Cisco Networking - Vincent Tocco

Cisco Catalyst 6500 IOS Configuration Template

November 25, 2014 by Vince

! *****   Fill in the parameters within the angle brackets  *****
! *****   Catalyst 6500 Native configuration template       *****
!****************************************************************
!
mls rate-limit unicast ip icmp unreachable acl-drop 10
mls rate-limit unicast ip icmp redirect 10
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
logging buffered 11024
service password-encryption
enable secret &lt;password&gt;
no enable password
ip multicast-routing
clock timezone GST 0
!
hostname &lt;hostname&gt;
!
!
! ***************************************************************
! * Configure DNS parameters
! * Enable UDLD in aggressive mode
! * Enable full ip flow tracking for mls
! * Enable TCP path mtu discovery
! * Enable QOS and re-map COS to DSCP values
! * Rate limit ip redirect and unreachable to the Switch process at 10 PPS
! ***************************************************************
! 
ip subnet-zero
ip domain lookup
ip domain-list &lt;domain that switch is in&gt;
ip name-server &lt;www.xxx.yyy.zzz&gt;
udld aggressive
udld message time 7
mls flow ip full
ip tcp path-mtu-discovery age-timer 30 
mls qos map cos-dscp 0 8 16 26 32 46 48 56
mls qos map ip-prec-dscp 0 8 16 26 32 46 48 56
mls qos
mls aclmerge algorithm odm
mls aclmerge odm optimizations 
!
!
! ***************************************************************
! * Set the VTP domain to the name of the switch and the VTP mode to transparent
! ***************************************************************
!
vtp domain &lt;hostname&gt; 
vtp mode transparent
!
errdisable recovery cause all
errdisable recovery interval 60
!
!
! ***************************************************************
! * Configure Spanning Tree 
! *  Set the spanning tree root or secondary root for the vlan. If this is the HSRP
! *  primary for this vlan, the priority should be set to 8192.  If this is the HSRP
! *  standby, the priority should be set to 16384.
! ***************************************************************
!
spanning-tree mode rapid-pvst
spanning-tree vlan &lt;vlan list&gt; priority &lt;value 8192 for primary or 16384 for secondary&gt;
spanning-tree extend system-id
spanning-tree portfast bpduguard default
!
!
! ********************
! * Configure VLANs
! ********************
!
vlan &lt;vlan number&gt;
 name Data_Vlan
vlan &lt;voice vlan number&gt;
 name Voice_Vlan
!
!
! ********************
! * Standard Fastethernet interfaces (2q1p2t ports), configure as a range
! ********************
!
interface range FastEthernet &lt;Start interface&gt; - &lt;End Interface Number&gt;
 switchport
 switchport host
 switchport access vlan &lt;vlan&gt;
 switchport voice vlan &lt;voice vlan number&gt;
 no snmp trap link-status
 mls qos trust extend cos 0
 mls qos trust cos
 priority-queue cos-map 1 5
 power inline auto
 no shut
!
!
! ***************************************************************
! * Uplink Ports
! * Configure the uplink ports to trunk with 802.1q encapsulation
! * Only trunk vlans that are needed
! * Set port to trust DSCP values from the MDF
! ***************************************************************
!
interface range GigabitEthernet &lt;Start interface&gt; - &lt;End Interface Number&gt;
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan &lt;vlan list, NOT vlan 1&gt;
 switchport mode trunk
 mls qos trust cos
 no shut
!
!
! ********************
! * Always disable interface VLAN 1
! ********************
!
interface Vlan1
 no ip address
 shutdown
!
!
! ***************************************************************
! * Layer 3 Vlan Interfaces No HSRP
! * Enable PIM on the interface
! * Do Not enable PIM on VOICE vlans
! ***************************************************************
!
interface vlan &lt;vlan Number&gt;
 ip address &lt;IP Address&gt; &lt;Netmask&gt;
 ip helper-address &lt;helper address&gt;
 no ip redirects
 no ip directed-broadcast
 ip pim sparse-dense-mode 
 no shut
!
!
! ***************************************************************
! Use the configurations below for configuring HSRP
! ***************************************************************
!
! ***************************************************************
! * Layer 3 Interfaces (Primary HSRP)
! ***************************************************************
! * Enable PIM on the interface
! * Configure the standby HSRP IP address
! * Configure the HSRP timers 1 &amp; 3 respectively
! * Configure the HSRP priority (115) &amp; premept delay (15)
! * Configure interface tracking for HSRP
! * Do Not enable PIM on VOICE vlans
! ***************************************************************
!
interface vlan &lt;vlan Number&gt;
 ip address &lt;ip address&gt; &lt;netmask&gt;
 ip helper-address &lt;helper address&gt;
 no ip redirects
 no ip directed-broadcast
 ip pim sparse-dense-mode
 standby &lt;group number&gt; ip &lt;HSRP address&gt;
 standby &lt;group number&gt; timers 1 3
 standby &lt;group number&gt; priority 115 preempt delay 15
 standby &lt;group number&gt; track &lt;uplink interface&gt; 20
 no shut
!
! ***************************************************************
! * Layer 3 Interfaces (HSRP Standby)
! ***************************************************************
! * Enable PIM on the interface
! * Configure the standby HSRP IP address
! * Configure the HSRP timers 1 &amp; 3 respectively
! * Configure the HSRP priority
! * Configure interface tracking for HSRP
! * Do Not enable PIM on VOICE vlans
! ***************************************************************
!
interface vlan &lt;vlan Number&gt;
 ip address &lt;ip address&gt; &lt;netmask&gt;
 ip helper-address &lt;helper address&gt;
 no ip redirects
 no ip directed-broadcast
 ip pim sparse-dense-mode
 standby &lt;group number&gt; ip &lt;HSRP address&gt;
 standby &lt;group number&gt; timers 1 3
 standby &lt;group number&gt; priority 100 preempt delay 15
 standby &lt;group number&gt; track &lt;uplink interface&gt; 20
 no shut
!
!
! ***************************************************************
! * Set the syslog server
! * Disable the HTTP server for web management
! ***************************************************************
!
logging trap debugging
no ip http server
logging &lt;logging server IP address&gt;
!
!
! ********************
! * Set SNMP system variables
! ********************
!
snmp-server community &lt;Read-Only String&gt; RO
snmp-server location &lt;site/building&gt;
snmp-server contact &lt;contact-name&gt;
snmp-server enable traps
snmp-server ifindex persist
no snmp-server enable traps syslog
no snmp-server chassis-id 
snmp-server trap-source vlan &lt;management vlan&gt;
no snmp-server enable traps snmp authentication
!
!
! ********************
! * Configure the tacacs+ servers
! ********************
!
tacacs-server host &lt;Primary tacacs server IP&gt;
tacacs-server host &lt;Secondary tacacs server IP&gt;
tacacs-server timeout 10
tacacs-server key &lt;tacacs key&gt;
!
!
! ********************
! * Set the Banner exactly as shown below
! ********************
!
Banner motd ^

THIS IS A PRIVATE COMPUTER SYSTEM --- USAGE MAY BE
MONITORED AND UNAUTHORIZED ACCESS OR USE MAY RESULT
IN CRIMINAL OR CIVIL PROSECUTION

^
!
!
! ********************
! * Configure timeout timers and login passwords on all available
! * console and vty lines
! ********************
!
line con 0
 exec-timeout 10 0
 password &lt;password&gt;
 logg sync
line vty 0 15
 exec-timeout 20 0
 password &lt;password&gt;
 transport input telnet
 logg sync
!
! ********************
! * Configure SSH if correct code
! * Use version 2 of SSH if supported
! ********************
!
ip ssh version 2
line vty 0 15
  transport input telnet ssh
!
crypto key generate rsa
!
!
! ********************
! * Set the NTP Server
! ********************
!
ntp server &lt;local ntp server or pool.ntp.org&gt;
!
!
! ********************
! * Configure tacacs+ if using an ACS server, otherwise do not configure
! * Remove ACS auth from console in case of emergency
! ********************
aaa new-model
aaa authentication login no_tacacs enable
aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization commands 0 default group tacacs+ if-authenticated none
aaa authorization commands 15 default group tacacs+ if-authenticated none
aaa accounting update newinfo
aaa accounting commands 15 default start-stop group tacacs+
line con 0
login authentication no_tacacs

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

! ***** Fill in the parameters within the angle brackets *****

! ***** Catalyst 6500 Native configuration template *****

!****************************************************************

mls rate-limit unicast ip icmp unreachable acl-drop 10

mls rate-limit unicast ip icmp redirect 10

no service pad

service timestamps debug datetime localtime

service timestamps log datetime localtime

logging buffered 11024

service password-encryption

enable secret <password>

no enable password

ip multicast-routing

clock timezone GST 0

hostname <hostname>

! ***************************************************************

! * Configure DNS parameters

! * Enable UDLD in aggressive mode

! * Enable full ip flow tracking for mls

! * Enable TCP path mtu discovery

! * Enable QOS and re-map COS to DSCP values

! * Rate limit ip redirect and unreachable to the Switch process at 10 PPS

! ***************************************************************

ip subnet-zero

ip domain lookup

ip domain-list <domain that switch is in>

ip name-server <www.xxx.yyy.zzz>

udld aggressive

udld message time 7

mls flow ip full

ip tcp path-mtu-discovery age-timer 30

mls qos map cos-dscp 0 8 16 26 32 46 48 56

mls qos map ip-prec-dscp 0 8 16 26 32 46 48 56

mls qos

mls aclmerge algorithm odm

mls aclmerge odm optimizations

! ***************************************************************

! * Set the VTP domain to the name of the switch and the VTP mode to transparent

! ***************************************************************

vtp domain <hostname>

vtp mode transparent

errdisable recovery cause all

errdisable recovery interval 60

! ***************************************************************

! * Configure Spanning Tree

! * Set the spanning tree root or secondary root for the vlan. If this is the HSRP

! * primary for this vlan, the priority should be set to 8192. If this is the HSRP

! * standby, the priority should be set to 16384.

! ***************************************************************

spanning-tree mode rapid-pvst

spanning-tree vlan <vlan list> priority <value 8192 for primary or 16384 for secondary>

spanning-tree extend system-id

spanning-tree portfast bpduguard default

! ********************

! * Configure VLANs

! ********************

vlan <vlan number>

name Data_Vlan

vlan <voice vlan number>

name Voice_Vlan

! ********************

! * Standard Fastethernet interfaces (2q1p2t ports), configure as a range

! ********************

interface range FastEthernet <Start interface> - <End Interface Number>

switchport

switchport host

switchport access vlan <vlan>

switchport voice vlan <voice vlan number>

no snmp trap link-status

mls qos trust extend cos 0

mls qos trust cos

priority-queue cos-map 1 5

power inline auto

no shut

! ***************************************************************

! * Uplink Ports

! * Configure the uplink ports to trunk with 802.1q encapsulation

! * Only trunk vlans that are needed

! * Set port to trust DSCP values from the MDF

! ***************************************************************

interface range GigabitEthernet <Start interface> - <End Interface Number>

switchport

switchport trunk encapsulation dot1q

switchport trunk allowed vlan <vlan list, NOT vlan 1>

switchport mode trunk

mls qos trust cos

no shut

! ********************

! * Always disable interface VLAN 1

! ********************

interface Vlan1

no ip address

shutdown

! ***************************************************************

! * Layer 3 Vlan Interfaces No HSRP

! * Enable PIM on the interface

! * Do Not enable PIM on VOICE vlans

! ***************************************************************

interface vlan <vlan Number>

ip address <IP Address> <Netmask>

ip helper-address <helper address>

no ip redirects

no ip directed-broadcast

ip pim sparse-dense-mode

no shut

! ***************************************************************

! Use the configurations below for configuring HSRP

! ***************************************************************

! * Layer 3 Interfaces (Primary HSRP)

! ***************************************************************

! * Enable PIM on the interface

! * Configure the standby HSRP IP address

! * Configure the HSRP timers 1 & 3 respectively

! * Configure the HSRP priority (115) & premept delay (15)

! * Configure interface tracking for HSRP

! * Do Not enable PIM on VOICE vlans

! ***************************************************************

interface vlan <vlan Number>

ip address <ip address> <netmask>

ip helper-address <helper address>

no ip redirects

no ip directed-broadcast

ip pim sparse-dense-mode

standby <group number> ip <HSRP address>

standby <group number> timers 1 3

standby <group number> priority 115 preempt delay 15

standby <group number> track <uplink interface> 20

no shut

! ***************************************************************

! * Layer 3 Interfaces (HSRP Standby)

! ***************************************************************

! * Enable PIM on the interface

! * Configure the standby HSRP IP address

! * Configure the HSRP timers 1 & 3 respectively

! * Configure the HSRP priority

! * Configure interface tracking for HSRP

! * Do Not enable PIM on VOICE vlans

! ***************************************************************

interface vlan <vlan Number>

ip address <ip address> <netmask>

ip helper-address <helper address>

no ip redirects

no ip directed-broadcast

ip pim sparse-dense-mode

standby <group number> ip <HSRP address>

standby <group number> timers 1 3

standby <group number> priority 100 preempt delay 15

standby <group number> track <uplink interface> 20

no shut

! ***************************************************************

! * Set the syslog server

! * Disable the HTTP server for web management

! ***************************************************************

logging trap debugging

no ip http server

logging <logging server IP address>

! ********************

! * Set SNMP system variables

! ********************

snmp-server community <Read-Only String> RO

snmp-server location <site/building>

snmp-server contact <contact-name>

snmp-server enable traps

snmp-server ifindex persist

no snmp-server enable traps syslog

no snmp-server chassis-id

snmp-server trap-source vlan <management vlan>

no snmp-server enable traps snmp authentication

! ********************

! * Configure the tacacs+ servers

! ********************

tacacs-server host <Primary tacacs server IP>

tacacs-server host <Secondary tacacs server IP>

tacacs-server timeout 10

tacacs-server key <tacacs key>

! ********************

! * Set the Banner exactly as shown below

! ********************

Banner motd ^

THIS IS A PRIVATE COMPUTER SYSTEM --- USAGE MAY BE

MONITORED AND UNAUTHORIZED ACCESS OR USE MAY RESULT

IN CRIMINAL OR CIVIL PROSECUTION

! ********************

! * Configure timeout timers and login passwords on all available

! * console and vty lines

! ********************

line con 0

exec-timeout 10 0

password <password>

logg sync

line vty 0 15

exec-timeout 20 0

password <password>

transport input telnet

logg sync

! ********************

! * Configure SSH if correct code

! * Use version 2 of SSH if supported

! ********************

ip ssh version 2

line vty 0 15

transport input telnet ssh

crypto key generate rsa

! ********************

! * Set the NTP Server

! ********************

ntp server <local ntp server or pool.ntp.org>

! ********************

! * Configure tacacs+ if using an ACS server, otherwise do not configure

! * Remove ACS auth from console in case of emergency

! ********************

aaa new-model

aaa authentication login no_tacacs enable

aaa authentication login default group tacacs+ enable

aaa authentication enable default group tacacs+ enable

aaa authorization commands 0 default group tacacs+ if-authenticated none

aaa authorization commands 15 default group tacacs+ if-authenticated none

aaa accounting update newinfo

aaa accounting commands 15 default start-stop group tacacs+

line con 0

Cisco Nexus 56128 Configuration Template

August 2, 2015November 23, 2014 by Vince

Here is a quick template to setup a Cisco Nexus 56128 or any other switch in the 5600 series. These are solid 40G switches that offer a ton of features. Fabricpath is used in this template for switch to switch communication. These are also setup as a “Leaf” switch in a spine/leaf two tier design. … Read moreCisco Nexus 56128 Configuration Template

Configure Cisco Nexus Unified Ports

November 20, 2014November 20, 2014 by Vince

The configuration can vary depending on the type of switch you are using, so this is for the Nexus 5600 series, tested on the 56128. Unified ports on this device are available on the modules you can install in the top two slots, they are 24 ports each unified. So you can have a total … Read moreConfigure Cisco Nexus Unified Ports

Setup a VPC correctly on Cisco Nexus Switches with Fabricpath

November 20, 2014November 13, 2014 by Vince

VPC: Virtual Port Channel – this is a port channel that instead of connecting multiple ports only on one switch, you are spreading it over two physical switches. This give more redundancy in most cases. it can be a bit tricky to setup, so here is a config that I have used which seem to … Read moreSetup a VPC correctly on Cisco Nexus Switches with Fabricpath

Cisco Nexus 6004 (5596) Configuration – Fabricpath and Spine

November 20, 2014November 10, 2014 by Vince

Here is a quick template to setup a Cisco Nexus 6004 or 6001 (recently renamed to the 5600 series, so now the 5696). These are solid 40G switches that offer a ton of features. Fabricpath is used in this template for switch to switch communication. These are also setup as a “Spine” switch in a … Read moreCisco Nexus 6004 (5596) Configuration – Fabricpath and Spine