Chapter 9 - Ethernet Switch Configuration
• Configuration Features in Common with Routers
• LAN Switch Configuration and Operation

Do I know this? Go through the quiz (5 minutes).
1. Imagine that you have configured the enable secret command, followed by the enable password command, from the console. You log out of the switch and log back in at the console. Which command defines the password that you had to enter to access privileged mode?
a. enable password
b. enable secret
c. Neither
d. The password command, if it's configured
Answer: B
2. An engineer had formerly configured a Cisco 2960 switch to allow Telnet access so that the switch expected a password of mypassword from the Telnet user. The engineer then changed the configuration to support Secure Shell. Which of the following commands could have been part of the new configuration?
a. A username name password password command in vty config mode
b. A username name password password global configuration command
c. A transport input ssh command in vty config mode
d. A transport input ssh global configuration command
Answer: B, C
3. The following command was copied and pasted into configuration mode when a user was telnetted into a Cisco switch: banner login this is the login banner
Which of the following are true about what occurs the next time a user logs in from the console?
a. No banner text is displayed.
b. The banner text "his is" is displayed.
c. The banner text "this is the login banner" is displayed.
d. The banner text "Login banner configured, no text defined" is displayed.
Answer: B (the first character after "banner login" is taken as the delimiter, here the "t" of "this", so the text ends at the next "t", the one in "the")
4. Which of the following is not required when configuring port security without sticky learning?
a. Setting the maximum number of allowed MAC addresses on the interface with the switchport port-security maximum interface subcommand
b. Enabling port security with the switchport port-security interface subcommand
c. Defining the allowed MAC addresses using the switchport port-security mac-address interface subcommand
d. All of the other answers list required commands
Answer: A (the maximum defaults to 1, so it only needs to be set when more than one address is allowed)
5. An engineer's desktop PC connects to a switch at the main site. A router at the main site connects to each branch office via a serial link, with one small router and switch at each branch. Which of the following commands must be configured, in the listed configuration mode, to allow the engineer to telnet to the branch office switches?
a. The ip address command in VLAN 1 configuration mode
b. The ip address command in global configuration mode
c. The ip default-gateway command in VLAN 1 configuration mode
d. The ip default-gateway command in global configuration mode
e. The password command in console line configuration mode
f. The password command in vty line configuration mode
Answer: A, D, F
6. Which of the following describes a way to disable IEEE standard autonegotiation on a 10/100 port on a Cisco switch?
a. Configure the negotiate disable interface subcommand
b. Configure the no negotiate interface subcommand
c. Configure the speed 100 interface subcommand
d. Configure the duplex half interface subcommand
e. Configure the duplex full interface subcommand
f. Configure the speed 100 and duplex full interface subcommands
Answer: F
7. In which of the following modes of the CLI could you configure the duplex setting for interface fastethernet 0/5?
a. User mode
b. Enable mode
c. Global configuration mode
d. Setup mode
e. Interface configuration mode
Answer: E
8. The show vlan brief command lists the following output:
2 my-vlan active Fa0/13, Fa0/15
Which of the following commands could have been used as part of the configuration for this switch?
a. The vlan 2 global configuration command
b. The name MY-VLAN vlan subcommand
c. The interface range Fa0/13 - 15 global configuration command
d. The switchport vlan 2 interface subcommand
Answer: A
Securing the CLI
• Console access is physical access: anyone at the console can run the password-recovery procedure, so a console password only keeps out casual users
• For Telnet and SSH the switch needs an IP address, the vty lines need a login method and a password, and enable or enable secret must be set, otherwise a remote user cannot enter privileged mode

Basic password security
• Different passwords apply to different access paths
• line console 0: protects the console port
• line vty 0 15: protects Telnet and SSH sessions
SSH Configuration
• Must allow SSH on the vty lines (transport input) and generate the RSA keys
• username wendell password hope
  Local username and password (used by login local)
• ip domain-name example.com
  Domain name; required before key generation because the key pair is named hostname.domain-name (the hostname must also be changed from the default)
• crypto key generate rsa
  Generate the RSA key pair that SSH uses
• line vty 0 15
  Enter vty line configuration (Telnet and SSH sessions)
• login local
  Authenticate against the local usernames instead of a line password
• transport input telnet ssh
  Accept both Telnet and SSH; to accept SSH only (Telnet sends the password in clear text), use transport input ssh
Password Encryption
• Line passwords and username passwords are stored in clear text in the configuration
• Anyone who reads or backs up the saved config gets them
• service password-encryption
  Encodes every such password in the configuration (the type 7 encoding); this hides them from onlookers but is trivially reversible, so it is not a substitute for enable secret
• no service password-encryption
  Stops encoding new passwords; passwords already encoded stay encoded until they are re-entered in clear text

Enable and Enable Secret
• If both are configured, enable secret is used and enable password is ignored
• enable secret is stored as a salted hash by default, without needing service password-encryption, and cannot be reversed the way type 7 can
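The previous two slides say that service password-encryption protects saved passwords and that enable secret is stronger. The following is an added example written for this page, not code from the slides or from Cisco: it implements the reversible type 7 encoding that service password-encryption applies to line and username passwords, then walks a constructed config and recovers every password 7 entry, while leaving enable secret alone because that is a salted hash rather than an encoding. The key constant is the publicly known type 7 key; the function names and the sample config lines are this example's own, and the one fixed sample string (0822455D0A16, which decodes to cisco) is the widely quoted reference value.

```python
"""Type 7 password encoding as used by `service password-encryption`.
Added example for this page (not Cisco code, not from the slides)."""
import re

# Fixed, publicly known key of the type 7 scheme: a repeating-key XOR.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Decode a type 7 string, e.g. '0822455D0A16' -> 'cisco'.

    Format: two decimal digits (offset into the key), then hex bytes,
    each XORed with the key byte at the running offset.
    """
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type 7 string: %r" % encoded)
    seed = int(encoded[:2])
    if seed >= len(_TYPE7_KEY):
        raise ValueError("type 7 offset out of range: %d" % seed)
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(data))
    return plain.decode("ascii")


def type7_encode(password: str, seed: int = 8) -> str:
    """Encode the same way; IOS picks the offset itself, 8 is just a sample."""
    if not 0 <= seed < len(_TYPE7_KEY):
        raise ValueError("offset must be in 0..%d" % (len(_TYPE7_KEY) - 1))
    raw = password.encode("ascii")
    enc = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                for i, b in enumerate(raw))
    return "%02d%s" % (seed, enc.hex().upper())


def recover_type7(config: str) -> list:
    """Walk a saved config and decode every `password 7 <hex>` line.

    Returns (context, plaintext) pairs, where context is the enclosing
    top-level line (e.g. 'line vty 0 15').  `enable secret 5 ...` lines
    are hashes, not type 7 strings, so they are deliberately skipped.
    """
    found = []
    context = "global"
    for line in config.splitlines():
        if line and not line.startswith(" "):
            context = line.strip()
        m = re.search(r"\bpassword 7 ([0-9A-Fa-f]+)\s*$", line)
        if m:
            found.append((context, type7_decode(m.group(1))))
    return found


# Constructed sample config (not captured from a real device).
SAMPLE_CONFIG = "\n".join([
    "service password-encryption",
    "username wendell password 7 " + type7_encode("hope", 5),
    "line con 0",
    " password 7 " + type7_encode("faith", 12),
    " login",
    "line vty 0 15",
    " password 7 0822455D0A16",   # widely quoted sample: decodes to 'cisco'
    " login",
])

if __name__ == "__main__":
    for where, plain in recover_type7(SAMPLE_CONFIG):
        print("%-44s -> %s" % (where, plain))
```

Running it prints the three recovered passwords next to the line they protect. The point of the exercise is the asymmetry: anything written as password 7 is recoverable by whoever holds the config file, so treat a leaked config as a leaked password list, while enable secret (and, where the platform offers them, the type 8 and 9 secrets) has to be attacked by guessing.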
Console and VTY settings
• Banners, in the order a user sees them
• MOTD: shown first, as soon as the connection opens
• Login: shown before the username/password prompt
• Exec: shown after a successful login, when the EXEC session starts

Logging Synchronous and Exec Timeout
• The switch writes log messages to the terminal, even while you are typing a command
• logging synchronous
  Redisplays the prompt and the partial command after a log message instead of leaving it buried in the output
• Inactivity timeout: how long an idle session stays open before the switch ends it
• exec-timeout minutes [seconds]
  Line subcommand; exec-timeout 0 0 disables the timeout (convenient in a lab, a bad idea on a production switch)
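Quiz question 3 and the banner slide above turn on one parsing rule: the first non-blank character after the banner type is the delimiter, and the text ends at its next occurrence. The following is an added model of that rule written for this page (not Cisco code); the function parse_banner and the two constructed command lines are this example's own.

```python
"""How IOS reads a one-line `banner` command: the first non-blank character
after the banner type is the delimiter and the text ends at its next
occurrence.  Added model for this page, not Cisco code."""

BANNER_KINDS = ("motd", "login", "exec")


def parse_banner(line: str):
    """Return (kind, delimiter, text, leftover) for one banner command line.

    kind is motd/login/exec, text is what will be displayed, leftover is
    whatever followed the closing delimiter (IOS would try to run it as
    the next command).  leftover is None when no closing delimiter is on
    the line; IOS then keeps reading banner text from the following lines.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 3 or parts[0] != "banner" or parts[1] not in BANNER_KINDS:
        raise ValueError("not a one-line banner command: %r" % line)
    kind, rest = parts[1], parts[2]
    delim, body = rest[0], rest[1:]     # first character is the delimiter
    end = body.find(delim)              # next occurrence closes the banner
    if end == -1:
        return kind, delim, body, None
    return kind, delim, body[:end], body[end + 1:]


# Constructed inputs: the quiz command as pasted, and the same text with an
# explicit '#' delimiter that does not occur inside the banner.
PASTED = "banner login this is the login banner"
SAFE = "banner login #this is the login banner#"

if __name__ == "__main__":
    for cmd in (PASTED, SAFE):
        kind, delim, text, rest = parse_banner(cmd)
        print("%-6s delim=%r text=%r leftover=%r" % (kind, delim, text, rest))
```

For the pasted quiz command the delimiter becomes "t", the banner text is "his is " and the remainder "he login banner" is handed to the parser as a command, which is why only "his is" appears at the next console login. Pick a delimiter character that cannot appear in the banner text.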
Switch IP config
• A switch does not need an IP address to forward frames
• An IP address is needed only to administer the switch over the network: Telnet, SSH
• Configure an IP address and mask, and a default gateway

Basic Switch Config
• The management IP address goes on the VLAN 1 interface (a virtual interface), not on a physical port; the switch is reachable through any port in VLAN 1
configure terminal
interface vlan 1
ip address XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX
no shutdown
• The two XXX values are the address and the subnet mask

Default Gateway
• Needed only when the switch must talk to (or be reached from) another subnet
configure terminal
ip default-gateway XXX.XXX.XXX.XXX

Switch uses DHCP
• The switch can instead request its address with DHCP
configure terminal
interface vlan 1
ip address dhcp
• No ip default-gateway command is needed in this case; the DHCP lease supplies the default gateway

Switch Interfaces
• The Ethernet ports are called interfaces
• Can be configured when necessary: description, speed (10 or 100), duplex (half or full)
configure terminal
interface FastEthernet 0/#
• # is the port number you want to configure; description, speed and duplex are interface subcommands entered at this point
Port Security
• Limits the number of MAC addresses the switch will allow in the MAC address table for a port
• MAC addresses can be configured statically for the port instead of being learned

Port Security
• switchport mode access
  Make the port a static access port in a single VLAN (port security needs a static access or trunk port, not one that negotiates dynamically)
• switchport port-security
  Enable port security on the port
• switchport port-security maximum number
  Maximum number of addresses allowed on the port (default 1)
• switchport port-security violation {protect | restrict | shutdown}
  What to do when a frame arrives from an address beyond the limit: protect drops it silently, restrict drops it and counts/logs it, shutdown (the default) err-disables the port
• switchport port-security mac-address mac-address
  Configure an allowed MAC address statically
• switchport port-security mac-address sticky
  Learn addresses dynamically (up to the maximum) and write them into the running-config as if they had been configured statically
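The slide names the three violation modes but does not show how they differ once a second host appears on the port. The following is an added simulation written for this page (not Cisco code): a small model of one secured port that applies the maximum, the static and sticky entries and the violation mode to a constructed sequence of frames. The class and function names, the MAC addresses and the log strings are this example's own.

```python
"""A small model of port security on one switch port, written as an added
example for this page (not Cisco code).  It applies the rules the slide
lists so the three violation modes can be compared on the same frames."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 1                 # switchport port-security maximum
    violation: str = "shutdown"      # switchport port-security violation ...
    sticky: bool = False             # switchport port-security mac-address sticky
    allowed: set = field(default_factory=set)   # static mac-address entries
    learned: set = field(default_factory=set)   # dynamically learned entries
    violations: int = 0              # violation counter (restrict / shutdown)
    err_disabled: bool = False       # set by shutdown mode
    log: list = field(default_factory=list)     # simulated log / config output

    def receive(self, src_mac: str) -> bool:
        """Process one frame by source MAC; True = forwarded, False = dropped."""
        if self.err_disabled:
            return False                          # port is down: nothing passes
        if src_mac in self.allowed or src_mac in self.learned:
            return True                           # known address
        if len(self.allowed) + len(self.learned) < self.maximum:
            self.learned.add(src_mac)             # room left: learn it
            if self.sticky:                       # sticky: also saved to config
                self.log.append(
                    "switchport port-security mac-address sticky " + src_mac)
            return True
        # Table is full and this address is not in it: a violation.
        if self.violation == "protect":
            return False                          # silent drop, no counter
        self.violations += 1
        if self.violation == "restrict":
            self.log.append("violation from %s (port stays up)" % src_mac)
            return False
        self.err_disabled = True                  # shutdown: err-disable the port
        self.log.append("err-disabled after violation from %s" % src_mac)
        return False


# Constructed frame sequence: the first host, then a second host plugged
# into the same port, then the first host again.
FRAMES = ["00aa.bb00.0001", "00aa.bb00.0001", "00aa.bb00.0002", "00aa.bb00.0001"]


def run(mode: str, frames=FRAMES, **settings):
    """Feed frames through a fresh port in the given violation mode."""
    port = SecurePort(violation=mode, **settings)
    return [port.receive(mac) for mac in frames], port


def compare_modes(frames=FRAMES) -> dict:
    """Forwarded/dropped flag per frame, for each violation mode."""
    return {mode: run(mode, frames)[0]
            for mode in ("protect", "restrict", "shutdown")}


if __name__ == "__main__":
    for mode, flags in compare_modes().items():
        print("%-9s %s" % (mode, flags))
```

Running it shows the practical difference: protect and restrict keep the legitimate host working and only drop the intruder's frames (restrict additionally counts the event), while shutdown takes the whole port down, so the legitimate host loses service until someone recovers the interface. That is also why shutdown, the default, is the mode that gets noticed.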
VLAN Configuration
• Two main steps
• Create the VLAN
Switch(config)# vlan 2
  Adds VLAN 2 to the switch
Switch(config-vlan)# name Freds-vlan
  Associates the name Freds-vlan with VLAN 2
• Assign ports to the VLAN
Switch(config)# interface range FastEthernet 0/13 - 14
  Configure interfaces 13 and 14 together
Switch(config-if-range)# switchport access vlan 2
  Assigns these ports to VLAN 2

Securing Unused Interfaces
• Interface defaults: in VLAN 1, enabled (no shutdown), and able to negotiate a trunk
• shutdown
  Turn the interface off until it is needed
• switchport mode access
  Make it an access port so it cannot negotiate a trunk
• switchport access vlan #
  Move it out of VLAN 1 into an unused VLAN
Key Topics • Check Handout