Switching Basics and Intermediate Routing, CCNA 3, Chapter 6
www.ciscopress.com

Catalyst Switch Configuration

Introduction
• Switches are Layer 2 devices that serve as concentration points for the connection of workstations, servers, routers, hubs, and other switches
• Switches are multiport bridges that use a star topology
• Switches provide dedicated, point-to-point virtual circuits that make collisions unlikely
• New switches ship with factory defaults but normally need changes
• Switches can be configured from a command-line interface (CLI) or from a web-based interface
• Network engineers must be familiar with these switch configuration tasks:
  – Maintenance of the switch
  – Cisco IOS upgrades
  – Management of interfaces and switching tables
  – Password recovery

Starting the Switch

Physical Startup of the Catalyst Switch
• Most Catalyst switches have no power switch!
  – Simply plug in to start
• Before starting the switch, verify the following:
  – All network cables are secure
  – A terminal is connected to the console port
  – A console terminal application, such as HyperTerminal, is selected
• Steps in starting a switch (continued):
  – Attach the power cord to the switch
  – Observe the boot sequence
    • Look at the LEDs on the switch
    • Observe the Cisco IOS software output text on the console

Switch Port Types
• Switches in the Catalyst 2950 series have these characteristics:
  – 12-port, 24-port, or 48-port
  – All ports are FastEthernet
  – Optional uplink slots for copper or fiber Gigabit Interface Converter (GBIC) modules
• Asymmetrical switching
• Switches such as the Catalyst 3750 now include small-form-factor pluggable (SFP) slots, which are smaller than GBIC slots
Figure: Catalyst 2950 Switches Are Used at the Access Layer
Figure: The Four Slots on the Right of These Catalyst 3750 Switches Are SFP Slots

Switch LED Indicators
• The following LEDs are seen on the front of a Catalyst 2950 switch:
  – System LED
    • Tells whether the system is receiving power and functioning properly
  – Redundant Power Supply (RPS) LED
    • Indicates whether a redundant power supply is in use
  – Port Mode LEDs
  – Port Status LEDs
Figure: Catalyst 2950 Switches Have Four Types of LEDs
Figure: System LED and RPS LED
• After the power cable is connected, the switch runs a series of tests called the power-on self test (POST)
  – Runs automatically to verify that the switch functions correctly
  – The System LED indicates the status of the POST
    • System LED off while the switch is plugged in: the POST is running
    • System LED green: POST successful
    • System LED amber: POST failed (fatal error)
• Port Mode LEDs indicate the state of the Mode button
  – Press the Mode button repeatedly until the desired mode is selected
• Port Status LEDs indicate various port states
  – Their meaning depends on the value of the Port Mode LEDs
Figure: Catalyst 2950 Port Status LED Display Modes

Viewing Initial Bootup Output from the Switch
• Connect a computer's COM port to the switch's console port using a rollover cable
Figure: Console Connection to the Switch Is the Most Common Configuration Method
Viewing Initial Bootup Output from the Switch (continued)
• Start HyperTerminal on the computer
  – Choose the serial port
• Name the connection
• After selecting the COM port, click the OK button
  – Set up the parameters as shown in the figure
• Plug the switch into the wall outlet
• Initial bootup output should be displayed on the HyperTerminal screen
  – Contains details about POST status and switch hardware
  – After the POST status, a prompt to enter the initial configuration appears
    • Configure manually or with the System Configuration dialog
Figure: Hardware Platform and Flash Information Displayed During Bootup

Using the System Configuration Dialog
Figure: Using the System Configuration Dialog
Figure: Option to Use Config Generated by Setup

Logging on with the Switch CLI and Using the Help Facility
• The Cisco IOS software provides a CLI called the EXEC
  – Interprets commands that are entered and carries out the corresponding operations
• Two levels of access to the EXEC:
  – User mode: tasks that display switch status
    • Indicated by the > prompt
  – Privileged mode: ability to change the configuration of the switch
    • Indicated by the # prompt
• To change from user EXEC mode to privileged EXEC mode, use the enable command
  – The switch prompts for the enable password if one is configured
    • The password is not shown on screen as you type
    • If you configure the switch over a network via a modem or Telnet, the password is sent in clear text
• Privileged EXEC mode includes all commands from user EXEC mode, plus all the configuration commands
  – The configure command gives access to the other command modes
• Several types of command-line help:
  – Context-sensitive help: a list of commands and arguments associated with a specific command
  – Console error messages: problems with commands that were entered incorrectly
  – Command history buffer: recall of long or complex commands so they can be altered or corrected
• The question mark (?) can be used to get help
  – Two types of context-sensitive help with the ? command:
    • Word help: enter ? immediately after a character sequence (no space before the question mark) to list the commands that begin with that sequence
    • Command syntax help: enter ? in place of a keyword or argument (with a space before the question mark) to see how to complete a command

Configuring the Switch

Catalyst Switch Default Configuration
• Catalyst 2950 switches come with this default configuration:
  – IP address: 0.0.0.0
  – CDP: enabled
  – 100BASE-T ports: autonegotiate duplex mode
  – Spanning tree: enabled
  – Console password: none
  – Hostname: Switch
  – No passwords set on virtual terminal (VTY) lines
• The show running-config command displays the active configuration on the switch
  – Requires privileged EXEC mode access
Figure: Default Output for show running-config Command
• The show interface f0/2 command displays information about interface FastEthernet 0/2
  – Switch trunks and switch ports are both considered interfaces
  – Output varies, depending on the network for which you have configured an interface
Figure: Default f0/2 Settings
Figure: Nondefault f0/1 Settings
Figure: Fields in the show interface f0/1 Output
• VLAN membership is displayed using the show vlan command
• In the default configuration, all ports are in VLAN 1
  – VLAN 1 is the default management VLAN
• The flash directory has a file that contains the IOS image, a file called env_vars, and a subdirectory called html
• After switch configuration, two more files are added to the flash directory: config.txt and a VLAN database
Figure: Default Port VLAN Membership
Figure: Output of show flash
• Verify the IOS version and configuration register settings with the show version command
Figure: Fields in the show version Output

Basic Catalyst Switch Configuration
• Returning the switch to its default configuration:
  – Delete the VLAN database file, vlan.dat, from the flash directory
  – Erase the backup configuration file, startup-config
  – Restart the switch with the reload command
• One of the first tasks in configuring a switch is to name it
  – Lets you manage the network better by uniquely identifying each switch
  – The name of the switch is its hostname
  – The name is displayed at the system prompt
  – The switch name is assigned in global configuration mode
Figure: Configuring the Hostname and Line Passwords
• Assign an IP address to the switch
  – Makes it possible to connect remotely using Telnet or a web browser
• VLAN 1 is assigned the IP address
  – Use the no shutdown command to make the Switch Virtual Interface (SVI), VLAN 1, operational
  – Required if Simple Network Management Protocol (SNMP) is used to manage the switch
• Assign a default gateway to the switch using the ip default-gateway command
  – Allows access to other networks
Figure: Configuring the Switch for Management
• By default, VLAN 1 is the management VLAN
  – Use it to manage all the network devices on a network
  – All ports belong to VLAN 1
  – Remove access ports from VLAN 1 and place them in another VLAN
    • Allows VLAN management while keeping traffic from network hosts off the management VLAN
  – Use the no ip address configuration command to remove an IP address from VLAN 1 or to disable IP processing
• FastEthernet switch ports default to auto speed and auto duplex
  – Allows the interfaces to negotiate these settings
  – Can be manually configured
• A web browser can be used to configure the switch if the switch has an HTTP server running on port 80
Figure: Configuring HTTP Support
• The Cisco Virtual Switch Manager (CVSM) is a web-based graphical user interface (GUI) used to configure and monitor many Cisco switches, such as the Catalyst 2950
  – When the GUI is initialized by opening a browser with the switch's URL, an applet is downloaded to the switch
• Another GUI, Cisco Network Assistant (CNA), is also available, as is Cluster Management Suite (CMS)
• Special IOS images that include an additional HTML package are required to make CVSM and CNA work with switches

Duplex and Speed Configuration
• Half-duplex transmission mode implements CSMA/CD
  – A traditional shared LAN operates in half-duplex mode and is susceptible to collisions
• Full-duplex significantly improves network performance without installing new cabling
  – Can use point-to-point Ethernet, FastEthernet, and Gigabit Ethernet connections
  – Collision-free connections
• Full-duplex connections are point-to-point between switches and nodes, but not between shared hubs
  – Most NICs sold today offer full-duplex capability
  – In full-duplex mode, the collision detection circuit is disabled
  – Nodes that attach to hubs share their connection to a switch port and must operate in half-duplex mode
• Standard shared Ethernet uses 50 to 60% of the 10-Mbps bandwidth (5 to 6 Mbps)
• Full-duplex offers 100% of the bandwidth in both directions (10-Mbps transmit and 10-Mbps receive, for a total of 20 Mbps)
• Operation of half-duplex versus full-duplex:
  – Half-duplex relies on CSMA/CD
  – Half-duplex supports only unidirectional data flow
  – Half-duplex has a higher potential for collisions
  – Half-duplex involves the use of hubs
  – Full-duplex is point-to-point
  – Full-duplex requires full-duplex support on both ends
  – Full-duplex is collision free
  – Full-duplex has the collision detection circuit disabled
• Use the duplex {auto | full | half} interface configuration command to specify the duplex mode of switch ports
  – auto: autonegotiate the duplex mode
  – full: full-duplex mode
  – half: half-duplex mode
  – For FastEthernet and 10/100/1000 ports, the default is auto
  – For 100BASE-FX, the default is full
• Use the show interfaces command to verify duplex settings
• Autonegotiation can cause problems
  – Sometimes an attached device does not support autonegotiation and is operating in full-duplex mode
    • It is then necessary to manually configure the duplex mode
    • Check for FCS errors with the show interfaces command
  – It is critical that the setting on the switch is compatible with the setting on the NIC

Managing the MAC Address Table
• Switches use MAC address tables to forward traffic between ports
  – The tables include dynamic, permanent, and static addresses
    • Dynamic addresses: source MAC addresses that the switch learns and then drops when they are not refreshed and time out
      – Learned by examining the source MAC address of each frame received on each port
      – The MAC address and port number are added to the MAC address table
    • Permanent addresses: assigned by an administrator to a port
      – Reasons for assigning permanent addresses:
        » The MAC address will not age out
        » You must attach a server or user workstation to a specific port and you know its MAC address
        » Enhanced security
• The maximum size of the MAC address table varies between switches
  – Catalyst 2950: 8192 MAC addresses
  – When the table is full, traffic for new MAC addresses is flooded
• The show mac-address-table command, entered in privileged EXEC mode, displays the MAC addresses the switch has learned
• The clear mac-address-table command purges dynamically learned entries
Figure: Viewing the MAC Address Table
Figure: Clearing Dynamic Entries in the MAC Address Table
• The global configuration mode command mac address-table static mac-addr vlan vlan-id interface interface-id configures a static MAC address for a switch
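The following is an added example, not one of the textbook's figures and not Cisco documentation: a baseline Catalyst 2950 configuration session that carries out the steps from the Basic Catalyst Switch Configuration, Duplex and Speed Configuration, and Managing the MAC Address Table sections above. The hostname SW1, the 192.0.2.x addresses, the passwords, the MAC address 0000.5e00.5301 and the port numbers are constructed placeholders; VLAN 10 is assumed to already exist in the VLAN database, and the IOS release is assumed to support the interface range command.

```cisco
! Added example with constructed values; not the textbook's own configuration.
Switch> enable
Switch# configure terminal
! Name the switch; the hostname appears in the prompt from here on.
Switch(config)# hostname SW1
! Protect privileged EXEC with a hashed secret rather than a plaintext 'enable password'.
SW1(config)# enable secret Str0ngSecret!
! Obscure line passwords in 'show running-config' (reversible encoding, but better than plaintext).
SW1(config)# service password-encryption
! Console and VTY passwords; 'login' is what makes the line actually ask for one.
SW1(config)# line console 0
SW1(config-line)# password ConsolePass1
SW1(config-line)# login
SW1(config-line)# exec-timeout 5 0
SW1(config-line)# line vty 0 15
SW1(config-line)# password VtyPass1
SW1(config-line)# login
SW1(config-line)# exec-timeout 5 0
SW1(config-line)# exit
! Management SVI on VLAN 1 plus the default gateway (placeholder addresses).
SW1(config)# interface vlan 1
SW1(config-if)# ip address 192.0.2.10 255.255.255.0
SW1(config-if)# no shutdown
SW1(config-if)# exit
SW1(config)# ip default-gateway 192.0.2.1
! Keep user traffic off the management VLAN: move the access ports into VLAN 10.
SW1(config)# interface range fastethernet 0/2 - 24
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 10
SW1(config-if-range)# exit
! Uplink to a device that does not autonegotiate: fix speed and duplex on both ends.
SW1(config)# interface fastethernet 0/1
SW1(config-if)# description Uplink to distribution switch
SW1(config-if)# speed 100
SW1(config-if)# duplex full
SW1(config-if)# exit
! Pin a server's MAC address to one port so the entry never ages out (placeholder MAC).
SW1(config)# mac address-table static 0000.5e00.5301 vlan 10 interface fastethernet 0/3
! Leave the web interface off unless it is needed; plain HTTP carries credentials in clear text, like Telnet.
SW1(config)# no ip http server
SW1(config)# end
SW1# copy running-config startup-config
! Verification
SW1# show running-config
SW1# show interfaces fastethernet 0/1
SW1# show mac-address-table
SW1# show ip interface brief
```

After the uplink is forced to 100/full, the show interfaces fastethernet 0/1 counters are the place to confirm the other end agrees: a climbing FCS error or late-collision count on that port is the duplex mismatch the slides warn about.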
Figure: Statically Configuring a Port-to-MAC Mapping

Configuring Port Security
• Port security features can be used to restrict input on an interface
  – Limit and identify the MAC addresses of the stations allowed to access the port
  – The switch will not forward frames with source MAC addresses that are outside the group of defined addresses
  – Use the switchport port-security interface command without keywords to enable port security on an interface
  – Use the switchport port-security interface command with keywords to configure a secure MAC address, the maximum number of secure MAC addresses, or the violation mode
  – Use the no form of this command to disable port security or to set the parameters to their default state
• Full syntax for the switchport port-security interface mode command:
  switchport port-security [mac-address mac-address] | [mac-address sticky [mac-address]] | [maximum value] | [violation {protect | restrict | shutdown}]
Figure: Port Security Options
• A port must be in access mode to enable port security, and port security is disabled by default
• Methods by which secure addresses can be added to the table after the maximum number of allowed MAC addresses is set:
  – Manually configure all the addresses
  – Allow the port to dynamically configure all the addresses
  – Configure some MAC addresses and allow the rest to be dynamically learned
• An interface can be configured to convert dynamic MAC addresses to sticky secure MAC addresses and add them to the running configuration by enabling sticky learning:
  – Enter the switchport port-security mac-address sticky interface configuration command
    • Converts all dynamically learned addresses to sticky secure addresses
• Sticky MAC addresses do not automatically become part of the configuration file
  – You must save the configuration file, or the addresses will have to be learned again the next time the switch is restarted
  – Disabling sticky learning converts the sticky secure MAC addresses to dynamic secure addresses and removes them from the configuration file
  – A secure port can have from 1 to 132 associated secure addresses; no more than 1024 on the switch in total
• Security violation situations:
  – The maximum number of secure MAC addresses has been added to the address table, and a station whose MAC address is not in the table attempts to access the interface
  – An address learned or configured on one secure interface is seen on another secure interface in the same VLAN
Figure: Port Security Keyword Options
• An address violation occurs when:
  – A secured port receives an address that has been assigned to another secured port
  – A port tries to learn an address that exceeds its address table size limit
    • Set with the switchport port-security maximum command
Figure: Configuring Port Security
Figure: show port-security Keyword Options
• Use the show port-security address command to display the MAC addresses for all ports
• Use the show port-security command without keywords to display the port security settings for the switch
Figure: Verifying Port Security
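An added example (not a figure from the textbook, not Cisco's documentation) of the port security procedure just described: one port secured with sticky learning, one with a statically configured address, the verification commands, and the recovery of a port that a violation has err-disabled. The hostname SW1, the port numbers and the MAC address 0000.5e00.5302 are constructed placeholders. The behaviour noted for the three violation modes is general Catalyst IOS behaviour, not something the slides state.

```cisco
! Added example with constructed values; not the textbook's own configuration.
SW1# configure terminal
! Port security requires access mode and is off by default.
SW1(config)# interface fastethernet 0/5
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security
! One station per port: the first address seen is the only one allowed ...
SW1(config-if)# switchport port-security maximum 1
! ... and sticky learning writes that address into the running configuration.
SW1(config-if)# switchport port-security mac-address sticky
! shutdown: err-disable the port on a violation (this is also the default mode);
! restrict: drop offending frames and count them; protect: drop them silently.
SW1(config-if)# switchport port-security violation shutdown
SW1(config-if)# exit
! A port whose station's MAC address is known in advance gets a static secure address instead.
SW1(config)# interface fastethernet 0/6
SW1(config-if)# switchport mode access
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security maximum 1
SW1(config-if)# switchport port-security mac-address 0000.5e00.5302
SW1(config-if)# switchport port-security violation restrict
SW1(config-if)# end
! Sticky addresses survive a reload only if the configuration is saved.
SW1# copy running-config startup-config
! Verification: switch-wide summary, per-port detail, and the secure address table.
SW1# show port-security
SW1# show port-security interface fastethernet 0/5
SW1# show port-security address
! Recovering a port that a violation err-disabled, once the offending device is gone:
SW1# configure terminal
SW1(config)# interface fastethernet 0/5
SW1(config-if)# shutdown
SW1(config-if)# no shutdown
SW1(config-if)# end
```

In the show port-security interface output the fields to read are the port status (Secure-up versus Secure-shutdown), the violation count, and the last source address seen; a non-zero violation count with restrict mode is the signal that an unexpected station is plugged into that port.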
Executing Adds, Moves, and Changes
• To add a new MAC address on an access switch that connects a workstation to the network:
  – Configure port security
  – Configure the MAC address on the port allocated for the new interface so that the first MAC address seen on the port is the only address permitted
• To delete a MAC address on an access switch that connects a workstation to the network, remove the MAC address restrictions from the port
• To move a MAC address from one access switch to another:
  – Add the MAC address to the new physical port
  – On the new access switch, configure port security
  – On the new access switch, configure the MAC address on the port allocated for the new user
  – When all security is in place in the new location, shut down the old port and remove any MAC restrictions; remove any old access lists from the original access switch
• If an Ethernet NIC fails, installing a new NIC changes the MAC address of the workstation
  – With port security, the new NIC has no connectivity because of the now-incorrect MAC address
  – Remove the old MAC address from the security on the port and add the new MAC address
• To add a new switch to a network:
  – Configure the switch name, IP address, and default gateway
  – Configure administrative access for the console, auxiliary, and VTY lines as appropriate
  – Configure security for the device (user EXEC and privileged EXEC levels)
  – Configure access switch ports as necessary
  – To ensure the switch does not become the root of the spanning tree, increase the priority value
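An added example, not from the textbook or from Cisco, of the three change procedures above on ports that already have port security: replacing a failed NIC, moving a user from one access switch to another in the order the slides give (secure the new port first, then decommission the old one), and raising the spanning-tree priority of a newly added switch. SW1, SW2, SW3, the port numbers and the MAC address 0000.5e00.5301 are constructed placeholders; the old address is assumed to have been learned as a sticky secure address.

```cisco
! Added example with constructed values; not the textbook's own configuration.
! 1. NIC replacement on SW1 Fa0/5: the sticky address no longer matches the workstation.
SW1# show port-security interface fastethernet 0/5
SW1# configure terminal
SW1(config)# interface fastethernet 0/5
! Drop the old address (placeholder) so the replacement NIC's address can be learned.
SW1(config-if)# no switchport port-security mac-address sticky 0000.5e00.5301
! Clear the err-disabled state the violation caused, if any.
SW1(config-if)# shutdown
SW1(config-if)# no shutdown
SW1(config-if)# end
! The new address is learned as soon as the station sends a frame; confirm, then save.
SW1# show port-security address
SW1# copy running-config startup-config

! 2. Moving a user from SW1 Fa0/5 to SW2 Fa0/10: secure the new port first ...
SW2# configure terminal
SW2(config)# interface fastethernet 0/10
SW2(config-if)# switchport mode access
SW2(config-if)# switchport port-security
SW2(config-if)# switchport port-security maximum 1
SW2(config-if)# switchport port-security mac-address 0000.5e00.5301
SW2(config-if)# switchport port-security violation shutdown
SW2(config-if)# end
SW2# copy running-config startup-config
! ... then shut the old port and strip its MAC restrictions so nothing stale is left behind.
SW1# configure terminal
SW1(config)# interface fastethernet 0/5
SW1(config-if)# shutdown
SW1(config-if)# no switchport port-security mac-address sticky 0000.5e00.5301
SW1(config-if)# no switchport port-security
SW1(config-if)# end
SW1# copy running-config startup-config

! 3. New access switch SW3: a priority higher than the default 32768 keeps it from
!    winning the root election (the value must be a multiple of 4096 on newer IOS).
SW3# configure terminal
SW3(config)# spanning-tree vlan 1 priority 61440
SW3(config)# end
SW3# copy running-config startup-config
```

Leaving the old port shut down, rather than merely unsecured, is the cheaper check: an unused access port that is administratively down cannot be borrowed by whoever next finds a free wall jack.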
Managing Switch Configuration Files
• The switch configuration file is erased with the erase startup-config privileged EXEC command
  – Clears non-volatile RAM (NVRAM): RAM that retains its contents when powered off
• Back up the most current configuration file on a server or disc
  – Essential for documentation
  – On the Catalyst 2950, use the copy nvram:startup-config tftp command to upload the configuration file to a TFTP server
• Steps to upload a configuration file from a switch to a TFTP server:
  – Verify that the TFTP server is accessible (ping it) and properly configured
  – Log in to the switch through a console port or Telnet session
  – Upload the switch configuration to the TFTP server, using the IP address or hostname of the TFTP server and the destination filename
    • Use one of these commands:
      copy system:running-config tftp:[[[//location]/directory]/filename]
      copy nvram:startup-config tftp:[[[//location]/directory]/filename]
Figure: Saving Configuration Files

Password Recovery
• For security and management purposes, passwords must be set on the console and VTY lines
  – Ensures only authorized access
• Sometimes you have physical access to a switch but don't know the password
  – Follow the password recovery procedures, such as: http://www.cisco.com/en/US/products/hw/switches/ps628/prod_password_recoveries_list.html

Upgrading the Cisco IOS Image
• IOS images are replaced because:
  – Bugs are fixed
  – New features are made available
  – Performance improvements are made
• If the network can be made more secure or operate more efficiently, upgrade the IOS
• To upgrade, log on to cisco.com and download a copy of the new image to your local TFTP server

Summary
• Switches are similar to routers
  – They have basic computer components such as CPUs, RAM, and an operating system
  – Ports are used to connect hosts and for management
  – LEDs on the front of the switch show system status, RPS, port mode, and port status
  – When powered on, a switch performs a POST automatically to verify that it functions correctly
  – Use HyperTerminal to configure or check the status of a switch
  – Switches use a CLI
  – A question mark (?) is used to access help
    • Word help and syntax help are available
  – Command modes:
    • User EXEC mode: the prompt is a greater-than character (>)
    • Privileged EXEC mode: the prompt is a pound character (#)
    • Password protect both modes
    • The configure command allows use of the other command modes
• Switches use default data when powered up for the first time
  – show running-config and show interfaces display the factory default settings
  – Assign an IP address for management purposes
  – The show version command verifies the IOS version and the configuration register settings
• After an IP address and default gateway are configured, a switch can be accessed with a web-based interface on port 80, if the HTTP server has been enabled on the switch
• The duplex command is used to configure interface duplex options
• Troubleshooting issues with switches usually pertain to speed or duplex misconfigurations
• A switch dynamically learns and maintains thousands of MAC addresses
  – If frames associated with a previously learned MAC address are not received, the entry is automatically aged out or discarded after 300 seconds
  – The clear mac-address-table command manually clears the address tables
• A MAC address permanently assigned to an interface will not age out
  – Security is enhanced
• To configure a static MAC address: mac address-table static mac-addr vlan vlan-id interface interface-id
  – Use the no form of the command to remove it
• Port security provides a basic level of security
  – Restricts access based on MAC address or an allowable maximum number of MAC addresses
• To verify port security, use these commands:
  – show port-security
  – show port-security address
  – show port-security interface
• On a new switch added to a network, configure:
  – Switch name
  – IP address and default gateway
  – Line passwords
• When you move a switch or host from one port to another, remove configurations that can cause unexpected behavior
• Maintain documentation and do backups to a server
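An added example (not a figure from the textbook, not Cisco documentation) covering the Managing Switch Configuration Files section and the summary's closing point on backups: uploading both configuration files to a TFTP server, restoring one, and the three-step return to factory defaults. The hostname SW1, the TFTP server address 192.0.2.50 and the file names are constructed placeholders.

```cisco
! Added example with constructed values; not the textbook's own configuration.
! Confirm the TFTP server is reachable before relying on it.
SW1# ping 192.0.2.50
! Back up the active and the saved configuration under distinct names.
SW1# copy system:running-config tftp://192.0.2.50/SW1-running.cfg
SW1# copy nvram:startup-config tftp://192.0.2.50/SW1-startup.cfg
! Record image, configuration register and flash contents alongside the backup.
SW1# show version
SW1# show flash
! Restore: a copy into running-config is merged with what is already there, so save it afterwards.
SW1# copy tftp://192.0.2.50/SW1-startup.cfg system:running-config
SW1# copy running-config startup-config
! Return to factory defaults (for example before the switch is redeployed):
! remove the VLAN database, erase the saved configuration, then reload.
SW1# delete flash:vlan.dat
SW1# erase startup-config
SW1# reload
```

The backup files hold the enable secret hash and the type 7 line passwords, and TFTP itself has no authentication or encryption, so the server should accept writes only from the management VLAN and the files should be treated with the same care as the switch console. Note also that after erase startup-config the switch still runs its current configuration until the reload; only then does the setup prompt reappear.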