Chapter 5: Switch Configuration PDF

Summary

This page is a transcript of the Cisco CCNA Routing and Switching Essentials v6.0 slides for Chapter 5 (Switch Configuration) and, appended to it, Chapter 8 (DHCP). Chapter 5 covers the switch boot sequence, LED indicators, preparing for basic switch management, switch port settings, SSH for secure remote access, and port security. Chapter 8 covers DHCPv4 operation and router configuration as DHCPv4 server, client and relay agent, then SLAAC and stateless and stateful DHCPv6.

Full Transcript


Chapter 5: Switch Configuration
CCNA Routing and Switching: Routing and Switching Essentials v6.0
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Chapter 5 - Sections & Objectives

5.1 Basic Switch Configuration: configure basic switch settings to meet network requirements.
- Configure initial settings on a Cisco switch.
- Configure switch ports to meet network requirements.

5.2 Basic Device Configuration: configure a switch using security best practices in a small to medium-sized business network.
- Configure the management virtual interface on a switch.
- Configure the port security feature to restrict network access.

5.1 Configure a Switch with Initial Settings

Switch Boot Sequence
- When a switch is powered on, the boot sequence runs. The power-on self-test (POST), a program stored in ROM, executes and checks hardware such as the CPU and RAM.
- The boot loader, also stored in ROM, runs next: it initializes the CPU registers, initializes the flash file system, and then locates and loads an IOS image.
- The IOS image can be specified in the BOOT environment variable. If the variable is not set, the switch searches the flash file system for an executable image file, loads it into RAM, and launches it if found.
- If no executable image file is found, the switch drops to the switch: prompt, where a small set of commands gives access to the files in flash memory and to the files used to load or reload an operating system.
- If an IOS image loads, the switch interfaces are initialized and the commands stored in the startup-config file are applied. The startup-config file is stored in NVRAM.

Switch Boot Sequence (Cont.)
- The boot system command is used to set the BOOT environment variable.

Recovering From a System Crash
- The boot loader prompt is reached through a console connection to the switch:
  1. Cable the PC to the switch console port.
  2. Configure the terminal emulation software on the PC.
  3. Unplug the switch power cord.
  4. Reconnect the power cord and, at the same time or within 15 seconds, press and hold the Mode button on the front of the switch until the System LED turns amber briefly and then solid green.
- The boot loader command prompt is switch: (instead of Switch>). The commands available at this prompt are limited; use the help command to list them.

Switch LED Indicators
- The System LED shows whether the switch has power applied.
- Port LED states:
  Off: no link, or the port is shut down
  Green: link is present
  Blinking green: data activity
  Alternating green and amber: link fault
  Amber: port is not forwarding data; normal for the first 30 seconds after connection or activation
  Blinking amber: port is blocking to prevent a switching loop

Preparing for Basic Switch Management
- To be managed remotely, the switch must be configured with an IP address, subnet mask, and default gateway.
- One switch virtual interface (SVI) is used to manage the switch: the switch IP address is assigned to that SVI. By default the management SVI is VLAN 1, and the VLAN that carries it is commonly called the management VLAN. Remember that the switch console port is on the back of the switch.
- For security reasons, it is best practice to use a VLAN other than VLAN 1 as the management VLAN.

Configuring Basic Switch Management Access with IPv4
[Slide figure: the IPv4 management-access command sequence is not recoverable from the transcript; only the closing exit survived.]
- Important concept: the default gateway is the router address the switch uses to communicate with other networks.

Configure Switch Ports

Duplex Communication
- Gigabit Ethernet and 10Gb Ethernet NICs require full-duplex connections to operate.
- Figure: full-duplex (bidirectional) versus half-duplex (unidirectional at any one time) communication.

Configure Switch Ports at the Physical Layer
- Some switches default to auto for both duplex and speed.
- Mismatched duplex and/or speed settings cause connectivity issues.
- Always check duplex and speed settings with the show interface interface_id command.
- All fiber ports operate at one speed and are always full-duplex.

Auto-MDIX
- Some switches support automatic medium-dependent interface crossover (auto-MDIX), which lets an interface detect the required cable type (straight-through or crossover) and configure the connection accordingly.
- Use the show controllers ethernet-controller command to verify auto-MDIX settings.

Verifying Switch Port Configuration
[Slide figures: show command output, not recoverable from the transcript. In the show interfaces example, the Layer 1 (interface) status and the Layer 2 (line protocol) status both read OK.]

Network Access Layer Issues
- Use the show interfaces command to detect common media issues.
- The first status parameter refers to Layer 1, the physical layer, and indicates whether the interface is receiving a carrier detect signal.
- The second parameter (protocol status) refers to the data link layer and indicates whether the data link layer protocol is configured correctly and keepalives are being received.

Network Access Layer Issues (Cont.) / Troubleshooting Network Access Layer Issues
[Slide figures only; not recoverable from the transcript.]

5.2 Switch Security

Secure Remote Access

SSH Operation
- Secure Shell (SSH) is an alternative to Telnet. Telnet sends the username, password, and all session data in plaintext. SSH is more secure because it provides an encrypted management connection.
- Figures: Wireshark capture of Telnet; Wireshark capture of SSH.
- A switch must run an IOS image that includes cryptographic capabilities (k9 at the end of the IOS file name) in order to configure and use SSH. Use the show version command to see the IOS version.

Configuring SSH
1. Verify SSH support.
2. Configure the IP domain name. (Callout: commonly forgotten; this command is used in key generation.)
3. Generate RSA key pairs.
4. Configure user authentication.
5. Configure the vty lines. (Callout: the default is to accept both Telnet and SSH, transport input all. The login local command forces the use of the local database for username and password.)
6. Enable SSH version 2.

Verifying SSH
- On the PC, connect to the switch using SSH. The PC uses SSH to communicate with the switch and issue commands on it.

Switch Port Security

Secure Unused Ports
- The interface range command can be used to apply a configuration to several switch ports at one time.

Port Security: Operation
- Port security limits the number of valid MAC addresses allowed to transmit data through a switch port. If port security is enabled on a port and a frame arrives from an unknown MAC address, the switch registers a security violation. The default number of secure MAC addresses allowed is 1.
- Methods for configuring the MAC addresses that port security accepts:
  Static secure MAC addresses: manually configured with switchport port-security mac-address mac-address
  Dynamic secure MAC addresses: learned dynamically and removed if the switch restarts
  Sticky secure MAC addresses: learned dynamically and added to the running configuration (which can later be saved to the startup-config to retain the MAC addresses permanently); switchport port-security mac-address sticky mac-address
- Note: disabling sticky learning converts sticky MAC addresses to dynamic secure addresses and removes them from the running-config.
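The management-VLAN guidance and the six SSH steps above are things a practitioner verifies in a running-config rather than trusts. As an added example (this is not code from the Cisco slides), the Python script below parses two constructed running-configs, one left with the defaults the slides warn about and one after the steps have been applied, and reports what is missing. The hostnames, addresses, the username line and the finding texts are this script's own constructions.

```python
"""Audit a Cisco IOS running-config for the management-access hardening the
slides above describe: management SVI off VLAN 1, default gateway set, domain
name set (RSA key generation needs it), SSH version 2 enforced, and vty lines
that accept only SSH and authenticate against the local user database.

Added example, not Cisco's code. Both running-configs below are constructed for
the demonstration (hostname, addresses and the username line are placeholders);
the check names and finding texts are this script's own.
"""
import re
from typing import Dict, List

# Constructed: a switch left with the defaults the slides warn about.
WEAK_CONFIG = """\
hostname S1
!
interface Vlan1
 ip address 192.168.1.20 255.255.255.0
!
line vty 0 15
 password cisco
 login
 transport input all
!
end
"""

# Constructed: the same switch after the six SSH steps, with management moved
# to VLAN 99 and a default gateway so it can be reached from other networks.
HARDENED_CONFIG = """\
hostname S1
!
ip domain-name example.com
ip ssh version 2
username admin secret 9 PLACEHOLDER-HASH
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 ip address 192.168.99.20 255.255.255.0
!
ip default-gateway 192.168.99.1
!
line vty 0 15
 login local
 transport input ssh
!
end
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Map every non-indented config line to the indented lines beneath it.

    Global commands have no children and map to an empty list; interface and
    line blocks map to their sub-commands. Comments (!) and blanks are skipped.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections


def audit(config: str) -> List[str]:
    """Return the list of findings; an empty list means every check passed."""
    sections = parse_sections(config)
    headers = list(sections)
    findings: List[str] = []

    # Management SVI: whichever SVI carries an IP address must not be VLAN 1.
    for header, body in sections.items():
        m = re.match(r"interface Vlan(\d+)$", header, re.IGNORECASE)
        if m and any(ln.startswith("ip address ") for ln in body) and m.group(1) == "1":
            findings.append("management SVI is on VLAN 1; use a dedicated management VLAN")

    if not any(h.startswith("ip default-gateway ") for h in headers):
        findings.append("no ip default-gateway; switch cannot be managed from other networks")
    if not any(h.startswith("ip domain-name ") for h in headers):
        findings.append("no ip domain-name; RSA key generation for SSH needs it")
    if "ip ssh version 2" not in headers:
        findings.append("SSH version 2 not enforced")

    # vty lines: the last 'transport input' wins; the default 'all' also admits Telnet.
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        transport = [ln for ln in body if ln.startswith("transport input")]
        if not transport or transport[-1] != "transport input ssh":
            findings.append(f"{header}: transport input not restricted to ssh (Telnet still accepted)")
        if "login local" not in body:
            findings.append(f"{header}: login local missing; local username database not used")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit(cfg) or ['all checks passed']}")
```

The parser is deliberately simple: IOS indents sub-commands with one space, so every unindented line is either a global command or a block header, and that is enough structure to check the vty and SVI stanzas. Feed it the output of show running-config saved to a file.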
Port Security: Violation Modes
- Protect: frames from unknown source MAC addresses are dropped; the switch does NOT generate a security notification.
- Restrict: frames from unknown source MAC addresses are dropped; the switch DOES generate a security notification and the violation counter increments.
- Shutdown (default mode): the interface becomes error-disabled and the port LED turns off. The violation counter increments. Issue the shutdown and then the no shutdown command on the interface to bring it out of the error-disabled state.

Port Security: Configuring
- Before configuring port-security features, place the port in access mode and use the switchport port-security interface configuration command to enable port security on the interface.
[Slide figures: configuration examples, not recoverable from the transcript.]

Port Security: Verifying
- Use the show port-security interface command to verify the maximum number of MAC addresses allowed on a particular port and how many of those addresses were learned dynamically and how many via sticky (figure labels: Dynamic, Sticky).
- Use the show running-config command to see learned sticky MAC addresses that were added to the configuration.
- The show port-security address command shows how MAC addresses were learned on a particular port.
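The difference between the three violation modes is easiest to see when the same frames hit each one. The following is an added behavioural model written for this page, not Cisco code or captured device output: a small Python class that applies the rules from the slides above (default maximum of one secure MAC, shutdown as the default mode, protect drops silently, restrict drops and logs and counts, shutdown err-disables and counts, sticky addresses appear in the running-config). The interface name, MAC addresses and frame sequence are constructed, and the log strings only imitate the shape of the IOS console messages.

```python
"""Behavioural model of a Cisco switch port running port security, to show how
the three violation modes (protect, restrict, shutdown) and sticky learning
differ when the same frames arrive.

Added example, not Cisco's code or output. The class, method names and the frame
sequence in demo() are constructed; the rules come from the slides: default
maximum of 1 secure MAC, shutdown as the default mode, protect drops silently,
restrict drops and logs and counts, shutdown err-disables the port and counts,
and sticky addresses land in the running-config. The log strings imitate the
shape of IOS console messages and are not captured from a device.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class SecurePort:
    name: str
    maximum: int = 1               # switchport port-security maximum N
    violation: str = "shutdown"    # protect | restrict | shutdown (default)
    sticky: bool = False           # switchport port-security mac-address sticky
    secure_macs: List[str] = field(default_factory=list)
    sticky_macs: List[str] = field(default_factory=list)
    violation_count: int = 0
    err_disabled: bool = False
    admin_down: bool = False
    log: List[str] = field(default_factory=list)

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame: 'forwarded', 'dropped' or 'err-disabled'."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "err-disabled"
        if self.admin_down:
            return "dropped"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            # Room left: learn the address (dynamic, or sticky if enabled).
            self.secure_macs.append(src_mac)
            if self.sticky:
                self.sticky_macs.append(src_mac)
            return "forwarded"
        # Table full and source unknown: a violation. Protect mode is silent.
        if self.violation == "protect":
            return "dropped"
        self.violation_count += 1
        self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                        f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "restrict":
            return "dropped"
        self.err_disabled = True   # shutdown mode: port goes error-disabled, LED off
        self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on "
                        f"{self.name}, putting {self.name} in err-disable state")
        return "err-disabled"

    def shutdown(self) -> None:
        self.admin_down = True

    def no_shutdown(self) -> None:
        """Only a shutdown followed by no shutdown clears the err-disabled state."""
        if self.admin_down:
            self.err_disabled = False
        self.admin_down = False

    def running_config(self) -> List[str]:
        """Interface stanza as it would read in show running-config."""
        lines = [f"interface {self.name}", " switchport mode access", " switchport port-security"]
        if self.maximum != 1:
            lines.append(f" switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f" switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}" for m in self.sticky_macs]
        return lines


def demo(mode: str) -> Tuple[SecurePort, List[str]]:
    """Send a constructed frame sequence through a two-MAC sticky port in the given mode."""
    port = SecurePort("FastEthernet0/1", maximum=2, violation=mode, sticky=True)
    frames = ["0001.aaaa.0001", "0001.aaaa.0002", "dead.beef.0003", "0001.aaaa.0001"]
    return port, [port.receive(m) for m in frames]


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        port, results = demo(mode)
        print(f"{mode:9} {results} violations={port.violation_count} err_disabled={port.err_disabled}")
    print("\n".join(port.running_config()))
```

Two points the model makes explicit: in protect mode the third frame is dropped with no counter and no message, so the intrusion attempt is invisible unless you look for a missing host; and in shutdown mode the legitimate fourth frame is also lost, because the whole port is err-disabled until an operator issues shutdown and then no shutdown.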
Ports in Error Disabled State
- Switch console messages are displayed when a port security violation occurs. Notice that the port link status changes to down.
- Check the port status and the port security settings.
- Do not re-enable a port until the security threat has been investigated and eliminated.
- Notice that you must first shut the port down and then issue the no shutdown command before the port can be used again after a security violation has occurred.

5.3 Chapter Summary

Conclusion
- Packet Tracer - Skills Integration Challenge
- Chapter 5: Switch Configuration: configure basic switch settings to meet network requirements; configure a switch using security best practices in a small to medium-sized business network.

Chapter 8: DHCP
CCNA Routing and Switching: Routing and Switching Essentials v6.0

Chapter 8 - Sections & Objectives

8.1 DHCPv4: implement DHCPv4 to operate across multiple LANs in a small to medium-sized business network.
- Explain how DHCPv4 operates in a small- to medium-sized business network.
- Configure a router as a DHCPv4 server.
- Configure a router as a DHCPv4 client.
- Troubleshoot a DHCP configuration for IPv4 in a switched network.

8.2 DHCPv6: implement DHCPv6 to operate across multiple LANs in a small to medium-sized business network.
- Explain the operation of DHCPv6.
- Configure stateless DHCPv6 for a small to medium-sized business.
- Configure stateful DHCPv6 for a small to medium-sized business.
- Troubleshoot a DHCP configuration for IPv6 in a switched network.

8.1 DHCPv4

DHCPv4 Operation

Introducing DHCPv4
- DHCPv4 assigns IPv4 addresses and other network configuration information dynamically. A dedicated DHCPv4 server is scalable and relatively easy to manage. A Cisco router can be configured to provide DHCPv4 services in a small network.

DHCPv4 Operation
- Four-step process for a client to obtain a lease:
  1. DHCP Discover (DHCPDISCOVER): the client uses Layer 2 and Layer 3 broadcast addresses to find a DHCP server.
  2. DHCP Offer (DHCPOFFER): the DHCPv4 server sends a binding DHCPOFFER message to the requesting client as a unicast.
  3. DHCP Request (DHCPREQUEST): the client replies to the server's offer with a broadcast DHCPREQUEST.
  4. DHCP Acknowledgment (DHCPACK): the server replies with a unicast DHCPACK message.

DHCPv4 Message Format
- DHCPv4 messages sent from the client use UDP source port 68 and destination port 67. Messages sent from the server use UDP source port 67 and destination port 68.
- Figure: format and fields of a DHCPv4 message.

DHCPv4 Discover and Offer Messages
[Slide figure only; not recoverable from the transcript.]

Configuring a Basic DHCPv4 Server
- Configuring a Cisco router as a DHCPv4 server:
  Excluding IPv4 addresses: ip dhcp excluded-address excludes a single address or a range of addresses from being assigned.
  Configuring a DHCPv4 pool: ip dhcp pool pool-name creates a pool with the specified name and puts the router in DHCPv4 configuration mode. The address pool is assigned with the network command and the default gateway with the default-router command. Other commands are optional.

Verifying DHCPv4
- Verify the DHCPv4 configuration with the show running-config | section dhcp command.
- Verify the operation of DHCPv4 with the show ip dhcp binding command.
- Verify that messages are being received or sent by the router with the show ip dhcp server statistics command.

DHCPv4 Relay
- DHCPDISCOVER messages are sent as broadcasts, and routers do not forward broadcasts.
- A Cisco IOS helper address (ip helper-address) is configured so that the router acts as a relay agent, forwarding the message to the DHCPv4 server.

Configuring DHCPv4 Client

Configuring a Router as a DHCPv4 Client
- Small office/home office (SOHO) and branch sites often have to be configured as DHCPv4 clients.
- Use the ip address dhcp interface configuration mode command.

Configuring a Wireless Router as a DHCPv4 Client
- Wireless routers are set to receive IPv4 addressing information automatically from the ISP.

Troubleshoot DHCPv4

Troubleshooting Tasks
[Slide figure only; not recoverable from the transcript.]

Verify Router DHCPv4 Configuration
- Verify DHCPv4 relay: use the show running-config command to verify that the ip helper-address is configured.
- Verify that the DHCPv4 service is enabled: show running-config | include no service dhcp returns no match when the service is enabled (the default), because no service dhcp appears in the configuration only when the service has been disabled.

Debugging DHCPv4
- An extended ACL can be used with the debug ip packet command to display only DHCPv4 messages.
- Another troubleshooting command is debug ip dhcp server events.

8.2 DHCPv6

SLAAC and DHCPv6

Stateless Address Autoconfiguration (SLAAC)
- Two methods dynamically assign IPv6 global unicast addresses: Stateless Address Autoconfiguration (SLAAC) and Dynamic Host Configuration Protocol for IPv6 (stateful DHCPv6).
- SLAAC uses ICMPv6 Router Solicitation (RS) and Router Advertisement (RA) messages to provide addressing and other configuration information.

SLAAC Operation
- The router must have IPv6 routing enabled: ipv6 unicast-routing.
- PC1 sends an RS message to the all-routers multicast address (FF02::2) indicating that it needs an RA.
- R1 responds with an RA message that carries the prefix and prefix length of the network.
- PC1 uses this information to create its IPv6 global unicast address, generating the interface ID either with EUI-64 or randomly.
- PC1 must verify that the address is unique by sending an ICMPv6 Neighbor Solicitation message (duplicate address detection).
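Before moving on to DHCPv6, the DHCPv4 material earlier in this chapter (the four-step exchange, the message format and port pair, and the relay agent) is worth seeing on the wire. The following Python is an added example written for this page, not Cisco code: it serialises and parses RFC 2131 messages with struct, runs DISCOVER, OFFER, REQUEST and ACK between a constructed client and a constructed one-address server, and shows what a router with ip helper-address changes (giaddr and hops) so that the server's unicast reply can return through it. The IP addresses, client MAC and transaction ID are constructed for the demonstration.

```python
"""Build, relay and parse DHCPv4 messages (RFC 2131) to show the four-step
lease exchange and the message fields described above: op, xid, flags,
yiaddr, giaddr and the options area, the 68 -> 67 / 67 -> 68 UDP port rule,
and what a router configured with ip helper-address does to a broadcast
DISCOVER so the server's reply can find its way back.

Added example, not Cisco's code. The addresses, client MAC, transaction id and
the tiny one-address server are constructed for the demonstration; only the
wire format follows the RFC.
"""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6   # option 53 message types
CLIENT_PORT, SERVER_PORT = 68, 67
FLAG_BROADCAST = 0x8000
MAGIC = b"\x63\x82\x53\x63"
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"                  # the 236 fixed bytes

# Constructed topology: client on 192.168.1.0/24, relay is its gateway, server elsewhere.
SERVER_IP, RELAY_IP, POOL_ADDR = "10.0.0.5", "192.168.1.1", "192.168.1.50"
CLIENT_MAC, XID = bytes.fromhex("0001aaaa0001"), 0x3903F326


def ip4(text: str) -> bytes:
    return ipaddress.IPv4Address(text).packed


def build(op: int, msg_type: int, xid: int, mac: bytes, yiaddr: str = "0.0.0.0",
          siaddr: str = "0.0.0.0", giaddr: str = "0.0.0.0", broadcast: bool = False,
          options: Optional[Dict[int, bytes]] = None) -> bytes:
    """Serialise one DHCPv4 message: fixed header, magic cookie, TLV options, end (255)."""
    flags = FLAG_BROADCAST if broadcast else 0
    header = struct.pack(HEADER, op, 1, 6, 0, xid, 0, flags, ip4("0.0.0.0"), ip4(yiaddr),
                         ip4(siaddr), ip4(giaddr), mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type])
    for code, value in (options or {}).items():
        opts += bytes([code, len(value)]) + value
    return header + MAGIC + opts + b"\xff"


def parse(pkt: bytes) -> Dict[str, object]:
    """Decode the fields the exchange depends on, plus every option keyed by code."""
    f = struct.unpack(HEADER, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message (magic cookie missing)")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                       # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4], "broadcast": bool(f[6] & FLAG_BROADCAST),
            "yiaddr": str(ipaddress.IPv4Address(f[8])), "siaddr": str(ipaddress.IPv4Address(f[9])),
            "giaddr": str(ipaddress.IPv4Address(f[10])), "chaddr": f[11][:f[2]].hex(),
            "msg_type": opts[53][0], "options": opts}


def relay(pkt: bytes, relay_ip: str) -> bytes:
    """ip helper-address behaviour: set giaddr if still empty, bump hops, unicast to server."""
    giaddr = pkt[24:28] if pkt[24:28] != b"\0" * 4 else ip4(relay_ip)
    return pkt[:3] + bytes([pkt[3] + 1]) + pkt[4:24] + giaddr + pkt[28:]


def udp_ports(msg: Dict[str, object], via_relay: bool = False) -> Tuple[int, int]:
    """(source, destination): client 68 -> server 67, server 67 -> client 68.
    A relay agent forwards requests from the server port (RFC 1542)."""
    if msg["op"] == BOOTREPLY:
        return SERVER_PORT, CLIENT_PORT
    return (SERVER_PORT if via_relay else CLIENT_PORT), SERVER_PORT


def server_reply(pkt: bytes) -> bytes:
    """One-address server: OFFER on DISCOVER, ACK (or NAK) on REQUEST."""
    req = parse(pkt)
    if req["msg_type"] == DISCOVER:
        kind, yiaddr = OFFER, POOL_ADDR
    else:
        wanted = str(ipaddress.IPv4Address(req["options"][50]))   # option 50: requested IP
        kind, yiaddr = (ACK, wanted) if wanted == POOL_ADDR else (NAK, "0.0.0.0")
    # The reply echoes xid and chaddr; a non-zero giaddr tells the server to answer via the relay.
    return build(BOOTREPLY, kind, req["xid"], bytes.fromhex(req["chaddr"]), yiaddr=yiaddr,
                 siaddr=SERVER_IP, giaddr=req["giaddr"], broadcast=req["broadcast"],
                 options={1: ip4("255.255.255.0"), 3: ip4(RELAY_IP),
                          51: struct.pack("!I", 86400), 54: ip4(SERVER_IP)})


def lease_exchange() -> List[Dict[str, object]]:
    """DISCOVER -> OFFER -> REQUEST -> ACK through the relay; returns the parsed messages."""
    discover = build(BOOTREQUEST, DISCOVER, XID, CLIENT_MAC, broadcast=True,
                     options={55: bytes([1, 3, 6])})               # parameter request list
    offer = server_reply(relay(discover, RELAY_IP))
    request = build(BOOTREQUEST, REQUEST, XID, CLIENT_MAC, broadcast=True,
                    options={50: ip4(parse(offer)["yiaddr"]), 54: ip4(SERVER_IP)})
    ack = server_reply(relay(request, RELAY_IP))
    return [parse(m) for m in (discover, offer, request, ack)]


if __name__ == "__main__":
    for m in lease_exchange():
        print(m["msg_type"], hex(m["xid"]), m["yiaddr"], m["giaddr"], udp_ports(m))
```

Note how little the client proves about itself: the exchange is tied together only by xid and chaddr, both chosen by the client. That is why the relay's giaddr and the switch's port security in Chapter 5 matter for containing rogue clients and rogue servers on an access VLAN.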
SLAAC and DHCPv6
- Different combinations of the Managed Address Configuration flag (M flag) and the Other Configuration flag (O flag) in the RA determine how the IPv6 address is assigned:
  SLAAC (Router Advertisement only)
  Stateless DHCPv6 (Router Advertisement and DHCPv6)
  Stateful DHCPv6 (DHCPv6 only)

SLAAC Option
- SLAAC is the default on Cisco routers: both the M flag and the O flag are set to 0 in the RA.
- This option instructs the client to use only the information in the RA message.

Stateless DHCPv6 Option
- DHCPv6 is defined in RFC 3315.
- Stateless DHCPv6: the client uses the RA message for addressing; additional parameters are obtained from a DHCPv6 server.
- The O flag is set to 1 and the M flag is left at its default of 0. Use the command ipv6 nd other-config-flag.

Stateful DHCPv6 Option
- The RA message, with the M flag set, instructs the client not to build its address from the RA prefix.
- All addressing and configuration information must be obtained from a stateful DHCPv6 server.
- The M flag is set to 1. Use the command ipv6 nd managed-config-flag.

DHCPv6 Operations
- DHCPv6 messages from server to client use UDP port 546; messages from client to server use UDP port 547.
- The client sends a DHCPv6 SOLICIT message to FF02::1:2 (the all-DHCPv6-servers-and-relay-agents multicast address).
- The DHCPv6 server responds with a unicast DHCPv6 ADVERTISE message.
- Stateless DHCPv6 client: generates its own address, then sends a DHCPv6 INFORMATION-REQUEST to the DHCPv6 server requesting only configuration parameters.
- Stateful DHCPv6 client: sends a DHCPv6 REQUEST message to the server for an IPv6 address and all other configuration parameters.
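The SLAAC and DHCPv6 slides above describe a decision a host makes from a single RA. The Python below is an added example written for this page (not Cisco code) that carries those steps through: it derives the EUI-64 interface ID from a MAC, forms the global unicast address from the RA prefix, computes the solicited-node multicast group that the duplicate address detection Neighbor Solicitation is sent to, and maps the M and O flags to SLAAC, stateless or stateful DHCPv6 together with the DHCPv6 message, destination (FF02::1:2) and ports (546 to 547) the client then uses. The MAC and prefix are constructed. It also goes one step beyond the slides with mac_from_eui64(), which recovers the hardware address from an EUI-64 interface ID; that leak is the reason the slides mention randomly generated interface IDs as the alternative.

```python
"""Client-side SLAAC and DHCPv6 decisions from the slides above: derive the
EUI-64 interface ID from a MAC, form the global unicast address from the RA
prefix, compute the solicited-node multicast group for the duplicate address
detection Neighbor Solicitation, and map the RA's M and O flags to SLAAC,
stateless DHCPv6 or stateful DHCPv6 and to the DHCPv6 message the client sends
(to FF02::1:2, UDP 546 -> 547).

Added example, not Cisco's code; the MAC and prefix are constructed. It goes
one step beyond the slides with mac_from_eui64(), which recovers the hardware
address embedded in an EUI-64 interface ID.
"""
import ipaddress
from typing import Dict, Optional

ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")          # Router Solicitation destination
ALL_DHCP_AGENTS = ipaddress.IPv6Address("ff02::1:2")    # SOLICIT / INFORMATION-REQUEST destination
DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT = 546, 547


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291): split the 48-bit MAC, insert FFFE, flip the U/L bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def mac_from_eui64(addr: str) -> Optional[str]:
    """Inverse of the above: the embedded MAC if the FFFE marker is present, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Prefix from the RA plus the EUI-64 interface ID; SLAAC needs a /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx with the low 24 bits of the target address (the DAD NS goes here)."""
    low24 = ipaddress.IPv6Address(addr).packed[13:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def addressing_mode(m_flag: bool, o_flag: bool) -> str:
    """M=1 means stateful DHCPv6 regardless of O; O=1 alone means stateless DHCPv6."""
    if m_flag:
        return "Stateful DHCPv6"
    return "Stateless DHCPv6" if o_flag else "SLAAC"


def client_plan(prefix: str, mac: str, m_flag: bool, o_flag: bool) -> Dict[str, object]:
    """What a host does after receiving an RA carrying this prefix and these flags."""
    mode = addressing_mode(m_flag, o_flag)
    plan: Dict[str, object] = {"mode": mode, "rs_destination": str(ALL_ROUTERS)}
    if mode == "Stateful DHCPv6":
        plan.update(address_source="DHCPv6 server", address=None, dhcpv6_message="SOLICIT")
    else:
        addr = slaac_address(prefix, mac)
        plan.update(address_source="RA prefix + EUI-64", address=str(addr),
                    dad_target=str(solicited_node_multicast(addr)),
                    dhcpv6_message="INFORMATION-REQUEST" if mode == "Stateless DHCPv6" else None)
    if plan["dhcpv6_message"]:
        plan.update(dhcpv6_destination=str(ALL_DHCP_AGENTS),
                    udp_src=DHCPV6_CLIENT_PORT, udp_dst=DHCPV6_SERVER_PORT)
    return plan


if __name__ == "__main__":
    for m, o in ((False, False), (False, True), (True, False)):
        print(client_plan("2001:db8:acad:1::/64", "fc99.4775.cee0", m, o))
```

With the constructed MAC fc99.4775.cee0 and prefix 2001:db8:acad:1::/64, SLAAC yields 2001:db8:acad:1:fe99:47ff:fe75:cee0, and mac_from_eui64() hands the MAC straight back from that address; a client using random interface IDs gives an observer nothing to recover.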
Stateless DHCPv6

Configuring a Router as a Stateless DHCPv6 Server
- Step 1: Enable IPv6 routing: ipv6 unicast-routing
- Step 2: Configure a DHCPv6 pool: ipv6 dhcp pool pool-name
- Step 3: Configure pool parameters: dns-server server-address
- Step 4: Configure the DHCPv6 interface: ipv6 dhcp server pool-name (together with ipv6 nd other-config-flag, so that hosts know to query the server, as described under the Stateless DHCPv6 Option)

Configuring a Router as a Stateless DHCPv6 Client
- Step 1: Enable IPv6 on the interface: ipv6 enable
- Step 2: Enable automatic configuration of IPv6 addressing: ipv6 address autoconfig

Verifying Stateless DHCPv6
- show ipv6 dhcp pool
- show running-config
- show ipv6 interface
- debug ipv6 dhcp detail

Stateful DHCPv6 Server

Configuring a Router as a Stateful DHCPv6 Server
- Step 1: Enable IPv6 routing: ipv6 unicast-routing
- Step 2: Configure a DHCPv6 pool: ipv6 dhcp pool pool-name
- Step 3: Configure pool parameters: address prefix prefix/length; dns-server dns-server-address; domain-name domain-name
- Step 4: Configure the DHCPv6 interface: ipv6 dhcp server pool-name; ipv6 nd managed-config-flag

Configuring a Router as a Stateful DHCPv6 Client
- Step 1: Allow the router to send RS messages and participate in DHCPv6: ipv6 enable
- Step 2: Make the router a DHCPv6 client: ipv6 address dhcp

Verifying Stateful DHCPv6
- show ipv6 dhcp pool
- show ipv6 dhcp binding
- show ipv6 interface

Configuring a Router as a DHCPv6 Relay Agent
- If the DHCPv6 server is located on a different network than the client, the router can be configured as a DHCPv6 relay agent: ipv6 dhcp relay destination destination-address

Troubleshoot DHCPv6

Troubleshooting Tasks
[Slide figure only; not recoverable from the transcript.]

Verify Router DHCPv6 Configuration
- Use the show ipv6 interface command to verify the DHCPv6 configuration.

Debugging DHCPv6
- To verify the receipt and transmission of DHCPv6 messages: debug ipv6 dhcp detail

8.3 Chapter Summary

Conclusion
- Packet Tracer - Skills Integration Challenge
- Chapter 8: DHCP: implement DHCPv4 and DHCPv6 to operate across multiple LANs in a small to medium-sized business network.
