Pruning limits broadcast traffic through the switched network by limiting broadcasts to switches with active ports in a given VLAN. VTP Pruning is disabled by default; the Organization enables VTP pruning to limit broadcast traffic to those switches that need to hear it.
VTP Pruning is configured as follows:
On a CatOS switch:
Switch> (enable) set vtp pruning enable
On an IOS switch:
Switch(vlan-config)# vtp pruning
Spanning Tree Protocol (STP)
A switched network designed for high availability must include redundant physical paths throughout the topology. However, a switched topology with physical redundancy must also have a single logical path through the network, in order to avoid switching loops. The Spanning Tree Protocol (STP) is used to determine the optimum loop-free path through a switched network.
PVST+
To make the best use of redundant hardware, Cisco switches are capable of using a variant of the original Spanning Tree Protocol, known as Per-VLAN Spanning Tree Protocol.[2] PVST+ is the default for newer Cisco switches, and it is a good choice for ORGANIZATION because it provides the network administrator with the ability to balance user data traffic across all its LAN equipment.
STP Root
Spanning tree creates a single logical loop-free switching path (sometimes referred to as a tree) through a network. To eliminate loops, one switch is selected as the root bridge (switch), and all other switches make their forwarding decisions based on their connectivity to the root bridge. Each switch designates a root port – the port with the best path to the root bridge. All other uplink ports are placed into blocking mode. Figure 1 illustrates how spanning tree works on a simple network topology. The paths with red X’s represent ports placed into blocking mode.
Manually setting the root for each VLAN makes the network stable and ensures optimum traffic flow throughout the network. On the CatOS-based core switches at the Organization, the command to designate a switch as the root for a particular VLAN is:
set spantree root [vlan]
To set a switch as the secondary root, (which becomes the STP root should the primary fail), the following command is used:
set spantree root secondary [vlan]
The “set spantree root” command modifies several STP parameters to make the switch the “best” choice for root bridge. At ORGANIZATION, each of the two core switches is configured to ensure that one or the other will always be selected as the root bridge for each VLAN.
STP UplinkFast
In the event that a switch’s primary uplink to the root bridge becomes unavailable, the switch has to select an alternate path to the root. Normally, the entire spanning tree algorithm would have to run before selecting an alternate path, which takes approximately 30 seconds. During this period, no traffic from the access switch is forwarded to the core.
In a high-availability network environment, this interruption in service is unacceptably long. Fortunately, Cisco switches offer a tweak to STP that allows the switch to skip over the first parts of the STP algorithm and begin forwarding traffic almost immediately. This feature is called Spanning Tree Uplinkfast. The Uplinkfast feature is enabled with the following command:
On a CatOS switch:
Switch> (enable) set spantree uplinkfast enable
On an IOS switch:
Switch(config)# spanning-tree uplinkfast
The UplinkFast feature is intended for use only on access-level switches. UplinkFast also automatically raises the switch’s bridge priority (making it a less attractive choice for STP root) to ensure that a switch with UplinkFast enabled will not become a root bridge.
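As an added illustration of the two sections above (this is not part of the original standard and not Cisco code), the following Python models the per-VLAN root election that PVST+ performs: first with every switch at its default priority, then after the core switches are set as primary and secondary root for each VLAN, and then with one core switch removed. The switch names and MAC addresses are constructed, and the priority values attributed to set spantree root, set spantree root secondary and set spantree uplinkfast enable (8192, 16384 and 49152) are assumptions modelled on CatOS defaults rather than values taken from the page.

```python
# Added example (not from the original standard and not Cisco code): simulate the
# per-VLAN root bridge election that PVST+ performs, before and after the core
# switches are configured as primary/secondary root, and after one core fails.
# The priority values assigned by 'set spantree root', 'set spantree root
# secondary' and 'set spantree uplinkfast enable' are assumptions modelled on
# CatOS defaults; bridge names and MAC addresses are constructed.

DEFAULT_PRIORITY = 32768
ROOT_PRIMARY_PRIORITY = 8192      # assumed: value applied by 'set spantree root'
ROOT_SECONDARY_PRIORITY = 16384   # assumed: value applied by 'set spantree root secondary'
UPLINKFAST_PRIORITY = 49152       # assumed: value applied by 'set spantree uplinkfast enable'


class Bridge:
    def __init__(self, name, mac):
        self.name = name
        self.mac = mac            # constructed MAC address; the election tie-breaker
        self.priority = {}        # VLAN -> configured priority (absent: default)

    def bridge_id(self, vlan):
        # Lowest bridge ID wins: compare priority first, then MAC address.
        # (Real PVST+ also folds the VLAN ID into the priority field; that does
        # not change the ordering shown here.)
        return (self.priority.get(vlan, DEFAULT_PRIORITY), self.mac)


def set_spantree_root(bridge, vlan, secondary=False):
    """Model of 'set spantree root [secondary] <vlan>' lowering the bridge priority."""
    bridge.priority[vlan] = ROOT_SECONDARY_PRIORITY if secondary else ROOT_PRIMARY_PRIORITY


def set_spantree_uplinkfast(bridge, vlans):
    """Model of UplinkFast raising the priority so an access switch never becomes root."""
    for vlan in vlans:
        bridge.priority[vlan] = UPLINKFAST_PRIORITY


def elect_root(bridges, vlan):
    """Return the name of the bridge with the lowest bridge ID for this VLAN."""
    return min(bridges, key=lambda b: b.bridge_id(vlan)).name


def build_topology(configured):
    vlans = [7, 10, 20]
    core_a = Bridge("core-a", "00:00:0c:00:00:aa")
    core_b = Bridge("core-b", "00:00:0c:00:00:bb")
    access = Bridge("access-1", "00:00:0c:00:00:01")  # lowest MAC: wins if nobody sets priorities
    if configured:
        # Balance traffic: core-a is root for VLANs 7 and 10, core-b for VLAN 20,
        # and each is secondary root for the other's VLANs.
        for vlan in (7, 10):
            set_spantree_root(core_a, vlan)
            set_spantree_root(core_b, vlan, secondary=True)
        set_spantree_root(core_b, 20)
        set_spantree_root(core_a, 20, secondary=True)
        set_spantree_uplinkfast(access, vlans)
    return [core_a, core_b, access], vlans


def roots_per_vlan(configured=True, failed=None):
    """Map each VLAN to its elected root, optionally with one bridge removed."""
    bridges, vlans = build_topology(configured)
    alive = [b for b in bridges if b.name != failed]
    return {vlan: elect_root(alive, vlan) for vlan in vlans}


if __name__ == "__main__":
    print("default priorities:", roots_per_vlan(configured=False))
    print("standard applied:  ", roots_per_vlan())
    print("core-a failed:     ", roots_per_vlan(failed="core-a"))
```

With default priorities the access switch, having the lowest MAC address, wins every election; that is the instability the standard avoids by setting an explicit root and secondary root on the core switches. Removing core-a moves its VLANs to core-b, and the UplinkFast-raised priority keeps the access switch from ever being chosen.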
Spanning Tree Portfast and BPDU Guard
When a switch port first comes online in a network running spanning tree, the switch must first run the spanning tree algorithm to determine whether or not the port should be put into blocking mode. With the default timers, this process takes about 50 seconds. This initial hold time can interfere with some client networking processes, so Cisco has a feature that effectively disables spanning tree on a given port.
This feature, called Spanning Tree Portfast, skips over the listening and learning phases and places the port immediately into forwarding status. Portfast can be enabled or disabled globally, but the recommended practice is to enable or disable Portfast on a per-port basis. Portfast is enabled on a per-port basis as follows:
On a CatOS switch:
Switch> (enable) set spantree portfast mod/port {enable | disable}
On an IOS switch:
Switch(config-if)# spanning-tree portfast
When Portfast is enabled, Spanning Tree is effectively disabled for that port. The downside of this behavior is that if a switch is inadvertently attached to a port with Portfast enabled, a switching loop could be introduced. To prevent this from happening, a mechanism called BPDUGuard can be used in concert with Portfast.
Since a Portfast-enabled port should never be connected to another switch, the port should never receive a BPDU frame. BPDUGuard prevents switching loops by disabling a port if a BPDU frame is received. The port can be manually re-enabled once the situation is corrected. BPDUGuard is configured as follows:
On a CatOS switch:
Switch> (enable) set spantree bpdu-guard mod/port {enable | disable}
On an IOS switch:
Switch(config-if)# spanning-tree bpduguard enable
EtherChannel
When a single link between two switches cannot provide the required bandwidth, up to eight links can be configured to act as a single logical link. Cisco calls this mechanism EtherChannel. Today, the ORGANIZATION switched network uses EtherChannel in just two spots: the link between the core switches at each location. Today’s bandwidth requirements do not warrant EtherChannel configurations in other areas, such as the uplinks between access switches and the core. EtherChannel is configured as follows:
On a CatOS switch:
Switch> (enable) set port channel mod/port [admin group]
Switch> (enable) set port channel mod/port mode {on|off|desirable|auto}
Note that the port channel mode sets how the Port Aggregation Protocol (PAgP) will behave. PAgP should be configured in desirable mode on both ends, which causes the channel to be auto-negotiated.
On an IOS switch, configure each physical interface to participate in a channel group:
Switch(config-if)# channel-group number mode {on|off|desirable|auto}
Then configure the port channel interface parameters:
Switch(config)# interface port-channel number
Link Integrity
Unidirectional Link Detection (UDLD)
Occasionally a link between switches will function correctly in one direction, but not the other. That is, a switch port may be able to receive, but not send, data on a particular port. This situation can lead to spanning tree problems, since one switch might consider a link down when its neighbor thinks the link is still up.
To address this problem, Cisco introduced a mechanism to monitor link integrity, called Unidirectional Link Detection (UDLD). UDLD will monitor a port for bidirectional connectivity and disable the port if link integrity becomes compromised.
The Organization’s standard is to run UDLD on all inter-switch connections. UDLD is configured with the following commands:
On a CatOS switch:
Switch> (enable) set udld enable mod/port
On an IOS switch:
Switch(config-if)# udld enable
Trunk Ports
Trunk Encapsulation
Trunk ports are used to carry multiple VLANs over a single physical interface. This is accomplished by designating, or tagging, frames as members of a particular VLAN. Cisco refers to the process of tagging frames as trunk encapsulation. Cisco switches support two trunk encapsulation types: Inter-Switch Link (ISL) and IEEE802.1Q (dot1q). ISL encapsulation is a Cisco proprietary trunk encapsulation, and is the only encapsulation method available on older switches. Dot1Q encapsulation is an industry standard, and it is the recommended trunk encapsulation method for modern networks (some newer Cisco switches do not even support ISL encapsulation).
The Organization will use IEEE 802.1Q encapsulation for all of its trunk links. Trunk encapsulation mode is configured with the following commands:
On a CatOS switch:
Switch> (enable) set trunk mod/port desirable {isl | dot1q}
On an IOS switch:
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode dynamic desirable
DTP
A physical port can be manually configured as a trunk, or it can be configured to negotiate trunking status via the Dynamic Trunking Protocol (DTP).
Cisco’s recommended best practice for trunk ports is to allow DTP to dynamically configure trunk status. The reason for using DTP instead of manually configuring a trunk is that DTP will ensure proper trunk formation, whereas manually configuring a trunk to “on” mode may result in a port showing trunk status on even when the neighbor is mis-configured. To configure dynamic trunking on a Cisco switch, use the following commands:
On a CatOS switch:
Switch> (enable) set trunk mod/port desirable dot1q
On an IOS switch:
Switch(config-if)# switchport mode dynamic desirable
Edge Ports
Speed and Duplex
Cisco recommends allowing the switch and the host device to automatically negotiate the appropriate speed and duplex settings. It requires the least configuration, and it is the method
On a CatOS switch:
Switch> (enable) set port speed mod/port auto
Switch> (enable) set port duplex mod/port auto
On an IOS switch:
Switch(config-if)# speed auto
Switch(config-if)# duplex auto
In some cases, auto negotiating speed and duplex may not work correctly, or an administrator may prefer to know that a host is connected to the network at the fastest possible speed (e.g., a server). In these cases, speed and duplex can be configured manually, but care must be taken to also configure the appropriate speed and duplex settings on the host.
The Organization uses both approaches to setting speed and duplex for host ports. Auto-negotiated speed and duplex are used where appropriate, such as a user workstation VLAN. In other areas of the network, such as switch-router connections, the Organization prefers to set speed and duplex manually.
Enabled or Disabled
By default, Cisco switch ports are all enabled. This represents a potential risk, since an unauthorized user could potentially gain access to the network, or a mis-configured device could potentially disrupt normal traffic flows.
For the above reasons, the Organization disables switch ports by default, and enables them as necessary for new connectivity.
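The following Python is an added example, not part of the original standard and not Cisco code, that audits an IOS running-config against the port standards set out in the Portfast/BPDU Guard, UDLD, Trunk Encapsulation and Enabled or Disabled sections above: every enabled edge port must have Portfast and BPDU Guard and must not carry user data in VLAN 1, every enabled trunk must use dot1q encapsulation and run UDLD, and a shut-down port is compliant as it stands. The sample configuration is constructed for the example. Treating either udld port or udld enable on an interface as UDLD being on is an assumption made to cover the interface-level form used by different IOS releases.

```python
# Added example (not part of the original standard and not Cisco code): audit an
# IOS running-config against the edge- and trunk-port standards described above.
# The sample configuration below is constructed for the example. The check accepts
# either 'udld port' or 'udld enable' on an interface as UDLD being on, an assumption
# that covers the interface-level form used by different IOS releases.
import re

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description user workstation, compliant
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 description user workstation, missing BPDU guard
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface FastEthernet0/3
 description enabled port left at defaults (VLAN 1, no portfast)
 switchport mode access
!
interface FastEthernet0/4
 shutdown
!
interface GigabitEthernet0/1
 description uplink to core, compliant
 switchport trunk encapsulation dot1q
 switchport mode dynamic desirable
 udld port
!
interface GigabitEthernet0/2
 description uplink using ISL and no UDLD
 switchport trunk encapsulation isl
 switchport mode dynamic desirable
!
"""


def parse_interfaces(config):
    """Return {interface name: set of indented config lines} for each interface block."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = set()
        elif raw.startswith(" ") and current is not None:
            interfaces[current].add(raw.strip())
        else:
            current = None  # '!' or any top-level line closes the block
    return interfaces


def is_trunk(lines):
    return any(
        l.startswith("switchport trunk encapsulation")
        or l.startswith("switchport mode dynamic")
        or l == "switchport mode trunk"
        for l in lines
    )


def audit_interface(lines):
    """Return the list of standard violations for one interface (empty = compliant)."""
    if "shutdown" in lines:
        return []  # disabled: matches the disabled-by-default standard, nothing else to check
    findings = []
    if is_trunk(lines):
        if "switchport trunk encapsulation dot1q" not in lines:
            findings.append("trunk encapsulation is not dot1q")
        if not ({"udld port", "udld enable"} & lines):
            findings.append("UDLD not enabled on inter-switch link")
    else:
        if "spanning-tree portfast" not in lines:
            findings.append("portfast missing on edge port")
        if "spanning-tree bpduguard enable" not in lines:
            findings.append("BPDU guard missing on edge port")
        m = next((re.match(r"switchport access vlan (\d+)", l) for l in lines
                  if l.startswith("switchport access vlan")), None)
        if m is None or m.group(1) == "1":   # no access vlan configured means VLAN 1
            findings.append("edge port carries user data in VLAN 1")
    return findings


def audit_config(config):
    """Map each interface name to its list of violations."""
    return {name: audit_interface(lines) for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Running it against a real device's show running-config output (pasted into SAMPLE_CONFIG or read from a file) lists, per interface, which of the standards above is not met; a port that is administratively shut down produces no findings, which is exactly the state the disabled-by-default standard expects for unused ports.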
[1] The 6500 series switches can run either in hybrid mode, which uses CatOS on the Supervisor and IOS on the MSFC; or in native mode, which uses IOS to control both switching and routing functions. Some features are only available in one mode or another: the Organization chooses to operate its 6500 switches in hybrid mode primarily because of the stateful supervisor switchover capability, which is only available in hybrid mode. A detailed comparison of hybrid vs. native modes on the 6500 series is available at: http://cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c8441.shtml
[2] In the original specification for Spanning Tree Protocol, just one “tree” is formed for all VLANs. This creates a situation where half of the network is underutilized, since the redundant core and redundant uplinks go unused. To make more efficient use of the hardware in place, Cisco introduced Per-VLAN Spanning Tree Protocol (PVST), which creates a separate spanning tree for each VLAN. By adjusting spanning tree parameters, the administrator can balance traffic flows across the redundant equipment, ensuring the best utilization of network equipment.