Saeed Darvish Pazoki – MCSE, CCNA Abstracted From: Cisco Press – ICND 1 – Chapter 9 Ethernet Switch Configuration 1.


1 Saeed Darvish Pazoki – MCSE, CCNA
Abstracted from: Cisco Press – ICND 1 – Chapter 9, Ethernet Switch Configuration

2 Configuration of Features in Common with Routers
This section covers the following topics:
- Simple password security for the console and Telnet access
- Secure Shell (SSH)
- Password encryption
- Enable mode passwords
- Port security

3 Configuration of Features in Common with Routers
Securing the Switch CLI
With default configuration settings, a user at the console does not need to supply a password to reach user mode or enable mode. The reason is that anyone with physical access to the switch or router console could reset the passwords in less than 5 minutes by using the password recovery procedures that Cisco publishes. To reach enable mode from a vty (Telnet or SSH), the switch must be configured with several items:
- An IP address
- Login security on the vty lines
- An enable password

4 Configuration of Features in Common with Routers
Securing the Switch CLI
Configuring Simple Password Security
With default settings, Telnet users are rejected when they try to access the switch, because a vty password has not yet been configured. By default, the enable command allows console users into enable mode without requiring a password, but Telnet users are rejected without even a chance to supply a password. Regardless of these defaults, it makes sense to password protect enable mode using the enable secret global configuration command.

5 Configuration of Features in Common with Routers
Securing the Switch CLI
Configuring Simple Password Security
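The slide above carried only a configuration figure. The following is an added example (not taken from the original slides or from the Cisco Press text) of the simple password security the previous slide describes: a console password, a vty password so that Telnet users are no longer rejected outright, and an enable secret for enable mode. The hostname Sw1 and all password values are assumptions.

```cisco
! Added example: simple password security for console, vty and enable mode.
! Hostname "Sw1" and every password value here are assumed, not from the slides.
Sw1# configure terminal
Sw1(config)# enable secret Str0ng-En4ble!
Sw1(config)# line console 0
Sw1(config-line)# password C0ns0le-Pw
Sw1(config-line)# login
Sw1(config-line)# exit
Sw1(config)# line vty 0 15
Sw1(config-line)# password Vty-Pw-2024
Sw1(config-line)# login
Sw1(config-line)# end
! Verify what the configuration file now holds for these settings
Sw1# show running-config | include enable|password|login
```

The login line subcommand is what makes the switch prompt for the line's password; with login but no password configured, vty users are still rejected, which is the default state the slide describes. The enable secret value is stored as an MD5 hash rather than in clear text, which is why the slide recommends it over enable password.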

6 Configuration of Features in Common with Routers
Securing the Switch CLI
Configuring Usernames and Secure Shell (SSH)
To add support for SSH login to a Cisco switch or router, the switch needs several configuration commands.

7 Configuration of Features in Common with Routers
Securing the Switch CLI
Configuring Usernames and Secure Shell (SSH)
Emma#
Emma#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Emma(config)#line vty 0 15
Emma(config-line)#login local
Emma(config-line)#transport input telnet ssh
Emma(config-line)#exit
Emma(config)#username wendell password hope
Emma(config)#ip domain-name example.com
Emma(config)#crypto key generate rsa
The name for the keys will be: Emma.example.com
Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys...[OK]
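The transcript above still allows Telnet alongside SSH and stores the user password in clear text. As an added example (not part of the original slides), here is the same SSH setup tightened so that the vty lines accept SSH only, the username uses a hashed secret, and the key is generated in one command at a larger size. The hostname Emma and domain example.com are reused from the slide; the username value, secret and 2048-bit modulus are assumptions.

```cisco
! Added example: SSH-only remote access. Hostname and domain reused from
! the slide; the username secret and the 2048-bit key size are assumed.
Emma# configure terminal
Emma(config)# hostname Emma
Emma(config)# ip domain-name example.com
! "secret" stores a hash instead of the clear-text value that "password" stores
Emma(config)# username wendell secret R3place-This-Secret
! Key name becomes Emma.example.com; modulus given inline to skip the prompt
Emma(config)# crypto key generate rsa modulus 2048
Emma(config)# ip ssh version 2
Emma(config)# line vty 0 15
Emma(config-line)# login local
! Accept SSH only: Telnet sends the username and password in clear text
Emma(config-line)# transport input ssh
Emma(config-line)# end
! Verify SSH is enabled, which version is active, and who is connected
Emma# show ip ssh
Emma# show ssh
```

Removing telnet from transport input is the change that matters most: with login local and SSH only, credentials never cross the network unencrypted, and the key size and ip ssh version 2 remove the weaker SSHv1 negotiation.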

8 Configuration of Features in Common with Routers
Securing the Switch CLI
Password Encryption
To prevent password vulnerability in a printed version of the configuration file, or in a backup copy of the configuration file stored on a server, you can encrypt or encode the passwords using the service password-encryption global configuration command. The presence or absence of the service password-encryption global configuration command dictates whether the passwords are encrypted as follows:
- When the service password-encryption command is configured, all existing console, vty, and username command passwords are immediately encrypted.
- If the service password-encryption command has already been configured, any future changes to these passwords are encrypted.
- If the no service password-encryption command is used later, the passwords remain encrypted, until they are changed—at which point they show up in clear text.

9 Configuration of Features in Common with Routers
Securing the Switch CLI
Password Encryption

10 Configuration of Features in Common with Routers
Securing the Switch CLI
The Two Enable Mode Passwords
A router or switch can be configured to require a password to reach enable mode according to the following rules:
- If the global configuration command enable password actual-password is used, it defines the password required when using the enable EXEC command. This password is listed as clear text in the configuration file by default.
- If the global configuration command enable secret actual-password is used, it defines the password required when using the enable EXEC command. This password is listed as a hidden MD5 hash value in the configuration file.
- If both commands are used, the password set in the enable secret command defines which password is required.
The MD5 encoding is much more secure than the encryption used for other passwords with the service password-encryption command.

11 Configuration of Features in Common with Routers
Securing the Switch CLI
The Two Enable Mode Passwords
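Slides 8 through 11 explain service password-encryption and the two enable-mode commands but the configuration figures did not survive. The following added example (not from the original slides) configures both enable commands and service password-encryption, then shows the shape of what the configuration file holds afterwards. The hostname Sw1 and the password values are assumed, and the hash and encoded strings in the output are placeholders rather than real values.

```cisco
! Added example: both enable-mode commands plus service password-encryption.
! Hostname and password values are assumed; output hashes are placeholders.
Sw1# configure terminal
Sw1(config)# enable password weak-plaintext
Sw1(config)# enable secret Str0ng-En4ble!
Sw1(config)# service password-encryption
Sw1(config)# end
! Only the lines relevant to these commands are shown here
Sw1# show running-config | include enable|password-encryption
service password-encryption
enable secret 5 <MD5-hash-placeholder>
enable password 7 <type-7-encoded-placeholder>
```

Because both commands are present, the enable secret value is the one the enable command checks; the enable password line is dead configuration. The type 5 string is an MD5 hash, while the type 7 string produced by service password-encryption is only a reversible encoding, so a configuration file containing type 7 lines should still be handled as if it held clear-text passwords. Removing the leftover enable password line is the cleaner end state.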

12 Configuration of Features in Common with Routers
Console and vty Settings
Banners
Cisco routers and switches can display a variety of banners depending on what a router or switch administrator is doing. A banner is simply some text that appears on the screen for the user.

13 Configuration of Features in Common with Routers
Console and vty Settings
Banners

14 Configuration of Features in Common with Routers
Console and vty Settings
Banners

15 Configuration of Features in Common with Routers
Console and vty Settings
History Buffer Commands

16 Configuration of Features in Common with Routers
Console and vty Settings
The logging synchronous and exec-timeout Commands
The console automatically receives copies of all unsolicited syslog messages on a switch or router; that feature cannot be disabled. Normally a switch or router puts these syslog messages on the console’s screen at any time—including right in the middle of a command you are entering, or in the middle of the output of a show command. To make using the console a little easier, you can tell the switch to display syslog messages only at more convenient times, such as at the end of output from a show command or to prevent the interruption of a command text input. To do so, just configure the “logging synchronous” console line subcommand.

17 Configuration of Features in Common with Routers
Console and vty Settings
The logging synchronous and exec-timeout Commands
By default, the switch or router automatically disconnects users after 5 minutes of inactivity, for both console users and users who connect to vty lines using Telnet or SSH. With the exec-timeout minutes seconds line subcommand, you can give the switch or router a different inactivity timer. Also, if you set the timeout to 0 minutes and 0 seconds, the router never times out the console connection.
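Slides 12 through 17 cover banners, the history buffer, logging synchronous and exec-timeout, but the configuration figures are missing from the transcript. The following added example (not from the original slides) applies all four on the console and vty lines of one switch. The hostname Sw1, the banner wording, the history size and the timer values are assumptions.

```cisco
! Added example: banners, history buffer, synchronous logging and idle
! timeout. Hostname, banner text and the numeric values are assumed.
Sw1# configure terminal
! MOTD banner: shown before login; "#" is the delimiter that ends the text
Sw1(config)# banner motd #
Authorized access only. Activity on this device is monitored.
#
! Login banner: shown after the MOTD, before the password prompt
Sw1(config)# banner login #
Enter your assigned credentials.
#
Sw1(config)# line console 0
! Keep the last 50 commands instead of the default buffer
Sw1(config-line)# history size 50
! Defer syslog output so it does not interleave with typed commands
Sw1(config-line)# logging synchronous
! Disconnect an idle console session after 10 minutes 0 seconds
Sw1(config-line)# exec-timeout 10 0
Sw1(config-line)# exit
Sw1(config)# line vty 0 15
Sw1(config-line)# history size 50
Sw1(config-line)# logging synchronous
Sw1(config-line)# exec-timeout 10 0
Sw1(config-line)# end
! Review the command history kept for this session
Sw1# show history
```

As the slide notes, exec-timeout 0 0 disables the idle timer entirely; that is convenient in a lab but on vty lines it leaves a forgotten Telnet or SSH session logged in indefinitely, so an explicit non-zero value is the better production setting.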

18 LAN Switch Configuration and Operation
In particular, this section covers the following:
- Switch IP configuration
- Interface configuration (including speed and duplex)
- Port security
- VLAN configuration
- Securing unused switch interfaces

19 LAN Switch Configuration and Operation
Configuring the Switch IP Address
To allow Telnet or SSH access to the switch, to allow other IP-based management protocols such as Simple Network Management Protocol (SNMP) to function as intended, or to allow access to the switch using graphical tools such as Cisco Device Manager (CDM), the switch needs an IP address. Switches do not need an IP address to be able to forward Ethernet frames. The need for an IP address is simply to support overhead management traffic, such as logging into the switch. An IOS-based switch configures its IP address and mask on a special virtual interface called the VLAN 1 interface.

20 LAN Switch Configuration and Operation
Configuring the Switch IP Address
In effect, a switch’s VLAN 1 interface gives the switch an interface into the default VLAN used on all ports of the switch—namely, VLAN 1. The following steps list the commands used to configure IP on a switch:

21 LAN Switch Configuration and Operation
Configuring the Switch IP Address
Even for the switch to act as a DHCP client to discover its IP address, mask, and default gateway, you still need to configure that behaviour. Some older models of Cisco IOS switches might not support the DHCP client function on the VLAN 1 interface.
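The step list announced on slide 20 did not survive the transcript. As an added example (not from the original slides), here is the static configuration of the VLAN 1 interface with a default gateway, followed by the DHCP-client alternative slide 21 refers to. The hostname Sw1 and the addresses (taken from the 192.0.2.0/24 documentation range) are assumptions.

```cisco
! Added example: management IP on the VLAN 1 interface. Hostname and
! addresses are assumed; 192.0.2.0/24 is a documentation range.
Sw1# configure terminal
Sw1(config)# interface vlan 1
Sw1(config-if)# ip address 192.0.2.10 255.255.255.0
! The VLAN 1 interface is typically administratively down until enabled
Sw1(config-if)# no shutdown
Sw1(config-if)# exit
! Gateway for management traffic that leaves the switch's own subnet
Sw1(config)# ip default-gateway 192.0.2.1
Sw1(config)# end
!
! Alternative: learn address, mask and default gateway as a DHCP client
Sw1# configure terminal
Sw1(config)# interface vlan 1
Sw1(config-if)# ip address dhcp
Sw1(config-if)# no shutdown
Sw1(config-if)# end
!
! Verify the interface state and the address in use
Sw1# show interfaces vlan 1
Sw1# show ip interface brief
```

The address exists only for management traffic, as slide 19 says, so it is worth remembering that the VLAN 1 interface sits in the same VLAN as every default access port; whoever can reach VLAN 1 can reach the management address, which is why the login protections from the earlier slides matter.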

22 LAN Switch Configuration and Operation
Configuring Switch Interfaces
You can see some of the details of interface configuration with both the show running-config command and the handy show interfaces status command. You can configure a command on a range of interfaces at the same time using the interface range command.

23 LAN Switch Configuration and Operation
Port Security
Port security configuration involves several steps:
- Step 1: Make the switch interface an access interface using the switchport mode access interface subcommand.
- Step 2: Enable port security using the switchport port-security interface subcommand.
- Step 3 (Optional): Specify the maximum number of allowed MAC addresses associated with the interface using the switchport port-security maximum number interface subcommand. (Defaults to one MAC address.)
- Step 4 (Optional): Define the action to take when a frame is received from a MAC address other than the defined addresses using the switchport port-security violation {protect | restrict | shutdown} interface subcommand. (The default action is to shut down the port.)
- Step 5A: Specify the MAC address(es) allowed to send frames into this interface using the switchport port-security mac-address mac-address command. Use the command multiple times to define more than one MAC address.
- Step 5B: Alternatively, instead of Step 5A, use the “sticky learning” process to dynamically learn and configure the MAC addresses of currently connected hosts by configuring the switchport port-security mac-address sticky interface subcommand.

24 LAN Switch Configuration and Operation
Port Security

25 LAN Switch Configuration and Operation
Port Security
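Slides 22 through 25 describe interface ranges and the port security steps, but the example figures are absent. The following added example (not from the original slides) walks the five steps on a range of access ports with sticky learning and a non-default violation mode, pins one port to a single static MAC address (Step 5A), and finishes with the "securing unused switch interfaces" item from slide 18 and the verification commands. The hostname Sw1, the interface numbers and the MAC address are assumptions.

```cisco
! Added example: port security on a range of ports, one statically pinned
! port, and shutdown of unused ports. Hostname, port numbers and MAC assumed.
Sw1# configure terminal
Sw1(config)# interface range fastEthernet 0/1 - 20
Sw1(config-if-range)# description User access ports
! Step 1: access mode is required before port security can be enabled
Sw1(config-if-range)# switchport mode access
! Step 2: enable port security
Sw1(config-if-range)# switchport port-security
! Step 3: allow two addresses (e.g. an IP phone plus the PC behind it)
Sw1(config-if-range)# switchport port-security maximum 2
! Step 4: keep the port up but drop and count/log offending frames
Sw1(config-if-range)# switchport port-security violation restrict
! Step 5B: learn the connected hosts' addresses and write them to the config
Sw1(config-if-range)# switchport port-security mac-address sticky
Sw1(config-if-range)# exit
!
! Step 5A on one port: a fixed, administrator-supplied MAC address instead
Sw1(config)# interface fastEthernet 0/21
Sw1(config-if)# switchport mode access
Sw1(config-if)# switchport port-security
Sw1(config-if)# switchport port-security mac-address 0200.1111.1111
Sw1(config-if)# exit
!
! Unused ports: force access mode and administratively shut them down
Sw1(config)# interface range fastEthernet 0/22 - 24
Sw1(config-if-range)# description Unused - shut
Sw1(config-if-range)# switchport mode access
Sw1(config-if-range)# shutdown
Sw1(config-if-range)# end
!
! Verification: summary, per-port detail (violation count, learned MACs),
! and the status view the slide mentions
Sw1# show port-security
Sw1# show port-security interface fastEthernet 0/1
Sw1# show interfaces status
```

Two operational points follow from the steps. With the default violation mode of shutdown, a violation places the port in the err-disabled state and an administrator must issue shutdown followed by no shutdown on it to recover, which is why restrict is often chosen on user ports. Sticky-learned addresses are written into the running configuration, so they are only preserved across a reload once the configuration is saved with copy running-config startup-config.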

