1. In what modes can you type the command show mac address-table and expect to get
a response with MAC table entries? (Choose two answers.)
a. User mode
b. Enable mode
c. Global configuration mode
d. Interface configuration mode
2. In which of the following modes of the CLI could you type the command reload and
expect the switch to reboot?
a. User mode
b. Enable mode
c. Global configuration mode
d. Interface configuration mode
3. Which of the following is a difference between Telnet and SSH as supported by a
Cisco switch?
a. SSH encrypts the passwords used at login, but not other traffic; Telnet encrypts
nothing.
b. SSH encrypts all data exchange, including login passwords; Telnet encrypts
nothing.
c. Telnet is used from Microsoft operating systems, and SSH is used from UNIX
and Linux operating systems.
d. Telnet encrypts only password exchanges; SSH encrypts all data exchanges.
4. What type of switch memory is used to store the configuration used by the switch
when it is up and working?
a. RAM
b. ROM
c. Flash
d. NVRAM
e. Bubble
128 CCENT/CCNA ICND1 100-105 Official Cert Guide
5. What command copies the configuration from RAM into NVRAM?
a. copy running-config tftp
b. copy tftp running-config
c. copy running-config start-up-config
d. copy start-up-config running-config
e. copy startup-config running-config
f. copy running-config startup-config
6. A switch user is currently in console line configuration mode. Which of the following
would place the user in enable mode? (Choose two answers.)
a. Using the exit command once
b. Using the end command once
c. Pressing the Ctrl+Z key sequence once
d. Using the quit command
Console access requires both a physical connection between a PC (or other user device)
and the switch's console port, as well as some software on the PC. Telnet and SSH require
software on the user's device, but they rely on the existing TCP/IP network to transmit data.
The next few pages detail how to connect the console and set up the software for each
method to access the CLI.
After the PC is physically connected to the console port, a terminal emulator software
package must be installed and configured on the PC. The terminal emulator software treats
all data as text.
The emulator must be configured to use the PC's serial port with settings that match those of
the switch's console port. The default console port settings on a switch are as follows.
Note that the last three parameters are referred to collectively as 8N1:
9600 bits/second
No hardware flow control
8-bit ASCII
No parity bits
1 stop bit
Cisco IOS stores the collection of configuration commands in a configuration file. In fact,
switches use multiple configuration files: one file (startup-config) for the initial configuration used when
powering on, and another (running-config) for the active, currently used running configuration as
stored in RAM.
Key Terms You Should Know
command-line interface (CLI), Telnet, Secure Shell (SSH), enable mode, user mode, configuration mode,
startup-config file, running-config file
enable              Moves the user from user mode to enable (privileged) mode and
                    prompts for a password if one is configured.
disable             Moves the user from enable mode to user mode.
configure terminal  Enable mode command that moves the user into configuration mode.
1. Which of the following statements describes part of the process of how a switch
decides to forward a frame destined for a known unicast MAC address?
a. It compares the unicast destination address to the bridging, or MAC address,
table.
b. It compares the unicast source address to the bridging, or MAC address, table.
c. It forwards the frame out all interfaces in the same VLAN except for the incoming interface.
d. It compares the destination IP address to the destination MAC address.
e. It compares the frame's incoming interface to the source MAC entry in the MAC
address table.
2. Which of the following statements describes part of the process of how a LAN
switch decides to forward a frame destined for a broadcast MAC address?
a. It compares the unicast destination address to the bridging, or MAC address,
table.
b. It compares the unicast source address to the bridging, or MAC address, table.
c. It forwards the frame out all interfaces in the same VLAN except for the incoming interface.
d. It compares the destination IP address to the destination MAC address.
e. It compares the frame's incoming interface to the source MAC entry in the MAC
address table.
3. Which of the following statements best describes what a switch does with a frame
destined for an unknown unicast address?
a. It forwards out all interfaces in the same VLAN except for the incoming interface.
b. It forwards the frame out the one interface identified by the matching entry in
the MAC address table.
c. It compares the destination IP address to the destination MAC address.
d. It compares the frame's incoming interface to the source MAC entry in the MAC
address table.
4. Which of the following comparisons does a switch make when deciding whether a
new MAC address should be added to its MAC address table?
a. It compares the unicast destination address to the bridging, or MAC address,
table.
b. It compares the unicast source address to the bridging, or MAC address, table.
c. It compares the VLAN ID to the bridging, or MAC address, table.
d. It compares the destination IP address's ARP cache entry to the bridging, or
MAC address, table.
5. A Cisco Catalyst switch has 24 10/100 ports, numbered 0/1 through 0/24. Ten PCs
connect to the ten lowest numbered ports, with those PCs working and sending data
over the network. The other ports are not connected to any device. Which of the following answers lists
facts displayed by the show interfaces status command?
a. Port Ethernet 0/1 is in a connected state.
b. Port Fast Ethernet 0/11 is in a connected state.
c. Port Fast Ethernet 0/5 is in a connected state.
d. Port Ethernet 0/15 is in a notconnected state.
6. Consider the following output from a Cisco Catalyst switch:
SW1# show mac address-table dynamic
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    02AA.AAAA.AAAA    DYNAMIC     Gi0/1
   1    02BB.BBBB.BBBB    DYNAMIC     Gi0/2
   1    02CC.CCCC.CCCC    DYNAMIC     Gi0/3
Total Mac Addresses for this criterion: 3
Which of the following answers are true about this switch?
a. The output proves that port Gi0/2 connects directly to a device that uses address
02BB.BBBB.BBBB.
b. The switch has learned three MAC addresses since the switch powered on.
c. The three listed MAC addresses were learned based on the destination MAC
address of frames forwarded by the switch.
d. 02CC.CCCC.CCCC was learned from the source MAC address of a frame that
entered port Gi0/3.
LAN switches receive Ethernet frames and then make a switching decision: either forward
the frame out some other ports or ignore the frame. To accomplish this primary mission,
switches perform three actions:
1. Deciding when to forward a frame or when to filter (not forward) a frame, based on
the destination MAC address
2. Preparing to forward frames by learning MAC addresses by examining the source
MAC address of each frame received by the switch
3. Preparing to forward only one copy of the frame to the destination by creating
a (Layer 2) loop-free environment with other switches by using Spanning Tree
Protocol (STP)
The first action is the switch's primary job, whereas the other two items are overhead
functions.
Learning MAC Addresses
Thankfully, the networking staff does not have to type in all those MAC table entries.
Instead, the switches perform their second main function: they learn the MAC addresses and the interfaces to put
into the address table. With a complete MAC address table, the switch can make
accurate forwarding and filtering decisions as just discussed.
Switches build the address table by listening to incoming frames and examining the source
MAC address in the frame. If a frame enters the switch and the source MAC address is not
in the MAC address table, the switch creates an entry in the table. That table entry lists the
interface from which the frame arrived. Switch learning logic is that simple.
The following checklist details the commands to configure local username login, mainly as a
method for easier study and review:
Step 1. Use the username name secret password global configuration command to
add one or more username/password pairs on the local switch.
Step 2. Configure the console to use locally configured username/password pairs:
A. Use the line con 0 command to enter console configuration mode.
B. Use the login local subcommand to enable the console to prompt for both
username and password, checked versus the list of local usernames/passwords.
C. (Optional) Use the no password subcommand to remove any existing
simple shared passwords, just for good housekeeping of the configuration
file.
Step 3. Configure Telnet (vty) to use locally configured username/password pairs.
A. Use the line vty 0 15 command to enter vty configuration mode for all 16
vty lines (numbered 0 through 15).
B. Use the login local subcommand to enable the switch to prompt for both
username and password for all inbound Telnet users, checked versus the list
of local usernames/passwords.
C. (Optional) Use the no password subcommand to remove any existing simple shared passwords, just
for good housekeeping of the configuration file.
To complete this section about SSH, the following configuration checklist details the steps
for one method to configure a Cisco switch to support SSH using local usernames. (SSH
support in IOS can be configured in several ways; this checklist shows one simple way to
configure it.) The process shown here ends with a comment to configure local username
support on vty lines, as was discussed earlier in the section titled Securing User Mode
Access with Local Usernames and Passwords.
Step 1. Configure the switch to generate a matched public and private key pair to use
for encryption:
A. If not already configured, use the hostname name in global configuration
mode to configure a hostname for this switch.
B. If not already configured, use the ip domain-name name in global configuration mode to configure a
domain name for the switch, completing the
switchs FQDN.
C. Use the crypto key generate rsa command in global configuration mode
(or the crypto key generate rsa modulus modulus-value command to
avoid being prompted for the key modulus) to generate the keys. (Use at
least a 768-bit key to support SSH version 2; in practice, 2048 bits is the
sensible minimum on current IOS releases.)
Step 2. (Optional) Use the ip ssh version 2 command in global configuration mode to
override the default of supporting both versions 1 and 2, so that only SSHv2
connections are allowed.
Step 3. (Optional) If not already configured with the setting you want, configure the
vty lines to accept SSH and whether to also allow Telnet:
A. Use the transport input ssh command in vty line configuration mode to
allow SSH only.
B. Use the transport input all command (default) or transport input telnet
ssh command in vty line configuration mode to allow both SSH and Telnet.
Step 4. Use various commands in vty line configuration mode to configure local username login
authentication as discussed earlier in this chapter.
NOTE Cisco routers default to transport input none, so that you must add the transport
input line subcommand to enable Telnet and/or SSH into a router.
Another way to improve the user experience at the console is to control timeouts of the
login session from the console or when using Telnet or SSH. By default, the switch automatically
disconnects console and vty (Telnet and SSH) users after 5 minutes of inactivity.
The exec-timeout minutes seconds line subcommand enables you to set the length of that
inactivity timer. In lab (but not in production), you might want to use the special value of 0
minutes and 0 seconds meaning never time out.
With all default settings in the switch, if you mistype a command at the CLI, IOS treats the text as a
hostname to which you want to Telnet, tries to resolve that hostname, cannot find a DNS
server, and takes about a minute to time out and give you control of the CLI again.
To avoid this problem, configure the no ip domain-lookup global configuration command,
which disables IOS's attempt to resolve the hostname into an IP address.
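The following configuration is an added example, not one from the book, that ties together the local-username checklist, the SSH checklist, the exec-timeout subcommand and the no ip domain-lookup command described above into one working switch configuration. The hostname, domain name, usernames, passwords, the 2048-bit modulus and the 10-minute timeout are assumed values chosen for the example; the enable secret line goes one step beyond the checklists but is the normal companion to local usernames.

```ios
! Added example (not from the book): secure CLI access on a Catalyst switch.
! Hostname, domain name, usernames, passwords and timeouts are assumed values.
hostname SW1
ip domain-name example.com
! Stop IOS from treating mistyped commands as hostnames to resolve
no ip domain-lookup
! Local user database. "secret" stores a hashed password; the older
! "username name password pass" form stores it reversibly, so prefer secret.
username admin secret St0ngAdminPa55
username netops secret 0psPa55w0rd!
! Protect enable mode with a hashed secret (addition beyond the checklists)
enable secret En4bl3S3cret
! RSA key pair for SSH; hostname and domain name must exist before this runs.
! 2048 bits is the practical minimum today, even though 768 is the SSHv2 floor.
crypto key generate rsa modulus 2048
! Refuse SSHv1 clients
ip ssh version 2
! Console: prompt for username and password from the local database,
! drop any old shared password, disconnect after 10 idle minutes
line console 0
 login local
 no password
 exec-timeout 10 0
! All 16 vty lines: SSH only (no Telnet), local usernames, same idle timeout
line vty 0 15
 login local
 no password
 transport input ssh
 exec-timeout 10 0
```

Verify with show ip ssh (version and key status) and show crypto key mypubkey rsa (the generated key pair), then test from a second session before closing the one you configured from, so a typo in the vty settings cannot lock you out. Because transport input ssh removes Telnet, any remaining Telnet-based management tooling must be migrated to SSH first.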
Key Terms You Should Know
Telnet, Secure Shell (SSH), local username, AAA, AAA server, enable mode, default gateway, VLAN
interface, history buffer, DNS, name resolution, log message
Command References
Tables 8-5, 8-6, 8-7, and 8-8 list configuration and verification commands used in this chapter. As an easy review exercise, cover
the left column in a table, read the right column, and
try to recall the command without looking. Then repeat the exercise, covering the right column, and try to recall what the
command does.
Chapter 8: Configuring Basic Switch Management
Table 8-5 Login Security Commands

Command / Mode, Purpose, Description

line console 0
    Changes the context to console configuration mode.

line vty 1st-vty last-vty
    Changes the context to vty configuration mode for the range of vty lines
    listed in the command.

login
    Console and vty configuration mode. Tells IOS to prompt for a password.

password pass-value
    Console and vty configuration mode. Lists the password required if the
    login command (with no other parameters) is configured.

login local
    Console and vty configuration mode. Tells IOS to prompt for a username and
    password, to be checked against locally configured username global
    configuration commands on this switch or router.

username name secret pass-value
    Global command. Defines one of possibly multiple usernames and associated
    passwords, used for user authentication. Used when the login local line
    configuration command has been used.

crypto key generate rsa [modulus 360..2048]
    Global command. Creates and stores (in a hidden location in flash memory)
    the keys required by SSH.

transport input {telnet | ssh | all | none}
    vty line configuration mode. Defines whether Telnet/SSH access is allowed
    into this switch. Both values can be configured on one command to allow
    both Telnet and SSH access (the default).
Those rules define the basics, but port security allows other options as well, including letting you
configure the specific MAC addresses allowed to send frames into an interface. For
example, in Figure 9-4, switch SW1 connects through interface F0/1 to PC1, so the port
security configuration could list PC1's MAC address as the specific allowed MAC address.
But predefining MAC addresses for port security is optional: You can predefine all MAC
addresses, none, or a subset of the MAC addresses.
You might like the idea of predefining the MAC addresses for port security, but finding
the MAC address of each device can be a bother. Port security provides an easy way to
discover the MAC addresses used off each port using a feature called sticky secure MAC
addresses. With this feature, port security learns the MAC addresses off each port and
stores them in the port security configuration (in the running-config file).
Configuring Port Security
Port security configuration involves several steps. First, you need to disable the negotiation
of a feature that is not discussed until Chapter 11, Implementing Ethernet Virtual LANs,
whether the port is an access or trunk port. For now, accept that port security requires a
port to be configured to either be an access port or a trunking port. The rest of the commands enable
port security, set the maximum allowed MAC addresses per port, and configure the actual MAC
addresses, as detailed in this list:
Step 1. Make the switch interface either a static access or trunk interface using the
switchport mode access or the switchport mode trunk interface subcommands, respectively.
Step 2. Enable port security using the switchport port-security interface subcommand.
Step 3. (Optional) Override the default maximum number of allowed MAC addresses associated with the
interface (1) by using the switchport port-security
maximum number interface subcommand.
Step 4. (Optional) Override the default action to take upon a security violation
(shutdown) using the switchport port-security violation {protect | restrict |shutdown} interface
subcommand.
Step 5. (Optional) Predefine any allowed source MAC addresses for this interface
using the switchport port-security mac-address mac-address command. Use
the command multiple times to define more than one MAC address.
Step 6. (Optional) Tell the switch to sticky learn dynamically learned MAC addresses
with the switchport port-security mac-address sticky interface subcommand.
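The following is an added example, not from the book, that walks through Steps 1 to 6 on two access ports: one with a single predefined MAC address and the default shutdown violation action, the other with sticky learning, a higher maximum and the restrict action. Interface numbers, VLAN ID and MAC addresses are assumed values.

```ios
! Added example (not from the book): port security on two access ports.
! Interface numbers, VLAN ID and MAC addresses are assumed values.
!
! F0/1: only PC1's predefined MAC address may send frames into the port.
! Maximum (1) and violation action (shutdown) are left at their defaults,
! so a second source MAC puts the port into err-disabled state.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security mac-address 0200.1111.1111
!
! F0/2: learn up to two source MACs dynamically and keep them in running-config
! (sticky). On a violation, drop the offending frames and log, but keep the
! port up for the two allowed addresses.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
```

Check the result with show port-security interface fastethernet0/1 (status, violation mode, violation count) and show port-security (per-port summary). Sticky addresses live only in running-config until you copy running-config startup-config, so a reload without saving forgets them. A port that the shutdown action has err-disabled stays down until you issue shutdown followed by no shutdown on it (or configure err-disable recovery), so choose protect or restrict where an attacker-triggered outage would be worse than the violation itself.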
Port Security MAC Addresses as Static and Secure but Not Dynamic
To complete this chapter, take a moment to think about Chapter 7's discussions about
switching, along with all those examples of output from the show mac address-table
dynamic EXEC command.
Once a switch port has been configured with port security, the switch no longer considers
MAC addresses associated with that port as being dynamic entries as listed with the show
mac address-table dynamic EXEC command. Even if the MAC addresses are dynamically
learned, once port security has been enabled, you need to use one of these options to see
the MAC table entries associated with ports using port security:
show mac address-table secure: Lists MAC addresses associated with ports that use port
security
show mac address-table static: Lists MAC addresses associated with ports that use port
security, as well as any other statically defined MAC addresses
Chapter 18
IP Routing
IP routing, the process of forwarding IP packets, delivers packets across entire TCP/IP
networks, from the device that originally builds the IP packet to the device that is supposed
to receive the packet. In other words, IP routing delivers IP packets from the sending host
to the destination host.
The complete end-to-end routing process relies on network layer logic on hosts and on
routers. The sending host uses Layer 3 concepts to create an IP packet, forwarding the IP
packet to the host's default gateway (default router). The process requires Layer 3 logic on
the routers as well, by which the routers compare the destination address in the packet to
their routing tables, to decide where to forward the IP packet next.
The routing process also relies on data-link and physical details at each link. IP routing relies
on serial links, Ethernet LANs, wireless LANs, and many other networks that implement
data link and physical layer standards. These lower-layer devices and protocols move the IP
packets around the TCP/IP network by encapsulating and transmitting the packets inside
data link layer frames.
The routing process starts with the host that creates the IP packet. First, the host asks the
question: Is the destination IP address of this new packet in my local subnet? The host uses
its own IP address/mask to determine the range of addresses in the local subnet. Based on its
own opinion of the range of addresses in the local subnet, a LAN-based host acts as follows:
Step 1. If the destination is local, send directly:
A. Find the destination host's MAC address. Use the already-known Address
Resolution Protocol (ARP) table entry, or use ARP messages to learn the
information.
B. Encapsulate the IP packet in a data-link frame, with the destination data-link address of the
destination host.
Step 2. If the destination is not local, send to the default gateway:
A. Find the default gateway's MAC address. Use the already-known Address
Resolution Protocol (ARP) table entry, or use ARP messages to learn the
information.
B. Encapsulate the IP packet in a data-link frame, with the destination data-link address of the default
gateway.
In addition, most Cisco routers do not attempt to negotiate trunking, so in most cases, both
the router and switch need to manually configure trunking. This chapter discusses the router
side of that trunking configuration; the matching switch interface would need to be configured with the
switchport mode trunk command.
Example 18-3 shows a full example of the 802.1Q trunking configuration required on
Router B1 in the figure. More generally, these steps detail how to configure 802.1Q trunking on a router:
Step 1. Use the interface type number.subint command in global configuration mode
to create a unique subinterface for each VLAN that needs to be routed.
Step 2. Use the encapsulation dot1q vlan_id command in subinterface configuration
mode to enable 802.1Q and associate one specific VLAN with the subinterface.
Step 3. Use the ip address address mask command in subinterface configuration
mode to configure IP settings (address and mask).
First, look at the subinterface numbers. The subinterface number begins with the period,
like .10 and .20 in this case. These numbers can be any number from 1 up through a very
large number (over 4 billion). The number just needs to be unique among all subinterfaces
associated with this one physical interface. In fact, the subinterface number does not even
have to match the associated VLAN ID. (The encapsulation command, and not the subinterface number,
defines the VLAN ID associated with the subinterface.)
Example 18-3 shows one way to configure ROAS on a router, but that particular example
avoids using the native VLAN. However, each 802.1Q trunk has one native VLAN, and
when used, the configuration to use that native VLAN differs, with two options for the
router side of the configuration:
Configure the ip address command on the physical interface, but without an
encapsulation command; the router considers this physical interface to be using the
native VLAN.
Configure the ip address command on a subinterface, and use the encapsulation...native
subcommand.
! First option: put the native VLAN IP address on the physical interface
interface gigabitethernet 0/0
ip address 10.1.10.1 255.255.255.0
!
interface gigabitethernet 0/0.20
encapsulation dot1q 20
ip address 10.1.20.1 255.255.255.0
! Second option: like normal, but add the native keyword
interface gigabitethernet 0/0.10
encapsulation dot1q 10 native
ip address 10.1.10.1 255.255.255.0
!
interface gigabitethernet 0/0.20
encapsulation dot1q 20
ip address 10.1.20.1 255.255.255.0
The following steps show how to configure Layer 3 switching. Note that on some switches,
like the 2960 switches used for the examples in this book, the ability to route IPv4 packets
must be enabled first, with a reload of the switch required to enable the feature. The rest of
the steps after Step 1 would apply to all models of Cisco switches that are capable of doing
Layer 3 switching.
Step 1. On some older models of switches, enable hardware support for IPv4 routing.
For example, on 2960 switches, use the sdm prefer lanbase-routing in global
configuration mode and reload the switch.
Step 2. Use the ip routing command in global configuration mode to enable IPv4 routing on the switch.
Step 3. Use the interface vlan vlan_id command in global configuration mode to create VLAN interfaces
for each VLAN for which the Layer 3 switch is routing
packets.
Step 4. Use the ip address address mask command in interface configuration mode
to configure an IP address and mask on the VLAN interface, enabling IPv4 on
that VLAN interface.
Step 5. Use the no shutdown command in interface configuration mode to enable the
VLAN interface (if it is currently in a shutdown state).