Switching Basics and Intermediate Routing CCNA 3 Chapter 6
Catalyst Switch Configuration Introduction Switches are Layer 2 devices that serve as concentration points for the connection of workstations, servers, routers, hubs, and other switches Switches are multiport bridges that utilize a star topology Switches provide dedicated, point-to-point virtual circuits that make collisions unlikely New switches are configured with factory defaults but normally need changes Switches can be configured from a command-line interface (CLI) or from a web-based interface
Catalyst Switch Configuration Introduction Network engineers must be familiar with these switch configuration tasks: –Maintenance of the switch –Cisco IOS upgrades –Management of interfaces and switching tables –Password recovery
Starting the Switch Physical Startup of the Catalyst Switch Most Catalyst switches have no power switch! –Simply plug in to start Before starting the switch, verify the following: –All network cables are secure –A terminal is connected to the console port –A console terminal application, such as HyperTerminal, is selected
Starting the Switch Physical Startup of the Catalyst Switch Steps in starting a switch (continued) –Attach the power cord to the switch –Observe the boot sequence Look at the LEDs on the switch Observe the Cisco IOS software output text on the console
Starting the Switch Switch Port Types Switches in the Catalyst 2950 series have these characteristics: –12-port, 24-port, or 48-port –All ports are FastEthernet –Optional uplink slots for copper or fiber Gigabit Interface Converter (GBIC) modules Asymmetrical switching Switches such as the Catalyst 3750 now include small-form-factor pluggable (SFP) slots, which are smaller than GBIC slots
Starting the Switch Switch Port Types Catalyst 2950 Switches Are Used at the Access Layer
Starting the Switch Switch Port Types Four Slots on the Right of These Catalyst 3750 Switches are SFP Slots
Starting the Switch Switch LED Indicators The following LEDs are seen on the front of a Catalyst 2950 switch: –System LED Tells whether the system is receiving power and functioning properly –Redundant Power Supply (RPS) LED Indicates whether a redundant power supply is in use –Port Mode LEDs –Port Status LEDs
Starting the Switch Switch LED Indicators Catalyst 2950 Switches Have Four Types of LEDs
Starting the Switch Switch LED Indicators System LED and RPS LED
Starting the Switch Switch LED Indicators After the power cable is connected, the switch initiates a series of tests called the power-on self-test (POST) –Runs automatically to verify that the switch functions correctly –System LED indicates the status of the POST System LED off but switch is plugged in: the POST is running System LED is green: POST successful System LED is amber: POST failed (fatal error)
Starting the Switch Switch LED Indicators Port Mode LEDs indicate the state of the Mode button –Press the Mode button repeatedly until the desired mode is selected Port Status LEDs indicate various port states –Depends on the value of the Port Mode LEDs
Starting the Switch Switch LED Indicators Catalyst 2950 Port Status LED Display Modes
Starting the Switch Viewing Initial Bootup Output from the Switch Connect a computer’s COM port to a switch’s console port using a rollover cable Console Connection to the Switch Is the Most Common Configuration Method
Starting the Switch Viewing Initial Bootup Output from the Switch Start HyperTerminal on the computer –Choose the Serial Port
Starting the Switch Viewing Initial Bootup Output from the Switch Name the connection After selecting the COM port, click the OK button –Set up the parameters as seen in this figure (the Catalyst console default is 9600 bps, 8 data bits, no parity, 1 stop bit, no flow control)
Starting the Switch Viewing Initial Bootup Output from the Switch Plug the switch into the wall outlet Initial bootup output should be displayed on the HyperTerminal screen –Contains details about POST status and switch hardware –After POST status a prompt to enter initial configuration will appear Can configure manually or with a System Configuration dialog
Starting the Switch Viewing Initial Bootup Output from the Switch Hardware Platform and Flash Information Displayed During Bootup
Starting the Switch Using the System Configuration Dialog Using the System Configuration Dialog
Starting the Switch Using the System Configuration Dialog Option to Use Config Generated by Setup
Starting the Switch Logging on with the Switch CLI and Using the Help Facility The Cisco IOS software provides a CLI called the EXEC –Interprets commands that are entered and carries out corresponding operations Two levels of access to the EXEC: –User mode: tasks indicating switch status Indicated by the > prompt –Privileged mode: ability to change the configuration of the switch Indicated by the # prompt
Starting the Switch Logging on with the Switch CLI and Using the Help Facility To change from user EXEC mode to privileged EXEC mode, use the enable command –Switch will prompt for the enable password if one is configured Password is not shown on screen as you type If the switch is configured over a network via a modem or Telnet, the password crosses the network in clear text and can be captured by anyone on the path; prefer SSH where the IOS image supports it, and restrict the VTY lines to management addresses
Starting the Switch Logging on with the Switch CLI and Using the Help Facility Privileged EXEC mode includes all commands from user EXEC mode, plus all the configuration commands –The configure command allows access to other command modes Several types of command-line help: –Context-sensitive help: a list of commands and arguments associated with a specific command –Console error messages: problems with commands that are entered incorrectly –Command history buffer: recall of long or complex commands to be altered or corrected
Starting the Switch Logging on with the Switch CLI and Using the Help Facility The question mark (?) can be used to get help –Two types of context-sensitive help with the ? command: Word help: Enter the ? command to get word help for a list of commands that begin with a particular character sequence; do not use a space before the question mark Command syntax help: Enter the ? command to see how to complete a command; enter a question mark in place of a keyword or argument; use a space before the question mark
Configuring the Switch Catalyst Switch Default Configuration Catalyst 2950 switches come with this default configuration: –IP address: None (no management address is set) –CDP: Enabled –100BASE-T port: Autonegotiate duplex mode –Spanning tree: Enabled –Console password: None –Hostname: Switch –No passwords set on virtual terminal (VTY) lines With no passwords on the console or VTY lines, anyone who reaches the switch has full control; setting them is the first configuration task
Configuring the Switch Catalyst Switch Default Configuration The show running-config command displays the active configuration on the switch –Requires privileged EXEC mode access Default Output for show running-config Command:
Configuring the Switch Catalyst Switch Default Configuration The show interface f0/2 command displays information about interface FastEthernet 0/2 –Switch trunks and switch ports are both considered interfaces –Output varies, depending on the network for which you have configured an interface
Configuring the Switch Catalyst Switch Default Configuration Default f0/2 Settings
Configuring the Switch Catalyst Switch Default Configuration Nondefault f0/1 Settings
Configuring the Switch Catalyst Switch Default Configuration Fields in the show interface f0/1 Output of Previous Slide
Configuring the Switch Catalyst Switch Default Configuration VLAN membership is displayed using the show vlan command In default configuration, all ports are in VLAN 1 –VLAN 1 is the default management VLAN The flash directory has a file that contains the IOS image, a file called env_vars, and a subdirectory called html After switch configuration, two more files are added to the flash directory: config.txt and a VLAN database
Configuring the Switch Catalyst Switch Default Configuration Default Port VLAN Membership
Configuring the Switch Catalyst Switch Default Configuration Output of show flash
Configuring the Switch Catalyst Switch Default Configuration Verify IOS version and configuration register settings with the show version command
Configuring the Switch Catalyst Switch Default Configuration Fields in the show version Output From Previous Slide
Configuring the Switch Basic Catalyst Switch Configuration Returning the Switch to Its Default Configuration: –Delete the VLAN database file, vlan.dat from the flash directory –Erase the backup configuration file, startup-config –Restart the switch with the reload command
Configuring the Switch Basic Catalyst Switch Configuration One of the first tasks in configuring a switch is to name it –Allows you to better manage the network by uniquely identifying each switch –The name of the switch is considered its hostname –The name is displayed at the system prompt –The switch name is assigned in global configuration mode
Configuring the Switch Basic Catalyst Switch Configuration Configuring the Hostname and Line Passwords
Configuring the Switch Basic Catalyst Switch Configuration Assign an IP address to the switch –Makes it possible to connect remotely using Telnet or a web browser VLAN 1 is assigned an IP address –Use the no shutdown command to make the Switch Virtual Interface (SVI), VLAN 1, operational Required if using Simple Network Management Protocol (SNMP) to manage the switch Assign a default gateway to the switch using the ip default-gateway command –Allows access to other networks
Configuring the Switch Basic Catalyst Switch Configuration Configuring the Switch for Management
Configuring the Switch Basic Catalyst Switch Configuration By default, VLAN 1 is the management VLAN –Use it to manage all the network devices on a network –All ports belong to VLAN 1 –Remove access ports from VLAN 1 and place them in another VLAN Allows for VLAN management while keeping traffic from network hosts off the management VLAN –Use the no ip address configuration command to remove an IP address for VLAN 1 or to disable IP processing
Configuring the Switch Basic Catalyst Switch Configuration FastEthernet switch ports default to auto-speed and auto-duplex –Allows the interfaces to negotiate these settings –Can be manually configured A web browser can be used to configure the switch if the switch has an HTTP server running on port 80 –Plain HTTP carries the login credentials in clear text; leave the HTTP server disabled unless it is needed, and restrict it to management addresses if it is enabled
Configuring the Switch Basic Catalyst Switch Configuration Configuring HTTP Support
Configuring the Switch Basic Catalyst Switch Configuration The Cisco Virtual Switch Manager (CVSM) is a web-based graphical user interface (GUI) used to configure and monitor many Cisco switches such as the Catalyst 2950 –When the GUI is initialized by opening a browser with the switch’s URL, an applet is downloaded from the switch to the browser Another GUI, Cisco Network Assistant (CNA), is also available, as is Cluster Management Suite (CMS) Special IOS images that include an additional HTML package are required to make CVSM and CNA work with switches
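The following is an added example, not a figure from the original slides, showing the initial management configuration described on the preceding slides (hostname, line passwords, management SVI, default gateway, web access) with the hardening a practitioner would apply at the same time. The hostname, addresses, password placeholders and the assumption that a crypto (k9) IOS image is installed for SSH are illustrative; the management address is placed on VLAN 1 only because that is the default the slides use.

```cisco
! Added example: first-time management configuration of a Catalyst 2950.
! Hostname, 192.0.2.0/24 addresses and <...> secrets are placeholders.
Switch> enable
Switch# configure terminal
Switch(config)# hostname Access1
! enable secret is stored as an MD5 hash; "enable password" is reversible and should not be used
Access1(config)# enable secret <strong-enable-secret>
! Line passwords are otherwise shown in clear text by show running-config
Access1(config)# service password-encryption
Access1(config)# line console 0
Access1(config-line)# password <console-password>
Access1(config-line)# login
Access1(config-line)# exec-timeout 5 0
Access1(config-line)# exit
! Management SVI and default gateway (slides put the address on VLAN 1)
Access1(config)# interface vlan 1
Access1(config-if)# ip address 192.0.2.10 255.255.255.0
Access1(config-if)# no shutdown
Access1(config-if)# exit
Access1(config)# ip default-gateway 192.0.2.1
! Only the management subnet may open a VTY session at all
Access1(config)# access-list 10 permit 192.0.2.0 0.0.0.255
Access1(config)# line vty 0 15
Access1(config-line)# access-class 10 in
Access1(config-line)# password <vty-password>
Access1(config-line)# login
Access1(config-line)# exec-timeout 5 0
Access1(config-line)# exit
! SSH in place of Telnet: assumes a crypto-capable image. If "username ... secret"
! is not accepted on your release, use "username ... password" instead.
Access1(config)# ip domain-name example.net
Access1(config)# crypto key generate rsa general-keys modulus 1024
Access1(config)# username admin secret <admin-password>
Access1(config)# line vty 0 15
Access1(config-line)# login local
Access1(config-line)# transport input ssh
Access1(config-line)# exit
! Weak setting (cleartext web management) would be:  ip http server
! Corrected: keep it off unless the GUI is actually required
Access1(config)# no ip http server
Access1(config)# end
Access1# copy running-config startup-config
```

After this, Telnet to 192.0.2.10 is refused and only SSH from the management subnet reaches the VTY lines. The service password-encryption command only obscures line passwords (type 7, trivially reversible), so it protects against shoulder surfing, not against anyone who obtains the configuration file.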
Configuring the Switch Duplex and Speed Configuration Half-duplex transmission mode implements CSMA/CD –Traditional shared LAN operates in half-duplex mode and is susceptible to collisions Full-duplex significantly improves network performance without installing new cabling –Can use point-to-point Ethernet, FastEthernet, and Gigabit Ethernet connections –Collision-free connections
Configuring the Switch Duplex and Speed Configuration Full-duplex connections are point-to-point between switches and nodes but not between shared hubs –Most NICs sold today offer full-duplex capability –In full-duplex mode, the collision detection circuit is disabled –Nodes that attach to hubs share their connection to a switch port and must operate in half-duplex mode
Configuring the Switch Duplex and Speed Configuration Standard shared Ethernet uses 50 to 60% of the 10-Mbps bandwidth (5 to 6 Mbps) Full-duplex offers 100% of bandwidth in both directions (10-Mbps transmit and 10-Mbps receive for a total of 20 Mbps)
Configuring the Switch Duplex and Speed Configuration Operation of half-duplex versus full-duplex: –Half-duplex relies on CSMA/CD –Half-duplex supports data flow in only one direction at a time –Half-duplex has a higher potential for collisions –Half-duplex involves the use of hubs
Configuring the Switch Duplex and Speed Configuration Operation of half-duplex versus full-duplex (continued): –Full-duplex is point-to-point –Full-duplex requires full-duplex support on both ends –Full-duplex is collision free –Full-duplex has the collision detection circuit disabled
Configuring the Switch Duplex and Speed Configuration Use the duplex {auto | full | half} interface configuration command to specify the duplex mode of switch ports –Set autonegotiation of duplex mode: auto –Set full-duplex mode: full –Set half-duplex mode: half –For FastEthernet and 10/100/1000 ports, the default is auto –For 100BASE-FX, the default is full
Configuring the Switch Duplex and Speed Configuration Use the show interfaces command to verify duplex settings Autonegotiation can cause problems –Sometimes an attached device does not autonegotiate and has been hard-set to full duplex; the switch port then falls back to half duplex, producing a duplex mismatch It is then necessary to manually configure the duplex mode on the switch port to match Check for FCS, CRC and late-collision errors with the show interfaces command; rising counters on an otherwise healthy link are the usual sign of a mismatch –It is critical that the setting on the switch is compatible with the setting on the NIC
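The commands below are an added example, not from the original slides, showing how to pin speed and duplex on a port whose attached device does not autonegotiate and how to check for the symptoms of a mismatch. The interface, description and counter names are as on a Catalyst 2950; the scenario (a server NIC hard-set to 100/full) is assumed.

```cisco
! Added example: match a server NIC that is hard-set to 100 Mbps full duplex.
! Set speed before duplex: once speed is forced, autonegotiation of duplex is off too.
Access1# configure terminal
Access1(config)# interface fastethernet 0/1
Access1(config-if)# description Server NIC hard-set 100/full (no autoneg)
Access1(config-if)# speed 100
Access1(config-if)# duplex full
Access1(config-if)# end
! Verify the negotiated/forced values: look for "Full-duplex, 100Mb/s"
Access1# show interfaces fastethernet 0/1 | include duplex
! Baseline the error counters, wait, then re-read them.
! Mismatch symptoms: late collisions on the half-duplex side,
! CRC/FCS errors and runts on the full-duplex side.
Access1# clear counters fastethernet 0/1
Access1# show interfaces fastethernet 0/1 | include errors|collisions|runts
! Compact per-port view of status, speed and duplex for the whole switch
Access1# show interfaces status
```

To return the port to the default, use duplex auto and speed auto in interface configuration mode; both sides must then autonegotiate, or the mismatch comes back.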
Configuring the Switch Managing the MAC Address Table Switches use MAC address tables to forward traffic between ports –The tables include dynamic, permanent and static addresses Dynamic addresses: source MAC addresses that the switch learns and then drops when they are not refreshed and time out –Learned by examining the source MAC address of each frame received on each port –MAC address and port number are added to the MAC address table
Configuring the Switch Managing the MAC Address Table –The tables include dynamic, permanent and static addresses (continued) Permanent addresses: assigned by an administrator to a port –Reasons for assigning permanent addresses: »MAC address will not age out »Must attach a server or user workstation to a specific port and you know the MAC address »Enhanced security
Configuring the Switch Managing the MAC Address Table Maximum size of MAC address table varies with different switches –Catalyst 2950: 8192 MAC addresses When the table is full, traffic for new MAC addresses is flooded out all ports in the VLAN –An attacker can fill the table deliberately with forged source addresses to turn the switch into a hub and sniff traffic; limiting the number of addresses per port with port security prevents this The show mac-address-table command, entered in privileged EXEC mode, displays the MAC addresses a switch has learned The clear mac-address-table command purges dynamically learned entries
Configuring the Switch Managing the MAC Address Table Viewing the MAC Address Table
Configuring the Switch Managing the MAC Address Table Clearing Dynamic Entries in the MAC Address Table
Configuring the Switch Managing the MAC Address Table The global configuration mode command: mac address-table static mac-addr vlan vlan-id interface interface-id can be used to configure a static MAC address for a switch
Configuring the Switch Managing the MAC Address Table Statically Configuring a Port-to-MAC Mapping
Configuring the Switch Configuring Port Security Port security features can be used to restrict input on an interface –Limit and identify the MAC addresses of the stations allowed to access the port –Switch will not forward frames with source MAC addresses that are outside the group of defined addresses –Use the switchport port-security interface command without keywords to enable port security on an interface
Configuring the Switch Configuring Port Security Port security features can be used to restrict input on an interface (continued) –Use the switchport port-security interface command with keywords to configure a secure MAC address, maximum number of secure MAC addresses, or the violation mode –Use the no form of this command to disable port security or set the parameters to their default state
Configuring the Switch Configuring Port Security Port Security Options Full syntax for switchport port-security interface mode command: switchport port-security [mac-address mac-address] | [mac-address sticky [mac-address]] | [maximum value] | [violation {protect | restrict | shutdown}]
Configuring the Switch Configuring Port Security A port must be in access mode to enable port security, and port security is disabled by default Methods by which secure addresses can be added to the table after the maximum number of allowed MAC addresses is set: –Manually configure all the addresses –Allow the port to dynamically configure all the addresses –Configure some MAC addresses and allow the rest to be dynamically learned
Configuring the Switch Configuring Port Security An interface can be configured to convert dynamic MAC addresses to sticky secure MAC addresses and add them to the running configuration by enabling sticky learning: –Enter the switchport port-security mac-address sticky interface configuration command Converts all dynamically learned addresses to sticky secure addresses
Configuring the Switch Configuring Port Security Sticky MAC addresses do not automatically become part of the configuration file –Must save the configuration file or the addresses will have to be learned the next time the switch is restarted –Disabling sticky learning converts the sticky secure MAC addresses to dynamic secure addresses and they are removed from the configuration file –A secure port can have from 1 to 132 associated secure addresses; no more than 1024 on the switch total
Configuring the Switch Configuring Port Security Security violation situations: –Maximum number of secure MAC addresses has been added to the address table, and a station whose MAC address is not in the table attempts to access the interface –An address learned or configured on one secure interface is seen on another secure interface in the same VLAN
Configuring the Switch Configuring Port Security Port Security Keyword Options
Configuring the Switch Configuring Port Security An address violation occurs when: –A secured port receives an address that has been assigned to another secured port –A port tries to learn an address that exceeds its address table size limit Set with the switchport port-security maximum command
Configuring the Switch Configuring Port Security Configuring Port Security
Configuring the Switch Configuring Port Security show port-security Keyword Options
Configuring the Switch Configuring Port Security Use the show port-security address command to display secure MAC addresses for all ports Use the show port-security command without keywords to display the port security settings for the switch Use show port-security interface interface-id to see one port’s status, violation mode, counts, and the last source address seen, which is what identifies the offending station after a violation Verifying Port Security
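This is an added example, not one of the original slides’ figures, covering the static MAC entry from the Managing the MAC Address Table slides and the port-security configuration and verification from this section in one configuration. Interface numbers, MAC addresses and the two scenarios (a single workstation, and an IP phone plus a PC) are assumed for illustration.

```cisco
! Added example: static MAC mapping, two port-security profiles, auto-recovery, verification.
! MAC addresses and interfaces are placeholders.
Access1# configure terminal
! Static MAC-to-port entry (never ages out); syntax from the slides:
!   mac address-table static mac-addr vlan vlan-id interface interface-id
Access1(config)# mac address-table static 0000.0c12.3456 vlan 1 interface fastethernet 0/2

! Profile 1: single workstation. One sticky address; any other source MAC
! err-disables the port (violation shutdown), which is the loudest, safest default.
Access1(config)# interface fastethernet 0/3
Access1(config-if)# switchport mode access
Access1(config-if)# switchport port-security
Access1(config-if)# switchport port-security maximum 1
Access1(config-if)# switchport port-security mac-address sticky
Access1(config-if)# switchport port-security violation shutdown
Access1(config-if)# exit

! Profile 2: IP phone plus PC. Two addresses, the phone's pre-configured, the PC's
! learned sticky. Violation restrict drops offending frames and raises the
! violation counter (and an SNMP trap) but keeps the phone working.
Access1(config)# interface fastethernet 0/4
Access1(config-if)# switchport mode access
Access1(config-if)# switchport port-security
Access1(config-if)# switchport port-security maximum 2
Access1(config-if)# switchport port-security mac-address 0000.0c12.aaaa
Access1(config-if)# switchport port-security mac-address sticky
Access1(config-if)# switchport port-security violation restrict
Access1(config-if)# exit

! Without this, a shutdown violation needs a manual shutdown / no shutdown to clear.
Access1(config)# errdisable recovery cause psecure-violation
Access1(config)# errdisable recovery interval 300
Access1(config)# end

! Verification
Access1# show port-security
Access1# show port-security interface fastethernet 0/3
Access1# show port-security address
Access1# show mac-address-table

! Sticky entries live only in running-config until saved; after a reload they
! would otherwise have to be relearned, and an intruder's MAC could be the first learned.
Access1# copy running-config startup-config
```

Choosing restrict over shutdown trades a visible, self-documenting outage for availability; for user ports shutdown with errdisable recovery is usually the better balance, because the recovery timer keeps the port cycling (and logging) while the offending device is connected.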
Configuring the Switch Executing Adds, Moves, and Changes To add a new MAC address on an access switch that connects a workstation to the network: –Configure port security –Configure the MAC address to the port allocated for the new interface so that the first MAC address on the port is the only address permitted To delete a MAC address on an access switch that connects a workstation to the network, remove the MAC address restrictions from the port
Configuring the Switch Executing Adds, Moves, and Changes To move a MAC address from one access switch to another: –Add the MAC address to the new physical port –On the new access switch, configure port security –On the new access switch, configure the MAC address to the port allocated for the new user –When all security is in place in the new location, shut down the old port and remove any MAC restrictions; remove any old access lists from the original access switch
Configuring the Switch Executing Adds, Moves, and Changes If an Ethernet NIC fails, installing a new NIC changes the MAC address of the workstation –With port security, the new NIC doesn’t have connectivity because of the now-incorrect MAC address –Remove the old MAC address from the security on the port and add the new MAC address
Configuring the Switch Executing Adds, Moves, and Changes To add a new switch to a network: –Configure the switch name, IP address, and default gateway –Configure administrative access for console, auxiliary, and VTY interfaces as appropriate –Configure security for the device (user EXEC and privileged EXEC levels) –Configure access switch ports as necessary –To ensure the switch does not become root of the spanning tree, increase the priority value (a higher numeric bridge priority makes the switch less preferred as root)
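The following is an added example, not from the original slides, of the three change procedures described above on a port that uses sticky port security: replacing a failed NIC, releasing a port after a user moves, and keeping a newly added access switch from becoming the spanning-tree root. Interface numbers, the old and new MAC addresses, and the VLAN are assumed.

```cisco
! Added example: NIC replacement, user move, and STP priority on a new access switch.
! MAC addresses, interfaces and VLAN are placeholders.

! 1. NIC failed on the workstation behind f0/3. The new NIC's address violated the
!    sticky entry and the port is err-disabled. Confirm before changing anything:
!    Port Status should read Secure-shutdown and Last Source Address shows the new NIC.
Access1# show port-security interface fastethernet 0/3
Access1# configure terminal
Access1(config)# interface fastethernet 0/3
! Remove the old sticky address and either add the new one or let it be relearned.
Access1(config-if)# no switchport port-security mac-address sticky 0000.0c12.3456
Access1(config-if)# switchport port-security mac-address sticky 0000.0c12.7890
! Clear the err-disabled state (not needed if errdisable recovery is configured).
Access1(config-if)# shutdown
Access1(config-if)# no shutdown
Access1(config-if)# exit

! 2. User moved to another switch: once the new port is secured, release the old one
!    so the stale sticky entry cannot be reused and the port is not left live.
Access1(config)# interface fastethernet 0/5
Access1(config-if)# no switchport port-security
Access1(config-if)# shutdown
Access1(config-if)# exit

! 3. New access switch must not win the root election: raise its bridge priority
!    for each VLAN it carries (61440 is the highest configurable value, i.e. least preferred).
Access1(config)# spanning-tree vlan 1 priority 61440
Access1(config)# end
Access1# show spanning-tree vlan 1
Access1# copy running-config startup-config
```

Check show spanning-tree afterwards: the Root ID should still be the distribution-layer switch, and the new switch’s Bridge ID should show the raised priority.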
Configuring the Switch Managing Switch Configuration Files The switch configuration file is erased with the erase startup-config privileged EXEC command –Clears non-volatile RAM (NVRAM): RAM that retains its memory when powered off Back up the most current configuration file on a server or disc –Essential for documentation –On Catalyst 2950 use the copy nvram:startup-config tftp command to upload the configuration file to a TFTP server
Configuring the Switch Managing Switch Configuration Files Steps to upload a configuration file from a switch to a TFTP server: –Verify the TFTP server is accessible (ping it) and properly configured –Log in to the switch through a console port or Telnet session –Upload the switch configuration to the TFTP server, using the IP address or hostname of the TFTP server and the destination filename Use one of these commands: copy system:running-config tftp:[[[//location]/directory]/filename] copy nvram:startup-config tftp:[[[//location]/directory]/filename]
Configuring the Switch Managing Switch Configuration Files Saving Configuration Files
Configuring the Switch Password Recovery For security and management purposes, passwords must be set on console and VTY lines –Assures only authorized access Sometimes you have physical access to a switch but don’t know the password –Follow the password recovery procedures such as: 28/prod_password_recoveries_list.html –The same procedure works for anyone else with physical access and a console cable, so line passwords protect only against network access; wiring closets must be locked
Configuring the Switch Upgrading the Cisco IOS Image IOS images are replaced because: –Bugs are fixed –New features are made available –Performance improvements are made If the network can be made more secure or to operate more efficiently, upgrade the IOS To upgrade, log on to cisco.com and download a copy of the new image to your local TFTP server –Record the MD5 checksum published with the image and verify the copy in flash against it before booting from it; TFTP has no authentication or integrity protection of its own
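The following is an added example, not from the original slides, that ties together the file-management procedures from this chapter: backing up the configuration and VLAN database to a TFTP server (Managing Switch Configuration Files), returning the switch to its factory defaults (Basic Catalyst Switch Configuration), and upgrading the IOS image with an integrity check. The TFTP server address, file names, image name and checksum are placeholders; verify /md5 and boot system are assumed to be available on the installed release.

```cisco
! Added example: backup, factory reset, and IOS upgrade over TFTP.
! 192.0.2.50, file names, the image name and <md5> are placeholders.

! --- Backup: confirm the server is reachable, then copy both config files and the VLAN database
Access1# ping 192.0.2.50
Access1# copy system:running-config tftp://192.0.2.50/access1-running.cfg
Access1# copy nvram:startup-config tftp://192.0.2.50/access1-startup.cfg
Access1# copy flash:vlan.dat tftp://192.0.2.50/access1-vlan.dat
! Restore direction: copying into startup-config replaces it; copying into
! running-config merges line by line with whatever is already active.
Access1# copy tftp://192.0.2.50/access1-startup.cfg nvram:startup-config

! --- Factory reset (slides: delete vlan.dat, erase startup-config, reload)
Access1# delete flash:vlan.dat
Access1# erase startup-config
Access1# reload

! --- IOS upgrade with integrity check
Access1# show version | include System image
Access1# show flash:
Access1# copy tftp://192.0.2.50/c2950-new-image.bin flash:
! Compare against the checksum published on cisco.com; a mismatch means a corrupt
! or tampered download, so do not boot it
Access1# verify /md5 flash:c2950-new-image.bin <md5-from-cisco.com>
Access1# configure terminal
Access1(config)# boot system flash:c2950-new-image.bin
Access1(config)# end
Access1# copy running-config startup-config
Access1# reload
Access1# show version | include System image
```

Keep the previous image in flash until the new one has booted cleanly, and note that the configuration files sent to TFTP contain the (reversible) type 7 line passwords, so the TFTP directory needs the same access control as the switch itself.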
Summary Switches are similar to routers –Have basic computer components such as CPUs, RAM, and an operating system –Ports are used to connect hosts and for management –LEDs on the front of the switch show system status, RPS, port mode and port status –When powered on, a switch performs a POST automatically to verify that it functions correctly –Use HyperTerminal to configure or check the status of a switch
Summary Switches are similar to routers (continued) –Switches use a CLI –A question mark (?) is used to access help Word help and syntax help are available –Command modes: User EXEC mode –Prompt is a greater-than character (>) Privileged EXEC mode –Prompt is a pound character (#) Password protect both modes The configure command allows use of other command modes
Summary Switches use default data when powered up the first time –show running-config and show interfaces display the factory default settings –Assign an IP address for management purposes –The show version command verifies the IOS version and the configuration register settings
Summary After an IP address and default gateway are configured, a switch can be accessed with a web-based interface on port 80, if the http server has been enabled on the switch The duplex command is used to configure interface duplex options Troubleshooting issues with switches usually pertain to speed or duplex misconfigurations
Summary A switch dynamically learns and maintains thousands of MAC addresses –If frames associated with a previously learned MAC address are not received, they are automatically aged out or discarded after 300 seconds –The command clear mac-address-table will manually clear address tables
Summary A MAC address permanently assigned to an interface will not age out –Security will be enhanced To configure a static MAC address: mac address-table static mac-addr vlan vlan-id interface interface-id –Use the no form of the command to remove it Port security provides a basic level of security –Restricts access based on MAC address or allowable maximum number of MAC addresses
Summary To verify port security, use these commands: –show port-security –show port-security address –show port-security interface On a new switch added to a network, configure: –Switch name –IP address and default gateway –Line passwords (and SSH in place of Telnet where the image supports it) When you move a switch or host from one port to another, remove configurations that can cause unexpected behavior Maintain documentation and do backups to a server