CCNAV3.3 305


  • 8/6/2019 CCNAV3.3 305


    Objectives

    - Monitor switch activity and status using LED indicators
    - Set an IP address and default gateway for the switch to allow connection and management over a network
    - Set interfaces for speed and duplex operation
    - Examine and manage the switch MAC address table
    - Configure port security
    - Manage configuration files and IOS images
    - Perform password recovery on a switch
    - Upgrade the IOS of a switch


    Table of Contents

    1 Starting the Switch
    2 Configuring the Switch


    Physical startup of the Catalyst switch

    - Central processing unit (CPU)
    - Random access memory (RAM)
    - An operating system
    - Several ports for the purpose of connecting hosts


    Switch LED Indicators: STAT

    LED state                 Meaning
    Off                       No link
    Solid Green               Link operational
    Flashing Green            Port is sending or receiving data
    Alternating Green/Amber   Link fault
    Solid Amber               Port is not forwarding because it was disabled by management or an address violation, or blocked by Spanning Tree Protocol


    Switch LED Indicators: UTL

    Off:
    - Each LED that is off indicates a reduction by half of the total bandwidth.
    - LEDs are turned off from right to left.
    - If the right-most LED is off, then the switch is using less than 50% of total bandwidth.
    - If the two right-most LEDs are off, the switch is using less than 25% of total bandwidth.

    Green: If all LEDs are green, the switch is using 50% or more of total bandwidth.


    Switch LED Indicators: FDUP, 100

    LED    State   Meaning
    FDUP   Off     Port is operating in half-duplex
    FDUP   Green   Port is operating in full-duplex
    100    Off     Port is operating at 10Mbps
    100    Green   Port is operating at 100Mbps


    Verifying Port LEDs During Switch POST

    - If the System LED is off but the switch is plugged in, then POST is running.
    - If the System LED is green, then POST was successful.
    - If the System LED is amber, then POST failed. POST failure is considered to be a fatal error.
    - The Port Status LEDs turn amber for about 30 seconds as the switch discovers the network topology and searches for loops.
    - If the Port Status LEDs turn green, the switch has established a link between the port and a target


    Viewing Initial Bootup Output From The Switch

    - Use a rollover cable to connect the console port on the back of the switch to a COM port on the back of the computer
    - Start HyperTerminal on the computer
    - After the switch has booted and completed POST, prompts for the System Configuration dialog are presented


    Examining Help In The Switch CLI

    Switch>?
    Exec commands:
      access-enable    Create a temporary Access-List entry
      clear            Reset functions
      connect          Open a terminal connection
      disable          Turn off privileged commands
      disconnect       Disconnect an existing network connection
      enable           Turn on privileged commands
      exit             Exit from the EXEC
      help             Description of the interactive help system
      lock             Lock the terminal
      login            Log in as a particular user
      logout           Exit from the EXEC
      name-connection  Name an existing network connection
      ping             Send echo messages
      rcommand         Run command on remote switch
     --More--


    Switch Command Modes

    - The User EXEC mode is recognized by its ending in a greater-than character ( > ).
      - The commands available in User EXEC mode are limited to those that change terminal settings, perform basic tests, and display system information.
    - Privileged EXEC mode is also recognized by its ending in a pound-sign character ( # ).
      - The Privileged EXEC mode command set includes those commands allowed in User EXEC mode, as well as the configure command.
      - The configure command allows other command modes to be accessed.


    CONFIGURING THE SWITCH


    Catalyst 1900 and 2950 Default Configuration

    - IP address: 0.0.0.0
    - CDP: enabled
    - 100baseT port: autonegotiate duplex mode
    - Spanning tree: enabled
    - Console password: none


    Verifying The Catalyst Switch Default Configuration

    - show running-config
    - show interface FastEthernet 0/1
    - show vlan
    - show flash (or dir flash:)
    - show version


    show running-config


    show interface


    show vlan


    show flash


    show version


    Configuring The Catalyst Switch

    Note:
    - Remove any existing VLAN information by deleting the VLAN database file vlan.dat from the flash directory
    - Erase the backup configuration file startup-config
    - Reload the switch

    Catalyst 2900
      delete flash:vlan.dat
      erase startup-config
      reload

    Catalyst 1900
      delete nvram


    Configuring The Catalyst Switch (cont)

    A switch should be given a hostname, and passwords should be set on the console and vty lines

    switch(config)#hostname ALSwitch
    ALSwitch(config)#line console 0
    ALSwitch(config-line)#login
    ALSwitch(config-line)#password funny
    ALSwitch(config-line)#line vty 0 4
    ALSwitch(config-line)#login
    ALSwitch(config-line)#password deadman
    ALSwitch(config-line)#^Z


    Configuring the Switch IP Address

    Configures an IP address and subnet mask on the switch

    Catalyst 1900

    wg_sw_1900(config)#ip address { ip_address } { mask }
    wg_sw_1900(config)#ip address 10.5.5.11 255.255.255.0

    Catalyst 2950

    wg_sw_2950(config)#interface vlan 1
    wg_sw_2950(config-if)#ip address { ip_address } { mask }
    wg_sw_2950(config-if)#ip address 10.5.5.11 255.255.255.0


    Configuring the Switch Default Gateway

    wg_sw_a(config)# ip default-gateway { ip address }

    Configures the switch default gateway for the Catalyst 1900 and 2950 switches

    wg_sw_a(config)#ip default-gateway 10.5.5.3


    Showing the Switch IP Address

    Catalyst 1900

    wg_sw_1900#show ip
    IP address: 10.5.5.11
    Subnet mask: 255.255.255.0
    Default gateway: 10.5.5.3
    Management VLAN: 1
    wg_sw_a#

    Catalyst 2950

    wg_sw_2950#show interface vlan 1
    Vlan1 is up, line protocol is up
      Hardware is Cat5k Virtual Ethernet, address is 0010.f6a9.9800 (bia 0010.f6a9.9800)
      Internet address is 172.16.80.79/24
      Broadcast address is 255.255.255.255
    . . .
    wg_sw_2950#


    Setting Duplex Options

    Catalyst 1900

    wg_sw_1900(config)#interface e0/1
    wg_sw_1900(config-if)#duplex {auto | full | full-flow-control | half}

    Catalyst 2950

    wg_sw_2950(config)#interface fe0/1
    wg_sw_2950(config-if)#duplex {auto | full | half}


    Showing Duplex Options

    Switch#show interfaces fastethernet0/3
    FastEthernet0/3 is up, line protocol is down
      Hardware is Fast Ethernet, address is 0000.0000.0003 (bia 0000.0000.0003)
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Half-duplex, 10Mb/s
      input flow-control is off, output flow-control is off
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input never, output never, output hang never
      Last clearing of "show interface" counters never
      Queueing strategy: fifo
      Output queue 0/40, 0 drops; input queue 0/75, 0 drops
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         0 packets input, 0 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 input packets with dribble condition detected
         0 packets output, 0 bytes, 0 underruns
         0 output errors, 0 collisions, 2 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier
         0 output buffer failures, 0 output buffers swapped out


    Configuring The Catalyst Switch (cont)

    - Intelligent networking devices can provide a web-based interface for configuration and management purposes

      ALSwitch(config)#ip http server
      ALSwitch(config)#ip http port 8080

    - Any additional software, such as an applet, can be downloaded to the browser from the switch


    The GUI Interface


    Managing the MAC Address Table

    Catalyst 1900

    wg_sw_1900#show mac-address-table
    Number of permanent addresses : 0
    Number of restricted static addresses : 0
    Number of dynamic addresses : 6

    Address          Dest Interface      Type      Source Interface List
    ------------------------------------------------------------------
    00E0.1E5D.AE2F   Ethernet 0/2        Dynamic   All
    00D0.588F.B604   FastEthernet 0/26   Dynamic   All
    00E0.1E5D.AE2B   FastEthernet 0/26   Dynamic   All
    0090.273B.87A4   FastEthernet 0/26   Dynamic   All
    00D0.588F.B600   FastEthernet 0/26   Dynamic   All
    00D0.5892.38C4   FastEthernet 0/27   Dynamic   All

    Catalyst 2950

    wg_sw_2950#show mac-address-table
    Dynamic Address Count: 1
    Secure Address Count: 0
    Static Address (User-defined) Count: 0
    System Self Address Count: 25
    Total MAC addresses: 26
    Maximum MAC addresses: 8192
    Non-static Address Table:
    Destination Address  Address Type  VLAN  Destination Port
    -------------------  ------------  ----  --------------------
    0050.0f02.3372       Dynamic          1  FastEthernet0/2


    Configuring Static MAC Addresses

    The reasons for assigning a permanent MAC address to an interface include:

    - The MAC address will not be aged out automatically by the switch.
    - A specific server or user workstation must be attached to the port and the MAC address is known.
    - Security is enhanced.


    Setting a Static MAC Address

    wg_sw_1900(config)#mac-address-table permanent 2222.2222.2222 ethernet 0/3
    wg_sw_1900#show mac-address-table
    Number of permanent addresses : 1
    Number of restricted static addresses : 0
    Number of dynamic addresses : 4

    Address          Dest Interface      Type        Source Interface List
    ------------------------------------------------------------------
    00E0.1E5D.AE2F   Ethernet 0/2        Dynamic     All
    2222.2222.2222   Ethernet 0/3        Permanent   All
    00D0.588F.B604   FastEthernet 0/26   Dynamic     All
    00E0.1E5D.AE2B   FastEthernet 0/26   Dynamic     All
    00D0.5892.38C4   FastEthernet 0/27   Dynamic     All

    wg_sw_1900(config)#mac-address-table permanent { mac-address type module/port }

    wg_sw_2950(config)#mac-address-table secure mac_addr {vlan vlan_id } [interface int1 [ int2 ... int15 ]]

    Catalyst 1900 and 2950

    Catalyst 2950 only


    Setting a Restricted Static MAC Address on the Cat 1900

    wg_sw_1900(config)#mac-address-table restricted static 1111.1111.1111 e0/4 e0/1
    wg_sw_1900#show mac-address-table
    Number of permanent addresses : 1
    Number of restricted static addresses : 1
    Number of dynamic addresses : 4

    Address          Dest Interface      Type        Source Interface List
    ------------------------------------------------------------------
    1111.1111.1111   Ethernet 0/4        Static      Et0/1
    00E0.1E5D.AE2F   Ethernet 0/2        Dynamic     All
    2222.2222.2222   Ethernet 0/3        Permanent   All
    00D0.588F.B604   FastEthernet 0/26   Dynamic     All
    00E0.1E5D.AE2B   FastEthernet 0/26   Dynamic     All
    00D0.5892.38C4   FastEthernet 0/27   Dynamic     All

    wg_sw_1900(config)#mac-address-table restricted static { mac-address type module/port src-if-list }


    Setting a Restricted Static MAC Address on the Cat 2950

    wg_sw_2950#mac-address-table secure 0003.3333.3333 fa 0/1 vlan 1
    wg_sw_2950#show mac-address-table
    Dynamic Address Count: 1
    Secure Address Count: 1
    Static Address (User-defined) Count: 1
    System Self Address Count: 25
    Total MAC addresses: 28
    Maximum MAC addresses: 8192
    Non-static Address Table:
    Destination Address  Address Type  VLAN  Destination Port
    -------------------  ------------  ----  --------------------
    0050.0f02.3372       Dynamic          1  FastEthernet0/2
    0003.3333.3333       Secure           1  FastEthernet0/1
    Static Address Table:
    Destination Address  VLAN  Input Port  Output Ports
    -------------------  ----  ----------  -----------------------
    2222.2222.2222          1  ALL         Fa0/1

    wg_sw_2950(config)#mac-address-table secure hw-addr interface [vlan vlan-id ]


    Port security

    - Anyone can plug a PC or laptop into one of these outlets.
    - This is a potential entry point to the network by unauthorized users.
    - Switches provide a feature called port security.
    - It is possible to limit the number of addresses that can be learned on an interface.
    - The switch can be configured to take an action if this is exceeded.
    - Secure MAC addresses can be set statically.
    - However, securing MAC addresses statically can be a complex task and prone to error.
    - To verify port security status, the command show port-security is entered.


    Secure MAC Addresses

    - Set the maximum number of secure MAC addresses on a port
    - After secure MAC addresses are configured, they are stored in an address table.
    - Setting a maximum number of addresses to one and configuring the MAC address of an attached device ensures that the device has the full bandwidth of the port.


    Secure MAC Addresses

    The switch supports these types of secure MAC addresses:

    - Static secure MAC addresses
    - Dynamic secure MAC addresses
    - Sticky secure MAC addresses: These are dynamically configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch restarts, the interface does not need to dynamically reconfigure them.


    Configuring port security

    Differs on 1900, 2900XL, and 2950 Switches.


    2950 Security Commands

    Switch(config-if)# switchport mode access
    Switch(config-if)# switchport port-security
    Switch(config-if)# switchport port-security maximum value
    Switch(config-if)# switchport port-security mac-address mac-address
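
An added example (not part of the original slides): a short Python audit that reads a running-config and reports, for each access port, whether the 2950 port-security commands above are actually in effect. The sample configuration is constructed and the function names are this example's own; it relies on the IOS behaviour that the feature stays off until the bare `switchport port-security` line is present and that the default maximum is 1.

```python
import re

# Constructed sample running-config for illustration (not from the slides).
SAMPLE_CONFIG = """\
hostname ALSwitch
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0003.3333.3333
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security maximum 2
!
interface FastEthernet0/24
 switchport mode trunk
!
line con 0
"""

PS = "switchport port-security"

def parse_interfaces(config):
    """Map each interface name to the list of its sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command closes the block
    return interfaces

def audit_port_security(config):
    """Return {interface: finding} for every access port in the config."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # trunks and unconfigured ports are out of scope here
        options = [c for c in cmds if c.startswith(PS + " ")]
        if PS in cmds:
            m = [re.fullmatch(PS + r" maximum (\d+)", c) for c in options]
            limit = next((int(x.group(1)) for x in m if x), 1)  # IOS default: 1
            report[name] = f"enabled, maximum {limit}"
        elif options:
            report[name] = "options set but port-security not enabled"
        else:
            report[name] = "port-security not configured"
    return report

if __name__ == "__main__":
    for port, finding in audit_port_security(SAMPLE_CONFIG).items():
        print(f"{port}: {finding}")
```

FastEthernet0/3 is the case worth watching for: a maximum is set, but without the enabling line the port still learns addresses without restriction.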


    2950 Configuration


    Executing Adds, Moves, And Changes


    Executing Adds, Moves, And Changes (cont)


    Managing Switch Operating System File

    - An administrator should document and maintain the operational configuration files for networking devices.
    - The most recent running-configuration file should be backed up on a server or disk.
    - The IOS should also be backed up to a local server.


    1900/2950 Password Recovery

    - For security and management purposes, passwords must be set on the console and vty lines.
    - There will be circumstances where physical access to the switch can be achieved, but access to the user or privileged EXEC mode cannot be gained because the passwords are not known or have been forgotten.
    - In these circumstances, a password recovery procedure must be followed.


    Summary

    - Monitoring switch activity and status using LED indicators
    - Examining the switch bootup output using HyperTerminal
    - Using the help features of the command line interface
    - Setting an IP address and default gateway for the switch to allow connection and management over a network
    - Setting interfaces for speed and duplex operation
    - Examining and managing the switch MAC address table
    - Configuring port security
    - Managing configuration files and IOS images
    - Performing password recovery on a switch
    - Upgrading the IOS of a switch


    Q&A