Section 2.3: Switch Management
Cisco Catalyst switches can be configured to support many different features. Initial configuration is generally performed with a terminal emulator application on a computer connected to the serial console port. Further configuration can be performed through a Telnet session across the LAN or through a web-based interface; keep in mind that Telnet and plain HTTP carry the login passwords across the network in cleartext, so they should only be used from a management network you trust. Catalyst switches support one of two types of user interface for configuration: Cisco IOS-based commands, and set-based command-line interface (CLI) commands. The IOS-based commands found on Catalyst 1900/2900 and 3560 switches are similar to many of the IOS commands used on Cisco routers. The CLI commands found in CatOS, by contrast, use set and clear commands to change configuration parameters.
2.3.1: Switch Naming
All switches are shipped from the factory with a default configuration and a default system name, which is also used as the prompt. This name can be changed, which is useful when you are using Telnet to move from switch to switch in a network and need to know which device you are on. On an IOS-based switch, use the following command in global configuration mode to change the host or system name:
Switch(config)# hostname host_name
To change the host or system name on a CLI-based switch, use the following command in enable mode:
Switch(enable) set system name system_name
2.3.2: Password Protection
A network device should be configured to secure it from unauthorized access. Catalyst switches allow you to set passwords that restrict who can log in to the user interface. Catalyst switches have two levels of user access: the regular login, called exec mode, and the enable login, called privileged mode. Exec mode is the first level of access and gives access to the basic user interface through any line or the console port. Privileged mode requires a second password and allows users to set or change switch operating parameters and configuration.
On an IOS-based switch, you can use the following commands in global configuration mode to set the login passwords:
Switch(config)# enable password level 1 password
Switch(config)# enable password level 15 password
The first command sets the exec mode password, which has a privilege level of 1, while the second sets the enable (privileged mode) password, which has a privilege level of 15. Both passwords must be a string of four to eight alphanumeric characters, and they are not case-sensitive. The short maximum length and the lack of case sensitivity make these passwords comparatively easy to guess, which is one reason to prefer the authentication methods covered in Topic 11 wherever the platform supports them.
On a CLI-based switch, you can use the following commands in enable mode to set the login passwords (the switch prompts for each value; they are shown here for illustration only and are not echoed on a real switch):
Switch(enable) set password
Enter old password: oldpassword
Enter new password: newpassword
Retype new password: newpassword
Password changed.
Switch(enable) set enablepass
Enter old password: oldenablepassword
Enter new password: newenablepassword
Retype new password: newenablepassword
Password changed.
Switch(enable)
On these switches, set password changes the exec mode password, and set enablepass changes the privileged mode password. Unlike on the IOS-based switches, passwords on these switches are case-sensitive.
Cisco provides various methods for providing device security and user authentication, many of which are more secure than using the login passwords. These methods are discussed in Topic 11.
2.3.3: Remote Access
By default, the switch login passwords allow user access only via the console port. To use Telnet to access a switch from within the campus network, you must configure the switch for remote access. Although a switch operates at Layer 2, the switch supervisor processor must maintain an IP stack at Layer 3 for administrative purposes. An IP address and subnet mask can then be assigned to the switch so that remote communication with the switch supervisor is possible. By default, all ports on a switch are assigned to the same virtual LAN (VLAN), or broadcast domain. The switch supervisor and its IP stack must be assigned to a VLAN before remote Telnet and ping sessions will be supported. VLANs are discussed in detail in Topic 3.
To enable remote access on an IOS-based switch, assign an IP address to the management VLAN interface and a default gateway to the switch using the following commands. The first two are entered in interface configuration mode; ip default-gateway is a global configuration command:
Switch(config)# interface vlan vlan_number
Switch(config-if)# ip address ip_address subnet_mask
Switch(config-if)# exit
Switch(config)# ip default-gateway ip_address
These commands assign an IP address and subnet mask to the management VLAN (VLAN 1 by default) specified by the vlan_number parameter, and a default gateway that the switch uses to reach management stations on other subnets. You can check the switch's current IP settings with the show ip command. Note that the management address is reachable from every port in that VLAN, so leaving it in the default VLAN 1 alongside user ports exposes the switch's login to every host on that VLAN; a dedicated management VLAN is the usual remedy.
To enable remote access on a CLI-based switch, configure an IP address for in-band management on the sc0 interface by entering the following commands in privileged (enable) mode:
Switch(enable) set interface sc0 ip_address subnet_mask broadcast_address
Switch(enable) set interface sc0 vlan_number
Switch(enable) set ip route default gateway
To check the switch's current IP settings, use the show interface command.
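As an added example (not code from the original page or from Cisco), the following Python script audits an IOS-based switch's running configuration for the management weaknesses discussed in 2.3.2 and 2.3.3: a reversible enable password, cleartext line passwords, and vty lines that accept Telnet from any source. The two configuration excerpts are constructed for the example, the hash values in them are placeholders, and the script assumes standard IOS command syntax (enable secret, service password-encryption, access-class, transport input ssh) as found on switches such as the 3560, rather than the 1900's reduced command set.

```python
"""Audit a Catalyst IOS running-config for weak management settings (constructed example)."""
import re

# Constructed excerpt of a weakly configured IOS-based Catalyst (not from the page).
WEAK_CONFIG = """\
hostname Switch-A
enable password level 15 cisco
no service password-encryption
!
interface Vlan1
 ip address 10.1.1.10 255.255.255.0
!
ip default-gateway 10.1.1.1
!
line vty 0 4
 password cisco
 login
 transport input telnet
"""

# The same switch hardened: hashed enable secret, encrypted line passwords, local
# user account, and SSH-only vty lines reachable only from the management subnet.
# (The RSA key pair that SSH needs is generated interactively and is not part of
# the running-config, so it does not appear here.) Hash values are placeholders.
HARDENED_CONFIG = """\
hostname Switch-A
service password-encryption
enable secret 5 $1$abcd$PLACEHOLDERHASHVALUE
username admin secret 5 $1$efgh$PLACEHOLDERHASHVALUE
ip domain-name example.invalid
!
interface Vlan1
 ip address 10.1.1.10 255.255.255.0
!
ip default-gateway 10.1.1.1
access-list 10 permit 10.1.1.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
"""


def parse_config(text):
    """Split an IOS config into (command, [sub-commands]) blocks.

    A line starting in column 0 opens a block; indented lines belong to the most
    recent block. Blank lines and '!' separators are skipped.
    """
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_management(text):
    """Return a list of (code, detail) findings for weak management settings."""
    blocks = parse_config(text)
    global_cmds = [cmd for cmd, _ in blocks]
    findings = []

    if any(c.startswith("enable password") for c in global_cmds):
        findings.append(("ENABLE_PASSWORD", "enable password is stored reversibly; prefer enable secret"))
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append(("NO_ENABLE_SECRET", "no hashed enable secret configured"))
    if "service password-encryption" not in global_cmds:
        findings.append(("NO_PASSWORD_ENCRYPTION", "line passwords are stored in cleartext"))

    for cmd, sub in blocks:
        if not cmd.startswith("line vty"):
            continue
        transport = next((s for s in sub if s.startswith("transport input")), None)
        # Older IOS releases default to allowing Telnet when transport input is absent.
        if transport is None or re.search(r"\b(telnet|all)\b", transport):
            findings.append(("VTY_TELNET", f"{cmd}: Telnet (cleartext) management allowed"))
        if not any(s.startswith("access-class") for s in sub):
            findings.append(("VTY_NO_ACCESS_CLASS", f"{cmd}: no access-class restricting source addresses"))
        if not any(s == "login" or s.startswith("login ") for s in sub):
            findings.append(("VTY_NO_LOGIN", f"{cmd}: no login required on the line"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_management(cfg))
```

Run it against the output of show running-config saved to a file; the hardened excerpt produces no findings, while the weak one is flagged on every check except the missing login. The parser deliberately keys on column-0 versus indented lines, which is how IOS itself nests line and interface sub-commands, so it copes with configs pasted from any IOS-based Catalyst.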
2.3.4: Inter-Switch Communication
Because switches are usually interconnected, management is simplified by inter-switch communication. Cisco has implemented protocols on its devices so that neighboring Cisco equipment can be found, and some families of switches can be clustered and managed as a unit once they discover one another. The Cisco Discovery Protocol (CDP) is used for this purpose. CDP is a Cisco-proprietary Layer 2 protocol that has been bundled with Cisco IOS since release 10.3. It can run on all Cisco-manufactured devices, including switches. It uses SNAP-encapsulated Layer 2 frames and is multicast based, using the destination MAC address 01:00:0C:CC:CC:CC. Because CDP communication occurs at the data link layer, it is independent of any network layer protocol that may be running on a network segment.
By default, a Cisco device running CDP sends information about itself out each of its ports every 60 seconds. Directly connected neighbors add the device and its information to their dynamic CDP tables. Switches regard the CDP address as a special multicast address whose frames must not be forwarded; instead, CDP frames are redirected to the switch's management port and processed by the switch supervisor alone. Therefore, Cisco switches only become aware of other directly connected Cisco devices. Note that the advertisement goes to whatever is attached to the port, Cisco or not: any host on the segment can read the platform, software version and management addresses from it, so CDP should be disabled on ports that face untrusted hosts.
The information a switch sends includes:
• Its device name;
• Its device capabilities;
• Its hardware platform;
• The port type and number through which CDP information is being sent; and
• One address per upper layer protocol.
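To make the frame format concrete, here is an added example (not code from the original page or from Cisco) that builds and parses a CDP advertisement in Python: the multicast destination, the LLC/SNAP header with Cisco's OUI and the CDP protocol ID, and a TLV body carrying the device name, capabilities, platform, port and one IPv4 address as listed above. The source MAC, device name, address, platform and version string are constructed sample values; the TLV type numbers and capability bits are the standard CDP ones. The checksum helper deliberately supports only even-length payloads, because Cisco applies a non-standard rule to the trailing byte of odd-length payloads that this example does not reproduce.

```python
"""Build and parse a CDP advertisement frame (added example; sample values are constructed)."""
import struct

CDP_MULTICAST = bytes.fromhex("01000ccccccc")  # 01:00:0C:CC:CC:CC, not forwarded by Cisco switches
# LLC (DSAP/SSAP 0xAA, UI control 0x03) + SNAP (Cisco OUI 00:00:0C, protocol ID 0x2000 = CDP)
LLC_SNAP_CDP = bytes.fromhex("aaaa03") + bytes.fromhex("00000c") + bytes.fromhex("2000")

TLV_DEVICE_ID, TLV_ADDRESSES, TLV_PORT_ID, TLV_CAPABILITIES = 0x01, 0x02, 0x03, 0x04
TLV_VERSION, TLV_PLATFORM, TLV_NATIVE_VLAN, TLV_DUPLEX = 0x05, 0x06, 0x0A, 0x0B
CAPABILITY_BITS = {0x01: "Router", 0x02: "Trans-Bridge", 0x04: "Source-Route-Bridge",
                   0x08: "Switch", 0x10: "Host", 0x20: "IGMP", 0x40: "Repeater"}


def ones_complement_checksum(data: bytes) -> int:
    """16-bit ones'-complement checksum as used by IP. Even-length payloads only:
    Cisco uses a non-standard rule for the last byte of odd-length payloads."""
    if len(data) % 2:
        raise ValueError("odd-length CDP payload not supported by this example")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _tlv(tlv_type: int, value: bytes) -> bytes:
    # TLV length field counts the 4-byte type/length header as well as the value.
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def build_cdp_frame(src_mac, device_id, ip, port_id, caps, version, platform, vlan, full_duplex):
    """Assemble Ethernet/LLC/SNAP/CDP bytes the way a switch advertises itself."""
    # Addresses TLV: count, then per address: protocol type 1 (NLPID), protocol length 1,
    # NLPID 0xCC (IPv4), address length, address bytes.
    addr = struct.pack("!I", 1) + b"\x01\x01\xcc" + struct.pack("!H", 4) + bytes(int(o) for o in ip.split("."))
    body = (_tlv(TLV_DEVICE_ID, device_id.encode()) + _tlv(TLV_ADDRESSES, addr)
            + _tlv(TLV_PORT_ID, port_id.encode()) + _tlv(TLV_CAPABILITIES, struct.pack("!I", caps))
            + _tlv(TLV_VERSION, version.encode()) + _tlv(TLV_PLATFORM, platform.encode())
            + _tlv(TLV_NATIVE_VLAN, struct.pack("!H", vlan)) + _tlv(TLV_DUPLEX, bytes([int(full_duplex)])))
    # CDP header: version 2, holdtime 180 s (three 60-second advertisement intervals), checksum.
    checksum = ones_complement_checksum(struct.pack("!BBH", 2, 180, 0) + body)
    payload = LLC_SNAP_CDP + struct.pack("!BBH", 2, 180, checksum) + body
    src = bytes.fromhex(src_mac.replace(":", ""))
    return CDP_MULTICAST + src + struct.pack("!H", len(payload)) + payload  # 802.3 length field


def parse_cdp_frame(frame: bytes) -> dict:
    """Decode the fields a neighbor would learn; raise ValueError on anything malformed."""
    if frame[:6] != CDP_MULTICAST:
        raise ValueError("destination is not the CDP multicast address")
    length = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:14 + length]
    if not payload.startswith(LLC_SNAP_CDP):
        raise ValueError("not an LLC/SNAP frame carrying CDP")
    cdp = payload[len(LLC_SNAP_CDP):]
    if len(cdp) < 4 or ones_complement_checksum(cdp) != 0:  # sum over data + checksum folds to zero
        raise ValueError("bad CDP checksum")
    info = {"src_mac": frame[6:12].hex(":"), "cdp_version": cdp[0], "holdtime": cdp[1], "addresses": []}
    off = 4
    while off < len(cdp):
        if off + 4 > len(cdp):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack("!HH", cdp[off:off + 4])
        if tlv_len < 4 or off + tlv_len > len(cdp):  # never trust a length taken from the wire
            raise ValueError("TLV length out of bounds")
        value = cdp[off + 4:off + tlv_len]
        if tlv_type in (TLV_DEVICE_ID, TLV_PORT_ID, TLV_VERSION, TLV_PLATFORM):
            key = {TLV_DEVICE_ID: "device_id", TLV_PORT_ID: "port_id",
                   TLV_VERSION: "version", TLV_PLATFORM: "platform"}[tlv_type]
            info[key] = value.decode(errors="replace")
        elif tlv_type == TLV_CAPABILITIES and len(value) == 4:
            bits = struct.unpack("!I", value)[0]
            info["capabilities"] = [name for bit, name in CAPABILITY_BITS.items() if bits & bit]
        elif tlv_type == TLV_NATIVE_VLAN and len(value) == 2:
            info["native_vlan"] = struct.unpack("!H", value)[0]
        elif tlv_type == TLV_DUPLEX and len(value) == 1:
            info["duplex"] = "full" if value[0] else "half"
        elif tlv_type == TLV_ADDRESSES and len(value) >= 4:
            count, p = struct.unpack("!I", value[:4])[0], 4
            for _ in range(count):
                if p + 4 > len(value):
                    raise ValueError("truncated address entry")
                proto_len = value[p + 1]
                proto = value[p + 2:p + 2 + proto_len]
                alen = struct.unpack("!H", value[p + 2 + proto_len:p + 4 + proto_len])[0]
                raw = value[p + 4 + proto_len:p + 4 + proto_len + alen]
                if len(raw) != alen:
                    raise ValueError("address entry out of bounds")
                if proto == b"\xcc" and alen == 4:  # NLPID 0xCC = IPv4
                    info["addresses"].append(".".join(str(b) for b in raw))
                p += 4 + proto_len + alen
        off += tlv_len
    return info


def is_well_formed(frame: bytes) -> bool:
    """True when the frame parses cleanly (checksum and all TLV bounds valid)."""
    try:
        parse_cdp_frame(frame)
        return True
    except ValueError:
        return False


# Constructed sample advertisement: a switch with IGMP snooping, one IPv4 management address.
SAMPLE_FRAME = build_cdp_frame("00:d0:ba:11:22:33", "Switch-A", "10.1.1.2", "FastEthernet0/1",
                               0x08 | 0x20, "Cisco IOS 12.2", "cisco WS-C2950-24", 1, True)

if __name__ == "__main__":
    print(parse_cdp_frame(SAMPLE_FRAME))
```

Everything the parser returns for the sample frame (device name, platform, software version, port, native VLAN and management address) is exactly what a passive listener on the same segment learns without sending a single packet, which is the practical reason behind disabling CDP on untrusted ports. The bounds checks on the wire-supplied TLV and address lengths are the part worth copying into any real decoder.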
On an IOS-based switch, CDP is enabled by default. To disable CDP on a single interface, use the following command in interface configuration mode (the global form, no cdp run, disables CDP on the whole switch):
Switch(config-if)# no cdp enable
To re-enable CDP, use the same command without the no keyword. To view the information an IOS-based switch has learned from the CDP advertisements of neighboring Cisco devices, use one of the following commands:
Switch# show cdp interface [ type module_number/port_number ]
or
Switch# show cdp neighbors [ type module/port ] [ detail ]
The first command displays CDP information pertaining to a specific interface. If the type, module_number, and port_number are not specified, CDP information for all interfaces is listed. The second command displays CDP information about neighboring Cisco devices. If the detail keyword is used, all CDP information about each neighbor is displayed.
CDP is also enabled by default on a CLI-based switch. You can enable or disable CDP by using the following command:
Switch(enable) set cdp {enable | disable} module_number/port_number
In this command, module_number and port_number can be specified to enable or disable CDP on that specific port; if they are omitted, CDP is enabled or disabled for all ports on the switch. To view information learned from CDP advertisements of neighboring Cisco devices, use the following command:
Switch(enable) show cdp neighbors [ module_number/port_number ] [ vlan | duplex | capabilities | detail ]
Again, module_number and port_number can be specified to view only the information learned via that port. The vlan keyword displays the native VLAN numbers of neighboring devices. The duplex keyword displays the duplex setting of each neighboring device. The capabilities keyword displays capability codes for the neighboring devices. The detail keyword displays all available CDP information about each neighboring device, including the IP address assigned to the neighboring interface or management interface.
2.3.5: Switch Clustering and Stacking
Up to 16 Cisco switches can be grouped into a management cluster, regardless of their physical location on the network. An entire cluster of switches can then be managed through a single IP address, that of the command switch, and cluster management can be performed through the HTML, IOS-based and SNMP-based management interfaces on that switch. Because the command switch's address is the single point of management for every member, the remote-access protections from 2.3.3 matter most on that switch.
Cluster discovery takes place once a command switch has been assigned an IP address and configured as a command switch. CDP messages are used to discover neighboring switches that are candidates for cluster membership. However, cluster discovery takes place only on switch ports that are assigned and connected to the default management VLAN, VLAN 1. Also, the command switch can only discover switches that are directly connected to it; other switches daisy-chained behind the directly connected neighbors can be added to the cluster manually. To configure a switch to become the command switch for a cluster, assign an IP address to the management interface and then use the following command in global configuration mode:
Switch(config)# cluster enable cluster_name