The following is a summary of each topic in the chapter and some questions for your reflection.
What Did I Learn in this Module? (28.5.1)
• Basic Switch Configuration—Elements that are usually configured on a LAN switch include: host name, management IP address information, passwords, and descriptive information. Configure switches with descriptive host names, including the location where the switch will be installed.
A management IP address is only necessary if you plan to configure and manage the switch through an in-band connection on the network.
To secure a Cisco LAN switch, assign passwords for each of the various methods of accessing the command line. At a minimum, assign passwords to the remote access methods (Telnet and SSH) and to the console connection. You must also assign a password to privileged EXEC mode, the mode in which configuration changes can be made.
To access the switch remotely, an IP address and a subnet mask must be configured on the SVI. To configure an SVI on a switch, use the interface vlan 1 global configuration command. VLAN 1 is not a physical interface but a virtual one. Next, assign an IPv4 address using the ip address ip-address subnet-mask interface configuration command. Finally, enable the virtual interface using the no shutdown interface configuration command.
After the switch has been configured with these commands, the switch has all the IPv4 elements ready for communication over the network.
• Configure Initial Router Settings—Steps to configure a router:
Step 1. Configure the device name.
Step 2. Secure privileged EXEC mode.
Step 3. Secure user EXEC mode.
Step 4. Secure remote Telnet / SSH access.
Step 5. Secure all passwords in the config file.
Step 6. Provide legal notification.
Step 7. Save the configuration.
• Secure the Devices—As good practice, use a different password for each level of access (user EXEC, privileged EXEC, and remote vty access). Here are standard guidelines to follow:
• Use a password length of at least eight characters, preferably 10 or more characters.
• Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces, if allowed.
• Avoid passwords based on repetition, common dictionary words, letter or number sequences, usernames, relative or pet names, or biographical information.
• Deliberately misspell a password.
• Change passwords often.
• Do not write passwords down and leave them in obvious places such as on the desk or monitor.
• Passphrases are made up of a few words and other text. Passphrases are generally more difficult to crack than passwords.
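The guidelines above can be expressed as a simple policy check. The following Python function is an added example, not part of the chapter: it reports which guidelines a candidate password violates. The COMMON_WORDS set is a tiny constructed stand-in for a real dictionary or common-password list, and the four-character run used to detect letter or number sequences is an assumed threshold.

```python
import re
import string

# Tiny constructed blocklist standing in for a real dictionary / common-password list.
COMMON_WORDS = {"password", "cisco", "admin", "welcome", "letmein", "qwerty", "summer"}

def has_sequence(s, run=4):
    """True if s holds `run` consecutive ascending or descending alphanumerics (abcd, 4321)."""
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if window.isalnum() and diffs in ({1}, {-1}):
            return True
    return False

def check_password(pw, username=""):
    """Return the chapter guidelines that pw violates; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    elif len(pw) < 10:
        problems.append("shorter than the preferred 10 characters")
    # character classes: lowercase, uppercase, digits, symbols or spaces
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation + " " for c in pw))
    if sum(classes) < 3:
        problems.append("uses fewer than 3 of: lowercase, uppercase, digits, symbols/spaces")
    # a character repeated three times, or any two-or-more-character chunk repeated back to back
    if re.search(r"(.)\1\1", pw) or re.search(r"(..+)\1", pw):
        problems.append("contains repetition")
    low = pw.lower()
    if any(w in low for w in COMMON_WORDS):
        problems.append("contains a dictionary or common word")
    if username and username.lower() in low:
        problems.append("contains the username")
    if has_sequence(low):
        problems.append("contains a letter or number sequence")
    return problems
```

A multi-word passphrase with mixed classes passes every rule, while short, dictionary-based or username-derived passwords are reported with the specific guideline they break.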
There are multiple ways to access a device to perform configuration tasks. One of these ways is to use a PC attached to the console port on the device. This type of connection is frequently used for initial device configuration. Setting a password for console connection access is done in global configuration mode.
When the device is connected to the network, it can be accessed over the network connection using SSH or Telnet. SSH is the preferred method because it is more secure. When the device is accessed through the network, the session is a vty connection. A password needs to be set for all available vty lines; the same password can be used for every line. The global configuration command service password-encryption ensures that all passwords are encrypted in the configuration file.
Configure a Cisco device to support SSH using the following six steps:
Step 1. Configure a unique device hostname. A device must have a unique hostname other than the default.
Step 2. Configure the IP domain name. Configure the IP domain name of the network by using the global configuration mode command ip domain-name name.
Step 3. Generate a key to encrypt SSH traffic. SSH encrypts traffic between source and destination; to do so, the device needs a unique RSA key pair, generated with the global configuration command crypto key generate rsa general-keys modulus bits.
Step 4. Verify or create a local database entry. Create a local database username entry using the username global configuration command.
Step 5. Authenticate against the local database. Use the login local line configuration command to authenticate the vty line against the local database.
Step 6. Enable vty inbound SSH sessions. By default, no input session is allowed on vty lines. You can specify the permitted input protocols, Telnet and/or SSH, using the transport input {ssh | telnet} command; transport input ssh allows only SSH sessions on the line.
To display the version and configuration data for SSH on the device that you configured as an SSH server, use the show ip ssh command. To check the SSH connections to the device, use the show ssh command.
• Configure the Default Gateway—If your local network has only one router, it will be the gateway router and all hosts and switches on your network must be configured with this information.
For an end device to communicate over the network, it must be configured with the correct IP address information, including the default gateway address. The default gateway address is generally the router interface address attached to the local network of the host. The IP address of the host device and the router interface address must be in the same network.
To manage the switch from a different network, configure the switch virtual interface (SVI) with an IPv4 address, subnet mask, and default gateway address.
To remotely access the switch from another network using SSH, the switch must have an SVI with an IPv4 address, subnet mask, and default gateway address configured. To configure an IPv4 default gateway on a switch, use the ip default-gateway ip-address global configuration command. The address given is the IPv4 address of the local router interface connected to the switch.
A workgroup switch can also be configured with an IPv6 address on an SVI. The switch will automatically receive its default gateway from the ICMPv6 Router Advertisement message from the router.
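As an added example (not from the chapter or from Cisco), the following Python script audits a saved running-config against the settings described above: the switch SVI setup, the router hardening steps, the six SSH steps, and the rule that the default gateway must be on the SVI's own network. The sample configuration and its placeholder hashes are constructed, and the check names are my own.

```python
import ipaddress
import re

# Constructed sample running-config (not from a real device); hashes are placeholders.
SAMPLE_CONFIG = """\
hostname S1
service password-encryption
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
ip domain-name example.com
username admin secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
banner motd ^Authorized access only^
interface Vlan1
 ip address 192.168.1.20 255.255.255.0
ip default-gateway 192.168.1.1
line vty 0 15
 login local
 transport input ssh
"""

def parse_sections(cfg):
    """Map each top-level config line to the list of its indented child lines."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            current = raw.strip()
            sections[current] = []
    return sections

def audit_config(cfg):
    """Return {check_name: passed} for the chapter's hardening, SSH and SVI/gateway steps."""
    sec = parse_sections(cfg)
    under = lambda p: [l for h, body in sec.items() if h.lower().startswith(p) for l in body]
    vty, svi = under("line vty"), under("interface vlan")
    transports = [l for l in vty if l.startswith("transport input")]
    ip = next((re.match(r"ip address (\S+) (\S+)", l) for l in svi if l.startswith("ip address ")), None)
    gw = next((re.match(r"ip default-gateway (\S+)", l) for l in sec if l.startswith("ip default-gateway ")), None)
    return {
        "hostname_not_default": any(re.fullmatch(r"hostname (?!Switch$|Router$)\S+", l) for l in sec),
        "enable_secret": any(l.startswith("enable secret ") for l in sec),
        "password_encryption": "service password-encryption" in sec,
        "banner": any(l.startswith("banner motd ") for l in sec),
        "domain_name": any(l.startswith("ip domain-name ") for l in sec),
        "local_user": any(l.startswith("username ") for l in sec),
        "vty_login_local": "login local" in vty,
        "vty_ssh_only": bool(transports) and all(t == "transport input ssh" for t in transports),
        "gateway_on_svi_subnet": bool(ip and gw)
        and ipaddress.ip_address(gw[1]) in ipaddress.ip_interface(f"{ip[1]}/{ip[2]}").network,
    }
```

Note that service password-encryption only obfuscates line and username passwords with the reversible Type 7 scheme, which is why the audit looks for enable secret, a hashed credential, to protect privileged EXEC mode.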
It’s nice to have some help when you have a big project, like Diego has. This module has almost everything I would need to know to set up a branch network. Based on what you have learned in this course so far, I bet you could have helped Diego. Do you have access to a network that is large enough to contain switches and more than one router? If so, ask your IT department if you could have a tour. You might be surprised at how much you already understand!