
PT Activity 2.5.1: Basic Switch Configuration (Instructor version)


Topology
NOTE TO USER: This activity is a variation of Lab 2.5.1. Packet Tracer may not support all the tasks specified in the hands-on lab. This activity should not be considered equivalent to completing the hands-on lab. Packet Tracer is not a substitute for a hands-on lab experience with real equipment.
Addressing Table
Device  Interface  IP Address     Subnet Mask    Default Gateway
PC1     NIC        172.17.99.21   255.255.255.0  172.17.99.1
PC2     NIC        172.17.99.22   255.255.255.0  172.17.99.1
S1      VLAN99     172.17.99.11   255.255.255.0  172.17.99.1
Learning Objectives
- Clear an existing configuration on a switch.
- Verify the default switch configuration.
- Create a basic switch configuration.
- Manage the MAC address table.
- Configure port security.
Introduction
In this activity, you will examine and configure a standalone LAN switch. Although a switch performs basic functions in its default out-of-the-box condition, there are a number of parameters that a network administrator should modify to ensure a secure and optimized LAN. This activity introduces you to the basics of switch configuration.
All contents are Copyright © 2007-2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
CCNA Exploration
LAN Switching and Wireless: Basic Switch Concepts and Configuration    PT Activity 2.5.1: Basic Switch Configuration
Task 1: Clear an Existing Configuration on a Switch
Step 1. Enter privileged EXEC mode by typing the enable command.
Click S1 and then the CLI tab. Issue the enable command to enter the privileged EXEC mode.
Switch>enable
Switch#
Step 2. Remove the VLAN database information file.
VLAN database information is stored separately from the configuration files in vlan.dat in flash. To remove the VLAN file, issue the delete flash:vlan.dat command.
Switch#delete flash:vlan.dat
Delete filename [vlan.dat]? [Enter]
Delete flash:vlan.dat? [confirm] [Enter]
Step 3. Remove the switch startup configuration file from NVRAM.
Switch#erase startup-config
Erasing the nvram filesystem will remove all configuration files! Continue?
[confirm] [Enter]
[OK]
Erase of nvram: complete
Step 4. Verify the VLAN information was deleted.
Verify that the VLAN configuration was deleted using the show vlan command.
Switch#show vlan brief
VLAN Name                           Status    Ports
---- ------------------------------ --------- -----------------------------
1    default                        active    Fa0/1, Fa0/2, Fa0/3, Fa0/4
                                              Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                              Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                              Fa0/13, Fa0/14, Fa0/15, Fa0/16
                                              Fa0/17, Fa0/18, Fa0/19, Fa0/20
                                              Fa0/21, Fa0/22, Fa0/23, Fa0/24
10   VLAN10                         active
30   VLAN30                         active
1002 fddi-default                   active
1002 fddi-default                   active
1003 token-ring-default             active
1004 fddinet-default                active
1005 trnet-default                  active
The VLAN information is still on the switch. Follow the next step to clear it.
Step 5. Reload the switch.
At the privileged EXEC mode prompt, enter the reload command to begin the process.
Switch#reload
Proceed with reload? [confirm] [Enter]
%SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
<output omitted>
Press RETURN to get started! [Enter]
Switch>
Task 2: Verify the Default Switch Configuration
Step 1. Enter privileged mode.
You can access all the switch commands in privileged mode. However, because many of the privileged commands configure operating parameters, privileged access should be password-protected to prevent unauthorized use. The privileged command set includes those commands contained in user EXEC mode, as well as the configure command through which access to the remaining command modes is gained.
Switch>enable
Switch#
Notice that the prompt changed in the configuration to reflect privileged EXEC mode.
Step 2. Examine the current switch configuration.
a. Examine the current running configuration by issuing the show running-config command.
   1. How many Fast Ethernet interfaces does the switch have? __________ 24
   2. How many Gigabit Ethernet interfaces does the switch have? __________ 2
   3. What is the range of values shown for the vty lines? __________ 0-4; 5-15
b. Examine the current contents of NVRAM by issuing the show startup-config command.
   1. Why does the switch give this response? __________
      No configuration has been saved to NVRAM yet. If the switch has been configured and not erased, the startup configuration will be shown. A switch fresh out of the box would not have been pre-configured.
c. Examine the characteristics of the virtual interface VLAN1 by issuing the command show interface vlan1.
   1. Is there an IP address set on the switch? __________ no
   2. What is the MAC address of this virtual switch interface? __________ varies
   3. Is this interface up? __________ administratively down, protocol down
d. Now view the IP properties of the interface using the show ip interface vlan1.
   1. What output do you see? __________
      Vlan1 is administratively down, line protocol is down
      Internet protocol processing disabled
Step 3. Display Cisco IOS information.
a. Display Cisco IOS information using the show version command.
   1. What is the Cisco IOS version that the switch is running? __________ 12.2(25)SEE3 (may vary)
   2. What is the system image filename? __________ C2960-LANBASE-M (may vary)
   3. What is the base MAC address of this switch? __________ varies
Step 4. Examine the Fast Ethernet interfaces.
a. Examine the default properties of the Fast Ethernet interface used by PC1 using the show interface fastethernet 0/18 command.
Switch#show interface fastethernet 0/18
FastEthernet0/18 is up, line protocol is up (connected)
  Hardware is Lance, address is 0060.5c36.4412 (bia 0060.5c36.4412)
  MTU 1500 bytes, BW 100000 Kbit, DLY 1000 usec,
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
<Output Omitted>
   1. Is the interface up or down? __________ Should be up unless there is a cabling problem
   2. What event would make an interface go up? __________ connecting a host or other device
   3. What is the MAC address of the interface? __________ varies
   4. What is the speed and duplex setting of the interface? __________ Full-duplex, 100Mb/s
Step 5. Examine VLAN information.
a. Examine the default VLAN settings of the switch using the show vlan command.
   1. What is the name of VLAN 1? __________ default
   2. Which ports are in this VLAN? __________ all ports; Fa0/1 - Fa0/24; Gig1/1, Gig1/2
   3. Is VLAN 1 active? __________ yes
   4. What type of VLAN is the default VLAN? __________ enet (Ethernet)
Step 6. Examine flash memory.
a. There are two commands to examine flash memory, dir flash: or show flash. Issue either one of the commands to examine the contents of the flash directory.
   1. Which files or directories are found? __________
      c2960-lanbase-mz.122-25.FX.bin
Step 7. Examine and save the startup configuration file.
Earlier in step 2 you saw that the startup configuration file did not exist. Make one configuration change to the switch and then save it. Type the following commands:
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#hostname S1
S1(config)#exit
S1#
To save the contents of the running configuration file to non-volatile RAM (NVRAM), issue the copy running-config startup-config command.
Switch#copy running-config startup-config
Destination filename [startup-config]? [enter]
Building configuration...
[OK]
Now display the contents of NVRAM. The current configuration has been written to NVRAM.
Task 3: Create a Basic Switch Configuration
Step 1. Assign a name to the switch.
Enter global configuration mode. Configuration mode allows you to manage the switch. Enter the configuration commands, one on each line. Notice that the command line prompt changes to reflect the current prompt and switch name. In the last step of the previous task, you configured the hostname. Here's a review of the commands used.
S1#configure terminal
S1(config)#hostname S1
S1(config)#exit
Step 2. Set the access passwords.
Enter config-line mode for the console. Set the login password to cisco. Also configure the vty lines 0 to 15 with the password cisco.
S1#configure terminal
S1(config)#line console 0
S1(config-line)#password cisco
S1(config-line)#login
S1(config-line)#line vty 0 15
S1(config-line)#password cisco
S1(config-line)#login
S1(config-line)#exit
S1(config)#
Why is the login command required? __________
Without the login command, the switch will not require that a password be entered.
Step 3. Set the command mode passwords.
Set the enable secret password to class.
S1(config)#enable secret class
Step 4. Configure the Layer 3 address of the switch.
Set the IP address of the switch to 172.17.99.11 with a subnet mask of 255.255.255.0 on the internal virtual interface VLAN 99. The VLAN must first be created on the switch before the address can be assigned.
S1(config)#vlan 99
S1(config-vlan)#exit
S1(config)#interface vlan99
S1(config-if)#ip address 172.17.99.11 255.255.255.0
S1(config-if)#no shutdown
S1(config-if)#exit
Step 5. Assign ports to the switch VLAN.
Assign Fast Ethernet 0/1, 0/8, and 0/18 to VLAN 99.
S1(config)#interface fa0/1
S1(config-if)#switchport access vlan 99
S1(config-if)#interface fa0/8
S1(config-if)#switchport access vlan 99
S1(config-if)#interface fa0/18
S1(config-if)#switchport access vlan 99
S1(config-if)#exit
Step 6. Set the switch default gateway.
S1 is a Layer 2 switch, so it makes forwarding decisions based on the Layer 2 header. If multiple networks are connected to a switch, you need to specify how the switch forwards the internetwork frames, because the path must be determined at Layer 3. This is done by specifying a default gateway address that points to a router or Layer 3 switch. Although this activity does not include an external IP gateway, assume that you will eventually connect the LAN to a router for external access. Assuming that the LAN interface on the router is 172.17.99.1, set the default gateway for the switch.
S1(config)#ip default-gateway 172.17.99.1
S1(config)#exit
Step 7. Verify the management LANs settings.
Verify the interface settings on VLAN 99 with the show interface vlan 99 command.
S1#show interface vlan 99
Vlan99 is up, line protocol is up
  Hardware is CPU Interface, address is 0060.47ac.1eb8 (bia 0060.47ac.1eb8)
  Internet address is 172.17.99.11/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 1000000 usec,
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 21:40:21, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
<Output Omitted>
What is the bandwidth on this interface? __________ BW 1000000 Kbit
What is the queuing strategy? __________ fifo
Step 8. Configure the IP address and default gateway for PC1.
Set the IP address of PC1 to 172.17.99.21, with a subnet mask of 255.255.255.0. Configure a default gateway of 172.17.99.11. Click PC1 and its Desktop tab then IP configuration to input the addressing parameters.
Step 9. Verify connectivity.
To verify the host and switch are correctly configured, ping the switch from PC1.
If the ping is not successful, troubleshoot the switch and host configuration. Note that it may take a couple of tries for the pings to succeed.
Step 10. Configure the port speed and duplex settings for a Fast Ethernet interface.
Configure the duplex and speed settings on Fast Ethernet 0/18. Use the end command to return to privileged EXEC mode when finished.
S1#configure terminal
S1(config)#interface fastethernet 0/18
S1(config-if)#speed 100
S1(config-if)#duplex full
S1(config-if)#end
The default on the Ethernet interface of the switch is auto-sensing, so it automatically negotiates optimal settings. You should set duplex and speed manually only if a port must operate at a certain speed and duplex mode. Manually configuring ports can lead to duplex mismatches, which can significantly degrade performance.
Notice how the link between PC1 and S1 went down. Remove the speed 100 and duplex full commands. Now verify the settings on the Fast Ethernet interface with the show interface fa0/18 command.
S1#show interface fastethernet 0/18
FastEthernet0/18 is up, line protocol is up (connected)
  Hardware is Lance, address is 0060.5c36.4412 (bia 0060.5c36.4412)
  MTU 1500 bytes, BW 100000 Kbit, DLY 1000 usec,
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
<Output omitted>
Step 11. Save the configuration.
You have completed the basic configuration of the switch. Now back up the running configuration file to NVRAM to ensure that the changes made will not be lost if the system is rebooted or loses power.
S1#copy running-config startup-config
Destination filename [startup-config]?[Enter]
Building configuration...
[OK]
S1#
Step 12. Examine the startup configuration file.
To see the configuration that is stored in NVRAM, issue the show startup-config command from privileged EXEC (enable mode).
Are all the changes that were entered recorded in the file?
Task 4: Managing the MAC Address Table
Step 1. Record the MAC addresses of the hosts.
Determine and record the Layer 2 (physical) addresses of the PC network interface cards using the following steps:
- Click the PC.
- Select the Desktop tab.
- Click Command Prompt.
- Type the ipconfig /all command.
Step 2. Determine the MAC addresses that the switch has learned.
Display the MAC addresses using the show mac-address-table command in privileged EXEC mode. If there are no MAC addresses, ping from PC1 to S1 then check again.
S1#show mac-address-table
Step 3. Clear the MAC address table.
To remove the existing MAC addresses, use the clear mac-address-table dynamic command from privileged EXEC mode.
S1#clear mac-address-table dynamic
Step 4. Verify the results.
Verify that the MAC address table was cleared.
S1#show mac-address-table
Step 5. Examine the MAC table again.
Look at the MAC address table again in privileged EXEC mode. The table has not changed; ping S1 from PC1 and check again.
Step 6. Set up a static MAC address.
To specify which ports a host can connect to, one option is to create a static mapping of the host MAC address to a port.
Set up a static MAC address on Fast Ethernet interface 0/18 using the address that was recorded for PC1 in Step 1 of this task, 0002.16E8.C285.
S1(config)#mac-address-table static 0002.16E8.C285 vlan 99 interface fastethernet 0/18
S1(config)#end
Step 7. Verify the results.
Verify the MAC address table entries.
S1#show mac-address-table
Step 8. Remove the static MAC entry.
Enter configuration mode and remove the static MAC by putting a no in front of the command string.
S1(config)#no mac-address-table static 0002.16E8.C285 vlan 99 interface fastethernet 0/18
S1(config)#end
Step 9. Verify the results.
Verify that the static MAC address has been cleared with the show mac-address-table static command.
Task 5: Configuring Port Security
Step 1. Configure a second host.
A second host is needed for this task. Set the IP address of PC2 to 172.17.99.22, with a subnet mask of 255.255.255.0 and a default gateway of 172.17.99.11. Do not connect this PC to the switch yet.
Step 2. Verify connectivity.
Verify that PC1 and the switch are still correctly configured by pinging the VLAN 99 IP address of the switch from the host. If the pings were not successful, troubleshoot the host and switch configurations.
Step 3. Determine which MAC addresses the switch has learned.
Display the learned MAC addresses using the show mac-address-table command in privileged EXEC mode.
Step 4. List the port security options.
Explore the options for setting port security on interface Fast Ethernet 0/18.
S1# configure terminal
S1(config)#interface fastethernet 0/18
S1(config-if)#switchport port-security ?
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
  <cr>
Step 5. Configure port security on an access port.
Configure switch port Fast Ethernet 0/18 to accept only two devices, to learn the MAC addresses of those devices dynamically, and to shut down the port if a violation occurs.
S1(config-if)#switchport mode access
S1(config-if)#switchport port-security
S1(config-if)#switchport port-security maximum 2
S1(config-if)#switchport port-security mac-address sticky
S1(config-if)#switchport port-security violation shutdown
S1(config-if)#exit
Step 6. Verify the results.
Show the port security settings with the show port-security interface fa0/18 command.
How many secure addresses are allowed on Fast Ethernet 0/18?
What is the security action for this port?
Step 7. Examine the running configuration file.
S1#show running-config
Are there statements listed that directly reflect the security implementation of the running configuration?
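The statements Step 7 asks about can be checked mechanically. The Python sketch below is an added example, not part of the original activity: it parses a constructed running-config excerpt for S1, reports the effective port-security settings per interface (applying the IOS defaults of maximum 1 and violation shutdown when those lines are absent from the output), and lists line blocks that carry a password without the login command discussed in Task 3. The sample text and all function names are assumptions made for illustration.

```python
import re

# Constructed running-config excerpt for S1 (illustrative, not captured from a device).
SAMPLE_CONFIG = """\
interface FastEthernet0/8
 switchport mode access
 switchport port-security mac-address sticky
!
interface FastEthernet0/18
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0002.16E8.C285
!
line con 0
 password cisco
line vty 0 4
 password cisco
 login
"""

def parse_blocks(config):
    """Group indented sub-commands under their 'interface' or 'line' header."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(("interface ", "line ")):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        else:
            current = None          # '!' or any other global line ends the block
    return blocks

def audit_port_security(config):
    """Return {interface: effective port-security settings}."""
    report = {}
    for header, cmds in parse_blocks(config).items():
        if not header.startswith("interface "):
            continue
        ps = [c[len("switchport port-security"):].strip()
              for c in cmds if c.startswith("switchport port-security")]
        s = {"enabled": "" in ps,        # only the bare command turns the feature on
             "maximum": 1,               # default, not shown in the running-config
             "violation": "shutdown",    # default, not shown in the running-config
             "sticky": "mac-address sticky" in ps,
             "learned": []}
        for p in ps:
            m = re.fullmatch(r"(maximum|violation|mac-address sticky) (\S+)", p)
            if not m:
                continue
            key, val = m.groups()
            if key == "maximum":
                s["maximum"] = int(val)
            elif key == "violation":
                s["violation"] = val
            else:
                s["learned"].append(val.lower())
        report[header.split(" ", 1)[1]] = s
    return report

def lines_without_login(config):
    """Line blocks with a password but no 'login', so the password is never requested."""
    return [h for h, cmds in parse_blocks(config).items()
            if h.startswith("line ") and "login" not in cmds
            and any(c.startswith("password ") for c in cmds)]
```

In the sample, Fa0/8 has sticky learning configured but lacks the bare switchport port-security command, so the audit reports the feature as not enabled on that port.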
Step 8. Modify the port security settings on a port.
On interface Fast Ethernet 0/18, change the port security maximum MAC address count to 1.
S1(config-if)#switchport port-security maximum 1
Step 9. Verify the results.
Show the port security settings with the show port-security interface fa0/18 command.
Have the port security settings changed to reflect the modifications in Step 8?
Ping the VLAN 99 address of the switch from PC1 to verify connectivity and to refresh the MAC address table.
Step 10. Introduce a rogue host.
Disconnect the PC attached to Fast Ethernet 0/18 from the switch. Connect PC2, which has been given the IP address 172.17.99.22, to port Fast Ethernet 0/18. Ping the VLAN 99 address 172.17.99.11 from the new host.
What happened when you tried to ping S1?
Note: Convergence may take up to a minute. Switch between Simulation and Realtime mode to accelerate convergence.
Step 11. Reactivate the port.
As long as the rogue host is attached to Fast Ethernet 0/18, no traffic can pass between the host and switch. Reconnect PC1 to Fast Ethernet 0/18, and enter the following commands on the switch to reactivate the port:
S1#configure terminal
S1(config)#interface fastethernet 0/18
S1(config-if)#no shutdown
S1(config-if)#end
Step 12. Verify connectivity.
After convergence, PC1 should be able to again ping S1.
Step 13. Check results.
Your completion percentage should be 100%. If not, click Check Results to see which required components are not yet completed.
