Chapter 2

Router and Switch


Routing versus Switching: Layer 2 versus Layer 3
▪ Routers provide more isolation between devices (they stop broadcasts)
▪ Routing is more complicated, but also more sophisticated and can make more efficient use of the network, particularly if there are redundancy elements such as loops
(Figure: Switching versus Routing; caption: "These links must be routed, not switched")
Core Network
▪ Reliability is the key
▪ Remember: many users and possibly your whole network rely on the core
▪ May have one or more network core locations
▪ Core location must have reliable power
  ▪ UPS battery backup (redundant UPS as your network evolves)
  ▪ Generator
▪ Core location must have reliable air conditioning
▪ As your network evolves, core equipment should be equipped with dual power supplies, each powered from a separate UPS
▪ Border routers separate from Core
  ▪ Firewalls and Traffic Shaping Devices
  ▪ Intrusion Detection
  ▪ Intrusion Prevention
  ▪ Network Address Translation
Core Network
▪ At the core of your network should be routers – you must route, not switch.
▪ Routers give isolation between subnets
▪ A simple core:
(Figure: Border Router, Firewall/Traffic Shaper and Core Router in a row; all router interfaces on a separate subnet; fiber optic links to remote buildings; central servers for campus)
Where to put Servers?
▪ Servers should be on a high speed interface off of your core router
▪ Servers should be at your core location where there is good power and air conditioning
(Figure: Border Router, Firewall/Traffic Shaper and Core Router; all router interfaces on a separate subnet; fiber optic links to remote buildings; servers in core)
Border Router
▪ Connects to outside world
▪ RENs and Peering are the reason you need them
▪ Must get Provider Independent IP address space to really make this work right
(Figure: Border Router connected to an Internet Exchange, a REN and the Campus Network)
Putting it all Together
(Figure: Border Router, Firewall/Traffic Shaper, REN switch, Core Router, Core Servers, Fiber Optic Links to remote buildings)
Notes on IP Addressing
• Get your own Public IP address space (get your V6 block when you get your V4 one)
• Make subnet IP space large enough for growth
• Use DHCP to assign addresses to individual PCs
• Use static addressing for switches, printers, and servers
More Complex Core Designs
• One Armed Router for Core
(Figure: Core Router attached to a Core Switch by a VLAN trunk carrying all subnets; Core Servers; Fiber Optic Links)
Complex Core Designs
• Multiple Core Routers
(Figure: Border Router, Firewall/Traffic Shaper, Core Switch, Local Internet exchange switch, two Core Routers, Fiber Links to remote buildings)
Alternative Core Designs
• Wireless Links versus Fiber
(Figure: Border Router, Firewall/Traffic Shaper, REN switch, Core Router, Core Servers, Fiber Optic Links and Wireless Links)
Configure a Switch with Initial Settings: Switch Boot Sequence
▪ After a switch is powered on, it goes through the following five-step boot sequence:
  o Step 1: First, the switch loads a power-on self-test (POST) program stored in ROM. POST checks the CPU subsystem. It tests the CPU, DRAM, and the portion of the flash device that makes up the flash file system.
  o Step 2: Next, the switch loads the boot loader software. The boot loader is a small program stored in ROM that is run immediately after POST successfully completes.
  o Step 3: The boot loader performs low-level CPU initialization. It initializes the CPU registers, which control where physical memory is mapped, the quantity of memory, and its speed.
  o Step 4: The boot loader initializes the flash file system on the system board.
  o Step 5: Finally, the boot loader locates and loads a default IOS operating system software image into memory and gives control of the switch over to the IOS.
Configure a Switch with Initial Settings: The boot system Command
▪ The switch attempts to automatically boot by using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable file it can find.
▪ The IOS operating system then initializes the interfaces using the (Cisco) IOS commands found in the startup-config file. The startup-config file is called config.text and is located in flash.
▪ In the example, the BOOT environment variable is set using the boot system global configuration mode command:
  S1(config)# boot system flash:c2960-lanbasek9-mz.150-2.SE/c2960-lanbasek9-mz.150-2.SE.bin
▪ Notice that the IOS is located in a distinct folder and the folder path is specified.
▪ Use the command show boot to see what the current IOS boot file is set to.

Command                           Definition
boot system                       The main command
flash:                            The storage device
c2960-lanbasek9-mz.150-2.SE/      The path to the file system
c2960-lanbasek9-mz.150-2.SE.bin   The IOS file name

Configure a Switch with Initial Settings: Switch LED Indicators
▪ System LED (SYST): Shows whether the system is receiving power and functioning properly.
▪ Redundant Power Supply LED (RPS): Shows the RPS status.
▪ Port Status LED (STAT): When green, indicates port status mode is selected, which is the default. Port status can then be understood by the light associated with each port.
▪ Port Duplex LED (DUPLX): When green, indicates port duplex mode is selected. Port duplex can then be understood by the light associated with each port.
▪ Port Speed LED (SPEED): When green, indicates port speed mode is selected. Port speed can then be understood by the light associated with each port.
▪ Power over Ethernet LED (PoE): Present if the switch supports PoE. Indicates the PoE status of ports on the switch.
▪ The Mode button is used to move between the different modes – STAT, DUPLX, SPEED, and PoE.
Configure a Switch with Initial Settings: Recovering from a System Crash
▪ The boot loader provides access into the switch if the operating system cannot be used because of missing or damaged system files. The boot loader has a command line that provides access to the files stored in flash memory. The boot loader can be accessed through a console connection following these steps:
  o Step 1. Connect a PC by console cable to the switch console port. Configure terminal emulation software to connect to the switch.
  o Step 2. Unplug the switch power cord.
  o Step 3. Reconnect the power cord to the switch and, within 15 seconds, press and hold down the Mode button while the System LED is still flashing green.
  o Step 4. Continue pressing the Mode button until the System LED turns briefly amber and then solid green; then release the Mode button.
  o Step 5. The boot loader switch: prompt appears in the terminal emulation software on the PC.

▪ The boot loader command line supports commands to format the flash file system, reinstall the operating system software, and recover a lost or forgotten password. For example, the dir command can be used to view a list of files within a specified directory.
Configure a Switch with Initial Settings: Switch Management Access
▪ To prepare a switch for remote management access, the switch must be configured with an IP address and a subnet mask.
  o To manage the switch from a remote network, the switch must be configured with a default gateway. This is very similar to configuring the IP address information on host devices.
  o In the figure, the switch virtual interface (SVI) on S1 should be assigned an IP address. The SVI is a virtual interface, not a physical port on the switch. A console cable is used to connect to a PC so that the switch can be initially configured.
Configure a Switch with Initial Settings: Switch SVI Configuration Example
▪ By default, the switch is configured to have its management controlled through VLAN 1. All ports are assigned to VLAN 1 by default. For security purposes, it is considered a best practice to use a VLAN other than VLAN 1 for the management VLAN.
▪ Step 1: Configure the Management Interface: From VLAN interface configuration mode, an IPv4 address and subnet mask are applied to the management SVI of the switch.
▪ Note:
  ▪ The SVI for VLAN 99 will not appear as "up/up" until VLAN 99 is created and there is a device connected to a switch port associated with VLAN 99.
  ▪ The switch may need to be configured for IPv6. For example, before you can configure IPv6 addressing on a Cisco Catalyst 2960 running IOS version 15.0, you will need to enter the global configuration command sdm prefer dual-ipv4-and-ipv6 default and then reload the switch.
Configure a Switch with Initial Settings: Switch SVI Configuration Example (Cont.)

Task                                               IOS Commands
Enter global configuration mode.                   S1# configure terminal
Enter interface configuration mode for the SVI.    S1(config)# interface vlan 99
Configure the management interface IPv4 address.   S1(config-if)# ip address 172.17.99.11 255.255.255.0
Configure the management interface IPv6 address.   S1(config-if)# ipv6 address 2001:db8:acad:99::1/64
Enable the management interface.                   S1(config-if)# no shutdown
Return to the privileged EXEC mode.                S1(config-if)# end
Save the running config to the startup config.     S1# copy running-config startup-config

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26
Configure a Switch with Initial Settings: Switch SVI Configuration Example (Cont.)
Step 2: Configure the Default Gateway
• The switch should be configured with a default gateway if it will be managed remotely from networks that are not directly connected.
• Note: Because it will receive its default gateway information from a router advertisement (RA) message, the switch does not require an IPv6 default gateway.

Task                                               IOS Commands
Enter global configuration mode.                   S1# configure terminal
Configure the default gateway for the switch.      S1(config)# ip default-gateway 172.17.99.1
Return to the privileged EXEC mode.                S1(config)# end
Save the running config to the startup config.     S1# copy running-config startup-config
Configure a Switch with Initial Settings: Switch SVI Configuration Example (Cont.)
▪ Step 3: Verify Configuration
▪ The show ip interface brief and show ipv6 interface brief commands are useful for determining the status of both physical and virtual interfaces. The output shown confirms that interface VLAN 99 has been configured with an IPv4 and IPv6 address.
▪ Note: An IP address applied to the SVI is only for remote management access to the switch; this does not allow the switch to route Layer 3 packets.
Lab – Basic Switch Configuration
▪ In this lab, you will complete the following objectives:
  1. Cable the Network (you install a network emulator) and Verify the Default Switch Configuration
  2. Configure Basic Network Device Settings
  3. Verify and Test Network Connectivity
  4. Manage the MAC Address Table
Configure Switch Ports: Duplex Communication
• Full-duplex communication increases bandwidth efficiency by allowing both ends of a connection to transmit and receive data simultaneously. This is also known as bidirectional communication and it requires microsegmentation.
• A microsegmented LAN is created when a switch port has only one device connected and is operating in full-duplex mode. There is no collision domain associated with a switch port operating in full-duplex mode.
• Unlike full-duplex communication, half-duplex communication is unidirectional. Half-duplex communication creates performance issues because data can flow in only one direction at a time, often resulting in collisions.
• Gigabit Ethernet and 10 Gb NICs require full-duplex connections to operate. In full-duplex mode, the collision detection circuit on the NIC is disabled. Full-duplex offers 100 percent efficiency in both directions (transmitting and receiving). This results in a doubling of the potential use of the stated bandwidth.
Configure Switch Ports: Configure Switch Ports at the Physical Layer
• Switch ports can be manually configured with specific duplex and speed settings. The respective interface configuration commands are duplex and speed.
• The default setting for both duplex and speed for switch ports on Cisco Catalyst 2960 and 3560 switches is auto. The 10/100/1000 ports operate in either half- or full-duplex mode when they are set to 10 or 100 Mbps and operate only in full-duplex mode when set to 1000 Mbps (1 Gbps).
• Autonegotiation is useful when the speed and duplex settings of the device connecting to the port are unknown or may change. When connecting to known devices such as servers, dedicated workstations, or network devices, a best practice is to manually set the speed and duplex settings.
• When troubleshooting switch port issues, it is important that the duplex and speed settings are checked.
Note: Mismatched settings for the duplex mode and speed of switch ports can cause connectivity issues. Autonegotiation failure creates mismatched settings.
All fiber-optic ports, such as 1000BASE-SX ports, operate only at one preset speed and are always full-duplex.
Configure Switch Ports: Configure Switch Ports at the Physical Layer (Cont.)

Task                                               IOS Commands
Enter global configuration mode.                   S1# configure terminal
Enter interface configuration mode.                S1(config)# interface FastEthernet 0/1
Configure the interface duplex.                    S1(config-if)# duplex full
Configure the interface speed.                     S1(config-if)# speed 100
Return to the privileged EXEC mode.                S1(config-if)# end
Save the running config to the startup config.     S1# copy running-config startup-config
Configure Switch Ports: Switch Verification Commands

Task                                               IOS Commands
Display interface status and configuration.        S1# show interfaces [interface-id]
Display current startup configuration.             S1# show startup-config
Display current running configuration.             S1# show running-config
Display information about flash file system.       S1# show flash
Display system hardware and software status.       S1# show version
Display history of commands entered.               S1# show history
Display IP information about an interface.         S1# show ip interface [interface-id]
                                                   OR S1# show ipv6 interface [interface-id]
Display the MAC address table.                     S1# show mac-address-table
                                                   OR S1# show mac address-table
Configure Switch Ports: Verify Switch Port Configuration
The show running-config command can be used to verify that the switch has been correctly configured. From the sample abbreviated output on S1, some important information is shown in the figure:
• Fast Ethernet 0/18 interface configured with the management VLAN 99
• VLAN 99 configured with an IPv4 address of 172.17.99.11 255.255.255.0
• Default gateway set to 172.17.99.1
Configure Switch Ports: Verify Switch Port Configuration (Cont.)
The show interfaces command is another commonly used command, which displays status and statistics information on the network interfaces of the switch. The show interfaces command is frequently used when configuring and monitoring network devices.

The first line of the output for the show interfaces fastEthernet 0/18 command indicates that the FastEthernet 0/18 interface is up/up, meaning that it is operational. Further down, the output shows that the duplex is full and the speed is 100 Mbps.
Configure Switch Ports: Network Access Layer Issues
The output from the show interfaces command is useful for detecting common media issues. One of the most important parts of this output is the display of the line and data link protocol status, as shown in the example.
The first parameter (FastEthernet0/18 is up) refers to the hardware layer and indicates whether the interface is receiving a carrier detect signal. The second parameter (line protocol is up) refers to the data link layer and indicates whether the data link layer protocol keepalives are being received.
Based on the output of the show interfaces command, possible problems can be fixed as follows:
• If the interface is up and the line protocol is down, a problem exists. There could be an encapsulation type mismatch, the interface on the other end could be error-disabled, or there could be a hardware problem.
• If the line protocol and the interface are both down, a cable is not attached, or some other interface problem exists. For example, in a back-to-back connection, the other end of the connection may be administratively down.
• If the interface is administratively down, it has been manually disabled (the shutdown command has been issued) in the active configuration.
Configure Switch Ports: Network Access Layer Issues (Cont.)
The show interfaces command output displays counters and statistics for the FastEthernet0/18 interface, as shown here:
(Figure: show interfaces FastEthernet0/18 output with counters and statistics)
Configure Switch Ports: Network Access Layer Issues (Cont.)
Some media errors are not severe enough to cause the circuit to fail but do cause network performance issues. The table explains some of these common errors which can be detected using the show interfaces command.

Error Type        Description
Input Errors      Total number of errors. It includes runts, giants, no buffer, CRC, frame, overrun, and ignored counts.
Runts             Packets that are discarded because they are smaller than the minimum packet size for the medium. For instance, any Ethernet packet that is less than 64 bytes is considered a runt.
Giants            Packets that are discarded because they exceed the maximum packet size for the medium. For example, any Ethernet packet that is greater than 1,518 bytes is considered a giant.
CRC               CRC errors are generated when the calculated checksum is not the same as the checksum received.
Output Errors     Sum of all errors that prevented the final transmission of datagrams out of the interface that is being examined.
Collisions        Number of messages retransmitted because of an Ethernet collision.
Late Collisions   A collision that occurs after 512 bits of the frame have been transmitted.
Configure Switch Ports: Interface Input and Output Errors
"Input errors" is the sum of all errors in datagrams that were received on the interface being examined. This includes runts, giants, CRC, no buffer, frame, overrun, and ignored counts. The reported input errors from the show interfaces command include the following:
• Runt Frames - Ethernet frames that are shorter than the 64-byte minimum allowed length are called runts. Malfunctioning NICs are the usual cause of excessive runt frames, but they can also be caused by collisions.
• Giants - Ethernet frames that are larger than the maximum allowed size are called giants.
• CRC errors - On Ethernet and serial interfaces, CRC errors usually indicate a media or cable error. Common causes include electrical interference, loose or damaged connections, or incorrect cabling. If you see many CRC errors, there is too much noise on the link and you should inspect the cable. You should also search for and eliminate noise sources.
Configure Switch Ports: Interface Input and Output Errors (Cont.)
"Output errors" is the sum of all errors that prevented the final transmission of datagrams out the interface that is being examined. The reported output errors from the show interfaces command include the following:
• Collisions - Collisions in half-duplex operations are normal. However, you should never see collisions on an interface configured for full-duplex communication.
• Late collisions - A late collision refers to a collision that occurs after 512 bits of the frame have been transmitted. Excessive cable lengths are the most common cause of late collisions. Another common cause is duplex misconfiguration.
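The status rules (up/down, down/down, administratively down), the error counters table and the input/output error bullets above all describe how to read show interfaces output by hand. The script below is an added example, not part of the slides or of Cisco's software: it parses a constructed show interfaces sample (the interface name and counter values are made up, only the layout follows IOS) and applies the same rules, flagging runts, giants, CRC errors, late collisions, and collisions on a port that reports full duplex (the duplex-mismatch symptom the Physical Layer slide warns about).

```python
import re

# Constructed sample in the layout of `show interfaces` on a Catalyst switch.
# Counter values are invented for this example.
SAMPLE_SHOW_INTERFACES = """\
FastEthernet0/18 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0025.83e6.4b12 (bia 0025.83e6.4b12)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
     2295197 packets input, 305539992 bytes, 0 no buffer
     Received 1925500 broadcasts (74 multicasts)
     12 runts, 3 giants, 0 throttles
     47 input errors, 32 CRC, 0 frame, 0 overrun, 0 ignored
     3594664 packets output, 436549843 bytes, 0 underruns
     8 output errors, 5 collisions, 1 interface resets
     0 babbles, 2 late collision, 0 deferred
"""

# Counter fields the slides discuss, with the regex that locates each in the output.
COUNTER_PATTERNS = {
    "runts": r"(\d+) runts",
    "giants": r"(\d+) giants",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "output_errors": r"(\d+) output errors",
    "collisions": r"output errors, (\d+) collisions",  # plain collisions, not "late collision"
    "late_collisions": r"(\d+) late collision",
}


def parse_show_interfaces(text):
    """Extract interface status, line protocol, duplex/speed and the error counters."""
    info = {}
    m = re.search(r"^(\S+) is (administratively down|up|down), line protocol is (up|down)",
                  text, re.M)
    if not m:
        raise ValueError("no interface status line found")
    info["interface"], info["status"], info["line_protocol"] = m.groups()
    m = re.search(r"^\s*(Full|Half|Auto)-duplex, ([^,]+),", text, re.M)
    if m:
        info["duplex"] = m.group(1).lower()
        info["speed"] = m.group(2)
    for name, pattern in COUNTER_PATTERNS.items():
        m = re.search(pattern, text)
        info[name] = int(m.group(1)) if m else 0
    return info


def diagnose(info):
    """Apply the slides' troubleshooting rules and return a list of findings."""
    findings = []
    status, proto = info["status"], info["line_protocol"]
    if status == "administratively down":
        findings.append("interface manually disabled with 'shutdown' in the active configuration")
    elif status == "up" and proto == "down":
        findings.append("up/down: encapsulation mismatch, far end error-disabled, or hardware problem")
    elif status == "down" and proto == "down":
        findings.append("down/down: cable not attached or far end administratively down")
    if info["runts"]:
        findings.append(f"{info['runts']} runts: frames under 64 bytes, check NIC or collisions")
    if info["giants"]:
        findings.append(f"{info['giants']} giants: frames over the maximum size")
    if info["crc"]:
        findings.append(f"{info['crc']} CRC errors: noise or cabling problem, inspect the cable")
    if info["collisions"] and info.get("duplex") == "full":
        findings.append(f"{info['collisions']} collisions on a full-duplex port: likely duplex mismatch")
    if info["late_collisions"]:
        findings.append(f"{info['late_collisions']} late collisions: excessive cable length or duplex misconfiguration")
    return findings


if __name__ == "__main__":
    parsed = parse_show_interfaces(SAMPLE_SHOW_INTERFACES)
    print(parsed["interface"], parsed["status"], parsed["line_protocol"])
    for finding in diagnose(parsed):
        print(" -", finding)
```

Run it against real output by pasting a show interfaces capture into the sample string; the status classification comes only from the first line, so a down/down interface with no counter lines still yields a single finding.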
1.3 Secure Remote Access
Secure Remote Access: Telnet Operation
Telnet uses TCP port 23. It is an older protocol that uses unsecure plaintext transmission of both the login authentication (username and password) and the data transmitted between the communicating devices.
A threat actor can monitor packets using Wireshark. For example, in the figure the threat actor captured the username admin and password ccna from a Telnet session.
Secure Remote Access: SSH Operation
Secure Shell (SSH) is a secure protocol that uses TCP port 22. It provides a secure (encrypted) management connection to a remote device. SSH should replace Telnet for management connections. SSH provides security for remote connections by providing strong encryption when a device is authenticated (username and password) and also for the transmitted data between the communicating devices.

The figure shows a Wireshark capture of an SSH session. The threat actor can track the session using the IP address of the administrator device. However, unlike Telnet, with SSH the username and password are encrypted.
Secure Remote Access: Verify the Switch Supports SSH
To enable SSH on a Catalyst 2960 switch, the switch must be using a version of the IOS software including cryptographic (encrypted) features and capabilities. Use the show version command on the switch to see which IOS the switch is currently running. An IOS filename that includes the combination "k9" supports cryptographic (encrypted) features and capabilities.

The example shows the output of the show version command.
Secure Remote Access: Configure SSH
Before configuring SSH, the switch must be minimally configured with a unique hostname and the correct network connectivity settings.
Step 1: Verify SSH support - Use the show ip ssh command to verify that the switch supports SSH. If the switch is not running an IOS that supports cryptographic features, this command is unrecognized.
Step 2: Configure the IP domain - Configure the IP domain name of the network using the ip domain-name domain-name global configuration mode command.
Step 3: Generate RSA key pairs - Generating an RSA key pair automatically enables SSH. Use the crypto key generate rsa global configuration mode command to enable the SSH server on the switch and generate an RSA key pair.
Note: To delete the RSA key pair, use the crypto key zeroize rsa global configuration mode command. After the RSA key pair is deleted, the SSH server is automatically disabled.
Step 4: Configure user authentication - The SSH server can authenticate users locally or using an authentication server. To use the local authentication method, create a username and password pair using the username username secret password global configuration mode command.
Step 5: Configure the vty lines - Enable the SSH protocol on the vty lines by using the transport input ssh line configuration mode command. Use the line vty global configuration mode command and then the login local line configuration mode command to require local authentication for SSH connections from the local username database.
Step 6: Enable SSH version 2 - By default, SSH supports both versions 1 and 2. When supporting both versions, this is shown in the show ip ssh output as supporting version 2. Enable SSH version 2 using the ip ssh version 2 global configuration command.
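The SVI configuration example (management VLAN other than VLAN 1, default gateway) and the six SSH steps above together describe the management-access settings a switch should end up with. The script below is an added example, not from the slides or from Cisco: it audits a saved running-config against those settings and reports what is missing. Both config excerpts are constructed for the example (the hostname, addresses, VLAN 99 and the admin/ccna credentials follow the slides; example.com is an assumed domain name), and the check that an image name containing "k9" has the cryptographic feature set mirrors the Verify the Switch Supports SSH slide.

```python
import re

# Constructed config of a switch still on the defaults the slides warn about:
# management on VLAN 1, no gateway, Telnet allowed on the vty lines, SSHv1 permitted.
WEAK_CONFIG = """\
hostname S1
!
interface Vlan1
 ip address 172.17.1.11 255.255.255.0
 no shutdown
!
line vty 0 15
 transport input all
 login
!
"""

# Constructed config following the slides' steps: SVI on VLAN 99, default gateway,
# domain name for the RSA key, local user, SSH-only vty lines, SSH version 2.
HARDENED_CONFIG = """\
hostname S1
ip domain-name example.com
ip ssh version 2
username admin secret ccna
!
interface Vlan99
 ip address 172.17.99.11 255.255.255.0
 ipv6 address 2001:db8:acad:99::1/64
 no shutdown
!
ip default-gateway 172.17.99.1
!
line vty 0 15
 transport input ssh
 login local
!
"""


def parse_sections(config):
    """Return the unindented (global) lines and a dict of indented bodies keyed by header."""
    global_lines, sections, current = [], {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None            # '!' separates config sections in IOS
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
            global_lines.append(current)
    return global_lines, sections


def image_supports_crypto(image_name):
    """Per the slides, an IOS image whose name contains 'k9' has the crypto feature set."""
    return "k9" in image_name.lower()


def audit_config(config):
    """List management-access findings; an empty list means all slide settings are present."""
    global_lines, sections = parse_sections(config)
    findings = []
    mgmt_svis = [h for h, body in sections.items()
                 if re.match(r"interface Vlan\d+$", h, re.I)
                 and any(l.startswith("ip address") for l in body)]
    if not mgmt_svis:
        findings.append("no SVI with an IP address: switch cannot be managed remotely")
    if any(h.lower() == "interface vlan1" for h in mgmt_svis):
        findings.append("management SVI is on VLAN 1: use a dedicated management VLAN")
    if not any(l.startswith("ip default-gateway") for l in global_lines):
        findings.append("no ip default-gateway: cannot be managed from remote networks")
    if not any(l.startswith("ip domain-name") for l in global_lines):
        findings.append("no ip domain-name: required before crypto key generate rsa")
    if not any(l.startswith("username ") and " secret " in l for l in global_lines):
        findings.append("no local username/secret for login local")
    if "ip ssh version 2" not in global_lines:
        findings.append("SSH version 2 not enforced (ip ssh version 2 missing)")
    for header, body in sections.items():
        if header.startswith("line vty"):
            if "transport input ssh" not in body:
                findings.append(f"{header}: transport input not restricted to ssh")
            if "login local" not in body:
                findings.append(f"{header}: login local missing, local user database not used")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or "OK")
```

Feed it the text of show running-config saved from a switch; the RSA key pair itself does not appear in the running-config, so step 3 is verified on the device with show ip ssh rather than by this audit.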
Secure Remote Access: Verify SSH is Operational
On a PC, an SSH client such as PuTTY is used to connect to an SSH server. For example, assume the following is configured:
• SSH is enabled on switch S1
• Interface VLAN 99 (SVI) with IPv4 address 172.17.99.11 on switch S1
• PC1 with IPv4 address 172.17.99.21
Using a terminal emulator, initiate an SSH connection to the SVI VLAN IPv4 address of S1 from PC1.
When connected, the user is prompted for a username and password as shown in the example. Using the configuration from the previous example, the username admin and password ccna are entered. After entering the correct combination, the user is connected via SSH to the command line interface (CLI) on the Catalyst 2960 switch.
Secure Remote Access: Verify SSH is Operational (Cont.)
To display the version and configuration data for SSH on the device that you configured as an SSH server, use the show ip ssh command. In the example, SSH version 2 is enabled.
Secure Remote Access: Packet Tracer – Configure SSH
In this Packet Tracer, you will do the following:
• Secure passwords
• Encrypt communications
• Verify SSH implementation