Switch#config t
Switch(config)#int f0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
Most Cisco switches ship with their ports in dynamic desirable mode (newer models default to dynamic auto), which means that those ports will try to form a trunk when they sense that another switch has just been connected. So first, we need to take the port out of dynamic mode and make it an access port instead. If we don't do that, the switch refuses to configure port security on the port at all, because port security can't run on a port that is still negotiating its mode. Once that's out of the way, we can move on to our port-security commands, never forgetting that we must enable port security on the interface with the basic command switchport port-security. Notice that I did this after I made the port an access port!
The preceding output clearly illustrates that the switchport port-security command can be used with four options. You can use the switchport port-security mac-address <mac-address> command to assign individual MAC addresses to each switch port (IOS expects the address in dotted-hex form, such as 0011.2233.4455), but be warned because if you go with that option, you had better have boatloads of time on your hands!
You can configure the device to take one of the following actions when a security violation occurs by using the switchport port-security violation command:
Protect: The protect violation mode drops packets with unknown source addresses until you remove enough secure MAC addresses to drop below the maximum value. Nothing is logged and no trap is sent, so a violation in protect mode is invisible to your monitoring.
Restrict: The restrict violation mode also drops packets with unknown source addresses until you remove enough secure MAC addresses to drop below the maximum value. However, it also generates a log message, causes the security violation counter to increment, and sends an SNMP trap.
Shutdown: Shutdown is the default violation mode. The shutdown violation mode puts the interface into an error-disabled state immediately. The entire port is shut down. Also, in this mode, the system generates a log message, sends an SNMP trap, and increments the violation counter. To make the interface usable again, you must perform a shut/no shut on the interface (or let the switch recover it automatically after a timer by configuring the global command errdisable recovery cause psecure-violation).
If you want to set up a switch port to allow only one host per port and make sure the port will shut down if this rule is violated, use the following commands like this:
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
These commands really are probably the most popular because they prevent random users from plugging their own device into a specific switch port or access point that's in their office. The port security defaults that are set on a port the moment it's enabled are maximum 1 and violation shutdown. This sounds okay, but the drawback to this is that it only allows a single MAC address to be used on the port, so if anyone, including you, tries to add another host on that segment, the switch port will immediately enter the error-disabled state and the port LED will turn amber. And when that happens, you have to manually go into the switch and re-enable the port by cycling it with a shutdown and then a no shutdown command.
Probably one of my favorite commands is the sticky command, and not just because it's got a cool name. It also makes very cool things happen! You can find this command under the mac-address command:
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#switchport port-security violation shutdown
Basically, with the sticky command you can provide static MAC address security without having to type in absolutely everyone's MAC address on the network. I like things that save me time like that!
In the preceding example, the first two MAC addresses coming into the port "stick" to it as static addresses and will be placed in the running-config, but when a third address tried to connect, the port would shut down immediately. Note that the sticky addresses only live in the running-config until you save it; if you skip the copy run start and the switch reloads, the port goes back to learning whichever two MACs show up first, which may not be the ones you wanted.
I’ll be going over port security CCENT objectives again in the
configuration examples later in this chapter. They're important!
Let me show you one more example. Figure 10.6 displays a host in a company lobby whose Ethernet cable must be secured so that nobody but a single authorized individual can use it.
FIGURE 10.6
Protecting a PC in a lobby
What can you do to ensure that only the MAC address of the lobby PC is allowed by switch port Fa0/1?
The solution is pretty straightforward because in this case, most of the port security defaults will work well. All I have left to do is change the violation mode and add a static MAC entry:
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security violation restrict
Switch(config-if)#switchport port-security mac-address aabb.ccdd.eeff
To protect the lobby PC, we would set the maximum allowed MAC addresses to 1 and the violation mode to restrict so the port didn't get shut down every time someone tried to use the Ethernet cable (which would be constantly). By using violation restrict, the unauthorized frames would just be dropped, while the violation counter, the log message, and the SNMP trap still tell you that someone tried. But did you notice that I enabled port-security and then set a static MAC address? Remember that as soon as you enable port-security on a port, it defaults to violation shutdown and a maximum of 1. So all I needed to do was change the violation mode and add the static MAC address and our business requirement is solidly met! One caveat worth remembering: port security only checks the source MAC address in each frame, and a visitor who reads the MAC off the lobby PC can set it on their own laptop and walk straight through this control. For real identity checking on a port you need 802.1X, which is beyond this chapter.
Lobby PC Always Being Disconnected Becomes a Security Risk
At a large Fortune 50 company in San Jose, California, there was a PC in the lobby that held the company directory. With no security guard present in the lobby, the Ethernet cable connecting the PC was free game to all vendors, contractors, and visitors waiting in the lobby.
Port security to the rescue! When port security was enabled on the port with the switchport port-security command, the switch port connecting to the PC was automatically secured with the defaults of allowing only one MAC address to associate to the port and violation shutdown. However, the port was always going into the err-disabled state whenever anyone tried to use the Ethernet port. When the violation mode was changed to restrict and a static MAC address was set for the port with the switchport port-security mac-address command, only the lobby PC was able to connect and communicate on the network! Problem solved!
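To make the behaviour of the maximum, violation, and sticky options concrete, here is a small Python model of one secure access port. This is an added example, not IOS code and not from the book: it plays through the lobby PC configuration above and the earlier sticky example, and renders the interface stanza the way IOS would keep it in the running-config. The MAC addresses, the port name, and the wording of the log line are constructed for the example and are not the exact IOS syslog text.

```python
from dataclasses import dataclass, field

# Toy model of Cisco IOS port security on one access port (added example, not IOS code).
# MACs use the dotted-hex form IOS expects (aabb.ccdd.eeff). The log text is illustrative.


@dataclass
class SecurePort:
    name: str = "FastEthernet0/1"
    maximum: int = 1                 # switchport port-security maximum N   (default 1)
    violation: str = "shutdown"      # switchport port-security violation {protect|restrict|shutdown}
    sticky: bool = False             # switchport port-security mac-address sticky
    static: set = field(default_factory=set)   # switchport port-security mac-address H.H.H
    learned: set = field(default_factory=set)  # dynamically (or sticky) learned secure MACs
    err_disabled: bool = False
    violations: int = 0              # the "Security Violation Count" IOS shows
    log: list = field(default_factory=list)    # syslog messages / SNMP traps that would be sent

    def secure_macs(self) -> set:
        return self.static | self.learned

    def ingress(self, src_mac: str) -> str:
        """Process a frame arriving from src_mac. Returns 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"            # nothing passes until shut / no shut
        if src_mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.learned.add(src_mac)        # still room: learn it as a secure MAC
            return "forward"
        # Over the maximum: this is a security violation.
        if self.violation == "protect":
            return "drop"                    # dropped silently: no counter, log or trap
        self.violations += 1
        self.log.append(f"violation on {self.name} caused by {src_mac} ({self.violation})")
        if self.violation == "restrict":
            return "drop"
        self.err_disabled = True             # shutdown mode: the whole port goes err-disabled
        return "err-disabled"

    def shut_no_shut(self) -> None:
        """Operator clears the err-disabled state. Dynamic secure MACs are lost when the
        port bounces; sticky ones survive because they were written to running-config."""
        self.err_disabled = False
        if not self.sticky:
            self.learned.clear()

    def running_config(self) -> list:
        """The interface stanza as IOS would render it (defaults are not shown)."""
        lines = [f"interface {self.name}", " switchport mode access", " switchport port-security"]
        if self.maximum != 1:
            lines.append(f" switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f" switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        lines += [f" switchport port-security mac-address {m}" for m in sorted(self.static)]
        if self.sticky:
            lines += [f" switchport port-security mac-address sticky {m}" for m in sorted(self.learned)]
        return lines


def lobby_port() -> SecurePort:
    """The Figure 10.6 scenario: one static MAC, violation restrict."""
    return SecurePort(violation="restrict", static={"aabb.ccdd.eeff"})


def sticky_port() -> SecurePort:
    """The sticky example: learn the first two MACs, shut down on the third."""
    return SecurePort(maximum=2, violation="shutdown", sticky=True)


if __name__ == "__main__":
    p = lobby_port()
    print(p.ingress("aabb.ccdd.eeff"), p.ingress("0011.2233.4455"), p.violations)
    s = sticky_port()
    for mac in ("0000.1111.aaaa", "0000.1111.bbbb", "0000.1111.cccc"):
        print(mac, s.ingress(mac))
    print("\n".join(s.running_config()))
```

The lobby port keeps forwarding the PC's frames after a visitor's frame is dropped, which is the whole point of restrict; the sticky port still err-disables on the third MAC after a shut/no shut because the two learned addresses were retained, whereas a plain dynamic port forgets them on the bounce.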
Loop Avoidance
Redundant links between switches are important to have in place because
they help prevent nasty network failures in the event that one link stops
working.
But while it’s true that redundant links can be extremely helpful, they can
also cause more problems than they solve! This is because frames can be
flooded down all redundant links simultaneously, creating network loops
as well as other evils. Here’s a list of some of the ugliest problems that can
occur:
If no loop avoidance schemes are put in place, the switches will flood broadcasts endlessly throughout the internetwork. This is sometimes referred to as a broadcast storm. Most of the time, they're referred to in very unprintable ways! Figure 10.7 illustrates how a broadcast can be propagated throughout the network. Observe how a frame is continually being flooded through the internetwork's physical network media.
FIGURE 10.7
Broadcast storm
A device can receive multiple copies of the same frame because that frame can arrive from different segments at the same time. Figure 10.8 demonstrates how a whole bunch of frames can arrive from multiple segments simultaneously. The server in the figure sends a unicast frame to Router C. Because it's a unicast frame, Switch A forwards the frame and Switch B provides the same service: it forwards the unicast. This is bad because it means that Router C receives that unicast frame twice, causing additional overhead on the network.
FIGURE 10.8
Multiple frame copies
You may have thought of this one: The MAC address filter table could be totally confused about the source device's location because the switch can receive the frame from more than one link. Worse, the bewildered switch could get so caught up in constantly updating the MAC filter table with source hardware address locations that it will fail to forward a frame! This is called thrashing the MAC table.
One of the most vile events is when multiple loops propagate throughout a network. Loops can occur within other loops, and if a broadcast storm were to occur simultaneously, the network wouldn't be able to perform frame switching, period!
All of these problems spell disaster or close, and they’re all evil situations
that must be avoided or fixed somehow. That’s where the Spanning Tree
Protocol comes into play. It was actually developed to solve each and
every one of the problems I just told you about!
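The list above describes what happens; a toy model makes the mechanism visible. Below is an added Python simulation (not from the book) of two switches that learn MAC addresses and flood broadcasts exactly as described, with no spanning tree at all. The two-switch, two-host topology and the MAC addresses are constructed for the example. With a single link between the switches a broadcast from HostA reaches HostB once and the run ends; with a second, redundant link the same frame circulates until the simulation budget runs out, HostB keeps receiving copies, and each switch keeps relearning HostA's MAC on a different port, which is the thrashing described above.

```python
from collections import deque

BROADCAST = "ffff.ffff.ffff"


class Switch:
    """A transparent bridge with no spanning tree: learn source MACs per port,
    flood broadcasts and unknown unicasts out every other port."""

    def __init__(self, name):
        self.name = name
        self.links = {}        # port -> (peer, peer_port); peer is a Switch or a host name
        self.mac_table = {}    # mac -> port the MAC was last seen on
        self.flaps = 0         # times a known MAC "moved" to another port (table thrashing)

    def attach(self, port, peer, peer_port=None):
        self.links[port] = (peer, peer_port)

    def forward(self, in_port, src, dst):
        """Learn src on in_port, then return the list of ports the frame goes out of."""
        prev = self.mac_table.get(src)
        if prev is not None and prev != in_port:
            self.flaps += 1
        self.mac_table[src] = in_port
        if dst == BROADCAST or dst not in self.mac_table:
            return [p for p in self.links if p != in_port]   # flood
        out = self.mac_table[dst]
        return [out] if out != in_port else []


def build_network(redundant_link):
    """Constructed topology: HostA - S1 - S2 - HostB, with one or two parallel
    links between S1 and S2."""
    s1, s2 = Switch("S1"), Switch("S2")
    s1.attach(1, "HostA")
    s2.attach(1, "HostB")
    s1.attach(2, s2, 2)
    s2.attach(2, s1, 2)
    if redundant_link:
        s1.attach(3, s2, 3)
        s2.attach(3, s1, 3)
    hosts = {"HostA": (s1, 1), "HostB": (s2, 1)}
    return [s1, s2], hosts


def send(switches, hosts, from_host, src, dst, budget=200):
    """Inject one frame from a host and run the network for at most `budget`
    switching operations. Reports how many copies each host received, whether
    frames were still circulating when the budget ran out (a storm), and how
    often each switch had to move a MAC to another port."""
    deliveries = {h: 0 for h in hosts}
    start_sw, start_port = hosts[from_host]
    queue = deque([(start_sw, start_port, src, dst)])
    switched = 0
    while queue and switched < budget:
        sw, in_port, s, d = queue.popleft()
        switched += 1
        for out in sw.forward(in_port, s, d):
            peer, peer_port = sw.links[out]
            if isinstance(peer, Switch):
                queue.append((peer, peer_port, s, d))
            else:
                deliveries[peer] += 1       # a host received a copy of the frame
    return {
        "deliveries": deliveries,
        "switched": switched,
        "storm": bool(queue),               # work left after the budget: it never converges
        "flaps": {sw.name: sw.flaps for sw in switches},
    }


if __name__ == "__main__":
    for redundant in (False, True):
        net, hosts = build_network(redundant)
        print("redundant link:", redundant, send(net, hosts, "HostA", "0000.aaaa.0001", BROADCAST))
```

Note that in the looped case HostA also gets its own broadcast back, which is exactly what Figure 10.7 shows: the frame returns over the second link and S1 floods it out the host port as well.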
Now that I've explained the issues that can occur when you have redundant links, or when you have links that are improperly implemented, I'm sure you understand how vital it is to prevent them. However, the best solutions are beyond the scope of this chapter and among the territory covered in the more advanced Cisco exam objectives. For now, let's focus on configuring some switching!
Configuring Catalyst Switches
Cisco Catalyst switches come in many flavors; some run 10 Mbps, while
others can speed all the way up to 10 Gbps or higher switched ports with
a combination of twisted-pair and fiber. These newer switches, like the
3850, also have more intelligence, so they can give you data fast—mixed
media services, too!
With that in mind, it’s time to show you how to start up and configure a
Cisco Catalyst switch using the command-line interface (CLI). After you
get the basic commands down in this chapter, I’ll show you how to
configure virtual LANs (VLANs) plus Inter-Switch Link (ISL) and 802.1q
trunking in the next one.
Here’s a list of the basic tasks we’ll be covering next:
Administrative functions
Configuring the IP address and subnet mask
Setting the IP default gateway
Setting port security
Testing and verifying the network
You can learn all about the Cisco family of Catalyst switches at www.cisco.com/en/US/products/hw/switches/index.html.
Catalyst Switch Configuration
But before we actually get into configuring one of the Catalyst switches,
I’ve got to fill you in regarding the boot process of these switches, just as I
did with the routers in Chapter 7, “Managing a Cisco Internetwork.”
Figure 10.9 shows a typical Cisco Catalyst switch, and I need to tell you about the different interfaces and features of this device.
FIGURE 10.9
A Cisco Catalyst switch
The first thing I want to point out is that the console port for the Catalyst switches is typically located on the back of the switch. Yet, on a smaller switch like the 3560 shown in the figure, the console is right in the front to make it easier to use. (The eight-port 2960 looks exactly the same.) If the POST completes successfully, the system LED turns green, but if the POST fails, it will turn amber. And seeing that amber glow is an ominous thing, typically fatal. So you may just want to keep a spare switch around, especially in case it's a production switch that's croaked! The Mode button at the bottom cycles the port LEDs through their display modes; one of those modes shows you which ports are supplying Power over Ethernet (PoE). PoE is a very nice feature of these switches. It allows me to power my access point and phone by just connecting them to the switch with an Ethernet cable. Sweet.
Just as we did with the routers we configured in Chapter 9, "IP Routing," we'll use a diagram and switch setup in this chapter as well as in Chapter 11. Figure 10.10 shows the switched network we'll be working on.
FIGURE 10.10
Our switched network
I’m going to use three 3560 switches, which I also used for demonstration
in Chapter 6, “Cisco’s Internetworking Operating System (IOS),” and
Chapter 7. You can use any layer 2 switches for this chapter to follow the
configuration, but when we get to Chapter 11, you’ll need at least one
router as well as a layer 3 switch, like my 3560.
Now if we connect our switches to each other, as shown in Figure 10.10, remember that first we'll need a crossover cable between the switches. My 3560 switches autodetect the connection type, so I was able to use straight-through cables. But not all switches autodetect the cable type. Different switches have different needs and abilities, so just keep this in mind when connecting your various switches together. Make a note that in the Cisco exam objectives, switches never autodetect!
When you first connect the switch ports to each other, the link lights are
amber and then turn green, indicating normal operation. What you’re
actually watching is spanning-tree converging, and this process takes
around 50 seconds with no extensions enabled. But if you connect into a
switch port and the switch port LED is alternating green and amber, it
means the port is experiencing errors. If this happens, check the host NIC
or the cabling, possibly even the duplex settings on the port to make sure
they match the host setting.
Do We Need to Put an IP Address on a Switch?
Absolutely not! Switches have all ports enabled and ready to rock. Take
the switch out of the box, plug it in, and the switch starts learning MAC
addresses in the CAM. So why would I need an IP address since switches
are providing layer 2 services? Because you still need it for in-band
management purposes! Telnet, SSH, SNMP, etc. all need an IP address in
order to communicate with the switch through the network (in-band).
Remember, since all ports are enabled by default, you need to shut down
unused ports or assign them to an unused VLAN for security reasons.
So where do we put this management IP address the switch needs for management purposes? On what is predictably called the management VLAN interface, a switched virtual interface (SVI) that exists on every Cisco switch as interface Vlan1. This management interface can be changed, and Cisco recommends that you do move management to a different VLAN interface for security purposes, so that management traffic doesn't share the default VLAN with every port that's still at factory settings. No worries, I'll demonstrate how to do this in Chapter 11.
Let’s configure our switches now so you can watch how I configure the
management interfaces on each switch.
S1
We’re going to begin our configuration by connecting into each switch
and setting the administrative functions. We’ll also assign an IP address
to each switch, but as I said, doing that isn’t really necessary to make our
network function. The only reason we’re going to do that is so we can
manage/administer it remotely, via Telnet for example. Let’s use a simple
IP scheme like 192.168.10.16/28. This mask should be familiar to you!
Check out the following output:
Switch>en
Switch#config t
Switch(config)#hostname S1
S1(config)#enable secret todd
S1(config)#int f0/15
S1(config-if)#description 1st connection to S3
S1(config-if)#int f0/16
S1(config-if)#description 2nd connection to S3
S1(config-if)#int f0/17
S1(config-if)#description 1st connection to S2
S1(config-if)#int f0/18
S1(config-if)#description 2nd connection to S2
S1(config-if)#int f0/8
S1(config-if)#desc Connection to IVR
S1(config-if)#line con 0
S1(config-line)#password console
S1(config-line)#login
S1(config-line)#line vty 0 15
S1(config-line)#password telnet
S1(config-line)#login
S1(config-line)#int vlan 1
S1(config-if)#ip address 192.168.10.17 255.255.255.240
S1(config-if)#no shut
S1(config-if)#exit
S1(config)#banner motd #this is my S1 switch#
S1(config)#exit
S1#copy run start
Destination filename [startup-config]?[enter]
Building configuration...
[OK]
S1#
The first thing to notice about this is that there's no IP address configured on the switch's physical interfaces. Since all ports on a switch are enabled by default, there's not really a whole lot to configure! The IP address is configured under a logical interface, called a management domain or VLAN. You can use the default VLAN 1 to manage a switched network just as we're doing here, or you can opt to use a different VLAN for management.
The rest of the configuration is basically the same as the process you go through for router configuration. So remember... no IP addresses on physical switch interfaces, no routing protocols, and so on. We're performing layer 2 switching at this point, not routing! Also, make a note to self that there is no AUX port on Cisco switches.
One security note on the vty lines: with password telnet and login, the switch accepts Telnet sessions, and Telnet sends that password across the network in the clear. That is fine for a lab, but on a production switch you would create a local username, generate RSA keys, and restrict the lines with transport input ssh so that only SSH can reach the management interface.
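Here is an added Python script (not from the book) that reads a running-config like the one just shown and flags the three things this section warns about: vty lines that still accept Telnet with a line password, management addressing left on interface Vlan1, and enabled ports that carry neither port security nor a description. The two configs inside it are constructed; the first mirrors S1's configuration, the second is the same switch after hardening. The checks, the finding names, and the rule that a port with a description counts as intentionally in use are my assumptions, not anything IOS defines.

```python
# Added example (not from the book): a small audit of a Catalyst running-config for the
# points this section raises. Both configs are constructed; WEAK_CONFIG mirrors S1 above.

WEAK_CONFIG = """\
hostname S1
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
!
interface FastEthernet0/2
!
interface FastEthernet0/15
 description 1st connection to S3
!
interface Vlan1
 ip address 192.168.10.17 255.255.255.240
!
line con 0
 password console
 login
line vty 0 15
 password telnet
 login
!
"""

HARDENED_CONFIG = """\
hostname S1
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
!
interface FastEthernet0/2
 shutdown
!
interface FastEthernet0/15
 description 1st connection to S3
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan99
 description management
 ip address 192.168.10.17 255.255.255.240
!
line con 0
 password console
 login
line vty 0 15
 login local
 transport input ssh
!
"""


def parse_ios(text):
    """Split an IOS config into {section header: [indented child lines]}.
    Any non-indented line starts a new section; '!' separators are ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit(text):
    """Return (finding, section) pairs for the three checks below."""
    findings = []
    for header, body in parse_ios(text).items():
        if header.startswith("line vty"):
            # Telnet carries the line password in the clear; flag vty lines that still accept it.
            # Assumption: no explicit 'transport input' means Telnet is reachable.
            transport = next((line for line in body if line.startswith("transport input")), None)
            telnet_ok = transport is None or any(w in transport.split() for w in ("telnet", "all"))
            if telnet_ok and any(line.startswith("password ") for line in body):
                findings.append(("TELNET_VTY", header))
        elif header == "interface Vlan1":
            # Management addressing on the default VLAN 1 (the section says to move it).
            if any(line.startswith("ip address ") for line in body):
                findings.append(("MGMT_ON_VLAN1", header))
        elif header.startswith(("interface FastEthernet", "interface GigabitEthernet")):
            # Heuristic: an enabled port with no description and no port security is an unused
            # port left open (the section says to shut these or park them in an unused VLAN).
            if "shutdown" in body or any(line.startswith("description") for line in body):
                continue
            if not any(line.startswith("switchport port-security") for line in body):
                findings.append(("OPEN_PORT", header))
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print(*finding)
    print("hardened:", audit(HARDENED_CONFIG))
```

The hardened config passes because the unused port is shut, the address has moved off Vlan1, and the vty lines accept only SSH (it still needs a username and RSA keys on the real switch before that transport line will let anyone in).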
S2
Here is the S2 configuration:
Switch#config t
Switch(config)#hostname S2
S2(config)#enable secret todd
S2(config)#int f0/1
S2(config-if)#desc 1st connection to S1
S2(config-if)#int f0/2
S2(config-if)#desc 2nd connection to S1
S2(config-if)#int f0/5
S2(config-if)#desc 1st connection to S3
S2(config-if)#int f0/6
S2(config-if)#desc 2nd connection to S3
S2(config-if)#line con 0
S2(config-line)#password console
S2(config-line)#login
S2(config-line)#line vty 0 15
S2(config-line)#password telnet
S2(config-line)#login
S2(config-line)#int vlan 1
S2(config-if)#ip address 192.168.10.18 255.255.255.240
S2(config-if)#no shut
S2(config-if)#exit
S2(config)#exit
S2#copy run start
Destination filename [startup-config]?[enter]
Building configuration...
[OK]
S2#
We should now be able to ping from S2 to S1. Let’s try it:
S2#ping 192.168.10.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.17, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
S2#
Okay—now why did I get only four pings to work instead of five? The first
period [.] is a time-out, but the exclamation point [!] is a success.
It’s a good question, and here’s your answer: the first ping didn’t work
because of the time that ARP takes to resolve the IP address to its
corresponding hardware MAC address.
S3
Check out the S3 switch configuration:
Switch>en
Switch#config t
Switch(config)#hostname S3
S3(config)#enable secret todd
S3(config)#int f0/1
S3(config-if)#desc 1st connection to S1
S3(config-if)#int f0/2
S3(config-if)#desc 2nd connection to S1
S3(config-if)#int f0/5
S3(config-if)#desc 1st connection to S2
S3(config-if)#int f0/6
S3(config-if)#desc 2nd connection to S2
S3(config-if)#line con 0
S3(config-line)#password console
S3(config-line)#login
S3(config-line)#line vty 0 15
S3(config-line)#password telnet
S3(config-line)#login
S3(config-line)#int vlan 1
S3(config-if)#ip address 192.168.10.19 255.255.255.240
S3(config-if)#no shut
S3(config-if)#exit
S3(config)#banner motd #This is the S3 switch#
S3(config)#