Chapter 5 - Switch Configuration With Voice

Chapter 5: Switch Configuration
Instructor Materials
CCNA Routing and Switching

Routing and Switching Essentials v6.0
Chapter 5 - Sections & Objectives
 5.1 Basic Switch Configuration
• Configure basic switch settings to meet network requirements.
• Configure initial settings on a Cisco switch.
• Configure switch ports to meet network requirements.
 5.2 Basic Device Configuration
• Configure a switch using security best practices in a small to medium-sized business
network.
• Configure the management virtual interface on a switch.
• Configure the port security feature to restrict network access.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
5.2 Switch Security
>telnet 192.168.99.11 >ssh –l kassem 192.168.99.11
Secure Remote Access Open connection: Open connection:
SSH Operation Pass: telpass
S1>enable
Pass: sshpass
S1>enable
Pass:enpass Pass:enpass
 Secure Shell (SSH) S1#
S1#
• An alternative protocol to Telnet. Telnet uses unsecure plaintext of the username and password
as well as the data transmitted.
• SSH is more secure because it provides an encrypted management connection.
Wireshark Capture of Telnet Wireshark Capture of SSH
Secure Remote Access
SSH Operation (Cont.)
 A switch must have an IOS version (k9 at the end of the IOS file name) that includes
cryptographic capabilities in order to configure and use SSH.
• Use the show version command to see the IOS version.
Commonly forgotten
Configuring SSH command that is used in
key generation
1. Verify SSH support.
2. Configure the IP domain name.
3. Generate RSA key pairs.

4. Configure user authentication.
5. Configure the vty lines.

6. Enable SSH version 2.
Default is to accept both Telnet

The login local command and SSH (transport input all)
forces the use of the local

database for username/
password.
Verifying SSH
 On the PC, connect to the switch using SSH.
ss
h IP a ddr e
Switc
The PC is using SSH to communicate and issue

commands on the switch.
Packet Tracer – Configuring SSH
Security Concerns in LANs
MAC Address Flooding (cont.)
An attacker flooding the CAM table with bogus entries.
3-
1-
2-
 MAC address tables are limited in size. MAC flooding makes use of this limitation to send to the switch a whole bunch of fake source MAC
addresses until the switch MAC address table is fully loaded and can not save any more MAC address – Port
© 2016 Cisco mapping
and/or its entries.
affiliates. All rights reserved. Cisco Confidential 9
Security Concerns in LANs
MAC Address Flooding (cont.)
The switch now behaves as a hub.
 The switch then enters into a fail-open mode that means that it starts acting as a hub. In this situation switch will broadcasts all received
framses to all the machines on the network. As a result, the attacker (in our case “PC C”) can see all the frames sent from a victim host to
another host without a MAC address table entry.
Switch Port Security
Secure Unused Ports
The interface range command

can be used to apply a
configuration to several switch ports
at one time.
S1(config)#interface range fa0/4-7

S1(config-if)#shutdown
Port Security: Operation
 Port security limits the number of valid MAC
addresses allowed on a port.
Switchport Security
 The MAC addresses of legitimate devices are allowed Switch(config)#interface FastEthernet0/10
access, while other MAC addresses are denied. Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
 Any additional attempts to connect by unknown MAC Switch(config-if)# switchport port-security mac-address sticky
addresses generate a security violation. Switch(config-if)# switchport port-security maximum 1
 Secure MAC addresses can be configured in a Switch(config-if)# switchport port-security violation shutdown

number of ways:
Switch#Show port-security interface fa0/10
• Static secure MAC addresses Switch#Show interfaces fa0/1 switchport
• Dynamic secure MAC addresses Switch#show running-config
Switch#show port-security address //to see how MAC addresses
• Sticky secure MAC addresses were learned on a port (static, dynamic or sticky)

Port Security: Operation
 Port security limits the number of valid MAC addresses allowed to transmit data through a switch
port.
• If a port has port security enabled and an unknown MAC address sends data, the switch presents a
security violation.
• Default number of secure MAC addresses allowed is 1.
 Methods use to configure MAC addresses within port security:
• Static secure MAC addresses – manually configure
switchport port-security mac-address mac-address
• Dynamic secure MAC addresses – dynamically learned and removed if the switch restarts
• Sticky secure MAC addresses – dynamically learned and added to the running configuration (which can
later be saved to the startup-config to permanently retain the MAC addresses)
switchport port-security mac-address sticky
Note: Disabling sticky learning converts sticky MAC addresses to dynamic secure addresses and removes
them from the running-config.
Port Security: Violation Modes
 Protect – data from unknown source MAC addresses are dropped; a security notification IS NOT
presented by the switch
 Restrict - data from unknown source MAC addresses are dropped; a security notification IS presented by
the switch and the violation counter increments.
 Shutdown – (default mode) interface becomes error-disabled and port LED turns off. The violation counter
increments. Issues the shutdown and then the no shutdown command on the interface to bring it out of
the error-disabled state.
Port Security: Configuring
Port Security: Configuring (Cont.)
 Before configuring port-security features, place the port in access mode and use the switchport
port-security interface configuration command to enable port security on an interface.
rro
r Dynamic
n e
ratio nd!
gu a
onfi omm
c c
m on this
t
om ge
st c o fo r
M o is t
Port Security: Configuring (Cont.)
o r
n err
io !
u rat and
i g m
nf m
n co s co
o thi
o mm rget
c
os t to f o
M is
Port Security: Verifying
 Use the show port-security interface command to verify the maximum number of MAC
addresses allowed on a particular port and how many of those addresses were learned
dynamically using sticky.
Dynamic Sticky
Port Security: Verifying (Cont.)
 Use the show running-config command to see learned MAC addresses added to the
configuration.
 The show port-security address command shows how MAC addresses were learned on a
particular port.
Ports in Error Disabled State
 Switch console messages display when a port security violation occurs. Notice the port link status
changes to down.
Ports in Error Disabled State (Cont.)
 Check the port status and the port security  Do not re-enable a port until the security
settings. threat is investigated and eliminated.
 Notice that you must first shut the port down
and then issue the no shutdown command
in order to use the particular port again after
a security violation has occurred.
Packet Tracer – Configuring Switch Port Security
Packet Tracer – Troubleshooting Switch Port Security
Packet Tracer – Configuring Switch Security Features
5.3 Chapter Summary

Chapter 5 - Switch Configuration With Voice

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Chapter 5 - Switch Configuration With Voice

Uploaded by

Copyright:

Available Formats

Chapter 5: Switch Configuration

CCNA Routing and Switching

2. Configure the IP domain name.

3. Generate RSA key pairs.

5. Configure the vty lines.

Default is to accept both Telnet

forces the use of the local

The PC is using SSH to communicate and issue

The interface range command

S1(config)#interface range fa0/4-7

You might also like