eNSP - Multiplex Vlan ( private vlan )

Mux (multiplex) VLAN is Huawei's implementation of private VLAN. The concept of a private VLAN is to provide Layer 2 traffic isolation between ports.

Mux vlan includes three types of ports.

Mux Vlan port - A Mux Vlan is the master Vlan. A Mux Vlan port can communicate with all ports including separate and group ports. Vlans that correspond to the separate and group ports need to be bound to the Mux Vlan.

Subordinate Separate port - separate ports belong to a separate Vlan and can communicate with the Mux Vlan only. Traffic is forwarded to the related Mux Vlan port.

Subordinate Group port - group ports belong to the group Vlan and can communicate with each other and with the related Mux Vlan ports. Group ports and separate ports do not communicate with each other.

topology:


1 - Configure AR1: 

[AR1] interface g0/0/0
[AR1-GigabitEthernet0/0/0] ip address 192.168.0.254 24

2 - Configure S1:

[S1] vlan batch 5 7 10
[S1] vlan 10
[S1-Vlan10] mux-vlan
[S1-Vlan10] subordinate separate 5
[S1-Vlan10] subordinate group 7
[S1-Vlan10] quit
[S1] interface g0/0/1
[S1-GigabitEthernet0/0/1] port link-type access
[S1-GigabitEthernet0/0/1] port default vlan 5
[S1-GigabitEthernet0/0/1] port mux-vlan enable
[S1-GigabitEthernet0/0/1] interface g0/0/2
[S1-GigabitEthernet0/0/2] port link-type access
[S1-GigabitEthernet0/0/2] port default vlan 5
[S1-GigabitEthernet0/0/2] port mux-vlan enable
[S1-GigabitEthernet0/0/2] interface g0/0/3
[S1-GigabitEthernet0/0/3] port link-type access
[S1-GigabitEthernet0/0/3] port default vlan 5
[S1-GigabitEthernet0/0/3] port mux-vlan enable
[S1-GigabitEthernet0/0/3] interface g0/0/9
[S1-GigabitEthernet0/0/9] port link-type access
[S1-GigabitEthernet0/0/9] port default vlan 7
[S1-GigabitEthernet0/0/9] port mux-vlan enable
[S1-GigabitEthernet0/0/9] interface g0/0/10
[S1-GigabitEthernet0/0/10] port link-type access
[S1-GigabitEthernet0/0/10] port default vlan 7
[S1-GigabitEthernet0/0/10] port mux-vlan enable
[S1-GigabitEthernet0/0/10] interface g0/0/24
[S1-GigabitEthernet0/0/24] port link-type access
[S1-GigabitEthernet0/0/24] port default vlan 10
[S1-GigabitEthernet0/0/24] port mux-vlan enable

3 - Clients: 

Client1 - 192.168.0.1 255.255.255.0 / GW - 192.168.0.254
Client2 - 192.168.0.2 255.255.255.0 / GW - 192.168.0.254
Client3 - 192.168.0.3 255.255.255.0 / GW - 192.168.0.254

Client7 - 192.168.0.7 255.255.255.0 / GW - 192.168.0.254
Client8 - 192.168.0.8 255.255.255.0 / GW - 192.168.0.254

Connectivity test:

Clients in the subordinate separate Vlan will NOT be able to ping clients in the subordinate group Vlan or each other, but will be able to ping the gateway.




Clients in the subordinate group Vlan are able to ping the gateway and each other, but they are NOT able to ping clients in the subordinate separate Vlan.
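
The isolation rules from this lab as an added example (not part of the original post and not Huawei's code): it parses a shortened copy of the S1 transcript, applies the Mux VLAN forwarding rule as described above, and lists ports in a Mux or subordinate VLAN that lack "port mux-vlan enable". The function names and the role label "mux" are assumptions made for the example.

```python
import re

# Constructed sample: the S1 transcript from this lab, shortened to five ports.
TRANSCRIPT = """\
[S1] vlan 10
[S1-Vlan10] mux-vlan
[S1-Vlan10] subordinate separate 5
[S1-Vlan10] subordinate group 7
[S1-Vlan10] quit
[S1] interface g0/0/1
[S1-GigabitEthernet0/0/1] port default vlan 5
[S1-GigabitEthernet0/0/1] port mux-vlan enable
[S1-GigabitEthernet0/0/1] interface g0/0/2
[S1-GigabitEthernet0/0/2] port default vlan 5
[S1-GigabitEthernet0/0/2] port mux-vlan enable
[S1-GigabitEthernet0/0/2] interface g0/0/9
[S1-GigabitEthernet0/0/9] port default vlan 7
[S1-GigabitEthernet0/0/9] port mux-vlan enable
[S1-GigabitEthernet0/0/9] interface g0/0/10
[S1-GigabitEthernet0/0/10] port default vlan 7
[S1-GigabitEthernet0/0/10] port mux-vlan enable
[S1-GigabitEthernet0/0/10] interface g0/0/24
[S1-GigabitEthernet0/0/24] port default vlan 10
[S1-GigabitEthernet0/0/24] port mux-vlan enable
"""

def parse_mux_config(transcript):
    """Return (roles, ports): VLAN id -> role, port name -> {'vlan', 'mux'}."""
    roles, ports, vlan_ctx, port = {}, {}, None, None
    for line in transcript.splitlines():
        m = re.match(r"\[[^\]]*\]\s*(\S.*)", line)   # strip the "[S1-...]" prompt
        if not m:
            continue
        cmd = m.group(1).split()
        if cmd[0] == "vlan" and len(cmd) == 2:
            vlan_ctx = int(cmd[1])
        elif cmd == ["mux-vlan"]:
            roles[vlan_ctx] = "mux"
        elif cmd[0] == "subordinate":
            for v in cmd[2:]:
                roles[int(v)] = cmd[1]               # "separate" or "group"
        elif cmd[0] == "interface":
            port = cmd[1]
            ports.setdefault(port, {"vlan": 1, "mux": False})  # VLAN 1 is the default
        elif cmd[:3] == ["port", "default", "vlan"]:
            ports[port]["vlan"] = int(cmd[3])
        elif cmd == ["port", "mux-vlan", "enable"]:
            ports[port]["mux"] = True
    return roles, ports

def l2_allowed(roles, ports, a, b):
    """Mux port talks to all; group ports only within their VLAN; separate ports to Mux only."""
    ra, rb = roles.get(ports[a]["vlan"]), roles.get(ports[b]["vlan"])
    if None in (ra, rb):
        return False                                  # port outside the Mux VLAN set
    if "mux" in (ra, rb):
        return True
    return ra == rb == "group" and ports[a]["vlan"] == ports[b]["vlan"]

def audit(roles, ports):
    """Ports placed in a Mux/subordinate VLAN without 'port mux-vlan enable' (review these)."""
    return sorted(p for p, c in ports.items() if c["vlan"] in roles and not c["mux"])
```

Calling l2_allowed() for every pair of ports gives the same matrix the ping tests in this lab check by hand.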





eNSP - Super-Vlan (Vlan aggregation)

Inter-vlan communication is achieved by configuring an IP address on the Vlanif interfaces. If a network has a large number of vlans, this requires an excessive number of IP addresses.

The concept of Super-vlans was introduced to save IP address space. A Super-vlan is a group of sub-vlans. It has a vlan interface, but no physical ports can be added to it. A sub-vlan has physical ports but no IP address assigned to the vlanif interface. Packets cannot be forwarded between sub-vlans at Layer 2. If Layer 3 communication is needed from a sub-vlan, it will use the IP address of the Super-vlan as the gateway IP address.

The local Address Resolution Protocol (ARP) proxy function is used to perform Layer 3 communications between sub-vlans and between sub-vlans and other networks.

topology:




1 - Create vlans:

[S1] vlan batch 10 20

[S2] vlan batch 10 20

[S3] vlan batch 10 20 100

2 - Configure Trunk ports:

[S1] interface g0/0/1
[S1-GigabitEthernet0/0/1] port link-type trunk
[S1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20
[S1-GigabitEthernet0/0/1] interface g0/0/2
[S1-GigabitEthernet0/0/2] port link-type trunk
[S1-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 20

[S2] interface g0/0/1
[S2-GigabitEthernet0/0/1] port link-type trunk
[S2-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20
[S2-GigabitEthernet0/0/1] interface g0/0/2
[S2-GigabitEthernet0/0/2] port link-type trunk
[S2-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 20

[S3] interface g0/0/1
[S3-GigabitEthernet0/0/1] port link-type trunk
[S3-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20
[S3-GigabitEthernet0/0/1] interface g0/0/2
[S3-GigabitEthernet0/0/2] port link-type trunk
[S3-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 20

3 - Configure Access ports:

[S1] interface e0/0/1
[S1-Ethernet0/0/1] port link-type access
[S1-Ethernet0/0/1] port default vlan 10 
[S1-Ethernet0/0/1] interface e0/0/2
[S1-Ethernet0/0/2] port link-type access
[S1-Ethernet0/0/2] port default vlan  20

[S2] interface e0/0/1
[S2-Ethernet0/0/1] port link-type access
[S2-Ethernet0/0/1] port default vlan 10 
[S2-Ethernet0/0/1] interface e0/0/2
[S2-Ethernet0/0/2] port link-type access
[S2-Ethernet0/0/2] port default vlan  20

4 - Configure Super-Vlan:

[S3] vlan 100
[S3-vlan100] aggregate-vlan
[S3-vlan100] access-vlan 10 20
[S3-vlan100] quit
[S3] interface vlanif 100
[S3-Vlanif100] ip address 192.168.0.254 24
[S3-Vlanif100] arp-proxy inter-sub-vlan-proxy enable

Connectivity test:

client1 - 192.168.0.1 24
client2 - 192.168.0.2 24
client3 - 192.168.0.3 24
client4 - 192.168.0.4 24




eNSP - inter-Vlan routing

With Vlans implemented, users are cut off from users in other Vlan domains. To establish connectivity between Vlans a Layer 3 device is needed.

topology: (inter-vlan routing with a router)


1 - Create Vlans:

[S1] vlan batch 10 20

note: use "display vlan" to see Vlan database.

2 - Configure access ports:

[S1] interface e0/0/1
[S1-Ethernet0/0/1] port link-type access
[S1-Ethernet0/0/1] port default vlan 10
[S1-Ethernet0/0/1] interface e0/0/2
[S1-Ethernet0/0/2] port link-type access
[S1-Ethernet0/0/2] port default vlan 20
note: use "display port vlan" to see which ports are assigned to which vlans.

3 - Configure trunk on the switch:

[S1] interface g0/0/1
[S1-GigabitEthernet0/0/1] port link-type trunk
[S1-GigabitEthernet0/0/1] port trunk allow-pass vlan all

4 - Configure trunk on the router:

[R1] interface g0/0/0
[R1-GigabitEthernet0/0/0] interface g0/0/0.10
[R1-GigabitEthernet0/0/0.10] dot1q termination vid 10
[R1-GigabitEthernet0/0/0.10] ip address 192.168.10.1 24
[R1-GigabitEthernet0/0/0.10] arp broadcast enable
[R1-GigabitEthernet0/0/0.10] interface g0/0/0.20
[R1-GigabitEthernet0/0/0.20] dot1q termination vid 20
[R1-GigabitEthernet0/0/0.20] ip address 192.168.20.1 24
[R1-GigabitEthernet0/0/0.20] arp broadcast enable

note: ARP broadcast is disabled by default. If ARP broadcast remains disabled the router will discard the packets. By enabling ARP broadcast on the sub-interface the router is able to construct a tagged ARP broadcast packet and send the packet from the sub-interface.

5 - Assign IP addresses to clients:

Client 1

IP - 192.168.10.100
MASK - 255.255.255.0
GW - 192.168.10.1

Client 2 

IP - 192.168.20.100
MASK - 255.255.255.0
GW - 192.168.20.1

Connectivity test


topology: (L3 switch based vlan routing)


1 - Create vlans:

[S1] vlan batch 10 20 30 40
[S2] vlan batch 10 20 30 40

2 - Assign ports to vlans:

[S1] interface e0/0/1
[S1-Ethernet0/0/1] port link-type access
[S1-Ethernet0/0/1] port default vlan 10
[S1-Ethernet0/0/1] interface e0/0/2
[S1-Ethernet0/0/2] port link-type access
[S1-Ethernet0/0/2] port default vlan 20
[S2] interface e0/0/1
[S2-Ethernet0/0/1] port link-type access
[S2-Ethernet0/0/1] port default vlan 40
[S2-Ethernet0/0/1] interface e0/0/2
[S2-Ethernet0/0/2] port link-type access
[S2-Ethernet0/0/2] port default vlan 30

3 - Configure trunk:

[S1] interface g0/0/1
[S1-GigabitEthernet0/0/1] port link-type trunk
[S1-GigabitEthernet0/0/1] port trunk allow-pass vlan all

[S2] interface g0/0/1
[S2-GigabitEthernet0/0/1] port link-type trunk
[S2-GigabitEthernet0/0/1] port trunk allow-pass vlan all

4 - Configure Vlanif interfaces:

[S1] interface vlanif 10
[S1-VlanIf10] ip address 192.168.10.1 24
[S1-VlanIf10] interface vlanif 20
[S1-VlanIf20] ip address 192.168.20.1 24
[S1-VlanIf20] interface vlanif 30
[S1-VlanIf30] ip address 192.168.30.2 24
[S1-VlanIf30] interface vlanif 40
[S1-VlanIf40] ip address 192.168.40.2 24

[S2] interface vlanif 10
[S2-VlanIf10] ip address 192.168.10.2 24
[S2-VlanIf10] interface vlanif 20
[S2-VlanIf20] ip address 192.168.20.2 24
[S2-VlanIf20] interface vlanif 30
[S2-VlanIf30] ip address 192.168.30.1 24
[S2-VlanIf30] interface vlanif 40
[S2-VlanIf40] ip address 192.168.40.1 24

note: Vlan routing is implemented by creating vlan interfaces that operate as a gateway for each vlan within the layer 3 switch.

Connectivity test



eNSP - VLAN (access, trunk and hybrid ports)

VLAN practice...

topology:

Vlan 10 - 192.168.10.0/24
Vlan 20 - 192.168.20.0/24



1 - Create Vlans:

[S1] vlan batch 10 20 

note: vlans can be created as well with the command "vlan [id]". Use the command "display Vlan" to see vlan DataBase.

2 - Assign ports to the Vlans:

[S1] interface g0/0/1
[S1-GigabitEthernet0/0/1] port link-type access
[S1-GigabitEthernet0/0/1] port default vlan 10
[S1-GigabitEthernet0/0/1] interface g0/0/2
[S1-GigabitEthernet0/0/2] port link-type access
[S1-GigabitEthernet0/0/2] port default vlan 20
[S1-GigabitEthernet0/0/2] quit

3 - Assign trunk port:

[S1] interface g0/0/24
[S1-GigabitEthernet0/0/24] port link-type trunk
[S1-GigabitEthernet0/0/24] port trunk allow-pass vlan all
[S1-GigabitEthernet0/0/24] quit

4 - Configure S2:

[S2] vlan batch 10 20 
[S2] interface g0/0/1
[S2-GigabitEthernet0/0/1] port link-type access
[S2-GigabitEthernet0/0/1] port default vlan 20
[S2-GigabitEthernet0/0/1] interface g0/0/2
[S2-GigabitEthernet0/0/2] port link-type access
[S2-GigabitEthernet0/0/2] port default vlan 10
[S2-GigabitEthernet0/0/2] interface g0/0/24
[S2-GigabitEthernet0/0/24] port link-type trunk
[S2-GigabitEthernet0/0/24] port trunk allow-pass vlan all
[S2-GigabitEthernet0/0/24] quit

5 - Assign ip addresses to hosts:

client 1 - 192.168.10.100 255.255.255.0
client 2 - 192.168.20.100 255.255.255.0
client 3 - 192.168.10.101 255.255.255.0
client 4 - 192.168.20.101 255.255.255.0

Check connectivity by pinging hosts within the same Vlan.

6 - Hybrid ports:

Hybrid ports can operate as access ports and/or trunk ports. They are the default port type on Huawei switches.



This scenario simulates an end device that has the ability to tag vlan packets. The IP address scheme is the same as in the previous scenario.

1 - Create Vlans on both switches:

[S1] vlan batch 10 20

[S2] vlan batch 10 20

2 - Configure interfaces between switches:

[S1] interface g0/0/1
[S1-GigabitEthernet0/0/1] port link-type hybrid
[S1-GigabitEthernet0/0/1] port hybrid tagged vlan 10 20


[S2] interface g0/0/1
[S2-GigabitEthernet0/0/1] port link-type hybrid
[S2-GigabitEthernet0/0/1] port hybrid tagged vlan 10 20

3 - Configure interfaces that connect to end devices:


[S1] interface g0/0/1
[S1-GigabitEthernet0/0/1] port link-type hybrid
[S1-GigabitEthernet0/0/1] port hybrid tagged vlan 20
[S1-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[S1-GigabitEthernet0/0/1] port hybrid pvid vlan 10


[S2] interface g0/0/1
[S2-GigabitEthernet0/0/1] port link-type hybrid
[S2-GigabitEthernet0/0/1] port hybrid tagged vlan 20
[S2-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[S2-GigabitEthernet0/0/1] port hybrid pvid vlan 10

Check connectivity by pinging hosts within the same Vlan. All hosts are in Vlan 10 regardless of the ip address. To test Vlan 20, configure the settings of client 2.

Go to settings > udpPacket



Make sure that the destination MAC and IP are the same as Client 4, the Vlan ID is set to 20, click "Send". Go to client 4, right click and select capture > Ethernet 0/0/1. Wireshark will start. 



Wireshark shows that the UDP packets are being sent through Vlan 20. This illustrates the scenario where two end devices connect to the same interface but are in different Vlans.


eNSP - LACP (link aggregation control protocol)

IEEE 802.3ad (LACP) is a technique that helps to increase throughput and to provide redundancy by bundling multiple physical interfaces into a logical one named Eth-trunk. Trunking lets us implement load balancing and higher reliability.

topology:




1 - Define which switch is the ACTOR by setting the system priority ( the lower the number the higher the priority ).

[LSW4] lacp priority 100

2 - Choose which method of link aggregation will be used (Static / Manual) and set the maximum number of active links.

[LSW4] interface eth-trunk 1
[LSW4-Eth-Trunk1] mode lacp-static
[LSW4-Eth-Trunk1] max active-linknumber 2
[LSW4-Eth-Trunk1] quit

3 - Add interfaces to eth-trunk and set priority ( interfaces with higher priority will become active upon link failure ).

[LSW4] interface g0/0/1
[LSW4-GigabitEthernet0/0/1] eth-trunk 1
[LSW4-GigabitEthernet0/0/1] lacp priority 100
[LSW4-GigabitEthernet0/0/1] interface g0/0/2
[LSW4-GigabitEthernet0/0/2] eth-trunk 1
[LSW4-GigabitEthernet0/0/2] lacp priority 100
[LSW4-GigabitEthernet0/0/2] interface g0/0/3
[LSW4-GigabitEthernet0/0/3] eth-trunk 1
[LSW4-GigabitEthernet0/0/3] lacp priority 100
[LSW4-GigabitEthernet0/0/3] interface g0/0/4
[LSW4-GigabitEthernet0/0/4] eth-trunk 1
[LSW4-GigabitEthernet0/0/4] quit

4 - Configure LSW5 to be the PARTNER


[LSW5] interface eth-trunk 1
[LSW5-Eth-Trunk1] mode lacp-static
[LSW5-Eth-Trunk1] quit
[LSW5] interface g0/0/1
[LSW5-GigabitEthernet0/0/1] eth-trunk 1
[LSW5-GigabitEthernet0/0/1] interface g0/0/2
[LSW5-GigabitEthernet0/0/2] eth-trunk 1
[LSW5-GigabitEthernet0/0/2] interface g0/0/3
[LSW5-GigabitEthernet0/0/3] eth-trunk 1
[LSW5-GigabitEthernet0/0/3] interface g0/0/4
[LSW5-GigabitEthernet0/0/4] eth-trunk 1
[LSW5-GigabitEthernet0/0/4] quit

5 - Display configurations on LSW4

[LSW4] display eth-trunk 1



Interface GigabitEthernet 0/0/2 will become active if one of the selected links goes down, due to the priority number configured in the previous steps.

6.

[LSW4] interface g0/0/1
[LSW4-GigabitEthernet0/0/1] shutdown
[LSW4-GigabitEthernet0/0/1] quit
[LSW4] display eth-trunk 1




eNSP - DHCP and DHCP Snooping

Dynamic Host Configuration Protocol (DHCP) is a client/server protocol that automatically provides an Internet Protocol (IP) host with its IP address and other related configuration information such as the subnet mask and default gateway.

topology:




DHCP Server configuration:

dhcp enable
#
ip pool users
 gateway-list 192.168.0.1 
 network 192.168.0.0 mask 255.255.255.0 
#
interface GigabitEthernet0/0/0
 ip address 192.168.0.1 255.255.255.0 
 dhcp select global
#
Note: This configuration is enough for the clients to get an IP address due to the default configuration of Huawei switches. All ports are assigned to VLAN 1 and they are configured as hybrid; a hybrid port can act as either access or trunk.

The default configuration poses a threat to the network, since anyone with access to the switches can plug a device into the network or, even worse, plug in a rogue DHCP server and take over the network.

To protect the network against this type of attacks, it is advisable to configure a vlan, assign used ports to that vlan and shutdown all the unused ports or assign unused ports to a vlan that should only be used for unused ports.

Switch configuration:
[SW1] vlan batch 10 99
[SW1] interface GigabitEthernet0/0/24
[SW1-GigabitEthernet0/0/24] port link-type trunk
[SW1-GigabitEthernet0/0/24] port trunk allow-pass vlan 10
[SW1-GigabitEthernet0/0/24] interface GigabitEthernet0/0/23
[SW1-GigabitEthernet0/0/23] port link-type access
[SW1-GigabitEthernet0/0/23] port default vlan 10
[SW1-GigabitEthernet0/0/23] interface GigabitEthernet0/0/1
[SW1-GigabitEthernet0/0/1] port link-type access
[SW1-GigabitEthernet0/0/1] port default vlan 10
[SW2] vlan batch 10 99
[SW2] interface GigabitEthernet0/0/24
[SW2-GigabitEthernet0/0/24] port link-type trunk
[SW2-GigabitEthernet0/0/24] port trunk allow-pass vlan 10
[SW2-GigabitEthernet0/0/24] interface GigabitEthernet0/0/1
[SW2-GigabitEthernet0/0/1] port link-type access
[SW2-GigabitEthernet0/0/1] port default vlan 10
[SW2-GigabitEthernet0/0/1] interface GigabitEthernet0/0/2
[SW2-GigabitEthernet0/0/2] port link-type access
[SW2-GigabitEthernet0/0/2] port default vlan 10

Now create a port group to configure all unused ports at once.
[SW1]port-group unused
[SW1-port-group-unused] group-member GigabitEthernet 0/0/2 to GigabitEthernet 0/0/22
[SW1-port-group-unused] port link-type access
[SW1-port-group-unused] port default vlan 99
[SW1-port-group-unused] shutdown
[SW2]port-group unused
[SW2-port-group-unused] group-member GigabitEthernet 0/0/3 to GigabitEthernet 0/0/23
[SW2-port-group-unused] port link-type access
[SW2-port-group-unused] port default vlan 99
[SW2-port-group-unused] shutdown

With this configuration a malicious user will not have access to any resources on the network upon connecting a device to an available port, but the network is not yet protected against rogue DHCP server attacks, because a malicious user can swap a connected device with a bogus DHCP server. To protect against this type of attack, DHCP snooping must be enabled on both switches, and a trusted interface must be configured as well (trusted interfaces allow DHCP traffic from the server to the client and the other way around). In this topology the DHCP server is connected to port GigabitEthernet0/0/23 on SW1, and on SW2 port GigabitEthernet0/0/24 must be configured as trusted as well.
[SW1] dhcp enable
[SW1] dhcp snooping enable
[SW1] vlan 10
[SW1-vlan10] dhcp snooping enable
[SW1-vlan10] quit
[SW1] interface GigabitEthernet 0/0/23
[SW1-GigabitEthernet0/0/23] dhcp snooping trusted
[SW2] dhcp enable
[SW2] dhcp snooping enable
[SW2] vlan 10
[SW2-vlan10] dhcp snooping enable
[SW2-vlan10] quit
[SW2] interface GigabitEthernet 0/0/24
[SW2-GigabitEthernet0/0/24] dhcp snooping trusted

Note: If a trusted interface is not configured on SW2, DHCP Discovery packets will be discarded as soon as they arrive at the switch, because there is no trusted interface to forward these packets to.

The network is now protected against rogue DHCP server attacks, but there are other attacks that can be executed on the network, such as DHCP flood attacks, bogus DHCP messages and DHCP starvation attacks.

A DHCP flood attack works by sending a large number of DHCP messages to a device within a short period of time. This impacts performance and the device might not work normally. To prevent this type of attack it's a good idea to enable a rate limit on the packets per second that will enter the switch.
[SW1] dhcp snooping check dhcp-rate enable
[SW1] dhcp snooping check dhcp-rate 25
[SW2] dhcp snooping check dhcp-rate enable
[SW2] dhcp snooping check dhcp-rate 25

In a bogus DHCP message attack the attacker sends a DHCP request message to the DHCP server; the IP address cannot be released after the lease time expires and legitimate users are unable to use those IP addresses. The attacker might also send a DHCP release message, causing the legitimate user or users to go offline. This can be prevented by configuring the switch to check whether DHCP request or release messages match entries in the binding table. Only DHCP messages that match entries can be forwarded. This prevents malicious users from sending bogus DHCP request or release messages.
[SW1] vlan 10
[SW1-vlan10] dhcp snooping check dhcp-request enable
[SW2] vlan 10
[SW2-vlan10] dhcp snooping check dhcp-request enable

In a DHCP starvation attack a malicious user broadcasts DHCP requests with a spoofed MAC address. If enough requests are sent, the attacker can exhaust the address space available to the DHCP server for a period of time, leaving legitimate users unable to receive an IP address. To stop this kind of attack a switch can be configured to check whether the MAC address in the Ethernet frame matches the CHADDR field in the DHCP message (the CHADDR field is where the DHCP server identifies the MAC address of the client). If the two values match the message is forwarded, otherwise it is discarded. The maximum number of access users allowed on the switch or interface must also be set.
[SW1] interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1] dhcp snooping max-user-number 1
[SW1-GigabitEthernet0/0/1] dhcp snooping check dhcp-chaddr enable
[SW2] interface GigabitEthernet 0/0/1
[SW2-GigabitEthernet0/0/1] dhcp snooping max-user-number 1
[SW2-GigabitEthernet0/0/1] dhcp snooping check dhcp-chaddr enable
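
A simplified model of three of the snooping checks configured above (trusted interface, CHADDR check, request/release check against the binding table), added here as an example; it is not Huawei's implementation. The frames, MAC addresses, binding entry and function names are constructed for the example, and applying the binding check only to renewals (ciaddr set) and releases is an assumption.

```python
import struct

DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE = 1, 2, 3, 5, 6, 7  # DHCP option 53 values
SERVER_TYPES = {OFFER, ACK, NAK}
MAGIC = b"\x63\x82\x53\x63"
ZERO_IP = b"\x00" * 4

def build_frame(src_mac, chaddr, mtype, ciaddr=ZERO_IP):
    """Constructed sample input: untagged Ethernet/IPv4/UDP frame with one DHCP message."""
    op = 2 if mtype in SERVER_TYPES else 1
    bootp = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0) + ciaddr
    bootp += b"\x00" * 12 + chaddr + b"\x00" * 10 + b"\x00" * 192
    dhcp = bootp + MAGIC + bytes([53, 1, mtype, 255])
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(dhcp), 0, 0, 64, 17, 0,
                     ZERO_IP, b"\xff" * 4)          # checksums left at 0 in the sample
    return b"\xff" * 6 + src_mac + b"\x08\x00" + ip + udp + dhcp

def parse_dhcp(frame):
    """Return (source MAC, chaddr, ciaddr, message type) of a DHCP frame."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an untagged IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    bootp = frame[14 + ihl + 8:]                    # skip the IPv4 and UDP headers
    if bootp[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i, mtype = bootp[240:], 0, None
    while i + 1 < len(opts) and opts[i] != 255:     # 255 = end option
        if opts[i] == 0:                            # pad option has no length byte
            i += 1
            continue
        if opts[i] == 53 and i + 2 < len(opts):
            mtype = opts[i + 2]
        i += 2 + opts[i + 1]
    return frame[6:12], bootp[28:34], bootp[12:16], mtype

def snoop(frame, in_port, trusted_ports, bindings):
    """bindings maps client MAC -> (leased IP, access port). Returns the verdict."""
    src_mac, chaddr, ciaddr, mtype = parse_dhcp(frame)
    if mtype in SERVER_TYPES:                       # dhcp snooping trusted
        return "forward" if in_port in trusted_ports else "drop: server message on untrusted port"
    if in_port in trusted_ports:
        return "forward"
    if src_mac != chaddr:                           # dhcp snooping check dhcp-chaddr
        return "drop: chaddr mismatch"
    if mtype == RELEASE or (mtype == REQUEST and ciaddr != ZERO_IP):
        if bindings.get(chaddr) != (ciaddr, in_port):   # check dhcp-request
            return "drop: no matching binding"
    return "forward"

# Constructed values for SW1 in this lab (MACs and the leased address are made up).
CLIENT = bytes.fromhex("5489980a0001")
OTHER = bytes.fromhex("5489980b0002")
LEASE = bytes([192, 168, 0, 253])
ACCESS, SERVER_PORT = "GigabitEthernet0/0/1", "GigabitEthernet0/0/23"
TRUSTED = {SERVER_PORT, "GigabitEthernet0/0/24"}
BINDINGS = {CLIENT: (LEASE, ACCESS)}
```

For example, snoop(build_frame(OTHER, OTHER, RELEASE, LEASE), ACCESS, TRUSTED, BINDINGS) is dropped because the lease belongs to CLIENT, which is the bogus release case described above.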

Upgrading to IOS15 on a 2960 switch in Cisco Packet Tracer

Cisco Packet Tracer 6.1 has a feature that allows one to upgrade the IOS on a 2960 switch.
So let's start:
Open Packet Tracer. :-)

Drag in a 2960 switch and a Server (connect the server to any port on the switch). In my scenario I will connect to Fa0/1.

Configure the IP address on the Server. I will use 192.168.0.0/24; the server will be .254 and the SVI on the switch will be .1.

To configure the switch we open the CLI and type as shown:




Now we can configure the server as shown:




and we can see the new IOS file in the TFTP section ( c2960-lanbasek9-mz.150-2.SE4.bin ).

Before upgrading check if the Server can ping the Switch, if the ping is successful you are ready to go.

To upload the new IOS image to the Switch:



We can see the new IOS image in the flash directory by typing "dir" or "show flash". To configure the Switch to boot to the new IOS image we have 2 options:

1 - we can delete the current IOS image, and when the Switch reloads it will automatically load the image that is found on the flash directory.

2 - we can use the boot command to configure the Switch to use the new IOS image.

Let's use the second option:



Reload the Switch and type "show ver".





The switch is now running the new IOS image (the same can be done for the 2811 Router).