The process to connect to the CLI of a catalyst switch and the initial configuration was covered in detail in Chapter 3. I would recommend reading that chapter again to get familiar with the CLI of a switch. The list below briefly covers some initial configuration steps to get you started.
- Hostname – You can set the name of the device with the hostname command in global configuration mode. Setting the name of the device has no impact on the functions of the switch; it will continue to perform normally irrespective of the name, but it is easier to manage and troubleshoot your network when you give the devices meaningful names. The example below shows how you can change the hostname. Notice the immediate change in the prompt after the command is executed.
- Clock – You can set the date and time on the switch with the clock command in privileged exec mode. Setting the correct date and time is a requirement for some advanced configuration, and it also helps when troubleshooting the device. The syntax of the command is clock set hh:mm:ss day month. An example is shown below:
- Setting enable secret – The enable secret sets a password for access to privileged mode. As you know, privileged mode is where most configuration changes can be made. It can be set using the enable secret command in global configuration mode as shown below:
- Securing access to CLI – As you already know, the switch CLI can be accessed through the console, vty or aux lines. These can be secured by setting a password so that only authorized users can connect. The password can be set using the password command in line configuration mode as shown below:
SwitchB(config-line)#line vty 0 4
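The initial steps above typed in as one session, as an added example rather than the chapter's own output; the hostname and passwords are placeholders, and the exec-timeout lines go beyond the list above:

```cisco
! Added example, not from the chapter. Passwords are placeholders.
Switch>enable
! IOS expects the year as well; watch the prompt change after hostname.
Switch#clock set 09:30:00 14 March 2024
Switch#configure terminal
Switch(config)#hostname SwitchB
SwitchB(config)#enable secret Pr1v-Placeholder
! A line password only takes effect together with "login"; without it
! the console or vty line never prompts for the password at all.
SwitchB(config)#line console 0
SwitchB(config-line)#password Con-Placeholder
SwitchB(config-line)#login
! Drop idle sessions after 5 minutes (beyond the chapter's list).
SwitchB(config-line)#exec-timeout 5 0
SwitchB(config-line)#line vty 0 4
SwitchB(config-line)#password Vty-Placeholder
SwitchB(config-line)#login
SwitchB(config-line)#exec-timeout 5 0
SwitchB(config-line)#end
! Verify the clock and that the secret and line passwords are present.
SwitchB#show clock
SwitchB#show running-config | include hostname|secret|password|login
```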
One thing you must remember is that interface configuration on a switch differs greatly from interface configuration on a router, because switch interfaces are layer 2 interfaces (called switchports), unlike router interfaces, which are layer 3 interfaces. Chapter 6 and Chapter 7 cover various interface-level configuration for the switch. The command to enter interface configuration mode remains the same as on the router, as shown below:
Typically, the switch will learn the MAC address of the device directly connected to a particular port and allow traffic through. This behavior can be a huge security risk if an intruder manages to connect a host to your switchport. At some stage (and in CCNA!) you will need to restrict who can connect to the switched network. This is where port security can assist us. Cisco switches allow us to control which devices can connect to a switch port and how many of them can connect to it (such as when a hub or another switch is connected to the port).
Port security is disabled by default. Before configuring port security, we have to enable it on the interface. It can be enabled using the switchport port-security command. Here’s how to do it:
As soon as port security is enabled it applies the default values: one host permitted to connect at a time, and if this rule is violated the port is shut down.
Using the port security feature we can specify:
- Who can connect to the Switchport
- How many can connect to the Switchport
- Violation Action
Let’s take a look at all three options:
Who can connect – If you know that only a particular host should be connecting to a switchport, then you can restrict access on that port to the MAC address of that host. This will ensure that no one can unplug the authorized host and connect another one. This is a good option for secure locations. This is done using the following command:
Example: If we want only the host with MAC address 0001.14ac.3298 to connect to port fa0/10 on our switch, then the commands required will be:
Switch(config-if)#switchport port-security mac-address 0001.14ac.3298
You have to remember that this command does not add the MAC address to the CAM table. When a host connects to this port and sends its first frame, the source address of the frame is checked against the configured MAC address. If a match is found, the address is added to the CAM table.
So do we have to provide each host’s MAC address manually? That would be a huge task considering the thousands of hosts a network can have! Well, not really. Port security provides something called a sticky address. The switch will learn the MAC address of the first host connected to the port, store it as a static secure MAC address, and from then on only that host will be able to connect to the port. The command required is:
How many can connect – Let’s say we have only one switchport left free and we need to connect 5 hosts to it. What can we do? Connect a hub or switch to the free port! Connecting a switch or a hub to a port has implications: it means that the network will have more traffic, and if a user rather than an administrator connects a switch or a hub there is a chance that loops will be created. So it is best that the number of hosts allowed to connect is restricted at the switch level. This can be done using the “switchport port-security maximum” command, which configures the maximum number of MAC addresses that can source traffic through a port. Consider the following examples:
- Example 1 – Allow only one host to connect to the port. Learn the MAC address of the allowed host automatically.
Switch(config-if)#switchport port-security mac-address sticky
- Example 2 – Allow 3 hosts to connect at the same time out of which 1 MAC address is static and the other two can vary.
Switch(config-if)#switchport port-security mac-address 001a.14e9.8a7d
- Example 3 – Allow a maximum of 5 hosts to connect simultaneously. Hosts can vary.
Violation Action – What happens if a security violation occurs on a switchport? What if 5 hosts are allowed on a port but 6 connect to it? The switch can take one of three configurable actions:
- Shut down the port (shutdown).
- Keep the port up but do not allow the offending host to send/receive data (protect).
- Keep the port up, do not allow the offending host to send/receive data, and notify the administrator through SNMP and/or syslog (restrict).
The three modes can be configured using the following commands:
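The who / how-many / violation settings described above, put together on three interfaces as an added example (not the chapter's own configuration); the interface numbers are assumed, and the errdisable recovery and copy commands go beyond what the chapter covers:

```cisco
! Added example, not from the chapter. Interface numbers are illustrative.
Switch#configure terminal
! Scenario 1: one host, learned automatically (sticky), port shut on violation.
Switch(config)#interface FastEthernet0/10
! Port security is rejected on a dynamic (DTP) port, so pin the mode first.
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#exit
! Scenario 2: three hosts, one pinned statically, the other two may vary.
! restrict keeps the port up, drops offending frames, and logs and counts them.
Switch(config)#interface FastEthernet0/11
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 3
Switch(config-if)#switchport port-security mac-address 001a.14e9.8a7d
Switch(config-if)#switchport port-security violation restrict
Switch(config-if)#exit
! Scenario 3: up to five hosts behind a hub, addresses may vary.
! protect drops offending frames silently, so prefer restrict where logs matter.
Switch(config)#interface FastEthernet0/12
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 5
Switch(config-if)#switchport port-security violation protect
Switch(config-if)#exit
! A port err-disabled by a violation stays down until an administrator does
! shutdown / no shutdown; this lets it recover on its own after 5 minutes.
Switch(config)#errdisable recovery cause psecure-violation
Switch(config)#errdisable recovery interval 300
Switch(config)#end
! Sticky addresses live only in the running config until saved; without this
! they are relearned (from whoever plugs in first) after a reload.
Switch#copy running-config startup-config
! Verify: summary of all ports, one port in detail, and the secure addresses.
Switch#show port-security
Switch#show port-security interface FastEthernet0/11
Switch#show port-security address
```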
Let’s verify our port security configuration using the “show port-security interface” command:
Port Security :Enabled
Port status :SecureUp
Violation mode :Shutdown
Maximum MAC Addresses :5
Total MAC Addresses :5
Configured MAC Addresses :3
Aging time :20 mins
Aging type :Inactivity
SecureStatic address aging :Enabled
Security Violation count :0
The above output shows that Fa0/1 has been configured with 3 static MAC addresses and will allow a maximum of 5 hosts to connect to it. If a violation is detected, the port will (by default) go into the error-disabled state, which shuts the switch interface down. You can see this happening on the switch below, where an unauthorized MAC address arrives on the FastEthernet 0/2 port.
00:55:59: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state
00:55:59: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1234.5678.489d on port FastEthernet0/2.
00:56:00: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down
00:56:01: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to down
Another important command is the “show port-security” command. It provides an overview of all the ports that have port security configured:
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
      Fa0/1            8            7                  0         Shutdown
      Fa0/2           15            5                  0         Restrict
      Fa0/3            5            4                  0         Protect