Ministry of Communications and Information Technology

Information Technology Institute


CCNA Switching

Advanced Networking
Lec 1
Today's Agenda

● Configuring SSH
● Interface configuration
● Erasing & backing up the configuration file
● Port Security
● CDP protocol
SSH “Secure Shell”
Password Encryption

Switch>enable
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#service password-encryption

● When this command is configured, all passwords in the configuration are encrypted.
● Any password set or changed in the future will also be encrypted.
● To disable this command use “no service password-encryption”.
● Type “sh run” again, what do you see??
Exec-timeout

● By default, the switch automatically disconnects users after 5 minutes of inactivity, for both console users and users who connect to vty lines using Telnet or SSH.
● When you configure the exec-timeout minutes seconds line subcommand, the switch can be told a different inactivity timer.
● Also, if you set the timeout to 0 minutes and 0 seconds, the switch never times out the console connection.
Show configuration

● Running config (stored in RAM)
  Switch#show running-config
  Switch#sh run
  Switch#sh run | include hostname
  Switch#sh run | begin line vty
● Startup config (stored in NVRAM)
  Switch#show startup-config
  Switch#show version
  Switch#show flash:
● “startup-config is not present” is shown if the switch has no config saved.
Banner

● A banner is simply some text that appears on the screen for the user.
● Sometimes used to give a security notice to anyone who telnets into the router or switch.
● Message of the day (MOTD) is the most extensively used banner. It gives a message to every person dialing into or connecting to the router via Telnet or a console port.
● Switch(config)#banner motd ?
  LINE c banner-text c, where ‘c’ is a delimiting character
Switch(config)#banner motd $ message $
Enter TEXT message. End with the character ‘$’.
History Buffer

Note:
Switch(config)#line console 0
Switch(config-line)#history size ?
Duplexing and Speed

Duplex Overview

Half Duplex (CSMA/CD)
● Unidirectional data flow
● Higher potential for collisions
● Hub connectivity

Full Duplex
● Point-to-point only
● Attached to a dedicated switch port
● Requires full duplex support on both ends
● Collision free
● Collision detect circuit disabled
The Interface Duplex Mode and Speed

Todd2950(config)#int fastEthernet 0/1
Todd2950(config-if)#duplex {auto | full | half}
Todd2950(config-if)#speed {10 | 100 | auto}
Todd2950(config-if)#mdix auto

● The duplex parameters are as follows:
  ● auto: sets auto negotiation of duplex mode
  ● full: sets full-duplex mode
  ● half: sets half-duplex mode
Show Interface Status
Configuring Interface Descriptions & Range

● You can administratively set a name for each interface on the switch, and as with the hostname, the descriptions are only locally significant.
● The interface range command applies a single command to a whole range of interfaces at once.

Todd2950(config)#int fastEthernet 0/1
Todd2950(config-if)#description Sales Printer
Todd(config-if)#interface range fastEthernet 0/2 - 10
Todd(config-if-range)#description Marketing vlan

● To show the configuration:
Todd#show interfaces status
Todd#show interfaces
Todd#show interface fastethernet 0/1
Mac Address Table

● All learned MAC addresses are saved in the MAC address table (CAM).
● The MAC address table is populated either by manual (static) configuration or by the switch learning the source address of an incoming frame (dynamic).
● To show the MAC address table:
Sw1#show mac-address-table
● A learned MAC address remains in the table by default for 300 seconds; this value can be configured:
Sw1(config)#mac address-table aging-time seconds
● To show the MAC address aging time:
Sw1#show mac address-table aging-time
● To configure a static MAC address:
Sw1(config)#mac-address-table static mac-address vlan vlan-id interface fastEthernet 0/1
LAN switch interface status
Erase Configuration file

● Switch# write erase
● Switch# erase startup-config
● Switch# erase nvram:

Another way to erase configuration files

● Hold the mode button while applying power; the switch then drops to the boot loader prompt and shows the available commands:
flash_init
load_helper
boot
● switch: flash_init
● switch: load_helper
● switch: dir flash:
2 -rwx c3500XL-c3hz-mz.120-5.wc5.bin
3 -rwx vlan.dat
4 drwx html
227 -rwx config.text
● The two files vlan.dat & config.text should be erased:
● switch: delete flash:config.text
● switch: delete flash:vlan.dat
● switch: dir flash:
● switch: reset
● switch: boot

##############################################
Continue with configuration dialog? [yes/no] no
Password recovery

● Hold the mode button and reboot the switch:
switch: flash_init
switch: load_helper
switch: rename flash:config.text flash:-----
switch: reset
● Setup mode? No

Switch#rename flash:----- flash:config.text
Switch#copy flash:config.text system:running-config
● Change the password
Switch#copy running-config startup-config


Syslog Logging

switch(config)#no logging console
switch(config)#logging 163.121.12.5

● To display the syslog messages at a centralized location, you can set up Kiwi Syslog, Cisco Syslog, or SolarWinds.
● logging address-of-host
Port Security

● The engineer can use port security to restrict an interface so that only the expected devices can use it.
● When an inappropriate device attempts to send frames to the switch interface, the switch can:
  ● Issue informational messages
  ● Discard frames from that device
  ● Shut down the interface.
Port Security Configuration

● You need to make the port an access port:
Switch(config-if)#switchport mode ?
  access   Set trunking mode to ACCESS unconditionally
  dynamic  Set trunking mode to dynamically negotiate access or trunk mode (Default)
  trunk    Set trunking mode to TRUNK unconditionally
● You then need to enable port security:
Switch(config-if)#switchport port-security
● Configure the actual MAC addresses of the devices allowed to use that port:
Switch(config-if)#switchport port-security mac-address mac-address
OR
Switch(config-if)#switchport port-security mac-address sticky
● Optional configuration:
Switch(config-if)#switchport port-security maximum number
Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}

Port Security Violation Actions

● An interface in err-disabled state requires that someone manually shut down the interface and then use the no shutdown command to recover the interface.
Switch#show port-security interface type number
Switch#show errdisable recovery
Switch(config)#errdisable recovery cause psecure-violation
Switch(config)#errdisable recovery interval timer_interval_in_seconds
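A complete port-security configuration for one access port, added here as an example and not taken from the slides; the hostname, the MAC addresses and the verification output are constructed for illustration.

```cisco
! Added example (not from the slides): secure one access port with sticky learning
Switch# configure terminal
Switch(config)# interface fastEthernet 0/1
Switch(config-if)# description Sales Printer
! port security is only accepted on a static access (or trunk) port, never on a dynamic one
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
! allow at most two MACs; learned ones are written into running-config as sticky entries
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security mac-address sticky
! restrict: drop offending frames, raise the violation counter and log, but keep the port up
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# exit
! for ports left on the default "shutdown" action, re-enable them automatically after 5 min
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! save, otherwise the sticky addresses are lost on reload
Switch# copy running-config startup-config

! Verification (constructed sample output, in the format of the real command)
Switch# show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0000.1111.2222:1
Security Violation Count   : 0

! What a violation looks like on the console or the syslog server (constructed sample)
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.3333.4444 on port FastEthernet0/1.
```

With violation restrict the Security Violation Count and the syslog message are the only signs of a rogue device, so the syslog line is what a central collector should alert on.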
CDP Information

● Device identifier: host name
● Address list: IP and MAC address
● Port identifier: interface used to discover the device
● Capabilities list: device type, router or switch
● Platform: OS level
CDP

● Cisco Discovery Protocol
● Cisco proprietary
● Discovers the basic configuration of neighbouring Cisco devices.
● Devices that support CDP listen to each other's advertisement messages.
CDP

● The CDP timer is how often CDP packets are transmitted out all active interfaces.
● The CDP hold time is the amount of time that the device will hold packets received from neighbor devices.
● switch#sh cdp
Global CDP information:
  Sending CDP packets every 60 seconds
  Sending a holdtime value of 180 seconds
  Sending CDPv2 advertisements is enabled
Use the global commands cdp holdtime and cdp timer to configure the CDP holdtime and timer on a router.
CDP

● Corp(config)#cdp holdtime ?
  <10-255>  Length of time (in sec) that receiver must keep this packet
● Corp(config)#cdp timer ?
  <5-254>  Rate at which CDP packets are sent (in sec)
● To turn off CDP on all switch interfaces:
Corp(config)#no cdp run
● To turn CDP off or on for a single interface:
Corp(config-if)#no cdp enable
CDP Configuration

Recommendations

● Disable the auto configuration
● Use the description command to label each interface on the switch
● Use Syslog to collect every event on the switch
● Use SSH; avoid using the Telnet protocol
● Require a username and password for user access
● Use port security on each connected interface
● Disable the CDP protocol on end-user interfaces

Switch Commands

show running-config: Shows the currently active configuration.
show startup-config: Shows the startup-config, which is used the next time the switch is reloaded.
show version: Lists information about the version of software in the switch.
show interface fastethernet 0/x: Displays the interface status for a physical 10/100 interface.
show interface vlan 1: Displays the IP address configuration.
show mac-address-table dynamic: Lists all dynamic entries in the MAC table.
hostname name: Sets the switch's hostname.
line con 0: Global command that places the user in console configuration mode.
line vty 0 15: Global command that places the user in vty configuration mode.
login: Console or vty configuration mode command that tells the switch to ask for a password for a console user or Telnet user, respectively.
password password: Console or vty configuration mode command that sets the password required.
enable secret password: Global command that sets the switch's enable password. The password is stored in a hashed format, meaning that someone reading the configuration file will not see the clear-text password.
enable password password: Global command that sets the switch's enable password. The enable secret password is used if both are configured.
interface vlan 1: Global command. Moves the user to interface configuration mode for a VLAN interface.
ip address address subnet-mask: Interface configuration mode command that sets the IP address for switch management.
ip default-gateway address: Global command that sets the default gateway so that the management interface can be reached from a remote network.
interface fastethernet 0/x: Puts the user into interface configuration mode for that interface.
Thank you
