ccna exp3 - chapter02 - basic switch concepts and configurations_dpf

8/3/2019 CCNA Exp3 - Chapter02 - Basic Switch Concepts and Configurations_dpf

1/132

Chapter 2: Basic switch concepts

an con gura ons

CCNA Exploration 4.0

1


2/132

Overview

Hc vin m ng Bach Khoa - Website: www.bkacad.com 2


3/132

Ke elements ofethernet/802.3

network



4/132


5/132

CSMA/CD

CSMA/CD used withEthernet performs three

???

unc ons:1. Transmitting and receiving

data packetslisten-before-transmit

???.

and checking them for

valid addresses beforeTransmitting&

layers of the OSI model3. Detecting errors within

data ackets or on the

.

network

???



6/132

CSMA/CD

Flow chart



7/132

Backoff

After a collision occurs andall stations allow the cable to

Randomly Backoff Time

full inter-frame spacing)The stations that collided

potentially progressivelylonger period of time beforeattempting to retransmit thecollided frameThe waiting period isintentionally designed to be

randomIf the MAC layer is unable tosend the frame after sixteen


a emp s , g ves up angenerates an error to thenetwork layer


8/132

Ethernet Communications



9/132

Remind

Layer 1: 802.3Layer 2: 802.2



10/132

Ethernet frame structure

At the data link layer the framestructure is nearly identical for all s eeds of Ethernet from 10

Mbps to 10,000 MbpsAt the physical layer almost allversions of Ethernet aresubstantially different fromone another with each speedhaving a distinct set of architecture design rulesThe Ethernet II Type field isincorporated into the current

. .receiving node must determinewhich higher-layer protocol is


by examining the Length/Typefield


11/132

Ethernet frame structureThe Preamble is used for timing synchronization in theasynchronous 10 Mbps and

Synchronization, Address types

s ower mp emen a ons oEthernet. Faster versions of Ethernet are synchronous, and

10101011

redundant but retained for

compatibilitycontains the MAC destinationaddress. It can be unicast ,multicast rou , or broadcast(all nodes)The source address isgenerally the unicast address


of the transmitting Ethernet

node (can be virtual entity group or multicast)


12/132

Ethernet frame structure

The type value specifies theupper-layer protocol toreceive the data after

Length if value < 1536 decimal,

Ethernet processing iscompleted.The length indicates the

upper protocol

number of bytes of data thatfollows this field. (so contentsof the Data field are decodedper the protocol indicated)The maximum transmissionunit ( MTU) for Ethernet is

,should not exceed that sizeEthernet requires that the4bytes


octets or more than 1518octets (Pad is required if notenou h data

Type if value => 1536 decimal,

(0x600) it identify upper protocol


13/132

Naming on Ethernet

MAC ADDRESS

12 hexadecimal digits

Sometimes referred to as burned-in addresses ( BIA) because they are


burned into read-only memory (ROM) and are copied into random-access

memory (RAM) when the NIC initializes


14/132

OUI



15/132

Ethernet in full duplex

ul l - d u pl

Collision occurs only in half-duplex

--

F ul l -

x

u pl ex

If the attached station is operating in full duplex then the station may

. -duplex operation also changes the timing considerations andeliminates the concept of slot time

-


, ,(timing synchronization) preamble, DA, SA, certain other header information, actual data payload, FCS


16/132




17/132




18/132

Note

Fast Ethernet and 10/100/1000 ports: default is auto. 100BASE-FX orts: default is full.

10/100/1000 ports operate in either half- or full-duplexmode when they are set to 10 or 100 Mb/s, but when set to, s, ey opera e on y n u - up ex mo e.

the corresponding switch port to half-duplex mode.



19/132

auto-MDIX

auto-MDIX is enabled switch auto detects cable t e

can use either a crossover or a straight-through

The auto-MDIX feature is enabled by default on switchesrunning Cisco IOS Release 12.2(18)SE or later. For releases between Cisco IOS Release 12.1 14 EA1 and12.2(18)SE, the auto-MDIX feature is disabled by default.



20/132

MAC Addressing and Switch MAC AddressTables



21/132



22/132


23/132



24/132


25/132



26/132

Bandwidth and Throuhgput



27/132

Collision Domains



28/132

Collision Domains



29/132

Broadcast Domains



30/132

Broadcast Domains - Example

When a switch receives a broadcast frame, it forwards the frame to each ofits ports, except the incoming port where the switch received the broadcastframe. Each attached device recognizes the broadcast frame and processes

.



31/132

Broadcast Domains - Example



32/132

Network Latency



33/132

Network Congestion

Causes of network con estion:

Increasingly powerful computer and networktechnologies. Increasing volume of network traffic. High-bandwidth applications.



34/132

LAN Segmentation



35/132



36/132



37/132



38/132


39/132

Removing Network Bottlenecks



40/132

Switch Packet

Forwarding Methods



41/132

Switch Packet Forwarding Methods



42/132



43/132


d h


44/132

Symmetric and Asymmetric Switching


P B d d Sh d M B ff i


45/132

Port Based and Shared Memory Buffering



46/132



47/132


L 3 S it h d R t C i


48/132

Layer 3 Switch and Router Comparison



49/132

Review you understanding


50/132

Review you understanding



51/132


The Command Line Interface Modes


52/132

The Command Line Interface Modes



53/132


GUI-based Alternatives to the CLI


54/132

GUI based Alternatives to the CLI



55/132



56/132



57/132



58/132

Console Error Messages


59/132

g



60/132

Configure the Command History Buffer


61/132

g y


Describe the Boot Sequence


62/132


Prepare to Configure the Switch


63/132

Step 1



64/132

Step 2



65/132

Step 3



66/132


Management Interface Considerations


67/132



68/132



69/132



70/132

Configure Duplex and Speed


71/132


Configure a Web Interface


72/132


Managing the MAC Address Table


73/132

- -



74/132

Show running-config


75/132


Show interfaces


76/132


Backing Up the Configuration


77/132


Restoring the Configuration


78/132



79/132

Clearing Configuration Information


80/132



81/132

Confi Password

o tions


Configure Console Access


82/132


Secure the vty Ports


83/132


Configure EXEC Mode Passwords


84/132

Clear text password

Encrypted, Priority than enable password


Configure Encrypted Passwords


85/132

After

e ore


Enable Password Recovery


86/132


Password Recovery


87/132

Step 1. Connect a terminal or PC with terminal-emulation software tothe switch console port.

Step 2. Set the line speed on the emulation software to 9600 baud.

Step 3. Power off the switch. Reconnect the power cord to the switchand within 15 seconds, press the Mode button while the System LED isstill flashing green. Continue pressing the Mode button until the SystemLED turns briefly amber and then solid green. Then release the Modebutton.

Step 4. Initialize the Flash file system using the flash_init command.


_

Password Recovery


88/132

Step 6. Display the contents of Flash memory using the dir flashcommand:

The switch file system appears:

Directory of flash: 13 drwx 192 Mar 01 1993 22:30:48 c2960-lanbase-mz.122-25.FX 11 -rwx 5825 Mar 01 1993 22:31:59 config.text 18 -rwx 720 Mar 01 1993 02:21:30 vlan.dat

y es o a y es ree

Step 7. Rename the configuration file to config.text.old, which containsthe assword definition usin the rename flash:confi .text flash:config.text.old command.

Step 8. Boot the system with the boot command.


Password Recovery

S 9 Y d h E N h d h


89/132

Step 9. You are prompted to start the setup program. Enter N at the prompt, and thenwhen the system prompts whether to continue with the configuration dialog, enter N.

. , .

Step 11. Rename the configuration file to its original name using the renameflash:config.text.old flash:config.text command.

Step 12. Copy the configuration file into memory using the copy flash:config.textsystem:running-config command. After this command has been entered, the follow isdisplayed on the console:

Source filename [config.text]?

Destination filename [running-config]?

Press Return in response to the confirmation prompts. The configuration file is nowreloaded, and you can change the password.


Password Recovery

S 13 E l b l fi i d i h fi i l


90/132

Step 13. Enter global configuration mode using the configure terminalcommand.

Step 14. Change the password using the enable secretpasswordcommand.

Step 15. Return to privileged EXEC mode using the exit command.

.using the copy running-config startup-config command.

Ste 17. Reload the switch usin the reload command.

Note: The password recovery procedure can be different depending onthe Cisco switch series so ou should refer to the roduct


documentation before you attempt a password recovery.

Configure a Login Banner


91/132



92/132

Telnet and SSH

R l l f i h d


93/132

Remote control tool of switch and router SSH encr t data before transmit


Configuring Telnet


94/132


Configuring SSH


95/132


Configuring SSH

The switch supports SSHv1 or SSHv2 for the server component The


96/132

The switch supports SSHv1 or SSHv2 for the server component. Theswitch supports only SSHv1 for the client component.

To implement SSH, you need to generate RSA keys. Step 1. Enter global configuration mode using the configure terminal

command. Step 2. Configure a hostname for your switch using thehostnamehostname command.

Step 3. Configure a host domain for your switch using the ip domain-namedomain_name command.

Ste 4. Enable the SSH server for local and remote authentication on theswitch and generate an RSA key pair using the crypto key generate rsacommand.

Step 5. Return to privileged EXEC mode using the end command. Ste 6. Show the status of the SSH server on the switch using the show ip

ssh or show ssh command.

To delete the RSA key pair, use the crypto key zeroize rsa globalconfiguration command. After the RSA key pair is deleted, the SSH server is automatically disabled.


Configuring the SSH Server

Step 1. Enter global configuration mode using the configure terminal


97/132

Step 1. Enter global configuration mode using the configure terminalcommand.

.the ip ssh version [1 | 2] command.

,SSH server selects the latest SSH version supported by the SSHclient. For example, if the SSH client supports SSHv1 and SSHv2,the SSH server selects SSHv2.

Step 3. Configure the SSH control parameters:

Specify the time-out value in seconds: default of 10 minutes.

Specify the number of times that a client can re-authenticate to theserver. The default is 3; the range is 0 to 5


Command: ip ssh {timeoutseconds | authentication-retriesnumber}.

Configuring the SSH Server


98/132

Ste 4. Return to rivile ed EXEC mode usin the endcommand.

Step 5. Display the status of the SSH server connectionson the switch using the show ip ssh or the show sshcommand.

Step 6. (Optional) Save your entries in the configuration fileusing the copy running-config startup-config command.



99/132

La er 2 common

securit attacks


Types of Attacks

MAC Address Flooding


100/132

MAC Address Flooding DHCP "starvation"




101/132




102/132




103/132



104/132



105/132


Mitigating MAC the Address Flooding


106/132

switch(config-if)#

switchport port-security

.

switch(config-if)#

switchport port-security [mac_addr]

Enable port security and set specific MAC address(H.H.H).


Mitigating MAC the Address Flooding


107/132

switch(config-if)#

switchport port-security maximum (1-132)

.

switch(config-if)#switchport port-security violation shutdown [protect |restrict | shutdown]

Set action on violation.



108/132

Mitigating MAC Spoofing Attacks - CatOS


109/132

switch> (enable)

set port security enable [mac_addr]

.

switch> (enable)

set port security mac_addr

Set MAC addresses.

switch> (enable)

set port security violation [shutdown|restrict]


Specify action to take when violation occurs.


110/132

ARP Spoofing


111/132

192.168.10.0/24..

.1!

.3.2 Attacker


Mitigating ARP Spoofing with DHCP Snoopingand DAI

f


112/132

switch(config)#

ip dhcp snooping

Enable DHCP Snoo in .

ip dhcp snooping vlan vlan_id {,vlan_id}

switch(config)#

Enable DHCP Snooping for specific VLANs.switch(config-if)#

ip dhcp snooping trust


purposes.

Mitigating ARP Spoofing with DHCP Snoopingand DAI (Cont.)

i h( fi if)#


113/132

switch(config-if)#

ip dhcp snooping limit rate rate

Set rate limit for DHCP Snoo in .


Spoofing Attacks


114/132


Solution:

Cisco Catalyst DHCP SnoopingP S i F l i hi d l


115/132

Port Securit Features later in this module


Solution: Cisco Catalyst DHCP Snooping


116/132


Config DHCP Snooping

Step 1. Enable DHCP snooping using the ip dhcp snooping globalconfiguration command.


117/132

Step 2. Enable DHCP snooping for specific VLANs using the ip dhcpsnooping vlan number [number] command.

Step 3. Define ports as trusted or untrusted at the interface level bydefining the trusted ports using the ip dhcp snooping trust command.

Step 4. (Optional) Limit the rate at which an attacker can continuallysend bogus DHCP requests through untrusted ports to the DHCPserver using the ip dhcp snooping limit raterate command.


CDP Attacks


118/132


Solution

Disable the use of CDP on devices that do not need to useit.


119/132

it.


Telnet Attacks


120/132


Security tools


121/132


Network Security Tools Features


122/132


Using Port Security to Mitigate Attacks


123/132


Type of security mac address


124/132

switch ort ort-securit mac-address

switchport port-security mac-address sticky


Violation types


125/132


Port security default


126/132


Config dynamic port security


127/132


Config port security sticky


128/132


Verify


129/132


Verify


130/132


Should be Disable Unused Ports


131/132


Chapter summary


132/132


ccna exp3 - chapter02 - basic switch concepts and configurations_dpf

Documents