CCNA 2 Chapter 5: Switch Configuration


Ports in Error Disabled State

A port security violation can put a switch port in the error-disabled state. A port in the error-disabled state is effectively shut down. The switch communicates these events through console messages. The show interfaces command also reveals a switch port in the error-disabled state. The shutdown and no shutdown interface configuration mode commands must be issued to re-enable the port.
S1# show interfaces fastethernet 0/18 status
S1# show port-security interface fastethernet 0/18

Switch Verification Commands

Display interface status and configuration: S1# show interfaces [interface-id]
Display current startup configuration: S1# show startup-config
Display current operating configuration: S1# show running-config
Display information about the flash file system: S1# show flash:
Display status of system hardware and software: S1# show version
Display a history of commands entered: S1# show history
Display IP information about an interface: S1# show ip interface [interface-id]
Display the MAC address table: S1# show mac-address-table or S1# show mac address-table

Switch LED Indicators

Each port on a Cisco Catalyst switch has a status LED indicator light. By default, these LEDs reflect port activity, but they can also provide other information about the switch through the Mode button. The following modes are available on Cisco Catalyst 2960 switches:
System LED
Redundant Power System (RPS) LED
Port Status LED
Port Duplex LED
Port Speed LED
Power over Ethernet (PoE) Mode LED

Configure the Switch Management Access

Enter global configuration mode: S1# configure terminal
Enter interface configuration mode for the SVI: S1(config)# interface vlan 99
Configure the management interface IP address: S1(config-if)# ip address 172.17.99.11 255.255.0.0
Enable the management interface: S1(config-if)# no shutdown
Return to privileged EXEC mode: S1(config-if)# end
Save the running config to the startup config: S1# copy running-config startup-config
Verify the switch management interface: S1# show ip interface brief

Configure Switch Ports at the Physical Layer

Enter global configuration mode: S1# configure terminal
Enter interface configuration mode: S1(config)# interface fastethernet 0/1
Configure the interface duplex mode: S1(config-if)# duplex full
Configure the interface speed: S1(config-if)# speed 100
Return to privileged EXEC mode: S1(config-if)# end
Save the running config to the startup config: S1# copy running-config startup-config

Configure Auto-MDIX

Enter global configuration mode: S1# configure terminal
Enter interface configuration mode: S1(config)# interface fastethernet 0/1
Configure the interface to automatically negotiate the duplex mode with the connected device: S1(config-if)# duplex auto
Configure the interface to automatically negotiate speed with the connected device: S1(config-if)# speed auto
Enable auto-MDIX on the interface: S1(config-if)# mdix auto
Return to privileged EXEC mode: S1(config-if)# end
Save the running config to the startup config: S1# copy running-config startup-config
Verify auto-MDIX on the interface: S1# show controllers ethernet-controller fa 0/1 phy | include Auto-MDIX

Duplex Communication

Full-duplex communication improves the performance of a switched LAN. Full-duplex communication increases effective bandwidth by allowing both ends of a connection to transmit and receive data simultaneously. This is also known as bidirectional communication. This method of optimizing network performance requires micro-segmentation. A micro-segmented LAN is created when a switch port has only one device connected and is operating at full-duplex. This results in a micro-sized collision domain of a single device. Because there is only one device connected, a micro-segmented LAN is collision free.

Unlike full-duplex communication, half-duplex communication is unidirectional. Sending and receiving data does not occur at the same time. Half-duplex communication creates performance issues because data can flow in only one direction at a time, often resulting in collisions. Half-duplex connections are typically seen in older hardware, such as hubs. Full-duplex communication has replaced half-duplex in most hardware. Most Ethernet and Fast Ethernet NICs sold today offer full-duplex capability. Gigabit Ethernet and 10Gb NICs require full-duplex connections to operate. In full-duplex mode, the collision detection circuit on the NIC is disabled. Frames that are sent by the two connected devices cannot collide because the devices use two separate circuits in the network cable. Full-duplex connections require a switch that supports full-duplex configuration, or a direct connection using an Ethernet cable between two devices.

Port Security: Violation Modes

IOS considers it a security violation when the maximum number of secure MAC addresses for that interface have been added to the CAM table, and a station whose MAC address is not in the address table attempts to access the interface. There are three possible actions to take when a violation is detected:
Protect - no notification received
Restrict - notification received of the security violation
Shutdown - the port is placed in the error-disabled state (default)
Configured with the switchport port-security violation {protect | restrict | shutdown} interface configuration mode command.

Network Access Layer Issues (cont.)

Input Errors: Total number of errors. It includes runts, giants, no buffer, CRC, frame, overrun, and ignored counts.
Runts: Packets that are discarded because they are smaller than the minimum packet size for the medium. For instance, any Ethernet packet that is less than 64 bytes is considered a runt.
Giants: Packets that are discarded because they exceed the maximum packet size for the medium. For example, any Ethernet packet that is greater than 1,518 bytes is considered a giant.
CRC errors: CRC errors are generated when the calculated checksum is not the same as the checksum received.
Output Errors: The sum of all errors that prevented the final transmission of datagrams out of the interface that is being examined.
Collisions: The number of messages retransmitted because of an Ethernet collision.
Late Collisions: A collision that occurs after 512 bits of the frame have been transmitted.

Port Security Violation Modes (cont.)

It is a security violation when either of these situations occurs:
The maximum number of secure MAC addresses have been added to the address table for that interface, and a station whose MAC address is not in the address table attempts to access the interface.
An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
An interface can be configured for one of three violation modes, specifying the action to be taken if a violation occurs. The following describes how traffic is handled when each of these security violation modes is configured on a port:
Protect: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed or the number of maximum allowable addresses is increased. There is no notification that a security violation has occurred.
Restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed or the number of maximum allowable addresses is increased. In this mode, there is a notification that a security violation has occurred.
Shutdown: In this (default) violation mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It increments the violation counter. When a secure port is in the error-disabled state, it can be brought out of this state by entering the shutdown and no shutdown interface configuration mode commands.

Troubleshooting Network Access Layer Issues

Most issues that affect a switched network are encountered during the original implementation. Theoretically, after it is installed, a network continues to operate without problems. However, cabling gets damaged, configurations change, and new devices are connected to the switch that require switch configuration changes. Ongoing maintenance and troubleshooting of the network infrastructure is required.

To troubleshoot these issues when you have no connection or a bad connection between a switch and another device, follow this general process. Use the show interfaces command to check the interface status.

If the interface is down: Check to make sure that the proper cables are being used. Additionally, check the cable and connectors for damage. If a bad or incorrect cable is suspected, replace the cable. If the interface is still down, the problem may be due to a mismatch in speed setting. The speed of an interface is typically auto-negotiated; therefore, even if speed is manually configured on one interface, the connecting interface should auto-negotiate accordingly. If a speed mismatch does occur through misconfiguration or a hardware or software issue, then that may result in the interface going down. Manually set the same speed on both connection ends if an auto-negotiation problem is suspected.

If the interface is up, but issues with connectivity are still present: Using the show interfaces command, check for indications of excessive noise. Indications may include an increase in the counters for runts, giants, and CRC errors. If there is excessive noise, first find and remove the source of the noise, if possible. Also, verify that the cable does not exceed the maximum cable length and check the type of cable that is used. For copper cable, it is recommended that you use at least Category 5. If noise is not an issue, check for excessive collisions. If there are collisions or late collisions, verify the duplex settings on both ends of the connection. Much like the speed setting, the duplex setting is usually auto-negotiated. If there does appear to be a duplex mismatch, manually set the duplex on both connection ends. It is recommended to use full-duplex if both sides support it.

Verifying SSH

On a PC, an SSH client, such as PuTTY, is used to connect to an SSH server. In the example:
SSH is enabled on switch S1.
Interface VLAN 99 (SVI) on switch S1 has IP address 172.17.99.11.
PC1 has IP address 172.17.99.21.
The user has been prompted for a username and password. Using the configuration from the previous example, the username admin and password ccna are entered. After entering the correct combination, the user is connected via SSH to the CLI on the Catalyst 2960 switch. To display the version and configuration data for SSH on the device that you configured as an SSH server, use the show ip ssh command. In the example, SSH version 2 is enabled. To check the SSH connections to the device, use the show ssh command.

Port Security Default Settings

Port security: Disabled on a port
Maximum number of secure MAC addresses: 1
Violation mode: Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded.
Sticky address learning: Disabled

Switch Boot Sequence

Step 1. Power-on self test (POST).
Step 2. Run boot loader software.
Step 3. Boot loader performs low-level CPU initialization.
Step 4. Boot loader initializes the flash file system.
Step 5. Boot loader locates and loads a default IOS operating system software image into memory and passes control of the switch over to the IOS.

SSH Operation

Secure Shell (SSH) is a protocol that provides a secure (encrypted), command-line based connection to a remote device. Because of strong encryption features, SSH should replace Telnet for management connections. SSH uses TCP port 22, by default. Telnet uses TCP port 23. A version of the IOS software, including cryptographic (encrypted) features and capabilities, is required to enable SSH on Catalyst 2960 switches.

Cisco Switch IOS CLI Commands for Dynamic Port Security

Specify the interface to be configured for port security: S1(config)# interface fastethernet 0/18
Set the interface mode to access: S1(config-if)# switchport mode access
Enable port security on the interface: S1(config-if)# switchport port-security

Port Security: Operation

The MAC addresses of legitimate devices are allowed access, while other MAC addresses are denied. Any additional attempts to connect by unknown MAC addresses generate a security violation. Secure MAC addresses can be configured in a number of ways:
Static secure MAC addresses - manually configured and added to the running configuration: switchport port-security mac-address mac-address
Dynamic secure MAC addresses - learned dynamically and removed when the switch restarts
Sticky secure MAC addresses - learned dynamically and added to the running configuration: switchport port-security mac-address sticky interface configuration mode command

Recovering From a System Crash

The boot loader can also be used to manage the switch if the IOS cannot be loaded. The boot loader can be accessed through a console connection by:
Step 1. Connecting a PC by console cable to the switch console port.
Step 2. Unplugging the switch power cord.
Step 3. Reconnecting the power cord to the switch and pressing and holding the Mode button.
Step 4. Releasing the Mode button once the System LED turns briefly amber and then solid green.
The boot loader switch: prompt then appears in the terminal emulation software on the PC.

Secure Unused Ports

The first step in port security is to be aware of ports that are not currently being used on the switch. To find out which ports are in use: show run. To disable an unused port: shutdown.

Disable Unused Ports

A simple method that many administrators use to help secure the network from unauthorized access is to disable all unused ports on a switch. For example, if a Catalyst 2960 switch has 24 ports and there are three Fast Ethernet connections in use, it is good practice to disable the 21 unused ports. Navigate to each unused port and issue the Cisco IOS shutdown command. If a port later needs to be reactivated, it can be enabled with the no shutdown command. It is simple to make configuration changes to multiple ports on a switch. If a range of ports must be configured, use the interface range command.

Network Access Layer Issues

The output from the show interfaces command can be used to detect common media issues. One of the most important parts of this output is the display of the line and data link protocol status. The following output and Table 2-7 indicate the summary line to check the status of an interface.
S1# show interfaces fastethernet 0/18
FastEthernet0/18 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0022.91c4.0301 (bia 0022.91c4.0e01)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
<output omitted>

Switch Boot Sequence (cont.)

To find a suitable Cisco IOS image, the switch goes through the following steps:
Step 1. It attempts to automatically boot by using information in the BOOT environment variable.
Step 2. If this variable is not set, the switch performs a top-to-bottom search through the flash file system. It loads and executes the first executable file, if it can.
Step 3. The IOS software then initializes the interfaces using the Cisco IOS commands found in the configuration file and startup configuration, which is stored in NVRAM.
Note: The boot system command can be used to set the BOOT environment variable. Use the show boot command to see what the current IOS boot file is set to.

Preparing for Basic Switch Management

To remotely manage a Cisco switch, it must be configured to access the network. A console cable is used to connect a PC to the console port of a switch for configuration. The IP information (address, subnet mask, gateway) is to be assigned to a switch virtual interface (SVI). If managing the switch from a remote network, a default gateway must also be configured. Although these IP settings allow remote management and remote access to the switch, they do not allow the switch to route Layer 3 packets.

auto-MDIX

A feature that detects the type of cable and configures the interfaces to allow the connection. Certain cable types (straight-through or crossover) were historically required when connecting devices. The automatic medium-dependent interface crossover (auto-MDIX) feature eliminates this problem. When auto-MDIX is enabled, the interface automatically detects and appropriately configures the connection. When using auto-MDIX on an interface, the interface speed and duplex must be set to auto.

Verify Port Security

S1# show port-security interface fastethernet 0/18
S1# show run | begin FastEthernet 0/19
S1# show port-security address
