Senior Acquisitions Editor: Kenyon Brown Development Editor: Kim Wimpsett



Todd Lammle CCNA Routing and Switching


exit
S3#copy run start
Destination filename [startup-config]?[enter]
Building configuration...
[OK]
S3#


Now let’s ping to S1 and S2 from the S3 switch and see what happens:

S3#ping 192.168.10.17
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.17, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/9 ms
S3#ping 192.168.10.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.18, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/9 ms
S3#sh ip arp
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  192.168.10.17    0          001c.575e.c8c0  ARPA  Vlan1
Internet  192.168.10.18    0          b414.89d9.18c0  ARPA  Vlan1
Internet  192.168.10.19    -          ecc8.8202.82c0  ARPA  Vlan1
S3#

In the output of the show ip arp command, the dash (-) in the Age (min) column means that the entry is the device's own interface (here the VLAN 1 interface of S3, 192.168.10.19), not a dynamically learned neighbor.

Now, before we move on to verifying the switch configurations, there's one more command you need to know about, even though we don't really need it in our current network because we don't have a router involved. It's the ip default-gateway command. If you want to manage your switches from outside your LAN, you must set a default gateway on the switches just as you would with a host, and you do this from global config. Here's an example where we introduce our router with an IP address using the last IP address in our subnet range:

S3#config t
S3(config)#ip default-gateway 192.168.10.30

Now that we have all three switches basically configured, let's have some fun with them!

Port Security

A secured switch port can associate anywhere from 1 to 8,192 MAC addresses, but the 3560s I am using can support only 6,144, which seems like way more than enough to me. You can choose to allow the switch to learn these values dynamically, or you can set static addresses for each port using the switchport port-security mac-address mac-address command.

So let's set port security on our S3 switch now. Ports Fa0/3 and Fa0/4 will have only one device connected in our lab. By using port security, we're assured that no other device can connect once our hosts in ports Fa0/3 and in Fa0/4 are connected. Here's how to easily do that with just a couple commands:

S3#config t
S3(config)#int range f0/3-4
S3(config-if-range)#switchport mode access
S3(config-if-range)#switchport port-security
S3(config-if-range)#do show port-security int f0/3
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0

The first command sets the mode of the ports to "access" ports. These ports must be access or trunk ports to enable port security. By using the command switchport port-security on the interface, I've enabled port security with a maximum MAC address of 1 and violation of shutdown. These are the defaults, and you can see them in the output of the show port-security int f0/3 command in the preceding code.

Port security is enabled, as displayed on the first line, but the second line shows Secure-down because I haven't connected my hosts into the ports yet. Once I do, the status will show Secure-up and would become Secure-shutdown if a violation occurs.

I've just got to point out this all-so-important fact one more time: It's very important to remember that you can set parameters for port security but it won't work until you enable port security at the interface level. Notice the output for port F0/6:

S3#config t
S3(config)#int range f0/6
S3(config-if-range)#switchport mode access
S3(config-if-range)#switchport port-security violation restrict
S3(config-if-range)#do show port-security int f0/6
Port Security              : Disabled
Port Status                : Secure-up
Violation Mode             : restrict
[output cut]

Port Fa0/6 has been configured with a violation of restrict, but the first line shows that port security has not been enabled on the port yet. Remember, you must use this command at interface level to enable port security on a port:

S3(config-if-range)#switchport port-security

There are two other modes you can use instead of just shutting down the port. The restrict and protect modes mean that another host can connect up to the maximum MAC addresses allowed, but after the maximum has been met, all frames from additional addresses will just be dropped and the port won't be shut down. The difference between them is that protect drops silently, while restrict also logs the violation and increments the security violation counter. Additionally, both the restrict and shutdown violation modes alert you via SNMP that a violation has occurred on a port. You can then call the abuser and tell them they're so busted—you can see them, you know what they did, and they're in serious trouble!
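To make the three violation modes concrete, here is an added Python model (not code from the book or from Cisco IOS) of how a secured port with the default maximum of 1 handles frames under protect, restrict and shutdown. The frame sequence, the port names and the list standing in for SNMP traps are constructed for the demonstration; the model also shows that configured parameters do nothing until port security is enabled on the interface, and that a shutdown / no shutdown clears Secure-shutdown.

```python
"""Model of Cisco port-security violation handling (added example, not
code from the book). A port that allows `maximum` secure MACs sees a frame
from an extra source MAC: protect drops it silently, restrict drops it and
counts/traps, shutdown err-disables the port."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                  # IOS default: one secure MAC
    violation: str = "shutdown"       # IOS default violation mode
    enabled: bool = True              # 'switchport port-security' applied?
    secure_macs: set = field(default_factory=set)
    violation_count: int = 0
    last_source: str = "0000.0000.0000"
    status: str = "Secure-down"       # Secure-down / Secure-up / Secure-shutdown
    traps: list = field(default_factory=list)   # stands in for SNMP traps

    def receive(self, src_mac: str) -> str:
        """Process one ingress frame and return the action taken."""
        if not self.enabled:
            return "forward"          # parameters alone do nothing
        if self.status == "Secure-shutdown":
            return "drop"             # an err-disabled port passes nothing
        self.last_source = src_mac
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)       # dynamic learning
            self.status = "Secure-up"
            return "forward"
        # A MAC beyond the maximum: this is a violation
        if self.violation == "protect":
            return "drop"             # silent: no counter, no trap
        self.violation_count += 1
        if self.violation == "restrict":
            self.traps.append(f"{self.name}: violation from {src_mac}")
            return "drop"
        self.status = "Secure-shutdown"
        self.traps.append(f"{self.name}: err-disabled by {src_mac}")
        return "errdisable"

    def bounce(self) -> None:
        """'shutdown' followed by 'no shutdown': the port comes back up and
        dynamically learned (non-sticky) secure MACs are forgotten."""
        self.secure_macs.clear()
        self.status = "Secure-down"


# Constructed frame sequence: host A, host A again, an intruder B, host A.
FRAMES = ["aaaa.aaaa.0001", "aaaa.aaaa.0001", "bbbb.bbbb.0002", "aaaa.aaaa.0001"]


def run_scenario(mode: str) -> tuple:
    """Feed FRAMES through a max-1 port in the given violation mode."""
    port = SecurePort("Fa0/3", maximum=1, violation=mode)
    actions = [port.receive(mac) for mac in FRAMES]
    return actions, port


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        actions, port = run_scenario(mode)
        print(f"{mode:9} {actions} status={port.status} "
              f"violations={port.violation_count} traps={len(port.traps)}")
```

Running the block prints one line per mode; only shutdown leaves the port in Secure-shutdown, and only restrict and shutdown raise a trap, which matches the behaviour the chapter describes.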

If you've configured ports with the violation shutdown command, then the ports will look like this when a violation occurs:

S3#sh port-security int f0/3
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 2
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0013:0ca69:00bb3:00ba8:1
Security Violation Count   : 1

Here you can see that the port is in Secure-shutdown mode and the light for the port would be amber. To enable the port again, you'd need to do the following:

S3(config-if)#shutdown
S3(config-if)#no shutdown

Let's verify our switch configurations before we move on to VLANs in the next chapter. Beware that even though some switches will show err-disabled instead of Secure-shutdown as my switch shows, there is no difference between the two.
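The checks this section walks through by eye (port security configured but not enabled, a port sitting in Secure-shutdown or err-disabled, a non-zero violation count) can be scripted over saved show output. The following Python is an added example, not the book's or Cisco's code: it parses the Field : Value lines of show port-security interface into a dictionary and reports findings. The three sample outputs are copied from this section with the [output cut] lines omitted; the port names handed to audit_port are constructed labels.

```python
"""Audit 'show port-security interface' output (added example, not from the
book). Splits each 'Field : Value' line on the ' : ' separator so the
'Last Source Address:Vlan' field keeps its embedded colon."""

# Copied from the chapter: defaults right after 'switchport port-security'
SAMPLE_F03_DEFAULT = """\
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

# Copied from the chapter: violation mode set, but port security never enabled
SAMPLE_F06_RESTRICT = """\
Port Security : Disabled
Port Status : Secure-up
Violation Mode : restrict
"""

# Copied from the chapter: the port after a shutdown-mode violation
SAMPLE_F03_SHUTDOWN = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 2
Last Source Address:Vlan   : 0013:0ca69:00bb3:00ba8:1
Security Violation Count   : 1
"""


def parse_port_security(text: str) -> dict:
    """Return {field: value} for every 'Field : Value' line."""
    fields = {}
    for line in text.splitlines():
        if " : " not in line:
            continue                      # headers, '[output cut]', blanks
        key, value = line.split(" : ", 1)
        fields[key.strip()] = value.strip()
    return fields


def audit_port(port: str, fields: dict) -> list:
    """Findings an administrator would want to act on for one port."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append(
            f"{port}: port security is not enabled; 'violation "
            f"{fields.get('Violation Mode', '?')}' has no effect until "
            "'switchport port-security' is applied")
    status = fields.get("Port Status", "")
    # Some platforms print err-disabled instead of Secure-shutdown
    if status.lower() in ("secure-shutdown", "err-disabled"):
        findings.append(
            f"{port}: port is {status} (last source "
            f"{fields.get('Last Source Address:Vlan', '?')}); clear with "
            "shutdown / no shutdown once the source is identified")
    violations = int(fields.get("Security Violation Count", "0") or 0)
    if violations > 0:
        findings.append(f"{port}: {violations} violation(s) recorded")
    return findings


def audit_all(samples: dict) -> dict:
    """Map each port label to its findings (empty list means clean)."""
    return {port: audit_port(port, parse_port_security(text))
            for port, text in samples.items()}


if __name__ == "__main__":
    report = audit_all({"Fa0/3 (new)": SAMPLE_F03_DEFAULT,
                        "Fa0/6": SAMPLE_F06_RESTRICT,
                        "Fa0/3 (after violation)": SAMPLE_F03_SHUTDOWN})
    for port, findings in report.items():
        print(port, "->", findings or "clean")
```

The split on " : " rather than ":" is deliberate: the Last Source Address:Vlan field contains a colon in its name and another in its value, so a naive split would mangle it.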

Verifying Cisco Catalyst Switches

The first thing I like to do with any router or switch is to run through the configurations with a show running-config command. Why? Because doing this gives me a really great overview of each device. But it is time consuming, and showing you all the configs would take up way too many pages in this book. Besides, we can instead run other commands that will still stock us up with really good information.

For example, to verify the IP address set on a switch, we can use the show interface command. Here's the output:

S3#sh int vlan 1
Vlan1 is up, line protocol is up
  Hardware is EtherSVI, address is ecc8.8202.82c0 (bia ecc8.8202.82c0)
  Internet address is 192.168.10.19/28
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
[output cut]

The previous output shows the interface is in up/up status. Remember to always check this interface, either with this command or the show ip interface brief command. Lots of people tend to forget that this interface is shutdown by default.

Never forget that IP addresses aren't needed on a switch for it to operate. The only reason we would set an IP address, mask, and default gateway is for management purposes.



show mac address-table

I'm sure you remember being shown this command earlier in the chapter. Using it displays the forward filter table, also called a content addressable memory (CAM) table. Here's the output from the S1 switch:

S3#sh mac address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
[output cut]
   1    000e.83b2.e34b    DYNAMIC     Fa0/1
   1    0011.1191.556f    DYNAMIC     Fa0/1
   1    0011.3206.25cb    DYNAMIC     Fa0/1
   1    001a.2f55.c9e8    DYNAMIC     Fa0/1
   1    001a.4d55.2f7e    DYNAMIC     Fa0/1
   1    001c.575e.c891    DYNAMIC     Fa0/1
   1    b414.89d9.1886    DYNAMIC     Fa0/5
   1    b414.89d9.1887    DYNAMIC     Fa0/6

The switches use things called base MAC addresses, which are assigned to the CPU. The first one listed is the base MAC address of the switch. From the preceding output, you can see that we have six MAC addresses dynamically assigned to Fa0/1, meaning that port Fa0/1 is connected to another switch. Ports Fa0/5 and Fa0/6 only have one MAC address assigned, and all ports are assigned to VLAN 1.

Let's take a look at the S2 switch CAM and see what we can find out.

S2#sh mac address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
[output cut]
   1    000e.83b2.e34b    DYNAMIC     Fa0/5
   1    0011.1191.556f    DYNAMIC     Fa0/5
   1    0011.3206.25cb    DYNAMIC     Fa0/5
   1    001a.4d55.2f7e    DYNAMIC     Fa0/5
   1    581f.aaff.86b8    DYNAMIC     Fa0/5
   1    ecc8.8202.8286    DYNAMIC     Fa0/5
   1    ecc8.8202.82c0    DYNAMIC     Fa0/5
Total Mac Addresses for this criterion: 27
S2#

This output tells us that we have seven MAC addresses assigned to Fa0/5, which is our connection to S3. But where's port 6? Since port 6 is a redundant link to S3, STP placed Fa0/6 into blocking mode.
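As an added example (not the book's code), here is a Python parser for show mac address-table output that does what the discussion above does by hand: it groups learned MACs per port, treats a port with several dynamic MACs as a probable link to another switch, and checks a planned port-security maximum against what each port has already learned, which tells you before you enable port security which ports would violate immediately. The table is a copy of the S3 output shown earlier in this section; PLANNED_MAX is a constructed assumption.

```python
"""Parse 'show mac address-table' and reason about ports (added example,
not from the book)."""
import re
from collections import defaultdict

# Copy of the S3 table from the chapter (the '[output cut]' line dropped)
S3_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
   1    000e.83b2.e34b    DYNAMIC     Fa0/1
   1    0011.1191.556f    DYNAMIC     Fa0/1
   1    0011.3206.25cb    DYNAMIC     Fa0/1
   1    001a.2f55.c9e8    DYNAMIC     Fa0/1
   1    001a.4d55.2f7e    DYNAMIC     Fa0/1
   1    001c.575e.c891    DYNAMIC     Fa0/1
   1    b414.89d9.1886    DYNAMIC     Fa0/5
   1    b414.89d9.1887    DYNAMIC     Fa0/6
"""

# Constructed assumption: the admin plans the IOS default maximum of 1
# on every port, including the uplink.
PLANNED_MAX = {"Fa0/1": 1, "Fa0/5": 1, "Fa0/6": 1}

# One table row: vlan, dotted-hex MAC, STATIC/DYNAMIC, port
MAC_ROW = re.compile(
    r"^\s*(?P<vlan>\S+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>STATIC|DYNAMIC)\s+(?P<port>\S+)\s*$", re.IGNORECASE)


def parse_mac_table(text: str) -> list:
    """Return one dict per table row; headers and footers are ignored."""
    return [m.groupdict() for m in map(MAC_ROW.match, text.splitlines()) if m]


def macs_per_port(rows: list) -> dict:
    """Group MACs by physical port, skipping the switch's own CPU entry."""
    per_port = defaultdict(list)
    for row in rows:
        if row["port"].upper() == "CPU":
            continue
        per_port[row["port"]].append(row["mac"].lower())
    return dict(per_port)


def classify_ports(per_port: dict, uplink_threshold: int = 2) -> dict:
    """Several dynamic MACs on one port means another switch sits behind it."""
    return {port: ("uplink" if len(macs) >= uplink_threshold else "host")
            for port, macs in per_port.items()}


def exceeds_planned_max(per_port: dict, planned_max: dict) -> list:
    """Ports whose learned MAC count already beats the planned maximum:
    enabling 'maximum N' port security there would violate at once."""
    return sorted(port for port, macs in per_port.items()
                  if len(macs) > planned_max.get(port, 1))


if __name__ == "__main__":
    per_port = macs_per_port(parse_mac_table(S3_MAC_TABLE))
    for port, kind in classify_ports(per_port).items():
        print(f"{port}: {len(per_port[port])} MAC(s), looks like a {kind}")
    print("would violate a max-1 policy:", exceeds_planned_max(per_port, PLANNED_MAX))
```

On the S3 table this reports Fa0/1 as an uplink carrying six MACs and flags it as the one port where a maximum of 1 would be wrong, which is exactly why the chapter enables port security only on the host-facing Fa0/3 and Fa0/4.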



Assigning Static MAC Addresses

You can set a static MAC address in the MAC address table, but like setting static MAC port security without the sticky command, it's a ton of work. Just in case you want to do it, here's how it's done:

S3(config)#mac address-table ?
  aging-time    Set MAC address table entry maximum age
  learning      Enable MAC table learning feature
  move          Move keyword
  notification  Enable/Disable MAC Notification on the switch
  static        static keyword
S3(config)#mac address-table static aaaa.bbbb.cccc vlan 1 int fa0/7
S3(config)#do show mac address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
[output cut]
   1    000e.83b2.e34b    DYNAMIC     Fa0/1
   1    0011.1191.556f    DYNAMIC     Fa0/1
   1    0011.3206.25cb    DYNAMIC     Fa0/1
   1    001a.4d55.2f7e    DYNAMIC     Fa0/1
   1    001b.d40a.0538    DYNAMIC     Fa0/1
   1    001c.575e.c891    DYNAMIC     Fa0/1
   1    aaaa.bbbb.0ccc    STATIC      Fa0/7
[output cut]
Total Mac Addresses for this criterion: 59

As shown on the left side of the output, you can see that a static MAC address has now been assigned permanently to interface Fa0/7 and that it's also been assigned to VLAN 1 only.

Now admit it—this chapter had a lot of great information, and you really did learn a lot and, well, maybe even had a little fun along the way too! You've now configured and verified all switches and set port security. That means you're now ready to learn all about virtual LANs! I'm going to save all our switch configurations so we'll be able to start right from here in Chapter 11.

Summary

In this chapter, I talked about the differences between switches and bridges and how they both work at layer 2. They create MAC address forward/filter tables in order to make decisions on whether to forward or flood a frame.

Although everything in this chapter is important, I wrote two port-security sections—one to provide a foundation and one with a configuration example. You must know both these sections in detail.

I also covered some problems that can occur if you have multiple links between bridges (switches).

Finally, I covered detailed configuration of Cisco's Catalyst switches, including verifying the configuration.



Exam Essentials

Remember the three switch functions. Address learning, forward/filter decisions, and loop avoidance are the functions of a switch.

Remember the command show mac address-table. The command show mac address-table will show you the forward/filter table used on the LAN switch.

Understand the reason for port security. Port security restricts access to a switch based on MAC addresses.

Know the command to enable port security. To enable port security on a port, you must first make sure the port is an access port with switchport mode access and then use the switchport port-security command at the interface level. You can set the port security parameters before or after enabling port security.

Know the commands to verify port security. To verify port security, use the show port-security, show port-security interface interface, and show running-config commands.



Written Lab 10

In this section, you'll complete the following lab to make sure you've got the information and concepts contained within them fully dialed in:

Lab 10.1: Layer 2 Switching

You can find the answers to this lab in Appendix A, "Answers to Written Labs."

Write the answers to the following questions:

1.  What command will show you the forward/filter table?

2.  If a destination MAC address is not in the forward/filter table, what will the switch do with the frame?

3.  What are the three switch functions at layer 2?

4.  If a frame is received on a switch port and the source MAC address is not in the forward/filter table, what will the switch do?

5.  What are the default modes for a switch port configured with port security?

6.  Which two violation modes send out an SNMP trap?

7.  Which violation mode drops packets with unknown source addresses until you remove enough secure MAC addresses to drop below the maximum but also generates a log message, causes the security violation counter to increment, and sends an SNMP trap but does not disable the port?

8.  What does the sticky keyword in the port-security command provide?

9.  What two commands can you use to verify that port security has been configured on a port FastEthernet 0/12 on a switch?

10.  True/False: The layer 2 switch must have an IP address set and the PCs connecting to the switch must use that address as their default gateway.

Hands-on Labs

In this section, you will use the following switched network to configure your switching labs. You can use any Cisco switches to do this lab, as well as the LammleSim IOS version simulator found at www.lammle.com/ccna. They do not need to be multilayer switches, just layer 2 switches.

The first lab (Lab 10.1) requires you to configure three switches, and then you will verify them in Lab 10.2.

The labs in this chapter are as follows:

Hands-on Lab 10.1: Configuring Layer 2 Switches
Hands-on Lab 10.2: Verifying Layer 2 Switches
Hands-on Lab 10.3: Configuring Port Security

Lab 10.1: Configuring Layer 2 Switches


In this lab, you will configure the three switches in the graphic:

1.  Connect to the S1 switch and configure the following, not in any particular order:

Hostname
Banner
Interface description
Passwords
IP address, subnet mask, default gateway

Switch>en
Switch#config t
Switch(config)#hostname S1
S1(config)#enable secret todd
S1(config)#int f0/15
S1(config-if)#description 1st connection to S3
S1(config-if)#int f0/16
S1(config-if)#description 2nd connection to S3
S1(config-if)#int f0/17
S1(config-if)#description 1st connection to S2
S1(config-if)#int f0/18
S1(config-if)#description 2nd connection to S2
S1(config-if)#int f0/8
S1(config-if)#desc Connection to IVR
S1(config-if)#line con 0
S1(config-line)#password console
S1(config-line)#login
S1(config-line)#line vty 0 15
S1(config-line)#password telnet
S1(config-line)#login
S1(config-line)#int vlan 1
S1(config-if)#ip address 192.168.10.17 255.255.255.240
S1(config-if)#no shut
S1(config-if)#exit
S1(config)#banner motd #this is my S1 switch#
S1(config)#exit
S1#copy run start
Destination filename [startup-config]?[enter]
Building configuration...

2.  Connect to the S2 switch and configure all the settings you used in step 1. Do not forget to use a different IP address on the switch.

3.  Connect to the S3 switch and configure all the settings you used in steps 1 and 2. Do not forget to use a different IP address on the switch.



Lab 10.2: Verifying Layer 2 Switches

Once you configure a device, you must be able to verify it.

1.  Connect to each switch and verify the management interface.

S1#sh interface vlan 1

2.  Connect to each switch and verify the CAM.

S1#sh mac address-table

3.  Verify your configurations with the following commands:

S1#sh running-config
S1#sh ip int brief

Lab 10.3: Configuring Port Security

Port security is a big Cisco objective. Do not skip this lab!

1.  Connect to your S3 switch.

2.  Configure port Fa0/3 with port security.

S3#config t
S3(config)#int fa0/3
S3(config-if)#switchport mode access
S3(config-if)#switchport port-security

3.  Check your default setting for port security.

S3#show port-security int f0/3

4.  Change the settings to have a maximum of two MAC addresses that can associate to interface Fa0/3.

S3#config t
S3(config)#int fa0/3
S3(config-if)#switchport port-security maximum 2

5.  Change the violation mode to restrict.

S3#config t
S3(config)#int fa0/3
S3(config-if)#switchport port-security violation restrict

6.  Verify your configuration with the following commands:

S3#show port-security
S3#show port-security int fa0/3
S3#show running-config

Review Questions

The following questions are designed to test your understanding of this chapter's material. For more information on how to get additional questions, please see www.lammle.com/ccna.

You can find the answers to these questions in Appendix B, "Answers to Review Questions."

1.  Which of the following statements is not true with regard to layer 2 switching?

A.  Layer 2 switches and bridges are faster than routers because they don't take up time looking at the Data Link layer header information.
B.  Layer 2 switches and bridges look at the frame's hardware addresses before deciding to either forward, flood, or drop the frame.
C.  Switches create private, dedicated collision domains and provide independent bandwidth on each port.
D.  Switches use application-specific integrated circuits (ASICs) to build and maintain their MAC filter tables.

2.  List the two commands that generated the last entry in the MAC address table shown.

          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
[output cut]
   1    000e.83b2.e34b    DYNAMIC     Fa0/1
   1    0011.1191.556f    DYNAMIC     Fa0/1
   1    0011.3206.25cb    DYNAMIC     Fa0/1
   1    001a.4d55.2f7e    DYNAMIC     Fa0/1
   1    001b.d40a.0538    DYNAMIC     Fa0/1
   1    001c.575e.c891    DYNAMIC     Fa0/1
   1    aaaa.bbbb.0ccc    STATIC      Fa0/7

3.  In the diagram shown, what will the switch do if a frame with a destination MAC address of 000a.f467.63b1 is received on Fa0/4? (Choose all that apply.)

A.  Drop the frame.
B.  Send the frame out of Fa0/3.
C.  Send the frame out of Fa0/4.
D.  Send the frame out of Fa0/5.
E.  Send the frame out of Fa0/6.

4.  Write the command that generated the following output.

          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0100.0ccc.cccc    STATIC      CPU
[output cut]
   1    000e.83b2.e34b    DYNAMIC     Fa0/1
   1    0011.1191.556f    DYNAMIC     Fa0/1
   1    0011.3206.25cb    DYNAMIC     Fa0/1
   1    001a.2f55.c9e8    DYNAMIC     Fa0/1
   1    001a.4d55.2f7e    DYNAMIC     Fa0/1
   1    001c.575e.c891    DYNAMIC     Fa0/1
   1    b414.89d9.1886    DYNAMIC     Fa0/5
   1    b414.89d9.1887    DYNAMIC     Fa0/6

5.  In the work area in the following graphic, draw the functions of a switch from the list on the left to the right.

6.  What statement(s) is/are true about the output shown here? (Choose all that apply.)

S3#

