
Configuring a Catalyst Switch

Configuring a Web Interface:
  Switches have web-based config tools that require an onboard HTTP server:
    Web browser GUI.
    Security Device Manager (SDM).
    IP Phone and Telephony apps.
  HTTP services are a security hole: authentication is optional.
  If many users access HTTP services you may require a separate authentication server. AAA and TACACS can be used to validate user credentials (robust).
  A less complex method allows use of the enable password.
  A local authentication method requires the user to log in with a username and password specified in the config.
    S1(config)#ip http server        (turns on the server; on by default)
    S1(config)#ip http authentication enable
  This requires only the enable password for authentication. You may also specify aaa or tacacs authentication; these require a separate server or AAA services.
  Username and password combos are used for a variety of security purposes.
    S1(config)#username ____ password ____

The MAC Address Table:
  Determines how to forward traffic between ports. Includes dynamic and static MAC addresses.
  MAC address table = CAM table (Content Addressable Memory) = SAT (Source Address Table) = bridge table.
  Dynamic addresses are source MAC addresses learned and aged out when not used. Default max age = 300 seconds.
  Setting the age too short can cause premature removal. When a switch receives a frame for an unknown destination, it floods it to all ports in the same LAN/VLAN. This unnecessary flooding can impact performance.
  Setting too long an age can fill the table with unused addresses, which also causes flooding.
  Dynamic addresses are learned from the source MAC address of each frame received on each port. As PCs are added/removed, the switch updates the table.
  An admin can assign static MAC addresses to certain ports. These are not aged out. They give the admin complete control over network access.
    S1(config)#mac-address-table static MAC vlan # interface id
  To remove a static mapping, prefix the command with no.
  The max size of the table varies by model.

  E.g. a 2960 holds up to 8,192 MAC addresses.

Configuring a Switch for Operation in a Network:
  Backing up the config:
    S1#copy running-config startup-config
  To keep multiple startup-config files (allows for rollbacks):
    S1#copy startup-config flash:filename
  Restoring the configuration:
    S1#copy flash:filename startup-config
    S1#reload
  The system prompts to save the config. In this particular case you need to answer no.
  NOTE: copy startup-config running-config does not entirely overwrite the running config; it only adds to the existing config.

Back Up Config Files to a TFTP Server:
  It is good practice to back up configs on the network for archiving. Use TFTP to back up configs over the network. The IOS has a built-in TFTP client.
  1. Verify the TFTP server is running.
  2. From the switch, ping the TFTP server.
  3. Upload the config:
    S1#copy system:running-config tftp
    OR
    S1#copy startup-config tftp
  Answer the prompts for the TFTP IP address, filename, etc.
  Restoring from TFTP:
  1. Copy the config file to the TFTP server directory.
  2. Verify that the TFTP server is running on your network.
  3. From the switch, ping the TFTP server.
  4. Download the config file:
    S1#copy tftp system:running-config
    OR
    S1#copy tftp nvram:startup-config
  Answer the prompts for the TFTP IP address, filename, etc.

Configure Basic Security on a Switch:

  Physical security: do not let users access the console port!
  Secure the Console: set a password on line console 0 and use the login command.
  To remove the console password:
    S1(config-line)#no password
    S1(config-line)#no login
  If there is no password but login is still enabled: NO access!
  Secure the vty Ports: vty ports allow you to access the device remotely. You do not need physical access to reach the vty ports, so it is very important to secure them. There can be 16 vty ports available, which permits more than one admin to manage the switch.
    S1(config)#line vty 0 15
    S1(config-line)#password Password
    S1(config-line)#login
  If no enable password has been set, the switch will deny vty access, even if the above config is correct.
  Configure EXEC Mode Passwords: one problem with the enable password is that it is stored in readable text in the config files. As a result, Cisco introduced enable secret (MD5). If the secret is configured, it is used instead of the enable password.
  Configure Encrypted Passwords: by default all passwords except enable secret are stored in clear text. service password-encryption (global config) enables password encryption. The encryption used is type 7 (very weak).
  Enable Password Recovery (2950):
    Disconnect/reconnect the power cord.
    Press the Mode button while the System LED is still flashing. Hold until the LED turns solid green, then release (about 15 sec).
    Type: flash_init (initializes the file system).
    Type: load_helper (loads any helper files).
    Type: dir flash:
    Type: rename flash:config.text flash:config.text.old
    Type: boot
    Type: #rename flash:config.text.old flash:config.text
    Type: #copy flash:config.text system:running-config
    Set new password(s).
    Type: #copy running-config startup-config

Telnet and SSH:
  Telnet is the original access method and is insecure. SSH is preferred but much more complex. Communication between the SSH client and server is encrypted.
  Cisco devices currently support both SSHv1 and SSHv2. SSHv2 is recommended when possible (better encryption; not supported in Cisco clients). Much more powerful than version 1.
  Configure Telnet: Telnet is the default transport for vty lines. You do not need to specify it before initial configuration. However, if you have switched to SSH and want to go back to Telnet, you need the following command:
    S1(config-line)#transport input telnet
    OR
    S1(config-line)#transport input all
  all permits both SSH and Telnet access.
  Configure SSH: SSH is subject to export restrictions. A cryptographic image must be installed on your switch. SSH requires an SSH server and an SSH client. To connect from a PC requires a PC client like PuTTY. To connect from one switch to another requires that SSH be running on both switches. Switches currently only support SSHv1 for the client. SSH supports DES (Data Encryption Standard, 56-bit) and 3DES (triple DES, 168-bit).
  To implement SSH, you need to generate RSA public and private keys (asymmetric encryption: a private and a public key). Before configuring SSH, generate RSA keys:
  1. Configure a hostname.
  2. Configure a host domain:
    S1(config)#ip domain-name name
  3. Enable the SSH server for local and remote authentication and generate an RSA key pair using:
    S1(config)#crypto key generate rsa
  This prompts for the modulus length (1024 is the current sweet spot).
  4. From enable mode, check the status with show ip ssh or show ssh.
  NOTE: delete RSA key pairs with crypto key zeroize rsa. The SSH server is then automatically disabled.

Configure the SSH Server:
  1. (Optional) Configure the version with ip ssh version [1 | 2]. Otherwise the switch selects the latest version supported.
  2. Configure the SSH control parameters: time-out values (do not worry about these details).
  3. Display the SSH status using show ip ssh or show ssh.
  4. Back up your configs!
  To prevent non-SSH connections (Telnet), add:
    S1(config-line)#transport input ssh
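The checks in the web interface, password and SSH sections above can be automated against a saved config. The following is an added example, not part of the original notes or any Cisco tool, that audits a Catalyst running-config text for those settings; both configs are constructed samples and <placeholder> stands for a real secret.

```python
"""Audit a Catalyst running-config for the weak settings in these notes."""
def parse_config(text):
    """Split an IOS config into top-level commands and per-'line' block commands."""
    top_level, blocks, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                    # '!' or a blank line closes a block
            continue
        if line.startswith(" "):              # indented: belongs to the open block
            if current is not None:
                blocks[current].append(line.strip())
            continue
        if line.startswith("line "):          # line con 0, line vty 0 15, ...
            current = line
            blocks[current] = []
        else:
            current = None
            top_level.append(line)
    return top_level, blocks

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    top_level, blocks = parse_config(text)
    findings = []
    def has(prefix):
        return any(cmd.startswith(prefix) for cmd in top_level)
    if "ip http server" in top_level and not has("ip http authentication"):
        findings.append("ip http server enabled with no authentication method")
    if has("enable password") and not has("enable secret"):
        findings.append("enable password set without enable secret (readable in config)")
    if not has("enable password") and not has("enable secret"):
        findings.append("no enable password/secret: vty access will be denied")
    if "service password-encryption" not in top_level:
        findings.append("service password-encryption missing: line passwords in clear text")
    if "ip ssh version 1" in top_level:
        findings.append("ip ssh version 1 forced: SSHv2 is recommended")
    for name, cmds in blocks.items():
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if name.startswith("line vty") and transport != "transport input ssh":
            findings.append(f"{name}: Telnet accepted ({transport or 'default transport'})")
        if "login" in cmds and not any(c.startswith("password") for c in cmds):
            findings.append(f"{name}: login set without a password (no access possible)")
    return findings

# Constructed sample showing the weak settings the notes warn about.
WEAK_CONFIG = """\
ip http server
enable password cisco
!
line con 0
 login
!
line vty 0 15
 password cisco
 login
 transport input all
"""

# Constructed hardened sample; <placeholder> stands for a real secret.
HARDENED_CONFIG = """\
service password-encryption
enable secret <placeholder>
ip ssh version 2
no ip http server
!
line vty 0 15
 password <placeholder>
 login
 transport input ssh
"""
```

Running audit(WEAK_CONFIG) reports five findings (HTTP without authentication, enable password without secret, no password encryption, console login without a password, Telnet on the vty lines); the hardened config reports none.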

Dynamic Routing Protocols & Router Password Recovery

Dynamic Routing Protocols:
  Dynamic routing helps the admin overcome the time-consuming process of configuring and maintaining static routes. Routing protocols have been used since the early 80s. Routing algorithms have been in use since 1969.
  Some functions of dynamic routing protocols:
    Dynamically share information between routers.
    Automatically update the routing table when the topology changes.
    Determine the best path to a destination.
  The purpose of a dynamic routing protocol is to:
    Discover remote networks.
    Maintain up-to-date routing information.
    Choose the best path to destination networks.
    Find a new best path if the current path disappears.
  Components of a routing protocol:
    Data structures: some routing protocols use tables and/or databases for operations. This info is kept in RAM.
    Algorithm: a procedure for accomplishing a certain task. Different protocols use different algorithms.
    Routing protocol messages: messages for discovering neighbours and exchanging routing information.
  Advantages of static routing:
    Can back up multiple interfaces/networks on a router.
    Easy to configure.
    No extra resources (CPU/memory) are needed.
    More secure.
  Disadvantages of static routing:
    Network changes require manual reconfiguration.
    Config is error-prone, especially in large networks.
    Admin intervention is required to maintain changing route info.
    Does not scale well in large topologies.
    Requires complete knowledge of the whole network for proper implementation.

  Advantages of dynamic routing:
    The admin has less work maintaining the config when adding or deleting networks.
    Protocols automatically react to topology changes.
    Config is less error-prone.
    More scalable; growing the network usually does not present a problem.
  Disadvantages of dynamic routing:
    Router resources are used (CPU cycles, memory and link bandwidth).
    More admin knowledge is required for config, verification, and troubleshooting.

Classifying Routing Protocols:
  Dynamic routing protocols are grouped according to characteristics:
    Interior Gateway Protocols: Distance Vector protocols, Link-State protocols.
    Exterior Gateway Protocols.
  An Autonomous System is a group of routers under the control of a single authority (e.g. a company).
  Interior Gateway Routing Protocols (IGP): used for routing inside an autonomous system and to route within the individual networks themselves. Examples: RIP, EIGRP, OSPF.
  Exterior Routing Protocols (EGP): used for routing between autonomous systems. Example: BGPv4.
  IGP: comparison of Distance Vector and Link State routing protocols.
    Distance Vector: routes are advertised as vectors of distance and direction. Incomplete view of the network topology. Generally, periodic updates.
    Link State: a complete view of the network topology is created. Updates are not periodic.
  Classful routing protocols: do NOT include subnet mask information in routing updates. RIPv1, IGRP.
  Classless routing protocols: do include the subnet mask in routing updates (support VLSM). RIPv2, EIGRP, OSPF, IS-IS, BGP.
  Convergence is defined as the state in which all routers' routing tables are consistent (not identical, but they know about the same networks). Convergence time is the time it takes for all routers to converge. Faster is better! (RIP is a poor one and can take up to 7.5 min; OSPF a matter of seconds; EIGRP can converge the fastest, under a second.) Convergence properties include the speed of propagation of routing information and the calculation of optimal paths. Routing protocols can be rated based on the speed to convergence. The faster the convergence, the better the routing protocol. Generally, RIP and IGRP are slow to converge, whereas EIGRP and OSPF are faster to converge.

Routing Protocol Metrics:
  Metric: a value or unit of measure used by a routing protocol to determine which routes are better than others.
  Metrics used in IP routing protocols:
    Hop count: counts the number of routers a packet must traverse.
    Bandwidth: path selection by preferring the path with the highest bandwidth.
    Load: traffic utilization of a certain link.
    Delay: time a packet takes to traverse a path.
    Reliability: assesses the probability of a link failure, calculated from the interface error count or previous link failures.
    Cost: a value determined either by the IOS or by the network admin to indicate preference for a route. Cost can represent a metric, a combination of metrics or a policy.
  The metric field in the routing table: in [120/1], the first number is the administrative distance and the second number is the hop count.
  Metric used for each routing protocol:
    RIP: hop count.
    IGRP and EIGRP: bandwidth and delay (default), load, reliability.
    IS-IS and OSPF: cost, bandwidth (Cisco's implementation).
  The metric associated with a certain route can be best viewed using the #show ip route command.
  Load balancing: the ability of a router to distribute packets among multiple same-cost paths (load balancing across equal-cost paths).

Administrative Distance of a Route:
  A metric is used to determine the best path to a destination. When comparing routes using different protocols, the metrics are incompatible, e.g. hops vs. bandwidth.
  Administrative Distance (AD): a numeric value specifying the preference of a particular routing source, i.e. the reliability of the route information.
  Identifying the AD in a routing table: it is the first number in the brackets in the routing table. The lower the value the better: best = 0, worst = 255. The lower the value, the more trustworthy the route. 0 is directly connected to the router.
    #show ip protocol

  If you see the word distance it usually means AD.
  Dynamic routing protocols:
    #show ip route
    #show ip protocols
  Static routes: the AD of a static route has a default value of 1 regardless of how it is configured. You can verify AD values with #show ip protocols. It is possible to change the AD of static routes.
  Directly connected routes: immediately appear in the routing table as soon as the interface is configured, enabled and operational.

Password Recovery:
  Do a hard reboot (cold reboot), i.e. turn the power off/on.
  In HyperTerminal, hit the Ctrl-Break key combination within 60 s (hit it a few times). The router prompt should display rommon > (read-only memory monitor mode).
  Type: rommon> confreg 0x2142 to change the config register.
  Type: rommon> i to reboot/initialize the router. The router should reboot into setup mode (Ctrl-C to bypass).
  Type: R1(config)#config-register 0x2102 to change back to the default; otherwise if you have to reboot again you will not be using th.
  Then either 1) erase startup-config, OR 2) copy it to RAM and change the passwords (then save back to NVRAM). In the real world: copy startup-config running-config.
    R1(config)#enable secret NEWPASSWORD
    R1#copy running-config startup-config
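As an added example (not from the original notes), the route-selection rule just described, lowest AD first and then lowest metric, with ties kept for equal-cost load balancing, applied to a constructed set of candidate routes written in the [AD/metric] notation used above. The 4-path limit is the RIP default mentioned later in these notes.

```python
"""Route selection by administrative distance, then metric (added example)."""
import re
from collections import defaultdict

# Fields of a routing-table style line: code, prefix, [AD/metric], next hop.
ROUTE_RE = re.compile(r"^(\S+)\s+(\S+)\s+\[(\d+)/(\d+)\]\s+via\s+(\S+)$")

def parse_candidate(line):
    """'R 10.1.0.0/16 [120/2] via 10.0.0.2' -> ('R', '10.1.0.0/16', 120, 2, '10.0.0.2')."""
    match = ROUTE_RE.match(line.strip())
    if not match:
        raise ValueError(f"unrecognised route line: {line!r}")
    code, prefix, ad, metric, next_hop = match.groups()
    return code, prefix, int(ad), int(metric), next_hop

def select_routes(lines, max_paths=4):
    """For each prefix keep the lowest-AD source; within it the lowest metric.
    Every path tied on (AD, metric) is installed for equal-cost load balancing,
    up to max_paths (RIP's default of 4)."""
    by_prefix = defaultdict(list)
    for line in lines:
        code, prefix, ad, metric, next_hop = parse_candidate(line)
        by_prefix[prefix].append((ad, metric, code, next_hop))
    installed = {}
    for prefix, cands in by_prefix.items():
        best = min((ad, metric) for ad, metric, _, _ in cands)   # AD compared before metric
        paths = [(code, nh) for ad, metric, code, nh in cands if (ad, metric) == best]
        installed[prefix] = {"ad": best[0], "metric": best[1], "paths": paths[:max_paths]}
    return installed

# Constructed candidates: several routing sources offering the same prefixes.
CANDIDATES = [
    "S 10.1.0.0/16 [1/0] via 10.0.0.9",      # static: AD 1 beats any dynamic source
    "R 10.1.0.0/16 [120/2] via 10.0.0.2",
    "O 10.2.0.0/16 [110/30] via 10.0.0.5",   # OSPF cost 30 vs RIP 1 hop: AD decides, not metric
    "R 10.2.0.0/16 [120/1] via 10.0.0.2",
    "R 10.3.0.0/16 [120/3] via 10.0.0.2",    # two equal-cost RIP paths -> load balancing
    "R 10.3.0.0/16 [120/3] via 10.0.0.6",
    "R 10.3.0.0/16 [120/5] via 10.0.0.7",
]

if __name__ == "__main__":
    for prefix, route in select_routes(CANDIDATES).items():
        print(prefix, f"[{route['ad']}/{route['metric']}]", route["paths"])
```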

Distance Vector Routing Protocols

The meaning of Distance Vector:
  A router using a distance vector routing protocol knows 2 things:
    Distance to the final destination.
    Vector, or direction, in which traffic should be directed.
  RIP uses hop count as the metric for path selection. If the hop count for a network is greater than 15, RIP cannot supply a route to that network.
  IGRP/EIGRP use bandwidth, delay, load and reliability for path selection. EIGRP can perform unequal-cost load balancing.

  EIGRP uses the Diffusing Update Algorithm (DUAL) to calculate the shortest path. EIGRP only sends updates when there is a change in the topology.
Characteristics of Distance Vector routing protocols:
  Periodic updates: RIP 30 sec, IGRP 90 sec.
  Neighbours: directly connected routers (routers using distance vector routing are not aware of the network topology).
  Broadcast updates: 255.255.255.255.
  The entire routing table is included with routing updates.
Routing Protocol Algorithms:
  Defined as a procedure for accomplishing a certain task.
  Purpose of routing algorithms:
    1. Send and receive updates.
    2. Calculate the best path, install routes.
    3. Detect and react to topology changes.
Routing Protocol Characteristics:
  Criteria used to compare routing protocols include:
    Time to convergence.
    Scalability.
    Classless (use of VLSM) or classful.
    Resource usage.
    Implementation and maintenance.
Advantages & Disadvantages of Distance Vector Routing Protocols:
Network Discovery:
  Router initial start-up (cold start): initial network discovery. Directly connected networks are initially placed in the routing table.
  Initial exchange of routing information: if a routing protocol is configured, routers will exchange routing information.
  Routing updates received from other routers: the router checks the update for new information. If there is new information: 1. the metric is updated; 2. the new information is stored in the routing table.
Exchange of Routing Information:
  Router convergence is reached when all routing tables in the network contain the same network information.
  Routers continue to exchange routing information; if no new information is found, convergence is reached.
  Convergence must be reached before a network is considered completely operable.
  The speed of achieving convergence consists of 2 interdependent categories:
    How quickly a router propagates a change in the topology in a routing update to its neighbours (speed of broadcasting routing information).

    Speed of calculating best-path routes.
Routing Table Maintenance:
  Periodic updates (RIPv1 and RIPv2): time intervals at which a router sends out its entire routing table. RIP uses 4 timers:
    Update timer: 30 sec.
    Invalid timer: 180 sec (if no update has been received to refresh the route).
    Holddown timer: 180 sec.
    Flush timer: 240 sec.
  Bounded updates (EIGRP): EIGRP routing updates (using reliable exchanges, waiting for a confirmation) are:
    Partial: sent (triggered) only when there is a change in topology that influences routing info.
    Bounded: propagation of partial updates is automatically bounded so that only those routers that need the information are updated.
    Non-periodic: they are not sent out on a regular basis.
  Triggered updates: a routing table update that is sent immediately in response to a routing change. Conditions in which triggered updates are sent:
    An interface changes state (up or down).
    A route has entered (or exited) the unreachable state.
    A route is placed in the routing table.
  Random (RIP) jitter: synchronized updates (between routers) are a condition where multiple routers on multi-access LAN segments transmit routing updates at the same time. Problems with synchronized updates: bandwidth consumption, packet collisions. Solution: use a random variable, called RIP_JITTER, which adds a variable amount of time to the update interval for each router in the network. This random jitter, or variable amount of time, ranges from 0% to 15% of the specified update interval. In this way, the update interval varies randomly in a range from 25 to 30 seconds for the default 30-second interval.
Routing Loops:
  A routing loop is a condition in which a packet is continuously transmitted within a series of routers without ever reaching its destination.
  Routing loops may be caused by:
    Incorrectly configured static routes.
    Incorrectly configured route redistribution (more than one routing protocol).
    Slow convergence.

    Incorrectly configured discard routes.
  Routing loops can create the following issues:
    Excess use of bandwidth.
    CPU resources may be strained.
    Network convergence is degraded.
    Lost routing updates lead to more loops, which lead to black holes.
  Count to infinity: a routing loop where packets bounce infinitely around the network. A condition that exists when inaccurate routing updates increase the metric value to infinity for a network that is no longer reachable.
  Setting a maximum (to prevent loops?): distance vector routing protocols set a specified metric value to indicate infinity. Once a router counts to infinity it marks the route as unreachable. RIP defines infinity as 16 hops, an unreachable metric.
  Holddown timers: allow a router to not accept any changes to a route for a specified period of time. This allows routing updates to propagate through the network with the most current information. RIP sets it at 180 sec.
  The Split Horizon rule is used to prevent routing loops: a router should not advertise a network through the same interface from which the update came.
  Split horizon with poison reverse (or route poisoning): once a router learns of an unreachable route, it advertises it back through the same interface as unreachable (setting the count to infinity as described above). Speeds up convergence. AKA route poisoning.
  IP & TTL: the TTL field in an IP header is used to prevent packets from endlessly traveling on a network. The TTL value is decreased by one by every router on the route to the destination. If the value reaches 0, the packet is discarded.
  Factors used to determine whether to use RIP or EIGRP include:
    Network size (RIP has a max of 15 hops between 2 PCs).
    Compatibility between models of routers.
    Administrative knowledge.
RIP:
  Features of RIP (RIPv1 & RIPv2):
    Supports split horizon and poison reverse.
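An added example, not part of the original notes, that simulates the count-to-infinity loop described above on a constructed three-router chain A - B - C (network N attached to C), with B processing C's update before A's stale one, the ordering that triggers the loop; it counts how many update rounds it takes every router to reach 16 hops without split horizon, with plain split horizon, and with poison reverse.

```python
"""Count to infinity vs. split horizon, simulated on a 3-router chain (added example)."""
INFINITY = 16  # RIP's unreachable metric

class Router:
    def __init__(self, name):
        self.name = name
        self.neighbours = []   # Routers, in the order their updates are processed
        self.table = {}        # destination -> [hop_count, next_hop_name]

    def build_update(self, to, split_horizon, poison_reverse):
        """Periodic update sent to neighbour `to`: {destination: hop_count}."""
        update = {}
        for dest, (metric, next_hop) in self.table.items():
            if split_horizon and next_hop == to.name:
                if poison_reverse:
                    update[dest] = INFINITY   # advertise it back as unreachable
                continue                      # plain split horizon: say nothing
            update[dest] = metric
        return update

    def receive_update(self, sender, update):
        """Bellman-Ford step; returns True when the table changed."""
        changed = False
        for dest, advertised in update.items():
            metric = min(advertised + 1, INFINITY)
            current = self.table.get(dest)
            if current is None:
                if metric < INFINITY:
                    self.table[dest] = [metric, sender.name]
                    changed = True
            elif current[1] == sender.name:
                # The current next hop is believed even when its metric gets worse.
                if current[0] != metric:
                    current[0] = metric
                    changed = True
            elif metric < current[0]:
                self.table[dest] = [metric, sender.name]
                changed = True
        return changed

def run_until_converged(routers, split_horizon, poison_reverse, max_rounds=100):
    """Synchronous rounds of periodic updates; returns how many rounds changed a table."""
    for rounds in range(max_rounds):
        # All updates are built from the tables as they stood at the start of the round.
        updates = {(s.name, n.name): s.build_update(n, split_horizon, poison_reverse)
                   for s in routers for n in s.neighbours}
        changed = False
        for receiver in routers:
            for sender in receiver.neighbours:   # fixed per-router processing order
                changed |= receiver.receive_update(sender, updates[(sender.name, receiver.name)])
        if not changed:
            return rounds
    return max_rounds

def simulate(split_horizon, poison_reverse=False):
    """Chain A - B - C with network N attached to C. After convergence the link to N fails.
    Returns (rounds until every router agrees N is unreachable, final hop counts)."""
    a, b, c = Router("A"), Router("B"), Router("C")
    a.neighbours, b.neighbours, c.neighbours = [b], [c, a], [b]
    routers = [a, b, c]
    c.table["N"] = [0, None]          # directly connected
    run_until_converged(routers, split_horizon, poison_reverse)
    c.table["N"] = [INFINITY, None]   # link down: C now advertises N as unreachable
    rounds = run_until_converged(routers, split_horizon, poison_reverse)
    return rounds, {r.name: r.table["N"][0] for r in routers}

if __name__ == "__main__":
    print("no split horizon:", simulate(False))        # counts up to 16 over 15 rounds
    print("split horizon:   ", simulate(True))         # unreachable after 2 rounds
    print("poison reverse:  ", simulate(True, True))   # also 2 rounds
```

Without split horizon, A and B trade the stale route back and forth, raising the hop count by one per round until it hits 16; with split horizon, A never advertises N back to B, so the bad news propagates in two rounds.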

    Capable of load balancing (up to 6 paths; by default set to 4).
    Easy to configure.
    Works in a multi-vendor router environment.
    Does support triggered updates.
  Additional for RIPv2:
    Includes the subnet mask in the routing updates, making it a classless routing protocol.
    Has an authentication mechanism to secure routing table updates.
    Supports variable length subnet masks (VLSM).
    Uses multicast addresses instead of broadcast.
    Supports manual route summarization.
EIGRP:
  Features of EIGRP:
    Triggered updates only (no periodic updates).
    EIGRP hello protocol for neighbour adjacencies.
    Supports VLSM and route summarization.
    Uses a topology table to maintain all routes (unlike RIPv2).
    Classless; supports VLSM.
    Cisco proprietary protocol.
  Advantages:
    Metric based on minimum bandwidth and cumulative delay of the path rather than hop count.
    Fast convergence due to DUAL, which allows the insertion of backup routes into the EIGRP topology table.
    Bounded updates mean that it uses less bandwidth.
    Supports multiple network layer protocols through Protocol Dependent Modules, which include support for IP, IPX and AppleTalk.

Layer 3 Switching

1. What might you need to implement interVLAN routing?
Answer: One or more Layer 3 interfaces. One or more SVIs. Static routes. A dynamic routing protocol.

2. Can interVLAN routing be performed over a single trunk link?
Answer: Yes. Packets can be forwarded between the VLANs carried over the trunk.

3. To configure an SVI, what commands are needed?
Answer: First, make sure the VLAN is defined on the switch.
    interface vlan vlan-id
    ip address ip-address mask
    no shutdown

4. What command can verify the VLAN assignments on a Layer 2 port?
Answer: show interface type mod/num switchport or show interface status

5. A switch has the following interface configurations in its running configuration:
    interface fastethernet 0/1
     switchport access vlan 5
    !
    interface vlan 5
     ip address 192.168.10.1 255.255.255.0
     no shutdown
What is necessary for packets to get from the FastEthernet interface to the VLAN 5 SVI?
Answer: Nothing. Both are assigned to VLAN 5, so normal Layer 2 transparent bridging will take care of all forwarding between the two.

6. What is the source of FIB information?
Answer: The routing table, as computed by the Layer 3 engine portion of a switch.

7. How often is the FIB updated?
Answer: As needed. It is downloaded or updated dynamically by the Layer 3 engine whenever the routing topology changes or an ARP entry changes.

8. What is meant by the term "CEF punt"?
Answer: A packet can't be forwarded or switched by CEF directly because it needs further processing. The packet is "punted" to the Layer 3 engine, effectively bypassing CEF for a more involved resolution.

9. What happens to the FIB when distributed CEF (dCEF) is used?
Answer: It is simply replicated to each of the independent CEF engines. The FIB itself remains intact so that each engine receives a duplicate copy.

10. What happens during a "CEF glean" process?
Answer: The MAC address (ARP reply) for a next-hop FIB entry is not yet known. The Layer 3 engine must generate an ARP request and wait for a reply before CEF forwarding can continue to that destination.

11. What does a multilayer switch do to the IP TTL value just before a packet is forwarded?
Answer: The TTL is decremented by one, as if a router had forwarded the packet.

12. What is fallback bridging?
Answer: On switch platforms that cannot multilayer-switch (route) all routable protocols, those protocols can be bridged transparently between VLANs instead.

13. Is it possible for an SVI to go down? If so, for what reasons?
Answer: Yes. The SVI can be shut down administratively with the shutdown command, as with any other interface. Also, if the VLAN associated with the SVI is not defined or active, the SVI will appear to be down.
