Switch management Chapter 6.

Presentation transcript:

Switch management Chapter 6

objectives
Upon completion of this chapter, you should be able to:
- Configure switches
- Configure VLANs
- Verify configuration settings
- Troubleshoot problems

Types of switches
- Unmanaged
  - Plug in and connect devices
  - Nothing to configure
- Managed
  - Configure settings, security, switching modes, etc.

6.1 Switch access

Console Port
- Out-of-band management
- Means direct maintenance access only
- Use when nothing is configured yet
- Use when next to switch
- Need a PC w/ terminal emulation software & console cable
  - Serial port to RJ45
  - USB to Mini-B (newer option)
- Configure a password to this port
- There is a recovery method if you forget the password.

Telnet, ssh, aux
- In-band management
- Browser-based config
- Telnet remote access (plain-text)
- One active interface must be configured
- Secure Shell (SSH) remote access (encrypted)
- Once you connect, you get in with a terminal emulation program. Current Windows versions (Vista & up) do not include one; older Windows had HyperTerminal.
  - PuTTY (Figure 1)
  - Tera Term (Figure 2)
  - SecureCRT (Figure 3)
  - HyperTerminal
  - OS X Terminal

activity

6.1 Using the cli

User & privileged modes USER is what you first see when you boot up.

Global config mode

Getting between modes
  Switch> enable (en)
  Switch# configure terminal (config t)
  Switch(config)# interface xxx (int)
  Switch(config-if)#
  Switch(config)# line xxx
  Switch(config-line)#
  Switch(config-line)# exit (goes back one mode)
  Ctrl+Z or end (goes back to privileged mode)
  Switch# disable (goes back to user mode)
Do all of this in PT. Demo all modes, sh?, cl?, clock set ?, clock set 19:22:00 ?, show ?, description of an interface, ping, and traceroute

example Complete this in Packet Tracer.

Oops…I made a mistake

activity Packet Tracer Lab 2.1.4.6- Navigating the IOS https://static-course-assets.s3.amazonaws.com/ITN51/en/index.html#2.1.4.6 https://static-course-assets.s3.amazonaws.com/ITN51/en/course/files/2.1.4.6%20Packet%20Tracer%20-%20Navigating%20the%20IOS.pka

What we’ll do… Create a two PC network connected via a switch Setting a name for the switch Limiting access to the device configuration Configuring banner messages Saving the configuration

Hostnames
- What are the default hostnames?
- Hostnames allow devices to be identified by network administrators over a network or the Internet.
- What could these switches be named? Sw-Floor1, etc.
Some guidelines for naming conventions are that names should:
- Start with a letter (Capitalization counts)
- Contain no spaces
- End with a letter or digit
- Use only letters, digits, and dashes
- Be less than 64 characters in length

Configure hostname Must be in privileged mode 2.2.1.2 has activity to name a device

Limit access to device
- Put switch in a secure location
- Set passwords & encrypt them
  - Enable password
  - Enable secret password
  - Console password
  - Vty password
  - Encrypt all passwords
On the board, write the 4 types of passwords students will be learning to configure in the PT Activity.
- console password: password to limit device access using the console connection
- enable password: password to limit access to the privileged EXEC mode (after you type enable)
- enable secret password: encrypted password to limit access to the privileged EXEC mode (after you type enable)
- VTY password: password to limit device access using telnet
- Encrypt all passwords: service password-encryption

Password tips
- We’ll use cisco & class
- Use passwords that are more than 8 characters
- Use combination of upper & lowercase letters, numbers, special characters
- Avoid using the same password for all devices
- Avoid using common words such as password or administrator
Explain it is good practice to require different passwords for each of these levels of access. From a security standpoint, requiring only one password is analogous to locking the doors to a house while leaving the windows open. Additionally, remind students to use strong passwords that are not easily guessed. The use of weak or easily guessed passwords continues to be a security issue in many facets of the business world. Ask the class how many of them have passwords that breach these best practices. There likely will be quite a few, which illustrates how common the errors are.
END OF DAY 3

Set passwords
In Packet Tracer, complete:
- Privileged enable password (cisco)
- Privileged enable secret password (class)
- Console password (cisco)
- VTY password (cisco)
- Banner MOTD
- Encrypt all passwords
- Then verify all passwords are encrypted by show run
2.2.2.5 has an activity. MOTD is often used for legal notification because it is displayed to all connected terminals. Have students come up with a proper MOTD warning.
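The "verify by show run" step can be turned into a repeatable check. The script below is an added example, not part of the original slides: it reads the text of a running-config and reports the access-control gaps the slides cover. The sample config is constructed (hash strings are placeholders), and the `transport input ssh` check is an assumption added here to reflect the slides' point that Telnet is plain text.

```python
import re

# Constructed sample of `show running-config` output after the lab steps
# (hash and type 7 strings are placeholders, not real values).
SAMPLE_LAB = """\
service password-encryption
hostname Sw-Floor1
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERHASH
enable password 7 PLACEHOLDER
banner motd #Authorized access only#
line con 0
 password 7 PLACEHOLDER
 login
line vty 0 4
 password 7 PLACEHOLDER
 login
line vty 5 15
 login
"""

def audit(config):
    """Return a list of findings for the password and banner items on the slides."""
    lines = config.splitlines()
    findings = []
    if not any(l.strip() == "service password-encryption" for l in lines):
        findings.append("service password-encryption is not enabled")
    if not any(l.startswith("enable secret ") for l in lines):
        findings.append("no enable secret configured")
    if any(l.startswith("enable password ") for l in lines):
        # Type 7 encoding is reversible; enable secret stores a hash instead.
        findings.append("enable password present; rely on enable secret only")
    if not any(l.startswith("banner motd") for l in lines):
        findings.append("no banner motd configured")
    # Collect the indented sub-commands under each 'line ...' block.
    blocks, current = {}, None
    for l in lines:
        if l.startswith("line "):
            current = l.strip()
            blocks[current] = []
        elif current and l.startswith(" "):
            blocks[current].append(l.strip())
        else:
            current = None
    for name, body in blocks.items():
        if not name.startswith(("line con", "line vty")):
            continue
        pw = [b for b in body if b.startswith("password ")]
        if not pw:
            findings.append(f"{name}: no password set")
        elif not re.match(r"password 7 \S+", pw[0]):
            findings.append(f"{name}: password stored in plain text")
        if not any(b.startswith("login") for b in body):
            findings.append(f"{name}: login not enabled, password is not enforced")
        if name.startswith("line vty") and "transport input ssh" not in body:
            findings.append(f"{name}: Telnet (plain text) not excluded")
    return findings
```

Run `audit()` on the saved output of show run; an empty list means none of these checks fired.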

Configuration files- show & save
Startup Config
- What is saved in NVRAM
- Switch# copy run start (SAVES CONFIG)
- Switch# show startup-config (show start) (SHOWS THE CONFIG)
Running Config
- What is running in RAM
- Make a change= stays in RAM
- Save the config so it goes to NVRAM for next boot/reboot
- Switch# show running-config (show run) (SHOWS CONFIG IN RAM)
In a switch: The startup configuration is removed by using the erase startup-config command. To erase the startup configuration file use erase NVRAM:startup-config or erase startup-config at the privileged EXEC mode prompt:
  Switch#erase startup-config
On a switch you must also issue the delete vlan.dat command in addition to the erase startup-config command in order to return the device to its default "out-of-the-box" configuration (comparable to a factory reset):
  Switch#delete vlan.dat
  Delete filename [vlan.dat]?
  Delete flash:vlan.dat? [confirm]

Erasing the config file
In order to return the device to its default "out-of-the-box" configuration (comparable to a factory reset):
  Switch#delete vlan.dat
  Delete filename [vlan.dat]?
  Delete flash:vlan.dat? [confirm]
  Switch#erase startup-config

lab 2.2.3.4 Configuring a Switch You will perform basic switch configurations. You will secure access to the command-line interface (CLI) and console ports using encrypted and plain text passwords. You will also learn how to configure messages for users logging into the switch. These banners are also used to warn unauthorized users that access is prohibited. https://static-course-assets.s3.amazonaws.com/ITN51/en/index.html#2.2.3.4 https://static-course-assets.s3.amazonaws.com/ITN51/en/course/files/2.2.3.4%20Packet%20Tracer%20-%20Configuring%20Initial%20Switch%20Settings.pka

activity TestOut 6.1.7- Modify System Passwords TestOut 6.1.10- Practice Questions (5)

Review- 2q
- What mode do you need to be in to make configuration changes? Privileged
- If you erase the startup-config, what else will you need to do in order to return the device to factory default? Reload
Write the definitions listed in bold below on the board and then ask the students to name the command.
- show running-config (definition: shows the config file in RAM. This file will be immediately changed if you make any changes to the router).
- show startup-config (definition: this file is in NVRAM and will become the running-config in the event of a power cycle).
- copy running-config startup-config (definition: this copies the current configuration in RAM to NVRAM)
- reload (definition: this will cause the device to reload the startup-config into RAM)
- copy startup-config running-config (definition: this copies the configuration in NVRAM to RAM)
- erase startup-config (definition: will cause the startup config to be erased).

6.2 Switch ip configuration

Configure switch address Virtual interface Allows remote access Configure switch IP and default gateway Activity on 2.3.2.4 Complete this on PT

LAB/activity
2.3.2.5- Basic Switch Configuration: You will implement basic connectivity by configuring IP addressing on switches and PCs. You will use various show commands to verify configurations and use the ping command to verify basic connectivity between devices.
- TestOut 6.2.3 LAB- Configure Management VLAN Settings
- TestOut 6.2.4 LAB- Configure Switch IP Settings
- TestOut 6.2.5- Practice Questions (3)
https://static-course-assets.s3.amazonaws.com/ITN51/en/course/files/2.3.2.5%20Packet%20Tracer%20-%20Implementing%20Basic%20Connectivity.pdf
https://static-course-assets.s3.amazonaws.com/ITN51/en/course/files/2.3.2.5%20Packet%20Tracer%20-%20Implementing%20Basic%20Connectivity.pka

6.3 Switch interface configuration

Review of how a switch works
- What layer of the OSI model do switches work at? 2
- What kind of address do switches read? MAC
- How do switches learn about MAC addresses? READ INCOMING FRAMES
- When reading the incoming frame, what address does it learn about? SOURCE MAC
- What kind of table is kept in a switch & what is it in? MAC ADDRESS TABLE; MAC & PORT
  NOTE: begin calling the table CAM (Content Addressable Memory)
- The destination MAC is not in the table, so what happens? FLOODS IT OUT ALL PORTS EXCEPT THE ONE IT CAME IN ON
- After everyone communicates, the table will be complete.

Show version
Switch Interfaces
- Software version - IOS software version (stored in flash)
- Bootstrap version - Bootstrap version (stored in Boot ROM)
- System up-time - Time since last reboot
- System restart info - Method of restart (e.g., power cycle, crash)
- Software image name - IOS filename stored in flash
- Router type and processor type - Model number and processor type
- Memory type and allocation (shared/main) - Main Processor RAM and Shared Packet I/O buffering
- Software features - Supported protocols/feature sets
- Hardware interfaces - Interfaces available on the device
- Configuration register - Sets bootup specifications, console speed setting, and related parameters

Show ip int brief All ports are automatically down until you plug something in. Then they will go up because this Cisco switch is made to work out of the box without configuration. We will do some configuring of the interfaces, including speed and duplex.

activity

Interface configuration
- Speed & duplex settings are auto, by default
- Full duplex, Half duplex, Auto
- Must match setting of device
- Half duplex uses CSMA/CD to avoid collisions
Animation 1: autonegotiate 2: mismatch 3: commands for speed and duplex 4: command for range of ports to do speed and duplex

Shut down ports If nothing will connect to a port, shut it down GOOD SECURITY MEASURE

activity TestOut 6.3.7- Configure Switch Ports TestOut 6.3.8- Practice Questions (4)

6.4 Virtual lans

Vlan overview
- Normally a switch is in one broadcast domain
- VLAN splits layer 2 switch into multiple broadcast domains (own networks)
- Isolates traffic to only their own VLAN
By default a layer 2 switch is in one broadcast domain, VLAN 1. Isolate traffic because they are working on private stuff. They can’t even see/talk to each other in this scenario.
Picture 1: Single VLAN
Animation 1: Multiple VLANs using different subnets

Configure vlans 1st: Create the VLANs 2nd: Assign interfaces to VLANs

View vlans
  Switch#show vlan
All ports are members of VLAN 1 by default

Other vlan commands Show vlan brief Delete a vlan

lab
Make this lab. Configure the switch.
- VLAN 1 addresses: 192.168.1.2 & 3/24
- VLAN 2 addresses: 200.1.1.2 & 3/24
- Switch IP: 192.168.1.1
- Set up passwords
- Try and ping between the two VLANs. It won’t work.

activity TestOut 6.4.5- Create VLAN Lab TestOut 6.4.6- Explore VLANs Lab TestOut 6.4.7- Practice Questions (11) Packet Tracer VLAN Lab

vlans In order to pass data between VLANs, you need a router or layer 3 switch. (The only way to send data between two different networks) A VLAN ID is added to the frames. Picture 1: Two different networks/VLANs. Animation 2: Inter-VLAN routing.

6.5 trunking

Access ports By default, all ports are access ports Usually connect to an end device (PC, printer, server, etc.) Can only be assigned to 1 VLAN

Trunk ports Can be assigned to multiple VLANs Allows same VLANs to talk between switches The Frame is tagged with the VLAN ID to go over that trunk.

vtp
- VLAN Trunking Protocol
- Allows VLAN configuration to be shared to the other switches for easier config changes
- IEEE 802.1Q encapsulation
- Server Mode: config the VLAN & it advertises it to client switches
- Client Mode: receives config from server mode switch and passes to switches it’s connected to
- Transparent Mode: you can make changes on this switch; it doesn’t accept or pass the VLAN config info

Configure trunking
- Connection is currently in trunk mode. All VLAN frames will be sent across.
- Connection is currently in default VLAN1. VLAN10 frames will NOT be sent across.
Animation 1: Configure the port for trunk 2: Change to trunk mode (arrow) 3: show interface trunk

review Create the VLANs and name them Assign interfaces to VLANs Connect switches & change mode to trunk You can now connect (ping) to devices in the same VLAN on the other switch

activity TestOut 6.5.5- Configure Trunking Lab TestOut 6.5.9- Practice Questions (5)

6.6 Spanning tree protocol

Switching loops Could happen with redundant links between switches Can take the network down!

STP
- Enabled by default
- Each switch has a Bridge ID (BID)
  - Will identify which switch is the BOSS!
- Bridge ID shared when switches turn on
  - Sends BPDU with the ID
- They then elect a ROOT BRIDGE (the boss)
  - Lowest #
- On other switches:
  - They look for shortest path to the Root Bridge
  - They disable all other paths to prevent the loop
- BID is: 2-byte priority number and the switch’s MAC address
- All switches have the same priority number by default
  - Switch with the LOWEST MAC address will be the Root Bridge (the boss)
- Newest version is Rapid Spanning Tree Protocol (RSTP)

Stp switchport states A switch port on a redundant link goes through & remains in one of these modes: Blocking Listening Learning Forwarding Disabled

Configure stp Switch#show spanning-tree Notice the Priority #. By default, this is the same on all switches. If you don’t change it, it will then go by the lowest MAC address. The Root ID info should match on all switches as it is showing you who the root is.
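The election and loop-breaking rules above can be traced on a small topology. The following is an added example, not taken from the slides: it goes slightly beyond them by also computing which end of the redundant link blocks. The switch names, MAC addresses (documentation range), link cost of 19 and the lowered priority of 4096 are all constructed, and it assumes a connected network with one link per switch pair.

```python
import heapq

def bid(priority, mac):
    """Bridge ID as a comparable tuple: priority first, then the MAC as an integer."""
    return (priority, int(mac.replace(":", ""), 16))

def spanning_tree(switches, links):
    """switches: {name: (priority, mac)}; links: [(a, b, cost)], one link per pair.
    Returns (root, blocked); blocked lists (switch, neighbour) port ends that block."""
    bids = {n: bid(*v) for n, v in switches.items()}
    root = min(bids, key=bids.get)              # lowest BID wins the election
    adj = {n: [] for n in switches}
    for a, b, c in links:
        adj[a].append((b, c))
        adj[b].append((a, c))
    # Dijkstra: lowest path cost from every switch to the root bridge
    cost, heap = {root: 0}, [(0, root)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > cost[n]:
            continue
        for m, c in adj[n]:
            if d + c < cost.get(m, float("inf")):
                cost[m] = d + c
                heapq.heappush(heap, (d + c, m))
    # Root port: neighbour offering the lowest total cost, tie broken by its BID
    root_port = {n: min(adj[n], key=lambda mc: (cost[mc[0]] + mc[1], bids[mc[0]]))[0]
                 for n in switches if n != root}
    blocked = []
    for a, b, _ in links:
        if root_port.get(a) == b or root_port.get(b) == a:
            continue                            # link is on the tree: both ends forward
        # Redundant link: the end farther from the root (then higher BID) blocks
        loser, other = sorted((a, b), key=lambda n: (cost[n], bids[n]), reverse=True)
        blocked.append((loser, other))
    return root, blocked

# Constructed lab: three switches in a triangle, all at default priority 32768.
LINKS = [("Core", "Access1", 19), ("Core", "Old", 19), ("Access1", "Old", 19)]
DEFAULTS = {"Core": (32768, "00:00:5e:00:53:a0"),
            "Access1": (32768, "00:00:5e:00:53:b0"),
            "Old": (32768, "00:00:5e:00:53:01")}
# Same network after lowering the priority on the switch that should be root
TUNED = dict(DEFAULTS, Core=(4096, "00:00:5e:00:53:a0"))

if __name__ == "__main__":
    print(spanning_tree(DEFAULTS, LINKS))
    print(spanning_tree(TUNED, LINKS))
```

With default priorities the switch with the lowest MAC ("Old") becomes root regardless of its role in the network; setting the priority explicitly on the intended root removes that dependence on MAC addresses.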

activity TestOut 6.6.2- Configuring STP Video TestOut 6.6.3- Selecting a Root Bridge Video TestOut 6.6.7- Find STP Info LAB

6.7 Switch troubleshooting

problems
- Mismatched duplex settings
  - Could SLOW DOWN transmissions
- Mismatched speed settings
  - Can only operate at slowest speed
- BOTH SHOULD BE SET TO AUTO
- If it’s still slow, it could be poor wiring (crosstalk)
- Switching Loops
- Misconfigured VLAN assignments

activity TestOut 6.7.3- Practice Questions (13)

Review & study Complete the study guide handout Complete TestOut Practice in Packet Tracer Jeopardy review
