Sunday, January 30, 2011

Switch Security

I can see the light at the end of the tunnel.  This will be my last post on switches for the ICND2 test, and it's going to be a short one.  Let's start with the most complex topic of this post first and get it out of the way.

EtherChannel - A way to bundle multiple links into one logical link.  Imagine you have 4 links connecting SwitchA to SwitchB.  Well, STP is going to block 3 of them, which leads to a lot of lost bandwidth.  Imagine grabbing all those links and squeezing really hard, until it becomes one big fast link.  That's the whole point of EtherChannel.  It's important to recognize there are two versions of EtherChannel, the Cisco version and the IEEE version, but since I'm studying for a Cisco cert, that's the way I'll be configuring it.

PAgP is overkill for the CCNA, but I'll explain it anyway.
Port Aggregation Protocol (PAgP) - Adds more features to EtherChannel.  Used to learn the capabilities of connected EtherChannel ports and to form a Fast EtherChannel automatically.  Has four modes:
On
Off
Desirable - Actively tries to become a channel.
Auto - Does not try actively, but will become a channel if the other side wants to.

So the following combinations will work: on-on, on-auto, on-desirable, desirable-desirable, desirable-auto.
Ports in a PAgP bundle must have static VLANs assigned (not dynamic), must have the same speed/duplex settings, and must all be in the same VLAN or all be trunk ports.  Once the EtherChannel bundle is working, any change made on one port will affect all ports in that bundle, which is pretty neat.

SwitchA#conf t
SwitchA(config)#int port-channel 1
SwitchA(config-if)#int range fa0/1-4
SwitchA(config-if-range)#switchport trunk encapsulation ISL
SwitchA(config-if-range)#switchport mode trunk
SwitchA(config-if-range)#switchport nonegotiate (this stops the switch from trying to autodetect link types and auto-setup trunking)
SwitchA(config-if-range)#channel-group 1 mode desirable


SwitchB#conf t
SwitchB(config)#int port-channel 1
SwitchB(config-if)#int range fa0/1-4
SwitchB(config-if-range)#switchport trunk encapsulation ISL
SwitchB(config-if-range)#switchport mode trunk
SwitchB(config-if-range)#switchport nonegotiate
SwitchB(config-if-range)#channel-group 1 mode desirable

Another important topic for the CCNA is switch security.  So much focus is placed on protecting a network from the outside via firewalls that it's easy to overlook the damage malicious users can do from the inside of your network if they manage to sneak into your building.  Luckily, the boom of wireless technologies has forced companies to re-examine their internal network security.

Switch security was touched on in the ICND1, so I'll skip past the basics of setting an enable secret password, securing VTY ports and setting up SSH (not that they aren't important!).  I mainly want to focus on the importance of assigning ports and port security.  It's easy to see why it isn't a good idea to have switchports available for anyone to plug into.  One of a hacker's most effective methods of breaking into a network is to piggyback into a building.  That is to say, they stand outside a back door smoking a cigarette until someone else comes out to smoke, and then just walk right into the building, pretending they work there.  From there they can just walk up to the wall, plug in their laptop, and wham, server access.  The way to protect against this is port-security.  Port-security statically limits the number of MAC addresses that can be assigned to a port, and can assign those MAC addresses instead of learning them dynamically.  You can also set the penalty when a user violates the set policy.  You can shut down the port completely until you re-enable it, or you can just stop it from working until the correct MAC address is heard again.

S1(config)#int range fa0/1-8
S1(config-if-range)#switchport mode access
S1(config-if-range)#switchport port-security
Port-security only works on access ports, and the bare switchport port-security command is what actually turns the feature on; the maximum, sticky and violation commands below tune it but do nothing until it is enabled.
S1(config-if-range)#switchport port-security maximum 1
This sets the maximum number of MACs that can be assigned to that port (useful if you only want 1 computer using it; it stops a user from plugging in a hub and connecting a whole bunch of devices).

S1(config-if-range)#switchport port-security mac-address sticky
The sticky option will learn the MAC of whatever is connected to that port, and only allow that MAC (or multiple MACs if permitted).  This prevents a malicious user from unplugging a computer and plugging theirs in.
You can also assign the MAC address manually, but this could take forever.  If you use the sticky command, just be sure the right devices are currently plugged in.

S1(config-if-range)#switchport port-security violation <restrict | shutdown | protect>
Chooses what will happen if the policy is broken.
Shutdown - Turns the port off; it will not work until an administrator re-enables it.
Restrict - Alerts the administrator via SNMP that the policy has been broken.
Protect - Just drops incoming frames from the non-matching MAC address.
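Both of the bigger points above, the EtherChannel member requirements (same speed/duplex, all access in one VLAN or all trunks) and the port-security settings, can be checked against a saved show running-config instead of by eyeballing each port. The script below is an added example and is not code from the original post. The config text, the switch name S1 and the interface numbers are constructed for illustration, and the script assumes access ports carry an explicit "switchport mode access" line (ports left in default dynamic mode are skipped).

```python
"""Added example (not from the post): audit a Cisco IOS running-config for
mismatched EtherChannel members and weak or missing port-security."""
from collections import defaultdict

# Constructed sample running-config for a hypothetical switch S1.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 duplex full
 channel-group 1 mode desirable
!
interface FastEthernet0/2
 switchport mode trunk
 duplex half
 channel-group 1 mode desirable
!
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
interface FastEthernet0/6
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface FastEthernet0/8
 switchport mode access
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
"""

# Member-port settings the post says must agree before a bundle forms.
MUST_MATCH = ("speed", "duplex", "switchport mode", "switchport access vlan")


def parse_interfaces(config):
    """Return {interface name: [its config lines]} per 'interface' stanza."""
    interfaces, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None  # end of stanza
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def setting(lines, prefix):
    """Value after `prefix` on the first matching line, or None when unset."""
    return next((l[len(prefix) + 1:] for l in lines if l.startswith(prefix + " ")), None)


def audit_etherchannel(interfaces):
    """Flag channel groups whose members disagree on a must-match setting."""
    groups = defaultdict(list)
    for lines in interfaces.values():
        cg = setting(lines, "channel-group")  # e.g. "1 mode desirable"
        if cg:
            groups[int(cg.split()[0])].append(lines)
    findings = []
    for group, members in sorted(groups.items()):
        for key in MUST_MATCH:
            values = {setting(lines, key) for lines in members}
            if len(values) > 1:  # a port with the setting unset shows up as None
                findings.append((group, f"members disagree on '{key}': "
                                 + ", ".join(sorted(map(str, values)))))
    return findings


def audit_port_security(interfaces):
    """Flag access ports where port-security is off, silent, or unpinned."""
    findings = []
    for name, lines in sorted(interfaces.items()):
        if "switchport mode access" not in lines:
            continue  # trunks are outside the post's scope
        if "switchport port-security" not in lines:
            # maximum/sticky/violation lines do nothing until the feature is enabled
            findings.append((name, "port-security not enabled"))
            continue
        if "switchport port-security violation protect" in lines:
            findings.append((name, "violation mode 'protect' drops frames silently, nobody is alerted"))
        if not any(l.startswith("switchport port-security mac-address") for l in lines):
            findings.append((name, "no sticky or static MAC, the first device seen is accepted"))
    return findings


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    for where, msg in audit_etherchannel(ifaces) + audit_port_security(ifaces):
        print(f"{where}: {msg}")
```

Run against the sample, it reports that channel group 1 will not bundle because Fa0/1 and Fa0/2 disagree on duplex, that Fa0/6 is in protect mode (violations are dropped without any notification, so a rogue device is never noticed) and has no pinned MAC, and that Fa0/8 has sticky and maximum configured but port-security itself was never switched on, which is exactly the mistake the command list above is easy to make. Replace SAMPLE_CONFIG with the text of a real show running-config to audit a switch.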

Finally, the last objective is to set up a switch so that it may be managed remotely.  To do this, just set an IP address on the management VLAN interface and set the switch's default gateway.

Switch(config)#ip default-gateway 192.168.1.1
Switch(config)#int vlan 1 (assuming you haven't changed the management VLAN number)
Switch(config-if)#ip add 192.168.1.2 255.255.255.0
Switch(config-if)#no shut

That's it folks.  Hopefully that's everything you (and I) need to know about switches for the ICND2 exam.  If you haven't already, please be sure to look over my previous Switching-topic posts, and if you have, thanks for reading!
