Ch. 8 Configuring Ethernet Switching
Configuration steps to use local usernames
1. Global mode: create usernames and passwords. 2. VTY mode: enable use of local usernames.
List the suggested security actions for unused switch ports
Administratively disable the interface using the shutdown interface subcommand. Prevent VLAN trunking by making the port a nontrunking interface using the switchport mode access interface subcommand. Assign the port to an unused VLAN using the switchport access vlan (number) interface subcommand. Set the native VLAN to not be VLAN 1, but to instead be an unused VLAN, using the switchport trunk native vlan (vlan-id) interface subcommand. (The native VLAN is discussed in Chapter 9.)
Does sending log and SNMP messages protect, restrict or shutdown?
Restricts and Shuts down.
ip address dhcp
VLAN interface mode. Configures the switch as a DHCP client to discover its IP address, mask, and default gateway.
An engineer's desktop PC connects to a switch at the main site. A router at the main site connects to each branch office through a serial link, with one small router and switch at each branch. Which of the following commands must be configured on the branch office switches, in the listed configuration mode, to allow the engineer to telnet to the branch office switches? (Choose three answers.) a. The ip address command in VLAN configuration mode b. The ip address command in global configuration mode c. The ip default-gateway command in VLAN configuration mode d. The ip default-gateway command in global configuration mode e. The password command in console line configuration mode f. The password command in vty line configuration mode
A (The ip address command in VLAN configuration mode), D (The ip default-gateway command in global configuration mode), and F (The password command in vty line configuration mode). To allow access through Telnet, the switch must have password security enabled, at a minimum using the password vty line configuration subcommand. Additionally, the switch needs an IP address (configured under one VLAN interface) and a default gateway when the switch needs to communicate with hosts in a different subnet.
Port security
A Cisco switch feature in which the switch watches Ethernet frames that come in an interface (a port), tracks the source MAC addresses of all such frames, and takes a security action if the number of different such MAC addresses is exceeded.
SSH
A TCP/IP application layer protocol that supports terminal emulation between a client and server, using dynamic key exchange and encryption to keep the communications private.
VLAN interface
A configuration concept inside Cisco switches, used as an interface between IOS running on the switch and the VLAN support inside the switch, so that the switch can assign an IP address and send IP packets into that VLAN.
Switch Virtual Interface (SVI) Concept inside a switch
A switch uses concepts similar to a host, except that the switch can use a virtual NIC. Like a PC, a switch has a real CPU, running an OS (called IOS). The switch then uses a NIC-like concept called a Switched Virtual Interface (SVI), or more commonly, a VLAN interface, that acts like the switch's own NIC for connecting into a LAN to send IP packets. Like a host, the switch configuration assigns IP settings, such as an IP address, to this VLAN interface.
Local Username
A username (with matching password), configured on a router or switch. It is considered local because it exists on the router or switch, and not on a remote server.
An engineer had formerly configured a Cisco 2960 switch to allow Telnet access so that the switch expected a password of mypassword from the Telnet user. The engineer then changed the configuration to support Secure Shell. Which of the following commands could have been part of the new configuration? (Choose two answers.) a. A username name password password vty mode subcommand b. A username name password password global configuration command c. A login local vty mode subcommand d. A transport input ssh global configuration command
B (A username name password password global configuration command) and C (A login local vty mode subcommand). SSH requires the use of usernames in addition to a password. Using the username global command would be one way to define usernames (and matching passwords) to support SSH. The vty lines would also need to be configured to require the use of usernames, with the login local vty subcommand being one such option. The transport input ssh command could be part of a meaningful configuration, but it is not a global configuration command (as claimed in one wrong answer). Likewise, one answer refers to the username command as a command in vty config mode, which is also the wrong mode.
Which of the following is required when configuring port security with sticky learning? a. Setting the maximum number of allowed MAC addresses on the interface with the switchport port-security maximum interface subcommand b. Enabling port security with the switchport port-security interface subcommand c. Defining the specific allowed MAC addresses using the switchport port-security mac-address interface subcommand d. All the other answers list required commands
B (Enabling port security with the switchport port-security interface subcommand). The setting for the maximum number of MAC addresses has a default of 1, so the switchport port-security maximum command does not have to be configured. With sticky learning, you do not need to predefine the specific MAC addresses either. However, you must enable port security, which requires the switchport port-security interface subcommand.
The following command was copied and pasted into configuration mode when a user was telnetted into a Cisco switch: banner login this is the login banner Which of the following is true about what occurs the next time a user logs in from the console? a. No banner text is displayed. b. The banner text "his is" is displayed. c. The banner text "this is the login banner" is displayed. d. The banner text "Login banner configured, no text defined" is displayed.
B (The banner text "his is" is displayed). The first nonblank character after the banner login phrase is interpreted as the beginning delimiter character. In this case, it's the letter t. So, the second letter t (the first letter in "the") is interpreted as the ending delimiter. The resulting login banner is the text between these two ts, namely "his is."
Imagine that you have configured the enable secret command, followed by the enable password command, from the console. You log out of the switch and log back in at the console. Which command defines the password that you had to enter to access privileged mode? a. enable password b. enable secret c. Neither d. The password command, if it's configured
B (enable secret). If both commands are configured, IOS accepts only the password as configured in the enable secret command.
Key points about enable secret and enable password
Both commands configured: use the password in the enable secret command. Only one command configured: use the password in that one command. Neither command configured (default): console users are allowed into enable mode without a password prompt, while others are rejected.
interface (type port-number)
Changes context to interface mode. The type is typically FastEthernet or GigabitEthernet. The possible port numbers vary depending on the model of switch; for example, fa0/1, fa0/2, and so on.
interface vlan (number)
Changes the context to VLAN interface mode. For VLAN 1, allows the configuration of the switch's IP address.
interface range (type port-range)
Changes the context to interface mode for a range of consecutively numbered interfaces. The subcommands that follow then apply to all interfaces in the range.
exec-timeout (minutes [seconds])
Console or vty mode. Sets the inactivity timeout, so that after the defined period of no action, IOS closes the current user login session.
logging synchronous
Console or vty mode. Tells IOS to send log messages to the user at natural break points between commands, rather than in the middle of a line of output.
Key features of all variations of port security
Define a maximum number of source MAC addresses allowed for all frames coming in the interface. Watch all incoming frames, and keep a list of all source MAC addresses, plus a counter of the number of different source MAC addresses. When adding a new source MAC address to the list, if the number of MAC addresses pushes past the configured maximum, a port security violation has occurred. The switch takes action (the default action is to shut down the interface).
In which of the following modes of the CLI could you configure the duplex setting for interface Fast Ethernet 0/5? a. User mode b. Enable mode c. Global configuration mode d. VLAN mode e. Interface configuration mode
E (Interface configuration mode). Cisco switches can be configured for speed (with the speed command) and duplex (with the duplex command) in interface configuration mode.
Which of the following describes a way to disable IEEE standard autonegotiation on a 10/100 port on a Cisco switch? a. Configure the negotiate disable interface subcommand b. Configure the no negotiate interface subcommand c. Configure the speed 100 interface subcommand d. Configure the duplex half interface subcommand e. Configure the duplex full interface subcommand f. Configure the speed 100 and duplex full interface subcommands
F (Configure the speed 100 and duplex full interface subcommands). Cisco switches do not have a command to disable autonegotiation of speed and duplex. Instead, a switch port that has both speed and duplex configured disables autonegotiation.
service password-encryption
Global command that (weakly) encrypts passwords defined by the username password, enable password, and login commands.
banner {motd | exec | login} (delimiter banner-text delimiter)
Global command that defines a banner that is displayed at different times when users log in to the switch or router.
[no] logging console
Global command that disables or enables the display of log messages to the console.
ip default-gateway (address)
Global command. Configures the switch's default gateway IP address. Not required if the switch uses DHCP.
crypto key generate rsa
Global command. Creates and stores (in a hidden location in flash memory) the keys required by SSH.
username (name) secret (pass-value)
Global command. Defines one of possibly multiple usernames and associated passwords, used for user authentication. Used when the login local line configuration command has been used.
ip name-server (server-ip-1 server-ip-2....)
Global command. Configures the IP address(es) of DNS servers, so any commands when logged into the switch will use the DNS for name resolution.
enable secret (pass-value)
Global command. Sets this switch's password that is required for any user to reach enable mode.
switchport port-security mac-address (mac-address)
Interface configuration mode command that statically adds a specific MAC address as an allowed MAC address on the interface.
switchport mode {access | trunk}
Interface configuration mode command that tells the switch to always be an access port, or always be a trunk port.
shutdown / no shutdown
Interface mode. Disables or enables the interface, respectively.
description (text)
Interface mode. Lists any information text that the engineer wants to track for the interface, such as the expected device on the other end of the cable.
duplex { auto | full | half }
Interface mode. Manually sets the duplex to half or full, or to autonegotiate the duplex setting.
speed {10 | 100 | 1000 | auto}
Interface mode. Manually sets the speed to the listed speed or, with the auto setting, automatically negotiates the speed.
switchport access vlan (vlan-number)
Interface subcommand that defines the VLAN in which the interface resides.
switchport port-security maximum (value)
Interface subcommand that sets the maximum number of static secure MAC addresses that can be assigned to a single interface.
switchport port-security mac-address sticky
Interface subcommand that tells the switch to learn MAC addresses on the interface and add them to the configuration for the interface as secure MAC addresses.
switchport port-security violation {protect | restrict | shutdown }
Interface subcommand that tells the switch what to do if an inappropriate MAC address tries to access the network through a secure switch port.
Does discarding offending traffic protect, restrict or shutdown?
It protects, restricts and shuts down.
history size (length)
Line config mode. Defines the number of commands held in the history buffer, for later recall, for users of those lines.
List of commands related to the command history buffer
show history: Lists the commands currently held in the history buffer. history size x: From console or vty line configuration mode, sets the default number of commands saved in the history buffer for the user(s) of the console or vty lines, respectively. terminal history size x: From EXEC mode, this command allows a single user to set, just for this one login session, the size of his or her history buffer.
Configuration steps for SSH support on a switch
Step 1. Configure the vty lines to use usernames, with either locally configured usernames (using the login local command) or a AAA server.
Step 2. If using locally defined usernames, add one or more username global configuration commands to configure username/password pairs.
Step 3. Configure the switch to generate a matched public and private key pair to use for encryption, using two commands: a. As a prerequisite for the next command, configure a DNS domain name with the ip domain-name (name) global configuration command. b. Create the encryption keys using the crypto key generate rsa global configuration command.
Step 4. (Optional) Enable SSH Version 2 using the ip ssh version 2 global command for enhanced security.
How a switch can learn its IPv4 settings with DHCP.
Step 1. Enter VLAN 1 configuration mode using the interface vlan 1 global configuration command, and enable the interface using the no shutdown command as necessary.
Step 2. Assign an IP address and mask using the ip address dhcp interface subcommand.
Configuring IPv4 on a Switch, assuming the IP address is configured in VLAN 1.
Step 1. Enter VLAN 1 configuration mode using the interface vlan 1 global configuration command.
Step 2. Assign an IP address and mask using the ip address (ip-address mask) interface subcommand.
Step 3. If not already enabled, enable the VLAN 1 interface using the no shutdown interface subcommand.
Step 4. Add the ip default-gateway (ip-address1 ip-address2....) global command to configure the switch to use DNS to resolve names into their matching IP address.
Port security configuration checklist
Step 1. Make the switch interface either a static access or trunk interface, using the switchport mode access or the switchport mode trunk interface subcommands, respectively.
Step 2. Enable port security using the switchport port-security interface subcommand.
Step 3. (Optional) Override the default maximum number of allowed MAC addresses associated with the interface (1) by using the switchport port-security maximum number interface subcommand.
Step 4. (Optional) Override the default action to take upon a security violation (shutdown) using the switchport port-security violation {protect | restrict | shutdown} interface subcommand.
Step 5. (Optional) Predefine any allowed source MAC address(es) for this interface, using the switchport port-security mac-address (mac-address) command. Use the command multiple times to define more than one MAC address.
Step 6. (Optional) Tell the switch to "sticky learn" dynamically learned MAC addresses with the switchport port-security mac-address sticky interface subcommand.
TELNET
The standard terminal-emulation application layer protocol in the TCP/IP protocol stack. Telnet is used for remote terminal connection, enabling users to log in to remote systems and use resources as if they were connected to a local system. Telnet is defined in RFC 854.
Basic password configuration
The user must first get into line configuration mode (config-line) by entering the line console 0 command. Next, entering the password command sets the simple text password.
ip address (ip-address subnet-mask)
VLAN interface mode. Statically configures the switch's IP address and mask.
Does disabling the interface and discarding all traffic protect, restrict or shutdown?
It just shuts down.
transport input {telnet | ssh | all | none}
Vty line configuration mode. Defines whether Telnet and/or SSH access is allowed into this switch. Both values can be configured on one command to allow both Telnet and SSH access (the default).