Integrating Cisco Press Resources into the Switching Basics and Intermediate Routing CCNA 3
Chapter 6
www.ciscopress.com
Catalyst Switch Configuration
Introduction
• Switches are Layer 2 devices that serve as concentration points for the connection of workstations, servers, routers, hubs, and other switches
• Switches are multiport bridges that utilize a star topology
• Switches provide dedicated, point-to-point virtual circuits that make collisions unlikely
• New switches are configured with factory defaults but normally need changes
• Switches can be configured from a command-line interface (CLI) or from a web-based interface
• Network engineers must be familiar with these switch configuration tasks:
– Maintenance of the switch
– Cisco IOS upgrades
– Management of interfaces and switching tables
– Password recovery
Starting the Switch
Physical Startup of the Catalyst Switch
• Most Catalyst switches have no power switch!
– Simply plug in to start
• Before starting the switch, verify the following:
– All network cables are secure
– A terminal is connected to the console port
– A console terminal application, such as HyperTerminal, is selected
• Steps in starting a switch (continued)
– Attach the power cord to the switch
– Observe the boot sequence
• Look at the LEDs on the switch
• Observe the Cisco IOS software output text on the console
Starting the Switch
Switch Port Types
• Switches in the Catalyst 2950 series have these characteristics:
– 12-port, 24-port, or 48-port
– All ports are FastEthernet
– Optional uplink slots for copper or fiber Gigabit Interface Converter (GBIC) modules
• Asymmetrical switching
• Switches such as the Catalyst 3750 now include small-form-factor pluggable (SFP) slots, which are smaller than GBIC slots
Catalyst 2950 Switches Are Used at the Access Layer
Four Slots on the Right of These Catalyst 3750 Switches Are SFP Slots
Starting the Switch
Switch LED Indicators
• The following LEDs are seen on the front of a Catalyst 2950 switch:
– System LED
• Tells whether the system is receiving power and functioning properly
– Redundant Power Supply (RPS) LED
• Indicates whether a redundant power supply is in use
– Port Mode LEDs
– Port Status LEDs
Catalyst 2950 Switches Have Four Types of LEDs
System LED and RPS LED
• After the power cable is connected, the switch initiates a series of tests called the power-on self test (POST)
– Runs automatically to verify the switch functions correctly
– System LED indicates the status of the POST
• System LED off but switch is plugged in: the POST is running
• System LED is green: POST successful
• System LED is amber: POST failed (fatal error)
• Port Mode LEDs indicate the state of the Mode button
– Press the Mode button repeatedly until the desired mode is selected
• Port Status LEDs indicate various port states
– Depends on the value of the Port Mode LEDs
Catalyst 2950 Port Status LED Display Modes
Catalyst 2950 Port Status LED Display Modes (continued)
Catalyst 2950 Port Status LED Display Modes (continued)
Starting the Switch
Viewing Initial Bootup Output from the Switch
• Connect a computer’s COM port to a switch’s console port using a rollover cable
Console Connection to the Switch Is the Most Common Configuration Method
• Start HyperTerminal on the computer
– Choose the Serial Port
• Name the connection
• After selecting the COM port, click the OK button
– Set up the parameters as seen in this figure
• Plug the switch into the wall outlet
• Initial bootup output should be displayed on the HyperTerminal screen
– Contains details about POST status and switch hardware
– After POST status, a prompt to enter initial configuration will appear
• Can configure manually or with a System Configuration dialog
Hardware Platform and Flash Information Displayed During Bootup
Hardware Platform and Flash Information Displayed During Bootup (continued)
Starting the Switch
Using the System Configuration Dialog
Using the System Configuration Dialog (continued)
Option to Use Config Generated by Setup
Starting the Switch
Logging on with the Switch CLI and Using the Help Facility
• The Cisco IOS software provides a CLI called the EXEC
– Interprets commands that are entered and carries out corresponding operations
• Two levels of access to the EXEC:
– User mode: tasks indicating switch status
• Indicated by the > prompt
– Privileged mode: ability to change the configuration of the switch
• Indicated by the # prompt
• To change from user EXEC mode to privileged EXEC mode, use the enable command
– Switch will prompt for the enable password if one is configured
• Password is not shown on screen as you type
• If configuring the switch over a network via a modem or Telnet, the password is sent in clear text
• Privileged EXEC mode includes all commands from user EXEC mode, plus all the configuration commands
– The configure command allows access to other command modes
• Several types of command-line help:
– Context-sensitive help: a list of commands and arguments associated with a specific command
– Console error messages: problems with commands that are entered incorrectly
– Command history buffer: recall of long or complex commands to be altered or corrected
• The question mark (?) can be used to get help
– Two types of context-sensitive help with the ? command:
• Word help: Enter the ? command to get word help for a list of commands that begin with a particular character sequence; do not use a space before the question mark
• Command syntax help: Enter the ? command to see how to complete a command; enter a question mark in place of a keyword or argument; use a space before the question mark
Configuring the Switch
Catalyst Switch Default Configuration
• Catalyst 2950 switches come with this default configuration:
– IP address: 0.0.0.0
– CDP: Enabled
– 100BASE-T port: Autonegotiate duplex mode
– Spanning tree: Enabled
– Console password: None
– Hostname: Switch
– No passwords set on virtual terminal (VTY) lines
• The show running-config command displays the active configuration on the switch
– Requires privileged EXEC mode access
Default Output for show running-config Command:
Default Output for show running-config Command (continued):
• The show interface f0/2 command displays information about interface FastEthernet 0/2
– Switch trunks and switch ports are both considered interfaces
– Output varies, depending on the network for which you have configured an interface
Default f0/2 Settings
Default f0/2 Settings (continued)
Nondefault f0/1 Settings
Fields in the show interface f0/1 Output of Previous Slide
• VLAN membership is displayed using the show vlan command
• In the default configuration, all ports are in VLAN 1
– VLAN 1 is the default management VLAN
• The flash directory has a file that contains the IOS image, a file called env_vars, and a subdirectory called html
• After switch configuration, two more files are added to the flash directory: config.txt and a VLAN database
Default Port VLAN Membership
Output of show flash
Verify IOS version and configuration register settings with the show version command
Verify IOS version and configuration register settings with the show version command (continued)
Fields in the show version Output From Previous Slide
Configuring the Switch
Basic Catalyst Switch Configuration
• Returning the Switch to Its Default Configuration:
– Delete the VLAN database file, vlan.dat, from the flash directory
– Erase the backup configuration file, startup-config
– Restart the switch with the reload command
• One of the first tasks in configuring a switch is to name it
– Allows you to better manage the network by uniquely identifying each switch
– The name of the switch is considered its hostname
– The name is displayed at the system prompt
– The switch name is assigned in global configuration mode
Configuring the Hostname and Line Passwords
• Assign an IP address to the switch
– Makes it possible to connect remotely using Telnet or a web browser
• VLAN 1 is assigned an IP address
– Use the no shutdown command to make the Switch Virtual Interface (SVI), VLAN 1, operational
• Required if using Simple Network Management Protocol (SNMP) to manage the switch
• Assign a default gateway to the switch using the ip default-gateway command
– Allows access to other networks
Configuring the Switch for Management
• By default, VLAN 1 is the management VLAN
– Use it to manage all the network devices on a network
– All ports belong to VLAN 1
– Remove access ports from VLAN 1 and place them in another VLAN
• Allows for VLAN management while keeping traffic from network hosts off the management VLAN
– Use the no ip address configuration command to remove an IP address for VLAN 1 or to disable IP processing
• FastEthernet switch ports default to auto-speed and auto-duplex
– Allows the interfaces to negotiate these settings
– Can be manually configured
• A web browser can be used to configure the switch if the switch has an HTTP server running on port 80
Configuring HTTP Support
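The factory defaults listed earlier (hostname Switch, no console or VTY passwords, every access port in VLAN 1) and the HTTP server just mentioned are the first things to check on a switch that has been "configured". The following Python audit is an added example, not from the Cisco Press slides: it parses a constructed running-config (the config text, hostname and addresses are made up) and reports which of those defaults are still in force.

```python
"""Audit a Catalyst running-config for the insecure factory defaults this chapter lists.

Added example, not part of the Cisco Press slides. SAMPLE_CONFIG is constructed
for illustration; the checks mirror the chapter's defaults (hostname Switch,
no console/VTY passwords, access ports in VLAN 1) and the HTTP server setting.
"""
import re

# Constructed sample: the switch was named (badly) and given a management address,
# but line passwords were never set and the web server is still enabled.
SAMPLE_CONFIG = """\
hostname Switch
!
ip http server
!
interface FastEthernet0/1
 switchport mode access
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
 no shutdown
!
ip default-gateway 192.168.1.1
!
line con 0
line vty 0 4
 login
!
end
"""


def parse_sections(config: str) -> dict:
    """Split IOS config into top-level lines and indented blocks keyed by header."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())     # body line of the open block
        elif raw.strip() in ("", "!", "end"):
            current = None                           # separator closes any block
        else:
            line = raw.strip()
            if re.match(r"^(interface|line) ", line):
                current = line
                blocks.setdefault(current, [])
            else:
                top.append(line)
                current = None
    return {"top": top, "blocks": blocks}


def audit(config: str) -> list:
    """Return one finding per chapter default that is still in force."""
    parsed = parse_sections(config)
    top, blocks = parsed["top"], parsed["blocks"]
    findings = []

    if "hostname Switch" in top or not any(t.startswith("hostname ") for t in top):
        findings.append("hostname is still the default 'Switch'")
    if not any(t.startswith(("enable secret", "enable password")) for t in top):
        findings.append("no enable password: privileged EXEC is unprotected")
    if "ip http server" in top:
        findings.append("HTTP server enabled on port 80")

    for header, body in blocks.items():
        if header.startswith("line "):
            # Console and VTY lines ship with no password at all.
            if not any(b.startswith("password ") for b in body):
                findings.append(f"{header}: no password set")
        elif header.startswith("interface FastEthernet"):
            # Access ports left in VLAN 1 share the management VLAN with hosts.
            if "switchport mode access" in body and not any(
                b.startswith("switchport access vlan ") for b in body
            ):
                findings.append(f"{header}: access port still in management VLAN 1")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```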
• The Cisco Virtual Switch Manager (CVSM) is a web-based graphical user interface (GUI) used to configure and monitor many Cisco switches such as the Catalyst 2950
– When the GUI is initialized by opening a browser with the switch’s URL, an applet is downloaded to the switch
• Another GUI, Cisco Network Assistant (CNA), is also available, as is Cluster Management Suite (CMS)
• Special IOS images that include an additional HTML package are required to make CVSM and CNA work with switches
Configuring the Switch
Duplex and Speed Configuration
• Half-duplex transmission mode implements CSMA/CD
– Traditional shared LAN operates in half-duplex mode and is susceptible to collisions
• Full-duplex significantly improves network performance without installing new cabling
– Can use point-to-point Ethernet, FastEthernet, and Gigabit Ethernet connections
– Collision-free connections
• Full-duplex connections are point-to-point between switches and nodes but not between shared hubs
– Most NICs sold today offer full-duplex capability
– In full-duplex mode, the collision detection circuit is disabled
– Nodes that attach to hubs share their connection to a switch port and must operate in half-duplex mode
• Standard shared Ethernet uses 50-60% of the 10-Mbps bandwidth (5 to 6 Mbps)
• Full-duplex offers 100% of bandwidth in both directions (10-Mbps transmit and 10-Mbps receive, for a total of 20 Mbps)
• Operation of half-duplex versus full-duplex:
– Half-duplex relies on CSMA/CD
– Half-duplex supports only unidirectional data flow
– Half-duplex has a higher potential for collisions
– Half-duplex involves the use of hubs
• Operation of half-duplex versus full-duplex (continued):
– Full-duplex is point-to-point
– Full-duplex requires full-duplex support on both ends
– Full-duplex is collision free
– Full-duplex has the collision detection circuit disabled
• Use the duplex {auto | full | half} interface configuration command to specify the duplex mode of switch ports
– Set autonegotiation of duplex mode: auto
– Set full-duplex mode: full
– Set half-duplex mode: half
– For FastEthernet and 10/100/1000 ports, the default is auto
– For 100BASE-FX, the default is full
• Use the show interfaces command to verify duplex settings
• Autonegotiation can cause problems
– Sometimes an attached device does not support autonegotiation and is operating in full-duplex mode
• Necessary to manually configure the duplex mode
• Check for FCS errors with the show interfaces command
– It is critical that the setting on the switch is compatible with the setting on the NIC
Configuring the Switch
Managing the MAC Address Table
• Switches use MAC address tables to forward traffic between ports
– The tables include dynamic, permanent, and static addresses
• Dynamic addresses: source MAC addresses that the switch learns and then drops when they are not refreshed and time out
– Learned by examining the source MAC address of each frame received on each port
– MAC address and port number are added to the MAC address table
– The tables include dynamic, permanent, and static addresses (continued)
• Permanent addresses: assigned by an administrator to a port
– Reasons for assigning permanent addresses:
» MAC address will not age out
» Must attach a server or user workstation to a specific port and you know the MAC address
» Enhanced security
• Maximum size of the MAC address table varies with different switches
– Catalyst 2950: 8192 MAC addresses
• When the table is full, traffic for new MAC addresses is flooded
• The show mac-address-table command, entered in privileged EXEC mode, displays the MAC addresses a switch has learned
• The clear mac-address-table command purges dynamically learned entries
Viewing the MAC Address Table
Clearing Dynamic Entries in the MAC Address Table
• The global configuration mode command:
mac address-table static mac-addr vlan vlan-id interface interface-id
can be used to configure a static MAC address for a switch
Statically Configuring a Port-to-MAC Mapping
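To make the learning, aging, flooding and static-entry behaviour of this section concrete, here is an added Python model that is not from the slides. It learns source addresses per VLAN, ages dynamic entries after the 300 seconds given in the summary, floods when the destination is unknown or the table is full (the 8192-entry Catalyst 2950 limit is the default capacity), and keeps static entries across clear mac-address-table; frame addresses and port names are constructed.

```python
"""Model of a Catalyst MAC address table: learning, aging, static entries and
flooding. Added example, not from the Cisco Press slides. The table size (8192,
Catalyst 2950) and the 300-second aging time come from the chapter; the frames
fed to it are constructed."""
from dataclasses import dataclass, field

AGING_SECONDS = 300            # dynamic entries time out after 300 s
CATALYST_2950_CAPACITY = 8192  # maximum MAC addresses on a Catalyst 2950


@dataclass
class Entry:
    port: str
    vlan: int
    static: bool = False       # static entries never age out
    last_seen: float = 0.0


@dataclass
class MacTable:
    capacity: int = CATALYST_2950_CAPACITY
    entries: dict = field(default_factory=dict)   # (vlan, mac) -> Entry

    def add_static(self, mac, vlan, port):
        """mac address-table static mac-addr vlan vlan-id interface interface-id"""
        self.entries[(vlan, mac.lower())] = Entry(port, vlan, static=True)

    def age_out(self, now):
        """Drop dynamic entries that were not refreshed within AGING_SECONDS."""
        stale = [k for k, e in self.entries.items()
                 if not e.static and now - e.last_seen >= AGING_SECONDS]
        for k in stale:
            del self.entries[k]

    def learn(self, src_mac, vlan, port, now):
        """Learn the source MAC of a received frame; returns False if the table is full."""
        key = (vlan, src_mac.lower())
        entry = self.entries.get(key)
        if entry is not None:
            if not entry.static:                  # refresh (or move) a dynamic entry
                entry.port, entry.last_seen = port, now
            return True
        if len(self.entries) >= self.capacity:
            return False                          # full table: address is not learned
        self.entries[key] = Entry(port, vlan, last_seen=now)
        return True

    def forward(self, src_mac, dst_mac, vlan, in_port, now, all_ports):
        """Return the egress ports for a frame: the known port, or a flood to every
        other port in the VLAN when the destination is unknown."""
        self.age_out(now)
        self.learn(src_mac, vlan, in_port, now)
        entry = self.entries.get((vlan, dst_mac.lower()))
        if entry is not None and entry.port != in_port:
            return [entry.port]
        if entry is not None:                     # destination is on the ingress port
            return []
        return [p for p in all_ports if p != in_port]

    def clear_dynamic(self):
        """clear mac-address-table: purge dynamically learned entries only."""
        self.entries = {k: e for k, e in self.entries.items() if e.static}
```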
Configuring the Switch
Configuring Port Security
• Port security features can be used to restrict input on an interface
– Limit and identify the MAC addresses of the stations allowed to access the port
– Switch will not forward frames with source MAC addresses that are outside the group of defined addresses
– Use the switchport port-security interface command without keywords to enable port security on an interface
• Port security features can be used to restrict input on an interface (continued)
– Use the switchport port-security interface command with keywords to configure a secure MAC address, maximum number of secure MAC addresses, or the violation mode
– Use the no form of this command to disable port security or set the parameters to their default state
Port Security Options
• Full syntax for the switchport port-security interface mode command:
switchport port-security [mac-address mac-address] | [mac-address sticky [mac-address]] | [maximum value] | [violation {protect | restrict | shutdown}]
• A port must be in access mode to enable port security, and port security is disabled by default
• Methods by which secure addresses can be added to the table after the maximum number of allowed MAC addresses is set:
– Manually configure all the addresses
– Allow the port to dynamically configure all the addresses
– Configure some MAC addresses and allow the rest to be dynamically learned
• An interface can be configured to convert dynamic MAC addresses to sticky secure MAC addresses and add them to the running configuration by enabling sticky learning:
– Enter the switchport port-security mac-address sticky interface configuration command
• Converts all dynamically learned addresses to sticky secure addresses
• Sticky MAC addresses do not automatically become part of the configuration file
– Must save the configuration file or the addresses will have to be learned the next time the switch is restarted
– Disabling sticky learning converts the sticky secure MAC addresses to dynamic secure addresses and they are removed from the configuration file
– A secure port can have from 1 to 132 associated secure addresses; no more than 1024 on the switch total
• Security violation situations:
– Maximum number of secure MAC addresses has been added to the address table, and a station whose MAC address is not in the table attempts to access the interface
– An address learned or configured on one secure interface is seen on another secure interface in the same VLAN
Port Security Keyword Options
• An address violation occurs when:
– A secured port receives an address that has been assigned to another secured port
– A port tries to learn an address that exceeds its address table size limit
• Set with the switchport port-security maximum command
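The violation rules from the last few slides (per-port maximum, sticky learning, the protect/restrict/shutdown modes, and a secure address from one interface appearing on another in the same VLAN) are modelled in this added Python example, which is not from the slides. Port names, MAC addresses and the "forward"/"drop"/"shutdown" result labels are constructed; the comments on what each violation mode does reflect IOS behaviour beyond the keyword list on the slide.

```python
"""Model of switchport port-security decisions on Catalyst access ports.
Added example, not from the Cisco Press slides. Implements the chapter's rules:
a per-port maximum, sticky learning, violation modes protect/restrict/shutdown,
and the cross-port violation within one VLAN. Sample data is constructed."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    vlan: int
    maximum: int = 1                 # switchport port-security maximum <value>
    violation: str = "shutdown"      # switchport port-security violation {protect|restrict|shutdown}
    sticky: bool = False             # switchport port-security mac-address sticky
    secure_macs: dict = field(default_factory=dict)   # mac -> "static" | "sticky" | "dynamic"
    violations: int = 0
    err_disabled: bool = False

    def add_static(self, mac):
        """switchport port-security mac-address <mac-address>"""
        self.secure_macs[mac.lower()] = "static"


class PortSecurity:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def _owner(self, mac, vlan):
        """Secure port that already holds this MAC in the given VLAN, if any."""
        for p in self.ports.values():
            if p.vlan == vlan and mac in p.secure_macs:
                return p
        return None

    def receive(self, port_name, src_mac, vlan):
        """Decide 'forward', 'drop' or 'shutdown' for a frame arriving on a secure port."""
        port = self.ports[port_name]
        mac = src_mac.lower()
        if port.err_disabled:
            return "drop"                         # port stays down until re-enabled
        if mac in port.secure_macs:
            return "forward"                      # already a secure address here
        owner = self._owner(mac, vlan)
        if owner is None and len(port.secure_macs) < port.maximum:
            # Room left and not secured elsewhere: learn it (sticky if enabled)
            port.secure_macs[mac] = "sticky" if port.sticky else "dynamic"
            return "forward"
        # Violation: table full, or the address belongs to another secure port in this VLAN
        return self._violate(port)

    @staticmethod
    def _violate(port):
        if port.violation == "protect":
            return "drop"                         # protect: discard silently, no count
        port.violations += 1
        if port.violation == "restrict":
            return "drop"                         # restrict: discard and count the violation
        port.err_disabled = True                  # shutdown: port goes error-disabled
        return "shutdown"

    def sticky_config_lines(self, port_name):
        """Lines sticky learning adds to the running-config (lost unless saved)."""
        port = self.ports[port_name]
        return [f"switchport port-security mac-address sticky {m}"
                for m, kind in port.secure_macs.items() if kind == "sticky"]
```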
Configuring Port Security
show port-security Keyword Options
• Use the show port-security address command to display MAC addresses for all ports
• Use the show port-security command without keywords to display the port security settings for the switch
Verifying Port Security
Verifying Port Security (continued)
Verifying Port Security (continued)
Configuring the Switch
Executing Adds, Moves, and Changes
• To add a new MAC address on an access switch that connects a workstation to the network:
– Configure port security
– Configure the MAC address to the port allocated for the new interface so that the first MAC address on the port is the only address permitted
• To delete a MAC address on an access switch that connects a workstation to the network, remove the MAC address restrictions from the port
• To move a MAC address from one access switch to another:
– Add the MAC address to the new physical port
– On the new access switch, configure port security
– On the new access switch, configure the MAC address to the port allocated for the new user
– When all security is in place in the new location, shut down the old port and remove any MAC restrictions; remove any old access lists from the original access switch
• If an Ethernet NIC fails, installing a new NIC changes the MAC address of the workstation
– With port security, the new NIC doesn’t have connectivity because of the now-incorrect MAC address
– Remove the old MAC address from the security on the port and add the new MAC address
• To add a new switch to a network:
– Configure the switch name, IP address, and default gateway
– Configure administrative access for console, auxiliary, and VTY interfaces as appropriate
– Configure security for the device (user EXEC and privileged EXEC levels)
– Configure access switch ports as necessary
– To ensure the switch does not become root of the spanning tree, increase the priority value
Configuring the Switch
Managing Switch Configuration Files
• The switch configuration file is erased with the erase startup-config privileged EXEC command
– Clears non-volatile RAM (NVRAM): RAM that retains its memory when powered off
• Back up the most current configuration file on a server or disc
– Essential for documentation
– On the Catalyst 2950, use the copy nvram:startup-config tftp command to upload the configuration file to a TFTP server
• Steps to upload a configuration file from a switch to a TFTP server:
– Verify the TFTP server is accessible (ping it) and properly configured
– Log in to the switch through a console port or Telnet session
– Upload the switch configuration to the TFTP server, using the IP address or hostname of the TFTP server and the destination filename
• Use one of these commands:
copy system:running-config tftp:[[[//location]/directory]/filename]
copy nvram:startup-config tftp:[[[//location]/directory]/filename]
Saving Configuration Files
Configuring the Switch
Password Recovery
• For security and management purposes, passwords must be set on console and VTY lines
– Assures only authorized access
• Sometimes you have physical access to a switch but don’t know the password
– Follow the password recovery procedures such as: http://www.cisco.com/en/US/products/hw/switches/ps628/prod_password_recoveries_list.html
Configuring the Switch
Upgrading the Cisco IOS Image
• IOS images are replaced because:
– Bugs are fixed
– New features are made available
– Performance improvements are made
• If the network can be made more secure or to operate more efficiently, upgrade the IOS
• To upgrade, log on to cisco.com and download a copy of the new image to your local TFTP server
Summary
• Switches are similar to routers
– Have basic computer components such as CPUs, RAM, and an operating system
– Ports are used to connect hosts and for management
– LEDs on the front of the switch show system status, RPS, port mode, and port status
– When powered on, a switch performs a POST automatically to verify that it functions correctly
– Use HyperTerminal to configure or check the status of a switch
• Switches are similar to routers (continued)
– Switches use a CLI
– A question mark (?) is used to access help
• Word help and syntax help are available
– Command modes:
• User EXEC mode
– Prompt is a greater-than character (>)
• Privileged EXEC mode
– Prompt is a pound character (#)
• Password protect both modes
• The configure command allows use of other command modes
• Switches use default data when powered up the first time
– show running-config and show interfaces display the factory default settings
– Assign an IP address for management purposes
– The show version command verifies the IOS version and the configuration register settings
• After an IP address and default gateway are configured, a switch can be accessed with a web-based interface on port 80, if the HTTP server has been enabled on the switch
• The duplex command is used to configure interface duplex options
• Troubleshooting issues with switches usually pertain to speed or duplex misconfigurations
• A switch dynamically learns and maintains thousands of MAC addresses
– If frames associated with a previously learned MAC address are not received, they are automatically aged out or discarded after 300 seconds
– The command clear mac-address-table will manually clear address tables
• A MAC address permanently assigned to an interface will not age out
– Security will be enhanced
• To configure a static MAC address:
mac address-table static mac-addr vlan vlan-id interface interface-id
– Use the no form of the command to remove it
• Port security provides a basic level of security
– Restricts access based on MAC address or allowable maximum number of MAC addresses
• To verify port security, use these commands:
– show port-security
– show port-security address
– show port-security interface
• On a new switch added to a network, configure:
– Switch name
– IP address and default gateway
– Line passwords
• When you move a switch or host from one port to another, remove configurations that can cause unexpected behavior
• Maintain documentation and do backups to a server