Module 6: Switch Configuration  
6.1 Starting the Switch 
   
6.1.1 Physical startup of the Catalyst switch 

Switches are dedicated, specialized computers that contain a central processing unit (CPU), random access memory (RAM), and an operating system. As shown in the figure, a switch usually has a number of ports to which hosts connect, as well as specialized ports reserved for management. The switch is managed, and its configuration viewed and changed, through the console port.

Several switches from the Cisco Catalyst 2900 series are shown in the figure, in 12-port, 24-port, and 48-port models. The top two are fixed-configuration symmetrical switches that offer FastEthernet on all ports, or a combination of 10 Mbps and 100 Mbps ports. The next three are asymmetrical models with two fixed fiber or copper Gigabit Ethernet ports. The bottom four are asymmetrical models with modular Gigabit Interface Converter (GBIC) slots, which accept a range of copper and fiber media options.

6.1.2 Switch LED indicators 

The front panel of a switch carries several lights, called light-emitting diodes (LEDs), that help monitor system activity and performance. This page describes the LEDs on the front of the switch.

The System LED shows whether the system is receiving power and functioning correctly.

The RPS LED shows whether a Redundant Power System (RPS) is connected and in use.

The Mode LEDs indicate the state of the Mode button. The selected mode determines how the Port Status LEDs are to be interpreted. To select or change the port mode, press the Mode button repeatedly until the Mode LEDs show the desired mode.

The figure describes the Port Status LED colors; their meaning depends on which mode the Mode LEDs currently indicate.

6.1.3 Verifying port LEDs during switch POST 

Once the power cable is connected, the switch runs a series of tests called the power-on self test (POST). POST runs automatically to verify that the switch functions correctly, and the System LED reports its result. If the System LED is off while the switch is plugged in, POST is still running. If the System LED is green, POST succeeded. If the System LED is amber, POST failed. A POST failure is a fatal error: the switch should not be expected to operate reliably.

The Port Status LEDs also change during POST. They turn amber for about 30 seconds while the switch discovers the network topology and searches for loops; this is the spanning-tree listening and learning period, and a newly connected host cannot pass traffic through the port until it ends. When a Port Status LED turns green, the switch has established a link between that port and a device, such as a computer. When a Port Status LED goes off, the switch has determined that nothing is connected to the port.

6.1.4 Viewing initial bootup output from the switch 

To configure a switch or check its status, connect a computer to it and establish a terminal session. Use a rollover cable to connect the console port on the back of the switch to a COM (serial) port on the computer.

Start HyperTerminal on the computer; a dialog window appears. When the HyperTerminal connection to the switch is set up for the first time, it must be given a name. Select the COM port to which the switch is connected from the pull-down menu and click OK. A second dialog window appears. Set the port parameters as shown in the figure (the Cisco console default is 9600 bits per second, 8 data bits, no parity, 1 stop bit, and no flow control) and click OK.

Plug the switch into a wall outlet. The initial bootup output from the switch is displayed on the HyperTerminal screen. This output shows information about the switch, details of the POST status, and data about the switch hardware.

After the switch has booted and completed POST, it prompts to enter the System Configuration dialog. The switch may be configured manually with or without the help of this dialog, which is simpler on a switch than on a router. Note that anyone who can reach the console port gets this same session, and in the default configuration no password protects it, so the console port is part of the switch's physical attack surface.

6.1.5 Examining help in the switch CLI 

The CLI for Cisco switches is very similar to the CLI for Cisco routers.

To use the help system, enter a question mark (?). Entered on its own, ? lists the commands available in the current mode; entered immediately after a partial word (for example sh?), it lists the commands that begin with those letters; entered after a complete command and a space (for example show ?), it lists the arguments that command accepts.

6.1.6 Switch command modes 

The default mode is User EXEC mode, which is recognized by its prompt ending in a greater-than character (>).

The enable command is used to enter Privileged EXEC mode from User EXEC mode. Privileged EXEC mode is likewise recognized by its prompt, which ends in a pound-sign character (#). Global configuration mode, in which the switch is actually configured, is entered from Privileged EXEC mode with the configure terminal command, and its prompt ends in (config)#.

 
6.2 Configuring the Switch 
   
6.2.1 Verifying the Catalyst switch default configuration 

When powered up for the first time, a switch has default data in its running configuration file. The default hostname is Switch. No passwords are set on the console line or the virtual terminal (vty) lines.

A switch may be given an IP address for management purposes. It is configured on the virtual interface for VLAN 1. By default, the switch has no IP address, so in the default state the console is the only way in.

The switch ports (interfaces) are set to auto-negotiate speed and duplex, and all ports are in VLAN 1, which is known as the default management VLAN.

By default, the flash directory holds the file containing the IOS image, a file called env_vars, and a subdirectory called html. Once the switch has been configured, flash also holds a file called config.text (the saved configuration) and the VLAN database, vlan.dat. As the figure shows, in the default state flash contains neither config.text nor vlan.dat.

The IOS version and the configuration register setting can be verified with the show version command.

In this default state the switch forms one broadcast domain, and the CLI can be used to manage and configure it through the console port. The Spanning-Tree Protocol is also enabled, allowing the bridge to build a loop-free topology across an extended LAN.

For a small network, the default configuration may be sufficient, and the performance benefit of microsegmentation is obtained immediately. It should not be left that way once the switch is given a management address, though: the passwords described in 6.2.8 need to be in place before the switch can be reached over the network.

6.2.2 Configuring the Catalyst switch 

If a switch has already been configured, entering the passwords set for User EXEC and Privileged EXEC modes may be all that is needed to gain access. Configuration mode is entered from Privileged EXEC mode.

In the CLI, the default Privileged EXEC mode prompt is Switch#. In User EXEC mode the prompt is Switch>.

The following steps ensure that a new configuration completely overwrites the current one:

Lab Exercise: Basic Switch Configuration

In this lab, the student will configure a switch with a name and an IP address.
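The list of steps that 6.2.2 introduces did not survive in this copy of the page. As an added example (not the curriculum's own text), this is the full sequence on a Catalyst 2950: erase the saved configuration and the VLAN database, reload, then apply the kind of baseline configuration the lab asks for. The hostname Access1, the address 192.168.1.2/24, the gateway 192.168.1.1 and the bracketed secrets are placeholders, not values from the page.

```cisco
! Step 1: remove the saved configuration and the VLAN database, then reload.
! The running configuration lives in RAM and is discarded by the reload;
! config.text and vlan.dat are the files in flash that would otherwise be
! read back at boot. Each command asks for confirmation; press Enter.
Switch#erase startup-config
Switch#delete flash:vlan.dat
Switch#reload
! Answer "no" if asked to save, and "no" to the System Configuration dialog.

! Step 2: baseline configuration. Names, addresses and secrets are placeholders.
Switch>enable
Switch#configure terminal
Switch(config)#hostname Access1
! enable secret is stored as a salted MD5 hash (type 5); prefer it to enable password.
Access1(config)#enable secret <strong-enable-secret>
! Line passwords are stored in cleartext unless this is set; type 7 is only
! obfuscation and is trivially reversible, so treat the config file as sensitive.
Access1(config)#service password-encryption
Access1(config)#line console 0
Access1(config-line)#password <console-password>
Access1(config-line)#login
Access1(config-line)#exec-timeout 5 0
Access1(config-line)#exit
! The 2950 has vty lines 0 to 15; cover all of them, not just 0 to 4.
Access1(config)#line vty 0 15
Access1(config-line)#password <vty-password>
Access1(config-line)#login
Access1(config-line)#exec-timeout 5 0
Access1(config-line)#exit
! Management address on the VLAN 1 virtual interface, plus the default gateway.
Access1(config)#interface vlan 1
Access1(config-if)#ip address 192.168.1.2 255.255.255.0
Access1(config-if)#no shutdown
Access1(config-if)#exit
Access1(config)#ip default-gateway 192.168.1.1
Access1(config)#end

! Step 3: verify, then save so the configuration survives the next reload.
Access1#show running-config
Access1#copy running-config startup-config
```

The order matters for security: the enable secret and the line passwords go in before the VLAN 1 address is brought up, so there is no window in which the switch is reachable over the network without a password.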

6.2.3 Managing the MAC address table  

A switch examines the source address of each frame received on its ports to learn the MAC addresses of the PCs or workstations connected to it. The learned addresses are recorded in a MAC address table. A frame whose destination MAC address is in the table can then be switched out of the correct interface alone, rather than flooded to every port.

The show mac-address-table command, entered in Privileged EXEC mode, displays the addresses a switch has learned.

A switch dynamically learns and maintains thousands of MAC addresses. To conserve memory and keep the switch operating correctly, learned entries are eventually discarded from the MAC address table. Machines may have been unplugged from a port, powered off, or moved to another port on the same switch or to a different switch, and a stale entry would then send their frames to the wrong port. For all these reasons, if no frames carrying a previously learned source address are seen for 300 seconds (the default aging time), the entry is automatically discarded, or aged out.

Rather than wait for a dynamic entry to age out, a network administrator can use the clear mac-address-table command in Privileged EXEC mode. MAC address entries configured by an administrator can also be removed with this command. Clearing the table this way ensures that invalid addresses are removed immediately.

6.2.4 Configuring static MAC addresses 

A MAC address can be permanently assigned to an interface. Reasons for assigning a permanent MAC address to an interface include:

The following command configures a static MAC address on a Catalyst 2950. The command reference lists the VLAN before the interface, and the VLAN argument is a VLAN ID, not a name:

Switch(config)#mac-address-table static <mac-address of host> vlan <vlan-id> interface FastEthernet <port number>

The following command removes a static MAC address again:

Switch(config)#no mac-address-table static <mac-address of host> vlan <vlan-id> interface FastEthernet <port number>
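As an added example covering both 6.2.3 and 6.2.4 (it is not a session from the page), the following Privileged EXEC session on a Catalyst 2950 inspects the MAC address table, flushes dynamic entries, and pins a server's address to its port. The hostname Access1, the MAC address 0001.9602.7a1b and the port numbers are placeholders.

```cisco
! Inspect what the switch has learned. The aging-time line shows the 300 s default.
Access1#show mac-address-table
Access1#show mac-address-table aging-time
Access1#show mac-address-table dynamic
! Narrow the view to one station, or to one port (e.g. to see who is behind it).
Access1#show mac-address-table address 0001.9602.7a1b
Access1#show mac-address-table interface FastEthernet0/3

! Flush dynamic entries now instead of waiting 300 s, for the whole table
! or for a single port after a host has been moved.
Access1#clear mac-address-table dynamic
Access1#clear mac-address-table dynamic interface FastEthernet0/3

! Pin a server's MAC address (placeholder) to FastEthernet0/5 in VLAN 1 so that a
! host elsewhere claiming the same source address cannot steer the table entry
! away from the real port; then confirm the entry is listed as STATIC.
Access1#configure terminal
Access1(config)#mac-address-table static 0001.9602.7a1b vlan 1 interface FastEthernet0/5
Access1(config)#end
Access1#show mac-address-table static

! Remove the static entry with the no form of the same command.
Access1#configure terminal
Access1(config)#no mac-address-table static 0001.9602.7a1b vlan 1 interface FastEthernet0/5
Access1(config)#end
```

A static entry is never aged out, which is the point of it, so keep a record of each one: a stale static entry after a server move silently blackholes that server's traffic until someone finds it.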

6.2.5 Configuring port security 

Network security is an important responsibility of the network administrator. Access-layer switch ports are reachable through the structured cabling at wall outlets, and anyone can plug a PC or laptop into one of those outlets. That makes every such port a potential entry point for unauthorized users. Switches provide a feature called port security for this: the number of MAC addresses that can be learned on an interface can be limited, and the switch can be configured to take an action when the limit is exceeded. The same limit blunts MAC-flooding attacks, which try to fill the address table with bogus source addresses until the switch falls back to flooding traffic out of every port. Secure MAC addresses can be configured statically, but doing so port by port is laborious and error-prone.

The alternative is to enable port security on the switch interface and let the switch learn the address. The number of MAC addresses per port can be limited to 1; the first address dynamically learned on the port then becomes its secure address. The default action on a violation is to shut the port down (it is placed in the err-disabled state), after which an administrator must bring it back with shutdown followed by no shutdown.

To remove port security from an interface, use the no form of the command.

Port security status is verified with the show port-security command (show port-security interface <interface> shows a single port, including its secure address and violation count).

Lab Exercise: Configuring Port Security

In this lab, the student will configure port security on individual FastEthernet ports.
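An added example (not from the page) of the configuration described in 6.2.5, on a Catalyst 2950: one secure address per access port, learned automatically and made persistent with sticky learning, followed by the verification and recovery commands needed after a violation. The hostname Access1 and the port number are placeholders.

```cisco
Access1#configure terminal
Access1(config)#interface FastEthernet0/3
! Port security is rejected on a port whose trunking mode is dynamic, so make it
! a plain access port first.
Access1(config-if)#switchport mode access
Access1(config-if)#switchport port-security
Access1(config-if)#switchport port-security maximum 1
! shutdown (the default) err-disables the port on a violation; restrict drops the
! offending frames and counts them; protect drops them silently. Pick shutdown
! where you want a violation to be noticed, restrict where uptime matters more.
Access1(config-if)#switchport port-security violation shutdown
! sticky: the first address learned is written into the running configuration
! as a secure address, so it survives a reload once the configuration is saved.
! If this image rejects "sticky", pin the address explicitly instead with
! switchport port-security mac-address <mac-address>.
Access1(config-if)#switchport port-security mac-address sticky
Access1(config-if)#end
Access1#copy running-config startup-config

! Verify: summary for the whole switch, the per-port view with the secure address
! and the violation count, and the table of secure addresses.
Access1#show port-security
Access1#show port-security interface FastEthernet0/3
Access1#show port-security address

! Recovering a port that was err-disabled by a violation: bounce it by hand,
! after finding out what was plugged in.
Access1#configure terminal
Access1(config)#interface FastEthernet0/3
Access1(config-if)#shutdown
Access1(config-if)#no shutdown
Access1(config-if)#end

! Undo: the no form removes port security from the interface.
Access1#configure terminal
Access1(config)#interface FastEthernet0/3
Access1(config-if)#no switchport port-security
Access1(config-if)#end
```

With sticky learning the first device to connect after the command is entered becomes the permitted one, so apply it while the intended host is the only thing on the port, then save; a desk move afterwards needs the old sticky entry removed before the new host will work.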

6.2.6 Executing adds, moves, and changes 

The following parameters should be configured on a new switch that is added to a network:

When a host is moved from one port or switch to another, any configuration tied to the old location that could cause unexpected behavior, such as a static MAC address entry or a port-security secure address for that host, should be removed. The switch can then be reconfigured to reflect the change.

Lab Exercise: Add, Move, and Change MAC Addresses

In this lab, the student will create and verify a basic switch configuration.

6.2.7 Managing switch operating system file 

Network administrators should document and maintain the operational configuration files of their network devices. The most recent running-configuration file should be backed up to a server or disk. This is essential documentation, and it is what makes a configuration restorable. A configuration backup contains the device's password material (the enable secret hash and any type 7 line passwords, which are reversible), so the backup location must be protected as carefully as the switch itself, and TFTP, which is unauthenticated and unencrypted, should be confined to the management network.

The IOS image should also be backed up to a local server, so that it can be reloaded into flash memory if needed.

Lab Exercise: Managing Switch Operating System Files

In this lab, the student will create and verify a basic switch configuration, back up the switch IOS to a TFTP server, and then restore it.
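An added example (not from the page) of the backup and restore described in 6.2.7, using TFTP from a Catalyst 2950. The hostname Access1, the TFTP server 192.168.1.50 and the file names are placeholders; the image name must be taken from show flash: on the actual switch. The indented lines are the prompts IOS issues for each copy and the answers typed to them.

```cisco
! Find the exact image file name and confirm which image is running.
Access1#show flash:
Access1#show version

! Back up the running configuration. The file carries the enable secret hash and
! any type 7 passwords, so restrict who can read the TFTP directory.
Access1#copy running-config tftp:
Address or name of remote host []? 192.168.1.50
Destination filename [access1-confg]? access1-confg.bak

! Back up the IOS image under its own name, taken from show flash: above.
Access1#copy flash:<image-name>.bin tftp:
Address or name of remote host []? 192.168.1.50
Destination filename [<image-name>.bin]?

! Restore a configuration. Copying into running-config MERGES the file with what
! is already running (commands already present are not removed); copying into
! startup-config REPLACES the saved file, and a reload then applies it cleanly.
Access1#copy tftp: running-config
Address or name of remote host []? 192.168.1.50
Source filename []? access1-confg.bak
Destination filename [running-config]?
Access1#copy tftp: startup-config
Address or name of remote host []? 192.168.1.50
Source filename []? access1-confg.bak
Destination filename [startup-config]?

! Restore the image, then check it is present in flash before reloading.
Access1#copy tftp: flash:
Address or name of remote host []? 192.168.1.50
Source filename []? <image-name>.bin
Destination filename [<image-name>.bin]?
Access1#show flash:
```

Because copying into running-config merges rather than replaces, a rollback to a known-good configuration is only trustworthy when done through startup-config and a reload.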

6.2.8 1900/2950 password recovery 

For security and management purposes, passwords must be set on the console and vty lines. An enable secret must also be set; the older enable password, which IOS stores in cleartext or in reversible type 7 form, is ignored whenever an enable secret exists, so the secret is the one that matters. These measures help ensure that only authorized users can reach the User and Privileged EXEC modes of the switch.

There will be situations where physical access to the switch is available but User or Privileged EXEC mode cannot be entered because the passwords are not known or have been forgotten.

In those situations a password recovery procedure must be followed. Bear in mind that the procedure needs nothing more than the console port and the ability to power-cycle the switch, so it is equally available to an intruder in the wiring closet; the passwords protect the switch only as far as physical access to it is controlled.

Lab Exercise: Password Recovery Procedure on a Catalyst 2900 Series Switch

In this lab, the student will reset the console password and recover access to the switch.
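For reference, the procedure Cisco documents for the Catalyst 2950 family, reconstructed here as an added example (it is not text from the page). It works from the ROM monitor's switch: prompt, reached by holding the Mode button while power is reconnected; the exact moment to release the button differs between models, so check the recovery document for the platform in hand. The new secret is a placeholder.

```cisco
! 1. With a console session open, unplug the power. Hold the Mode button, plug the
!    power back in, and release the button once the LED above port 1 goes out.
!    The switch stops at the ROM monitor instead of booting IOS.

! 2. Initialise the flash file system and move the saved configuration aside so
!    the switch boots with no passwords. Nothing is deleted.
switch: flash_init
switch: load_helper
switch: dir flash:
switch: rename flash:config.text flash:config.old
switch: boot

! 3. Decline the setup dialog, then put the original configuration back and load
!    it into memory. Privileged EXEC is reachable because no secret is in effect.
Switch>enable
Switch#rename flash:config.old flash:config.text
Switch#copy flash:config.text system:running-config

! 4. Set new credentials and save, which overwrites the old hashes in config.text.
Switch#configure terminal
Switch(config)#enable secret <new-enable-secret>
Switch(config)#line console 0
Switch(config-line)#password <new-console-password>
Switch(config-line)#exit
Switch(config)#line vty 0 15
Switch(config-line)#password <new-vty-password>
Switch(config-line)#end
Switch#copy running-config startup-config
```

Everything in the configuration, including the VLAN database and any port-security entries, survives this procedure; only the credentials change. That is exactly why it is a risk: an intruder with a few minutes alone with the switch can do the same and leave no trace beyond a reboot in the uptime shown by show version.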

6.2.9 1900/2950 firmware upgrade 

IOS and firmware images are released periodically with bug fixes, new features, and performance improvements. If a new IOS version makes the network more secure or lets it operate more efficiently, the IOS should be upgraded.

To upgrade the IOS, download a copy of the new image to a local server from the Cisco Connection Online (CCO) Software Center, and compare its MD5 checksum with the value published alongside the download before copying it to the switch.

Lab Exercise: Firmware Upgrade of a Catalyst 2950 Series Switch

In this lab, the student will create and verify a basic switch configuration, then upgrade the IOS and HTML files from a file supplied by the instructor.