Modern switches are manageable and support more features than plain old-fashioned switches.
These features include support for TCP/IP applications such as ping, telnet and traceroute.
For example, to telnet to or ping a switch, the switch must have an IP address configured.
0) SWITCH RESET
1) Resetting Catalyst Switches to Factory Defaults
Cat2950# write erase
Erasing the nvram filesystem will remove all files! Continue? [confirm]y[OK]
Erase of nvram: complete
Cat2950# reload
2) Reset VLAN Information
To reset the VLAN information to the factory defaults, delete the vlan.dat file from the Flash or NVRAM and reload the switch.
On the 6500/6000 series switches running Cisco IOS Software, the vlan.dat file is stored in const_nvram:
erase const_nvram:
On the 4500/4000 series switches running Cisco IOS Software, the vlan.dat file is stored in cat4000_flash:
erase cat4000_flash:
On the 2940, 2950/2955, 2970, 3550, 3560, 3570, and 2900XL/3500XL fixed configuration switches, the vlan.dat file is stored in flash:.
delete flash:vlan.dat
1) BASIC CONFIGURATION
1) Configuring the hostname (switch name)
Switch1(config)#hostname Switch2011
Switch2011(config)#exit
2) Configure password encryption
Switch2011(config)#service password-encryption
Switch2011(config)#
3) Configure the privileged EXEC password
Switch2011#configure terminal
Switch2011(config)#enable secret m3gapassw0rd
Switch2011(config)#
4) Configuring Telnet line (VTY) and console passwords with a user login requirement:
Switch2011#config t
Switch2011(config)#enable secret cisco
Switch2011(config)#line vty 0 15
Switch2011(config-line)#password cisco
Switch2011(config-line)#login
Switch2011(config-line)#line con 0
Switch2011(config-line)#password cisco
Switch2011(config-line)#login
Switch2011(config-line)#exit
5) View and configure the speed or duplex of an interface
Switch2011# show interface gigabitEthernet 1/0/3
Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
Switch2011(config)# interface gigabitEthernet 1/0/3
Switch2011(config-if)# speed 100
Switch2011(config-if)# duplex half
2) SWITCH REMOTE MANAGEMENT AND ROUTING
If you want to be able to manage your switch remotely over the network, your switch needs an IP address.
On a router we configure the IP address on the physical interface;
on a switch, however, the physical interfaces run at Layer 2 and therefore have no IP addresses configured on them.
If your switch has multiple VLANs configured, and you want to be able to manage the switch from each VLAN, the switch requires an IP address on a VLAN interface (logical interface of the switch) in each VLAN.
1) To be able to manage your switch — even if all ports are left in default VLAN 1 — you still need to configure an IP address on the “vlan 1” switch interface, which is, of course, in VLAN 1.
Switch2011# conf t
Switch2011(config)# interface vlan 1
Switch2011(config-if)# ip address 192.168.1.11 255.255.255.0
Switch2011(config-if)# no shut
Switch2011(config-if)# exit
2) Define a default gateway for this switch.
A switch does not have to have a default gateway configured.
However, if you want to be able to communicate with your switch from another subnet,
you need to configure a default gateway on the switch so it knows where to send traffic destined for other subnets.
Switch2011(config)# ip default-gateway 192.168.1.1
3) PORT SECURITY
View the switch MAC address table aging time and capacity
SW01-SC#sh mac address-table aging-time
Global Aging Time: 300
Vlan Aging Time
---- ----------
ALL 300
SW01-SC#sh mac address-table count
Mac Entries for Vlan 1:
---------------------------
Dynamic Address Count : 2
Static Address Count : 0
Total Mac Addresses : 2
Total Mac Address Space Available: 8188
1) Configure Port Security
Before any other port security commands can be configured on the interface, port security must be enabled.
SW1(config)#interface fa0/11
SW1(config-if)#switchport port-security
2) Configure the maximum number of MAC addresses
To configure the port to learn only one MAC address, set the maximum to 1:
SW1(config-if)#switchport port-security maximum 1
3) Configure the port to add the learned MAC address to the running configuration.
The MAC address learned on the port can be added to (“stuck” to) the running configuration for that port.
SW1(config-if)#switchport port-security mac-address sticky
4) Configure the port to automatically shut down if port security is violated
If you do not configure the following command, SW1 only logs the violation in the port security statistics but does not shut down the port.
SW1(config-if)#switchport port-security violation shutdown
SW1#show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
20 0060.5c4b.cd22 STATIC Fa0/11
SW1#show port-security interface fa0/11
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 00E0.F7B0.086E:20
Security Violation Count : 1
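To check this baseline across many ports at once, here is an added Python example (not from the original post) that parses pasted 'show port-security interface' output in the format above and reports ports that deviate from the one-MAC, shutdown-on-violation setting or that already sit in Secure-shutdown. The sample output is constructed; only the field names match real output.

```python
import re

# Constructed sample: two 'show port-security interface' outputs pasted together (values made up).
SAMPLE_OUTPUT = """\
SW1#show port-security interface fa0/11
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Maximum MAC Addresses : 1
Last Source Address:Vlan : 00E0.F7B0.086E:20
Security Violation Count : 1
SW1#show port-security interface fa0/12
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Protect
Maximum MAC Addresses : 5
Security Violation Count : 0
"""

def parse_port_security(output):
    """Return {interface: {field: value}} from concatenated 'show port-security interface' output."""
    ports, current = {}, None
    for line in output.splitlines():
        m = re.match(r"^\S+#show port-security interface (\S+)", line)
        if m:
            current = m.group(1)
            ports[current] = {}
        elif current and " : " in line:
            # Split on ' : ' (not ':') because the key 'Last Source Address:Vlan' contains a colon.
            key, value = line.split(" : ", 1)
            ports[current][key.strip()] = value.strip()
    return ports

def audit(output, max_addresses=1):
    """Flag ports off the one-MAC/shutdown baseline, plus ports with violations or in err-disable."""
    report = {}
    for port, f in parse_port_security(output).items():
        issues = []
        if f.get("Violation Mode") != "Shutdown":
            issues.append(f"violation mode is {f.get('Violation Mode')}")
        if int(f.get("Maximum MAC Addresses", "0")) > max_addresses:
            issues.append("maximum above baseline")
        if int(f.get("Security Violation Count", "0")) > 0:
            issues.append(f"{f['Security Violation Count']} violation(s), last source "
                          f"{f.get('Last Source Address:Vlan')}")
        if f.get("Port Status") == "Secure-shutdown":
            issues.append("port is err-disabled (Secure-shutdown)")
        report[port] = issues
    return report
```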
5) How To Secure Unused Ports
Disabling unused switch ports is a simple method many network administrators use to help secure their network from unauthorized access.
Disabling an unused port stops any traffic from flowing through it.
Disable interface Fa0/10 on SW1.
SW1(config)#interface fa0/10
SW1(config-if)#shutdown
Disable interfaces Fa0/1 to Fa0/24 on SW1
SW1(config)#interface range fa0/1-24
SW1(config-if-range)#shutdown
Troubleshoot port-security violation
Test with the macof tool:
switch(config-if)# switchport port-security violation { protect | restrict | shutdown }
restrict - no new MAC learned, NO syslog notification
protect - no new MAC learned, syslog notification
shutdown - no new MAC learned, syslog notification, shutdown port
Check Switch
SW01-SC#sh port-security
Protect mode output:
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa0/1 5 0 13864 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
01:27:14: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aad5.402a.ffdc on port FastEthernet0/1.
shutdown mode output:
01:27:19: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 686d.4b40.2a90 on port FastEthernet0/1.
Recovery port:
SW01-SC#show interfaces status err-disabled
Port Name Status Reason
Fa0/1 err-disabled psecure-violation
SW01-SC(config)#errdisable recovery cause psecure-violation
SW01-SC(config)#do show errdisable recovery
ErrDisable Reason Timer Status
----------------- --------------
udld Disabled
bpduguard Disabled
security-violatio Disabled
channel-misconfig Disabled
vmps Disabled
pagp-flap Disabled
dtp-flap Disabled
link-flap Disabled
psecure-violation Enabled
gbic-invalid Disabled
dhcp-rate-limit Disabled
unicast-flood Disabled
loopback Disabled
Timer interval: 300 seconds
Interfaces that will be enabled at the next timeout:
Interface Errdisable reason Time left(sec)
--------- ----------------- --------------
Fa0/1 psecure-violation 231
To recover a port that is in the errdisable state, manual intervention is required: the administrator must access the switch and configure the specific port with 'shutdown' followed by 'no shutdown'.
int fa0/1
shutdown
no shutdown
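As an added example (not part of the original post), the following Python reads %PORT_SECURITY-2-PSECURE_VIOLATION syslog lines like those shown above and, per port, counts distinct offending MAC addresses and flags a flooding pattern (many MACs within a short window) as opposed to a single unexpected device. The syslog sample is constructed, and the 60-second window and threshold of 3 are assumed values to tune for your environment.

```python
import re
from collections import defaultdict

# Constructed syslog sample in the PSECURE_VIOLATION format shown above (MAC addresses made up).
SAMPLE_SYSLOG = """\
01:27:14: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aad5.402a.ffdc on port FastEthernet0/1.
01:27:14: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/1.
01:27:15: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4456 on port FastEthernet0/1.
01:27:19: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 686d.4b40.2a90 on port FastEthernet0/1.
01:30:02: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00e0.f7b0.086e on port FastEthernet0/11.
01:31:00: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
"""

VIOLATION_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d): %PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"(?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}) on port (?P<port>\S+?)\.?$")

def to_seconds(ts):
    """Convert the uptime-style HH:MM:SS stamp used in the sample lines to seconds."""
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s

def parse_violations(syslog):
    """Return (seconds, port, mac) for every PSECURE_VIOLATION line; other messages are skipped."""
    events = []
    for line in syslog.splitlines():
        m = VIOLATION_RE.match(line)
        if m:
            events.append((to_seconds(m["ts"]), m["port"], m["mac"].lower()))
    return events

def classify_ports(syslog, window=60, flood_threshold=3):
    """Per port: count distinct offending MACs and flag 'flooding' when at least
    flood_threshold distinct MACs hit the port within `window` seconds. One stray
    device produces one MAC; a MAC-flooding tool produces many within seconds."""
    by_port = defaultdict(list)
    for secs, port, mac in parse_violations(syslog):
        by_port[port].append((secs, mac))
    result = {}
    for port, events in by_port.items():
        events.sort()
        flooding = any(
            len({mac for s, mac in events if start <= s < start + window}) >= flood_threshold
            for start, _ in events)
        result[port] = {"distinct_macs": len({mac for _, mac in events}), "flooding": flooding}
    return result
```

Ports flagged as flooding are candidates for the manual or automatic errdisable recovery described above only after the offending device has been found.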
4) OPTIONAL
1) Configure and test the MOTD (message-of-the-day) banner
2) PortFast
Almost 100% of Cisco switches will have a 50 second delay on a port before it goes live. This means that when you plug a new device such as a PC into a switch, there will be a 50 second delay before the port becomes active and the PC is able to send and receive data. This is because the switch is running through the spanning tree process, confirming that you have not just created a loop on the network by plugging in the new device.
If you are certain that you will not create loops on your network by plugging certain types of devices into your switch,
you can force the port to go live immediately, rather than waiting the default 50 seconds.
Switch2011# conf t
Switch2011(config)# interface fastethernet 0/10
Switch2011(config-if)# switchport mode access
Switch2011(config-if)# switchport access vlan 10
Switch2011(config-if)# spanning-tree portfast
Links:
http://www.cisco.com/
http://www.orbit-computer-solutions.com/
http://www.techrepublic.com/
http://www.anythingoverip.co.za/