CCENT/CCNA ICND1 Official Exam Certification Guide - Chapter 9 pps

Pages: 36
Size: 1.98 MB

Nội dung

CHAPTER 9

Ethernet Switch Configuration

Chapter 3, “Fundamentals of LANs,” and Chapter 7, “Ethernet LAN Switching Concepts,” have already explained the most common Ethernet LAN concepts. Those chapters explained how Ethernet cabling and switches work, including the concepts of how switches forward Ethernet frames based on the frames’ destination MAC addresses.

Cisco LAN switches perform their core functions without any configuration. You can buy a Cisco switch, plug in the right cables to connect various devices to the switch, plug in the power cable, and the switch works. However, in most networks, the network engineer needs to configure and troubleshoot various switch features. This chapter explains how to configure various switch features, and Chapter 10, “Ethernet Switch Troubleshooting,” explains how to troubleshoot problems on Cisco switches.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read the entire chapter. If you miss no more than one of these eight self-assessment questions, you might want to move ahead to the “Exam Preparation Tasks” section. Table 9-1 lists the major headings in this chapter and the “Do I Know This Already?” quiz questions covering the material in those sections. This helps you assess your knowledge of these specific areas. The answers to the “Do I Know This Already?” quiz appear in Appendix A.

Table 9-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

Foundation Topics Section                            Questions
Configuration of Features in Common with Routers     1–3
LAN Switch Configuration and Operation               4–8

1828xbook.fm Page 231 Thursday, July 26, 2007 3:10 PM

1. Imagine that you have configured the enable secret command, followed by the enable password command, from the console. You log out of the switch and log back in at the console. Which command defines the password that you had to enter to access privileged mode?
   a. enable password
   b. enable secret
   c. Neither
   d. The password command, if it’s configured

2. An engineer had formerly configured a Cisco 2960 switch to allow Telnet access so that the switch expected a password of mypassword from the Telnet user. The engineer then changed the configuration to support Secure Shell. Which of the following commands could have been part of the new configuration?
   a. A username name password password command in vty config mode
   b. A username name password password global configuration command
   c. A transport input ssh command in vty config mode
   d. A transport input ssh global configuration command

3. The following command was copied and pasted into configuration mode when a user was telnetted into a Cisco switch:
   banner login this is the login banner
   Which of the following are true about what occurs the next time a user logs in from the console?
   a. No banner text is displayed.
   b. The banner text “his is” is displayed.
   c. The banner text “this is the login banner” is displayed.
   d. The banner text “Login banner configured, no text defined” is displayed.

4. Which of the following is not required when configuring port security without sticky learning?
   a. Setting the maximum number of allowed MAC addresses on the interface with the switchport port-security maximum interface subcommand
   b. Enabling port security with the switchport port-security interface subcommand
   c. Defining the allowed MAC addresses using the switchport port-security mac-address interface subcommand
   d. All of the other answers list required commands

5. An engineer’s desktop PC connects to a switch at the main site. A router at the main site connects to each branch office via a serial link, with one small router and switch at each branch. Which of the following commands must be configured, in the listed configuration mode, to allow the engineer to telnet to the branch office switches?
   a. The ip address command in VLAN 1 configuration mode
   b. The ip address command in global configuration mode
   c. The ip default-gateway command in VLAN 1 configuration mode
   d. The ip default-gateway command in global configuration mode
   e. The password command in console line configuration mode
   f. The password command in vty line configuration mode

6. Which of the following describes a way to disable IEEE standard autonegotiation on a 10/100 port on a Cisco switch?
   a. Configure the negotiate disable interface subcommand
   b. Configure the no negotiate interface subcommand
   c. Configure the speed 100 interface subcommand
   d. Configure the duplex half interface subcommand
   e. Configure the duplex full interface subcommand
   f. Configure the speed 100 and duplex full interface subcommands

7. In which of the following modes of the CLI could you configure the duplex setting for interface fastethernet 0/5?
   a. User mode
   b. Enable mode
   c. Global configuration mode
   d. Setup mode
   e. Interface configuration mode

8. The show vlan brief command lists the following output:
   2    my-vlan    active    Fa0/13, Fa0/15
   Which of the following commands could have been used as part of the configuration for this switch?
   a. The vlan 2 global configuration command
   b. The name MY-VLAN vlan subcommand
   c. The interface range Fa0/13 - 15 global configuration command
   d. The switchport vlan 2 interface subcommand

Foundation Topics

Many Cisco Catalyst switches use the same Cisco IOS Software command-line interface (CLI) as Cisco routers.
In addition to having the same look and feel, the switches and routers sometimes support the exact same configuration and show commands. Additionally, as mentioned in Chapter 8, some of the same commands and processes shown for Cisco switches work the same way for Cisco routers.

This chapter explains a wide variety of configurable items on Cisco switches. Some topics are relatively important, such as the configuration of usernames and passwords so that any remote access to a switch is secure. Some topics are relatively unimportant, but useful, such as the ability to assign a text description to an interface for documentation purposes. However, this chapter does contain the majority of the switch configuration topics for this book, with the exception of Cisco Discovery Protocol (CDP) configuration commands in Chapter 10.

Configuration of Features in Common with Routers

This first of the two major sections of this chapter examines the configuration of several features that are configured the exact same way on both switches and routers. In particular, this section examines how to secure access to the CLI, plus various settings for the console.

Securing the Switch CLI

To reach a switch’s enable mode, a user must reach user mode either from the console or from a Telnet or SSH session, and then use the enable command. With default configuration settings, a user at the console does not need to supply a password to reach user mode or enable mode. The reason is that anyone with physical access to the switch or router console could reset the passwords in less than 5 minutes by using the password recovery procedures that Cisco publishes. So, routers and switches default to allow the console user access to enable mode.

NOTE To see the password recovery/reset procedures, go to Cisco.com and search on the phrase “password recovery.” The first listed item probably will be a web page with password recovery details for most every product made by Cisco.

To reach enable mode from a vty (Telnet or SSH), the switch must be configured with several items:
■ An IP address
■ Login security on the vty lines
■ An enable password

Most network engineers will want to be able to establish a Telnet or SSH connection to each switch, so it makes sense to configure the switches to allow secure access. Additionally, although someone with physical access to the switch can use the password recovery process to get access to the switch, it still makes sense to configure security even for access from the console. This section examines most of the configuration details related to accessing enable mode on a switch or router. The one key topic not covered here is the IP address configuration, which is covered later in this chapter in the section “Configuring the Switch IP Address.” In particular, this section covers the following topics:
■ Simple password security for the console and Telnet access
■ Secure Shell (SSH)
■ Password encryption
■ Enable mode passwords

Configuring Simple Password Security

An engineer can reach user mode in a Cisco switch or router from the console or via either Telnet or SSH. By default, switches and routers allow a console user to immediately access user mode after logging in, with no password required. With default settings, Telnet users are rejected when they try to access the switch, because a vty password has not yet been configured. Regardless of these defaults, it makes sense to password protect user mode for console, Telnet, and SSH users.

A user in user mode can gain access to enable mode by using the enable command, but with different defaults depending on whether the user is at the console or has logged in remotely using Telnet or SSH.
By default, the enable command allows console users into enable mode without requiring a password, but Telnet users are rejected without even a chance to supply a password. Regardless of these defaults, it makes sense to password protect enable mode using the enable secret global configuration command.

Example 9-1 shows a sample configuration process that sets the console password, the vty (Telnet) password, the enable secret password, and a hostname for the switch. The example shows the entire process, including command prompts, which provide some reminders of the different configuration modes explained in Chapter 8, “Operating Cisco LAN Switches.”

NOTE The later section “The Two Enable Mode Passwords” explains two options for configuring the password required by the enable command, as configured with the enable secret and enable password commands, and why the enable secret command is preferred.

Example 9-1 Configuring Basic Passwords and a Hostname

Switch>enable
Switch#configure terminal
Switch(config)#enable secret cisco
Switch(config)#hostname Emma
Emma(config)#line console 0
Emma(config-line)#password faith
Emma(config-line)#login
Emma(config-line)#exit
Emma(config)#line vty 0 15
Emma(config-line)#password love
Emma(config-line)#login
Emma(config-line)#exit
Emma(config)#exit
Emma#
! The next command lists the switch’s current configuration (running-config)
Emma#show running-config
!
Building configuration
Current configuration : 1333 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
!
hostname Emma
!
enable secret 5 $1$YXRN$11zOe1Lb0Lv/nHyTquobd.
!
spanning-tree mode pvst
spanning-tree extend system-id
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
! Several lines have been omitted here - in particular, lines for FastEthernet
! interfaces 0/3 through 0/23.
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 no ip route-cache
!
ip http server
ip http secure-server
!
control-plane
!
!
line con 0
 password faith
 login
line vty 0 4
 password love
 login
line vty 5 15
 password love
 login

Example 9-1 begins by showing the user moving from enable mode to configuration mode by using the configure terminal EXEC command. As soon as the user is in global configuration mode, he enters two global configuration commands (enable secret and hostname) that add configuration that applies to the whole switch. For instance, the hostname global configuration command simply sets the one and only name for this switch (in addition to changing the switch’s command prompt). The enable secret command sets the only password used to reach enable mode, so it is also a global command. However, the login command (which tells the switch to ask for a text password, but no username) and the password command (which defines the required password) are shown in both console and vty line configuration submodes. So, these commands are subcommands in these two different configuration modes. These subcommands define different console and vty passwords based on the configuration submodes in which the commands were used, as shown in the example.

Pressing the Ctrl-z key sequence from any part of configuration mode takes you all the way back to enable mode. However, the example shows how to repeatedly use the exit command to move back from a configuration submode to global configuration mode, with another exit command to exit back to enable mode. The end configuration mode command performs the same action as the Ctrl-z key sequence, moving the user from any part of configuration mode back to privileged EXEC mode.

The second half of Example 9-1 lists the output of the show running-config command. This command shows the currently used configuration in the switch, which includes the changes made earlier in the example. The output highlights in gray the configuration commands added due to the earlier configuration commands.

Configuring Usernames and Secure Shell (SSH)

Telnet sends all data, including all passwords entered by the user, as clear text. The Secure Shell (SSH) application provides the same function as Telnet, displaying a terminal emulator window and allowing the user to remotely connect to another host’s CLI. However, SSH encrypts the data sent between the SSH client and the SSH server, making SSH the preferred method for remote login to switches and routers today.
To add support for SSH login to a Cisco switch or router, the switch needs several configuration commands. For example, SSH requires that the user supply both a username and password instead of just a password. So, the switch must be reconfigured to use one of two user authentication methods that require both a username and password: one method with the usernames and passwords configured on the switch, and the other with the usernames and passwords configured on an external server called an Authentication, Authorization, and Accounting (AAA) server. (This book covers the configuration using locally configured usernames/passwords.) Figure 9-1 shows a diagram of the configuration and process required to support SSH.

NOTE The output of the show running-config command lists five vty lines (0 through 4) in a different location than the rest (5 through 15). In earlier IOS releases, Cisco IOS routers and switches had five vty lines, numbered 0 through 4, which allowed five concurrent Telnet connections to a switch or router. Later, Cisco added more vty lines (5 through 15), allowing 16 concurrent Telnet connections into each switch and router. That’s why the command output lists the two vty line ranges separately.

Figure 9-1 SSH Configuration Concepts
[Figure: an SSH client connecting to a Cisco switch. The switch configuration shown in the figure, keyed to steps 1 through 6 below: line vty 0 15 / login local / transport input telnet ssh / username wendell password hope / ip domain-name example.com / crypto key generate rsa (the switch generates a public key and a private key).]

The steps in the figure, explained with the matching numbered list that follows, detail the required transactions before an SSH user can connect to the switch using SSH:

Step 1 Change the vty lines to use usernames, with either locally configured usernames or an AAA server. In this case, the login local subcommand defines the use of local usernames, replacing the login subcommand in vty configuration mode.
Step 2 Tell the switch to accept both Telnet and SSH with the transport input telnet ssh vty subcommand. (The default is transport input telnet, omitting the ssh parameter.)
Step 3 Add one or more username name password pass-value global configuration commands to configure username/password pairs.
Step 4 Configure a DNS domain name with the ip domain-name name global configuration command.
Step 5 Configure the switch to generate a matched public and private key pair, as well as a shared encryption key, using the crypto key generate rsa global configuration command.
Step 6 Although no switch commands are required, each SSH client needs a copy of the switch’s public key before the client can connect.

NOTE This book contains several step lists that refer to specific configuration steps, such as the one shown here for SSH. You do not need to memorize the steps for the exams; however, the lists can be useful for study—in particular, to help you remember all the required steps to configure a certain feature.

[...]

Example 9-2 shows the same switch commands shown in Figure 9-1, entered in configuration mode.

Example 9-2 SSH Configuration Process

Emma#
Emma#configure [...]
[...]
%SSH-5-ENABLED: SSH 1.99 has been enabled
Emma(config)#^Z
! Next, the contents of the public key are listed; the key will be needed by the SSH client
Emma#show crypto key mypubkey rsa
% Key pair was generated at: 00:03:58 UTC Mar 1 1993
Key name: Emma.example.com
Usage: General Purpose Key
Key is not exportable
Key Data:
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00DB43DC
49C258FA 8E0B8EB2 0A6C8888 A00D29CE EAEE615B 456B68FD 491A9B63 B39A4334
86F64E02 1B320256 01941831 7B7304A2 720A57DA FBB3E75A 94517901 7764C332
A3A482B1 DB4F154E A84773B5 5337CE8C B1F5E832 8213EE6B 73B77006 BA8782DE
180966D9 9A6476D7 C9164ECE 1DC752BB 955F5BDE F82BFCB2 A273C58C 8B020301
0001
% Key pair was generated at: 00:04:01 UTC Mar 1 1993
Key name: Emma.example.com.server
Usage: Encryption [...]
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00AC339C D4916728
6ACB627E A5EE26A5 00946AF9 E63FF322 A2DB4994 9E37BFDA AB1C503E AAF69FB3
2A22A5F3 0AA94454 B8242D72 A8582E7B 0642CF2B C06E0710 B0A06048 D90CBE9E
F0B88179 EC1C5EAC D551109D 69E39160 86C50122 9A37E954 85020301 0001

The example [...]

[...]

[...] address ip-address mask interface subcommand
Step 3 Enable the VLAN 1 interface using the no shutdown interface subcommand
Step 4 Add the ip default-gateway ip-address global command to configure the default gateway

Example 9-7 shows a sample configuration.

Example 9-7 Switch Static IP Address Configuration

Emma#configure terminal
Emma(config)#interface vlan 1
Emma(config-if)#ip address 192.168.1.200 [...]

[...]

[...] address dhcp command, instead of the ip address ip-address mask command, on the VLAN 1 interface
Step 4: Do not configure the ip default-gateway global command

Example 9-8 shows an example of configuring a switch to use DHCP to acquire an IP address.

Example 9-8 Switch Dynamic IP Address Configuration with [...]
[...]
DHCP Lease server: 192.168.1.1, state: 3 Bound
DHCP transaction id: 1966
Lease: 86400 secs, Renewal: 43200 secs, Rebind: 75600 secs
Temp default-gateway addr: 192.168.1.1
Next timer fires after: 11:59:45
Retry count: 0
Client-ID: cisco-0019.e86a.6fc0-Vl1
Hostname: Emma
Emma#show interface vlan 1
Vlan1 is up, line protocol is up
Hardware is EtherSVI, address is 0019.e86a.6fc0 (bia 0019.e86a.6fc0)
Internet [...]

[...]

[...] default). Example 9-9 shows how to configure duplex and speed, as well as the description command, which is simply a text description of what an interface does.

Example 9-9 Interface Configuration Basics

Emma#configure terminal
Enter configuration commands, one per line End with CNTL/Z
Emma(config)#interface FastEthernet 0/1
Emma(config-if)#duplex full
Emma(config-if)#speed 100
Emma(config-if)#description [...]
[...]
Fa0/4   connected    1   a-full   a-100   10/100BaseTX
Fa0/5   notconnect   1   auto     auto    10/100BaseTX
Fa0/6   connected    1   a-full   a-100   10/100BaseTX
Fa0/7   notconnect   1   auto     auto    10/100BaseTX
Fa0/8   notconnect   1   auto     auto    10/100BaseTX
Fa0/9   notconnect   1   auto     auto    10/100BaseTX
Fa0/10  [...]

[...]

[...] learning

Figure 9-2 Port Security Configuration Example
[Figure: four switch ports and the devices attached to them: Fa0/1 Server 1 (0200.1111.1111), Fa0/2 Server 2 (0200.2222.2222), Fa0/3 Company Comptroller, Fa0/4 User1.]

Example 9-10 Using Port Security to Define Correct MAC Addresses of Particular Interfaces

fred#show running-config
(Lines omitted for brevity)
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address [...]

[...]

Key Topic Element   Description                                                                            Page Number
Example 9-1         Example showing basic password configuration                                           237-238
Figure 9-1          Five-step SSH configuration process example                                            240
List                Five-step list for SSH configuration                                                   240
List                Key points about enable secret and enable password                                     244
Table 9-3           List of commands related to the command history buffer                                 247
List                Configuration checklist for a switch’s IP address and default gateway configuration   249
List                Port [...]
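The chapter's two access-hardening points, a protected enable mode (Example 9-1) and vty lines that use login local with username commands and an SSH transport (the six SSH steps), can be checked mechanically against a saved running-config. The script below is an added example, not code from the book or from Cisco: it reads config text in the layout show running-config produces, and reports enable-mode, vty login and vty transport weaknesses. The two sample configs are constructed (the first is trimmed from Example 9-1; the second is the same switch after the SSH steps with Telnet dropped from the transport, an assumed hardening the book does not show), and the section-parsing rules are this script's own simplification of IOS syntax.

```python
"""Audit a Cisco IOS running-config for the remote-access weaknesses this chapter
discusses: enable-mode protection, vty login method and vty transport.

Added example for this page, not code from the book or from Cisco. The parser is
a deliberate simplification of IOS configuration text: a section starts at a
non-indented line (for example `line vty 0 4`) and owns the indented lines after it.
"""
from __future__ import annotations

# Constructed sample: the running-config from Example 9-1, trimmed to the lines that
# matter for CLI access. The vty lines use one shared password with plain `login`,
# and the missing `transport input` line means the IOS default, `transport input telnet`.
EXAMPLE_9_1_CONFIG = """\
hostname Emma
!
enable secret 5 $1$YXRN$11zOe1Lb0Lv/nHyTquobd.
!
line con 0
 password faith
 login
line vty 0 4
 password love
 login
line vty 5 15
 password love
 login
"""

# Constructed sample: the same switch after the chapter's SSH steps, with Telnet
# removed from the vty transport (an assumed hardening, not from the book).
HARDENED_CONFIG = """\
hostname Emma
!
enable secret 5 $1$YXRN$11zOe1Lb0Lv/nHyTquobd.
username wendell password hope
ip domain-name example.com
!
line con 0
 password faith
 login
line vty 0 15
 login local
 transport input ssh
"""


def parse_sections(config: str) -> tuple[list[str], dict[str, list[str]]]:
    """Split config text into top-level commands and their indented subcommands.

    Returns (global_commands, {section_header: [subcommands]}); `!` and blank lines are skipped.
    """
    global_cmds: list[str] = []
    sections: dict[str, list[str]] = {}
    current: str | None = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():            # indented: subcommand of the current section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        current = raw.strip()           # non-indented: a new top-level command
        global_cmds.append(current)
        sections.setdefault(current, [])
    return global_cmds, sections


def audit_access(config: str) -> list[str]:
    """Return one finding per weakness; an empty list means none were found."""
    findings: list[str] = []
    global_cmds, sections = parse_sections(config)

    has_secret = any(c.startswith("enable secret") for c in global_cmds)
    has_enable_pw = any(c.startswith("enable password") for c in global_cmds)
    if not has_secret:
        findings.append("enable mode protected only by 'enable password'; use 'enable secret'"
                        if has_enable_pw else "no 'enable secret' configured")

    has_usernames = any(c.startswith("username ") for c in global_cmds)

    for header, subs in sections.items():
        if not header.startswith("line "):
            continue
        login = next((s for s in subs if s == "login" or s.startswith("login ")), None)
        if login is None:
            findings.append(f"{header}: no 'login' command, so no password is asked on this line")
            continue
        if login == "login" and not any(s.startswith("password ") for s in subs):
            findings.append(f"{header}: 'login' set without a 'password' subcommand")
        if not header.startswith("line vty"):
            continue                    # the remaining checks apply to remote (vty) access only
        if login == "login":
            findings.append(f"{header}: shared line password; use 'login local' with username commands")
        elif login == "login local" and not has_usernames:
            findings.append(f"{header}: 'login local' but no 'username' command, so every login fails")
        transport = next((s for s in subs if s.startswith("transport input")), "transport input telnet")
        if "telnet" in transport.split()[2:]:
            findings.append(f"{header}: accepts Telnet ({transport}), which sends passwords in clear text")
    return findings


if __name__ == "__main__":
    for name, cfg in (("Example 9-1", EXAMPLE_9_1_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_access(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for item in result:
            print("  -", item)
```

Run against the Example 9-1 config the audit reports four findings (each vty range relies on a shared password and still accepts Telnet); the hardened config reports none. A missing `transport input` subcommand is deliberately treated as Telnet, because that is the default the chapter's Step 2 describes.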

Posted: 14/08/2014, 15:21