CCNA Video: Switchport Security
Hi. Welcome to this CertificationKits CCNA training video on basic switch configuration. We are going to be talking about the commands used to configure the switch, switchport security, verifying connectivity (for example when people complain they can’t get on to the network), and troubleshooting poor connectivity.
Now I’ve brought up a diagram of a network I’ve loaded into my CCNA simulator. I have a center switch, which is a 2950 switch; the 2950 is the switch that the Cisco CCNA test revolves around. I’ve got four PCs connected to it: Palestra 1 is connected to port one, Palestra 2 to port two, Palestra 3 to port three and Palestra 4 to port four. I’m using the 192.168.1.0 network address with a /24 subnet mask. /24 is the bit-count (CIDR) notation for the subnet mask 255.255.255.0, and I’ve given the PCs the IP addresses .10, .20, .30 and .40. The switch IP is going to be .1, but I have not configured the switch IP yet. So let’s take a look at what we have to do on the switch to allow these machines to have connectivity with one another. I’ve set up the design in the CCNA simulator: a center switch, Switch1, and the four machines connected to the appropriate ports. I have not done any configuration on the switch whatsoever. It does have power and the cabling is connected. The four machines have been configured with their IP addresses, but nothing has been done to the center switch. I connect to the switch in the CCNA simulator and go from user mode to privileged mode by typing the enable command, and real quick I’m going to take a look at the initial configuration of the switch. show running-config lets me view how the switch is initially configured: the hostname is Switch, ip subnet-zero allows it to use the zero subnet, spanning tree we will be talking about later, and all 12 interfaces on the switch have no configuration underneath them.
We see a VTP domain, which again we will talk about later, and interface Vlan1, which is where we put our IP address; I will be going over that in a moment. The rest of the configuration for the switch is totally blank. Now, all I need to do to allow these machines to connect to each other is nothing. If I just leave the switch alone, plug power into it and hook the computers up to it, the switch will do its switching function and allow the machines to communicate. If I go to Palestra 1 and ping some of the other machines: ipconfig lets me view my IP address, that’s 192.168.1.10. I can ping 192.168.1.20 and I’ll get a response back, ping 192.168.1.30 and get a response back, ping 192.168.1.40 and get a response back. So I don’t have to do anything to the switch to get it to function; it’s not like a router, which needs to be configured before it will do anything useful. All the switch needs is power plugged into the back, and a lot of switches do not even have a power switch. You simply plug the power cord in the back, hook the machines up and it will function.
Now there is some initial or basic configuration we can do to test connectivity, and the first thing would be setting an IP address and maybe configuring a hostname. Let’s take a look at some of those commands. I’m at the switch here, and again I did a show running-config to view the current configuration. The first thing I might want to do is set a name for the switch. Right now it’s at the default name Switch, and I want to set it to something different, Switch1. Like I’ve said before, everything you view in the running configuration is a valid command. So all I have to do to change the hostname of the switch is go into global configuration mode and type hostname followed by the new name. I get to global mode by typing configure terminal, or the shortcut config t, and then I type hostname Switch1 and I have just changed the name of the switch from Switch to Switch1. After we change the name we might want to set an IP address. If I type show run (short for show running-config), interface Vlan1 is where we would set an IP address. Why would I want to set an IP address? Mainly so I can test connectivity and manage the switch remotely. I might be setting up Simple Network Management Protocol (SNMP) traps on the switch, which allow me to monitor it, or I might want to test connectivity by making sure I can ping the switch. For those things to function I need an IP address, and interface Vlan1 is where I put it. But what the heck is interface Vlan1? To know that, we need to know what a VLAN is.
Let’s take a brief overview of what a VLAN is before we come back and set this IP address. I’ve brought up the CCNA slide of the switch so we can talk about what a VLAN is. VLAN stands for Virtual LAN, and all it is is a broadcast domain. By default there is VLAN 1 on a Cisco switch and all ports are in VLAN 1, meaning all ports on the front of the switch, ports one through four in the slide, are in VLAN 1 by default; they are all in the same broadcast domain. So what effect does that have on the computers? If Palestra 1 sends a broadcast message, Palestra 2, 3 and 4 will all receive that broadcast. What we can do with these switches is chop them up and create more than one broadcast domain. I have the ability to go into the switch and create VLAN 2. Just because I’ve created VLAN 2, an additional broadcast domain, doesn’t mean anything is in it. If I wanted to, I could put ports one and two in VLAN 2, and ports three and four would be the only things left in VLAN 1. What effect would that have on the computers? Now that ports one and two are in VLAN 2, if Palestra 1 sends a broadcast message out, only Palestra 2 will receive it, and 3 and 4 will not, because the switch will not allow it. It’s almost like the switch is being cut in half: one and two can communicate, three and four can communicate, but one cannot communicate with three or four, because the switch will not let it. That’s what a VLAN does, and it allows us to fine-tune our broadcast domains for more efficient communication and to cut down on traffic in our network. The only thing that can go between those domains is a router. We would need a router if we wanted Palestra 1 to talk to Palestra 3.
We’ll be getting into inter-VLAN routing in later CCNA videos. For now, just remember that all ports on the switch, not just one through four but one through twelve on the Switch1 we are working on, are in VLAN 1. So the IP address of the switch is going to be on VLAN 1; that’s where that interface Vlan1 comes from. Let’s configure that IP now. I’ve gone back to Switch1 and I want to configure the IP address on interface Vlan1. Right now it says no ip address, so we can’t test connectivity to the switch by pinging it, we can’t set up management of the switch, and I can’t telnet into it, so we want to set an IP address now. All I have to do is go into global mode with config t, and, again, everything I see in the running config is a valid command, so the command I have to type is interface Vlan1, and then I set the IP address. Interface Vlan1, enter; now I’m in interface configuration mode for the switch. Say I forgot the command that sets the IP address. What can I do? I can look in the running configuration, which says no ip address, and that tells me that if I want to set an IP address I just type ip address. If I don’t remember what comes next, I type a space and a question mark and it says, in effect, “I want an IP address and this is the format I want it in: A.B.C.D,” meaning dotted decimal, so 192.168.1.1 is the IP address I’m setting. If I don’t know what comes next, another space and question mark says “I want the subnet mask, in dotted decimal format”: 255.255.255.0. I hit enter, then Ctrl-Z, then show run, and I see that interface Vlan1 now shows ip address 192.168.1.1 255.255.255.0 instead of no ip address.
So I’ve set the IP and the interface is up, and now I should be able to test connectivity between machines: I can ping those machines from the switch. That can be helpful when you are trying to figure out where connectivity in a network is breaking down. One thing before we test that. If I need to get outside of my broadcast domain, meaning the connectivity from the switch has to go through a router, I must also set a default gateway. The command that sets the gateway is a global configuration command, not an interface Vlan1 command: ip default-gateway, followed by the IP address of the router’s Ethernet interface closest to the switch. If there were a router out there at 192.168.1.254, that would be the gateway. With the proper gateway set, I could telnet to the switch from outside the broadcast domain I’m in.
Now let’s take a look at that connectivity. All I have to do to test connectivity is ping from the switch to any of the machines, or vice versa. A successful ping, a response to my pings, tells me that layers one, two and three of the OSI model are functioning: layer one being the cabling, power turned on and all the connections made properly; layer two being the Ethernet encapsulation; and layer three being the IP addressing. Once I’ve got the hostname and IP address set up right, I might want to lock my switch down a little bit, so that if somebody does try to connect to my device they are not going to get access without entering a password. The first thing I would do is type enable secret followed by the password. I wouldn’t necessarily use cisco; I’d use something harder for people to guess. I’ve typed enable secret cisco, and that’s the password that prevents anybody from getting from user mode to privileged mode. If I exit out to user mode (I type the disable command to go from privileged mode to user mode) and then type enable, I get hit with a password prompt. I didn’t get that before, and the reason I get it now is the enable secret cisco command. This is the same thing you would do on a router.
So the password I have to type in is cisco. If I type it correctly it takes me into privileged mode, and I know I’m in privileged mode because of that pound sign. There are a couple of other passwords I want to put in. I go to global mode with configure terminal and then into line console 0. This locks down the console port on the back of the switch that people use to connect to it. I type password cisco, enter, and then login; login is what turns on the password prompt. That way, if somebody plugs into the console on the back, even though they have physical access, they are going to have to enter a password. Then I go to line vty 0 15, type password cisco and again turn on the prompt with login. If anybody tries to telnet in, they hit that password. What line vty 0 15 means is that I can have up to 16 telnet sessions at one time, zero being the first and 15 being the last; zero through 15 is 16 possible telnet sessions going on at once. What this does is put the same password on every one of those telnet lines. If I wanted to, I could type line vty 0 4 and configure just five lines (0 through 4) with a particular password. I can also assign different exec privilege levels based on which password an admin enters when accessing the switch, so it allows me some flexibility there. Ctrl-Z, show run, and I can check out my passwords: there’s my enable secret, and down at the bottom I’ve got password cisco for line console 0 as well as for the telnet lines, line vty 0 15.
One more thing: service password-encryption. Right now the running config says no service password-encryption. If I type service password-encryption in global mode, it will encrypt these passwords. Otherwise, let’s say I walked away from the switch without logging out after a show run; somebody could come in behind me, read those passwords right off the screen, and have them available later on. Keeping them encrypted makes it a little more secure. Now, one thing about locking the switch down: if somebody has physical access to this thing, there is not much you can do, even though I have these passwords set up in my running configuration. The switch is using them now, and I’ll even save the running configuration to the startup configuration with copy running-config startup-config (copy run start), so if the switch were to be rebooted the passwords would still be there. But it is very easy to get around passwords if you have physical access. So keep your server room locked.
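Here is the whole basic configuration from the last several steps collected into one session, as an added example; it is not a capture from the video’s simulator. It uses the names and addresses from the video (Switch1, 192.168.1.1/24), assumes a router at 192.168.1.254 as the default gateway, and uses cisco as a placeholder password, which you would never do in production. One caveat a practitioner should know: service password-encryption applies a reversible type 7 obfuscation to the line passwords that any type 7 decoder undoes in seconds, so it only protects against someone reading show run over your shoulder; enable secret is stored as a one-way hash and is the password that actually resists recovery.

```cisco
! Added example: basic management configuration for a Catalyst 2950.
! Hostname, addresses and passwords follow the video; 192.168.1.254 is an
! assumed router address and "cisco" is a placeholder password.
Switch> enable
Switch# configure terminal
Switch(config)# hostname Switch1
! Gateway is a global command, not an interface command; needed only to
! reach or be reached from outside 192.168.1.0/24
Switch1(config)# ip default-gateway 192.168.1.254
Switch1(config)# interface Vlan1
Switch1(config-if)# ip address 192.168.1.1 255.255.255.0
Switch1(config-if)# no shutdown
Switch1(config-if)# exit
! Privileged-mode password, stored as a one-way hash in show run
Switch1(config)# enable secret cisco
! Console and telnet lines: "login" is what actually turns the prompt on;
! a "password" line without "login" prompts for nothing
Switch1(config)# line console 0
Switch1(config-line)# password cisco
Switch1(config-line)# login
Switch1(config-line)# exit
Switch1(config)# line vty 0 15
Switch1(config-line)# password cisco
Switch1(config-line)# login
Switch1(config-line)# exit
! Obfuscates the line passwords in show run (type 7, reversible; not real protection)
Switch1(config)# service password-encryption
Switch1(config)# end
! Verify, test layer 1-3 to a PC, then save to NVRAM so it survives a reload
Switch1# show running-config
Switch1# ping 192.168.1.10
Switch1# copy running-config startup-config
```

Order matters in one place: a vty line with login set but no password refuses telnet connections outright ("Password required, but none set"), so if you lock yourself out of telnet that is the first thing to check from the console.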
Let’s take a look at some additional security we can add to the switch to prevent unauthorized users from plugging into it. I’ve brought up a CCNA slide showing the center switch, Switch1, and its forwarding table, with abbreviated two-character MAC addresses for each of the Palestra PCs. The MAC address for Palestra 1 is 7C, and the forwarding table is already populated at this point: port one, 7C; port two, B9; port three, D7; port four, 4E. So the switch knows which interface it needs to send out of to reach each device. What port security does is this: if an unauthorized machine is plugged into the switch, the switch looks at the MAC address and takes the appropriate action. Let’s take a look at what I mean. This Switch1 in our CCNA sim has a total of 12 ports, one through twelve, even though we are only using ports one, two, three and four. So if we are very worried about security, the first thing we would do is shut down ports five through 12. That way, if they have a cable running to a wall jack somewhere, or somebody is able to plug directly into one of those ports, that system will not function on the network. Switchport security takes this a bit further.
Let’s take the example of Palestra 4. Its MAC address is 4E, and from the forwarding table the switch knows that 4E is reached via port four. With switchport security we can say, “Hey, 4E is the only MAC address we want to communicate on port four. If any other MAC address tries to communicate on port four, I want you to shut the port down.” So somebody could take their laptop, unplug Palestra 4, and plug the laptop into the network, and the laptop’s MAC address might be 6D. When the laptop tries to communicate, the switch recognizes that 6D is trying to communicate on port four and says, “Hey, only 4E can communicate on port four. Since this is not the allowed MAC address, I’m going to shut the port down.” So if this laptop were to plug into any port on the switch, ports five through 12 would already be shut down, and ports one through four would already have MAC addresses associated with them, and it would not communicate on the network. That’s a very helpful addition to your physical security. There is a cost: if we want to change the network interface card on Palestra 4, say it went bad, we would have to find the MAC address of the new card, say 9A, and reprogram the switch so that it expects 9A on port four instead of 4E. So we have to actually go in and reprogram the switch for a legitimate change, but if an unauthorized MAC address tries to communicate on the network, the port shuts down, and if it’s an unused port it’s already shut down. So it’s a very helpful addition to physical security.
Let’s figure out how to configure this switchport security. Let’s bring up the CCNA simulator.
Now I’ve brought up the CCNA simulator, and the first thing I want to do is shut down all unused ports. I’ve entered global mode, and what’s nice is I know interfaces five through 12 are not being used, so I want to shut those down in case somebody plugs into them; they will be dead interfaces and nobody will be able to communicate on the network through them. I can use the interface range command: interface range fa0/5 - 12 (fa for FastEthernet). You can see the prompt now says config-if-range, and I’ve got the range of interfaces five through 12 selected. I just type shutdown and it shuts down all of interfaces five through 12. Now, even though it doesn’t show up in this CCNA simulator, on a real switch if I do a show run I will see the shutdown command underneath each one of these interfaces.
Again, I’m using a CCNA simulator, and it doesn’t reproduce every detail; on a real switch I would see the word shutdown underneath these interfaces. I’m on a simulator, so I don’t get 100% of the functionality, I get 99% of it, and it works well for this purpose, but you will notice a couple of little differences. Now I’ve shut down all the interfaces I’m not using. What I want to do next is configure the interfaces I am using to only allow the MAC address the switch has detected to communicate on that interface. I start by going to interface fa0/1, which is FastEthernet 0/1, the port Palestra 1 is plugged into, and I turn on port security there. The first thing I want to do is use the switchport command to tell the switch that the MAC address currently on the interface is the one I want to secure. So I type switchport port-security mac-address sticky, and what that does is detect the current MAC address on the interface and make it permanent on that interface. Whatever MAC address is there, sticky means to detect it and make it a permanent entry in the MAC address table, and in the running configuration, instead of a dynamic one.
By default, all entries in the MAC address table are dynamic, meaning they time out if the switch doesn’t hear from that device for a while; making it sticky puts a permanent entry in the MAC address table. Then I turn on port security itself: after I hit enter on the switchport port-security mac-address sticky command, I have to actually enable the feature with the command switchport port-security. By default, only one MAC address can communicate on the port once port security is turned on, and if a MAC address other than the one detected with the sticky command tries to communicate on port fa0/1, that interface will shut down (it goes into the err-disabled state). If I want to, I can have multiple MAC addresses communicate on a port by using the maximum keyword, and on this switch I can allow up to 132 MAC addresses on a port.
You might ask yourself why 132 MAC addresses would need to communicate on a port when only one computer plugs into it. It might be an uplink port, a port that plugs into another switch with 50 nodes on the other side of it, or you might be plugging into a hub that has 50 nodes on it, and you still don’t want anybody else to plug into it. So there are situations where more than one MAC address needs to communicate on a port. Now let’s take a look at some of the show commands to view all of the configuration we’ve done. I’ve brought up a CCNA slide with the important commands. show running-config is the most important command; put a star next to it, multiple stars, whatever you need to do to remember it. Everything you actually configure shows up in the running configuration. Remember, the running configuration is stored in RAM, and that’s how the device is currently configured to operate. The startup configuration shows you what’s stored in NVRAM, and that’s where you save your changes if you like what you have: if you like what’s running in RAM, you save it to NVRAM, so if the device is restarted, this is the configuration it uses when it comes back up. copy run start, or copy running-config startup-config, is the command that saves your running configuration from RAM to NVRAM. show mac address-table shows your MAC address table entries. You can run it as just show mac address-table, or add dynamic or static on the end. With dynamic you see the dynamic entries, the ones that time out; with static you see the static entries, the ones that are permanent. There is one more for checking the security on a particular interface.
We type show port-security interface followed by the interface we want to look at, and it shows the status of port security on that port, whether it’s enabled and so on.
So these are some very important commands for viewing how the device is configured and how it’s operating. Another command I forgot to put up on the slide is show interface. When you type that in you can see whether each interface is up or down. Let’s take a look at that one real quick. If I type show interface, it shows me the status of the interface, not necessarily everything about how it’s configured, but its status. Let’s take a look here: FastEthernet0/1 is administratively down, line protocol is down. That’s telling me that the interface has been shut down, and to turn it on I would have to go to interface fa0/1 and type no shutdown. If it says administratively down, I go to the interface, type no shutdown, and that turns the interface back on so it says up. So show interface is a very helpful command when testing connectivity.
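Here is the port-security procedure from the last several steps as one configuration session on the 2950, as an added example and not output from the video’s simulator. Fa0/1 through 0/4 are the PC ports and Fa0/5 through 0/12 the unused ports from the video; the MAC address 0000.0000.004e is a constructed stand-in for Palestra 4’s “4E”, and the errdisable recovery timer and the uplink alternative at the end are additions not shown in the video. Two things the video glosses over: a violation puts the port into the err-disabled state, which stays down until an administrator does shutdown then no shutdown (or errdisable recovery is enabled), and the 2950 rejects switchport port-security on a port still in its default dynamic trunking mode, so the port must be set to access mode first.

```cisco
! Added example: switchport port-security on a Catalyst 2950.
! Fa0/1-0/4 are the PC ports and Fa0/5-0/12 the unused ports from the
! video; 0000.0000.004e is a constructed stand-in for Palestra 4's MAC.
Switch1# configure terminal
! 1. Unused ports: shut them down so a live wall jack leads nowhere.
Switch1(config)# interface range fastethernet0/5 - 12
Switch1(config-if-range)# shutdown
Switch1(config-if-range)# exit
! 2. PC ports: allow exactly one MAC, learned from the first frame seen and
!    written into running-config ("sticky"). Port security is rejected on a
!    dynamic-trunking port, so force access mode first. Violation mode
!    shutdown is the default; it is spelled out here for clarity.
Switch1(config)# interface range fastethernet0/1 - 4
Switch1(config-if-range)# switchport mode access
Switch1(config-if-range)# switchport port-security
Switch1(config-if-range)# switchport port-security maximum 1
Switch1(config-if-range)# switchport port-security violation shutdown
Switch1(config-if-range)# switchport port-security mac-address sticky
Switch1(config-if-range)# exit
! 3. Optional: re-enable a violated (err-disabled) port automatically after
!    5 minutes instead of waiting for an admin to do shutdown / no shutdown.
Switch1(config)# errdisable recovery cause psecure-violation
Switch1(config)# errdisable recovery interval 300
Switch1(config)# end
! 4. Verify. Sticky addresses show as static MAC table entries and as
!    "switchport port-security mac-address sticky <mac>" lines in show run;
!    after a violation the port shows Secure-shutdown / err-disabled.
!    (Older 2950 images spell the table command "show mac-address-table".)
Switch1# show port-security interface fastethernet0/4
Switch1# show port-security address
Switch1# show mac address-table static
Switch1# show interfaces status
! 5. NIC replacement on Palestra 4: drop the old sticky address, bounce the
!    port, and the new card's address is learned on its first frame.
Switch1# configure terminal
Switch1(config)# interface fastethernet0/4
Switch1(config-if)# no switchport port-security mac-address sticky 0000.0000.004e
Switch1(config-if)# shutdown
Switch1(config-if)# no shutdown
Switch1(config-if)# exit
! 6. Alternative for a port that uplinks a hub or a second switch (constructed
!    case: Fa0/12 with 50 hosts behind it): bring it up and raise the limit
!    rather than leaving it shut.
Switch1(config)# interface fastethernet0/12
Switch1(config-if)# no shutdown
Switch1(config-if)# switchport mode access
Switch1(config-if)# switchport port-security
Switch1(config-if)# switchport port-security maximum 50
Switch1(config-if)# end
! Sticky addresses live only in running-config until saved.
Switch1# copy running-config startup-config
```

Sticky addresses are learned into the running configuration, not the startup configuration, so until copy run start a reload lets the switch relearn whatever happens to be plugged in first. When a user reports a dead port after a desk move, show port-security interface on that port is the first thing to check: it reports the port status, the violation count and the last source address seen, which tells you whether the port tripped and what tripped it.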
Let’s take a look at some troubleshooting and how we can use these commands. I’ve brought up the CCNA network map we are looking at: Switch1 is the center device and we’ve got our four computers plugged into ports one, two, three and four of the switch. How I would test basic connectivity is with ping. I go to Palestra 1 and try pinging the other machines: ping .20, that works; ping .30, that works; ping .40, that works. So I check that everybody can ping each other. If for some reason one of these devices cannot ping another, let’s say Palestra 1 cannot ping Palestra 4, I would look at what Palestra 1 can ping. Can Palestra 1 ping the switch? I would just try pinging the IP address of the switch; that’s one of the things that’s helpful about having an IP on the switch even though it’s not necessary. I got a reply back, “Reply from 192.168.1.1,” and that tells me that the cabling between Palestra 1 and the switch is good, that power is on, the cables are plugged in right, Ethernet is working appropriately and the IP addresses are good.
What I would do at that point is go to Palestra 4 and see if it can ping the switch. So I’d use ping as a way to narrow down where I think the problem might be. On the switch there are a couple of other things I could check. I would do show interface: let’s say a machine plugged into FastEthernet 0/1 was unable to ping the switch; I’d make sure the interface says “is up, line protocol is up.” That verifies that layer one and layer two of the OSI model are functioning. The first part, “is up,” refers to layer one and the second part, “line protocol is up,” refers to layer two, so if both say up, I know layer one and layer two are good. If I had port security configured, I might also check show mac address-table to make sure the table is populating with MAC addresses and that the expected address appears on the expected port. So it’s very important to check layer one, layer two and layer three when testing connectivity, and to verify that the IP is right as well. All the time I see people overlook a mistyped IP, so look at layer one, two and three of the OSI model when testing connectivity.
We have talked about CCNA commands and configuration for the switch, port security, verifying connectivity and troubleshooting. I hope you have enjoyed this CertificationKits CCNA training video on basic switch configuration. Thank you.