Cisco Networking Academy's Introduction to Basic Switching Concepts and Configuration
Date: Mar 31, 2014 By Cisco Networking Academy. Sample Chapter is provided courtesy of Cisco Press.
This chapter examines some of the basic switch configuration settings required to maintain a secure, available, switched LAN environment.
Objectives
Upon completion of this chapter, you will be able to answer the following questions:
What are the steps a switch takes after power is applied?
What is the function of the boot loader if the operating system is corrupt or missing?
How might the switch LEDs help with troubleshooting?
What are the steps taken to configure a Cisco switch with an IP address, subnet mask, and default gateway?
What interface is used to apply an IP address to a Cisco switch?
What functionality is available once a switch has an IP address and default gateway?
What type of customization can be applied to a switch port?
What tools can be used to troubleshoot a Layer 1 or 2 problem?
What steps are required to configure a switch for SSH access?
What are some common security attacks that affect switches?
What mitigation tools could be used on a Cisco switch to prevent or react to a security attack?
What are best practices for switch security?
What steps are required to configure switch security?
What is the purpose of NTP?
Key Terms
This chapter uses the following key terms. You can find the definitions in the Glossary.
boot loader page 36
switch virtual interface (SVI) page 40
automatic medium-dependent interface crossover (auto-MDIX) page 46
runt page 51
giant page 51
CRC error page 52
late collision page 52
Secure Shell (SSH) page 55
MAC address table overflow attack page 60
MAC flooding attack page 60
DHCP starvation attack page 63
denial of service (DoS) attack page 63
DHCP spoofing attacks page 63
Cisco Discovery Protocol (CDP) page 64
brute force password attack page 65
Telnet DoS attack page 65
security audit page 67
penetration testing page 67
DHCP snooping page 69
trusted port page 69
untrusted port page 69
port security page 71
static secure MAC address page 71
dynamic secure MAC address page 72
sticky secure MAC address page 72
Network Time Protocol (NTP) page 78
Introduction (2.0.1.1)
http://www.ciscopress.com/articles/printerfriendly/2181836 1/37
3/5/2017 Cisco Networking Academy's Introduction to Basic Switching Concepts and Configuration | Objectives
Switches are used to connect multiple devices on the same network. In a properly designed network, LAN switches are responsible for directing and controlling the data flow at the access layer to networked resources.
Cisco switches are self-configuring and no additional configurations are necessary for them to function out of the box. However, Cisco switches run Cisco IOS, and can be manually configured to better meet the needs of the network. This includes adjusting port speed and bandwidth, as well as implementing security requirements.
Additionally, Cisco switches can be managed both locally and remotely. To remotely manage a switch, it needs to have an IP address and default gateway configured. These are just two of the configurations discussed in this chapter.
Switches operate at the access layer where client network devices connect directly to the network and IT departments want uncomplicated network access for the users. The access layer is one of the most vulnerable areas of the network because it is so exposed to the user. Switches need to be configured to be resilient to attacks of all types while they are protecting user data and allowing for high-speed connections. Port security is one of the security features Cisco managed switches provide.
This chapter examines some of the basic switch configuration settings required to maintain a secure, available, switched LAN environment.
Class Activity 2.0.1.2: Stand by Me
Scenario
When you arrived at class today, you were given a number by your instructor to use for this introductory class activity.
When class begins, your instructor will ask certain students with specific numbers to stand. Your job is to record the standing students' numbers for each scenario.
Scenario 1: Students with numbers starting with the number 5 should stand. Record the numbers of the standing students.
Scenario 2: Students with numbers ending in B should stand. Record the numbers of the standing students.
Scenario 3: Students with the number 504C should stand. Record the number of the standing student.
At the end of this activity, divide into small groups and record answers to the Reflection questions on the PDF contained in the online course.
Save your work and be prepared to share it with another student or the entire class.
Basic Switch Configuration (2.1)
Switches are one of the most numerous devices installed onto the corporate network infrastructure. Configuring them can be fun and challenging. Knowing how switches normally boot and load an operating system is also important.
Switch Boot Sequence (2.1.1.1)
After a Cisco switch is powered on, it goes through the following boot sequence:
Step 1. First, the switch loads a power-on self-test (POST) program stored in ROM. POST checks the CPU subsystem. It tests the CPU, DRAM, and the portion of the flash device that makes up the flash file system.
Step 2. Next, the switch loads the boot loader software. The boot loader is a small program stored in ROM and is run immediately after POST successfully completes.
Step 3. The boot loader performs low-level CPU initialization. It initializes the CPU registers that control where physical memory is mapped, the quantity of memory, and memory speed.
Step 4. The boot loader initializes the flash file system on the system board.
Step 5. Finally, the boot loader locates and loads a default IOS operating system software image into memory and hands control of the switch over to the IOS.
The boot loader finds the Cisco IOS image on the switch using the following process: The switch attempts to automatically boot by using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable file it can by performing a recursive, depth-first search throughout the flash file system. In a depth-first search of a directory, each encountered subdirectory is completely searched before continuing the search in the original directory. On Catalyst 2960 Series switches, the image file is normally contained in a directory that has the same name as the image file (excluding the .bin file extension).
The IOS operating system then initializes the interfaces using the Cisco IOS commands found in the configuration file, startup-config, which is stored in NVRAM.
In Figure 2-1, the BOOT environment variable is set using the boot system global configuration mode command. Use the show bootvar command (show boot in older IOS versions) to see the current IOS boot file version.
Figure 2-1 Configure BOOT Environment Variable
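The image-selection process just described (BOOT variable first, otherwise a recursive depth-first search of flash) as an added example, not code from the chapter. It assumes flash is modelled as a nested dict, that the .bin file is the executable the boot loader is looking for, and that every file name is made up.

```python
"""Added example (not from the chapter): a model of how the Catalyst boot
loader picks an IOS image, following the process the text describes.

Assumptions: flash is a nested dict (a sub-dict is a directory, None is a
plain file); "executable" means a name ending in ".bin"; the BOOT variable,
when set, holds a path such as "flash:/dir/image.bin". All names are made up.
"""
from typing import Dict, Optional, Union

FlashTree = Dict[str, Union["FlashTree", None]]  # dict = directory, None = file


def is_executable(name: str) -> bool:
    """Treat the .bin image as the executable the boot loader wants (assumption)."""
    return name.endswith(".bin")


def dfs_first_executable(tree: FlashTree, prefix: str = "flash:") -> Optional[str]:
    """Recursive, depth-first search of the flash file system.

    Each subdirectory encountered is searched completely before the search
    continues with the remaining entries of the directory that contained it.
    """
    for name, entry in tree.items():
        path = f"{prefix}/{name}"
        if isinstance(entry, dict):          # subdirectory: descend fully first
            found = dfs_first_executable(entry, path)
            if found is not None:
                return found
        elif is_executable(name):            # plain file: first executable wins
            return path
    return None


def path_exists(tree: FlashTree, path: str) -> bool:
    """True when 'path' (flash:/a/b/c) names a plain file in the tree."""
    _, _, rest = path.partition(":")
    node = tree
    for part in rest.strip("/").split("/"):
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    return node is None


def locate_ios_image(tree: FlashTree, boot_var: Optional[str] = None) -> Optional[str]:
    """Image the boot loader would load: the BOOT variable when it is set and
    names an existing file, otherwise the first executable found depth-first.
    (Falling back to the search when BOOT names a missing file is an
    assumption of this model.)"""
    if boot_var and path_exists(tree, boot_var):
        return boot_var
    return dfs_first_executable(tree)


# Constructed flash layout: the image lives in a directory of the same name
# (minus .bin), as on a Catalyst 2960. Insertion order is the search order.
SAMPLE_FLASH: FlashTree = {
    "info": None,
    "c2960-example-image": {
        "html": {"index.html": None, "logo.gif": None},
        "info": None,
        "c2960-example-image.bin": None,
    },
    "config.text": None,
    "vlan.dat": None,
}

if __name__ == "__main__":
    print("BOOT unset ->", locate_ios_image(SAMPLE_FLASH))
    print("BOOT set   ->", locate_ios_image(
        SAMPLE_FLASH, "flash:/c2960-example-image/c2960-example-image.bin"))
```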
Recovering from a System Crash (2.1.1.2)
The boot loader provides access into the switch if the operating system cannot be used because of missing or damaged system files. The boot loader has a command line that provides access to files stored in flash memory.
The boot loader can be accessed through a console connection using these steps:
Step 1. Connect a console cable from the PC to the switch console port. Configure terminal emulation software to connect to the switch.
Step 2. Unplug the switch power cord.
Step 3. Reconnect the power cord to the switch and within 15 seconds press and hold down the Mode button while the System LED is still flashing green.
Step 4. Continue pressing the Mode button until the System LED turns briefly amber and then solid green; then release the Mode button.
Step 5. The boot loader switch: prompt appears in the terminal emulation software on the PC.
The boot loader command line supports commands to format the flash file system, reinstall the operating system software, and recover from a lost or forgotten password. For example, the dir command can be used to view a list of files within a specified directory as shown in Figure 2-2.
Figure 2-2 Directory Listing in Boot Loader
Switch LED Indicators (2.1.1.3)
Cisco Catalyst switches have several status LED indicator lights. You can use the switch LEDs to quickly monitor switch activity and its performance. Switches of different models and feature sets will have different LEDs, and their placement on the front panel of the switch may also vary.
Figure 2-3 shows the switch LEDs and the Mode button for a Cisco Catalyst 2960 switch. The Mode button is used to toggle through port status, port duplex, port speed, and PoE (if supported) status of the port LEDs.
Figure 2-3 Cisco 2960 Switch LEDs
Table 2-1 contains the purpose of the Cisco 2960 switch LED indicators, and the meaning of their colors.
Table 2-1 Purpose of Cisco Switch LEDs
System LED: Shows whether the system is receiving power and is functioning properly. If the LED is off, it means the system is not powered. If the LED is green, the system is operating normally. If the LED is amber, the system is receiving power but is not functioning properly.
Redundant Power System (RPS) LED: Shows the RPS status. If the LED is off, the RPS is off or not properly connected. If the LED is green, the RPS is connected and ready to provide backup power. If the LED is blinking green, the RPS is connected but is unavailable because it is providing power to another device. If the LED is amber, the RPS is in standby mode or in a fault condition. If the LED is blinking amber, the internal power supply in the switch has failed, and the RPS is providing power.
Port Status LED: Indicates that the port status mode is selected when the LED is green. This is the default mode. When selected, the port LEDs will display colors with different meanings. If the LED is off, there is no link, or the port was administratively shut down. If the LED is green, a link is present. If the LED is blinking green, there is activity and the port is sending or receiving data. If the LED is alternating green-amber, there is a link fault. If the LED is amber, the port is blocked to ensure a loop does not exist in the forwarding domain and is not forwarding data (typically, ports will remain in this state for the first 30 seconds after being activated). If the LED is blinking amber, the port is blocked to prevent a possible loop in the forwarding domain.
Port Duplex LED: Indicates the port duplex mode is selected when the LED is green. When selected, port LEDs that are off are in half-duplex mode. If the port LED is green, the port is in full-duplex mode.
Port Speed LED: Indicates the port speed mode is selected. When selected, the port LEDs will display colors with different meanings. If the LED is off, the port is operating at 10 Mb/s. If the LED is green, the port is operating at 100 Mb/s. If the LED is blinking green, the port is operating at 1000 Mb/s.
Power over Ethernet (PoE) Mode LED: If PoE is supported, a PoE mode LED will be present. If the LED is off, it indicates the PoE mode is not selected and none of the ports have been denied power or placed in a fault condition. If the LED is blinking amber, the PoE mode is not selected but at least one of the ports has been denied power, or has a PoE fault. If the LED is green, it indicates the PoE mode is selected and the port LEDs will display colors with different meanings. If the port LED is off, PoE is off. If the port LED is green, PoE is being provided to a device. If the port LED is alternating green-amber, PoE is denied because providing power to the powered device will exceed the switch power capacity. If the LED is blinking amber, PoE is off due to a fault. If the LED is amber, PoE for the port has been disabled.
Preparing for Basic Switch Management (2.1.1.4)
To prepare a switch for remote management access, the switch must be configured with an IP address and a subnet mask. Keep in mind that to manage the switch from a remote network, the switch must be configured with a default gateway. This is very similar to configuring the IP address information on host devices. In Figure 2-4, the switch virtual interface (SVI) on S1 should be assigned an IP address. The SVI is a virtual interface, not a physical port on the switch.
Figure 2-4 Preparing for Remote Switch Management
SVI is a concept related to VLANs. VLANs are numbered logical groups to which physical ports can be assigned. Configurations and settings applied to a VLAN are also applied to all the ports assigned to that VLAN.
By default, the switch is configured to have the management of the switch controlled through VLAN 1. All ports are assigned to VLAN 1 by default. For security purposes, it is considered a best practice to use a VLAN other than VLAN 1 for the management VLAN. Furthermore, it is also a best practice to use a VLAN that is not used by end devices such as users and printers.
NOTE
These IP settings are only for remote management access to the switch; assigning an IP address to the switch does not allow the switch to route Layer 3 packets.
Configuring Basic Switch Management Access with IPv4 (2.1.1.5)
Step 1. Configure the Management Interface.
An IP address and subnet mask is configured on the management SVI of the switch from VLAN interface configuration mode. As shown in Table 2-2, the interface vlan 99 command is used to enter interface configuration mode. The ip address command is used to configure the IP address. The no shutdown command enables the interface.
Table 2-2 Configure the Switch Management Interface
Enter global configuration mode.                 S1# configure terminal
Enter interface configuration mode for the SVI.  S1(config)# interface vlan 99
Configure the management interface IP address.   S1(config-if)# ip address 172.17.99.11 255.255.0.0
Enable the management interface.                 S1(config-if)# no shutdown
Return to privileged EXEC mode.                  S1(config-if)# end
Save the running config to the startup config.   S1# copy running-config startup-config
In this example, VLAN 99 is configured with the IP address and mask of 172.17.99.11 255.255.0.0.
To create a VLAN with the vlan_id of 99 and associate it to an interface, use the following commands:
S1(config)# vlan vlan_id
S1(config-vlan)# name vlan_name
S1(config-vlan)# end
S1# configure terminal
S1(config)# interface interface_id
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan vlan_id
NOTE
The SVI for VLAN 99 will not appear as up/up until VLAN 99 is created, the IP address assigned to the SVI, the no shutdown command entered, and either (1) a device is connected to an access port associated with VLAN 99 (not a best practice) or (2) a trunk link (covered in the VLAN chapter) connects to another network device such as a switch.
Step 2. Configure the Default Gateway.
The switch should be configured with a default gateway if the switch will be managed remotely from networks not directly connected. The default gateway is the first Layer 3 device (such as a router) on the same management VLAN network to which the switch connects. The switch will forward IP packets with destination IP addresses outside the local network to the default gateway. As shown in Table 2-3 and Figure 2-5, R1 is the default gateway for S1. The interface on R1 connected to the switch has IP address 172.17.99.1. This address is the default gateway address for S1.
Table 2-3 Commands to Configure a Switch Default Gateway
Enter global configuration mode.                 S1# configure terminal
Configure the switch default gateway.            S1(config)# ip default-gateway 172.17.99.1
Return to privileged EXEC mode.                  S1(config)# end
Save the running config to the startup config.   S1# copy running-config startup-config
Figure 2-5 Configuring the Switch Default Gateway
To configure the default gateway for the switch, use the ip default-gateway command. Enter the IP address of the default gateway. The default gateway is the IP address of the router interface to which the switch connects. Use the following command to back up the configuration: copy running-config startup-config.
Step 3. Verify the Configuration.
As shown in Figure 2-6, the show ip interface brief command is useful when determining the status of both physical and virtual interfaces. The output shown in Figure 2-6 confirms that interface VLAN 99 has been configured with an IP address and a subnet mask, and that FastEthernet port Fa0/18 has been assigned to the VLAN 99 management interface. Both interfaces are now up/up and operational.
Figure 2-6 Verifying the Switch Management Interface Configuration
Lab 2.1.1.6: Basic Switch Configuration
In this lab, you will complete the following objectives:
Part 1: Cable the Network and Verify the Default Switch Configuration
Part 2: Configure Basic Network Device Settings
Part 3: Verify and Test Network Connectivity
Part 4: Manage the MAC Address Table
Configure Switch Ports (2.1.2)
Port configuration starts with the basics of duplex and speed. Sometimes switch ports must have their duplex mode and speed manually configured. Most of the time the technician simply connects a cable and lets the network device and switch automatically negotiate these parameters. There are also times when things go awry and there are issues. This section helps you with these basic concepts.
Duplex Communication (2.1.2.1)
Figure 2-7 illustrates full-duplex and half-duplex communication.
Figure 2-7 Duplex Modes
Full-duplex communication improves the performance of a switched LAN. Full-duplex communication increases effective bandwidth by allowing both ends of a connection to
transmit and receive data simultaneously. This is also known as bidirectional communication. This method of optimizing network performance requires micro-segmentation. A micro-segmented LAN is created when a switch port has only one device connected and is operating at full-duplex. This results in a micro-size collision domain of a single device. Because there is only one device connected, a micro-segmented LAN is collision free.
Unlike full-duplex communication, half-duplex communication is unidirectional. Sending and receiving data does not occur at the same time. Half-duplex communication creates performance issues because data can flow in only one direction at a time, often resulting in collisions. Half-duplex connections are typically seen in older hardware, such as hubs. Full-duplex communication has replaced half-duplex in most hardware.
Most Ethernet and Fast Ethernet NICs sold today offer full-duplex capability. Gigabit Ethernet and 10Gb NICs require full-duplex connections to operate. In full-duplex mode, the collision detection circuit on the NIC is disabled. Frames that are sent by the two connected devices cannot collide because the devices use two separate circuits in the network cable. Full-duplex connections require a switch that supports full-duplex configuration, or a direct connection using an Ethernet cable between two devices.
Standard, shared hub-based Ethernet configuration efficiency is typically rated at 50 to 60 percent of the stated bandwidth. Full-duplex offers 100 percent efficiency in both directions (transmitting and receiving). This results in a 200 percent potential use of the stated bandwidth.
Configure Switch Ports at the Physical Layer (2.1.2.2)
Just as a network card in a PC can have specific conditions such as duplex and speed set, so too can a switch port. This section examines how to configure specific parameters on a Cisco switch port and introduces auto-MDIX.
Duplex and Speed
Switch ports can be manually configured with specific duplex and speed settings. Use the duplex interface configuration mode command to manually specify the duplex mode for a switch port. Use the speed interface configuration mode command to manually specify the speed for a switch port. In Figure 2-8 and Table 2-4, port F0/1 on switches S1 and S2 is manually configured with the full keyword for the duplex command and the 100 keyword for the speed command.
Figure 2-8 Manually Configure Duplex and Speed
Table 2-4 Cisco Switch Port Configuration
Enter global configuration mode.                 S1# configure terminal
Enter interface configuration mode.              S1(config)# interface fastethernet 0/1
Configure the interface duplex mode.             S1(config-if)# duplex full
Configure the interface speed.                   S1(config-if)# speed 100
Return to privileged EXEC mode.                  S1(config-if)# end
Save the running config to the startup config.   S1# copy running-config startup-config
The default setting for both duplex and speed for switch ports on Cisco Catalyst 2960 and 3560 switches is auto. The 10/100/1000 ports operate in either half- or full-duplex mode when they are set to 10 or 100 Mb/s, but when they are set to 1000 Mb/s (1 Gb/s), they operate only in full-duplex mode. When troubleshooting switch port issues, the duplex and speed settings should be checked.
NOTE
Mismatched settings for the duplex mode and speed of switch ports can cause connectivity issues. Autonegotiation failure creates mismatched settings. Cisco recommends using the auto command for duplex and manually configuring interface speed using the speed command in order to avoid connectivity issues between devices.
All fiber-optic ports, such as 100BASE-FX ports, operate only at one preset speed and are always full-duplex.
Activity 2.1.2.2: Configure Switch Port Duplex and Speed
Access the second figure in the online course to use the Syntax Checker to practice configuring port Fa0/1 of switch S1.
Note
The video and interactive content described in this chapter are only available to students enrolled in related Cisco Networking Academy courses and not in this sample.
Auto-MDIX (2.1.2.3)
Until recently, certain cable types (straight-through or crossover) were required when connecting devices. Switch-to-switch or switch-to-router connections required using different Ethernet cables. Using the automatic medium-dependent interface crossover (auto-MDIX) feature on an interface eliminates this problem. When auto-MDIX is enabled, the interface automatically detects the required cable connection type (straight-through or crossover) and configures the connection appropriately. When connecting to switches without the auto-MDIX feature, straight-through cables must be used to connect to devices such as servers, workstations, or routers. Crossover cables must be used to connect a switch to another switch or repeater.
With auto-MDIX enabled, either type of cable can be used to connect to other devices, and the interface automatically corrects for any incorrect cabling. On newer Cisco routers and switches, the mdix auto interface configuration mode command enables the feature. When using auto-MDIX on an interface, the interface speed and duplex must be set to auto so that the feature operates correctly.
Figure 2-9 shows the topology, and Table 2-5 shows the commands to enable auto-MDIX.
Figure 2-9 Configure Auto-MDIX
Table 2-5 Cisco Switch Auto-MDIX Commands
Enter global configuration mode.                                                               S1# configure terminal
Enter interface configuration mode.                                                            S1(config)# interface fastethernet 0/1
Configure the interface to automatically negotiate the duplex mode with the connected device.  S1(config-if)# duplex auto
Configure the interface to automatically negotiate speed with the connected device.            S1(config-if)# speed auto
Enable auto-MDIX on the interface.                                                             S1(config-if)# mdix auto
Return to privileged EXEC mode.                                                                S1(config-if)# end
Save the running config to the startup config.                                                 S1# copy running-config startup-config
NOTE
The auto-MDIX feature is enabled by default on Catalyst 2960 and Catalyst 3560 switches but is not available on the older Catalyst 2950 and Catalyst 3550 switches.
To examine the auto-MDIX setting for a specific interface, use the show controllers ethernet-controller command with the argument interface-id and the phy keyword. To limit the output to lines referencing auto-MDIX, use the include Auto-MDIX filter. As shown in Figure 2-10, the output indicates On or Off for the feature.
Figure 2-10 Verify Auto-MDIX
Activity 2.1.2.3: Enable Auto-MDIX
Go to the online course and select the third graphic to use the Syntax Checker to practice configuring the FastEthernet 0/1 interface on S2 for auto-MDIX.
Verifying Switch Port Configuration (2.1.2.4)
Table 2-6 describes some of the options for the show command that are helpful in verifying common configurable switch features.
Table 2-6 Switch Verification Commands
Display interface status and configuration.        S1# show interfaces [interface-id]
Display current startup configuration.             S1# show startup-config
Display current operating configuration.           S1# show running-config
Display information about the flash file system.   S1# show flash:
Display status of system hardware and software.    S1# show version
Display a history of commands entered.             S1# show history
Display IP information about an interface.         S1# show ip [interface-id]
Display the MAC address table.                     S1# show mac address-table or S1# show mac-address-table
Look at the sample abbreviated output from the show running-config command. Use this command to verify that the switch has been correctly configured. As seen in the output for S1, some key information is shown:
FastEthernet0/18 interface configured with the management VLAN 99
VLAN 99 configured with an IP address of 172.17.99.11 255.255.0.0
Default gateway set to 172.17.99.1
S1# show running-config
Building configuration...
Current configuration : 1664 bytes
!
<output omitted>
!
interface FastEthernet0/18
 switchport access vlan 99
 switchport mode access
!
<output omitted>
!
interface Vlan99
 ip address 172.17.99.11 255.255.0.0
!
<output omitted>
!
ip default-gateway 172.17.99.1
!
<output omitted>
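Checking a running-config capture like the one above against the rules of this section (an SVI with an address, a default gateway inside the management subnet, a management VLAN other than VLAN 1 and free of end devices), as an added example that is not the chapter's code. The config text is constructed from the page's S1 values; the one-space indentation of interface sub-commands is an assumption about how the capture looks.

```python
"""Added example (not from the chapter): verify the management-access part of
a show running-config capture against the rules in this section.

Assumptions: plain running-config text as printed by IOS, with interface
sub-commands indented by one space; the sample below is constructed from the
chapter's values.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed capture mirroring the chapter's S1 configuration.
SAMPLE_RUNNING_CONFIG = """\
!
interface FastEthernet0/18
 switchport access vlan 99
 switchport mode access
!
interface Vlan99
 ip address 172.17.99.11 255.255.0.0
!
ip default-gateway 172.17.99.1
!
"""


@dataclass
class ManagementConfig:
    svis: Dict[int, Tuple[str, str]]   # VLAN id -> (address, mask)
    access_vlans: Dict[str, int]       # interface -> access VLAN
    gateway: Optional[str]


def parse_management_config(config_text: str) -> ManagementConfig:
    """Collect SVI addresses, access-port VLAN assignments and the gateway."""
    cfg = ManagementConfig({}, {}, None)
    current: Optional[str] = None          # interface block we are inside
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            continue
        if not line.startswith(" "):       # any other top-level line ends the block
            current = None
            m = re.match(r"ip default-gateway (\S+)", line)
            if m:
                cfg.gateway = m.group(1)
            continue
        if current is None:
            continue
        cmd = line.strip()
        if current.lower().startswith("vlan"):
            m = re.match(r"ip address (\S+) (\S+)", cmd)
            if m:
                cfg.svis[int(current[4:])] = (m.group(1), m.group(2))
        else:
            m = re.match(r"switchport access vlan (\d+)", cmd)
            if m:
                cfg.access_vlans[current] = int(m.group(1))
    return cfg


def check_management_access(config_text: str, management_vlan: int) -> List[str]:
    """Return findings; an empty list means the capture follows the section."""
    cfg = parse_management_config(config_text)
    findings: List[str] = []
    svi = cfg.svis.get(management_vlan)
    if svi is None:
        findings.append(f"no IP address on interface Vlan{management_vlan}: "
                        "remote management is not possible")
        return findings
    if management_vlan == 1:
        findings.append("management VLAN is VLAN 1; use another VLAN for management")
    subnet = ipaddress.IPv4Interface(f"{svi[0]}/{svi[1]}").network
    if cfg.gateway is None:
        findings.append("no ip default-gateway: the switch is reachable only from the local subnet")
    elif ipaddress.IPv4Address(cfg.gateway) not in subnet:
        findings.append(f"default gateway {cfg.gateway} is outside the management subnet {subnet}")
    for intf, vlan in cfg.access_vlans.items():
        if vlan == management_vlan:
            findings.append(f"{intf} is an access port in management VLAN {vlan}; "
                            "end devices should not share the management VLAN")
    return findings


if __name__ == "__main__":
    for finding in check_management_access(SAMPLE_RUNNING_CONFIG, 99):
        print("finding:", finding)
```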
The show interfaces command is another commonly used command, which displays status and statistics information on the network interfaces of the switch. The show interfaces command is frequently used when configuring and monitoring network devices.
Look at the output from the show interfaces fastethernet 0/18 command. The first line in the output indicates that the FastEthernet0/18 interface is up/up, meaning that it is operational. Further down, the output shows that the duplex is full and the speed is 100 Mb/s.
S1# show interfaces fastethernet 0/18
FastEthernet0/18 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0cd9.96e8.8a01 (bia 0cd9.96e8.8a01)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:01, output 00:00:06, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     25994 packets input, 2013962 bytes, 0 no buffer
     Received 22213 broadcasts (21934 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 21934 multicast, 0 pause input
     0 input packets with dribble condition detected
     7203 packets output, 771291 bytes, 0 underruns
<output omitted>
Network Access Layer Issues (2.1.2.5)
The output from the show interfaces command can be used to detect common media issues. One of the most important parts of this output is the display of the line and data link protocol status. The following output and Table 2-7 indicate the summary line to check the status of an interface.
S1# show interfaces fastethernet 0/18
FastEthernet0/18 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0022.91c4.0301 (bia 0022.91c4.0e01)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
<output omitted>
Table 2-7 Verify the Status of a Switch Interface
Based on the output of the show interfaces command, possible problems can be fixed as follows:
If the interface is up and the line protocol is down, a problem exists. There could be an encapsulation type mismatch, the interface on the other end could be error-disabled, or there could be a hardware problem.
If the line protocol and the interface are both down, a cable is not attached or some other interface problem exists. For example, in a back-to-back connection (a connection where the transmitter of one device connects directly to the receiver of another device without a transmission media between the two devices), one end of the connection may be administratively down.
If the interface is administratively down, it has been manually disabled (the shutdown command has been issued) in the active configuration.
The following output shows an example of the show interfaces command. The example shows counters and statistics for the FastEthernet0/1 interface.
S1# show interfaces fastethernet 0/1
FastEthernet0/1 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0022.91c4.0e01 (bia 0022.91c4.0e01)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
<output omitted>
     2295197 packets input, 305539992 bytes, 0 no buffer
     Received 1925500 broadcasts, 0 runts, 0 giants, 0 throttles
     3 input errors, 3 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 68 multicast, 0 pause input
     0 input packets with dribble condition detected
     3594664 packets output, 436549843 bytes, 0 underruns
     8 output errors, 1790 collisions, 10 interface resets
     0 unknown protocol drops
     0 babbles, 235 late collision, 0 deferred
<output omitted>
Some media errors are not severe enough to cause the circuit to fail but do cause network performance issues. Table 2-8 explains some of these common errors that can be detected using the show interfaces command.
Table 2-8 Network Access Layer Issues
Input Errors: Total number of errors. It includes runts, giants, no buffer, CRC, frame, overrun, and ignored counts.
Runts: Packets that are discarded because they are smaller than the minimum packet size for the medium. For instance, any Ethernet packet that is less than 64 bytes is considered a runt.
Giants: Packets that are discarded because they exceed the maximum packet size for the medium. For example, any Ethernet packet that is greater than 1,518 bytes is considered a giant.
CRC errors: CRC errors are generated when the calculated checksum is not the same as the checksum received.
Output Errors: The sum of all errors that prevented the final transmission of datagrams out of the interface that is being examined.
Collisions: The number of messages retransmitted because of an Ethernet collision.
Late Collisions: A collision that occurs after 512 bits of the frame have been transmitted.
Input errors is the sum of all errors in datagrams that were received on the interface being examined. This includes runts, giants, CRC, no buffer, frame, overrun, and ignored counts. The reported input errors from the show interfaces command include the following:
Runt Frames: Ethernet frames that are shorter than the 64-byte minimum allowed length are called runts. Malfunctioning NICs are the usual cause of excessive runt frames, but they can be caused by improperly terminated or unterminated cables, which can also cause excessive collisions.
Giants: Ethernet frames that are longer than the maximum allowed length are called giants. Giants are caused by the same issues as those that cause runts.
CRC errors: On Ethernet and serial interfaces, CRC errors usually indicate a media or cable error. Common causes include electrical interference, loose or damaged connections, or using the incorrect cabling type. If you see many CRC errors, there is too much noise on the link and you should inspect the cable for damage and length. You should also search for and eliminate noise sources, if possible.
Output errors is the sum of all errors that prevented the final transmission of datagrams out of an interface that is being examined. The reported output errors from the show interfaces command include the following:
Collisions: Collisions in half-duplex operations are completely normal, and you should not worry about them, as long as you can tolerate the performance when half-duplex mode is used. However, you should never see collisions in a properly designed and configured network that uses full-duplex communication. It is highly recommended that you use full-duplex unless you have older or legacy equipment that requires half-duplex.
Late collisions: A late collision refers to a collision that occurs after 512 bits of the frame (the preamble) have been transmitted. Excessive cable lengths are the most common cause of late collisions. Another common cause is duplex misconfiguration. For example, you could have one end of a connection configured for full-duplex and the other for half-duplex. You would see late collisions on the interface that is configured for half-duplex. In that case, you must configure the same duplex setting on both ends. A properly designed and configured network should never have late collisions.
Troubleshooting Network Access Layer Issues (2.1.2.6)
Most issues that affect a switched network are encountered during the original implementation. Theoretically, after it is installed, a network continues to operate without problems. However, cabling gets damaged, configurations change, and new devices are connected to the switch that require switch configuration changes. Ongoing maintenance and troubleshooting of the network infrastructure is required.
To troubleshoot these issues when you have no connection or a bad connection between a switch and another device, follow this general process, as shown in Figure 2-11, and explained thereafter.
Figure 2-11 Troubleshooting Switch Media Issues
Use the show interfaces command to check the interface status.
If the interface is down:
Check to make sure that the proper cables are being used. Additionally, check the cable and connectors for damage. If a bad or incorrect cable is suspected, replace the cable.
If the interface is still down, the problem may be due to a mismatch in speed setting. The speed of an interface is typically autonegotiated; therefore, even if speed is manually configured on one interface, the connecting interface should autonegotiate accordingly. If a speed mismatch does occur through misconfiguration or a hardware or software issue, then that may result in the interface going down. Manually set the same speed on both connection ends if an autonegotiation problem is suspected.
If the interface is up, but issues with connectivity are still present:
Using the show interfaces command, check for indications of excessive noise. Indications may include an increase in the counters for runts, giants, and CRC errors. If there is excessive noise, first find and remove the source of the noise, if possible. Also, verify that the cable does not exceed the maximum cable length and check the type of cable that is used. For copper cable, it is recommended that you use at least Category 5.
If noise is not an issue, check for excessive collisions. If there are collisions or late collisions, verify the duplex settings on both ends of the connection. Much like the speed setting, the duplex setting is usually autonegotiated. If there does appear to be a duplex mismatch, manually set the duplex on both connection ends. It is recommended to use full-duplex if both sides support it.
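The decision flow above can be applied mechanically to the counters that show interfaces reports. The following Python script is an added example (not part of the chapter and not a Cisco tool): it parses a constructed show interfaces excerpt (the four interfaces and all counter values are made up for this illustration, laid out the way Catalyst switches print those counter lines) and returns, per interface, which branch of the procedure applies: cable and speed checks for a down interface, a noise check when runts, giants or CRC errors are counted, and a duplex check when collisions or late collisions are counted.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of a Catalyst "show interfaces" display (sample values,
# not output from the chapter), reduced to the lines the procedure looks at.
SAMPLE_SHOW_INTERFACES = """\
FastEthernet0/1 is up, line protocol is up (connected)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
     0 late collision, 0 deferred
FastEthernet0/2 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 342 collisions, 1 interface resets
     57 late collision, 0 deferred
FastEthernet0/3 is up, line protocol is up (connected)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
     118 runts, 4 giants, 0 throttles
     207 input errors, 85 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
     0 late collision, 0 deferred
FastEthernet0/4 is down, line protocol is down (notconnect)
  Auto-duplex, Auto-speed, media type is 10/100BaseTX
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
     0 late collision, 0 deferred
"""

HEADER_RE = re.compile(r"^(\S+) is (up|down), line protocol is (up|down)")


@dataclass
class IfaceCounters:
    name: str
    link_up: bool
    duplex: str
    runts: int
    giants: int
    crc: int
    collisions: int
    late_collisions: int


def _counter(block, label):
    """Read one '<n> <label>' counter out of an interface block (0 if absent)."""
    m = re.search(r"(\d+) " + re.escape(label) + r"\b", block)
    return int(m.group(1)) if m else 0


def parse_show_interfaces(text):
    """Split the display into per-interface counter records."""
    records = []
    for block in re.split(r"(?m)^(?=\S+ is (?:up|down), line protocol)", text):
        m = HEADER_RE.match(block)
        if not m:
            continue
        dup = re.search(r"(Full|Half|Auto)-duplex", block)
        records.append(IfaceCounters(
            name=m.group(1),
            link_up=m.group(2) == "up" and m.group(3) == "up",
            duplex=dup.group(1).lower() if dup else "unknown",
            runts=_counter(block, "runts"),
            giants=_counter(block, "giants"),
            crc=_counter(block, "CRC"),
            collisions=_counter(block, "collisions"),
            late_collisions=_counter(block, "late collision"),
        ))
    return records


def diagnose(iface):
    """Apply the chapter's troubleshooting flow to one interface; return (code, advice)."""
    if not iface.link_up:
        return ("CHECK_CABLE_THEN_SPEED",
                "interface is down: verify cable type and connectors and replace a suspect "
                "cable; if still down, suspect a speed mismatch and set the same speed on both ends")
    if iface.runts or iface.giants or iface.crc:
        return ("NOISE",
                f"runts={iface.runts} giants={iface.giants} crc={iface.crc}: look for a noise "
                "source, check cable length and use at least Category 5 copper")
    if iface.collisions or iface.late_collisions:
        return ("DUPLEX",
                f"collisions={iface.collisions} late={iface.late_collisions} "
                f"({iface.duplex}-duplex): verify duplex on both ends and set full-duplex "
                "on both if supported")
    return ("OK", "no Layer 1/2 symptom in these counters")


def diagnose_all(text):
    """Map each interface name in a show interfaces display to its finding code."""
    return {i.name: diagnose(i)[0] for i in parse_show_interfaces(text)}


if __name__ == "__main__":
    for iface in parse_show_interfaces(SAMPLE_SHOW_INTERFACES):
        code, advice = diagnose(iface)
        print(f"{iface.name}: {code} - {advice}")
```

The counters are cumulative since the last clear counters, so on a real switch compare two readings a minute apart rather than trusting a lifetime total: an old burst of CRC errors from a cable that was since replaced would otherwise keep the interface in the NOISE branch.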
Switch Security: Management and Implementation (2.2)
When you take a new switch out of the box, the first thing the network engineer does is secure the switch and assign it an IP address, subnet mask, and default gateway so the switch can be managed from a remote location. Learning the different methods used to secure a switch is important. Also important is learning the types of attacks that can be launched on, toward, or through a switch. By understanding the attacks and the available tools and countermeasures, a technician can be better prepared to secure the switch and make use of the tools and security commands.
Secure Remote Access (2.2.1)
There are different methods that can be used to remotely manage a switch, including Telnet and SSH. Telnet has already been covered, but SSH is a much better method used to securely manage the switch from a remote location.
SSH Operation (2.2.1.1)
Secure Shell (SSH) is a protocol that provides a secure (encrypted) management connection to a remote device. SSH should replace Telnet for management connections. Telnet is an older protocol that uses insecure plaintext transmission of both the login authentication (username and password) and the data transmitted between the communicating devices. SSH provides security for remote connections by providing strong encryption when a device is authenticated (username and password) and also for the transmitted data between the communicating devices. SSH is assigned to TCP port 22. Telnet is assigned to TCP port 23.
Look at the online course, and select the first graphic to see how an attacker can monitor packets using a product such as Wireshark. A Telnet stream can be targeted to capture the username and password.
In the following output, you can see how the attacker can capture the username and password of the administrator from the plaintext Telnet session.
..........
User Access verification
username:..................P.........vt100..BBoobb
.
Password: cisco
.
R1>eenn
.
Password: class
.
R1#
Click on the third graphic in the online course to see a Wireshark view of an SSH session. The attacker can track the session using the IP address of the administrator device. However, if a Wireshark capture is made on the SSH session, the fourth graphic in the online course shows how the username and password are encrypted.
To enable SSH on a Catalyst 2960 switch, the switch must be using a version of the IOS software that includes cryptographic (encrypted) features and capabilities. In the following output, the show version command is used on the switch to see which IOS the switch is currently running; an IOS filename that includes the combination k9 supports cryptographic (encrypted) features and capabilities.
S1> show version
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M),
Version 15.0(2)SE, RELEASE SOFTWARE (fc1)
<output omitted>
Configuring SSH (2.2.1.2)
Before configuring SSH, the switch must be minimally configured with a unique hostname and the correct network connectivity settings.
Verify SSH support: Use the show ip ssh command to verify that the switch supports SSH. If the switch is not running an IOS that supports cryptographic features, this command is unrecognized.
Configure the IP domain: Configure the IP domain name of the network using the ip domain-name domain-name global configuration mode command. In Figure 2-12, the domain-name value is cisco.com.
Figure 2-12 Configure SSH for Remote Management
Generate RSA key pairs: Generating an RSA key pair automatically enables SSH. Use the crypto key generate rsa global configuration mode command to enable the SSH server on the switch and generate an RSA key pair. When generating RSA keys, the administrator is prompted to enter a modulus length. Cisco recommends a minimum modulus size of 1024 bits (refer to the sample configuration in Figure 2-12). A longer modulus length is more secure, but it takes longer to generate and use.
NOTE
To delete the RSA key pair, use the crypto key zeroize rsa global configuration mode command. After the RSA key pair is deleted, the SSH server is automatically disabled.
Configure user authentication: The SSH server can authenticate users locally or using an authentication server. To use the local authentication method, create a username and password pair using the username username password password global configuration mode command. In the example, the user admin is assigned the password ccna.
Configure the vty lines: Enable the SSH protocol on the vty lines using the transport input ssh line configuration mode command. The Catalyst 2960 has vty lines ranging from 0 to 15. This configuration prevents non-SSH (such as Telnet) connections and limits the switch to accept only SSH connections. Use the line vty global configuration mode command and then the login local line configuration mode command to require local authentication for SSH connections from the local username database.
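The steps above leave a small, recognisable footprint in the running configuration, which makes them easy to audit after the fact, for example across every switch in a closet. The following Python function is an added example (not from the chapter and not a Cisco tool) that checks a saved running-config text for the prerequisites this section lists: a non-default hostname, an ip domain-name, a local username, and vty lines restricted to transport input ssh with login local. It also checks for ip ssh version 2, the IOS command (not shown in this section) that pins the SSH version the verification section later reports. The two configuration samples are constructed: one with the out-of-the-box settings and Telnet still permitted, one with the section's steps applied.

```python
import re

# Constructed running-config fragments (not from the chapter): the first leaves
# the switch at its defaults with Telnet still permitted, the second applies the
# section's SSH steps.
WEAK_CONFIG = """\
hostname Switch
!
username admin password ccna
!
line vty 0 15
 password cisco
 login
 transport input telnet ssh
!
"""

HARDENED_CONFIG = """\
hostname S1
!
ip domain-name cisco.com
ip ssh version 2
!
username admin password ccna
!
line vty 0 15
 login local
 transport input ssh
!
"""


def _vty_blocks(lines):
    """Group the indented lines under each 'line vty ...' heading."""
    blocks, current = {}, None
    for line in lines:
        if line.startswith("line vty"):
            current = line.strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None
    return blocks


def audit_ssh_config(config_text):
    """Return (finding, where) pairs for each SSH prerequisite the config misses."""
    lines = config_text.splitlines()
    findings = []
    hostname = next((ln.split()[1] for ln in lines if ln.startswith("hostname ")), None)
    if hostname in (None, "Switch"):
        findings.append(("DEFAULT_HOSTNAME", "global"))
    if not any(ln.startswith(("ip domain-name ", "ip domain name ")) for ln in lines):
        findings.append(("NO_DOMAIN_NAME", "global"))
    if "ip ssh version 2" not in lines:
        findings.append(("SSH_VERSION_NOT_2", "global"))
    if not any(re.match(r"username \S+ (password|secret) ", ln) for ln in lines):
        findings.append(("NO_LOCAL_USER", "global"))
    vtys = _vty_blocks(lines)
    if not vtys:
        findings.append(("NO_VTY_LINES", "global"))
    for name, body in vtys.items():
        # Every vty block must allow SSH only and authenticate against the local database.
        transports = [b for b in body if b.startswith("transport input")]
        if transports != ["transport input ssh"]:
            findings.append(("VTY_ALLOWS_NON_SSH", name))
        if "login local" not in body:
            findings.append(("VTY_NOT_LOGIN_LOCAL", name))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_ssh_config(cfg) or "no findings")
```

The RSA key pair generated with crypto key generate rsa is not stored in the running configuration, so this audit cannot confirm it exists or check its modulus length; confirm that part with show ip ssh on the switch itself.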
Activity 2.2.1.2: Configure SSH
Go to the online course and select the second graphic to use the Syntax Checker to configure SSH on switch S1.
Verifying SSH (2.2.1.3)
On a PC, an SSH client, such as PuTTY, is used to connect to an SSH server. For the examples in Figures 2-16 to 2-18, the following have been configured:
SSH enabled on switch S1
Interface VLAN 99 (SVI) with IP address 172.17.99.11 on switch S1
PC1 with IP address 172.17.99.21
In Figure 2-13, the PC initiates an SSH connection to the SVI VLAN IP address of S1.
Figure 2-13 Configure PuTTY with SSH Client Connection Parameters
In Figure 2-14, the user has been prompted for a username and password. Using the configuration from the previous example, the username admin and password ccna are entered. After entering the correct combination, the user is connected via SSH to the CLI on the Catalyst 2960 switch.
Figure 2-14 Remote Management SSH Connection
To display the version and configuration data for SSH on the device that you configured as an SSH server, use the show ip ssh command. In the example, SSH version 2 is enabled. To check the SSH connections to the device, use the show ssh command (see Figure 2-15).
Figure 2-15 Verify SSH Status and Settings
Packet Tracer Activity 2.2.1.4: Configuring SSH
SSH should replace Telnet for management connections. Telnet uses insecure plaintext communications. SSH provides security for remote connections by providing strong encryption of all transmitted data between devices. In this activity, you will secure a remote switch with password encryption and SSH.
Security Concerns in LANs (2.2.2)
Wired LANs are a common source of attack because so much information can be gained about the wired network using free downloadable tools. By examining downloaded frames, attackers can determine IP addresses of network devices, protocols being used, valid server names and IP addresses, etc. With this information an attacker can launch further attacks or even insert a rogue device. This section introduces the types of attacks and countermeasures to be performed on a wired LAN.
Common Security Attacks: MAC Address Flooding (2.2.2.1)
Basic switch security does not stop malicious attacks. Security is a layered process that is essentially never complete. The more aware networking professionals within an organization are regarding security attacks and the dangers they pose, the better. Some types of security attacks are described here, but the details of how some of these attacks work are beyond the scope of this course. More detailed information is found in the CCNA WAN Protocols course and the CCNA Security course.
MAC Address Flooding
All Catalyst switch models use a MAC address table for Layer 2 switching. The MAC address table in a switch contains the MAC addresses associated with each physical port and the associated VLAN for each port. As a frame arrives on a switch port, the source MAC address is recorded in the MAC address table. The switch then examines the received destination MAC address and looks in the MAC address table to see if it contains the destination MAC address. If an entry already exists for the destination MAC address, the switch forwards the frame to the correct port. If the destination MAC address does not exist in the MAC address table, the switch floods the frame out of every port on the switch, except the port where the frame was received.
The MAC address flooding behavior of a switch for unknown addresses can be used to attack a switch. This type of attack is called a MAC address table overflow attack. MAC address table overflow attacks are sometimes referred to as MAC flooding attacks and CAM table overflow attacks. The following figures show how this type of attack works.
In Figure 2-16, host A sends traffic to host B. The switch receives the frames and looks up the destination MAC address in its MAC address table. If the switch cannot find the destination MAC in the MAC address table, the switch then copies the frame and floods (broadcasts) it out of every switch port, except the port where it was received.
Figure 2-16 MAC Address Flooding: Switch Floods Frame for Unknown MAC
In Figure 2-17, host B receives the frame and sends a reply to host A. The switch then learns that the MAC address for host B is located on port 2 and records that information into the MAC address table.
Host C also receives the frame from host A to host B, but because the destination MAC address of that frame is host B, host C drops that frame.
Figure 2-17 MAC Address Flooding: Switch Records MAC Address
As shown in Figure 2-18, any frame sent by host A (or any other host) to host B is forwarded to port 2 of the switch and not broadcast out every port.
Figure 2-18 MAC Address Flooding: Switch Uses MAC Address Table to Forward Traffic
MAC address tables are limited in size. MAC flooding attacks make use of this limitation to overwhelm the switch with fake source MAC addresses until the switch MAC address table is full.
As shown in Figure 2-19, an attacker at host C can send frames with fake, randomly generated source and destination MAC addresses to the switch. The switch updates the MAC address table with the information in the fake frames. When the MAC address table is full of fake MAC addresses, the switch enters into what is known as fail-open mode. In this mode, the switch broadcasts all frames to all machines on the network. As a result, the attacker can see all of the frames.
Figure 2-19 MAC Address Flooding Attack: Attacker Launches Attack
Some network attack tools can generate up to 155,000 MAC entries on a switch per minute. The maximum MAC address table size is switch model dependent.
As shown in Figure 2-20, as long as the MAC address table on the switch remains full, the switch broadcasts all received frames out of every port except the ingress port. In this example, frames sent from host A to host B are also broadcast out of port 3 on the switch and seen by the attacker at host C.
Figure 2-20 MAC Address Flooding Attack: Attacker Sees Broadcasts
One way to mitigate MAC address table overflow attacks is to configure port security.
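The following Python model is an added example, not part of the chapter and not Cisco code: a toy Layer 2 switch with a bounded MAC address table whose entries age out, used to replay Figures 2-16 to 2-20 (the port numbers, table capacity, aging time and MAC addresses are all constructed). The scenario shows unknown-unicast flooding, learning, and what happens once one port has filled the table: a legitimate entry that ages out can no longer be relearned, so frames to that host are flooded to every port, including the one the bogus addresses came from. The last function is a defender-side check over the same ingress records, flagging any port on which an implausible number of distinct source addresses appeared within a short window; the learn rate is the symptom, and port security (covered later in the chapter) is the per-port cap that stops it.

```python
from collections import defaultdict


class Switch:
    """Constructed model of a Layer 2 switch: a bounded MAC address table whose
    entries age out, as the chapter describes (not Cisco code)."""

    def __init__(self, ports, capacity, aging_secs=300):
        self.ports = list(ports)
        self.capacity = capacity
        self.aging_secs = aging_secs
        self.table = {}      # mac -> (port, last_seen)
        self.events = []     # (time, in_port, src_mac) per ingress frame, for the detector

    def _age_out(self, now):
        stale = [m for m, (_, seen) in self.table.items() if now - seen > self.aging_secs]
        for mac in stale:
            del self.table[mac]

    def learn(self, mac, port, now):
        """Refresh an existing entry, or add a new one only while there is room."""
        if mac in self.table or len(self.table) < self.capacity:
            self.table[mac] = (port, now)
            return True
        return False

    def forward(self, src, dst, in_port, now):
        """Return the egress ports for one frame: learn the source, then forward
        to the known port or flood to every port except the ingress port."""
        self._age_out(now)
        self.events.append((now, in_port, src))
        self.learn(src, in_port, now)
        entry = self.table.get(dst)
        if entry is None:
            return [p for p in self.ports if p != in_port]
        return [] if entry[0] == in_port else [entry[0]]

    def is_full(self):
        return len(self.table) >= self.capacity


def ports_with_learning_bursts(events, window_secs, max_new_macs):
    """Defender-side check: ports on which more than max_new_macs distinct source
    addresses were seen inside any window of window_secs seconds."""
    per_port = defaultdict(list)
    for t, port, mac in sorted(events):
        per_port[port].append((t, mac))
    alerts = set()
    for port, seen in per_port.items():
        for i, (t0, _) in enumerate(seen):
            distinct = {m for t, m in seen[i:] if t - t0 <= window_secs}
            if len(distinct) > max_new_macs:
                alerts.add(port)
                break
    return alerts


def flooding_scenario():
    """Replay Figures 2-16 to 2-20 on a small table and return the observations."""
    sw = Switch(ports=[1, 2, 3], capacity=8)
    host_a, host_b = "00aa.0000.0001", "00bb.0000.0002"      # constructed addresses
    first = sw.forward(host_a, host_b, in_port=1, now=0)      # B unknown: flooded
    sw.forward(host_b, host_a, in_port=2, now=1)              # reply: B learned on port 2
    learned = sw.forward(host_a, host_b, in_port=1, now=2)    # now sent to port 2 only
    # Port 3 keeps sending frames with a never-repeating source address; once the
    # table is full, every entry that ages out is immediately replaced by a bogus one.
    for t in range(3, 400):
        sw.forward(f"0c00.0000.{t:04x}", "ffff.ffff.ffff", in_port=3, now=t)
    # A and B were idle longer than the aging time, so their entries are gone and
    # cannot be relearned: A's next frame to B is flooded, port 3 included.
    after = sw.forward(host_a, host_b, in_port=1, now=400)
    return {
        "first": first, "learned": learned,
        "table_full": sw.is_full(), "a_in_table": host_a in sw.table,
        "after_overflow": after,
        "alert_ports": ports_with_learning_bursts(sw.events, window_secs=60, max_new_macs=20),
    }


if __name__ == "__main__":
    for key, value in flooding_scenario().items():
        print(f"{key}: {value}")
```

The threshold of 20 new addresses per minute is a constructed value for a single-host access port; an uplink or a port facing a hypervisor legitimately carries many addresses and would need either a higher limit or exclusion from the check.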
Common Security Attacks: DHCP Spoofing (2.2.2.2)
DHCP is the protocol that automatically assigns a host a valid IP address out of a DHCP pool. DHCP has always been the main protocol used within industry for allocating clients IP addresses. Two types of DHCP attacks can be performed against a switched network: DHCP starvation attacks and DHCP spoofing, as shown in Figure 2-21.
Figure 2-21 DHCP Spoofing and Starvation Attack
In DHCP starvation attacks, an attacker floods the DHCP server with DHCP requests to use all the available IP addresses that the DHCP server can issue. After these IP addresses are issued, the server cannot issue any more addresses, and this situation produces a denial of service (DoS) attack as new clients cannot obtain network access. A DoS attack is any attack that is used to overload specific devices and network services with illegitimate traffic, thereby preventing legitimate traffic from reaching those resources.
In DHCP spoofing attacks, an attacker configures a fake DHCP server on the network to issue DHCP addresses to clients. The normal reason for this attack is to force the clients to use false Domain Name System (DNS) or Windows Internet Naming Service (WINS) servers and to make the clients use the attacker, or a machine under the control of the attacker, as their default gateway.
DHCP starvation is often used before a DHCP spoofing attack to deny service to the legitimate DHCP server, making it easier to introduce a fake DHCP server into the network.
To mitigate DHCP attacks, use the DHCP snooping and port security features on the Cisco Catalyst switches. These features are covered in a later topic.
Common Security Attacks: Leveraging CDP (2.2.2.3)
The Cisco Discovery Protocol (CDP) is a proprietary protocol that all Cisco devices can be configured to use. CDP discovers other Cisco devices that are directly connected, which allows the devices to auto-configure their connection. In some cases, this simplifies configuration and connectivity.
By default, most Cisco routers and switches have CDP enabled on all ports. CDP information is sent in periodic, unencrypted broadcasts. This information is updated locally in the CDP database of each device. Even though CDP is a Layer 2 protocol, all Cisco devices can use CDP to communicate and share device information with an adjacent Cisco device; however, this information cannot be shared beyond a single, adjacent Cisco device.
CDP contains information about the device, such as the IP address, software version, platform, capabilities, and the native VLAN. This information can be used by an attacker to find ways to attack the network, typically in the form of a DoS attack.
Figure 2-22 shows a portion of a Wireshark capture showing the contents of a CDP packet. The Cisco IOS software version discovered via CDP, in particular, would allow the attacker to determine whether there were any security vulnerabilities specific to that particular version of IOS. Also, because CDP is not authenticated, an attacker could craft bogus CDP packets and send them to a directly connected Cisco device.
Figure 2-22 Wireshark CDP Packet Capture
NOTE
It is recommended that you disable the use of CDP on devices or ports that do not need to use it by using the no cdp run global configuration mode command. CDP can also be disabled on a per-port basis.
Telnet Attacks
The Telnet protocol is insecure and can be used by an attacker to gain remote access to a Cisco network device. There are tools available that allow an attacker to launch a brute force password-cracking attack against the vty lines on the switch.
Brute Force Password Attack
A brute force password attack tries to crack a password on another device. The first phase of a brute force password attack starts with the attacker using a list of common passwords and a program designed to try to establish a Telnet session using each word on the dictionary list. If the password is not discovered by the first phase, a second phase begins. In the second phase of a brute force attack, the attacker uses a program that creates sequential character combinations in an attempt to guess the password. Given enough time, a brute force password attack can crack almost all passwords used.
To mitigate against brute force password attacks, use strong passwords that are changed frequently. A strong password should have a mix of uppercase and lowercase letters and should include numerals and symbols (special characters). Access to the vty lines can also be limited using an access control list (ACL) that designates what IP address(es) are allowed access to the vty lines.
Telnet DoS Attack
Telnet can also be used to launch a DoS attack. In a Telnet DoS attack, the attacker exploits a flaw in the Telnet server software running on the switch that renders the Telnet service unavailable. This sort of attack prevents an administrator from remotely accessing switch management functions. This can be combined with other direct attacks on the network as part of a coordinated attempt to prevent the network administrator from accessing core devices during the breach.
Vulnerabilities in the Telnet service that permit DoS attacks to occur are usually addressed in security patches that are included in newer Cisco IOS revisions.
NOTE
It is a best practice to use SSH, rather than Telnet, for remote management connections.
Activity 2.2.2.4: Common Security Attacks
Go to the online course to perform the practice activity where you match the type of attack to the description.
Security Best Practices (2.2.3)
With so many devices being attached to the wired network, network security is even more important today. Security starts the moment you take a network device, such as a switch, out of the box for the first time. Now that some of the common attacks have been covered, next is what a network administrator can do to protect against and counteract those attacks.
Best Practices (2.2.3.1)
Defending your network against attack requires vigilance and education. The following are best practices for securing a network:
Develop a written security policy for the organization.
Shut down unused services and ports.
Use strong passwords and change them often.
Control physical access to devices.
Avoid using standard insecure HTTP websites, especially for login screens; instead use the more secure HTTPS.
Perform backups and test the backed up files on a regular basis.
Educate employees about social engineering attacks, and develop policies to validate identities over the phone, via email, and in person.
Encrypt and password-protect sensitive data.
Implement security hardware and software, such as firewalls.
Keep software up to date by installing security patches weekly or daily, if possible.
These methods are only a starting point for security management. Organizations must remain vigilant at all times to defend against continually evolving threats. Use network security tools to measure the vulnerability of the current network.
Network Security Tools and Testing (2.2.3.2)
Network security tools help a network administrator test a network for weaknesses. Some tools allow an administrator to assume the role of an attacker. Using one of these tools, an administrator can launch an attack against the network and audit the results to determine how to adjust security policies to mitigate those types of attacks. Security auditing and penetration testing are two basic functions that network security tools perform.
Network security testing techniques may be manually initiated by the administrator. Other tests are highly automated. Regardless of the type of testing, the staff that sets up and conducts the security testing should have extensive security and networking knowledge. This includes expertise in the following areas:
Network security
Firewalls
Intrusion prevention systems
Operating systems
Programming
Networking protocols (such as TCP/IP)
Network Security Audits (2.2.3.3)
Network security tools allow a network administrator to perform a security audit of a network. A security audit reveals the type of information an attacker can gather simply by monitoring network traffic.
For example, network security auditing tools allow an administrator to flood the MAC address table with fictitious MAC addresses. This is followed by an audit of the switch ports as the switch starts flooding traffic out of all ports. During the audit, the legitimate MAC address mappings are aged out and replaced with fictitious MAC address mappings. This determines which ports are compromised and not correctly configured to prevent this type of attack.
Timing is an important factor in performing the audit successfully. Different switches support varying numbers of MAC addresses in their MAC table. It can be difficult to determine the ideal amount of spoofed MAC addresses to send to the switch. A network administrator also has to contend with the age-out period of the MAC address table. If the spoofed MAC addresses start to age out while performing a network audit, valid MAC addresses start to populate the MAC address table, limiting the data that can be monitored with a network auditing tool.
Network security tools can also be used for penetration testing against a network. Penetration testing is a simulated attack against the network to determine how vulnerable it would be in a real attack. This allows a network administrator to identify weaknesses within the configuration of networking devices and make changes to make the devices more resilient to attacks. There are numerous attacks that an administrator can perform, and most tool suites come with extensive documentation detailing the syntax needed to execute the desired attack.
Because penetration tests can have adverse effects on the network, they are carried out under very controlled conditions, following documented procedures detailed in a comprehensive network security policy. An offline test bed network that mimics the actual production network is the ideal. The test bed network can be used by networking staff to perform network penetration tests.
Switch Port Security (2.2.4)
Port security is the process of enabling specific commands on switch ports to protect against unauthorized wired devices being attached to the network. An easy way for an intruder to gain access to a corporate network is to plug into an unused Ethernet jack or to unplug an authorized device and use that connector. Cisco provides ways to protect against such behavior.
Secure Unused Ports (2.2.4.1)
The first step in port security is to be aware of ports that are not currently being used on the switch.
Disable Unused Ports
A simple method that many administrators use to help secure the network from unauthorized access is to disable all unused ports on a switch. For example, if a Catalyst 2960 switch has 24 ports and there are three Fast Ethernet connections in use, it is good practice to disable the 21 unused ports. Navigate to each unused port and issue the Cisco IOS shutdown command. If a port later on needs to be reactivated, it can be enabled with the no shutdown command. Figure 2-23 shows partial output for this configuration.
Figure 2-23 Disable Unused Switch Ports
It is simple to make configuration changes to multiple ports on a switch. If a range of ports must be configured, use the interface range command.
Switch(config)# interface range type module/first-number - last-number
The process of enabling and disabling ports can be time consuming, but it enhances security on the network and is well worth the effort.
DHCP Snooping (2.2.4.2)
DHCP snooping is a Cisco Catalyst feature that determines which devices attached to switch ports can respond to DHCP requests. DHCP snooping can be used to prevent unauthorized DHCP messages that contain information such as IP address-related data from being provided to legitimate network devices.
As part of the DHCP configuration process, switch ports can be identified as trusted and untrusted. Trusted ports can source any type of DHCP message; untrusted ports can source DHCP requests only. This configuration protects the network from someone attacking a device by acting as a rogue DHCP server. Trusted ports host a DHCP server or can be an uplink toward the DHCP server. If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down. This feature can be coupled with DHCP options in which switch information, such as the port ID of the DHCP request, can be inserted into the DHCP request packet.
As shown in Figures 2-24 and 2-25, untrusted ports are those not explicitly configured as trusted. A DHCP binding table is built for untrusted ports. Each entry contains a client MAC address, IP address, lease time, binding type, VLAN number, and port ID recorded as clients make DHCP requests. The table is then used to filter subsequent DHCP traffic. From a DHCP snooping perspective, untrusted access ports should not send any DHCP server responses.
Figure 2-24 DHCP Snooping Operation
Figure 2-25 DHCP Snooping Configuration
These steps illustrate how to configure DHCP snooping on a Catalyst 2960 switch:
Step 1. Enable DHCP snooping using the ip dhcp snooping global configuration mode command.
Step 2. Enable DHCP snooping for specific VLANs using the ip dhcp snooping vlan number command.
Step 3. Define ports as trusted at the interface level by defining the trusted ports using the ip dhcp snooping trust command.
Step 4. (Optional) Limit the rate at which an attacker can continually send bogus DHCP requests through untrusted ports to the DHCP server using the ip dhcp snooping limit rate rate command.
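The following Python class is an added example (not part of the chapter and not Cisco code) that models the decisions DHCP snooping makes once the four steps above are in place: snooping applies per VLAN, a trusted port may source any DHCP message, an untrusted port may source client messages only and is shut down when it sources a server message or exceeds its rate limit, and an ACK arriving on a trusted port populates the binding table, which is then used to drop a RELEASE for that lease sent from a different port. All port names, VLAN numbers, addresses and the limit value are constructed for the scenario.

```python
from dataclasses import dataclass, field

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpMessage:
    kind: str          # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE or DECLINE
    in_port: str       # switch port the message arrived on
    vlan: int
    client_mac: str    # hardware address of the client the message concerns
    yiaddr: str = ""   # address offered/acknowledged (server messages)
    lease: int = 0     # lease time in seconds (ACK)


@dataclass
class DhcpSnooping:
    """Constructed model of the DHCP snooping decisions (not Cisco code)."""
    enabled_vlans: set
    trusted_ports: set
    rate_limit: dict = field(default_factory=dict)    # untrusted port -> max messages per second
    bindings: dict = field(default_factory=dict)      # (vlan, mac) -> (ip, client port, lease)
    errdisabled: set = field(default_factory=set)
    _client_port: dict = field(default_factory=dict)  # (vlan, mac) -> port of last DISCOVER/REQUEST
    _rate: dict = field(default_factory=dict)         # port -> [second, messages in that second]

    def _over_rate(self, port, now):
        limit = self.rate_limit.get(port)
        if limit is None:
            return False
        sec = int(now)
        bucket = self._rate.setdefault(port, [sec, 0])
        if bucket[0] != sec:
            bucket[0], bucket[1] = sec, 0
        bucket[1] += 1
        return bucket[1] > limit

    def process(self, msg, now):
        """Return 'FORWARD' or 'DROP' for one DHCP message and update the state."""
        if msg.vlan not in self.enabled_vlans:
            return "FORWARD"                          # snooping is enabled per VLAN
        if msg.in_port in self.errdisabled:
            return "DROP"
        key = (msg.vlan, msg.client_mac)
        if msg.in_port in self.trusted_ports:
            # Trusted ports may source any message; an ACK creates the binding
            # for the client port recorded from its DISCOVER/REQUEST.
            if msg.kind == "ACK" and key in self._client_port:
                self.bindings[key] = (msg.yiaddr, self._client_port[key], msg.lease)
            return "FORWARD"
        if msg.kind in SERVER_MESSAGES:
            self.errdisabled.add(msg.in_port)        # rogue server on an untrusted port
            return "DROP"
        if self._over_rate(msg.in_port, now):
            self.errdisabled.add(msg.in_port)        # request flood beyond the limit
            return "DROP"
        if msg.kind in ("RELEASE", "DECLINE"):
            # Only the port that holds the binding may give that lease up.
            binding = self.bindings.get(key)
            if binding is None or binding[1] != msg.in_port:
                return "DROP"
            del self.bindings[key]
            return "FORWARD"
        self._client_port[key] = msg.in_port         # DISCOVER or REQUEST
        return "FORWARD"


def scenario():
    """A legitimate exchange, a rogue server, a forged release and a request
    burst, replayed against the model; returns the decisions for checking."""
    snoop = DhcpSnooping(enabled_vlans={10}, trusted_ports={"Gi0/1"}, rate_limit={"Fa0/8": 3})
    pc = "0011.2233.4455"                                  # constructed client address
    out = {}
    out["discover"] = snoop.process(DhcpMessage("DISCOVER", "Fa0/5", 10, pc), 0.0)
    out["offer_trusted"] = snoop.process(DhcpMessage("OFFER", "Gi0/1", 10, pc, "172.17.10.50"), 0.1)
    snoop.process(DhcpMessage("REQUEST", "Fa0/5", 10, pc), 0.2)
    out["ack_trusted"] = snoop.process(DhcpMessage("ACK", "Gi0/1", 10, pc, "172.17.10.50", 86400), 0.3)
    out["binding"] = snoop.bindings[(10, pc)]
    out["rogue_offer"] = snoop.process(DhcpMessage("OFFER", "Fa0/6", 10, pc, "10.0.0.9"), 1.0)
    out["rogue_port_disabled"] = "Fa0/6" in snoop.errdisabled
    out["forged_release"] = snoop.process(DhcpMessage("RELEASE", "Fa0/7", 10, pc), 2.0)
    burst = [snoop.process(DhcpMessage("DISCOVER", "Fa0/8", 10, f"0c00.0000.{i:04x}"), 3.0 + i / 100)
             for i in range(5)]
    out["starvation_drops"] = burst.count("DROP")
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

In the model an untrusted port that breaches the limit is err-disabled, which is also what a real switch does; the limit should therefore be set above the burst a legitimate client produces (a PC retrying DISCOVER a few times at boot) rather than at the minimum that would stop a flood.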
Port Security: Operation (2.2.4.3)
All switch ports (interfaces) should be secured before the switch is deployed for production use. One way to secure ports is by implementing a feature called port security. Cisco port security limits the number of valid MAC addresses allowed on a port. The MAC addresses of legitimate devices are allowed access, while other MAC addresses are denied.
Port Security
Port security can be configured to allow one or more MAC addresses. If the number of MAC addresses allowed on the port is limited to one, then only the device with that specific MAC address can successfully connect to the port.
If a port is configured as a secure port and the maximum number of MAC addresses is reached, any additional attempts to connect by unknown MAC addresses will generate a security violation.
NOTE
Remember that when implementing port security on a switch port to:
Turn port security on before doing any other commands.
Specify a single MAC address or a group of valid MAC addresses allowed on the port.
Specify that a port automatically shuts down if unauthorized MAC addresses are detected.
Secure MAC Address Types
There are a number of ways to configure port security. The type of secure address is based on the configuration and includes:
Static secure MAC addresses: MAC addresses that are manually configured on a port by using the switchport port-security mac-address mac-address interface configuration mode command. MAC addresses configured in this way are stored in the address table and are added to the running configuration on the switch.
Dynamic secure MAC addresses: MAC addresses that are dynamically learned and stored only in the address table. MAC addresses configured in this way are removed when the switch restarts.
Sticky secure MAC addresses: MAC addresses that can be dynamically learned or manually configured, stored in the address table, and added to the running configuration.
Sticky Secure MAC Addresses
To configure an interface to convert dynamically learned MAC addresses to sticky secure MAC addresses and add them to the running configuration, you must enable sticky learning. Sticky learning is enabled on an interface by using the switchport port-security mac-address sticky interface configuration mode command.
When this command is entered, the switch converts all dynamically learned MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. All sticky secure MAC addresses are added to the address table and to the running configuration.
Sticky secure MAC addresses can also be manually defined. When sticky secure MAC addresses are configured by using the switchport port-security mac-address sticky mac-address interface configuration mode command, all specified addresses are added to the address table and the running configuration.
If the sticky secure MAC addresses are saved to the startup configuration file, then when the switch restarts or the interface shuts down, the interface does not need to relearn the addresses. If the sticky secure addresses are not saved, they will be lost.
If sticky learning is disabled by using the no switchport port-security mac-address sticky interface configuration mode command, the sticky secure MAC addresses remain part of the address table but are removed from the running configuration.
The following list shows the characteristics of sticky secure MAC addresses:
Learned dynamically, converted to sticky secure MAC addresses stored in the running config.
Removed from the running config if port security is disabled.
Lost when the switch reboots (power cycled).
Saving sticky secure MAC addresses in the startup config makes them permanent, and the switch retains them after a reboot.
Disabling sticky learning converts sticky MAC addresses to dynamic secure addresses and removes them from the running config.
NOTE
On a switch port, switchport port-security commands will not function until port security is enabled.
Port Security: Violation Modes (2.2.4.4)
It is a security violation when either of these situations occurs:
The maximum number of secure MAC addresses have been added to the address table for that interface, and a station whose MAC address is not in the address table attempts to access the interface.
An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
An interface can be configured for one of three violation modes, specifying the action to be taken if a violation occurs. Table 2-9 presents which kinds of data traffic are forwarded when one of the following security violation modes is configured on a port:
Protect: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed or the number of maximum allowable addresses is increased. There is no notification that a security violation has occurred.
Restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed or the number of maximum allowable addresses is increased. In this mode, there is a notification that a security violation has occurred.
Shutdown: In this (default) violation mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It increments the violation counter. When a secure port is in the error-disabled state, it can be brought out of this state by entering the shutdown and no shutdown interface configuration mode commands.
Table 2-9 Security Violation Modes
A station with a MAC address that is not in the address table attempts to access the interface when the table is full.
An address is being used on two secure interfaces in the same VLAN.
To change the violation mode on a switch port, use the switchport port-security violation {protect | restrict | shutdown} interface configuration mode command.
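To make the three violation modes and the secure-address types concrete, the following Python model is an added example (not from the chapter and not Cisco IOS). It models one secure port: addresses are learned dynamically, or as sticky addresses once sticky learning is on, up to the configured maximum; an unknown source beyond the maximum is a violation; and protect, restrict and shutdown react as the section describes. The second violation condition (the same address seen on two secure ports in one VLAN) is not modelled, since it needs more than one port. The model also renders the port's running configuration in the form the later verification section shows. The port names and the addresses 0025.83e6.4b01, 0025.83e6.4b02 and 000c.292b.4c75 come from the chapter's figures and output; the other two addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Constructed model of one access port running port security (not Cisco code)."""
    name: str
    enabled: bool = False          # port security is off by default
    maximum: int = 1
    violation: str = "shutdown"    # protect | restrict | shutdown (default)
    sticky: bool = False
    static: set = field(default_factory=set)        # configured with mac-address <mac>
    dynamic: set = field(default_factory=set)       # learned, address table only
    sticky_addrs: set = field(default_factory=set)  # learned or configured, also in running config
    errdisabled: bool = False
    violation_count: int = 0
    syslog: list = field(default_factory=list)

    def secure_addresses(self):
        return self.static | self.dynamic | self.sticky_addrs

    def enable_sticky(self):
        """switchport port-security mac-address sticky: addresses already
        learned dynamically are converted to sticky addresses."""
        self.sticky = True
        self.sticky_addrs |= self.dynamic
        self.dynamic.clear()

    def ingress(self, src_mac):
        """Return 'FORWARD' or 'DROP' for a frame arriving with source src_mac."""
        if self.errdisabled:
            return "DROP"
        if not self.enabled or src_mac in self.secure_addresses():
            return "FORWARD"
        if len(self.secure_addresses()) < self.maximum:
            (self.sticky_addrs if self.sticky else self.dynamic).add(src_mac)
            return "FORWARD"
        # Maximum reached and the source is unknown: a security violation.
        if self.violation == "protect":
            return "DROP"                      # dropped silently, no notification
        self.violation_count += 1
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                           f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.errdisabled = True
            self.syslog.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on "
                               f"{self.name}, putting {self.name} in err-disable state")
        return "DROP"

    def recover(self):
        """shutdown followed by no shutdown on an err-disabled port: the port comes
        back, dynamic addresses are relearned, sticky and static ones are kept."""
        self.errdisabled = False
        self.dynamic.clear()

    def running_config(self):
        lines = [f"interface {self.name}", " switchport mode access"]
        if self.enabled:
            lines.append(" switchport port-security")
            if self.maximum != 1:
                lines.append(f" switchport port-security maximum {self.maximum}")
            if self.violation != "shutdown":
                lines.append(f" switchport port-security violation {self.violation}")
            if self.sticky:
                lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}" for m in sorted(self.sticky_addrs)]
            lines += [f" switchport port-security mac-address {m}" for m in sorted(self.static)]
        return lines


def scenario():
    """Fa0/18 with the defaults and Fa0/19 sticky with maximum 50, then the same
    unknown station against a restrict port and a protect port."""
    pc1, pc2, intruder = "0025.83e6.4b01", "0025.83e6.4b02", "000c.292b.4c75"
    out = {}
    p18 = SecurePort("FastEthernet0/18", enabled=True)
    out["pc1"] = p18.ingress(pc1)                     # learned dynamically
    out["intruder_on_18"] = p18.ingress(intruder)     # second address: violation
    out["p18_state"] = (p18.errdisabled, p18.violation_count)
    p18.recover()
    out["p18_after_recover"] = p18.ingress(pc1)
    p19 = SecurePort("FastEthernet0/19", enabled=True, maximum=50)
    p19.enable_sticky()
    p19.ingress(pc2)
    out["p19_config"] = p19.running_config()
    p20 = SecurePort("FastEthernet0/20", enabled=True, violation="restrict")
    p20.ingress("0025.83e6.4b03")                     # constructed address
    out["restrict"] = (p20.ingress(intruder), p20.errdisabled, p20.violation_count)
    p21 = SecurePort("FastEthernet0/21", enabled=True, violation="protect")
    p21.ingress("0025.83e6.4b04")                     # constructed address
    out["protect"] = (p21.ingress(intruder), p21.errdisabled, p21.violation_count, len(p21.syslog))
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The restrict result is the one to note when choosing a mode: the unknown station is dropped and the violation is counted and logged, but the legitimate station on the same port keeps working, whereas shutdown takes both off the network until an administrator intervenes.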
Port Security: Configuring (2.2.4.5)
Table 2-10 summarizes the default port security configuration on a Cisco Catalyst switch.
Table 2-10 Port Security Default Settings
Feature                                   Default Setting
Port security                             Disabled on a port
Maximum number of secure MAC addresses    1
Violation mode                            Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded.
Sticky address learning                   Disabled
Figure 2-26 shows the topology used when configuring F0/18 on the S1 switch. Table 2-11 shows the Cisco IOS CLI commands needed to configure port security on the Fast Ethernet F0/18 port on the S1 switch. Notice that the example does not specify a violation mode. In this example, the violation mode is the default mode of shutdown.
Figure 2-26 Port Security Configuration Topology
Table 2-11 Cisco Switch IOS CLI Commands for Dynamic Port Security
Specify the interface to be configured for port security.          S1(config)# interface fastethernet 0/18
Set the interface mode to access.                                   S1(config-if)# switchport mode access
Enable port security on the interface.                              S1(config-if)# switchport port-security
Table 2-12 shows the commands needed to enable sticky secure MAC addresses for port security on Fast Ethernet port 0/19 of switch S1. As stated earlier, a specific maximum number of secure MAC addresses can be manually configured. In this example, the Cisco IOS command syntax is used to set the maximum number of MAC addresses to 50 for port 0/19. The violation mode is set to the default mode of shutdown.
Table 2-12 Cisco Switch IOS CLI Commands for Sticky Port Security
Specify the interface to be configured for port security.          S1(config)# interface fastethernet 0/19
Set the interface mode to access.                                   S1(config-if)# switchport mode access
Enable port security on the interface.                              S1(config-if)# switchport port-security
Set the maximum number of secure addresses allowed on the port.    S1(config-if)# switchport port-security maximum 50
Enable sticky learning.                                             S1(config-if)# switchport port-security mac-address sticky
Port Security: Verifying (2.2.4.6)
Many students make the mistake of forgetting to enable port security before configuring the specific port security options. For any configuration step, verification is important. It is especially important when configuring port security.
Verify Port Security
After configuring port security on a switch, check each interface to verify that the port security is set correctly, and check to ensure that the static MAC addresses have been configured correctly.
Verify Port Security Settings
To display port security settings for the switch or for the specified interface, use the show port-security [interface interface-id] command. The output for the dynamic port security configuration is shown as follows. By default, there is one MAC address allowed on this port.
S1# show port-security interface fastethernet 0/18
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0025.83e6.4b01:1
Security Violation Count   : 0
Taking a look at the port after the configuration has been applied shows the values for the sticky port security settings. The maximum number of addresses is set to 50 as configured.
S1# show port-security interface fastethernet 0/19
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 50
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0025.83e6.4b02:1
Security Violation Count   : 0
NOTE
The MAC address in the previous output, 0025.83e6.4b02:1, is identified as a sticky MAC address.
Sticky MAC addresses are added to the MAC address table and to the running configuration. As shown in the output, the sticky MAC address for PC2 has been automatically added to the
running configuration for S1.
S1# show run | begin FastEthernet0/19
interface FastEthernet0/19
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0025.83e6.4b02
Verify Secure MAC Addresses
To display all secure MAC addresses configured on all switch interfaces, or on a specified interface with aging information for each, use the show port-security address command. As shown in the output, the secure MAC addresses are listed along with their types.
S1# show port-security address
               Secure Mac Address Table
Vlan    Mac Address       Type             Ports    Remaining Age (mins)
   1    0025.83e6.4b01    SecureDynamic    Fa0/18
   1    0025.83e6.4b02    SecureSticky     Fa0/19
Ports in Error Disabled State (2.2.4.7)
When a port is configured with port security, a violation can cause the port to become error disabled. When a port is error disabled, it is effectively shut down and no traffic is sent or received on that port. A series of port security related messages display on the console as shown.
Sep 20 06:44:54.966: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/18, putting Fa0/18 in err-disable state
Sep 20 06:44:54.966: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.292b.4c75 on port FastEthernet0/18.
Sep 20 06:44:53.973: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to down
Sep 20 06:44:56.971: %LINK-3-UPDOWN: Interface FastEthernet0/18, changed state to down
NOTE
Notice in the output how the port protocol and link status changed to down.
Another indication that a port security violation has occurred is that the switch port LED will change to orange. The show interfaces command identifies the port status as err-disabled as shown in the following output. The output of the show port-security interface command now shows the port status as secure-shutdown. Because the port security violation mode is set to shutdown, the port with the security violation goes to the error disabled state.
S1# show interfaces fastethernet 0/18 status
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/18                       err-disabled 1            auto   auto 10/100BaseTX
S1# show port-security interface fastethernet 0/18
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000c.292b.4c75:1
Security Violation Count   : 1
The administrator should determine what caused the security violation before re-enabling the port. If an unauthorized device is connected to a secure port, the port should not be re-enabled until the security threat is eliminated. To re-enable the port, first use the shutdown interface configuration mode command. Then, use the no shutdown interface configuration command to make the port operational, as shown in the following output.
S1(config)# interface FastEthernet 0/18
S1(config-if)# shutdown
Sep 20 06:57:28.532: %LINK-5-CHANGED: Interface
FastEthernet0/18, changed state to administratively down
S1(config-if)# no shutdown
Sep 20 06:57:48.186: %LINK-3-UPDOWN: Interface FastEthernet0/18, changed state to up
Sep 20 06:57:49.193: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to up
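The verification fields from section 2.2.4.6 and the console messages from 2.2.4.7 are what an operator reads before deciding whether a port may be re-enabled. The following Python is an added example, not the chapter's or Cisco's code: it parses the PSECURE_VIOLATION and ERR_DISABLE messages and the show port-security interface output, and compares the last source address against a list of permitted MACs. The sample console lines and show output are constructed to match the formats shown above, and the allow-list is an assumption.

```python
import re

# Constructed sample console lines; they follow the message formats the chapter shows.
SAMPLE_LOG = """\
Sep 20 06:44:54.966: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/18, putting Fa0/18 in err-disable state
Sep 20 06:44:54.966: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.292b.4c75 on port FastEthernet0/18.
Sep 20 06:44:53.973: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to down
Sep 20 06:44:56.971: %LINK-3-UPDOWN: Interface FastEthernet0/18, changed state to down
"""

# Constructed `show port-security interface` output for the err-disabled port.
SAMPLE_SHOW = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000c.292b.4c75:1
Security Violation Count   : 1
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"   # Cisco dotted-hex MAC notation
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    rf"caused by MAC address (?P<mac>{MAC}) on port (?P<port>\S+)\."
)
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+),"
)


def parse_violations(log_text):
    """Return (port, offending MAC) for every PSECURE_VIOLATION message."""
    return [(m["port"], m["mac"]) for m in VIOLATION_RE.finditer(log_text)]


def parse_errdisable(log_text):
    """Return (port, cause) for every ERR_DISABLE message."""
    return [(m["port"], m["cause"]) for m in ERRDISABLE_RE.finditer(log_text)]


def parse_show_port_security(text):
    """Turn 'Key   : Value' lines into a dict; the key itself may contain a colon."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.rpartition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def triage(fields, allowed_macs):
    """'ok' if the port has no violation and is not secure-shutdown; otherwise
    'unauthorized-mac' when the last source MAC is not in the allow-list, or
    'known-mac-violation' when a permitted address still tripped the limit."""
    violations = int(fields.get("Security Violation Count", "0"))
    if violations == 0 and fields.get("Port Status") != "Secure-shutdown":
        return "ok"
    last_mac = fields.get("Last Source Address:Vlan", "").split(":")[0]
    if last_mac in allowed_macs:
        return "known-mac-violation"
    return "unauthorized-mac"
```

A result of unauthorized-mac is the case the chapter describes: leave the port down until the device has been identified, then shutdown / no shutdown.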
Network Time Protocol (NTP) (2.2.4.8)
Having the correct time within networks is important. Correct time stamps are required to accurately track network events such as security violations. Additionally, clock synchronization is critical for the correct interpretation of events within syslog data files as well as for digital certificates.
Network Time Protocol (NTP) is a protocol that is used to synchronize the clocks of computer systems over packet-switched, variable-latency data networks. NTP allows network devices to synchronize their time settings with an NTP server. A group of NTP clients that obtain time and date information from a single source will have more consistent time settings.
A secure method of providing clocking for the network is for network administrators to implement their own private network master clocks, synchronized to UTC, using satellite or radio. However, if network administrators do not want to implement their own master clocks because of cost or other reasons, other clock sources are available on the Internet. NTP can get the correct time from an internal or external time source including the following:
Local master clock
Master clock on the Internet
GPS or atomic clock
A network device can be configured as either an NTP server or an NTP client. To allow the software clock to be synchronized by an NTP time server, use the ntp server ip-address command in global configuration mode. A sample configuration is shown in Figure 2-27. Router R2 is configured as an NTP client, while router R1 serves as an authoritative NTP server.
Figure 2-27 Configuring NTP
To configure a device as having an NTP master clock to which peers can synchronize themselves, use the ntp master [stratum] command in global configuration mode. The stratum value is a number from 1 to 15 and indicates the NTP stratum number that the system will claim. If the system is configured as an NTP master and no stratum number is specified, it will default to stratum 8. If the NTP master cannot reach any clock with a lower stratum number, the system will claim to be synchronized at the configured stratum number, and other systems will be willing to synchronize to it using NTP.
Figure 2-28 displays the verification of NTP. To display the status of NTP associations, use the show ntp associations command in privileged EXEC mode. This command will indicate the IP address of any peer devices that are synchronized to this peer, statically configured peers, and the stratum number. The show ntp status user EXEC command can be used to display such information as the NTP synchronization status, the peer that the device is synchronized to, and in which NTP stratum the device is functioning.
Figure 2-28 Verifying NTP
Packet Tracer Activity 2.2.4.9: Configuring Switch Port Security
In this activity, you will configure and verify port security on a switch. Port security allows you to restrict ingress traffic on a switch port by limiting the MAC addresses that are allowed to send traffic into the port.
Packet Tracer Activity 2.2.4.10: Troubleshooting Switch Port Security
The employee who normally uses PC1 brought his laptop from home, disconnected PC1, and connected the laptop to the telecommunication outlet. After reminding him of the security policy that does not allow personal devices on the network, you now must reconnect PC1 and re-enable the port.
Lab 2.2.4.11: Configuring Switch Security Features
In this lab, you will complete the following objectives:
Part 1: Set Up the Topology and Initialize Devices
Part 2: Configure Basic Device Settings and Verify Connectivity
Part 3: Configure and Verify SSH Access on S1
Part 4: Configure and Verify Security Features on S1
Summary (2.3)
Now that you are getting a sense of what network administrators do to configure basic features and security features on a switch, you are ready to look back and review all you have learned. Then perform the activity and skills integration challenge to prove to yourself that you are ready to move to the next chapter.
Class Activity 2.3.1.1: Switch Trio
Scenario
You are the network administrator for a small- to medium-sized business. Corporate headquarters for your business has mandated that security must be implemented on all switches in all offices. The memorandum delivered to you this morning states:
By Monday, April 18, 20xx, the first three ports of all configurable switches located in all offices must be secured with MAC addresses: one address will be reserved for the PC, one address will be reserved for the laptop in the office, and one address will be reserved for the office server.
If security is breached, we ask you to shut the affected port down until the reason for the breach can be certified.
Please implement this policy no later than the date stated in this memorandum. For questions, call 1.800.555.1212. Thank you. The Network Management Team.
Work with a partner in the class and create a Packet Tracer example to test this new security policy. After you have created your file, test it with at least one device to ensure it is operational or validated.
Save your work and be prepared to share it with the entire class.
Packet Tracer Activity 2.3.1.2: Skills Integration Challenge
The network administrator asked you to configure a new switch. In this activity, you will use a list of requirements to configure the new switch with initial settings, SSH, and port security.
When a Cisco LAN switch is first powered on, it goes through the following boot sequence:
Step 1. First, the switch loads a power-on self-test (POST) program stored in ROM. POST checks the CPU subsystem. It tests the CPU, DRAM, and the portion of the flash device that makes up the flash file system.
Step 2. Next, the switch loads the boot loader software. The boot loader is a small program stored in ROM and is run immediately after POST successfully completes.
Step 3. The boot loader performs low-level CPU initialization. It initializes the CPU registers, which control where physical memory is mapped, the quantity of memory, and its speed.
Step 4. The boot loader initializes the flash file system on the system board.
Step 5. Finally, the boot loader locates and loads a default IOS operating system software image into memory and hands control of the switch over to the IOS.
The specific Cisco IOS file that is loaded is specified by the BOOT environment variable. After the Cisco IOS is loaded, it uses the commands found in the startup-config file to initialize and configure the interfaces. If the Cisco IOS files are missing or damaged, the boot loader program can be used to reload or recover from the problem.
The operational status of the switch is displayed by a series of LEDs on the front panel. These LEDs display such things as port status, duplex, and speed.
An IP address is configured on the SVI of the management VLAN to allow for remote configuration of the device. A default gateway belonging to the management VLAN must be configured on the switch using the ip default-gateway command. If the default gateway is not properly configured, remote management is not possible. It is recommended that Secure Shell (SSH) be used to provide a secure (encrypted) management connection to a remote device, to prevent the sniffing of unencrypted usernames and passwords, which is possible when using protocols such as Telnet.
One of the advantages of a switch is that it allows full-duplex communication between devices, effectively doubling the communication rate. Although it is possible to specify the speed and duplex settings of a switch interface, it is recommended that the switch be allowed to set these parameters automatically to avoid errors.
Switch port security is a requirement to prevent such attacks as MAC address flooding and DHCP spoofing. Switch ports should be configured to allow only frames with specific source MAC addresses to enter. Frames from unknown source MAC addresses should be denied and cause the port to shut down to prevent further attacks.
Port security is only one defense against network compromise. There are 10 best practices that represent the best insurance for a network:
Develop a written security policy for the organization.
Shut down unused services and ports.
Use strong passwords and change them often.
Control physical access to devices.
Avoid using standard insecure HTTP websites, especially for login screens. Instead, use the more secure HTTPS.
Perform backups and test the backed-up files on a regular basis.
Educate employees about social engineering attacks, and develop policies to validate identities over the phone, via email, and in person.
Encrypt sensitive data and protect it with a strong password.
Implement security hardware and software, such as firewalls.
Keep IOS software up to date by installing security patches weekly or daily, if possible.
These methods are only a starting point for security management. Organizations must remain vigilant at all times to defend against continually evolving threats.
NTP is used to synchronize the date and time among network devices. NTP clients can synchronize their time settings with an NTP server. Clock synchronization is important when using system log messages for verification and troubleshooting.
Practice
The following activities provide practice with the topics introduced in this chapter. The Labs and Class Activities are available in the companion Routing and Switching Essentials Lab Manual (9781587133206). You can find the Packet Tracer Activities PKA files in the online course.
Class Activities
Class Activity 2.0.1.2: Stand By Me
Class Activity 2.3.1.1: Switch Trio
Labs
Lab 2.1.1.6: Basic Switch Configuration
Lab 2.2.4.11: Configuring Switch Security Features
Packet Tracer Activities
Packet Tracer Activity 2.2.1.4: Configuring SSH
Packet Tracer Activity 2.2.4.9: Configuring Switch Port Security
Packet Tracer Activity 2.2.4.10: Troubleshooting Switch Port Security
Packet Tracer Activity 2.3.1.2: Skills Integration Challenge
Check Your Understanding Questions
Complete all the review questions listed here to test your understanding of the topics and concepts in this chapter. The appendix, "Answers to the Check Your Understanding Questions," lists the answers.
1. Which three options correctly associate the command with the paired behavior? (Choose three.)
A. switchport port-security violation protect: Frames with unknown source addresses are dropped and a notification is sent.
B. switchport port-security violation restrict: Frames with unknown source addresses are dropped and no notification is sent.
C. switchport port-security violation shutdown: Frames with unknown source addresses result in the port becoming error-disabled, and a notification is sent.
D. switchport port-security mac-address sticky: Allows dynamically learned MAC addresses to be stored in the running configuration.
E. switchport port-security maximum: Defines the number of MAC addresses associated with a port.
2. What is the effect of entering the following command on a Fast Ethernet switch port?
SW1(config-if)# duplex full
A. The connected device communicates in two directions, but only one direction at a time.
B. The switch port returns to its default configuration.
C. If the device connected to this port is also set for full duplex, the device participates in collision-free communication.
D. The efficiency of this configuration is typically rated at 50 to 60 percent.
E. The connected device should be configured as half duplex.
3. Which two tasks does autonegotiation in an Ethernet network accomplish? (Choose two.)
A. Sets the link speed
B. Sets the IP address
C. Sets the link duplex mode
D. Sets MAC address assignments on switch port
E. Sets the ring speed
4. Why should a default gateway be assigned to a switch?
A. So that there can be remote connectivity to the switch via such programs as Telnet and ping
B. So that frames can be sent through the switch to the router
C. So that frames generated from workstations and destined for remote networks can pass to a higher level
D. So that other networks can be accessed from the command prompt of the switch
5. The network administrator wants to configure an IP address on a Cisco switch. How does the network administrator assign the IP address?
A. In privileged EXEC mode
B. On the switch interface FastEthernet0/0
C. On the management VLAN
D. On the physical interface connected to the router or next-hop device
6. Which option correctly associates the Layer 2 security attack with the description?
A. MAC address flooding: Broadcast requests for IP addresses with spoofed MAC addresses.
B. DHCP starvation: Using proprietary Cisco protocols to gain information about a switch.
C. CDP attack: The attacker fills the switch MAC address table with invalid MAC addresses.
D. Telnet attack: Using brute force password attacks to gain access to a switch.
7. What is an advantage of using SSH over Telnet when remotely connecting to a switch?
A. Encryption
B. More connection lines
C. Connection-oriented services
D. Username and password authentication
8. Consider the configuration. Which two commands are not needed on the switch in order for a remote network administrator to access the switch using SSH?
A. Switch(config)# ip domain-name mydomain.com
B. Switch(config)# crypto key generate rsa
C. Switch(config)# ip ssh version 2
D. Switch(config)# line vty 0 15
E. Switch(config-if)# transport input ssh
9. What is an advantage of having the correct date and time on a network device?
A. Network administrators are provided with correct time stamps on log messages.
B. When working at the console prompt, the network administrator has a good idea how long the configuration or troubleshooting process is taking.
C. Other devices can use CDP to discover neighbor device information if the time and date are synchronized between the two devices.
D. Secure remote connectivity can be accomplished if the date and time are accurate.
10. What is the purpose of DHCP snooping?
A. Ensures devices are configured for automatic IP address assignment
B. Prevents unauthorized DHCP servers
C. Prevents DHCP messages from going across a trunk
D. Prevents DHCP messages from being sent to another network
11. What is a Cisco best practice for deploying switches?
A. When a server connects to a switch, the switch port should have the port speed manually configured, but the autonegotiation feature used for duplex.
B. A compound word should be used as a password on an infrastructure network device such as a switch.
C. Telnet should be used whenever possible on the switch vty lines.
D. The enable secret password should be used when configuring a switch to use SSH on the vty lines.
12. When would auto-MDIX be best to use?
A. When a switch connects to a router
B. When a switch connects to another switch
C. When any device connects to an access layer switch
D. When the cable type is unknown
2017 Pearson Education, Cisco Press. All rights reserved.
800 East 96th Street, Indianapolis, Indiana 46240