Source: Notes – Odom, Chapter 9, Boise State University, edtech2.boisestate.edu/ferdons/552/chapter9_notes.pdf (2011-05-19)


EDTECH 552 (SP11) Susan Ferdon

Notes – Odom, Chapter 9 Flashcards Set: http://www.flashcardmachine.com/1296100/1xp3

Access Interface A LAN network design term that refers to a switch interface connected to end-user devices.

Trunk Interface On a LAN switch, an interface that is currently using either 802.1Q or Inter-Switch Link (ISL) trunking.

Trunking Also called VLAN trunking. A method (using either the Cisco ISL protocol or the IEEE 802.1q protocol) to support multiple VLANs that have members on more than one switch.

MD5 hash value Message-Digest algorithm 5. The MD5 hash of a file (often called its checksum) is a 128-bit value, a fingerprint of the file. The four properties usually listed, with the caveats that matter when the hash is used for security:
- Hash length: MD5 output is always 128 bits (160 bits is the SHA-1 output length, not MD5).
- Repeatability: the same input hashed with the same algorithm always produces the same hash value.
- Non-discoverability (collision resistance): non-identical files should translate into different hash values. For MD5 this property is broken; two different files with the same MD5 hash can be generated cheaply, so an MD5 checksum detects accidental corruption but cannot prove a download was not tampered with. Use SHA-256 for that purpose.
- Irreversibility (one-way): the input cannot be computed from the hash value. For short inputs such as passwords this offers little protection, because MD5 is fast and an attacker holding the hash simply hashes candidate passwords until one matches.

Syslog A standard for logging program messages. It allows separation of the software that generates messages from the system that stores them and the software that reports and analyzes them. It also gives devices that could otherwise not communicate a means to notify administrators of problems or performance.

VLAN Trunking Allows a single network adapter to behave as "n" virtual network adapters. The 802.1Q VLAN ID is a 12-bit field, so "n" has a theoretical upper limit of 4096 (4094 usable, since IDs 0 and 4095 are reserved); switch hardware and software typically support on the order of 1000 VLANs or fewer.

Chapter 9 Configuration Command Reference

Basic Password Configuration:

Command Mode/Purpose/Description

line console 0 Changes the context to console configuration mode.

line vty first-vty last-vty Changes the context to vty configuration mode for the range of vty lines listed in the command.

login Console and vty configuration mode. Tells IOS to prompt for a password.

password pass-value Console and vty configuration mode. Lists the password required if the login command (with no other parameters) is configured.

Username/Password and SSH Configuration:

login local Console and vty configuration mode. Tells IOS to prompt for a username and password, to be checked against locally configured username global configuration commands on this switch or router.

username name password pass-value Global command. Defines one of possibly multiple usernames and associated passwords, used for user authentication when the login local line configuration command has been used.

crypto key generate rsa Global command. Creates and stores (in a hidden location outside the running configuration) the RSA key pair required by SSH.

transport input {telnet | ssh} vty line configuration mode. Defines whether Telnet and/or SSH access is allowed into this switch. Both keywords can be given on one command (transport input telnet ssh) to allow both. The default differs between platforms and IOS releases, so set transport input ssh explicitly rather than relying on it.

IP Address Configuration

interface vlan number Changes the context to VLAN interface mode. For VLAN 1, allows the configuration of the switch's IP address.

ip address ip-address subnet-mask VLAN interface mode. Statically configures the switch's IP address and mask.

ip address dhcp VLAN interface mode. Configures the switch as a DHCP client to discover its IP address, mask, and default gateway.

ip default-gateway address Global command. Configures the switch's default gateway IP address. Not required if the switch uses DHCP.

Interface Configuration

interface type port-number Changes context to interface mode. The type is typically FastEthernet or GigabitEthernet. The possible port numbers vary depending on the model of switch, for example Fa0/1, Fa0/2, and so on.

interface range type port-range Changes the context to interface mode for a range of consecutively numbered interfaces. The subcommands that follow then apply to all interfaces in the range.

shutdown / no shutdown Interface mode. Disables or enables the interface, respectively.

speed {10 | 100 | 1000 | auto} Interface mode. Manually sets the speed to the listed speed or, with the auto setting, automatically negotiates the speed.

duplex {auto | full | half} Interface mode. Manually sets the duplex to half or full, or to autonegotiate the duplex setting.

description text Interface mode. Lists any information text that the engineer wants to track for the interface, such as the expected device on the other end of the cable.

Miscellaneous

hostname name Global command. Sets this switch’s hostname, which is also used as the first part of the switch’s command prompt.

enable secret pass-value Global command. Sets this switch's password that is required for any user to reach enable mode.

history size length Line config mode. Defines the number of commands held in the history buffer, for later recall, for users of those lines.

switchport port-security mac-address mac-address Interface configuration mode command that statically adds a specific MAC address as an allowed (secure) MAC address on the interface.

switchport port-security mac-address sticky Interface subcommand that tells the switch to learn MAC addresses on the interface and add them to the running configuration for the interface as secure MAC addresses.

switchport port-security maximum value Interface subcommand that sets the maximum number of secure MAC addresses (static, sticky, or dynamically learned) allowed on a single interface; the default is 1.

switchport port-security violation {protect | restrict | shutdown} Interface subcommand that tells the switch what to do if a frame from a disallowed MAC address arrives on a secure port; shutdown is the default.

Chapter 9 EXEC Command Reference

Command Purpose/Description

show mac address-table dynamic Lists the dynamically learned entries in the switch's address (forwarding) table.

show dhcp lease Lists any information the switch acquires as a DHCP client, including IP address, subnet mask, and default gateway.

show crypto key mypubkey rsa Lists the RSA public key created for SSH by the crypto key generate rsa global configuration command; the private half of the pair is never displayed.

show interfaces status Lists one output line per interface, noting the description, operating state, and settings for duplex and speed on each interface.

show interfaces vlan 1 Lists the interface status, the switch's IP address and mask, and much more.

show port-security interface type number Lists an interface's port security configuration settings and security operational status.

Configuration of Features in Common with Routers

Securing the Switch CLI, p. 235

Access the CLI from the console or from a Telnet/SSH session, then use the enable command to reach enable mode.

From the console, with default settings, no password is needed for user mode or enable mode.

To reach enable mode from a vty (Telnet or SSH) session, the switch needs an IP address, login security on the vty lines, and an enable password; without an enable password configured, IOS refuses the enable command from a vty session.

Recommended: configure password security even for console access.

Configuring Simple Password Security, p. 236

Password protect user mode from the console, Telnet, and SSH. Users reach enable mode with the enable command, but with different defaults depending on whether they logged in from the console or remotely via Telnet or SSH: the console can get to enable mode without a password, Telnet cannot. Password protect enable mode using the enable secret global configuration command.

The exit command leaves the current mode and moves up one level. The end command or Ctrl-Z takes you back to enable mode.

Configuring Usernames and Secure Shell (SSH), p. 239

SSH encrypts the session, so it is the preferred method for remote login to switches and routers. Telnet sends usernames, passwords and every command in clear text.

SSH needs one of two authentication methods: usernames and passwords configured locally on the switch, or an external Authentication, Authorization and Accounting (AAA) server. The book uses locally configured usernames/passwords.

Procedures are listed in the book. For greater security, disable Telnet (which is not encrypted) completely with the transport input ssh vty subcommand. The book gives transport input telnet as the default; the actual default varies by platform and IOS release, so check the vty section of show running-config and set transport input ssh explicitly. To allow both, use transport input telnet ssh.

Password Encryption, p. 242

Simple passwords configured on the console and vty lines with the password command, plus the password in the username command, are stored in clear text by default.

The enable secret command automatically hides its password value. To keep clear-text passwords out of a printed configuration or a backup stored on a server, encode them with the service password-encryption global configuration command.

o When service password-encryption is configured, all existing console, vty, and username command passwords are immediately encoded, and future changes to these passwords are encoded too.

o If no service password-encryption is used later, the passwords stay encoded until they are changed, at which point they show up in clear text again.

o Caveat: the scheme used is IOS "type 7", a fixed-key XOR that is reversible with a few lines of code (tools to do it have been public for decades). It stops someone reading a password off a printed config and nothing more; anyone who obtains the configuration file has the passwords. Prefer username name secret pass-value, which stores a salted hash, and treat every type 7 value as if it were clear text.

The Two Enable Mode Passwords, p. 244

A router or switch can be configured to require a password to reach enable mode.

o Global configuration enable password actual-password command: the configuration file lists the password as clear text by default.

o Global configuration enable secret actual-password command: the configuration file lists a salted MD5 hash of the password.

o If both commands are used, the password set by enable secret is the one required.

When enable secret is configured, the router or switch hashes the password with a salted MD5 function and stores the resulting hash string (not the password, and not a formula) in the configuration file; IOS labels this type 5. Because the hash is one-way, IOS cannot display the original password, and an attacker holding the config must guess candidate passwords and hash each one. Later IOS releases add stronger secret types (8, PBKDF2 with SHA-256, and 9, scrypt) that make that guessing much slower.

To delete the enable secret password use the no enable secret command, which removes it without requiring the password value. Typically, though, you just enter enable secret with a new value.

Type 5 hashing is much more secure than the type 7 encoding used by the service password-encryption command, which is reversible.

Console and vty Settings, p. 245

Banners: the banner command without a type keyword configures the MOTD banner by default.

o The banner global configuration command can configure all three banner types (MOTD, login, and exec). The banner text can span several lines, with the CLI user pressing Enter at the end of each line.

o A delimiting character is given in the command (# in the example on p. 245) and the same character ends the banner text.

History Buffer Commands: the up-arrow key or Ctrl-P moves back through the history buffer, which makes it easy and fast to reuse a set of commands.

The logging synchronous and exec-timeout Commands:

o The console automatically receives copies of all unsolicited syslog messages on a switch or router. The book says this cannot be disabled; in practice no logging console turns it off, at the cost of losing those messages at the console.

o The message is put on the screen immediately, even in the middle of a command or its output.

o To make the switch send the syslog message at a more convenient time (after the current command line), configure the logging synchronous console line subcommand.

o An inactivity timeout is configured with the exec-timeout minutes seconds line subcommand. exec-timeout 0 0 disables the timeout entirely, which is convenient in a lab but leaves an unattended console or vty session logged in indefinitely; keep a finite value in production.

LAN Switch Configuration and Operation

Cisco switches ship from the factory with all interfaces enabled (a default configuration of no shutdown) and with autonegotiation enabled for ports that run at multiple speeds and duplex settings (a default configuration of duplex auto and speed auto). What follows applies only to switches, not to routers.

Configuring the Switch IP Address, p. 248

The switch needs an IP address for several reasons:

o Allow Telnet or SSH access

o Allow IP management protocols, like Simple Network Management Protocol (SNMP), to function

o Allow access using graphical tools like Cisco Device Manager (CDM)

IP Configuration

o Works like a host with a single Ethernet interface.

o Needs one IP address, a matching subnet mask and to know its default gateway/nearby router.

o Statically configure a switch with its IP address/mask/gateway, or the switch can dynamically learn this information using DHCP.

o IOS-based switch configures IP address and mask on a special virtual interface called the VLAN 1 interface; same role as Ethernet interface on a PC.

o To administratively enable an interface on a switch or router, use the no shutdown interface subcommand. To disable use the shutdown interface subcommand.

o To configure DHCP, use the same steps as for static, but use the ip address dhcp command instead of the ip address ip-address mask command on the VLAN 1 interface, and do not configure the ip default-gateway global command.

o For static interface IP address use the show running-config command to see the IP address.

o For DHCP client use the show dhcp lease command to see the (temporarily) leased IP address and other parameters.

o The output of the show interface vlan 1 command lists two very important details related to switch IP addressing.

o Output lists interface status of the VLAN 1 interface – must be up to send and receive traffic - default shutdown state is “administratively down”.

o Output lists IP address - if switch fails to acquire with DHCP, the output would instead list the fact that the address will (hopefully) be acquired by DHCP. Nothing in the output mentions that the IP address is either statically configured or DHCP-leased.

Configuring Switch Interfaces, p. 248

IOS uses the term interface to refer to the physical ports used to forward data to and from other devices.

Each interface can be configured separately using IOS subcommands - statically or dynamically. Default is autonegotiation.

“a” in “a-full” and “a-100” (example p. 253) means they were autonegotiated.

Port Security, p. 253

If you know which devices should be cabled to particular switch interfaces, port security can restrict an interface so that only the expected devices can use it. This reduces exposure to some kinds of attacks, such as an unauthorized device plugged into a wall jack or a host flooding the switch with bogus source MAC addresses.

Make the switch interface an access interface, meaning the port does no VLAN trunking.

Enable port security and configure the MAC addresses of the devices allowed to use the port (steps listed on p. 258).

The 2960 must treat the interface as an access interface, so the switchport mode access command is required. The switchport port-security command is required to enable port security on the interface. Use the switchport port-security mac-address mac-address command to list an allowed address. Together, these three interface subcommands enable port security.

The switchport port-security mac-address sticky command tells the switch to learn the MAC address from the first frame received on the interface and add it to the running configuration as a secure MAC address. In other words, the first MAC address heard "sticks" to the configuration. Caveat: it sticks to whatever is plugged in when the command is entered, so verify the learned address with show port-security interface before trusting it.

Sticky addresses live only in the running configuration until saved; to keep the learned address across a reload, use the copy running-config startup-config command.

The switch can be configured to take one of three actions when a violation occurs. All three discard the offending frame; they differ in what else happens: protect drops silently; restrict drops, logs the event (syslog/SNMP) and increments the violation counter; shutdown (the default) additionally puts the port into the err-disabled state, which requires shutdown followed by no shutdown (or err-disable recovery) to clear. Prefer restrict or shutdown; protect gives no signal that something is wrong.


VLAN Configuration, p. 256

Cisco switch interfaces are considered to be either access interfaces or trunk interfaces.

o Access interfaces send and receive frames only in a single VLAN, called the access VLAN (covered in the book).

o Trunking interfaces send and receive traffic in multiple VLANs (not covered in the book).

The switch must be configured to believe that the VLAN exists and must have one or more access interfaces assigned to the VLAN.

One VLAN (VLAN 1) is configured by default; the switch must be configured for additional VLANs (procedure on p. 257).

To disable trunking use the switchport mode access interface subcommand.

Securing Unused Switch Interfaces, p. 259

The plug-and-play operation of Cisco switches exposes some security threats: by default every port is enabled, sits in VLAN 1, and can negotiate a trunk with whatever is plugged into it.

Recommendations for unused switch interfaces, overriding the default interface settings:

o Administratively disable the interface using the shutdown interface subcommand.

o Prevent VLAN trunking and VTP by making the port a nontrunking interface using the switchport mode access interface subcommand.

o Assign the port to an unused VLAN using the switchport access vlan number interface subcommand, so that if the port is later enabled by mistake it lands in a VLAN that carries no production traffic.
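An added example in Python (not from the notes or the book) that checks a running-config against three of the sections above at once: the port-security guidance (access mode, port security enabled, a violation mode that is not silent), the unused-interface recommendations (shutdown plus access mode plus a parking VLAN), and the vty advice from the SSH and exec-timeout sections (SSH only, per-user login, finite timeout). The config excerpt is constructed, the parking VLAN number 999 is an assumption, and the parser relies only on the one-space indentation IOS uses for subcommands under interface and line stanzas.

```python
import re

# Constructed running-config excerpt, not from the notes or a real switch.
# Fa0/1: hardened as the notes describe.   Fa0/2: silent violation mode.
# Fa0/3: live port, no port security.      Fa0/4: unused port parked correctly.
# Fa0/5: shut down but otherwise default.  vty: still accepts Telnet, never times out.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 description engineer desktop
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
interface FastEthernet0/2
 description printer
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0200.1111.1111
 switchport port-security violation protect
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/4
 shutdown
 switchport mode access
 switchport access vlan 999
!
interface FastEthernet0/5
 shutdown
!
line vty 0 15
 login local
 transport input telnet ssh
 exec-timeout 0 0
"""

PARKING_VLAN = "999"  # assumed "unused VLAN" for disabled ports; must carry no traffic anywhere


def stanzas(config: str):
    """Yield (header, [subcommands]) for each block of an IOS config.

    IOS indents subcommands by one space under an unindented header and
    separates blocks with '!' lines; that is all this parser relies on.
    """
    header, body = None, []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            if header is not None:
                yield header, body
            header, body = line.strip(), []
        else:
            body.append(line.strip())
    if header is not None:
        yield header, body


def audit_ports(config: str, parking_vlan: str = PARKING_VLAN) -> list:
    """Flag physical ports and vty lines that miss the hardening steps in the notes."""
    findings = []
    for header, body in stanzas(config):
        sub = set(body)
        if header.startswith("interface ") and re.search(r"Ethernet\d", header):
            name = header.split()[1]
            if "shutdown" in sub:
                # Unused port: shutdown alone is not enough, in case someone re-enables it.
                wanted = ("switchport mode access", f"switchport access vlan {parking_vlan}")
                missing = [c for c in wanted if c not in sub]
                if missing:
                    findings.append(f"{name}: shut down but missing {', '.join(missing)}")
                continue
            if "switchport mode access" not in sub:
                findings.append(f"{name}: not forced to access mode, so trunk negotiation is possible")
            if "switchport port-security" not in sub:
                findings.append(f"{name}: active port without port security")
            elif "switchport port-security violation protect" in sub:
                findings.append(f"{name}: violation mode protect drops silently; use restrict or shutdown")
        elif header.startswith("line vty"):
            transport = next((c for c in body if c.startswith("transport input")), None)
            if transport != "transport input ssh":
                findings.append(f"{header}: {transport or 'transport input left at platform default'}; set transport input ssh")
            if "login local" not in sub and not any(c.startswith("login authentication") for c in body):
                findings.append(f"{header}: no per-user login; use login local or AAA")
            if "exec-timeout 0 0" in sub:
                findings.append(f"{header}: exec-timeout 0 0 never logs an idle session out")
    return findings


if __name__ == "__main__":
    for finding in audit_ports(SAMPLE_CONFIG):
        print(finding)
```

The audit deliberately treats "transport input not present" as a finding rather than guessing the platform default, which is the same stance the SSH section takes: configure transport input ssh explicitly. Sticky addresses cannot be verified from a config file alone, since they exist only in the running configuration until saved; that check belongs to show port-security interface on the live switch.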

“Do I Know This Already” Quiz, Chapter 9 - pp. 232-234

TOPIC / Q# / 1st Try / Answer

Configuration of Features in Common with Router
Q1: B
Q2: 1st try A, B, C, D; answer B, C
Q3: B
Q4: 1st try D; answer A
Q5: 1st try B, D, F; answer A, D, F
Q6: 1st try C, D, E, F; answer F
Q7: E

LAN Switch Configuration and Operation
Q8: 1st try B, D; answer A

Q2: An engineer had formerly configured a Cisco 2960 switch to allow Telnet access so that the switch expected a password of mypassword from the Telnet user. The engineer then changed the configuration to support Secure Shell. Which of the following commands could have been part of the new configuration? a. A username name password password command in vty config mode b. A username name password password global configuration command c. A transport input ssh command in vty config mode d. A transport input ssh global configuration command

Answer: B and C

Explanation: Global configuration commands apply to features that affect the system as a whole rather than one line or interface. From global configuration mode you can enter specific configuration modes and submodes (line, interface) used to configure specific features. Use the configure terminal privileged EXEC command to enter global configuration mode. A username configured globally applies to console, Telnet, and SSH access alike, wherever login local is set.

Not A: username is a global configuration command; it is not accepted in vty line configuration mode.

Not D: transport input ssh is not a global command; it applies to remote access, so it belongs in vty line config.

Yes B: the global username command defines the username/password pair that login local checks for all forms of access.

Yes C: transport input ssh in vty config restricts the vty lines to SSH.

Q4: Which of the following is not required when configuring port security without sticky learning? a. Setting the maximum number of allowed MAC addresses on the interface with the switchport port-security maximum interface subcommand b. Enabling port security with the switchport port-security interface subcommand c. Defining the allowed MAC addresses using the switchport port-security macaddress interface subcommand d. All of the other answers list required commands

Answer: A

Explanation: “Not required when configuring port security without sticky learning” means the same thing as “not required with configuring port security for specific MAC addresses.” That means that whatever answers I don’t pick ARE required

Not B: switchport port-security interface subcommand is needed to initiate port security.

Not C: Allowed MAC addresses need to be defined because sticky learning is not being used.

Not D: A is superfluous so “all of the above” is not correct.

Yes A: The setting for the maximum number of MAC addresses has a default of 1, so the switchport port-security maximum command does not have to be configured.

Q5: An engineer's desktop PC connects to a switch at the main site. A router at the main site connects to each branch office via a serial link, with one small router and switch at each branch. Which of the following commands must be configured, in the listed configuration mode, to allow the engineer to telnet to the branch office switches? a. The ip address command in VLAN 1 configuration mode b. The ip address command in global configuration mode c. The ip default-gateway command in VLAN 1 configuration mode d. The ip default-gateway command in global configuration mode e. The password command in console line configuration mode f. The password command in vty line configuration mode

Answer: A, D, F

Explanation: Global configuration commands apply to features that affect the device as a whole. To allow access via Telnet, the switch must have password security enabled, at a minimum using the password vty line configuration subcommand. Additionally, the switch needs an IP address (configured under the VLAN 1 interface) and a default gateway, since it must communicate with hosts in a different subnet. See the IP Address Configuration table in the book and the notes above.

Not B: the IP address is configured under the VLAN interface, not globally.

Not C: the default gateway is configured globally, since it affects the device as a whole.

Not E: console line settings cover the physical console connection, not remote access; Telnet uses the vty lines.

Yes A: the IP address is configured under the VLAN interface.

Yes D: the default gateway is configured globally.

Yes F: Telnet requires a vty password at a minimum.

Q6: Which of the following describes a way to disable IEEE standard autonegotiation on a 10/100 port on a Cisco switch? a. Configure the negotiate disable interface subcommand b. Configure the no negotiate interface subcommand c. Configure the speed 100 interface subcommand d. Configure the duplex half interface subcommand e. Configure the duplex full interface subcommand f. Configure the speed 100 and duplex full interface subcommands

Answer: F

Explanation: Choices A and B are not valid IOS syntax; the interface subcommands involved are speed and duplex (auto is a keyword of each, not a command). To disable autonegotiation, you must set fixed values for both speed and duplex (F), not just one or the other (C, D, E).

Q8: The show vlan brief command lists the following output:

2 my-vlan active Fa0/13, Fa0/15

Which of the following commands could have been used as part of the configuration for this switch? a. The vlan 2 global configuration command b. The name MY-VLAN vlan subcommand c. The interface range Fa0/13 - 15 global configuration command d. The switchport vlan 2 interface subcommand

Answer: A (I had B and D)

Explanation: VLAN names are case-sensitive, so the name MY-VLAN command, while using the correct syntax, would set a different VLAN name than the name shown in the question (B). The interface range command in one of the answers includes interfaces Fa0/13, Fa0/14, and Fa0/15. Because Fa0/14 is not assigned to VLAN 2, this command would not have allowed the right VLAN assignment (C). To assign a port to a VLAN, the switchport access vlan 2 command would have been required, not the switchport vlan 2 command, which is syntactically incorrect (D).