ccna exp3 - chapter02 - basic switch concepts and configurations

8/3/2019 CCNA Exp3 - Chapter02 - Basic Switch Concepts and Configurations

http://slidepdf.com/reader/full/ccna-exp3-chapter02-basic-switch-concepts-and-configurations 1/144

Chapter 2: Basic switch concepts

and configurations

CCNA Ex loration 4.0

Please purchase apersonal license.



Overview

Hc vin mng Bach Khoa - Website: www.bkacad.com 2



Key elements of Ethernet/802.3

networks




Media Access Control (MAC)

•MAC refers to protocols thatdetermine which computeron a shared-medium

environment, or collisiondomain, is allowed totransmit the data.•MAC, with LLC, comprises

logical bustopology and

physical star orextended star

Deterministic, Non-Deterministic


the IEEE version of the OSILayer 2•There are two broadcategories of Media AccessControl, deterministic (taking

turns) and non-deterministic(first come, first served)

topology and a

physical startopology

logical ringtopology andphysical dual-ring

topology



CSMA/CD

• CSMA/CD used withEthernet performs threefunctions:

1. Transmitting and receivingdata packets

2. Decoding data packetsand checking them for

listen-before-transmit


valid addresses beforepassing them to the upperlayers of the OSI model

3. Detecting errors withindata packets or on the

network

Transmitting&listening.



CSMA/CD

Flow chart




•After a collision occurs andall stations allow the cable tobecome idle (each waits the

full inter-frame spacing)•The stations that collidedmust wait an additional andpotentially progressively

Backoff

Randomly Backoff Time


onger per o o me e oreattempting to retransmit thecollided frame•The waiting period isintentionally designed to be

random•If the MAC layer is unable tosend the frame after 16attempts, it gives up andgenerates an error to thenetwork layer



Extra: Backoff


then reschedule their frames for retransmission. The transmitting stations dothis by generating a period of time to wait before retransmission, which isbased on a random number chosen by each station and used in that station'sbackoff calculations.

• k= min(n,10) ; n= the number of transmission attempts

• 0<= r <2^k

• The backoff delay= r* slot time



Ethernet Slot Time




Ethernet Communications




Remind




Ethernet frame structure

•At the data link layer the framestructure is nearly identical forall speeds of Ethernet from 10

Mbps to 10,000 Mbps•At the physical layer almost allversions of Ethernet aresubstantially different from


having a distinct set ofarchitecture design rules•The Ethernet II Type field isincorporated into the current

802.3 frame definition. Thereceiving node must determinewhich higher-layer protocol ispresent in an incoming frameby examining the Length/Type

field




•The Preamble is used fortiming synchronization in theasynchronous 10 Mbps andslower implementations of

Ethernet. Faster versions ofEthernet are synchronous, andthis timing information isredundant but retained for

10101011

Synchronization, Address types


compatibility•The Destination Address fieldcontains the MAC destinationaddress. It can be unicast,multicast (group), or broadcast

(all nodes)•The source address isgenerally the unicast addressof the transmitting Ethernet

node (can be virtual entity – group or multicast)




•The type value specifies theupper-layer protocol toreceive the data after

Ethernet processing iscompleted.•The length indicates thenumber of bytes of data that

Length if value < 1536 decimal,(0x600) need LLC to identify

upper protocol


.

of the Data field are decodedper the protocol indicated)•The maximum transmissionunit (MTU) for Ethernet is

1500 octets, so the datashould not exceed that size•Ethernet requires that theframe be not less than 46octets or more than 1518

octets (Pad is required if notenou h data

Type if value => 1536 decimal,

(0x600) it identify upperprotocol

4bytesCRC



Naming on Ethernet

MAC ADDRESS


•Ethernet uses MAC addresses that are 48 bits in length and expressed as12 hexadecimal digits

•Sometimes referred to as burned-in addresses (BIA) because they areburned into read-only memory (ROM) and are copied into random-access

memory (RAM) when the NIC initializes



OUI




Ethernet in full duplex

Full-duplexFull-duplexF ul l - d u pl e

F ul l - d u pl ex

Collision occurs only in half-duplex


• If the attached station is operating in full duplex then the station may

send and receive simultaneously and collisions should not occur.• Full-duplex operation also changes the timing considerations andeliminates the concept of slot time

• In half-duplex, if no collision, the sending station will transmit 64 bits(timing synchronization) preamble, DA, SA, certain other header

information, actual data payload, FCS

x



Extra: Half-duplex networks




Note

• Fast Ethernet and 10/100/1000 ports: default is auto.

• 100BASE-FX ports: default is full.

• 10/100/1000 ports operate in either half- or full-duplexmode when they are set to 10 or 100 Mb/s, but when set to1,000 Mb/s, they operate only in full-duplex mode.


• Default: when autonegotiation failsCatalyst switch setsthe corresponding switch port to half-duplex mode. Thistype of failure happens when an attached device does not

support autonegotiation.



auto-MDIX


• auto-MDIX is enabledswitch auto detects cable type can useeither a crossover or a straight-through

• The auto-MDIX feature is enabled by default on switches running CiscoIOS Release 12.2(18)SE or later. For releases between Cisco IOSRelease 12.1(14)EA1 and 12.2(18)SE, the auto-MDIX feature isdisabled by default.



MAC Addressing and Switch MAC Address Tables




Design Considerations for Ethernet/802.3Networks




Bandwidth and Throuhgput


• Bandwidth is defined as the amount of information that can flow through anetwork connection in a given period of time.

• Throughput refers to actual measured bandwidth, at a specific time of day,using specific Internet routes, and while a specific set of data is transmitted onthe network.



Collision Domains




Broadcast Domains


• The broadcast domain at Layer 2 is referred to as the MAC

broadcast domain.



Broadcast Domains - Example


When a switch receives a broadcast frame, it forwards the frame to each ofits ports, except the incoming port where the switch received the broadcastframe. Each attached device recognizes the broadcast frame and processesit.



Broadcast Domains - Example




Network Latency




Network Congestion

• The primary reason for segmenting a LAN into smaller parts is toisolate traffic and to achieve better use of bandwidth per user.

–


,

and collisions.• Causes of network congestion:

– Increasingly powerful computer and network technologies.

– Increasing volume of network traffic.

– High-bandwidth applications.



LAN Segmentation


• LANs are segmented into a number of smaller collision and broadcastdomains using routers and switches.



LAN Segmentation


S



LAN Segmentation


LAN S i



LAN Segmentation


C t lli N t k L t



Controlling Network Latency


R i N t k B ttl k



Removing Network Bottlenecks


Activity 2 1 3 2



Activity 2.1.3.2




Forwarding Frames Using a Switch


Switch Forwarding Methods



Switch Forwarding Methods


Store and Forward Switching



Store- and- Forward Switching


• Store-and-forward switching is required for Quality of Service (QoS)analysis on converged networks where frame classification for trafficprioritization is necessary.

Cut- Through Switching



Cut- Through Switching


• There are 2 variants of cut-through switching:

– Fast-forward switching - immediately forwards a packet afterreading the destination address.

– Fragment-free switching - reads the first 64 bytes of an Ethernetframe and then begins forwarding it to the appropriate port or ports

Extra: Adaptive Cut- Through



Extra: Adaptive Cut- Through


• Some switches are configured to perform cut-through switching on a

per-port basis until a user-defined error threshold is reached and thenthey automatically change to store-and-forward.

• When the error rate falls below the threshold, the port automaticallychanges back to cut-through switching.

Symmetric and Asymmetric Switching



Symmetric and Asymmetric Switching


Most current switches are asymmetric switches

because this type of switch offers the greatest flexibility.

Memory Buffering



Memory Buffering


• Port-based Memory Buffering

– A frame is transmitted to the outgoing port only when all the frames aheadof it in the queue have been successfully transmitted.

• Shared Memory Buffering – The frames in the buffer are linked dynamically to the destination port. This

allows the packet to be received on one port and then transmitted onanother port, without moving it to a different queue.

Layer 2 and Layer 3 Switching



Layer 2 and Layer 3 Switching


Layer 3 Switch and Router Comparison



Layer 3 Switch and Router Comparison


Review your understanding



y g




Switch Management Configuration


The Command Line Interface Modes




The Command Line Interface Modes




GUI-based Alternatives to the CLI




Context Sensitive Help




Console Error Messages




The Command History Buffer




Configure the Command History Buffer




Describe the Boot Sequence




Extra: Boot Loader Command Line



• During normal boot loader operation, you are not presented with theboot loader command-line prompt. You gain access to the boot loadercommand line if: – the switch is set to manually boot

– an error occurs during power-on self test (POST) DRAM testing – an error occurs while loading the operating system (a corruptedIOS image).

• You can also access the boot loader if you have lost or forgotten the


sw c passwor .

• You can access the boot loader through a switch console connection at9600 bps: – unplug the switch power cord – press the switch Mode button while reconnecting the power cord. – You can release the Mode button a second or two after the LED

above port 1 goes off. – You should then see the boot loader Switch: prompt.

• The boot loader performs low-level CPU initialization, performs POST,and loads a default operating system image into memory.

Prepare to Configure the Switch




Step 1





Step 2





Step 3



Basic Switch Configuration


Management Interface Considerations




Configure Duplex and Speed




Configure a Web Interface




Managing the MAC Address Table



show mac-address-table


The MAC address entry is automatically discarded or aged out after 300 seconds.





The 0x0100.0cdd.dddd is multicast

MAC address that used by CiscoGroup Management Protocol(CGMP)

Extra: Managing the MAC Address Table



•sw(config)#mac-address-table ?

aging-time Set MAC address table entry maximum age

notification Enable/Disable MAC Notification on the switch


s a c stat c eywor

• sw(config)#mac-address-table aging-time ?<0-0> Enter 0 to disable aging

<10-1000000> Aging time in seconds

• Rather than wait for a dynamic entry to age out, the administrator has

the option to use the privileged EXEC command: – sw# clear mac-address-table dynamic

Extra: Configuring static MAC addresses




• The reasons for assigning a permanent MAC address to an interfaceinclude: – The MAC address will not be aged out automatically by the switch. – A specific server or user workstation must be attached to the port

and the MAC address is known. – Security is enhanced.

• To set a static MAC address entry for a switch:sw(config)#mac-address-table static <mac-address of host >interface FastEthernet <Ethernet numer > vlan <vlan-id >

Show Commands




Show running-config




Show interfaces




Backing Up the Configuration




Restoring the Configuration




Back up Configuration Files to a TFTP Server




Clearing Configuration Information




Extra: Reset Default Switch Configurations




• The following steps will ensure that a new configuration willcompletely overwrite any existing configuration:

1. Remove any existing VLAN information by deleting the VLANdatabase file vlan.dat from the flash directory

2. Erase the back up configuration file startup-config

3. Reload the switch

Configure Password Options



Configure Password Options


Configure Console Access




Secure the vty Ports




Configure EXEC Mode Passwords




Encrypted, Priority than enable password

Clear text password

Configure Encrypted Passwords

After




Before

Enable Password Recovery




Extra: Switch LED indicators




utilization

Password Recovery

• Step 1. Connect a terminal or PC with terminal-emulation software toth it h l t



the switch console port.

• Step 2. Set the line speed on the emulation software to 9600 baud.

• Step 3. Power off the switch. Reconnect the power cord to the switchand within 15 seconds, press the Mode button while the System LED is


s as ng green. on nue press ng e o e u on un e ys emLED turns briefly amber and then solid green. Then release the Mode

button. – OR: enter reload command and then to press the Mode button until

the System LED turns briefly amber and then solid green.

• Step 4. Initialize the Flash file system using the flash_init command.

• Step 5. Load any helper files using the load_helper command.

Password Recovery

• Step 6. Display the contents of Flash memory using the dir flashcommand:



command:

• The switch file system appears:

Directory of flash:13 drwx 192 Mar 01 1993 22:30:48 c2960-lanbase-mz.122-25.FX

-


18 -rwx 720 Mar 01 1993 02:21:30 vlan.dat

16128000 bytes total (10003456 bytes free)

• Step 7. Rename the configuration file to config.text.old, whichcontains the password definition, using the rename flash:config.textflash:config.text.old command.

• Step 8. Boot the system with the boot command.

Password Recovery

• Step 9. You are prompted to start the setup program. Enter N at the prompt,and then when the system prompts whether to continue with the configuration



and then when the system prompts whether to continue with the configurationdialog, enter N.

• Step 10. At the switch prompt, enter privileged EXEC mode using the enablecommand.

• Step 11. Rename the configuration file to its original name using the renameflash:config.text.old flash:config.text command.


• Step 12. Copy the configuration file into memory using the copy

flash:config.text system:running-config command. After this command hasbeen entered, the follow is displayed on the console:

Source filename [config.text]?Destination filename [running-config]?

– Press Return in response to the confirmation prompts. The configurationfile is now reloaded, and you can change the password.

Password Recovery

• Step 13. Enter global configuration mode using the configure terminalcommand



command.

• Step 14. Change the password using the enable secret password

command.

• Step 15. Return to privileged EXEC mode using the exit command.


• Step 16. Write the running configuration to the startup configuration fileusing the copy running-config startup-config command.

• Step 17. Reload the switch using the reload command.

• Note: The password recovery procedure can be different depending onthe Cisco switch series, so you should refer to the productdocumentation before you attempt a password recovery.

Configure a Login Banner



• Create the local database: – sw(config)# username student password student

• Enable authentication for the console line:

– sw(config)# line console 0 – sw(config-line)# login local

• sw(config)# banner login "Authorized Personnel Only !“


Configure a MOTD Banner



• sw(config)# banner motd “This is a security system !”• sw#exit


Telnet and SSH




• Remote control tool of

switch and router• SSH encrypt data

before transmit

Configuring Telnet




Configuring SSH




Configuring SSH

• The switch supports SSHv1 or SSHv2 for the server component. Theswitch supports only SSHv1 for the client component.



• To implement SSH, you need to generate RSA keys. – Step 1. Enter global configuration mode using the configure terminal

command. – Step 2. Configure a hostname for your switch using the hostnamehostname command.

– Step 3. Configure a host domain for your switch using the ip domain-


name domain_name command.

– Step 4. Enable the SSH server for local and remote authentication on the

switch and generate an RSA key pair using the crypto key generate rsacommand.

– Step 5. Return to privileged EXEC mode using the end command. – Step 6. Show the status of the SSH server on the switch using the show ip

ssh or show ssh command.

– To delete the RSA key pair, use the crypto key zeroize rsa globalconfiguration command. After the RSA key pair is deleted, the SSH serveris automatically disabled.

Configuring the SSH Server

• Step 1. Enter global configuration mode using the configure terminalcommand.



• Step 2. (Optional) Configure the switch to run SSHv1 or SSHv2 usingthe ip ssh version [1 | 2] command.

– If you do not enter this command or do not specify a keyword, theSSH server selects the latest SSH version supported by the SSHclient. For example, if the SSH client supports SSHv1 and SSHv2,


.

• Step 3. Configure the SSH control parameters:

– Specify the time-out value in seconds: default of 10 minutes. – Specify the number of times that a client can re-authenticate to the

server. The default is 3; the range is 0 to 5 – Command: ip ssh {timeoutseconds | authentication-

retriesnumber}

Configuring the SSH Server

• St 4 R t t i il d EXEC d i th d



• Step 4. Return to privileged EXEC mode using the endcommand.

• Step 5. Display the status of the SSH server connections


command.

• Step 6. (Optional) Save your entries in the configurationfile using the copy running-config startup-config

command.

Layer 2 common security attacks




MAC Address Flooding




Spoofing Attacks



Solution: Cisco Catalyst DHCP Snooping




Config DHCP Snooping

• Step 1. Enable DHCP snooping using the ip dhcp snooping globalconfiguration command.



• Step 2. Enable DHCP snooping for specific VLANs using the ip dhcp

snooping vlan number [number ] command.

•


.defining the trusted ports using the ip dhcp snooping trust command.

• Step 4. (Optional) Limit the rate at which an attacker can continuallysend bogus DHCP requests through untrusted ports to the DHCPserver using the ip dhcp snooping limit rate rate command.

CDP Attacks




• Solution: Disable the use of CDP on devices that do not need to useit.

• (config)# no cdp run• (config-if)# no cdp enable

Telnet Attacks




Other: Working with Passwords



• Passwords should be as long and as complicated as possible. Most securityexperts believe a password of 10 characters is the minimum that should beused if security is a real concern. – use onl the lowercase letters of the al habet: have 26 characters.


– add the numeric values (0 – 9): get another 10 characters. – add the uppercase letters: have an additional 26 characters

giving you a total of 62 characters with which to construct a password.• If you used a 4 character password, this would be 62×62×62× 62, or

approximately 14 million password possibilities.• If you used 5 characters in your password, this would give you 62 to the fifth

power, or approximately 92 million password possibilities.

• If you used a 10-character password, this would give you 64 to the tenth power(a very big number) possibilities.

• The 4 digit password could probably be broken in a day, while the 10 digitpassword would take a millennium to break given current processing power.

Extra: Other Attacks




• This attack can also be mitigated using port security.





Extra: Cisco CatOS Telnet, HTTP and SSH Vulnerability

• Cisco CatOS is susceptible to a TCP-ACK Denial of Service (DoS) attack on the Telnet, HTTP andSSH service. If exploited, the vulnerability causes the Cisco CatOS running device to stop functioningand reload.




Security tools




Network Security Tools Features



Hc vi

n m

ng Bach Khoa - Website: www.bkacad.com 133

Using Port Security to Mitigate Attacks



Hc vi

n m

ng Bach Khoa - Website: www.bkacad.com 134

Type of security mac address



switchport port-security mac-address

switchport port-security mac-address sticky


Violation types




Extra: Violation types




Port security default




Config dynamic port security




Config port security sticky




Verify




Should be Disable Unused Ports




Chapter summary

ccna exp3 - chapter02 - basic switch concepts and configurations

Documents