Chapter 2: Basic switch concepts and configurations d fi ti

CCNA Exploration 4.0

Overview

Hc vin mng Bach Khoa - Website: www.bkacad.com

Key elements of y ethernet/802.3 network

Hc vin mng Bach Khoa - Website: www.bkacad.com

Media Access Control (MAC)

Deterministic, Non-Deterministic
logical bus topology and physical star or extended star

logical ring topology and a physical star topology

logical ring topology and physical dual ring dual-ring topology

MAC refers to protocols that determine which computer on a shared-medium h d di environment, or collision domain, is allowed to transmit the data data. MAC, with LLC, comprises the IEEE version of the OSI Layer 2 There are two broad categories of Media Access Control, deterministic (taking , ( g turns) and non-deterministic (first come, first served)

Hc vin mng Bach Khoa - Website: www.bkacad.com

CSMA/CD
???

listen-before-transmit
???

Transmitting& listening. listening Why ???

CSMA/CD used with Ethernet performs three functions: f ti 1. Transmitting and receiving data packets 2. 2 Decoding data packets and checking them for valid addresses before passing them to the upper layers of the OSI model 3. Detecting errors within data packets or on the p network

???

Hc vin mng Bach Khoa - Website: www.bkacad.com

CSMA/CD
Flow chart

Hc vin mng Bach Khoa - Website: www.bkacad.com

Backoff
Randomly Backoff Time After a collision occurs and all stations allow the cable to become idle (each waits the full inter-frame spacing) The stations that collided must wait an additional and potentially progressively longer period of time before attempting to retransmit the p g collided frame The waiting period is intentionally designed to be random If the MAC layer is unable to send the frame after sixteen attempts, gives p attempts it gi es up and generates an error to the network layer
7

Hc vin mng Bach Khoa - Website: www.bkacad.com

Ethernet Communications

Hc vin mng Bach Khoa - Website: www.bkacad.com

Remind
Layer 1: 802.3 Layer 2: 802.2

Hc vin mng Bach Khoa - Website: www.bkacad.com

Ethernet frame structure

At the data link layer the frame structure is nearly identical for all speeds of Ethernet from 10 Mbps to 10,000 Mbps At the physical layer almost all versions of Ethernet are substantially different from one another with each speed having a distinct set of architecture design rules The Ethernet II Type field is incorporated into the current 802.3 802 3 frame definition. The definition receiving node must determine which higher-layer protocol is present in an incoming frame by examining the Length/Type field
Hc vin mng Bach Khoa - Website: www.bkacad.com 10

Ethernet frame structure

The Preamble is used for Synchronization, Address types timing synchronization in the asynchronous 10 Mbps and slower i l l implementations of t ti f 10101011 Ethernet. Faster versions of Ethernet are synchronous, and this timing information is redundant but retained for compatibility The Destination Address field The contains the MAC destination address. It can be unicast, multicast (group), or broadcast (g p), (all nodes) The source address is generally the unicast address of the transmitting Ethernet node (can be virtual entity group or multicast) Hc vin mng Bach Khoa - Website: www.bkacad.com 11

Ethernet frame structure

The type value specifies the upper-layer protocol to Length if value < 1536 decimal, receive the data after (0x600) need LLC to identify Ethernet processing is upper protocol completed. The length indicates the number of bytes of data that follows this field. (so contents of the Data field are decoded per the protocol indicated) The maximum transmission unit (MTU) for Ethernet is 1500 octets so the data octets, should not exceed that size 4 bytes Ethernet requires that the CRC frame be not less than 46 Type if value => 1536 decimal, octets or more than 1518 (0x600) it identify upper octets (Pad is required if not protocol Hc vin mng Bach Khoa - Website: www.bkacad.com 12 enough data)

Naming on Ethernet
MAC ADDRESS

Ethernet uses MAC addresses that are 48 bits in length and expressed as Ethernet 12 hexadecimal digits Sometimes referred to as burned-in addresses (BIA) because they are burned into read-only memory (ROM) and are copied into random-access memory (RAM) when the NIC initializes
Hc vin mng Bach Khoa - Website: www.bkacad.com 13

OUI

Hc vin mng Bach Khoa - Website: www.bkacad.com

14

Ethernet in full duplex

duplex Full-duple Full-d F ex Collision occurs only in half-duplex Full-duplex Full duplex

Full-duplex Full duplex

If the attached station is operating in full duplex then the station may send and receive simultaneously and collisions should not occur Full occur. Fullduplex operation also changes the timing considerations and eliminates the concept of slot time In half-duplex if no collision, the sending station will transmit 64 bits half-duplex, collision (timing synchronization) preamble, DA, SA, certain other header information, actual data payload, FCS
Hc vin mng Bach Khoa - Website: www.bkacad.com 15

Ethernet in full duplex

Hc vin mng Bach Khoa - Website: www.bkacad.com

16

Ethernet in full duplex

Hc vin mng Bach Khoa - Website: www.bkacad.com

17

Note

Fast Ethernet and 10/100/1000 ports: default is auto. 100BASE-FX ports: default is full. p 10/100/1000 ports operate in either half- or full-duplex mode when they are set to 10 or 100 Mb/s, but when set to 1,000 Mb/s, 1 000 Mb/s they operate only in full duplex mode full-duplex mode. Default: when autonegotiation fails Catalyst switch sets the corresponding switch port to half-duplex mode.

Hc vin mng Bach Khoa - Website: www.bkacad.com

18

auto-MDIX

auto-MDIX is enabled switch auto detects cable type yp can use either a crossover or a straight-through The auto-MDIX feature is enabled by default on switches running Cisco IOS Release 12.2(18)SE or later. For releases between Cisco IOS Release 12.1(14)EA1 and ( ) 12.2(18)SE, the auto-MDIX feature is disabled by default.

Hc vin mng Bach Khoa - Website: www.bkacad.com

19

MAC Addressing and Switch MAC Address Tables

Hc vin mng Bach Khoa - Website: www.bkacad.com

20

Hc vin mng Bach Khoa - Website: www.bkacad.com

21

Hc vin mng Bach Khoa - Website: www.bkacad.com

22

Hc vin mng Bach Khoa - Website: www.bkacad.com

23

Hc vin mng Bach Khoa - Website: www.bkacad.com

24

Hc vin mng Bach Khoa - Website: www.bkacad.com

25

Bandwidth and Throuhgput

Hc vin mng Bach Khoa - Website: www.bkacad.com

26

Collision Domains

Hc vin mng Bach Khoa - Website: www.bkacad.com

27

Collision Domains

Hc vin mng Bach Khoa - Website: www.bkacad.com

28

Broadcast Domains

Hc vin mng Bach Khoa - Website: www.bkacad.com

29

Broadcast Domains - Example

When a switch receives a broadcast frame, it forwards the frame to each of its ports, except the incoming port where the switch received the broadcast frame. Each attached device recognizes the broadcast frame and processes it. it

Hc vin mng Bach Khoa - Website: www.bkacad.com

30

Broadcast Domains - Example

Hc vin mng Bach Khoa - Website: www.bkacad.com

31

Network Latency

Hc vin mng Bach Khoa - Website: www.bkacad.com

32

Network Congestion

Causes of network congestion: g Increasingly powerful computer and network technologies. Increasing volume of network traffic. High-bandwidth applications.

Hc vin mng Bach Khoa - Website: www.bkacad.com

33

LAN Segmentation

Hc vin mng Bach Khoa - Website: www.bkacad.com

34

Hc vin mng Bach Khoa - Website: www.bkacad.com

35

Hc vin mng Bach Khoa - Website: www.bkacad.com

36

Hc vin mng Bach Khoa - Website: www.bkacad.com

37

Controlling Network Latency

Hc vin mng Bach Khoa - Website: www.bkacad.com

38

Removing Network Bottlenecks

Hc vin mng Bach Khoa - Website: www.bkacad.com

39

Switch Packet Forwarding Methods

Hc vin mng Bach Khoa - Website: www.bkacad.com

40

Switch Packet Forwarding Methods

Hc vin mng Bach Khoa - Website: www.bkacad.com

41

Hc vin mng Bach Khoa - Website: www.bkacad.com

42

Hc vin mng Bach Khoa - Website: www.bkacad.com

43

Symmetric and Asymmetric Switching

Hc vin mng Bach Khoa - Website: www.bkacad.com

44

Port Based and Shared Memory Buffering

Hc vin mng Bach Khoa - Website: www.bkacad.com

45

Layer 2 and Layer 3 Switching

Hc vin mng Bach Khoa - Website: www.bkacad.com

46

Hc vin mng Bach Khoa - Website: www.bkacad.com

47

Layer 3 Switch and Router Comparison

Hc vin mng Bach Khoa - Website: www.bkacad.com

48

Review you understanding

Hc vin mng Bach Khoa - Website: www.bkacad.com

49

Review you understanding

Hc vin mng Bach Khoa - Website: www.bkacad.com

50

Switch configuration

Hc vin mng Bach Khoa - Website: www.bkacad.com

51

The Command Line Interface Modes

Hc vin mng Bach Khoa - Website: www.bkacad.com

52

Hc vin mng Bach Khoa - Website: www.bkacad.com

53

GUI-based Alternatives to the CLI

Hc vin mng Bach Khoa - Website: www.bkacad.com

54

Hc vin mng Bach Khoa - Website: www.bkacad.com

55

Hc vin mng Bach Khoa - Website: www.bkacad.com

56

Hc vin mng Bach Khoa - Website: www.bkacad.com

57

Context Sensitive Help

Hc vin mng Bach Khoa - Website: www.bkacad.com

58

Console Error Messages

Hc vin mng Bach Khoa - Website: www.bkacad.com

59

The Command History Buffer

Hc vin mng Bach Khoa - Website: www.bkacad.com

60

Configure the Command History Buffer

Hc vin mng Bach Khoa - Website: www.bkacad.com

61

Describe the Boot Sequence

Hc vin mng Bach Khoa - Website: www.bkacad.com

62

Prepare to Configure the Switch

Step 1

Hc vin mng Bach Khoa - Website: www.bkacad.com

63

Step 2

Hc vin mng Bach Khoa - Website: www.bkacad.com

64

Step 3

Hc vin mng Bach Khoa - Website: www.bkacad.com

65

Basic Switch Configuration

Hc vin mng Bach Khoa - Website: www.bkacad.com

66

Management Interface Considerations

Hc vin mng Bach Khoa - Website: www.bkacad.com

67

Hc vin mng Bach Khoa - Website: www.bkacad.com

68

Hc vin mng Bach Khoa - Website: www.bkacad.com

69

Hc vin mng Bach Khoa - Website: www.bkacad.com

70

Configure Duplex and Speed

Hc vin mng Bach Khoa - Website: www.bkacad.com

71

Configure a Web Interface

Hc vin mng Bach Khoa - Website: www.bkacad.com

72

Managing the MAC Address Table

show mac address table mac-address-table

Hc vin mng Bach Khoa - Website: www.bkacad.com

73

Show Commands

Hc vin mng Bach Khoa - Website: www.bkacad.com

74

Show running-config

Hc vin mng Bach Khoa - Website: www.bkacad.com

75

Show interfaces

Hc vin mng Bach Khoa - Website: www.bkacad.com

76

Backing Up the Configuration

Hc vin mng Bach Khoa - Website: www.bkacad.com

77

Restoring the Configuration

Hc vin mng Bach Khoa - Website: www.bkacad.com

78

Back up Configuration Files to a TFTP Server

Hc vin mng Bach Khoa - Website: www.bkacad.com

79

Clearing Configuration Information

Hc vin mng Bach Khoa - Website: www.bkacad.com

80

Config Password g options p

Hc vin mng Bach Khoa - Website: www.bkacad.com

81

Configure Console Access

Hc vin mng Bach Khoa - Website: www.bkacad.com

82

Secure the vty Ports

Hc vin mng Bach Khoa - Website: www.bkacad.com

83

Configure EXEC Mode Passwords

Clear text password Encrypted, Priority than enable password

Hc vin mng Bach Khoa - Website: www.bkacad.com

84

Configure Encrypted Passwords

After

Before B f

Hc vin mng Bach Khoa - Website: www.bkacad.com

85

Enable Password Recovery

Hc vin mng Bach Khoa - Website: www.bkacad.com

86

Password Recovery

Step 1. Connect a terminal or PC with terminal-emulation software to the switch console port. Step 2. Set the line speed on the emulation software to 9600 baud. Step 3. Power off the switch. Reconnect the power cord to the switch and within 15 seconds, press the Mode button while the System LED is still flashing green. Continue pressing the Mode button until the System LED turns briefly amber and then solid green. Then release the Mode button. Step 4. Initialize the Flash file system using the flash_init command. Step 5. Load any helper files using the load helper command. load_helper

Hc vin mng Bach Khoa - Website: www.bkacad.com

87

Password Recovery

Step 6. Display the contents of Flash memory using the dir flash command: The switch file system appears: Directory of flash: 13 drwx 192 Mar 01 1993 22:30:48 c2960-lanbase-mz.122-25.FX 11 -rwx 5825 Mar 01 1993 22:31:59 config.text 18 -rwx 720 Mar 01 1993 02:21:30 vlan.dat 16128000 b t t t l (10003456 b t f ) bytes total bytes free) Step 7. Rename the configuration file to config.text.old, which contains the password definition, using the rename flash:config.text flash:config.text.old command. Step 8. Boot the system with the boot command.

Hc vin mng Bach Khoa - Website: www.bkacad.com

88

Password Recovery

Step 9. You are prompted to start the setup program. Enter N at the prompt, and then when the system prompts whether to continue with the configuration dialog, enter N. Step 10 At the switch prompt enter privileged EXEC mode using the enable command 10. prompt, command. Step 11. Rename the configuration file to its original name using the rename flash:config.text.old flash:config.text command. Step 12. Copy the configuration file into memory using the copy flash:config.text system:running-config command. After this command has been entered, the follow is displayed on the console: Source filename [config.text]? Destination filename [running-config]? Press Return in response to the confirmation prompts. The configuration file is now f f f reloaded, and you can change the password.

Hc vin mng Bach Khoa - Website: www.bkacad.com

89

Password Recovery

Step 13. Enter global configuration mode using the configure terminal command. Step 14. Change the password using the enable secretpassword command. Step 15. Return to privileged EXEC mode using the exit command. Step 16 Write the running configuration to the startup configuration file 16. using the copy running-config startup-config command. Step 17. Reload the switch using the reload command. Note: The password recovery procedure can be different depending on , y p the Cisco switch series, so you should refer to the product documentation before you attempt a password recovery.
Hc vin mng Bach Khoa - Website: www.bkacad.com 90

Configure a Login Banner

Hc vin mng Bach Khoa - Website: www.bkacad.com

91

Configure a MOTD Banner

Hc vin mng Bach Khoa - Website: www.bkacad.com

92

Telnet and SSH

Remote control tool of switch and router SSH encrypt data before transmit yp

Hc vin mng Bach Khoa - Website: www.bkacad.com

93

Configuring Telnet

Hc vin mng Bach Khoa - Website: www.bkacad.com

94

Configuring SSH

Hc vin mng Bach Khoa - Website: www.bkacad.com

95

Configuring SSH

The switch supports SSHv1 or SSHv2 for the server component. The switch supports only SSHv1 for the client component. To implement SS you need to generate RSA keys. SSH, S Step 1. Enter global configuration mode using the configure terminal command. Step 2. Configure a hostname for y p g your switch using the g hostnamehostname command. Step 3. Configure a host domain for your switch using the ip domainnamedomain_name command. Step 4. Enable the SSH server for local and remote authentication on the p switch and generate an RSA key pair using the crypto key generate rsa command. Step 5. Return to privileged EXEC mode using the end command. Step 6. Show the status of the SSH server on the switch using the show ip p g p ssh or show ssh command. To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. After the RSA key pair is deleted, the SSH server is automatically disabled.

Hc vin mng Bach Khoa - Website: www.bkacad.com

96

Configuring the SSH Server

Step 1. Enter global configuration mode using the configure terminal command. Step 2 (Optional) Configure the switch to run SSHv1 or SSHv2 using 2. the ip ssh version [1 | 2] command. If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2.

Step 3. Configure the SSH control parameters: Specify the time-out value in seconds: default of 10 minutes. Specify the number of times that a client can re-authenticate to the server. The default is 3; the range is 0 to 5 Command: ip ssh {timeoutseconds | authentication-retriesnumber}.
Hc vin mng Bach Khoa - Website: www.bkacad.com 97

Configuring the SSH Server

Step 4. Return to p p privileged EXEC mode using the end g g command. Step 5. Display the status of the SSH server connections on the switch using the show ip ssh or the show ssh command. Step 6. (Optional) Save your entries in the configuration file using the copy running-config startup-config command.

Hc vin mng Bach Khoa - Website: www.bkacad.com

98

Layer 2 common y security attacks y

Hc vin mng Bach Khoa - Website: www.bkacad.com

99

Types of Attacks
MAC Address Flooding
Media Access Control (MAC) Address Spoofing DHCP "starvation"

Hc vin mng Bach Khoa - Website: www.bkacad.com

100

MAC Address Flooding

Hc vin mng Bach Khoa - Website: www.bkacad.com

101

MAC Address Flooding

Hc vin mng Bach Khoa - Website: www.bkacad.com

102

MAC Address Flooding

Hc vin mng Bach Khoa - Website: www.bkacad.com

103

MAC Address Flooding

Hc vin mng Bach Khoa - Website: www.bkacad.com

104

MAC Address Flooding

Hc vin mng Bach Khoa - Website: www.bkacad.com

105

Mitigating MAC the Address Flooding

switch(config-if)#

switchport port-security

Enable port security on interface interface.

switch(config-if)#

switchport port-security [mac_addr]

Enable port security and set specific MAC address (H.H.H).

Hc vin mng Bach Khoa - Website: www.bkacad.com

106

Mitigating MAC the Address Flooding

switch(config-if)#

switchport port-security maximum (1-132)

Set maximum number of MAC addresses addresses.

switch(config-if)# #

switchport port-security violation shutdown [protect | restrict | shutdown]

Set action on violation.

Hc vin mng Bach Khoa - Website: www.bkacad.com

107

MAC Spoofing Man in the Middle Attacks

SWITCH PORT 1 2 3
Attacker

SWITCH PORT 1 2 3

A B C
B A MAC A A

AB C
B

Attacker

Hc vin mng Bach Khoa - Website: www.bkacad.com

108

Mitigating MAC Spoofing Attacks - CatOS

switch> (enable)

set port security <mod/port> enable [mac_addr]

Enable port security and set specific MAC address address.

switch> (enable)

set port security <mod/port> mac_addr /

Set MAC addresses.

switch> (enable)

set port security <mod/port> violation [shutdown|restrict]

Specify action to take when violation occurs.

Hc vin mng Bach Khoa - Website: www.bkacad.com 109

Mitigating MAC Spoofing Attacks Cisco IOS

switch(config-if)#

port security max-mac-count {1-132}

Enable port security and set maximum MAC address address.

switch(config-if)#

port security action {shutdown|trap}

Specify action to take when violation occurs.

switch(config-if)#

arp timeout seconds

Specify ARP timeout.

Hc vin mng Bach Khoa - Website: www.bkacad.com 110

ARP Spoofing

192.168.10.0/24
ARP for .1 1

.1 1

Im Im .1!

.2

.3

Attacker

Hc vin mng Bach Khoa - Website: www.bkacad.com

111

Mitigating ARP Spoofing with DHCP Snooping and DAI

switch(config)#

ip dhcp snooping

Enable DHCP Snooping. p g

switch(config)#

ip dhcp snooping vlan vlan_id {,vlan_id}

Enable DHCP Snooping for specific VLANs.

switch(config-if)#

ip dhcp snooping trust

Configure an interface as trusted for DHCP snooping purposes.

Hc vin mng Bach Khoa - Website: www.bkacad.com 112

Mitigating ARP Spoofing with DHCP Snooping and DAI (Cont.)

switch(config-if)#

ip dhcp snooping limit rate rate

Set rate limit for DHCP Snooping. p g

Hc vin mng Bach Khoa - Website: www.bkacad.com

113

Spoofing Attacks

Hc vin mng Bach Khoa - Website: www.bkacad.com

114

Solution:

Cisco Catalyst DHCP Snooping Port Security Features (later in this module) y ( )

Hc vin mng Bach Khoa - Website: www.bkacad.com

115

Solution: Cisco Catalyst DHCP Snooping

Hc vin mng Bach Khoa - Website: www.bkacad.com

116

Config DHCP Snooping

Step 1. Enable DHCP snooping using the ip dhcp snooping global configuration command. Step 2. Enable DHCP snooping for specific VLANs using the ip dhcp snooping vlan number [number] command. Step 3. Define ports as trusted or untrusted at the interface level by defining the trusted ports using the ip dhcp snooping trust command. Step 4. (Optional) Limit the rate at which an attacker can continually send bogus DHCP requests through untrusted p g q g ports to the DHCP server using the ip dhcp snooping limit raterate command.

Hc vin mng Bach Khoa - Website: www.bkacad.com

117

CDP Attacks

Hc vin mng Bach Khoa - Website: www.bkacad.com

118

Solution

Disable the use of CDP on devices that do not need to use it.

Hc vin mng Bach Khoa - Website: www.bkacad.com

119

Telnet Attacks

Hc vin mng Bach Khoa - Website: www.bkacad.com

120

Security tools

Hc vin mng Bach Khoa - Website: www.bkacad.com

121

Network Security Tools Features

Hc vin mng Bach Khoa - Website: www.bkacad.com

122

Using Port Security to Mitigate Attacks

Hc vin mng Bach Khoa - Website: www.bkacad.com

123

Type of security mac address

s tc po t po t secu ty ac add ess switchport port-security mac-address switchport port-security mac-address sticky

Hc vin mng Bach Khoa - Website: www.bkacad.com

124

Violation types

Hc vin mng Bach Khoa - Website: www.bkacad.com

125

Port security default

Hc vin mng Bach Khoa - Website: www.bkacad.com

126

Config dynamic port security

Hc vin mng Bach Khoa - Website: www.bkacad.com

127

Config port security sticky

Hc vin mng Bach Khoa - Website: www.bkacad.com

128

Verify

Hc vin mng Bach Khoa - Website: www.bkacad.com

129

Verify

Hc vin mng Bach Khoa - Website: www.bkacad.com

130

Should be Disable Unused Ports

Hc vin mng Bach Khoa - Website: www.bkacad.com

131

Chapter summary

Hc vin mng Bach Khoa - Website: www.bkacad.com

132