CCNA2 Chapter 5 Switch Configuration


Switch Boot Sequence

1. The switch loads the power-on self-test (POST) program stored in ROM. POST checks the CPU subsystem: it tests the CPU, DRAM, and the portion of the flash device that makes up the flash file system.
2. The switch loads the boot loader software. The boot loader is a small program stored in ROM that runs immediately after POST completes successfully.
3. The boot loader performs low-level CPU initialization. It initializes the CPU registers, which control where physical memory is mapped, the quantity of memory, and its speed.
4. The boot loader initializes the flash file system on the system board.
5. The boot loader locates and loads a default IOS operating system software image into memory and hands control of the switch to the IOS.

security violations occur in these situations

A station whose MAC address is not in the address table attempts to access the interface when the table is already full (the configured maximum number of secure addresses has been reached).
A MAC address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

show version

Command that displays the OS version along with system information

show history

Command that displays the commands previously entered in the current terminal session; the history buffer holds 10 entries by default.

show flash

Command that lists a current status of the flash memory

Secure Unused Ports

Disable Unused Ports
A simple method that many administrators use to help secure the network from unauthorized access is to disable all unused ports on a switch. For example, if a Catalyst 2960 switch has 24 ports and there are three Fast Ethernet connections in use, it is good practice to disable the 21 unused ports. Navigate to each unused port and issue the Cisco IOS shutdown command. If, later on, a port must be reactivated, it can be enabled with the no shutdown command. The figure shows partial output for this configuration.
It is simple to make configuration changes to multiple ports on a switch. If a range of ports must be configured, use the interface range command:
Switch(config)# interface range type module/first-number - last-number
The process of enabling and disabling ports can be time-consuming, but it enhances security on the network and is well worth the effort. Afterwards, confirm the result with show interfaces status: every port you shut down should be listed as disabled, and any port still showing notconnect is still enabled and waiting for whatever gets plugged into it.
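Walking 21 ports by hand is where mistakes creep in. The following is an added example (not from the course page or from Cisco) that turns a captured show interfaces status listing into the interface range / shutdown commands for every port that is enabled but has nothing connected. The capture, port names, descriptions and VLANs are constructed for the example; the interface-name abbreviations (Fa, Gi, Te) and the range syntax are standard IOS.

```python
"""Generate 'interface range ... / shutdown' for unused switch ports.

Added example, not part of the CCNA course material. The sample output is a
constructed 'show interfaces status' listing from an assumed 8-port section
of a Catalyst switch; ports marked 'notconnect' are enabled but unused,
'disabled' ports are already shut down and are left alone."""
import re
from itertools import groupby

# Constructed sample output (assumption: no real switch was queried).
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1     Uplink to R1       connected    1          a-full  a-100 10/100BaseTX
Fa0/2                        notconnect   1            auto   auto 10/100BaseTX
Fa0/3                        notconnect   1            auto   auto 10/100BaseTX
Fa0/4     PC2                connected    99         a-full  a-100 10/100BaseTX
Fa0/5                        notconnect   1            auto   auto 10/100BaseTX
Fa0/6                        disabled     1            auto   auto 10/100BaseTX
Fa0/7                        notconnect   1            auto   auto 10/100BaseTX
Fa0/8                        notconnect   1            auto   auto 10/100BaseTX
"""

# One row of 'show interfaces status'; the Name column may be empty or
# contain spaces, so it is matched lazily and the Status keyword anchors it.
LINE_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*"
    r"(?P<status>connected|notconnect|disabled|err-disabled)\s+"
    r"(?P<vlan>\S+)\s+(?P<duplex>\S+)\s+(?P<speed>\S+)\s+(?P<type>\S+)\s*$"
)
# Short interface name -> the full name IOS accepts in configuration.
ABBREV = {"Fa": "FastEthernet", "Gi": "GigabitEthernet", "Te": "TenGigabitEthernet"}
# Fa0/2 or Gi1/0/2: letters, then one or more 'n/' slot parts, then the port number.
PORT_RE = re.compile(r"^(?P<abbr>[A-Za-z]+)(?P<slot>(?:\d+/)+)(?P<num>\d+)$")


def parse_status(text):
    """Return one dict per interface row; the header line does not match."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def unused_ports(rows):
    """Ports that are enabled but have no link: the ones to shut down."""
    return [r["port"] for r in rows if r["status"] == "notconnect"]


def to_ranges(ports):
    """Collapse consecutive port numbers into (prefix, first, last) tuples."""
    parsed = []
    for p in ports:
        m = PORT_RE.match(p)
        if not m:
            raise ValueError(f"unexpected port name: {p}")
        full = ABBREV.get(m.group("abbr"), m.group("abbr")) + m.group("slot")
        parsed.append((full, int(m.group("num"))))
    parsed.sort()
    ranges = []
    for prefix, group in groupby(parsed, key=lambda t: t[0]):
        nums = [n for _, n in group]
        start = prev = nums[0]
        for n in nums[1:]:
            if n == prev + 1:
                prev = n
                continue
            ranges.append((prefix, start, prev))
            start = prev = n
        ranges.append((prefix, start, prev))
    return ranges


def shutdown_commands(ranges):
    """IOS configuration lines for each range (a one-port range is valid)."""
    lines = []
    for prefix, first, last in ranges:
        target = f"{prefix}{first}" if first == last else f"{prefix}{first} - {last}"
        lines.append(f"interface range {target}")
        lines.append(" description UNUSED - shut by audit")
        lines.append(" shutdown")
    return lines


if __name__ == "__main__":
    print("\n".join(shutdown_commands(to_ranges(unused_ports(parse_status(SAMPLE_STATUS))))))
```

Run against a real capture the script emits three ranges for the sample (0/2-3, 0/5, 0/7-8); Fa0/6 is skipped because it is already disabled, and the connected ports are never touched. Paste the output into configuration mode, then re-run show interfaces status to confirm every former notconnect port now reads disabled.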

show ip interface

Displays IPv4 status and configuration details for every interface on a router (on a switch, for its SVIs)

Configure Switch Ports at the Physical Layer

Enter configuration mode and set FastEthernet0/1 to full duplex at 100 Mb/s:
S1# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
S1(config)# interface FastEthernet0/1
S1(config-if)# duplex full
S1(config-if)# speed 100
Exit configuration mode and save the configuration to NVRAM:
S1(config-if)# end
S1#
%SYS-5-CONFIG_I: Configured from console by console
S1# copy running-config startup-config
Set both ends of the link the same way. If one side is hard-coded to full/100 while the other side still autonegotiates, the autonegotiating side sees no negotiation partner and falls back to half duplex, which is the classic duplex mismatch.

configure Auto-MDIX

Enter configuration mode and set the FastEthernet0/1 duplex, speed, and MDIX to auto:
S2# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
S2(config)# interface fastethernet0/1
S2(config-if)# duplex auto
S2(config-if)# speed auto
S2(config-if)# mdix auto
Exit configuration mode and save the configuration to NVRAM:
S2(config-if)# end
S2#
%SYS-5-CONFIG_I: Configured from console by console
S2# copy running-config startup-config
Auto-MDIX depends on autonegotiation: if speed or duplex is hard-coded on the interface, mdix auto has no effect and the correct cable type (straight-through or crossover) must be used.

Duplex Communication

Full-duplex communication improves the performance of a switched LAN. It increases effective bandwidth by allowing both ends of a connection to transmit and receive data simultaneously, which is also known as bidirectional communication. This method of optimizing network performance requires micro-segmentation. A micro-segmented LAN is created when a switch port has only one device connected and is operating in full-duplex mode; in that case there is no collision domain associated with the port.
Unlike full-duplex communication, half-duplex communication is unidirectional: sending and receiving data do not occur at the same time. Half-duplex communication creates performance issues because data can flow in only one direction at a time, often resulting in collisions. Half-duplex connections are typically seen in older hardware, such as hubs. Full-duplex communication has replaced half-duplex in most hardware; Gigabit Ethernet and 10 Gb/s NICs run full duplex only.
In full-duplex mode, the collision detection circuit on the NIC is disabled. Frames sent by the two connected devices cannot collide because the devices use separate wire pairs in the network cable for each direction. Full-duplex connections require a switch that supports full-duplex configuration, or a direct connection using an Ethernet cable between two devices.
Standard, shared hub-based Ethernet efficiency is typically rated at 50 to 60 percent of the stated bandwidth. Full-duplex offers 100 percent efficiency in both directions (transmitting and receiving), which results in a 200 percent potential use of the stated bandwidth.

characteristics of sticky secure MAC addresses

Learned dynamically and converted to sticky secure MAC addresses, which are stored in the running-config
Removed from the running-config if port security is disabled on the interface
Lost when the switch reboots or is power cycled, unless the running-config has been saved
Saving sticky secure MAC addresses in the startup-config makes them permanent; the switch retains them after a reboot
Disabling sticky learning converts sticky MAC addresses to dynamic secure addresses and removes them from the running-config

show mac address-table

Lists MAC table entries, including the associated VLAN

Troubleshooting Network Access Layer Issues

Most issues that affect a switched network are encountered during the original implementation. Theoretically, after it is installed, a network continues to operate without problems. However, cabling gets damaged, configurations change, and new devices are connected to the switch that require switch configuration changes. Ongoing maintenance and troubleshooting of the network infrastructure is required.
To troubleshoot scenarios involving no connection, or a bad connection, between a switch and another device, follow this general process:
1. Use the show interfaces command to check the interface status.
2. If the interface is down: check that the proper cables are being used, and check the cable and connectors for damage. If a bad or incorrect cable is suspected, replace the cable. If the interface is still down, the problem may be a speed mismatch. Speed is typically auto-negotiated, so even if it is manually configured on one interface, the connecting interface should auto-negotiate accordingly; a mismatch caused by misconfiguration or by a hardware or software issue can bring the interface down. Manually set the same speed on both ends of the connection if a mismatch is suspected.
3. If the interface is up but connectivity problems remain: use show interfaces to check for indications of excessive noise, such as rising counters for runts, giants, and CRC errors. If there is excessive noise, find and remove the noise source if possible, verify that the cable does not exceed the maximum cable length, and check the type of cable used.
4. If noise is not the issue, check for excessive collisions. If there are collisions or late collisions, verify the duplex settings on both ends of the connection. Like speed, duplex is usually auto-negotiated. If there does appear to be a duplex mismatch, manually set the duplex to full on both ends of the connection.

Port Security: Operation

Port Security
All switch ports (interfaces) should be secured before the switch is deployed for production use. One way to secure ports is by implementing a feature called port security. Port security limits the number of valid MAC addresses allowed on a port. The MAC addresses of legitimate devices are allowed access, while other MAC addresses are denied. Port security can be configured to allow one or more MAC addresses. If the number of MAC addresses allowed on the port is limited to one, then only the device with that specific MAC address can successfully connect to the port. If a port is configured as a secure port and the maximum number of MAC addresses is reached, any additional attempts to connect by unknown MAC addresses will generate a security violation. Figure 1 summarizes these points.
Secure MAC Address Types
There are a number of ways to configure port security. The type of secure address is based on the configuration and includes:
Static secure MAC addresses - MAC addresses that are manually configured on a port by using the switchport port-security mac-address mac-address interface configuration mode command. MAC addresses configured in this way are stored in the address table and are added to the running configuration on the switch.
Dynamic secure MAC addresses - MAC addresses that are dynamically learned and stored only in the address table. MAC addresses learned in this way are removed when the switch restarts or the port goes down.
Sticky secure MAC addresses - MAC addresses that can be dynamically learned or manually configured, then stored in the address table and added to the running configuration until the switch restarts.
Sticky Secure MAC Addresses
To configure an interface to convert dynamically learned MAC addresses to sticky secure MAC addresses and add them to the running configuration, you must enable sticky learning. Sticky learning is enabled on an interface by using the switchport port-security mac-address sticky interface configuration mode command. When this command is entered, the switch converts all dynamically learned MAC addresses, including those that were dynamically learned before sticky learning was enabled, into sticky secure MAC addresses. All sticky secure MAC addresses are added to the address table and to the running configuration.
Sticky secure MAC addresses can also be manually defined. When sticky secure MAC addresses are configured by using the switchport port-security mac-address sticky mac-address interface configuration mode command, all specified addresses are added to the address table and the running configuration.
If the sticky secure MAC addresses are saved to the startup configuration file, then when the switch restarts or the interface shuts down, the interface does not need to relearn the addresses. If the sticky secure addresses are not saved, they will be lost. If sticky learning is disabled by using the no switchport port-security mac-address sticky interface configuration mode command, the sticky secure MAC addresses remain part of the address table, but are removed from the running configuration. Figure 2 shows the characteristics of sticky secure MAC addresses.
Note: The port security feature will not work until port security is enabled on the interface using the switchport port-security command. That command is only accepted on a port configured as a static access (or trunk) port; on a port left in the default dynamic mode it is rejected, which is why the configuration examples set switchport mode access first.

Port Security Violation Modes

Protect - When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed, or the maximum number of allowed addresses is increased. There is no notification that a security violation has occurred, and the violation counter does not increment, so this mode is easy to overlook when troubleshooting.
Restrict - Same dropping behaviour as protect, but the switch generates a notification (a syslog message and SNMP trap) and increments the violation counter.
Shutdown - In this (default) mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It increments the violation counter. When a secure port is in the error-disabled state, it can be brought out of this state by entering the shutdown interface configuration mode command followed by the no shutdown command. The switch can also be told to re-enable the port automatically after a timer with the global commands errdisable recovery cause psecure-violation and errdisable recovery interval seconds; if the offending device is still attached, the port simply goes err-disabled again when the timer expires.
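To make the difference between the three modes (and the sticky-learning behaviour from the two preceding sections) concrete, here is an added example that models a secure port in Python. It is not course material or Cisco code: the class, the MAC addresses, and the interface names are constructed, and the syslog strings are modelled on the IOS messages rather than captured from a switch.

```python
"""Toy model of a Catalyst secure port (added example, not course material).

Models: maximum secure addresses, the protect/restrict/shutdown violation
modes, err-disable recovery with shutdown / no shutdown, and what sticky
learning adds to the running configuration. MAC addresses and interface
names used in the usage section are constructed."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1              # Cisco default: one secure MAC address
    violation: str = "shutdown"   # Cisco default violation mode
    sticky: bool = False          # sticky address learning is off by default
    secure_macs: dict = field(default_factory=dict)  # mac -> static|dynamic|sticky
    err_disabled: bool = False
    violation_count: int = 0
    log: list = field(default_factory=list)

    def add_static(self, mac):
        """switchport port-security mac-address <mac>"""
        self.secure_macs[mac] = "static"

    def receive(self, src_mac):
        """Decide what the switch does with a frame whose source is src_mac."""
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forwarded (learned)"
        # Table is full and the source is unknown: a security violation.
        if self.violation == "protect":
            return "dropped"          # silent: no syslog, counter unchanged
        self.violation_count += 1
        if self.violation == "restrict":
            self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                            f"occurred, caused by MAC address {src_mac} on port {self.name}.")
            return "dropped"
        self.err_disabled = True      # shutdown mode: port goes err-disabled
        self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on "
                        f"{self.name}, putting {self.name} in err-disable state")
        return "dropped (port err-disabled)"

    def recover(self):
        """shutdown / no shutdown: clears err-disabled; the port going down
        also discards dynamic secure addresses (static and sticky survive)."""
        self.err_disabled = False
        self.secure_macs = {m: k for m, k in self.secure_macs.items() if k != "dynamic"}

    def enable_sticky(self):
        """switchport port-security mac-address sticky: existing dynamic
        addresses are converted too."""
        self.sticky = True
        for mac, kind in list(self.secure_macs.items()):
            if kind == "dynamic":
                self.secure_macs[mac] = "sticky"

    def disable_sticky(self):
        """no switchport port-security mac-address sticky: addresses stay in
        the address table but leave the running configuration."""
        self.sticky = False
        for mac, kind in list(self.secure_macs.items()):
            if kind == "sticky":
                self.secure_macs[mac] = "dynamic"

    def running_config(self):
        """Lines port security contributes under 'interface <name>'."""
        lines = ["switchport mode access", "switchport port-security"]
        if self.maximum != 1:
            lines.append(f"switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f"switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        for mac, kind in self.secure_macs.items():
            if kind == "static":
                lines.append(f"switchport port-security mac-address {mac}")
            elif kind == "sticky":
                lines.append(f"switchport port-security mac-address sticky {mac}")
            # dynamic addresses live only in the MAC address table
        return lines


if __name__ == "__main__":
    port = SecurePort("FastEthernet0/18")                 # defaults: max 1, shutdown
    for mac in ("0001.0001.0001", "0001.0001.0001", "0002.0002.0002"):
        print(mac, "->", port.receive(mac))
    print(port.log, "violations:", port.violation_count)
```

The point of the model is the part the CLI output hides: with the default shutdown mode the first unknown MAC takes the whole port down, after recovery the dynamically learned address must be relearned, and only sticky and static addresses ever reach the running configuration, so a saved config after sticky learning is what makes the binding survive a reboot.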

configure dynamic port security

S1(config)# interface fastethernet 0/18
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security

configure sticky port security

S1(config)# interface fastethernet 0/19
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security maximum 10
S1(config-if)# switchport port-security mac-address sticky

Configuring Basic Switch Management interface

S1# configure terminal
S1(config)# interface vlan 99
S1(config-if)# ip address 172.17.99.11 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# end
S1# copy running-config startup-config

verify Auto-mdix

S1# show controllers ethernet-controller fa 0/1 phy | include auto-MDIX

port Status

S1# show interface fa0/18 status

Verify SSH support

S1# show ip ssh
On a PC, an SSH client such as PuTTY is used to connect to an SSH server. For the examples, the following have been configured:
SSH enabled on switch S1
Interface VLAN 99 (SVI) with IPv4 address 172.17.99.11 on switch S1
PC1 with IPv4 address 172.17.99.21
In Figure 1, the PC initiates an SSH connection to the SVI VLAN IPv4 address of S1, and the user is prompted for a username and password. Using the configuration from the previous example, the username admin and password ccna are entered. After entering the correct combination, the user is connected via SSH to the CLI on the Catalyst 2960 switch.
To display the version and configuration data for SSH on the device that you configured as an SSH server, use the show ip ssh command. In the example, SSH version 2 is enabled. To check the SSH connections to the device, use the show ssh command.

verify secure mac addresses

S1# show port-security address

verify MAC address dynamic

S1# show port-security interface fastEthernet 0/18

verify MAC address sticky

S1# show port-security interface fastEthernet 0/19

verify sticky MAC in running-config

S1# show running-config | begin FastEthernet0/19

Re-enabling error disabled port

S1(config)# interface fastEthernet 0/18 S1(config-if)# shutdown S1(config-if)# no shutdown

SSH Operation

Secure Shell (SSH) is a protocol that provides a secure (encrypted) management connection to a remote device. SSH should replace Telnet for management connections. Telnet is an older protocol that uses unsecure plaintext transmission of both the login authentication (username and password) and the data transmitted between the communicating devices. SSH provides security for remote connections by providing strong encryption when a device is authenticated (username and password) and also for the transmitted data between the communicating devices. SSH is assigned to TCP port 22. Telnet is assigned to TCP port 23.

Configuring SSH

Set the domain name to cisco.com and generate a 1024-bit RSA key pair:
S1(config)# ip domain-name cisco.com
S1(config)# crypto key generate rsa
The name for the keys will be: S1.cisco.com
Choose the size of the key modulus in the range of 360 to 4096 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 4 seconds)
S1(config)#
*Mar 1 02:20:18.529: %SSH-5-ENABLED: SSH 1.99 has been enabled
The course example uses a 1024-bit modulus; on a production device generate at least 2048 bits, since 1024-bit RSA is no longer considered strong. "SSH 1.99" in the log message means the server still accepts both version 1 and version 2 clients until ip ssh version 2 is configured.
Create a local user admin with the password ccna, and set all vty lines to accept only SSH and to authenticate against the local user database:
S1(config)# username admin secret ccna
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# end
S1#
%SYS-5-CONFIG_I: Configured from console by console
Configure S1 to accept only SSH version 2:
S1(config)# ip ssh version 2
S1(config)#
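The settings above are easy to get half right: a vty block that still allows telnet, a username with password instead of secret, or a forgotten ip ssh version 2 all leave a weaker path open. The following added example (not course material or Cisco code) audits a saved running-config for exactly those items. The two configurations are constructed; the hostname, user name and line numbers are assumptions.

```python
"""Audit a Catalyst running-config for the SSH management settings.

Added example, not part of the course. Checks: ip domain-name present,
ip ssh version 2, local users defined with 'secret', and every 'line vty'
block restricted to 'transport input ssh' with 'login local'.
Both configurations below are constructed."""
import re

# Constructed: the mistakes this audit is meant to catch (assumed config).
WEAK_CONFIG = """\
hostname S1
ip domain-name cisco.com
username admin password 0 ccna
ip ssh version 1
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login
"""

# Constructed: the configuration this section builds, as it appears in
# 'show running-config' (assumed config).
HARDENED_CONFIG = """\
hostname S1
ip domain-name cisco.com
username admin secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
ip ssh version 2
line vty 0 15
 transport input ssh
 login local
"""


def parse_vty_blocks(config):
    """Map each 'line vty a b' header to the indented lines beneath it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = line.strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None          # any unindented line ends the block
    return blocks


def audit_ssh(config):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("no ip domain-name: crypto key generate rsa cannot run")
    if not re.search(r"^ip ssh version 2\s*$", config, re.M):
        findings.append("ip ssh version 2 not set: SSH version 1 is still accepted")
    for m in re.finditer(r"^username (\S+) password ", config, re.M):
        findings.append(f"user {m.group(1)} uses 'password' (reversible); use 'secret'")
    for name, lines in parse_vty_blocks(config).items():
        transport = [l for l in lines if l.startswith("transport input")]
        if not transport or transport[-1] != "transport input ssh":
            have = transport[-1] if transport else "not restricted"
            findings.append(f"{name}: transport input is '{have}', want 'transport input ssh'")
        if "login local" not in lines:
            findings.append(f"{name}: no 'login local'; remote users are not checked "
                            "against the local user database")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit_ssh(cfg) or ["ok"])
```

Run it against show running-config output pulled from each switch; the weak sample yields four findings (SSHv1 still allowed, a reversible password, telnet on vty 0 4, and vty 5 15 using the line password instead of the local database), the hardened sample yields none. The RSA modulus size is not visible in the running-config, so check it separately with show crypto key mypubkey rsa.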

implement security on all ports

Specify a single MAC address or a group of valid MAC addresses allowed on a port
Specify that a port automatically shuts down if unauthorized MAC addresses are detected

Configuring Basic Switch Management Access with IPv4

Step 1. Configure Management Interface
An IPv4 address and subnet mask is configured on the management SVI of the switch from VLAN interface configuration mode. As shown in Figure 1, the interface vlan 99 command is used to enter interface configuration mode. The ip address command is used to configure the IPv4 address. The no shutdown command enables the interface. In this example, VLAN 99 is configured with IPv4 address 172.17.99.11.
The SVI for VLAN 99 will not appear as "up/up" until VLAN 99 is created and there is a device connected to a switch port associated with VLAN 99. To create a VLAN with the vlan_id of 99, and associate it to an interface, use the following commands:
S1(config)# vlan vlan_id
S1(config-vlan)# name vlan_name
S1(config-vlan)# exit
S1(config)# interface interface_id
S1(config-if)# switchport access vlan vlan_id
Step 2. Configure Default Gateway
The switch should be configured with a default gateway if it will be managed remotely from networks that are not directly connected. The default gateway is the router to which the switch is connected. The switch will forward its IP packets with destination IP addresses outside the local network to the default gateway. As shown in Figure 2, R1 is the default gateway for S1. The interface on R1 connected to the switch has the IPv4 address 172.17.99.1. This address is the default gateway address for S1.
To configure the default gateway for the switch, use the ip default-gateway command and enter the IPv4 address of the default gateway, which is the address of the router interface to which the switch is connected. Use the copy running-config startup-config command to back up your configuration.
Step 3. Verify Configuration
As shown in Figure 3, the show ip interface brief command is useful when determining the status of both physical and virtual interfaces. The output shown confirms that interface VLAN 99 has been configured with an IPv4 address and subnet mask.

Switch LED Indicators

System LED - Shows whether the system is receiving power and is functioning properly. Off: the system is not powered on. Green: the system is operating normally. Amber: the system is receiving power but is not functioning properly.
Redundant Power System (RPS) LED - Shows the RPS status. Off: the RPS is off or not properly connected. Green: the RPS is connected and ready to provide backup power. Blinking green: the RPS is connected but unavailable because it is providing power to another device. Amber: the RPS is in standby mode or in a fault condition. Blinking amber: the internal power supply in the switch has failed and the RPS is providing power.
Port Status LED - Indicates that the port status mode is selected when the LED is green. This is the default mode. When selected, the port LEDs mean: Off: no link, or the port was administratively shut down. Green: a link is present. Blinking green: activity; the port is sending or receiving data. Alternating green-amber: link fault. Amber: the port is blocked to ensure that a loop does not exist in the forwarding domain and is not forwarding data (typically, ports remain in this state for the first 30 seconds after being activated). Blinking amber: the port is blocked to prevent a possible loop in the forwarding domain.
Port Duplex LED - Indicates that the port duplex mode is selected when the LED is green. When selected, port LEDs that are off are in half-duplex mode; a green port LED means full-duplex mode.
Port Speed LED - Indicates that the port speed mode is selected. When selected, the port LEDs mean: Off: 10 Mb/s. Green: 100 Mb/s. Blinking green: 1000 Mb/s.
Power over Ethernet (PoE) Mode LED - Present if PoE is supported. Off: PoE mode is not selected and no port has been denied power or placed in a fault condition. Blinking amber: PoE mode is not selected but at least one port has been denied power or has a PoE fault. Green: PoE mode is selected and the port LEDs mean: Off: PoE is off. Green: PoE is on. Alternating green-amber: PoE denied because powering the device would exceed the switch power capacity. Blinking amber: PoE off due to a fault. Amber: PoE for the port has been disabled.

Recovering From a System Crash

The boot loader can be accessed through a console connection following these steps:
Step 1. Connect a PC by console cable to the switch console port. Configure terminal emulation software to connect to the switch.
Step 2. Unplug the switch power cord.
Step 3. Reconnect the power cord to the switch and, within 15 seconds, press and hold down the Mode button while the System LED is still flashing green.
Step 4. Continue pressing the Mode button until the System LED turns briefly amber and then solid green; then release the Mode button.
Step 5. The boot loader switch: prompt appears in the terminal emulation software on the PC.
The boot loader command line supports commands to format the flash file system, reinstall the operating system software, and recover a lost or forgotten password. For example, the dir command can be used to view a list of files within a specified directory, as shown in the figure.
Note: In this example, the IOS is located in the root of the flash folder.
Because anyone with physical access to the console port can use this procedure to bypass the configured passwords (unless password recovery has been disabled with no service password-recovery), physical security of the switch matters as much as the CLI hardening in this chapter.

Network Access Layer Issues

The output from the show interfaces command can be used to detect common media issues. One of the most important parts of this output is the display of the line and data link protocol status. The first parameter (FastEthernet0/1 is up) refers to the hardware layer and indicates whether the interface is receiving a carrier detect signal. The second parameter (line protocol is up) refers to the data link layer and indicates whether the data link layer protocol keepalives are being received.
Based on the output of the show interfaces command, possible problems can be fixed as follows:
If the interface is up and the line protocol is down, a problem exists. There could be an encapsulation type mismatch, the interface on the other end could be error-disabled, or there could be a hardware problem.
If the line protocol and the interface are both down, a cable is not attached or some other interface problem exists. For example, in a back-to-back connection, the other end of the connection may be administratively down.
If the interface is administratively down, it has been manually disabled (the shutdown command has been issued) in the active configuration.
The figure shows show interfaces command output with the counters and statistics for the FastEthernet0/1 interface.

Preparing for Basic Switch Management

To prepare a switch for remote management access, the switch must be configured with an IP address and a subnet mask. Keep in mind, that to manage the switch from a remote network, the switch must be configured with a default gateway. This is very similar to configuring the IP address information on host devices. In the figure, the switch virtual interface (SVI) on S1 should be assigned an IP address. The SVI is a virtual interface, not a physical port on the switch. SVI is a concept related to VLANs. VLANs are numbered logical groups to which physical ports can be assigned. Configurations and settings applied to a VLAN are also applied to all the ports assigned to that VLAN. By default, the switch is configured to have the management of the switch controlled through VLAN 1. All ports are assigned to VLAN 1 by default. For security purposes, it is considered a best practice to use a VLAN other than VLAN 1 for the management VLAN. Note that these IP settings are only for remote management access to the switch; the IP settings do not allow the switch to route Layer 3 packets.

Port Security: Verifying

Verify Port Security
After configuring port security on a switch, check each interface to verify that port security is set correctly, and check to ensure that the static MAC addresses have been configured correctly.
Verify Port Security Settings
To display port security settings for the switch, or for the specified interface, use the show port-security interface [interface-id] command. The output for the dynamic port security configuration is shown in Figure 1. By default, there is one MAC address allowed on this port. The output shown in Figure 2 shows the values for the sticky port security settings. The maximum number of addresses is set to 10, as configured.
Note: The MAC address is identified as a sticky MAC. Sticky MAC addresses are added to the MAC address table and to the running configuration. As shown in Figure 3, the sticky MAC for PC2 has been added to the running configuration for S1.
Verify Secure MAC Addresses
To display all secure MAC addresses configured on all switch interfaces, or on a specified interface with aging information for each, use the show port-security address command. As shown in Figure 4, the secure MAC addresses are listed along with their types.

Ports in Error Disabled State

When a port is configured with port security, a violation can cause the port to become error disabled. When a port is error disabled, it is effectively shut down and no traffic is sent or received on that port. A series of port security related messages display on the console (Figure 1). Note: The port protocol and link status is changed to down. The port LED will turn off. The show interfaces command identifies the port status as err-disabled (Figure 2). The output of the show port-security interface command now shows the port status as secure-shutdown. Because the port security violation mode is set to shutdown, the port with the security violation goes to the error disabled state. The administrator should determine what caused the security violation before re-enabling the port. If an unauthorized device is connected to a secure port, the port should not be re-enabled until the security threat is eliminated. To re-enable the port, use the shutdown interface configuration mode command (Figure 3). Then, use the no shutdown interface configuration command to make the port operational.

show interfaces

a command to display media issues

auto-MDIX

a feature that detects the type of cable, and configures the interfaces to allow the connection

SSH Operation

An attacker who can capture traffic (for example with Wireshark) can target a Telnet stream and read the administrator's username and password directly from the plaintext session. In a capture of an SSH session the attacker can still track the session by the IP address of the administrator's device, but, as Figure 4 shows, the username, password, and everything that follows are encrypted.
To enable SSH on a Catalyst 2960 switch, the switch must be running an IOS image that includes cryptographic (encrypted) features and capabilities. In Figure 5, the show version command is used to see which IOS the switch is currently running. An IOS filename that includes "k9" supports cryptographic features; on an image without k9 the crypto key generate rsa command is not available and SSH cannot be enabled.

show startup-config

displays the backup configuration file

port security defaults

Port security - disabled on the port
Maximum number of secure MAC addresses - 1
Violation mode - shutdown; the port shuts down (err-disabled) when the maximum number of secure addresses is exceeded
Sticky address learning - disabled

Configure default gateway

S1# configure terminal
S1(config)# ip default-gateway 172.17.99.1
S1(config)# end
S1# copy running-config startup-config

Verify Configuration

s1# show ip interface brief

show running-config

Shows the configuration currently active in RAM; a privileged EXEC command (issued at the S1# prompt, not from global configuration mode)

Network Access Layer Issues

Some media errors are not severe enough to cause the circuit to fail, but they do cause network performance issues. These common errors can be detected using the show interfaces command.
"Input errors" is the sum of all errors in datagrams that were received on the interface being examined. This includes runts, giants, CRC, no buffer, frame, overrun, and ignored counts. The reported input errors from the show interfaces command include the following:
Runt Frames - Ethernet frames that are shorter than the 64-byte minimum allowed length are called runts. Malfunctioning NICs are the usual cause of excessive runt frames, but they can also be caused by collisions.
Giants - Ethernet frames that are larger than the maximum allowed size are called giants.
CRC errors - On Ethernet and serial interfaces, CRC errors usually indicate a media or cable error. Common causes include electrical interference, loose or damaged connections, or incorrect cabling. If you see many CRC errors, there is too much noise on the link and you should inspect the cable. You should also search for and eliminate noise sources.
"Output errors" is the sum of all errors that prevented the final transmission of datagrams out the interface that is being examined. The reported output errors from the show interfaces command include the following:
Collisions - Collisions in half-duplex operation are normal. However, you should never see collisions on an interface configured for full-duplex communication.
Late collisions - A late collision is a collision that occurs after 512 bits of the frame have been transmitted. Excessive cable lengths are the most common cause of late collisions. Another common cause is duplex misconfiguration. For example, you could have one end of a connection configured for full-duplex and the other for half-duplex. You would see late collisions on the interface that is configured for half-duplex. In that case, you must configure the same duplex setting on both ends. A properly designed and configured network should never have late collisions.

Port Security: Configuring

The figure summarizes the default port security settings on a Cisco Catalyst switch. The Cisco IOS CLI commands needed to configure port security on Fast Ethernet port F0/18 of switch S1 are shown next. Notice that the example does not specify a violation mode, so the violation mode is shutdown (the default mode). A second example configures sticky secure MAC addresses for port security on Fast Ethernet port 0/19 of switch S1. As stated earlier, the maximum number of secure MAC addresses can be manually configured; in this example the Cisco IOS command syntax is used to set the maximum number of MAC addresses to 10 for port 0/19. The violation mode is again shutdown, by default.

