mod-1-CCNA v7-SRWE - Module 1 Basic Device Switching Configuration
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 3
Configure a Switch with Initial Settings
Switch Boot Sequence
After a Cisco switch is powered on, it goes through the following five-step boot
sequence:
Step 1: First, the switch loads a power-on self-test (POST) program stored in ROM. POST checks
the CPU subsystem. It tests the CPU, DRAM, and the portion of the flash device that makes up
the flash file system.
Step 2: Next, the switch loads the boot loader software. The boot loader is a small program
stored in ROM that is run immediately after POST successfully completes.
Step 3: The boot loader performs low-level CPU initialization. It initializes the CPU registers,
which control where physical memory is mapped, the quantity of memory, and its speed.
Step 4: The boot loader initializes the flash file system on the system board.
Step 5: Finally, the boot loader locates and loads a default IOS operating system software image
into memory and gives control of the switch over to the IOS.
The boot system Command
• The switch attempts to automatically boot by using information in the BOOT environment variable. If this
variable is not set, the switch attempts to load and execute the first executable file it can find.
• The IOS operating system then initializes the interfaces using the Cisco IOS commands found in the
startup-config file. The startup-config file is called config.text and is located in flash.
• In the example, the BOOT environment variable is set using the boot system global configuration mode
command. Notice that the IOS is located in a distinct folder and the folder path is specified. Use the
command show boot to see what the current IOS boot file is set to.
Mode button: used to move between the different modes (STAT, DUPLX, SPEED, and PoE).
Recovering from a System Crash
The boot loader provides access into the switch if the operating system cannot be used because of missing or
damaged system files. The boot loader has a command line that provides access to the files stored in flash
memory. The boot loader can be accessed through a console connection following these steps:
Step 1. Connect a PC by console cable to the switch console port. Configure terminal emulation software to
connect to the switch.
Step 2. Unplug the switch power cord.
Step 3. Reconnect the power cord to the switch and, within 15 seconds, press and hold down
the Mode button while the System LED is still flashing green.
Step 4. Continue pressing the Mode button until the System LED turns briefly amber and then solid green;
then release the Mode button.
Step 5. The boot loader switch: prompt appears in the terminal emulation software on the PC.
The boot loader command line supports commands to format the flash file system, reinstall the operating
system software, and recover a lost or forgotten password. For example, the dir command can be used to
view a list of files within a specified directory.
Switch Management Access
To prepare a switch for remote management access, the switch must be configured with an IP address and a subnet mask.
• To manage the switch from a remote network, the switch must be configured with a default gateway. This is very similar to configuring the IP address information on host devices.
• In the figure, the switch virtual interface (SVI) on S1 should be assigned an IP address. The SVI is a virtual interface, not a physical port on the switch. A console cable is used to connect to a PC so that the switch can be initially configured.
Switch SVI Configuration Example (Cont.)
Task IOS Commands
Enter interface configuration mode for the SVI. S1(config)# interface vlan 99
Configure the management interface IPv4 address. S1(config-if)# ip address 172.17.99.11 255.255.255.0
Configure the management interface IPv6 address. S1(config-if)# ipv6 address 2001:db8:acad:99::1/64
Enable the management interface. S1(config-if)# no shutdown
Save the running config to the startup config. S1# copy running-config startup-config
Switch SVI Configuration Example (Cont.)
Step 2: Configure the Default Gateway
• The switch should be configured with a default gateway if it will be managed remotely from
networks that are not directly connected.
• Note: Because it will receive its default gateway information from a router advertisement (RA) message, the switch does not require an IPv6 default gateway.
Task IOS Commands
Configure the default gateway for the switch. S1(config)# ip default-gateway 172.17.99.1
Save the running config to the startup config. S1# copy running-config startup-config
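As an added example (not from the course material), a Python helper that assembles the SVI and default-gateway commands from the two tables above and, before emitting them, checks that the gateway is a different host inside the management subnet; the function name is my own, and the values used are the ones from the tables.

```python
import ipaddress

def build_svi_config(vlan_id, ipv4_cidr, gateway, ipv6_cidr=None):
    """Return the IOS commands for the management SVI and default gateway.

    ipv4_cidr -- SVI address in prefix form, e.g. '172.17.99.11/24'
    gateway   -- IPv4 default gateway; must be another host in the same subnet
    ipv6_cidr -- optional IPv6 address; no IPv6 gateway is emitted because the
                 switch learns it from router advertisements
    """
    iface = ipaddress.IPv4Interface(ipv4_cidr)
    gw = ipaddress.IPv4Address(gateway)
    net = iface.network  # host bits stripped, e.g. 172.17.99.0/24
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    if gw not in net:
        raise ValueError(f"gateway {gw} is not in management subnet {net}")
    if gw == iface.ip:
        raise ValueError("gateway must not be the SVI address itself")
    cmds = [f"interface vlan {vlan_id}",
            f" ip address {iface.ip} {net.netmask}"]  # dotted mask derived from the prefix
    if ipv6_cidr:
        cmds.append(f" ipv6 address {ipaddress.IPv6Interface(ipv6_cidr).with_prefixlen}")
    cmds += [" no shutdown", "exit", f"ip default-gateway {gw}"]
    return cmds
```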
Switch SVI Configuration Example (Cont.)
Step 3: Verify Configuration
• The show ip interface brief and show ipv6 interface brief commands are useful for
determining the status of both physical and virtual interfaces. The output shown confirms that
interface VLAN 99 has been configured with an IPv4 and IPv6 address.
Note: An IP address applied to the SVI is only for remote management access to the switch; this
does not allow the switch to route Layer 3 packets.
1.2 Configure Switch Ports
Configure Switch Ports
Duplex Communication
• Full-duplex communication increases bandwidth efficiency by allowing both ends of a
connection to transmit and receive data simultaneously. This is also known as bidirectional
communication and it requires microsegmentation.
• A microsegmented LAN is created when a switch port has only one device connected and is
operating in full-duplex mode. There is no collision domain associated with a switch port
operating in full-duplex mode.
• Unlike full-duplex communication, half-duplex communication is unidirectional. Half-duplex
communication creates performance issues because data can flow in only one direction at a
time, often resulting in collisions.
• Gigabit Ethernet and 10 Gb NICs require full-duplex connections to operate. In full-duplex
mode, the collision detection circuit on the NIC is disabled. Full-duplex offers 100 percent
efficiency in both directions (transmitting and receiving). This results in a doubling of the
potential use of the stated bandwidth.
Configure Switch Ports at the Physical Layer (Cont.)
Save the running config to the startup config. S1# copy running-config startup-config
Auto-MDIX
• When automatic medium-dependent interface crossover (auto-MDIX) is enabled, the switch
interface automatically detects the required cable connection type (straight-through or crossover)
and configures the connection appropriately.
• When connecting to switches without the auto-MDIX feature, straight-through cables must be used
to connect to devices such as servers, workstations, or routers. Crossover cables must be used to
connect to other switches or repeaters.
• With auto-MDIX enabled, either type of cable can be used to connect to other devices, and the
interface automatically adjusts to communicate successfully.
• On newer Cisco switches, the mdix auto interface configuration mode command enables the feature.
When using auto-MDIX on an interface, the interface speed and duplex must be set to auto so that
the feature operates correctly.
Note: The auto-MDIX feature is enabled by default on Catalyst 2960 and Catalyst 3560 switches but is
not available on the older Catalyst 2950 and Catalyst 3550 switches.
To examine the auto-MDIX setting for a specific interface, use the show controllers ethernet-controller command with the phy keyword. To limit the output to lines referencing auto-MDIX, use the include Auto-MDIX filter.
Switch Verification Commands
The first line of the output for the show interfaces fastEthernet 0/18 command indicates that the
FastEthernet 0/18 interface is up/up, meaning that it is operational. Further down, the output shows that the
duplex is full and the speed is 100 Mbps.
Network Access Layer Issues (Cont.)
The show interfaces command output displays counters and statistics for the FastEthernet0/18 interface, as shown here:
Network Access Layer Issues (Cont.)
Some media errors are not severe enough to cause the circuit to fail but do cause network
performance issues. The table explains some of these common errors which can be detected using
the show interfaces command.
Error Type Description
Input Errors Total number of errors. It includes runts, giants, no buffer, CRC, frame, overrun, and ignored counts.
Runts Packets that are discarded because they are smaller than the minimum packet size for the medium. For instance, any Ethernet packet that is less than 64 bytes is considered a runt.
Giants Packets that are discarded because they exceed the maximum packet size for the medium. For example, any Ethernet packet that is greater than 1,518 bytes is considered a giant.
CRC CRC errors are generated when the calculated checksum is not the same as the checksum received.
Output Errors Sum of all errors that prevented the final transmission of datagrams out of the interface that is being examined.
Late Collisions A collision that occurs after 512 bits of the frame have been transmitted.
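Added example, not part of the course material: a Python parser that pulls the counters from this table out of a constructed show interfaces block and turns the non-zero ones into findings. The sample output and its counter values are invented, and the duplex-mismatch hint attached to late collisions is the one interpretation added beyond what the table states.

```python
import re

# Constructed 'show interfaces FastEthernet0/18' output (not a real capture); counters are invented.
SAMPLE_OUTPUT = """\
FastEthernet0/18 is up, line protocol is up (connected)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
     2295197 packets input, 305539992 bytes, 0 no buffer
     0 runts, 2 giants, 0 throttles
     5 input errors, 3 CRC, 0 frame, 0 overrun, 0 ignored
     3594664 packets output, 436549843 bytes, 0 underruns
     8 output errors, 1790 collisions, 10 interface resets
     0 babbles, 8 late collision, 0 deferred
"""

COUNTERS = {  # counter name -> regex for its field in show interfaces output
    "input_errors": r"(\d+) input errors", "runts": r"(\d+) runts",
    "giants": r"(\d+) giants", "crc": r"(\d+) CRC",
    "output_errors": r"(\d+) output errors", "late_collisions": r"(\d+) late collision",
}

def parse_interface(text):
    """Return name, status, line protocol, duplex and error counters as a dict."""
    head = re.match(r"(\S+) is (\S+), line protocol is (\S+)", text)
    if not head:
        raise ValueError("not a show interfaces block")
    info = {"name": head.group(1), "status": head.group(2), "protocol": head.group(3)}
    dup = re.search(r"(Full|Half)-duplex", text)
    info["duplex"] = dup.group(1).lower() if dup else None
    for key, pattern in COUNTERS.items():
        m = re.search(pattern, text)
        info[key] = int(m.group(1)) if m else 0
    return info

def triage(info):
    """Turn non-zero error counters into plain-language findings."""
    findings = []
    if info["runts"]:
        findings.append(f"{info['runts']} runts: frames under 64 bytes discarded")
    if info["giants"]:
        findings.append(f"{info['giants']} giants: frames over 1518 bytes discarded")
    if info["crc"]:
        findings.append(f"{info['crc']} CRC errors: received checksum did not match (often cabling or noise)")
    if info["late_collisions"]:
        msg = f"{info['late_collisions']} late collisions (after 512 bits of the frame)"
        if info["duplex"] == "full":  # collision detection is off in full duplex, so check the far end
            msg += "; on a full-duplex port this usually indicates a duplex mismatch with the far end"
        findings.append(msg)
    if info["output_errors"]:
        findings.append(f"{info['output_errors']} output errors: frames failed to transmit")
    return findings
```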
1.3 Secure Remote Access
Secure Remote Access
Telnet Operation
Telnet uses TCP port 23. It is an older protocol that uses unsecure plaintext transmission of both the login authentication (username and password) and the data transmitted between the communicating devices.
A threat actor can monitor packets using Wireshark. For example, in the figure the threat actor captured the username admin and password ccna from a Telnet session.
SSH Operation
Secure Shell (SSH) is a secure protocol that uses TCP port 22. It provides a secure (encrypted) management connection to a remote device. SSH should replace Telnet for management connections. SSH provides security for remote connections by providing strong encryption when a device is authenticated (username and password) and also for the transmitted data between the communicating devices.
Note: To delete the RSA key pair, use the crypto key zeroize rsa global configuration
mode command. After the RSA key pair is deleted, the SSH server is automatically
disabled.
Step 4: Configure user authentication - The SSH server can authenticate users locally or using an authentication server. To use the local
authentication method, create a username and password pair using the username username secret password global configuration
mode command.
Step 5: Configure the vty lines - Enable the SSH protocol on the vty lines by using the transport input ssh line configuration mode
command. Use the line vty global configuration mode command and then the login local line configuration mode command to require
local authentication for SSH connections from the local username database.
Step 6: Enable SSH version 2 - By default, SSH supports both versions 1 and 2. When supporting both versions, this is shown in
the show ip ssh output as supporting version 2. Enable SSH version 2 using the ip ssh version 2 global configuration command.
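Added example, not part of the course material: a Python audit over a constructed running-config excerpt that checks steps 4 to 6 above (a local username with a secret, ip ssh version 2, and transport input ssh plus login local on every vty range). The sample has one hardened vty range and one that still accepts Telnet, and the secret hash is a placeholder.

```python
import re

# Constructed running-config excerpt (not from the page): vty 0 4 follows steps 4-6,
# vty 5 15 still permits Telnet and uses the line password. The hash is a placeholder.
SAMPLE_CONFIG = """\
hostname S1
username admin secret 9 PLACEHOLDER_HASH
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 transport input telnet ssh
 login
"""

def vty_sections(config):
    """Yield (header, [sub-commands]) for each 'line vty' block in the config."""
    header, body = None, []
    for raw in config.splitlines():
        if raw.startswith(" ") and header:
            body.append(raw.strip())          # indented line belongs to the open vty block
        else:
            if header:
                yield header, body
            header, body = (raw if raw.startswith("line vty") else None), []
    if header:
        yield header, body

def audit_ssh(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not re.search(r"^username \S+ secret ", config, re.M):
        findings.append("no 'username ... secret' local account for login local")
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("'ip ssh version 2' missing: SSH version 1 still accepted")
    for header, body in vty_sections(config):
        transport = next((c for c in body if c.startswith("transport input")), None)
        if transport != "transport input ssh":   # anything else (telnet, all, none) is a finding
            findings.append(f"{header}: expected 'transport input ssh', found {transport!r}")
        if "login local" not in body:
            findings.append(f"{header}: 'login local' missing, SSH logins not checked against local users")
    return findings
```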
Verify SSH is Operational
On a PC, an SSH client such as PuTTY is used to connect to an SSH server. For example, assume the following is
configured:
• SSH is enabled on switch S1
• Interface VLAN 99 (SVI) with IPv4 address 172.17.99.11 on switch S1
• PC1 with IPv4 address 172.17.99.21
Using a terminal emulator, initiate an SSH connection to the SVI VLAN IPv4 address of S1 from PC1.
When connected, the user is prompted for a username and password as shown in the example. Using the
configuration from the previous example, the username admin and password ccna are entered. After entering the
correct combination, the user is connected via SSH to the command line interface (CLI) on the Catalyst 2960 switch.
Verify SSH is Operational (Cont.)
To display the version and configuration data for SSH on the device that you configured as an SSH server, use
the show ip ssh command. In the example, SSH version 2 is enabled.
1.4 Basic Router Configuration
Basic Router Configuration
Configure Basic Router Settings
Cisco routers and Cisco switches have many similarities. They support a similar modal operating system, similar
command structures, and many of the same commands. In addition, both devices have similar initial
configuration steps. For example, the following configuration tasks should always be performed: name the
device to distinguish it from other routers and configure passwords, as shown in the example.
Configure Basic Router Settings (Cont.)
Configure a banner to provide legal notification of unauthorized access, as shown in the example.
Verify Directly Connected Networks
Interface Verification Commands
There are several show commands that can be used to verify the operation and configuration of
an interface.
The following commands are especially useful to quickly identify the status of an interface:
• show ip interface brief and show ipv6 interface brief - These display a summary for all
interfaces including the IPv4 or IPv6 address of the interface and current operational status.
• show running-config interface interface-id - This displays the commands applied to the
specified interface.
• show ip route and show ipv6 route - These display the contents of the IPv4 or IPv6 routing
table stored in RAM. In Cisco IOS 15, active interfaces should appear in the routing table with
two related entries identified by the code ‘C’ (Connected) or ‘L’ (Local). In previous IOS
versions, only a single entry with the code ‘C’ will appear.
Verify Interface Status
The output of the show ip interface brief and show ipv6 interface brief commands can be used to quickly reveal the
status of all interfaces on the router. You can verify that the interfaces are active and operational as indicated by the
Status of “up” and Protocol of “up”, as shown in the example. A different output would indicate a problem with either
the configuration or the cabling.
Verify IPv6 Link Local and Multicast Addresses
The output of the show ipv6 interface brief command displays two configured IPv6 addresses per interface. One address is the IPv6 global unicast address that was manually entered. The other address, which begins with FE80, is the link-local unicast address for the interface. A link-local address is automatically added to an interface whenever a global unicast address is assigned. An IPv6 network interface is required to have a link-local address, but not necessarily a global unicast address.
The show ipv6 interface gigabitethernet 0/0/0 command displays the interface status and all of the IPv6 addresses belonging to the interface. Along with the link-local address and global unicast address, the output includes the multicast addresses assigned to the interface, beginning with prefix FF02, as shown in the example.
Verify Routes
The output of the show ip route and show ipv6 route commands reveals the three directly connected network entries and the three local host route interface entries, as shown in the example.