manualshive.com logo in svg

Cisco WS-C2960G-8TC-L, Configuration, Page: 20 / 30

Share
Download
Cisco WS-C2960G-8TC-L Configuration Download Page 20

376

  Chapter 12:  Initial Switch Configuration

CertPrs8

/CCNA

®

 Cisco Certified Network Associate Study Guide/Richard Deal/149728-5/Chapter 12

switch(config-if)# 

switchport port-security

 

switch(config-if)# 

switchport port-security

 

maximum

 

value

 

switch(config-if)# 

switchport port-security

 

violation

 

                        

protect

|

restrict

|

shutdown 

switch(config-if)# 

switchport port-security

 

mac-address

 

MAC_address

 

switch(config-if)# 

switchport port-security mac-address sticky

First, you must enter the appropriate interface where you want to set up restricted 

security. The first command, 

switchport mode access

, defines the interface 

as a host (access) port instead of a trunk port (trunking is explained in Chapter 13). 
The second command places the access port in a specific VLAN (also discussed 

in Chapter 13). The third command on the 
interface, 

switchport port-security

enables port security (it is disabled, by default). 
The fourth command, 

switchport port-

security maximum

, specifies the maximum 

number of devices that can be associated with 
the interface. This defaults to 1 and can range 
from 1 to 132.

The fifth command on the interface specifies what should occur if a security 

violation occurs—the MAC address is seen connected to a different port. Three 
options are possible:

■ 

protect

  When the number of secure addresses reaches the maximum 

number allowed, any additionally learned addresses will be dropped. This 
applies only if you have enabled the sticky option, discussed in the next 
paragraph.

■ 

restrict

  Causes the switch to generate a security violation alert.

■ 

shutdown

  Causes the switch to generate an alert and to disable the 

interface. The only way to re-enable the interface is to use the 

no shutdown

 

command. This is the default violation mode if you don’t specify the mode.

Be familiar with configuring 

port security with the 

switchport 

port-security

 commands (enabling it, 

limiting the MAC addresses, violation mode, 
and sticky learning).

Set the maximum to 

1 address for an interface to prevent 
spoofing of MAC addresses: only one 
MAC address is learned.

ch12.indd   376

3/12/08   4:45:12 PM

Summary of Contents for WS-C2960G-8TC-L

Page 1: ...r 12 Blind Folio 357 12 Initial Switch Configuration CERTIFICATION OBJECTIVES 12 01 2960 Overview 12 02 Switch Startup 12 03 Basic Switch Configuration 12 04 Basic Switch Operation andVerification 12 05 Port Security Feature Two Minute Drill Q A Self Test ch12 indd 357 3 12 08 4 45 00 PM ...

Page 2: ... comes with the LAN based software image which provides advanced quality of service rate limiting access control list ACL and many other features Table 12 1 compares the 2960 switches and their port types and capacities The dual purpose Gigabit Ethernet GE port supports a 10 100 1000 port and an SFP fiber port where one of the two ports not both can be used If a 2960 supports dual ports this is di...

Page 3: ...aseTX ports For the 10 100 ports the ports are numbered in the first column 1 at the top and 2 at the bottom in the second column 3 at the top and 4 at the bottom and so on The front of the chassis contains the MODE button as well as the LEDs The rear of the chassis has the management connections You ll notice that no toggle switch is included to turn the switch on or off To turn the switch on plu...

Page 4: ...he MODE LED will change from STAT to DUPLX The LEDs above each of the ports will reflect the duplex setting of the associated port If the LED above the port is off the port is set to half duplex if the LED is green the port is set to full duplex By pressing the MODE button again the MODE LED will change from DUPLX to SPEED The 2960 supports 10 100 and 10 100 1000 ports When the mode LED is set to ...

Page 5: ...The following sections discuss these processes TABLE 12 3 Status Mode and Port LEDs LED Color LED Meaning Green A powered up physical layer connection to the device is attached to the port Flashing green Traffic is entering and or leaving the port Flashing green and amber An operational problem is occurring with the port perhaps excessive errors or a connection problem Amber The port has been disa...

Page 6: ...t at least one test has failed during POST which is usually catastrophic for the switch in other words the switch won t boot up Running POST takes about a minute Assuming that the POST tests pass at least the critical ones the IOS continues executing Once the IOS completely loads a configuration is found and applied to the switch and you ll be presented with the User EXEC prompt assuming you are c...

Page 7: ...4 Aug 07 01 55 by myl Image text base 0x00003000 data base 0x00FC0000 Initializing flashfs flashfs 1 602 files 19 directories flashfs 1 0 orphaned files 0 orphaned directories flashfs 1 Total bytes 32514048 flashfs 1 Initialization complete done Initializing flashfs POST CPU MIC register Tests Begin POST CPU MIC register Tests End Status Passed POST PortASIC Memory Tests Begin POST PortASIC Memory...

Page 8: ...00 Motherboard assembly number 73 10390 04 Power supply part number 341 0097 02 Motherboard serial number FOC11305QDR Power supply serial number AZS113104M2 Model revision number D0 Motherboard revision number A0 Model number WS C2950 24TT L System serial number FOC1131W4NR Top Assembly Part Number 800 27221 03 Top Assembly Revision Number A0 Version ID V03 CLEI Code Number COM3L00BRB Hardware Boa...

Page 9: ...tings are in square brackets Basic management setup configures only enough connectivity for management of the system extended setup will ask you to configure each interface on the system Would you like to enter basic management setup yes no yes Configuring global parameters Enter host name Switch The enable secret is a password used to protect access to privileged EXEC and configuration modes This...

Page 10: ...igure IP on this interface no yes IP address for this interface 192 168 1 253 Subnet mask for this interface 255 255 255 0 Class C network is 192 168 1 0 24 subnet bits mask is 24 Would you like to enable as a cluster command switch yes no no The following configuration command script was created hostname Switch enable secret 5 1 N L t4q9Jw5DTffPTPE KkKNX enable password boson line vty 0 15 passwo...

Page 11: ... Configuration Common IOS configuration tasks for switches and routers such as assigning a hostname setting up passwords for User and Privilege EXEC access and configuring hardware characteristics for interfaces speed and duplexing were discussed in Chapter 11 This section addresses how to assign an IP address and default gateway address to your switch so that you can access it remotely You ll als...

Page 12: ...nce you re working in the VLAN interface use the ip address command to assign the address and subnet mask Next assign the default gateway ip default gateway This command is necessary if the switch needs to communicate with other devices via IP that are located in other subnets Example Configuration Now let s pull together the basic configuration tasks from Chapter 11 as well as the above configurat...

Page 13: ...255 255 255 0 Switch A config vlan exit Switch A config ip default gateway 10 0 1 1 Switch A config end Switch A copy running config startup config In this example the switch was given a hostname Switch A passwords for the console VTYs Privilege EXEC mode a login banner an IP address for VLAN 1 and a default gateway plus I saved the switch s configuration to NVRAM 12 02 The CD includes a multimedi...

Page 14: ... address of 192 168 1 2 24 to the 2960 in VLAN 1 with a default gateway of 192 168 1 1 4 Access User EXEC mode Type enable to go to Privilege EXEC mode and then type configure terminal to access Configuration mode Your prompt should look like this Switch config 5 Enter the VLAN interface with interface vlan1 6 Enter the addressing information ip address 192 168 1 2 255 255 255 0 Enable the interfa...

Page 15: ... pinging Host 1 and the 2950 1 switch ping 192 168 1 10 and ping 192 168 1 2 The pings should be successful Now configure the 2950 3 switch The commands are the same except use the appropriate configuration information the IP address is 192 168 3 2 24 Test connectivity to the 2600 1 and Host 4 1 Click the eSwitches icon in the toolbar and select 2950 3 2 On the 2950 3 switch access User EXEC mode ...

Page 16: ...an example of the use of this command based on the network shown in Figure 12 2 Switch show mac address table Mac Address Table Vlan Mac Address Type Ports All 0000 0000 0001 STATIC CPU All 0000 0000 0002 STATIC CPU 1 0000 1111 AAAA DYNAMIC FA0 1 1 0000 1111 CCCC DYNAMIC FA0 2 1 0000 1111 BBBB DYNAMIC FA0 3 Total Mac Addresses for this criterion 12 In this example all the STATIC entries represent ...

Page 17: ...ve that device to a different port even though the switch will see the change the static entry will always override the learning function of the switch On a 2960 switch use the following command to create a static entry in the CAM table Switch config mac address table static MAC_address vlan VLAN_ interface type module port_ In addition to specifying the MAC address of the device and the interface...

Page 18: ... menu bar click the eSwitches icon and choose 2950 1 5 Enter Privilege EXEC mode by typing enable View the CAM table by typing show mac address table 6 Clear the CAM table by typing clear mac address table dynamic 7 On the 2950 1 ping Host 1 type ping 192 168 1 10 Examine the CAM table show mac address table What is the MAC address of Host 1 The MAC address will be different for each computer on w...

Page 19: ... you allow this would also be considered a violation As an administrator you control what should happen when a violation occurs be it generating a notification about the issue dropping traffic for the MAC address that caused the violation or completely disabling the port where the violation occurred The port security feature will not work on trunk ports Chapter 13 switch port analyzer ports SPANs ...

Page 20: ... maximum specifies the maximum number of devices that can be associated with the interface This defaults to 1 and can range from 1 to 132 The fifth command on the interface specifies what should occur if a security violation occurs the MAC address is seen connected to a different port Three options are possible protect When the number of secure addresses reaches the maximum number allowed any addi...

Page 21: ...y secure addresses Basically sticky learning lets you avoid having to configure the MAC addresses associated with the interface If you don t statically define the MAC addresses or use sticky learning to learn them with port security dynamic learning is used Dynamic learning is similar to sticky learning in that the switch will learn the MAC addresses dynamically off of the interface up to the maxi...

Page 22: ... port security command switch show port security Port MaxSecureAddr CurrentAddr SecurityViolation Security Action Count Count Count Fa0 1 10 10 0 Shutdown Fa0 2 1 1 0 Restrict Total Addresses in System 21 Max Addresses limit in System 6176 In this example 10 MAC addresses can be learned off of FA0 1 10 have been learned and the violation mode is shut down but currently no violations have occurred ...

Page 23: ...ce and assigning a default gateway address Know when you must configure a default gateway address on a switch Basic Switch Operation and Verification Understand how to view the MAC addresses in the MAC address table show mac address table and how to compare incoming frames to the table to determine how the switch will forward the frame Port Security Feature Of the five sections in this chapter thi...

Page 24: ...ly minimally it will need an IP address associated with a VLAN interface vlan and ip address and a default gateway address ip default gateway To view the MAC addresses the switch learns use the show mac address table command Port security can be used to prevent unauthorized access to a LAN Addresses can be learned dynamically not saved using sticky learning saved or statically configured A violati...

Page 25: ...ound and loaded If a configuration file cannot be found when booting up the System Configuration Dialog questions can be answered to place a basic configuration on the switch Basic Switch Configuration An IP address can be assigned to a VLAN interface on a switch for accessing it remotely via telnet or SSH or to back up its configuration or upgrade its IOS using the ip address command The ip defau...

Page 26: ...hapter 12 The defaults for port security are learning one MAC address on the interface with a violation mode of shutdown Sticky learning allows a switch to dynamically learn which MAC addresses are associated with an interface as well as saving these in the running configuration of the switch ch12 indd 382 3 12 08 4 45 14 PM ...

Page 27: ...T LED is amber on one of the two PCs switch port connections C The SYSTEM LED is off D The MIC connectors on the Ethernet cables are not seated correctly in the switch ports Switch Startup 3 Which of the following is not asked for during the System Configuration Dialog script A Enabling interfaces B Default gateway address C VLAN interface to use for management functions D Enable secret password B...

Page 28: ...1111 AAAA DYNAMIC FA0 1 1 0000 1111 CCCC DYNAMIC FA0 2 1 0000 1111 BBBB DYNAMIC FA0 3 A Flood it B Drop it C Forward it out FA0 1 D Forward it out of FA0 1 and FA0 2 Port Security Feature 8 Which switch feature is used to prevent unauthorized access to a LAN A Port security B Port security and 802 1Q C VTY passwords D Enable password 9 Which of the following is not a default configuration for port...

Page 29: ...itches B C and D are asked for and are thus incorrect answers Basic Switch Configuration 4 C The ip default gateway command is a Global configuration mode command A is incorrect because the Interface mode is used to assign an IP address to a VLAN interface B is incorrect because Line mode is used to restrict User EXEC access to the switch D is a nonexistent configuration mode 5 Here is how to conf...

Page 30: ...ct because 802 1Q is a VLAN trunking protocol C and D are used to restrict access to the switch not to the LAN for which the switch provides connectivity 9 C Dynamic not sticky learning is the default A B and D are defaults and thus incorrect 10 D You should statically define MAC addresses of servers and routers when using port security A and C are used for user ports B is a nonexistent learning m...

Reviews:

No comments