Slide 1
Chap 2 – Basic Switch Concepts and Configuration
Learning Objectives
• Summarise the operation of Ethernet as defined for 100/1000 Mbps LANs in the IEEE 802.3 standard.
• Explain the functions that enable a switch to forward Ethernet frames in a LAN.
• Configure a switch for operation in a network designed to support voice, video, and data transmissions.
• Configure basic security on a switch that will operate in a network designed to support voice, video, and data transmissions.
Slide 2
Duplex Settings
Half-duplex (CSMA/CD):
• Unidirectional data flow
• Potential for collision
• Hub connectivity
Full-duplex:
• Point-to-point only
• Attached to dedicated switch port
• Needs full-duplex support at both ends
• Collision-free
• Collision detect circuit disabled
(Figure: a hub on the half-duplex side and a switch on the full-duplex side.)
Slide 3
Duplex Settings
The Cisco Catalyst switches have three settings:
• The auto option sets auto-negotiation of duplex mode. With auto-negotiation enabled, the two ports communicate to decide the best mode of operation.
• The full option sets full-duplex mode.
• The half option sets half-duplex mode.
Slide 4
Auto-MDIX Settings
(Figure: which connections between computers, routers, switches, hubs and PCs need a straight-through cable and which need a crossover cable.)
When the auto-MDIX feature is enabled, the switch detects the required cable type for copper Ethernet connections and configures the interfaces accordingly.
• The auto-MDIX feature is enabled by default on switches running Cisco IOS Release 12.2(18)SE or later.
• For releases between Cisco IOS Release 12.1(14)EA1 and 12.2(18)SE, the auto-MDIX feature is disabled by default.
Slide 5
Switch MAC Tables - Summary
• Filters, forwards and floods network traffic using the physical (MAC) address of host computers.
• Reads each frame as it passes through the switch.
• Places the source address in a MAC filter table and keeps track of the port it was received on.
• Examines the destination address and consults its table before processing the frame.
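The learn / filter / forward / flood behaviour summarised above, as an added Python model (this is not code from the slides or from Cisco). Port names, MAC addresses and the traffic sequence are constructed for the demonstration; the 300-second aging time is an assumption of the model, stated in the code, rather than a value taken from the slides.

```python
"""Added example: a minimal Layer 2 switch that learns source MACs per port,
ages stale entries out, and decides whether to filter, forward or flood."""
from dataclasses import dataclass

BROADCAST = "ffff.ffff.ffff"
AGING_SECONDS = 300  # assumption: a typical Catalyst MAC aging time, not from the slides


@dataclass
class Frame:
    src: str
    dst: str
    in_port: str


class MacTableSwitch:
    def __init__(self, ports, aging=AGING_SECONDS):
        self.ports = list(ports)
        self.aging = aging
        self.table = {}  # mac -> (port learned on, time last seen)

    def _age_out(self, now):
        stale = [m for m, (_, seen) in self.table.items() if now - seen > self.aging]
        for m in stale:
            del self.table[m]

    @staticmethod
    def _is_group(mac):
        # Low bit of the first octet set marks a multicast/broadcast address
        return int(mac.split(".")[0][:2], 16) & 1 == 1

    def handle(self, frame, now):
        """Return (decision, [egress ports]) for one received frame."""
        self._age_out(now)
        # Learn: the source MAC is recorded against the port it arrived on
        self.table[frame.src] = (frame.in_port, now)
        others = [p for p in self.ports if p != frame.in_port]
        if frame.dst == BROADCAST or self._is_group(frame.dst):
            return "flood", others
        entry = self.table.get(frame.dst)
        if entry is None:
            # Unknown unicast: flood out every port except the ingress port
            return "flood", others
        out_port, _ = entry
        if out_port == frame.in_port:
            # Destination lives on the same segment the frame came from: filter it
            return "filter", []
        return "forward", [out_port]


def demo():
    """Constructed traffic: A on Fa0/1, B on Fa0/2, C and D share a hub on Fa0/3."""
    sw = MacTableSwitch(["Fa0/1", "Fa0/2", "Fa0/3"])
    a, b, c, d = "0000.0000.000a", "0000.0000.000b", "0000.0000.000c", "0000.0000.000d"
    results = [
        sw.handle(Frame(a, b, "Fa0/1"), now=0),    # B unknown -> flood
        sw.handle(Frame(b, a, "Fa0/2"), now=1),    # A known on Fa0/1 -> forward
        sw.handle(Frame(a, b, "Fa0/1"), now=2),    # B now known -> forward
        sw.handle(Frame(c, d, "Fa0/3"), now=3),    # D unknown -> flood
        sw.handle(Frame(d, c, "Fa0/3"), now=4),    # C on the same port -> filter
        sw.handle(Frame(a, BROADCAST, "Fa0/1"), now=5),  # broadcast -> flood
        sw.handle(Frame(a, b, "Fa0/1"), now=400),  # B aged out -> flood again
    ]
    return results


if __name__ == "__main__":
    for decision, ports in demo():
        print(decision, ports)
```

The last step shows why aging matters for the rest of the chapter: once an entry is gone the switch floods again, which is exactly the state a MAC flooding attack tries to force on every address at once.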
Slide 6
Collision Domains
(Figure: a switch with two hubs attached.)
The network area where frames originate and collide is called the collision domain. All shared media environments, such as those created by using hubs, are collision domains.
Slide 7
MAC Broadcast Domains
(Figure: a switch with two hubs attached.)
The broadcast domain at Layer 2 is referred to as the MAC broadcast domain. It consists of all devices on the LAN that receive a broadcast frame sent by a host to all other machines on the LAN.
Slide 8
Network Latency
(Figure: two switches in series, labelled 20-40 mS and 30-60 mS.)
• Latency is the time a frame or a packet takes to travel from the source station to the final destination.
Latency has at least three sources:
1. Time taken for the NIC to send and receive the signalling pulses (1 uS for a 10BASE-T NIC).
2. Propagation delay through the cable, typically about 0.556 uS per 100 m for Cat 5 UTP.
3. Network devices in the path between the two end devices; these are Layer 1, Layer 2, or Layer 3 devices.
Slide 9
Switch Forwarding
In store-and-forward switching, received frames are stored in buffers until the complete frame has been received. The switch analyzes the frame for information about its destination, and performs an error check using the Ethernet Frame Check Sequence.
(Figure: the Ethernet frame layout; the frame is stored and checked twice (1. Check, 2. Check) before it leaves: Frame In → Store Frame → Frame Out.)
Ethernet frame fields:
• Preamble (7 bytes)
• Start Delimiter (1 byte)
• Destination Address (6 bytes)
• Source Address (6 bytes)
• Length (2 bytes)
• Data (46-1500 bytes)
• Frame Check Sequence (4 bytes)
Slide 10
Switch Forwarding
In cut-through switching, the switch acts upon the data as soon as it is received, even if the transmission is not complete. The switch buffers just enough of the frame to read the destination MAC address so that it can determine to which port to forward the data.
(Figure: the same Ethernet frame layout (Preamble 7 bytes, Start Delimiter 1 byte, Destination Address 6 bytes, Source Address 6 bytes, Length 2 bytes, Data 46-1500 bytes, Frame Check Sequence 4 bytes); only one check is made (1. Check) before the frame goes out: Frame In → Frame Out.)
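The difference between the two forwarding modes on slides 9 and 10 comes down to whether the Frame Check Sequence is verified before the frame leaves. The following added Python example (not from the slides) builds an Ethernet frame with a real CRC-32 FCS, corrupts one payload byte, and shows that the store-and-forward path drops it while the cut-through path, which has read only the 6-byte destination, forwards it unchanged. The MAC table contents and frame contents are constructed; the preamble and start delimiter are left out because the NIC strips them before the switching logic sees the frame.

```python
"""Added example: Ethernet frame construction, FCS verification, and the
store-and-forward versus cut-through forwarding decision."""
import struct
import zlib

MIN_PAYLOAD = 46
MAX_PAYLOAD = 1500
MIN_FRAME = 64  # 6 + 6 + 2 + 46 + 4 bytes


def build_frame(dst, src, payload, ethertype=0x0800):
    """Return dst|src|type|data|FCS; short data is padded to the 46-byte minimum."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 1500 bytes")
    payload = payload.ljust(MIN_PAYLOAD, b"\x00")
    body = (bytes.fromhex(dst.replace(".", "")) + bytes.fromhex(src.replace(".", ""))
            + struct.pack(">H", ethertype) + payload)
    # The FCS is CRC-32 over everything after the start delimiter, sent LSB first
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return body + fcs


def fcs_ok(frame):
    body, fcs = frame[:-4], frame[-4:]
    return struct.unpack("<I", fcs)[0] == (zlib.crc32(body) & 0xFFFFFFFF)


def dst_mac(frame):
    """Dotted-hex destination from the first 6 bytes (all a cut-through switch reads)."""
    return ".".join(frame[i:i + 2].hex() for i in range(0, 6, 2))


def store_and_forward(frame, mac_table):
    """Whole frame buffered; runts and bad-FCS frames are discarded (slide 9, check 2)."""
    if len(frame) < MIN_FRAME or not fcs_ok(frame):
        return "drop: bad FCS or runt"
    return "forward to " + mac_table.get(dst_mac(frame), "all ports (flood)")


def cut_through(frame, mac_table):
    """Decision made after the destination address only (slide 10, check 1)."""
    return "forward to " + mac_table.get(dst_mac(frame), "all ports (flood)")


def demo():
    table = {"0000.0000.000b": "Fa0/2"}  # constructed MAC table entry
    good = build_frame("0000.0000.000b", "0000.0000.000a", b"hello")
    # Simulate a line error: flip one payload bit without recomputing the FCS
    damaged = bytearray(good)
    damaged[20] ^= 0x01
    damaged = bytes(damaged)
    return {
        "frame_len": len(good),
        "good_store_and_forward": store_and_forward(good, table),
        "bad_store_and_forward": store_and_forward(damaged, table),
        "bad_cut_through": cut_through(damaged, table),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The cut-through result is the practical trade-off: lower latency, but corrupted frames are propagated and must be caught by the receiving host or a later store-and-forward hop.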
Slide 11
Asymmetric/Symmetric Switching
(Figure: a symmetric switch with 100 Mbps ports throughout; an asymmetric switch with a 1 Gbps server port and 100 Mbps ports.)
• Symmetric switch - all ports are of the same bandwidth.
• Optimized for a reasonably distributed traffic load, such as in a peer-to-peer desktop environment.
• Asymmetric switching enables more bandwidth to be dedicated to a server switch port to prevent a bottleneck.
• Memory buffering is required on an asymmetric switch.
Slide 12
Memory Buffering
(Figure: port-based buffering - frames 1 to 6 arriving on input ports 1 to 3 are held in a separate buffer per input port (Port 1 Buffer, Port 2 Buffer, Port 3 Buffer) before going to output ports 4 to 6.)
• Port-based memory buffering - frames are stored in queues that are linked to specific incoming ports.
• A frame is transmitted to the outgoing port only when all the frames ahead of it in the queue have been successfully transmitted.
• A single frame can delay the transmission of all the frames in memory because of a busy destination port.
Slide 13
Memory Buffering
(Figure: shared buffering - frames 1 to 6 from input ports 1 to 3 enter one shared buffer and are linked directly to output ports 4 to 6.)
• Shared memory buffering - all frames enter a common memory buffer that all the ports on the switch share.
• The amount of buffer memory required by a port is dynamically allocated.
• The frames in the buffer are linked dynamically to the destination port, allowing the frame to be received on one port and then transmitted on another port, without moving it to a different queue.
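To make the head-of-line blocking of slide 12 concrete, the added Python simulation below (not from the slides) runs the same constructed set of six frames through a port-based buffer and a shared buffer, with each output port able to send one frame per tick. Frame names, ports and arrival order are constructed for the demonstration.

```python
"""Added example: port-based versus shared memory buffering, one frame per
output port per tick, showing how a busy destination port delays unrelated
frames queued behind it in a port-based buffer."""
from collections import deque

# Constructed arrivals: (frame, ingress port, egress port), in arrival order
FRAMES = [
    ("F1", "Port 1", "Port 4"), ("F2", "Port 1", "Port 5"),
    ("F3", "Port 2", "Port 4"),
    ("F5", "Port 3", "Port 4"), ("F6", "Port 3", "Port 6"),
]


def port_based(frames):
    """One FIFO per ingress port; only the head of each FIFO may be sent."""
    queues = {}
    for name, inp, outp in frames:
        queues.setdefault(inp, deque()).append((name, outp))
    done, tick = {}, 0
    while any(queues.values()):
        tick += 1
        busy = set()  # each egress port sends at most one frame per tick
        for inp in sorted(queues):
            q = queues[inp]
            if q and q[0][1] not in busy:
                name, outp = q.popleft()
                busy.add(outp)
                done[name] = tick
            # else: head is blocked, and so is everything behind it
    return done


def shared(frames):
    """One pool; every frame is linked to its egress port as soon as it arrives."""
    pending = {}
    for name, inp, outp in frames:
        pending.setdefault(outp, deque()).append(name)
    done, tick = {}, 0
    while any(pending.values()):
        tick += 1
        for q in pending.values():
            if q:
                done[q.popleft()] = tick
    return done


def compare(frames=FRAMES):
    pb, sh = port_based(frames), shared(frames)
    return {"port_based": pb, "shared": sh,
            "port_based_ticks": max(pb.values()), "shared_ticks": max(sh.values())}


if __name__ == "__main__":
    print(compare())
```

In the port-based run, F6 (bound for the idle Port 6) waits until tick 4 because F5 ahead of it in the Port 3 queue is stuck behind the busy Port 4; in the shared run F6 leaves in tick 1.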
Slide 14
Layer 2 & 3 Switching
• Instead of using only the Layer 2 MAC address information for forwarding decisions, a Layer 3 switch can also use IP address information.
• In addition to associating MAC addresses with ports, a Layer 3 switch can also learn which IP addresses are associated with its interfaces. This allows the Layer 3 switch to direct traffic throughout the network based on IP address information.
• Layer 3 switches are also capable of performing Layer 3 routing functions, reducing the need for dedicated routers on a LAN. Because Layer 3 switches have specialized switching hardware, they can typically route data as quickly as they can switch.
Slide 15
Layer 2 & 3 Switching
• Routers perform additional Layer 3 services that Layer 3 switches are not capable of performing. Routers are also capable of performing packet forwarding tasks not found on Layer 3 switches.
• Dedicated routers are more flexible in their support of WAN interface cards (WIC), making them the preferred, and sometimes only, choice for connecting to a WAN.
Slide 16
Cisco Switch Boot Sequence
1. The switch loads the boot loader software from NVRAM.
2. The boot loader performs:
• Low-level CPU initialisation
• POST for the CPU subsystem
• Initialisation of the flash file system on the system board
• Loading the default IOS into RAM and booting the switch
3. The operating system runs the config.txt file, stored in flash memory.
Slide 17
Show Commands in User EXEC Mode
Show Commands in Privileged EXEC Mode
As with routers, use either enable password <password> or enable secret <password> to protect the switch from unauthorised access.
Slide 18
Examining Help in the Switch CLI
Word help: enter the first few characters of a command followed by ?. Do not include a space before the question mark.
Command syntax help: if unfamiliar with which commands are available in the current context within the Cisco IOS CLI, enter the ? command.
Slide 19
Accessing the Command History
• The Cisco CLI provides a history or record of commands that have been entered, called the command history.
• Cycle through the history buffer using the up and down arrow keys.
Slide 20
Verifying LEDs During Switch POST
• The Port Status LEDs turn amber for about 30 seconds as the switch discovers the network topology and searches for loops.
• Port Status LEDs turn green to indicate a link between the port and a host.
• Port Status LEDs turn off when nothing is plugged into the port.
Slide 21
Establishing a Console Session
1. Connect to the switch console port.
2. Run HyperTerminal.
3. Configure the console settings.
Slide 22
Set IP Address and Default Gateway
• To allow the switch to be accessible by Telnet and other TCP/IP applications, an IP address and a default gateway should be set.
• By default, VLAN 1 is the management VLAN (more later). This is a security risk; it is better to assign another VLAN as the management VLAN.
• In a switch-based network, all internetworking devices should be in the management VLAN.
• This allows a single management workstation to access, configure, and manage all the internetworking devices.
• The default gateway is only for management purposes, not for user Ethernet frames (and packets); it allows Telnet from this switch into a device on another network.
Slide 23
Switch Configuration – IP Address & Default Gateway
The switch IP address must be in the same subnet as the default gateway if inter-network configuration and monitoring is required.
(Figure: router Fa0/0 192.168.1.1; switch VLAN 99 interface 192.168.1.2, with ports Fa0/1 (VLAN 99) and Fa0/2; a PC at 192.168.1.10.)
Slide 24
Switch Configuration – IP Address & Default Gateway
The PC IP address must be in the same subnet as the default gateway and the management VLAN if inter-network configuration is required.
(Figure: the same topology as slide 23.)
Slide 25
Verify Switch Settings
show ip interface brief:
• VLAN information is at the end of the display - note that the default VLAN1 has no IP address, whereas the new management VLAN99 has the address 192.168.1.2.
Slide 26
Verify Switch Settings
show running-config:
• Confirms that the port selected to allow administrator access is on the management VLAN99.
Slide 27
Configure Duplex & Speed on an Interface
• The commands duplex auto and speed auto allow the switch to auto-negotiate duplex mode and speed with attached devices.
• It is possible to manually set the duplex mode and speed of switch ports to avoid inter-vendor issues with auto-negotiation.
Slide 28
Managing the MAC Address Table
show mac-address-table:
• The switch provides dynamic addressing by learning the source MAC address of each frame that it receives on each port, and then adding the source MAC address and associated port number to the MAC address table.
• The switch updates the MAC address table as computers are added to or removed from the network, adding new entries and aging out those that are currently not in use.
Slide 29
Managing the MAC Address Table
S1(config)# mac-address-table static 00d0.970c.1a8c vlan 99 interface fa0/1
• A network administrator can specifically assign static MAC addresses to certain ports. Static addresses are not aged out, and the switch always knows which port to send out traffic destined for that specific MAC address.
• As a result, there is no need to relearn or refresh which port the MAC address is connected to.
Slide 30
Verify Switch Settings – Show Commands
With some minor differences, Cisco switch show commands follow the same syntax and display similar information to those used on Cisco routers.
Slide 31
Back-up Switch Configuration - Flash
Back-up copies of the configuration file can be stored in the switch Flash memory, allowing an administrator to quickly return a switch to a previous configuration.
Slide 32
Restore Switch Configuration - Flash
Back-up copies of the configuration file can be stored in the switch Flash memory, allowing an administrator to quickly return a switch to a previous configuration.
Slide 33
Back-up Switch Configuration - TFTP
(Figure: router Fa0/0 172.168.1.1; switch VLAN 99 172.16.1.2 with ports Fa0/1 (VLAN 99) and Fa0/2; TFTP server 172.16.1.155.)
Or: S1# copy run tftp
(The system will prompt for the server address and the file name.)
Slide 34
Clearing Switch Configuration
To delete a file from Flash memory, use: delete flash: filename
To erase the current start-up configuration, use: erase nvram:
Slide 35
Switch Configuration - Security
Also use the following on the console line:
• logging synchronous - prevents status text overwriting input text.
• exec-timeout - logs out of sessions after a predetermined number of minutes.
Slide 36
Switch Configuration - Security
Securing access to privileged EXEC mode can be done in two ways, in the same manner as on a Cisco router:
Remember - enable secret is always automatically encrypted, whereas enable password isn't.
Slide 37
Switch Configuration - Security
show running-config - all console and vty passwords shown in clear text.
service password-encryption - all console and vty passwords encrypted.
show running-config - all console and vty passwords now shown in encrypted text.
Slide 38
Banner MOTD
• The message that you want users to see is entered between the delimiter characters, in this case '#'.
• Any character can be used as a delimiter.
Slide 39
Telnet & SSH
• To re-enable the Telnet protocol on a Cisco 2960 switch,
• Configure the switch with a domain name, an encryption key and the SSH version, and enable SSH on the vty lines.
SSH gives the same type of access as Telnet but guarantees security, as communication between the SSH client and SSH server is encrypted. Cisco recommends implementing SSHv2 when possible, because it uses a stronger encryption algorithm than SSHv1.
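Slides 35 to 39 describe a handful of settings an auditor checks on every switch: enable secret rather than enable password, service password-encryption, an exec-timeout on each line, and SSH rather than Telnet on the vty lines. The added Python script below (not from the slides or from Cisco) checks a running-config text for those points. Both config excerpts are constructed; the angle-bracket values are placeholders. One caveat the slides do not state: service password-encryption produces type 7 strings, which are a reversible encoding rather than a hash, so the audit also flags them and points at enable secret / username ... secret, which are hashed.

```python
"""Added example: a small running-config audit for the hardening points
covered on slides 35-39. Constructed configs; placeholders in <angle brackets>."""

# Constructed "before" config: every check below should fire on it
WEAK_CONFIG = """\
hostname S1
enable password cisco
no service password-encryption
line con 0
 password letmein
 login
line vty 0 4
 password 7 <type7-string>
 login
 transport input telnet
"""

# Constructed "after" config: the same switch with the slide's recommendations applied
HARDENED_CONFIG = """\
hostname S1
service password-encryption
enable secret <strong-secret>
ip domain-name example.com
ip ssh version 2
line con 0
 password <console-password>
 exec-timeout 5 0
 logging synchronous
 login
line vty 0 4
 password <vty-password>
 exec-timeout 5 0
 transport input ssh
 login
"""


def parse_line_blocks(config):
    """Group the indented statements under each 'line con/vty ...' stanza."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any top-level command ends the stanza
    return blocks


def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = config.splitlines()
    findings = []
    if "service password-encryption" not in lines:
        findings.append("service password-encryption is off: line passwords are in clear text")
    if any(l.startswith("enable password ") for l in lines):
        findings.append("enable password in use: replace with enable secret (hashed)")
    if "ip ssh version 2" not in lines:
        findings.append("ip ssh version 2 not configured")
    for name, body in parse_line_blocks(config).items():
        if any(b.startswith("password 7 ") for b in body):
            # Type 7 is reversible encoding, not a hash: it only defeats shoulder-surfing
            findings.append(f"{name}: type 7 line password is reversible; prefer login local with username secret")
        if any(b.startswith("transport input") and "telnet" in b for b in body):
            findings.append(f"{name}: Telnet permitted; use transport input ssh")
        if not any(b.startswith("exec-timeout") for b in body) or "exec-timeout 0 0" in body:
            findings.append(f"{name}: no idle exec-timeout")
    return findings


if __name__ == "__main__":
    for f in audit(WEAK_CONFIG):
        print("WEAK:", f)
    print("hardened findings:", audit(HARDENED_CONFIG))
```

Run it against the output of show running-config saved to a file; the two embedded configs just show that the checks fire on the weak configuration and are silent on the hardened one.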
Slide 40
Common Security Attacks – MAC Address Flooding
• MAC address tables are limited in size. MAC flooding makes use of this limitation to bombard the switch with fake source MAC addresses until the switch MAC address table is full.
• The switch then enters into what is known as a fail-open mode, and starts acting as a hub, broadcasting frames to all the machines on the network.
• As a result, the attacker can see all of the frames sent from a victim host to another host without a MAC address table entry.
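From the defender's side, the symptom of the attack described above is one access port suddenly sourcing hundreds of distinct MAC addresses. The added Python example below (not from the slides) runs that check over a constructed stream of (time, port, source MAC) observations, such as could be exported from the MAC address table or a port mirror, and raises an alert for any port whose distinct-source count inside a sliding window exceeds a threshold. Ports, addresses, the window length and the threshold are all constructed values for the demonstration; the matching mitigation on the slides that follow is port security.

```python
"""Added example: detect MAC flooding by counting distinct source MACs per
port inside a sliding time window. Input records are constructed."""
from collections import defaultdict


def detect_mac_flood(records, threshold=20, window=10.0):
    """records: iterable of (timestamp_seconds, port, source_mac).
    Returns ({port: peak distinct sources in any window}, [alert strings])."""
    by_port = defaultdict(list)
    for t, port, src in sorted(records):
        by_port[port].append((t, src))
    peaks, alerts = {}, []
    for port, seen in by_port.items():
        peak = 0
        for t, _ in seen:
            # Distinct sources observed in the window ending at this observation
            recent = {s for (u, s) in seen if t - window < u <= t}
            peak = max(peak, len(recent))
        peaks[port] = peak
        if peak > threshold:
            alerts.append(f"{port}: {peak} distinct source MACs within {window:g}s "
                          f"(threshold {threshold}); possible MAC flooding")
    return peaks, alerts


def build_sample():
    """Constructed traffic: two normal ports and one port flooding 150 fake sources."""
    recs = []
    for i in range(30):
        recs.append((i * 1.0, "Fa0/1", f"0000.0000.000{i % 3 + 1}"))      # 3 real hosts
        recs.append((i * 1.0 + 0.5, "Fa0/2", "0000.0000.00a" + ("1" if i % 2 else "2")))
    for i in range(150):
        fake = f"0000.{i:04x}.{(i * 7919) & 0xFFFF:04x}"  # constructed, never repeats
        recs.append((5.0 + i * 0.05, "Fa0/3", fake))
    return recs


def demo():
    return detect_mac_flood(build_sample())


if __name__ == "__main__":
    peaks, alerts = demo()
    print(peaks)
    for a in alerts:
        print("ALERT", a)
```

The threshold should sit well above the number of hosts legitimately behind a port (a hub or an IP phone with a PC behind it is still a handful of addresses), so that the alert fires only on the kind of address churn the attack needs.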
Slide 41
Common Security Attacks – Spoofing
(Figure: a client, a legitimate DHCP server and a rogue DHCP server on the same segment.)
1. An attacker activates a DHCP server on a network segment.
2. The client broadcasts a request for DHCP configuration information.
3. The rogue DHCP server responds before the legitimate DHCP server can respond, assigning attacker-defined IP configuration information.
4. Host packets are redirected to the attacker's address as it emulates a default gateway for the erroneous DHCP address provided to the client.
Slide 42
Common Security Attacks – Spoofing
(Figure: the same topology; the port towards the legitimate DHCP server is marked Trusted, the client and rogue-server ports are marked Untrusted.)
• DHCP snooping allows the configuration of ports as trusted or untrusted.
• Trusted ports can send DHCP requests and acknowledgements.
• Untrusted ports can forward only DHCP requests.
• DHCP snooping enables the switch to build a DHCP binding table that maps a client MAC address, IP address, VLAN, and port ID.
• Use the ip dhcp snooping command.
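The trusted/untrusted rule and the binding table on slide 42, as an added Python model (not from the slides or from Cisco IOS). It replays the rogue-server exchange of slide 41 through the filter: server messages (OFFER, ACK, NAK) are accepted only from trusted ports, client messages pass from any port, and a binding of client MAC, IP, VLAN and port is recorded when a legitimate ACK goes through. Port names, addresses and the message sequence are constructed.

```python
"""Added example: DHCP snooping filter and binding table. The rogue server on
an untrusted port has its OFFER and ACK dropped; the legitimate server's
reply on the trusted port is forwarded and produces a binding."""
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpMsg:
    kind: str          # DISCOVER, OFFER, REQUEST, ACK, NAK
    in_port: str       # switch port the message arrived on
    client_mac: str    # chaddr field of the DHCP header
    yiaddr: str = ""   # address assigned by the server (server messages only)
    vlan: int = 1


class DhcpSnooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.client_port = {}  # client MAC -> port its DISCOVER/REQUEST came in on
        self.bindings = {}     # client MAC -> (ip, vlan, port)
        self.log = []

    def process(self, msg):
        """Return 'forward' or 'drop' for one DHCP message."""
        if msg.kind in SERVER_MESSAGES:
            if msg.in_port not in self.trusted:
                # Only trusted ports may source server replies: rogue server blocked here
                self.log.append(f"dropped {msg.kind} from untrusted port {msg.in_port}")
                return "drop"
            if msg.kind == "ACK":
                port = self.client_port.get(msg.client_mac, "unknown")
                self.bindings[msg.client_mac] = (msg.yiaddr, msg.vlan, port)
            return "forward"
        # Client messages (requests) are forwarded from any port; note where the client is
        self.client_port[msg.client_mac] = msg.in_port
        return "forward"


def demo():
    snoop = DhcpSnooping(trusted_ports=["Fa0/24"])  # constructed: uplink to the real server
    client = "0000.0000.00c1"
    exchange = [
        DhcpMsg("DISCOVER", "Fa0/1", client),
        DhcpMsg("OFFER", "Fa0/3", client, yiaddr="192.168.1.200"),   # rogue server, untrusted
        DhcpMsg("OFFER", "Fa0/24", client, yiaddr="192.168.1.10"),   # legitimate server
        DhcpMsg("REQUEST", "Fa0/1", client),
        DhcpMsg("ACK", "Fa0/3", client, yiaddr="192.168.1.200"),     # rogue server, untrusted
        DhcpMsg("ACK", "Fa0/24", client, yiaddr="192.168.1.10"),     # legitimate server
    ]
    decisions = [snoop.process(m) for m in exchange]
    return decisions, snoop.bindings, snoop.log


if __name__ == "__main__":
    decisions, bindings, log = demo()
    print(decisions)
    print(bindings)
    print(log)
```

The binding table is what later features build on: it is the reference that lets the switch reject ARP replies or IP packets from a port that do not match the address the DHCP server actually assigned there.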
Slide 43
Common Security Attacks – Cisco Discovery Protocol
• CDP contains information about the device, such as the IP address, software version, platform, capabilities, and the native VLAN.
• When this information is available to an attacker, they can use it to find exploits to attack a network, typically in the form of a Denial of Service (DoS) attack.
• To address this vulnerability, it is recommended that CDP is disabled on devices that do not need to use it.
Slide 44
Common Security Attacks – Cisco Discovery Protocol
Types of Telnet attacks:
1. Brute force password attacks
2. DoS attacks
Protection against brute force attacks:
1. Use strong passwords
2. Change passwords frequently
3. Limit Telnet access to essential personnel
Protection against DoS:
1. Update to the latest version of Cisco IOS
Slide 45
Common Security Attacks –
Network Security Audits help to:
1. Reveal what sorts of information an attacker can gather by monitoring network traffic.
2. Discover incorrectly configured switch ports.
3. Determine the age-out period of MAC address tables.
Network Penetration Testing helps to:
1. Identify weaknesses within the configuration of networking devices.
2. Launch attacks to test a network.
Slide 46
Switch Configuration – Port Security
A simple method to help secure networks from unauthorized access is to disable all unused ports on a network switch.
Navigate to each unused port and issue the Cisco IOS shutdown command.
An alternative way to shut down multiple ports is to use the interface range command.
Slide 47
Switch Configuration – Port Security
• To limit the number of addresses that can be learned on an interface, switches provide a feature called port security.
• The number of MAC addresses per port can be limited to 1.
• The first address dynamically learned by the switch becomes the secure address.
Slide 48
Switch Configuration – Port Security
• Static secure MAC addresses: MAC addresses are manually configured by using the switchport port-security mac-address interface configuration command. MAC addresses configured in this way are stored in the address table and are added to the running configuration on the switch.
• Dynamic secure MAC addresses: MAC addresses are dynamically learned and stored only in the address table. MAC addresses configured in this way are removed when the switch restarts.
• Sticky secure MAC addresses: You can configure a port to dynamically learn MAC addresses and then save these MAC addresses to the running configuration.
Slide 49
• switchport mode access - Sets the interface mode as access; an interface in the default mode (dynamic desirable) cannot be configured as a secure port.
• switchport port-security - Enables port security on the interface.
• switchport port-security maximum 6 - Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 132; the default is 1.
• switchport port-security aging time 5 - Learned addresses are not aged out by default but can be with this command. Value from 1 to 1024 in minutes.
• switchport port-security mac-address 0000.0000.000b - Enter a static secure MAC address for the interface, repeating the command as many times as necessary. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
• switchport port-security mac-address sticky - Enable dynamic (sticky) learning of MAC addresses on the interface.
• switchport port-security violation shutdown - Set the violation mode, the action to be taken when a security violation is detected.
Slide 50
Port Security: Violation
By default, if the maximum number of connections is achieved and a new MAC address attempts to access the port, the switch must take one of the following actions:
• Protect: Frames from the non-allowed address are dropped, but there is no log of the violation. The protect argument is platform or version dependent.
• Restrict: Frames from the non-allowed address are dropped, a log message is created and a Simple Network Management Protocol (SNMP) trap is sent.
• Shut down: If any frames are seen from a non-allowed address, the interface is err-disabled, a log entry is made, an SNMP trap is sent, and manual intervention (no shutdown) or errdisable recovery must be used to make the interface usable again. The port LED is switched off.
Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}
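The address types of slide 48, the commands of slide 49 and the three violation modes of slide 50 combine into one state machine per port. The added Python model below (not from the slides or from Cisco IOS) implements it: a port admits known or newly learned addresses up to its maximum, then applies protect, restrict or shutdown to any further address, and renders the running-config lines that the static and sticky entries would produce. Port names and MAC addresses are constructed. One detail taken from the behaviour described on slide 50 rather than from any command output: protect mode drops silently, so it neither logs nor counts the violation in this model.

```python
"""Added example: a per-port port-security model with static, dynamic and
sticky secure addresses and the protect / restrict / shutdown violation modes."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation: str = "shutdown"   # protect | restrict | shutdown
    sticky: bool = False
    static: set = field(default_factory=set)
    learned: dict = field(default_factory=dict)  # mac -> "static" | "sticky" | "dynamic"
    errdisabled: bool = False
    violations: int = 0
    log: list = field(default_factory=list)

    def __post_init__(self):
        for mac in self.static:  # statically configured addresses count towards the maximum
            self.learned[mac] = "static"

    def receive(self, src_mac):
        """Apply port security to one ingress frame; returns the disposition."""
        if self.errdisabled:
            return "dropped (port err-disabled)"
        if src_mac in self.learned:
            return "allowed"
        if len(self.learned) < self.maximum:
            # First addresses seen become secure addresses; sticky ones persist in config
            self.learned[src_mac] = "sticky" if self.sticky else "dynamic"
            return "allowed (learned)"
        # A new address beyond the maximum is a violation
        if self.violation == "protect":
            return "dropped (protect: no log, no trap)"
        self.violations += 1
        self.log.append(f"%PORT_SECURITY: violation on {self.name} by {src_mac}")
        if self.violation == "restrict":
            return "dropped (restrict: logged, SNMP trap)"
        self.errdisabled = True
        return "dropped (shutdown: port err-disabled)"

    def running_config(self):
        """Lines a 'show running-config' would carry; dynamic addresses never appear."""
        lines = [f"interface {self.name}", " switchport mode access",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac, kind in self.learned.items():
            if kind == "static":
                lines.append(f" switchport port-security mac-address {mac}")
            elif kind == "sticky":
                lines.append(f" switchport port-security mac-address sticky {mac}")
        return lines


def demo():
    """Constructed scenario: each mode sees a second, unexpected MAC on a max-1 port."""
    ports = {m: SecurePort(f"Fa0/{i}", maximum=1, violation=m)
             for i, m in enumerate(("shutdown", "restrict", "protect"), start=1)}
    results = {}
    for mode, p in ports.items():
        results[mode] = [p.receive("0000.0000.000a"), p.receive("0000.0000.000b"),
                         p.receive("0000.0000.000a")]
    sticky = SecurePort("Fa0/4", maximum=2, violation="shutdown", sticky=True)
    sticky.receive("0000.0000.00aa")
    return results, ports, sticky.running_config()


if __name__ == "__main__":
    results, ports, cfg = demo()
    for mode, r in results.items():
        print(mode, r, "violations:", ports[mode].violations)
    print("\n".join(cfg))
```

Note how restrict and protect keep serving the original host after the violation, whereas shutdown takes the whole port down until an administrator (or errdisable recovery) brings it back; that is the operational reason restrict is often preferred on user ports.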
Slide 51
Port Security: Verify
Switch#show port-security
Displays security information for all interfaces.
Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
               (Count)       (Count)      (Count)
---------------------------------------------------------------------------
      Fa5/1             11           11                  0         Shutdown
      Fa5/5             15            5                  0         Restrict
     Fa5/11              5            4                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System: 21
Max Addresses limit in System: 128
Slide 52
Port Security: Verify
Switch#show port-security interface type mod/port
Displays security information for a specific interface.
Switch#show port-security interface fastethernet 5/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses: 11
Total MAC Addresses: 11
Configured MAC Addresses: 3
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0
Slide 53
Port Security: Verify
Switch#show port-security address
Displays MAC address table security information.
Switch#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports    Remaining Age
                                                          (mins)
----    -----------       ----                -----    -------------
   1    0001.0001.0001    SecureDynamic       Fa5/1    15 (I)
   1    0001.0001.0002    SecureDynamic       Fa5/1    15 (I)
   1    0001.0001.1111    SecureConfigured    Fa5/1    16 (I)
   1    0001.0001.1112    SecureConfigured    Fa5/1    -
   1    0001.0001.1113    SecureConfigured    Fa5/1    -
   1    0005.0005.0001    SecureConfigured    Fa5/5    23
   1    0005.0005.0002    SecureConfigured    Fa5/5    23
   1    0005.0005.0003    SecureConfigured    Fa5/5    23
   1    0011.0011.0001    SecureConfigured    Fa5/11   25 (I)
   1    0011.0011.0002    SecureConfigured    Fa5/11   25 (I)
-------------------------------------------------------------------
Total Addresses in System: 10
Max Addresses limit in System: 128
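The show port-security summary on slide 51 is the output an operator would poll across a fleet of switches. The added Python example below (not from the slides or from Cisco) parses that table into records and reviews them for the conditions worth a ticket: a non-zero violation count, a secure address table that is already full (the next new MAC will trigger the configured action), and ports in protect mode, which by the slide 50 description produce no log or trap when a violation happens. The embedded text reproduces the slide's output; the review thresholds are this example's own choices.

```python
"""Added example: parse 'show port-security' output and flag ports that
need attention. The sample text reproduces the table shown on slide 51."""
import re

SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
               (Count)       (Count)      (Count)
---------------------------------------------------------------------------
      Fa5/1             11           11                  0         Shutdown
      Fa5/5             15            5                  0         Restrict
     Fa5/11              5            4                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System: 21
Max Addresses limit in System: 128
"""

ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Shutdown|Restrict|Protect)\s*$")


def parse_port_security(text):
    """Return ([{port, max, current, violations, action}], {used, limit})."""
    ports, totals = [], {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports.append({"port": m.group(1), "max": int(m.group(2)),
                          "current": int(m.group(3)), "violations": int(m.group(4)),
                          "action": m.group(5)})
        elif line.startswith("Total Addresses in System:"):
            totals["used"] = int(line.split(":")[1])
        elif line.startswith("Max Addresses limit in System:"):
            totals["limit"] = int(line.split(":")[1])
    return ports, totals


def review(ports, totals):
    """Operator-facing notes derived from the parsed table."""
    notes = []
    for p in ports:
        if p["violations"] > 0:
            notes.append(f"{p['port']}: {p['violations']} violation(s); action is {p['action']}")
        if p["current"] >= p["max"]:
            notes.append(f"{p['port']}: secure address table full ({p['current']}/{p['max']}); "
                         f"the next new MAC triggers {p['action']}")
        if p["action"] == "Protect":
            notes.append(f"{p['port']}: protect mode drops silently, so violations here "
                         f"will not appear in logs or traps")
    if totals.get("used", 0) >= totals.get("limit", 1):
        notes.append("system-wide secure address limit reached")
    return notes


def demo():
    ports, totals = parse_port_security(SHOW_PORT_SECURITY)
    return ports, totals, review(ports, totals)


if __name__ == "__main__":
    ports, totals, notes = demo()
    print(totals)
    for n in notes:
        print("-", n)
```

The same regex approach extends to the per-interface and address views on slides 52 and 53; the summary view is shown because it is the one a script would poll periodically.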
Slide 54
Chap 2 – Basic Switch Concepts and Configuration - Learning Objectives (as on slide 1)
Slide 55
Any Questions?
Slide 56
Lab Topology - Chapter 2 – Basic Switch Config
(Figure: router Fa0/0 192.168.1.1; switch VLAN 99 192.168.1.2 with ports Fa0/1 (VLAN 99) and Fa0/2; a PC at 192.168.1.10.)