Objectives
· Configure initial switch global settings.
· Configure host PCs and attach them to the switch.
· Configure a router and attach it to the switch.
· Configure a switch management VLAN IP address.
· Configure basic port security.
· Configure port duplex and speed settings.
Background / Preparation
This lab focuses on the basic configuration of the Cisco 2960 switch using Cisco IOS commands. The information in this lab applies to other switches as well, although command syntax may vary. The Cisco Catalyst 2960 switch comes preconfigured and only needs to be assigned basic security information before being connected to a network. To use an IP-based management product or Telnet with a Cisco switch, you must configure a management IP address.
In this lab, you will configure VLAN 1 to provide IP access to management functions. You will also test connectivity from a host to the switch to verify the management IP address. In addition, you will configure port security, port speed, and duplex settings.
The following resources are required:
· Cisco 2960 switch or other comparable switch
· Router with Ethernet interface to connect to switch
· Three Windows-based PCs, one with a terminal emulation program
· RJ-45-to-DB-9 connector console cable
· Three straight-through Ethernet cables
· Access to the PC command prompt
· Access to PC network TCP/IP configuration
NOTE: Go to the “Erasing and Reloading the Switch” instructions at the end of this lab. Perform those steps on the switch in this lab assignment before continuing.
NOTE: Go to the “Erasing and reloading the router” instructions at the end of this lab. Perform those steps on all routers in this lab assignment before continuing.
NOTE: SDM Routers - If the startup-config is erased in an SDM router, SDM will no longer come up by default when the router is restarted. It will be necessary to build a basic router configuration using IOS commands. Refer to the procedure at the end of this lab or contact your instructor.
Step 1: Connect the hosts to the switch and configure them.
a. Connect Host-A to Fast Ethernet switch port Fa0/1, and connect Host-B to port Fa0/4. Configure the hosts to use the same IP subnet for the address and mask as on the switch, as shown in the topology diagram above.
b. Do NOT connect Host-C to the switch yet.
Step 2: Connect the router to the switch and configure the router.
NOTE: If necessary, refer to Lab 5.3.5, “Configuring Basic Router Settings with IOS CLI,” for instructions on setting hostname, passwords, and interface addresses.
Connect the router to Fast Ethernet switch port Fa0/3.
Configure the router with a hostname of CustomerRouter.
Configure console access and password, vty access and password, and enable secret password.
Configure the router Fa0/0 interface as shown in the topology diagram above.
Step 3: Perform an initial configuration on the switch.
a. Configure the hostname of the switch as CustomerSwitch:
Switch#configure terminal
Switch(config)#hostname CustomerSwitch
b. Set the privilege exec mode password to cisco:
CustomerSwitch(config)#enable password cisco
c. Set the privilege exec mode secret password to cisco123:
CustomerSwitch(config)#enable secret cisco123
d. Set the console password to cisco123:
CustomerSwitch(config)#line console 0
CustomerSwitch(config-line)#password cisco123
e. Configure the console line to require a password at login:
CustomerSwitch(config-line)#login
f. Set the vty password to cisco123:
CustomerSwitch(config-line)#line vty 0 15
CustomerSwitch(config-line)#password cisco123
g. Configure the vty to require a password at login:
CustomerSwitch(config-line)#login
CustomerSwitch(config-line)#end
Step 4: Configure the management interface on VLAN 1.
a. Enter global configuration mode. Remember to use the new password.
CustomerSwitch>enable
CustomerSwitch#configure terminal
b. Enter the interface configuration mode for VLAN 1:
CustomerSwitch(config)#interface vlan 1
c. Set the IP address, subnet mask, and default gateway for the management interface. The IP address must be valid for the local network where the switch is installed.
CustomerSwitch(config-if)#ip address 192.168.1.5 255.255.255.0
CustomerSwitch(config-if)#exit
CustomerSwitch(config)#ip default-gateway 192.168.1.1
CustomerSwitch(config)#end
Step 5: Verify configuration of the switch.
a. Verify that the IP address of the management interface on the switch VLAN 1 and the IP address of Host-A are on the same local network. Use the show running-config command to check the IP address configuration of the switch:
CustomerSwitch#show running-config
Building configuration...
Current configuration : 1283 bytes
!
version 12.2
no service pad
hostname CustomerSwitch
!
enable secret 5 $1$XUe/$ch4WQ/SpcFCDd2iqd9bda/
!
interface FastEthernet0/1
!
*** Output Omitted ***
!
interface FastEthernet0/24
!
interface Vlan1
ip address 192.168.1.5 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.1.1
ip http server
!
line con 0
password cisco123
login
line vty 0 4
password cisco123
login
line vty 5 15
password cisco123
login
!
end
b. Save the configuration using the following command:
CustomerSwitch#copy running-config startup-config
Step 6: Verify connectivity using ping and Telnet.
a. To verify that the switch and router are correctly configured, ping the router Fa0/0 interface (default gateway) IP address from the Switch CLI.
b. Were the pings successful? Yes
c. To verify that the hosts and switch are correctly configured, ping the switch IP address from Host-A.
d. Were the pings successful? Yes.
e. If the ping is not successful, verify the connections and configurations again. Check to ensure that all cables are correct and that connections are seated. Check the host, switch and router configurations.
f. Open a command prompt on Host-A, and enter the telnet command followed by the IP address assigned to switch management VLAN 1.
g. Enter the vty password configured in Step 3. What was the result?
h. At the switch prompt, issue the show version command.
CustomerSwitch>show version
Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(0.0.16)FX, CISCO
DEVELOPMENT TEST VERSION
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 17-May-05 01:43 by yenanh
ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M), Version 12.2 [lqian-flo_pilsner 100]
Switch uptime is 3 days, 20 hours, 8 minutes
System returned to ROM by power-on
System image file is "flash:c2960-lanbase-mz.122-0.0.16.FX.bin"
cisco WS-C2960-24TC-L (PowerPC405) processor with 61440K/4088K bytes of memory.
Processor board ID FHH0916001J
Last reset from power-on
Target IOS Version 12.2(25)FX
1 Virtual Ethernet interface
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.
64K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address : 00:0B:FC:FF:E8:80
Motherboard assembly number : 73-9832-02
Motherboard serial number : FHH0916001J
Motherboard revision number : 01
System serial number : FHH0916001J
Hardware Board Revision Number : 0x01
Switch Ports Model SW Version SW Image
------ ----- ----- ---------- ----------
* 1 26 WS-C2960-24TC-L 12.2(0.0.16)FX C2960-LANBASE-M
Configuration register is 0xF
i. What is the Cisco IOS version of this switch? 12.2(25)FX
j. Type quit at the switch command prompt to terminate the Telnet session.
Step 7: Determine which MAC addresses the switch has learned.
a. From the Windows command prompt, determine the Layer 2 addresses of the PC network interface card for each host by using the ipconfig /all command.
b. Determine which MAC addresses the switch has learned by using the show mac-address-table command at the privileged exec mode prompt:
CustomerSwitch#show mac-address-table
Mac Address Table
-------------------------------------------------------
Vlan Mac Address Type Ports
-------- ------------------- -------- -----
All 000b.be7f.ed40 STATIC CPU
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0100.0cdd.dddd STATIC CPU
1 000b.db04.a5cd DYNAMIC Fa0/1
1 000c.3076.8380 DYNAMIC Fa0/3
1 000d.1496.36ad DYNAMIC Fa0/4
Total Mac Addresses for this criterion: 7
c. How many dynamic addresses are there? 3 addresses
d. Do the MAC addresses match the host MAC addresses?
e. Review the options that the mac-address-table command has by using the ? option:
CustomerSwitch(config)#mac-address-table ?
address address keyword
aging-time aging-time keyword
count count keyword
dynamic dynamic entry type
interface interface keyword
multicast multicast info for selected wildcard
notification MAC notification parameters and history table
static static entry type
vlan VLAN keyword
| Output modifiers
f. Set up a static MAC address on the Fast Ethernet interface 0/4. Use the address that was recorded for Host-B in Step 7. The MAC address XXXX.YYYY.ZZZZ is used in the example statement only.
CustomerSwitch(config)#mac-address-table static XXXX.YYYY.ZZZZ interface fastethernet 0/4 vlan 1
g. Verify the MAC address table entries:
CustomerSwitch#show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 000b.be7f.ed40 STATIC CPU
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0100.0cdd.dddd STATIC CPU
1 000b.db04.a5cd DYNAMIC Fa0/1
1 000c.3076.8380 DYNAMIC Fa0/3
1 000d.1496.36ad STATIC Fa0/4
How many total MAC addresses are there now? 7
h. What type are they? Static and Dynamic
Step 8: Configure basic port security.
a. Determine the options for setting port security on Fast Ethernet interface 0/4.
CustomerSwitch#configure terminal
CustomerSwitch(config)#interface fastEthernet 0/4
CustomerSwitch(config-if)#switchport port-security ?
aging Port-security aging commands
mac-address Secure mac address
maximum Max secure addrs
violation Security Violation Mode
b. To allow the switch port FastEthernet 0/4 to accept only one device, configure port security as follows:
CustomerSwitch(config-if)#switchport mode access
CustomerSwitch(config-if)#switchport port-security
CustomerSwitch(config-if)#switchport port-security mac-address sticky
CustomerSwitch(config-if)#end
c. Check the port security settings.
CustomerSwitch#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa0/4 1 0 0 Shutdown
---------------------------------------------------------------------------
d. What is the security action for port fa0/4? Shutdown
e. What is the maximum secure address count? 1
f. Display the running configuration.
NOTE: Some output omitted in following display.
CustomerSwitch#show running-config
Building configuration...
Current configuration : 1452 bytes
version 12.2
hostname CustomerSwitch
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
switchport mode access
switchport port-security
switchport port-security mac-address sticky
!
interface FastEthernet0/5
!
*** Output Omitted ***
mac-address-table static 000b.db04.a5cd vlan 1 interface FastEthernet0/4
!
end
g. Are there statements that directly reflect the security implementation in the listing of the running configuration?
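The question above is answered by reading the running-config by eye; the following added example (not part of the lab, and not Cisco code) does the same check programmatically. It parses a constructed running-config modelled on the lab's output and reports every FastEthernet port without port security, any port where port security was enabled without static access mode (IOS rejects port security on a dynamic port), and the cleartext enable password, which the lab sets alongside the hashed enable secret.

```python
import re

# Constructed sample modelled on the lab's show running-config output (some
# lines omitted); it is an added example, not text copied from the lab.
SAMPLE_CONFIG = """\
version 12.2
hostname CustomerSwitch
!
enable password cisco
enable secret 5 $1$XUe/$ch4WQ/SpcFCDd2iqd9bda/
!
interface FastEthernet0/1
!
interface FastEthernet0/3
!
interface FastEthernet0/4
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface Vlan1
 ip address 192.168.1.5 255.255.255.0
!
end
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command closes the block
    return blocks

def audit(config):
    """Return (subject, finding) pairs a defender would review."""
    findings = []
    if re.search(r"^enable password ", config, re.M):
        findings.append(("global", "enable password stored in cleartext; enable secret is hashed"))
    for name, cmds in parse_interfaces(config).items():
        if not name.startswith("FastEthernet"):
            continue
        if "switchport port-security" not in cmds:
            findings.append((name, "port-security not enabled"))
        elif "switchport mode access" not in cmds:
            findings.append((name, "port-security requires static access mode"))
    return findings
```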
Step 9: Connect a different PC to the secure switch port.
a. Disconnect Host-B from FastEthernet 0/4 and connect Host-C to the port. Host-C has not yet been attached to the switch. Ping the switch address 192.168.1.5 to generate some traffic.
b. Record any observations at the PC and the switch terminal session.
01:11:12: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/4, putting Fa0/4 in err-disable state
01:11:12: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.3076.8380 on port FastEthernet0/4.
01:11:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
01:11:14: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to down
c. To see the configuration information for just FastEthernet port 0/4, enter the following command at the privileged EXEC mode prompt:
CustomerSwitch#show interface fastethernet 0/4
d. What is the state of this interface?
FastEthernet0/4 is and line protocol is
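The console messages in Step 9 are what a switch sends to a syslog collector when port security trips. The following added example (not part of the lab) parses those four lines, re-joined onto one line each, and extracts the offending MAC address, the violated port, and the port IOS placed in err-disable, which is what an operator needs before running the no shutdown in Step 10.

```python
import re

# Constructed sample: the four console messages from the lab's Step 9, joined
# onto one line each (the console wraps them at 80 columns).
SAMPLE_LOG = """\
01:11:12: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/4, putting Fa0/4 in err-disable state
01:11:12: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.3076.8380 on port FastEthernet0/4.
01:11:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/4, changed state to down
01:11:14: %LINK-3-UPDOWN: Interface FastEthernet0/4, changed state to down
"""

# IOS message format: <timestamp>: %FACILITY-SEVERITY-MNEMONIC: text
SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+): %(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): (?P<text>.*)$")
VIOLATION_RE = re.compile(
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?$")
ERRDISABLE_RE = re.compile(r"putting (?P<port>\S+) in err-disable state")

def parse_syslog(text):
    """Parse IOS console/syslog lines into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["severity"] = int(event["severity"])
            events.append(event)
    return events

def port_security_alerts(text):
    """Return ([(port, offending_mac), ...], {err-disabled ports})."""
    violations, err_disabled = [], set()
    for ev in parse_syslog(text):
        if ev["mnemonic"] == "PSECURE_VIOLATION":
            m = VIOLATION_RE.search(ev["text"])
            if m:
                violations.append((m.group("port"), m.group("mac")))
        elif ev["mnemonic"] == "ERR_DISABLE":
            m = ERRDISABLE_RE.search(ev["text"])
            if m:
                err_disabled.add(m.group("port"))
    return violations, err_disabled

if __name__ == "__main__":
    found, disabled = port_security_alerts(SAMPLE_LOG)
    print("violations:", found)
    print("err-disabled ports:", sorted(disabled))
```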
Step 10: Reactivate the port.
a. If a security violation occurs and the port is shut down, use the no shutdown command to reactivate it.
CustomerSwitch(config)#interface fastEthernet 0/4
CustomerSwitch(config-if)#no shutdown
b. Try reactivating this port a few times by switching between the original port 0/4 host and the new one. Plug in the original host, type the no shutdown command on the interface, and ping from the command prompt. You must ping multiple times or use the ping 192.168.1.5 -n 200 command, which sets the number of ping packets to 200 instead of 4.
c. Switch hosts and try again.
Step 11: Set speed and duplex options for a port.
a. Switch port settings default to Auto-duplex and Auto-speed. If a computer with a 100 Mbps NIC is attached to the port, it automatically goes into full-duplex 100 Mbps mode. If a hub is attached to the switch port, it normally goes into half-duplex 10 Mbps mode.
b. Issue the show interfaces command to see the setting for ports Fa0/1 and Fa0/5. This command generates a large amount of output. Press the Space bar until you can see all the information for these ports. What are the duplex and speed settings for these ports?
c. It is sometimes necessary to set the speed and duplex of a port to ensure that it operates in a particular mode. You can set the speed and duplex with the duplex and speed commands while in interface configuration mode. To force Fast Ethernet port 5 to operate at half duplex and 10 Mbps, issue the following commands:
Switch>enable
Switch#configure terminal
Switch(config)#interface fastEthernet 0/5
Switch(config-if)#speed 10
Switch(config-if)#duplex half
Switch(config-if)#end
Switch#
d. Issue the show interfaces command again. What is the duplex and speed setting for Fa0/5 now?
Step 12: Exit the switch.
a. Type exit to leave the switch and return to the welcome screen:
Switch#exit
b. Once the steps are completed, turn off all the devices. Then remove and store the cables and adapter.
Step 13: Reflection.
a. Which password needs to be entered to switch from user mode to privilege exec mode on the Cisco switch, and why?
b. Which symbol is used to show a successful ping in the Cisco IOS software?
c. What is the benefit of using port security?
What other port-related security steps could be taken to further improve switch security?