•Instructor Materials Chapter 5: Switch Configuration CCNA Routing and Switching Routing and Switching Essentials v6.0 Cisco Networking Academy Program Routing and Switching Essentials v6.0 Chapter 5: Switch Configuration •5.1 Basic Switch Configuration •5.2 Basic Device Configuration •Configure the management virtual interface on a switch. •Configure the port security feature to restrict network access. • Chapter 5 - Sections & Objectives SMB Cisco Networking Academy Program Routing and Switching Essentials v6.0 Chapter 5: Switch Configuration 5.1 Configure a Switch with Initial Settings 5 – Switch Configuration 5.1 – Configure a Switch with Initial Settings •Power-on self-test (POST), a program stored in ROM, executes and checks hardware like CPU and RAM. •The boot loader, also stored in ROM, runs and initializes parts within the CPU, initializes the flash file system, and then locates and loads an IOS image. •The IOS image can be defined within the BOOT environment variable. •If the variable is not set, the switch scours through the flash file system searching for an executable image file, loading it into RAM, and launching it if found. •If an executable image file is not found, the switch shows the prompt switch: where a few commands are allowed in order to provide access to operating system files found in flash memory and files used to load or reload an operating system. •If an IOS operating system loads, the switch interfaces are initialized and any commands stored in the startup-config file load. • Switch Boot Sequence The startup-config file is stored in NVRAM. 5.1 – Basic Switch Configuration 5.1.1 – Configure a Switch with Initial Settings 5.1.1.1 – Switch Boot Sequence • • Switch Boot Sequence (Cont.) 5.1 – Basic Switch Configuration 5.1.1 – Configure a Switch with Initial Settings 5.1.1.1 – Switch Boot Sequence §The boot loader prompt can be accessed through a console connection to the switch: •1. Cable the PC to the switch console port. •2. Configure the terminal emulation software on the PC. •3. Unplug the switch power cord. •4. Reconnect the power cord and at the same time or within 15 seconds, press and hold the Mode button on the front of the switch until the System LED turns an amber color briefly and then turns a solid green. §The boot loader command prompt is switch: (instead of Switch>). •The commands available through the boot loader command prompt are limited. •Use the help command to display the available commands. • Recovering From a System Crash 5.1 – Basic Switch Configuration 5.1.1 – Configure a Switch with Initial Settings 5.1.1.2 – Recovering From a System Crash Switch LED Indicators §System LED shows if the switch has power applied. §Port LED states: •Off – no link or shut down •Green – link is present •Blinking green – data activity •Alternating green and amber – link fault •Amber – port is not sending data; common for first 30 seconds of connectivity or activation •Blinking amber – port is blocking to prevent a switch loop • • • • • • • • • 5.1 – Basic Switch Configuration 5.1.1 – Configure a Switch with Initial Settings 5.1.1.3 – Switch LED Indicators Preparing for Basic Switch Management §To configure a switch for remote access, the switch must be configured with an •IP address, subnet mask, and default gateway. §One particular switch virtual interface (SVI) is used to manage the switch: •A switch IP address is assigned to an SVI. •By default the management SVI is controlled and configured through VLAN 1. •The management SVI is commonly called the management VLAN. §For security reasons, it is best practice to use a VLAN other than VLAN 1 for the management VLAN. • • • • • • • • Remember that the switch console port is on the back of the switch. 5.1 – Basic Switch Configuration 5.1.1 – Configure a Switch with Initial Settings 5.1.1.4 – Preparing for Basic Switch Management §Examining the Source MAC Address §Switches examine all incoming frames for new source MAC address information to learn. §If the source MAC address is unknown, it is added to the table along with the port number. §If the source MAC address does exist, the switch updates the refresh timer for that entry. §By default, most Ethernet switches keep an entry in the table for 5 minutes. § Switching Process: Learn §Examining the Destination MAC Address §If the destination MAC address is a broadcast or a multicast, the frame is also flooded out all ports except the incoming port. §If the destination MAC address is a unicast address, the switch will look for a match in its MAC address table. §If the destination MAC address is in the table, it will forward the frame out the specified port. §If the destination MAC address is not in the table (i.e., an unknown unicast) the switch will forward the frame out all ports except the incoming port. § Switching Process: Forward Configuring Basic Switch Management Access with IPv4 exit > Important Concept The default gateway is the router address and is used by the switch to communicate with other networks. 5.1 – Basic Switch Configuration 5.1.1 – Configure a Switch with Initial Settings 5.1.1.5 – Configuring Basic Switch Management Access with IPv4 Basic Switch Configuration 5.1 – Basic Switch Configuration 5.1.1 – Configure a Switch with Initial Settings 5.1.1.6 – Lab - Basic Switch Configuration §Gigabit Ethernet and 10Gb Ethernet NICs require full-duplex connections to operate. • Duplex Communication Bidirectional communication Unidirectional communication Obvody pro detekci kolize jsou vypnuty 5.1 – Basic Switch Configuration 5.1.2 – Configure Switch Ports 5.1.2.1 – Duplex Communication §Some switches have the default setting of auto for both duplex and speed. §Mismatched duplex and/or speed settings can cause connectivity issues. §Always check duplex and speed settings using the show interface interface_id command. §All fiber ports operate at one speed and are always full-duplex. • Configure Switch Ports at the Physical Layer 5.1 – Basic Switch Configuration 5.1.2 – Configure Switch Ports 5.1.2.2 – Configure Switch Ports at the Physical Layer §Some switches have the automatic medium-dependent interface crossover (auto-MDIX) feature that allows an interface to detect the required cable connection type (straight-through or crossover) and configure the connection appropriately. Auto-MDIX 5.1 – Basic Switch Configuration 5.1.2 – Configure Switch Ports 5.1.2.3 – Auto-MDIX §Use the show controllers Ethernet-controller command to verify auto-MDIX settings. Auto-MDIX (Cont.) 5.1 – Basic Switch Configuration 5.1.2 – Configure Switch Ports 5.1.2.3 – Auto-MDIX (Cont.) Verifying Switch Port Configuration 5.1 – Basic Switch Configuration 5.1.2 – Configure Switch Ports 5.1.2.4– Verifying Switch Port Configuration Verifying Switch Port Configuration (Cont.) 5.1 – Basic Switch Configuration 5.1.2 – Configure Switch Ports 5.1.2.4– Verifying Switch Port Configuration (Cont.) Verifying Switch Port Configuration (Cont.) Layer 1 OK Layer 2 OK 5.1 – Basic Switch Configuration 5.1.2 – Configure Switch Ports 5.1.2.4– Verifying Switch Port Configuration (Cont.) §Use the show interfaces command to detect common media issues. §The first parameter refers to Layer 1, the physical layer, and indicates if the interface is receiving a carrier detect signal. §The second parameter (protocol status) refers to the data link layer and indicates whether the data link layer protocol has been configured correctly and keepalives are being received. Network Access Layer Issues 5.1 – Basic Switch Configuration 5.1.2 – Configure Switch Ports 5.1.2.5 – Network Access Layer Issues Network Access Layer Issues (Cont.) 5.1 – Basic Switch Configuration 5.1.2 – Configure Switch Ports 5.1.2.5 – Network Access Layer Issues (Cont.) ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Late collision Výřez obrazovky Pozdní kolize jsou problémem, protože jakmile NIC zmešká skutečnost, že došlo ke kolizi, zotavení a opakovaný přenos jsou ponechány na horních vrstvách a doba zotavení drasticky vzroste. Zatímco síťová karta obvykle obnoví a znovu vysílá rámec za 2 –3 ms, u horních vrstev trvá obvykle 10x až 100x déle. Troubleshooting Network Access Layer Issues 5.1 – Basic Switch Configuration 5.1.2 – Configure Switch Ports 5.1.2.6– Troubleshooting Network Access Layer Issues 5.2 Switch Security 5 - Switch Configuration 5.2 – Switch Security §Secure Shell (SSH) •An alternative protocol to Telnet. Telnet uses unsecure plaintext of the username and password as well as the data transmitted. •SSH is more secure because it provides an encrypted management connection. SSH Operation Wireshark Capture of Telnet Wireshark Capture of SSH 5.2 – Switch Security 5.2.1 – Secure Remote Access 5.2.1.1 – SSH Operation §A switch must have an IOS version (k9 at the end of the IOS file name) that includes cryptographic capabilities in order to configure and use SSH. •Use the show version command to see the IOS version. SSH Operation (Cont.) 5.2 – Switch Security 5.2.1 – Secure Remote Access 5.2.1.1 – SSH Operation (Cont.) 1.Verify SSH support. 2.Configure the IP domain name. 3.Generate RSA key pairs. 4.Configure user authentication. 5.Configure the vty lines. 6.Enable SSH version 2. Configuring SSH > Commonly forgotten command that is used in key generation Default is to accept both Telnet and SSH (transport input all) The login local command forces the use of the local database for username/ password. 5.2 – Switch Security 5.2.1 – Secure Remote Access 5.2.1.2 – Configuring SSH §On the PC, connect to the switch using SSH. Verifying SSH Packet Tracer: ssh –l 172.17.99.11 5.2 – Switch Security 5.2.1 – Secure Remote Access 5.2.1.3 – Verifying SSH §On the PC, connect to the switch using SSH. Verifying SSH The PC is using SSH to communicate and issue commands on the switch. 5.2 – Switch Security 5.2.1 – Secure Remote Access 5.2.1.3 – Verifying SSH Packet Tracer – Configuring SSH 5.2 – Switch Security 5.2.1 – Secure Remote Access 5.2.1.4 – Packet Tracer – Configuring SSH Secure Unused Ports The interface range command can be used to apply a configuration to several switch ports at one time. 5.2 – Switch Security 5.2.2 – Switch Port Security 5.2.2.1 – Secure Unused Ports §Port security limits the number of valid MAC addresses allowed to transmit data through a switch port. •If a port has port security enabled and an unknown MAC address sends data, the switch presents a security violation. •Default number of secure MAC addresses allowed is 1. §Methods use to configure MAC addresses within port security: •Static secure MAC addresses – manually configure • switchport port-security mac-address mac-address •Dynamic secure MAC addresses – dynamically learned and removed if the switch restarts •Sticky secure MAC addresses – dynamically learned and added to the running configuration (which can later be saved to the startup-config to permanently retain the MAC addresses) • switchport port-security mac-address sticky mac-address •Note: Disabling sticky learning converts sticky MAC addresses to dynamic secure addresses and removes them from the running-config. • • • Port Security: Operation 5.2 – Switch Security 5.2.2 – Switch Port Security 5.2.2.2 – Port Security: Operation §Protect – data from unknown source MAC addresses are dropped; a security notification IS NOT presented by the switch §Restrict - data from unknown source MAC addresses are dropped; a security notification IS presented by the switch and the violation counter increments. §Shutdown – (default mode) interface becomes error-disabled and port LED turns off. The violation counter increments. Issues the shutdown and then the no shutdown command on the interface to bring it out of the error-disabled state. • Port Security: Violation Modes 5.2 – Switch Security 5.2.2 – Switch Port Security 5.2.2.3 – Port Security: Violation Modes Port Security example: Configuring 5.2 – Switch Security 5.2.2 – Switch Port Security 5.2.2.4 – Port Security: Configuring §Before configuring port-security features, place the port in access mode and use the switchport port-security interface configuration command to enable port security on an interface. Port Security: Configuring (Cont.) 5.2 – Switch Security 5.2.2 – Switch Port Security 5.2.2.4 – Port Security: Configuring (Cont.) Port Security: Configuring (Cont.) 5.2 – Switch Security 5.2.2 – Switch Port Security 5.2.2.4 – Port Security: Configuring (Cont.) §Use the show port-security interface command to verify the maximum number of MAC addresses allowed on a particular port and how many of those addresses were learned dynamically using sticky. Port Security: Verifying Dynamic 5.2 – Switch Security 5.2.2 – Switch Port Security 5.2.2.5 – Port Security: Verifying §Use the show port-security interface command to verify the maximum number of MAC addresses Port Security: Verifying Sticky 5.2 – Switch Security 5.2.2 – Switch Port Security 5.2.2.5 – Port Security: Verifying §Use the show running-config command to see learned MAC addresses added to the configuration. Port Security: Verifying (Cont.) 5.2 – Switch Security 5.2.2 – Switch Port Security 5.2.2.5 – Port Security: Verifying (Cont.) §The show port-security address command shows how MAC addresses were learned on a particular port. Port Security: Verifying (Cont.) 5.2 – Switch Security 5.2.2 – Switch Port Security 5.2.2.5 – Port Security: Verifying (Cont.) §Switch console messages display when a port security violation occurs. Notice the port link status changes to down. Ports in Error Disabled State 5.2 – Switch Security 5.2.2 – Switch Port Security 5.2.2.6 – Ports in Error Disabled State §Check the port status and the port security settings. Ports in Error Disabled State (Cont.) 5.2 – Switch Security 5.2.2 – Switch Port Security 5.2.2.6 – Ports in Error Disabled State (Cont.) Ports in Error Disabled State (Cont.) §Do not re-enable a port until the security threat is investigated and eliminated. §Notice that you must first shut the port down and then issue the no shutdown command in order to use the particular port again after a security violation has occurred. 5.2 – Switch Security 5.2.2 – Switch Port Security 5.2.2.6 – Ports in Error Disabled State (Cont.) Výřez obrazovky Hrátky s časem Výřez obrazovky Typická konfigurace ‹#› © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Výřez obrazovky Jiný typický příklad Packet Tracer – Configuring Switch Port Security 5.2 – Switch Security 5.2.2 – Switch Port Security 5.2.2.7 – Packet Tracer – Configuring Switch Port Security Packet Tracer – Troubleshooting Switch Port Security 5.2 – Switch Security 5.2.2 – Switch Port Security 5.2.2.8 – Packet Tracer – Troubleshooting Switch Port Security Packet Tracer – Configuring Switch Security Features 5.2 – Switch Security 5.2.2 – Switch Port Security 5.2.2.9 – Lab – Configuring Switch Security Features 5.3 Chapter Summary 5 - Switch Configuration 5.3 – Summary Packet Tracer - Skills Integration Challenge 5.3 – Summary 5.3.1 – Conclusion 5.3.1.2 – Packet Tracer - Skills Integration Challenge •Disable ports that do not have a device connected to them using the shutdown command. •Avoid using VLAN 1 because it is commonly attacked. •Use port security to keep private devices from being attached to a network in place of a corporate wired device. • Security best practices: Nutné k zapamatování config t interface vlan 99 ip address 172.17.99.11 255.255.255.0 no shutdown ip default-gateway 172.16.99.1 (address on the router that is on the same 172.17.99.0 network) vlan 99 name Management exit •show interfaces interface_id or show ip interface brief •show ip interface interface_id •show running-config •show flash •show version •show mac-address-table § § Používejte příkazy show •Switch> (User EXEC mode that is shown when a switch first boots) •Switch# (Privileged EXEC mode that is shown after someone types enable) •switch: (Boot loader mode shown when a switch does not have, or cannot find, an operating system) § ? is a KEY to IOS. Promts § Výřez obrazovky sh boot 5.3 – Summary 5.3.1 – Conclusion 5.3.1.3 – Switch Configuration New Terms and Commands •POST •Boot loader •boot system command •show boot command •switch: prompt •Mode button •System LED •Port LED •SVI •VLAN •Management VLAN •interface vlan command •vlan command •name command •Full-duplex •Half-duplex •Port speed •duplex command •speed command •mdix command •show interfaces command •SSH configuration •ip domain-name command •crypto key generate rsa command •transport input local command •username secret command •ip ssh version 2 command •login local command •show ip ssh command •Unused ports •Port security •switchport mode access command •switchport port-security command •switchport port-security maximum command •switchport port-security mac-address sticky command •show port-security interface command •show port-security address command Chapter 5 - New Terms and Commands