Lecture Notes

Upload: showshang

Post on 23-Nov-2014

CCNA Exploration-3 LAN Switching And Wireless

CHAPTER-1 LAN DESIGN

1.1 Switched LAN Architecture

1.1.1 The Hierarchical Network Model

A hierarchical network is easier to manage and expand, and problems are solved more quickly. The network is divided into discrete layers; each layer provides specific functions that define its role within the overall network. The typical hierarchical design model is broken up into three layers: access, distribution and core.

Access Layer
- Interfaces with the end devices (PCs, printers, switches, IP telephones, etc.).
- Controls which devices are allowed to communicate over the network.

Distribution Layer
- Aggregates the traffic coming from the access layer.
- Controls the traffic flow according to the policies (ACLs).
- Divides the network into multiple segments by VLANs.
- Routes traffic between VLANs.
- Typically high performance switches.
- Uses redundant links.

Core Layer
- High speed backbone of the network.
- Allows interconnectivity of the distribution layer switches.
- High availability (redundant links).
- Usually connects to the Internet.

In smaller networks the distribution layer and core may be combined.

Benefits of a Hierarchical Network
- Scalability: can be expanded quickly.
- Redundancy: redundant links.
- Performance: link aggregation between layers.
- Security: port security at the access layer and policies at the distribution layer.
- Manageability: consistent configuration of switches at each layer.
- Maintainability: modular design allows easy maintainability. Switch selection is easy.

1.1.2 Principles of Hierarchical Network Model

Just because a network seems to have a hierarchical design does not mean that the network is well designed.

Hierarchical Network Design Principles:
- Network Diameter: the number of devices that a packet has to cross before it reaches its destination. It should be kept small to keep latency low (each switch processes the frame). In a hierarchical network, the network diameter is always a predictable number of hops between the source and destination devices.
- Bandwidth Aggregation: allows multiple switch port links to be combined to achieve higher throughput between switches.
- Redundant Links: adding redundant links between the switches increases availability.

Design requirements, such as the level of performance or redundancy necessary, are determined by the business goals of the organization.

1. Determine the number of access layer switches,
2. Determine the number of distribution layer switches and redundancy,
3. Determine the number of core layer switches.

1.1.3 What is a Converged Network?

Convergence is the process of combining voice and video communications on a data network. Converged networks were only feasible in large enterprise organizations:
- Expensive hardware
- Extensive management (Quality of Service: classification and prioritization of data)
- Analog equipment is still used

With advances in technology, converged networks are now:
- Easier to implement and manage
- Less expensive

So they are becoming popular in small and medium sized businesses.

Benefits of using a converged network
- There is just one network to manage => lower management costs.
- No need for three sets of expensive wiring.
- Allows telephone and video conferencing to be integrated on a PC.

1.2 Matching Switches to Specific LAN Functions

1.2.1 Considerations for Hierarchical Network Switches

Traffic Flow Analysis
- Traffic Flow Analysis Tools

User Communities Analysis
- Affects port density and traffic flow.
- End users are grouped according to their job function, because they require similar access to resources and applications.
- Future Growth: addition of new users => scalable and modular switches.

Data Stores and Data Servers Analysis
- Client-server traffic => locating the data storage and servers close to the users (small network diameter).
- Server-server traffic => locating the servers close to each other, typically in a datacenter, and choosing high performance switches.

Topology Diagrams: graphical representation of a network infrastructure.
- Shows how all switches are interconnected.
- Displays any redundant paths or aggregated ports.
- Allows possible bottlenecks to be identified visually.
- It should be documented during the design of a network.

1.2.2 Switch Features

Fixed Configuration Switches:
- The ports are fixed and cannot be changed.

Modular Switches:
- Allow installation of modular line cards (interfaces).
- Different sized chassis options.
- The larger the chassis, the more modules it can support.

Stackable Switches:
- Allow interconnection with a special backplane cable.
- All operate as a single switch.
- Used where fault tolerance and bandwidth availability are critical.

When selecting a switch consider:
- Port Density: number of ports.
  o Fixed configuration switches have up to 48 ports.
  o Modular switches can support 1000+ ports on a single device (saves space and improves performance).
- Forwarding Rates: how much data the switch can process per second.
  o Switches with low forwarding rates may not operate at full wire speed on all ports simultaneously.
  o At the distribution and core layers, the forwarding rate is more important.
- Link Aggregation
  o A single uplink port may not be sufficient to handle uplink traffic, resulting in a bottleneck.
  o Up to eight switch ports can be bound together (EtherChannel).
- Power over Ethernet (PoE)
  o Delivers power over existing Ethernet cabling.
  o No need for external power.
  o Useful for wireless Access Points and IP Phones.
- Layer 3 Functions (multilayer switches)
  o Switches normally operate at OSI Layer 2.
  o Some switches have some Layer 3 functionality.
  o Security policies can be implemented.
  o Layer 3 routing can be implemented.

1.2.3 Switch Features in a Hierarchical Network

Access Layer Switch Features
Used for connection of the end devices to the network. Needs to support these features:
- Port security: how many/which devices are allowed to connect.
- VLANs: traffic may need to be separated into different VLANs.
- Fast/Gigabit Ethernet: port speed needs to be decided.
- PoE: power may need to be carried over Ethernet cabling.
- Link Aggregation: uplink bandwidth may need to be increased.
- Quality of Service (QoS): different types of traffic may need to be prioritized.

Distribution Layer Switch Features
They collect the data from all the access layer switches and forward it to the core layer switches.
- Layer 3 support: inter-VLAN routing (traffic coming from a VLAN may need access to other VLANs).
- High forwarding rate.
- Gigabit/10 Gigabit Ethernet support.
- Redundant Components: usually installed in pairs. Hot swappable power supplies, modules, etc.
- Security Policies/Access Control Lists: instead of using ACLs on every access layer switch in the network, they are defined on the fewer distribution layer switches, making management of the ACLs much easier.
- Link Aggregation.
- Quality of Service (QoS): prioritization of traffic coming from the access layer. All devices on the path must support QoS.

Core Layer Switch Features
- Layer 3 support
- Very high forwarding rate
- Gigabit/10G Ethernet support
- Redundant components
- Link Aggregation
- Quality of Service (QoS)

1.2.4 Switches for Small and Medium Sized Businesses (SMB)

The features of Cisco Catalyst switches:
- Catalyst Express 500
- Catalyst 2960
- Catalyst 3560
- Catalyst 3750
- Catalyst 4500
- Catalyst 4900
- Catalyst 6500

1.3 Chapter Labs

CCNA Exploration-3 LAN Switching And Wireless

CHAPTER-2 Basic Switch Concepts And Configuration

2.1 Introduction to Ethernet/802.3 LANs

2.1.1 Key Elements of Ethernet/802.3 Networks

CSMA/CD
- Carrier Sense
- Multi-access
- Collision Detection
- Jam Signal and Random Backoff

Ethernet Communications
- Unicast
- Broadcast
- Multicast

Ethernet Frame (the figure)

MAC Address (the figure)

Duplex Setting
- Half Duplex
- Full Duplex

Switch Port Settings
- Auto
- Half
- Full

auto-MDIX (automatic medium-dependent interface crossover)
- Enabled by default on IOS 12.2(18); disabled on earlier versions.

MAC Addressing and Switch MAC Address Tables
1. When a switch receives a frame, it records the source MAC address in its MAC table with the port number where it received the frame.
2. When it finds the destination MAC in its table, it forwards the frame out of that port only.
3. When the destination MAC address is not found in the table, it floods the frame out of all ports except the one it received it from.

2.1.2 Design Considerations for Ethernet/802.3 Networks

Bandwidth and Throughput
- A major disadvantage of Ethernet 802.3 networks is collisions.
- Full bandwidth is available only after any collisions have been resolved.
- The net throughput of the port (the average data that is effectively transmitted) will be considerably reduced as a function of how many other nodes want to use the network.
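The three MAC-table steps from 2.1.1 (learn the source, forward a known destination out of one port, flood an unknown destination) as an added example that is not part of the lecture notes; it also applies the 300 s default ageing of dynamic entries mentioned later in 2.3.6. The MAC addresses, port names and timestamps are constructed.

```python
"""Added example (not from the lecture notes): a minimal model of the switch
MAC address table described in 2.1.1, plus the 300 s ageing of dynamic entries.
All MAC addresses, port names and timestamps below are constructed."""

AGE_OUT_SECONDS = 300          # default ageing time for dynamic entries (see 2.3.6)
BROADCAST = "ff:ff:ff:ff:ff:ff"


class SwitchMacTable:
    def __init__(self, ports, age_out=AGE_OUT_SECONDS):
        self.ports = list(ports)
        self.age_out = age_out
        self.table = {}            # mac -> (port, last_seen)

    def _age(self, now):
        # Drop dynamic entries that have not been refreshed within the ageing time.
        stale = [m for m, (_, seen) in self.table.items() if now - seen > self.age_out]
        for mac in stale:
            del self.table[mac]

    def receive(self, in_port, src_mac, dst_mac, now):
        """Return the list of egress ports for a frame received on in_port."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        self._age(now)
        # Step 1: learn (or refresh) the source MAC on the ingress port.
        self.table[src_mac] = (in_port, now)
        # Step 2: known unicast destination -> forward out of that port only.
        if dst_mac != BROADCAST and dst_mac in self.table:
            out_port, _ = self.table[dst_mac]
            # A destination that sits on the ingress port is filtered, not sent back.
            return [] if out_port == in_port else [out_port]
        # Step 3: unknown destination or broadcast -> flood out of every other port.
        return [p for p in self.ports if p != in_port]

    def lookup(self, mac):
        """Port an address is currently learned on, or None."""
        entry = self.table.get(mac)
        return entry[0] if entry else None


def demo():
    sw = SwitchMacTable(["Fa0/1", "Fa0/2", "Fa0/3"])
    a, b, c = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"
    first = sw.receive("Fa0/1", a, b, now=0)      # b unknown: flooded
    reply = sw.receive("Fa0/2", b, a, now=1)      # a known: sent to Fa0/1 only
    stale = sw.receive("Fa0/3", c, a, now=400)    # a aged out: flooded again
    return first, reply, stale
```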

Collision Domains
- Creating more collision domains increases the throughput.

Broadcast Domains
- Switches always forward broadcast frames.
- A collection of interconnected switches forms a single broadcast domain.
- Routers and VLANs are used to segment both collision and broadcast domains.

Network Latency
Latency is the time a frame or a packet takes to travel from the source station to the final destination.
1. NIC delay: the time it takes the source NIC to place voltage pulses on the wire.
2. Propagation delay: the time it takes a signal to travel through the cable.
3. Networking device delay: each networking device adds to the total latency.

Network Congestion
The primary reason for segmenting a LAN into smaller parts is to isolate traffic and to achieve better use of bandwidth per user. The following contribute to network congestion:
- Increasingly powerful computer and network technologies.
- Increasing volume of network traffic.
- High-bandwidth applications.

LAN Segmentation
- Using bridges and switches
- Using routers

2.1.3 LAN Design Considerations

Controlling Network Latency
- Consider the latency caused by each device on the network.
- The use of higher layer devices can also increase latency on a network.

Removing Bottlenecks
- Increasing bandwidth
- Adding more connections
- Link aggregation

2.2 Forwarding Frames using a Switch

2.2.1 Switch Forwarding Methods

Store-and-Forward Switching
1. Stores the entire frame in its buffers.
2. Checks the CRC.
3. If no error is detected, searches the MAC table, and
4. forwards the frame.
5. QoS mechanisms require store-and-forward switching.
6. Slow (high latency) and high integrity.

Cut-through Switching

Fast-Forward switching:
1. As soon as the destination MAC address is read, the switch
2. looks up the destination MAC in the table,
3. starts forwarding the frame.
4. No error checking can be performed.
5. Fast (low latency) and low integrity.

Fragment-free switching:
1. The switch reads the first 64 bytes of a frame (collision?).
2. Then forwards the frame.
3. Compromise between store-and-forward and cut-through.
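The three forwarding methods above applied to one constructed frame, as an added example that is not part of the lecture notes: only store-and-forward catches a corrupted FCS, and only fragment-free and store-and-forward hold back a collision fragment shorter than 64 bytes. The frame contents and the MAC table are constructed; the FCS is the Ethernet CRC-32, which zlib.crc32 computes.

```python
"""Added example (not from the notes): the three forwarding methods of 2.2.1
applied to the same constructed frame, showing which ones catch a corrupted
frame. The FCS is the Ethernet CRC-32 (zlib.crc32 uses the same polynomial)."""
import zlib

MIN_FRAME = 64   # bytes: the runt threshold that fragment-free switching waits for


def build_frame(dst, src, payload, ethertype=0x0800):
    """Constructed frame: header + payload padded to the 46-byte minimum + FCS."""
    body = dst + src + ethertype.to_bytes(2, "big") + payload.ljust(46, b"\x00")
    fcs = zlib.crc32(body).to_bytes(4, "little")   # Ethernet transmits the CRC little-endian
    return body + fcs


def fcs_ok(frame):
    """Recompute the CRC over everything but the trailing FCS and compare."""
    return zlib.crc32(frame[:-4]) == int.from_bytes(frame[-4:], "little")


def store_and_forward(frame, mac_table):
    """Buffer the whole frame, check the CRC, then look up the destination."""
    if not fcs_ok(frame):
        return "drop: CRC error"
    return "forward: " + mac_table.get(frame[0:6], "flood")


def fast_forward(frame, mac_table):
    """Decide as soon as the 6-byte destination MAC has been read; no CRC check."""
    return "forward: " + mac_table.get(frame[0:6], "flood")


def fragment_free(frame, mac_table):
    """Wait for the first 64 bytes (a collision fragment is shorter), then forward."""
    if len(frame) < MIN_FRAME:
        return "drop: runt (collision fragment)"
    return "forward: " + mac_table.get(frame[0:6], "flood")


def demo():
    table = {bytes.fromhex("001122334402"): "Fa0/2"}     # constructed MAC table
    good = build_frame(bytes.fromhex("001122334402"), bytes.fromhex("001122334401"), b"hello")
    bad = bytearray(good)
    bad[20] ^= 0x01            # flip one payload bit: the FCS no longer matches
    bad = bytes(bad)
    runt = good[:40]           # a collision fragment, shorter than 64 bytes
    return {
        "store_and_forward": [store_and_forward(f, table) for f in (good, bad, runt)],
        "fast_forward": [fast_forward(f, table) for f in (good, bad, runt)],
        "fragment_free": [fragment_free(f, table) for f in (good, bad, runt)],
    }
```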

2.2.2 Symmetric And Asymmetric Switching

LAN switching may be classified as:

Asymmetric Switching
- Switch ports have different bandwidth connections.
- Memory buffering is required.
- Uses store-and-forward switching.

Symmetric Switching
- All switch ports have the same bandwidth connections.

2.2.3 Memory Buffering
- To store frames before forwarding them.
- When the destination port is busy.

Port-based Memory Buffering
- Frames are stored in queues that are linked to specific incoming ports.
- A frame is transmitted to the outgoing port only when all the frames ahead of it in the queue have been successfully transmitted.
- A single frame may delay all other frames.

Shared Memory Buffering
- All frames are stored in a shared memory buffer.
- The amount of memory required by a specific port is dynamically allocated.

2.2.4 Layer-2 and Layer-3 Switching

Layer-2 LAN Switching
- Performs switching and filtering based only on the OSI Data Link layer (Layer 2) MAC address.

Layer-3 LAN Switching
- May also use IP addresses to filter and forward traffic.
- Can also learn which IP addresses are associated with which ports.
- Can also perform routing.

2.3 Switch Management Configuration

2.3.1 Navigating Command-Line Interface Modes

The Command Line Interface Modes

- User EXEC: limited number of basic monitoring commands.
- Privileged EXEC: all device commands including configuration and management. Can be password protected.

Navigating Configuration Modes

Switch> enable                  (to enter privileged mode from user EXEC)
Switch#
Switch# disable                 (to return to the user EXEC mode)

Global Configuration Mode: to configure global switch parameters

Switch# config t
Switch(config)#

Interface Configuration Mode

Switch(config)# interface <interface name>
Switch(config-if)#
Switch(config-if)# exit
Switch(config)#

GUI-based Alternatives to the CLI
Simplified switch configuration and management:
- Cisco Network Assistant
- CiscoView Application
- Cisco Device Manager
- SNMP Network Management

2.3.2 Using The Help Facility

Context Sensitive Help (the figure)

Console Error Messages (the figure)

2.3.3 Accessing the Command History

The Command History Buffer

switch# show history

Configure the Command History Buffer

switch# terminal history                (to enable history)
switch# terminal history size <size>
switch# terminal no history             (to disable history)

2.3.4 The Switch Boot Sequence

After a Cisco switch is turned on:
1. The switch first loads the Boot Loader from NVRAM.
2. The boot loader:
   a. Performs low level CPU initialization
   b. Performs the power-on self-test (POST)
   c. Initializes the flash file system on the system board
   d. Loads a default OS image and boots the switch
3. The OS then initializes the interfaces using the IOS commands found in config.text stored in the switch flash memory.

Recovering from a System Crash
The boot loader:
- Provides access to the switch files if the OS crashes.
- Has its own command line facility.
- Can be used to initialize the flash file system and reinstall the OS.
- Can recover a lost or forgotten password.

2.3.5 Prepare to Configure the Switch
- Connect to the switch
- Configure HyperTerminal
- Observe the boot sequence

2.3.6 Basic Switch Configuration

Management Interface Considerations
To manage a switch remotely using TCP/IP, it needs to be configured with:
- An IP address
- A subnet mask
- A default gateway

Assigning an IP address:
1. The IP address is assigned to a virtual interface that is a part of a virtual LAN (VLAN).
2. VLAN 1 is the default management VLAN (it should be changed).
3. Then the management VLAN must be assigned to one (or more) physical interfaces.

switch(config)# int vlan <vlan_no>
switch(config-if)# ip address <IP_Addr> <subnet_mask>
switch(config)# int <physical interface name>
switch(config-if)# switchport mode access
switch(config-if)# switchport access vlan <vlan_no>

Configure a Default Gateway (global configuration mode)

switch(config)# ip default-gateway <IP_Address>

Verify Configuration

switch# show running-config
switch# show ip interface brief

Configure Duplex and Speed (show figure)

Configure a Web Interface
If a web based configuration tool will be used, then the switch must be configured as an HTTP server. Authentication methods (optional):
- Enable (using the enable password to access the web interface)
- Local (using a local username-password pair configured on the local switch)
- TACACS (using a separate authentication server)

S1(config)# ip http authentication <auth_method>
S1(config)# ip http server

Managing the MAC Address Table

switch# show mac-address-table

- Dynamic addresses
  o Learned by the switch by recording the source MAC addresses and their ports.
  o Age out (are dropped) after 300 sec (default).
- Static Addresses
  o Entered by the network administrator.
  o switch(config)# mac-address-table static <MAC_Addr> vlan <vlan_no> interface <int_id>

2.3.7 Verifying Switch Configuration

Using the show commands:

show running-config
show startup-config
show interfaces

2.3.8 Basic Switch Management

Backing up a Configuration

copy system:running-config flash:startup-config
copy startup-config flash:config.bak1          (saving the config to another file)

Restoring a Configuration

copy flash:config.bak1 startup-config
reload

Back up Configuration Files to a TFTP Server
Make sure a TFTP server is running on your network and accessible.

switch# copy nvram:startup-config tftp:[[[//location]/directory]/filename]

Restoring Configuration Files from a TFTP Server

switch# copy tftp:[[[//location]/directory]/filename] nvram:startup-config

Clearing Configuration Information

switch# erase nvram

To delete any configuration file:

switch# delete flash:filename

2.4 Configuring Switch Security

2.4.1 Configure Password Options
- Secure the Console
- Secure the vty Ports
- Configure EXEC Mode Passwords
- Configure Encrypted Passwords
- Enable Password Recovery

2.4.2 Login Banners

switch# conf t
switch(config)# banner login "Authorized Personnel Only"

2.4.3 Configure Telnet and SSH

Two choices that can be used to remotely access Cisco switches:

Telnet
- Default vty-supported protocol on Cisco switches.
- Supported also on older Cisco switches.
- Sends the communication in clear text => not secure.

SSH
- Sends the communication in encrypted form => secure.
- An SSH client on the client computers and an SSH server on the switch must be running.
- SSH supports different encryption standards such as DES, 3DES and RSA.
- To configure SSH, the encryption keys must be generated on the switch (server).

Configuring Telnet

switch(config)# line vty 0 15
switch(config-line)# transport input telnet

Configuring SSH

switch(config)# ip domain-name <domain-name>
switch(config)# crypto key generate rsa
switch(config)# ip ssh version 2
switch(config)# line vty 0 15
switch(config-line)# transport input ssh

2.4.4 Common Security Attacks

MAC Address Flooding
Filling the MAC address table by bombarding the switch with many MAC-IP address pairs. The switch then starts to act like a hub, flooding all frames. (Show figure)

Spoofing Attacks
Using a fake DHCP server, an attacker can redirect all traffic to a specific host, obtaining and possibly altering the information in the packets.

DHCP Snooping
A Cisco feature to avoid spoofing attacks. All ports can request a DHCP service, however only the trusted ports can reply to DHCP requests.

switch(config)# ip dhcp snooping                      (enable the feature globally)
switch(config)# ip dhcp snooping vlan <vlan_no>
switch(config-if)# ip dhcp snooping trust
switch(config-if)# ip dhcp snooping limit rate <rate>

CDP Attacks
Cisco Discovery Protocol is used to discover directly connected Cisco devices and share information such as:
- IOS version
- IP addresses
- VLAN information
CDP is enabled by default; however, CDP should be turned off when not needed.

Telnet Attacks
- Brute Force Password Attack
  o An attacker tries to guess the password with some software.
  o Choosing a strong password and changing it frequently may make it difficult.
- DoS Attack
  o An attacker may use a flaw in the Telnet server to make the service unavailable.
  o Security patches are available to avoid this.

2.4.5 Security Tools
Network security tools help you test your network for various weaknesses. They are tools that allow you to play the roles of a hacker and a network security analyst.

Network Security Audit
- After a MAC table attack, a security audit reveals what sort of information an attacker can gather simply by monitoring network traffic.

Network Penetration Testing
- This allows you to identify weaknesses within the configuration of your networking devices.

Network Security Tools Features

2.4.6 Configuring Port Security

Secure MAC Address Types:
- Static secure MAC addresses:
  o The addresses are entered in the MAC table and added to the running-config.
  o switchport port-security mac-address <mac-address>
- Dynamic secure MAC addresses:
  o MAC addresses are dynamically learned and stored only in the MAC table.
  o switchport port-security
- Sticky secure MAC addresses:
  o Dynamically learned and added to the running-config.
  o switchport port-security mac-address sticky

Security Violation Modes
When the number of secure MAC addresses reaches the limit allowed on the port:
- Protect: drops the packets with unknown source addresses until the violation ends.
- Restrict: drops the packets with unknown source addresses until the violation ends. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
- Shutdown: the interface immediately becomes error-disabled and turns off the port. It also sends an SNMP trap, logs a syslog message, and increments the violation counter.

Default Port Security Configuration
- Port security = disabled on a port
- Max number of secure addresses = 1
- Violation mode = shutdown
- Sticky = disabled

Verify Port Security Settings

show port-security [interface <int-id>]
show port-security address
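The three violation modes and the sticky option from 2.4.6, modelled on the default settings listed above (maximum 1 secure address, violation mode shutdown), as an added example that is not part of the lecture notes. The port name, the MAC addresses and the wording of the log line are constructed; they are not IOS output.

```python
"""Added example (not from the notes): a model of the port-security behaviour
in 2.4.6 using the default settings listed above. Port names, MACs and the log
line text are constructed and only stand in for what the switch would emit."""


class SecurePort:
    def __init__(self, name, maximum=1, violation="shutdown", sticky=False):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(f"unknown violation mode {violation}")
        self.name, self.maximum, self.violation, self.sticky = name, maximum, violation, sticky
        self.secure_macs = []       # learned or configured secure addresses
        self.running_config = []    # lines that static / sticky learning would add
        self.err_disabled = False
        self.violation_count = 0
        self.log = []               # stand-in for the syslog message / SNMP trap

    def add_static(self, mac):
        """switchport port-security mac-address <mac>"""
        if mac not in self.secure_macs:
            self.secure_macs.append(mac)
            self.running_config.append(f"switchport port-security mac-address {mac}")

    def ingress(self, src_mac):
        """Return 'forward' or 'drop' for a frame arriving with src_mac."""
        if self.err_disabled:
            return "drop"                     # shutdown mode has already disabled the port
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            # Learn dynamically; sticky additionally writes it into the running-config.
            self.secure_macs.append(src_mac)
            if self.sticky:
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        return self._violate(src_mac)

    def _violate(self, src_mac):
        if self.violation == "protect":
            return "drop"                     # silently dropped, nothing logged or counted
        self.violation_count += 1             # restrict and shutdown both log and count
        self.log.append(f"port-security violation on {self.name} from {src_mac}")
        if self.violation == "shutdown":
            self.err_disabled = True          # interface goes error-disabled
        return "drop"


def demo(mode):
    """Two hosts on a port that allows only one: the second one triggers the violation."""
    port = SecurePort("Fa0/5", violation=mode)
    a, b = "00:aa:aa:aa:aa:01", "00:aa:aa:aa:aa:02"
    decisions = [port.ingress(a), port.ingress(b), port.ingress(a)]
    return decisions, port.violation_count, port.err_disabled
```

Note the difference in the third frame: under protect and restrict the legitimate host keeps working, under shutdown the port stays down until an administrator re-enables it.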

2.4.7 Securing Unused Ports

Disable Unused Ports: shutdown

2.5 Chapter Labs

CCNA Exploration-3 LAN Switching And Wireless

CHAPTER-3 VLANs

3.1 Introducing VLANs

3.1.1 Introducing VLANs

Before VLANs
- All computers are in the same LAN.
- Computers that belong to the same group can be spread over multiple buildings.
- These computers share the same security and resource needs.

VLAN Overview
A VLAN allows a network administrator to create groups of logically networked devices that act as if they are on their own independent network, even if they share a common infrastructure with other VLANs.

VLAN Details
- A VLAN is a separate IP subnet.
- Each computer on the same VLAN must be assigned an IP address within the same subnet.
- By using VLANs, more than one subnet can be used on a single switch.
- First the VLANs must be configured on the switch,
- then the ports must be added to the VLANs.

Benefits of a VLAN
- Security
- Cost Reduction
- Higher Performance
- Broadcast storm mitigation
- Improved IT staff efficiency
- Simpler project or application management

VLAN ID Ranges
- Normal Range VLANs: used by small to medium organizations
  o 1 to 1005
  o 1002 - 1005 reserved for Token Ring and FDDI networks
  o VLAN 1 and 1002 - 1005 are automatically created and cannot be removed.
  o Stored in the vlan.dat file in flash memory
- Extended Range VLANs: designed for service providers
  o 1006 to 4096
  o Have fewer features than normal range VLANs.
  o Stored in the running configuration file

A Cisco Catalyst switch can support up to 255 VLANs.

3.1.2 Types of VLANs
There are a number of terms for VLANs. Some terms define the type of network traffic they carry and others define a specific function a VLAN performs.

Data VLAN
- A VLAN that carries only user generated traffic.
- A VLAN carrying voice or management traffic is NOT a data VLAN.

Default VLAN
- All interfaces of a switch become part of the default VLAN after the initial bootup process (same broadcast domain).
- VLAN 1 is the default VLAN.
- VLAN 1 cannot be renamed or deleted.
- CDP and STP use VLAN 1.

Native VLAN
- A native VLAN is assigned to an 802.1Q trunk port.
- A trunk port supports both tagged traffic (coming from VLANs) and untagged (non-VLAN) traffic.
- The trunk port places untagged traffic on the native VLAN.
- The default native VLAN is VLAN 1 (should be changed).

Management VLAN
- Any VLAN you configure to access the management capabilities of a switch.
- The default management VLAN is VLAN 1.
- Assign an IP address and subnet mask for this VLAN.

Voice VLAN
- A separate VLAN assigned for voice traffic only.

Network Traffic Types
- Network Management and Control Traffic: CDP, SNMP, etc.
- IP Telephony:
  o Signalling
  o Voice
- IP Multicast: IP TV, radio, etc.
- Normal Data: e-mail, database transactions, print services, etc.
- Scavenger Class: P2P applications, gaming, etc.

3.1.3 Switch Port Membership Modes
Switch ports belong to one or more VLANs. A port can be configured to support these VLAN types:
- Static VLAN: switch ports are manually configured to be a member of a VLAN.
- Dynamic VLAN: VLAN membership is configured dynamically based on the MAC address of the device, using a special server called a VLAN Membership Policy Server (VMPS).
- Voice VLAN: a port is configured to be in voice mode so that it can support an IP phone attached to it.
  o Both a voice VLAN and a data VLAN need to be configured.
  o S3(config-if)# mls qos trust cos
  o S3(config-if)# switchport voice vlan <vlan_id>

3.1.4 Controlling Broadcast Domains with VLANs

Network Without VLANs: one broadcast domain.

Network with VLANs:
- Intra-VLAN Communication: communication within a VLAN. (Show the animation)
- Inter-VLAN Communication: communication between VLANs. (Show the animation)

Controlling Broadcast Domains with VLANs and Layer 3 Forwarding
Switches that support Layer 3 routing are called Layer 3 switches.

SVI (Switch Virtual Interface)
- A logical interface configured for a specific VLAN.
- By default an SVI is created for the default VLAN (VLAN 1).

Layer 3 Forwarding
Show the animation: PC1 on VLAN 10 communicates with PC5 on VLAN 20.

3.2 VLAN Trunking

3.2.1 VLAN Trunks

Definition of a VLAN Trunk:
- A VLAN trunk is a point-to-point link between two network devices that carries more than one VLAN.
- It allows you to extend the VLANs across an entire network.
- Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet and Gigabit Ethernet interfaces.

802.1Q Frame Tagging
- The original Ethernet frame header does not contain VLAN information.
- An 802.1Q VLAN header adds a tag to the original Ethernet frame specifying the VLAN to which the frame belongs.

Tagged Frames on the Native VLAN
- When a switch trunk port receives a frame tagged with the native VLAN ID, it is dropped.
- Devices should not tag control traffic destined for the native VLAN.

Untagged Frames on the Native VLAN
- When a Cisco switch trunk port receives untagged frames, it forwards those frames to the native VLAN.
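The tag insertion and the two native-VLAN rules from 3.2.1 (untagged frames land on the native VLAN; a frame tagged with the native VLAN ID is dropped) as an added example that is not part of the lecture notes; it also applies the allowed-VLAN list that 3.3.4 and 3.4.1 refer to. The frame, the MAC addresses and the VLAN numbers are constructed.

```python
"""Added example (not from the notes): inserting and removing the 802.1Q tag on a
trunk and classifying frames with the native-VLAN rules of 3.2.1. MAC addresses,
VLAN numbers and the allowed list are constructed."""
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag


def add_tag(frame, vlan_id, pcp=0):
    """Insert the 4-byte tag (TPID + TCI) between the source MAC and the EtherType."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    tci = (pcp << 13) | vlan_id                       # 3-bit priority, DEI left 0, 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def read_tag(frame):
    """Return (vlan_id, pcp) if the frame carries an 802.1Q tag, else None."""
    tpid = struct.unpack("!H", frame[12:14])[0]
    if tpid != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, tci >> 13


def strip_tag(frame):
    """Remove the tag, restoring the original untagged frame."""
    return frame[:12] + frame[16:]


def trunk_ingress(frame, native_vlan, allowed):
    """Classify a frame arriving on an 802.1Q trunk port.
    Returns (vlan_id, untagged_frame), or None when the frame is dropped."""
    tag = read_tag(frame)
    if tag is None:
        return native_vlan, frame             # untagged -> placed on the native VLAN
    vlan_id, _ = tag
    if vlan_id == native_vlan:
        return None                           # tagged with the native VLAN ID -> dropped
    if vlan_id not in allowed:
        return None                           # not in the allowed list of this trunk
    return vlan_id, strip_tag(frame)


def trunk_egress(frame, vlan_id, native_vlan):
    """Frames of the native VLAN leave untagged; every other VLAN gets a tag."""
    return frame if vlan_id == native_vlan else add_tag(frame, vlan_id)


def demo():
    dst, src = bytes.fromhex("001122334402"), bytes.fromhex("001122334401")
    plain = dst + src + b"\x08\x00" + b"payload".ljust(46, b"\x00")   # constructed frame
    native, allowed = 99, {10, 20, 99}
    return [
        trunk_ingress(plain, native, allowed),              # untagged -> VLAN 99
        trunk_ingress(add_tag(plain, 10), native, allowed), # tagged 10 -> VLAN 10
        trunk_ingress(add_tag(plain, 99), native, allowed), # tagged with native ID -> dropped
        trunk_ingress(add_tag(plain, 30), native, allowed), # not allowed -> dropped
        read_tag(trunk_egress(plain, 20, native)),          # leaves tagged as VLAN 20
        trunk_egress(plain, 99, native) == plain,           # native VLAN leaves untagged
    ]
```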

3.2.2 Trunking Operation
Show the animation

3.2.3 Trunking Modes

Two types of trunks:
- IEEE 802.1Q (used today)
  o Both tagged and untagged frames are supported.
- ISL (Cisco Inter-Switch Link)
  o All frames must be tagged with an ISL header. Non-tagged frames are dropped.

DTP (Dynamic Trunking Protocol)
- Cisco proprietary trunking negotiation protocol.
- Enabled by default on Cisco switches that support DTP.
- Sends periodic advertisements to the remote port to establish a trunk.

Trunking Modes:
- On (default)
  o The command used is switchport mode trunk.
  o DTP advertisements are sent to the remote, and the local port is immediately set as a trunk port.
- Dynamic auto
  o The command used is switchport mode dynamic auto.
  o The local port ends up in trunking state only if the remote port trunk mode has been configured to be on or desirable.
- Dynamic desirable
  o The command used is switchport mode dynamic desirable.
  o If the remote has been configured in on, desirable, or auto mode, the local port ends up in trunking state.
- Nonegotiate (DTP turned off)
  o The command is switchport nonegotiate.
  o No DTP advertisements are sent.
  o The local port is then considered to be in an unconditional trunking state.
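The outcome of pairing the four modes above on the two ends of one link, derived from the rules just listed, as an added example that is not part of the lecture notes. A "mismatch" verdict (one side trunking while the other stays in access state) is the trunk mode mismatch that 3.4.1 lists as a common problem; the mode names are the ones used in the notes.

```python
"""Added example (not from the notes): the result of pairing the DTP trunking
modes of 3.2.3 on both ends of a link, derived from the rules listed above."""

ON, AUTO, DESIRABLE, NONEGOTIATE = "on", "dynamic auto", "dynamic desirable", "nonegotiate"
MODES = (ON, AUTO, DESIRABLE, NONEGOTIATE)


def sends_dtp(mode):
    """on, dynamic auto and dynamic desirable send DTP advertisements; nonegotiate does not."""
    return mode != NONEGOTIATE


def local_state(local, remote):
    """Operational state ('trunk' or 'access') of the local port given both modes."""
    if local in (ON, NONEGOTIATE):
        return "trunk"                      # unconditional trunking on this side
    if not sends_dtp(remote):
        return "access"                     # nothing arrives to negotiate with
    if local == DESIRABLE and remote in (ON, DESIRABLE, AUTO):
        return "trunk"
    if local == AUTO and remote in (ON, DESIRABLE):
        return "trunk"
    return "access"                         # e.g. dynamic auto on both ends


def link_result(a, b):
    """Return (state_a, state_b, verdict); verdict is trunk, access or mismatch."""
    if a not in MODES or b not in MODES:
        raise ValueError("unknown trunking mode")
    sa, sb = local_state(a, b), local_state(b, a)
    verdict = sa if sa == sb else "mismatch"
    return sa, sb, verdict


def matrix():
    """Verdict for every pairing; handy when reviewing a design or an audit finding."""
    return {(a, b): link_result(a, b)[2] for a in MODES for b in MODES}
```

The matrix also shows why an access port left in dynamic auto or dynamic desirable is worth flagging: a device on the far end that sends DTP in the right mode is enough to bring the link up as a trunk.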

3.3 Configure VLANs and Trunks

3.3.1 Configuring VLANs and Trunks Overview
Use the following steps to configure and verify VLANs and trunks on a switched network:
1. Create the VLANs
2. Assign switch ports to the VLANs statically
3. Verify VLAN configuration
4. Enable trunking on the inter-switch connections
5. Verify trunk configuration

3.3.2 Configure a VLAN

Add a VLAN:

S1(config)# vlan <vlan_id>
S1(config-vlan)# name <vlan_name>
S1(config-vlan)# end

To verify:

S1# show vlan brief

Assign a Switch Port:

S1(config)# interface <int_id>
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan <vlan_id>
S1(config-if)# end

3.3.3 Managing VLANs

Verify VLANs and Port Memberships

S1# show vlan brief
S1# show interfaces vlan <vlan_id>

To see the VLAN type and native VLAN information:

S1# show interfaces <int_id> switchport

Manage Port Memberships

S1(config)# interface <int_id>
S1(config-if)# no switchport access vlan

Delete VLANs

S1(config)# no vlan <vlan_id>

Removing all VLAN configuration (privileged EXEC mode):

S1# delete flash:vlan.dat

3.3.4 Configure a Trunk

Configure an 802.1Q Trunk

S1(config)# interface <int_id>
S1(config-if)# switchport mode trunk
S1(config-if)# switchport trunk native vlan <vlan_id>
S1(config-if)# end

Verify Trunk Configuration:

S1# show interfaces <int_id> switchport

Managing a Trunk Configuration

To reset all allowed VLANs on the trunk port:

S1(config-if)# no switchport trunk allowed vlan

To reset the native VLAN back to the default VLAN:

S1(config-if)# no switchport trunk native vlan

To reset the trunk port back to access mode:

S1(config-if)# switchport mode access

3.4 Troubleshooting VLANs and Trunks

3.4.1 Common Problems with Trunks
- Native VLAN mismatches: both ends of a trunk link must be configured with the same native VLAN.
- Trunk mode mismatches: both ends of a trunk link must be configured with the appropriate trunk mode so that they can form the trunk link successfully.
- VLANs and IP Subnets: each VLAN uses a different subnet, and all devices in the same subnet must be configured with the correct IP addresses.
- Allowed VLANs on trunks: both ends of a VLAN trunk must be configured to allow the same VLANs to be transmitted.

3.4.2 A Common Problem with VLAN Configurations

3.5 Chapter Labs

CCNA Exploration-3 LAN Switching And Wireless

CHAPTER-4 VTP

4.1 VTP Concepts

4.1.1 What is VTP

The VLAN Management Challenge: When a new VLAN is created,

it needs to be added to all switches manually,

it needs to be added in the allowed list of all trunks manually.

In a large network this is a difficult task and prone to configuration errors. What is VTP? VTP allows a network manager to configure a switch so that it will propagate VLAN configurations to other switches in the network.

VTP enabled switches exchange vlan information over an active trunk.

Switches have VTP roles: server or client

Only the vlans within the normal range are supported

VTP stores the VLAN configurations in the vlan.dat file. Benefits of VTP

VLAN configuration consistency

Accurate tracking and monitoring of VLANs.

Dynamic reporting of added VLANs across a network.

Dynamic trunk configuration when VLANs are added to the network.

VTP Components:

VTP Domain: The switches in the same domain can exchange VLAN info. A Layer-3 device is the boundary.

VTP Advertisements: The VTP messages exchanged.

VTP Modes: A switch can be configured in one of the three VTP modes:

VTP Server : VLANs can be created, deleted or renamed. Stores in the vlan.dat file.

VTP Client : VLAN information is stored but cannot be changed. Does not store VLAN info in the NVRAM.

VTP Transparent : Only passes VLAN info on to the other switches; it does not participate in VTP. All VLAN config must be made manually in this mode.

VTP Pruning : Restricts broadcast, multicast traffic on some trunks.

4.2 VTP Operation

4.2.1 Default VTP Configuration

VTP version = 1

VTP Domain name = null

VTP mode = server

Config Revision = 0

VLANs = 1

VTP versions: 1, 2, 3

Only one VTP version is allowed in a VTP domain.

Displaying the VTP Status:

switch# show vtp status

4.2.2 VTP Domains

A VTP domain consists of one switch or several interconnected switches sharing the same VTP domain name.

A switch can be a member of only one VTP domain at a time.

Until the VTP domain name is specified you cannot create or modify VLANs on a VTP server, and VLAN information is not propagated over the network.

4.2.3 VTP Advertising

A VTP message is inserted in the data field of an Ethernet frame. The Ethernet frame is then encapsulated as an 802.1Q trunk frame.

VTP Frame Details

Destination MAC Address: 01-00-0C-CC-CC-CC (Reserved multicast for all VTP advertisements)

LLC field : AA AA (means a type field follows)

SNAP field : 00-00-0C (OUI for Cisco) and type value 2003 for VTP.

VTP Header field:

o VTP domain name

o Domain name length

o Version, message type

o Config revision number

VTP Message field (varies depending on the VTP message type):

o Global domain information:

   VTP domain name

   The IP address of the sending switch, time and date

   MD5 digest (carries the VTP password when MD5 is configured)

   Frame format: ISL or 802.1Q

o VLAN information (for each VLAN):

   VLAN ID

   VLAN name

   VLAN type

   VLAN state

   Additional VLAN config info

VTP Configuration Revision Number

Each time a VLAN is added or deleted, this number is incremented.

32-bit number

Default is 0.


A VTP domain name change resets this number to zero (0).

The higher the config number, the more recent the config is.

VTP Advertisements

Summary:

o Sent every 5 min by a server or client.

o Sent immediately after a config change.

o Contains VTP domain name and config revision number.

Subset:

o Contains VLAN information.

o Changes that trigger a subset advertisement:

   Creating or deleting a VLAN

   Suspending or activating a VLAN

   Changing the name of a VLAN

   Changing the MTU of a VLAN

Request:

o When a request advertisement is sent to a server in the same VTP domain, the VTP server responds by sending a summary ad and a subset ad.

o Sent if:

   The VTP domain name has been changed

   The switch receives a summary ad with a higher config revision number

   A subset ad is missed

   The switch has been reset
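As an added example (not code from the lecture notes or from Cisco), the following Python builds the encapsulation listed in 4.2.3 around a summary advertisement, parses it back, and applies the revision-number rule above. The field order and sizes of the summary body (followers byte, 32-byte padded domain name, 4-byte revision, updater IP, 12-byte timestamp, 16-byte digest) follow the commonly documented VTP v1 layout and are an assumption beyond what the notes list; the domain name, revision, MAC and IP addresses are constructed.

```python
import ipaddress
import struct

# Constructed example (not from the lecture notes or Cisco). Encapsulation constants from the notes:
VTP_DST_MAC = bytes.fromhex("01000ccccccc")   # reserved multicast for all VTP advertisements
LLC_SNAP_HDR = bytes.fromhex("aaaa03")        # DSAP AA, SSAP AA, control 03: a SNAP type field follows
CISCO_OUI = bytes.fromhex("00000c")           # SNAP OUI for Cisco
VTP_SNAP_TYPE = 0x2003                        # SNAP type value for VTP
TPID_8021Q = 0x8100                           # 802.1Q tag protocol identifier

MSG_SUMMARY, MSG_SUBSET, MSG_REQUEST = 1, 2, 3
DOMAIN_FIELD_LEN = 32

# Summary advertisement body (assumed layout, as commonly documented for VTP v1/v2):
# version, code, followers, domain length, domain name (32 bytes), config revision (32 bits),
# updater IPv4 address, update timestamp (12 ASCII chars), MD5 digest (16 bytes).
SUMMARY = struct.Struct("!BBBB32sI4s12s16s")


def build_summary_adv(domain, revision, updater_ip, timestamp, digest=bytes(16), version=1):
    """Serialise the LLC/SNAP header plus a VTP summary advertisement."""
    name = domain.encode("ascii")
    if len(name) > DOMAIN_FIELD_LEN:
        raise ValueError("VTP domain name longer than 32 bytes")
    if len(digest) != 16:
        raise ValueError("MD5 digest must be 16 bytes")
    body = SUMMARY.pack(
        version, MSG_SUMMARY, 0, len(name),
        name.ljust(DOMAIN_FIELD_LEN, b"\x00"),
        revision & 0xFFFFFFFF,                      # the 32-bit configuration revision number
        ipaddress.IPv4Address(updater_ip).packed,   # IP address of the sending switch
        timestamp.encode("ascii").ljust(12, b"\x00")[:12],
        digest,                                     # carries the password digest when configured
    )
    return LLC_SNAP_HDR + CISCO_OUI + struct.pack("!H", VTP_SNAP_TYPE) + body


def build_trunk_frame(src_mac, vlan_id, payload):
    """Wrap the payload in an 802.1Q-tagged 802.3 frame to the VTP multicast address."""
    tci = vlan_id & 0x0FFF                        # priority 0, DEI 0, 12-bit VLAN ID
    return VTP_DST_MAC + src_mac + struct.pack("!HHH", TPID_8021Q, tci, len(payload)) + payload


def parse_vtp_frame(frame):
    """Check the encapsulation step by step and decode a summary advertisement."""
    dst, src, tpid, tci, length = struct.unpack("!6s6sHHH", frame[:18])
    if dst != VTP_DST_MAC:
        raise ValueError("not addressed to the VTP multicast address")
    if tpid != TPID_8021Q:
        raise ValueError("VTP is only expected on 802.1Q trunk frames")
    payload = frame[18:18 + length]
    if payload[:3] != LLC_SNAP_HDR or payload[3:6] != CISCO_OUI:
        raise ValueError("LLC/SNAP header with Cisco OUI missing")
    if struct.unpack("!H", payload[6:8])[0] != VTP_SNAP_TYPE:
        raise ValueError("SNAP type is not VTP (0x2003)")
    body = payload[8:]
    if len(body) < 2 or body[1] != MSG_SUMMARY:
        raise ValueError("only summary advertisements are decoded in this example")
    version, _code, followers, name_len, name, revision, updater, ts, digest = SUMMARY.unpack(
        body[:SUMMARY.size])
    return {
        "src_mac": src.hex(":"),
        "vlan": tci & 0x0FFF,
        "version": version,
        "followers": followers,
        "domain": name[:name_len].decode("ascii"),
        "revision": revision,
        "updater": str(ipaddress.IPv4Address(updater)),
        "timestamp": ts.rstrip(b"\x00").decode("ascii"),
        "digest": digest.hex(),
    }


def client_action(local_domain, local_revision, adv):
    """Decide what a VTP client does with a received summary advertisement."""
    if adv["domain"] != local_domain:
        return "ignore"            # another VTP domain: not propagated to us
    if adv["revision"] > local_revision:
        return "send-request"      # newer database: ask for summary + subset advertisements
    return "in-sync"               # same or older revision: nothing to update


if __name__ == "__main__":
    adv_bytes = build_summary_adv("CCNA", 7, "10.1.1.1", "130501120000")
    frame = build_trunk_frame(bytes.fromhex("001a2b3c4d5e"), 1, adv_bytes)  # sent on native VLAN 1
    adv = parse_vtp_frame(frame)
    print(adv)
    print(client_action("CCNA", 3, adv))   # send-request
```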

VTP Advertisements Details

(Show the figures)

4.2.4 VTP Modes

Server Mode

Client Mode

Transparent Mode

(Show the comparison table)

4.2.5 VTP Pruning

If there are no switch ports configured for a specific VLAN, then the broadcast frames should not be sent to that switch over the trunk links.

When VTP pruning is enabled, switches negotiate and block the unnecessary broadcast traffic.

4.3 Configure VTP

4.3.1 Configuring VTP

Configure a switch in VTP server mode:

1. Make sure the switch is in default settings.

2. Reset the config revision number.

3. Configure at least two VTP servers.

4. Configure a VTP domain on the server.

   a. switch(config)#vtp domain domain-name

5. If there is an existing VTP domain, make sure to set exactly the same domain name.

6. If you will use password authentication, make sure you use the same password in all switches.

7. All switches must be configured with the same VTP version.

   a. switch(config)#vtp version 1

8. Create VLANs after you have enabled VTP on the VTP server.

Configure a switch in VTP client mode:

1. Start with the default settings.

2. Set the switch to client mode.

   a. switch(config)#vtp mode client

3. Configure trunks.

4. Connect to a VTP server.

5. Verify VTP status.

6. Configure access ports.

4.3.2 Troubleshooting VTP Configurations

switch# show vtp status

switch# show vtp counters

4.3.3 Managing VLANs on a VTP Server

4.4 Chapter Labs


CCNA Exploration-3 LAN Switching And Wireless

CHAPTER-5 STP

5.1 Redundant Layer 2 Topologies

5.1.1 Redundancy

5.1.2 Issues with Redundancy

5.1.3 Real-world Redundancy Issues

5.2 Introduction to STP

5.2.1 The Spanning Tree Algorithm

STP ensures that there is only one logical path between all destinations on the network;

Blocks redundant paths that could cause a loop.

A blocked port does not forward frames in any direction.

BPDUs used by STP are always forwarded.

If the link fails, STP unblocks the necessary ports to allow the redundant path to become active.

STP Algorithm

1. A single switch (with the lowest BID) is selected as the root bridge.

2. STA calculates the shortest paths to the root bridge.

   a. Uses path costs (associated with the port speed) to calculate the shortest path.

   b. The least-cost path becomes the shortest path.

3. Each switch uses STA to decide which ports to block to prevent loops.

4. Blocked ports are called non-designated ports.

5. Non-blocked ports are:

   a. Ports closest to the root bridge, called root ports.

   b. Other non-root forwarding ports, called designated ports.

The Root Bridge Election

The switch with the lowest BID is elected as the root bridge.

Bridge ID consists of:

o Bridge priority

o Extended system ID

o MAC address

Switches send periodic BPDUs to each other every two seconds; each BPDU contains:

o Local BID (BID of itself)

o BID of the root

If a switch receives a root BID lower than the known root BID, it updates the root BID and its path cost.

Sends the updated root BID and path cost to neighbors.


Best Paths to the Root Bridge

The costs of the links along the path to the root bridge are added to calculate the path cost.

Default port link costs:

Link speed   Port cost
10 Mb/s      100
100 Mb/s     19
1 Gb/s       4
10 Gb/s      2

Port costs are configurable with the command:

switch(config-if)# spanning-tree cost <cost>

The switch# show spanning-tree command is used to verify port costs.

5.2.2 STP BPDU

The BPDU Fields (12 fields):

First four fields: Protocol (2), Version (1), Message Type (1), Status (1)

Next four fields: Root ID (8), Cost of path(4), BID (8), Port ID (2)

Last four fields: Message age (2), Max age (2), Hello time (2), Forward delay (2)

The BPDU Process

Show step-by-step example

5.2.3 Bridge ID

BID Fields:

Bridge Priority (4 bits): Priority value, in increments of 4096. Default 32768.

Extended System ID (12 bits): VLAN ID of the STP instance.

MAC address (48 bits)

Configure and Verify the BID

To ensure that the switch has the lowest bridge priority value, use the command:

spanning-tree vlan <vlan-id> root primary (sets the priority value to 24576)

For an alternate root switch, use the command:

spanning-tree vlan <vlan-id> root secondary (sets the priority value to 28672)

Another method for configuring the bridge priority value is using the command:

spanning-tree vlan <vlan-id> priority <value>

To verify:

show spanning-tree

5.2.4 Port Roles


Root Port

Exists on non-root switches.

Switch port with the best path to the root switch.

Only one root port is allowed per switch.

Can populate the MAC table with the incoming source MAC addresses.

Designated Port

Exists on both root and non-root switches.

Receives and forwards frames towards the root.

Only one designated port is allowed per segment.

Can populate the MAC table with the incoming source MAC addresses.

Non-designated Port

A blocked switch port. Does not receive or forward frames.

Does not populate the MAC table.

The Root Port Election:

All switches that are using spanning tree, except for the root bridge, have a single root port defined.

The switch port with the lowest overall path cost to the root switch is automatically assigned the root port role.

If more than one port has the same lowest-cost path:

o The port with the lowest port priority is selected.

o If all port priorities are the same, then the lowest port ID is selected.

When one root port is defined, the other ports to the root switch are defined as non-designated ports.

Configuring Port Priority:

Port priority values range from 0 to 240 in increments of 16.

Default is 128.

switch(config-if)# spanning-tree port-priority <pri_value>

Other Port Role Decisions:

1. The root switch automatically configures all of its switch ports in the designated role.

2. Other switches define all non-root ports as either designated or non-designated ports.

3. If two non-root ports of two switches connect to the same LAN segment, the switch port with the lowest BID becomes designated; the other becomes non-designated.

Show the seven-step figure.

Verifying Port Roles and Port Priority

switch# show spanning-tree

5.2.5 STP Port States and BPDU Timers

Switch ports do not change modes immediately to prevent temporary loops and facilitate the learning of the logical spanning-tree.

Blocking : Non-designated port. Receives and processes BPDUs, no data forwarding, no MAC learning.


Listening : Receives, forwards and processes BPDUs, no data forwarding, preparing to forward data.

Learning : Receives, forwards and processes BPDUs, no data forwarding, populates the MAC address table.

Forwarding : Receives, forwards and processes BPDUs, forwards data normally.

Disabled : No forwarding, administratively shut down.

BPDU Timers: The amount of time that a port stays in the various port states depends on the BPDU timers.

Hello timer : The interval between BPDU transmissions. Default is 2 secs, but can be configured between 1 and 10 secs.

Forward delay : The time spent in the listening and learning states. Default is 15 secs. Can be configured between 4 and 30 secs.

Maximum Age : The maximum amount of time a switch saves the BPDU config data. Default is 20 secs, but can be configured between 6 and 40 secs.

The default values are optimized for network diameter of 7.

The following command can be used on the root switch to adjust the timers automatically:

spanning-tree vlan <vlan id> root primary diameter <value>

Cisco PortFast Technology

Allows an access port transition from blocking state to forwarding state immediately, bypassing the listening and learning states.

Minimizes the delay that access ports must wait for the network to converge.

Should be used only on the access ports.

Switch(config-if)# spanning-tree portfast

5.3 STP Convergence

5.3.1 STP Convergence

Convergence is the time it takes for:

1. The network to determine which switch is going to assume the role of the root bridge,

2. Go through all the different port states, and set all switch ports to their final spanning-tree port roles where all potential loops are eliminated.

STP Convergence Steps

1. Elect a root bridge

2. Elect root ports

3. Elect designated and non-designated ports

5.3.2 Step 1. Electing a Root Bridge

Immediately after the switches finish booting up, they start sending BPDU frames advertising their BID in an attempt to become the root bridge.

The switches send their own BID and the root BID to their neighbors.

Initially all switches think that they are the root bridge.

When a switch receives a lower root BID than the root BID known to itself, it updates the root BID, and starts to advertise the new root BID.

Eventually all switches receive the lowest BID, which becomes the root bridge.


If a switch does not receive a BPDU in 20 sec (default max age), the election process restarts.

5.3.3 Step 2. Elect Root Ports

Every switch in an STP topology, except for the root bridge, has a single root port defined.

A port having the lowest path cost to the root bridge becomes the root port.

If path costs are the same, then the port with the lowest port priority becomes the root port.

If port priorities are the same, then the lowest port ID is elected as the root port.

5.3.4 Step 3. Electing Designated Ports and Non-designated Ports

After a switch determines the root port, the remaining ports must be configured as either a designated port or a non-designated port.

The root switch configures all of its ports as designated ports.

On a segment, the port with the lowest path cost to the root switch is elected as the designated port.

If path costs are same, then lowest BID determines the designated port, the losing port becomes the non-designated (blocking state) port.
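The three STA steps from 5.2.1, the BID layout from 5.2.3 and the root/designated port rules from 5.2.4 and 5.3, carried through in Python as an added example (not code from the lecture notes or from Cisco). The triangle topology, MAC addresses and link speeds are constructed; the root-port tie-break also compares the sender's BID, which 802.1D applies between the path-cost and port-ID comparisons the notes list.

```python
import heapq
from collections import defaultdict

# Constructed example (not from the lecture notes or Cisco). Default 802.1D port costs from the notes:
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}   # link speed in Mb/s -> port cost
ROOT_PRIMARY_PRIORITY = 24576     # what "spanning-tree vlan <id> root primary" sets
ROOT_SECONDARY_PRIORITY = 28672   # what "spanning-tree vlan <id> root secondary" sets


def bridge_id(priority, vlan, mac):
    """BID = 4-bit priority (multiples of 4096) + 12-bit extended system ID (VLAN) + 48-bit MAC.
    Lower value wins, so the priority decides first and the MAC address breaks ties."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4095:
        raise ValueError("the extended system ID is the VLAN number")
    return ((priority | vlan) << 48) | int(mac.replace(":", ""), 16)


def spanning_tree(switches, links, vlan=1):
    """Run the three STA steps for one VLAN.

    switches: {name: (priority, mac)}
    links:    [(switch_a, port_a, switch_b, port_b, speed_mbps)], one entry per LAN segment;
              ports are integers and every port priority is left at the default 128,
              so the port number alone acts as the port ID tie-breaker.
    Returns (root, {switch: root path cost}, {(switch, port): role}).
    """
    bid = {name: bridge_id(prio, vlan, mac) for name, (prio, mac) in switches.items()}

    # Step 1: the switch with the lowest BID becomes the root bridge.
    root = min(bid, key=bid.get)

    # Adjacency: switch -> [(local port, port cost, neighbour, neighbour port)]
    adj = defaultdict(list)
    for a, pa, b, pb, speed in links:
        cost = PORT_COST[speed]
        adj[a].append((pa, cost, b, pb))
        adj[b].append((pb, cost, a, pa))

    # Step 2: least-cost path to the root. A switch adds the cost of the port on which the
    # BPDU arrives, so the edge weight is the receiving port's cost (Dijkstra from the root).
    root_cost = {root: 0}
    heap = [(0, root)]
    while heap:
        dist, sw = heapq.heappop(heap)
        if dist > root_cost[sw]:
            continue
        for _port, cost, nbr, _nport in adj[sw]:
            if dist + cost < root_cost.get(nbr, float("inf")):
                root_cost[nbr] = dist + cost
                heapq.heappush(heap, (dist + cost, nbr))

    roles = {}
    # Step 3a: each non-root switch picks one root port. Tie-breaks in 802.1D order:
    # lowest root path cost, then sender BID, then sender port ID, then local port ID.
    for sw in switches:
        if sw == root:
            continue
        port, _c, _n, _np = min(
            adj[sw], key=lambda e: (root_cost[e[2]] + e[1], bid[e[2]], e[3], e[0]))
        roles[(sw, port)] = "root"

    # Step 3b: one designated port per segment: the end with the lowest root path cost,
    # then lowest BID, then lowest port ID. The root's ports are all designated (cost 0).
    # The other end keeps its root role, otherwise it is non-designated (blocking).
    for a, pa, b, pb, _speed in links:
        ends = sorted([(root_cost[a], bid[a], pa, a), (root_cost[b], bid[b], pb, b)])
        roles[(ends[0][3], ends[0][2])] = "designated"
        roles.setdefault((ends[1][3], ends[1][2]), "non-designated")
    return root, root_cost, roles


if __name__ == "__main__":
    # Constructed triangle: S1 was made root primary; S2 and S3 keep the default priority.
    switches = {
        "S1": (ROOT_PRIMARY_PRIORITY, "00:00:00:00:00:01"),
        "S2": (32768, "00:00:00:00:00:02"),
        "S3": (32768, "00:00:00:00:00:03"),
    }
    links = [
        ("S1", 1, "S2", 1, 100),    # FastEthernet, cost 19
        ("S1", 2, "S3", 1, 1000),   # GigabitEthernet, cost 4
        ("S2", 2, "S3", 2, 100),    # FastEthernet, cost 19: S3's end wins (cost 4 < 19)
    ]
    root, cost, roles = spanning_tree(switches, links)
    print("root bridge:", root, "| root path costs:", cost)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} port {port}: {role}")
```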

5.3.5 STP Topology Change

A switch detecting a topology change sends a special notification BPDU called a topology change notification (TCN) from its root port toward the root bridge.

The receiving switch responds with a topology change acknowledgement (TCA) message.

This exchange continues until the root bridge receives the TCN and responds with a TCA.

Once the root bridge is aware that there has been a topology change event in the network, it starts to send out BPDUs with the TC bit set.

All switches receiving a BPDU with the TC bit set reduce their MAC table aging time to the forward delay.

5.4 PVST+, RSTP and Rapid-PVST+

There are many variants of STP:

Cisco Proprietary

o Per-VLAN Spanning Tree Protocol (PVST) :

Maintains a spanning-tree instance for each VLAN configured in the network.

Uses Cisco ISL trunking.

Supports Cisco STP extensions Portfast, Uplinkfast, BackboneFast.

Ability to load balance over the trunks.

o Per-VLAN Spanning Tree Protocol Plus (PVST+) :

Same functionality as PVST

Supports both Cisco ISL and IEEE 802.1Q trunking.

Supports Cisco proprietary STP extensions including BPDU guard.

Only supported on Cisco switches.

o Rapid PVST+ :

Based on 802.1w

Faster convergence than standard STP (802.1D).

IEEE Standards

o Rapid Spanning Tree Protocol (RSTP) (802.1w) :

An evolution of 802.1D standard.

Provides faster ST convergence

Incorporates Cisco STP extensions into the public standard.

IEEE has incorporated RSTP into 802.1D as 802.1D-2004.

o Multiple STP (MSTP) :

Enables multiple VLANs to be mapped to the same spanning-tree instance, reducing the number of instances needed to support a large number of VLANs.

Inspired by Cisco MISTP

An evolution of STP and RSTP

5.4.1 Cisco and STP Variants

5.4.2 PVST+

A separate STP instance is created for each VLAN.

Separate root bridges can be elected for different STP instances.

Load balancing per VLAN can be performed on the trunks

The two byte bridge priority is modified as 4 bit bridge priority + 12 bit VLAN ID.

Default spanning-tree mode is PVST+.

Configure PVST+

Select and configure one switch as the primary root, and another as the secondary root for each VLAN:

switch(config)#spanning-tree vlan <vlan-id> root primary | secondary

Or set the bridge priority directly:

switch(config)#spanning-tree vlan <vlan-id> priority 4096

5.4.3 RSTP 802.1w (based on 802.1D)

Faster convergence than 802.1D.

Preferred protocol to prevent loops.

Not compatible with some Cisco enhancements such as UplinkFast, BackboneFast

Port states are : discarding, learning or forwarding.

BPDU format is the same as 802.1D

Backward compatible with 802.1D.

Does not need 802.1D timers.

Protocol information ages out on a port if 3 consecutive Hello messages are missed (6 sec)

RSTP Flag field.

5.4.4 Edge Ports

Ports that will never be connected to another switch are called edge ports.

Immediately transitions to forwarding state when enabled.

Similar to Cisco PortFast technology.

If it receives a BPDU, it becomes a normal STP port.

spanning-tree portfast command is used at the interface.

5.4.5 Link Types

Edge ports : Transitions to the forwarding state immediately.

Non-edge ports


o Point-to-point : Full duplex (Transitions to the forwarding state immediately)

o Shared : Half duplex

5.4.6 RSTP Port States and Port Roles

RSTP Port States

RSTP provides rapid convergence following a failure or during re-establishment of a switch, switch port, or link.

STP port states – RSTP port states:

Blocking – Discarding

Listening – Discarding

Learning – Learning

Forwarding – Forwarding

Disabled – Discarding

RSTP Port Roles

The port role defines the ultimate purpose of a switch port and how it handles data frames.

Root

Designated

Backup (discarding state in active topology)

Alternate (discarding state in active topology)

RSTP Proposal or Agreement Process

RSTP significantly speeds up the recalculation process after a topology change, because

o it converges on a link-by-link basis and

o does not rely on timers expiring before ports can transition.

o Rapid transition to the forwarding state on edge ports and point-to-point ports.

5.4.7 Configuring Rapid-PVST+

Rapid-PVST+ is a Cisco implementation of RSTP.

It supports ST for each VLAN and is the rapid STP variant to use in Cisco-based networks.

An STP instance is created when an interface is assigned to a VLAN, and is removed when the last interface is moved to another VLAN.

The Cisco 2960 switch supports PVST+, Rapid-PVST+, and MSTP; however, only one version can be active at any time.

switch(config)# spanning-tree mode rapid-pvst

switch(config-if)# spanning-tree link-type point-to-point

switch# clear spanning-tree detected-protocols

switch# show spanning-tree vlan <vlan-id>

5.4.8 Design STP for Trouble Avoidance


Know Where the Root Is

Do not leave it up to the STP to decide which bridge is root.

For each VLAN, you can usually identify which switch can best serve as root.

Generally, choose a powerful bridge in the middle of the network, with a direct connection to the servers and routers.

For each VLAN, configure the root bridge and the backup root bridge using lower priorities.

Minimize the Number of Blocked Ports

For each VLAN, know which ports should be blocking in the stable network.

Have a network diagram that clearly shows each physical loop in the network and which blocked ports break the loops.

VTP Pruning

Prune any VLAN that you do not need off your trunks.

Use Layer 3 switching. Layer-3 switches route approximately at the speed of switching.

Final Points:

Keep STP even if it is unnecessary

Keep traffic off the administrative VLAN. A high rate of broadcast or multicast traffic on the administrative VLAN can adversely impact the CPU and its ability to process vital BPDUs.

Do not have a single VLAN span the entire network.

5.4.9 Troubleshoot STP Operation

PortFast Configuration Error

Do not use PortFast on switch ports or interfaces that connect to other switches, hubs, or routers. Otherwise, you may create a network loop.

Network Diameter Issues

Switches discard BPDUs whose age field is greater than 7.

Take special care if you plan to change STP timers from the default value.

5.5 Chapter Labs


CCNA Exploration-3 LAN Switching And Wireless

CHAPTER-6 INTER-VLAN ROUTING

6.1 Inter-VLAN Routing

6.1.1 Introducing Inter-VLAN Routing

Inter-VLAN routing is a process of forwarding network traffic from one VLAN to another.

Two implementations:

1. Using a router

a. Traditional (Using a separate link for each VLAN)

b. Router-on-a-stick (Using a trunk link)

2. Using a layer-3 switch

Traditional Inter-VLAN routing:

1. Each VLAN uses a separate physical link to the router.

2. The switch ports that connect to the router are configured in access mode.

3. The router interfaces are also configured to belong to individual VLANs.

4. The router receives frames from one interface (a VLAN) and forwards them to another interface (another VLAN).

5. If many VLANs are used, then the router may not have enough physical interfaces.

Router-On-A-Stick:

1. A single link is used between the switch and the router.

2. This link is configured as a trunk link to carry all traffic belonging to different VLANs (tagged traffic).

3. Subinterfaces (logical-virtual interfaces) are used at the router interface. Multiple virtual interfaces are assigned to a single physical interface.

4. Each subinterface belongs to a different VLAN.

5. The router receives frames from one subinterface and forwards them out another subinterface on the same physical interface.

6.1.2 Interfaces and Subinterfaces

Using the Router as a Gateway

Router interfaces are assigned IP addresses from their own VLAN subnet.

The devices that belong to a VLAN must be configured with a Default Gateway address.

The Default Gateway Address is the router interface IP address that belongs to a specific VLAN.

Subinterface Configuration


R1(config)# interface fa0/0.10      (subinterface created)

R1(config-subif)# encapsulation dot1q 10

R1(config-subif)# ip address <IP-Address> <subnet-mask>

..

R1(config)# interface fa0/0

R1(config-if)# no shutdown

Subinterfaces cannot be enabled or disabled individually.

When the physical interface is enabled, all subinterfaces are enabled.

When it is shut down, all subinterfaces are shut down.

Advantages of using subinterfaces:

Cost

There is no physical port limit.

A single trunk connection to the router.

Disadvantages:

Performance

More complex configuration

6.2 Configuring Inter-VLAN Routing

6.2.1 Configure Inter-VLAN Routing

6.2.2 Configure Router on a Stick Inter-VLAN Routing

6.3 Troubleshooting Inter-VLAN Routing

6.3.1 Switch Configuration Issues

6.3.2 Router Configuration Issues

6.3.3 IP Addressing Issues

6.4 Chapter Labs


CCNA Exploration-3 LAN Switching And Wireless

CHAPTER-7 BASIC WIRELESS CONCEPTS AND CONFIGURATION

7.1 The Wireless LAN

7.1.1 Why Use Wireless

Why have Wireless LANs Become so Popular?

Mobility and flexibility at work and at home.

Reduced costs

o When moving a person within a building, reorganizing a lab, etc.

o When installing a LAN in a new building

Wireless Technologies (The figure)

PAN (802.15 - Bluetooth)

LAN (802.11 – WLAN)

MAN (802.16 – Wimax)

WAN ( GSM )

A wireless LAN (WLAN) is an extension of the Ethernet LAN.

Comparing a WLAN to a LAN

WLANs use radio frequencies (RF) instead of cables at the Physical layer and the MAC sub-layer of the Data Link layer. RF characteristics:

No boundaries

Uses collision avoidance mechanism

Unprotected from outside signals

RF bands are regulated differently in various countries.

Wireless LAN components

Wireless router or access point

Wireless NIC on client devices

7.1.2 Wireless LAN Standards

Two modulation techniques :

Direct Sequence Spread Spectrum (DSSS) : Slower transmission rates

Orthogonal Frequency Division Multiplexing (OFDM) : Faster transmission rates

Unlicensed ISM (Industrial, Scientific, Medical) bands :

900 MHz, 2.4 GHz, 5.0 GHz

No need for a licence


Subject to local regulations

RF bands are allocated by ITU

IEEE WLAN Standards:

802.11a : 5 GHz. Up to 54 Mbps. Shorter range. The signal is absorbed more by walls, etc. Less interference. Uses OFDM.

802.11b : 2.4 GHz. Up to 11 Mbps. Longer range. Uses DSSS. More prone to interference.

802.11g : 2.4 GHz. Up to 54 Mbps. Longer range. Uses OFDM, but is also compatible with DSSS. More prone to interference.

802.11n (Draft) : 2.4 or 5 GHz. Up to 600 Mbps. Uses multiple radios and antennas at the endpoints to achieve higher rates. Uses MIMO-OFDM.

Wi-Fi Certification

Standards ensure interoperability between devices made by different manufacturers. Internationally, the three key organizations influencing WLAN standards are:

ITU-R : Regulates the allocation of RF bands.

IEEE : Specifies how RF is modulated to carry information.

Wi-Fi Alliance : (www.wi-fi.org) A non-profit global organization devoted to promoting WLAN technologies and products. Provides Wi-Fi certification.

7.1.3 Wireless Infrastructure Components

Wireless NICs

The wireless NIC, using the modulation technique it is configured to use, encodes a data stream onto an RF signal.

Wireless Access Points

An access point connects wireless clients (or stations) to the wired LAN.

Clients must associate (join) with an access point to obtain network services.

An ap is a layer-2 device just like an Ethernet hub.

RF is the shared medium.

Uses CSMA/CA

Hidden Nodes Problem:

When two stations at opposite ends of the range cannot see each other, collisions may occur.

Solution: Request-to-send/Clear-to-send (RTS/CTS) messages are used to allocate the medium to the requesting station.

Wireless Routers:

Perform the role of an access-point, an Ethernet switch, and a router.

7.1.4 Wireless Operation

Configurable Parameters for Wireless Endpoints


The wireless network mode: WLAN protocols: 802.11a, b, g, n.

o Mixed mode is possible between b and g with a single radio.

o Other mixed modes will require multiple radios.

SSID : Shared Service Set Identifier : A unique case-sensitive name that identifies a wireless network.

o Several access points can share an SSID.

Channel: The 2.4 GHz band is broken down into 11 channels for North America, 13 channels for Europe.

o Each channel bandwidth is 22 MHz.

o Center frequency separation is 5 MHz. There is an overlap between successive channels.

o Any two channels that are 5 apart do not overlap.

o WLANs requiring multiple access points should use non-overlapping channels.

o Many access points can automatically select a channel based on adjacent channel use.

802.11 Topologies:

Basic Service Set (BSS) : A group of stations that communicate with each other.

Ad hoc Networks:

Devices communicate with each other without an access point.

Independent BSS (IBSS)

Basic Service Set (BSS)

A single access point in infrastructure mode manages the wireless parameters.

The coverage area for both IBSS and BSS is the basic service area (BSA).

Extended Service Sets (ESS)

If a single BSS is not sufficient to cover an area, multiple BSSs can be joined to form an ESS.

One BSS is differentiated from another by the BSS Identifier (BSSID) : the MAC address of the access point.

The coverage area is the extended service area (ESA).

Common Distribution System

Multiple access points appear to be a single BSS.

Generally includes a common SSID to allow a user to roam from access point to access point.

10-15 percent overlap between cells

Non overlapping channels

Client and Access Point Association

Beacons – Sent by access points periodically to advertise the WLAN. Includes:

SSID

Supported rates

Security implementation

The 802.11 Join Process (Association)

Stage-1: Probing – Sending a probe request to find a WLAN. Includes:

o SSID (If no SSID is specified, then all WLANs configured to reply respond)

o Bit rates

Stage-2 : Authentication

o Open authentication

o Wired Equivalency Protection (WEP)

Stage-3 : Association – Establishing the data-link between an access-point and a WLAN client.

o Finalizes the security and bit rate options

o Establishes the data-link between the WLAN client and the access-point.

o The client learns the BSSID (MAC address of the AP)

o AP maps a logical port known as the association identifier (AID) to the WLAN client.

Planning the Wireless LAN

Considerations:

The estimated number of users (RF is a shared medium)

The expected data rates per user.

The use of non-overlapping channels by multiple access-points.

The transmit power settings and limitations.

Position access points above obstructions

Position access points vertically near the ceiling in the center of each coverage area, if possible.

Position access points in locations where users are expected to be.

Calculate the coverage area, and place access points so that coverage circles overlap. (The Example)
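As an added example (not from the lecture notes), the channel-overlap rule from 7.1.4 and the non-overlapping-channel point in the planning list above, in Python: centre frequencies assume channel 1 at 2412 MHz with the 5 MHz spacing and 22 MHz width given in the notes, and the floor-plan adjacency between access points is constructed.

```python
# Constructed example (not from the lecture notes). Numbers from the notes: 2.4 GHz channels
# 5 MHz apart, each 22 MHz wide; channel 1 centred on 2412 MHz is an assumption.
CHANNEL_1_CENTRE_MHZ = 2412
CHANNEL_SPACING_MHZ = 5
CHANNEL_WIDTH_MHZ = 22


def centre_mhz(channel):
    """Centre frequency of a 2.4 GHz channel (1-13 are the 5 MHz-spaced channels)."""
    if not 1 <= channel <= 13:
        raise ValueError("channel must be between 1 and 13")
    return CHANNEL_1_CENTRE_MHZ + CHANNEL_SPACING_MHZ * (channel - 1)


def overlaps(ch_a, ch_b):
    """Two channels overlap when their centres are closer than one channel width.
    Five channels apart is 25 MHz, so e.g. 1, 6 and 11 are clear of each other."""
    return abs(centre_mhz(ch_a) - centre_mhz(ch_b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_channels(highest_channel=11):
    """Lowest-first greedy choice of channels that do not overlap (1, 6, 11 for 11 or 13 channels)."""
    chosen = []
    for ch in range(1, highest_channel + 1):
        if all(not overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def assign_channels(neighbours, highest_channel=11):
    """Give every access point a channel that does not overlap with any neighbour's channel.

    neighbours: {ap: {adjacent aps}} where adjacency means the coverage cells overlap
    (the 10-15 percent cell overlap from the notes). Greedy, most-constrained AP first;
    raises ValueError when the layout needs more non-overlapping channels than exist."""
    palette = non_overlapping_channels(highest_channel)
    plan = {}
    for ap in sorted(neighbours, key=lambda a: -len(neighbours[a])):
        taken = {plan[n] for n in neighbours[ap] if n in plan}
        free = [c for c in palette if not any(overlaps(c, t) for t in taken)]
        if not free:
            raise ValueError(f"no non-overlapping channel left for {ap}: re-plan the cell layout")
        plan[ap] = free[0]
    return plan


def plan_is_valid(neighbours, plan):
    """Check that no two adjacent access points use overlapping channels."""
    return all(not overlaps(plan[ap], plan[n]) for ap in neighbours for n in neighbours[ap])


if __name__ == "__main__":
    # Constructed floor plan: four cells in a square; diagonal cells do not overlap.
    floor = {"AP1": {"AP2", "AP3"}, "AP2": {"AP1", "AP4"},
             "AP3": {"AP1", "AP4"}, "AP4": {"AP2", "AP3"}}
    plan = assign_channels(floor)
    print(plan, "valid:", plan_is_valid(floor, plan))
```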

7.2 The Wireless LAN Security

7.2.1 Threats to Wireless Security

There are three major categories of threat that lead to unauthorized access:

War drivers

Hackers (Crackers)

Employees

Man-in-the-Middle Attacks (MITM)

Normally each NIC in a BSS hears all the traffic; however, it discards any traffic not addressed to it.

A hacker located between an access point and a client host uses packet sniffer software to receive all frames and obtain information such as usernames, passwords, server names and IP addresses.


Denial of Service

Attackers:

can create noise in the 2.4 GHz ISM band with other wireless consumer devices (microwave oven, cordless phones, baby monitors, etc.)

using a PC as an access point, can flood the BSS with clear-to-send (CTS) messages, which defeat the CSMA/CA function used by the stations.

can send disassociate messages, causing all stations to disconnect and try to reassociate again.

7.2.2 Wireless Security Protocols

Two types of authentication were introduced by the original 802.11 standard:

Open authentication (No authentication)

Shared WEP key authentication : Flaws:

o Weak WEP key algorithm (can be cracked easily)

o Manual entry of keys (often incorrectly entered by users)

Not broadcasting the SSID and MAC filtering were used as additional security.

o However it is not difficult to sniff and modify MAC addresses.

o Also SSID can be obtained from the traffic between the client and ap.

Cisco developed Temporal Key Integrity Protocol (TKIP) to improve security.

TKIP was later linked to the Wi-Fi Alliance's Wi-Fi Protected Access (WPA) security.

The latest standard is 802.11i (similar to WPA2 by the Wi-Fi Alliance).

WPA2 also includes a connection to a Remote Authentication Dial In User Service (RADIUS) database.

Authenticating to the Wireless LAN

Extensible Authentication Protocol (EAP) : Universal authentication framework used by wireless networks. IEEE developed the 802.1X standard for WLAN authentication and authorization, which uses EAP.

Enterprise WLAN authentication process:

Association : Creating a virtual port at the access point for each client.

The ap blocks all traffic except 802.1x traffic.

802.1x frames carry EAP packets via the ap to the AAA server (running RADIUS protocol).

If the EAP authentication is successful, the AAA server sends an EAP success message to the ap.

Before opening the virtual port, data-link encryption between the ap and the client is established.

Encryption

Two enterprise-level encryption mechanisms specified by 802.11i :

Temporal Key Integrity Protocol (TKIP)

Advanced Encryption Standard (AES)

TKIP (WPA) addresses the weaknesses of WEP, however AES (WPA2) is the preferred method.

In some access points you may not see WPA or WPA2 options. Instead,

PSK (Pre-shared-key) or PSK2 with TKIP is the same as WPA

PSK or PSK2 with AES is the same as WPA2

PSK2 without an encryption is the same as WPA2.

7.2.3 Securing a Wireless LAN

Controlling Access to the Wireless LAN

If you want to do something extra to secure access to your WLAN, you can add depth, as shown in the figure, by implementing this three-step approach:

SSID cloaking - Disable SSID broadcasts from access points

MAC address filtering - Tables are manually constructed on the access point to allow or

disallow clients based on their physical hardware address

WLAN security implementation - WPA or WPA2

7.3 Configure Wireless LAN Access

7.3.1 Configuring the Wireless Access Point

7.3.2 Configuring the Wireless NIC

7.4 Troubleshooting Simple WLAN Problems

7.4.1 Solve Access Point Radio and Firmware Issues

7.4.2 Incorrect Channel Settings

7.4.3 Solve Access Point Radio and Firmware Issues

7.4.4 Solve Access Point Radio and Firmware Issues

7.4.5 Problems with Authentication and Encryption

7.5 Chapter Labs