Cisco 3550 Switch Ios


Apr 19, 2017. The Cisco Catalyst® 3550 Series Intelligent Ethernet Switches is a line of enterprise-class, stackable, multilayer switches that provide high availability, security and quality of service (QoS) to enhance the operation of the network. Cisco delivers innovative software-defined networking, cloud, and security solutions to help transform your business, empowering an inclusive future for all.

Real World Application

This lab will help you identify the Cisco Internetwork Operating System (Cisco IOS) running on a Cisco device. Knowing what Cisco IOS Version and Feature Set is running on your Cisco devices is crucial to planning and deploying required features. Think of Feature Sets as Windows Vista distributions: you have Basic, Home Edition, Home Premium, Business, Ultimate and Enterprise. In Cisco IOS, we have similar distributions called “Feature Sets” that dictate which features will be available for you to configure. Each feature set has a different price. Some feature sets contain the same features as others; this will be discussed later in the lab.

Lab Prerequisites

  • Complete Lab 1.2 before attempting this lab or have a current Cisco console session open to your Cisco device.

Lab Objectives

  • Identify what IOS Version and Features Set your Cisco device is currently running.

Lab Instruction

There are several ways to identify which Cisco IOS your Cisco device is running. The first is to examine the boot dispatch, which displays the image name that is loaded from flash; that name can in turn be used to identify the IOS Version and Feature Set of the image.

Provided below is an example of the required dispatch from the boot process which can be used to identify which IOS Version and Feature Sets the router is currently loading.

Turn your attention to line 2, where you see C3620-IK9O3S7-M; this displays the features that are included in the image and the loading type (which will be discussed later) for the image that is currently being loaded by the router. Following the feature set being loaded, you can also see the version of the IOS. As shown in this example, the router is currently booting IOS Version 12.3(25).

The most common way of obtaining IOS identification information is by using the show version command. This command shows various information pertaining to the Cisco IOS Version and Feature Set as well as hardware information about the router.

The textbox below shows the dispatch of the show version command.

As you can see, lines 2, 3 & 4 are identical to the previously discussed boot dispatch information. However, take a look at line 13 and you’ll see System image file is “flash:c3620-ik9o3s7-mz.123-25.bin”. This is the actual image file name that is currently running on the router. This image name is very helpful in identifying the IOS Version and Feature Set.

Prior to Cisco IOS Version 12.4, Cisco had a very complex naming convention for their Feature Sets. This naming convention consisted of letters identifying certain features in the image.

Below is a chart of common identification letters from the older naming convention:

Image Letter | Feature Set
I | IP
Y | IP on 1700 Series Platforms
S | IP Plus
S6 | IP Plus – No ATM
S7 | IP Plus – No Voice
J | Enterprise
O | IOS Firewall/Intrusion Detection
K | Cryptography/IPSEC/SSH
K8 | 56-bit DES Encryption (Weak Cryptography)
K9 | 3DES/AES Encryption (Strong Cryptography)
X | H323
G | Services Selection Gateway (SSG)
C | Remote Access Server or Packet Data Serving Node (PDSN)
B | Apple Talk
N | Novell IP/IPX
V | Vox
R | IBM
U | Unlawful Intercept
P | Service Provider
Telco | Telecommunications Feature Set
Boot | Boot Image (Used on high end routers/switches)

Now let’s break down the naming convention of the image name for our previous image; flash:c3620-ik9o3s7-mz.123-25.bin;

Now let’s break down the Features included with this image as shown below;

i = IP
k9 = Strong Cryptography (3DES / AES)
o3 = IOS Firewall/Intrusion Detection
s7 = Plus (7 = No Voice)

Official Image Name: Cisco 3620 12.3(25) IP/FW/IDS PLUS 3DES IPSEC NO VOICE


Many images differ in how they load and their compression. As these features are also identified in the image name below, the following chart will identify execution types and compression formats.

Image Letter | IOS Boot Location
f | The image executes from Flash memory.
m | The image executes from RAM.
r | The image executes from ROM.
l | The image is relocatable.
z | The image is compressed using ZIP format.
x | The image is compressed using MZIP format.
w | The image is compressed using STAC format.

The example 3620 image used in this lab executes from RAM and uses ZIP compression.
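One way to turn the two charts above into an inventory check, as an added example that is not part of the original lab: a Python decoder that splits an image name into platform, feature set, version, execution location and compression, and reports whether the name carries the k8 or k9 cryptography marker. The function name and returned field names are assumptions; the new-style package names it recognises are the ones in the example images further down this page.

```python
import re

# Legacy (pre-12.4) feature letters, taken from the chart on this page.
FEATURES = {
    "i": "IP", "y": "IP on 1700 Series Platforms", "s": "IP Plus",
    "s6": "IP Plus - No ATM", "s7": "IP Plus - No Voice", "j": "Enterprise",
    "o": "IOS Firewall/Intrusion Detection", "k": "Cryptography/IPSEC/SSH",
    "k8": "56-bit DES (weak cryptography)",
    "k9": "3DES/AES (strong cryptography)",
    "x": "H323", "g": "Services Selection Gateway", "b": "Apple Talk",
    "c": "Remote Access Server or PDSN", "n": "Novell IP/IPX", "v": "Vox",
    "r": "IBM", "u": "Unlawful Intercept", "p": "Service Provider",
}
# New-style package names that appear in this page's example images.
NEW_STYLE = {"ipbase", "ipservices", "advipservices", "adventerprise", "universal"}
CRYPTO = {"k9": "strong", "k8": "weak", "k": "unspecified"}
RUNS_FROM = {"f": "Flash", "m": "RAM", "r": "ROM"}
COMPRESSION = {"z": "ZIP", "x": "MZIP", "w": "STAC"}

def decode_image(name):
    """Split an IOS image file name into the fields described on this page."""
    base = name.rsplit(":", 1)[-1]                 # drop a "flash:" prefix
    base = base[:-4] if base.endswith(".bin") else base
    parts = base.split("-", 2)
    if len(parts) != 3 or "." not in parts[2]:
        raise ValueError(f"unrecognised image name: {name!r}")
    platform, feats, rest = parts
    load, ver = rest.split(".", 1)
    m = re.fullmatch(r"(\d{2})(\d)-(\d+)\.?([A-Za-z]\w*)?", ver)
    if not m:
        raise ValueError(f"unrecognised version field: {ver!r}")
    tokens = re.findall(r"[a-z]\d*", feats)        # "ik9o3s7" -> i, k9, o3, s7
    if re.sub(r"k[89]$", "", feats) in NEW_STYLE:
        features = [feats]                         # package name, not letter codes
    else:                                          # exact code first, then bare letter
        features = [FEATURES.get(t) or FEATURES.get(t[0], "unlisted: " + t)
                    for t in tokens]
    return {
        "platform": platform,
        "version": f"{m[1]}.{m[2]}({m[3]}){m[4] or ''}",
        "features": features,
        "crypto": next((CRYPTO[t] for t in tokens if t in CRYPTO), "none"),
        "runs_from": next((RUNS_FROM[c] for c in load if c in RUNS_FROM), None),
        "compression": next((COMPRESSION[c] for c in load if c in COMPRESSION), None),
    }
```

Run over a list of image names collected from show version output, the crypto field separates images with the k9 marker from those with k8 or no marker at all.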

As of 2006, Cisco has introduced a new naming convention for feature sets. This new naming convention started in 12.3 and was implemented as the feature set naming standard in 12.4.

Below is a feature tree comprised of the new naming convention used for Cisco router images 12.3T and greater;

You can see that IP Base is the basic image, from this image it branches off into IP Voice, Advanced Security or Enterprise Base.

IP Voice also has an upgrade to Service Provider Services, which includes SP Services Features, IP Voice Features and IP Base features.

Only “Advanced” images contain Advanced Encryption Standard (AES) cryptography.

The following categories summarize the new naming convention:

Feature Set | Description
Base | Entry level image (IP Base, Enterprise Base)
Services | Addition of IP Telephony Service, MPLS, Voice over IP, Voice over Frame Relay and ATM (Included in SP Services, Enterprise Services)
Advanced | Addition of VPN, Cisco IOS Firewall, 3DES encryption, SSH, Cisco IOS IPSec and Intrusion Detection Systems (IDS) (Advanced Security, Advanced IP Services)
Enterprise | Addition of multi-protocols, including IBM, IPX, AppleTalk (Enterprise Base, Enterprise Services)

Just like the new naming convention for Cisco Router IOS, Cisco has given the Switch IOS a new naming convention as well. This naming convention is very similar to the router IOS naming convention. Shown below is a feature tree of the new switch IOS naming convention;

Below are some examples of images using the new Cisco naming convention;

Example images for a Cisco 2800 Series Router:

c2800nm-adventerprisek9-mz.124-21.bin
c2800nm-ipbase-mz.124-21.bin

Example Images for a Cisco Catalyst 3750 Series Switch:

c3750-advipservicesk9-mz.122-44.SE.bin
c3750-ipservicesk9-mz.122-44.SE.bin
c3750-ipbase-mz.122-44.SE.bin

IP Base, formerly known as the Standard Multilayer Image (SMI) on Cisco Catalyst 3550 Series switches, includes advanced quality of service, rate limiting, access control lists (ACLs) and basic static and RIP routing functionality.

IP Services, formerly known as the Enhanced Multilayer Image (EMI) on Cisco Catalyst 3550 Series switches, has a more feature-rich set of enterprise-class routing functionality as well as advanced hardware-based IP unicast and IP multicast routing and policy-based routing (PBR).

Advanced IP Services is not available as a pre-installed license but is available as an upgrade license. This feature set includes IPv6 routing and IPv6 ACL support.

Enterprise Services & Advanced Enterprise Services are the cream of the crop. These images include all features available to the platform; these licenses are also the most expensive. They are only supported on various modular switches such as the Catalyst 4500, 4900, 6500 and others.

Below are a few examples of switch models you can purchase and the software license that’s bundled with the platform(s).

C3560-24PS-S = Cisco 3560 Series 24 Ports PoE with Standard Image (IP Base)
C3750-48TS-E = Cisco 3750 Series 48 Port Non-PoE with Enhanced Image (IP Services)

The Cisco Catalyst 2960 Series has a different license model due to the switch being strictly layer 2. The Catalyst 2960 Series license model is similar to that of the Catalyst 2950 Series, which includes two separate feature sets, Standard Image and Enhanced Image; however, the new feature sets are called LAN LITE & LAN BASE. These new feature sets differ significantly, including in Quality of Service (QoS), Gigabit Ethernet support, RPS, Rapid Spanning Tree, Link State Tracking, 802.1x enhancements, DHCP Snooping and many more features, which can be found on the Cisco website.

Cisco IOS 15.0 was released October 1st 2009, and with this new mainline IOS release we’ll see the use of the Universal Image. The feature sets have not changed, but with these new universal images, feature sets have to be licensed using a license file stored in NVRAM. Upon boot, the IOS looks at this license file and activates the features specified in the license, that is, the ones you’ve purchased.

Each license file is specific to a platform serial number, so license files will not be swappable. No doubt with all the Cisco IOS piracy that occurs in the Cisco networking world today, Cisco Systems is losing millions if not billions in license profit.

The next generation Integrated Services Routers which include the 1900 Series, 2900 Series and 3900 Series will use a single universal image file and require feature sets to be licensed. As part of the license management suite, Cisco offers a license management server as well as an IOS feature that can automatically download the license file from Cisco if your router is able to access the internet.

Cisco also utilized this technology with the 3560E and 3750E Switches. Example IOS IMAGE names shown below;

c3560e-universalk9-mz.122-50.SE2.bin
c3750e-universalk9-mz.122-50.SE2.bin
c3900-universalk9-mz.150-1M.bin


Catalyst 3550 Security

Because the 3550 family of Catalyst switches uses the IOS-based command-line interface, the handling of the basic security features on the switch is virtually the same as it is on the router. By the time this book is released, the 3550 switches will even offer full support of routing protocol security. For now, use Access Control Lists (ACLs), covered in Chapter 16, to enforce remote administration security.

A few security concepts, however, remain specific to the Catalyst switch. Among them are the network security configuration with ACLs, mentioned in the preceding paragraph, and L2VPN, covered in Chapter 25, 'Internet Service Provider Security Services.' In this lesson, you concentrate on port-based traffic control configuration.


Lesson 15-4: Port-Based Traffic Control

This lesson discusses how to configure the port-based traffic control features on your switch. The lesson consists of the following configuration tasks:

  • Configuring storm control
  • Configuring protected ports
  • Configuring port blocking
  • Configuring port security
  • Port security aging

Configuring Storm Control

A LAN storm takes place when packets overflow the LAN, causing unnecessary traffic and diminishing network stability. Storm control or the traffic suppression feature configured on a physical interface prevents switchports on a LAN from being overwhelmed by a broadcast, multicast, or unicast storm. Storm control screens the incoming traffic over a period of 1 second and compares the amount with the control level threshold if one exists. If the threshold is exceeded, additional traffic is blocked until the continuing monitoring determines that incoming traffic fell below the threshold level, and traffic is then allowed to be forwarded again.

The switch handles separate storm control thresholds for broadcast, multicast, and unicast traffic. Interestingly, when broadcast or unicast thresholds are reached, traffic is suppressed for only that specific type. On the other hand, when the multicast traffic rate exceeds the threshold, all incoming traffic, except spanning-tree packets, including broadcast and unicast, is throttled until the level drops below the specified threshold.

Storm control on an interface is enabled separately for each type of traffic. The configured threshold level is the percentage of total available bandwidth that you want to serve as a limit indicator. The percentage can be from 1 to 100, with an optional fraction. The higher the level, the more packets are allowed to pass through. The default is no storm control, which translates into 100 percent threshold. In contrast, a value of 0.0 means that all port traffic is blocked for a particular type. The syntax for configuring traffic suppression is as follows:

Configuring Protected Ports

A protected port feature is used in those environments where no traffic can be forwarded between two ports on the same switch. This way, one neighbor connected to one port does not see the traffic that is generated by another neighbor connected to the second port. The blocking of traffic (unicast, broadcast, or multicast) only works when both ports are protected. When a protected port is communicating with an unprotected port, the traffic is forwarded in the usual manner. Once the ports are protected, traffic between them can only be forwarded by a Layer 3 device.

By default, the protected port feature is not enabled. You can configure protected ports on either a physical interface or an EtherChannel group. Once you enable the protected port feature on the latter, it is extended to all the group's ports. The following command sets port protection:


Configuring Port Blocking

The default behavior of a switch is to forward the packets with unknown destination MAC addresses to all its ports. This might not always be desirable, especially in terms of security. If you configure a port block feature, then depending on what type of traffic you specified, unicast or multicast packets are not forwarded from one port to another. Blocking unicast or multicast traffic is not automatically enabled, even on a protected port; you must manually define it.

As with the protected interface, you can configure blocking on a physical interface and an EtherChannel group. If blocking is configured on an EtherChannel, it applies to all ports in the group. To block unknown multicast or unicast packets from a port, use the following command:

Configuring Port Security

The port security feature is used to limit access to an interface to only those devices whose MAC address is identified as allowed and as long as the maximum number of allowed addresses is not already reached. In other words, if a port that is configured as secure recognizes that a station is trying to gain access, it checks whether the configured maximum number of secure MAC addresses has been exceeded. If it has not, the port checks the table of secure MAC addresses, and if the MAC address in question is not there yet, the port learns it and marks it as secure. If the preset maximum number has been reached, and the MAC address is not a member of the secure addresses, a security violation is noted. Similarly, the violation occurs when a device whose MAC address is known as secure on one secure port tries to access another secure port.


To configure a secure port, first set the physical interface's mode to 'access' because an interface in the default mode cannot be configured as a secure port:

Then, enable port security on that interface by using the following command:

Placement of the following three commands is optional because the exact commands you choose depend on the desired functional effect. The following command specifies the maximum number of secure MAC addresses for the interface (the number ranges from 1 to 128, with 128 being default):

Next, you can configure the interface to take one of the following actions in case of a security violation:

  • The protect keyword causes the packets with unknown source addresses to be dropped when the maximum threshold is reached.

  • The restrict keyword increments a violation counter.

  • The shutdown keyword, the default, deactivates the port immediately and sends an SNMP trap notification.

NOTE

If a secure port has been shut down as a result of a security violation, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually reenable it by entering the shutdown and no shutdown interface configuration commands.

Finally, to enter a secure MAC address for the interface, use the following command. If the number of manually defined addresses is less than the configured maximum, the rest are learned dynamically.

Port Security Aging

You can define an optional security-aging feature to cause all secure addresses to become obsolete without having to manually remove each of them. The types of aging mechanisms are as follows:

  • Absolute—Specifies an aging period after which the secure addresses on that port are deleted

  • Inactivity—Discards secure addresses only if they have been inactive for the specified aging time

The aging time command includes a number of arguments. The static keyword involves the manually configured addresses for the interface. The time keyword specifies the aging time, ranging from 0 to 1440 minutes. The type identifier indicates either absolute or inactivity, as follows:
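An added example, not taken from the original lesson: a Python check that walks a running configuration and reports, for each access port, which of the port-based controls described in this lesson are missing. The sample configuration is constructed for illustration; the function names, interface names and thresholds are assumptions.

```python
import re

# Constructed running-config excerpt; names and values are assumptions.
SAMPLE = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 switchport block unicast
 storm-control broadcast level 20.00
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 storm-control broadcast level 100.00
!
interface FastEthernet0/3
 switchport mode trunk
"""

def parse_interfaces(config):
    """Return {interface name: [stanza lines]} from running-config text."""
    ports, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None          # "!" or any global line ends the stanza
    return ports

def audit(config):
    """Findings per access port for the controls covered in this lesson."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue                # a secure port must be in access mode
        found = []
        if "switchport port-security" not in lines:
            found.append("port security not enabled")
        elif not any(l.startswith("switchport port-security maximum") for l in lines):
            found.append("maximum secure addresses left at default")
        levels = [float(m[1]) for l in lines
                  if (m := re.match(r"storm-control \w+ level (\d+(?:\.\d+)?)", l))]
        if not any(v < 100 for v in levels):   # 100 percent means no suppression
            found.append("no storm control below 100 percent")
        if "switchport block unicast" not in lines:
            found.append("unknown unicast flooding not blocked")
        report[name] = found
    return report
```

Calling audit(SAMPLE) returns an empty list for FastEthernet0/1, three findings for FastEthernet0/2, and skips the trunk port.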

Verification

The following examples display the outputs from a number of show commands on both switches that assist in the verification and monitoring of port-based traffic control.

Example 15-22 captures a portion of the 3550-A running configuration for interface FastEthernet0/1.

Example 15-22 Running Configuration of 3550-A

Example 15-23 shows a portion of the 3550-B running configuration for interface FastEthernet0/2.

Example 15-23 Running Configuration of 3550-B

Example 15-24 shows the output of the show interfaces fastEthernet switchport command for the 0/1 and 0/2 ports.


Example 15-24 The show interfaces fastEthernet switchport Command Output


Example 15-25 shows the output of the show storm-control command. You can use this command to view your storm control configuration per port.


Example 15-25 The show storm-control Command Output

Example 15-26 shows the ports configured as secure.


Example 15-26 The show port-security Command Output