© 2007 Cisco Systems, Inc. All rights reserved. Cisco Public ITE PC v4.0 Chapter 1 1 Basic switch concepts and configuration Routing Protocols and Concepts – Chapter 2
Page 1: Exploration Switching and Wireless Chapter 2 1

© 2007 Cisco Systems, Inc. All rights reserved. Cisco PublicITE PC v4.0Chapter 1 1

Basic switch concepts and configuration

Routing Protocols and Concepts – Chapter 2

Page 2: Objectives

– Introduction to Ethernet 802.3 LANs
– Forwarding Frames using a Switch
– Switch Management Configuration
– The Switch Boot Sequence
– Basic Switch Configuration
– Configuring Switch Security
– Common Security Attacks
– Security Tools
– Configuring Port Security

Page 3: Introduction: Ethernet access with a hub

– A hub or concentrator is a Layer 1 device

Page 4: Introduction: Ethernet access with a bridge

– A bridge is a Layer 2 device used to divide, or segment, a network. Layer 2 devices make forwarding decisions based on the Media Access Control (MAC) addresses contained in the headers of transmitted data frames.

Page 5: Introduction: Ethernet access with a bridge (continued)

– A switch is also a Layer 2 device and may be referred to as a multi-port bridge.
– Deploying a switch in the network provides microsegmentation.
– In theory this creates a collision-free environment between source and destination, which allows maximum utilization of the available bandwidth.
– The disadvantage of Layer 2 devices is that they forward broadcast frames to all connected devices on the network.

Page 6: Introduction to Ethernet 802.3 LANs: Key Elements of Ethernet/802.3 Networks

– CSMA/CD
 • Carrier Sense
 • Multi-access
 • Collision Detection
 • Jam Signal and Random Backoff

Page 7: Introduction to Ethernet 802.3 LANs

Communication in a network occurs in three ways:
– unicast transmission: one transmitter tries to reach one receiver.
– multicast transmission: one transmitter tries to reach only a subset, or group, of the entire segment.
– broadcast transmission: one transmitter tries to reach all receivers in the network; the destination MAC address in the frame is set to all ones, FF:FF:FF:FF:FF:FF.

When two switches are connected, the broadcast domain grows.

Page 8: Introduction to Ethernet 802.3 LANs: Key Elements of Ethernet/802.3 Networks

– Ethernet Frame
– MAC Address with Organizationally Unique Identifier (OUI)

Page 9: Introduction to Ethernet 802.3 LANs: Key Elements of Ethernet/802.3 Networks

– Duplex Settings
 • Half duplex: data flow is unidirectional
 • Full duplex: data flow is bidirectional

Page 10: Introduction to Ethernet 802.3 LANs: Key Elements of Ethernet/802.3 Networks

– Switch Port Settings
 • auto sets autonegotiation of the duplex mode
  – the two ports communicate to decide the best mode of operation
  – default for Fast Ethernet and 10/100/1000 ports
 • full sets full-duplex mode
  – default for 100BASE-FX ports
 • half sets half-duplex mode
 • auto-MDIX
  – enables the automatic medium-dependent interface crossover (auto-MDIX) feature

Page 11: Introduction to Ethernet 802.3 LANs: Key Elements of Ethernet/802.3 Networks

– MAC Addressing and Switch MAC Address Tables
 • Switches use MAC addresses to direct network communications
 • The switch builds a MAC address table

[Figure: how the switch builds its MAC address table, Steps 1 to 4]

Page 12: Introduction to Ethernet 802.3 LANs: Design Considerations for Ethernet/802.3 Networks

– Bandwidth and Throughput
 • As more devices are added to the shared media, collisions increase
 • When the stated bandwidth of the Ethernet network is 10 Mb/s, the full bandwidth is available for transmission only after any collisions have been resolved
 • The throughput of the port (the average data that is effectively transmitted) is considerably reduced as a function of how many other nodes want to use the network
– Collision Domains
 • Hubs make collision domains larger
 • A switch makes each port its own collision domain
– Broadcast Domains
 • A switch does not filter broadcast frames
 • A router filters broadcasts

Page 13: Introduction to Ethernet 802.3 LANs: Design Considerations for Ethernet/802.3 Networks

– Network Latency
 • the time a frame or a packet takes to travel from the source station to the final destination
  – the source NIC places voltage pulses on the wire
  – the signal takes time to travel through the cable (propagation delay)
  – latency is added by the network devices along the path
  – a switch has a lower latency than a router
  – a switch uses port-based memory buffering, port-level QoS and congestion management to reduce latency

Each 10 Mbps Ethernet bit has a 100 ns transmission window; this is the bit time. Therefore 1 byte takes a minimum of 800 ns to transmit. A 64-byte frame, the smallest 10BASE-T frame that allows CSMA/CD to function properly, takes 51,200 ns (51.2 microseconds). Transmitting an entire 1000-byte frame from the source station requires 800 microseconds just to complete the frame.

Page 14: Introduction to Ethernet 802.3 LANs: Design Considerations for Ethernet/802.3 Networks

– Network Congestion
 • Reasons
  – increasingly powerful computer and network technologies
  – increasing volume of network traffic
  – high-bandwidth applications
 • Solution
  – segmenting a LAN into smaller parts

Page 15: Introduction to Ethernet 802.3 LANs: Design Considerations for Ethernet/802.3 Networks

– LAN Segmentation
 • segmented into a number of smaller collision domains by switches
 • segmented into a number of smaller broadcast domains by routers


Page 17: LAN switch operation

Page 18: LAN switch operation (continued)

Page 19: Introduction to Ethernet 802.3 LANs: LAN Design Considerations

– Controlling Network Latency
– Removing Bottlenecks

Page 20: Forwarding Frames using a Switch: Switch Packet Forwarding Methods

– Store-and-Forward Switching
 • the switch receives the frame
 • stores the complete frame in its buffer
 • looks at the destination and checks the CRC
 • sends the frame to the destination
 • high latency, with error checking
– Cut-through Switching has two variants
 • fast-forward switching
 • fragment-free switching

Page 21: Forwarding Frames using a Switch: Switch Packet Forwarding Methods

– Cut-through Switching has two variants
 • Fast-forward switching
  – the switch sends the frame to the destination as soon as the destination MAC address has been received
  – low latency
  – no error check
 • Fragment-free switching
  – the switch sends the frame to the destination after the first 64 bytes of the frame have been received
  – a compromise between fast-forward and store-and-forward

Page 22: Forwarding Frames using a Switch

There are three main frame transmission modes:
– Store-and-forward
– Cut-through
 • Fast-forward
 • Fragment-free
– Adaptive cut-through: checks for errors and selects the best forwarding mode.
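The trade-off between the forwarding modes on slides 20 to 22 (how much of the frame is examined before forwarding, and which bad frames each mode lets through) can be made concrete. The following is an added Python example, not code from the course: the FCS is modelled with zlib.crc32, the frames are constructed inline, and the error threshold that makes the adaptive mode fall back to store-and-forward is an assumption, since the slide only says the mode "checks for errors".

```python
import zlib
from dataclasses import dataclass

MIN_FRAME = 64       # smallest legal 802.3 frame; anything shorter is a collision fragment (runt)
DST_MAC_LEN = 6      # fast-forward has seen enough once the destination MAC is in


def build_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Constructed frame: dst(6) src(6) type(2) payload, padded to 60 bytes, then a 4-byte FCS.
    The FCS is modelled with zlib.crc32 (same CRC-32 polynomial as the 802.3 FCS)."""
    body = (dst + src + b"\x08\x00" + payload).ljust(MIN_FRAME - 4, b"\x00")
    return body + zlib.crc32(body).to_bytes(4, "little")


def fcs_ok(frame: bytes) -> bool:
    """Recompute the CRC over everything but the trailer and compare with the received FCS."""
    body, fcs = frame[:-4], frame[-4:]
    return zlib.crc32(body).to_bytes(4, "little") == fcs


@dataclass
class ForwardingSwitch:
    mode: str                   # "store-and-forward", "fast-forward", "fragment-free" or "adaptive"
    error_threshold: int = 3    # adaptive only (assumed): bad frames tolerated before slowing down
    errors_seen: int = 0
    effective_mode: str = ""

    def __post_init__(self) -> None:
        # Adaptive cut-through starts in the fastest mode and only slows down when errors appear
        self.effective_mode = "fast-forward" if self.mode == "adaptive" else self.mode

    def handle(self, frame: bytes):
        """Return (decision, number of bytes examined before the decision was made)."""
        mode = self.effective_mode
        if mode == "fast-forward":
            # Forward as soon as the destination MAC is known: lowest latency, no error check at all
            decision, examined = "forward", DST_MAC_LEN
        elif mode == "fragment-free":
            # Wait for the first 64 bytes so collision fragments are filtered; the CRC is still not checked
            examined = min(len(frame), MIN_FRAME)
            decision = "forward" if len(frame) >= MIN_FRAME else "drop-runt"
        elif mode == "store-and-forward":
            # Buffer the whole frame and verify the FCS before forwarding: highest latency, full error check
            examined = len(frame)
            decision = "forward" if len(frame) >= MIN_FRAME and fcs_ok(frame) else "drop-error"
        else:
            raise ValueError(f"unknown mode {mode!r}")
        # Adaptive: count FCS failures and move to store-and-forward once the threshold is reached
        if self.mode == "adaptive" and not fcs_ok(frame):
            self.errors_seen += 1
            if self.errors_seen >= self.error_threshold:
                self.effective_mode = "store-and-forward"
        return decision, examined
```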

Page 23: Forwarding Frames using a Switch: Symmetric and Asymmetric Switching

– Asymmetric
 • enables more bandwidth to be dedicated to a server switch port to prevent a bottleneck
 • memory buffering is required
– Symmetric
 • on a symmetric switch all ports have the same bandwidth

Page 24: Forwarding Frames using a Switch: Memory Buffering

– Port-based Memory Buffering
 • frames are stored in queues that are linked to specific incoming and outgoing ports
 • a frame is transmitted to the outgoing port only when all the frames ahead of it in the queue have been successfully transmitted
– Shared Memory Buffering
 • all frames go into a common memory buffer that all the ports on the switch share
 • allows a packet to be received on one port and then transmitted on another port without moving it to a different queue

Page 25: Forwarding Frames using a Switch: Layer 2 and Layer 3 Switching

– Layer 2 LAN switch
 • operates only at the OSI Data Link layer (Layer 2)
 • works with MAC addresses
– Layer 3 switch
 • learns MAC addresses, but also which IP addresses are associated with its interfaces
 • is capable of performing Layer 3 routing functions

[Figure: Layer 3 Switch and Router Comparison]

Page 26: Switch Management Configuration: Navigating Command-Line Interface Modes

– User EXEC Mode
 • basic monitoring commands
 • identified by the > prompt
– Privileged EXEC Mode
 • gives access to all device commands
 • can be password-protected
 • identified by the # prompt
– Change from User EXEC to Privileged EXEC
 • command: enable

Page 27: Switch Management Configuration: Navigating Command-Line Interface Modes

– Global Configuration Mode
 • to configure global switch parameters
 • entered with the configure terminal command from privileged EXEC mode
– Interface Configuration Mode
 • to configure interface-specific parameters
 • from global configuration mode, enter the interface <interface name> command

Page 28: Switch Management Configuration: Navigating Command-Line Interface Modes (continued)

Page 29: Switch Management Configuration: GUI-based Alternatives to the CLI

– Cisco Network Assistant
– CiscoView Application
– Cisco Device Manager
– Network Management

Page 30: Switch Management Configuration: Using the Help Facility

– sh?: lists the commands that start with sh
– ?: lists all commands available in your current CLI mode
– show ?: lists the options of the show command

[Figure: console error messages]

Page 31: Switch Management Configuration: Accessing the Command History

– The Command History Buffer
 • command history is enabled by default
 • records the last 10 command lines
 • to view recently entered EXEC commands: show history
– Configure the Command History Buffer

Page 32: The Switch Boot Sequence: Describe the Boot Sequence

– The switch loads the boot loader from NVRAM
– The boot loader:
 • performs low-level CPU initialization
 • performs POST for the CPU subsystem
 • initializes the flash file system on the system board
 • loads a default operating system software image into memory and boots the switch

Recovering from a System Crash
– provides access to the switch if the operating system cannot be used
– provides access to the files stored in flash memory before the operating system is loaded
– use the boot loader command line to perform recovery operations

Page 33: Basic Switch Configuration: Management Interface Considerations

– To manage a switch remotely using TCP/IP, you need to assign the switch an IP address
– This IP address is assigned to a virtual interface called a virtual LAN (VLAN) interface
– The default configuration on the switch is to have switch management controlled through VLAN 1
– Configure the management interface:

S1(config)# interface vlan 1
S1(config-if)# ip address <ip-address> <subnet-mask>
S1(config-if)# no shutdown

Page 34: Basic Switch Configuration: Configure Default Gateway

– You need to configure the switch so that it can forward IP packets to distant networks
– Configure the default gateway:

S1(config)# ip default-gateway <default-gateway>

Page 35: Basic Switch Configuration: View configuration

S1# show ip interface brief
S1# show running-config

Page 36: Basic Switch Configuration: Configure Duplex and Speed

Page 37: Basic Switch Configuration: Configure a Web Interface

– Modern Cisco switches have a number of web-based configuration tools that require the switch to be configured as an HTTP server
– To control who can access the HTTP services on the switch, you can optionally configure authentication
 • AAA
 • TACACS

Page 38: Basic Switch Configuration: Managing the MAC Address Table

– MAC tables include dynamic and static addresses
– Dynamic addresses are source MAC addresses that the switch learns and then ages out when they are not in use
– Static addresses are not aged out
– View the MAC address table:
 show mac-address-table
– Create a static mapping in the MAC address table:
 mac-address-table static <MAC address> vlan {1-4096, ALL} interface <interface-id>
– Remove a static mapping from the MAC address table:
 no mac-address-table static <MAC address> vlan {1-4096, ALL} interface <interface-id>
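The learning, flooding and aging behaviour sketched in the MAC address table figure on slide 11, together with the static entries managed with the mac-address-table commands on this slide, can be simulated end to end. This is an added Python example, not part of the course material: the port names, MAC addresses, timestamps and the 300-second aging time are constructed or assumed values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (lowest bit of the first octet) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class MacEntry:
    port: str
    static: bool          # static entries never age out and are never overwritten by learning
    last_seen: float      # seconds; refreshed each time a dynamic entry is seen as a source


@dataclass
class Switch:
    ports: List[str]
    aging_time: float = 300.0      # assumed: seconds a dynamic entry survives without traffic
    table: Dict[str, MacEntry] = field(default_factory=dict)

    # --- management, modelled after the mac-address-table commands on this slide ---
    def add_static(self, mac: str, port: str) -> None:
        """mac-address-table static <mac> vlan 1 interface <port>"""
        self.table[mac.lower()] = MacEntry(port, True, 0.0)

    def remove_static(self, mac: str) -> bool:
        """no mac-address-table static <mac> ...; False if there is no static entry for mac."""
        entry = self.table.get(mac.lower())
        if entry is None or not entry.static:
            return False
        del self.table[mac.lower()]
        return True

    def show(self) -> List[Tuple[str, str, str]]:
        """Rows in the spirit of show mac-address-table: (mac, type, port)."""
        return sorted((m, "STATIC" if e.static else "DYNAMIC", e.port) for m, e in self.table.items())

    # --- data plane ---
    def age(self, now: float) -> List[str]:
        """Drop dynamic entries idle for longer than aging_time; return the MACs removed."""
        expired = [m for m, e in self.table.items()
                   if not e.static and now - e.last_seen > self.aging_time]
        for m in expired:
            del self.table[m]
        return expired

    def receive(self, in_port: str, src: str, dst: str, now: float) -> List[str]:
        """Learn the source MAC, then return the ports the frame is sent out of."""
        src, dst = src.lower(), dst.lower()
        self.age(now)
        # Learning: record or refresh the source MAC against its arrival port
        entry = self.table.get(src)
        if entry is None or not entry.static:
            self.table[src] = MacEntry(in_port, False, now)
        # Forwarding: known unicast goes to one port; broadcast, multicast and
        # unknown unicast are flooded out of every port except the one it came in on
        if not is_group_address(dst) and dst in self.table:
            out = self.table[dst].port
            return [] if out == in_port else [out]   # filtered: destination is on the same segment
        return [p for p in self.ports if p != in_port]
```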

Page 39: Basic Switch Configuration: Verifying Switch Configuration

Page 40: Verifying Switch Configuration: flash

By default the flash directory has a file that contains the IOS image, a file called env_vars, and a sub-directory called html. After the switch has been configured it may also contain a config.text file and a VLAN database.

Page 41: Basic Switch Management: Backing Up the Configuration

– Copy the running-config in DRAM to the startup-config in NVRAM or flash:
 copy running-config startup-config
– Maintain multiple different startup-config files on the device:
 copy startup-config flash:filename

Page 42: Basic Switch Management: Restoring the Configuration

– Restore a saved configuration from flash:
 copy flash:filename startup-config
– After restoring, restart the switch with reload

Page 43: Basic Switch Management: Back up Configuration Files to a TFTP Server

– back up the configuration over the network
– it can be archived for a long time
– Backing up the configuration
 Step 1. Verify that the TFTP server is running on your network.
 Step 2. Log in to the switch through the console port or a Telnet session. Enable the switch and then ping the TFTP server.
 Step 3. Upload the switch configuration to the TFTP server. Specify the IP address or hostname of the TFTP server and the destination filename. The Cisco IOS commands are:
 copy system:running-config tftp:[[[//location]/directory]/filename]
 copy nvram:startup-config tftp:[[[//location]/directory]/filename]

Page 44: Basic Switch Management: Back up Configuration Files to a TFTP Server

– back up the configuration over the network
– it can be archived for a long time
– Restoring the configuration
 Step 1. Copy the configuration file to the appropriate TFTP directory on the TFTP server if it is not already there.
 Step 2. Verify that the TFTP server is running on your network.
 Step 3. Log in to the switch through the console port or a Telnet session. Enable the switch and then ping the TFTP server.
 Step 4. Download the configuration file from the TFTP server to configure the switch. Specify the IP address or hostname of the TFTP server and the name of the file to download. The Cisco IOS commands are:
 copy tftp:[[[//location]/directory]/filename] system:running-config
 copy tftp:[[[//location]/directory]/filename] nvram:startup-config

Page 45: Basic Switch Management: Clearing Configuration Information

– Clear the contents of your startup configuration:
 • erase nvram:
 • erase startup-config
– Clear the switch:
 Switch# delete flash:vlan.dat
 Delete filename [vlan.dat]? [Enter]
 Delete flash:vlan.dat? [confirm] [Enter]
 Switch# erase startup-config
 Switch# reload
– Deleting a stored configuration file
 • delete a file from flash: delete flash:filename
 • WARNING: be sure you delete a file from flash and not flash itself!

Page 46: Configuring Switch Security: Configure Password Options

– Secure the Console
 • Set the console password
 • Remove the console password:
 S1(config)# line con 0
 S1(config-line)# no password
 S1(config-line)# no login

Page 47: Configuring Switch Security: Configure Password Options

– Secure the vty Ports
 • Set security
 • Remove security:
 S1(config)# line vty 0 4
 S1(config-line)# no password
 S1(config-line)# no login

Page 48: Configuring Switch Security: Configure Password Options

– Configure EXEC Mode Passwords
 • Set security
 • Remove security:
 no enable password   (enable password: not encrypted)
 no enable secret     (enable secret: encrypted)

Page 49: Configuring Switch Security: Configure Password Options

– Configure Encrypted Passwords
 • use the service password-encryption command in global configuration mode
 • all system passwords are then stored in an encrypted form

Page 50: Configuring Switch Security: Password recovery on a switch (short briefing)

Power on and hold the Mode button until the LED of port 1 goes out.

switch: flash_init
switch: dir flash:   (don't forget the colon)
switch: rename flash:config.text flash:config.old   (config.text contains the password definition)
switch: boot
Enter 'n' at the setup prompt
Switch> enable
Switch# rename flash:config.old flash:config.text
Switch# copy flash:config.text system:running-config
Switch# conf t
Switch(config)# no enable secret
Switch(config)# enable password cisco
Ctrl-Z
Switch# copy run start
Switch# reload

Page 51: Configuring Switch Security: Enable Password Recovery

Step 1. Connect a terminal or PC with terminal-emulation software to the switch console port.
Step 2. Set the line speed on the emulation software to 9600 baud.
Step 3. Power off the switch. Reconnect the power cord to the switch and, within 15 seconds, press the Mode button while the System LED is still flashing green. Continue pressing the Mode button until the System LED turns briefly amber and then solid green. Then release the Mode button.
Step 4. Initialize the flash file system using the flash_init command.
Step 5. Load any helper files using the load_helper command.
Step 6. Display the contents of flash memory using the dir flash: command. The switch file system appears:

 Directory of flash:
 13  drwx  192   Mar 01 1993 22:30:48  c2960-lanbase-mz.122-25.FX
 11  -rwx  5825  Mar 01 1993 22:31:59  config.text
 18  -rwx  720   Mar 01 1993 02:21:30  vlan.dat
 16128000 bytes total (10003456 bytes free)

Page 52: Configuring Switch Security: Enable Password Recovery

Step 7. Rename the configuration file, which contains the password definition, to config.text.old using the rename flash:config.text flash:config.text.old command.
Step 8. Boot the system with the boot command.
Step 9. You are prompted to start the setup program. Enter N at the prompt, and then, when the system asks whether to continue with the configuration dialog, enter N.
Step 10. At the switch prompt, enter privileged EXEC mode using the enable command.
Step 11. Rename the configuration file to its original name using the rename flash:config.text.old flash:config.text command.
Step 12. Copy the configuration file into memory using the copy flash:config.text system:running-config command. After this command has been entered, the following is displayed on the console:
 Source filename [config.text]?
 Destination filename [running-config]?
Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can change the password.

Page 53: Configuring Switch Security: Enable Password Recovery

Step 13. Enter global configuration mode using the configure terminal command.
Step 14. Change the password using the enable secret <password> command.
Step 15. Return to privileged EXEC mode using the exit command.
Step 16. Write the running configuration to the startup configuration file using the copy running-config startup-config command.
Step 17. Reload the switch using the reload command.

Page 54: Configuring Switch Security: Flash update

– show version: to see the current .bin file, or dir flash:
– If the switch has enough flash memory, rename the existing .bin file:
 # rename flash:c2900…bin flash:c2900…old
– Give the switch an address in the same network as the host PC:
 interface vlan 1
 ip address 10.67.200.205 255.255.0.0
 no shutdown
– Configure the host PC's IP address in the same network range
– Ping the host
– Start a TFTP server on the host
– copy tftp flash:newname.bin
– delete flash:c2900…old (optional)

Problem: the switch can't find the flash file
 switch: set BOOT flash:c2900xl-c3h2s-mz.120-5.WC8.bin   (BOOT in uppercase!)
 or
 Switch(config)# boot system flash:c2900xl-c3h2s-mz.120-5.WC8.bin

Page 55: Configuring Switch Security: XMODEM

1. Set up your PC to do XMODEM: on the HyperTerminal menu bar, click Transfer and choose Send File. This brings up a "Send File" popup window. Select XMODEM as the protocol from the pull-down button. Click Close.

2. Set up the switch so it is ready to receive the image: run the copy xmodem:new_file.bin flash:new_file.bin command on the switch to copy the image to flash using XMODEM, where new_file.bin is the file that you downloaded from Cisco.com to your PC or workstation in step 1.

For example:
 switch: copy xmodem:c2900xl-c3h2s-mz-120-5.WC8.bin flash:c2900xl-c3h2s-mz-120-5.WC8.bin
 Begin the Xmodem or Xmodem-1K transfer now..

Substitute your particular Cisco IOS image name for the name used above.

Page 56: Configuring Switch Security: XMODEM

3. Start the transfer of the file by performing the following steps on the PC: on the HyperTerminal menu bar, click Transfer and choose Send File. This brings up a "Send File" popup window. Fill in the filename using the Browse button. Verify that the protocol is XMODEM; if it is not, select XMODEM from the pull-down button. Click Send, which starts the transfer of the file.

Note: Make sure that you start the transfer of the file immediately after receiving the "Begin the Xmodem or Xmodem-1K transfer now.." message (within approximately 3 to 5 seconds), otherwise the switch will time out the XMODEM copy.

Page 57: Configuring Switch Security: XMODEM

Note: an XMODEM transfer can take between 25 and 35 minutes, depending on the switch and the size of the image.

Verify that the file was copied to flash successfully by issuing the dir flash: command:

switch: dir flash:
Directory of flash:/
 -rwx 1803565 Mar 01 1993 01:17:06 c2900xl-c3h2s-mz.120-5.WC8.bin
1965568 bytes available (1647104 bytes used)

Set the BOOT parameter so that the switch boots with the downloaded image when it is reloaded. For example:
 (a) switch: set BOOT flash:c2900xl-c3h2s-mz.120-5.WC8.bin
 (b) Substitute the image name above with the Cisco IOS image name you loaded to flash.
Note: BOOT must be in capital letters.

Page 58: Configuring Switch Security: Login Banners

– Configure a Login Banner
– Configure a MOTD Banner

Page 59: Configuring Switch Security: Configure Telnet and SSH

Telnet
– a popular protocol used for terminal access
– an insecure way of accessing a network device
– sends all communications across the network in clear text

SSH
– provides the same type of access as Telnet
– with the benefit of security
– communication between the SSH client and SSH server is encrypted

Page 60: Configuring Switch Security: Configure Telnet

– Telnet is the default transport supported on the vty lines
– Re-enable the Telnet protocol:
 (config-line)# transport input telnet
 (config-line)# transport input all

Page 61: Configuring Switch Security: Configure SSH

– SSH is a cryptographic security feature
– The SSH feature has an SSH server and an SSH integrated client
– The switch supports SSHv1 or SSHv2 for the server component and only SSHv1 for the client component
– SSH uses DES, 3DES and password-based user authentication
– To implement SSH, you need to generate RSA keys
 • A public key
  – on a public RSA server
  – used to encrypt messages
 • A private key
  – kept by the sender and the receiver
  – used to decrypt messages

Page 62: Configuring Switch Security: Configure SSH

Generate RSA keys
 Step 1. Enter global configuration mode using the configure terminal command.
 Step 2. Configure a hostname for your switch using the hostname <hostname> command.
 Step 3. Configure a host domain for your switch using the ip domain-name <domain_name> command.
 Step 4. Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair using the crypto key generate rsa command. When you generate RSA keys, you are prompted to enter a modulus length. Cisco recommends a modulus size of 1024 bits. A longer modulus length may be more secure, but it takes longer to generate and to use.
 Step 5. Return to privileged EXEC mode using the end command.
 Step 6. Show the status of the SSH server on the switch using the show ip ssh or show ssh command.

To delete the RSA key pair, use crypto key zeroize rsa.

Page 63: Exploration Switching and Wireless Chapter 2 1

ITE PC v4.0Chapter 1 63© 2007 Cisco Systems, Inc. All rights reserved. Cisco Public

Configuring Switch Security Configure SSH

Configuring the SSH ServerStep 1. Enter global configuration mode using the configure terminal command.

Step 2. (Optional) Configure the switch to run SSHv1 or SSHv2 using the ip ssh version [1 | 2] command. If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2.

Step 3. Configure the SSH control parameters:

Specify the time-out value in seconds; the default is 120 seconds. The range is 0 to 120 seconds. For an SSH connection to be established, a number of phases must be completed, such as connection, protocol negotiation, and parameter negotiation. The time-out value applies to the amount of time the switch allows for a connection to be established. By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4). After the execution shell starts, the CLI-based session time-out value returns to the default of 10 minutes.

Page 64: Exploration Switching and Wireless Chapter 2 1

Configuring Switch Security Configure SSH

Configuring the SSH Server

Specify the number of times that a client can re-authenticate to the server. The default is 3; the range is 0 to 5. For example, a user can allow the SSH session to sit for more than 10 minutes three times before the SSH session is terminated.

Repeat this step when configuring both parameters. To configure both parameters use the ip ssh {time-out seconds | authentication-retries number} command (the IOS keyword is spelled time-out).

Step 4. Return to privileged EXEC mode using the end command.

Step 5. Display the status of the SSH server connections on the switch using the show ip ssh or the show ssh command.

Step 6. (Optional) Save your entries in the configuration file using the copy running-config startup-config command.
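The key-generation steps on the previous slide and the server settings above, carried through as one complete console session. This is an added example and not part of the original slides: the hostname S1, the domain example.com, the user name admin and the password placeholder are assumptions, and the vty-line settings (a local user, transport input ssh, login local) are included because generating keys alone does not let anyone log in; a 2048-bit modulus is shown in place of the 1024 bits the slide recommends, since 1024-bit RSA is no longer considered adequate.

```cisco
! Added example (not from the original slides). Hostname, domain name,
! user name and the password placeholder are assumptions.
Switch> enable
Switch# configure terminal
! Steps 2-3: a hostname and a domain name are required before key generation
Switch(config)# hostname S1
S1(config)# ip domain-name example.com
! Step 4: generate the RSA key pair (2048 bits here; the slide says 1024)
S1(config)# crypto key generate rsa modulus 2048
! Optional: accept only SSHv2 and tighten the control parameters
! (negotiation time-out 60 s, at most 2 authentication retries)
S1(config)# ip ssh version 2
S1(config)# ip ssh time-out 60
S1(config)# ip ssh authentication-retries 2
! Assumed: a local account so that an SSH login can actually succeed
S1(config)# username admin privilege 15 secret <strong-password>
! Assumed: vty lines accept SSH only, authenticate locally, drop idle sessions
S1(config)# line vty 0 4
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exec-timeout 10 0
S1(config-line)# end
! Verify the server (version, time-out, retries, key), then save
S1# show ip ssh
S1# show ssh
S1# copy running-config startup-config
```

If the key pair ever has to be replaced, the crypto key zeroize rsa command from the previous slide removes it; the SSH server stops accepting connections until a new pair is generated, so do it from the console rather than over SSH.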

Page 65: Exploration Switching and Wireless Chapter 2 1

Common Security Attacks Security Attacks

–MAC Address Flooding

Page 66: Exploration Switching and Wireless Chapter 2 1

Common Security Attacks Security Attacks

–Spoofing Attacks

Page 67: Exploration Switching and Wireless Chapter 2 1

Common Security Attacks Security Attacks

–DHCP Snooping

•feature that determines which switch ports can respond to DHCP requests

•Trusted ports

–can source all DHCP messages

–host a DHCP server or can be an uplink toward the DHCP server

–If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down.

•untrusted ports

–can source requests only

–Not explicitly configured as trusted

Page 68: Exploration Switching and Wireless Chapter 2 1

Common Security Attacks Security Attacks

–DHCP Snooping

–configure DHCP snooping

•Enable DHCP snooping using the ip dhcp snooping global configuration command

•Enable DHCP snooping for specific VLANs using the ip dhcp snooping vlan number [number] command

•Limit the rate at which an attacker can continually send bogus DHCP requests through untrusted ports to the DHCP server using the ip dhcp snooping limit rate rate interface command.
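The three DHCP snooping steps above, together with the trusted/untrusted port distinction from the previous slide, as one complete configuration. This is an added example and not part of the original slides; VLAN 10, the uplink GigabitEthernet0/1, the access-port range and the rate of 10 packets per second are assumptions.

```cisco
! Added example (not from the original slides). VLAN 10, the uplink
! interface and the access-port range are assumptions.
S1# configure terminal
! Enable DHCP snooping globally, then for the VLAN(s) that carry clients
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
! Only the uplink toward the DHCP server is trusted: server messages
! (OFFER/ACK) arriving on any other port are dropped
S1(config)# interface GigabitEthernet0/1
S1(config-if)# description Uplink toward DHCP server
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
! Access ports stay untrusted (the default) and are rate-limited, so a
! flood of bogus DISCOVER/REQUEST messages err-disables the port
S1(config)# interface range FastEthernet0/1 - 24
S1(config-if-range)# ip dhcp snooping limit rate 10
S1(config-if-range)# exit
! Optional: re-enable rate-limited ports automatically after the
! recovery interval instead of a manual shutdown / no shutdown
S1(config)# errdisable recovery cause dhcp-rate-limit
! Caveat: the switch inserts DHCP option 82 by default; turn that off
! if the upstream server or relay rejects such requests
S1(config)# no ip dhcp snooping information option
S1(config)# end
! Verify trust state and rate limits, then the learned client bindings
S1# show ip dhcp snooping
S1# show ip dhcp snooping binding
```

The binding table built here (client MAC, IP, VLAN, port) is also what later features such as Dynamic ARP Inspection rely on, so it is worth checking that legitimate clients actually appear in it after the change.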

Page 69: Exploration Switching and Wireless Chapter 2 1

Common Security Attacks Security Attacks

–CDP Attacks

•CDP packets are sent unencrypted

•An attacker can capture the information sent via CDP

Page 70: Exploration Switching and Wireless Chapter 2 1

Common Security Attacks Security Attacks

–Telnet Attacks

•Brute Force Password Attack

–Change password frequently

–Use strong passwords

–Limit who can communicate via the vty lines

•DoS attacks

–Makes the telnet service unavailable

–Update to the newest version of IOS
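The CDP and Telnet mitigations from the last two slides, put into a configuration. This is an added example and not part of the original slides; the management subnet 10.0.0.0/24, the ACL name VTY-MGMT and the access-port range are assumptions, and the login block-for command is an IOS login-enhancement feature that is assumed to be available on the image in use.

```cisco
! Added example (not from the original slides). The management subnet,
! the ACL name and the access-port range are assumptions.
S1# configure terminal
! CDP: stop advertising device details on access ports; keep it only on
! the uplink if management tools need it ("no cdp run" disables it globally)
S1(config)# interface range FastEthernet0/1 - 24
S1(config-if-range)# no cdp enable
S1(config-if-range)# exit
! Telnet brute force: limit who can reach the vty lines with a standard
! ACL, accept SSH only, and drop idle sessions
S1(config)# ip access-list standard VTY-MGMT
S1(config-std-nacl)# permit 10.0.0.0 0.0.0.255
S1(config-std-nacl)# exit
S1(config)# line vty 0 15
S1(config-line)# access-class VTY-MGMT in
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exec-timeout 5 0
S1(config-line)# exit
! Assumed available: after 3 failed logins within 60 s, refuse further
! login attempts for 120 s (quiet period)
S1(config)# login block-for 120 attempts 3 within 60
S1(config)# end
! Verify: CDP neighbours should only be seen on the uplink,
! and the vty lines should show the ACL and SSH-only transport
S1# show cdp interface
S1# show line vty 0
```

Strong, regularly changed passwords remain the first line of defence; the ACL and the quiet period limit where a brute-force attempt can come from and how fast it can run, and transport input ssh removes the cleartext Telnet service altogether.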

Page 71: Exploration Switching and Wireless Chapter 2 1

Security Tools Network Security Audit

–reveals what sort of information an attacker can gather

–by monitoring network traffic

Monitoring network traffic

–testing against your network

–allows you to identify weaknesses

Network Security Tools Features

–Service identification

–Support of SSL services

–Non-destructive and destructive testing

–Database of vulnerabilities

Page 72: Exploration Switching and Wireless Chapter 2 1

Configuring Port Security Using Port Security to Mitigate Attacks

–limits the number of valid MAC addresses allowed on a port

–if you limit the number of secure MAC addresses to one, only the workstation with that particular secure MAC address can successfully connect to that switch port.

–once the maximum number of secure MAC addresses has been reached, a frame from a further, unknown source address causes a security violation

Secure MAC Address Types

–Static secure MAC addresses

–Dynamic secure MAC addresses

–Sticky secure MAC addresses

Page 73: Exploration Switching and Wireless Chapter 2 1

Configuring Port Security Sticky MAC Addresses

–Enable sticky learning via command switchport port-security mac-address sticky (on interface level)

•converts all the dynamic secure MAC addresses to sticky MAC addresses

•Addresses are added to the running config

–disable sticky learning by using the no switchport port-security mac-address sticky (on interface level)

•sticky secure MAC addresses remain part of the address table

•Addresses are removed from the running configuration.

–configure sticky secure MAC addresses by using the switchport port-security mac-address sticky mac-address (on interface level)

•addresses are added to the address table

•addresses are added to the running configuration

–save the sticky secure MAC addresses in the configuration file

•interface does not need to relearn these addresses

Page 74: Exploration Switching and Wireless Chapter 2 1

Configuring Port Security Security Violation Modes

–Occurs in the following situations

•The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.

•An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

–Modes which can occur

•Protect

–packets with unknown source addresses are dropped

–You are not notified that a security violation has occurred

•Restrict

–packets with unknown source addresses are dropped

–you are notified that a security violation has occurred

•Shutdown

–port security violation causes the interface to immediately become error-disabled and turns off the port LED
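The port security material from the last three slides (maximum count, sticky learning, a static secure address, the violation modes, verification and recovery) as one complete configuration. This is an added example and not part of the original slides; the interfaces FastEthernet0/18 and 0/19 are assumptions and the printer MAC address 0000.1111.2222 is constructed.

```cisco
! Added example (not from the original slides). Interface numbers are
! assumptions; the MAC address 0000.1111.2222 is constructed.
S1# configure terminal
S1(config)# interface FastEthernet0/18
! Port security is only accepted on a static access port
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
! One secure address: only that workstation can use the port
S1(config-if)# switchport port-security maximum 1
! Learn it dynamically and keep it in the running config (sticky)
S1(config-if)# switchport port-security mac-address sticky
! "restrict" drops offending frames and counts/logs the violation;
! "shutdown" (the default) err-disables the port and turns off its LED;
! "protect" drops silently and is hard to detect, so avoid it
S1(config-if)# switchport port-security violation restrict
S1(config-if)# exit
! A static secure address for a fixed device such as a printer
S1(config)# interface FastEthernet0/19
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security mac-address 0000.1111.2222
S1(config-if)# switchport port-security violation shutdown
S1(config-if)# end
! Verify: status, violation mode, violation count and the secure addresses
S1# show port-security interface FastEthernet0/18
S1# show port-security address
! Sticky addresses survive a reload only once they are saved
S1# copy running-config startup-config
! Recover a port that "shutdown" mode has err-disabled, after checking
! what was plugged in: a shutdown / no shutdown cycle clears the state
S1# configure terminal
S1(config)# interface FastEthernet0/19
S1(config-if)# shutdown
S1(config-if)# no shutdown
S1(config-if)# end
```

Restrict is the mode to prefer when an unattended port should keep serving the legitimate host while still producing a counter and syslog entry for the violation; shutdown is the right choice where a violation should stop traffic until an administrator has looked at the port.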

Page 75: Exploration Switching and Wireless Chapter 2 1

Configuring Port Security

Page 76: Exploration Switching and Wireless Chapter 2 1

Configuring Port Security

Page 77: Exploration Switching and Wireless Chapter 2 1

Configuring Port Security

Page 78: Exploration Switching and Wireless Chapter 2 1

Configuring Port Security Verify Port Security

Page 79: Exploration Switching and Wireless Chapter 2 1

Configuring Port Security Securing Unused Ports

–Navigate to each unused port and issue the Cisco IOS shutdown command

–an alternative way to shut down multiple ports at once is to use the interface range command
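The interface range method from the slide, as an added example that is not part of the original slides. It assumes that FastEthernet0/1 to 0/4 and the uplink are in use and that everything else is unused; the parking VLAN 999 is an assumption added on top of the slide, so that a port that is later re-enabled by mistake does not land in a production VLAN.

```cisco
! Added example (not from the original slides). Which ports are unused
! and the parking VLAN 999 are assumptions.
S1# configure terminal
! Assumed: an unused VLAN to park disabled ports in
S1(config)# vlan 999
S1(config-vlan)# name PARKING
S1(config-vlan)# exit
! Shut down every unused access port in one command
S1(config)# interface range FastEthernet0/5 - 24
S1(config-if-range)# description UNUSED - administratively down
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 999
S1(config-if-range)# shutdown
S1(config-if-range)# end
! Verify: unused ports should show "administratively down"
S1# show ip interface brief
S1# copy running-config startup-config
```

Note the spaces around the dash in the range (FastEthernet0/5 - 24); IOS rejects the range without them.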

Page 80: Exploration Switching and Wireless Chapter 2 1
