4. CSMA/CD reminder
Shared medium: a physical shared cable or hub.
Ethernet was designed to work with collisions.
Uses carrier sense multiple access with collision detection.
Used only with half duplex communication.
30 Sep 2012 4
5. CSMA/CD reminder
If a device needs to transmit:
It "listens" for signals on the medium.
If it finds signals, it waits. If the medium is clear, it sends.
While transmitting, it carries on listening for traffic or a collision.
If the transmitting devices were not able to detect each other's signals because of latency, a collision occurs.
Stop sending the frame if a collision is detected,
send out a jam signal that notifies the other devices of the collision.
Wait for a random time (backoff algorithm).
Try again: listen for signals etc.
6. No collisions
Fully switched network with full duplex operation = no collisions.
Higher bandwidth Ethernet does not define collisions: it must be fully switched.
Cable length is limited if CSMA/CD is needed.
Fibre optic: always fully switched, full duplex.
(A shared medium must use half duplex in order to detect collisions.)
7. Switch Port Settings
Auto (default for UTP): negotiates half/full duplex with the connected device.
Full: sets full-duplex mode.
Half: sets half-duplex mode.
Auto is fine if both devices are using it.
Potential problem if the switch uses it and the other device does not: the switch defaults to half.
Full at one end and half at the other gives errors.
Command to set duplex mode:
(config-if)#duplex [auto|full|half]
8. mdix auto
The command makes the switch detect whether the cable is straight through or crossover and compensate, so you can use either.
Depends on IOS version:
Enabled by default from 12.2(18)SE on
Disabled from 12.1(14)EA1 to 12.2(18)SE
Not available in earlier versions
9. Communication types reminder
Unicast: one sender to one receiver
e.g. most user traffic: HTTP, FTP, SMTP etc.
Broadcast: one sender to all hosts on the network
e.g. ARP requests.
Multicast: one sender to a group of devices
e.g. routers running EIGRP, a group of hosts using videoconferencing.
Multicast IP addresses have a first octet in the range 224 to 239.
10. Ethernet frame reminder
IEEE 802.3 (Data link layer, MAC sublayer)
Field                       Size              Part of frame
Preamble                    7 bytes           header
Start of frame delimiter    1 byte            header
Destination address         6 bytes           header
Source address              6 bytes           header
Length / type               2 bytes           header
802.2 header and data       46 to 1500 bytes  data
Frame check sequence        4 bytes           trailer
802.2 is the data link layer LLC sublayer.
11. ETHERNET Frame
From the layer 3 PDU to layer 2, which adds the header and trailer used by the Ethernet protocol.
Preamble: for synchronization between the sending and receiving device.
Destination MAC: identifier for the intended recipient.
Source MAC: the frame's originating NIC or interface; used by switches to add to their lookup table.
Length/packet type: exact length of the frame data field, or the type of protocol implemented.
Data and PAD field: encapsulated data from the higher layer.
FCS: uses a CRC to check the data for errors.
12. MAC address
48 bits written as 12 hexadecimal digits. Format varies:
00-05-9A-3C-78-00, 00:05:9A:3C:78:00, or 0005.9A3C.7800.
The MAC address can be permanently encoded into a ROM chip on a NIC: the burned-in address (BIA).
Some manufacturers allow the MAC address to be modified locally.
13. MAC address
Two parts: Organizational Unique Identifier (OUI) and number assigned by manufacturer.
MAC address (48 bits):
OUI (24 bits)                                           Vendor number (24 bits)
1 bit: Broadcast | 1 bit: Local | 22 bits: OUI number   Vendor assigns
Broadcast bit: set if broadcast or multicast.
Local bit: set if the vendor number can be changed.
OUI number: allocated to the vendor by IEEE.
Vendor number: unique identifier for a port on a device.
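As an added illustration (not part of the original slides and not Cisco code), the following Python takes a MAC address in any of the three notations from slide 12 and splits it into the fields of the diagram above: the OUI, the vendor number, the broadcast/multicast (I/G) bit and the local (U/L) bit. The function names and the sample addresses are mine. The last function goes beyond the slide: it applies the standard mapping from an IPv4 multicast group (first octet 224 to 239, slide 9) to its Ethernet multicast MAC, which starts with the fixed prefix 01:00:5e and a group bit that is set.

```python
import re

# Formats accepted, per slide 12: 00-05-9A-3C-78-00, 00:05:9A:3C:78:00
# and 0005.9A3C.7800 are all the same address.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def parse_mac(text):
    """Return the 6 raw bytes of a MAC address written in any of the
    three common notations; raise ValueError for anything else."""
    digits = re.sub(r"[-:.]", "", text.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError("not a 48-bit MAC address: %r" % (text,))
    return bytes.fromhex(digits)


def describe_mac(text):
    """Split a MAC address into the fields shown on the slides."""
    mac = parse_mac(text)
    first = mac[0]
    return {
        "canonical": ":".join("%02x" % b for b in mac),
        "cisco": "%s.%s.%s" % (mac[:2].hex(), mac[2:4].hex(), mac[4:].hex()),
        "oui": mac[:3].hex(),             # first 24 bits: IEEE-allocated OUI block
        "vendor_number": mac[3:].hex(),   # last 24 bits: assigned by the vendor
        # Least significant bit of the first byte (I/G): 1 = group address,
        # i.e. multicast or broadcast.
        "group": bool(first & 0x01),
        "broadcast": mac == b"\xff" * 6,
        # Next bit (U/L): 1 = locally administered, the vendor number was changed.
        "locally_administered": bool(first & 0x02),
    }


def ipv4_multicast_mac(ip):
    """Map an IPv4 multicast group (first octet 224-239) to its Ethernet
    multicast MAC: the fixed prefix 01:00:5e plus the low 23 bits of the IP."""
    a, b, c, d = (int(x) for x in ip.split("."))
    if not 224 <= a <= 239:
        raise ValueError("not an IPv4 multicast address: %r" % (ip,))
    return "01:00:5e:%02x:%02x:%02x" % (b & 0x7F, c, d)


if __name__ == "__main__":
    for form in ("00-05-9A-3C-78-00", "00:05:9A:3C:78:00", "0005.9A3C.7800"):
        print(form, describe_mac(form))
    # 224.0.0.10 is the EIGRP router group mentioned on slide 9.
    print("224.0.0.10 ->", ipv4_multicast_mac("224.0.0.10"))
```

The I/G and U/L bits live in the first byte because Ethernet transmits each byte least significant bit first, so they are the first two bits on the wire; a source address with the group bit set is a sign of a malformed or forged frame, which is why the switch models later on this page never learn one.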
17. Switch MAC Address Table
The switch uses MAC addresses to direct network communications to the appropriate port.
The switch builds its MAC address table of the nodes connected to each port.
Command: #show mac-address-table
Process:
The table matches a switch port with the MAC address of the attached device.
Built by inspecting the source MAC address of incoming frames.
The destination MAC address is checked against the table and the frame is sent through the correct port.
If not in the table, the frame is flooded.
Broadcasts are flooded.
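The learning and forwarding process above, as an added Python model that is not part of the original slides and not Cisco code. The class, its port names and the three hosts in the walkthrough are constructed for the demo; the optional table_size limit is also mine, added so that the effect of a full table (the MAC address flooding attack on slide 56) can be seen: once the table is full, a legitimate new host is never learned and every frame sent to it is flooded out of all other ports.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group(mac):
    """True for broadcast and multicast destinations (I/G bit of first byte set)."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


class Layer2Switch:
    """Toy model of a switch's MAC address table: learn from source
    addresses, forward known unicasts, flood everything else."""

    def __init__(self, ports, table_size=None):
        self.ports = list(ports)
        self.table = {}               # MAC -> port, i.e. show mac-address-table
        self.table_size = table_size  # constructed limit; None = unlimited

    def learn(self, src_mac, in_port):
        # Learn from source addresses only; a group address is never a source.
        if is_group(src_mac):
            return
        if (src_mac in self.table or self.table_size is None
                or len(self.table) < self.table_size):
            self.table[src_mac] = in_port   # add, or refresh, the entry

    def forward(self, src_mac, dst_mac, in_port):
        """Return the list of ports the frame is sent out of."""
        self.learn(src_mac, in_port)
        if is_group(dst_mac) or dst_mac not in self.table:
            # Broadcast/multicast or unknown unicast: flood to all other ports.
            return [p for p in self.ports if p != in_port]
        out_port = self.table[dst_mac]
        # Destination lives on the port the frame arrived on: filter (drop).
        return [] if out_port == in_port else [out_port]

    def show_mac_address_table(self):
        return sorted(self.table.items(), key=lambda entry: entry[1])


def walkthrough(table_size=None):
    """Constructed scenario: hosts A, B, C on fa0/1, fa0/2, fa0/3."""
    A, B, C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    sw = Layer2Switch(["fa0/1", "fa0/2", "fa0/3"], table_size)
    steps = [
        ("A->B unknown", sw.forward(A, B, "fa0/1")),        # flooded, A learned
        ("B->A", sw.forward(B, A, "fa0/2")),                # fa0/1 only, B learned
        ("A->B known", sw.forward(A, B, "fa0/1")),          # fa0/2 only
        ("C broadcast", sw.forward(C, BROADCAST, "fa0/3")), # flooded, C learned if room
        ("A->C", sw.forward(A, C, "fa0/1")),                # fa0/3, or flooded if C unknown
    ]
    return sw, steps


if __name__ == "__main__":
    for limit in (None, 2):
        sw, steps = walkthrough(limit)
        print("table_size =", limit)
        for name, out_ports in steps:
            print("  %-13s -> %s" % (name, out_ports))
        print("  table:", sw.show_mac_address_table())
```

Running it with table_size=2 shows the last step flooding instead of going to fa0/3, which is exactly the traffic exposure that port security (slides 60 to 65) limits by capping how many addresses one port may add.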
18. Collision domain
Shared medium: same collision domain.
Collisions reduce throughput (the average data that is transmitted effectively).
The more devices, the more collisions.
Hub: maybe 60% of bandwidth available.
Switch (+ full duplex): dedicated link each way, 100% bandwidth in each direction.
Collision = bandwidth reduced = affects throughput.
21. Broadcast domains
Layer 2 switches flood broadcasts.
Devices linked by switches are in the same broadcast domain.
(We ignore VLANs here; they come later.)
A layer 3 device (router) splits up broadcast domains: it does not forward broadcasts.
The destination MAC address for a broadcast is all 1s, that is FF:FF:FF:FF:FF:FF.
24. Network Latency
Refers to the time that a packet takes to travel from source to destination.
Sources of latency:
NIC delay: time taken to put the signal on the medium and to interpret it on receipt.
Propagation delay: time spent travelling on the medium.
Latency from intermediate devices, e.g. switch or router. Depends on the number and type of devices.
**** Routers add more latency than switches.
25. Network congestion
Causes:
More powerful PCs can send and process more data at higher rates.
Increasing use of remote resources (servers, Internet) generates more traffic.
More broadcasts, more congestion.
Applications make more use of advanced graphics, video etc. and need more bandwidth.
Splitting collision and broadcast domains helps.
26. Control latency
Choose switches that can process data fast enough for all ports to work simultaneously at full bandwidth.
Use switches rather than routers where possible.
But balance this against the need to split up broadcast domains.
27. Remove bottlenecks
Use a faster link.
Have several links and use link aggregation so that they act as one link with the combined bandwidth.
28. Switch Forwarding Methods
Cisco switches now all use Store and Forward.
Some older switches used Cut Through; it had two variants: Fast Forward and Fragment Free.
Cut through switching acts upon data as soon as it is received.
Store and forward stores data in a buffer until the complete frame has been received.
29. Store and forward
Read the whole frame into a buffer.
Discard any frames that are too short/long.
Perform a cyclic redundancy check (CRC) and discard any frames with errors.
Find the correct port and forward the frame.
Allows QoS checks.
Allows entry and exit at different bandwidths.
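The frame layout from slides 10 and 11 and the store-and-forward checks just listed, as an added Python example that is not part of the original slides and not Cisco code. build_frame assembles a frame from the destination address onward (the NIC strips the preamble and start delimiter, so a switch never sees them) and appends the CRC-32 frame check sequence; check_frame does what a store-and-forward switch does with a complete frame: reject runts (under 64 bytes) and giants (over 1518 bytes), verify the FCS, then read the length/type field. The function names, the size constants and the sample addresses are mine; the CRC-32 and the 64/1518 byte limits are the standard Ethernet values.

```python
import struct
import zlib

MIN_FRAME = 64     # bytes from destination address through FCS; shorter = runt
MAX_FRAME = 1518   # 14-byte header + 1500-byte data + 4-byte FCS; longer = giant
MIN_DATA = 46      # data field is padded up to this


def build_frame(dst, src, length_or_type, data):
    """Assemble an 802.3 / Ethernet II frame without preamble and SFD and
    append the frame check sequence (CRC-32 over everything before it)."""
    if len(data) < MIN_DATA:
        data = data + b"\x00" * (MIN_DATA - len(data))   # PAD field
    body = dst + src + struct.pack("!H", length_or_type) + data
    # On the wire the four FCS bytes carry the CRC least significant byte first.
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return body + fcs


def check_frame(frame):
    """Store-and-forward checks: length limits first, then the FCS, then
    the header fields. Returns (ok, reason, fields)."""
    if len(frame) < MIN_FRAME:
        return False, "runt", None
    if len(frame) > MAX_FRAME:
        return False, "giant", None
    body, fcs = frame[:-4], frame[-4:]
    if struct.unpack("<I", fcs)[0] != (zlib.crc32(body) & 0xFFFFFFFF):
        return False, "fcs error", None
    length_or_type = struct.unpack("!H", body[12:14])[0]
    data = body[14:]
    fields = {"dst": body[:6].hex(), "src": body[6:12].hex(), "data": data}
    if length_or_type <= 1500:
        # 802.3: the field is the length of the 802.2 header plus data.
        if length_or_type > len(data):
            return False, "length field exceeds data", None
        fields["length"] = length_or_type
        fields["data"] = data[:length_or_type]       # strip the PAD
    elif length_or_type >= 0x0600:
        fields["type"] = length_or_type              # Ethernet II EtherType
    else:
        return False, "invalid length/type", None
    return True, "ok", fields


if __name__ == "__main__":
    # Constructed sample: broadcast ARP-type frame from the slide 12 address.
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("00059a3c7800")
    frame = build_frame(dst, src, 0x0806, b"constructed ARP payload")
    print(len(frame), "bytes:", check_frame(frame)[:2])
    damaged = bytearray(frame)
    damaged[20] ^= 0xFF                       # flip one payload byte in transit
    print("damaged:", check_frame(bytes(damaged))[:2])
    print("runt:", check_frame(frame[:40])[:2])
```

A cut-through switch (slides 30 and 31) would have started forwarding the damaged frame after 6 or 64 bytes and could not have caught the bad FCS; only the store-and-forward path has the whole frame in hand when the CRC is computed.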
30. Cut Through - Fast forward
Read the start of the frame as it comes in, as far as the end of the destination MAC address (first 6 bytes after the start delimiter).
Look up the port and start forwarding while the remainder of the frame is still coming in.
No checks or discarding of bad frames.
Entry and exit must be the same bandwidth.
Lowest latency.
31. Cut Through - Fragment Free
Read the start of the frame as it comes in, as far as the end of byte 64.
Look up the port and start forwarding while the remainder of the frame (if any) is still coming in.
May forward corrupt frames.
Does not perform error checking.
Entry and exit must be the same bandwidth.
A compromise between store and forward and cut through.
32. Symmetric and Asymmetric Switching
Symmetric: all ports operate at the same bandwidth.
Asymmetric: different bandwidths used, e.g. a server or uplink has greater bandwidth.
Requires store and forward operation with buffering.
Most switches now are asymmetric to allow flexibility.
33. Memory buffering
Used when the destination port is busy due to congestion; the switch stores the frame until it can be transmitted.
2 types:
Port based
Shared memory
34. Port Based Buffering
Each incoming port has its own queue.
Frames stay in the buffer until the outgoing port is free.
A frame destined for a busy outgoing port can hold up all the others even if their outgoing ports are free.
Each incoming port has a fixed and limited amount of memory.
35. Shared Memory Buffering
All incoming frames go in a common buffer.
The switch maps each frame to its destination port and forwards it when the port is free.
Frames do not hold each other up.
Flexible use of memory allows larger frames.
Important for asymmetric switching, where some ports work faster than others.
36. Layer 2 and Layer 3 Switching
Traditional Ethernet switches work at layer 2.
They use MAC addresses to make forwarding decisions.
They do not look at layer 3 information.
37. Layer 2 and Layer 3 Switching
Layer 3 switches can carry out the same functions as layer 2 switches.
They can also use layer 3 IP addresses to route between networks.
They can control the spread of broadcasts.
38. Switch CLI is similar to router
Switch>enable
Switch#config t
Switch(config)#int fa 0/1
Switch(config-if)#exit
Switch(config)#line con 0
Switch(config-line)#end
Switch#disable
Switch>
39. Cisco Device Manager - alternative to CLI
Built-in web based GUI for managing the switch.
Access via a browser on a PC.
Other GUI options are available but need to be downloaded/bought.
40. Help, history etc.
Help with ? is similar to the router.
Error messages for bad commands: the same.
Command history: as for the router.
Up arrow or Ctrl + P for previous
Down arrow or Ctrl + N for next
Each mode has its own buffer holding 10 commands by default.
41. CISCO IOS History buffer commands
show history: display the contents of the command buffer.
To enable, in either privileged or user exec mode: #terminal history
#terminal history size 50: store or maintain 0 to 256 command lines.
#terminal no history size: reset the history size to the default value.
#terminal no history: disable.
42. Storage and start-up
ROM, Flash, NVRAM, RAM: generally similar to the router.
Boot loader, POST, load IOS from flash, load the configuration file.
Similar idea to the router. Some difference in detail.
The boot loader lets you re-install IOS or recover from password loss.
43. Password recovery (2950)
Hold down mode switch during start-up
flash_init
load_helper
dir flash:
rename flash:config.text flash:config.old
boot
Continue with the configuration dialog? [yes/no] : N
rename flash:config.old flash:config.text
copy flash:config.text system:running-config
Configure new passwords
44. IP address
A switch works without an IP address or any other configuration that you give it.
An IP address lets you access the switch remotely by Telnet, SSH or browser.
The switch needs only one IP address.
It goes on a virtual (VLAN) interface.
VLAN 1 is the default but is not very secure for management.
45. IP address
S1(config)#int vlan 99 (or another VLAN)
S1(config-if)#ip address 192.168.1.2 255.255.255.0
S1(config-if)#no shutdown
S1(config-if)#exit
All very well, but by default all the ports are associated with VLAN 1.
VLAN 99 needs to have a port to use.
46. IP address
S1(config)#int fa 0/18 (or other interface)
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 99
S1(config-if)#exit
S1(config)#
Messages to and from the switch IP address can now pass via port fa 0/18.
Other ports could be added if necessary.
47. Default gateway
S1(config)#ip default-gateway 192.168.1.1
Just like a PC, the switch needs to know the address of its local router to exchange messages with other networks.
Note: global configuration mode.
48. Web based GUI
Includes the Cisco web browser user interface, Cisco Router and Security Device Manager (SDM), IP phone and the Cisco IP telephony service application.
Requires the switch to be configured as an HTTP server:
SW1(config)#ip http server
SW1(config)#ip http authentication enable
(uses the enable secret/password for access)
SW1(config)#ip http authentication local
SW1(config)#username admin password cisco
(log in using this username and password)
49. MAC address table (CAM)
Static: built-in or configured, do not time out.
Dynamic: learned, time out after 300 sec.
Note that the VLAN is included in the table.
50. Set a static address
SW1(config)#mac-address-table static 000c.7671.10b4 vlan 2 interface fa0/6
51. Save configuration
copy run start
copy running-config startup-config
This assumes that running-config is coming from RAM and startup-config is going in NVRAM (the file is actually in flash).
The full version gives the path:
copy system:running-config flash:startup-config
52. Back up
copy startup-config flash:backupJan08
You could go back to this version later if necessary.
copy system:running-config tftp://192.168.1.8/sw1config
copy nvram:startup-config tftp://192.168.1.8/sw1config
(or try copy run tftp and wait for the prompts)
53. Login Passwords
Without service password-encryption:
line con 0
 password cisco
 login
line vty 0 15
 password cisco
 login
With service password-encryption, the saved configuration shows:
service password-encryption
line con 0
 password 7 030752180500
 login
line vty 0 15
 password 7 1511021f0725
 login
54. Banners
banner motd "Shut down 5pm Friday"
banner login "No unauthorised access"
The MOTD banner will show first.
The delimiter can be " or # or any character not in the message.
55. Secure Shell SSH
Similar interface to Telnet.
Encrypts data for transmission.
SW1(config)#line vty 0 15
SW1(config-line)#transport input ssh
Use ssh, telnet, or all if you want both.
The default is telnet.
For SSH you must configure the host name and domain name and generate an RSA key pair.
56. Common security attacks
MAC address flooding: send huge numbers of frames with fake source MAC addresses and fill up the MAC address table. The switch then floods all frames.
DHCP spoofing: a rogue server allocates a fake IP address and default gateway, so all remote traffic is sent to the attacker. (Use the DHCP snooping feature to mark ports as trustworthy or not.)
DHCP starvation attack: the attacker PC continually requests IP addresses from the real DHCP server. This causes all leases on the real DHCP server to be allocated, preventing real users from obtaining an IP address. Can be prevented with the use of DHCP snooping and port security.
57. DHCP snooping
Cisco Catalyst feature that determines which switch ports can respond to DHCP requests.
Ports are identified as trusted and untrusted.
Commands:
ip dhcp snooping: enable DHCP snooping in global config.
ip dhcp snooping vlan [number]: enable DHCP snooping for a specific VLAN.
ip dhcp snooping trust: mark a port as trusted at the interface level; ports without it are untrusted.
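The trusted/untrusted decision described above, as an added Python model that is not part of the original slides and not Cisco code. It applies the core DHCP snooping rules: DHCP server messages (OFFER, ACK, NAK) are only forwarded when they arrive on a trusted port, which stops the rogue server of slide 56; on untrusted ports the client hardware address inside the DHCP message must match the frame's source MAC, which blunts starvation attempts that forge many client addresses from one NIC; and ACKs seen on trusted ports build a binding table that a later RELEASE must match. The class, the message representation (plain dicts) and all port names and addresses are constructed for the demo; a real switch does more (rate limiting, option 82 handling) that this model leaves out.

```python
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class DhcpSnooping:
    """Toy model of DHCP snooping on one switch (constructed for the demo)."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # chaddr -> untrusted port that sent the REQUEST
        self.bindings = {}   # chaddr -> (leased ip, client port), from ACKs

    def inspect(self, in_port, msg):
        """msg is a dict with 'type', 'src_mac' (frame source address),
        'chaddr' (client hardware address in the DHCP header) and, for
        ACK, 'yiaddr' (the leased address). Returns (forward, reason)."""
        trusted = in_port in self.trusted
        kind = msg["type"]
        if kind in SERVER_MESSAGES and not trusted:
            # Only ports facing the real server may answer clients.
            return False, "server message on untrusted port"
        if not trusted and msg["src_mac"] != msg["chaddr"]:
            # A client may only ask for leases under its own address.
            return False, "chaddr does not match source MAC"
        if kind == "REQUEST" and not trusted:
            self.pending[msg["chaddr"]] = in_port
        elif kind == "ACK" and msg["chaddr"] in self.pending:
            port = self.pending.pop(msg["chaddr"])
            self.bindings[msg["chaddr"]] = (msg["yiaddr"], port)
        elif kind == "RELEASE" and not trusted:
            bound = self.bindings.get(msg["chaddr"])
            if bound is not None and bound[1] != in_port:
                # Someone else trying to release a lease they do not hold.
                return False, "release from a port other than the binding's"
            self.bindings.pop(msg["chaddr"], None)
        return True, "ok"


if __name__ == "__main__":
    # Constructed exchange: real server on gi0/1, client on fa0/5, rogue on fa0/6.
    snoop = DhcpSnooping(["gi0/1"])
    client = "00:00:00:00:00:0a"
    server = "00:00:00:00:00:55"
    print(snoop.inspect("fa0/5", {"type": "DISCOVER", "src_mac": client, "chaddr": client}))
    print(snoop.inspect("fa0/6", {"type": "OFFER", "src_mac": "00:00:00:00:00:bb",
                                  "chaddr": client, "yiaddr": "192.168.1.50"}))
    print(snoop.inspect("gi0/1", {"type": "OFFER", "src_mac": server,
                                  "chaddr": client, "yiaddr": "192.168.1.50"}))
    print(snoop.inspect("fa0/5", {"type": "REQUEST", "src_mac": client, "chaddr": client}))
    print(snoop.inspect("gi0/1", {"type": "ACK", "src_mac": server,
                                  "chaddr": client, "yiaddr": "192.168.1.50"}))
    print("bindings:", snoop.bindings)
```

The binding table is the part worth keeping an eye on operationally: it is what the switch consults for every later check, so a port whose bindings never appear, or a server port that is not marked trusted, shows up quickly as clients failing to get leases rather than as a silent security gap.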
58. Cisco Discovery Protocol
CDP is enabled by default.
Switch it off unless it is really needed.
CDP attacks: CDP is unauthenticated, so an attacker could craft bogus packets.
It is a security risk. Frames could be captured using Wireshark (or the older Ethereal).
Telnet attacks:
Configure it with a secure password.
59. More security
Use strong passwords.
Even these can be found in time, so change them regularly.
Using access control lists (semester 4) you can control which devices are able to access the vty lines.
Network security tools for audits and penetration testing.
60. Port security
Configure each port to accept:
One MAC address only
A small group of MAC addresses
Frames from other MAC addresses are not forwarded.
By default, the port will shut down if the wrong device connects. It has to be brought up again manually.
61. Static secure MAC address
Static secure MAC addresses:
Manually configured in interface config mode:
SW1(config)#interface fa 0/4
SW1(config-if)#switchport port-security mac-address 000c.7259.0a63
Stored in the MAC address table.
In the running configuration.
Can be saved with the rest of the configuration.
62. Dynamic secure MAC address
Learned dynamically.
Default: learn one address.
Put in the MAC address table.
Not in the running configuration.
Not saved, not there when the switch restarts.
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security
63. Sticky secure MAC address
Dynamically learned.
Choose how many can be learned, default 1.
Put in the running configuration.
Saved if you save the running configuration and still there when the switch restarts.
Existing dynamic address(es) will convert to sticky if you enable sticky learning.
65. Violation modes
A violation occurs if a device with the wrong MAC address attempts to connect.
Shutdown mode is the default.
Protect mode just prevents traffic.
Restrict mode sends an error message to network management software.
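Slides 60 to 65 together, as an added Python model of port security on one access port; it is not part of the original slides and not Cisco code. The class, its method names and the sample addresses are mine. It covers the three kinds of secure address (static, dynamic, sticky), the maximum count, what survives a restart, the conversion of dynamic addresses to sticky when sticky learning is switched on, and the three violation modes: shutdown puts the port into err-disabled until it is brought up manually, restrict drops the frame and raises a notification, protect drops it silently. One assumption is mine: that, as on Cisco switches, protect mode does not count violations while restrict and shutdown do.

```python
class SecurePort:
    """Toy model of switchport port-security on one access port.
    violation is one of "shutdown" (default), "protect" or "restrict"."""

    def __init__(self, name, maximum=1, violation="shutdown", sticky=False, static=()):
        if violation not in ("shutdown", "protect", "restrict"):
            raise ValueError("unknown violation mode %r" % (violation,))
        self.name = name
        self.maximum = maximum          # how many secure addresses the port may hold
        self.violation = violation
        self.sticky = sticky
        self.secure_macs = {}           # MAC -> "static" | "dynamic" | "sticky"
        for mac in static:
            self.secure_macs[mac] = "static"
        self.err_disabled = False
        self.violation_count = 0
        self.notifications = []         # what restrict/shutdown would report

    def receive(self, src_mac):
        """Process a frame's source MAC; return True if it is forwarded."""
        if self.err_disabled:
            return False                # port is down: nothing passes
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            # Room left: learn the address as sticky or dynamic.
            self.secure_macs[src_mac] = "sticky" if self.sticky else "dynamic"
            return True
        if self.violation == "shutdown":
            self.violation_count += 1
            self.err_disabled = True    # stays down until no shutdown
            self.notifications.append("%s err-disabled: violation by %s" % (self.name, src_mac))
        elif self.violation == "restrict":
            self.violation_count += 1
            self.notifications.append("%s violation by %s" % (self.name, src_mac))
        # protect: drop silently, no count, no message
        return False

    def no_shutdown(self):
        """Manual recovery after a shutdown-mode violation."""
        self.err_disabled = False

    def enable_sticky(self):
        """Turn on sticky learning; existing dynamic addresses convert."""
        self.sticky = True
        for mac in list(self.secure_macs):
            if self.secure_macs[mac] == "dynamic":
                self.secure_macs[mac] = "sticky"

    def reload(self):
        """Restart with the configuration saved: dynamic addresses are lost,
        static and sticky ones come back, and the port comes up again."""
        self.secure_macs = {m: k for m, k in self.secure_macs.items() if k != "dynamic"}
        self.err_disabled = False

    def running_config(self):
        """The interface section as it would appear in running-config."""
        lines = ["interface %s" % self.name,
                 " switchport mode access",
                 " switchport port-security",
                 " switchport port-security maximum %d" % self.maximum,
                 " switchport port-security violation %s" % self.violation]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac, kind in sorted(self.secure_macs.items()):
            if kind == "static":
                lines.append(" switchport port-security mac-address %s" % mac)
            elif kind == "sticky":
                lines.append(" switchport port-security mac-address sticky %s" % mac)
        return lines


if __name__ == "__main__":
    port = SecurePort("fa0/4")                      # default: max 1, shutdown
    print(port.receive("000c.7259.0a63"))           # True, learned
    print(port.receive("000c.0000.bad1"))           # False, port err-disabled
    print(port.notifications, port.err_disabled)
    port.no_shutdown()
    port.enable_sticky()
    print("\n".join(port.running_config()))
```

Because the maximum caps how many addresses a single port can place in the MAC address table, it is also the per-port control against the MAC address flooding attack of slide 56: the flood of fake source addresses triggers a violation instead of filling the table.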
66. Check port security
show port-security int fa 0/4
to see the settings on a particular port
show port-security address
to see the table of secure MAC addresses
If you don't need to use a port:
shutdown
67. Interface range
Switch(config)#interface range fa0/1 - 20
Switch(config-if-range)#
A useful command if you want to put the same configuration on several interfaces.
68. The End
Switches.ppt 30/09/12 S Ward Abingdon and Witney College