08 - Ethernet Switch Configuration

By Muhammad Asghar Khan

Reference: CCENT/CCNA ICND1 Official Exam Certification Guide By Wendell Odom

Page 2: Agenda (1/2)

www.asghars.blogspot.com

• Configure Topology in Packet Tracer
• Configuration Features Common in Routers & Switches
  • Securing the CLI
    • Configuring Simple Password Security for Console & Telnet Access
    • Configuring Usernames & SSH
    • Password Encryption
    • Enable Mode Passwords
  • Customizing CLI Connection
    • Banners

Page 3: Agenda (2/2)

  • Customizing CLI Connection (continued)
    • History Buffer
    • Configuring Syslog Messages
    • Configuring Inactivity Timeout
• LAN Switch Configuration
  • Switch IP Configuration
  • Interface Configuration
  • Port Security
  • VLAN Configuration
  • Securing Unused Interfaces

Page 4: Configure Topology in Packet Tracer (1/1)

Configure the topology for practice as shown in the figure.

Add two PDUs: one with PC0 as source and PC1 as destination, and one with PC1 as source and PC0 as destination.

Page 5: Configuration Features Common in Routers & Switches (1/17)

Securing the CLI

Configuring security on a switch or router requires the following steps:
• Configuring Password for Enable Mode
• Configuring Password for Console Access
• Configuring Password for Telnet Access
• Configuring Usernames & SSH
• Password Encryption
• Enable Mode Passwords

Page 6: Configuration Features Common in Routers & Switches (2/17)

Configuring Password for Enable Mode

By default the enable command allows console users to enter enable mode without a password. To protect enable mode, use the enable secret global configuration command.

Configuring Password for Console Access

Example annotations:
• Move from EXEC to enable mode
• Move from enable to global config mode
• Set password pwd for enable mode
• Move to line config mode (sub-config mode) to configure the console
• Set password pwd for console mode
• Prompt for password / authentication

Page 7: Configuration Features Common in Routers & Switches (3/17)

Configuring Password for Telnet Access

You can verify the previous configuration by using the show running-config command.

Example annotations:
• Move to line config mode for the virtual terminal (vty) lines
• Set password cis for Telnet access
• Prompt for password / authentication

Page 8: Configuration Features Common in Routers & Switches (4/17)

Page 9: Configuration Features Common in Routers & Switches (5/17)

Configuring Usernames & SSH

SSH is the preferred method for remote login to switches or routers. Telnet sends all data, including passwords, as clear text, while SSH encrypts the data sent between the SSH client and the SSH server.

SSH can use one of two user authentication methods:
• Username & password configured on the switch
• Username & password configured on an external server called an Authentication, Authorization & Accounting (AAA) server

Here we will use the local configuration on the switch.

Page 10: Configuration Features Common in Routers & Switches (6/17)

Example annotations:
• Step 1: Both the hostname & domain name are required for the encryption keys
• Step 2: Generate the encryption key
• Step 3: Max idle timer
• Step 4: Max failed attempts
• Step 5: Add username & password
• Step 6: Enter vty line configuration
• Step 7: Use local authentication
• Step 8: Finally, tell the switch to accept both Telnet & SSH

Page 11: Configuration Features Common in Routers & Switches (7/17)

Step 5: Generate a public & private key pair as well as the shared encryption key

• Display RSA key pair information

Page 12: Configuration Features Common in Routers & Switches (8/17)

Password Encryption

The password and username commands store the password in clear text in the running-config file. The enable secret command only hides the enable password value.

To avoid exposing passwords in a printed version of the configuration file, you can encrypt them using the service password-encryption global configuration command.

If the no service password-encryption command is used later, the passwords remain encrypted until they are changed, at which point they show up in clear text.

Page 13: Configuration Features Common in Routers & Switches (9/17)

Example shows the password encryption process.

Example annotations:
• List the running configuration, beginning with the first line that contains the text "line vty"
• Encrypt the passwords
• Passwords are encrypted; 7 indicates the type of the underlying encryption algorithm

Page 14: Configuration Features Common in Routers & Switches (10/17)

Example annotations:
• Remove the password encryption service
• Passwords are still encrypted
• Change the password for vty

Page 15: Configuration Features Common in Routers & Switches (11/17)

Enable Mode Passwords

The enable secret command uses an MD5 hash to hide the password. MD5 is much more secure than the encryption used by the service password-encryption command.

If both the enable password and enable secret commands are used, the password set by enable secret is the one that must be entered.

• Password encryption is removed

Page 16: Configuration Features Common in Routers & Switches (12/17)

Example shows the enable secret and encryption process.

Example annotations:
• Use the enable secret, rather than the enable password
• MD5 hash value for the password
• Delete the enable secret password

Page 17: Configuration Features Common in Routers & Switches (13/17)

Customizing CLI Connection

The following configuration settings affect the behavior of the CLI connection from the console and vty (Telnet & SSH) lines:
• Banners
• History Buffer
• Configuring Syslog Messages
• Configuring Inactivity Timeout

Page 18: Configuration Features Common in Routers & Switches (14/17)

Banners

A banner is simply some text that appears on the screen for the user. Cisco routers & switches can display a variety of banners. The three most popular banners are:
• Message of the Day (MOTD): Shown before the login prompt. Used for temporary messages
• Login: Shown after the MOTD but before the login prompt. Used for permanent messages
• Exec: Shown after the login prompt. Used to supply information that should be hidden from unauthorized users

Page 19: Configuration Features Common in Routers & Switches (15/17)

History Buffer

The last several commands are saved in the history buffer. Commands related to the history buffer are:
• q is used as the beginning and ending delimiter character
• List the commands currently held in the buffer
• From line config mode, set the default number of commands for the user(s) of the console or vty lines
• From EXEC mode, the user can set the size of the history buffer for his or her single connection

Page 20: Configuration Features Common in Routers & Switches (16/17)

Configuring Syslog Messages

A switch or router puts syslog messages on the console's screen at any time, including right in the middle of a command you are entering.

To make using the console a little easier, you can tell the switch to display syslog messages only at convenient times. To do this, configure the logging synchronous console line subcommand.

Page 21: Configuration Features Common in Routers & Switches (17/17)

Configuring Inactivity Timeout

By default, the switch or router automatically disconnects users after 5 minutes of inactivity. To set a different inactivity timer, use the exec-timeout line subcommand.

If the timeout is set to 0 minutes and 0 seconds, the router never times out the console connection.
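The script below is an added example written for this transcript; it is not code from the slides or from Cisco. It turns the checks from the preceding slides (enable secret instead of enable password, username secret instead of username password, service password-encryption, SSH-only vty lines, a non-zero exec-timeout) into an audit that reads an IOS running-config as text. Both config excerpts are constructed samples: the weak one matches the starting state of the slide examples, the hardened one the end state. The hostname, domain name, usernames and the placeholder hash and type 7 strings are assumptions, not real values.

```python
"""Audit an IOS running-config for the CLI security settings in the slides.

Added teaching example (not Cisco code and not from the original slides).
The two configs below are constructed samples; password hashes and
type 7 strings are placeholders, not real values.
"""

# Constructed sample: the 'before' state the slide examples start from.
WEAK_CONFIG = """\
hostname SW1
enable password pwd
username admin password cisco
!
line con 0
 password pwd
 login
line vty 0 4
 password cis
 login
 transport input telnet
 exec-timeout 0 0
!
"""

# Constructed sample: the hardened state after the slides' recommendations.
HARDENED_CONFIG = """\
hostname SW1
ip domain-name example.com
service password-encryption
enable secret 5 $1$PLACEHOLDER$hashvaluehere
username admin secret 5 $1$PLACEHOLDER$hashvaluehere
!
line con 0
 password 7 PLACEHOLDER7
 login
 logging synchronous
 exec-timeout 5 0
line vty 0 4
 login local
 transport input ssh
 exec-timeout 5 0
!
"""


def parse_config(text):
    """Split a config into global commands and line/interface sections.

    Returns (globals, sections); sections maps e.g. 'line vty 0 4' to the
    list of its indented subcommands. Comment lines ('!') are skipped.
    """
    globals_, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        elif line.startswith(("line ", "interface ")):
            current = line
            sections[current] = []
        else:
            current = None
            globals_.append(line)
    return globals_, sections


def audit(text):
    """Return a list of findings, each prefixed with HIGH or MEDIUM."""
    globals_, sections = parse_config(text)
    findings = []
    if not any(cmd.startswith("enable secret") for cmd in globals_):
        findings.append("HIGH: no 'enable secret'; enable mode is not protected by an MD5-hashed password")
    if any(cmd.startswith("enable password") for cmd in globals_):
        findings.append("HIGH: 'enable password' present; remove it and rely on 'enable secret'")
    for cmd in globals_:
        if cmd.startswith("username ") and " password " in cmd:
            findings.append(f"HIGH: user '{cmd.split()[1]}' uses 'username ... password'; "
                            "use 'username ... secret' so the value is hashed")
    encrypted = "service password-encryption" in globals_
    for name, cmds in sections.items():
        if not name.startswith("line "):
            continue
        for cmd in cmds:
            parts = cmd.split()
            if parts[0] != "password":
                continue
            if len(parts) >= 3 and parts[1] == "7":
                # service password-encryption output: reversible, so only MEDIUM
                findings.append(f"MEDIUM: {name} uses a type 7 password; that is reversible "
                                "obfuscation, not a hash")
            elif not encrypted:
                findings.append(f"HIGH: {name} password is stored in clear text "
                                "(no 'service password-encryption')")
        if name.startswith("line vty"):
            transport = [c for c in cmds if c.startswith("transport input")]
            if transport != ["transport input ssh"]:
                findings.append(f"HIGH: {name} is not limited to SSH ('transport input ssh'); "
                                "Telnet sends passwords in clear text")
        if "exec-timeout 0 0" in cmds:
            findings.append(f"MEDIUM: {name} has 'exec-timeout 0 0'; idle sessions never disconnect")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} config: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  " + finding)
```

The weak config produces seven findings; the hardened config produces exactly one, the MEDIUM note that the console password is a type 7 value. That last finding is deliberate: the slides themselves say service password-encryption is much weaker than the MD5 hash of enable secret, so an auditor should still report type 7 strings even on a config that follows every recommendation.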

Page 22: LAN Switch Configuration (1/21)

The configurations discussed here apply only to switches, not routers. The LAN switch configurations covered here are:
• Switch IP Configuration
• Interface Configuration
• Port Security
• VLAN Configuration
• Securing Unused Interfaces

Page 23: LAN Switch Configuration (2/21)

Switch IP Configuration

To allow Telnet, SSH, Simple Network Management Protocol (SNMP) & Cisco Device Manager (CDM) to work properly, the switch needs an IP address. Switches don't need an IP address to forward Ethernet frames.

You can configure a switch with its IP address/mask/gateway, or the switch can learn these dynamically using DHCP.

An IOS-based switch uses a special virtual interface called the VLAN 1 interface to configure the IP address & mask. This interface plays the same role as an Ethernet interface on a PC.

Page 24: LAN Switch Configuration (3/21)

Example shows the static IP address configuration.

Example annotations:
• Enter VLAN 1 configuration mode
• Assign the IP address & mask using an interface subcommand
• Enable the VLAN 1 interface using the no shutdown subcommand
• Using a global config command, add the default gateway
• Syslog messages

Page 25: LAN Switch Configuration (4/21)

To administratively disable an interface, use the shutdown interface subcommand. You can verify this by using show running-config.

Page 26: LAN Switch Configuration (5/21)

To configure the switch as a DHCP client, use the following steps. To verify it, we can't use the show running-config command; instead we have to use the show dhcp lease command.

Example annotations:
• Enter VLAN 1 configuration mode
• Instead of assigning an IP address & mask, use the dhcp command
• No need to define the default gateway

Page 27: LAN Switch Configuration (6/21)

If you forget to issue the no shutdown command, the VLAN 1 interface remains in its default shutdown state. You can use the show interfaces vlan1 command to check the state and the IP address assigned by DHCP.

Interface Configuration

Interface refers to the physical ports used to forward data to and from other devices. Interfaces are named with the convention:

Media-type slot#/port#

where media type is Ethernet, FastEthernet, GigabitEthernet, Serial, Token-ring, or another media type.

Page 28: LAN Switch Configuration (7/21)

Slot numbers are only applicable for routers that provide slots into which you can install modules (these are called modular routers). The port number refers to the port within the module.

For example, fastethernet 0/0 means module 0 / port 0.

The figure shows the slot numbering and interface ports.

Page 29: LAN Switch Configuration (8/21)

IOS uses interface subcommands to configure several settings for each interface. Example shows the interface subcommands duplex, speed and description.

Example annotations:
• Enter interface sub-configuration mode for port 1
• Specify the duplex mode of operation for this interface
• Specify the speed for this interface
• Description of what the interface does
• The interface range command allows specification of a range of interfaces to which subsequent commands are applied

Page 30: LAN Switch Configuration (9/21)

If the duplex & speed commands are not configured, an interface uses auto-negotiation (shown as a-full & a-100). You can verify this using show running-config or show interfaces status.

Page 31: LAN Switch Configuration (10/21)

Port Security

An engineer can use port security to restrict an interface so that only the expected devices can use it. When an inappropriate device attempts to send frames to the switch interface, the switch can issue informational messages and discard the frames.

Port security is disabled by default. The example on the next slide shows the port security configuration.

Page 32: LAN Switch Configuration (11/21)

Example annotations:
• Enter interface sub-configuration mode for port number 2
• Make the interface an access port
• There are two types of port, i.e. access & trunk
• Access ports are what you would typically plug a server, PC/laptop, printer, etc. into. A device plugged into this port will only be able to communicate with other devices that are in the same VLAN
• Trunk ports are what you would typically plug a router into for inter-VLAN routing, or another switch in order to "share" VLANs between switches

Page 33: LAN Switch Configuration (12/21)

Example annotations:
• Determine the MAC address of the required interface; the do command allows privileged EXEC commands to be run from config mode
• Specify the MAC address(es) allowed to send frames into this interface; use this command multiple times to define more than one address
• Alternately, use the switchport port-security mac-address sticky command to learn & configure the MAC addresses from the first frames sent to the switch

Page 34: LAN Switch Configuration (13/21)

Example annotations:
• Specify the maximum number of allowed MAC addresses to be associated with this interface
• Enable port security on the interface; the opposite is no switchport port-security
• Define the action when a frame is received from a MAC address other than the defined address; shutdown means shut down the port if there is a security violation
• Make the changes permanent
• Verify the previous commands

Page 35: LAN Switch Configuration (14/21)

Change the ports for the PCs as shown & check the port status again.

Example annotations:
• The port status is secure-up
• The port status has changed to secure-shutdown, which means the interface has been disabled. The violation occurs because PC1 has a different MAC address than PC0; the security violation count also shows 1
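To make the behaviour on the last five slides concrete, here is an added model of a port-secured interface (teaching code written for this transcript, not Cisco code and not from the slides). It reproduces what the slides show: a maximum number of allowed MAC addresses, static or sticky learning, and the shutdown violation action that moves the port from secure-up to secure-shutdown and raises the violation count to 1 when PC1 is plugged into the port that learned PC0. The protect and restrict violation modes are not on the slides; they are included as the two other actions IOS offers, and the two MAC addresses are constructed samples.

```python
"""Model of the port-security behaviour shown on the port security slides.

Added teaching example (not Cisco code, not from the original slides).
It mimics the observable behaviour the slides describe: a maximum count
of allowed MAC addresses, static or sticky learning, and the shutdown
violation action. MAC addresses below are constructed samples.
"""


class SecurePort:
    """One switch interface with port security enabled."""

    def __init__(self, maximum=1, sticky=False, violation="shutdown", allowed=()):
        self.maximum = maximum                        # switchport port-security maximum N
        self.sticky = sticky                          # switchport port-security mac-address sticky
        self.violation = violation                    # violation {protect|restrict|shutdown}
        self.allowed = {m.lower() for m in allowed}   # static mac-address entries
        self.status = "secure-up"
        self.violation_count = 0
        self.last_source = None

    def receive(self, src_mac):
        """Process one inbound frame; return True if forwarded, False if dropped."""
        mac = src_mac.lower()
        self.last_source = mac
        if self.status == "secure-shutdown":
            return False                 # a shut-down port drops everything
        if mac in self.allowed:
            return True
        if self.sticky and len(self.allowed) < self.maximum:
            self.allowed.add(mac)        # learned address becomes a configured one
            return True
        # Unknown source and no room left: a security violation.
        if self.violation == "protect":
            return False                 # dropped silently, no counter
        self.violation_count += 1        # restrict and shutdown both count it
        if self.violation == "shutdown":
            self.status = "secure-shutdown"
        return False

    def reset(self):
        """Model of the admin doing 'shutdown' then 'no shutdown' to recover."""
        self.status = "secure-up"

    def show(self):
        """Roughly the fields 'show port-security interface' summarises."""
        return {
            "status": self.status,
            "violation_mode": self.violation,
            "maximum": self.maximum,
            "configured": len(self.allowed),
            "violation_count": self.violation_count,
            "last_source": self.last_source,
        }


PC0 = "0001.4200.0a01"   # constructed sample MAC
PC1 = "0001.4200.0b02"   # constructed sample MAC


def swap_pc_scenario(violation="shutdown"):
    """Replay the slide: PC0 learned via sticky, then PC1 plugged into the same port."""
    port = SecurePort(maximum=1, sticky=True, violation=violation)
    port.receive(PC0)       # first frame: PC0 learned and allowed
    port.receive(PC0)       # still fine
    port.receive(PC1)       # different MAC on the port: violation
    return port.show()


if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        print(mode, swap_pc_scenario(mode))
```

Running the scenario with the three modes shows the trade-off a defender chooses with the violation keyword: shutdown gives the clearest signal (the port goes down and stays down until an administrator intervenes), restrict keeps the port up but still counts the event so it can be alerted on, and protect drops the frames without leaving any counter behind.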

Page 36: LAN Switch Configuration (15/21)

VLAN Configuration

Interfaces are considered to be either access interfaces or trunk interfaces. Access interfaces send & receive traffic only in a single VLAN, called the access VLAN. Trunking interfaces send & receive traffic in multiple VLANs.

VLAN trunking is covered in the ICND2 exam course; here we will discuss the access VLAN.

By default, Cisco switches already have VLAN 1 configured, and all interfaces are assigned to VLAN 1 by default.

Page 37: LAN Switch Configuration (16/21)

To add another VLAN & assign access interfaces, consider the following example. Design the network topology as shown (VLANs fin_vlan and VLAN 1).

Check the summary of the VLAN information: it shows the default five un-deletable VLANs, with all interfaces assigned to VLAN 1.

Page 38: LAN Switch Configuration (17/21)

Example annotations:
• The vlan command defines a VLAN with the unique id 2 and puts the switch into VLAN configuration mode
• Name this VLAN fin_vlan
• Exit from VLAN configuration mode
• Select multiple interfaces to execute commands on them at the same time
• Set the VLAN for the interfaces; access means that the interfaces are already in access mode
• Verify the setting by using the show command

Page 39: LAN Switch Configuration (18/21)

Check the summary of the VLAN information: it now shows the entry for our new VLAN, with two interfaces assigned to it.

Page 40: LAN Switch Configuration (19/21)

Securing Unused Interfaces

By default an interface is configured in the no shutdown state, with speed & duplex set to auto-negotiate.

By default all interfaces are assigned to VLAN 1, and each interface by default uses VLAN features like VLAN trunking & VLAN Trunking Protocol (VTP), which are covered in ICND2.

These default configurations make switches vulnerable to security threats.

Page 41: LAN Switch Configuration (20/21)

The following commands show how to override the default settings and make the unused ports more secure.

Example annotations:
• Enter port configuration mode
• Disable the interfaces
• Change the mode to access ports, to avoid VLAN trunking & VTP
• Assign the ports to a VLAN, usually a VLAN which is not used

Page 42: LAN Switch Configuration (21/21)

Verify the configuration by using the show command.
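The three slides on securing unused interfaces leave one practical question open: how to find the unused ports on a switch with many of them. The added example below (written for this transcript, not Cisco code and not from the slides) parses the show interfaces status output mentioned on the interface configuration slide, lists the ports that are notconnect, and generates the three interface subcommands from the slides for each of them; it also flags connected access ports still sitting on the default VLAN 1, since the VLAN slides say every port lands there by default. The show output is a constructed sample, the port names and description are made up, and VLAN 999 is an assumed "parking" VLAN chosen because nothing else uses it.

```python
"""Find unused ports in 'show interfaces status' output and emit the
hardening commands from the slides (shutdown, access mode, unused VLAN).

Added teaching example, not Cisco code and not from the original slides.
The output below is a constructed sample; VLAN 999 is an assumed
'parking' VLAN, chosen because nothing else uses it.
"""

# Constructed sample of 'show interfaces status' (Catalyst-style fixed-width columns).
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        connected    1          a-full  a-100 10/100BaseTX
Fa0/2                        connected    2          a-full  a-100 10/100BaseTX
Fa0/3                        notconnect   1            auto   auto 10/100BaseTX
Fa0/4     uplink-to-R1       connected    trunk      a-full  a-100 10/100BaseTX
Fa0/5                        notconnect   1            auto   auto 10/100BaseTX
Gi0/1                        notconnect   1            auto   auto 10/100/1000BaseTX
"""

COLUMNS = ["Port", "Name", "Status", "Vlan", "Duplex", "Speed", "Type"]


def parse_interfaces_status(output):
    """Parse the fixed-width table into a list of dicts keyed by column name.

    Column boundaries come from the header line, so a blank Name field
    does not shift the remaining columns (splitting on whitespace would).
    """
    lines = [line for line in output.splitlines() if line.strip()]
    header = lines[0]
    starts = [header.index(col) for col in COLUMNS] + [None]
    rows = []
    for line in lines[1:]:
        rows.append({col: line[starts[i]:starts[i + 1]].strip()
                     for i, col in enumerate(COLUMNS)})
    return rows


def unused_ports(rows):
    """Ports with nothing plugged in: the candidates for securing."""
    return [r["Port"] for r in rows if r["Status"] == "notconnect"]


def default_vlan_ports(rows):
    """In-use access ports still on the default VLAN 1 (worth a second look)."""
    return [r["Port"] for r in rows
            if r["Status"] == "connected" and r["Vlan"] == "1"]


def hardening_commands(ports, parking_vlan=999):
    """The three interface subcommands from the slides, repeated per port."""
    cmds = []
    for port in ports:
        cmds += [f"interface {port}",
                 " shutdown",
                 " switchport mode access",
                 f" switchport access vlan {parking_vlan}"]
    return cmds


if __name__ == "__main__":
    rows = parse_interfaces_status(SAMPLE_STATUS)
    print("unused:", unused_ports(rows))
    print("still on VLAN 1:", default_vlan_ports(rows))
    print("\n".join(hardening_commands(unused_ports(rows))))
```

A notconnect port is only a candidate: a port that happens to be empty during a maintenance window may belong to a laptop dock or a printer, so the generated commands are meant to be reviewed against the port descriptions before they are pasted into the switch. After applying them, the slides' own verification step (show running-config or show interfaces status) should show the ports as disabled and in the parking VLAN.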