08 - Ethernet Switch Configuration
By Muhammad Asghar Khan
Reference: CCENT/CCNA ICND1 Official Exam Certification Guide By Wendell Odom
www.asghars.blogspot.com
Agenda
• Configure Topology in Packet Tracer
• Configuration Features Common in Routers & Switches
  • Securing the CLI: simple password security for console and Telnet access; usernames and SSH; password encryption; enable mode passwords
  • Customizing the CLI connection: banners; history buffer; syslog messages; inactivity timeout
• LAN Switch Configuration: switch IP configuration; interface configuration; port security; VLAN configuration; securing unused interfaces
Configure Topology in Packet Tracer
Configure the practice topology as shown in the figure (PC0 and PC1 attached to the switch).
Add two PDUs (Packet Tracer test packets): one with PC0 as source and PC1 as destination, and one with PC1 as source and PC0 as destination.
Configuration Features Common in Routers & Switches

Securing the CLI
Securing the CLI of a switch or router involves the following steps:
• configuring a password for enable mode
• configuring a password for console access
• configuring a password for Telnet access
• configuring usernames and SSH
• password encryption
• enable mode passwords
Configuring a Password for Enable Mode
By default the enable command lets console users enter enable (privileged EXEC) mode without a password. To protect enable mode, use the enable secret global configuration command.

Configuring a Password for Console Access
The example walks through these steps:
• move from user EXEC mode to enable mode (enable)
• move from enable mode to global configuration mode (configure terminal)
• set the enable-mode password ("pwd" in the example) with enable secret
• move to line configuration mode (a sub-configuration mode) for the console and set the console password ("pwd" in the example) with the password line subcommand
• tell the switch to prompt for that password (authenticate the user) with the login line subcommand
Configuring a Password for Telnet Access
• move to line configuration mode for the virtual terminal (vty) lines
• set the Telnet password ("cis" in the example) with the password line subcommand
• prompt for the password (authenticate the user) with login
You can verify the previous configuration with show running-config.
Configuring Usernames & SSH
SSH is the preferred method for remote login to switches and routers. Telnet sends all data, including passwords, in clear text, while SSH encrypts the data sent between the SSH client and the SSH server.
SSH can use one of two user authentication methods:
• a username and password configured locally on the switch
• a username and password configured on an external Authentication, Authorization & Accounting (AAA) server
Here we use the local configuration on the switch.
The SSH configuration in the example proceeds in these steps:
• Step 1: configure a hostname and a domain name; both are required before the encryption keys can be generated
• Step 2: generate the RSA public/private key pair (crypto key generate rsa); SSH uses it to protect the shared session encryption key negotiated with each client
• Step 3: set the maximum idle timer for SSH logins
• Step 4: set the maximum number of failed authentication attempts
• Step 5: add a username and password to the local database
• Step 6: move to the vty lines
• Step 7: use local authentication (login local) so that the username and password are checked against the local database
• Step 8: finally tell the switch to accept both Telnet and SSH on the vty lines (transport input telnet ssh). Once SSH has been verified, change this to transport input ssh so that the clear-text Telnet path is closed.
Display the RSA key pair information with show crypto key mypubkey rsa.
Password Encryption
The password and username commands store the password in clear text in the running-config; only the enable secret command hides its value. To avoid exposing passwords in a printed or saved copy of the configuration file, encrypt them with the service password-encryption global configuration command.
If service password-encryption is later removed (no service password-encryption), the passwords already in the configuration remain encrypted until they are changed, at which point the new value shows up in clear text.
Caveat: the type 7 encoding produced by service password-encryption is a reversible obfuscation, not real encryption. Anyone who obtains a copy of the configuration can recover the passwords instantly with freely available tools, so treat it as protection against shoulder-surfing only and use enable secret and username ... secret for credentials that matter.
The example shows the password encryption process:
• list the running configuration, beginning with the first line that contains the text "line vty" (show running-config | begin line vty)
• encrypt the passwords with service password-encryption
• the passwords now appear as password 7 <encoded value>; the 7 identifies the type of encoding used
• remove the password encryption service with no service password-encryption
• the passwords are still encrypted
• change the password for the vty lines; the new value appears in clear text because the service is no longer running
Enable Mode Passwords
The enable secret command stores an MD5 hash of the password (shown as enable secret 5 <hash> in the configuration) rather than the password itself. The MD5 hash is much stronger than the type 7 encoding used by service password-encryption. If both enable password and enable secret are configured, the value set with enable secret is the one that must be entered.
Caveat: unsalted-style MD5 (type 5) is fast to brute-force with modern hardware; current IOS releases also offer enable algorithm-type scrypt secret (type 9), which should be preferred where the platform supports it.
The example shows the enable secret and its hashing:
• use enable secret rather than enable password
• the running configuration shows the MD5 hash value (type 5) in place of the password
• delete the enable secret password with no enable secret
• password encryption is removed with no service password-encryption
Customizing the CLI Connection
The following configuration settings affect the behavior of the CLI connection from the console and from the vty (Telnet and SSH) lines:
• banners
• history buffer
• syslog messages
• inactivity timeout
Banners
A banner is simply some text that appears on the screen for the user. Cisco routers and switches can display a variety of banners; the three most popular are:
• Message of the Day (MOTD): shown before the login prompt; used for temporary messages
• Login: shown after the MOTD but before the login prompt; used for permanent messages
• Exec: shown after the user has logged in; used to supply information that should be hidden from unauthorized users
Each banner is set with the banner global command (banner motd, banner login, banner exec). The first character after the keyword is the delimiter that marks the beginning and end of the banner text; the example uses q as the delimiter. Because the MOTD and login banners are displayed before authentication, keep hostnames, model numbers and other details useful to an attacker out of them.
History Buffer
The last several commands entered are saved in the history buffer. The commands related to the history buffer are:
• show history: list the commands currently held in the buffer
• history size (line subcommand): from line configuration mode, set the default buffer size for the user(s) of the console or vty lines
• terminal history size (EXEC command): from EXEC mode, a user can set the buffer size for his or her single connection
Configuring Syslog Messages
The switch or router puts syslog messages on the console screen at any time, including right in the middle of a command you are typing. To make using the console a little easier, you can tell the switch to display syslog messages only at convenient times (after the current command line is complete): configure the logging synchronous line subcommand on the console line.
Configuring Inactivity Timeout
By default the switch or router automatically disconnects an idle console or vty session after 10 minutes of inactivity (the IOS default exec-timeout is 10 minutes 0 seconds). To set a different inactivity timer, use the exec-timeout minutes [seconds] line subcommand.
If the timeout is set to 0 minutes and 0 seconds, the device never times out the connection. That is convenient in a lab but leaves an unattended session open indefinitely, so do not use exec-timeout 0 0 on production devices.
LAN Switch Configuration
The configurations discussed here apply only to switches, not to routers. The LAN switch configurations covered are:
• switch IP configuration
• interface configuration
• port security
• VLAN configuration
• securing unused interfaces
Switch IP Configuration
For Telnet, SSH, Simple Network Management Protocol (SNMP) and Cisco Device Manager (CDM) to work, the switch needs an IP address. Switches do not need an IP address to forward Ethernet frames; the address exists only for management.
You can configure the switch with a static IP address, mask and default gateway, or the switch can learn them dynamically using DHCP.
An IOS-based switch assigns the IP address and mask to a special virtual interface, the VLAN 1 interface, which plays the same role as the Ethernet interface on a PC. (The lab uses VLAN 1 because it has a single VLAN; in production, management belongs on a dedicated VLAN rather than the default VLAN that carries user traffic.)
The example shows the static IP address configuration:
• enter VLAN 1 interface configuration mode (interface vlan 1)
• assign the IP address and mask with the ip address interface subcommand
• enable the VLAN 1 interface with the no shutdown subcommand
• add the default gateway with the ip default-gateway global configuration command
The syslog messages that follow in the screenshot report the VLAN 1 interface and its line protocol coming up.
To administratively disable an interface, use the shutdown interface subcommand. You can verify this with show running-config.
To configure the switch as a DHCP client, use the following steps:
• enter VLAN 1 interface configuration mode
• instead of assigning an IP address and mask, use the ip address dhcp subcommand
• there is no need to define the default gateway; the switch learns it from DHCP
To verify the result, show running-config is not enough (it only shows the ip address dhcp command, not the leased address); use the show dhcp lease command instead.
If you forget to issue the no shutdown command, the VLAN 1 interface remains in its default shutdown state. You can use the show interfaces vlan 1 command to check the state of the interface and the IP address assigned by DHCP.
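The static and the DHCP variants of the management-address configuration, with the verification commands the text names. This is an added example reconstructed from the steps above, not the slides' screenshots; the switch address 192.168.1.2/24 and the gateway 192.168.1.1 are assumptions.

```cisco
! Added example: management IP address on the VLAN 1 SVI. Addresses are
! assumptions (switch 192.168.1.2/24, default gateway 192.168.1.1).
!
! --- Static configuration ---
SW1# configure terminal
SW1(config)# interface vlan 1
SW1(config-if)# ip address 192.168.1.2 255.255.255.0
! The SVI is shut down by default; without this line the switch stays unreachable
SW1(config-if)# no shutdown
SW1(config-if)# exit
! On a Layer 2 switch the gateway is a global command, not a static route
SW1(config)# ip default-gateway 192.168.1.1
SW1(config)# end
! Verify: interface state and address, the configured lines, and reachability
SW1# show interfaces vlan 1
SW1# show running-config interface vlan 1
SW1# ping 192.168.1.1
!
! --- DHCP client alternative (replaces the static lines above) ---
SW1# configure terminal
SW1(config)# interface vlan 1
SW1(config-if)# ip address dhcp
SW1(config-if)# no shutdown
SW1(config-if)# end
! The lease (address, mask, gateway, lease time) is not in running-config; check it here
SW1# show dhcp lease
SW1# show interfaces vlan 1
```

If show interfaces vlan 1 reports "administratively down", the no shutdown step was skipped; if it is up but show dhcp lease is empty, the DHCP server is not reachable through the switch's access ports.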
Interface Configuration
An interface is a physical port used to forward data to and from other devices. Interfaces are named with the convention media-type slot#/port#, where the media type is Ethernet, FastEthernet, GigabitEthernet, Serial, Token Ring, or another media type.
Slot numbers apply to devices that provide slots into which modules can be installed (modular routers); the port number identifies the port within the module. For example, fastethernet 0/0 means module 0, port 0. On a fixed-configuration switch such as the 2960 the slot number is always 0, so the ports are fastethernet 0/1, 0/2 and so on.
The figure shows the slot numbering and the interface ports.
IOS uses interface subcommands to configure several settings for each interface. The example shows the duplex, speed and description interface subcommands:
• enter interface configuration mode for port 1
• duplex: specify the duplex mode of operation for this interface
• speed: specify the speed of this interface
• description: describe what the interface is used for
• interface range: specify a range of interfaces to which the subsequent subcommands are applied
If the duplex and speed commands are not configured, an interface uses auto-negotiation (shown as a-full and a-100 in show interfaces status). You can verify the settings with show running-config or show interfaces status.
Port Security
An engineer can use port security to restrict an interface so that only the expected devices can use it. When an inappropriate device attempts to send frames into the switch interface, the switch can issue informational messages, discard the frames, or shut the interface down.
Port security is disabled by default. The example on the next slide shows a port security configuration.
• enter interface configuration mode for port number 2
• make the interface an access port (switchport mode access). There are two types of port, access and trunk. Access ports are what you typically plug a server, PC, laptop or printer into; a device plugged into an access port can only communicate with other devices in the same VLAN. Trunk ports are what you typically plug a router into for inter-VLAN routing, or another switch in order to "share" VLANs between switches
• determine the MAC address of the required PC's interface; the do command lets you run privileged EXEC commands (for example do show mac address-table) from configuration mode
• specify the MAC address(es) allowed to send frames into this interface (switchport port-security mac-address); repeat the command to define more than one address. Alternatively, use the switchport port-security mac-address sticky command to learn the MAC addresses from the first frames sent into the port and write them into the configuration
• specify the maximum number of MAC addresses allowed to be associated with this interface (switchport port-security maximum)
• enable port security on the interface (switchport port-security; the opposite is no switchport port-security)
• define the action taken when a frame is received from a MAC address other than the defined ones (switchport port-security violation); shutdown means the port is shut down (placed in err-disabled state) on a security violation
• make the changes permanent (copy running-config startup-config)
• verify the previous commands (show port-security interface)
Change the ports the PCs are connected to as shown and check the port status again.
Before the change the port status is secure-up. After PC1 is connected to the secured port, the status changes to secure-shutdown, meaning the interface has been disabled: a violation occurred because PC1's MAC address differs from PC0's, and the security violation count shows 1.
To recover a port disabled by a violation, correct the cabling (or the allowed address) and then issue shutdown followed by no shutdown on the interface; errdisable recovery cause psecure-violation makes the switch re-enable such ports automatically after a timer.
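The port security configuration for the PC0 port, followed by the recovery steps after a violation. This is an added example that follows the slides' steps; it is not their screenshot. The port Fa0/2, the MAC address 0001.9632.5a4b and the limit of one address are assumptions; take the real address from show mac address-table.

```cisco
! Added example: port security on Fa0/2, the port PC0 is expected on.
! Port number and MAC address are assumptions for this example.
SW1# configure terminal
SW1(config)# interface fastethernet 0/2
! Port security needs a static (non-dynamic) port mode: force access mode first
SW1(config-if)# switchport mode access
! Look up the attached PC's MAC address from configuration mode with 'do'
SW1(config-if)# do show mac address-table interface fastethernet 0/2
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security maximum 1
! Option A: explicit allowed address (repeat for each extra address, up to 'maximum')
SW1(config-if)# switchport port-security mac-address 0001.9632.5a4b
! Option B (instead of A): learn the first address seen and write it into running-config
! SW1(config-if)# switchport port-security mac-address sticky
! shutdown (the default) err-disables the port; 'restrict' drops the frames and logs
! them, 'protect' drops them silently. Use shutdown when an alert is wanted, restrict
! when a mistaken cable move must not take the port down.
SW1(config-if)# switchport port-security violation shutdown
SW1(config-if)# end
SW1# copy running-config startup-config
! Verification: Port Status should read Secure-up with a violation count of 0
SW1# show port-security interface fastethernet 0/2
SW1# show port-security address
!
! After a violation the status reads Secure-shutdown and the port is err-disabled.
! Recovery: fix the cabling or the allowed address, then bounce the interface
SW1# configure terminal
SW1(config)# interface fastethernet 0/2
SW1(config-if)# shutdown
SW1(config-if)# no shutdown
SW1(config-if)# exit
! Optional: re-enable err-disabled ports automatically after the errdisable timer
SW1(config)# errdisable recovery cause psecure-violation
SW1(config)# end
SW1# show errdisable recovery
```

Repeat the slide's test by moving PC1 onto Fa0/2: the violation counter increments, the port goes to Secure-shutdown, and the recovery steps at the end bring it back once PC0 is reconnected.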
VLAN Configuration
Interfaces are either access interfaces or trunk interfaces. Access interfaces send and receive traffic in only a single VLAN, called the access VLAN; trunking interfaces send and receive traffic in multiple VLANs. VLAN trunking is covered in the ICND2 course; here we discuss the access VLAN.
By default, Cisco switches already have VLAN 1 configured, and all interfaces are assigned to VLAN 1.
To add another VLAN and assign access interfaces to it, consider the following example. Design the network topology as shown (figure: PCs on the switch in VLAN 1 and Fin_vlan).
Check the summary of the VLAN information (show vlan brief): it shows the five default VLANs that cannot be deleted (1 and 1002 to 1005), with all interfaces assigned to VLAN 1.
• the vlan command defines a VLAN with the unique ID 2 and puts the switch into VLAN configuration mode
• name this VLAN fin_vlan with the name subcommand
• exit from VLAN configuration mode
• select multiple interfaces with interface range so that the following commands are executed on all of them at the same time
• set the access VLAN for the interfaces (switchport access vlan 2); the access keyword refers to the VLAN used when the interfaces operate in access mode
• verify the setting with the show command
Check the summary of the VLAN information again: it now shows the entry for the newly created VLAN, with two interfaces assigned to it.
Securing Unused Interfaces
By default an interface is in the no shutdown state, with speed and duplex set to auto-negotiate. All interfaces are assigned to VLAN 1, and each interface by default takes part in VLAN features such as trunk negotiation and VLAN Trunking Protocol (VTP), which are covered in ICND2.
These defaults leave the switch vulnerable: anyone who plugs into an unused port gets a live link in the default VLAN and can attempt to negotiate a trunk that carries every VLAN.
The following commands show how to override the default settings and make unused ports more secure:
• enter configuration mode for the ports (interface range)
• disable the interfaces (shutdown)
• change them to access ports (switchport mode access) to prevent VLAN trunking and trunk negotiation
• assign the ports to a VLAN, usually one that is not otherwise used (switchport access vlan)
Verify the configuration with show vlan brief and show interfaces status.
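One configuration session that serves both the VLAN configuration slides (create fin_vlan and assign access ports) and the securing-unused-interfaces slides (park the remaining ports in an unused VLAN, shut down). This is an added example, not the slides' screenshots; the 24-port layout, VLAN 999 with the name unused_parking, and the port ranges Fa0/3-4 (finance PCs) and Fa0/5-24 (unused) are assumptions.

```cisco
! Added example serving both the VLAN configuration and the unused-port hardening
! slides. VLAN IDs, names and port ranges are assumptions for a 24-port switch.
SW1# configure terminal
! Create VLAN 2 (fin_vlan) and a parking VLAN that carries no traffic
SW1(config)# vlan 2
SW1(config-vlan)# name fin_vlan
SW1(config-vlan)# exit
SW1(config)# vlan 999
SW1(config-vlan)# name unused_parking
SW1(config-vlan)# exit
! Finance PCs on Fa0/3-Fa0/4: access ports in VLAN 2
SW1(config)# interface range fastethernet 0/3 - 4
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport access vlan 2
SW1(config-if-range)# exit
! Unused ports Fa0/5-Fa0/24: forced to access mode, DTP frames suppressed,
! parked in the unused VLAN, and administratively shut down
SW1(config)# interface range fastethernet 0/5 - 24
SW1(config-if-range)# switchport mode access
SW1(config-if-range)# switchport nonegotiate
SW1(config-if-range)# switchport access vlan 999
SW1(config-if-range)# shutdown
SW1(config-if-range)# end
! Verification: VLAN membership, 'disabled' status for Fa0/5-24, and trunking state
SW1# show vlan brief
SW1# show interfaces status
SW1# show interfaces fastethernet 0/5 switchport
SW1# copy running-config startup-config
```

When a parked port is later needed, reverse the steps for that port only (no shutdown and switchport access vlan with the right VLAN); leave the access-mode and nonegotiate settings in place.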