Given a scenario, install and configure routers and switches. This section will cover the basic configuration of both routers and switches, including interface configuration (duplex, speed, and addressing), routing configuration, Network Address Translation (NAT), VLAN configuration, PoE, traffic filtering, VTP configuration, QoS, and port mirroring. Learn more in our Cisco CCNA lab and video training course.
Router Configuration
Router configuration can be very complex, and it requires knowledge about many technologies, depending on the functions the router must perform. However, there are some basic configuration steps that are commonly applied in enterprise environments once a clean install has been performed on such a device:
- Interface configuration:
  - Duplex settings
  - Speed settings
  - IP addressing
- Static/dynamic routing configuration
- NAT/PAT configuration
- Traffic filtering (access control lists)
- Quality of Service configuration
Interface Configuration
Router interfaces can be of different types, based on the following two factors:
- Underlying technology used (e.g., Ethernet)
- Interface bandwidth
The following are the most common router and switch interfaces used in modern enterprise networks:
- 10Mbps (Ethernet, which is rarely used nowadays)
- 100Mbps (FastEthernet)
- 1Gbps (GigabitEthernet)
- 10Gbps (TenGigabitEthernet)
In order to address a specific router interface and enter Interface Configuration mode to configure specific parameters, you must know the interface notation. This can vary based on the router manufacturer, but the interface notation is usually made up of two parts:
- Interface type (Ethernet, FastEthernet, etc.)
- Interface slot/module and port number
For example, here are some common interface notations:
- Ethernet1/0 (slot 1, port 0)
- FastEthernet0/3 (slot 0, port 3)
- GigabitEthernet0/1/1 (slot 0, module 1, port 1)
Note: Slot 0 usually represents the built-in ports and the other slots represent extension slots that can be added at any time. Slot and port numbering usually starts at 0.
In order for a router interface to have basic functionality, you must configure the following parameters:
- Speed
- Duplex
- IP address
We will exemplify these basic configuration settings on a Cisco router, as they are commonly used in modern enterprise networks. To see the available interfaces and their current state, you can issue the show ip interface brief command, as shown in the output below:
Router#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down
FastEthernet0/1            unassigned      YES unset  administratively down down
From the output above, you can see that the router has two FastEthernet (100Mbps) interfaces on slot 0 and neither is configured (no IP address), and they are both administratively disabled (status: administratively down).
Before you configure interface parameters, you must enter global configuration mode, using the configure terminal command on Cisco devices, and then Interface Configuration mode, using the interface <interface name> command. The first step in the interface configuration process is enabling the interface. For our purposes, we will focus on interface FastEthernet0/0, which can be enabled using the no shutdown command.
Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#interface FastEthernet0/0
Router(config-if)#no shutdown
Router(config-if)#
*Mar  1 00:32:05.199: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Mar  1 00:32:06.199: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
The next configuration step involves setting up speed and duplex settings. These parameters must match at both ends of the link, and they can also be auto-negotiated by the device. A Gigabit interface can usually work at 10Mbps, 100Mbps, or 1000Mbps, depending on the device it connects to. Speed is configured using the speed command in Interface Configuration mode. In order to see the command’s available parameters, you can use the ? symbol after the first part of the command, as shown in the output below:
Router(config-if)#speed ?
  10    Force 10Mbps operation
  100   Force 100Mbps operation
  auto  Enable AUTO speed configuration
From the configuration output above, you can see that there are three speed configuration options for the FastEthernet interface:
- Operating at 10Mbps
- Operating at 100Mbps
- Auto-negotiation (selects maximum bandwidth based on the capabilities at both ends of the link)
Duplex configuration describes the router interface’s capability to send and receive traffic. Full-duplex interfaces can send and receive traffic at the same time, on different copper cable pairs; because the two directions are separated, no collisions occur and the collision detection required on shared media such as hubs is not needed. Half-duplex is usually used when connecting to a hub; it allows sending or receiving traffic, but not both at the same time. As with interface speed configuration, duplex can be auto-negotiated between the two ends of a link. The duplex configuration options on a Cisco router interface can be seen in the output below:
Router(config-if)#duplex ?
  auto  Enable AUTO duplex configuration
  full  Force full duplex operation
  half  Force half-duplex operation
Because a router is a Layer 3 device, each interface must be assigned an IP address using the ip address <ip> <subnet> interface configuration command, as exemplified below:
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
After the router interface configuration is complete, you can verify all of the interface’s configured parameters using the show interfaces [name] command on Cisco routers, as shown in the output below:
Router#show interfaces FastEthernet0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is Gt96k FE, address is c200.0814.0000 (bia c200.0814.0000)
  Internet address is 192.168.1.1/24
  MTU 1500 bytes, BW 10000 Kbit/sec, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:06, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  <output missing>
Routing Protocols
Comprehensive details about different routing techniques and protocols were presented in Chapter 4 of this book. Routing is a two-step process that involves learning information about available networks and then making Layer 3 forwarding decisions for different packets.
Routing information can be learned in the following two ways:
- Static routing
- Dynamic routing
Static routing involves manually entering information about available networks. On Cisco routers, this is done using the ip route command, as exemplified below:
Router(config)#ip route 10.10.10.0 255.255.255.0 192.168.1.2
The command above indicates that the router can reach the 10.10.10.0/24 network via the next hop 192.168.1.2. Another form of the command uses an output interface rather than a next-hop IP address, as shown below:
Router(config)#ip route 10.10.10.0 255.255.255.0 FastEthernet0/1
A special case of a static route is the default route, which sets a next hop for all traffic that does not have a more explicit route present in the routing table. A sample default route configuration is presented below:
Router(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.2
On the other hand, using dedicated routing protocols allows dynamic learning of network prefixes from neighbor routers by exchanging routing protocol messages. A sample OSPF configuration is presented below:
Router(config)#router ospf 10
Router(config-router)#router-id 192.168.1.100
Router(config-router)#network 192.168.1.0 0.0.0.255 area 0
Router(config-router)#passive-interface FastEthernet0/1
The configuration above enables OSPF with process number 10, assigns a router ID, enables OSPF on the interfaces that belong to the 192.168.1.0/24 network in OSPF Area 0, and stops OSPF from sending hellos and forming adjacencies on interface FastEthernet0/1 (its network is still advertised) by configuring it as a passive interface.
After the router is configured with static or dynamic routing, the routing table begins to populate; you can see the learned or manually configured routes by issuing the show ip route command, as illustrated in the output below:
Router#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.1.2 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
S       10.10.10.0 [1/0] via 192.168.1.2
C    192.168.1.0/24 is directly connected, FastEthernet0/0
S*   0.0.0.0/0 [1/0] via 192.168.1.2
In the output above, there are three routes present in the routing table:
- Static route 10.10.10.0, reachable via 192.168.1.2
- Connected route 192.168.1.0/24, assigned to the FastEthernet0/0 interface
- Static default route pointing to 192.168.1.2
Note: The default route on a Cisco router is also called the gateway of last resort and its functionality is similar to a default gateway on a PC.
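To show how the router chooses among the three routes listed above, here is an added Python model (not code from the book) of longest-prefix matching and the recursive next-hop lookup that turns a static route's next hop into an exit interface. The routes are transcribed from the show ip route output; the destination addresses and the 203.0.113.10 "Internet" host are constructed test inputs.

```python
import ipaddress

# Routes transcribed from the show ip route output above:
# (code, prefix, next hop, exit interface)
ROUTING_TABLE = [
    ("S",  "10.10.10.0/24",  "192.168.1.2", None),
    ("C",  "192.168.1.0/24", None,          "FastEthernet0/0"),
    ("S*", "0.0.0.0/0",      "192.168.1.2", None),   # gateway of last resort
]


def lookup(dst, table=ROUTING_TABLE):
    """Return the most specific route covering dst (longest-prefix match).

    The default route 0.0.0.0/0 covers every address but has prefix length 0,
    so it only wins when no more explicit route exists.
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for code, prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (code, net, next_hop, iface)
    return best


def resolve(dst, table=ROUTING_TABLE):
    """Return (route code, next hop, exit interface) for dst, or None if unroutable.

    A static route only names a next hop, so the router performs a second,
    recursive lookup to find the connected interface that reaches that hop.
    Only one level of recursion is modelled here.
    """
    route = lookup(dst, table)
    if route is None:
        return None
    code, _net, next_hop, iface = route
    if iface is not None:                 # connected route: forward directly
        return (code, next_hop, iface)
    hop_route = lookup(next_hop, table)
    if hop_route is None or hop_route[3] is None:
        return (code, next_hop, None)     # next hop not reachable via a connected route
    return (code, next_hop, hop_route[3])


if __name__ == "__main__":
    for dst in ("10.10.10.5", "192.168.1.50", "203.0.113.10"):
        print(dst, "->", resolve(dst))
    # Without the default route, the constructed Internet address is simply dropped.
    print("203.0.113.10 without S* ->", resolve("203.0.113.10", ROUTING_TABLE[:2]))
```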
Network Address Translation
Network Address Translation (NAT) is a technique used to modify IP address information in the IP header while the packet traverses a router. This is often done in conjunction with using a private addressing space (RFC 1918) on the Local Area Network (LAN). Service providers do not allow packets that come from the private address ranges to reach the Internet because the same address can be used by multiple enterprise networks.
A solution to this issue, and the way machines with private addresses access Internet resources, is to allocate a public IP address (or a pool of addresses) to the enterprise and translate the internal addresses into a public address as traffic leaves the network, as depicted in Figure 8.1 below:
Figure 8.1 – NAT Example
PC 1 cannot access the Internet unless specific NAT policies are configured on the router to translate the internal address into a public allocated address (80.80.80.2 in this case).
Basic NAT functionality works by mapping a single internal address to an external address, like in the configuration example below:
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 80.80.80.2 255.255.255.252
Router(config-if)#ip nat outside
Router(config)#ip nat inside source static 192.168.1.11 interface fastEthernet0/1
The output above defines interface FastEthernet0/0 as an inside interface and interface FastEthernet0/1 as an outside interface from the NAT mechanism’s perspective. The last statement defines the translation of the single inside private address (PC 1) to the interface FastEthernet0/1 public address (80.80.80.2).
Although standard NAT functionality performs its intended use, it does not help to conserve public IP space, as multiple internal hosts require multiple public IP addresses to access the Internet. Port Address Translation (PAT) overcomes this issue by allowing multiple private internal addresses to be associated with a single public address. Session tracking is accomplished by associating each traffic flow with a unique port number. A PAT configuration example is shown below. Note the overload keyword, which tells the router to use PAT:
Router(config)#interface FastEthernet0/0
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config-if)#ip nat inside
Router(config)#interface FastEthernet0/1
Router(config-if)#ip address 80.80.80.2 255.255.255.252
Router(config-if)#ip nat outside
Router(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 any
Router(config)#ip nat inside source list 100 interface fastEthernet0/1 overload
The configuration above mirrors the standard NAT example, with an important difference: the NAT statement does not reference a single internal private address but instead an access control list, which permits the entire internal subnet (192.168.1.0/24). This way, all internal hosts (including PC 1 and PC 2) can access the Internet by having their private addresses translated to the single 80.80.80.2 public address and keeping track of the sessions using port numbers.
After traffic is generated, you can inspect the NAT rules being applied by issuing the show ip nat translations command on Cisco routers.
Note: PAT is also called NAT overload.
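The difference between the two NAT statements above, as an added Python model (not code from the book): static NAT maps one inside host to the interface address for every port in both directions, while PAT builds a per-session table keyed by translated source port and has no entry for unsolicited inbound packets. The addresses 192.168.1.11, 192.168.1.12 and 80.80.80.2 come from the page; the packets and the 203.0.113.10 web server are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StaticNat:
    """Model of: ip nat inside source static 192.168.1.11 interface FastEthernet0/1

    One inside host is mapped to the outside interface address for every port
    and protocol, in both directions, so no per-session state is needed.
    """

    def __init__(self, inside_local, inside_global):
        self.inside_local, self.inside_global = inside_local, inside_global

    def outbound(self, pkt):
        if pkt.src != self.inside_local:
            return pkt                                  # no mapping: forwarded untranslated
        return Pkt(pkt.proto, self.inside_global, pkt.sport, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        if pkt.dst != self.inside_global:
            return None
        # Any unsolicited packet sent to the global address reaches the inside host.
        return Pkt(pkt.proto, pkt.src, pkt.sport, self.inside_local, pkt.dport)


class PatRouter:
    """Model of: ip nat inside source list 100 interface FastEthernet0/1 overload

    Many inside hosts share one outside address; sessions are told apart by
    the translated source port, which is recorded in a translation table.
    """

    def __init__(self, inside_acl, inside_global):
        self.inside_acl = ipaddress.ip_network(inside_acl)  # what access-list 100 permits
        self.inside_global = inside_global
        self.out_map = {}  # (proto, inside local IP, inside port) -> global port
        self.in_map = {}   # (proto, global port) -> (inside local IP, inside port)

    def outbound(self, pkt):
        if ipaddress.ip_address(pkt.src) not in self.inside_acl:
            return pkt                                  # not permitted by the ACL: untranslated
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out_map:
            port = pkt.sport                            # keep the original port when it is free
            while (pkt.proto, port) in self.in_map:     # otherwise pick the next free one
                port = port + 1 if port < 65535 else 1024
            self.out_map[key] = port
            self.in_map[(pkt.proto, port)] = (pkt.src, pkt.sport)
        return Pkt(pkt.proto, self.inside_global, self.out_map[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Packet from the outside; None means no translation entry exists and it is dropped."""
        entry = self.in_map.get((pkt.proto, pkt.dport))
        if pkt.dst != self.inside_global or entry is None:
            return None
        inside_ip, inside_port = entry
        return Pkt(pkt.proto, pkt.src, pkt.sport, inside_ip, inside_port)

    def translations(self):
        """Rows in the spirit of 'show ip nat translations': proto, inside global, inside local."""
        return sorted(f"{proto} {self.inside_global}:{gport} {ip}:{port}"
                      for (proto, ip, port), gport in self.out_map.items())


if __name__ == "__main__":
    # Constructed traffic: PC 1 and PC 2 both open a connection from port 50000
    # to the same (documentation-range) web server 203.0.113.10.
    pat = PatRouter("192.168.1.0/24", "80.80.80.2")
    for host in ("192.168.1.11", "192.168.1.12"):
        print(pat.outbound(Pkt("tcp", host, 50000, "203.0.113.10", 443)))
    print(pat.inbound(Pkt("tcp", "203.0.113.10", 443, "80.80.80.2", 50001)))
    print(pat.inbound(Pkt("tcp", "203.0.113.10", 443, "80.80.80.2", 60000)))  # None: dropped
```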
Traffic Filtering
Traffic filtering configuration on routers allows you to restrict certain traffic types from passing through the device. Those traffic types can be selected based on multiple factors, including:
- Traffic source
- Traffic destination
- Protocol
The first step in traffic filtering configuration is defining what type of traffic you want to block and then applying the rule on a specific interface. On Cisco routers this is accomplished using access control lists (ACLs). The configuration example below restricts any ICMP traffic from exiting the router on interface FastEthernet0/1:
Router(config)#ip access-list extended 100
Router(config-ext-nacl)#deny icmp any any
Router(config-ext-nacl)#permit ip any any
Router(config-ext-nacl)#exit
Router(config)#interface fastEthernet0/1
Router(config-if)#ip access-group 100 out
The configuration example above creates an ACL that denies ICMP traffic from any source to any destination (meaning all possible combinations) and then allows any other IP traffic. The order of the statements is important because they are evaluated from top to bottom and the first match wins. If you reversed the statements, first permitting any IP traffic and then denying ICMP traffic, the deny would have no effect because all traffic would match the first statement. The last step is applying the ACL on an interface in the desired direction.
Note: A router interface can be configured with a single ACL per direction per protocol.
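The top-down, first-match rule explained above, as an added Python evaluator (not code from the book) for extended ACL entries in the syntax used on this page: it applies IOS wildcard masks and the implicit deny at the end of every ACL, and it also reports entries that are shadowed by an earlier broader entry, which is how the reversed ACL the text warns about shows up in an audit. ACL 100 is taken from the page; the test addresses are constructed.

```python
import ipaddress


def _to_int(addr):
    return int(ipaddress.ip_address(addr))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard masks: a 1 bit means 'do not care', a 0 bit must match."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def covers(outer, inner):
    """True if every address matched by inner (base, wildcard) is also matched by outer."""
    (ob, ow), (ib, iw) = outer, inner
    ow_i, iw_i = _to_int(ow), _to_int(iw)
    if (ow_i | iw_i) != ow_i:             # inner ignores a bit that outer still checks
        return False
    return wildcard_match(ib, ob, ow)     # bases agree on every bit outer checks


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line):
    """Parse an extended ACE such as 'deny icmp any any' into (action, proto, src, dst)."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = _take_addr(tokens[2:])
    dst, _rest = _take_addr(rest)
    return action, proto, src, dst


def evaluate(acl, proto, src, dst):
    """Top-down, first-match evaluation; returns (action, matching line number).

    Every IOS ACL ends with an implicit 'deny ip any any', reported as line None.
    """
    for n, line in enumerate(acl, 1):
        action, aproto, (sb, sw), (db, dw) = parse_ace(line)
        if aproto in ("ip", proto) and wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action, n
    return "deny", None


def shadowed(acl):
    """Line numbers of entries that can never match because an earlier entry covers them."""
    parsed = [parse_ace(line) for line in acl]
    dead = []
    for j, (_, jp, js, jd) in enumerate(parsed):
        for i in range(j):
            _, ip_, is_, id_ = parsed[i]
            if ip_ in ("ip", jp) and covers(is_, js) and covers(id_, jd):
                dead.append(j + 1)
                break
    return dead


# ACL 100 exactly as configured above, and the reversed order the text warns about
ACL_100 = ["deny icmp any any", "permit ip any any"]
ACL_REVERSED = ["permit ip any any", "deny icmp any any"]


if __name__ == "__main__":
    for name, acl in (("ACL 100", ACL_100), ("reversed", ACL_REVERSED)):
        print(name, "icmp ->", evaluate(acl, "icmp", "192.168.1.11", "203.0.113.10"),
              "shadowed lines:", shadowed(acl))
```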
Quality of Service
Quality of Service (QoS) techniques are often used in Wide Area Networks (WANs) because the bandwidth characteristics are usually low compared to those present on the LAN side. This bandwidth difference that packets experience when traffic is sent from a high-bandwidth LAN environment to a low-bandwidth WAN environment can cause congestion, which leads to the application not behaving the way it should (e.g., dropped packets, latency issues, etc.).
QoS mechanisms will be covered in detail in Chapter 26 but briefly they include the following:
- Traffic shaping and policing: Traffic shaping is a process that tries to control the way in which traffic is sent by buffering excess packets. Traffic policing, on the other hand, will drop or re-mark (penalize) packets that exceed a given rate.
- Congestion management: This QoS mechanism involves queuing. Applying queuing techniques means using other techniques than the default FIFO (First In First Out) method, including priority queuing, custom queuing, and weighted fair queuing.
- Congestion avoidance: When both the hardware and the software queues fill up, you will have a tail drop at the end of the queue, which can lead to voice traffic starvation and/or to TCP global synchronization. Using congestion avoidance techniques guards against global synchronization problems. The most popular congestion avoidance mechanism is called Random Early Detection (RED).
- Link efficiency mechanisms: These include compression and link fragmentation and interleaving (LFI).
QoS techniques are most effective on bursty WAN connections, typically in Frame Relay environments where committed information rates and burst rates are usually specified in the contract. Traffic bursts occur when large packets are sent over the network or when the network is very busy during certain periods of the day. QoS techniques should be mandatory if the enterprise uses any kind of delay-sensitive applications, for example, applications that must function in real-time (e.g., presentations over the Internet or video training sessions).
QoS mechanisms are most often applied on links that carry VoIP traffic, because that type of traffic is very sensitive to latency variations and can be influenced by other larger packets when the link experiences congestion.
Basically, QoS involves unfair treatment of packets on the network, based on the priority and importance you assign on different traffic flows. To exemplify a QoS configuration, consider the topology depicted in Figure 8.2 below:
Figure 8.2 – QoS Topology Example
The objective is to prioritize critical traffic from the application server going out to the Internet by guaranteeing 70% of the available bandwidth in case of congestion. The configuration that achieves this is presented below:
Router(config)#access-list 100 permit ip host 192.168.1.11 any
Router(config)#class-map APP_SRV
Router(config-cmap)#match access-group 100
Router(config)#policy-map POLICY_APP_SRV
Router(config-pmap)#class APP_SRV
Router(config-pmap-c)#bandwidth percent 70
Router(config)#interface FastEthernet0/1
Router(config-if)#service-policy out POLICY_APP_SRV
The configuration starts by defining the traffic that is subject to preferential QoS treatment; this is accomplished using an ACL that matches any IP traffic originated by 192.168.1.11 (the application server). Then, a class map is created that matches the previously defined ACL. The class map is referenced in a policy map, which is where the QoS mechanism is defined, in this case guaranteeing 70% of the interface bandwidth to traffic originating from the application server whenever there is congestion. The last step applies the policy map outbound on the FastEthernet0/1 interface (facing the Internet), which completes the scenario and ensures that the application server’s traffic is treated with preference as it leaves toward the Internet.
Note: QoS policies should be designed and configured based on application requirements.
Switch Configuration
Basic switch interface configuration is similar in many ways to router interface configuration, as defined previously in this chapter. However, switches offer Layer 2 functionalities that routers do not, including:
- Separating traffic using VLANs
- VTP technology
- Port mirroring
- MAC filtering
- Power over Ethernet (PoE)
Managed versus Unmanaged Switches
There are two types of switches that you can purchase: unmanaged and managed. Unmanaged switches have the following characteristics:
- Low cost
- All ports are placed in the same VLAN
- You cannot configure anything on them
- Generally used by home users and small companies
- Usually “plug and play”
On the other hand, managed switches have the following properties:
- Usually more expensive than unmanaged switches
- Can be configured via either a command line interface or a Web console
- Can be remotely managed
- Can support advanced features like VLAN, port mirroring, Layer 2 traffic filtering, and QoS mechanisms
- Usually used in enterprise-level networks
VLAN Configuration
Virtual LAN (VLAN) switching logic and mechanisms have been covered in detail in Chapter 2 and Chapter 4 so we will not go into much detail here. We will instead focus on the configuration aspects of a regular managed switch, taking as an example a Cisco switch, which is commonly used in enterprise networks.
On Cisco IOS-based switches, a VLAN is configured using the vlan <id> command and a name can be assigned in VLAN Configuration mode, as shown below:
Switch(config)#vlan 10
Switch(config-vlan)#name SERVER_FARM
Switch(config-vlan)#exit
When a switch port is connected to a workstation or a server, that port is usually configured in Access mode and it carries a single VLAN. A sample configuration is presented below:
Switch(config)#interface FastEthernet1/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
On the other hand, switch ports that connect to other switches might need to be configured as trunks to carry traffic from multiple VLANs, as presented in the configuration output below:
Switch(config)#interface FastEthernet1/2
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport trunk allowed vlan 10,20,30
Besides defining the port as a trunk, you define the encapsulation method, which can be dot1q or ISL on Cisco switches (Cisco is deprecating ISL; many current models support dot1q only and do not offer the encapsulation command, while on models that support both, the encapsulation must be configured before the switch accepts trunk mode on the port). Dot1q encapsulation is usually used in multivendor environments. The last step is defining the VLANs that are allowed on the particular trunk. If you skip the allowed vlan command, all VLANs will be permitted on the link. All the trunking parameters should match on both sides of the link.
Note: If you try to assign a VLAN to a port that was not previously defined, the VLAN will usually be created automatically by the switch, but this depends on the vendor and the switch software.
VTP
VLAN trunking protocol (VTP) is a Cisco proprietary protocol that is used to reduce administration in a switched network by distributing a VLAN configured on a device throughout the network. This reduces the need to configure the same VLAN on every switch in the network. VTP configuration parameters on a Cisco switch are presented in the output below:
Switch(config)#vtp ?
  domain     Set the name of the VTP administrative domain.
  file       Configure IFS filesystem file where VTP configuration is stored.
  interface  Configure interface as the preferred source for the VTP IP updater address.
  mode       Configure VTP device mode
  password   Set the password for the VTP administrative domain
  pruning    Set the administrative domain to permit pruning
  version    Set the administrative domain to VTP version
Switches that should exchange VLAN information must be configured with the following identical parameters:
- VTP domain
- VTP password
- VTP version
Switches can operate in three VTP modes:
- Server mode: VLANs for the entire VTP domain can be created, modified, and deleted. Switches in this mode advertise and synchronize their VLAN configuration with other switches in the same domain.
- Client mode: This is the same as server mode, except that VLANs cannot be created, changed, or deleted.
- Transparent mode: Switches in VTP transparent mode do not participate in VTP (they neither advertise nor synchronize their VLAN information), although they still forward VTP advertisements received on trunks.
A sample VTP configuration is presented below:
Switch(config)#vtp mode server
Switch(config)#vtp domain Network+
Switch(config)#vtp version 2
To verify a Cisco switch VTP configuration, you can issue the show vtp status command, as shown below:
Switch#show vtp status
VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 36
Number of existing VLANs        : 6
VTP Operating Mode              : Server
VTP Domain Name                 : Network+
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xC3 0xBD 0x67 0x2C 0x5C 0x62 0x66 0xE7
Configuration last modified by 0.0.0.0 at 3-1-02 00:38:00
Local updater ID is 0.0.0.0 (no valid interface found)
An important parameter presented in the output above is the VTP revision number. This number increases each time a VLAN change is made on the device. The switch with the highest revision number dictates the VTP configuration in a network because it is assumed that it has the latest VLAN information.
Note: When you first install a new Cisco switch into the network, the recommendation is to configure it in VTP transparent mode to avoid possible problems that can happen if that switch has a higher revision number than any other switch (this can lead to VLAN deletion and modification across the network).
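The revision-number check behind the note above, as an added Python example (not code from the book): it parses show vtp status output into a dictionary and reports whether a switch about to be connected could replace the production VLAN database. The production output is transcribed from the page; the second switch's output, with a stale revision of 17, is constructed.

```python
import re

# Transcribed from the show vtp status output above (the production VTP server)
PRODUCTION_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 3
Maximum VLANs supported locally : 36
Number of existing VLANs        : 6
VTP Operating Mode              : Server
VTP Domain Name                 : Network+
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
"""

# Constructed: a reused switch about to be connected, still holding an old database
NEW_SWITCH_STATUS = """\
VTP Version                     : 2
Configuration Revision          : 17
Number of existing VLANs        : 2
VTP Operating Mode              : Server
VTP Domain Name                 : Network+
"""


def parse_vtp_status(text):
    """Turn 'Key : Value' lines into a dict; lines without a separator are ignored."""
    status = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s*:\s*(.*)$", line)
        if m:
            status[m.group(1).strip()] = m.group(2).strip()
    return status


def vtp_overwrite_risk(candidate, production):
    """Return a reason string if connecting candidate could replace production's VLANs, else None.

    A server or client in the same domain with a higher revision wins the
    synchronization; a transparent switch or a different domain never does.
    """
    if candidate["VTP Operating Mode"].lower() == "transparent":
        return None
    if candidate["VTP Domain Name"] != production["VTP Domain Name"]:
        return None
    c_rev = int(candidate["Configuration Revision"])
    p_rev = int(production["Configuration Revision"])
    if c_rev > p_rev:
        return (f"revision {c_rev} > {p_rev}: the candidate's "
                f"{candidate['Number of existing VLANs']} VLANs would replace "
                f"production's {production['Number of existing VLANs']}")
    return None


if __name__ == "__main__":
    prod = parse_vtp_status(PRODUCTION_STATUS)
    new = parse_vtp_status(NEW_SWITCH_STATUS)
    print("as shipped:", vtp_overwrite_risk(new, prod))
    # Applying the recommendation above ('vtp mode transparent') before connecting it:
    print("transparent:", vtp_overwrite_risk({**new, "VTP Operating Mode": "Transparent"}, prod))
```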
Port Mirroring
Port mirroring is a technique that allows a switch port to send a copy of every packet that goes through it to another port. It is generally used either to see the traffic that passes through a switch port or to direct it via another port to a device that collects traffic (e.g., a call recording server in a VoIP environment).
Port mirroring on Cisco devices is called Switched Port Analyzer (SPAN), and it is configured as presented in the output below:
Switch(config)#monitor session 1 source interface FastEthernet1/1
Switch(config)#monitor session 1 destination interface FastEthernet1/2
Specific configuration statements are used to define the source and destination port for a particular monitoring session (defined by a numerical id). The monitoring source can be either a physical interface or a VLAN.
By default, both the transmitted and the received traffic on the source interface are cloned to the destination interface, but you can change this by using a keyword at the end of the configuration statement, as presented in the output below:
Switch(config)#monitor session 1 source interface FastEthernet1/1 ?
  ,     Specify another range of interfaces
  -     Specify a range of interfaces
  both  Monitor received and transmitted traffic
  rx    Monitor received traffic only
  tx    Monitor transmitted traffic only
- The both keyword captures both received and transmitted traffic
- The rx keyword captures received traffic
- The tx keyword captures transmitted traffic
MAC Filtering
MAC filtering functionality is usually available on high-end switch models and has similar functionality to access control lists on routers, except it functions at Layer 2. A sample MAC filtering configuration on a Cisco switch is presented below:
Switch(config)#mac access-list extended MAC_FILTER
Switch(config-ext-macl)#deny host 0000.0000.1111 any
Switch(config-ext-macl)#permit any any
Switch(config-ext-macl)#exit
Switch(config)#interface FastEthernet1/3
Switch(config-if)#mac access-group MAC_FILTER in
The first step in the configuration output presented above is to define a MAC ACL that denies the MAC addresses that are filtered and permits everything else. In this case, traffic sourced by MAC address 0000.0000.1111 is blocked. After the MAC ACL is defined, you can apply it on an interface in the inbound or outbound direction (inbound in the output above).
PoE
Power over Ethernet (PoE) is a technology that allows switches to pass electrical power along with data on Ethernet cables. This is usually done on the four extra wires in UTP cables, the ones that are not used for data transmission.
PoE is generally used to power up non-critical network devices in order to reduce cabling necessities in the office. Such devices include:
- IP phones
- Video conferencing cameras
- Surveillance cameras
- Wireless access points
PoE is supported only on special switch models, which are usually more expensive. On a Cisco switch PoE can be configured in Interface Configuration mode using the power inline command (this is on by default but can be disabled using the no power inline command).
Switch(config)#interface FastEthernet4/1
Switch(config-if)#power inline auto
PoE is defined as a standard in IEEE 802.3af.
Summary
Router configuration can be very complex and can require knowledge about many technologies, depending on the functions that router must accomplish. However, there are some basic configuration steps that are often used in enterprise environments once a clean install on such a device is performed:
- Interface configuration:
  - Duplex settings
  - Speed settings
  - IP addressing
- Static/dynamic routing configuration
- NAT/PAT configuration
- Traffic filtering (access control lists)
- Quality of Service configuration
Basic switch interface configuration is similar in many ways to router interface configuration. However, switches offer Layer 2 functionalities that routers do not, including:
- Separating traffic using VLANs
- VTP technology
- Port mirroring
- MAC filtering
- Power over Ethernet (PoE)