11zon_Module_3-Basic Device Configuration (2).pdf
CCNA-2 Module 3: Basic Device Configuration
Instructor: Dr. Mohamed Buker
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

1.1 Configure a Switch with Initial Settings

Switch Boot Sequence
After a Cisco switch is powered on, it goes through the following five-step boot sequence:
Step 1: The switch loads a power-on self-test (POST) program stored in ROM. POST tests the CPU, DRAM, and the portion of the flash device that makes up the flash file system.
Step 2: The switch loads the boot loader software. The boot loader is a small program stored in ROM that runs immediately after POST completes successfully.
Step 3: The boot loader performs low-level CPU initialization. It initializes the CPU registers, which control where physical memory is mapped, the quantity of memory, and its speed.
Step 4: The boot loader initializes the flash file system on the system board.
Step 5: The boot loader locates and loads a default IOS operating system software image into memory and hands control of the switch to the IOS.

Switch Management Access
To prepare a switch for remote management access, the switch must be configured with an IP address and a subnet mask. To manage the switch from a remote network, it must also be configured with a default gateway. This is very similar to configuring the IP address information on a host. In the figure, the switch virtual interface (SVI) on S1 is assigned an IP address. The SVI is a virtual interface, not a physical port on the switch. A console cable is used to connect a PC to the switch so that it can be initially configured.
Switch SVI Configuration Example
By default, the switch is configured to have its management controlled through VLAN 1, and all ports are assigned to VLAN 1. For security purposes, it is considered a best practice to use a VLAN other than VLAN 1 for the management VLAN: with the default, any host plugged into an unconfigured access port lands on the same VLAN as the switch's management interface.

Step 1: Configure the Management Interface
From VLAN interface configuration mode, an IPv4 address and subnet mask are applied to the management SVI of the switch.
Note: The SVI for VLAN 99 will not appear as "up/up" until VLAN 99 is created and there is a device connected to a switch port associated with VLAN 99.
Note: The switch may need to be configured for IPv6. For example, before you can configure IPv6 addressing on a Cisco Catalyst 2960 running IOS version 15.0, you will need to enter the global configuration command sdm prefer dual-ipv4-and-ipv6 default and then reload the switch.

Task / IOS command:
- Enter global configuration mode: S1# configure terminal
- Enter interface configuration mode for the SVI: S1(config)# interface vlan 99
- Configure the management interface IPv4 address: S1(config-if)# ip address 172.17.99.11 255.255.255.0
- Configure the management interface IPv6 address: S1(config-if)# ipv6 address 2001:db8:acad:99::1/64
- Enable the management interface: S1(config-if)# no shutdown
- Return to privileged EXEC mode: S1(config-if)# end
- Save the running config to the startup config: S1# copy running-config startup-config

Step 2: Configure the Default Gateway
The switch should be configured with a default gateway if it will be managed remotely from networks that are not directly connected.
Note: The switch does not require an IPv6 default gateway, because it receives its default gateway information from a router advertisement (RA) message.

Task / IOS command:
- Enter global configuration mode: S1# configure terminal
- Configure the default gateway for the switch: S1(config)# ip default-gateway 172.17.99.1
- Return to privileged EXEC mode: S1(config)# end
- Save the running config to the startup config: S1# copy running-config startup-config

Step 3: Verify Configuration
The show ip interface brief and show ipv6 interface brief commands are useful for determining the status of both physical and virtual interfaces. The output shown confirms that interface VLAN 99 has been configured with an IPv4 and an IPv6 address.
Note: An IP address applied to the SVI is only for remote management access to the switch; it does not allow the switch to route Layer 3 packets.

1.2 Configure Switch Ports

Duplex Communication
Full-duplex communication increases bandwidth efficiency by allowing both ends of a connection to transmit and receive data simultaneously. This is also known as bidirectional communication. There is no collision domain associated with a switch port operating in full-duplex mode.
Half-duplex communication allows data to flow in only one direction at a time. This creates performance issues and often results in collisions. Gigabit Ethernet and 10 Gb NICs require full-duplex connections to operate. Full-duplex offers 100 percent efficiency in both directions (transmitting and receiving).
Configure Switch Ports at the Physical Layer
Switch ports can be manually configured with specific duplex and speed settings. The respective interface configuration commands are duplex and speed. The default setting for both duplex and speed on Cisco Catalyst 2960 and 3560 switch ports is auto. The 10/100/1000 ports operate in either half- or full-duplex mode when they are set to 10 or 100 Mbps, and operate only in full-duplex mode when set to 1000 Mbps (1 Gbps).
Autonegotiation is useful when the speed and duplex settings of the device connecting to the port are unknown or may change. When connecting to known devices such as servers, dedicated workstations, or network devices, a best practice is to manually set the speed and duplex settings. Set both ends the same way: a port hard-coded to full duplex no longer negotiates, and a 10/100 peer left on auto then falls back to half duplex, which is exactly the mismatch described next. When troubleshooting switch port issues, it is important to check the duplex and speed settings.
Note: Mismatched duplex and speed settings on switch ports can cause connectivity issues. Autonegotiation failure creates mismatched settings. All fiber-optic ports, such as 1000BASE-SX ports, operate only at one preset speed and are always full-duplex.

Task / IOS command:
- Enter global configuration mode: S1# configure terminal
- Enter interface configuration mode: S1(config)# interface FastEthernet 0/1
- Configure the interface duplex: S1(config-if)# duplex full
- Configure the interface speed: S1(config-if)# speed 100
- Return to privileged EXEC mode: S1(config-if)# end
- Save the running config to the startup config: S1# copy running-config startup-config
Auto-MDIX
When automatic medium-dependent interface crossover (auto-MDIX) is enabled, the switch interface automatically detects the required cable connection type (straight-through or crossover) and configures the connection appropriately. When connecting to switches without the auto-MDIX feature, straight-through cables must be used to connect to devices such as servers, workstations, or routers, and crossover cables must be used to connect to other switches. With auto-MDIX enabled, either type of cable can be used to connect to other devices, and the interface automatically adjusts to communicate successfully. On newer Cisco switches, the mdix auto interface configuration command enables the feature. When using auto-MDIX on an interface, the interface speed and duplex must be set to auto so that the feature operates correctly.
Note: The auto-MDIX feature is enabled by default on Catalyst 2960 and Catalyst 3560 switches but is not available on the older Catalyst 2950 and Catalyst 3550 switches.

Switch Verification Commands
Task / IOS command:
- Display interface status and configuration: S1# show interfaces [interface-id]
- Display the current startup configuration: S1# show startup-config
- Display the current running configuration: S1# show running-config
- Display information about the flash file system: S1# show flash
- Display system hardware and software status: S1# show version
- Display the history of commands entered: S1# show history (the buffer size is set with S1# terminal history size 10)
- Display IP information about an interface: S1# show ip interface [interface-id] or S1# show ipv6 interface [interface-id]
- Display the MAC address table: S1# show mac-address-table or S1# show mac address-table
Verify Switch Port Configuration
The show running-config command can be used to verify that the switch has been correctly configured. In the example, VLAN 99 is configured with an IPv4 address of 172.17.99.11 255.255.255.0 and the default gateway is set to 172.17.99.1.

The show interfaces command is another commonly used command; it displays status and statistics for the network interfaces of the switch and is used frequently when configuring and monitoring network devices. The first line of the output for show interfaces fastEthernet 0/18 indicates that the FastEthernet 0/18 interface is up/up, meaning that it is operational. Further down, the output shows that the duplex is full and the speed is 100 Mbps.

Network Access Layer Issues
The output of the show interfaces command is useful for detecting common media issues. The first line reports the line status and the data link protocol status:
- "FastEthernet0/18 is up" refers to the hardware layer and indicates whether the interface is receiving a carrier detect signal.
- "line protocol is up" refers to the data link layer and indicates whether the data link layer protocol keepalives are being received.
Possible problems can be interpreted as follows:
- If the interface is up and the line protocol is down, there could be an encapsulation type mismatch or a hardware problem.
- If both the line protocol and the interface are down, a cable is not attached or some other interface problem exists. For example, the other end of the connection may be administratively down.
- If the interface is administratively down, it has been manually disabled (the shutdown command has been issued) in the active configuration.
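The status line above and the error counters explained in the next slides can be checked mechanically rather than read by eye. The Python script below is an added example and is not part of the Cisco curriculum: it parses a constructed show interfaces transcript (interface name, MAC address and all counter values are made up to trigger the checks) and applies the module's interpretation rules to it.

```python
"""Parse Catalyst `show interfaces` output and apply the module's rules."""
import re

# Constructed sample shaped like `show interfaces FastEthernet0/18`;
# the counter values are invented so that several checks fire.
SAMPLE = """\
FastEthernet0/18 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0025.83e6.4b12 (bia 0025.83e6.4b12)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
     2295197 packets input, 305539992 bytes, 0 no buffer
     0 runts, 0 giants, 0 throttles
     3 input errors, 3 CRC, 0 frame, 0 overrun, 0 ignored
     3594664 packets output, 436549843 bytes, 0 underruns
     8 output errors, 1790 collisions, 10 interface resets
     0 babbles, 630 late collision, 0 deferred
"""

STATUS_RE = re.compile(
    r"^(\S+) is (administratively down|up|down), line protocol is (up|down)", re.M)
DUPLEX_RE = re.compile(r"^\s*(Full|Half|Auto)-duplex, (\S+),", re.M)
# Counter labels as IOS prints them (IOS writes "late collision" in the singular).
COUNTERS = ("runts", "giants", "input errors", "CRC",
            "output errors", "collisions", "late collision")


def parse_show_interfaces(text):
    """Return interface status, duplex/speed and the error counters as a dict."""
    m = STATUS_RE.search(text)
    if m is None:
        raise ValueError("no '<interface> is ..., line protocol is ...' line found")
    name, status, protocol = m.groups()
    d = DUPLEX_RE.search(text)
    counters = {}
    for label in COUNTERS:
        c = re.search(r"(\d+) " + re.escape(label) + r"s?\b", text)
        counters[label] = int(c.group(1)) if c else 0
    return {"interface": name, "status": status, "protocol": protocol,
            "duplex": d.group(1).lower() if d else None,
            "speed": d.group(2) if d else None, "counters": counters}


def diagnose(parsed):
    """Apply the slide's rules to a parsed interface; returns a list of findings."""
    findings = []
    status, proto, c = parsed["status"], parsed["protocol"], parsed["counters"]
    if status == "administratively down":
        findings.append("administratively down: shutdown is in the configuration")
    elif status == "up" and proto == "down":
        findings.append("up/down: encapsulation mismatch or hardware problem")
    elif status == "down":
        findings.append("down/down: no cable, or the far end is administratively down")
    if c["runts"]:
        findings.append(f"{c['runts']} runts: malfunctioning NIC or collisions")
    if c["giants"]:
        findings.append(f"{c['giants']} giants: frames above the maximum size")
    if c["CRC"]:
        findings.append(f"{c['CRC']} CRC errors: noise or a bad cable, inspect the cabling")
    if c["collisions"] and parsed["duplex"] == "full":
        findings.append(f"{c['collisions']} collisions on a full-duplex port: "
                        "should never happen, suspect a duplex mismatch")
    if c["late collision"]:
        findings.append(f"{c['late collision']} late collisions: "
                        "excessive cable length (or a duplex mismatch)")
    return findings


if __name__ == "__main__":
    parsed = parse_show_interfaces(SAMPLE)
    print(parsed["interface"], parsed["status"], parsed["protocol"],
          parsed["duplex"], parsed["speed"])
    for finding in diagnose(parsed):
        print(" -", finding)
```

Feeding the script the real output of show interfaces (for example, pasted from a terminal session) works the same way; the counters that matter for a security review are collisions and late collisions on a port that claims full duplex, because a duplex mismatch silently drops traffic without taking the link down.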
Network Access Layer Issues (Cont.)
The show interfaces command output displays counters and statistics for the FastEthernet0/18 interface.

Some media errors are not severe enough to cause the circuit to fail but do cause network performance issues. The table explains some of these common errors, which can be detected using the show interfaces command.

Error type / Description:
- Input Errors: Total number of errors in incoming packets. It includes runts, giants, and CRC errors.
- Runts: Packets that are discarded because they are smaller than the minimum packet size for the medium. For instance, any Ethernet packet that is less than 64 bytes is considered a runt.
- Giants: Packets that are discarded because they exceed the maximum packet size for the medium. For example, any Ethernet packet that is greater than 1,518 bytes is considered a giant.
- CRC: CRC errors are generated when the calculated checksum is not the same as the checksum received.
- Output Errors: Total number of errors that prevented the final transmission of datagrams out of the interface that is being examined.
- Collisions: Number of messages retransmitted because of an Ethernet collision.
- Late Collisions: A collision that occurs after 512 bits of the frame have been transmitted.

Interface Input and Output Errors
"Input errors" is the sum of all errors in datagrams that were received on the interface being examined. This includes runts, giants, and CRC errors. The reported input errors from the show interfaces command include the following:
- Runt frames: Ethernet frames that are shorter than the 64-byte minimum allowed length are called runts. Malfunctioning NICs are the usual cause of excessive runt frames, but they can also be caused by collisions.
- Giants: Ethernet frames that are larger than the maximum allowed size are called giants.
- CRC errors: On Ethernet and serial interfaces, CRC errors usually indicate a media or cable error. Common causes include electrical interference, loose or damaged connections, or incorrect cabling. If you see many CRC errors, there is too much noise on the link and you should inspect the cable. You should also search for and eliminate noise sources.

"Output errors" is the sum of all errors that prevented the final transmission of datagrams out of the interface being examined. The reported output errors from the show interfaces command include the following:
- Collisions: Collisions in half-duplex operation are normal. However, you should never see collisions on an interface configured for full-duplex communication; when you do, the far end is almost always running half duplex (a duplex mismatch).
- Late collisions: A late collision refers to a collision that occurs after 512 bits of the frame have been transmitted. Excessive cable lengths are the most common cause of late collisions; they are also the classic symptom of a duplex mismatch.

Troubleshooting Network Access Layer Issues
To troubleshoot scenarios involving no connection or a bad connection, follow the general process shown in the figure (which also lists electromagnetic interference as a cause to check).

1.3 Secure Remote Access

Telnet Operation
Telnet uses TCP port 23. It is an older protocol that uses unsecure plaintext transmission of both the login authentication (username and password) and the data exchanged between the communicating devices.
A threat actor can monitor packets using Wireshark. For example, in the figure the threat actor captured the username admin and password ccna from a Telnet session.

SSH Operation
Secure Shell (SSH) is a secure protocol that uses TCP port 22. It provides an encrypted management connection to a remote device, protecting both the authentication exchange (username and password) and the data transmitted between the communicating devices. SSH should replace Telnet for management connections. Unlike Telnet, with SSH the username and password are encrypted.

Verify the Switch Supports SSH
To enable SSH on a Catalyst 2960 switch, the switch must be running a version of the IOS software that includes cryptographic (encrypted) features and capabilities. Use the show version command on the switch to see which IOS the switch is currently running. An IOS filename that includes the combination "k9" supports cryptographic features. If it does not, the solution is to upgrade the IOS image (from USB, FTP, or TFTP).

Configure SSH
Before starting, configure the switch with a unique hostname and the correct network connectivity settings.
Step 1: Verify SSH support. Use the show ip ssh command to verify that the switch supports SSH. If the switch is not running an IOS that supports cryptographic features, this command is unrecognized.
Step 2: Configure the IP domain. Use the ip domain-name domain-name global configuration command.
Step 3: Generate RSA key pairs. Generating an RSA key pair (asymmetric encryption) automatically enables SSH. Use the crypto key generate rsa global configuration command to enable SSH and generate an RSA key pair; you will be prompted for a key length. SSH version 2 requires a modulus of at least 768 bits, and 2048 bits is the usual choice.
Note: To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. Once the key pair is deleted, SSH is automatically disabled.
Step 4: Configure user authentication. Create a username and password pair with the username username secret password global configuration command (local authentication). Use secret rather than password: secret stores a salted hash, while password stores the string in plaintext or in the reversible type 7 encoding.
Step 5: Configure the vty lines. Use the line vty 0 15 global configuration command, then the transport input ssh line configuration command.
Step 6: Enable SSH version 2. By default, SSH supports both versions 1 and 2. Enable version 2 only with the ip ssh version 2 global configuration command.
From a client, connect with: C:\> ssh -l username ip-address

Verify SSH is Operational
To display the version and configuration data for SSH on the device that you configured as an SSH server, use the show ip ssh command. In the example, SSH version 2 is enabled.

Packet Tracer – Configure SSH (Configure SSH.pka)

1.4 Basic Router Configuration

Configure Basic Router Settings
Cisco routers and Cisco switches have many similarities. They support a similar command structure and many of the same commands. In addition, both devices have similar initial configuration steps. For example, the following configuration tasks should always be performed: name the device to distinguish it from other routers, and configure passwords, as shown in the example.

Configure Basic Router Settings (Cont.)
Configure a banner to provide legal notification of unauthorized access, as shown in the example. Save the changes on the router, as shown in the example.

Dual Stack Topology
One distinguishing feature between switches and routers is the type of interfaces supported by each. For example, Layer 2 switches support LANs; therefore, they have multiple FastEthernet or Gigabit Ethernet ports. The dual stack topology in the figure is used to demonstrate the configuration of router IPv4 and IPv6 interfaces.

Configure Router Interfaces
Routers support LANs and WANs and can interconnect different types of networks; therefore, they support many types of interfaces, such as Fast Ethernet, Gigabit Ethernet, serial, T1, and others. To be available, an interface must be:
- Configured with at least one IP address: use the ip address ip-address subnet-mask and ipv6 address ipv6-address/prefix interface configuration commands.
- Activated: by default, LAN and WAN interfaces are not activated (shutdown). To enable an interface, it must be activated using the no shutdown command. The interface must also be connected to another device (a hub, a switch, or another router) for the physical layer to be active.
- Description (optional): the interface can also be configured with a short description of up to 240 characters. It is good practice to configure a description on each interface.
The example shows how to configure the interfaces of R1.
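The management-access settings from 1.1 (management SVI and default gateway) and 1.3 (SSH, vty lines, local users) can be audited from a saved running-config instead of being re-read by hand. The Python script below is an added example and is not part of the Cisco curriculum. The two configurations it checks are constructed: the domain name example.com and the username admin are placeholders, and a real running-config shows the username secret as a hash rather than the literal string. The check for login local on the vty lines goes beyond the six steps listed on the Configure SSH slide; without it (or AAA) the vty lines ignore the local username database.

```python
"""Audit a switch running-config for the management-access settings in Module 3."""
import ipaddress
import re

# Constructed "before" configuration: management on VLAN 1, gateway in the
# wrong subnet, line passwords only, Telnet still accepted on the vty lines.
WEAK = """\
hostname S1
!
interface Vlan1
 ip address 172.17.99.11 255.255.255.0
!
ip default-gateway 172.17.10.1
!
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 login
"""

# Constructed "after" configuration following the SVI steps and Configure SSH
# steps 1-6. example.com and admin are placeholders; IOS stores the secret
# as a hash, not as the literal shown here.
HARDENED = """\
hostname S1
ip domain-name example.com
!
username admin secret Str0ngPassw0rd
!
interface Vlan99
 ip address 172.17.99.11 255.255.255.0
!
ip default-gateway 172.17.99.1
ip ssh version 2
!
line vty 0 15
 login local
 transport input ssh
"""


def stanzas(config):
    """Split an IOS config into (header, [indented child lines]) blocks."""
    blocks, header, body = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            body.append(raw.strip())
        else:
            if header is not None:
                blocks.append((header, body))
            header, body = raw.strip(), []
    if header is not None:
        blocks.append((header, body))
    return blocks


def audit(config):
    """Return 'CODE: explanation' findings; an empty list means every check passed."""
    findings = []
    blocks = stanzas(config)
    top = [h for h, _ in blocks]
    mgmt_net = None
    for header, body in blocks:
        svi = re.fullmatch(r"interface Vlan(\d+)", header)
        if svi:
            for line in body:
                addr = re.fullmatch(r"ip address (\S+) (\S+)", line)
                if addr:
                    mgmt_net = ipaddress.ip_interface(f"{addr[1]}/{addr[2]}").network
                    if int(svi[1]) == 1:
                        findings.append("MGMT-VLAN1: management SVI is on VLAN 1, "
                                        "which every unconfigured port belongs to")
        vty = re.fullmatch(r"line vty (\d+) (\d+)", header)
        if vty:
            rng = f"vty {vty[1]}-{vty[2]}"
            if "transport input ssh" not in body:
                findings.append(f"VTY-TELNET: {rng} lacks 'transport input ssh', Telnet still accepted")
            if "login local" not in body:
                findings.append(f"VTY-LOGIN: {rng} lacks 'login local', username database unused")
    gw = next((h.split()[-1] for h in top if h.startswith("ip default-gateway ")), None)
    if gw is None:
        findings.append("GW-MISSING: no ip default-gateway, unreachable from other networks")
    elif mgmt_net is not None and ipaddress.ip_address(gw) not in mgmt_net:
        findings.append(f"GW-SUBNET: gateway {gw} is not in the management subnet {mgmt_net}")
    if not any(h.startswith("ip domain-name ") for h in top):
        findings.append("SSH-DOMAIN: no ip domain-name, crypto key generate rsa is refused")
    if "ip ssh version 2" not in top:
        findings.append("SSH-V1: ip ssh version 2 not set, SSH version 1 still negotiable")
    users = [h for h in top if h.startswith("username ")]
    if not users:
        findings.append("USER-NONE: no local username for login local")
    for u in users:
        if " secret " not in u:
            findings.append(f"USER-PLAIN: {u.split()[1]} uses 'password' (plaintext or type 7), use 'secret'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        result = audit(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print(" -", finding)
```

Paste the output of show running-config into the script in place of WEAK to audit a real device; the RSA key pair itself is not visible in the running-config, so show ip ssh remains the check for step 3.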
IPv4 Loopback Interfaces
The loopback interface is a logical interface that is internal to the router. It is not assigned to a physical port and can never be connected to any other device. It is considered a software interface that is automatically placed in an "up" state, as long as the router is functioning. The loopback interface is useful in testing and managing a Cisco IOS device because it ensures that at least one interface will always be available. Loopback interfaces are also commonly used in lab environments to create additional interfaces. For example, you can create multiple loopback interfaces on a router to simulate more networks for configuration practice and testing purposes. The IPv4 address for each loopback interface must be unique and unused by any other interface. In this curriculum, we often use a loopback interface to simulate a link to the internet. Enabling and assigning a loopback address is simple:
Router(config)# interface loopback number
Router(config-if)# ip address ip-address subnet-mask

Packet Tracer – Configure Router Interfaces (Configure Router Interfaces.pka)

1.5 Verify Directly Connected Networks

Interface Verification Commands
There are several show commands that can be used to verify the operation and configuration of an interface. The following commands are especially useful to quickly identify the status of an interface:
- show ip interface brief and show ipv6 interface brief: display a summary for all interfaces, including the IPv4 or IPv6 address of the interface and its current operational status.
- show interfaces interface-id: displays detailed information about the specified interface.
- show ip route and show ipv6 route: display the contents of the IPv4 or IPv6 routing table stored in RAM. In Cisco IOS 15, active interfaces appear in the routing table with two related entries, identified by the codes 'C' (Connected) and 'L' (Local, /32). In previous IOS versions, only a single entry with the code 'C' appears.

Verify Interface Status
The output of the show ip interface brief and show ipv6 interface brief commands can be used to quickly reveal the status of all interfaces on the router. You can verify that the interfaces are active and operational as indicated by a Status of "up" and a Protocol of "up", as shown in the example. A different output would indicate a problem.

Verify IPv6 Link Local and Multicast Addresses
The output of the show ipv6 interface brief command displays two configured IPv6 addresses per interface. One address is the IPv6 global unicast address that was manually entered. The other address, which begins with FE80, is the link-local unicast address for the interface. A link-local address is automatically added to an interface whenever a global unicast address is assigned. An IPv6 network interface is required to have a link-local address, but not necessarily a global unicast address. The show ipv6 interface gigabitethernet 0/0/0 command displays the interface status and all of the IPv6 addresses belonging to the interface. Along with the link-local address and the global unicast address, the output includes the multicast addresses assigned to the interface, beginning with the prefix FF02, as shown in the example.
Verify Routes
The output of the show ip route and show ipv6 route commands reveals the three directly connected network entries and the three local host route entries, as shown in the example. The local host route has an administrative distance of 0. It has a /32 mask for IPv4 and a /128 mask for IPv6. The local host route is for an address owned by the router itself; it allows the router to process packets destined to that IP. A 'C' next to a route in the routing table indicates that it is a directly connected network.

Filter Show Command Output
Multiple screens of output are, by default, paused after 24 lines at a --More-- prompt. Pressing Enter displays the next line and pressing the spacebar displays the next screen of lines.

Command History Feature
The command history feature is useful because it temporarily stores the list of executed commands to be recalled. To recall commands in the history buffer, press Ctrl+P or the Up Arrow key. Repeat the key sequence to recall successively older commands. To return to more recent commands in the history buffer, press Ctrl+N or the Down Arrow key. By default, command history is enabled and the system captures the last 10 command lines in its history buffer. Use the show history privileged EXEC command to display the contents of the buffer. To change the history buffer, use the terminal history size user EXEC command to increase or decrease the size of the buffer.
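The checks in the Verify IPv6 Link Local and Multicast Addresses and Verify Routes slides can be reproduced from the interface addresses alone and compared against what the router actually shows. The Python script below is an added example and is not part of the Cisco curriculum: the interface addresses, the MAC address and the two routing-table transcripts are constructed. It goes one step beyond the slides by deriving the FE80 link-local address that IOS builds from the interface MAC (modified EUI-64) and the FF02::1:FF solicited-node multicast group that each unicast address joins.

```python
"""Derive the expected connected/local routes and IPv6 addresses for a
dual-stack router and compare them with routing-table output."""
import ipaddress
import re

# Constructed dual-stack interface plan for R1 (not the curriculum's figure).
INTERFACES = {
    "GigabitEthernet0/0/0": ["192.168.10.1/24", "2001:db8:acad:10::1/64"],
    "GigabitEthernet0/0/1": ["192.168.11.1/24", "2001:db8:acad:11::1/64"],
}

# Constructed routing-table transcripts. The IPv6 table deliberately lacks
# G0/0/1, as it would if ipv6 were not yet active on that interface.
SHOW_IP_ROUTE = """\
Gateway of last resort is not set

      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, GigabitEthernet0/0/0
L        192.168.10.1/32 is directly connected, GigabitEthernet0/0/0
      192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.11.0/24 is directly connected, GigabitEthernet0/0/1
L        192.168.11.1/32 is directly connected, GigabitEthernet0/0/1
"""

SHOW_IPV6_ROUTE = """\
C   2001:DB8:ACAD:10::/64 [0/0]
     via GigabitEthernet0/0/0, directly connected
L   2001:DB8:ACAD:10::1/128 [0/0]
     via GigabitEthernet0/0/0, receive
L   FF00::/8 [0/0]
     via Null0, receive
"""


def eui64_link_local(mac):
    """FE80:: link-local address IOS derives from a MAC (modified EUI-64)."""
    octets = bytes.fromhex(re.sub(r"[.:-]", "", mac))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # insert FFFE in the middle
    iid[0] ^= 0x02                                          # flip the universal/local bit
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + bytes(iid))


def solicited_node(addr):
    """FF02::1:FFxx:xxxx group joined for a unicast address (its low 24 bits)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def expected_routes(interfaces):
    """{('C', network), ('L', host/32 or /128)} that IOS 15 installs per address."""
    expected = set()
    for addrs in interfaces.values():
        for a in addrs:
            iface = ipaddress.ip_interface(a)
            expected.add(("C", str(iface.network)))
            expected.add(("L", f"{iface.ip}/{iface.network.max_prefixlen}"))
    return expected


ROUTE_RE = re.compile(r"^([CL])\s+(\S+)", re.M)


def missing_routes(interfaces, *route_outputs):
    """Expected connected/local entries that are absent from the show output."""
    found = set()
    for text in route_outputs:
        found |= {(code, prefix.lower()) for code, prefix in ROUTE_RE.findall(text)}
    return expected_routes(interfaces) - found


if __name__ == "__main__":
    link_local = eui64_link_local("0025.83e6.4b12")
    print("link-local:", link_local, " solicited-node:", solicited_node(str(link_local)))
    for code, prefix in sorted(missing_routes(INTERFACES, SHOW_IP_ROUTE, SHOW_IPV6_ROUTE)):
        print("missing", code, prefix)
```

An expected entry that is missing points at an interface that is shut down, has no cable, or never had the address applied; an entry that is present but unexpected is worth a look for the same reason in reverse.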
Packet Tracer – Verify Directly Connected Networks (Verify Directly Connected Networks.pka; Implement a Small Network.pka)