Chapter 6: Configuring Basic Switch Management

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Local username

A username (with matching password), configured on a router or switch. It is considered local because it exists on the router or switch, and not on a remote server.

line vty 1st-vty last-vty

Changes the context to vty configuration mode for the range of vty lines listed in the command.

ip address ip-address subnet-mask

VLAN interface mode. Statically configures the switch's IP address and mask.

Secure Shell (SSH)

A TCP/IP application layer protocol that supports terminal emulation between a client and server, using dynamic key exchange and encryption to keep the communications private.

VLAN interface

A configuration concept inside Cisco switches, used as an interface between IOS running on the switch and a VLAN supported inside the switch, so that the switch can assign an IP address and send IP packets into that VLAN.

Enable mode

A part of the Cisco IOS CLI in which the user can use the most powerful and potentially disruptive commands on a router or switch, including the ability to then reach configuration mode and reconfigure the router.

AAA server

A server that holds security information and provides services related to user login, particularly authentication (is the user who he says he is?), authorization (once authenticated, what do we allow the user to do?), and accounting (tracking the user).

4. An engineer's desktop PC connects to a switch at the main site. A router at the main site connects to each branch office through a serial link, with one small router and switch at each branch. Which of the following commands must be configured on the branch office switches, in the listed configuration mode, to allow the engineer to telnet to the branch office switches and supply only a password to login? (Choose three answers.) a. The ip address command in interface configuration mode b. The ip address command in global configuration mode c. The ip default-gateway command in VLAN configuration mode d. The ip default-gateway command in global configuration mode e. The password command in console line configuration mode f. The password command in vty line configuration mode

A, D, and F. To allow access through Telnet, the switch must have password security enabled, at a minimum using the password vty line configuration subcommand. In addition, the switch needs an IP address (configured under one VLAN interface) and a default gateway when the switch needs to communicate with hosts in a different subnet.

6. Which of the following line subcommands tells a switch to wait until a show command's output has completed before displaying log messages on the screen? a. logging synchronous b. no ip domain-lookup c. exec-timeout 0 0 d. histor y size 15

A. The logging synchronous line subcommand synchronizes the log message display with other command output so the log message does not interrupt a show command's output. The no ip domain-lookup command is not a line subcommand. The other two incorrect answers are line subcommands but do not configure the function listed in the question.

2. An engineer wants to set up simple password protection with no usernames for some switches in a lab, for the purpose of keeping curious coworkers from logging in to the lab switches from their desktop PCs. Which of the following commands would be a useful part of that configuration? a. A login vty mode subcommand b. A password password console subcommand c. A login local vty subcommand d. A transport input ssh vty subcommand

A. To answer this question, it might be best to first think of the complete configuration and then find any answers that match the configuration. The commands, in vty line configuration mode, would be password password and login. Only one answer lists a vty subcommand that is one of these two commands. Of note in the incorrect answers: One answer mentions console subcommands. The console does not define what happens when remote users log in; those details sit in the vty line configuration. One answer mentions the login local command; this command means that the switch should use the local list of configured usernames/passwords. The question stated that the engineer wanted to use passwords only, with no usernames. One answer mentions the transport input ssh command, which, by omitting the telnet keyword, disables Telnet. While that command can be useful, SSH does not work when using passwords only; SSH requires both a username and a password. So, by disabling Telnet (and allowing SSH only), the configuration would allow no one to remotely log in to the switch.

AAA

Authentication, authorization, and accounting. Authentication confirms the identity of the user or device. Authorization determines what the user or device is allowed to do. Accounting records information about access attempts, including inappropriate requests.

3. An engineer had formerly configured a Cisco 2960 switch to allow Telnet access so that the switch expected a password of mypassword from the Telnet user. The engineer then changed the configuration to support Secure Shell. Which of the following commands could have been part of the new configuration? (Choose two answers.) a. A username name secret password vty mode subcommand b. A username name secret password global configuration command c. A login local vty mode subcommand d. A transport input ssh global configuration command

B and C. SSH requires the use of usernames in addition to a password. Using the username global command would be one way to define usernames (and matching passwords) to support SSH. The vty lines would also need to be configured to require the use of usernames, with the login local vty subcommand being one such option. The transport input ssh command could be part of a meaningful configuration, butit is not a global configuration command (as claimed in one wrong answer). Likewise, one answer refers to the username command as a command in vty config mode, which is also the wrong mode.

5. A Layer 2 switch configuration places all its physical ports into VLAN 2. The IP addressing plan shows that address 172.16.2.250 (with mask 255.255.255.0) is reserved for use by this new LAN switch and that 172.16.2.254 is already configured on the router connected to that same VLAN. The switch needs to support SSH connections into the switch from any subnet in the network. Which of the following commands are part of the required configuration in this case? (Choose two answers.) a. The ip address 172.16.2.250 255.255.255.0 command in interface vlan 1 configuration mode. b. The ip address 172.16.2.250 255.255.255.0 command in interface vlan 2 configuration mode. c. The ip default-gateway 172.16.2.254 command in global configuration mode. d. The switch cannot support SSH because all its ports connect to VLAN 2, and the IP address must be configured on interface VLAN 1.

B and C. To allow SSH or Telnet access, a switch must have a correct IP configuration. That includes the configuration of a correct IP address and mask on a VLAN interface. That VLAN interface then must have a path out of the switch via ports assigned to that VLAN. In this case, with all ports assigned to VLAN 2, the switch must use interface VLAN 2 (using the interface vlan 2 configuration command). To meet the requirement to support login from hosts outside the local subnet, the switch must configure a correct default gateway setting with the ip default-gateway 172.16.2.254 global command in this case.

1. Imagine that you have configured the enable secret command, followed by the enable password command, from the console. You log out of the switch and log back in at the console. Which command defines the password that you had to enter to access privileged mode? a. enable password b. enable secret c. Neither d. The password command, if it is configured

B. If both commands are configured, IOS accepts only the password as configured in the enable secret command.

Data plane

Carries user traffic. Also known as the forwarding plane.

interface vlan number

Changes the context to VLAN interface mode. For VLAN 1, allows the configuration of the switch's IP address.

line console 0

Changes the context to console configuration mode.

terminal history size x

Changes the length of the history buffer for the current user only, only for the current login to the switch

Control plane

Configuration and processes that control and change the choices made by a switch's data plane

password pass-value

Console and vty configuration mode. Lists the password required if the login command (with no other parameters) is configured.

login

Console and vty configuration mode. Tells IOS to prompt for a password.

login local

Console and vty configuration mode. Tells IOS to promptfor a username and password, to be checked against locally configured username global configuration commands on this switch or router.

exec-timeout minutes [seconds]

Console or vty mode. Sets the inactivity timeout, so that after the defined period of no action, IOS closes the current user login session.

logging synchronous

Console or vty mode. Tells IOS to send log messages to the user at natural break points between commands rather than in the middle of a line of output.

Management plane

Deals with managing the networking device itself, rather than controlling what the device is doing.

DNS

Domain Name System. An application layer protocol used throughout the Internet for translating hostnames into their associated IP addresses.

[no] logging console

Global command that disables or enables the display of log messages to the console.

ip name-server server-ip-1 server-ip-2 ...

Global command. Configures the IPv4 addresses of DNS servers, so any commands when logged in to the switch will use the DNS for name resolution.

ip default-gateway address

Global command. Configures the switch's default gateway IPv4 address. Not required if the switch uses DHCP.

crypto key generate rsa [modulus 360..2048]

Global command. Creates and stores (in a hidden location in flash memory) the keys required by SSH.

username name secret pass-value

Global command. Defines one of possibly multiple usernames and associated passwords, used for user authentication. Used when the login local line configuration command has been used.

hostname name

Global command. Sets this switch's hostname, which is also used as the first part of the switch's command prompt.

enable secret pass-value

Global command. Sets this switch's password that is required for any user to reach enable mode.

History buffer

In a Cisco router or switch, the function by which IOS keeps a list of commands that the user has used in this login session, both in EXEC mode and configuration mode. The user can then recall these commands for easier repeating or making small edits and issuing similar commands.

history size length

Line config mode. Defines the number of commands held in the history buffer, for later recall, for users of those lines.

show dhcp lease

Lists any information the switch acquires as a DHCP client. This includes IP address, subnet mask, and default gateway information.

show ssh

Lists status information for current SSH connections into and out of the local switch.

show ip ssh

Lists status information for the SSH server, including the SSH version.

show history

Lists the commands in the current history buffer.

show running-config

Lists the currently used configuration.

show interfaces vlan number

Lists the interface status, the switch's IPv4 address and mask, and much more.

show crypto key mypubkey rsa

Lists the public and shared key created for use with SSH using the crypto key generate rsa global configuration command.

show ip default-gateway

Lists the switch's setting for its IPve default gateway.

Default gateway

On an IP host, the IP address of some router to which the host sends packets when the packet's destination address is on a subnet other than the local subnet.

show running-config | begin line vty

Pipes (sends) the command output to the begin command, which only lists output beginning with the first line that contains the text "line vty."

The configuration checklist for shared passwords for the console, Telnet, and enable passwords.

Step 1. Configure the enable password with the enable secret password-value command. Step 2. Configure the console password: a. Use the line con 0 command to enter console configuration mode. b. Use the password password-value subcommand to set the value of the console password. a. Use the login sub command to enable console password security using a simple password. Step 3. Configure the Telnet (vty) password: a. Use the line vty 0 15 command to enter vty configuration mode for all 16 vty lines (numbered 0 through 15). a. Use the password password-value subcommand to set the value of the console password. c. Use the login subcommand to enable console password security using a simple password.

Configure a Cisco switch to support SSH using local usernames.

Step 1. Configure the switch to generate a matched public and private key pair to use for encryption: A. If not already configured, use the hostname name in global configuration mode to configure a hostname for this switch. B. If not already configured, use the ip domain-name name in global configuration mode to configure a domain name for the switch, completing the switch's FQDN. C. Use the cryptokey generate rsa command in global configuration mode (or the crypto key generate rsa modulus modulus-value command to avoid being prompted for the key modulus) to generate the keys. (Use at least a 768-bit key to support SSH version 2.) Step 2. (Optional) Use the ip ssh version 2 command in global configuration mode to override the default of supporting both versions 1 and 2, so that only SSHv2 connections are allowed. Step 3. (Optional) If not already configured with the setting you want, configure the vty lines to accept SSH and whether to also allow Telnet: A. Use the transport input ssh command in vty line configuration mode to allow SSH only. B. Use the transport input all command (default) or transport input telnet ssh command in vty line configuration mode to allow both SSH and Telnet. Step 4. Use various commands in vty line configuration mode to configure local username login authentication as discussed earlier in this chapter.

Steps to configure DHCP on a switch

Step 1. Enter VLAN 1 configuration mode using the interface vlan 1 global configuration command, and enable the interface using the no shutdown command as necessary. Step 2. Assign an IP address and mask using the ip address dhcp interface subcommand.

Steps to configure IPv4 on a switch

Step 1. Use the interface vlan 1 command in global configuration mode to enter interface VLAN 1 configuration mode. Step 2. Use the ip address ip-address mask command in interface configuration mode to assign an IP address and mask. Step 3. Use the no shutdown command in interface configuration mode to enable the VLAN 1 interface if it is not already enabled. Step 4. Add the ip default-gateway ip-address command in global configuration mode to configure the default gateway. Step 5. (Optional) Add the ip name-server ip-address1 ip-address2 ... command in global configuration mode to configure the switch to use Domain Name System (DNS) to resolve names into their matching IP address.

Configuration commands to configure local username login

Step 1. Use the username name secret password global configuration command to add one or more username/password pairs on the local switch. Step 2. Configure the console to use locally configured username/password pairs: A. Use the line vty 0 15 command to enter vty configuration mode for all 16 vty lines (numbered 0 through 15). B. Use the login local subcommand to enable the switch to prompt for both username and password for all inbound Telnet users, checked versus the list of local usernames/passwords. C. (Optional)Use the no password subcommand to remove any existing simple shared passwords, just for good housekeeping of the configuration file. Step 3. Configure Telnet (vty) to use locally configured username/password pairs. A. Use the vty line 0 15 command to enter console configuration mode. B. Use the login local subcommand to enable the console to prompt for both username and password, checked versus the list of local usernames/passwords. C. (Optional) Use the no password subcommand to remove any existing simple shared passwords, just for good housekeeping of the configuration file.

Name resolution

The process by which an IP host discovers the IP address associated with a hostname, often involving sending a DNS request to a DNS server, with the server supplying the IP address used by a host with the listed hostname.

Telnet

The standard terminal-emulation application layer protocol in the TCP/IP protocol stack. Telnet is used for remote terminal connection, enabling users to log in to remote systems and use resources as if they were connected to a local system. Telnet is defined in RFC 854.

ip address dhcp

VLAN interface mode. Configures the switch as a DHCP client to discover its IPv4 address, mask, and default gateway.

An engineer wants to set up simple password protection with no usernames for some switches in a lab, for the purpose of keeping curious coworkers from logging in to the lab switches from their desktop PCs. Which of the following commands would be a useful part of that configuration? a. A login vty mode subcommand b. A password password console subcommand c. A transport input ssh vty subcommand d. A login local vty subcommand

a. To answer this question, it might be best to first think of the complete configuration and then find any answers that match the configuration. The commands, in vty line configuration mode, would be password password and login. Only one answer lists a vty subcommand that is one of these two commands. Of note in the incorrect answers: One answer mentions console subcommands. The console does not define what happens when remote users log in; those details sit in the vty line configuration. One answer mentions the login local command; this command means that the switch should use the local list of configured usernames/passwords. The question stated that the engineer wanted to use passwords only, with no usernames. One answer mentions the transport input ssh command, which, by omitting the telnet keyword, disables Telnet. While that command can be useful, SSH does not work when using passwords only; SSH requires both a username and a password. So, by disabling Telnet (and allowing SSH only), the configuration would allow no one to remotely log in to the switch.

A network engineer was tasked with helping build a new Cisco network. As part of this implementation, one of the requirements is to have a central database of authorized users that is used by the deployed network devices. Which protocols could the engineer use that would provide these capabilities? a. RADIUS b. SSH c. TACACS+ d. AAA

a., b., Two common protocols are used for user authentication on a Cisco device: TACACS+ and RADIUS. TACACS+ is a proprietary protocol that is typically used only on Cisco devices. RADIUS is a standards-based protocol that can perform the same functions. The selection of which protocol to use depends on the implementation. As for the incorrect answers, AAA refers to the type of server used to store the username password pairs. SSH is the Secure Shell protocol used for transmitting encrypted data over a network.

Which two of the following actions provide the best security for accessing a router's privileged mode remotely? a. Configuring the enable secret command b. Enabling SSH access using the transport input telnet ssh VTY line subcommand c. Configuring the enable password command d. Enabling SSH and disabling Telnet access using the transport input ssh VTY line subcommand

a., d. It is more secure to disable Telnet altogether, using the transport input ssh command (omitting telnet). This prevents users from sending clear-text passswords over Telnet connections. Although the service password-encryption command tells the router to encrypt the enable password, the encryption is easily broken. The inherent MD5 encoding used by the enable secret command is much more secure.

A user opens a terminal emulator after connecting their PC physically to the console port of a router. The user logs in to the router's user mode, and then continues the process to reach privileged mode. Assume that the router is configured to use the strongest security options. Which command must be configured to support that last step of reaching privileged mode? a. login b. enable secret c. enable password d. line console 0 e. password

b. Both the enable password and enable secret commands set a password required for a user to enter privileged mode. If both are configured, the enable secret password defines which password is required.

Which command will generate the SSH encryption keys? a. crypto key modulus rsa b. crypto key generate rsa c. crypto key modulus ssh d. crypto key generate ssh

b. The crypto key generate rsa command will generate the SSH encryption keys. The incorrect answers are not commands supported on Cisco routers and switches.

Which of the following line subcommands tells a switch to wait until a show command's output has completed before displaying log messages on the screen? a. exec-timeout 0 0 b. logging synchronous c. history size 15 d. no ip domain-lookup

b. The logging synchronous line subcommand synchronizes the log message display with other command output so the log message does not interrupt a show command's output. The no ip domain-lookup command is not a line subcommand. The other two incorrect answers are line subcommands but do not configure the function listed in the question.

An engineer logs in to a device and wants to ensure that all of the commands that he enters are temporarily recorded in the history buffer. He is configuring a number of repetitive commands and wants to reduce the number of times these commands need to be typed. Which command would be used to ensure this behavior? a. R1#history size num-of-lines b. R1(config-line)#history size num-of-lines c. R1#terminal history size num-of-lines d. R1(config-line)#terminal history size num-of-lines Select 2 answers

b., c. Two main commands are used to configure the command history on a Cisco IOS device: terminal history size num-of-lines and history size num-of-lines. The terminal history size num-of-lines command is used in enable (EXEC) mode and configures the size of the command history buffer for the current session only. The history size num-of-lines command is used in line configuration mode (all line types) to configure the size of the command history buffer for all sessions connecting through that line.

A Layer 2 switch configuration places all its physical ports into VLAN 2. The IP addressing plan shows that address 172.16.2.250 (with mask 255.255.255.0) is reserved for use by this new LAN switch and that 172.16.2.254 is already configured on the router connected to that same VLAN. The switch needs to support SSH connections into the switch from any subnet in the network. Which of the following commands are part of the required configuration in this case? (Choose two answers.) a. The switch cannot support SSH because all its ports connect to VLAN 2, and the IP address must be configured on interface VLAN 1. b. The ip default-gateway 172.16.2.254 command in global configuration mode. d. The ip address 172.16.2.250 255.255.255.0 command in interface vlan 1 configuration mode. e. The ip address 172.16.2.250 255.255.255.0 command in interface vlan 2 configuration mode. Select 2 answers

b., d. To allow SSH or Telnet access, a switch must have a correct IP configuration. That includes the configuration of a correct IP address and mask on a VLAN interface. That VLAN interface then must have a path out of the switch via ports assigned to that VLAN. In this case, with all ports assigned to VLAN 2, the switch must use interface VLAN 2 (using the interface vlan 2 configuration command). To meet the requirement to support login from hosts outside the local subnet, the switch must configure a correct default gateway setting with the ip default-gateway 172.16.2.254 global command in this case.

Imagine that you have configured the enable secret command, followed by the enable password command, from the console. You log out of the switch and log back in at the console. Which command defines the password that you had to enter to access privileged mode? a. Neither b. The password command, if it is configured c. enable secret d. enable password

c. If both commands are configured, IOS accepts only the password as configured in the enable secret command.

An engineer had formerly configured a Cisco 2960 switch to allow Telnet access so that the switch expected a password of mypassword from the Telnet user. The engineer then changed the configuration to support Secure Shell. Which of the following commands could have been part of the new configuration? (Choose two answers.) a. A username name secret password vty mode subcommand b. A transport input ssh global configuration command c. A username name secret password global configuration command d. A login local vty mode subcommand Select 2 answers

c., d. SSH requires the use of usernames in addition to a password. Using the username global command would be one way to define usernames (and matching passwords) to support SSH. The vty lines would also need to be configured to require the use of usernames, with the login local vty subcommand being one such option. The transport input ssh command could be part of a meaningful configuration, but it is not a global configuration command (as claimed in one wrong answer). Likewise, one answer refers to the username command as a command in vty config mode, which is also the wrong mode.

An engineer's desktop PC connects to a switch at the main site. A router at the main site connects to each branch office through a serial link, with one small router and switch at each branch. Which of the following commands must be configured on the branch office switches, in the listed configuration mode, to allow the engineer to telnet to the branch office switches and supply only a password to login? (Choose three answers.) a. The password command in console line configuration mode b. The ip address command in global configuration mode c. The ip default-gateway command in global configuration mode d. The password command in vty line configuration mode e. The ip address command in interface configuration mode f. The ip default-gateway command in VLAN configuration mode Select 3 answers

c., d., e. To allow access through Telnet, the switch must have password security enabled, at a minimum using the password vty line configuration subcommand. In addition, the switch needs an IP address (configured under one VLAN interface) and a default gateway when the switch needs to communicate with hosts in a different subnet.

Which answers encrypt the password that will be required of a user after they type the enable EXEC command? a. enable password password-value b. password password-value c. enable password-value d. enable secret password-value

d. The enable password password-value configuration command configures the password but it will create an unencrypted password. The enable secret password-value configuration command will create an encrypted password that will override the enable password password-value command. The other two answers do not configure the password that IOS requires of a user that types the enable EXEC command.

You are in the process of troubleshooting a network problem on a Cisco device, but you are having a problem getting the right commands entered on the device to fix it. The reason is that every time you attempt to configure the commands, the console generates another message, your command gets split, and you lose your place in the command. What command could you configure on the device to have it automatically place the commands that are entered onto a fresh line and redrawn up to the point where the command entry was interrupted? a. logging console brief b. logging regenerate c. logging console redraw d. logging synchronous

d. The logging synchronous command alters the way that console messages are printed onto a screen. The first thing it will do is print only console messages on new lines, but this would interrupt the entry of a command. To remedy this situation, it also redraws a new prompt with the command that was being entered, complete up to the point where it was before the message was printed. This allows you to keep your place in the command and provide clean console output.

As an administrator, you decide to change the passwords periodically on the switch. You enter the following command: SW1(config)# enable password bubba123 The next time you telnet to the switch, you are prompted for a password, but bubba123 is not accepted. Why? a. The enable "secret" password should have been changed instead. b. We should have been in line configuration mode before using the command. c. The telnet protocol is not allowed on the vty lines by default. d. The enable password that was set is not the vty line password.

d. The password for the vty lines uses a different syntax and must also be done in line configuration mode for the lines we want to change the password for. If we did change the enable password, and not used the enable secret command, the existing enable secret for going into privileged mode would still not have been changed because the enable secret wins over the enable password. The transport of Telnet is allowed on the vty lines, provided we have authentication set appropriately. The command enable password is not the correct syntax for the vty line password configuration.

Cisco routers often default to transport input none, so you must add the ___ line subcommand to enable Telnet and/or SSH into a router.

transport input

transport input {telnet | ssh | all | none}

vty line configuration mode. Defines whether Telnet/SSH access is allowed into this switch. Both values can be configured on one command to allow both Telnet and SSH access (the default).


Kaugnay na mga set ng pag-aaral

Managerial Accounting Ch. 6 Exam

View Set

Introduction To Supply Chain Management

View Set

W6 L2: Liking, attraction and relationships

View Set

Database Concepts: Chapter 4 Quiz

View Set

Converting Decimals to Fractions

View Set