● Choose a naming convention for hostnames
● Hostname configuration commands
  ○ enable
  ○ config t
  ○ hostname MySwitch
● Passwords
  ○ Enable password
    ■ Access to privileged EXEC mode, non-encrypted or poorly encrypted in config
    ■ enable password MyPassword
    ■ service password-encryption
      ● Hides password from onlookers in config but can easily be decrypted
  ○ Enable secret
    ■ Access to privileged EXEC mode, encrypted in config
    ■ enable secret MyPassword
  ○ Console password
    ■ Access to console
    ■ line console 0
    ■ password MyPassword
    ■ login
  ○ VTY password
    ■ Access over Telnet/SSH
    ■ line vty 0 15
    ■ password MyPassword
    ■ login
● Banners
  ○ banner motd # message #
    ■ Shown to all connections
  ○ banner login # message #
Andrew Crouthamel Cisco CCNA Training Notes 41
    ■ Shown only to services that have login defined
● Saving
  ○ copy running-config startup-config
  ○ write memory
● reload
● erase <ConfigName>
  ○ For NVRAM
● delete vlan.dat
  ○ For flash memory
● One can use TFTP to copy IOS files from flash to a server
  ○ show flash
  ○ copy flash: tftp:
    ■ c1900-universalk9-mz.SPA.152-4.M3.bin (source filename)
    ■ 192.168.1.100 (TFTP server address)
● Selecting a new IOS file to boot from
  ○ boot system flash0://c1900-universalk9-mz.SPA.152-4.M3.bin
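The commands above, put together as one baseline access-hardening sequence on a Cisco IOS switch. This is an added example, not configuration from the notes; the hostname and every password are placeholders, and the weak `enable password` form is shown commented out next to the `enable secret` form that replaces it.

```cisco
! Added example (not from the notes): baseline local access hardening.
! Hostname and all passwords are placeholders.
enable
configure terminal
hostname Sw1
!
! Weak form: 'enable password' is stored in plain text, or as a type 7 string
! when service password-encryption is on, which is trivially reversible.
!   enable password WeakPassword1
! Preferred form: 'enable secret' is stored as a one-way hash and takes
! precedence over 'enable password' if both exist.
enable secret StrongEnableSecret1
!
! Still worth enabling: it obscures line passwords from someone reading the
! config over your shoulder, even though it is not real encryption.
service password-encryption
!
! Console access with an idle timeout.
line console 0
 password ConsolePassword1
 login
 exec-timeout 5 0
 logging synchronous
 exit
!
! Remote access (Telnet and SSH for now; restricting to SSH is covered later).
line vty 0 15
 password VtyPassword1
 login
 exec-timeout 5 0
 exit
!
! motd is shown to every connection; login only where 'login' is configured.
banner motd # Authorized access only. All activity is monitored. #
banner login # Enter your credentials. #
!
! Boot from a specific image in flash (filename taken from the notes).
boot system flash0://c1900-universalk9-mz.SPA.152-4.M3.bin
end
!
! Persist the change (write memory is equivalent).
copy running-config startup-config
!
! Verify: the secret line should show a hashed value, never the clear text.
show running-config | include enable
```

The final `show running-config | include enable` is the check to make a habit of: if the output still contains a readable or type 7 password, the device has not actually been hardened.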
Switch Configuration Basics
● Boot sequence
  ○ Power-On Self-Test (POST) from ROM
  ○ Loads boot loader from ROM
  ○ Starts the CPU
  ○ Initializes flash
  ○ Loads the IOS from flash and continues booting the OS
● Can recover from a forgotten password or system crash with the boot loader
  ○ Connect a PC to the console port
  ○ Restart the switch
  ○ Within 15 seconds, press and hold the Mode button while the System LED is flashing green
  ○ Continue to hold Mode until the System LED turns amber and then solid green
  ○ Release the Mode button
  ○ The console will display “switch:” as the prompt
● LEDs
  ○ System LED - Power up/down
  ○ Redundant Power System (RPS) LED - Power up/down
  ○ Port Status LED - Link up/down, amber means blocked
  ○ Port Duplex LED - Green is full duplex, off is half
  ○ Port Speed LED - Green is 100 Mbps, blinking green is 1 Gigabit, off is 10 Mbps
  ○ Power over Ethernet (PoE) LED - Power up/down
● VLAN 1 is the default management VLAN
● To manage a switch, a Switch Virtual Interface (SVI) must be configured
  ○ This is essentially an interface/IP for a specific VLAN
● SVI configuration
  ○ vlan 99
  ○ name Management
  ○ interface f0/1
  ○ switchport access vlan 99
  ○ interface vlan 99
  ○ ip address 192.168.99.1 255.255.255.0
  ○ no shutdown
  ○ ip default-gateway 192.168.1.1
● Speed and duplex configuration
  ○ interface f0/1
  ○ duplex auto
  ○ speed auto
● MDIX configuration
  ○ interface f0/1
  ○ mdix auto
● show interfaces - Shows detailed information on interface configuration
Switch Security Basics
● Secure Shell (SSH)
  ○ Encrypts shell access
  ○ SSH uses TCP port 22
  ○ Telnet uses TCP port 23
  ○ Recommended remote access method
● SSH Configuration
  ○ show ip ssh - Will display a result if the device has cryptographic features enabled
  ○ ip domain-name mydomain.com
  ○ crypto key generate rsa
  ○ username UserLogin password UserPassword
  ○ line vty 0 15
  ○ transport input ssh
  ○ login local
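The management SVI from the Switch Configuration Basics section and the SSH configuration above, combined into one SSH-only management setup. This is an added example, not configuration from the notes. The VLAN number and SVI address come from the notes; the hostname, domain name, username, uplink port (f0/24), default gateway (placed on the management subnet rather than the notes' 192.168.1.1) and the vty access list are assumptions, and the `ip ssh version 2` and `access-class` lines are hardening steps beyond what the notes list.

```cisco
! Added example (not from the notes): management SVI on VLAN 99 plus SSH-only
! remote access. Names, addresses, port numbers and credentials are placeholders.
configure terminal
! Management VLAN and SVI; VLAN 1's SVI is shut so management is not on the default VLAN.
vlan 99
 name Management
 exit
interface vlan 99
 ip address 192.168.99.1 255.255.255.0
 no shutdown
 exit
interface vlan 1
 shutdown
 exit
! Gateway on the management subnet (assumed address).
ip default-gateway 192.168.99.254
! Uplink carrying the management VLAN (assumed port).
interface f0/24
 switchport mode access
 switchport access vlan 99
 exit
!
! SSH prerequisites: hostname and domain name form the RSA key name.
hostname Sw1
ip domain-name mydomain.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Local user; 'secret' stores a hash, whereas 'password' is reversible.
username admin privilege 15 secret StrongUserSecret1
!
! Only accept management sessions from the management subnet (added hardening).
ip access-list standard MGMT-HOSTS
 permit 192.168.99.0 0.0.0.255
 deny any log
 exit
line vty 0 15
 transport input ssh
 login local
 access-class MGMT-HOSTS in
 exec-timeout 5 0
 exit
end
!
! Verification
show ip ssh
show ip interface brief
show vlan brief
```

`show ip ssh` should report SSH enabled with version 2.0; if it shows version 1.99 the device is still accepting SSHv1, and if `show ip interface brief` lists Vlan99 as down, the assumed uplink port was not placed in VLAN 99 or has no link.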
● Common Security Attacks
  ○ MAC Address Flooding
    ■ Generating thousands of MAC addresses and sending them out onto the wire, causing a switch to learn too many and causing a CAM table overflow
    ■ This crashes the switch or puts it into fail-open mode, flooding frames everywhere, so the attacker can capture whatever they want
    ■ Can be mitigated with port security options
  ○ DHCP Spoofing
    ■ Attacker floods the DHCP server with requests, using up all available leases
    ■ Attacker then sets up their own DHCP server to provide leases to clients, usually with a different DNS server and the default gateway set to the attacker's computer, redirecting all traffic through it for capture
    ■ Can be mitigated with DHCP snooping and port security options
  ○ CDP
    ■ CDP is enabled on all ports by default
    ■ Provides useful information to an attacker capturing data on their access port
    ■ Can be mitigated by disabling CDP or disabling it on access ports
● Best Practices
  ○ Use secure communication methods
  ○ Encrypt passwords in the configuration file
  ○ Control physical access to devices
  ○ Shut down unused ports
  ○ Use port security features
  ○ Use Access Control Lists (ACLs)
● Security Tools
  ○ nmap
  ○ Nessus
  ○ Metasploit
  ○ Brute force crackers
  ○ Kali (BackTrack) Linux distro
Switch Port Security
● Disable unused ports
  ○ shutdown
  ○ Can use the interface range command to apply to many ports at once
● DHCP snooping tells the switch which ports can respond to DHCP requests
  ○ ip dhcp snooping - Enables globally
  ○ ip dhcp snooping vlan - Enables for a specific VLAN
  ○ ip dhcp snooping trust - On specific interfaces
● Port security
  ○ switchport mode access - Removes it from dynamic port status
  ○ Static MAC security - Only the configured MAC address is allowed
    ■ switchport port-security mac-address
  ○ Dynamic MAC security - Learned during operation, stored in the address table
  ○ Sticky MAC security - Learned during operation, stored in the address table and the running config
    ■ switchport port-security mac-address sticky
    ■ switchport port-security maximum 2
  ○ Port Security Violation Modes
    ■ Protect - Once the limit of MAC addresses is reached, frames from unknown source addresses are dropped until MACs are removed or the limit is raised. No violation notification
    ■ Restrict - Same as Protect but with violation notification
    ■ Shutdown - This is the default mode. Immediately shuts down the port when an unknown MAC is seen. Violation notification
    ■ switchport port-security violation
  ○ show port-security
  ○ show interface - Displays err-disabled status
  ○ show port-security interface - Displays secure-shutdown status
● Network Time Protocol (NTP)
  ○ Retrieves time information from local or remote servers
  ○ Common to use domain controllers or other servers on a domain to ensure all are synchronized
  ○ pool.ntp.org, or more specific sub-pools such as us.pool.ntp.org, is also commonly used
  ○ ntp server - Use the specified server for time data
  ○ ntp master - Allow the device to be queried for time data
  ○ show ntp associations - Display connected peers
  ○ show ntp status - Display NTP information
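The port security, DHCP snooping and NTP commands above, together with the mitigations named in the Common Security Attacks section (port security against MAC flooding, DHCP snooping against DHCP spoofing, CDP disabled on access ports), applied as one access-layer hardening configuration. This is an added example, not configuration from the notes. The interface numbers, VLAN numbers, the printer's MAC address, the NTP server address and the `errdisable recovery` and `ip dhcp snooping limit rate` lines are assumptions beyond what the notes list.

```cisco
! Added example (not from the notes): access-port hardening with port security,
! DHCP snooping, CDP disabled on access ports, and NTP. Interface names, VLAN
! numbers, the static MAC and the NTP server address are constructed values.
configure terminal
!
! 1. Shut down ports that are not in use (interface range applies to many at once).
interface range f0/13 - 23
 shutdown
 exit
!
! 2. User-facing ports: access mode first (port security requires it), sticky
!    learning with a limit of 2 (e.g. an IP phone plus a PC), restrict mode so
!    violations are dropped and logged without err-disabling the port.
interface range f0/1 - 11
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ip dhcp snooping limit rate 15
 no cdp enable
 exit
!
! 3. A printer port pinned to one static MAC (constructed address) in shutdown
!    mode, the default: an unknown MAC puts the port into err-disabled.
interface f0/12
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.1111.2222
 switchport port-security violation shutdown
 no cdp enable
 exit
!
! 4. DHCP snooping: enable globally and per VLAN, then trust only the uplink
!    that leads to the real DHCP server. All other ports are untrusted and
!    cannot answer DHCP requests.
ip dhcp snooping
ip dhcp snooping vlan 10
interface f0/24
 description Uplink toward DHCP server
 ip dhcp snooping trust
 exit
!
! 5. Automatically recover err-disabled ports after 5 minutes so a single
!    violation does not require a manual shutdown / no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! 6. Time sync so violation log timestamps can be correlated (assumed server).
ntp server 192.168.99.10
end
!
! Verification
show port-security
show port-security interface f0/1
show port-security address
show interfaces status err-disabled
show ip dhcp snooping
show ip dhcp snooping binding
show ntp status
show ntp associations
```

Restrict on user ports and shutdown on the printer port is a deliberate split: a user plugging in an extra device produces a logged violation you can investigate, while an unexpected MAC on a fixed-device port is worth isolating outright. `show ip dhcp snooping binding` is the check that snooping is actually working; it should fill with client MAC/IP/port entries as leases are handed out through the trusted uplink.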