Switch Configuration CCNA 3, Module 6 William Widulski.

Table of Contents: Overview, Starting the Switch, Configuring the Switch, Summary

Overview

Overview A switch operates at Layer 2 of the OSI model. A switch is a concentration point for the connection of workstations, servers, routers, hubs, and other switches. A hub is an older type of concentration device which also provides multiple ports. A hub operates at Layer 1 of the OSI model.

Switches vs. Hubs Hubs: reside in the same bandwidth domain that produces collisions. They only operate in half-duplex mode. In half-duplex mode, the hubs can send or receive data at any given time, but not both at the same time. Switches: Basically, they are multi-port bridges. Switches can operate in full-duplex mode, which means they can send and receive data simultaneously. Switches are the current standard technology for Ethernet LANs that utilize a star topology. A switch provides dedicated, point-to-point virtual circuits between connected networking devices, so collisions are virtually impossible.

Configuring a Switch Switches can be configured and managed from a command-line interface (CLI) or from a web-based interface and a browser. A network administrator must be familiar with many tasks to be effective in managing a network with switches.

Network Administration Some tasks are associated with maintaining the switch and its Internetworking Operating System (IOS). Others are associated with managing interfaces and tables for optimal, reliable, and secure operation. Basic switch configuration, upgrading the IOS, and performing password recovery (like router configuration) are essential network administrator skills.

Starting the Switch

Physical Startup Switches are dedicated, specialized computers, which contain a central processing unit (CPU), random access memory (RAM), and an operating system. A switch can be managed by connecting to the console port. Using HyperTerminal, you can view and make changes to the configuration. Switches typically have no power switch to turn them on and off.

Switch LED indicators The System LED shows whether the system is receiving power and functioning correctly. The RPS LED indicates whether or not the remote power supply is in use. The Mode LEDs indicate the current state of the Mode button. The modes are used to determine how the Port Status LEDs are interpreted. To select or change the port mode, press the Mode button repeatedly until the Mode LEDs indicate the desired mode. The Port Status LEDs have different meanings, depending on the current value of the Mode LED.

Port LED Definitions (Mode LED, color: description)
STAT, off: No link.
STAT, solid green: Link operational.
STAT, flashing green: Port is sending or receiving data.
STAT, alternating green/amber: Link fault.
STAT, solid amber: Port is not forwarding because it was disabled by management or address violation, or blocked by STP.

Port LED Definitions (Mode LED, color: description)
UTL, off: Each LED that is off indicates a reduction by half of the total bandwidth. The LEDs are turned off from right to left. If the right-most LED is off, then the switch is using less than 50% of total bandwidth. If the two right-most LEDs are off, the switch is using less than 25% of total bandwidth.
UTL, green: Link operational.
FDUP, off: Port is operating in half-duplex.
FDUP, green: Port is operating in full-duplex.
100, off: Port is operating at 10 Mbps.
100, green: Port is operating at 100 Mbps.

Switch POST and System LED Once power is supplied to the switch, the switch executes a power-on self test (POST). POST runs automatically to verify that the switch functions correctly. The System LED indicates the success or failure of POST. If the System LED is off but the switch is plugged in, then POST is running. If the System LED is green, then POST was successful. If the System LED is amber, then POST failed.

System LED and Switch POST POST failure is considered to be a fatal error and the switch should not be expected to operate reliably. The Port Status LEDs also change during switch POST. The Port Status LEDs turn amber for about 30 seconds as the switch discovers the network topology and searches for loops. If the Port Status LEDs turn green, the switch has established a link between the port and a target, such as a computer. If the Port Status LEDs turn off, the switch has determined that nothing is plugged into the port.

Initial Bootup Output In order to configure or check the status of a switch, use a rollover cable to connect the console port on the back of the switch to a COM port on the back of the computer. Use HyperTerminal, with the same settings you use when connecting to a router. If you then plug the switch into the wall, the initial bootup output from the switch should be displayed on the HyperTerminal screen.

Initial Bootup Output The bootup output shows information about the switch, details about POST status, and data about the switch hardware. After the switch has booted and completed POST, it prompts you to enter the System Configuration dialog (or setup mode, which is simpler than that on a router). The switch may be configured manually with or without the assistance of the System Configuration dialog.

Examining Help in the Switch CLI The command-line interface (CLI) for Cisco switches is very similar to the CLI for Cisco routers. The help command is issued by entering a question mark ( ? ). To obtain a list of commands that begin with a particular character sequence (called word help), enter those characters followed immediately by the question mark ( ? ). To list keywords or arguments that are associated with a particular command (called command syntax help), enter one or more words associated with the command, followed by a space and then a question mark ( ? ).

Switch Command Modes Switches have several command modes just like routers. The default mode is User EXEC mode, whose prompt ends in a greater-than character ( > ). The commands available in User EXEC mode are limited to those that change terminal settings, perform basic tests, and display system information.

Show Commands (command: description)
show version: Gives version information for software and hardware. Used to see which modules and software are in use.
show running-config: Displays the current configuration file of the switch.
show interface: Displays the administrative and operational status of a switching port, packets in/out, and errors.
show interface status: Displays the operational mode of the port.
show controllers ethernet-controller: Gives discarded frames, deferred frames, alignment errors, collisions, and so on.
show post: Tells if the switch passed the Power-On Self Test (POST).

Switch Command Modes The enable command is used to change from User EXEC mode to Privileged EXEC mode, whose prompt ends in a pound-sign character (#). The Privileged EXEC mode command set includes those commands allowed in User EXEC mode, as well as the configure command. The configure command allows other command modes to be accessed, in particular global configuration mode (just like a router).

Switch Command Modes Access to Privileged EXEC mode should be password protected to prevent unauthorized use. If the system administrator has set a password, then users are prompted to enter the password before being granted access to Privileged EXEC mode. The password does not appear on the screen, and is case sensitive. To set a password, use the enable secret command.

Configuring the Switch

Default Configuration To view the current configuration, use the show running-config command. The default hostname is Switch. No passwords are set on the console or virtual terminal (vty) lines. By default, the switch has no IP address but it may be given an IP address for management purposes. This is configured on the virtual interface (not an actual real interface), VLAN 1.

Default Configuration This is done with the commands interface vlan 1 and ip address. The switch ports or interfaces are set to auto mode. Use the command show interface [fa slot#/port#] to view these settings. All switch ports are in VLAN 1, called the default management VLAN. Use the command show vlan to view their port assignment.

Default Flash Contents The flash directory by default contains: A file that contains the IOS image. A file called env_vars (environment variables). A sub-directory called html. After configuring the switch, it may contain a config.text file and a VLAN database vlan.dat. The default configuration has neither a VLAN database file, vlan.dat, nor a saved configuration file, config.text.

Verifying IOS Version Use the show version command to verify the IOS version and the configuration register settings. The default configuration register setting is 0xF. In its default state, the switch has: One broadcast domain and can be managed or configured through the console port using the CLI. The Spanning-Tree Protocol is also enabled (allowing the switch to construct a loop-free topology).

Configuring the Catalyst switch The default User EXEC mode prompt is Switch>. The default privileged EXEC mode prompt is Switch#. Configuring a switch is very similar to configuring a router. Enter global configuration using the configure terminal command. Give the switch a hostname with the hostname command.

Configuring Passwords Passwords are configured using the enable password or the enable secret commands. Line console passwords are configured using the line console 0 command followed by the password cisco and the login commands. Telnet session passwords are configured using the line vty 0 15 command followed by the password cisco and the login commands.

Allowing Telnet Sessions In order to allow the switch to be accessible by Telnet and other TCP/IP applications, you must set IP addresses and a default gateway. In the Catalyst 2950: enter interface vlan 1 followed by ip address and ip default-gateway. In the Catalyst 1900: ip address and ip default-gateway.

Configuring Speed and Line Mode The Fast Ethernet switch ports default to auto-speed and auto-duplex. To enter interface configuration mode, type interface [fa slot#/port#]. Then the speed can be set by using speed [10 | 100 | auto]. To set the line mode to either full duplex or half duplex, use duplex [auto | full | half]. The auto option is only for fixed Fast Ethernet TX ports.

Web-based Configuration Once a switch is configured with an IP address and gateway, it can be accessed using a web browser. The HTTP service can be turned on or off using the command: ip http server The port address for the service can be chosen using the command: ip http port 80

Removing a Configuration In order to clear out the configuration on the Catalyst 2950, you must: remove any existing VLAN information by deleting the VLAN database file vlan.dat from the flash directory using the command delete flash:vlan.dat; erase the backup configuration file startup-config; reload the switch. On a Catalyst 1900, use the delete nvram command and then reload.

Managing the MAC address table Switches learn MAC addresses dynamically by examining the source address of frames. They are then stored in a MAC address table which is located in the switch's CAM (content-addressable memory). To examine the addresses that a switch has learned, enter the privileged EXEC command show mac-address-table. If no frames are seen with a previously learned address, the MAC address entry is automatically discarded or aged out after 300 seconds. To manually clear the table, use the privileged EXEC command clear mac-address-table.

Static MAC Addresses A MAC address may be permanently assigned to an interface. The reasons for assigning a static MAC address to an interface include: The MAC address will not be aged out automatically by the switch. A specific server or user workstation must be attached to the port and the MAC address is known. Security is enhanced.

Static MAC Addresses To configure a static MAC address entry, use: Switch(config)# mac-address-table static interface FastEthernet vlan To remove the entry use the no form of the command: Switch(config)# no mac-address-table static interface FastEthernet vlan

Configuring Port Security Network security is an important responsibility for an administrator. Access layer switchports are accessible through the structured cabling at wall outlets in offices and rooms. Anyone can plug a PC or laptop into one of these outlets. This is a potential entry point to the network for unauthorized users. Switches provide a feature called port security.

Port Security Port security is done by limiting the number of addresses that can be learned on an interface and configuring the switch to take an action when this limit is exceeded. Secure MAC addresses can be set statically. However, securing MAC addresses statically can be a complex task and prone to error.

Configuring Port Security An alternative approach is to set port security on a switch interface. Limit the number of MAC addresses per port to 1 using the command port security max-mac-count 1. Then set the action using the port security action action command. Possible actions include shutdown or trap. The first address dynamically learned by the switch becomes the secure address. To verify port security status, use the command show port security.
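
An added example, not from the original slides: a small Python model of the behaviour described above, covering MAC learning with 300-second ageing, static entries that never age, and a port limited to one address that applies the shutdown or trap action to any other source MAC. The class names, port names and MAC addresses are constructed, and the handling of the offending frame under the trap action is an assumption of the model.

```python
AGING_SECONDS = 300          # ageing time given in the slides


class Port:
    def __init__(self, name, max_mac_count=None, action="shutdown"):
        self.name = name
        self.max_mac_count = max_mac_count   # None means port security is off
        self.action = action                 # "shutdown" or "trap"
        self.secure = []                     # secure addresses, in learning order
        self.enabled = True
        self.traps = []                      # (time, offending MAC) notifications


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table = {}                  # mac -> (port name, last seen or None)

    def add_static(self, mac, port_name):
        self.mac_table[mac] = (port_name, None)    # None: never aged out

    def receive(self, port_name, src_mac, now):
        """Handle the source address of one frame and report the outcome."""
        port = self.ports[port_name]
        if not port.enabled:
            return "dropped: port disabled"
        if port.max_mac_count is not None and src_mac not in port.secure:
            if len(port.secure) < port.max_mac_count:
                port.secure.append(src_mac)        # learned address becomes secure
            elif port.action == "shutdown":
                port.enabled = False               # stays down until re-enabled
                return "violation: port shut down"
            else:
                # Assumption of this model: the offending frame is not learned.
                port.traps.append((now, src_mac))
                return "violation: trap sent"
        entry = self.mac_table.get(src_mac)
        if entry is None or entry[1] is not None:  # never overwrite a static entry
            self.mac_table[src_mac] = (port_name, now)
        return "accepted"

    def age_out(self, now):
        """Remove dynamic entries not refreshed for AGING_SECONDS."""
        stale = [mac for mac, (_, seen) in self.mac_table.items()
                 if seen is not None and now - seen >= AGING_SECONDS]
        for mac in stale:
            del self.mac_table[mac]
        return stale


def demo():
    # All MAC addresses and port names below are constructed.
    sw = Switch([Port("Fa0/1", 1, "shutdown"), Port("Fa0/2", 1, "trap"), Port("Fa0/3")])
    sw.add_static("0000.0c00.0001", "Fa0/3")
    outcomes = [
        sw.receive("Fa0/1", "aaaa.aaaa.0001", now=0),   # first address: secure
        sw.receive("Fa0/1", "bbbb.bbbb.0002", now=10),  # second address: violation
        sw.receive("Fa0/1", "aaaa.aaaa.0001", now=20),  # legitimate host is cut off too
        sw.receive("Fa0/2", "cccc.cccc.0003", now=0),
        sw.receive("Fa0/2", "dddd.dddd.0004", now=5),   # trap action: port stays up
        sw.receive("Fa0/2", "cccc.cccc.0003", now=30),  # refreshes the table entry
    ]
    return outcomes, sw.age_out(now=320), sorted(sw.mac_table)


if __name__ == "__main__":
    print(demo())
```

The third outcome is the operational cost of the shutdown action: once the port is disabled, the legitimate host is also offline until an administrator re-enables it.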

Adds, Moves, and Changes When a new switch is added to a network, you should configure the following: the hostname for the switch; the IP address for the switch in the management VLAN; a default gateway; line passwords. When a host is moved from one port or switch to another, configurations that can cause unexpected behavior should be removed. Configuration that is required can then be added.

Managing the Switch IOS file An administrator should document and maintain the operational configuration files for all networking devices. The most recent running-configuration file should be backed up on a server or disk. This is not only essential documentation, but is very useful if a configuration needs to be restored. copy run start – to save the running-config file to nvram

Managing the Switch IOS file The IOS should also be backed up to a local server. The IOS can then be reloaded to flash memory if needed. The IOS-based commands: copy run tftp – to save config file to tftp server. copy tftp run – to download config from tftp server to active config and to NVRAM.

Password Recovery Connect to the switch via the console port. Turn off the power to the switch. Turn the power back on while holding down the MODE button. Release the MODE button when the LED over port 1 goes out. At the prompt, type the commands flash_init and load_helper.

Password Recovery Then check the content of flash memory using the dir flash: command. Rename the config.text file to config.old using the command: rename flash:config.text flash:config.old Then reboot the switch using the boot command. When prompted for setup mode, say n for no.

Password Recovery Rename the config.old file to config.text using the command: rename flash:config.old flash:config.text Enter privileged EXEC mode with the enable command. Load the config file into ram using the command: copy flash:config.text system:running-config

Password Recovery Enter global configuration mode and remove the enable secret password with the command: no enable secret Then add new passwords to privileged mode, line console and telnet sessions. Be sure to save the new configuration to nvram using the command: copy running-config startup-config

Firmware Upgrade From privileged mode, enter the command show boot to see the running-config file name. Use the show flash command to display the files in flash. (Note: dir flash: does the same thing.) Rename the current IOS to another name using rename flash:c2950-c3h2s-mz wc.1.bin flash:c2950-c3h2s-mz wc.1.old

Firmware Upgrade Be sure to turn off web access with the no ip http server command. Extract the new IOS file c2950-c3h2s-mz wc.1.tar from a tftp server at using the command: tar /x tftp:// //c2950-c3h2s-mz wc.1.tar flash: Enter global configuration mode and turn web access back on. Next, restart the switch. Finally, associate the switch with the new boot file.

Firmware Upgrade Finally, associate the switch with the new boot file using: boot system flash:c2950-c3h2s-mz wc.1.bin You should verify that the new version is running with show version command. And delete the old version with the delete flash:c2950-c3h2s-mz wc.1.old

Summary

Summary Switches are dedicated, specialized computers, which contain a CPU, RAM and an IOS. The front panel of a switch has several LEDs to help monitor system activity and performance. Switches have several command modes, including user EXEC and privileged EXEC modes. When powered up for the first time, a switch has default data in the running configuration file.

Summary The default hostname is Switch. No passwords are set on the console or virtual terminal (vty) lines. Switches learn MAC addresses of PCs that are connected to their switch ports by examining the source address of frames that are received on that port.

Command Summary User EXEC mode and Privileged EXEC mode: enable command. An IOS-based switch is just like the router IOS. configure command – go to global config mode. copy run start – to save config to NVRAM. Host Name configuration characters hostname [name] Comment to help identify the interface: description [description-string] – interface config mode. Use quotes when using spaces in the string. IOS-based: same as on a router. Access help by entering ?

Remote Access to Switch To telnet, ping, or globally manage the switch: enter an IP address and management VLAN. Configuration: interface vlan 1, ip address [address] [mask], ip default-gateway [address]. Verify with show ip interface.

Defining Port Speed / Duplex Speed: Interface config mode: speed [10 | 100 | auto] Line mode is either full duplex or half duplex. Interface config mode: duplex [auto | full | half] auto option only for fixed Fast Ethernet TX ports.

Backup on TFTP Server IOS-based commands: copy run tftp – to save config file to tftp server. copy tftp run – to download config from tftp server to active config and to NVRAM.

Required Labs for this Chapter Spend your lab time completing all labs in this Chapter Lab – Verifying Default Switch Configuration Lab – Basic Switch Configuration Lab – Managing the MAC Address Tables Lab – Configuring Static MAC Addresses Lab – Configuring Port Security Lab – Add, Move, and Change MAC Addresses Lab 6.2.7a – Managing Switch Operating System Files

Required Labs for this Chapter Lab 6.2.7b – Managing Switch Startup Configuration Files Lab – Password Recovery Procedure on a Catalyst 2900 Series Switch Lab – Firmware Upgrade of a Catalyst 2900 Series Switch E-labs for all of the above labs are also available in the curriculum. The more you practice the better off you will be.
