Default Gateway on a Switch (19.4.2)–Cisco Build a Small Cisco Network


A switch that interconnects client computers is typically a Layer 2 device. As such, a Layer 2 switch does not require an IP address to function properly. However, an IP address can be configured on a switch to give an administrator remote access to the switch.

To be reached and managed over a local IP network, a switch must have a switch virtual interface (SVI) configured. The SVI is configured with an IPv4 address and subnet mask on the local LAN. The switch must also have a default gateway address configured to remotely manage the switch from another network.

The default gateway address is typically configured on all devices that will communicate beyond their local network. To configure an IPv4 default gateway on a switch, use the ip default-gateway ip-address global configuration command. The ip-address that is configured is the IPv4 address of the local router interface connected to the switch.

Figure 19-4 shows an administrator establishing a remote connection to switch S1 on another network.

   

Figure 19-4 Administrator Establishing a Remote Connection to Switch S1

In this example, the administrator host would use its default gateway to send the packet to the G0/0/1 interface of R1. R1 would forward the packet to S1 out of its G0/0/0 interface. Because the packet's source IPv4 address is on another network, S1 would require a default gateway to forward its reply to the G0/0/0 interface of R1. Therefore, S1 must be configured with a default gateway to be able to reply and establish an SSH connection with the administrative host.

Note

Host computers connected to the switch must already have the default gateway address configured in their operating systems for the packets they originate.

A workgroup switch can also be configured with an IPv6 address on an SVI. However, the switch does not require the IPv6 address of the default gateway to be configured manually. The switch automatically receives its default gateway from the ICMPv6 Router Advertisement message from the router.
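For the IPv4 case described above, the following added example (not part of the original text) audits a saved running-config for the conditions that let S1 reply to a host on another network: an SVI with an address and mask, the interface not shut down, and an ip default-gateway that lies in the SVI's own network. The config excerpt and all addresses are constructed assumptions, and audit_mgmt_ip is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed running-config excerpt for S1; every address is an assumption.
# The gateway is deliberately placed on the wrong network.
SAMPLE_CONFIG = """\
hostname S1
!
interface Vlan1
 ip address 192.168.10.50 255.255.255.0
!
ip default-gateway 192.168.20.1
"""

def audit_mgmt_ip(config, svi="Vlan1"):
    """Return findings that would stop off-subnet management of the switch."""
    findings = []
    # Capture the indented lines that belong to the SVI stanza.
    stanza = re.search(rf"^interface {svi}\n((?: .*\n)*)", config, re.M)
    if not stanza:
        return [f"{svi}: no SVI configured"]
    body = stanza.group(1)
    addr = re.search(r"^ ip address (\S+) (\S+)$", body, re.M)
    if not addr:
        return [f"{svi}: no IPv4 address and subnet mask"]
    # A running-config lists 'shutdown' only when the interface is disabled.
    if re.search(r"^ shutdown$", body, re.M):
        findings.append(f"{svi}: interface is shut down (needs no shutdown)")
    svi_if = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}")
    gw = re.search(r"^ip default-gateway (\S+)$", config, re.M)
    if not gw:
        findings.append("no ip default-gateway: cannot reply to other networks")
        return findings
    gateway = ipaddress.ip_address(gw.group(1))
    # The gateway must be the local router interface, so it has to sit
    # in the same network as the SVI address.
    if gateway not in svi_if.network:
        findings.append(f"gateway {gateway} is not in SVI network {svi_if.network}")
    elif gateway == svi_if.ip:
        findings.append(f"gateway {gateway} is the switch's own SVI address")
    return findings

if __name__ == "__main__":
    for finding in audit_mgmt_ip(SAMPLE_CONFIG):
        print("FINDING:", finding)
```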

Syntax Checker—Configure the Default Gateway (19.4.3)

Use this Syntax Checker to practice configuring the default gateway of a Layer 2 switch.

Refer to the online course to complete this activity.

Packet Tracer—Build a Switch and Router Network (19.4.4)

In this activity, you will cable and then configure the devices to match the address table. After saving the configurations, you will verify your configurations by testing for network connectivity and retrieve information from the network devices.

Summary (19.5)

The following is a summary of each topic in the chapter:

  • Basic Switch Configuration—Elements that are usually configured on a LAN switch include host name, management IP address information, passwords, and descriptive information. You should configure switches with descriptive host names, including the location where the switch will be installed.

A management IP address is necessary only if you plan to configure and manage the switch through an in-band connection on the network.

To secure a Cisco LAN switch, you assign passwords for each of the various access methods to the command line. The minimum requirements include assigning passwords to remote-access methods, such as Telnet, SSH, and the console connection. You must also assign a password to the privileged mode in which configuration changes can be made.

To access the switch remotely, you must configure an IP address and a subnet mask on the SVI. To configure an SVI on a switch, you use the interface vlan 1 global configuration command. VLAN 1 is not an actual physical interface but a virtual one. Next, you assign an IPv4 address using the ip address ip-address subnet-mask interface configuration command. Finally, you enable the virtual interface using the no shutdown interface configuration command.

After the switch has been configured with these commands, the switch has all the IPv4 elements ready for communication over the network.

  • Configure Initial Router Settings—Steps to configure a router:

Step 1. Configure the device name.

Step 2. Secure privileged EXEC mode.

Step 3. Secure user EXEC mode.

Step 4. Secure remote Telnet/SSH access.

Step 5. Secure all passwords in the config file.

Step 6. Provide legal notification.

Step 7. Save the configuration.

  • Secure the Devices—As good practice, you should use different authentication passwords for each of these levels of access. Here are standard guidelines to follow:
    • Use a password length of at least 8 characters but preferably 10 or more characters.
    • Include a mix of uppercase and lowercase letters, numbers, symbols, and spaces, if allowed.
    • Avoid passwords based on repetition, common dictionary words, letter or number sequences, usernames, relative or pet names, or biographical information.
    • Deliberately misspell a password.
    • Change passwords often.
    • Do not write passwords down and leave them in obvious places such as on a desk or monitor.
    • Passphrases are made up of a few words and other text. Passphrases are generally more difficult to crack than passwords.

There are multiple ways to access a device to perform configuration tasks. One of these ways is to use a PC attached to the console port on the device. This type of connection is frequently used for initial device configuration. To set a password for console connection access, you use global configuration mode.

When the device is connected to the network, it can be accessed over the network connection using SSH or Telnet. SSH is the preferred method because it is more secure. When the device is accessed through the network, it is considered a vty connection. A password needs to be set for all available vty lines. The same password can be set for all connections. The global configuration command service password-encryption ensures that all passwords are encrypted.

To configure a Cisco device to support SSH, follow these six steps:

Step 1. Configure a unique device host name. A device must have a unique host name other than the default.

Step 2. Configure the IP domain name. Configure the IP domain name of the network by using the global configuration mode command ip domain-name name.

Step 3. Generate a key to encrypt SSH traffic. SSH encrypts traffic between source and destination. However, to do so, a unique authentication key must be generated by using the global configuration command crypto key generate rsa general-keys modulus bits.

Step 4. Verify or create a local database entry. Create a local database username entry using the username global configuration command.

Step 5. Authenticate against the local database. Use the login local line configuration command to authenticate the vty line against the local database.

Step 6. Enable vty inbound SSH sessions. By default, no input session is allowed on vty lines. You can specify multiple input protocols including Telnet and SSH using the transport input {ssh | telnet} command.

To display the version and configuration data for SSH on the device that you configured as an SSH server, use the show ip ssh command. To check the SSH connections to the device, use the show ssh command.
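As an added example (not from the original text), this script checks a saved running-config against the SSH steps above and flags vty lines that skip login local or still accept Telnet. The config excerpt is constructed, and vty_stanzas and audit_ssh are hypothetical helper names; step 3 is not checked here because the RSA key pair does not appear in the running-config and is verified with show ip ssh.

```python
import re

# Constructed running-config excerpt; names and values are assumptions.
SAMPLE_CONFIG = """\
hostname S1
ip domain-name example.com
username admin secret 5 <constructed-hash>
line con 0
 login
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login
 transport input telnet ssh
"""

def vty_stanzas(config):
    """Map each 'line vty ...' header to its indented sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = stanzas.setdefault(raw.strip(), [])
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None
    return stanzas

def audit_ssh(config):
    """Check the running-config against steps 1, 2, 4, 5 and 6."""
    findings = []
    host = re.search(r"^hostname (\S+)$", config, re.M)
    if not host or host.group(1) in ("Switch", "Router"):
        findings.append("step 1: host name missing or still the default")
    if not re.search(r"^ip domain[- ]name \S+$", config, re.M):
        findings.append("step 2: no ip domain-name")
    if not re.search(r"^username \S+ ", config, re.M):
        findings.append("step 4: no local username entry")
    for header, body in vty_stanzas(config).items():
        if "login local" not in body:
            findings.append(f"{header}: step 5: login local not set")
        allowed = [b.split()[2:] for b in body if b.startswith("transport input")]
        if not allowed:
            findings.append(f"{header}: step 6: no transport input ssh")
        elif allowed[-1] != ["ssh"]:
            findings.append(f"{header}: step 6: transport input allows {' '.join(allowed[-1])}")
    return findings
```

Every vty range is checked separately because a device can carry more than one line vty stanza, and a range left at its old settings remains reachable.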

  • Connect the Switch to the Router—If your local network has only one router, it is the gateway router, and all hosts and switches on your network must be configured with this information.

For an end device to communicate over the network, it must be configured with the correct IP address information, including the default gateway address. The default gateway address is generally the router interface address attached to the local network of the host. The IP address of the host device and the router interface address must be in the same network.

To connect the switch and administratively manage it over multiple networks, configure the SVI with an IPv4 address, subnet mask, and default gateway address.

To remotely access the switch from another network using SSH, the switch must have an SVI with an IPv4 address, subnet mask, and default gateway address configured. The IP address configured is that of the router interface of the connected switch. To configure an IPv4 default gateway on a switch, you use the ip default-gateway ip-address global configuration command. The IP address that is configured is the IPv4 address of the local router interface connected to the switch.

A workgroup switch can also be configured with an IPv6 address on an SVI. The switch automatically receives its default gateway from the ICMPv6 Router Advertisement message from the router.
