Wednesday, 31 August 2011

Installation of Webserver in UBUNTU


1. Introduction
· We’re going to install the Ubuntu Server operating system.
· We’re going to install an OpenSSH server. This allows you to administer your server from remote computers.
· A LAMP (Linux, Apache, MySQL, and PHP) stack is going to be installed.
· In order to follow this tutorial, you’re going to need a few items:
· A computer to use as your server. It doesn’t need to be powerful; as long as it’s not ancient, it’ll work fine.
· A CD burner and a blank CD. These are so that you can burn Ubuntu to a disk in order to install it.

2. Download Ubuntu Server
Now you need to burn the ISO (the file that you downloaded) to a blank CD.


3. Install Ubuntu Server

Now that you’ve downloaded and burned the ISO, let’s get Ubuntu installed on your server. Put the disk in the drive, and boot from the CD. In most modern computers, this will happen by default if a disk is in the drive when you turn it on. If it doesn’t, then you need to press a key on your keyboard right when you turn it on. For my laptop, it’s F12, and for my server, it’s F2. It just depends on your computer.

Select your language, and hit enter. Now you’ll see this screen:
Select “Install Ubuntu Server”, and away we go!

The installer will now ask you if you want it to detect your keyboard layout. Personally, I always choose no, because
it’s faster to select a standard American keyboard from the list than to have the installer detect it. Either option is fine;
just follow the on-screen instructions.
After you’ve done that, you’ll now see a bunch of loading screens saying things like “Detecting CD-ROM drives” and such.
These should pass quickly and without problems. However, during these screens, the installer will try to auto-configure your
network settings. For most cases, this will work without complaint. However, if it doesn’t work for you, just follow the
on-screen instructions to get it working.

After it’s done with all of that, it will ask you for a host name. You can usually set this to anything; I always set
mine to “web-server”.



The system will now want you to set the time zone for your clock. For me, it’s Pacific. Choose the one that applies to
you.

Now, the system will detect more hardware, and you’ll be prompted to “partition the disk(s)”. Select “Guided – use entire
disk”.

You will now need to select the disk you wish to partition. For most setups, only one disk will be available; however,
for more specialized systems, more options will be available here. Choose the one that applies to you.

It will ask you if you want to write the changes to the disk. Select “Yes” and hit enter. The installer will now proceed
to format the drive and set up the partitions.

Now the magic happens. The system will begin to install. While this happens, go get a cup of coffee. This can take anywhere
from 10 minutes to an hour. It just depends on your system. There might be times that it seems like it’s frozen; don’t worry,
it isn’t. Just let it do its thing. However, if it’s stuck on one thing for upwards of an hour, then yes, it is frozen.

Now that the system is installed, it needs to set up the account you are going to login with. First, give it your full
name and hit “Continue”.

Now give it your username. It will normally just set it as your first name,
but you can change it. One name you may not use is “root”.

The system will now attempt to configure the “Package Manager” (we’ll get to what that is shortly). Provide it with your
proxy information, or leave it blank if you don’t use a proxy, and select “Continue”.

The system will now scan several servers looking for updates and configuration settings.
After that has completed, you will be presented with several options to install server software. Now, listen VERY carefully.
Select OpenSSH server, and press SPACE, NOT ENTER. If you hit enter, the install will proceed without installing the OpenSSH server.

You could install “LAMP server” as well, but I have no experience with this option, so we’re going to install it all with a different
command later on.

The system will now install your selected software, as well as other system components.

Finally, the install will finish. Remove the CD, and hit enter. The computer will reboot. If all goes well, you will be
presented with a screen that looks similar to the following:

Congratulations! You’ve just finished the hardest part. Ubuntu is now installed, and it is time to turn this computer into
a web server.

4. Update Your New Server

Before we go any further, we need to make sure your server is up-to-date. To do this, you need to login. First, type your username
(the one you chose earlier), press enter, and then type your password. As you’re typing your password, you’ll notice that nothing
seems to be happening. Don’t worry, that’s the way it was designed to work. After you’ve finished typing your password, hit enter,
and your screen should look similar to the one below if all went well:

Now, type:

sudo aptitude update && sudo aptitude dist-upgrade

It will ask you for you password, and again, you won’t see anything as you’re typing it. After you’ve done that, it will ask you if
you want to continue. Type “y” and press enter. Your screen will look similar to the following:

Your system will now download and install all the latest updates. This will take a while depending on your internet connection. After
it has finished, your computer will need to be rebooted. To do this, type:

sudo shutdown -r now

And let it reboot. Your server is now completely updated.

5. Install Apache, MySQL, and PHP

It is now time to install some programs. In order to access your sites from the internet, we’re going to need to install a web server (Apache). In addition to the web server, we’ll
also want a database server (MySQL) and a server-side language (PHP) so that we can run popular applications such as WordPress. So,
let’s get to it!

Installing programs on Ubuntu is a lot different than installing programs on Windows or
OS X, in that Ubuntu will download and install the programs for you with a simple command. This is because Ubuntu has something called
a Package Manager, which manages nearly all the programs on your system. All we have to do is tell the package manager
(called “aptitude”) that we want it to install Apache, MySQL, and PHP. To do this, type the following command:

sudo aptitude install apache2 php5-mysql libapache2-mod-php5 mysql-server

And press enter. Aptitude will download and install all of the programs you specified. It will also download and install any
dependencies.

During the install process, MySQL will ask you for a root password. You can set this to anything, just be sure you make it long and secure.
Whatever you do, DO NOT leave this blank.

After that has all finished, you now have a fully working web server. To test it out, first find your server’s IP by typing:

ifconfig | grep inet



It’s usually the first IP returned. In my case, it’s 192.168.177.129. Now that you know the IP, open your web browser and point it
to your server IP. If you see the “It works!” message, then congratulations, it works.

However, we’re not done yet. We don’t want Apache or PHP to disclose any information about themselves, as this information is not needed
by your users and could pose a security risk. First, back up the original Apache configuration file:

sudo cp /etc/apache2/apache2.conf /etc/apache2/apache2.conf.bak

Now open the configuration file:

sudo nano /etc/apache2/apache2.conf

Scroll down (down arrow) to where it says “ServerTokens Full” and change it to read “ServerTokens Prod”.

Now, scroll down a little further and change “ServerSignature On” to “ServerSignature Off”.

Finally, press Control-O followed by Control-X. That will save the file and exit the text editor.

Now, we need to do the same thing for PHP. First, back up the original PHP configuration file:

sudo cp /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini.bak

Open the configuration file:

sudo nano /etc/php5/apache2/php.ini

Change “expose_php = On” to “expose_php = Off”.

Again, press Control-O followed by Control-X. Now that the configuration files are updated, restart Apache:

sudo /etc/init.d/apache2 restart

You are done setting up Apache, MySQL, and PHP.
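To confirm that the three edits above actually took effect, here is an added example (not from the original post) that parses apache2.conf and php.ini text for ServerTokens, ServerSignature and expose_php, reports anything still disclosing version information, and rewrites the values. The config snippets inside it are constructed samples, not the files from your server.

```python
"""Audit of the Apache and PHP information-disclosure settings this tutorial
changes (ServerTokens, ServerSignature, expose_php), run over config text.
Added example for this page, not part of the original post."""
import re

# Constructed sample of the relevant apache2.conf lines as shipped (before editing).
APACHE_CONF_BEFORE = """\
# ServerTokens
# This directive configures what you return as the Server HTTP response Header.
ServerTokens Full

# Optionally add a line containing the server version and virtual host name
# to server-generated pages.
ServerSignature On
"""

# Constructed sample of the relevant php.ini lines as shipped.
PHP_INI_BEFORE = """\
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header).
expose_php = On
"""

# The values the tutorial sets. Apache directive names and On/Off values are
# case-insensitive, so they are compared in lower case; php.ini keys are not.
WANTED_APACHE = {"ServerTokens": "Prod", "ServerSignature": "Off"}
WANTED_PHP = {"expose_php": "Off"}


def parse_apache_directives(text):
    """Map lower-cased directive name -> last value seen, skipping # comments.

    Apache honours the last occurrence of a directive at a given scope, so a
    later 'ServerTokens Full' would override an earlier 'ServerTokens Prod'.
    """
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            found[parts[0].lower()] = parts[1].strip()
    return found


def parse_php_ini(text):
    """Map php.ini key -> value, skipping ; comments and [section] headers."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            found[key.strip()] = value.strip().strip('"')
    return found


def _check(name, got, want, findings):
    if got is None:
        findings.append(f"{name} is not set, relying on the compiled-in default")
    elif got.lower() != want.lower():
        findings.append(f"{name} is '{got}', expected '{want}'")


def audit(apache_text, php_text):
    """Return a list of findings; an empty list means both files are hardened."""
    findings = []
    apache = parse_apache_directives(apache_text)
    for directive, want in WANTED_APACHE.items():
        _check(directive, apache.get(directive.lower()), want, findings)
    php = parse_php_ini(php_text)
    for key, want in WANTED_PHP.items():
        _check(key, php.get(key), want, findings)
    return findings


def harden(apache_text, php_text):
    """Rewrite the three directives to the tutorial's values, leaving comment lines alone."""
    apache_text = re.sub(r"(?im)^([ \t]*ServerTokens)[ \t]+\S+", r"\1 Prod", apache_text)
    apache_text = re.sub(r"(?im)^([ \t]*ServerSignature)[ \t]+\S+", r"\1 Off", apache_text)
    php_text = re.sub(r"(?m)^([ \t]*expose_php[ \t]*=[ \t]*)\S+", r"\1Off", php_text)
    return apache_text, php_text


if __name__ == "__main__":
    for finding in audit(APACHE_CONF_BEFORE, PHP_INI_BEFORE):
        print("FINDING:", finding)
    fixed_apache, fixed_php = harden(APACHE_CONF_BEFORE, PHP_INI_BEFORE)
    print("after hardening:", audit(fixed_apache, fixed_php) or "no findings")
```

On a real server, read the two files from the paths given above and pass their contents to audit() before and after the edit.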

6. Install a Firewall

We now are going to lock down our server a bit more by installing Shorewall, a command-line firewall. To install it:

sudo aptitude install shorewall

By default, Shorewall is installed with no rules, allowing complete access. However, this is not the behavior we want.
Instead, we’re going to block all connections to anything other than port 80 (HTTP) and port 22 (SSH). First, copy the configuration
files to the Shorewall directory:

sudo cp /usr/share/doc/shorewall-common/examples/one-interface/* /etc/shorewall/

Now, open the “rules” file:

sudo nano /etc/shorewall/rules

Add these lines above where it says “#LAST LINE”:

HTTP/ACCEPT net $FW
SSH/ACCEPT net $FW


Then press Control-O and Control-X. Your firewall is now configured to only accept HTTP and SSH traffic. The last thing we need to
do is tell Shorewall to start on boot. So, open up the main Shorewall configuration file:

sudo nano /etc/shorewall/shorewall.conf

Scroll down to “STARTUP_ENABLED=No” and set it to “STARTUP_ENABLED=Yes”.

Press Control-O and Control-X. Now, open the Shorewall default configuration file:

sudo nano /etc/default/shorewall

And change “startup=0” to “startup=1”. Press Control-O and Control-X. Finally, start your firewall:

sudo /etc/init.d/shorewall start
Congratulations! Your firewall is now set up and protecting your server.

7. Add Your Website to Your Web Server

Now that you’ve got everything all set up, you’d probably like to add a website to it. By default, all of the files Apache serves
up to the internet are located at “/var/www/”. However, you cannot write to this folder. Let’s make it so you can:

sudo usermod -a -G www-data [YOUR USERNAME]

sudo chown -R www-data:www-data /var/www

sudo chmod -R 775 /var/www

What happened there was you added yourself to the “www-data” group, and made the website folder writable to the members of the “www-data”
group.

Cheers!

You now have a completely functioning web server. It makes for a great testing ground, and would even be suitable to host websites with fairly
low traffic. There is obviously a lot left to be learned, but hopefully you have gained a little insight into how web servers work.



GVRP


·         Generic Attribute Registration Protocol (GARP) VLAN Registration Protocol (GVRP) is an application defined in the IEEE 802.1Q standard that allows for the control of VLANs.
·         GVRP runs only on 802.1Q trunk links.
·         GVRP prunes trunk links so that only active VLANs will be sent across trunk connections.
·         GVRP expects to hear join messages from the switches before it will add a VLAN to the trunk.
·         GVRP updates and hold timers can be altered.
·         GVRP ports run in various modes to control how they will prune VLANs.
·         GVRP can be configured to dynamically add and manage VLANs in the VLAN database for trunking purposes.

Configuring GVRP

GVRP is supported only on COS switches. GVRP will run only on 802.1Q trunk ports and is used primarily to prune traffic from VLANs that do not need to be passed between trunking switches. Use the following steps to configure GVRP.
1.      Enable GVRP globally:
COS set gvrp enable

2.      By default GVRP is not enabled for the switch. You must first enable GVRP on the switch before you can configure the 802.1Q ports for GVRP operation.
3.      Configure the port for 802.1Q operation:
COS set trunk mod/port [auto | desirable | on ] dot1q

4.      GVRP will run only on ports that are configured for 802.1Q trunking. See section "6-3: Trunking" for more information on trunking.
5.      Configure the port GVRP:
COS set port gvrp mod/port enable

6.      This command enables GVRP on the individual 802.1Q trunk port. GVRP must be configured on both sides of the trunk to work correctly.
7.      (Optional) Configure the port registration mode:
COS set gvrp registration [normal | fixed | forbidden] mod/port

8.      By default GVRP ports are in normal registration mode. These ports use GVRP join messages from neighboring switches to prune the VLANs running across the 802.1Q trunk link. If the device on the other side is not capable of sending GVRP messages, or if you do not want to allow the switch to prune any of the VLANs, use the fixed mode. Fixed mode ports will forward for all VLANs that exist in the switch database. Ports in forbidden mode forward only for VLAN 1.

Configuring GVRP for Dynamic VLAN Creation

Like VTP, GVRP can dynamically create VLANs on switches for trunking purposes. By enabling GVRP dynamic VLAN creation, a switch will add VLANs to its database when it receives GVRP join messages about VLANs it does not have.
1.      (Optional) Enable dynamic VLAN creation:
COS set gvrp dynamic-vlan-creation enable

2.      Dynamic VLAN creation is configured on a switch-by-switch basis. GVRP does not synchronize between switches, but only adds VLANs on devices that have dynamic creation enabled in order to pass traffic between trunks. To enable dynamic VLAN creation, all the trunk ports on the switch have to be 802.1Q and they all must be GVRP-enabled ports. If the switch has any non-802.1Q trunk ports or if the 802.1Q ports that exist are not configured for GVRP, this feature will not be enabled. VLANs will be added only for join messages received across a normal registration port. You must also have configured VTP in transparent or off mode, because VTP and dynamic VLAN creation cannot both be enabled at the same time.
3.      The trunk ports 15/1 and 16/1 on a 5000 or 6000 series switch do not count as ISL trunks when enabling dynamic-vlan-creation and will not prevent the function from operating.

Verifying GVRP Operation

After you have configured GVRP, use the following command to verify operation:
COS show gvrp configuration

Feature Example

In this example, the switch Access_1 is connected to Distribution_1 via an 802.1Q trunk. Distribution_1 is also connected to Core_1 via an 802.1Q trunk. GVRP is enabled on both the distribution and core switches and on each GVRP port on those switches. Dynamic VLAN creation has also been enabled on the switches, and the port from Distribution_1 to Access_1 has been set to GVRP fixed mode because the Access_1 device will not send join messages and the distribution switch would prune all VLANs if it were in the normal default mode.
Network Diagram for GVRP Configuration on Access_1, Distribution_1, and Core_1
An example of the Catalyst OS configuration for Core_1 follows:
Core_1 (enable)>set vtp mode transparent
Core_1 (enable)>set trunk 1/1 on dot1Q
Core_1 (enable)>set gvrp enable
Core_1 (enable)>set port gvrp 1/1 enable
Core_1 (enable)>set gvrp dynamic-vlan-creation enable
An example of the Catalyst OS configuration for Distribution_1 follows:
Distribution_1 (enable)>set vtp mode transparent
Distribution_1 (enable)>set trunk 1/1 on dot1q
Distribution_1 (enable)>set trunk 2/1 on dot1q
Distribution_1 (enable)>set gvrp enable
Distribution_1 (enable)>set port gvrp 1/1 enable
Distribution_1 (enable)>set port gvrp 2/1 enable
Distribution_1 (enable)>set gvrp registration fixed 2/1
Distribution_1 (enable)>set gvrp dynamic-vlan-creation enable
An example of the Layer 2 IOS configuration for Access_1 follows:
Access_1 #config t
Access_1 (config)#interface gigabitethernet 0/1
Access_1 (config-if)#switchport mode trunk
Access_1 (config-if)#switchport trunk encapsulation dot1Q
Access_1 (config-if)#end
Access_1#copy running-config startup-config

C. Trunking


·         VLANs are local to each switch's database, and VLAN information is not passed between switches.
·         Trunk links provide VLAN identification for frames traveling between switches.
·         Cisco switches have two Ethernet trunking mechanisms: ISL and IEEE 802.1Q.
·         Certain types of switches can negotiate trunk links.
·         Trunks carry traffic from all VLANs to and from the switch by default but can be configured to carry only specified VLAN traffic.
·         Trunk links must be configured to allow trunking on each end of the link.

Enabling Trunking

Trunk links are required to pass VLAN information between switches. A port on a Cisco switch is either an access port or a trunk port. Access ports belong to a single VLAN and do not provide any identifying marks on the frames that are passed between switches. Access ports also carry traffic that comes from only the VLAN assigned to the port. A trunk port is by default a member of all the VLANs that exist on the switch and carries traffic for all those VLANs between the switches. To distinguish between the traffic flows, a trunk port must mark the frames with special tags as they pass between the switches. Trunking is a function that must be enabled on both sides of a link. If two switches are connected together, for example, both switch ports must be configured for trunking, and they must both be configured with the same tagging mechanism (ISL or 802.1Q).
To enable trunking between the switches, use the following steps:
1.      Enable trunking on a port.
a.       Enable the trunk:
COS set trunk mod/port [auto | desirable | on | nonegotiate | off]
IOS (global) interface type mod/port
(interface) switchport mode dynamic [auto | desirable]
(interface) switchport mode trunk
(interface) switchport nonegotiate

b.      The most basic way to configure a trunk link is using the option on. This option enables the trunk and requires that you also specify a tagging mechanism for the trunk. For IOS devices, the command switchport mode trunk is equivalent to the set trunk mod/port on command. When specifying the option on, you must also choose a tagging mechanism (see Step 1b).
c.       Some IOS switches do not support Dynamic Trunking Protocol. For these switches, the only command that you can use to configure trunking is switchport mode trunk, which essentially turns trunking on.
d.      Many Cisco switches employ an automatic trunking mechanism known as the Dynamic Trunking Protocol (DTP), which allows a trunk to be dynamically established between two switches. All COS switches and integrated IOS switches can use the DTP protocol to form a trunk link. The COS options auto, desirable, and on and the IOS options of dynamic auto, dynamic desirable, and trunk configure a trunk link using DTP. If one side of the link is configured to trunk and will send DTP signals, the other side of the link will dynamically begin to trunk if the options match correctly.
e.       If you want to enable trunking and not send any DTP signaling, use the option nonegotiate for switches that support that function. If you want to disable trunking completely, use the off option for a COS switch or the no switchport mode trunk command on an IOS switch.
f.       Table 6-2 shows the DTP signaling and the characteristics of each mode.
g.      It is important to remember that not all switches support DTP and might not establish a trunk without intervention. Also remember that DTP offers no benefit when you are trunking with a non-Cisco switch. To eliminate any overhead associated with DTP, it is useful to use the nonegotiate option when DTP is not supported.
h.      When enabling trunking, it is not possible to specify a range of ports.

i.        Table 6-2 Trunking Mode Characteristics

COS = on
IOS = mode trunk
Trunking is on for these links. They will also send DTP signals that attempt to initiate a trunk with the other side. This will form a trunk with other ports in the states on, auto, or desirable that are running DTP. A port that is in on mode always tags frames sent out the port.

COS = desirable
IOS = mode dynamic desirable
These links would like to become trunk links and will send DTP signals that attempt to initiate a trunk. They will only become trunk links if the other side responds to the DTP signal. This will form a trunk with other ports in the states on, auto, or desirable that are running DTP. This is the default mode for the 6000 running Supervisor IOS.

COS = auto
IOS = mode dynamic auto
These links will only become trunk links if they receive a DTP signal from a link that is already trunking or desires to trunk. This will only form a trunk with other ports in the states on or desirable. This is the default mode for COS switches.

COS = nonegotiate
IOS = mode nonegotiate
Sets trunking on and disables DTP. These will only become trunks with ports in on or nonegotiate mode.

COS = off
IOS = no switchport mode trunk
This option sets trunking and DTP capabilities off. This is the recommended setting for any access port because it will prevent any dynamic establishment of trunk links.

j.        Cisco 2950 and 3500XL switches do not support DTP and are always in a mode similar to nonegotiate. If you turn trunking on for one of these devices, it will not negotiate with the other end of the link and requires that the other link be configured to on or nonegotiate.
k.      Specify the encapsulation method:
COS set trunk mod/port [negotiate | isl | dot1Q]
IOS (global) interface type mod/port
(interface) switchport trunk encapsulation [negotiate | isl | dot1Q]

l.        The other option when choosing a trunk link is the encapsulation method. For Layer 2 IOS switches, such as the 2900XL or the 3500XL, the default encapsulation method is isl. You can change from the default with the switchport trunk encapsulation command. For COS switches or integrated IOS switches, the default encapsulation is negotiate. This method signals between the trunked ports to choose an encapsulation method. (ISL is preferred over 802.1Q.) The negotiate option is valid for auto or desirable trunking modes only. If you choose on as the mode or if you want to force a particular method or if the other side of the trunk cannot negotiate the trunking type, you must choose the option isl or dot1Q to specify the encapsulation method.
m.    Not all switches allow you to negotiate a trunk encapsulation setting. The 2900XL and 3500XL trunks default to isl and you must use the switchport trunk encapsulation command to change the encapsulation type. The 2950 and some 4000 switches support only 802.1Q trunking and provide no options for changing the trunk type.
n.      (Optional) Specify the native VLAN:
COS set vlan number mod/port
IOS (global) interface type mod/port
(interface) switchport trunk native vlan number

o.      For switches running 802.1Q as the trunking mechanism, the native VLAN of each port on the trunk must match. By default all COS ports are in VLAN 1, and the native VLAN on the IOS devices is also configured for VLAN 1, so the native VLANs match. If you choose to change the native VLAN, use the set vlan command for COS switches or the switchport trunk native vlan command for IOS switches to specify the native VLAN. Remember that the native VLAN must match on both sides of the trunk link for 802.1Q; otherwise the link will not work. If there is a native VLAN mismatch, Spanning Tree Protocol (STP) places the port in a port VLAN ID (PVID) inconsistent state and will not forward on the link.
p.      Cisco Discovery Protocol (CDP) version 2 passes native VLAN information between Cisco switches. If you have a native VLAN mismatch, you will see CDP error messages on the console output.
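The DTP mode combinations from Table 6-2, the encapsulation rules and the native VLAN check from steps d through p, modelled as an added example (not Cisco code and not from the original text): given the mode, encapsulation and native VLAN at both ends of a link it reports whether a trunk forms and why it would fail, and it flags access ports that were not set to off. The Port fields and the sample port names are assumptions for illustration.

```python
"""Model of the DTP trunking modes in Table 6-2 and of the trunk-link checks in
"Enabling Trunking". Added example for this page; it is not Cisco code and it
simulates the outcomes the text describes rather than speaking DTP on the wire."""
from dataclasses import dataclass

# One entry per Table 6-2 mode (COS keyword; IOS equivalent in the comment).
#   always_trunks: trunking is forced on whatever the neighbour does
#   runs_dtp:      takes part in DTP signalling at all
#   initiates:     actively sends DTP requests to bring up a trunk
MODES = {
    "on":          dict(always_trunks=True,  runs_dtp=True,  initiates=True),   # switchport mode trunk
    "desirable":   dict(always_trunks=False, runs_dtp=True,  initiates=True),   # switchport mode dynamic desirable
    "auto":        dict(always_trunks=False, runs_dtp=True,  initiates=False),  # switchport mode dynamic auto
    "nonegotiate": dict(always_trunks=True,  runs_dtp=False, initiates=False),  # switchport nonegotiate
    "off":         dict(always_trunks=False, runs_dtp=False, initiates=False),  # no switchport mode trunk
}


@dataclass
class Port:
    """One end of a link; the field names are this example's own, not IOS syntax."""
    name: str
    mode: str = "auto"                # COS default is auto (see Table 6-2)
    encapsulation: str = "negotiate"  # negotiate | isl | dot1q
    native_vlan: int = 1              # 802.1Q native VLAN, VLAN 1 unless changed


def side_trunks(mode, peer_mode):
    """Does a port in `mode` end up trunking when its neighbour is in `peer_mode`?"""
    me, peer = MODES[mode], MODES[peer_mode]
    if me["always_trunks"]:
        return True
    if not (me["runs_dtp"] and peer["runs_dtp"]):
        return False                      # no DTP exchange, so this side stays an access port
    return me["initiates"] or peer["initiates"]   # auto facing auto never trunks


def negotiate(mode_a, mode_b):
    """(a_trunks, b_trunks); unequal values mean a one-sided trunk."""
    return side_trunks(mode_a, mode_b), side_trunks(mode_b, mode_a)


def resolve_encapsulation(port_a, port_b):
    """Tagging method the link ends up with, or None when the fixed choices clash."""
    fixed = {p.encapsulation for p in (port_a, port_b) if p.encapsulation != "negotiate"}
    if not fixed:
        return "isl"                      # both negotiate: ISL is preferred over 802.1Q
    if len(fixed) == 1:
        return fixed.pop()                # a negotiating side follows the fixed side
    return None                           # isl on one end, dot1q on the other


def link_issues(port_a, port_b):
    """Every reason the trunk between two directly connected ports will not work."""
    issues = []
    a_trunks, b_trunks = negotiate(port_a.mode, port_b.mode)
    if not (a_trunks or b_trunks):
        return ["no trunk formed (neither side initiates or forces trunking)"]
    if a_trunks != b_trunks:
        one = port_a.name if a_trunks else port_b.name
        issues.append(f"one-sided trunk: only {one} is trunking")
    for p in (port_a, port_b):
        if p.encapsulation == "negotiate" and p.mode not in ("auto", "desirable"):
            issues.append(f"{p.name}: encapsulation negotiate is valid only with auto or desirable")
    encap = resolve_encapsulation(port_a, port_b)
    if encap is None:
        issues.append("encapsulation mismatch: isl on one end, dot1q on the other")
    elif encap == "dot1q" and port_a.native_vlan != port_b.native_vlan:
        issues.append(f"native VLAN mismatch ({port_a.native_vlan} vs {port_b.native_vlan}): "
                      "STP holds the port PVID-inconsistent")
    return issues


def audit_access_ports(ports):
    """Names of access ports that a DTP-speaking device could still talk into trunking.

    Table 6-2 recommends off for every access port; a port left at the COS
    default (auto) or at dynamic desirable will trunk if the far end initiates.
    """
    return [p.name for p in ports if p.mode != "off"]


if __name__ == "__main__":
    dist = Port("Distribution_1 2/1", "on", "dot1q", 1)
    acc = Port("Access_1 g0/1", "on", "dot1q", 99)   # constructed native VLAN mismatch
    print(link_issues(dist, acc))
    print(audit_access_ports([Port("Access_1 f0/2"), Port("Access_1 f0/3", "off")]))
```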

Specifying VLANs to Trunk

By default a trunk link carries all the VLANs that exist on the switch. This is because all VLANs are active on a trunk link, and as long as the VLAN is in the switch's local database, traffic for that VLAN is carried across the trunks. You can elect to selectively remove and add VLANs from a trunk link. To specify which VLANs are to be added or removed from a trunk link, use the following commands.
1.      (Optional) Manually remove VLANs from a trunk link:
COS clear trunk mod/port vlanlist
IOS (global) interface type mod/port
(interface) switchport trunk allowed vlan remove vlanlist

2.      By specifying VLANs in the vlanlist field of this command, the VLANs will not be allowed to travel across the trunk link until they are added back to the trunk using the command set trunk mod/port vlanlist or switchport trunk allowed vlan add vlanlist.

Verifying Trunks

1.      After configuring a port for trunking, use one of the following commands to verify the VLAN port assignments:
COS show trunk [mod] [mod/port]
IOS (privileged) show interface type mod/port switchport
-OR-
show interfaces trunk
-OR-
show interface [mod] [interface_id] trunk

2.      The commands show interfaces trunk and show interface [mod] [interface_id] trunk are not available on all switches that run IOS.

Feature Example

Network Diagram for Trunk Configuration on Access_1, Distribution_1, and Core_1
An example of the Catalyst OS configuration for Distribution_1 follows:
Distribution_1 (enable)>clear trunk 1/1 2-1001
Distribution_1 (enable)>set trunk 1/1 desirable isl 10
Distribution_1 (enable)>clear trunk 2/1 2-1001
Distribution_1 (enable)>set trunk 2/1 on dot1q 5,8,10
An example of the Catalyst OS configuration for Core_1 follows:
Core_1 (enable)>clear trunk 1/1 2-1001
Core_1 (enable)>set trunk 1/1 10
An example of the Supervisor IOS configuration for Core_1 follows:
Core_1(config)#interface gigabitethernet 1/1
Core_1(config-if)#switchport trunk encapsulation negotiate
Core_1(config-if)#switchport mode dynamic auto
Core_1(config-if)#switchport trunk allowed vlan remove 2-1001
Core_1(config-if)#switchport trunk allowed vlan add 10
Core_1 (config-if)#end
Core_1#copy running-config startup-config
An example of the Layer 2 IOS configuration for Access_1 follows:
Access_1 (config)#interface gigabitethernet 0/1
Access_1 (config-if)#switchport mode trunk
Access_1 (config-if)#switchport trunk encapsulation dot1q
Access_1 (config-if)#switchport trunk allowed vlan remove 2-1001
Access_1 (config-if)#switchport trunk allowed vlan add 5,8,10
Access_1 (config-if)#end
Access_1#copy running-config startup-config

B. VLAN Port Assignments


·         VLANs are assigned to individual switch ports.
·         Ports can be statically assigned to a single VLAN or dynamically assigned to a single VLAN.
·         All ports are assigned to VLAN 1 by default
·         Ports are active only if they are assigned to VLANs that exist on the switch.
·         Static port assignments are performed by the administrator and do not change unless modified by the administrator, whether the VLAN exists on the switch or not.
·         Dynamic VLANs are assigned to a port based on the MAC address of the device plugged into a port.
·         Dynamic VLAN configuration requires a VLAN Membership Policy Server (VMPS) client, server, and database to operate properly.

Configuring Static VLANs

On a Cisco switch, ports are assigned to a single VLAN. These ports are referred to as access ports and provide a connection for end users or node devices, such as a router or server. By default all devices are assigned to VLAN 1, known as the default VLAN. After creating a VLAN, you can manually assign a port to that VLAN and it will be able to communicate only with or through other devices in the VLAN. Configure the switch port for membership in a given VLAN as follows:
1.      Statically assign a VLAN:
COS set vlan number mod/port
IOS (global) interface type mod/port
(interface) switchport access vlan number

2.      To change the VLAN for a COS device, use the set vlan command, followed by the VLAN number, and then the port or ports that should be added to that VLAN. VLAN assignments such as this are considered static because they do not change unless the administrator changes the VLAN configuration.
3.      For the IOS device, you must first select the port (or port range for integrated IOS) and then use the switchport access vlan command followed by the VLAN number.
4.      If the VLAN that the port is assigned to does not exist in the database, the port is disabled until the VLAN is created.

Configuring Dynamic VLANs

Although static VLANs are the most common form of port VLAN assignments, it is possible to have the switch dynamically choose a VLAN based on the MAC address of the device connected to a port. To achieve this, you must have a VMPS database file, a VMPS server, a VMPS client switch, and a dynamic port. After you have properly configured these components, a dynamic port can choose the VLAN based on whichever device is connected to that port. Use the following steps to configure dynamic VLANs:
1.      Create a VMPS database file.
Using a text editor, such as WordPad or vi, create a VMPS database file and place it on a VMPS or Remote Copy Protocol (RCP) server. The VMPS database file contains the following elements:
o    A header that includes a VMPS domain name
o    The VMPS operational mode
o    The fallback VLAN name
o    A list of MAC addresses mapped to VLAN names
The basic outline of a VMPS database file is as follows:
vmps domain Switchblock1
vmps mode open
vmps fallback default
vmps no-domain-req deny
!
vmps-mac-addrs
!
!
address 0001.0387.0943 vlan-name GroupA
address 0050.0491.F950 vlan-name GroupB
address 0050.DA8F.1134 vlan-name GroupC
The very first thing in the VMPS database file must be the word vmps followed by the word domain and a domain name. The domain name matches the VTP domain name of the switch(es) sending the VMPS request. (VTP is discussed further in section "6-4: VLAN Trunking Protocol.") This name is used in the request for VMPS mapping information. The next three lines in the file describe how VMPS should operate. The mode open indicates that if a request comes in for a device that is not in the MAC address list, the switch should place that device in a default VLAN. The next line specifies that VLAN by name; the name default is that of VLAN 1. You can also configure the mode as closed; in that case, the port will be suspended if the device is not in the MAC address table. The no-domain-req deny option states that any device that sends a request with no domain name should not be given any port VLAN mapping information. Each ! (exclamation point) marks a comment and is ignored by the VMPS server.
The vmps-mac-addrs entry indicates the start of the MAC address to VLAN mapping. The entries are entered with the format address address vlan-name vlan_name, where the address is in dotted-hexadecimal format and the VLAN name is the exact name (including case) as found in the VLAN database of the requesting switch. When a request is sent, this mapping is returned to the requesting switch. The VLAN assignment is based on the name returned. If the name is not found on the local switch, the assignment is not made.
2.      Configure the VMPS server.
a.       (Optional) Set the VMPS download method:
COS set vmps downloadmethod {rcp | tftp}
IOS N/A

b.      Specify how to download the VMPS database file using rcp or tftp. If you do not choose a method, the default is tftp.
c.       Set the VMPS download server and filename:
COS set vmps downloadserver ipaddress [filename]
IOS N/A

d.      Configure the IP address of the RCP or TFTP server and specify the filename of the VMPS database.
e.       Enable the VMPS server service:
COS set vmps state enable
IOS N/A

f.       When you enable the VMPS server service, it will read the file from the server into the memory of the switch and will then be able to respond to requests from the VMPS client switches. Use the commands show vmps, show vmps mac, show vmps vlan, and show vmps statistics to verify the operation of the VMPS server.
g.      After the VMPS server service has been enabled and the VMPS information loaded into the memory of the server, the VMPS database file is no longer referenced. If you make changes to the VMPS database file, you must either disable and reenable the server service or reload the file with the command download vmps.
3.      Configure the VMPS client:
COS set vmps server ipaddress [primary]
IOS (global) vmps server ipaddress primary

Any switch that will have dynamic ports is considered a VMPS client. For this switch to request the dynamic VLAN information from the server, you must configure the client with the server address. Use the primary option to specify the IP address of the main VMPS server. You can also specify up to three other IP addresses for VMPS servers. Use the command show vmps server on COS and show vmps on IOS devices to confirm the server configuration.
If a switch is configured as a VMPS server and it will also have dynamic ports, it must also be configured as a client using Step 3, pointing to its own IP address as the server.
4.      Configure the port for dynamic VLAN assignments:
COS set port membership mod/port dynamic
IOS (interface) switchport access vlan dynamic

This places the port in dynamic VLAN mode. The switch must first be configured as a client (Step 3) before you configure a port as dynamic. After this has been configured, the port is assigned to the local switch's VLAN whose name matches the one mapped to the MAC address of the attached device in the VMPS database.

Verifying VLAN Assignments

After configuring a port for VLAN assignments, use one of the following commands to verify the VLAN port assignments:
COS show port
IOS (privileged) show interface type mod/port switchport
-OR-
(privileged) show interface status

Feature Example

In this example, ports for the switches Access_1 and Distribution_1 are assigned as follows:
·         Static assignments for ports 1 and 2 on the access switch and 3/1–48 on the distribution switch into VLAN 5
·         Static assignments for ports 3 and 4 on the access switch and 4/1–48 on the distribution switch into VLAN 8
·         Static assignments for ports 5 and 6 on the access switch and 5/1–12 and 5/18–24 on the distribution switch into VLAN 10
Distribution_1 will be assigned the IP address 10.1.1.1 and will serve as a VMPS server and get a file called vmpsconfig.txt (shown at the end of the example) from the server 10.1.1.101.

VLAN Port Assignments on Access_1 and Distribution_1
An example of the Catalyst OS configuration for Distribution_1 follows:
Distribution_1 (enable)>set vlan 5 3/1-48
Distribution_1 (enable)>set vlan 8 4/1-48
Distribution_1 (enable)>set vlan 10 5/1-12,5/18-24
Distribution_1 (enable)>set vmps downloadserver 10.1.1.101 vmpsconfig.txt
Distribution_1 (enable)>set int sc0 10.1.1.1/24
Distribution_1 (enable)>set vmps state enable
Distribution_1 (enable)>set vmps server 10.1.1.1
Distribution_1 (enable)>set port membership 5/13-17 dynamic
An example of the Supervisor IOS configuration for Distribution_1 follows:
Distribution_1(config)#interface range fastethernet 3/1 - 48 
Distribution_1(config-if)#switchport
Distribution_1(config-if)#switchport mode access
Distribution_1(config-if)#switchport access vlan 5
Distribution_1(config-if)#no shut
Distribution_1(config)#interface range fastethernet 4/1 - 48 
Distribution_1(config-if)#switchport
Distribution_1(config-if)#switchport mode access
Distribution_1(config-if)#switchport access vlan 8
Distribution_1(config-if)#no shut
Distribution_1(config)#interface range fastethernet 5/1 - 12 , 5/18 - 24
Distribution_1(config-if)#switchport
Distribution_1(config-if)#switchport mode access
Distribution_1(config-if)#switchport access vlan 10
Distribution_1(config-if)#no shut
Distribution_1(config-if)# end
Distribution_1 #copy running-config startup-config
For the Supervisor IOS running on a Catalyst 6000 or Catalyst 4000, dynamic VLAN services are currently not supported. These switches cannot be configured with dynamic access ports or to act as a VMPS server.
An example of the Layer 2 IOS configuration for Access_1 follows:
Access_1(config)#interface fastethernet 0/1
Access_1(config-if)#switchport access vlan 5
Access_1(config-if)#interface fastethernet 0/2
Access_1(config-if)#switchport access vlan 5
Access_1(config-if)#interface fastethernet 0/3
Access_1(config-if)#switchport access vlan 8
Access_1(config-if)#interface fastethernet 0/4
Access_1(config-if)#switchport access vlan 8
Access_1(config-if)#interface VLAN 1
Access_1(config-if)#ip address 10.1.1.2 255.255.255.0
Access_1(config-if)#exit
Access_1(config)#vmps server 10.1.1.1
Access_1(config)#interface fastethernet 0/5
Access_1(config-if)#switchport access vlan dynamic
Access_1(config-if)#interface fastethernet 0/6
Access_1(config-if)#switchport access vlan dynamic
Access_1(config-if)# end
Access_1 #copy running-config startup-config
An example of the VMPS database file vmpsconfig.txt follows:
vmps domain Switchblock1
vmps mode open
vmps fallback default
vmps no-domain-req allow
!
vmps-mac-addrs
!
!
address 0001.0387.0943 vlan-name Katie
address 0050.0491.F950 vlan-name Logan
address 0050.DA8F.1134 vlan-name Cameron
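The following Python script is an added example, not code from the original page or from Cisco. It models what the VMPS server and client do with the database file format described at the start of this section, using the vmpsconfig.txt above as input: the request domain must match the file's domain, an unknown MAC address gets the fallback VLAN in open mode or is refused in closed mode, a request without a domain name is honoured only when no-domain-req is allow, and the returned VLAN name must exist with exactly the same case on the requesting switch before the port is assigned. The local VLAN table for Access_1 (default, Cameron, Logan, Katie) and all function names are this example's own assumptions.

```python
"""VMPS database lookup model (added example, not from the original page or
from Cisco). Parses the vmpsconfig.txt shown above and resolves client
requests the way the text describes."""
import re
from dataclasses import dataclass, field
from typing import Optional

# vmpsconfig.txt from the feature example above, embedded so the script runs offline.
VMPS_CONFIG = """\
vmps domain Switchblock1
vmps mode open
vmps fallback default
vmps no-domain-req allow
!
vmps-mac-addrs
!
!
address 0001.0387.0943 vlan-name Katie
address 0050.0491.F950 vlan-name Logan
address 0050.DA8F.1134 vlan-name Cameron
"""

# Constructed local VLAN database of Access_1 (name -> number); VLAN 1 is named 'default'.
ACCESS_1_VLANS = {"default": 1, "Cameron": 5, "Logan": 8, "Katie": 10}


@dataclass
class VmpsDatabase:
    domain: str = ""
    mode: str = "open"           # open | closed
    fallback: str = "default"    # VLAN name used for unknown MACs in open mode
    no_domain_req: str = "deny"  # allow | deny
    mac_to_vlan: dict = field(default_factory=dict)


def normalize_mac(mac: str) -> str:
    """Accept 0001.0387.0943, 00:01:03:87:09:43 or 00-01-03-87-09-43 and return
    lower-case dotted hex so lookups do not depend on notation or case."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def parse_vmps_config(text: str) -> VmpsDatabase:
    """Parse the VMPS file format: '!' lines are comments, 'vmps domain' must come
    first, and address entries follow the vmps-mac-addrs marker."""
    db = VmpsDatabase()
    seen_domain = False
    in_mac_section = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        if parts[0] == "vmps" and len(parts) == 3:
            key, value = parts[1], parts[2]
            if key == "domain":
                db.domain, seen_domain = value, True
                continue
            if not seen_domain:
                raise ValueError(f"line {lineno}: 'vmps domain' must be the first entry")
            if key == "mode" and value in ("open", "closed"):
                db.mode = value
            elif key == "fallback":
                db.fallback = value
            elif key == "no-domain-req" and value in ("allow", "deny"):
                db.no_domain_req = value
            else:
                raise ValueError(f"line {lineno}: bad vmps option {line!r}")
        elif parts == ["vmps-mac-addrs"]:
            in_mac_section = True
        elif parts[0] == "address" and in_mac_section and len(parts) == 4 and parts[2] == "vlan-name":
            db.mac_to_vlan[normalize_mac(parts[1])] = parts[3]   # VLAN name kept case-sensitive
        else:
            raise ValueError(f"line {lineno}: unrecognised entry {line!r}")
    if not seen_domain:
        raise ValueError("no 'vmps domain' entry in file")
    return db


def vmps_lookup(db: VmpsDatabase, request_domain: Optional[str], mac: str):
    """Server side: return ('vlan', name) or ('deny', reason). Only the MAC address is
    checked, and hosts can change theirs, so this is policy, not authentication."""
    if not request_domain:
        if db.no_domain_req != "allow":
            return ("deny", "request carried no domain name")
    elif request_domain != db.domain:
        return ("deny", f"domain {request_domain!r} does not match {db.domain!r}")
    name = db.mac_to_vlan.get(normalize_mac(mac))
    if name is not None:
        return ("vlan", name)
    if db.mode == "open":
        return ("vlan", db.fallback)   # unknown host lands in the fallback VLAN
    return ("deny", "unknown MAC address; port is suspended in closed mode")


def assign_dynamic_port(db, local_vlans, request_domain, mac):
    """Client side: map the returned name to a local VLAN number. The match is
    case-sensitive; with no match the port gets no assignment (None)."""
    verdict, value = vmps_lookup(db, request_domain, mac)
    if verdict != "vlan":
        return None
    return local_vlans.get(value)


if __name__ == "__main__":
    db = parse_vmps_config(VMPS_CONFIG)
    for mac in ("0001.0387.0943", "00:50:04:91:f9:50", "0000.0c12.3456"):
        print(mac, "->", vmps_lookup(db, "Switchblock1", mac),
              "port VLAN:", assign_dynamic_port(db, ACCESS_1_VLANS, "Switchblock1", mac))
```

Running it shows the Katie and Logan hosts landing in VLANs 10 and 8, and an unknown MAC being placed in VLAN 1 because the file uses mode open with fallback default; switching the file to mode closed turns that last case into a denial.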

A: VLAN Configuration

·         VLANs are broadcast domains defined within switches to allow control of broadcast, multicast, unicast, and unknown unicast within a Layer 2 device.
·         VLANs are defined on a switch in an internal database known as the VLAN Trunking Protocol (VTP) database. After a VLAN has been created, ports are assigned to the VLAN.
·         VLANs are assigned numbers for identification within and between switches. Cisco switches have two ranges of VLANs, the normal range and extended range.
·         VLANs have a variety of configurable parameters, including name, type, and state.
·         Several VLANs are reserved, and some can be used for internal purposes within the switch.

Creation of an Ethernet VLAN

VLANs are created on Layer 2 switches to control broadcasts and to force traffic between VLANs through a Layer 3 device. Each VLAN is created in the local switch's database for use. If a VLAN is not known to a switch, that switch cannot transfer traffic across any of its ports for that VLAN. VLANs are created by number, and there are two ranges of usable VLAN numbers (normal range 1–1000 and extended range 1025–4094). When a VLAN is created, you can also give it certain attributes such as a VLAN name, VLAN type, and its operational state. To create a VLAN, use the following steps.
1.      Configure VTP.
VTP is a protocol used by Cisco switches to maintain a consistent database between switches for trunking purposes. VTP is not required to create VLANs; however, Cisco has set it up to act as a conduit for VLAN configuration between switches as a default to make administration of VLANs easier. Because of this, you must first either configure VTP with a domain name or disable VTP on the switch. VTP is explained in detail in section "6-4: VLAN Trunking Protocol."
o    Specify a VTP name:
COS set vtp domain domain-name
IOS (vlan) vtp domain domain-name
-OR-
(global) vtp domain domain-name

o    By default, VTP is in server mode and must be configured with a domain name before any VLANs can be created. These commands specify the VTP domain name. On IOS switches, you enter vlan database mode, shown as (vlan), by entering the command vlan database at the privileged-level prompt. Set the domain name deliberately: a server-mode switch with no domain name adopts the first VTP domain name it receives on a trunk, and a server or client switch accepts any advertisement for its domain that carries a higher configuration revision number, so an unplanned switch can overwrite the VLAN database of the whole domain. A VTP password reduces that exposure.
-OR-
o    Disable VTP synchronization:
COS set vtp mode transparent
IOS (vlan) vtp transparent
-OR-
(global) vtp mode transparent

o    Another option is to disable VTP synchronization of the databases. Disabling it enables you to manage your local VTP database without configuring and relying on VTP. For Catalyst 4000 and 6000 switches running IOS Supervisor 12.1(8a) or above (native IOS), you can configure the VTP parameters in global configuration mode as well.
-OR-
o    Disable VTP:
COS set vtp mode off
IOS N/A
o    With the introduction of COS version 7.1.1, an option now exists to disable VTP completely. Use the command set vtp mode off to turn off VTP. After doing so, you can administer the local VTP database.
2.      Create the VLAN.
VLANs are created by number. The two ranges of VLANs are as follows:
o    The standard range consists of VLANs 1 to 1000.
o    The extended range consists of VLANs 1025 to 4094.
Extended VLANs are currently supported only on switches running COS software version 6.1 or greater. When you create a VLAN, you have many options to consider; many are valid only for FDDI and Token Ring VLANs, and some, such as private VLANs, are discussed in other sections of this book. VLANs are created with the set vlan command on COS devices or with the vlan command in vlan database mode on IOS switches. For Ethernet VLANs, you can also configure the standard parameters in Table 6-1.

Configurable VLAN Parameters (Table 6-1)

Parameter   Description
name        A description of the VLAN, up to 32 characters with no spaces. If none is given, it defaults to VLANxxxx, where xxxx is the VLAN number zero-padded to four digits (for example, VLAN0005).
mtu         The maximum transmission unit (frame size, in bytes) that the VLAN can use; valid values are 576 to 18190. Ethernet uses at most 1500, while Token Ring and FDDI can go higher. The default is 1500.
state       Whether the VLAN is active or suspended. All ports in a suspended VLAN are suspended and not allowed to forward traffic. The default state is active.

COS set vlan vlan-id [name name] [state state] [mtu mtu]
IOS (vlan) vlan vlan-id [name vlan-name] [state {suspend | active}] [mtu mtu-size]
-OR-
(global) vlan vlan-id
(config-vlan) name vlan-name
(config-vlan) state {suspend | active}
(config-vlan) mtu mtu-size

c.                   The vlan-id specifies the VLAN by number. For COS you can specify a range of VLANs in the vlan-id section; you cannot configure the name for a range of VLANs, however, because each VLAN must have a unique name. For IOS switches, VLANs are created in vlan database mode. For Catalyst 6000 and 4000 switches running Supervisor IOS 12.1(8a) and above, you can create VLANs in global configuration mode if the switch is in VTP transparent mode: enter the vlan vlan-id command to move to config-vlan mode, and from there set the name, state, and mtu of the VLAN.
d.                  Create a VLAN in the extended range.
Extended VLANs support VLAN IDs up to 4094 in accordance with the 802.1Q standard (the VLAN ID field is 12 bits, and 4095 is reserved). Currently only switches running COS 6.1 or greater can support creation and assignment of VLANs in the extended range. You cannot currently use VTP to manage VLANs in the extended range, and these VLANs cannot be carried over an Inter-Switch Link (ISL) trunk link, so use 802.1Q trunks for them.
1.      Enable spanning-tree MAC reduction:
COS set spantree macreduction enable
IOS N/A

To allow these switches to use the extended range, you must first enable spanning-tree MAC reduction, which lets the switch support a large number of spanning-tree instances with a very limited number of MAC addresses while still meeting the IEEE 802.1D requirement for a unique bridge ID per STP instance. After you have created a VLAN in the extended range, you cannot disable this feature unless you first delete the VLAN.
2.      Create a VLAN in the extended range:
COS set vlan vlan-id [name name] [state state] [mtu mtu]
IOS N/A

Here the vlan-id is a number from 1025 to 4094. Numbers 1001 to 1024 are reserved by Cisco and cannot be configured.
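The following Python script is an added example, not code from the original page or from Cisco. It turns the rules of the procedure above into a checker and command generator: VLAN numbers must fall in 1–1000 or 1025–4094 (1001–1024 reserved), names are unique and at most 32 characters, the MTU is 576–18190, the state is active or suspend, and an extended-range VLAN requires COS 6.1 or later with spanning-tree MAC reduction enabled first. For a valid list it emits the COS commands and the Layer 2 IOS vlan-database commands; the VTP transparent step mirrors the feature example that follows, while the function names, the Vlan class and the version check are this example's own assumptions.

```python
"""VLAN definition checker and command generator (added example, not from the
original page or from Cisco)."""
from dataclasses import dataclass
from typing import List, Optional

NORMAL_RANGE = range(1, 1001)
RESERVED_RANGE = range(1001, 1025)
EXTENDED_RANGE = range(1025, 4095)   # 802.1Q VLAN ID is 12 bits; 4095 is reserved


@dataclass
class Vlan:
    vlan_id: int
    name: Optional[str] = None       # None -> the switch default name VLANxxxx
    state: str = "active"            # active | suspend
    mtu: int = 1500

    @property
    def default_name(self) -> str:
        return f"VLAN{self.vlan_id:04d}"   # VLAN 5 -> VLAN0005

    @property
    def is_extended(self) -> bool:
        return self.vlan_id in EXTENDED_RANGE


def validate_vlans(vlans: List[Vlan]) -> List[str]:
    """Return a list of problems; an empty list means the definitions are acceptable."""
    problems = []
    seen_ids, seen_names = set(), set()
    for v in vlans:
        if v.vlan_id in RESERVED_RANGE:
            problems.append(f"VLAN {v.vlan_id}: 1001-1024 are reserved by Cisco")
        elif v.vlan_id not in NORMAL_RANGE and not v.is_extended:
            problems.append(f"VLAN {v.vlan_id}: outside 1-1000 and 1025-4094")
        if v.vlan_id in seen_ids:
            problems.append(f"VLAN {v.vlan_id}: defined twice")
        seen_ids.add(v.vlan_id)
        name = v.name or v.default_name
        if len(name) > 32 or any(c.isspace() for c in name):
            problems.append(f"VLAN {v.vlan_id}: name {name!r} must be 1-32 characters with no spaces")
        if name in seen_names:
            problems.append(f"VLAN {v.vlan_id}: name {name!r} is not unique")
        seen_names.add(name)
        if v.state not in ("active", "suspend"):
            problems.append(f"VLAN {v.vlan_id}: state must be active or suspend")
        if not 576 <= v.mtu <= 18190:
            problems.append(f"VLAN {v.vlan_id}: mtu {v.mtu} outside 576-18190")
    return problems


def _options(v: Vlan) -> str:
    """Optional keywords shared by the COS and IOS forms; defaults are left implicit."""
    out = ""
    if v.name:
        out += f" name {v.name}"
    if v.state != "active":
        out += f" state {v.state}"
    if v.mtu != 1500:
        out += f" mtu {v.mtu}"
    return out


def cos_commands(vlans: List[Vlan], cos_version: float = 6.1) -> List[str]:
    """COS form: VTP transparent, then set vlan lines. MAC reduction is enabled
    once, immediately before the first extended-range VLAN."""
    problems = validate_vlans(vlans)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = ["set vtp mode transparent"]
    macreduction_on = False
    for v in vlans:
        if v.is_extended:
            if cos_version < 6.1:
                raise ValueError(f"VLAN {v.vlan_id}: extended range needs COS 6.1 or later")
            if not macreduction_on:
                cmds.append("set spantree macreduction enable")
                macreduction_on = True
        cmds.append(f"set vlan {v.vlan_id}{_options(v)}")
    return cmds


def ios_vlan_database_commands(vlans: List[Vlan]) -> List[str]:
    """Layer 2 IOS vlan-database form. Extended-range VLANs are skipped because
    the text gives no IOS support for them."""
    problems = validate_vlans(vlans)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = ["vlan database", "vtp transparent"]
    for v in vlans:
        if not v.is_extended:
            cmds.append(f"vlan {v.vlan_id}{_options(v)}")
    cmds.append("exit")
    return cmds


# The VLAN set from the feature example that follows, as constructed input.
FEATURE_EXAMPLE = [Vlan(5, "Cameron"), Vlan(8, "Logan"), Vlan(10, "Katie"), Vlan(2112, "Rush")]

if __name__ == "__main__":
    print("\n".join(cos_commands(FEATURE_EXAMPLE)))
    print("\n".join(ios_vlan_database_commands(FEATURE_EXAMPLE)))
```

With the feature-example input the COS output reproduces the Distribution_1 configuration shown below, including the set spantree macreduction enable line placed before VLAN 2112; the IOS output reproduces the Access_1 configuration and leaves VLAN 2112 out.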

Feature Example

In this example, the switches Access_1 and Distribution_1 are going to be configured with VLANs 5, 8, and 10 with the names Cameron, Logan, and Katie, respectively. Also the distribution switch will be configured with VLAN 2112 with the name Rush.
An example of the Catalyst OS configuration for Distribution_1 follows:
Distribution_1 (enable)>set vtp mode transparent
Distribution_1 (enable)>set vlan 5 name Cameron
Distribution_1 (enable)>set vlan 8 name Logan
Distribution_1 (enable)>set vlan 10 name Katie
Distribution_1 (enable)>set spantree macreduction enable
Distribution_1 (enable)>set vlan 2112 name Rush
Distribution_1 (enable)>
An example of the Supervisor IOS configuration for Distribution_1 follows:
Distribution_1#vlan database
Distribution_1(vlan)#vtp transparent
Distribution_1(vlan)#exit
Distribution_1#conf t
Distribution_1(config)#vlan 5 
Distribution_1(config-vlan)# name Cameron
Distribution_1(config-vlan)#vlan 8 
Distribution_1(config-vlan)# name Logan
Distribution_1(config-vlan)# vlan 10
Distribution_1(config-vlan)# name Katie
Distribution_1(config-vlan)# end
Distribution_1 #copy running-config startup-config
An example of the Layer 2 IOS configuration for Access_1 follows:
Access_1#vlan database
Access_1 (vlan)#vtp transparent
Access_1 (vlan)#vlan 5 name Cameron
Access_1 (vlan)#vlan 8 name Logan
Access_1 (vlan)#vlan 10 name Katie
Access_1 (vlan)#exit
Access_1#copy running-config startup-config