Chapter 10

Configuring Catalyst Switches

- If you connect into a switch port and the switch port LED is alternating green and amber, it means the port is experiencing errors. If this happens, check the host NIC or the cabling, possibly the duplex settings on the port to make sure they match the host settings.

Address learning

- Layer 2 switches remember the source hardware address of each frame received on an interface and enter this information into a MAC database called a forward/filter table.

Example of how a forward/filter table is populated

1. Host A sends a frame to Host B. Host A's MAC address 0000.8c01.000A; Host B's MAC address is 0000.8c01.000B. 2. The switch receives the frame on the FA0/0 interface and places the source address in the MAC address table. 3. Since the destination address isn't in the MAC database, the frame is forwarded out all interfaces except the source port. 4. Host B receives the frame and responds to Host A. The switch receives this frame on interface FA0/1 and places the source hardware address in the MAC database. 5. Host A and Host B can now make a point-to-point connection and only these specific devices will receive the frames. Host C and D won't see the frames, nor will their MAC addresses be found in the database because they haven't sent a frame to the switch yet. - If Host A and Host B don't communicate to the switch again within a certain time period, the switch will flush their entries from the database to keep it as current as possible.

Remember the three switch functions

Address learning, forward/filter decisions, and loop avoidance are the functions of a switch

What are the three distinct functions of layer 2 switching

Following cards

Loop avoidance

If multiple connections between switches are created for redundancy purposes, network loops can occur. Spanning Tree Protocol (STP) is used to stop network loops while still permitting redundancy.

How to configure port security

Switch#config t Switch(config)#int fa0/1 Switch(config-if)#switchport mode access Switch(config-if)#switchport port-security Switch(config-if)#switchport port-security maximum 1 Switch(config-of)#switchport port-security violation shutdown

Remember the command to show mac addresses

The command show mac address-table will show you the forward/filter table used on the LAN switch.

Know the command to enabled port security

To enabled port security on a port, you must first make sure the port is an access port with switchport mode access and then use the switchport port-security command at the interface level. You can set the port security parameters before or after enabling port security.

Know the commands to verify port security

To verify port security, use the show port-security , show port-security interface interface , and show running-config commands.

What are four important advantages we gain when using layer 2 switches

• Hardware-based bridging (ASICS) • Wire speed • Low latency • Low cost

Do we need to Put IP address on a Switch?

- No, switches have all ports enabled and ready to rock. Take the switch out of the box, plug it in, and the switch starts learning MAC addresses in the CAM. - So why would I need an IP address since switches are providing layer 2 services? Because you still need it for in-band management purposes! Telnet, SSH, SNMP, etc, all need an IP address in order to communicate with the switch through the network (in-band). - So where do we put this management IP address the switch needs for management purposes? On what is predictably called the management VLAN interface-- a routed interface on every Cisco switch and called interface VLAN 1. This management interface can be changed, and Cisco recommends that you do change this to different management interface for security purposes.

Port Security

- Port security on a switch port restricts port access by MAC address. - By using port security, you can limit the number of MAC addresses that can be assigned dynamically to a port, set static MAC addresses. - Always remember to shutdown unused ports or assigned them to an unused VLAN. All ports are enabled by default, so you need to make sure there's no access to unused switch ports.

Notes

- Remember that switches never autodetect. - Never forget that IP address aren't needed on a switch for it to operate. The only reason we would set an IP address, mask, and default gateway is for management purposes.

Configuring Port Security (Cont)

- There are two other modes you can use instead of just shutting down the port. The restrict and protect modes mean that another host can connect up the maximum MAC address allowed, but after the maximum has been met, all frames will just be dropped and the port won't be shut down. Additionally, both the restrict and shutdown violation modes alert you via SNMP that a violation has occurred on a port.

Verifying Cisco Switches

- Using show runinng-config command gives a great overview of each device. But it's too time consuming. - For example, to verify the IP address set on a switch, we can use the show interface command. Here's the output: S3#sh int vlan 1 - The command show mac mac address-table. Using it displays the forward filter table, also called a content addressable memory (CAM) table. The switches use things called base MAC addresses, which are assigned to the CPU. The first one listed is the base mac address of the switch. Example: S1#show mac address-table

Forward/filter descisions

- When a frame is received on an interface, the switch looks at the destination hardware address, then chooses appropriate exit interface for it in the MAC database. This way, the frame is only forwarded out of the correct destination port. - If the destination hardware address isn't listed in the MAC database, then the frame will be flooded out all active interfaces except the interface it was received on. If a device answer the flooded frame, the MAC database is then updated with the device location.

How to assign static MAC addresses

- You can set a static MAC address in the MAC address table, but like setting static MAC port security without the sticky command. Example: S3(config)#mac address-table static aaaa.bbbb.cccc vlan 1 int fa0/7

Understand the reason for port security

Port security restricts access to a switch based on MAC addresses.

Configuring a switch for management purposes

S1#config t S1(config)#interface vlan 99 S1(config-if)#ip address 172.17.99.11 255.255.0.0 S1(config-if)#no shutdown S1(config-if)#end *Save the configuration* Default gateway command so user can access outside of LAN S1#config t S1(config)#ip default-gateway 172.17.99.1 S1(config)#end *Save the configuration*

Configuring Port Security

S3#config t S3(config)#int range fa0/3-4 S3(config-if-range)#switchport mode access S3(config-if-range)#switchport port-security - The first command sets the mode of the ports to "access" ports. These ports must be access to trunk ports to enable security. By using the command switch port-security on the interface, I've enabled port security with a maximum MAC address of 1 and violation of shutdown. Port security is enabled, as displayed on the first line, but the second line shows secure-down because I haven't connected my hosts into the ports yet. Once I do, the status will show secure-up and would become Secure-shutdown if a violation occurs. ** It's very important to remember that you can set parameters for port security but it won't work until you enabled port security at the interface level.`

Sticky configuration

Switch(config-if)#switchport port-security mac-address sticky Switch(config-if)#switchport port-security maximum 2 Switch(config-if)#switchport port-security violation shutdown - Basically, with the sticky command you can provide static MAC address security without having to type in absolutely everyone's MAC address on the network. - IN the preceding example, the first two MAC addresses coming into the port "stick" to it as static addresses and will be placed in the running-config, but when a third address tries to connect, the port would shutdown immediately.