Chapter 9 - Boise State University

EDTECH 552 (SP11), Susan Ferdon, Notes – Odom, Chapter 9
Flashcards Set: http://www.flashcardmachine.com/1296100/1xp3
Access Interface
    A LAN network design term that refers to a switch interface connected to end-user devices.
Trunk Interface
    On a LAN switch, an interface that is currently using either 802.1Q or Inter-Switch Link (ISL) trunking.
Trunking
    Also called VLAN trunking. A method (using either the Cisco ISL protocol or the IEEE 802.1Q protocol) to support multiple VLANs that have members on more than one switch.
MD5 hash value
    Message-Digest algorithm 5. The MD5 hash (also called a checksum) of a file is a 128-bit value, something like a fingerprint of the file. Cryptographic hashes such as MD5 are meant to have the following properties:
    - Fixed hash length (128 bits for MD5; SHA-1, by comparison, produces 160 bits)
    - Collision resistance (non-identical files should translate into different hash values; MD5 no longer provides this, since practical collisions have been demonstrated, so it should not be relied on to detect deliberate tampering)
    - Repeatability (a file hashed with the same algorithm always produces the same hash value)
    - Irreversibility (one-way: the password cannot be computed from its hash value, although a short or common password can still be found by hashing guesses until one matches)
Syslog
    A standard for logging program messages. It separates the software that generates messages from the system that stores them and from the software that reports on and analyzes them. It also gives devices that could otherwise not communicate a way to notify administrators of problems or performance.
VLAN Trunking
    Allows a single network adapter to behave as "n" virtual network adapters. Because the 802.1Q tag carries a 12-bit VLAN ID, the theoretical upper limit is 4096 values (IDs 1 to 4094 are usable; 0 and 4095 are reserved), but a given switch model typically supports far fewer, with the note citing a typical limit of about 1000 VLAN segments.
Chapter 9 Configuration Command Reference
Basic Password Configuration (command, then its mode/purpose/description):
line console 0
    Changes the context to console configuration mode.
line vty first-vty last-vty
    Changes the context to vty configuration mode for the range of vty lines listed in the command (for example, line vty 0 15 covers all sixteen vty lines on a 2960).
login
    Console and vty configuration mode. Tells IOS to prompt for a password.
password pass-value
    Console and vty configuration mode. Lists the password required if the login command (with no other parameters) is configured.
Username/Password and SSH Configuration:
login local
    Console and vty configuration mode. Tells IOS to prompt for a username and password, to be checked against locally configured username global configuration commands on this switch or router.
username name password pass-value
    Global command. Defines one of possibly multiple usernames and associated passwords, used for user authentication. Used when the login local line configuration command has been used. (username name secret pass-value stores a hash of the password instead of the reversible type 7 form and is preferable where the IOS version supports it.)
crypto key generate rsa
    Global command. Creates and stores (in a hidden location in flash memory) the RSA key pair required by SSH. The switch must already have a hostname other than the default and an ip domain-name configured, because IOS builds the key name from both; the optional modulus keyword sets the key size, and 2048 bits or more should be used.
transport input {telnet | ssh}
    vty line configuration mode. Defines whether Telnet and/or SSH access is allowed into this switch. Both values can be configured on one command to allow both Telnet and SSH access (the default).
IP Address Configuration:
interface vlan number
    Changes the context to VLAN interface mode. For VLAN 1, allows the configuration of the switch's IP address.
ip address ip-address subnet-mask
    VLAN interface mode. Statically configures the switch's IP address and mask.
ip address dhcp
    VLAN interface mode. Configures the switch as a DHCP client to discover its IP address, mask, and default gateway.
ip default-gateway address
    Global command. Configures the switch's default gateway IP address. Not required if the switch uses DHCP.
Interface Configuration:
interface type port-number
    Changes context to interface mode. The type is typically FastEthernet or GigabitEthernet. The possible port numbers vary depending on the model of switch, for example Fa0/1, Fa0/2, and so on.
interface range type port-range
    Changes the context to interface mode for a range of consecutively numbered interfaces. The subcommands that follow then apply to all interfaces in the range.
shutdown / no shutdown
    Interface mode. Disables or enables the interface, respectively.
speed {10 | 100 | 1000 | auto}
    Interface mode. Manually sets the speed to the listed speed or, with the auto setting, automatically negotiates the speed.
duplex {auto | full | half}
    Interface mode. Manually sets the duplex to half or full, or to autonegotiate the duplex setting.
description text
    Interface mode. Lists any information text that the engineer wants to track for the interface, such as the expected device on the other end of the cable.
Miscellaneous:
hostname name
    Global command. Sets this switch's hostname, which is also used as the first part of the switch's command prompt.
enable secret pass-value
    Global command. Sets this switch's password that is required for any user to reach enable mode.
history size length
    Line config mode. Defines the number of commands held in the history buffer, for later recall, for users of those lines.
switchport port-security mac-address mac-address
    Interface configuration mode command that statically adds a specific MAC address as an allowed MAC address on the interface.
switchport port-security mac-address sticky
    Interface subcommand that tells the switch to learn MAC addresses on the interface and add them to the configuration for the interface as secure MAC addresses.
switchport port-security maximum value
    Interface subcommand that sets the maximum number of secure MAC addresses (static, sticky, or dynamically learned) allowed on a single interface. The default is 1.
switchport port-security violation {protect | restrict | shutdown}
    Interface subcommand that tells the switch what to do if an inappropriate MAC address tries to access the network through a secure switch port. The default is shutdown, which places the port in the err-disabled state.
Chapter 9 EXEC Command Reference (command, then its purpose/description):
show mac address-table dynamic
    Lists the dynamically learned entries in the switch's address (forwarding) table.
show dhcp lease
    Lists any information the switch acquires as a DHCP client. This includes IP address, subnet mask, and default gateway information.
show crypto key mypubkey rsa
    Lists the RSA public key created for use with SSH by the crypto key generate rsa global configuration command (the private key is never displayed).
show interfaces status
    Lists one output line per interface, noting the description, operating state, and settings for duplex and speed on each interface.
show interfaces vlan 1
    Lists the interface status, the switch's IP address and mask, and much more.
show port-security interface type number
    Lists an interface's port security configuration settings and security operational status.
Configuration of Features in Common with Routers
Securing the Switch CLI, p. 235
• Access the CLI from the console or from a Telnet/SSH session, then use the enable command to reach enable mode.
• From the console, with default settings, no password is needed for user mode or enable mode.
• To reach enable mode from a vty (Telnet or SSH), the switch needs an IP address, login security on the vty lines, and an enable password.
• It is recommended to configure security even for the console.
Configuring Simple Password Security, p. 236
• Password-protect user mode from the console, Telnet, and SSH.
• A user can reach enable mode with the enable command, but the defaults differ depending on whether the user logged in from the console or remotely using Telnet or SSH: the console can get to enable mode without a password, but Telnet/SSH cannot. Password-protect enable mode using the enable secret global configuration command.
• The exit command takes you out of the current mode and moves you up one level. The end command or Ctrl-Z takes you back to enable mode.
Configuring Usernames and Secure Shell (SSH), p. 239
• SSH encrypts the session, so it is the preferred method for remote login to switches and routers; Telnet sends usernames, passwords, and commands in clear text.
• SSH must be configured to use one of two authentication methods: usernames and passwords configured on the switch itself, or an external Authentication, Authorization and Accounting (AAA) server. The book uses locally configured usernames and passwords.
• Procedures listed in the book.
• For even greater security, disable Telnet (not encrypted) completely with the transport input ssh vty subcommand. The default allows both Telnet and SSH; transport input telnet ssh configures that explicitly. Use show ip ssh to confirm SSH is enabled and which version is in use.
Password Encryption, p. 242
• Simple passwords configured on the console and vty lines with the password command, plus the password in the username ... password command, are all stored in clear text by default.
• The enable secret command automatically hides the password value.
• Reduce the exposure of passwords in a printed copy of the configuration file, or in a backup stored on a server, by encoding them with the service password-encryption global configuration command.
  o When the service password-encryption command is configured, all existing console, vty, and username command passwords are immediately encoded, and future changes to these passwords are encoded as well. They appear as password 7 lines in the configuration.
  o If the no service password-encryption command is used later, the passwords remain encoded until they are changed, at which point they show up in clear text.
  o Caveat: type 7 is a fixed-key XOR obfuscation, not encryption. Anyone who can read the configuration can recover the original password in seconds with freely available tools (or with IOS itself), so treat a type 7 string as equivalent to a clear-text password and protect configuration files accordingly.
The Two Enable Mode Passwords, p. 244
• A router or switch can be configured to require a password to reach enable mode.
  o Global configuration enable password actual-password command: the configuration file lists the password as clear text by default.
  o Global configuration enable secret actual-password command: the configuration file lists a hidden MD5 hash value instead of the password.
  o If both commands are used, the password set in the enable secret command is the one required.
• When the enable secret command is configured, the router or switch automatically hides the password using a one-way hash (salted MD5, not encryption) and stores the hash, not the password, in the configuration file. IOS calls this type 5 and shows it as enable secret 5 $1$salt$hash.
• To delete the enable secret password, use the no enable secret command, which removes it without having to enter the password value. Typically one would just enter the enable secret command again with a new value.
• The MD5 hash is much more secure than the type 7 encoding used for passwords by the service password-encryption command, because it cannot be reversed. It can still be attacked by guessing: an attacker who has the configuration file hashes candidate passwords with the same salt and compares, so the enable secret must be long and not a dictionary word. Newer IOS releases add stronger type 8 (PBKDF2 with SHA-256) and type 9 (scrypt) secrets for this reason.
Console and vty Settings, p. 245
• Banners: the banner command with no type keyword sets the MOTD banner.
  o The banner global configuration command can be used to configure all three types of banner (motd, login, and exec). The banner text can span several lines, with the CLI user pressing Enter at the end of each line.
  o A delimiting character is given in the command (# in the example on p. 245), and the same character ends the banner text.
• History Buffer Commands: You can use the up-arrow key or Ctrl-P to move back in the history buffer, which makes it easy and fast to reuse a set of commands.
• The logging synchronous and exec-timeout Commands:
  o By default the console receives copies of all unsolicited syslog messages on a switch or router. (The no logging console global command turns this off, but console logging is normally kept.)
  o The message is put on the screen immediately, even in the middle of a command or its output.
  o To make the switch send the syslog message at a more convenient time, configure the logging synchronous console line subcommand.
  o You can make using the console more convenient by setting an inactivity timeout with the exec-timeout minutes seconds line subcommand. Setting it to 0 0 means the line never times out, which is a security weakness on any line (an unattended console or vty session stays logged in), so prefer a short value such as exec-timeout 10 0.
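The following is an added worked example, not configuration from the book or from these notes, that strings the commands from the sections above (switch IP address p. 248, SSH p. 239, password encryption p. 242, the two enable passwords p. 244, and console/vty settings p. 245) into one hardened baseline for a Catalyst 2960. The hostname, domain name, addresses, username, privilege level and passwords are assumed placeholders. Commands are entered from global configuration mode; lines beginning with ! are comments and must stand on their own line.

```cisco
! Added example; all names, addresses and passwords below are assumed placeholders.
hostname SW1
ip domain-name example.test
! Management address (p. 248): VLAN 1 interface plus the default gateway.
interface vlan 1
 ip address 192.0.2.10 255.255.255.0
 no shutdown
ip default-gateway 192.0.2.1
! SSH (p. 239). The hostname and ip domain-name above must exist before the key
! can be generated; 2048 bits is the smallest modulus a practitioner should accept today.
crypto key generate rsa modulus 2048
ip ssh version 2
! "secret" stores a hash; "username ... password" would store a reversible type 7 string.
username admin privilege 15 secret Use-A-Long-Passphrase-1
! Enable mode (p. 244): enable secret only, never enable password.
enable secret Another-Long-Passphrase-2
! vty lines: local usernames, SSH only (no Telnet), idle timeout, tidy syslog output.
line vty 0 15
 login local
 transport input ssh
 exec-timeout 10 0
 logging synchronous
! Console (p. 245): protected the same way, even though the default needs no password.
line console 0
 login local
 exec-timeout 10 0
 logging synchronous
! Banner (p. 245): # is the delimiter; the text may span lines until the next #.
banner motd #
Authorized access only. Sessions are logged.
#
! Password encoding (p. 242): hides any remaining "password" lines as type 7.
service password-encryption
! Why type 7 is only obfuscation: IOS itself will decode one for you. 0822455D0A16 is
! "cisco" encoded with seed 08 (IOS picks the seed at random, so the string differs each time).
key chain T7-DEMO
 key 1
  key-string 7 0822455D0A16
! "show key chain T7-DEMO" (privileged EXEC) now displays the decoded key string, cisco.
! Remove the demonstration afterwards:  no key chain T7-DEMO
```

Verify with show ip ssh (version 2 enabled), show crypto key mypubkey rsa (the public key), and show running-config | include secret|password (every credential line should read enable secret 5, username ... secret 5, or password 7, never a clear-text value). Test an SSH login from another host before closing the console session, so that a mistake in the vty configuration cannot lock you out.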
LAN Switch Configuration and Operation
Cisco switches ship from the factory with all interfaces enabled (a default
configuration of no shutdown) and with autonegotiation enabled for ports
that run at multiple speeds and duplex settings (a default configuration of
duplex auto and speed auto).
That which follows applies only to switches – not to routers.
Configuring the Switch IP Address, p. 248
• The switch needs an IP address for several reasons:
  o To allow Telnet or SSH access
  o To allow IP management protocols, such as Simple Network Management Protocol (SNMP), to function
  o To allow access using graphical tools such as Cisco Device Manager (CDM)
• IP Configuration
  o The switch works like a host with a single Ethernet interface.
  o It needs one IP address, a matching subnet mask, and the address of its default gateway (a nearby router).
  o Statically configure the switch with its IP address/mask/gateway, or let the switch learn this information dynamically using DHCP.
  o An IOS-based switch configures the IP address and mask on a special virtual interface called the VLAN 1 interface, which plays the same role as the Ethernet interface on a PC. (The book uses VLAN 1 for simplicity; in production, management is usually placed on a dedicated VLAN rather than VLAN 1, which is the default VLAN of every port.)
  o To administratively enable an interface on a switch or router, use the no shutdown interface subcommand. To disable it, use the shutdown interface subcommand.
  o To use DHCP, follow the same steps as for static configuration, but use the ip address dhcp command instead of the ip address ip-address mask command on the VLAN 1 interface, and do not configure the ip default-gateway global command.
  o For a static IP address, use the show running-config command to see the IP address.
  o For a DHCP client, use the show dhcp lease command to see the (temporarily) leased IP address and other parameters.
  o The output of the show interfaces vlan 1 command lists two very important details related to switch IP addressing:
    - the interface status of the VLAN 1 interface, which must be up to send and receive traffic (a shut-down interface shows as "administratively down"), and
    - the IP address; if the switch fails to acquire one with DHCP, the output instead states that the address will (hopefully) be acquired by DHCP. Nothing in the output says whether the IP address is statically configured or DHCP-leased.
Configuring Switch Interfaces, p. 248
• IOS uses the term interface to refer to the physical ports used to forward data to and from other devices.
• Each interface can be configured separately using IOS interface subcommands, with speed and duplex set either statically or dynamically. The default is autonegotiation.
• The "a" in "a-full" and "a-100" (example on p. 253) means the value was autonegotiated.
Port Security, p. 253
• If you know what devices should be cabled and connected to particular interfaces on a switch, you can use port security to restrict that interface so that only the expected devices can use it. This reduces exposure to some kinds of attacks, such as an unauthorized device plugged into a spare port or a host flooding the switch's MAC address table with forged source addresses (port security caps the number of addresses a port may learn).
• Make the switch interface an access interface, which means the port is not doing any VLAN trunking.
• Enable port security and configure the MAC addresses of the devices allowed to use that port (steps listed on p. 258).
• The 2960 must think that the interface is an access interface, so the switchport mode access command is required. The switchport port-security command enables port security on the interface. The switchport port-security mac-address mac-address command lists an allowed address. Together, these three interface subcommands enable port security for a specific device.
• The switchport port-security mac-address sticky command tells the switch to learn the MAC address from the first frame received on the interface and then add it as a secure MAC address to the running configuration. In other words, the first MAC address heard "sticks" to the configuration.
• To keep that learned address across a reload, save the configuration with the copy running-config startup-config command; otherwise the sticky entry is lost and the first device to send a frame after the reload becomes the trusted one.
• The switch can be configured to take one of three actions when a violation occurs. All three discard the offending frame, but they differ in what else happens:
  o protect: drops the frames silently, with no counter and no log message.
  o restrict: drops the frames, increments the violation counter, and generates a syslog message (and an SNMP trap, if configured).
  o shutdown (the default): puts the interface into the err-disabled state, so all traffic stops until an administrator issues shutdown followed by no shutdown, or errdisable recovery is configured.
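As an added example (not from the book or from these notes), here is a complete port-security configuration for one access port, including the verification and recovery steps the notes above do not spell out. The interface, the MAC address and the two-device limit are assumed; the defaults quoted in the comments (maximum 1, violation shutdown) are IOS defaults. Comments are only valid on their own line, not after a command.

```cisco
! Added example; Fa0/1, the MAC address 0200.1111.1111 and the two-device limit are assumed.
interface FastEthernet0/1
 description User port, two devices expected
! Access mode must come first: IOS refuses port security on a dynamic (trunk-capable) port.
 switchport mode access
! Enable the feature. IOS defaults are maximum 1 and violation shutdown.
 switchport port-security
 switchport port-security maximum 2
! One static secure MAC (the known PC) ...
 switchport port-security mac-address 0200.1111.1111
! ... and sticky learning for the second device; the learned address is written into the
! running-config as "switchport port-security mac-address sticky <mac>".
 switchport port-security mac-address sticky
! restrict: offending frames are dropped, the violation counter increments and a syslog
! message is generated, but the port stays up. protect drops silently; shutdown err-disables.
 switchport port-security violation restrict
! For ports that use the shutdown action, recover err-disabled ports automatically
! after 300 seconds instead of requiring a manual shutdown / no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
! Sticky addresses exist only in the running-config until it is saved (privileged EXEC):
!   copy running-config startup-config
! Verification (privileged EXEC):
!   show port-security interface FastEthernet0/1
!     expect: Port Security : Enabled, Port Status : Secure-up, Violation Mode : Restrict,
!             Maximum MAC Addresses : 2, Security Violation Count : 0
!   show port-security address
!     lists the static and sticky secure MACs with their VLAN and type
!   show interfaces FastEthernet0/1 status
!     shows err-disabled if a port using the shutdown action has tripped
```

A non-zero Security Violation Count on a port that should only ever see one or two known devices is worth a syslog alert in its own right: with the restrict action the port stays up, so the counter and the %PORT_SECURITY syslog message are the only signals that something unexpected was plugged in.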
VLAN Configuration, p. 256
• Cisco switch interfaces are considered to be either access interfaces or trunk interfaces.
  o Access interfaces send and receive frames in only a single VLAN, called the access VLAN (covered in the book).
  o Trunking interfaces send and receive traffic in multiple VLANs (not covered in the book).
• The switch must be configured to believe that the VLAN exists and must have one or more access interfaces assigned to the VLAN (vlan number in global configuration mode, then switchport access vlan number on each interface).
• One VLAN (VLAN 1) exists by default and every port belongs to it until moved; the switch must be configured for additional VLANs (procedure on p. 257).
• To disable trunking, use the switchport mode access interface subcommand. By default a 2960 port runs Dynamic Trunking Protocol (DTP) in dynamic auto mode and will form a trunk if the device on the other end asks for one, which is why forcing access mode matters on user-facing ports.
Securing Unused Switch Interfaces, p. 259
• The plug-and-play operation of Cisco switches (every port enabled, in VLAN 1, and willing to negotiate a trunk) exposes some security threats: anyone who can reach an unused port gets a live connection into the default VLAN.
• Recommendations for unused switch interfaces, overriding the default interface settings:
  o Administratively disable the interface using the shutdown interface subcommand.
  o Prevent VLAN trunking and VTP by making the port a nontrunking interface using the switchport mode access interface subcommand.
  o Assign the port to an unused VLAN using the switchport access vlan number interface subcommand, so that even if the port is later enabled by mistake it does not land in VLAN 1 or a production VLAN.
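The following added example (not from the book or from these notes) applies the VLAN configuration of p. 256 and the unused-port recommendations of p. 259 to a 24-port 2960. The VLAN numbers, names and port ranges are assumed; the only addition beyond the notes is switchport nonegotiate, a real interface subcommand that stops the port from sending DTP frames.

```cisco
! Added example; VLAN numbers, names and port ranges are assumed for a 24-port 2960.
! Create the VLANs first (p. 257): the user VLAN and a "parking" VLAN that leads nowhere.
vlan 10
 name USERS
vlan 999
 name UNUSED-PARKING
! User ports: access mode in VLAN 10, and no DTP so a connected device cannot negotiate a trunk.
interface range FastEthernet0/1 - 12
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
! Unused ports (p. 259): shut down, forced to access mode, parked in VLAN 999.
! The VLAN assignment matters even though the port is shut: if someone later issues
! no shutdown by mistake, the port still lands in a dead VLAN rather than in VLAN 1.
interface range FastEthernet0/13 - 24 , GigabitEthernet0/1 - 2
 description UNUSED - parked per policy
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
! Verification (privileged EXEC):
!   show vlan brief
!     Fa0/1-12 listed under VLAN 10; Fa0/13-24 and Gi0/1-2 under VLAN 999
!   show interfaces status
!     the parked ports show "disabled" with Vlan 999
!   show interfaces FastEthernet0/13 switchport
!     "Administrative Mode: static access" and "Negotiation of Trunking: Off"
```

Re-run show vlan brief and show interfaces status after any change window: a port that has drifted back to VLAN 1 or to "connected" without a matching ticket is exactly the condition these settings exist to catch.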
“Do I Know This Already” Quiz, Chapter 9 - pp. 232-234
Topics: Configuration of Features in Common with Router (Q1-Q3); LAN Switch Configuration and Operation (Q4-Q8)
Q#   1st Try    Answer (recorded where the 1st try was wrong)
1    B
2    ABCD       B, C
3    B
4    D          A
5    B, D, F    A, D, F
6    CDEF       F
7    E
8    B, D       A
Q2: An engineer had formerly configured a Cisco 2960 switch to allow Telnet access so that the switch expected a password of mypassword from the Telnet user. The engineer then changed the configuration to support Secure Shell. Which of the following commands could have been part of the new configuration?
a. A username name password password command in vty config mode
b. A username name password password global configuration command
c. A transport input ssh command in vty config mode
d. A transport input ssh global configuration command
Answer: B and C
Explanation: Global configuration commands apply to features that affect the system as a whole, rather than just one protocol or interface. From global configuration mode you can also enter specific configuration modes and submodes used to configure specific system features. Use the configure terminal privileged EXEC command to enter global configuration mode. A username defined globally is then available to every line (console, Telnet, and SSH) that uses login local.
Not A: username is a global configuration command, not a vty line subcommand; the vty line only references the global usernames through login local.
Not D: transport input ssh is not a global command; it applies only to the remote-access lines, so it belongs in vty line config.
Yes B: The global username command creates the username/password pair that SSH, via login local on the vty lines, authenticates against.
Yes C: The vty lines accept Telnet by default, so transport input ssh in vty config is what restricts them to SSH.
Q4: Which of the following is not required when configuring port security without sticky learning?
a. Setting the maximum number of allowed MAC addresses on the interface with the switchport port-security maximum interface subcommand
b. Enabling port security with the switchport port-security interface subcommand
c. Defining the allowed MAC addresses using the switchport port-security mac-address interface subcommand
d. All of the other answers list required commands
Answer: A
Explanation: "Not required when configuring port security without sticky learning" means the same thing as "not required when configuring port security for specific MAC addresses." Whichever answers I don't pick ARE required.
Not B: The switchport port-security interface subcommand is needed to enable port security.
Not C: The allowed MAC addresses need to be defined statically because sticky learning is not being used.
Not D: A is superfluous, so "all of the above" is not correct.
Yes A: The maximum number of secure MAC addresses defaults to 1, so the switchport port-security maximum command does not have to be configured when a single device is expected.
Q5: An engineer’s desktop PC connects to a switch at the main site. A router
at the main site connects to each branch office via a serial link, with
one small router and switch at each branch. Which of the following
commands must be configured, in the listed configuration mode, to
allow the engineer to telnet to the branch office switches?
a. The ip address command in VLAN 1 configuration mode
b. The ip address command in global configuration mode
c. The ip default-gateway command in VLAN 1 configuration mode
d. The ip default-gateway command in global configuration mode
e. The password command in console line configuration mode
f. The password command in vty line configuration mode
Answer: A, D, F
Explanation: Global configuration commands apply to features that affect the
device as a whole. To allow access via Telnet, the switch must have
password security enabled, at a minimum using the password vty line
configuration subcommand. Additionally, the switch needs an IP address
(configured under the VLAN 1 interface) and a default gateway when the
switch needs to communicate with hosts in a different subnet. See IP
Address Configuration Table in book and notes above.
Not B: IP Address is configured under VLAN interface, not global.
Not C: Default gateway is configured under global, since it affects the device
as a whole.
Not E: The console line serves the physical console connection; Telnet arrives on the vty lines.
Yes A: The IP address is configured under the VLAN 1 interface.
Yes D: The default gateway is configured as a global command.
Yes F: Telnet access requires, at a minimum, a password on the vty lines.
Q6: Which of the following describes a way to disable IEEE standard autonegotiation on a 10/100 port on a Cisco switch?
a. Configure the negotiate disable interface subcommand
b. Configure the no negotiate interface subcommand
c. Configure the speed 100 interface subcommand
d. Configure the duplex half interface subcommand
e. Configure the duplex full interface subcommand
f. Configure the speed 100 and duplex full interface subcommands
Answer: F
Explanation: Choices A and B are not valid IOS syntax; there is no negotiate interface subcommand, and autonegotiation is controlled through the speed and duplex subcommands. Setting only one of them (C, D, or E) leaves the other value to be negotiated. To disable autonegotiation completely, both speed and duplex must be hard-coded (F).
Q8: The show vlan brief command lists the following output:
2 my-vlan active Fa0/13, Fa0/15
Which of the following commands could have been used as part of the configuration for this switch?
a. The vlan 2 global configuration command
b. The name MY-VLAN vlan subcommand
c. The interface range Fa0/13 - 15 global configuration command
d. The switchport vlan 2 interface subcommand
Answer: A (I had B and D)
Explanation: VLAN names are case-sensitive, so the name MY-VLAN command, while using the correct syntax, would set a different VLAN name than the one shown in the question (B). The interface range command in one of the answers includes interfaces Fa0/13, Fa0/14, and Fa0/15. Because Fa0/14 is not assigned to VLAN 2, this command would not have produced the VLAN assignment shown (C). To assign a port to a VLAN, the switchport access vlan 2 command is required, not switchport vlan 2, which is syntactically incorrect (D).