switching basics and intermediate routing ccna 3 chapter 6

www.ciscopress.com

Switching Basics and Intermediate Routing CCNA 3

Chapter 6

www.ciscopress.com

Catalyst Switch ConfigurationIntroduction

• Switches are Layer 2 devices that serve as concentration points for the connection of workstations, servers, routers, hubs, and other switches

• Switches are multiport bridges that utilize a star topology• Switches provide dedicated, point-to-point virtual circuits

that make collisions unlikely• New switches are configured with factory defaults but

normally need changes• Switches can be configured from a command-line

interface (CLI) or from a web-based interface

www.ciscopress.com

Catalyst Switch ConfigurationIntroduction

• Network engineers must be familiar with these switch configuration tasks:– Maintenance of the switch– Cisco IOS upgrades– Management of interfaces and switching

tables– Password recovery

www.ciscopress.com

Starting the SwitchPhysical Startup of the Catalyst Switch

• Most Catalyst switches have no power switch!– Simply plug in to start

• Before starting the switch, verify the following:– All network cables are secure– A terminal is connected to the console port– A console terminal application, such as

HyperTerminal, is selected

www.ciscopress.com

Starting the SwitchPhysical Startup of the Catalyst Switch

• Steps in starting a switch (continued)– Attach the power cord to the switch– Observe the boot sequence

• Look at the LEDs on the switch• Observe the Cisco IOS software output text on the

console

www.ciscopress.com

Starting the SwitchSwitch Port Types

• Switches in the Catalyst 2950 series have these characteristics:– 12-port, 24-port, or 48-port– All ports are FastEthernet– Optional uplink slots for copper or fiber Gigabit

Interface Converter (GBIC) modules• Asymmetrical switching

• Switches such as the Catalyst 3750 now include small-form-factor pluggable (SFP) slots, which are smaller than GBIC slots

www.ciscopress.com


Catalyst 2950

Switches Are Used

at the Access Layer

www.ciscopress.com


Four Slots on the Right of These Catalyst 3750 Switches are SFP Slots

www.ciscopress.com

Starting the SwitchSwitch LED Indicators

• The following LEDs are seen on the front of a Catalyst 2950 switch:– System LED

• Tells whether the system is receiving power and functioning properly

– Redundant Power Supply (RPS) LED• Indicates whether a redundant power supply is in

use

– Port Mode LEDs– Port Status LEDs

www.ciscopress.com


Catalyst 2950 Switches Have Four Types of LEDs

www.ciscopress.com


System LED and RPS LED

www.ciscopress.com


• After power cable is connected, the switch initiates a series of tests called the power-on self test (POST)– Runs automatically to verify the switch

functions correctly– System LED indicates the status of the POST

• System LED off but switch is plugged in, the POST is running

• System LED is green: POST successful• System LED is amber: POST failed (fatal error)

www.ciscopress.com


• Port Mode LEDs indicate the state of the Mode button– Press the Mode button repeatedly until the

desired mode is selected

• Port Status LEDs indicate various port states– Depends on the value of the Port Mode LEDs

www.ciscopress.com


Catalyst 2950 Port Status LED Display Modes

www.ciscopress.com


Catalyst 2950 Port Status LED Display

Modes (continued)

www.ciscopress.com


Catalyst 2950 Port Status LED Display Modes (continued)

www.ciscopress.com

Starting the SwitchViewing Initial Bootup Output from the Switch

• Connect a computer’s COM port to a switch’s console port using a rollover cable

Console Connection to the Switch Is the Most Common Configuration Method

www.ciscopress.com


• Start HyperTerminal on the computer– Choose the Serial Port

www.ciscopress.com


• Name the connection

• After selecting the COM port, click the OK button– Set up the parameters

as seen in this figure

www.ciscopress.com


• Plug the switch into the wall outlet

• Initial bootup output should be displayed on the HyperTerminal screen– Contains details about POST status and

switch hardware– After POST status a prompt to enter initial

configuration will appear• Can configure manually or with a System

Configuration dialog

www.ciscopress.com


Hardware Platform and Flash Information Displayed During Bootup

www.ciscopress.com


Hardware Platform and Flash Information Displayed During Bootup (continued)

www.ciscopress.com

Starting the SwitchUsing the System Configuration Dialog

Using the System Configuration Dialog

www.ciscopress.com


Using the System Configuration Dialog (continued)

www.ciscopress.com


Option to Use Config

Generated by Setup

www.ciscopress.com

Starting the SwitchLogging on with the Switch CLI and Using the Help Facility

• The Cisco IOS software provides a CLI called the EXEC– Interprets commands that are entered and

carries out corresponding operations

• Two levels of access to the EXEC:– User mode: tasks indicating switch status

• Indicated by the > prompt

– Privileged mode: ability to change the configuration of the switch

• Indicated by the # prompt

www.ciscopress.com


• To change from user EXEC mode to privileged EXEC mode, use the enable command– Switch will prompt for the enable password if

one is configured• Password is not shown on screen as you type• If configuring switch over a network via a modem

or Telnet, password is sent in clear text

www.ciscopress.com


• Privileged EXEC mode includes all commands from user EXEC mode, plus all the configuration commands– The configure command allows access to other

command modes

• Several types of command-line help:– Context-sensitive help: a list of commands and

arguments associated with a specific command– Console error messages: problems with commands

that are entered incorrectly– Command history buffer: recall of long or complex

commands to be altered or corrected

www.ciscopress.com


• The question mark (?) can be used to get help– Two types of context-sensitive help with the ?

command:• Word help: Enter the ? command to get word help

for a list of commands that begin with a particular character sequence; do not use a space before the question mark

• Command syntax help: Enter the ? command to see how to complete a command; enter a question mark in place of a keyword or argument; use a space before the question mark

www.ciscopress.com

Configuring the SwitchCatalyst Switch Default Configuration

• Catalyst 2950 switches come with this default configuration:– IP address: 0.0.0.0– CDP: Enabled– 100BASE-T port: Autonegotiate duplex mode– Spanning tree: Enabled– Console password: None– Hostname: Switch– No passwords set on virtual terminal (VTY)

lines

www.ciscopress.com


• The show running-config command displays the active configuration on the switch– Requires privileged EXEC mode access

Default Output for show running-config Command:

www.ciscopress.com


Default Output for show running-config Command (continued):

www.ciscopress.com


• The show interface f0/2 command displays information about interface FastEthernet 0/2– Switch trunks and switch ports are both

considered interfaces– Output varies, depending on the network for

which you have configured an interface

www.ciscopress.com


Default f0/2 Settings

www.ciscopress.com


Default f0/2 Settings (continued)

www.ciscopress.com


Nondefault f0/1 Settings

www.ciscopress.com


Fields in the show interface f0/1 Output of Previous Slide

www.ciscopress.com


• VLAN membership is displayed using the show vlan command

• In default configuration, all ports are in VLAN 1– VLAN 1 is the default management VLAN

• The flash directory has a file that contains the IOS image, a file called env_vars, and a subdirectory called html

• After switch configuration, two more files are added to the flash directory: config.txt and a VLAN database

www.ciscopress.com


Default Port VLAN Membership

www.ciscopress.com


Output of show flash

www.ciscopress.com


Verify IOS version and configuration register settings with the show version command

www.ciscopress.com


Verify IOS version and configuration register settings with the show version command (continued)

www.ciscopress.com


Fields in the show version Output From Previous Slide

www.ciscopress.com

Configuring the SwitchBasic Catalyst Switch Configuration

• Returning the Switch to Its Default Configuration:– Delete the VLAN database file, vlan.dat from the

flash directory– Erase the backup configuration file, startup-config– Restart the switch with the reload command

www.ciscopress.com


• One of the first tasks in configuring a switch is to name it– Allows you to better manage the network by

uniquely identifying each switch– The name of the switch is considered its

hostname– The name is displayed at the system prompt– The switch name is assigned in global

configuration mode

www.ciscopress.com


Configuring the Hostname and Line Passwords

www.ciscopress.com


• Assign an IP address to the switch– Makes it possible to connect remotely using Telnet or

a web browser

• VLAN 1 is assigned an IP address– Use the no shutdown command to make the Switch

Virtual Interface (SVI), VLAN 1, operational• Required if using Simple Network Management Protocol

(SNMP) to manage the switch

• Assign a default gateway to the switch using the ip default-gateway command– Allows access to other networks

www.ciscopress.com


Configuring the Switch for Management

www.ciscopress.com


• By default, VLAN 1 is the management VLAN– Use it to manage all the network devices on a network– All ports belong to VLAN1– Remove access ports from VLAN 1 and place them in

another VLAN• Allows for VLAN management while keeping traffic from

network hosts off the management VLAN

– Use the no ip address configuration command to remove an IP address for VLAN 1 or to disable IP processing

www.ciscopress.com


• FastEthernet switch ports default to auto-speed and auto-duplex– Allows the interfaces to negotiate these

settings– Can be manually configured

• A web browser can be used to configure the switch if the switch has an http server running on port 80

www.ciscopress.com


Configuring HTTP Support

www.ciscopress.com


• The Cisco Virtual Switch Manager (CVSM) is a web-based graphical user interface (GUI) used to configure and monitor many Cisco switches such as the Catalyst 2950– When the GUI is initialized by opening a browser with

the switch’s URL, an applet is downloaded to the switch

• Another GUI, Cisco Network Assistant (CAN) is also available, as is Cluster Management Suite (CMS)

• Special IOS images that include an additional HTML package are required to make CVSM and CNA work with switches

www.ciscopress.com

Configuring the SwitchDuplex and Speed Configuration

• Half-duplex transmission mode implements CSMA/CD– Traditional shared LAN operates in half-

duplex mode and is susceptible to collisions

• Full-duplex significantly improves network performance without installing new cabling– Can use point-to-point Ethernet, FastEthernet,

and Gigabit Ethernet connections– Collision free connections

www.ciscopress.com


• Full-duplex connections are point-to-point between switches and nodes but not between shared hubs– Most NICs sold today offer full-duplex

capability– In full-duplex mode, the collision detection

circuit is disabled– Nodes that attach to hubs share their

connection to a switch port and must operate in half-duplex mode

www.ciscopress.com


• Standard shared Ethernet uses 50-60% of the 10-Mbps bandwidth (5 to 6 Mbps)

• Full-duplex offers 100% of bandwidth in both directions (10-Mbps transmit and 10-Mbps receive for a total of 20 Mbps)

www.ciscopress.com


• Operation of half-duplex versus full-duplex:– Half-duplex relies on CSMA/CD– Half-duplex supports only unidirectional

data flow– Half-duplex has a higher potential for

collisions– Half-duplex involves the use of hubs

www.ciscopress.com


• Operation of half-duplex versus full-duplex (continued):– Full-duplex is point-to-point– Full-duplex requires full-duplex support

on both ends– Full-duplex is collision free– Full-duplex has the collision detection

circuit disabled

www.ciscopress.com


• Use the duplex {auto | full | half} interface configuration command to specify the duplex mode of switch ports– Set autonegotiation of duplex mode: auto– Set full-duplex mode: full– Set half-duplex mode: half– For FastEthernet and 10/100/1000 ports, the

default is auto– For 100BASE-FX, the default is full

www.ciscopress.com


• Use the show interfaces command to verify duplex settings

• Autonegotiation can cause problems– Sometimes an attached device does not

support autonegotiation and is operating in full duplex mode

• Necessary to manually configure the duplex mode• Check for FCS errors with the show interfaces

command

– It is critical that the setting on the switch is compatible with the setting on the NIC

www.ciscopress.com

Configuring the SwitchManaging the MAC Address Table

• Switches use MAC address tables to forward traffic between ports– The tables include dynamic, permanent and

static addresses• Dynamic addresses: source MAC addresses that

the switch learns and then drops when they are not refreshed and time out

– Learned by examining the source MAC address of each frame received on each port

– MAC address and port number are added to the MAC address table

www.ciscopress.com


– The tables include dynamic, permanent and static addresses (continued)• Permanent addresses: assigned by an

administrator to a port– Reasons for assigning permanent addresses:

» MAC address will not age out» Must attach a server or user workstation to

a specific port and you know the MAC address

» Enhanced security

www.ciscopress.com


• Maximum size of MAC address table varies with different switches– Catalyst 2950: 8192 MAC addresses

• When table is full, traffic for new MAC addresses is flooded

• The show mac-address-table command, entered in privileged EXEC mode, displays the MAC addresses a switch has learned

• The clear mac-address-table command purges dynamically learned entries

www.ciscopress.com


Viewing the MAC Address Table

www.ciscopress.com


Clearing Dynamic Entries in the MAC Address Table

www.ciscopress.com


• The global configuration mode command:

mac address-table static mac-addr vlan vlan-id interface interface-id

can be used to configure a static MAC address for a switch

www.ciscopress.com


Statically Configuring a Port-to-MAC Mapping

www.ciscopress.com

Configuring the SwitchConfiguring Port Security

• Port security features can be used to restrict input on an interface– Limit and identify the MAC addresses of the

stations allowed to access the port– Switch will not forward frames with source

MAC addresses that are outside the group of defined addresses

– Use the switchport port-security interface command without keywords to enable port security on an interface

www.ciscopress.com


• Port security features can be used to restrict input on an interface (continued)– Use the switchport port-security interface

command with keywords to configure a secure MAC address, maximum number of secure MAC addresses, or the violation mode

– Use the no form of this command to disable port security or set the parameters to their default state

www.ciscopress.com


Port Security Options

• Full syntax for switchport port-security interface mode command: switchport port-security [mac-address mac-address]

| [mac-address sticky [mac-address]] | [maximum value] | [violation {protect | restrict | shutdown}]

www.ciscopress.com


• A port must be in access mode to enable port security, and port security is disabled by default

• Methods by which secure addresses can be added to the table after the maximum number of allowed MAC addresses is set:– Manually configure all the addresses– Allow the port to dynamically configure all the

addresses– Configure some MAC addresses and allow

the rest to be dynamically learned

www.ciscopress.com


• An interface can be configured to convert dynamic MAC addresses to sticky secure AMC addresses and add them to the running configuration by enabling sticky learning:– Enter the switchport port-security mac-

address sticky interface configuration command • Converts all dynamically learned addresses

to sticky secure addresses

www.ciscopress.com


• Sticky MAC addresses do not automatically become part of the configuration file– Must save the configuration file or the addresses will

have to be learned the next time the switch is restarted

– Disabling sticky learning converts the sticky secure MAC addresses to dynamic secure addresses and they are removed from the configuration file

– A secure port can have from 1 to 132 associated secure addresses; no more than 1024 on the switch total

www.ciscopress.com


• Security violation situations:– Maximum number of secure MAC addresses

has been added to the address table, and a station whose MAC address is not in the table attempts to access the interface

– An address learned or configured on one secure interface is seen on another secure interface in the same VLAN

www.ciscopress.com


Port Security Keyword Options

www.ciscopress.com


• An address violation occurs when:– A secured port receives an address that has

been assigned to another secured port – A port tries to learn an address that exceeds

its address table size limit• Set with the switchport port-security maximum

command

www.ciscopress.com


Configuring Port Security

www.ciscopress.com


show port security Keyword Options

www.ciscopress.com


• Use the show port-security address command to display MAC addresses for all ports

• Use the show port-security command without keywords to display the port security settings for the switch

Verifying Port Security

www.ciscopress.com


Verifying Port Security (continued)

www.ciscopress.com

Configuring the SwitchExecuting Adds, Moves, and Changes

• To add a new MAC address on an access switch that connects a workstation to the network:– Configure port security– Configure the MAC address to the port allocated for

the new interface so that the first MAC address on the port is the only address permitted

• To delete a MAC address on an access switch that connects a workstation to the network, remove the MAC address restrictions from the port

www.ciscopress.com


• To move a MAC address from one access switch to another:– Add the MAC address to the new physical port– On the new access switch, configure port security– On the new access switch, configure the MAC

address to the port allocated for the new user– When all security is in place in the new location, shut

down the old port and remove any MAC restrictions; remove any old access lists from the original access switch

www.ciscopress.com


• If an Ethernet NIC fails, installing a new NIC changes the MAC address of the workstation– With port security, the new NIC doesn’t have

connectivity because of the now-incorrect MAC address

– Remove the old MAC address from the security on the port and add the new MAC address

www.ciscopress.com


• To add a new switch to a network:– Configure the switch name, IP address, and default

gateway– Configure administrative access for console, auxiliary,

and VTY interfaces as appropriate– Configure security for the device (user EXEC and

privileged EXEC levels)– Configure access switch ports as necessary– To ensure the switch does not become root of the

spanning tree, increase the priority value

www.ciscopress.com

Configuring the SwitchManaging Switch Configuration Files

• The switch configuration file is erased with the erase startup-config privileged EXEC command– Clears non-volatile RAM (NVRAM): RAM that retains

its memory when powered off

• Back up the most current configuration file on a server or disc– Essential for documentation– On Catalyst 2950 use the copy nvram:startup-

config tftp command to upload the configuration file to a TFTP server

www.ciscopress.com


• Steps to upload a configuration file from a switch to a TFTP server:– Verify the TFTP server is accessible (ping it) and properly configured– Log in to the switch through a console port or Telnet session– Upload the switch configuration to the TFTP server, using the IP

address or hostname of the TFTP server and the destination filename• Use one of these commands:

copy system:running-config tftp:[[[//location]/directory]/filename]

copy nvram:startup-config tftp:[[[//location]/directory]/filename]

www.ciscopress.com


Saving Configuration Files

www.ciscopress.com

Configuring the SwitchPassword Recovery

• For security and management purposes, passwords must be set on console and VTY lines– Assures only authorized access

• Sometimes you have physical access to a switch but don’t know the password– Follow the password recovery procedures such as:

http://www.cisco.com/en/US/products/hw/switches/ps628/prod_password_recoveries_list.html

www.ciscopress.com

Configuring the SwitchUpgrading the Cisco IOS Image

• IOS images are replaced because:– Bugs are fixed– New features are made available– Performance improvements are made

• If the network can be made more secure or to operate more efficiently, upgrade the IOS

• To upgrade, log on to cisco.com and download a copy of the new image to your local TFPT server

www.ciscopress.com

Summary

• Switches are similar to routers– Have basic computers components such as CPUs,

RAM, and an operating system– Ports are used to connect hosts and for

management– LEDs on the front of the switch show system status,

RPS, port mode and port status– When powered on, a switch performs a POST

automatically to verify that it functions correctly– Use HyperTerminal to configure or check the status

of a switch

www.ciscopress.com

Summary

• Switches are similar to routers (continued)– Switches use a CLI– A question mark (?) is used to access help

• Word help and syntax help are available

– Command modes:• User EXEC mode

– Prompt is a greater-than character (>)

• Privileged EXEC mode– Prompt is a pound character (#)

• Password protect both modes• The configure command allows use of other command

modes

www.ciscopress.com

Summary

• Switches use default data when powered up the first time– show running-config and show interfaces

display the factory default settings– Assign an IP address for management

purposes– The show version command verifies the

IOS version and the configuration register settings

www.ciscopress.com

Summary

• After an IP address and default gateway are configured, a switch can be accessed with a web-based interface on port 80, if the http server has been enabled on the switch

• The duplex command is used to configure interface duplex options

• Troubleshooting issues with switches usually pertain to speed or duplex misconfigurations

www.ciscopress.com

Summary

• A switch dynamically learns and maintains thousands of MAC addresses– If frames associated with a previously

learned MAC address are not received, they are automatically aged out or discarded after 300 seconds

– The command clear mac-address-table will manually clear address tables

www.ciscopress.com

Summary

• A MAC address permanently assigned to an interface will not age out– Security will be enhanced

• To configure a static MAC address: mac address-table static mac-addr vlan vlan-id interface interface-id

– Use the no form of the command to remove it

• Port security provides a basic level of security– Restricts access based on MAC address or allowable

maximum number of MAC addresses

www.ciscopress.com

Summary

• To verify port security, use these commands:– show port security– show port security address– show port security interface

• On a new switch added to a network, configure:– Switch name– IP address and default gateway– Line passwords

• When you move a switch or host from one port to another, remove configurations that can cause unexpected behavior

• Maintain documentation and do backups to a server

switching basics and intermediate routing ccna 3 chapter 6

Documents