Configure IP Unnumbered on Cisco

For this test I will configure IP Unnumbered on a Cisco Catalyst 6509-E with firmware 12.2(33)SXJ7; on other switches the setup is similar.
IP Unnumbered is useful, for example, when a large network has to be split into several VLANs that keep the same IP addressing, or when public ("white") IPs must be issued in any VLAN through a single gateway.

Connect to the device through the console, telnet or SSH.

Back Up Cisco Catalyst 6500 Configuration

For the test, I sketched a script that automatically backs up the Cisco Catalyst 6509-E configuration.

The script itself:

#!/bin/bash
# Backup CISCO config
# The subshell's output is piped into telnet as keystrokes; the sleeps give the switch time to answer each prompt
(
sleep 5
echo "user"
sleep 4
echo "password"
sleep 4
echo "copy running-config tftp:"
sleep 2
echo ""
sleep 2
echo "cisco.cfg"
sleep 6

echo "exit"
) | telnet
# Move the uploaded file out of the TFTP root into a date-stamped archive copy
mv /srv/tftp/cisco.cfg /backups/devices/cisco/`date +%Y-%m-%d`_cisco.cfg

# Remove archived copies older than 30 days
find /backups/devices/cisco/ -type f -mtime +30 -exec rm {} \;

Save the script to a file and schedule it in cron by adding the following line to /etc/crontab:

0 2 * * * root /backups/scripts/ > /dev/null 2>&1

The file can be opened, for example, in the nano text editor (Ctrl+X to exit, then y/n to save or discard changes):

sudo nano /etc/crontab

The script connects to the switch via telnet and copies the configuration to the TFTP server, then moves the file to a convenient directory for storage.
The last line of the script deletes files older than 30 days.
For how to start a TFTP server, see my articles: Installing and Configuring a TFTP Server in Ubuntu or Starting a TFTP server in Windows.
See also: Using and configuring CRON.
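As an added example (not the article's script), the archive-and-prune step in Python with the check the shell version lacks: it refuses to archive a missing, empty or non-config upload, which is what remains in the TFTP root when the scripted telnet login failed or the copy prompt timed out, so a failed run never replaces a good copy. The file names and the 30-day retention mirror the script above; the directories are whatever you pass in.

```python
"""Archive the TFTP-uploaded switch config and prune old copies, with sanity checks."""
import shutil
import time
from datetime import date
from pathlib import Path
from typing import List, Optional


def archive_config(tftp_file: Path, archive_dir: Path,
                   today: Optional[date] = None) -> Path:
    """Move the uploaded file into archive_dir as YYYY-MM-DD_<name> and return the new path.

    Unlike a bare mv, this refuses a missing or empty upload (a failed telnet session) and
    a file that does not look like an IOS config (for example an error message saved by
    the TFTP server), so a failed backup run is reported instead of archived.
    """
    if not tftp_file.is_file() or tftp_file.stat().st_size == 0:
        raise RuntimeError(f"backup failed: {tftp_file} is missing or empty")
    text = tftp_file.read_text(errors="replace")
    # An IOS running-config always carries a 'version X.Y' line near the top
    if not any(line.startswith("version ") for line in text.splitlines()):
        raise RuntimeError(f"backup failed: {tftp_file} does not look like an IOS config")
    today = today or date.today()
    archive_dir.mkdir(parents=True, exist_ok=True)
    dest = archive_dir / f"{today:%Y-%m-%d}_{tftp_file.name}"
    shutil.move(str(tftp_file), str(dest))
    return dest


def prune_old(archive_dir: Path, retention_days: int = 30,
              now: Optional[float] = None) -> List[Path]:
    """Delete archived copies whose mtime is older than retention_days (like find -mtime +N)."""
    now = time.time() if now is None else now
    cutoff = now - retention_days * 86400
    removed: List[Path] = []
    for path in sorted(archive_dir.iterdir()):
        if path.is_file() and path.stat().st_mtime < cutoff:
            path.unlink()
            removed.append(path)
    return removed


if __name__ == "__main__":
    # Same paths as the shell script; assumed to exist on the backup host
    saved = archive_config(Path("/srv/tftp/cisco.cfg"), Path("/backups/devices/cisco"))
    print("archived", saved, "pruned", prune_old(Path("/backups/devices/cisco")))
```

Run it from the same cron entry in place of the mv and find lines; a non-zero exit (the RuntimeError) is what tells cron, and you, that the telnet session did not produce a configuration.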

Configuring ports in Cisco switches

For this test I will configure ports on a Cisco Catalyst 6509-E.

An example of configuring an access port (traffic goes only over the one specified VLAN, untagged):

interface GigabitEthernet1/1
description TEXT
switchport access vlan 226
switchport mode access
no shutdown

An example of configuring a trunk port (traffic goes over one or more VLANs, tagged only):

interface GigabitEthernet1/2
description TEXT
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 207,228
switchport mode trunk
no shutdown

And the third option, a hybrid port (untagged traffic on one native VLAN plus tagged traffic on one or more VLANs):

interface GigabitEthernet1/3
description TEXT
switchport trunk encapsulation dot1q
switchport trunk native vlan 226
switchport trunk allowed vlan 207,226
switchport mode trunk
no shutdown

To specify parameters for several ports at once:

interface range GigabitEthernet1/1-24

To prevent a port from automatically negotiating access or trunk mode with the connected device (DTP):

interface range GigabitEthernet1/1-24
switchport nonegotiate

Blocking third-party DHCP on Cisco via DHCP Snooping

For this test I configure DHCP Snooping on the Cisco Catalyst 6509-E to block third-party (rogue) DHCP servers; on other Cisco switches the configuration is basically the same.

After connecting to the device, go straight into configuration mode:


Configuring HTTP on Cisco

Connect to the Cisco switch and go into elevated privilege mode:


Now go into the configuration mode:

configure terminal

Enable HTTP:

ip http server
ip http authentication local

If necessary, you can disable HTTP and HTTPS as follows:

no ip http server
no ip http secure-server

Add a user if it does not exist:

username NAME privilege 15 secret PASSWORD

To allow HTTP access only from certain IPs, first check which access lists already exist on the switch:

show access-list
show ip access-lists
configure terminal

If the required rule does not exist, create it:

access-list 10 permit
access-list 10 permit

Apply the rule to HTTP:

ip http access-class 10

To remove it:

no ip http access-class 10
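Added example, not from the article or from Cisco: a small Python evaluator for the numbered standard ACL that `ip http access-class` applies. It parses a constructed running-config excerpt (the addresses are assumptions; the article's own lines carry no addresses), applies Cisco's matching rules (first match wins, a wildcard 1 bit means "don't care", a bare address means a single host, and an ACL with no match ends in an implicit deny) and reports whether the web interface is reachable from a given source. The case the check is really for is the one before `ip http access-class 10` is applied: HTTP on with no access-class accepts any source.

```python
"""Evaluate a Cisco numbered standard ACL as applied with `ip http access-class`."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed running-config excerpt; the addresses are assumptions, not from the article
SAMPLE_CONFIG = """\
ip http server
ip http authentication local
ip http access-class 10
access-list 10 remark management stations
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 10 permit host 10.20.30.40
access-list 10 permit 10.20.30.50
"""

Entry = Tuple[str, int, int]  # (action, address bits, wildcard bits)


def parse_standard_acl(config: str, number: int) -> List[Entry]:
    """Collect the entries of access-list <number> in configured order."""
    entries: List[Entry] = []
    for raw in config.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[:2] != ["access-list", str(number)]:
            continue
        action, rest = parts[2], parts[3:]
        if action == "remark":
            continue
        if action not in ("permit", "deny"):
            raise ValueError(f"unexpected ACL line: {raw}")
        if rest[0] == "any":
            addr, wild = 0, 0xFFFFFFFF
        elif rest[0] == "host":
            addr, wild = int(ipaddress.IPv4Address(rest[1])), 0
        else:
            addr = int(ipaddress.IPv4Address(rest[0]))
            # A bare address without a wildcard mask means a single host (wildcard 0.0.0.0)
            has_mask = len(rest) > 1 and rest[1] != "log"
            wild = int(ipaddress.IPv4Address(rest[1])) if has_mask else 0
        entries.append((action, addr, wild))
    return entries


def acl_permits(entries: List[Entry], source_ip: str) -> bool:
    """First match wins; with no match the ACL's implicit deny applies."""
    src = int(ipaddress.IPv4Address(source_ip))
    for action, addr, wild in entries:
        # A 1 bit in the wildcard mask means "don't care", so compare only the 0 bits
        if ((src ^ addr) & ~wild & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False


def http_access_summary(config: str) -> Dict[str, object]:
    """Report whether HTTP/HTTPS management is on and which access-class guards it."""
    lines = {line.strip() for line in config.splitlines()}
    acl: Optional[int] = None
    for line in lines:
        if line.startswith("ip http access-class "):
            acl = int(line.split()[-1])
    return {"http": "ip http server" in lines,
            "https": "ip http secure-server" in lines,
            "access_class": acl}


def management_allowed(config: str, source_ip: str) -> bool:
    """True if the web interface is enabled and reachable from source_ip.

    No access-class at all means every source is accepted; that is the state
    the `ip http access-class 10` command above is meant to close.
    """
    summary = http_access_summary(config)
    if not (summary["http"] or summary["https"]):
        return False
    if summary["access_class"] is None:
        return True
    return acl_permits(parse_standard_acl(config, summary["access_class"]), source_ip)


if __name__ == "__main__":
    for ip in ("192.168.10.77", "10.20.30.41", "172.16.0.1"):
        print(ip, "allowed" if management_allowed(SAMPLE_CONFIG, ip) else "denied")
```

Feed it the output of `show running-config` to confirm that a management station is still permitted before you apply the access-class on a remote switch; `show ip access-lists` then shows the per-entry hit counts once traffic is flowing.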

If you need to limit the number of login attempts:

ip admission max-login-attempts 5
show ip admission configuration

Exit configuration mode and save the configuration:


Using third-party SFP modules in Cisco switches

Suppose a third-party module is connected to the first SFP port; to view information about it:

show idprom int GigabitEthernet 1/1

In my case, on the Cisco Catalyst 6509-E, very many ports with third-party SFP modules turned off after some time, and the logs said that the module was not supported.

Now go into the configuration mode:

config t

Then make sure the interfaces are not disabled when third-party SFP modules are inserted by entering the following commands:

service unsupported-transceiver
no errdisable detect cause sfp-config-mismatch
no errdisable detect cause gbic-invalid

After that, everything worked well.

Configuring Protected Ports on Cisco

For this test I will configure a Cisco Catalyst WS-C3750-48TS-S.

So, all ports are configured as access ports except the first Gigabit uplink port, which is configured as a trunk and receives the Internet on the tagged client VLAN.
We need all the other ports on this switch not to see each other, but only the first Gigabit uplink port.

To do this, connect to the switch and go into the configuration mode:

configure terminal

Then issue the switchport protected command on all access ports:

interface range fastEthernet 1/0/1-48
switchport protected
interface range gigabitEthernet 1/0/2-4
switchport protected

Save the configuration:


Note that we did not touch interface gigabitEthernet 1/0/1.
Now the ports on which switchport protected is configured cannot see each other; they see only the ports without the command, which in our case is the first Gigabit uplink port, and that port sees all the ports, with the command and without.

Port information can be viewed with:

show interfaces NAME switchport

To view the full configuration:

show running-config
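Added example, not from the article or from Cisco: a Python audit of a `show running-config` excerpt that ties together the port-mode section (access, trunk, hybrid, `switchport nonegotiate`) and the protected-port layout just described. It splits the config into interface blocks, classifies each port the way the port section defines them, and flags ports that can still negotiate their mode, non-uplink ports that are not protected, and an uplink that was protected by mistake (which, as explained above, would cut the protected ports off from their only allowed neighbour). The config excerpt, interface names and uplink list are constructed assumptions.

```python
"""Audit switchport settings in a Cisco IOS running-config excerpt."""
from typing import Dict, List, Sequence, Tuple

# Constructed `show running-config` excerpt; interface names and VLANs are assumptions
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/0/1
 description UPLINK
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 207,228
 switchport mode trunk
 switchport nonegotiate
!
interface FastEthernet1/0/1
 switchport access vlan 226
 switchport mode access
 switchport protected
 switchport nonegotiate
!
interface FastEthernet1/0/2
 switchport access vlan 226
 switchport mode access
!
interface FastEthernet1/0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 226
 switchport trunk allowed vlan 207,226
 switchport mode trunk
 switchport protected
!
interface FastEthernet1/0/4
 description SPARE
 switchport protected
!
"""

Finding = Tuple[str, str]  # (interface name, finding code)


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each interface name to its indented configuration lines, in file order."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    return interfaces


def classify(lines: Sequence[str]) -> str:
    """access, trunk, hybrid (trunk with an explicit native VLAN) or dynamic (no mode set)."""
    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
    if mode == "access":
        return "access"
    if mode == "trunk":
        native = any(l.startswith("switchport trunk native vlan ") for l in lines)
        return "hybrid" if native else "trunk"
    return "dynamic"


def audit(config: str, uplinks: Sequence[str] = ()) -> List[Finding]:
    """Flag ports that can still negotiate their mode and protected-port layout mistakes."""
    findings: List[Finding] = []
    for name, lines in parse_interfaces(config).items():
        if "switchport nonegotiate" not in lines:
            findings.append((name, "no-nonegotiate"))    # DTP can still negotiate a trunk
        if classify(lines) == "dynamic":
            findings.append((name, "no-mode"))           # mode left to negotiation
        protected = "switchport protected" in lines
        if name in uplinks and protected:
            findings.append((name, "uplink-protected"))  # protected ports would lose the uplink
        if name not in uplinks and not protected:
            findings.append((name, "not-protected"))     # can reach the other client ports
    return findings


if __name__ == "__main__":
    for name, lines in parse_interfaces(SAMPLE_CONFIG).items():
        print(f"{name:22} {classify(lines)}")
    for name, code in audit(SAMPLE_CONFIG, uplinks=("GigabitEthernet1/0/1",)):
        print(f"{name:22} {code}")
```

Pass the uplink names explicitly: the audit cannot tell an uplink from a client port by its configuration alone, and the first Gigabit port above is an uplink only because the wiring says so.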

