2 Basic Switch Concepts and Configuration

2.0 Chapter Introduction

2.0.1 Chapter Introduction

Page 1:
In this chapter, you will build upon the skills learned in CCNA Exploration 4.0: Network Fundamentals, reviewing and reinforcing these skills with in-depth practice activities. You will learn about some key malicious threats to switches and learn to enable a switch with a secure initial configuration.


2.0.1 - Chapter Introduction
The diagram depicts the chapter objectives:
- Summarize the operation of Ethernet as defined for 100/1000 Mb/s LANs in the IEEE 802.3 standard.
- Explain the functions that enable a switch to forward Ethernet frames in a LAN.
- Configure a switch for operation in a network designed to support voice, video, and data transmissions.
- Configure basic security on a switch that will operate in a network designed to support voice, video, and data transmissions.


2.1 Introduction to Ethernet/802.3 LANs

2.1.1 Key Elements of Ethernet/802.3 Networks

Page 1:
In this topic, you will learn about key components of the Ethernet standard that play a significant role in the design and implementation of switched networks. You will explore how Ethernet communications function and how switches play a role in the communication process.

CSMA/CD

Ethernet signals are transmitted to every host connected to the LAN using a special set of rules to determine which station can access the network. The set of rules that Ethernet uses is based on the IEEE carrier sense multiple access/collision detect (CSMA/CD) technology. You may recall from CCNA Exploration: Networking Fundamentals that CSMA/CD is only used with half-duplex communication typically found in hubs. Full-duplex switches do not use CSMA/CD.

Carrier Sense

In the CSMA/CD access method, all network devices that have messages to send must listen before transmitting.

If a device detects a signal from another device, it waits for a specified amount of time before attempting to transmit.

When there is no traffic detected, a device transmits its message. While this transmission is occurring, the device continues to listen for traffic or collisions on the LAN. After the message is sent, the device returns to its default listening mode.

Multi-access

If the distance between devices is such that the latency of the signals of one device means that signals are not detected by a second device, the second device may also start to transmit. The media now has two devices transmitting signals at the same time. The messages propagate across the media until they encounter each other. At that point, the signals mix and the messages are destroyed, a collision has occurred. Although the messages are corrupted, the jumble of remaining signals continues to propagate across the media.

Collision Detection

When a device is in listening mode, it can detect when a collision occurs on the shared media, because all devices can detect an increase in the amplitude of the signal above the normal level.

When a collision occurs, the other devices in listening mode, as well as all the transmitting devices, detect the increase in the signal amplitude. Every device that is transmitting continues to transmit to ensure that all devices on the network detect the collision.

Jam Signal and Random Backoff

When a collision is detected, the transmitting devices send out a jamming signal. The jamming signal notifies the other devices of a collision, so that they invoke a backoff algorithm. This backoff algorithm causes all devices to stop transmitting for a random amount of time, which allows the collision signals to subside.

After the delay has expired on a device, the device goes back into the "listening before transmit" mode. A random backoff period ensures that the devices that were involved in the collision do not try to send traffic again at the same time, which would cause the whole process to repeat. However, during the backoff period, a third device may transmit before either of the two involved in the collision have a chance to re-transmit.



2.1.1 - Key Elements of Ethernet/802.3 Networks
The animation depicts the operation of Media Access Control (MAC) in Ethernet using Carrier Sense Multiple Access Collision Detection (CSMA/CD).

Network Topology:
Four PCs, A, B, C, and D, are connected to an Ethernet bus type network cable.

Carrier Sense and Collision Detection Operation:
One. PC C listens before transmitting. It is monitoring the media for traffic.
Two. PC C detects (or senses) a carrier signal (digital sawtooth wave).
Three. PC C waits for a specified time after the signal passes. It will try again later.
Four. PC C listens again before transmitting. It is monitoring the media for traffic.
Five. PC C detects no carrier signal. The computer transmits.
Six. PC A and PC D listen before transmitting. They are monitoring the media for traffic.
Seven. No carrier signal is detected. Both computers transmit.
Eight. A collision occurs as a result of the signal from PC A and PC D.
Nine. PC A and PC D issue a jam signal.
Ten. PC A and PC D start a backoff timer and will try again later.


Page 2:
Ethernet Communications

Reference the selected Ethernet Communications area in the figure.

Communications in a switched LAN network occur in three ways: unicast, broadcast, and multicast:

Unicast: Communication in which a frame is sent from one host and addressed to one specific destination. In unicast transmission, there is just one sender and one receiver. Unicast transmission is the predominant form of transmission on LANs and within the Internet. Examples of protocols that use unicast transmissions include HTTP, SMTP, FTP, and Telnet.

Broadcast: Communication in which a frame is sent from one address to all other addresses. In this case, there is just one sender, but the information is sent to all connected receivers. Broadcast transmission is essential when sending the same message to all devices on the LAN. An example of a broadcast transmission is the address resolution query that the address resolution protocol (ARP) sends to all computers on a LAN.

Multicast: Communication in which a frame is sent to a specific group of devices or clients. Multicast transmission clients must be members of a logical multicast group to receive the information. An example of multicast transmission is the video and voice transmissions associated with a network-based, collaborative business meeting.

Ethernet Frame


The first course in our series, CCNA Exploration: Networking Fundamentals, described the structure of the Ethernet frame in detail. To briefly review, the Ethernet frame structure adds headers and trailers around the Layer 3 PDU to encapsulate the message being sent. Both the Ethernet header and trailer have several sections (or fields) of information that are used by the Ethernet protocol. The figure shows the structure of the current Ethernet frame standard, the revised IEEE 802.3 (Ethernet).


Preamble and Start Frame Delimiter Fields

The Preamble (7 bytes) and Start Frame Delimiter (SFD) (1 byte) fields are used for synchronization between the sending and receiving devices. These first 8 bytes of the frame are used to get the attention of the receiving nodes. Essentially, the first few bytes tell the receivers to get ready to receive a new frame.

Destination MAC Address Field

The Destination MAC Address field (6 bytes) is the identifier for the intended recipient. This address is used by Layer 2 to assist a device in determining if a frame is addressed to it. The address in the frame is compared to the MAC address in the device. If there is a match, the device accepts the frame.

Source MAC Address Field

The Source MAC Address field (6 bytes) identifies the frame's originating NIC or interface. Switches use this address to add to their lookup tables.

Length/Type Field

The Length/Type field (2 bytes) defines the exact length of the frame's data field. This field is used later as part of the Frame Check Sequence (FCS) to ensure that the message was received properly. Only a frame length or a frame type can be entered here. If the purpose of the field is to designate a type, the Type field describes which protocol is implemented. When a node receives a frame and the Length/Type field designates a type, the node determines which higher layer protocol is present. If the two-octet value is equal to or greater than 0x0600 hexadecimal or 1536 decimal, the contents of the Data Field are decoded according to the protocol indicated; if the two-byte value is less than 0x0600 then the value represents the length of the data in the frame.

Data and Pad Fields

The Data and Pad fields (46 to 1500 bytes) contain the encapsulated data from a higher layer, which is a generic Layer 3 PDU, or more commonly, an IPv4 packet. All frames must be at least 64 bytes long (the minimum length aids the detection of collisions). If a small packet is encapsulated, the Pad field is used to increase the size of the frame to the minimum size.

Frame Check Sequence Field

The FCS field (4 bytes) detects errors in a frame. It uses a cyclic redundancy check (CRC). The sending device includes the results of a CRC in the FCS field of the frame. The receiving device receives the frame and generates a CRC to look for errors. If the calculations match, no error has occurred. If the calculations do not match, the frame is dropped.

MAC Address


In CCNA Exploration: Networking Fundamentals, you learned about the MAC address. An Ethernet MAC address is a two-part 48-bit binary value expressed as 12 hexadecimal digits. The address formats might be similar to 00-05-9A-3C-78-00, 00:05:9A:3C:78:00, or 0005.9A3C.7800.

All devices connected to an Ethernet LAN have MAC-addressed interfaces. The NIC uses the MAC address to determine if a message should be passed to the upper layers for processing. The MAC address is permanently encoded into a ROM chip on a NIC. This type of MAC address is referred to as a burned in address (BIA). Some vendors allow local modification of the MAC address. The MAC address is made up of the organizational unique identifier (OUI) and the vendor assignment number.


Organizational Unique Identifier

The OUI is the first part of a MAC address. It is 24 bits long and identifies the manufacturer of the NIC card. The IEEE regulates the assignment of OUI numbers. Within the OUI, there are 2 bits that have meaning only when used in the destination address, as follows:

Broadcast or multicast bit: Indicates to the receiving interface that the frame is destined for all or a group of end stations on the LAN segment.

Locally administered address bit: If the vendor-assigned MAC address can be modified locally, this bit should be set.

Vendor Assignment Number

The vendor-assigned part of the MAC address is 24 bits long and uniquely identifies the Ethernet hardware. It can be a BIA or modified by software indicated by the local bit.


2.1.1 - Key Elements of Ethernet/802.3 Networks
The diagram depicts the three ways Ethernet communication occurs in a switched LAN network: unicast, broadcast, and multicast. The format of the Ethernet frame and the MAC address are also presented.

Ethernet Communication:
Unicast: One sender and one receiver.
Broadcast: One sender to all other addresses.
Multicast: One sender to a group of addresses.

Ethernet Frame:
The diagram shows the IEEE 802.3 Ethernet frame format fields:
- Seven byte frame preamble
- One byte start of frame delimiter
- Six byte destination MAC address
- Six byte source MAC address
- Two byte frame length of encapsulated protocol type
- 46 to 1500 byte data (encapsulated packet) plus padding if required
- Four byte frame check sequence (CRC checksum)


MAC Address:
Diagram shows MAC address fields:
- Broadcast: The broadcast bit indicates to the receiving interface that the frame is destined for all or a group of end stations on the LAN segment.
- Local: The local bit indicates if the 24-bit vendor number can be modified locally.
- OUI number: The OUI number is 22 bits long. It is assigned by the IEEE, and it identifies the manufacturer of the NIC.
- OUI: The OUI is 24 bits long and is made up of the broadcast, local, and OUI number fields.
- Vendor number (vendor assignment): The vendor assignment part of the MAC address is a 24 bit long number that uniquely identifies the Ethernet hardware.
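The frame and MAC address fields described above, walked in code. This is an added example, not course material: it builds IEEE 802.3 frames with the minimum-size padding, splits Length from Type at the 0x0600 boundary, verifies the CRC-32 FCS the way a receiving NIC does, and reads the broadcast/multicast and locally administered bits out of the OUI. The sample addresses and payloads are constructed; the FCS is appended least-significant byte first, as on the wire.

```python
import struct
import zlib
from dataclasses import dataclass

# Field sizes and constants from the IEEE 802.3 frame layout described above.
PREAMBLE = b"\xaa" * 7          # 7 bytes of 10101010 for receiver synchronisation
SFD = b"\xab"                   # Start Frame Delimiter, 10101011
MIN_FRAME = 64                  # minimum size from destination MAC through FCS
ETHERTYPE_THRESHOLD = 0x0600    # >= 0x0600 (1536): Type; below: Length
BROADCAST = b"\xff" * 6


def fcs(body: bytes) -> bytes:
    """CRC-32 over destination MAC .. data/pad, appended LSB first as on the wire."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, length_or_type: int, payload: bytes) -> bytes:
    """Assemble a frame, padding short payloads so the frame reaches 64 bytes."""
    if length_or_type < ETHERTYPE_THRESHOLD and length_or_type != len(payload):
        raise ValueError("802.3 Length field must equal the payload length")
    body = dst + src + struct.pack("!H", length_or_type) + payload
    body += b"\x00" * max(0, MIN_FRAME - 4 - len(body))   # Pad field
    return PREAMBLE + SFD + body + fcs(body)


def mac_info(mac: bytes) -> dict:
    """Split a 48-bit MAC into OUI / vendor part and decode the two OUI flag bits."""
    first = mac[0]
    return {
        "oui": mac[:3].hex().upper(),               # IEEE-assigned manufacturer part
        "vendor_assigned": mac[3:].hex().upper(),   # 24-bit vendor assignment number
        "group": bool(first & 0x01),                # broadcast/multicast bit
        "local": bool(first & 0x02),                # locally administered bit
        "broadcast": mac == BROADCAST,
    }


@dataclass
class Frame:
    dst: bytes
    src: bytes
    length_or_type: int
    kind: str          # "length" (802.3) or "type" (Ethernet II)
    data: bytes
    pad: int           # pad bytes identified (only knowable for length-framed data)
    fcs_ok: bool


def parse_frame(wire: bytes) -> Frame:
    """Parse preamble..FCS and report whether the receiver would keep the frame."""
    if wire[:8] != PREAMBLE + SFD:
        raise ValueError("missing preamble/SFD")
    frame = wire[8:]
    if len(frame) < MIN_FRAME:
        raise ValueError("runt frame (collision fragment or corrupted)")
    body, received_fcs = frame[:-4], frame[-4:]
    dst, src = body[:6], body[6:12]
    (lt,) = struct.unpack("!H", body[12:14])
    rest = body[14:]
    if lt >= ETHERTYPE_THRESHOLD:
        # Type frame: pad is indistinguishable from data at Layer 2; hand all of it up.
        kind, data, pad = "type", rest, 0
    else:
        kind, data, pad = "length", rest[:lt], len(rest) - lt
    # A receiver recomputes the CRC and drops the frame on mismatch.
    return Frame(dst, src, lt, kind, data, pad, fcs(body) == received_fcs)


def demo() -> dict:
    """Constructed sample: a broadcast ARP-style Type frame and a short 802.3 Length frame."""
    pc1 = bytes.fromhex("00059a3c7800")            # the address format shown above
    arp = build_frame(BROADCAST, pc1, 0x0806, b"\x00" * 28)
    short = build_frame(pc1, pc1, 10, b"\x11" * 10)
    damaged = bytearray(arp)
    damaged[15] ^= 0xFF                            # corrupt one byte of the source MAC
    return {
        "arp": parse_frame(arp),
        "short": parse_frame(short),
        "damaged": parse_frame(bytes(damaged)),
        "len": (len(arp), len(short)),
    }
```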


Page 3:
Duplex Settings

There are two types of duplex settings used for communications on an Ethernet network: half duplex and full duplex. The figure shows the two duplex settings available on modern network equipment.

Half Duplex: Half-duplex communication relies on unidirectional data flow where sending and receiving data are not performed at the same time. This is similar to how walkie-talkies or two-way radios function in that only one person can talk at any one time. If someone talks while someone else is already speaking, a collision occurs. As a result, half-duplex communication implements CSMA/CD to help reduce the potential for collisions and detect them when they do happen. Half-duplex communications have performance issues due to the constant waiting, because data can only flow in one direction at a time. Half-duplex connections are typically seen in older hardware, such as hubs. Nodes that are attached to hubs that share their connection to a switch port must operate in half-duplex mode because the end computers must be able to detect collisions. Nodes can operate in a half-duplex mode if the NIC card cannot be configured for full duplex operations. In this case the port on the switch defaults to a half-duplex mode as well. Because of these limitations, full-duplex communication has replaced half duplex in more current hardware.

Full Duplex: In full-duplex communication, data flow is bidirectional, so data can be sent and received at the same time. The bidirectional support enhances performance by reducing the wait time between transmissions. Most Ethernet, Fast Ethernet, and Gigabit Ethernet NICs sold today offer full-duplex capability. In full-duplex mode, the collision detect circuit is disabled. Frames sent by the two connected end nodes cannot collide because the end nodes use two separate circuits in the network cable. Each full-duplex connection uses only one port. Full-duplex connections require a switch that supports full duplex or a direct connection between two nodes that each support full duplex. Nodes that are directly attached to a dedicated switch port with NICs that support full duplex should be connected to switch ports that are configured to operate in full-duplex mode.

Standard, shared hub-based Ethernet configuration efficiency is typically rated at 50 to 60 percent of the 10-Mb/s bandwidth. Full-duplex Fast Ethernet, compared to 10-Mb/s bandwidth, offers 100 percent efficiency in both directions (100-Mb/s transmit and 100-Mb/s receive).


2.1.1 - Key Elements of Ethernet/802.3 Networks
The diagram depicts the two types of duplex settings used for communications on an Ethernet network: half duplex and full duplex.

Half Duplex (CSMA/CD):
Diagram: Four PCs connected to a hub. The hub connects to a switch.
- Unidirectional data flow.
- Higher potential for collision.
- Hub connectivity.

Full Duplex:
Diagram: One server connected to a switch, which connects to another switch.
- Point to point only.
- Attached to dedicated switched port.
- Requires full duplex support on both ends.
- Collision free.
- Collision-detect circuit disabled.


Page 4:
Switch Port Settings

A port on a switch needs to be configured with duplex settings that match the media type. Later in this chapter, you will configure duplex settings. The Cisco Catalyst switches have three settings:

  • The auto option sets autonegotiation of duplex mode. With autonegotiation enabled, the two ports communicate to decide the best mode of operation.
  • The full option sets full-duplex mode.
  • The half option sets half-duplex mode.

For Fast Ethernet and 10/100/1000 ports, the default is auto. For 100BASE-FX ports, the default is full. The 10/100/1000 ports operate in either half- or full-duplex mode when they are set to 10 or 100 Mb/s, but when set to 1,000 Mb/s, they operate only in full-duplex mode.

Note: Autonegotiation can produce unpredictable results. By default, when autonegotiation fails, the Catalyst switch sets the corresponding switch port to half-duplex mode. This type of failure happens when an attached device does not support autonegotiation. If the device is manually configured to operate in half-duplex mode, it matches the default mode of the switch. However, autonegotiation errors can happen if the device is manually configured to operate in full-duplex mode. Having half-duplex on one end and full-duplex on the other causes late collision errors at the half-duplex end. To avoid this situation, manually set the duplex parameters of the switch to match the attached device. If the switch port is in full-duplex mode and the attached device is in half-duplex mode, check for FCS errors on the switch full-duplex port.

auto-MDIX

Connections between specific devices, such as switch-to-switch or switch-to-router, once required the use of certain cable types (cross-over, straight-through). Instead, you can now use the mdix auto interface configuration command in the CLI to enable the automatic medium-dependent interface crossover (auto-MDIX) feature.

When the auto-MDIX feature is enabled, the switch detects the required cable type for copper Ethernet connections and configures the interfaces accordingly. Therefore, you can use either a crossover or a straight-through cable for connections to a copper 10/100/1000 port on the switch, regardless of the type of device on the other end of the connection.

The auto-MDIX feature is enabled by default on switches running Cisco IOS Release 12.2(18)SE or later. For releases between Cisco IOS Release 12.1(14)EA1 and 12.2(18)SE, the auto-MDIX feature is disabled by default.


2.1.1 - Key Elements of Ethernet/802.3 Networks
The diagram depicts the options for switch port settings. Ports on a Cisco Catalyst 2960 Series switch can be configured with these settings:
- Auto option allows the two ports to communicate to decide the mode.
- Full option sets full-duplex mode.
- Half option sets half-duplex mode.


Page 5:
MAC Addressing and Switch MAC Address Tables

Switches use MAC addresses to direct network communications through their switch fabric to the appropriate port toward the destination node. The switch fabric is the integrated circuits and the accompanying machine programming that allows the data paths through the switch to be controlled. For a switch to know which port to use to transmit a unicast frame, it must first learn which nodes exist on each of its ports.

A switch determines how to handle incoming data frames by using its MAC address table. A switch builds its MAC address table by recording the MAC addresses of the nodes connected to each of its ports. Once a MAC address for a specific node on a specific port is recorded in the address table, the switch then knows to send traffic destined for that specific node out the port mapped to that node for subsequent transmissions.

When an incoming data frame is received by a switch and the destination MAC address is not in the table, the switch forwards the frame out all ports, except for the port on which it was received. When the destination node responds, the switch records the node's MAC address in the address table from the frame's source address field. In networks with multiple interconnected switches, the MAC address tables record multiple MAC addresses for the ports connecting the switches, which reflect the nodes beyond. Typically, switch ports used to interconnect two switches have multiple MAC addresses recorded in the MAC address table.


The following describes this process:

Step 1. The switch receives a broadcast frame from PC 1 on Port 1.

Step 2. The switch enters the source MAC address and the switch port that received the frame into the address table.

Step 3. Because the destination address is a broadcast, the switch floods the frame to all ports, except the port on which it received the frame.

Step 4. The destination device replies to the broadcast with a unicast frame addressed to PC 1.

Step 5. The switch enters the source MAC address of PC 2 and the port number of the switch port that received the frame into the address table. The destination address of the frame and its associated port is found in the MAC address table.

Step 6. The switch can now forward frames between source and destination devices without flooding, because it has entries in the address table that identify the associated ports.


2.1.1 - Key Elements of Ethernet/802.3 Networks
The diagram depicts how a switch builds its MAC address table.

Network Topology:
Two PCs, PC1 and PC2, are connected to Ethernet switch S1. PC1 is connected to S1 Port 1. No PC is connected to S1 Port 2, and PC2 is connected to S1 Port 3.

Step One: The switch receives a frame destined for PC2 on Port 1 from PC1.
Step Two: The switch enters the source MAC address and the switch port that receives the frame into the MAC table.
MAC Table:
Port 1: MAC PC1.
Port 2: Empty.
Port 3: Empty.
Step Three: Because the destination address is a broadcast, the switch floods the frame to all ports, except the port on which it received the frame.
MAC Table:
Port 1: MAC PC1.
Port 2: Empty.
Port 3: Empty.
Step Four: The destination device (PC2) replies to the broadcast with a unicast frame addressed to PC1.
Step Five: The switch enters the source MAC address of PC2 and the port number of the switch port that received the frame into the MAC table. The destination address of the frame and its associated port is found in the MAC table.
MAC Table:
Port 1: MAC PC1.
Port 2: Empty.
Port 3: MAC PC2.
Step Six: The switch can now forward frames between source and destination devices without flooding, because it has entries in the MAC table that identify the associated ports.
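The six learning and forwarding steps above, simulated on a three-port switch. This is an added example, not course material: the table is populated only from the source address of arriving frames, broadcast and unknown-unicast frames are flooded out every port except the ingress port, and known unicast frames go out the learned port. The MAC addresses are constructed; the port-move log is an assumption of this example, a signal a switch operator would watch since a learned address that changes ports is the same event whether a host moved or another station is claiming its address.

```python
from __future__ import annotations
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group(mac: str) -> bool:
    """Broadcast/multicast bit: lowest bit of the first octet of the destination."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class Switch:
    ports: list[int]
    mac_table: dict[str, int] = field(default_factory=dict)  # MAC -> port learned on
    events: list[str] = field(default_factory=list)          # assumed: port-move log

    def receive(self, frame: Frame, in_port: int) -> list[int]:
        """Learn from the source address, then return the list of egress ports."""
        # Learning (steps 2 and 5): the table is built purely from the source
        # field of arriving frames; nothing verifies that the sender owns it.
        previous = self.mac_table.get(frame.src)
        self.mac_table[frame.src] = in_port
        if previous is not None and previous != in_port:
            self.events.append(f"{frame.src} moved port {previous} -> {in_port}")
        # Forwarding decision
        if frame.dst == BROADCAST or is_group(frame.dst):
            # Broadcast (step 3) and, absent multicast snooping, multicast: flood
            return [p for p in self.ports if p != in_port]
        out_port = self.mac_table.get(frame.dst)
        if out_port is None:
            # Unknown unicast: flood out every port except the ingress port
            return [p for p in self.ports if p != in_port]
        if out_port == in_port:
            return []  # destination is on the ingress segment; nothing to forward
        return [out_port]  # step 6: known destination, no flooding


def walkthrough() -> tuple[list[int], list[int], list[int], dict[str, int]]:
    """The six-step sequence from the text on switch S1 (addresses constructed)."""
    s1 = Switch(ports=[1, 2, 3])
    pc1, pc2 = "00:05:9a:3c:78:01", "00:05:9a:3c:78:02"
    steps_1_3 = s1.receive(Frame(src=pc1, dst=BROADCAST), in_port=1)  # learn PC1, flood
    steps_4_5 = s1.receive(Frame(src=pc2, dst=pc1), in_port=3)        # learn PC2, forward
    step_6 = s1.receive(Frame(src=pc1, dst=pc2), in_port=1)           # forward, no flood
    return steps_1_3, steps_4_5, step_6, dict(s1.mac_table)
```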


2.1.2 Design Considerations for Ethernet/802.3 Networks

Page 1:
In this topic, you will learn about the Ethernet design guidelines needed for interpreting hierarchical network designs for small and medium-sized businesses. This topic focuses on broadcast and collision domains and how they affect LAN designs.

Bandwidth and Throughput

A major disadvantage of Ethernet 802.3 networks is collisions. Collisions occur when two hosts transmit frames simultaneously. When a collision occurs, the transmitted frames are corrupted or destroyed. The sending hosts stop sending further transmissions for a random period, based on the Ethernet 802.3 rules of CSMA/CD.

Because Ethernet has no way of controlling which node will be transmitting at any time, we know that collisions will occur when more than one node attempts to gain access to the network. Ethernet's resolution for collisions does not occur instantaneously. Also, a node involved in a collision cannot start transmitting until the matter is resolved. As more devices are added to the shared media, the likelihood of collisions increases. Because of this, it is important to understand that when stating the bandwidth of the Ethernet network is 10 Mb/s, full bandwidth for transmission is available only after any collisions have been resolved. The net throughput of the port (the average data that is effectively transmitted) will be considerably reduced as a function of how many other nodes want to use the network. A hub offers no mechanisms to either eliminate or reduce these collisions, and the available bandwidth that any one node has to transmit is correspondingly reduced. As a result, the number of nodes sharing the Ethernet network will have an effect on the throughput or productivity of the network.

Collision Domains

When expanding an Ethernet LAN to accommodate more users with more bandwidth requirements, the potential for collisions increases. To reduce the number of nodes on a given network segment, you can create separate physical network segments, called collision domains.

The network area where frames originate and collide is called the collision domain. All shared media environments, such as those created by using hubs, are collision domains. When a host is connected to a switch port, the switch creates a dedicated connection. This connection is considered an individual collision domain, because traffic is kept separate from all other traffic, thereby eliminating the potential for a collision. The figure shows unique collision domains in a switched environment. For example, if a 12-port switch has a device connected to each port, 12 collision domains are created.

As you now know, a switch builds a MAC address table by learning the MAC addresses of the hosts that are connected to each switch port. When two connected hosts want to communicate with each other, the switch uses the switching table to establish a connection between the ports. The circuit is maintained until the session is terminated. In the figure, Host A and Host B want to communicate with each other. The switch creates the connection that is referred to as a microsegment. The microsegment behaves as if the network has only two hosts, one host sending and one receiving, providing maximum utilization of the available bandwidth.

Switches reduce collisions and improve bandwidth use on network segments because they provide dedicated bandwidth to each network segment.


2.1.2 - Design Considerations for Ethernet/802.3 Networks
The diagram depicts collision domains in a switched Ethernet network.

Four PCs, Host A, Host B, Host C, and Host D, are connected to an Ethernet switch. Each port on the switch to which a PC connects is its own collision domain, so there are four collision domains. Host A is in Collision Domain 1, and Host B is in Collision Domain 3. Because communication is full duplex, they can transmit and receive simultaneously, without collisions.


Page 2:
Broadcast Domains

Although switches filter most frames based on MAC addresses, they do not filter broadcast frames. For other switches on the LAN to get broadcasted frames, broadcast frames must be forwarded by switches. A collection of interconnected switches forms a single broadcast domain. Only a Layer 3 entity, such as a router, or a virtual LAN (VLAN), can stop a Layer 3 broadcast domain. Routers and VLANs are used to segment both collision and broadcast domains. The use of VLANs to segment broadcast domains will be discussed in the next chapter.

When a device wants to send out a Layer 2 broadcast, the destination MAC address in the frame is set to all ones. By setting the destination to this value, all the devices accept and process the broadcasted frame.

The broadcast domain at Layer 2 is referred to as the MAC broadcast domain. The MAC broadcast domain consists of all devices on the LAN that receive frame broadcasts by a host to all other machines on the LAN. This is shown in the first half of the animation.

When a switch receives a broadcast frame, it forwards the frame to each of its ports, except the incoming port where the switch received the broadcast frame. Each attached device recognizes the broadcast frame and processes it. This leads to reduced network efficiency, because bandwidth is used to propagate the broadcast traffic.

When two switches are connected, the broadcast domain is increased. In this example, a broadcast frame is forwarded to all connected ports on switch S1. Switch S1 is connected to switch S2. The frame is propagated to all devices connected to switch S2. This is shown in the second half of the animation.


2.1.2 - Design Considerations for Ethernet/802.3 Networks
The animation depicts the operation of broadcast domains.

Network Topology:
LAN 1 has one switch, S1, with four PCs and a server attached. A packet broadcast from the server is received by all four PCs.

LAN 2 has two switches that are connected: S1 and S2. Each switch has four PCs and a server attached. A packet broadcast from the server on S1 is received by all four PCs on S1 and then travels across the link to S2, where it is received by all four PCs and the server on S2.


Page 3:
Network Latency

Latency is the time a frame or a packet takes to travel from the source station to the final destination. Users of network-based applications experience latency when they have to wait many minutes to access data stored in a data center or when a website takes many minutes to load in a browser. Latency has at least three sources.

First, there is the time it takes the source NIC to place voltage pulses on the wire, and the time it takes the destination NIC to interpret these pulses. This is sometimes called NIC delay, typically around 1 microsecond for a 10BASE-T NIC.

Second, there is the actual propagation delay as the signal takes time to travel through the cable. Typically, this is about 0.556 microseconds per 100 m for Cat 5 UTP. Longer cable and slower nominal velocity of propagation (NVP) result in more propagation delay.

Third, latency is added based on network devices that are in the path between two devices. These are either Layer 1, Layer 2, or Layer 3 devices. These three contributors to latency can be discerned from the animation as the frame traverses the network.

Latency does not depend solely on distance and number of devices. For example, if three properly configured switches separate two computers, the computers may experience less latency than if two properly configured routers separated them. This is because routers conduct more complex and time-intensive functions. For example, a router must analyze Layer 3 data, while switches just analyze the Layer 2 data. Since Layer 2 data is present earlier in the frame structure than the Layer 3 data, switches can process the frame more quickly. Switches also support the high transmission rates of voice, video, and data networks by employing application-specific integrated circuits (ASIC) to provide hardware support for many networking tasks. Additional switch features such as port-based memory buffering, port level QoS, and congestion management, also help to reduce network latency.

Switch-based latency may also be due to oversubscribed switch fabric. Many entry-level switches do not have enough internal throughput to manage full bandwidth capabilities on all ports simultaneously. The switch needs to be able to manage the amount of peak data expected on the network. As the switching technology improves, the latency through the switch is no longer the issue. The predominant cause of network latency in a switched LAN is more a function of the media being transmitted, routing protocols used, and types of applications running on the network.


2.1.2 - Design Considerations for Ethernet/802.3 Networks
The diagram depicts the concept of network latency. Each device in the path introduces latency.

Network Topology:
Two PCs are connected to an Ethernet switch. A clock shows the elapsed time as the packet travels from one PC to the other through the switch.

One. The NIC places voltage pulses on the wire.
Two. The signal propagates through the cable.
Three. The signal traverses a network device (the switch).
Four. The destination NIC interprets the pulses.


Page 4:
Network Congestion

The primary reason for segmenting a LAN into smaller parts is to isolate traffic and to achieve better use of bandwidth per user. Without segmentation, a LAN quickly becomes clogged with traffic and collisions. The figure shows a network that is subject to congestion by multiple node devices on a hub-based network.

These are the most common causes of network congestion:

  • Increasingly powerful computer and network technologies. Today, CPUs, buses, and peripherals are much faster and more powerful than those used in early LANs, therefore they can send more data at higher rates through the network, and they can process more data at higher rates.
  • Increasing volume of network traffic. Network traffic is now more common because remote resources are necessary to carry out basic work. Additionally, broadcast messages, such as address resolution queries sent out by ARP, can adversely affect end-station and network performance.
  • High-bandwidth applications. Software applications are becoming richer in their functionality and are requiring more and more bandwidth. Desktop publishing, engineering design, video on demand (VoD), electronic learning (e-learning), and streaming video all require considerable processing power and speed.


2.1.2 - Design Considerations for Ethernet/802.3 Networks
The diagram depicts the concept of congestion with a network that has multiple node devices on a hub-based network.

Network Topology:
A central hub has four satellite hubs attached to it. Each satellite hub has four PC's attached to it. This represents one large collision domain.


Page 5:
LAN Segmentation

LANs are segmented into a number of smaller collision and broadcast domains using routers and switches. Previously, bridges were used, but this type of network equipment is rarely seen in a modern switched LAN. The figure shows the routers and switches segmenting a LAN.

In the figure, the network is segmented into four collision domains using the switch.

Roll over the Collision Domain to see the size of each collision domain.

However, the broadcast domain in the figure spans the entire network.

Roll over the Broadcast Domain to see the size of the broadcast domain.

Bridges and Switches

Although bridges and switches share many attributes, several distinctions differentiate these technologies. Bridges are generally used to segment a LAN into a couple of smaller segments. Switches are generally used to segment a large LAN into many smaller segments. Bridges have only a few ports for LAN connectivity, whereas switches have many.

Routers

Even though the LAN switch reduces the size of collision domains, all hosts connected to the switch, and in the same VLAN, are still in the same broadcast domain. Because routers do not forward broadcast traffic by default, they can be used to create broadcast domains. Creating additional, smaller broadcast domains with a router reduces broadcast traffic and provides more available bandwidth for unicast communications. Each router interface connects to a separate network, containing broadcast traffic within the LAN segment in which it originated.

Click the Controlled Collision and Broadcast Domain button to see the effect of introducing routers and more switches into the network.

Roll over the two text areas to identify the different broadcast and collision domains.


2.1.2 - Design Considerations for Ethernet/802.3 Networks
The diagram depicts a comparison between collision domains and broadcast domains.

Uncontrolled Collision and Broadcast Domain:
Network Topology:
A central switch has four satellite hubs attached to it. Each satellite hub has four PC's attached to it. This represents four collision domains, but one large broadcast domain.

Controlled Collision and Broadcast Domain:
Network Topology:
Core router C1 has two distribution routers, R1 and R2, connected to it. Router R1 is connected to access switch S1 in LAN segment A. Switch S1 is connected to switches S2 and S3, each of which has PC's attached from building floors 1 and 2. Router R2 is connected to access switch S4 in LAN segment B. Switch S4 is connected to switches S5 and S6, each of which has PC's attached from building floors 3 and 4.

Broadcast Domain: Each router reduces the size of the broadcast domain on the LAN.
Collision Domain: Each switch reduces the size of the collision domain on the LAN to a single link.
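The domain rules stated above (hubs merge collision domains, switches split them but pass broadcasts, routers bound broadcast domains) applied to the three figure topologies, as an added example that is not part of the course text; the routed LAN is built with two PCs per access switch, an assumption since the figure gives no count.

```python
"""Count collision and broadcast domains in a LAN topology.

Added example, not part of the course text. It encodes the rules the text
states: a hub repeats every bit, so all cables on a hub share one collision
domain; a switch ends the collision domain at each port but still forwards
broadcasts; a router forwards neither, so every router interface starts a
new broadcast domain. The topologies are the ones in the figures, built
inline as constructed data (two PCs per access switch in the routed one).
"""
from collections import defaultdict

HUB, SWITCH, ROUTER, HOST = "hub", "switch", "router", "host"


class Topology:
    def __init__(self):
        self.kind = {}      # device name -> HUB / SWITCH / ROUTER / HOST
        self.links = []     # (device, device) pairs, one entry per cable

    def add(self, name, kind):
        self.kind[name] = kind
        return self

    def link(self, a, b):
        self.links.append((a, b))
        return self


def _count_components(nodes, edges):
    """Connected components via union-find."""
    parent = {n: n for n in nodes}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in edges:
        parent[find(a)] = find(b)
    return len({find(n) for n in nodes})


def _cable_domains(t, joining_kinds):
    """Treat each cable as a node; two cables are in the same domain when
    they meet at a device whose kind is in joining_kinds."""
    by_device = defaultdict(list)
    for i, (a, b) in enumerate(t.links):
        by_device[a].append(i)
        by_device[b].append(i)
    edges = []
    for dev, cables in by_device.items():
        if t.kind[dev] in joining_kinds:
            edges += [(cables[0], c) for c in cables[1:]]
    return _count_components(range(len(t.links)), edges)


def collision_domains(t):
    return _cable_domains(t, {HUB})            # only hubs merge cables


def broadcast_domains(t):
    return _cable_domains(t, {HUB, SWITCH})    # routers do not forward broadcasts


def hub_lan():
    """Figure: central hub, four satellite hubs, four PCs on each."""
    t = Topology().add("HUB0", HUB)
    for h in range(1, 5):
        t.add(f"HUB{h}", HUB).link("HUB0", f"HUB{h}")
        for p in range(4):
            t.add(f"PC{h}{p}", HOST).link(f"HUB{h}", f"PC{h}{p}")
    return t


def switched_lan():
    """Figure: central switch, four satellite hubs, four PCs on each."""
    t = Topology().add("SW", SWITCH)
    for h in range(1, 5):
        t.add(f"HUB{h}", HUB).link("SW", f"HUB{h}")
        for p in range(4):
            t.add(f"PC{h}{p}", HOST).link(f"HUB{h}", f"PC{h}{p}")
    return t


def routed_lan(pcs_per_switch=2):
    """Figure: core router C1, distribution routers R1/R2, switches S1-S6."""
    t = Topology()
    for r in ("C1", "R1", "R2"):
        t.add(r, ROUTER)
    t.link("C1", "R1").link("C1", "R2")
    for router, dist, access in (("R1", "S1", ("S2", "S3")),
                                 ("R2", "S4", ("S5", "S6"))):
        t.add(dist, SWITCH).link(router, dist)
        for sw in access:
            t.add(sw, SWITCH).link(dist, sw)
            for p in range(pcs_per_switch):
                t.add(f"{sw}-PC{p}", HOST).link(sw, f"{sw}-PC{p}")
    return t


if __name__ == "__main__":
    for name, t in (("hub LAN", hub_lan()), ("switched LAN", switched_lan()),
                    ("routed LAN", routed_lan())):
        print(f"{name}: {collision_domains(t)} collision domain(s), "
              f"{broadcast_domains(t)} broadcast domain(s)")
```

The point-to-point links between routers count as broadcast domains of their own, since each router interface is a separate network.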


2.1.3 LAN Design Considerations

Page 1:
Controlling Network Latency

When designing a network to reduce latency, you need to consider the latency caused by each device on the network. Switches can introduce latency on a network when oversubscribed on a busy network. For example, if a core-level switch has to support 48 ports, each one capable of running at 1000 Mb/s full duplex, the switch should support around 96 Gb/s internal throughput if it is to maintain full wirespeed across all ports simultaneously. In this example, the throughput requirements stated are typical of core-level switches, not of access-level switches.

The use of higher layer devices can also increase latency on a network. When a Layer 3 device, such as a router, needs to examine the Layer 3 addressing information contained within the frame, it must read further into the frame than a Layer 2 device, which creates a longer processing time. Limiting the use of higher layer devices can help reduce network latency. However, appropriate use of Layer 3 devices helps prevent contention from broadcast traffic in a large broadcast domain or the high collision rate in a large collision domain.

Removing Bottlenecks

Bottlenecks on a network are places where high network congestion results in slow performance.

Click on the Removing Network Bottlenecks button in the figure.

The figure shows six computers and a single server connected to the same switch. Each workstation and the server are connected using a 1000 Mb/s NIC. What happens when all six computers try to access the server at the same time? Does each workstation get 1000 Mb/s dedicated access to the server? No, all the computers have to share the 1000 Mb/s connection that the server has to the switch. Cumulatively, the computers are capable of 6000 Mb/s to the switch. If each connection were used at full capacity, each computer would be able to use only 167 Mb/s, one-sixth of the 1000 Mb/s bandwidth. To reduce the bottleneck to the server, additional network cards can be installed, which increases the total bandwidth the server is capable of receiving. The figure shows five NIC cards in the server and approximately five times the bandwidth. The same logic applies to network topologies. When switches with multiple nodes are interconnected by a single 1000 Mb/s connection, a bottleneck is created at this single interconnect.

Higher capacity links (for example, upgrading from 100 Mb/s to 1000 Mb/s connections) and using multiple links leveraging link aggregation technologies (for example, combining two links as if they were one to double a connection's capacity) can help to reduce the bottlenecks created by inter-switch links and router links. Although configuring link aggregation is outside the scope of this course, it is important to consider a device's capabilities when assessing a network's needs. How many ports and of what speed is the device capable of? What is the internal throughput of the device? Can it handle the anticipated traffic loads considering its placement in the network?


2.1.3 - LAN Design Considerations
The diagram depicts LAN design considerations of controlling network latency and removing bottlenecks.

Controlling Network Latency:
Consider the latency caused by each device on the network.
- A core level switch supporting 48 ports, running at 1000 Megabits per second (Mbps) full duplex requires 96 Gigabits per second (Gbps) internal throughput if it is to maintain full wirespeed across all ports simultaneously.

Higher OSI layer devices can also increase latency on a network.
- A router must strip away the Layer 2 fields in a frame to interpret Layer 3 addressing information. The extra processing time causes latency.
- Balance the use of higher layer devices to reduce network latency with the need to prevent contention from broadcast traffic or the high collision rates.


Removing Network Bottlenecks:
LAN 1 has one switch, S2, with six PC's and one server attached. The server has one 1000 Mbps NIC installed and one connection to the switch. The NIC bandwidth for each PC to the server is 167 Mbps per computer.

LAN 2 has one switch, S2, with six PC's and one server attached. The server has five 1000 Mbps NIC's installed and five connections to the switch. The NIC bandwidth for each PC to the server is 833 Mbps per computer.


Page 2:


2.1.3 - LAN Design Considerations
The diagram depicts an activity in which you must draw a shape around either a collision domain or broadcast domain for the various network topologies presented.

Note: Contact your instructor for information regarding this activity.


2.2 Forwarding Frames using a Switch

2.2.1 Switch Forwarding Methods

Page 1:
Switch Packet Forwarding Methods

In this topic, you will learn how switches forward Ethernet frames on a network. Switches can operate in different modes that can have both positive and negative effects.

In the past, switches used one of the following forwarding methods for switching data between network ports: store-and-forward or cut-through switching. Click the Switch Forwarding Methods button to see these two methods. However, store-and-forward is the sole forwarding method used on current models of Cisco Catalyst switches.

Store-and-Forward Switching

In store-and-forward switching, when the switch receives the frame, it stores the data in buffers until the complete frame has been received. During the storage process, the switch analyzes the frame for information about its destination. In this process, the switch also performs an error check using the Cyclic Redundancy Check (CRC) trailer portion of the Ethernet frame.

CRC uses a mathematical formula, based on the number of bits (1s) in the frame, to determine whether the received frame has an error. After confirming the integrity of the frame, the frame is forwarded out the appropriate port toward its destination. When an error is detected in a frame, the switch discards the frame. Discarding frames with errors reduces the amount of bandwidth consumed by corrupt data. Store-and-forward switching is required for Quality of Service (QoS) analysis on converged networks where frame classification for traffic prioritization is necessary. For example, voice over IP data streams need to have priority over web-browsing traffic.

Click on the Store-and-Forward Switching button and play the animation for a demonstration of the store-and-forward process.

Cut-through Switching

In cut-through switching, the switch acts upon the data as soon as it is received, even if the transmission is not complete. The switch buffers just enough of the frame to read the destination MAC address so that it can determine to which port to forward the data. The destination MAC address is located in the first 6 bytes of the frame following the preamble. The switch looks up the destination MAC address in its switching table, determines the outgoing interface port, and forwards the frame onto its destination through the designated switch port. The switch does not perform any error checking on the frame. Because the switch does not have to wait for the entire frame to be completely buffered, and because the switch does not perform any error checking, cut-through switching is faster than store-and-forward switching. However, because the switch does not perform any error checking, it forwards corrupt frames throughout the network. The corrupt frames consume bandwidth while they are being forwarded. The destination NIC eventually discards the corrupt frames.

Click on the Cut-Through Switching button and play the animation for a demonstration of the cut-through switching process.

There are two variants of cut-through switching:

  • Fast-forward switching: Fast-forward switching offers the lowest level of latency. Fast-forward switching immediately forwards a packet after reading the destination address. Because fast-forward switching starts forwarding before the entire packet has been received, there may be times when packets are relayed with errors. This occurs infrequently, and the destination network adapter discards the faulty packet upon receipt. In fast-forward mode, latency is measured from the first bit received to the first bit transmitted. Fast-forward switching is the typical cut-through method of switching.
  • Fragment-free switching: In fragment-free switching, the switch stores the first 64 bytes of the frame before forwarding. Fragment-free switching can be viewed as a compromise between store-and-forward switching and cut-through switching. The reason fragment-free switching stores only the first 64 bytes of the frame is that most network errors and collisions occur during the first 64 bytes. Fragment-free switching tries to enhance cut-through switching by performing a small error check on the first 64 bytes of the frame to ensure that a collision has not occurred before forwarding the frame. Fragment-free switching is a compromise between the high latency and high integrity of store-and-forward switching, and the low latency and reduced integrity of cut-through switching.

Some switches are configured to perform cut-through switching on a per-port basis until a user-defined error threshold is reached and then they automatically change to store-and-forward. When the error rate falls below the threshold, the port automatically changes back to cut-through switching.


2.2.1 - Switch Forwarding Methods
The diagram compares two switch packet forwarding methods: store-and-forward switching and cut-through switching.

Switch Packet Forwarding Methods:
A store-and-forward switch receives the entire frame, computes the CRC, and checks the frame length and only forwards the frame if the CRC and frame length are valid. A cut-through switch forwards the frame before it is entirely received.

Store-and-Forward Switching animation:
Diagram: Two PC's and a server are connected to an Ethernet switch. The entire frame is read and the CRC checked before the frame is forwarded.

A store-and-forward switch receives the entire frame, computes the CRC, and checks the frame length. If the CRC and frame length are valid, the switch looks up the destination address, which determines the outgoing interface. The frame is then forwarded out the correct port.

Cut-through Switching animation:
Diagram: Two PC's and a server are connected to an Ethernet switch. The frame destination address is read and the frame is forwarded.

A cut-through switch forwards the frame before it is entirely received. At a minimum, the destination address of the frame must be read before the frame can be forwarded.
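The three forwarding methods described above, simulated on frames carrying a real CRC-32 FCS, as an added example that is not part of the course text or of any Cisco software; the MAC addresses, payloads and port numbers are constructed test data.

```python
"""Store-and-forward, fragment-free and fast-forward switching, simulated.

Added example; it is not part of the course text or any Cisco software. It
builds Ethernet II frames with a real CRC-32 FCS, then shows how many bytes
each method buffers before its forwarding decision and which damaged frames
each one lets through. MAC addresses and payloads are constructed test data.
"""
import struct
import zlib

MIN_FRAME = 64      # smallest legal frame incl. FCS; shorter = collision fragment
MAX_FRAME = 1518
BROADCAST = b"\xff" * 6


def build_frame(dst, src, payload, ethertype=0x0800):
    """Ethernet II frame: dst(6) src(6) type(2) payload(padded to 46) FCS(4)."""
    body = dst + src + struct.pack("!H", ethertype) + payload.ljust(46, b"\x00")
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)   # 802.3 FCS byte order
    return body + fcs


def fcs_ok(frame):
    """Recompute the CRC-32 over everything but the trailer and compare."""
    return struct.pack("<I", zlib.crc32(frame[:-4]) & 0xFFFFFFFF) == frame[-4:]


class Switch:
    def __init__(self, ports, method="store-and-forward"):
        self.ports = list(ports)
        self.method = method
        self.mac_table = {}     # source MAC -> port, learned as frames arrive

    def receive(self, in_port, frame):
        """Return (decision, detail, bytes_examined_before_deciding)."""
        if self.method == "fast-forward":
            examined = 6                           # destination MAC only
        elif self.method == "fragment-free":
            examined = min(len(frame), MIN_FRAME)  # first 64 bytes
            if len(frame) < MIN_FRAME:
                return ("drop", "runt", examined)
        else:                                      # store-and-forward
            examined = len(frame)                  # whole frame buffered
            if not MIN_FRAME <= len(frame) <= MAX_FRAME:
                return ("drop", "bad length", examined)
            if not fcs_ok(frame):
                return ("drop", "bad FCS", examined)
        dst, src = frame[:6], frame[6:12]
        self.mac_table[src] = in_port              # learning happens in every mode
        out = self.mac_table.get(dst)
        if dst == BROADCAST or out is None:
            return ("flood", [p for p in self.ports if p != in_port], examined)
        if out == in_port:
            return ("drop", "same port", examined)
        return ("forward", out, examined)


def demo():
    """Feed one good frame, one with a flipped payload bit, and one collision
    fragment through a switch in each mode; return the decisions."""
    mac_a = bytes.fromhex("020000000001")   # constructed locally administered MACs
    mac_b = bytes.fromhex("020000000002")
    good = build_frame(mac_b, mac_a, b"hello switch")
    damaged = bytearray(good)
    damaged[20] ^= 0x01                     # one payload bit; FCS no longer matches
    damaged = bytes(damaged)
    runt = good[:40]                        # truncated by a collision
    results = {}
    for method in ("store-and-forward", "fragment-free", "fast-forward"):
        sw = Switch(ports=(1, 2, 3), method=method)
        sw.receive(2, build_frame(mac_a, mac_b, b"hi from B"))   # switch learns B on port 2
        results[method] = {name: sw.receive(1, f) for name, f in
                           (("good", good), ("damaged", damaged), ("runt", runt))}
    return results


if __name__ == "__main__":
    for method, outcome in demo().items():
        print(method, outcome)
```

Only store-and-forward stops the frame with the bad FCS; fragment-free catches the runt but not the bit error, and fast-forward relays both after reading six bytes.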


2.2.2 Symmetric and Asymmetric Switching

Page 1:
Symmetric and Asymmetric Switching

In this topic, you will learn the differences between symmetric and asymmetric switching in a network. LAN switching may be classified as symmetric or asymmetric based on the way in which bandwidth is allocated to the switch ports.

Symmetric switching provides switched connections between ports with the same bandwidth, such as all 100 Mb/s ports or all 1000 Mb/s ports. An asymmetric LAN switch provides switched connections between ports of unlike bandwidth, such as a combination of 10 Mb/s, 100 Mb/s, and 1000 Mb/s ports. The figure shows the differences between symmetric and asymmetric switching.

Asymmetric

Asymmetric switching enables more bandwidth to be dedicated to a server switch port to prevent a bottleneck. This allows smoother traffic flows where multiple clients are communicating with a server at the same time. Memory buffering is required on an asymmetric switch. For the switch to match the different data rates on different ports, entire frames are kept in the memory buffer and are moved to the port one after the other as required.

Symmetric

On a symmetric switch all ports are of the same bandwidth. Symmetric switching is optimized for a reasonably distributed traffic load, such as in a peer-to-peer desktop environment.

A network manager must evaluate the needed amount of bandwidth for connections between devices to accommodate the data flow of network-based applications. Most current switches are asymmetric switches because this type of switch offers the greatest flexibility.


2.2.2 - Symmetric and Asymmetric Switching
The diagram compares symmetric and asymmetric switching.

Symmetric:
Diagram: A central switch with four hubs attached using the same port speed of 100 Mbps. Each hub has end-user devices connected to it. Each port on the switch is assigned the same bandwidth.

Asymmetric:
Diagram: A central switch with three PC's connected to 100 Mbps ports and one server connected to a 1000 Mbps port. More bandwidth is assigned to the port connected to a server.


2.2.3 Memory Buffering

Page 1:
Port Based and Shared Memory Buffering

As you learned in a previous topic, a switch analyzes some or all of a packet before it forwards it to the destination host, depending on the forwarding method. The switch stores the packet for a brief time in a memory buffer. In this topic, you will learn how two types of memory buffers are used during switch forwarding.

An Ethernet switch may use a buffering technique to store frames before forwarding them. Buffering may also be used when the destination port is busy due to congestion and the switch stores the frame until it can be transmitted. The use of memory to store the data is called memory buffering. Memory buffering is built into the hardware of the switch and, other than increasing the amount of memory available, is not configurable.

There are two methods of memory buffering: port-based and shared memory.

Port-based Memory Buffering

In port-based memory buffering, frames are stored in queues that are linked to specific incoming and outgoing ports. A frame is transmitted to the outgoing port only when all the frames ahead of it in the queue have been successfully transmitted. It is possible for a single frame to delay the transmission of all the frames in memory because of a busy destination port. This delay occurs even if the other frames could be transmitted to open destination ports.

Shared Memory Buffering

Shared memory buffering deposits all frames into a common memory buffer that all the ports on the switch share. The amount of buffer memory required by a port is dynamically allocated. The frames in the buffer are linked dynamically to the destination port. This allows the packet to be received on one port and then transmitted on another port, without moving it to a different queue.

The switch keeps a map of frame to port links showing where a packet needs to be transmitted. The map link is cleared after the frame has been successfully transmitted. The number of frames stored in the buffer is restricted by the size of the entire memory buffer and not limited to a single port buffer. This permits larger frames to be transmitted with fewer dropped frames. This is important to asymmetric switching, where frames are being exchanged between different rate ports.


2.2.3 - Memory Buffering
The diagram compares port-based and shared memory buffering.

Port-based memory: In port-based memory buffering, frames are stored in queues that are linked to specific incoming ports.

Shared memory: Shared memory buffering deposits all frames into a common memory buffer, which all the ports on the switch share.
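The head-of-line blocking the text describes for port-based buffering, and its absence with a shared buffer, shown in a tick-based model; this is an added example, not part of the course text, and the frames, ports and busy period are constructed.

```python
"""Head-of-line blocking: port-based versus shared memory buffering.

Added example, not part of the course text. It runs the same three frames
through a tick-based model of each buffering scheme. Frames, ports and the
busy period are constructed test data: egress port 3 is still draining other
traffic for the first three ticks, the "busy destination port" of the text.
"""


def simulate(frames, busy_until, mode, max_ticks=20):
    """frames: list of {"name", "in_port", "out_port"}, already buffered in
    arrival order. busy_until: {out_port: first tick it is free}.
    mode: "port-based" or "shared". One frame per egress port per tick.
    Returns {name: tick at which the frame was transmitted}."""
    out_ports = {f["out_port"] for f in frames}
    pending = list(frames)
    sent = {}
    for tick in range(max_ticks):
        free = {p for p in out_ports if busy_until.get(p, 0) <= tick}
        if mode == "port-based":
            # Each ingress queue is a FIFO: only its head may be transmitted,
            # so a head waiting on a busy port holds back everything behind it.
            heads = {}
            for f in pending:
                heads.setdefault(f["in_port"], f)
            eligible = list(heads.values())
        elif mode == "shared":
            # All frames sit in one pool, each linked to its egress port, so
            # any frame whose port is free can go, whatever arrived before it.
            eligible = list(pending)
        else:
            raise ValueError(mode)
        for f in eligible:
            if f["out_port"] in free:
                free.remove(f["out_port"])
                sent[f["name"]] = tick
                pending.remove(f)
        if not pending:
            break
    return sent


# Constructed scenario: three frames arrive back to back on ingress port 1.
FRAMES = [
    {"name": "F1", "in_port": 1, "out_port": 3},   # destined for the busy port
    {"name": "F2", "in_port": 1, "out_port": 2},   # port 2 is idle
    {"name": "F3", "in_port": 1, "out_port": 2},
]
BUSY_UNTIL = {3: 3}   # egress port 3 becomes free at tick 3


def compare():
    return {mode: simulate(FRAMES, BUSY_UNTIL, mode)
            for mode in ("port-based", "shared")}


if __name__ == "__main__":
    for mode, sent in compare().items():
        print(mode, sent)
```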


2.2.4 Layer 2 and Layer 3 Switching

Page 1:
Layer 2 and Layer 3 Switching

In this topic, you will review the concept of Layer 2 switching and learn about Layer 3 switching.

A Layer 2 LAN switch performs switching and filtering based only on the OSI Data Link layer (Layer 2) MAC address. A Layer 2 switch is completely transparent to network protocols and user applications. Recall that a Layer 2 switch builds a MAC address table that it uses to make forwarding decisions.

A Layer 3 switch, such as the Catalyst 3560, functions similarly to a Layer 2 switch, such as the Catalyst 2960, but instead of using only the Layer 2 MAC address information for forwarding decisions, a Layer 3 switch can also use IP address information. Instead of only learning which MAC addresses are associated with each of its ports, a Layer 3 switch can also learn which IP addresses are associated with its interfaces. This allows the Layer 3 switch to direct traffic throughout the network based on IP address information.

Layer 3 switches are also capable of performing Layer 3 routing functions, reducing the need for dedicated routers on a LAN. Because Layer 3 switches have specialized switching hardware, they can typically route data as quickly as they can switch.


2.2.4 - Layer 2 and Layer 3 Switching
The diagram compares Layer 2 and Layer 3 switching.

A Layer 2 switch icon is shown operating at OSI Data Link Layer 2, and the Layer 3 switch icon is shown operating at OSI Network Layer 3.


Page 2:
Layer 3 Switch and Router Comparison

In the previous topic, you learned that Layer 3 switches examine Layer 3 information in an Ethernet packet to make forwarding decisions. Layer 3 switches can route packets between different LAN segments similarly to dedicated routers. However, Layer 3 switches do not completely replace the need for routers on a network.

Routers perform additional Layer 3 services that Layer 3 switches are not capable of performing. Routers are also capable of performing packet forwarding tasks not found on Layer 3 switches, such as establishing remote access connections to remote networks and devices. Dedicated routers are more flexible in their support of WAN interface cards (WIC), making them the preferred, and sometimes only, choice for connecting to a WAN. Layer 3 switches can provide basic routing functions in a LAN and reduce the need for dedicated routers.


2.2.4 - Layer 2 and Layer 3 Switching
The diagram compares a Layer 3 switch and a router.

Feature                     Layer 3 Switch   Router
Layer 3 Routing             Supported        Supported
Traffic Management          Supported        Supported
WIC Support                 (Blank)          Supported
Advanced Routing Protocols  (Blank)          Supported
Wirespeed routing           Supported        (Blank)


Page 3:


2.2.4 - Layer 2 and Layer 3 Switching
Activity 1
The diagram depicts an activity in which you must match the correct switching type to the number of bytes read by the incoming frame before it is forwarded.

Number of bytes read:
A: 6 bytes.
B: 64 bytes.
C: All bytes.

Switching method:
One. Store and forward.
Two. Fast forward.
Three. Fragment free.

Activity 2
The diagram depicts two network topologies to compare symmetric and asymmetric switches.
Diagram 1:
Topology A consists of three PC's and a server connected to a switch. PC1 is connected to switch port F0/6, PC2 is connected to switch port F0/18, PC3 is connected to switch port F0/12, and the server is connected to switch port Gi1/1.
Topology B is identical to Topology A with the following exception: The server is connected to switch port F0/1.

Refer to Topologies A and B to complete the sentences, replacing BLANK with the words provided.
A. Topology A.
B. Topology B.
C. Symmetric.
D. Asymmetric.

BLANK is an example of a or an BLANK switch, which provides connections between ports with the same bandwidth. BLANK is a or an BLANK LAN switch, which provides switched connections between ports of different bandwidth.

Activity 3
Complete the sentences replacing BLANK with the words provided. Not all words are used. Some BLANKs may have more than one correct answer.
A. asymmetric.
B. physical.
C. data link.
D. IP.
E. port based.
F. shared.
G. multicast.
H. store and forward.
I. cut through.
J. network.
K. broadcast.
L. MAC.
M. unicast.
N. symmetric.

Because of the low latency of most modern switches, BLANK is better suited for most switch environments.
A network manager must evaluate the needed amount of bandwidth for connections between devices to accommodate the data flow of network-based applications when deciding the type of switch to select. However, most current switches are BLANK switches because they offer the greatest flexibility.
In BLANK memory buffering, frames are stored in queues that are linked to specific incoming interfaces.
In BLANK memory buffering, all frames are deposited into a common memory buffer that all ports on the switch use.
A Layer 2 LAN switch performs switching and filtering based on the OSI BLANK Layer BLANK address.
A Layer 3 switch operates at the BLANK Layer and uses BLANK address information for switch-forwarding decisions.


2.3 Switch Management Configuration

2.3.1 Navigating Command-Line Interface Modes

Page 1:
The Command Line Interface Modes

In this topic, you will review what you learned in CCNA Exploration: Network Fundamentals about how to navigate the various command line interface (CLI) modes.

As a security feature, Cisco IOS software separates EXEC sessions into these access levels:

  • User EXEC: Allows a person to access only a limited number of basic monitoring commands. User EXEC mode is the default mode you enter after logging in to a Cisco switch from the CLI. User EXEC mode is identified by the > prompt.
  • Privileged EXEC: Allows a person to access all device commands, such as those used for configuration and management, and can be password-protected to allow only authorized users to access the device. Privileged EXEC mode is identified by the # prompt.

To change from user EXEC mode to privileged EXEC mode, enter the enable command. To change from privileged EXEC mode back to user EXEC mode, enter the disable command. On a real switch, if a privileged EXEC password has been set, the switch prompts for it; enter the correct password. By default, no password is configured, so privileged EXEC mode is open to anyone who can reach the CLI until one is set. The figure shows the Cisco IOS commands used to navigate from user EXEC mode to privileged EXEC mode and back again.

Click the user EXEC and privileged EXEC mode button in the figure.

Navigating Configuration Modes

Once you have entered privileged EXEC mode on the Cisco switch, you can access other configuration modes. Cisco IOS software uses a hierarchy of commands in its command-mode structure. Each command mode supports specific Cisco IOS commands related to a type of operation on the device.

There are many configuration modes. For now, you will explore how to navigate two common configuration modes: global configuration mode and interface configuration mode.

Click the Navigating Configuration Modes button in the figure.

Global Configuration Mode

The example starts with the switch in privileged EXEC mode. To configure global switch parameters such as the switch hostname or the switch IP address used for switch management purposes, use global configuration mode. To access global configuration mode, enter the configure terminal command in privileged EXEC mode. The prompt changes to (config)#.

Interface Configuration Mode

Configuring interface-specific parameters is a common task. To access interface configuration mode from global configuration mode, enter the interface command. The prompt changes to (config-if)#. To exit interface configuration mode, use the exit command. The prompt switches back to (config)#, letting you know that you are in global configuration mode. To exit global configuration mode, enter the exit command again. The prompt switches to #, signifying privileged EXEC mode.


2.3.1 - Navigating Command-Line Interface Modes
The diagram depicts the Cisco IOS Command Line Interface (CLI) modes.

Table Heading: Cisco IOS CLI Command Syntax
user EXEC to privileged EXEC mode
Switch from user EXEC to privileged EXEC mode:
Switch> enable
If a password has been set for privileged EXEC mode, you are prompted to enter it.
password: password

The # prompt signifies privileged EXEC mode.
Switch#

Switch from privileged EXEC to user EXEC mode.
Switch#disable

The > prompt signifies user EXEC mode.
Switch>

Navigating Configuration Modes:
Table Heading: Cisco IOS CLI Command Syntax

Switch from privileged EXEC mode to global configuration mode.
Switch#configure terminal

The (config)# prompt signifies that the switch is in global configuration mode.
Switch(config)#

Switch from global configuration mode to interface configuration mode for Fast Ethernet interface 0/1.
Switch(config)#interface fastethernet 0/1

The (config-if)# prompt signifies that the switch is in interface configuration mode.
Switch(config-if)#

Switch from interface configuration mode to global configuration mode.
Switch(config-if)#exit

The (config)# prompt signifies that the switch is in global configuration mode.
Switch(config)#

Switch from global configuration mode to privileged EXEC mode.
Switch(config)#exit

The # prompt signifies that the switch is in privileged EXEC mode.
Switch#


Page 2:
GUI-based Alternatives to the CLI

There are a number of graphical management alternatives for managing a Cisco switch. Using a GUI offers simplified switch management and configuration without in-depth knowledge of the Cisco CLI.

Click the Cisco Network Assistant button in the figure.

Cisco Network Assistant

Cisco Network Assistant is a PC-based GUI network management application optimized for small and medium-sized LANs. You can configure and manage groups of switches or standalone switches. The figure shows the management interface for Network Assistant. Cisco Network Assistant is available at no cost and can be downloaded from Cisco (CCO username/password required):

http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps5931/product_data_sheet0900aecd8068820a.html

Click the CiscoView Application button in the figure.

CiscoView Application

The CiscoView device-management application displays a physical view of the switch that you can use to set configuration parameters and to view switch status and performance information. The CiscoView application, purchased separately, can be a standalone application or part of a Simple Network Management Protocol (SNMP) platform. The figure shows the management interface for the CiscoView Device Manager. Learn more about CiscoView Device Manager at:

http://www.cisco.com/en/US/products/sw/cscowork/ps4565/prod_bulletin0900aecd802948b0.html

Click the Cisco Device Manager button in the figure.

Cisco Device Manager

Cisco Device Manager is web-based software that is stored in the switch memory. You can use Device Manager to configure and manage switches. You can access Device Manager from anywhere in your network through a web browser. The figure shows the management interface.

Click the SNMP Network Management button in the figure.

SNMP Network Management

You can manage switches from an SNMP-compatible management station, such as HP OpenView. The switch is able to provide comprehensive management information and provides four Remote Monitoring (RMON) groups. SNMP network management is more common in large enterprise networks.


2.3.1 - Navigating Command-Line Interface Modes
The diagram depicts various GUI-based alternatives to the CLI. Screenshots are shown for:
- Cisco Network Assistant.
- CiscoView Application.
- Cisco Device Manager.
- SNMP Network Management.


2.3.2 Using the Help Facility

Page 1:
Context Sensitive Help

The Cisco IOS CLI offers two types of help:

  • Word help: If you do not remember an entire command but do remember the first few characters, enter the character sequence followed by a question mark (?). Do not include a space before the question mark.

A list of commands that start with the characters that you entered is displayed. For example, entering sh? returns a list of all commands that begin with the sh character sequence.

  • Command syntax help: If you are unfamiliar with which commands are available in your current context within the Cisco IOS CLI, or if you do not know the parameters required or available to complete a given command, enter the ? command.

When only ? is entered, a list of all available commands in the current context is displayed. If the ? command is entered after a specific command, the command arguments are displayed. If <cr> is displayed, no other arguments are needed to make the command function. Make sure to include a space before the question mark to prevent the Cisco IOS CLI from performing word help rather than command syntax help. For example, enter show ? to get a list of the command options supported by the show command.

The figure shows the Cisco help functions.

Using the example of setting the device clock, let's see how CLI help works. If the device clock needs to be set but the clock command syntax is not known, the context-sensitive help provides a means to check the syntax.

Context-sensitive help supplies the whole command even if you enter just the first part of the command, such as cl?.

If you enter the command clock followed by the Enter key, an error message indicates that the command is incomplete. To view the required parameters for the clock command, enter ?, preceded by a space. In the clock ? example, the help output shows that the keyword set is required after clock.

If you now enter the command clock set, another error message appears indicating that the command is still incomplete. Now add a space and enter the ? command to display a list of command arguments that are available at that point for the given command.

The additional arguments needed to set the clock on the device are displayed: the current time using hours, minutes, and seconds. For an excellent resource on how to use the Cisco IOS CLI, visit:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hcf_c/ch10/index.htm.


2.3.2 - Using the Help Facility
The diagram depicts the use of context-sensitive help.
Table Heading: Cisco Switch Command Syntax.

Example of command prompting. In this example, the help function provides a list of commands available in the current mode that start with the letters c l, followed by a question mark with no space between the command and the question mark.
Switch#c l question mark
clear clock

Example of incomplete command.
Switch#clock
Percent sign Incomplete command.

Example of symbolic translation.
Switch#clock
Percent sign Unknown command or computer name, or unable to find computer address.

Example of command prompting. In this example, the help function provides a list of subcommands associated with the clock command. There is a space between the command and the question mark.
Switch#clock question mark
set. Set the time and date

In this example, the help function provides a list of command arguments that are required with the clock set command. There is a space between the command and the question mark.
Switch#clock set question mark
hh:mm:ss Current Time


Page 2:
Console Error Messages

Console error messages help identify problems when an incorrect command has been entered. The figure provides example error messages, what they mean, and how to get help when they are displayed.


2.3.2 - Using the Help Facility
The diagram depicts examples of console error messages, what they mean, and how to get help when they are displayed.

Example Error Message One:
Switch#c l
Percent sign Ambiguous command: c l.
Meaning: You did not enter enough characters to recognize the command.
How to Get Help: Re-enter the letters followed by a question mark, without a space between the letters and the question mark. The possible commands that you can enter are displayed.

Example Error Message Two:
Switch#clock
Percent sign Incomplete command.
Meaning: You did not enter all the keywords or values required by this command.
How to Get Help: Re-enter the command followed by a question mark, with a space between the command and the question mark.

Example Error Message Three:
Switch#clock set a a:12:23
Note: A caret is under the first letter A and the following error message is displayed:
Percent sign Invalid input detected at caret marker.
Meaning: You entered the command incorrectly. The caret marks the point of the error.
How to Get Help: Enter a question mark to display all the commands or parameters that are available.


2.3.3 Accessing the Command History

Page 1:
The Command History Buffer

When you are configuring many interfaces on a switch, you can save time retyping commands by using the Cisco IOS command history buffer. In this topic, you will learn how to configure the command history buffer to support your configuration efforts.

The Cisco CLI provides a history or record of commands that have been entered. This feature, called command history, is particularly useful in helping recall long or complex commands or entries.

With the command history feature, you can complete the following tasks:

  • Display the contents of the command buffer.
  • Set the command history buffer size.
  • Recall previously entered commands stored in the history buffer. There is a buffer for each configuration mode.

By default, command history is enabled, and the system records the last 10 command lines in its history buffer. You can use the show history command to view recently entered EXEC commands.


2.3.3 - Accessing the Command History
The diagram depicts the use of the command history buffer and the show history command to view recently entered EXEC commands.

Switch#show history
enable
show history
enable
config
t
confi
t
show history
switch#


Page 2:
Configure the Command History Buffer

In Cisco network products that support the Cisco IOS software, command history is enabled by default, and the last 10 command lines are recorded in the history buffer.

The command history can be disabled for the current terminal session only by using the terminal no history command in user or privileged EXEC mode. When command history is disabled, the device no longer retains any previously entered command lines.

To revert the terminal history size back to its default value of 10 lines, enter the terminal no history size command in privileged EXEC mode. The figure provides an explanation and example of these Cisco IOS commands.


2.3.3 - Accessing the Command History
The diagram depicts configuring the command history buffer.
Table heading: Cisco I O S C L I Command Syntax.

Enable terminal history. This command can be run from either user or privileged EXEC mode.
Switch#terminal history

Configure the terminal history size.
The terminal history can maintain 0 to 256 command lines.
Switch#terminal history size 50

Reset the terminal history size to the default value of 10 command lines.
Switch#terminal no history size

Disable terminal history.
Switch#terminal no history


2.3.4 The Switch Boot Sequence

Page 1:
Describe the Boot Sequence

In this topic, you will learn the sequence of Cisco IOS commands that a switch executes from the off state to displaying the login prompt. After a Cisco switch is turned on, it goes through the following boot sequence:

The switch loads the boot loader software. The boot loader is a small program stored in ROM and is run when the switch is first turned on.

The boot loader:

  • Performs low-level CPU initialization. It initializes the CPU registers, which control where physical memory is mapped, the quantity of memory, and its speed.
  • Performs power-on self-test (POST) for the CPU subsystem. It tests the CPU DRAM and the portion of the flash device that makes up the flash file system.
  • Initializes the flash file system on the system board.
  • Loads a default operating system software image into memory and boots the switch. The boot loader finds the Cisco IOS image on the switch by first looking in a directory that has the same name as the image file (excluding the .bin extension). If it does not find it there, the boot loader software searches each subdirectory before continuing the search in the original directory.

The operating system then initializes the interfaces using the Cisco IOS commands found in the operating system configuration file, config.text, stored in the switch flash memory.

Recovering from a System Crash

The boot loader also provides access into the switch if the operating system cannot be used. The boot loader has a command-line facility that provides access to the files stored on Flash memory before the operating system is loaded. From the boot loader command line you can enter commands to format the flash file system, reinstall the operating system software image, or recover from a lost or forgotten password.


2.3.4 - The Switch Boot Sequence
The diagram depicts the switch boot sequence.

The boot sequence of a Cisco switch:

One. The switch loads the boot loader software from NV RAM.
Two. The boot loader:
- Performs low-level CPU initialization.
- Performs POST for the CPU subsystem.
- Initializes the flash file system on the system board.
- Loads a default operating system software image into memory and boots the switch.

Three. The operating system runs using the config dot text file that is stored in the switch flash memory.

The boot loader can help you recover from an operating system crash:
- Provides access into the switch if the operating system has problems serious enough that it cannot be used.
- Provides access to the files stored on flash before the operating system is loaded.
- Use the boot loader command line to perform recovery operations.


2.3.5 Prepare to Configure the Switch

Page 1:
Prepare to Configure the Switch

The initial startup of a Catalyst switch requires the completion of the following steps:

Step 1. Before starting the switch, verify the following:

All network cable connections are secure.

Your PC or terminal is connected to the console port.

Your terminal emulator application, such as HyperTerminal, is running and configured correctly.

The figure illustrates how to connect a PC to a switch using the console port.

Click the Configure Hyperterminal button in the figure.

The figure shows the correct configuration of HyperTerminal, which can be used to view the console of a Cisco device.

Step 2. Attach the power cable plug to the switch power supply socket. The switch will start. Some Catalyst switches, including the Cisco Catalyst 2960 series, do not have power buttons.

Step 3. Observe the boot sequence as follows:

When the switch is on, the POST begins. During POST, the LEDs blink while a series of tests determine that the switch is functioning properly. When the POST has completed, the SYST LED rapidly blinks green. If the switch fails POST, the SYST LED turns amber. When a switch fails the POST test, it is necessary to repair the switch.

Observe the Cisco IOS software output text on the console.

Click the View Boot Process on Console button in the figure.

The figure shows the boot process on the console of a Cisco switch.

During the initial startup of the switch, if POST failures are detected, they are reported to the console and the switch does not start. If POST completes successfully, and the switch has not been configured before, you are prompted to configure the switch.


2.3.5 - Prepare to Configure the Switch
The diagram depicts multiple images and the preparation process for configuring the switch.

Connect to the Switch:
An RJ-45 to an RJ-45 rollover cable connects the switch console port to an RJ-45 to DB-9 adapter, which then connects to the DB-9 serial port on the PC. The RJ-45 to DB-9 adapter is labeled TERMINAL.

Configure HyperTerminal:
The HyperTerminal terminal emulation program Connect To window screenshot shows the setup of a new connection using the PC COM1 port. The HyperTerminal COM1 Properties window screenshot shows the following settings for connecting to the switch console port:
- Bits per second: 9600.
- Data bits: 8.
- Parity: None.
- Stop Bits: 1.
- Flow Control: None.

View Boot Process on Console:
The figure shows the boot process on the console of a Cisco switch.


2.3.6 Basic Switch Configuration

Page 1:
Management Interface Considerations

An access layer switch is much like a PC in that you need to configure an IP address, a subnet mask, and a default gateway. To manage a switch remotely using TCP/IP, you need to assign the switch an IP address. In the figure, you want to manage S1 from PC1, a computer used for managing the network. To do this, you need to assign switch S1 an IP address. This IP address is assigned to a virtual interface called a virtual LAN (VLAN), and then it is necessary to ensure the VLAN is assigned to a specific port or ports on the switch.

The default configuration on the switch is to have the management of the switch controlled through VLAN 1. However, a best practice for basic switch configuration is to change the management VLAN to a VLAN other than VLAN 1. The implications and reasoning behind this action are explained in the next chapter. The figure illustrates the use of VLAN 99 as the management VLAN; however, it is important to consider that an interface other than VLAN 99 can be considered for the management interface.

Note: You will learn more about VLANs in the next chapter. Here the focus is on providing management access to the switch using an alternative VLAN. Some of the commands introduced here are explained more thoroughly in the next chapter.

For now, VLAN 99 is created and assigned an IP address. Then the appropriate port on switch S1 is assigned to VLAN 99. The figure also shows this configuration information.

Click the Configure Management Interface button in the figure.

Configure Management Interface

To configure an IP address and subnet mask on the management VLAN of the switch, you must be in VLAN interface configuration mode. Use the command interface vlan 99 and enter the ip address configuration command. You must use the no shutdown interface configuration command to make this Layer 3 interface operational. When you see "interface VLAN x", that refers to the Layer 3 interface associated with VLAN x. Only the management VLAN has an interface VLAN associated with it.

Note that a Layer 2 switch, such as the Cisco Catalyst 2960, only permits a single VLAN interface to be active at a time. This means that the Layer 3 interface, interface VLAN 99, is active, but the Layer 3 interface, interface VLAN 1, is not active.

Click the Configure Default Gateway button in the figure.

Configure Default Gateway

You need to configure the switch so that it can forward IP packets to distant networks. The default gateway is the mechanism for doing this. The switch forwards IP packets with destination IP addresses outside the local network to the default gateway. In the figure, router R1 is the next-hop router. Its IP address is 172.17.99.1.

To configure a default gateway for the switch, use the ip default-gateway command. Enter the IP address of the next-hop router interface that is directly connected to the switch where a default gateway is being configured. Make sure you save the configuration running on a switch or router. Use the copy running-config startup-config command to back up your configuration.

Click the Verify Configuration button in the figure.

Verify Configuration

The top screen shot in the figure is an abbreviated screen output showing that VLAN 99 has been configured with an IP address and subnet mask, and that Fast Ethernet port F0/18 has been assigned to management VLAN 99.

Show the IP Interfaces

Use the show ip interface brief command to verify port operation and status. You will practice using the switchport access vlan 99 command in a hands-on lab and a Packet Tracer activity.

The mdix auto Command

You used to be required to use certain cable types (cross-over, straight-through) when connecting between specific devices, switch-to-switch or switch-to-router. Instead, you can now use the mdix auto interface configuration command in the CLI to enable the automatic medium-dependent interface crossover (auto-MDIX) feature.

When the auto-MDIX feature is enabled, the switch detects the required cable type for copper Ethernet connections and configures the interfaces accordingly. Therefore, you can use either a crossover or a straight-through cable for connections to a copper 10/100/1000 port on the switch, regardless of the type of device on the other end of the connection.

The auto-MDIX feature was introduced in Cisco IOS Release 12.2(25)FX.


2.3.6 - Basic Switch Configuration
The diagram depicts multiple images, including management interface considerations, configuring a management interface, configuring a default gateway, and verifying the configuration.

Management Interface Considerations:
Image: The computer PC1 serial port connects to the switch S1 console port, and the PC1 NIC connects to switch port F0/18 using an Ethernet cable.
PC1:
- IP address 172.17.99.12.
- Connected to console port.
- Connected to port F0/18 on S1.

S1:
- V LAN 99
- The management V LAN.
- IP address 172.17.99.11.
- Port F0/18 assigned to V LAN 99.

- For TCP/IP management, a Layer 3 address must be assigned to the switch.
- V LAN 1 is the default management interface for all switches.
- There are security risks associated with using V LAN 1.
- Create another V LAN, for example V LAN 99 or V LAN 150.
- Assign that V LAN to an appropriate port, for example F0/18.

Configuring a Management Interface:
The steps and the necessary commands for configuring IP connectivity are listed as follows:
Switch from privileged EXEC mode to global configuration mode.
S1#configure terminal

Enter the interface configuration mode for the V LAN 99 interface.
S1(config)#interface V LAN 99

Configure the interface IP address.
S1(config-i f)#i p address 172.17.99.11 255.255.255.0

Enable the interface.
S1(config-i f)#no shutdown

Return to privileged EXEC mode.
S1(config-i f)#end

Enter global configuration mode.
S1#configure terminal

Enter the interface to assign the V LAN.
S1(config)#interface fast ethernet 0 /18

Define the V LAN membership mode for the port.
S1(config-i f)#switchport mode access

Assign the port to a V LAN.
S1(config-i f)#switchport access V LAN 99

Return to privileged EXEC mode.
S1(config-i f)#end

Save the running configuration to the switch startup configuration.
S1#copy running-config startup-config

Configuring a Default Gateway:
Image: Computer PC1 connects to switch S1 port F0/18. Switch port F0/5 connects to router R1 interface FA0/1, which has IP address 172.17.99.1. The router R1 interface FA0/0, with IP address 172.17.50.1, connects to a Web/TFTP server with IP address 172.17.50.254. Router R1 is labeled Default Gateway.

Configure the default gateway on the switch.
S1(config)#i p default-gateway 172.17.99.1

Return to privileged EXEC mode.
S1(config)#end

Save the running configuration to the switch startup configuration.
S1#copy running-config startup-config

Verifying the Configuration:
The commands show running-config and show i p interface brief are used to verify the configuration. Highlighted output from these commands includes:
S1#show running-config

Interface FastEthernet0/18.
Switchport access V LAN 99.
Switchport mode access.

Interface V LAN 99
IP address 172.17.99.11 255.255.255.0


S1#show i p interface brief
Interface         IP-Address    OK? Method Status Protocol
Vlan99            172.17.99.11  YES manual up     up
FastEthernet0/18  unassigned    YES unset  up     up


Page 2:
Configure Duplex and Speed

You can use the duplex interface configuration command to specify the duplex mode of operation for switch ports. You can manually set the duplex mode and speed of switch ports to avoid inter-vendor issues with autonegotiation. Although there can be issues when you configure switch port duplex settings to auto, in this example, S1 and S2 switches have the same duplex settings and speeds. The figure describes the steps to configure the port F0/1 on the S1 switch.


2.3.6 - Basic Switch Configuration
The diagram depicts configuring duplex and speed for switch ports.

Computer PC1 connects to switch S1 port F0/18. Switch S1 port F0/1 connects to switch S2 port F0/1. Switch S2 also connects to PC2.

S1 - F0/1 is:
Full Duplex Mode.
100 Mbps.

S2 - F0/1 is:
Full Duplex Mode.
100 Mbps.

Switch from privileged EXEC mode to global configuration mode.
S1#configure terminal

Enter the interface configuration mode.
S1(config)#interface fast ethernet 0/1

Configure the interface duplex mode to enable auto duplex configuration.
S1(config-i f)#duplex auto

Configure the interface duplex speed and enable auto speed configuration.
S1(config-i f)#speed auto

Return to privileged EXEC mode.
S1(config-i f)#end

Save the running configuration to the switch startup configuration.
S1#copy running-config startup-config


Page 3:
Configure a Web Interface

Modern Cisco switches have a number of web-based configuration tools that require the switch to be configured as an HTTP server. These applications include the Cisco web browser user interface, Cisco Router and Security Device Manager (SDM), and IP Phone and Cisco IOS Telephony Service applications.

To control who can access the HTTP services on the switch, you can optionally configure authentication. Authentication methods can be complex. You may have so many people using the HTTP services that you require a separate server specifically to handle user authentication. AAA and TACACS authentication modes are examples that use this type of remote authentication method. AAA and TACACS are authentication protocols that can be used in networks to validate user credentials. You may need to have a less complex authentication method. The enable method requires users to use the server's enable password. The local authentication method requires the user to use the login username, password, and privilege level access combination specified in the local system configuration (by the username global configuration command).

For more information on TACACS, visit: http://www.cisco.com/en/US/tech/tk583/tk642/tsd_technology_support_sub-protocol_home.html.

For more information on AAA, visit: http://www.cisco.com/en/US/products/ps6638/products_data_sheet09186a00804fe332.html.


2.3.6 - Basic Switch Configuration
The diagram depicts configuring a Web interface for the switch. Computer PC1 connects to switch S1 port F0/18. PC1 is labeled Management PC.

Switch from privileged EXEC mode to global configuration mode.
S1#configure terminal

Configure the HTTP server interface for the type of authentication. In the example below the enable option is used. The authentication options are:
- enable: Enable password, which is the default method of HTTP server user authentication, is used.
- local: Local user database, as defined on the Cisco router or access server, is used.
- tac acs: TAC ACS server is used.

S1(config)#i p http authentication enable

Enable the HTTP server.
S1(config)#i p http server

Return to privileged EXEC mode.
S1(config)#end

Save the running configuration to the switch start-up configuration.
S1#copy running-config startup-config


Page 4:
Managing the MAC Address Table

Switches use MAC address tables to determine how to forward traffic between ports. These MAC tables include dynamic and static addresses. The figure shows a sample MAC address table from the output of the show mac-address-table command that includes static and dynamic MAC addresses.

Note: The MAC address table was previously referred to as content addressable memory (CAM) or as the CAM table.

Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in use. You can change the aging time setting for MAC addresses. The default time is 300 seconds. Setting too short an aging time can cause addresses to be prematurely removed from the table. Then, when the switch receives a packet for an unknown destination, it floods the packet to all ports in the same LAN (or VLAN) as the receiving port. This unnecessary flooding can impact performance. Setting too long an aging time can cause the address table to be filled with unused addresses, which prevents new addresses from being learned. This can also cause flooding.

The switch provides dynamic addressing by learning the source MAC address of each frame that it receives on each port, and then adding the source MAC address and its associated port number to the MAC address table. As computers are added or removed from the network, the switch updates the MAC address table, adding new entries and aging out those that are currently not in use.

A network administrator can specifically assign static MAC addresses to certain ports. Static addresses are not aged out, and the switch always knows which port to send out traffic destined for that specific MAC address. As a result, there is no need to relearn or refresh which port the MAC address is connected to. One reason to implement static MAC addresses is to provide the network administrator complete control over access to the network. Only those devices that are known to the network administrator can connect to the network.

To create a static mapping in the MAC address table, use the mac-address-table static <MAC address> vlan {1-4096, ALL} interface interface-id command.

To remove a static mapping in the MAC address table, use the no mac-address-table static <MAC address> vlan {1-4096, ALL} interface interface-id command.

The maximum size of the MAC address table varies between switch models. For example, the Catalyst 2960 series switch can store up to 8,192 MAC addresses. Other protocols may further limit the absolute number of MAC addresses available to a switch.


2.3.6 - Basic Switch Configuration
The diagram depicts output from the show mac-address-table command, which lists the V LAN, MAC address, type (static and dynamic), and associated ports for all MAC addresses known by the switch. Output from this command is shown in Packet Tracer and the hands-on lab activities.
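The learning, aging, static-entry and table-full behaviour described above, as an added Python model that is not Cisco's implementation and not part of the curriculum: it tracks when a frame is forwarded to a known port and when it is flooded, so the effect of a too-short aging time or a full table can be observed directly. VLAN numbers, port names, MAC addresses and timestamps are constructed; the 8,192-entry default mirrors the Catalyst 2960 figure in the text.

```python
"""Toy model of a switch MAC address table: dynamic learning with aging,
static entries and a capacity limit. Added illustration for this topic,
not Cisco's implementation; all addresses, ports and times are constructed."""

FLOOD = "flood"        # frame is sent to every port in the VLAN except the ingress port
DEFAULT_AGING = 300    # seconds; the default aging time named in the text


class MacAddressTable:
    def __init__(self, aging_time=DEFAULT_AGING, capacity=8192):
        # capacity 8192 mirrors the Catalyst 2960 figure quoted in the text
        self.aging_time = aging_time
        self.capacity = capacity
        self.entries = {}  # (vlan, mac) -> {"port", "static", "last_seen"}

    def add_static(self, mac, vlan, port):
        """Equivalent of: mac-address-table static <mac> vlan <vlan> interface <port>"""
        self.entries[(vlan, mac)] = {"port": port, "static": True, "last_seen": None}

    def remove_static(self, mac, vlan):
        """Equivalent of the 'no' form of the static mapping command."""
        entry = self.entries.get((vlan, mac))
        if entry is not None and entry["static"]:
            del self.entries[(vlan, mac)]

    def age(self, now):
        """Drop dynamic entries idle longer than the aging time; static ones stay."""
        expired = [key for key, e in self.entries.items()
                   if not e["static"] and now - e["last_seen"] > self.aging_time]
        for key in expired:
            del self.entries[key]

    def receive(self, src_mac, dst_mac, vlan, in_port, now):
        """Handle one frame: learn the source, then return the egress decision."""
        self.age(now)
        key = (vlan, src_mac)
        entry = self.entries.get(key)
        if entry is None:
            # Unknown source: learn it only while the table has room. A full
            # table leaves the address unlearned, so traffic to it keeps flooding.
            if len(self.entries) < self.capacity:
                self.entries[key] = {"port": in_port, "static": False, "last_seen": now}
        elif not entry["static"]:
            entry["port"] = in_port       # host moved ports: follow it
            entry["last_seen"] = now      # refresh the aging timer
        # A static entry is never moved or refreshed by traffic.
        dst = self.entries.get((vlan, dst_mac))
        return FLOOD if dst is None else dst["port"]

    def show(self):
        """Rows in the order of show mac-address-table: vlan, mac, type, port."""
        return sorted((vlan, mac, "STATIC" if e["static"] else "DYNAMIC", e["port"])
                      for (vlan, mac), e in self.entries.items())


def flooding_under_short_aging(aging_time):
    """A PC talks to a server every 60 s; the server answered once and is then
    quiet. Returns how many of the PC's five frames are flooded because the
    server's entry aged out in between (0 with the 300 s default)."""
    table = MacAddressTable(aging_time=aging_time)
    pc = "0001.4d2a.1111"       # constructed addresses
    server = "0001.4d2a.2222"
    flooded = 0
    for i in range(5):
        now = i * 60
        table.receive(pc, server, 99, "Fa0/18", now)
        if i == 0:
            table.receive(server, pc, 99, "Fa0/5", now)   # the server's only reply
        if table.receive(pc, server, 99, "Fa0/18", now + 1) == FLOOD:
            flooded += 1
    return flooded
```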


2.3.7 Verifying Switch Configuration

Page 1:
Using the Show Commands

Now that you have performed the initial switch configuration, you should confirm that the switch has been configured correctly. In this topic, you will learn how to verify the switch configuration using various show commands.

Click the Show Commands button in the figure.

When you need to verify the configuration of your Cisco switch, the show command is very useful. The show command is executed from privileged EXEC mode. The figure presents some of the key options for the show command that verify nearly all configurable switch features. There are many additional show commands that you will learn throughout this course.

Click the Show Running-config button in the figure.

One of the more valuable show commands is the show running-config command. This command displays the configuration currently running on the switch. Use this command to verify that you have correctly configured the switch. The figure shows an abbreviated output from the show running-config command. The three periods indicate missing content. The figure has highlighted screen output of the S1 switch showing:

  • Fast Ethernet 0/18 interface configured with the management VLAN 99
  • VLAN 99 configured with an IP address of 172.17.99.11 255.255.0.0
  • Default gateway set to 172.17.50.1
  • HTTP server configured

Click the Show Interfaces button in the figure.

Another commonly used command is the show interfaces command, which displays status and statistics information on the network interfaces of the switch. The show interfaces command is used frequently while configuring and monitoring network devices. Recall that you can type partial commands at the command prompt and, as long as no other command option is the same, the Cisco IOS software interprets the command correctly. For example, you can use show int for this command. The figure shows the output from a show interfaces FastEthernet 0/1 command. The first highlighted line in the figure indicates that the Fast Ethernet 0/1 interface is up and running. The next highlighted line shows that the duplex is auto-duplex and the speed is auto-speed.


2.3.7 - Verifying Switch Configuration
The diagram depicts multiple images. The function and I O S C L I syntax for the commonly used show commands are listed here.

Displays the interface status and configuration for a single interface or all interfaces available on the switch.
show interfaces [interface-id]

Displays the contents of the startup configuration.
show startup-config

Displays the current operating configuration.
show running-config

Displays information about the flash file system.
show flash:

Displays system hardware and software status.
show version

Display the session command history.
show history

Displays IP information.
The interface option displays the IP interface status and configuration.
The http option displays the HTTP information about the device manager running on the switch.
The arp option displays the IP ARP table.
show i p {interface | http | arp}

Displays the MAC forwarding table.
show mac address table

Also shown is the output from the show running-config and show interfaces commands. Highlighted output from these commands includes:

S1#show running-config
interface FastEthernet 0/18
switchport access v lan 99
switchport mode access

interface v lan 99
i p address 172.17.99.11 255.255.0.0

i p default-gateway 172.17.50.1
i p http server

S1#show interfaces
FastEthernet 0 /1 is up, line protocol is up

Auto-duplex, Auto-speed, media type is 10 /100 Base TX

Output from these commands is shown in Packet Tracer and the hands-on lab activities.
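The checks a practitioner would run over the show running-config output above, as an added Python example that is not part of the Cisco curriculum: it parses the global commands and interface stanzas of the 2.3.6 management-interface configuration and flags the points this topic verifies (management SVI not on VLAN 1, default gateway present, access mode on the management port, HTTP server and its authentication method). The first sample is re-typed from the figure; the second, weak sample, the finding wording and the severities are constructed for this example.

```python
"""Parse an IOS running-config excerpt and audit the management setup.
Added example, not Cisco's code; finding texts and severities are this
example's own choices."""
import re

# Re-typed from the abbreviated show running-config output in the figure.
SAMPLE_RUNNING_CONFIG = """\
!
interface FastEthernet0/18
 switchport access vlan 99
 switchport mode access
!
interface Vlan99
 ip address 172.17.99.11 255.255.0.0
!
ip default-gateway 172.17.50.1
ip http server
!
"""

# Constructed counter-example: management left on VLAN 1, no gateway,
# no explicit access mode on the port (192.0.2.0/24 is a documentation range).
WEAK_RUNNING_CONFIG = """\
!
interface FastEthernet0/18
 switchport access vlan 1
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
"""


def parse_running_config(text):
    """Split IOS config text into (global commands, {interface: [sub-commands]}).

    In IOS output a line starting with '!' ends a stanza, and sub-commands are
    indented by one space under their 'interface ...' line.
    """
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith(" "):
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces.setdefault(current, [])
        else:
            current = None
            globals_.append(line)
    return globals_, interfaces


def audit_management_config(text):
    """Return (severity, message) findings for the management configuration."""
    globals_, interfaces = parse_running_config(text)
    findings = []

    # Which SVIs carry an IP address? That is the management interface.
    addressed = {name for name, subs in interfaces.items()
                 if name.lower().startswith("vlan")
                 and any(s.startswith("ip address ") for s in subs)}
    if not addressed:
        findings.append(("high", "no VLAN interface carries an IP address"))
    if any(name.lower() == "vlan1" for name in addressed):
        findings.append(("medium", "management address is on Vlan1, the default VLAN"))

    # Remote management beyond the local subnet needs ip default-gateway.
    if not any(g.startswith("ip default-gateway ") for g in globals_):
        findings.append(("medium", "no ip default-gateway configured"))

    # Ports placed in the management VLAN should be pinned to access mode.
    mgmt_ids = {name[4:] for name in addressed}
    for name, subs in interfaces.items():
        for sub in subs:
            m = re.match(r"switchport access vlan (\d+)$", sub)
            if m and m.group(1) in mgmt_ids and "switchport mode access" not in subs:
                findings.append(("low", f"{name} is in management VLAN {m.group(1)} "
                                        "without switchport mode access"))

    # ip http server is plaintext web management; note the auth method too.
    if "ip http server" in globals_:
        findings.append(("low", "ip http server enabled: web management uses plaintext HTTP"))
        if not any(g.startswith("ip http authentication ") for g in globals_):
            findings.append(("info", "HTTP authentication not set; the enable "
                                     "password is the default method"))
    return findings
```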


2.3.8 Basic Switch Management

Page 1:
Back up and Restore Switch Configurations

A typical job for an apprentice network technician is to load a switch with a configuration. In this topic, you will learn how to load and store a configuration on the switch flash memory and to a TFTP server.

Click the Backup Configurations button in the figure.

Backing Up the Configuration

You have already learned how to back up the running configuration of a switch to the startup configuration file. You have used the copy running-config startup-config privileged EXEC command to back up the configurations you have made so far. As you may already know, the running configuration is saved in DRAM and the startup configuration is stored in the NVRAM section of Flash memory. When you issue the copy running-config startup-config command, the Cisco IOS software copies the running configuration to NVRAM so that when the switch boots, the startup-config with your new configuration is loaded.

You do not always want to save configuration changes you make to the running configuration of a switch. For example, you might want to change the configuration for a short time period rather than permanently.

If you want to maintain multiple different startup-config files on the device, you can copy the configuration to different filenames, using the copy startup-config flash:filename command. Storing multiple startup-config versions allows you to roll back to a point in time if your configuration has problems. The figure shows three examples of backing up the configuration to Flash memory. The first is the formal and complete syntax. The second is the syntax commonly used. Use the first syntax when you are unfamiliar with the network device you are working with, and use the second syntax when you know that the destination is the flash NVRAM installed on the switch. The third is the syntax used to save a copy of the startup-config file in flash.

Click the Restoring Configurations button in the figure.

Restoring the Configuration

Restoring a configuration is a simple process. You just need to copy the saved configuration over the current configuration. For example, if you had a saved configuration called config.bak1, you could restore it over your existing startup-config by entering this Cisco IOS command copy flash:config.bak1 startup-config. Once the configuration has been restored to the startup-config, you restart the switch so that it reloads the new startup configuration by using the reload command in privileged EXEC mode.

The reload command halts the system. If the system is set to restart on error, it reboots itself. Use the reload command after configuration information is entered into a file and saved to the startup configuration.

Note: You cannot reload from a virtual terminal if the switch is not set up for automatic booting. This restriction prevents the system from dropping to the ROM monitor (ROMMON) and thereby taking the system out of the remote user's control.

After issuing the reload command, the system prompts you to answer whether or not to save the configuration. Normally you would indicate "yes", but in this particular case you need to answer "no". If you answered "yes", the file you just restored would be overwritten. In every case you need to consider whether or not the current running configuration is the one you want to be active after reload.

For more details on the reload command, review the Cisco IOS Configuration Fundamentals Command Reference, Release 12.4 found at this website: http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_book.html.

Note: There is also the option of entering the copy startup-config running-config command. Unfortunately, this command does not entirely overwrite the running configuration; it only adds existing commands from the startup configuration to the running configuration. This can cause unintended results, so be careful when you do this.


2.3.8 - Basic Switch Management
The diagram depicts how to back up and restore switch configurations.

Back up Configurations:

Formal version of the Cisco IOS copy command.
Confirm the destination filename. Press the Enter key to accept and use the Ctrl + C key combination to cancel.

S1#copy system:running-config flash:startup-config
Destination filename [startup-config]?

Informal version of the copy command. The assumptions are that the running config is running on the system and that the startup config file will be stored in flash NVRAM. Press the Enter key to accept and use the Ctrl + C key combination to cancel.

S1#copy running-config startup-config
Destination filename [startup-config]?

Back up the startup-config to a file stored in flash NVRAM. Confirm the destination filename. Press the Enter key to accept and use the Ctrl + C key combination to cancel.
S1#copy startup-config flash:config.bak1
Destination filename [config.bak1]?

Restore Switch Configurations
Copy the config.bak1 file stored in flash to the startup configuration assumed to be stored in flash. Press the Enter key to accept and use the Ctrl + C key combination to cancel.
S1#copy flash:config.bak1 startup-config
Destination filename [startup-config]?

Have the Cisco IOS restart the switch. If you have modified the running configuration file, you are asked to save it. Confirm with a y or an n. To confirm the reload, press the Enter key to accept and use the Ctrl + C key combination to cancel.
S1#reload
System configuration has been modified. Save? [yes/no]: n
Proceed with reload? [confirm]?


Page 2:
Back up Configuration Files to a TFTP Server

Once you have configured your switch with all the options you want to set, it is a good idea to back up the configuration on the network where it can then be archived along with the rest of your network data being backed up nightly. Having the configuration stored safely off the switch protects it in the event there is some major catastrophic problem with your switch.

Some switch configurations take many hours to get working correctly. If you lost the configuration because of switch hardware failure, a new switch needs to be configured. If there is a backup configuration for the failed switch, it can be loaded quickly onto the new switch. If there is no backup configuration, you must configure the new switch from scratch.

You can use TFTP to back up your configuration files over the network. Cisco IOS software comes with a built-in TFTP client that allows you to connect to a TFTP server on your network.

Note: There are free TFTP server software packages available on the Internet that you can use if you do not already have a TFTP server running. One commonly used TFTP server is from www.solarwinds.com.

Backing up the Configuration

To upload a configuration file from a switch to a TFTP server for storage, follow these steps:

Step 1. Verify that the TFTP server is running on your network.

Step 2. Log in to the switch through the console port or a Telnet session. Enable the switch and then ping the TFTP server.

Step 3. Upload the switch configuration to the TFTP server. Specify the IP address or hostname of the TFTP server and the destination filename. The Cisco IOS command is: #copy system:running-config tftp:[[[//location]/directory]/filename] or #copy nvram:startup-config tftp:[[[//location]/directory]/filename].

The figure shows an example of backing up the configuration to a TFTP server.

Restoring the Configuration

Once the configuration is stored successfully on the TFTP server, it can be copied back to the switch using the following steps:

Step 1. Copy the configuration file to the appropriate TFTP directory on the TFTP server if it is not already there.

Step 2. Verify that the TFTP server is running on your network.

Step 3. Log in to the switch through the console port or a Telnet session. Enable the switch and then ping the TFTP server.

Step 4. Download the configuration file from the TFTP server to configure the switch. Specify the IP address or hostname of the TFTP server and the name of the file to download. The Cisco IOS command is: #copy tftp:[[[//location]/directory]/filename] system:running-config or #copy tftp:[[[//location]/directory]/filename] nvram:startup-config.

If the configuration file is downloaded into the running-config, the commands are executed as the file is parsed line by line. If the configuration file is downloaded into the startup-config, the switch must be reloaded for the changes to take effect.


2.3.8 - Basic Switch Management
The diagram depicts the process of backing up the switch configuration file to a TFTP server.

S1#copy system:running-config tftp://172.16.2.155/Tokyo-config
Write file Tokyo-config on host 172.16.2.155? [confirm] y
Writing Tokyo-config!!! [OK]


Page 3:
Clearing Configuration Information

You can clear the configuration information from the startup configuration. You might do this to prepare a used switch to be shipped to a customer or a different department when you want to ensure that the switch gets reconfigured. After you erase the startup configuration file, the switch enters the setup program when it reboots, so that you can reconfigure it with new settings.

To clear the contents of your startup configuration, use the erase nvram: or the erase startup-config privileged EXEC command. The figure shows an example of erasing the configuration files stored in NVRAM.

Caution: You cannot restore the startup configuration file after it has been erased, so make sure that you have a backup of the configuration in case you need to restore it at a later point.

Deleting a Stored Configuration File

You may have been working on a complex configuration task and stored many backup copies of your files in Flash. To delete a file from Flash memory, use the delete flash:filename privileged EXEC command. Depending on the setting of the file prompt global configuration command, you might be prompted for confirmation before you delete a file. By default, the switch prompts for confirmation when deleting a file.

Caution: You cannot restore a configuration file after it has been deleted, so make sure that you have a backup of the configuration in case you need to restore it at a later point.

After the configuration has been erased or deleted, you can reload the switch to initiate a new configuration for the switch.


2.3.8 - Basic Switch Management
The diagram depicts the process of clearing the switch configuration information.

S1#erase nvram:
Erasing the nvram file system will remove all configuration files!
Continue? [confirm]
[OK]
Erase of nvram: complete
S1#


Page 4:
Basic switch management is the foundation for configuring switches. This activity focuses on navigating command-line interface modes, using help functions, accessing the command history, configuring boot sequence parameters, setting speed and duplex settings, as well as managing the MAC address table and switch configuration file. Skills learned in this activity are necessary for configuring basic switch security in later chapters. Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)


2.3.8 - Basic Switch Management
Link to Packet Tracer Exploration: Configuring Basic Switch Management.

This activity focuses on navigating command line interface modes, using help functions, accessing the command history, configuring boot sequence parameters, setting speed and duplex settings, as well as managing the MAC address table and switch configuration file.


2.4 Configuring Switch Security

2.4.1 Configure Password Options

Page 1:
Configure Console Access

In this topic, you will learn how to configure passwords for the console access, virtual terminal, and EXEC mode. You will also learn how to encrypt and recover passwords on a switch.

Data is very valuable and must be zealously guarded and protected. The U.S. Federal Bureau of Investigation (FBI) estimates that businesses lose $67.2 billion annually because of computer-related crime. Personal customer data in particular sells for very high prices. The following are some current prices for stolen data:

  • Automatic teller machine (ATM) or debit card with personal identification number (PIN): $500
  • Driver's license number: $150
  • Social Security number: $100
  • Credit card number with expiration date: $15 to $20

Securing your switches starts with protecting them from unauthorized access.

You can perform all configuration options directly from the console. To access the console, you need to have local physical access to the device. If you do not secure the console port properly, a malicious user could compromise the switch configuration.

Secure the Console

To secure the console port from unauthorized access, set a password on the console port using the password line configuration mode command. Use the line console 0 command to switch from global configuration mode to line configuration mode for console 0, which is the console port on Cisco switches. The prompt changes to (config-line)#, indicating that the switch is now in line configuration mode. From line configuration mode, you can set the password for the console by entering the password command. To ensure that a user on the console port is required to enter the password, use the login command. Even when a password is defined, it is not required to be entered until the login command has been issued.

The figure shows the commands used to configure and require the password for console access. Recall that you can use the show running-config command to verify your configuration. Before you complete the switch configuration, remember to save the running configuration file to the startup configuration.

Remove Console Password

If you need to remove the password and requirement to enter the password at login, use the following steps:

Step 1. Switch from privileged EXEC mode to global configuration mode. Enter the configure terminal command.

Step 2. Switch from global configuration mode to line configuration mode for console 0. The command prompt (config-line)# indicates that you are in line configuration mode. Enter the command line console 0.

Step 3. Remove the password from the console line using the no password command.

Step 4. Remove the requirement to enter the password at login to the console line using the no login command.

Step 5. Exit line configuration mode and return to privileged EXEC mode using the end command.


2.4.1 - Configure Password Options
The diagram depicts configuring console access using the Cisco IOS CLI. The functions and syntax are listed here:

Switch from privileged EXEC mode to global configuration mode.
S1#configure terminal

Switch from global configuration mode to line configuration mode for console 0.
S1(config)#line con 0

Set cisco as the password for the console 0 line on the switch.
S1(config-line)#password cisco

Set the console line to require the password to be entered before access is granted.
S1(config-line)#login

Exit from line configuration mode and return to privileged EXEC mode.
S1(config-line)#end


Page 2:
Secure the vty Ports

The vty ports on a Cisco switch allow you to access the device remotely. You can perform all configuration options using the vty terminal ports. You do not need physical access to the switch to access the vty ports, so it is very important to secure the vty ports. Any user with network access to the switch can establish a vty remote terminal connection. If the vty ports are not properly secured, a malicious user could compromise the switch configuration.

To secure the vty ports from unauthorized access, you can set a vty password that is required before access is granted.

To set the password on the vty ports, you must be in line configuration mode.

There can be many vty ports available on a Cisco switch. Multiple ports permit more than one administrator to connect to and manage the switch. To secure all vty lines, make sure that a password is set and login is enforced on all lines. Leaving some lines unsecured compromises security and allows unauthorized users access to the switch.

Use the line vty 0 4 command to switch from global configuration mode to line configuration mode for vty lines 0 through 4.

Note: If the switch has more vty lines available, adjust the range to secure them all. For example, a Cisco 2960 has lines 0 through 15 available.

The figure shows the commands used to configure and require the password for vty access. You can use the show running-config command to verify your configuration and the copy running-config startup-config command to save your work.

Remove the vty Password

If you need to remove the password and requirement to enter the password at login, use the following steps:

Step 1. Switch from privileged EXEC mode to global configuration mode. Enter the configure terminal command.

Step 2. Switch from global configuration mode to line configuration mode for vty terminals 0 through 4. The command prompt (config-line)# indicates that you are in line configuration mode. Enter the command line vty 0 4.

Step 3. Remove the password from the vty lines using the no password command.

Caution: If no password is defined and login is still enabled, there is no access to the vty lines.

Step 4. Remove the requirement to enter the password at login to the vty lines using the no login command.

Step 5. Exit line configuration mode and return to privileged EXEC mode using the end command.


2.4.1 - Configure Password Options
The diagram depicts configuring virtual terminal access using the Cisco IOS CLI. The functions and syntax are listed here:

Switch from privileged EXEC mode to global configuration mode.
S1#configure terminal

Switch from global configuration mode to line configuration mode for vty lines 0 through 4.
S1(config)#line vty 0 4

Set cisco as the password for vty lines 0 through 4 on the switch.
S1(config-line)#password cisco

Set the vty lines to require the password to be entered before access is granted.
S1(config-line)#login

Exit from line configuration mode and return to privileged EXEC mode.
S1(config-line)#end


Page 3:
Configure EXEC Mode Passwords

Privileged EXEC mode allows any user enabling that mode on a Cisco switch to configure any option available on the switch. You can also view all the currently configured settings on the switch, including some of the unencrypted passwords! For these reasons, it is important to secure access to privileged EXEC mode.

The enable password global configuration command allows you to specify a password to restrict access to privileged EXEC mode. However, one problem with the enable password command is that it stores the password in readable text in the startup-config and running-config. If someone were to gain access to a stored startup-config file, or temporary access to a Telnet or console session that is logged in to privileged EXEC mode, they could see the password. As a result, Cisco introduced a new password option to control access to privileged EXEC mode that stores the password in an encrypted format.

You can assign an encrypted form of the enable password, called the enable secret password, by entering the enable secret command with the desired password at the global configuration mode prompt. If the enable secret password is configured, it is used instead of the enable password, not in addition to it. There is also a safeguard built into the Cisco IOS software that notifies you when setting the enable secret password to the same password that is used for the enable password. If identical passwords are entered, the IOS will accept the password but will warn you they are the same and instruct you to re-enter a new password.

The figure shows the commands used to configure privileged EXEC mode passwords. You can use the show running-config command to verify your configuration and the copy running-config startup-config command to save your work.

Remove EXEC Mode Password

If you need to remove the password requirement to access privileged EXEC mode, you can use the no enable password and the no enable secret commands from global configuration mode.


2.4.1 - Configure Password Options
The diagram depicts configuring EXEC mode passwords using the Cisco IOS CLI. The functions and syntax are listed here:

Switch from privileged EXEC mode to global configuration mode.
S1#configure terminal

Configure the enable password to enter privileged EXEC mode.
S1(config)#enable password password

Configure the enable secret password to enter privileged EXEC mode.
S1(config)#enable secret password

Exit from global configuration mode and return to privileged EXEC mode.
S1(config)#end


Page 4:
Configure Encrypted Passwords

When configuring passwords in Cisco IOS CLI, by default all passwords, except for the enable secret password, are stored in clear text format within the startup-config and running-config. The figure shows an abbreviated screen output from the show running-config command on the S1 switch. The clear text passwords are highlighted in orange. It is universally accepted that passwords should be encrypted and not stored in clear text format. The Cisco IOS command service password-encryption enables service password encryption.

When the service password-encryption command is entered from global configuration mode, all system passwords are stored in an encrypted form. As soon as the command is entered, all the currently set passwords are converted to encrypted passwords. At the bottom of the figure, the encrypted passwords are highlighted in orange.

If you want to remove the requirement to store all system passwords in an encrypted format, enter the no service password-encryption command from global configuration mode. Removing password encryption does not convert currently encrypted passwords back into readable text. However, all newly set passwords are stored in clear text format.

Note: The encryption standard used by the service password-encryption command is referred to as type 7. This encryption standard is very weak and there are easily accessible tools on the Internet for decrypting passwords encrypted with this standard. Type 5 is more secure but must be invoked manually for each password configured.


2.4.1 - Configure Password Options
The diagram depicts configuring encrypted passwords using the Cisco IOS CLI. The unencrypted passwords for the console and vty lines are shown in the output, and the necessary syntax is listed here:

line con 0
password cisco
login
line vty 0 4
password cisco
no login

end

S1#config terminal
S1(config)#service password-encryption
S1(config)#end
S1#show running-config

line con 0
password 7 030752180500
login
line vty 0 4
password 7 1511021F0725
no login
line vty 5 15
password 7 1511021F0725
no login

end


Page 5:
Enable Password Recovery

After you set passwords to control access to the Cisco IOS CLI, you need to make sure you remember them. In case you have lost or forgotten access passwords, Cisco has a password recovery mechanism that allows administrators to gain access to their Cisco devices. The password recovery process requires physical access to the device. The figure shows a screen capture of the console display indicating that password recovery has been enabled. You will see this display after Step 3 below.

Note that you may not be able to actually recover the passwords on the Cisco device, especially if password encryption has been enabled, but you are able to reset them to a new value.

For more information on the password procedure, visit: http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00801746e6.shtml.

To recover the password on a Cisco 2960 switch, use the following steps:

Step 1. Connect a terminal or PC with terminal-emulation software to the switch console port.

Step 2. Set the line speed on the emulation software to 9600 baud.

Step 3. Power off the switch. Reconnect the power cord to the switch and within 15 seconds, press the Mode button while the System LED is still flashing green. Continue pressing the Mode button until the System LED turns briefly amber and then solid green. Then release the Mode button.

Step 4. Initialize the Flash file system using the flash_init command.

Step 5. Load any helper files using the load_helper command.

Step 6. Display the contents of Flash memory using the dir flash: command.

The switch file system appears:

Directory of flash:
13 drwx 192 Mar 01 1993 22:30:48 c2960-lanbase-mz.122-25.FX
11 -rwx 5825 Mar 01 1993 22:31:59 config.text
18 -rwx 720 Mar 01 1993 02:21:30 vlan.dat
16128000 bytes total (10003456 bytes free)


Step 7. Rename the configuration file to config.text.old, which contains the password definition, using the rename flash:config.text flash:config.text.old command.

Step 8. Boot the system with the boot command.

Step 9. You are prompted to start the setup program. Enter N at the prompt, and then when the system prompts whether to continue with the configuration dialog, enter N.

Step 10. At the switch prompt, enter privileged EXEC mode using the enable command.

Step 11. Rename the configuration file to its original name using the rename flash:config.text.old flash:config.text command.

Step 12. Copy the configuration file into memory using the copy flash:config.text system:running-config command. After this command has been entered, the following is displayed on the console:

Source filename [config.text]?

Destination filename [running-config]?

Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can change the password.

Step 13. Enter global configuration mode using the configure terminal command.

Step 14. Change the password using the enable secret password command.

Step 15. Return to privileged EXEC mode using the exit command.

Step 16. Write the running configuration to the startup configuration file using the copy running-config startup-config command.

Step 17. Reload the switch using the reload command.

Note: The password recovery procedure can be different depending on the Cisco switch series, so you should refer to the product documentation before you attempt a password recovery.


2.4.1 - Configure Password Options
The diagram depicts the enable password recovery procedure. A screen capture of the console display indicating that password recovery has been enabled is shown.

The system has been interrupted prior to initializing the flash file system. The following commands initialize the flash file system and finish loading the operating system software:

flash_init
load_helper
boot


2.4.2 Login Banners

Page 1:
Configure a Login Banner

The Cisco IOS command set includes a feature that allows you to configure messages that anyone logging onto the switch sees. These messages are called login banners and message of the day (MOTD) banners. In this topic, you will learn how to configure them.

You can define a customized banner to be displayed before the username and password login prompts by using the banner login command in global configuration mode. Enclose the banner text in quotation marks, or use a delimiter that does not appear anywhere in the banner text.

The figure shows the S1 switch being configured with a login banner Authorized Personnel Only!

To remove the login banner, enter the no form of this command in global configuration mode, for example, S1(config)#no banner login.


2.4.2 - Login Banners
The diagram depicts configuring a login banner using the Cisco IOS CLI. The functions and syntax are listed here:

Switch from privileged EXEC mode to global configuration mode.
S1#configure terminal

Configure a login banner.
S1(config)#banner login "Authorized Personnel Only!"


Page 2:
Configure a MOTD Banner

The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users (such as impending system shutdowns). The MOTD banner displays before the login banner if it is configured.

Define the MOTD banner by using the banner motd command in global configuration mode. Enclose the banner text in quotations.

The figure shows the S1 switch being configured with a MOTD banner to display Device maintenance will be occurring on Friday!

To remove the MOTD banner, enter the no form of this command in global configuration mode, for example, S1(config)#no banner motd.


2.4.2 - Login Banners
The diagram depicts configuring an MOTD banner using the Cisco IOS CLI. The functions and syntax are listed here:

Switch from privileged EXEC mode to global configuration mode.
S1#configure terminal

Configure an MOTD banner.
S1(config)#banner motd "Device maintenance will be occurring on Friday!"


2.4.3 Configure Telnet and SSH

Page 1:
Telnet and SSH

Older switches may not support secure communication with Secure Shell (SSH). This topic will help you choose between the Telnet and SSH methods of communicating with a switch.

There are two choices for remotely accessing a vty on a Cisco switch.

Telnet is the original method that was supported on early Cisco switch models. Telnet is a popular protocol used for terminal access because most current operating systems come with a Telnet client built in. However, Telnet is an insecure way of accessing a network device, because it sends all communications across the network in clear text. Using network monitoring software, an attacker can read every keystroke that is sent between the Telnet client and the Telnet service running on the Cisco switch. Because of the security concerns of the Telnet protocol, SSH has become the preferred protocol for remotely accessing virtual terminal lines on a Cisco device.

SSH gives the same type of access as Telnet with the added benefit of security. Communication between the SSH client and SSH server is encrypted. SSH has gone through a few versions, with Cisco devices currently supporting both SSHv1 and SSHv2. It is recommended that you implement SSHv2 when possible, because it uses a stronger encryption algorithm than SSHv1.

The figure presents the differences between the two protocols.


2.4.3 - Configure Telnet and SSH
The diagram depicts the characteristics of Telnet and SSH for gaining remote access to a switch.
Telnet
- Most common access method.
- Sends clear text message streams.
- Is not secure.

SSH
- Should be the common access method.
- Sends an encrypted message stream.
- Is secure.


Page 2:
Configuring Telnet

Telnet is the default vty-supported protocol on a Cisco switch. When a management IP address is assigned to the Cisco switch, you can connect to it using a Telnet client. Initially, the vty lines are unsecured, allowing access by any user attempting to connect to them.

In the previous topic, you learned how to secure access to the switch over the vty lines by requiring password authentication. This makes running the Telnet service a little more secure.

Because Telnet is the default transport for the vty lines, you do not need to specify it after the initial configuration of the switch has been performed. However, if you have switched the transport protocol on the vty lines to permit only SSH, you need to enable the Telnet protocol to permit Telnet access manually.

If you need to re-enable the Telnet protocol on a Cisco 2960 switch, use the following command from line configuration mode: (config-line)#transport input telnet or (config-line)#transport input all.

By permitting all transport protocols, you still permit SSH access to the switch as well as Telnet access.


2.4.3 - Configure Telnet and SSH
The diagram depicts configuring the switch for Telnet access using the Cisco IOS CLI. The syntax is shown here:

S1(config)#line vty 0 15
S1(config-line)#transport input telnet


Page 3:
Configuring SSH

SSH is a cryptographic security feature that is subject to export restrictions. To use this feature, a cryptographic image must be installed on your switch.

The SSH feature has an SSH server and an SSH integrated client, which are applications that run on the switch. You can use any SSH client running on a PC or the Cisco SSH client running on the switch to connect to a switch running the SSH server.

The switch supports SSHv1 or SSHv2 for the server component. The switch supports only SSHv1 for the client component.

SSH supports the Data Encryption Standard (DES) algorithm, the Triple DES (3DES) algorithm, and password-based user authentication. DES offers 56-bit encryption, and 3DES offers 168-bit encryption. Encryption takes time, but DES takes less time to encrypt text than 3DES. Typically, encryption standards are specified by the client, so if you have to configure SSH, ask which one to use. (The discussion of data encryption methods is beyond the scope of this course.)

To implement SSH, you need to generate RSA keys. RSA involves a public key, kept on a public RSA server, and a private key, kept only by the sender and receiver. The public key can be known to everyone and is used for encrypting messages. Messages encrypted with the public key can only be decrypted using the private key. This is known as asymmetric encryption and will be discussed in greater detail in the Exploration: Accessing the WAN course.

You generate the RSA key pair using the crypto key generate rsa command.

This procedure is required if you are configuring the switch as an SSH server. Beginning in privileged EXEC mode, follow these steps to configure a hostname and an IP domain name and to generate an RSA key pair.

Step 1. Enter global configuration mode using the configure terminal command.

Step 2. Configure a hostname for your switch using the hostname hostname command.

Step 3. Configure a host domain for your switch using the ip domain-name domain_name command.

Step 4. Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair using the crypto key generate rsa command.

When you generate RSA keys, you are prompted to enter a modulus length. Cisco recommends using a modulus size of 1024 bits. A longer modulus length might be more secure, but it takes longer to generate and to use.

Step 5. Return to privileged EXEC mode using the end command.

Step 6. Show the status of the SSH server on the switch using the show ip ssh or show ssh command.

To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. After the RSA key pair is deleted, the SSH server is automatically disabled.

Configuring the SSH Server

Beginning in privileged EXEC mode, follow these steps to configure the SSH server.

Step 1. Enter global configuration mode using the configure terminal command.

Step 2. (Optional) Configure the switch to run SSHv1 or SSHv2 using the ip ssh version [1 | 2] command.

If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2.

Step 3. Configure the SSH control parameters:

  • Specify the time-out value in seconds; the default is 120 seconds. The range is 0 to 120 seconds. For an SSH connection to be established, a number of phases must be completed, such as connection, protocol negotiation, and parameter negotiation. The time-out value applies to the amount of time the switch allows for a connection to be established.

By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4). After the execution shell starts, the CLI-based session time-out value returns to the default of 10 minutes.

  • Specify the number of times that a client can re-authenticate to the server. The default is 3; the range is 0 to 5. For example, a user can allow the SSH session to sit for more than 10 minutes three times before the SSH session is terminated.

Repeat this step when configuring both parameters. To configure both parameters use the ip ssh {timeout seconds | authentication-retries number} command.

Step 4. Return to privileged EXEC mode using the end command.

Step 5. Display the status of the SSH server connections on the switch using the show ip ssh or the show ssh command.

Step 6. (Optional) Save your entries in the configuration file using the copy running-config startup-config command.

If you want to prevent non-SSH connections, add the transport input ssh command in line configuration mode to limit the switch to SSH connections only. Straight (non-SSH) Telnet connections are refused.
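As an added example (not part of the course and not Cisco code), a small Python audit that reads a running-config and checks the SSH settings from the steps above: SSH version pinned to 2, time-out and authentication-retries within the documented ranges, and every vty line restricted with transport input ssh. The sample config is constructed; the course writes the timeout keyword as ip ssh timeout while IOS running-configs show ip ssh time-out, so both spellings are accepted.

```python
"""Audit a Cisco IOS running-config for the SSH settings described above.

Constructed example, not course or Cisco code. It checks that SSH version 2
is pinned, that the time-out and authentication-retries values fall inside
the documented ranges (0-120 seconds, 0-5 retries), and that every vty line
accepts only SSH (transport input ssh).
"""
import re

# Constructed sample running-config; not captured from a real switch.
SAMPLE_CONFIG = """\
hostname S1
ip domain-name mydomain.com
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 transport input ssh
line vty 5 15
 password cisco
 login
 transport input telnet ssh
"""

MAX_TIMEOUT = 120   # documented range: 0 to 120 seconds
MAX_RETRIES = 5     # documented range: 0 to 5 retries


def parse_line_blocks(config):
    """Return {"vty 0 4": [...indented commands...], ...} for every line block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None          # any other top-level command ends the block
    return blocks


def audit_ssh(config):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ip ssh version 2 not set; server may negotiate SSHv1")
    # The course writes 'ip ssh timeout'; IOS running-configs show 'ip ssh time-out'.
    m = re.search(r"^ip ssh time-?out (\d+)$", config, re.M)
    if m and not 0 <= int(m.group(1)) <= MAX_TIMEOUT:
        findings.append(f"ip ssh time-out {m.group(1)} is outside 0-{MAX_TIMEOUT}")
    m = re.search(r"^ip ssh authentication-retries (\d+)$", config, re.M)
    if m and not 0 <= int(m.group(1)) <= MAX_RETRIES:
        findings.append(f"ip ssh authentication-retries {m.group(1)} is outside 0-{MAX_RETRIES}")
    for name, commands in parse_line_blocks(config).items():
        if not name.startswith("vty"):
            continue                # console and aux lines are out of scope here
        transports = [c for c in commands if c.startswith("transport input")]
        if not transports:
            findings.append(f"line {name}: no transport input; non-SSH access may be accepted")
        elif transports[-1] != "transport input ssh":
            findings.append(f"line {name}: '{transports[-1]}' permits non-SSH access")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```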

For a detailed discussion on SSH, visit: http://www.cisco.com/en/US/tech/tk583/tk617/tsd_technology_support_protocol_home.html.

For an overview of RSA technology, visit http://en.wikipedia.org/wiki/Public-key_cryptography.

For a detailed discussion on RSA technology, visit: http://www.rsa.com/rsalabs/node.asp?id=2152.


2.4.3 - Configure Telnet and SSH
The diagram depicts configuring the switch for SSH access using the Cisco I O S C L I. The syntax is shown here:

(config)#i p domain name my domain dot com
(config)#crypto key generate r s a
(config)#i p ssh version 2
(config)#line v t y 0 15
(config-line)#transport input ssh


2.4.4 Common Security Attacks

Page 1:
Security Attacks

Unfortunately, basic switch security does not stop malicious attacks from occurring. In this topic, you will learn about a few common security attacks and how dangerous they are. This topic provides introductory level information about security attacks. The details of how some of these common attacks work are beyond the scope of the course. If you find network security of interest, you should explore the course CCNA Exploration: Accessing the WAN.

MAC Address Flooding

MAC address flooding is a common attack. Recall that the MAC address table in a switch contains the MAC addresses available on a given physical port of a switch and the associated VLAN parameters for each. When a Layer 2 switch receives a frame, the switch looks in the MAC address table for the destination MAC address. All Catalyst switch models use a MAC address table for Layer 2 switching. As frames arrive on switch ports, the source MAC addresses are learned and recorded in the MAC address table. If an entry exists for the MAC address, the switch forwards the frame to the MAC address port designated in the MAC address table. If the MAC address does not exist, the switch acts like a hub and forwards the frame out every other port on the switch. MAC address table overflow attacks are sometimes referred to as MAC flooding attacks. To understand the mechanism of a MAC address table overflow attack, recall the basic operation of a switch.

Click the Step 1 button in the figure to see how MAC address table overflow attack begins.

In the figure, host A sends traffic to host B. The switch receives the frames and looks up the destination MAC address in its MAC address table. If the switch cannot find the destination MAC in the MAC address table, the switch then copies the frame and broadcasts it out every switch port.

Click the Step 2 button in the figure to see the next step.

Host B receives the frame and sends a reply to host A. The switch then learns that the MAC address for host B is located on port 2 and writes that information into the MAC address table.

Host C also receives the frame from host A to host B, but because the destination MAC address of that frame is host B, host C drops that frame.

Click the Step 3 button in the figure to see the next step.

Now, any frame sent by host A (or any other host) to host B is forwarded to port 2 of the switch and not broadcast out every port.

The key to understanding how MAC address table overflow attacks work is to know that MAC address tables are limited in size. MAC flooding makes use of this limitation to bombard the switch with fake source MAC addresses until the switch MAC address table is full. The switch then enters into what is known as a fail-open mode, starts acting as a hub, and broadcasts packets to all the machines on the network. As a result, the attacker can see all of the frames sent from a victim host to another host without a MAC address table entry.

Click the Step 4 button in the figure to see how an attacker uses legitimate tools maliciously.

The figure shows how an attacker can use the normal operating characteristics of the switch to stop the switch from operating.

MAC flooding can be performed using a network attack tool. The network intruder uses the attack tool to flood the switch with a large number of invalid source MAC addresses until the MAC address table fills up. When the MAC address table is full, the switch floods all ports with incoming traffic because it cannot find the port number for a particular MAC address in the MAC address table. The switch, in essence, acts like a hub.

Some network attack tools can generate 155,000 MAC entries on a switch per minute. Depending on the switch, the maximum MAC address table size varies. In the figure, the attack tool is running on the host with MAC address C in the bottom right of the screen. This tool floods a switch with packets containing randomly generated source and destination MAC and IP addresses. Over a short period of time, the MAC address table in the switch fills up until it cannot accept new entries. When the MAC address table fills up with invalid source MAC addresses, the switch begins to forward all frames that it receives to every port.

Click the Step 5 button in the figure to see the next step.

As long as the network attack tool is left running, the MAC address table on the switch remains full. When this happens, the switch begins to broadcast all received frames out every port so that frames sent from host A to host B are also broadcast out of port 3 on the switch.


2.4.4 - Common Security Attacks
The diagram depicts a MAC address flooding attack. There are three host PC's labeled MAC A, MAC B, and MAC C connected to a common switch. MAC A is connected to switch Port 1. MAC B is connected to switch Port 2, and MAC C is connected to switch Port 3. The MAC address table shows MAC A on switch Port 1 and MAC C on switch Port 3. The steps in the MAC address flooding attack are as follows:

Step 1:
The MAC address table is incomplete.
B is unknown, so the switch floods the frame.
MAC C sees traffic to MAC B.
Step 2:
The MAC address table learns that B is on Port 2.
C drops the packet addressed to B.
Step 3:
MAC address tables are limited in size.
The MAC address table has learned B is on Port 2.
MAC C does not see traffic to MAC B anymore.
Step 4:
An intruder runs an attack tool on MAC C.
Bogus addresses are added to the MAC address table.
X and Y are on Port 3, and the MAC address table is updated.
Attacker starts sending unknown bogus MAC addresses.
Step 5:
The MAC address table is full.
MAC B is unknown, so the switch floods the frame looking for MAC B.


Page 2:
Spoofing Attacks

Click the Spoofing button in the figure.

One way an attacker can gain access to network traffic is to spoof responses that would be sent by a valid DHCP server. The DHCP spoofing device replies to client DHCP requests. The legitimate server may also reply, but if the spoofing device is on the same segment as the client, its reply to the client may arrive first. The intruder DHCP reply offers an IP address and supporting information that designates the intruder as the default gateway or Domain Name System (DNS) server. In the case of a gateway, the clients then forward packets to the attacking device, which in turn, sends them to the desired destination. This is referred to as a man-in-the-middle attack, and it may go entirely undetected as the intruder intercepts the data flow through the network.

You should be aware of another type of DHCP attack called a DHCP starvation attack. The attacker PC continually requests IP addresses from a real DHCP server by changing its source MAC address. If successful, this kind of DHCP attack causes all of the leases on the real DHCP server to be allocated, thus preventing the real users (DHCP clients) from obtaining an IP address.

To prevent DHCP attacks, use the DHCP snooping and port security features on the Cisco Catalyst switches.

Cisco Catalyst DHCP Snooping and Port Security Features

DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests. Ports are identified as trusted and untrusted. Trusted ports can source all DHCP messages; untrusted ports can source requests only. Trusted ports host a DHCP server or can be an uplink toward the DHCP server. If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down. This feature can be coupled with DHCP options in which switch information, such as the port ID of the DHCP request, can be inserted into the DHCP request packet.

Click the DHCP Snooping button.

Untrusted ports are those not explicitly configured as trusted. A DHCP binding table is built for untrusted ports. Each entry contains a client MAC address, IP address, lease time, binding type, VLAN number, and port ID recorded as clients make DHCP requests. The table is then used to filter subsequent DHCP traffic. From a DHCP snooping perspective, untrusted access ports should not send any DHCP server responses.

These steps illustrate how to configure DHCP snooping on a Cisco IOS switch:

Step 1. Enable DHCP snooping using the ip dhcp snooping global configuration command.

Step 2. Enable DHCP snooping for specific VLANs using the ip dhcp snooping vlan number [number] command.

Step 3. Define ports as trusted or untrusted at the interface level by defining the trusted ports using the ip dhcp snooping trust command.

Step 4. (Optional) Limit the rate at which an attacker can continually send bogus DHCP requests through untrusted ports to the DHCP server using the ip dhcp snooping limit rate rate command.
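The trusted/untrusted policy, the binding table and the rate limit from the steps above, as an added Python model that is not course or Cisco code; the DHCP message dicts, port names and traffic are constructed, and using the binding table to validate RELEASE/DECLINE messages is one of the "subsequent DHCP traffic" filters, chosen here as an assumption.

```python
"""Simulated DHCP snooping (constructed example, not course or Cisco code).

Models the policy described above: server messages (OFFER, ACK, NAK) that
arrive on an untrusted port are dropped and the port is shut down; client
messages on an untrusted port are counted against an optional per-port rate
limit (ip dhcp snooping limit rate); ACKs relayed through a trusted port
populate a binding table (client MAC, IP, lease, type, VLAN, port), which is
then used to validate RELEASE and DECLINE messages from untrusted ports. The
message dicts and that last filtering rule are simplifying assumptions.
"""
from collections import defaultdict

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}
CLIENT_MESSAGES = {"DHCPDISCOVER", "DHCPREQUEST", "DHCPRELEASE", "DHCPDECLINE"}


class DhcpSnooping:
    def __init__(self, trusted_ports, rate_limits=None):
        self.trusted = set(trusted_ports)
        self.rate_limits = rate_limits or {}    # untrusted port -> requests/second
        self.err_disabled = set()
        self.bindings = {}                      # client MAC -> binding entry
        self._pending = {}                      # client MAC -> (port, vlan)
        self._requests = defaultdict(int)       # (port, second) -> client messages
        self.log = []

    def process(self, msg):
        """Return 'forward' or 'drop' for one DHCP message given as a dict."""
        port, kind, mac = msg["port"], msg["type"], msg["client_mac"]
        if port in self.err_disabled:
            return "drop"
        if port in self.trusted:                # trusted ports may source anything
            if kind == "DHCPACK" and mac in self._pending:
                client_port, vlan = self._pending.pop(mac)
                self.bindings[mac] = {"ip": msg["yiaddr"], "lease": msg["lease"],
                                      "type": "dynamic", "vlan": vlan,
                                      "port": client_port}
            return "forward"
        if kind in SERVER_MESSAGES:             # rogue server behind an access port
            self.err_disabled.add(port)
            self.log.append(f"{kind} on untrusted port {port}: port shut down")
            return "drop"
        if kind not in CLIENT_MESSAGES:
            return "drop"
        key = (port, int(msg["time"]))
        self._requests[key] += 1
        limit = self.rate_limits.get(port)
        if limit is not None and self._requests[key] > limit:
            self.log.append(f"rate limit {limit}/s exceeded on {port}")
            return "drop"                       # blunts DHCP starvation
        if kind in ("DHCPRELEASE", "DHCPDECLINE"):
            b = self.bindings.get(mac)
            if b is None or b["port"] != port or b["ip"] != msg["ciaddr"]:
                self.log.append(f"{kind} from {mac} on {port} does not match a binding")
                return "drop"
            return "forward"
        self._pending[mac] = (port, msg["vlan"])  # remember where the client sits
        return "forward"


def demo():
    """Constructed traffic: client on Fa0/2, rogue server on Fa0/3, real server via Gi0/1."""
    snoop = DhcpSnooping(trusted_ports={"Gi0/1"}, rate_limits={"Fa0/2": 2})
    c = "aaaa.bbbb.0001"
    events = [
        dict(time=0.0, port="Fa0/2", type="DHCPDISCOVER", client_mac=c, vlan=10),
        dict(time=0.1, port="Fa0/3", type="DHCPOFFER", client_mac=c),      # rogue
        dict(time=0.2, port="Gi0/1", type="DHCPOFFER", client_mac=c),      # legitimate
        dict(time=0.3, port="Fa0/2", type="DHCPREQUEST", client_mac=c, vlan=10),
        dict(time=0.4, port="Gi0/1", type="DHCPACK", client_mac=c,
             yiaddr="10.0.10.25", lease=86400),
        dict(time=0.5, port="Fa0/2", type="DHCPDISCOVER",                 # 3rd in 1 s
             client_mac="aaaa.bbbb.0002", vlan=10),
        dict(time=1.0, port="Fa0/4", type="DHCPRELEASE", client_mac=c,     # spoofed
             ciaddr="10.0.10.25"),
        dict(time=1.5, port="Fa0/2", type="DHCPRELEASE", client_mac=c,     # genuine
             ciaddr="10.0.10.25"),
    ]
    return [snoop.process(e) for e in events], snoop
```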


2.4.4 - Common Security Attacks
The diagram depicts a spoofing attack and Cisco Catalyst DHCP snooping and port security features.

Spoofing:
Image: There are two Layer 2 switches connected by a link. A Layer 3 switch and a rogue DHCP attacker are connected to one of the Layer 2 switches. A legitimate DHCP server is also connected to the Layer 3 switch. A regular DHCP client is connected to the other Layer 2 switch.

One. An attacker activates a DHCP server on a network segment.
Two. The client broadcasts a request for DHCP configuration information.
Three. The rogue DHCP server responds before the legitimate DHCP server can respond, assigning attacker-defined IP configuration information.
Four. Host packets are redirected to the attacker's address because it emulates a default gateway for the erroneous DHCP address provided to the client.

DHCP Snooping
Image: Same as for spoofing, but the Layer 3 switch port connected to the legitimate DHCP server is now labeled as a Trusted Port, and the port connected to the Rogue DHCP Attacker is now labeled as an Untrusted Port.

DHCP snooping allows ports to be configured as trusted or untrusted.
- Trusted ports can send DHCP requests and acknowledgements.
- Untrusted ports can only forward DHCP requests.

DHCP snooping enables the switch to build a DHCP binding table that maps a client MAC address, IP address, V LAN, and port ID.

Use the i p dhcp snooping command.


Page 3:
CDP Attacks

The Cisco Discovery Protocol (CDP) is a proprietary protocol that all Cisco devices can be configured to use. CDP discovers other Cisco devices that are directly connected, which allows the devices to auto-configure their connection in some cases, simplifying configuration and connectivity. CDP messages are not encrypted.

By default, most Cisco routers and switches have CDP enabled. CDP information is sent in periodic broadcasts that are updated locally in each device's CDP database. Because CDP is a Layer 2 protocol, it is not propagated by routers.

CDP contains information about the device, such as the IP address, software version, platform, capabilities, and the native VLAN. When this information is available to an attacker, they can use it to find exploits to attack your network, typically in the form of a Denial of Service (DoS) attack.

The figure is a portion of an Ethereal packet trace showing the inside of a CDP packet. The Cisco IOS software version discovered via CDP, in particular, would allow the attacker to research and determine whether there were any security vulnerabilities specific to that particular version of code. Also, because CDP is unauthenticated, an attacker could craft bogus CDP packets and have them received by the attacker's directly connected Cisco device.

To address this vulnerability, it is recommended that you disable the use of CDP on devices that do not need to use it.


2.4.4 - Common Security Attacks
The diagram depicts a screenshot of the Wireshark application capturing the switch software version from a Cisco Discovery Protocol (CDP) frame.


Page 4:
Telnet Attacks

The Telnet protocol can be used by an attacker to gain remote access to a Cisco network switch. In an earlier topic, you configured a login password for the vty lines and set the lines to require password authentication to gain access. This provides an essential and basic level of security to help protect the switch from unauthorized access. However, it is not a secure method of protecting access to the vty lines. There are tools available that allow an attacker to launch a brute force password cracking attack against the vty lines on the switch.

Brute Force Password Attack

The first phase of a brute force password attack starts with the attacker using a list of common passwords and a program designed to try to establish a Telnet session using each word in the dictionary list. Luckily, you are smart enough not to use a dictionary word, so you are safe for now. In the second phase of a brute force attack, the attacker uses a program that creates sequential character combinations in an attempt to "guess" the password. Given enough time, a brute force password attack can crack almost all passwords used.

The simplest thing that you can do to limit the vulnerability to brute force password attacks is to change your passwords frequently and use strong passwords that randomly mix uppercase and lowercase letters with numerals. More advanced configurations allow you to limit who can communicate with the vty lines by using access lists, but that is beyond the scope of this course.

DoS Attack

Another type of Telnet attack is the DoS attack. In a DoS attack, the attacker exploits a flaw in the Telnet server software running on the switch that renders the Telnet service unavailable. This sort of attack is mostly a nuisance because it prevents an administrator from performing switch management functions.

Vulnerabilities in the Telnet service that permit DoS attacks to occur are usually addressed in security patches that are included in newer Cisco IOS revisions. If you are experiencing a DoS attack against the Telnet service, or any other service on a Cisco device, check to see if there is a newer Cisco IOS revision available.


2.4.4 - Common Security Attacks
The diagram depicts text describing a Telnet attack.

Types of Telnet attacks:
- Brute force password attacks.
- D o S attacks.

Protecting against a brute force password attack:
- Change passwords frequently.
- Use strong passwords.
- Limit who can communicate with the v t y lines.

Protecting against a D o S attack:
- Update to the newest version of Cisco I O S software.


2.4.5 Security Tools

Page 1:
After you have configured switch security, you need to verify that you have not left any weakness for an attacker to exploit. Network security is a complex and changing topic. In this section, you are introduced to how network security tools are one component used to protect a network from malicious attacks.

Network security tools help you test your network for various weaknesses. They are tools that allow you to play the roles of a hacker and a network security analyst. Using these tools, you can launch an attack and audit the results to determine how to adjust your security policies to prevent a given attack.

The features used by network security tools are constantly evolving. For example, network security tools once focused only on the services listening on the network and examined these services for flaws. Today, viruses and worms are able to propagate because of flaws in mail clients and web browsers. Modern network security tools not only detect the remote flaws of the hosts on the network, but also determine if there are application level flaws, such as missing patches on client computers. Network security extends beyond network devices, all the way to the desktop of users. Security auditing and penetration testing are two basic functions that network security tools perform.

Network Security Audit

Network security tools allow you to perform a security audit of your network. A security audit reveals what sort of information an attacker can gather simply by monitoring network traffic. Network security auditing tools allow you to flood the MAC table with bogus MAC addresses. Then you can audit the switch ports while the switch floods traffic out all ports, as the legitimate MAC address mappings age out and are replaced with more bogus MAC address mappings. In this way, you can determine which ports are compromised and have not been correctly configured to prevent this type of attack.

Timing is an important factor in performing the audit successfully. Different switches support varying numbers of MAC addresses in their MAC table. It can be tricky to determine the ideal amount of spoofed MAC addresses to throw out on the network. You also have to contend with the age-out period of the MAC table. If the spoofed MAC addresses start to age out while you are performing your network audit, valid MAC addresses start to populate the MAC table, limiting the data that you can monitor with a network auditing tool.

Network Penetration Testing

Network security tools can also be used for penetration testing against your network. This allows you to identify weaknesses within the configuration of your networking devices. There are numerous attacks that you can perform, and most tool suites come with extensive documentation detailing the syntax needed to execute the desired attack. Because these types of tests can have adverse effects on the network, they are carried out under very controlled conditions, following documented procedures detailed in a comprehensive network security policy. Of course, if you have a small classroom-based network, you can arrange to work with your instructor to try your own network penetration tests.

In the next topic, you will learn how to implement port security on your Cisco switches so that you can ensure these network security tests do not reveal any flaws in your security configuration.


2.4.5 - Security Tools
The diagram depicts text describing security tools.
Network security tools perform these functions:
Network security audits help you to:
- Reveal what sort of information an attacker can gather simply by monitoring network traffic.
- Determine the ideal amount of spoofed MAC addresses to remove.
- Determine the age-out period of the MAC address table.

Network penetration testing helps you to:
- Identify weaknesses within the configuration of your networking devices.
- Launch numerous attacks to test your network.
- Caution: Plan penetration tests to avoid network performance impacts.


Page 2:
Network Security Tools Features

A secure network really is a process, not a product. You cannot just enable a switch with a secure configuration and declare the job done. To say you have a secure network, you need to have a comprehensive network security plan defining how to regularly verify that your network can withstand the latest malicious network attacks. The changing landscape of security risks means that you need auditing and penetration tools that can be updated to look for the latest security risks. Common features of a modern network security tool include:

  • Service identification: Tools are used to target hosts using the Internet Assigned Numbers Authority (IANA) port numbers. These tools should also be able to discover an FTP server running on a non-standard port or a web server running on port 8080. The tool should also be able to test all the services running on a host.
  • Support of SSL services: Testing services that use SSL level security, including HTTPS, SMTPS, IMAPS, and security certificates.
  • Non-destructive and destructive testing: Performing non-destructive security audits on a routine basis that do not compromise or only moderately compromise network performance. The tools should also let you perform destructive audits that significantly degrade network performance. Destructive auditing allows you to see how well your network withstands attacks from intruders.
  • Database of vulnerabilities: Vulnerabilities change all the time.

Network security tools need to be designed so they can plug in a module of code and then run a test for that vulnerability. In this way, a large database of vulnerabilities can be maintained and uploaded to the tool to ensure that the most recent vulnerabilities are being tested.

You can use network security tools to:

  • Capture chat messages
  • Capture files from NFS traffic
  • Capture HTTP requests in Common Log Format
  • Capture mail messages in Berkeley mbox format
  • Capture passwords
  • Display captured URLs in browser in real time
  • Flood a switched LAN with random MAC addresses
  • Forge replies to DNS address / pointer queries
  • Intercept packets on a switched LAN


2.4.5 - Security Tools
The diagram depicts text describing network security tools features.
Common features of a modern network security tool include:
- Service identification.
- Support of SSL services.
- Non-destructive and destructive testing.
- Database of vulnerabilities.

You can use network security tools to:
- Capture chat messages.
- Capture files from NFS traffic.
- Capture HTTP requests in common log format.
- Capture e-mail messages in Berkeley m box format.
- Capture passwords.
- Display captured URL's in Netscape in real time.
- Flood a switched LAN with random MAC addresses.
- Forge replies to DNS address and pointer queries.
- Intercept packets on a switched LAN.


2.4.6 Configuring Port Security

Page 1:
Using Port Security to Mitigate Attacks

In this topic, you will learn about the issues to consider when configuring port security on a switch. Key port security Cisco IOS commands are summarized. You will also learn about configuring static and dynamic port security.

Click the Port Security button in the figure.

Port Security

A switch that does not provide port security allows an attacker to attach a system to an unused, enabled port and to perform information gathering or attacks. A switch can be configured to act like a hub, which means that every system connected to the switch can potentially view all network traffic passing through the switch to all systems connected to the switch. Thus, an attacker could collect traffic that contains usernames, passwords, or configuration information about the systems on the network.

All switch ports or interfaces should be secured before the switch is deployed. Port security limits the number of valid MAC addresses allowed on a port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.

If you limit the number of secure MAC addresses to one and assign a single secure MAC address to that port, the workstation attached to that port is assured the full bandwidth of the port, and only that workstation with that particular secure MAC address can successfully connect to that switch port.

If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, a security violation occurs when the MAC address of a workstation attempting to access the port is different from any of the identified secure MAC addresses. The figure summarizes these points.

Click the Secure MAC Address Types button in the figure.

Secure MAC Address Types

There are a number of ways to configure port security. The following describes the ways you can configure port security on a Cisco switch:

  • Static secure MAC addresses: MAC addresses are manually configured by using the switchport port-security mac-address mac-address interface configuration command. MAC addresses configured in this way are stored in the address table and are added to the running configuration on the switch.
  • Dynamic secure MAC addresses: MAC addresses are dynamically learned and stored only in the address table. MAC addresses configured in this way are removed when the switch restarts.
  • Sticky secure MAC addresses: You can configure a port to dynamically learn MAC addresses and then save these MAC addresses to the running configuration.

Sticky MAC Addresses

Sticky secure MAC addresses have these characteristics:

  • When you enable sticky learning on an interface by using the switchport port-security mac-address sticky interface configuration command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses and adds all sticky secure MAC addresses to the running configuration.
  • If you disable sticky learning by using the no switchport port-security mac-address sticky interface configuration command, the sticky secure MAC addresses remain part of the address table but are removed from the running configuration.
  • When you configure sticky secure MAC addresses by using the switchport port-security mac-address sticky mac-address interface configuration command, these addresses are added to the address table and the running configuration. If port security is disabled, the sticky secure MAC addresses remain in the running configuration.
  • If you save the sticky secure MAC addresses in the configuration file, when the switch restarts or the interface shuts down, the interface does not need to relearn these addresses. If you do not save the sticky secure addresses, they are lost.
  • If you disable sticky learning and enter the switchport port-security mac-address sticky mac-address interface configuration command, an error message appears, and the sticky secure MAC address is not added to the running configuration.

Click the Security Violation Modes button in the figure.

Security Violation Modes

It is a security violation when either of these situations occurs:

  • The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
  • An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

You can configure the interface for one of three violation modes, based on the action to be taken if a violation occurs. The figure presents which kinds of data traffic are forwarded when one of the following security violation modes is configured on a port:

  • protect: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
  • restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. Specifically, an SNMP trap is sent, a syslog message is logged, and the violation counter increments.
  • shutdown: In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the shutdown and no shutdown interface configuration commands. This is the default mode.
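To tie the MAC address table overflow attack of 2.4.4 to the violation modes just described, the following Python model is an added example, not course or Cisco code: a switch with a size-limited, aging MAC table that floods again once the victim's entry has aged out and cannot be relearned, and the same attack against a port secured with maximum 1 in protect, restrict and shutdown mode. Hosts A, B and C on ports 1, 2 and 3 follow the figure; the table size, the 300-second aging time and the timings are constructed.

```python
"""Simulated switch: MAC table overflow versus port security.

Constructed example, not course or Cisco code. It models the behaviour the
text describes: source MACs are learned into a size-limited table with an
aging timer, frames to unknown destinations are flooded, a flood of bogus
sources keeps the table full so the victim's entry cannot be relearned, and
port security with maximum 1 rejects the bogus sources in protect, restrict
or shutdown mode. Hosts A, B, C on ports 1, 2, 3 follow the figure; table
size, the 300-second aging time and the timings are constructed.
"""

FLOOD = "flood"   # frame sent out every port except the one it arrived on
DROP = "drop"     # frame discarded


class Switch:
    def __init__(self, table_size, age_time=300):
        self.table_size = table_size
        self.age_time = age_time
        self.table = {}            # mac -> (port, last_seen)
        self.psec = {}             # port -> {"max", "mode", "secure"}
        self.violations = {}       # port -> violation counter
        self.err_disabled = set()
        self.syslog = []

    def enable_port_security(self, port, maximum=1, mode="shutdown"):
        assert mode in ("protect", "restrict", "shutdown")
        self.psec[port] = {"max": maximum, "mode": mode, "secure": set()}
        self.violations[port] = 0

    def _age(self, now):
        self.table = {m: (p, t) for m, (p, t) in self.table.items()
                      if now - t < self.age_time}

    def _secure(self, port, src):
        """Apply port security; return True if the frame may be processed."""
        ps = self.psec.get(port)
        if ps is None or src in ps["secure"]:
            return True
        if len(ps["secure"]) < ps["max"]:
            ps["secure"].add(src)           # dynamically learned secure MAC
            return True
        if ps["mode"] in ("restrict", "shutdown"):
            self.violations[port] += 1      # protect mode stays silent
            self.syslog.append(f"security violation by {src} on port {port}")
        if ps["mode"] == "shutdown":
            self.err_disabled.add(port)     # interface becomes error-disabled
        return False

    def receive(self, now, port, src, dst):
        """Return the egress port, FLOOD or DROP for one frame."""
        if port in self.err_disabled:
            return DROP
        self._age(now)
        if not self._secure(port, src):
            return DROP
        if src in self.table or len(self.table) < self.table_size:
            self.table[src] = (port, now)   # a full table learns nothing new
        entry = self.table.get(dst)
        return FLOOD if entry is None else entry[0]


def mac_flooding_scenario(table_size=100):
    """Attacker on port 3 sends a new bogus source MAC every second."""
    sw = Switch(table_size)
    first = sw.receive(0, 1, "A", "B")       # B unknown: flooded, C sees it
    sw.receive(1, 2, "B", "A")               # B learned on port 2
    learned = sw.receive(2, 1, "A", "B")     # now forwarded to port 2 only
    for t in range(3, 303):                  # table fills; B ages out at t=301
        sw.receive(t, 3, f"bogus-{t}", "B")
    after = sw.receive(303, 1, "A", "B")     # B cannot be relearned: flooded again
    return {"first": first, "learned": learned, "after": after,
            "b_known": "B" in sw.table}


def port_security_scenario(mode):
    """Same attacker, but port 3 is secured with maximum 1 in the given mode."""
    sw = Switch(table_size=100)
    sw.enable_port_security(3, maximum=1, mode=mode)
    sw.receive(0, 2, "B", "A")               # B known on port 2
    sw.receive(1, 3, "C", "B")               # C becomes the secure MAC on port 3
    bogus = [sw.receive(2 + i, 3, f"bogus-{i}", "B") for i in range(5)]
    legit = sw.receive(10, 3, "C", "B")      # C's own traffic after the attempt
    return {"bogus": bogus, "legit": legit, "violations": sw.violations[3],
            "err_disabled": 3 in sw.err_disabled, "table_entries": len(sw.table)}
```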


2.4.6 - Configuring Port Security
The diagram depicts multiple images including port security, secure MAC address types and security violation modes.

Port Security:
Implement security on all switch ports to:
- Specify a group of valid MAC addresses allowed on a port.
- Allow only one MAC address to access the port.
- Specify that the port automatically shuts down if unauthorized MAC addresses are detected.

Secure MAC Address Types:
Secure MAC addresses are the following types:
- Static secure.
- Dynamic secure.
- Sticky secure.

Sticky secure MAC addresses have these characteristics:
- Learned dynamically and converted to sticky secure MAC addresses stored in the running configuration.
- Disabling sticky learning removes MAC addresses from the running configuration, but not from the MAC table.
- Sticky secure MAC addresses are lost when the switch restarts.
- Saving sticky secure MAC addresses in the startup configuration file enables the switch to have them when it restarts.
- Disabling sticky learning converts sticky MAC addresses to dynamic secure addresses and removes them from the running configuration.

Security Violation Modes:
Security violations occur in these situations:
- A station whose MAC address is not in the address table attempts to access the interface when the table is full.
- An address is being used on two secure interfaces in the same V LAN.

Security violation modes include protect, restrict, and shutdown. In every mode the port keeps forwarding frames from its secure MAC addresses; "forwards offending traffic" below refers only to frames from an unknown source address once the limit has been reached.

Violation mode   Forwards offending traffic   Sends SNMP trap   Sends syslog message   Displays error message   Increases violation counter   Shuts down port
Protect          No                           No                No                     No                       No                            No
Restrict         No                           Yes               Yes                    No                       Yes                           No
Shutdown         No                           Yes               Yes                    No                       Yes                           Yes
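The three violation modes described in the shutdown bullet above and in the table are easy to get wrong in practice: protect gives no signal at all, and shutdown takes the legitimate host down along with the intruder. The following is an added example, not code from the course: a small Python model of a port-security-enabled port that replays a constructed sequence of source MAC addresses through each mode and reports what was forwarded, counted and logged. The MAC addresses and the logged message text are constructed for the example; the behaviour modelled is the one the text describes.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with port security enabled.

    violation is "protect", "restrict" or "shutdown" (the IOS default).
    """
    name: str
    maximum: int = 1
    violation: str = "shutdown"
    secure_macs: set = field(default_factory=set)
    violation_count: int = 0
    err_disabled: bool = False
    syslog: list = field(default_factory=list)   # messages the switch would log

    def receive(self, src_mac: str) -> bool:
        """Process one ingress frame and return True if the switch forwards it."""
        if self.err_disabled:
            return False                       # an err-disabled port passes nothing
        if src_mac in self.secure_macs:
            return True                        # known secure address
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)      # dynamic learning until the limit is hit
            return True
        # Table full and the source is unknown: this is a security violation.
        if self.violation == "protect":
            return False                       # dropped silently: no counter, no log, no trap
        self.violation_count += 1
        # Constructed message text, standing in for the syslog message and SNMP trap.
        self.syslog.append(f"security violation on {self.name} caused by MAC {src_mac}")
        if self.violation == "shutdown":
            self.err_disabled = True           # restrict leaves the port up; shutdown err-disables it
        return False

    def recover(self) -> None:
        """What 'shutdown' followed by 'no shutdown' does to an err-disabled port."""
        self.err_disabled = False


def run_scenario(violation: str, frames) -> dict:
    """Replay source MACs against a maximum-1 port and summarise what happened."""
    port = SecurePort("FastEthernet0/18", maximum=1, violation=violation)
    forwarded = [port.receive(mac) for mac in frames]
    return {"forwarded": forwarded,
            "violations": port.violation_count,
            "err_disabled": port.err_disabled,
            "logged": len(port.syslog)}


if __name__ == "__main__":
    # Constructed traffic: the legitimate host, then a second station plugged into the same port.
    frames = ["0050.baa6.06ce", "0050.baa6.06ce", "000c.2911.aabb", "0050.baa6.06ce"]
    for mode in ("protect", "restrict", "shutdown"):
        print(f"{mode:8s} {run_scenario(mode, frames)}")
```

Note the last frame in the shutdown run: the legitimate host is cut off as well, which is the trade-off to weigh when choosing between restrict and the shutdown default, and the reason the violation counter and syslog output matter for detection.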


Page 2:
Configure Port Security

Click the Default Configuration button in the figure.

The ports on a Cisco switch are preconfigured with defaults. The figure summarizes the default port security configuration.

Click the Configure Dynamic Port Security button in the figure.

The figure shows the Cisco IOS CLI commands needed to configure port security on Fast Ethernet port F0/18 of switch S1. Notice that the example does not specify a violation mode, so the default mode, shutdown, applies.

Click the Configure Sticky Port Security button in the figure.

The figure shows how to enable sticky port security on Fast Ethernet port 0/18 of switch S1. As stated earlier, you can configure the maximum number of secure MAC addresses; in this example, the Cisco IOS command syntax sets the maximum to 50. The violation mode is set to shutdown by default. Remember that sticky addresses are written only to the running configuration: save it with copy running-config startup-config, or the learned addresses are lost at the next reload.

There are other port security settings that you may find useful. For a complete listing of port security configuration options, visit: http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_44_se/configuration/guide/swtrafc.html


2.4.6 - Configuring Port Security
The diagram depicts multiple port security images including default configuration, configuring dynamic port security, and configuring sticky port security. Functions and Cisco IOS CLI syntax are provided.

Default Configuration:
Feature: Port security.
Default Setting: Disabled on a port.

Feature: Maximum number of secure MAC addresses.
Default Setting: One

Feature: Violation mode.
Default Setting: Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded and an SNMP trap notification is sent.

Feature: Sticky address learning.
Default Setting: Disabled.

Configuring Dynamic Port Security:
Enter global configuration mode.
S1#configure terminal

Specify the type and number of the physical interface to configure, for example, FastEthernet 0/18, and enter interface configuration mode.
S1(config)#interface FastEthernet 0/18

Set the interface mode as access. An interface left in its default dynamic trunking mode cannot be configured as a secure port.
S1(config-if)#switchport mode access

Enable port security on the interface.
S1(config-if)#switchport port-security

Return to privileged EXEC mode.
S1(config-if)#end


Configuring Sticky Port Security:
Enter global configuration mode.
S1#configure terminal

Specify the type and number of the physical interface to configure.
S1(config)#interface FastEthernet 0/18

Set the interface mode as access.
S1(config-if)#switchport mode access

Enable port security on the interface.
S1(config-if)#switchport port-security

Set the maximum number of secure addresses to 50.
S1(config-if)#switchport port-security maximum 50

Enable sticky learning.
S1(config-if)#switchport port-security mac-address sticky

Return to privileged EXEC mode.
S1(config-if)#end


Page 3:
Verify Port Security

After you have configured port security for your switch, you want to verify that it has been configured correctly. You need to check each interface to verify that you have set the port security correctly. You also have to check to make sure that you have configured static MAC addresses correctly.

Verify Port Security Settings

To display port security settings for the switch or for the specified interface, use the show port-security [interface interface-id] command.

The output displays the following:

  • Maximum allowed number of secure MAC addresses for each interface
  • Number of secure MAC addresses on the interface
  • Number of security violations that have occurred
  • Violation mode

Verify Secure MAC Addresses

Click the Verify Secure MAC Addresses button in the figure.

To display all secure MAC addresses configured on all switch interfaces or on a specified interface with aging information for each, use the show port-security [interface interface-id] address command.


2.4.6 - Configuring Port Security
The diagram depicts command output for verifying port security and secure MAC addresses.

Verify Port Security Settings:
Switch#show port-security interface fastEthernet0/18
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

Verify Secure MAC Addresses:
Output from the show port-security address command displays:

          Secure Mac Address Table
Vlan    Mac Address       Type                Ports    Remaining Age (mins)
----    -----------       ----                -----    --------------------
  99    0050.BAA6.06CE    SecureConfigured    Fa0/18   -
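The verification commands above are only useful if someone actually reads their output; across more than a handful of switches that is a job for a script. The following is an added example, not course code: it parses show port-security interface output of the form shown in the figure into a dictionary and flags the conditions an operator would act on (port security off, a protect mode that hides violations, a non-zero violation count, an err-disabled port, a maximum above policy). SAMPLE_OK is the output from the figure, padded the way IOS prints it; SAMPLE_VIOLATED, the MAC address in it, and the policy threshold max_allowed are constructed for the example.

```python
import re

# Each line of 'show port-security interface' output is 'Key<padding>: value'.
# The key itself may contain a colon (Last Source Address:Vlan), so the separator
# is the first colon that is followed by whitespace.
FIELD_RE = re.compile(r"^(?P<key>.+?)\s*:\s+(?P<value>.*)$")

# Sample 1: the output shown in the text (padded the way IOS prints it).
SAMPLE_OK = """\
Switch#show port-security interface fastEthernet0/18
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

# Sample 2: constructed output for a port that has tripped its shutdown violation mode.
SAMPLE_VIOLATED = """\
Switch#show port-security interface fastEthernet0/19
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 000c.2911.aabb:99
Security Violation Count   : 1
"""


def parse_port_security_interface(text):
    """Return the output's fields as a dict of key -> value string; the prompt line has no separator and is skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def audit_port_security(fields, max_allowed=1):
    """Flag conditions an operator would want to act on (max_allowed is an assumed policy value)."""
    if fields.get("Port Security") != "Enabled":
        return ["port security is not enabled on this interface"]
    findings = []
    if fields.get("Violation Mode", "").lower() == "protect":
        findings.append("violation mode protect: offending frames are dropped with no log or counter")
    violations = int(fields.get("Security Violation Count", "0"))
    if violations:
        findings.append(f"{violations} violation(s); last offending source/VLAN "
                        f"{fields.get('Last Source Address:Vlan')}")
    if fields.get("Port Status", "").lower() == "secure-shutdown":
        findings.append("port is err-disabled after a violation (shutdown / no shutdown to recover)")
    if int(fields.get("Maximum MAC Addresses", "0")) > max_allowed:
        findings.append(f"maximum secure addresses {fields['Maximum MAC Addresses']} "
                        f"exceeds policy of {max_allowed}")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_VIOLATED):
        fields = parse_port_security_interface(sample)
        print(fields.get("Port Status"), audit_port_security(fields) or "no findings")
```

Feed it the output of the same command collected over SSH from each switch and the findings list becomes the basis of a periodic port-security check.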


2.4.7 Securing Unused Ports

Page 1:
Disable Unused Ports

In this topic, you will learn how to use a simple Cisco IOS command to secure unused switch ports. A simple method many administrators use to help secure their network from unauthorized access is to disable all unused ports on a network switch. For example, imagine that a Cisco 2960 switch has 24 ports. If there are three Fast Ethernet connections in use, good security practice demands that you disable the 21 unused ports. The figure shows partial output for this configuration.

It is simple to disable multiple ports on a switch. Navigate to each unused port and issue the Cisco IOS shutdown command, or shut down several ports at once with the interface range command. If a port needs to be activated later, enter the no shutdown command on that interface.

The process of enabling and disabling ports can become a tedious task, but the value in terms of enhancing security on your network is well worth the effort.


2.4.7 - Securing Unused Ports
The diagram depicts disabling unused ports as shown in a partial output of the show running config command.

interface FastEthernet0/4
shutdown

interface FastEthernet0/5
shutdown

interface FastEthernet0/6
shutdown

interface FastEthernet0/18
switchport mode access
switchport port-security
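As an added example (not part of the course text), the Python script below generates the two hardening stanzas that this topic and the previous one describe: a port-security stanza for every in-use access port, and a shutdown for every unused port, with runs of consecutive unused ports collapsed into interface range statements. The 24-port layout, the choice of which three ports are in use, and the restrict and sticky options in secure_access_port are assumptions for the example, not defaults from the course.

```python
import re

# 'FastEthernet0/18' -> type 'FastEthernet', slot '0/', port number 18 (stacked '1/0/1' also parses).
IFACE_RE = re.compile(r"^(?P<type>[A-Za-z]+)(?P<slot>(?:\d+/)+)(?P<num>\d+)$")


def _split(iface):
    """Split an interface name into its module prefix and port number."""
    m = IFACE_RE.match(iface)
    if not m:
        raise ValueError(f"unrecognised interface name: {iface}")
    return m.group("type") + m.group("slot"), int(m.group("num"))


def interface_ranges(ifaces):
    """Collapse interface names into IOS 'interface' / 'interface range' headers.

    Consecutive port numbers on one module become a single range, e.g.
    ['FastEthernet0/4', 'FastEthernet0/5', 'FastEthernet0/6']
    -> ['interface range FastEthernet0/4 - 6']; a lone port gets a plain 'interface' line.
    """
    by_prefix = {}
    for iface in ifaces:
        prefix, num = _split(iface)
        by_prefix.setdefault(prefix, set()).add(num)
    headers = []
    for prefix in sorted(by_prefix):
        nums = sorted(by_prefix[prefix])
        start = prev = nums[0]
        for n in nums[1:] + [None]:          # None is a sentinel that flushes the last run
            if n is not None and n == prev + 1:
                prev = n
                continue
            if start == prev:
                headers.append(f"interface {prefix}{start}")
            else:
                headers.append(f"interface range {prefix}{start} - {prev}")
            if n is not None:
                start = prev = n
    return headers


def secure_access_port(iface, maximum=1, violation="restrict", sticky=True):
    """Port-security stanza for one access port; violation and sticky are the example's own choices."""
    lines = [f"interface {iface}",
             " switchport mode access",
             " switchport port-security",
             f" switchport port-security maximum {maximum}",
             f" switchport port-security violation {violation}"]
    if sticky:
        lines.append(" switchport port-security mac-address sticky")
    return lines


def build_config(all_ports, in_use, **ps_options):
    """Secure every in-use access port and shut down every other port."""
    lines = []
    for iface in all_ports:
        if iface in in_use:
            lines += secure_access_port(iface, **ps_options)
    unused = [p for p in all_ports if p not in in_use]
    for header in interface_ranges(unused):
        lines += [header, " shutdown"]
    return lines


if __name__ == "__main__":
    # Constructed example: a 24-port 2960 with three ports in use, as in the text.
    ports = [f"FastEthernet0/{n}" for n in range(1, 25)]
    in_use = {"FastEthernet0/1", "FastEthernet0/3", "FastEthernet0/18"}
    print("\n".join(build_config(ports, in_use)))
```

The generated text is pasted into global configuration mode; the lone unused port (FastEthernet0/2 in the constructed layout) comes out as a plain interface line and the two longer runs as interface range lines, so the script handles the single-port edge case the range syntax does not.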


Page 2:
In this activity, you will configure basic switch commands and then configure and test port security. Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


2.4.7 - Securing Unused Ports
Link to Packet Tracer Exploration: Configuring Switch Security


2.5 Chapter Labs

2.5.1 Basic Switch Configuration

Page 1:
In this lab, you will examine and configure a standalone LAN switch. Although a switch performs basic functions in its default out-of-the-box condition, there are a number of parameters that a network administrator should modify to ensure a secure and optimized LAN. This lab introduces you to the basics of switch configuration.


2.5.1 - Basic Switch Configuration
Link to Hands-on Lab: Basic Switch Configuration.


Page 2:
In this activity, you will examine and configure a standalone LAN switch. Although a switch performs basic functions in its default out-of-the-box condition, there are a number of parameters that a network administrator should modify to ensure a secure and optimized LAN. This activity introduces you to the basics of switch configuration.

Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


2.5.1 - Basic Switch Configuration
Link to Packet Tracer Exploration: Basic Switch Configuration


2.5.2 Managing Switch Operating System and Configuration Files

Page 1:
In this lab, you will create and save a basic switch configuration to a TFTP server. You will use a TFTP server to load a configuration to the switch and to upgrade the Cisco IOS software. You will also use password recovery procedures to access a switch for which the password is unknown.


2.5.2 - Managing Switch Operating System and Configuration Files
Link to Hands-on Lab: Managing Switch Operating System and Configuration Files.

In this lab, you will examine and manage the switch operating system and configuration files using a TFTP server.


2.5.3 Managing Switch Operating System and Configuration Files - Challenge

Page 1:
Cable a network that is similar to the one in the topology diagram. Then, create a console connection to the switch. If necessary, refer to Lab 1.3.1. The output shown in this lab is from a 2960 switch. If you use other switches, the switch outputs and interface descriptions may appear different.


2.5.3 - Managing Switch Operating System and Configuration Files - Challenge
Link to Hands-on Lab: Managing Switch Operating System and Configuration Files - Challenge.


2.6 Chapter Summary

2.6.1 Chapter Summary

Page 1:
In this chapter, we discussed IEEE 802.3 Ethernet communication using unicast, broadcast, and multicast traffic. Early implementations of Ethernet networks needed to use CSMA/CD to help prevent and detect collisions between frames on the network. Duplex settings and LAN segmentation improve performance and reduce the need for CSMA/CD.

LAN design is a process with the intended end result a determination of how a LAN is to be implemented. LAN design considerations include collision domains, broadcast domains, network latency, and LAN segmentation.

We discussed how switch forwarding methods influence LAN performance and latency. Memory buffering plays a role in switch forwarding, symmetric and asymmetric switching, and multilayer switching.

An introduction to navigating the Cisco IOS CLI on a Cisco Catalyst 2960 switch was presented. Built-in help functions are used to identify commands and command options. The Cisco IOS CLI maintains a command history that allows you to more quickly configure repetitive switch functions.

We discussed the initial switch configuration and how to verify the switch configuration. Backing up a switch configuration and restoring a switch configuration are key skills for anyone administering a switch.

We learned how to secure access to the switch: implementing passwords to protect console and virtual terminal lines, implementing passwords to limit access to privileged EXEC mode, configuring system-wide password encryption, and enabling SSH. There are a number of security risks common to Cisco Catalyst switches, many of which are mitigated by using port security.


2.6.1 - Summary and Review
In this chapter, you have learned:
- The 802.3 Ethernet standard communicates using unicast, broadcast, and multicast traffic. Duplex settings and LAN segmentation improve performance. Collision domains, broadcast domains, network latency, and LAN segmentation are key LAN design considerations.
- Switch forwarding methods influence LAN performance and latency. Memory buffering lets the switch store frames while it forwards them, and underlies symmetric, asymmetric, and multilayer switching.
- Using the Cisco IOS CLI, you can quickly configure repetitive switch functions.
- An initial switch configuration consists of providing basic IP connectivity, host names, and banners. Verify your configuration using the Cisco IOS show running-config command, and always back up your switch configurations.
- Use the Cisco IOS CLI to password protect console and virtual terminal access.
- Implement passwords to limit access to privileged EXEC mode and configure system-wide password encryption.
- Use SSH for remote terminal configuration on Cisco switches.
- Enable port security to mitigate these risks, and perform regular security analyses of network switches.


Page 2:


2.6.1 - Summary and Review
This is a review and is not a quiz. Questions and answers are provided.
Question One. Refer to the following diagram description when answering this question: There is one switch, S1 with two PC's attached. PC1 is attached to S1 Port 1, and PC2 is attached to S1 Port 3. A cable is attached to S1 Port 2, but no PC is attached.

There are six steps in the process of a switch learning a MAC address for the purposes of forwarding Ethernet frames. Put the following six steps in order by placing the appropriate number in the blank.
Answer:
One. The switch receives a broadcast frame from PC1 on Port 1.
Two. The switch enters the source MAC address and the switch port that received the frame into the address table.
Three. Because the destination address is a broadcast, the switch floods the frame to all ports, except the port on which it received the frame.
Four. The destination device replies to the broadcast with a unicast frame addressed to PC1.
Five. The switch enters the source MAC address of PC2 and the port number of the switch port that received the frame into the address table. The destination address of the frame and its associated port is found in the MAC address table.
Six. The switch can now forward frames between source and destination devices without flooding, because it has entries in the address table that identify the associated ports.


Question Two. List the two principal switch-forwarding methods and the two primary methods of memory buffering in switches.
Answer:
Store and forward switching and cut-through switching.
Port-based memory buffering and shared memory buffering.

Question Three. Refer to the following command output to answer the question. What is the likely reason for interface VLAN 99 displaying up/down as its status?

S1# show running-config

interface FastEthernet0/18
 switchport access vlan 99
 switchport mode access

interface Vlan99
 ip address 172.17.99.11 255.255.255.0
 no ip route-cache

S1# show ip interface brief
Interface            IP-Address      OK? Method Status   Protocol
Vlan99               172.17.99.11    YES manual up       down
FastEthernet0/18     unassigned      YES unset  down     down
FastEthernet0/19     unassigned      YES unset  down     down
GigabitEthernet0/2   unassigned      YES unset  down     down

Answer: There are no active physical interfaces associated with V LAN 99.

Question Four. Refer to the following commands to answer the question. Which two commands are unnecessary for a basic SSH configuration providing remote network connectivity for SSH clients? (Choose two.)

Switch(config)#ip domain-name mydomain.com
Switch(config)#crypto key generate rsa
Switch(config)#ip ssh version 2
Switch(config)#line vty 0 15
Switch(config-line)#transport input ssh

Answer: The ip ssh version 2 and transport input ssh commands are not required for SSH clients to connect. Both still belong in a secure configuration: transport input ssh is what stops the vty lines from also accepting Telnet, and ip ssh version 2 prevents fallback to the weaker SSH version 1.

Question Five. List and describe the three port security violation modes.
Answer:
Protect: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

Restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. Specifically, an SNMP trap is sent, a syslog message is logged, and the violation counter increments.

Shutdown: In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode.


Page 3:
In this Packet Tracer Skills Integration Challenge activity, you will configure basic switch management, including general maintenance commands, passwords, and port security. This activity provides you an opportunity to review previously acquired skills. Detailed instructions are provided within the activity as well as in the PDF link below.

Activity Instructions (PDF)

Click the Packet Tracer icon for more details.


2.6.1 - Summary and Review
Link to Packet Tracer Exploration: Packet Tracer Skills Integration Challenge.


2.7 Chapter Quiz

2.7.1 Chapter Quiz

Page 1:


2.7.1 - Chapter Quiz
1.Refer to the following command and error message to answer the question:
R2#clock set 19:56:00 04 8
Note: A caret is under the number 8 in the above command and the following error message is displayed:
% Invalid input detected at '^' marker.

What does the error message signify?
A.A parameter is missing.
B.The command was entered in the wrong CLI mode.
C.The data of one of the parameters is incorrect.
D.The command is ambiguous.

2.What is the effect of entering the banner login #Authorized Personnel Only!# command?
A.#Authorized Personnel Only!# appears after the user logs in.
B.Authorized Personnel Only! appears only when the user makes a Telnet connection.
C.#Authorized Personnel Only!# appears only when the user enters global configuration mode.
D.Authorized Personnel Only! appears before the username and password login prompts for any connection.

3.Match the command to the appropriate description.

Commands:
A. switchport port-security violation protect.
B. switchport port-security violation restrict.
C. switchport port-security violation shutdown.
D. switchport port-security mac-address sticky.
E. switchport port-security maximum.

Descriptions:
One. Frames with unknown source addresses are dropped and notification is sent.
Two. Frames with unknown source addresses are dropped and no notification is sent.
Three. Frames with unknown source address make the port err disabled and notification is sent.
Four. Defines the number of MAC addresses associated with a port.
Five. Allows dynamically learned MAC addresses to be stored in the running configuration.

4.Refer to the MAC address table described here to answer the question.
MAC Address Table:
Station MAC: 00-00-3D-1F-11-01, Interface: Three
Station MAC: 00-00-3D-1F-11-02, Interface: Four
Station MAC: 00-00-3D-1F-11-03, Interface: One

An Ethernet switch has developed the MAC address table described above. What action does the switch take when it receives the frame with the destination MAC address 00-00-3D-1F-11-03 and the source MAC address 00-00-3D-1F-11-01?
A.Forward the frame out all interfaces.
B.Forward the frame out all interfaces except Interface Three.
C.Discard the frame.
D.Forward the frame out Interface One.
E.Forward the frame out Interface Two.
F.Forward the frame out Interface Three.

5.Refer to the following command output to answer the question.

Switch# show version
Note: Some output has been omitted.
Compiled Wed 18-May-05 22:31
Running Standard Image
24 FastEthernet/IEEE 802.3 interfaces
2 Gigabit Ethernet/IEEE 802.3 interfaces
32K bytes of flash-simulated non-volatile configuration memory

What can be determined from the command output?
A.The system has 32 KB of NVRAM.
B.The switch has 24 physical ports.
C.The system was last restarted on May 18, 2005.
D.The Cisco IOS is a non-standard image.

6.What does pressing Ctrl-P on the command line do?
A.Begins context checking.
B.Accesses symbolic translation.
C.Accesses the command history buffer.
D.Initiates command prompting.

7.What advantage does SSH offer over Telnet when remotely connecting to a device?
A.Encryption.
B.More connection lines.
C.Connection-oriented services.
D.Username and password authentication.

8.Refer to the following network topology diagram description to answer the question:
-PC A and PC B connect to Hub 1. Hub 1 connects to Switch 1. Switch 1 connects to Router 1. Router 1 connects to Router 2 with a WAN link.
-PC C and PC D connect to Switch 2. Switch 2 connects to Router 1.
-PC E and PC F connect to Switch 3. Switch 3 connects to Router 2.
-PC G and PC H connect to Switch 4. Switch 4 connects to Router 2.

How many collision and broadcast domains are presented in the network?
A.Eight collision domains and two broadcast domains.
B.Eight collision domains and three broadcast domains.
C.Eleven collision domains and four broadcast domains.
D.Thirteen collision domains and two broadcast domains.

9.Match the term to the appropriate description.
Terms:
A. MAC address flooding.
B. DHCP starvation.
C. CDP attacks.
D. Telnet attack.

Descriptions:
One. Broadcasting requests for IP addresses with spoofed MAC addresses.
Two. Using proprietary Cisco protocols to gain information about a switch.
Three. The attacker fills the switch Content Addressable Memory (CAM) table with invalid MAC addresses.
Four. Using brute force password attacks to gain access to a switch.

10.Which three statements are true about the Carrier Sense Multiple Access with Collision Detection (CSMA/CD) technology? (Choose three.)
A.In an Ethernet LAN domain, each station continuously listens for traffic on the medium to determine when gaps between frame transmissions occur and then sends the frame.
B.In an Ethernet LAN domain, stations may begin transmitting any time they detect that the network is quiet (that is, there is no traffic).
C.In the CSMA/CD process, priorities are assigned to particular stations, and the station with the highest priority transmits the frame on the medium.
D.If a collision occurs in an Ethernet LAN domain, transmitting stations stop transmitting and wait a random length of time before attempting to retransmit the frame.
E.If a collision occurs in an Ethernet LAN domain, only the station with the highest priority continues to transmit and the rest of the stations wait a random length of time before attempting to retransmit the frame.
F.In an Ethernet LAN domain, all stations execute a backoff algorithm based on their assigned priorities before they transmit frames on the medium.

11.How does the Ethernet switch process the incoming traffic using port-based memory buffering?
A.The frames are stored in queues that are linked to specific incoming ports.
B.The frames are stored in queues that are linked to specific outgoing ports.
C.The frames are transmitted to the outgoing port immediately.
D.The frames are stored in queues that are linked to the common memory area.

12.What are two key features of an Ethernet switch with Layer 2 capabilities? (Choose two.)
A.Full-duplex operation.
B.Broadcast and multicast traffic management.
C.Security through access lists.
D.Layer 3 routing functions.
E.Filtering based on MAC address.
F.Network address translation (NAT).

13.The network administrator wants to configure an IP address on a Cisco switch. How does the network administrator assign the IP address?
A.In privileged EXEC mode.
B.On the switch interface FastEthernet0/0.
C.On the management VLAN.
D.On the physical interface connected to the router or next-hop device.

14.Why should a default gateway be assigned to a switch?
A.To have remote connectivity to the switch via such programs as Telnet and ping.
B.To send frames through the switch to the router.
C.To pass frames generated from workstations and destined for remote networks to a higher level.
D.To access other networks from the command prompt of the switch.

15.Which two tasks does auto-negotiation in an Ethernet network accomplish? (Choose two.)
A.Sets the link speed.
B.Sets the IP address.
C.Sets link duplex mode.
D.Sets MAC address assignments on the switch port.
E.Sets the ring speed.

16.What is the effect of entering the SW1(config-if)#duplex full command on a Fast Ethernet switch port?
A.The connected device communicates in two directions, but only one direction at a time.
B.The switch port returns to its default configuration.
C.If the connected device is also set for full duplex, it participates in collision-free communication.
D.The efficiency of this configuration is typically rated at 50 to 60 percent.
E.The connected device should be configured as half duplex.

17.Which term describes the time delay of a frame sent from a source device and received on a destination device?
A.Bandwidth.
B.Latency.
C.Attenuation.
D.Time-To-Live.
E.Frame checksum.

18.Match the command to the correct description. Not all commands have a description.

Commands:
A. copy startup-config running-config.
B. copy running-config tftp.
C. copy tftp startup-config.
D. copy tftp running-config.
E. copy startup-config tftp.
F. copy running-config startup-config.

Descriptions:
One. Copy the current running configuration to a TFTP server.
Two. Save the current running configuration as the startup configuration.
Three. Restore a configuration from a TFTP server to the running configuration.
Four. Restore the startup configuration to the running system.

19.Match the command to the description as required to secure access to the console port on a switch. Not all commands are used.

Commands:
A. enable.
B. configure terminal.
C. line vty 0 4.
D. line con 0.
E. password Cisco.
F. username admin password Cisco.
G. login.

Descriptions:
One. Enter global configuration mode.
Two. Enter configuration mode for the console line.
Three. Set a password.
Four. Permit login.
