Switches
CCNA Exploration Semester 3
Chapter 2
Warning – horribly long!

30 Sep 2012                                  1
Topics
 Operation of 100/1000 Mbps Ethernet
 Switches and how they forward frames

 Configure a switch

 Basic security on a switch




Semester 3
 LAN Design
 Basic Switch Concepts
 Wireless
 VLANs
 STP
 VTP
 Inter-VLAN routing

CSMA/CD reminder
 Shared medium – physical shared cable or hub.
 Ethernet was designed to work with collisions.
 Uses carrier sense multiple access with collision detection (CSMA/CD).
 Used only with half duplex communication.

CSMA/CD reminder
If a device needs to transmit:
 It “listens” for signals on the medium.
 If it finds signals, it waits. If the medium is clear, it sends.
 While transmitting, it carries on listening for traffic or a collision.
 If the transmitting devices were not able to detect each other's signals in time (because of latency), a collision occurs.
  Stop sending the frame if a collision is detected,
  send out a jam signal that notifies the other devices of the collision,
  wait for a random time (backoff algorithm),
  try again – listen for signals etc.

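To make the listen, send, collide and back off sequence above concrete, here is a small Python simulation added as an example; it is not from the original slides. It assumes the standard 802.3 truncated binary exponential backoff (after the k-th collision a station waits a random number of slot times between 0 and 2^min(k,10) - 1 and discards the frame after 16 collisions); the station names and the seeded random generator are constructed for the run.

```python
import random

MAX_ATTEMPTS = 16     # 802.3: a frame is discarded after 16 collisions in a row
MAX_BACKOFF_EXP = 10  # the contention window stops growing at 2**10 slot times


def backoff_window(collisions):
    """Size of the random backoff range after `collisions` consecutive collisions.

    Truncated binary exponential backoff: the station picks a delay in
    [0, 2**min(k, 10) - 1] slot times. Returns None once the attempt limit
    is reached, which means the frame is dropped.
    """
    if collisions >= MAX_ATTEMPTS:
        return None
    return 2 ** min(collisions, MAX_BACKOFF_EXP)


def simulate_contention(stations, seed=1):
    """Simulate stations on one shared half-duplex segment, one frame each.

    Each loop iteration is one slot time. A station whose backoff has expired
    senses the medium idle and transmits. Exactly one transmitter succeeds;
    two or more collide, send a jam, bump their collision counter and draw a
    new backoff. Returns (order_of_success, collision_count, dropped).
    """
    rng = random.Random(seed)               # seeded so the run is reproducible
    waiting = {s: 0 for s in stations}      # station -> slots still to wait
    collisions = {s: 0 for s in stations}   # station -> collisions so far
    done, dropped, total_collisions = [], [], 0

    while waiting:
        ready = [s for s, w in waiting.items() if w == 0]
        others = [s for s in waiting if s not in ready]
        if len(ready) == 1:                 # medium clear for this station
            done.append(ready[0])
            del waiting[ready[0]]
        elif len(ready) > 1:                # collision detected while sending
            total_collisions += 1
            for s in ready:
                collisions[s] += 1
                window = backoff_window(collisions[s])
                if window is None:
                    dropped.append(s)       # too many retries, frame discarded
                    del waiting[s]
                else:
                    waiting[s] = rng.randrange(window)
        for s in others:                    # everyone else keeps counting down
            waiting[s] -= 1
    return done, total_collisions, dropped


if __name__ == "__main__":
    order, count, lost = simulate_contention(["A", "B", "C"], seed=7)
    print(f"sent in order {order} after {count} collision(s); dropped: {lost}")
```

Three stations that all start with a frame always collide in the first slot, which is the situation the slide describes; the growing window is what lets them separate afterwards.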
No collisions
    Fully switched network with full duplex operation = no
     collisions.
    Higher bandwidth Ethernet does not define collisions –
     must be fully switched.
    Cable length limited if CSMA/CD needed.
    Fibre optic – always fully switched, full duplex.
    (Shared medium must use half duplex in order to detect
     collisions.)




Switch Port Settings
    Auto (default for UTP) - negotiates half/full duplex with
     connected device.
    Full – sets full-duplex mode
    Half - sets half-duplex mode
    Auto is fine if both devices are using it.
     Potential problem if switch uses it and other device does
     not. Switch defaults to half.
    Full one end and half the other – errors.
    Command to set duplex mode:
      (config-if)#duplex [auto|full|half]



mdix auto
    Command makes switch detect whether cable is straight
     through or crossover and compensate so you can use
     either.
    Depends on IOS version
    Enabled by default from 12.2(18)SE on
    Disabled from 12.1(14)EA1 to 12.2(18)SE
    Not available in earlier versions




Communication types reminder
 Unicast – one sender to one receiver
  e.g. most user traffic: http, ftp, smtp etc.
 Broadcast – one sender to all hosts on the network
  e.g. ARP requests.
 Multicast – one sender to a group of devices
  e.g. routers running EIGRP, group of hosts using videoconferencing.
  IP addresses have first octet in range 224 – 239.

Ethernet frame reminder
IEEE 802.3 (Data link layer, MAC sublayer)

 Field                      Size          Part of frame
 Preamble                   7 bytes       header
 Start of frame delimiter   1 byte        header
 Destination address        6 bytes       header
 Source address             6 bytes       header
 Length / type              2 bytes       header
 802.2 header and data      46 to 1500    data
 Frame check sequence       4 bytes       trailer

 802.2 is the data link layer LLC sublayer.

ETHERNET Frame
 From the layer 3 PDU to layer 2, which adds the header and trailer used by the Ethernet protocol
  Preamble: for synchronization between sending and receiving device
  Destination MAC: identifier for the intended recipient
  Source MAC: the frame's originating NIC or interface; used by switches to build their lookup table
  Length/packet type: exact length of the frame data field, or the type of protocol implemented
  Data and PAD field: encapsulated data from the higher layer
  FCS: uses a CRC to check for data errors

MAC address
   48-bits written as 12 hexadecimal digits. Format varies:
    00-05-9A-3C-78-00, 00:05:9A:3C:78:00, or
    0005.9A3C.7800.
   MAC address can be permanently encoded into a ROM
    chip on a NIC - burned in address (BIA).
   Some manufacturers allow the MAC address to be
    modified locally.




MAC address
 Two parts: Organizational Unique Identifier (OUI) and number assigned by manufacturer.

                     MAC address (48 bits)
   OUI (24 bits)                         Vendor number (24 bits)
   1 bit       1 bit     22 bits         24 bits
   Broadcast   Local     OUI number      Vendor assigns

 Broadcast bit – set if broadcast or multicast
 Local bit – set if vendor number can be changed
 OUI number – allocated to vendor by IEEE
 Vendor number – unique identifier for port on device

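An added example (not part of the slides) that parses a MAC address in any of the three written forms from the earlier slide and pulls out the fields of the diagram above: the OUI, the vendor number, the broadcast/multicast (I/G) bit and the local (U/L) bit. The bit masks follow the IEEE convention that these two flags are the two least significant bits of the first octet, which is the octet sent first on the wire; the sample addresses used in the demonstration are constructed.

```python
import re

# Flag bits within the first octet (the octet that goes on the wire first;
# the least significant bit of that octet is the first bit transmitted).
IG_BIT = 0x01   # Individual/Group: 1 = broadcast or multicast destination
UL_BIT = 0x02   # Universal/Local: 1 = locally administered (vendor number changed)


def parse_mac(text):
    """Accept 00-05-9A-3C-78-00, 00:05:9A:3C:78:00 or 0005.9A3C.7800 and
    return the six raw bytes. Anything else raises ValueError."""
    digits = re.sub(r"[-:.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def describe_mac(text):
    """Split a MAC into OUI and vendor number and decode the two flag bits.

    The OUI is reported as the full first 24 bits; the two flag bits live
    inside it, which is why the diagram shows 1 + 1 + 22 bits.
    """
    mac = parse_mac(text)
    first = mac[0]
    group = bool(first & IG_BIT)
    broadcast = mac == b"\xff" * 6
    return {
        "canonical": ":".join(f"{b:02X}" for b in mac),
        "oui": mac[:3].hex().upper(),            # 24 bits allocated by the IEEE
        "vendor_number": mac[3:].hex().upper(),  # 24 bits assigned by the vendor
        "group": group,
        "locally_administered": bool(first & UL_BIT),
        "kind": "broadcast" if broadcast else ("multicast" if group else "unicast"),
    }


if __name__ == "__main__":
    # constructed sample addresses: the slide's example, the broadcast address,
    # an IP multicast group address and a locally administered address
    for sample in ("0005.9A3C.7800", "FF:FF:FF:FF:FF:FF",
                   "01-00-5E-00-00-09", "02:00:00:00:00:01"):
        print(describe_mac(sample))
```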
Switch MAC Address Table
 Switch uses the MAC address to direct network communications to the appropriate port
 Switch builds its MAC address table of the nodes connected to each port
  command: #show mac-address-table
Process:
  Table matches switch port with MAC address of attached device
  Built by inspecting source MAC address of incoming frames
  Destination MAC address checked against table, frame sent through correct port
  If not in table, frame flooded
  Broadcasts flooded

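A working model of the learning and forwarding process, added here as an example and not code from the slides. It keeps the VLAN in each entry and ages dynamic entries out after 300 seconds, as the later CAM table slide states, and it ignores VLAN membership when flooding (the slides defer VLANs). The `MacAddressTable` class, its port names and the `now` timestamps are constructed for the demonstration.

```python
BROADCAST = "FF:FF:FF:FF:FF:FF"
AGING_SECONDS = 300   # default timeout for dynamic entries


class MacAddressTable:
    """Learn source MACs per VLAN, forward known unicasts, flood the rest.

    Entries are keyed by (vlan, mac). Dynamic entries are refreshed every time
    the address is seen as a source and age out after AGING_SECONDS; static
    entries never age. Flooding here sends to every other port on the switch
    (VLAN membership of ports is ignored, as the slides do at this stage).
    """

    def __init__(self, ports, aging=AGING_SECONDS):
        self.ports = list(ports)
        self.aging = aging
        self.entries = {}   # (vlan, mac) -> {"port", "static", "seen"}

    def add_static(self, vlan, mac, port):
        self.entries[(vlan, mac.upper())] = {"port": port, "static": True, "seen": None}

    def age_out(self, now):
        """Drop dynamic entries not refreshed within the aging time."""
        expired = [k for k, e in self.entries.items()
                   if not e["static"] and now - e["seen"] > self.aging]
        for k in expired:
            del self.entries[k]
        return expired

    def forward(self, vlan, src, dst, in_port, now):
        """Process one frame: learn src on in_port, return the egress ports."""
        self.age_out(now)
        src, dst = src.upper(), dst.upper()
        key = (vlan, src)
        if key not in self.entries or not self.entries[key]["static"]:
            self.entries[key] = {"port": in_port, "static": False, "seen": now}
        entry = self.entries.get((vlan, dst))
        is_group = int(dst[:2], 16) & 1     # I/G bit: broadcast or multicast
        if dst == BROADCAST or is_group or entry is None:
            return [p for p in self.ports if p != in_port]   # flood
        if entry["port"] == in_port:
            return []   # destination sits on the ingress port: frame filtered
        return [entry["port"]]

    def show(self):
        """Rows in the spirit of `show mac-address-table`."""
        return sorted((vlan, mac, "STATIC" if e["static"] else "DYNAMIC", e["port"])
                      for (vlan, mac), e in self.entries.items())


if __name__ == "__main__":
    # constructed traffic: host A on Fa0/1 broadcasts, host B on Fa0/2 replies
    table = MacAddressTable(["Fa0/1", "Fa0/2", "Fa0/3"])
    print(table.forward(1, "00:05:9A:3C:78:00", BROADCAST, "Fa0/1", now=0))
    print(table.forward(1, "00:05:9A:3C:78:01", "00:05:9A:3C:78:00", "Fa0/2", now=10))
    print(table.show())
```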
Collision domain

 Shared medium – same collision domain.
 Collisions reduce throughput (average data that is transmitted effectively)
 The more devices – the more collisions
 Hub – maybe 60% of bandwidth available

 Switch (+ full duplex) dedicated link each way, 100% bandwidth in each direction
 Collision = bandwidth reduced = affects throughput

How many collision domains?
 11

Broadcast domains
 Layer 2 switches flood broadcasts.
 Devices linked by switches are in the same broadcast domain.
 (We ignore VLANs here – they come later.)
 A layer 3 device (router) splits up broadcast domains, does not forward broadcasts
 Destination MAC address for broadcast is all 1s, that is FF:FF:FF:FF:FF:FF

How many broadcast domains?
 (No VLANs)

Network Latency
 Refers to the time that a packet takes to travel from source to destination
Sources of latency
 NIC delay – time taken to put the signal on the medium and to interpret it on receipt.
 Propagation delay – time spent travelling on the medium
 Latency from intermediate devices e.g. switch or router. Depends on number and type of devices.
 **** Routers add more latency than switches.

Network congestion
Causes:
 More powerful PCs can send and process more
  data at higher rates.
 Increasing use of remote resources (servers,
  Internet) generates more traffic.
 More broadcasts, more congestion.

 Applications make more use of advanced
  graphics, video etc. Need more bandwidth.
 Splitting collision and broadcast domains helps.
Control latency
 Choose switches that can process data fast enough for all ports to work simultaneously at full bandwidth.
 Use switches rather than routers where possible.
 But – balance this against need to split up broadcast domains.

Remove bottlenecks
 Use a faster link.
 Have several links and use link aggregation so that they act as one link with the combined bandwidth.

Switch Forwarding Methods
 Cisco switches now all use Store and Forward
 Some older switches used Cut Through – it had two variants: Fast Forward and Fragment Free
  Cut through switching acts upon data as soon as it is received
  Store and forward stores data in a buffer until the complete frame has been received.

Store and forward
 Read whole frame into buffer
 Discard any frames that are too short/long
 Perform cyclic redundancy check (CRC) and discard any frames with errors
 Find correct port and forward frame.
 Allows QoS checks
 Allows entry and exit at different bandwidths

Cut Through - Fast forward
 Read start of frame as it comes in, as far as end of destination MAC address (first 6 bytes after start delimiter)
 Look up port and start forwarding while remainder of frame is still coming in.
 No checks or discarding of bad frames
 Entry and exit must be same bandwidth
 Lowest latency

Cut Through – Fragment Free
 Read start of frame as it comes in, as far as end of byte 64
 Look up port and start forwarding while remainder of frame (if any) is still coming in.
 May forward corrupt frames
 Does not perform error checking
 Entry and exit must be same bandwidth
 Compromise between store and forward and cut through

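The difference between the three methods comes down to how many bytes the switch has examined when it decides, which this added Python example (not from the slides) makes explicit: it builds a frame with the layout from the Ethernet frame slides, runs the store-and-forward length and CRC checks, and reports for each method whether a corrupt frame would be forwarded. It assumes the FCS is the CRC-32 that `zlib.crc32` computes, appended least significant byte first; the frames it builds are constructed test data.

```python
import struct
import zlib

MIN_FRAME = 64       # bytes including FCS; anything shorter is a runt
MAX_FRAME = 1518     # 14-byte header + 1500 bytes of data + 4-byte FCS
MIN_DATA = 46


def fcs(body):
    """Frame check sequence: CRC-32 (IEEE 802.3 polynomial, the one
    zlib.crc32 uses), appended least significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst, src, length_or_type, data):
    """Construct a frame for testing: pad data to 46 bytes, append the FCS.
    The preamble and start delimiter are not part of the stored frame."""
    data = data + b"\x00" * max(0, MIN_DATA - len(data))
    body = dst + src + struct.pack("!H", length_or_type) + data
    return body + fcs(body)


def _fmt(mac):
    return ":".join(f"{b:02X}" for b in mac)


def parse_header(frame):
    """Destination, source and the 2-byte field that is a length in 802.3
    (<= 1500) or an EtherType in Ethernet II (>= 0x0600)."""
    value = struct.unpack("!H", frame[12:14])[0]
    field = "length" if value <= 1500 else "type" if value >= 0x0600 else "undefined"
    return {"dst": _fmt(frame[:6]), "src": _fmt(frame[6:12]), "value": value, "field": field}


def check_frame(frame):
    """The store-and-forward checks, in the order the slides list them."""
    if len(frame) < MIN_FRAME:
        return False, "runt"
    if len(frame) > MAX_FRAME:
        return False, "giant"
    if fcs(frame[:-4]) != frame[-4:]:
        return False, "crc error"
    return True, "ok"


def would_forward(frame, method):
    """(bytes examined before the forwarding decision, frame forwarded?).

    fast-forward looks only at the destination MAC, fragment-free at the
    first 64 bytes (so collision fragments are dropped), store-and-forward
    at the whole frame including the FCS. Only the last one catches a bad CRC.
    """
    if method == "fast-forward":
        return 6, len(frame) >= 6
    if method == "fragment-free":
        return MIN_FRAME, len(frame) >= MIN_FRAME
    if method == "store-and-forward":
        return len(frame), check_frame(frame)[0]
    raise ValueError(f"unknown method {method!r}")


if __name__ == "__main__":
    # constructed frame: broadcast destination, the slide's MAC as source, IPv4 type
    frame = build_frame(bytes.fromhex("FFFFFFFFFFFF"), bytes.fromhex("00059A3C7800"),
                        0x0800, b"constructed payload")
    corrupt = bytearray(frame)
    corrupt[20] ^= 0xFF                       # flip one data byte in transit
    for method in ("fast-forward", "fragment-free", "store-and-forward"):
        print(method, would_forward(bytes(corrupt), method))
```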
Symmetric and Asymmetric Switching
 Symmetric – all ports operate at same bandwidth
 Asymmetric – different bandwidths used, e.g. server or uplink has greater bandwidth
  Requires store and forward operation with buffering.
  Most switches now are asymmetric to allow flexibility.

Memory buffering
 Used when destination port is busy due to congestion and switch stores frame until it can be transmitted
 2 types:
  Port based
  Shared memory

Port Based Buffering
 Each incoming port has its own queue.
 Frames stay in buffer until outgoing port is free.
 Frame destined for busy outgoing port can hold up all the others even if their outgoing ports are free.
 Each incoming port has a fixed and limited amount of memory.

Shared Memory Buffering
 All incoming frames go in a common buffer.
 Switch maps frame to destination port and forwards it when port is free.
 Frames do not hold each other up.
 Flexible use of memory allows larger frames.
 Important for asymmetric switching where some ports work faster than others.

Layer 2 and Layer 3 Switching
Traditional Ethernet switches work at layer 2. They use MAC addresses to make forwarding decisions. They do not look at layer 3 information.

Layer 2 and Layer 3 Switching
Layer 3 switches can carry out the same functions as layer 2 switches. They can also use layer 3 IP addresses to route between networks. They can control the spread of broadcasts.

Switch CLI is similar to router
 Switch>enable
 Switch#config t
 Switch(config)#int fa 0/1
 Switch(config-if)#exit
 Switch(config)#line con 0
 Switch(config-line)#end
 Switch#disable
 Switch>

Cisco Device Manager – alternative to CLI
 Built-in web based GUI for managing the switch.
 Access via a browser on a PC.

 Other GUI options available but need to be downloaded/bought.

Help, history etc.
 Help with ? is similar to the router.
 Error messages for bad commands – same.
 Command history – as for router.
 Up arrow or Ctrl + P for previous
 Down arrow or Ctrl + N for next
 Each mode has its own buffer holding 10 commands by default.

CISCO IOS History buffer commands
 show history – display the contents of the command buffer
 To enable, in either privileged or user exec mode: #terminal history
 #terminal history size 50 – set the buffer size; it can store 0 to 256 command lines
 #terminal no history size – reset history size to the default value
 #terminal no history – disable

Storage and start-up
 ROM, Flash, NVRAM, RAM generally similar to router.
 Boot loader, POST, load IOS from flash, load configuration file.
 Similar idea to router. Some difference in detail.
 Boot loader lets you re-install IOS or recover from password loss.

Password recovery (2950)
    Hold down mode switch during start-up
    flash_init
    load_helper
    dir flash:
    rename flash:config.text flash:config.old
    boot
    Continue with the configuration dialog? [yes/no] : N
    rename flash:config.old flash:config.text
    copy flash:config.text system:running-config
    Configure new passwords
    30 Sep 2012        S Ward Abingdon and Witney College   43
IP address
 A switch works without an IP address or any other configuration that you give it.
 IP address lets you access the switch remotely by Telnet, SSH or browser.
 Switch needs only one IP address.
 It goes on a virtual (VLAN) interface.
 VLAN 1 is the default but is not very secure for management.

IP address
 S1(config)#int vlan 99 (or another VLAN)
 S1(config-if)#ip address 192.168.1.2 255.255.255.0
 S1(config-if)#no shutdown
 S1(config-if)#exit
 All very well, but by default all the ports are associated with VLAN 1.
 VLAN 99 needs to have a port to use.

IP address
 S1(config)#int fa 0/18 (or other interface)
 S1(config-if)#switchport mode access

 S1(config-if)#switchport access vlan 99

 S1(config-if)#exit

 S1(config)#

 Messages to and from the switch IP address
  can pass via port fa 0/18.
 Other ports could be added if necessary.

Default gateway
 S1(config)#ip default-gateway 192.168.1.1
 Just like a PC, the switch needs to know the address of its local router to exchange messages with other networks.
 Note global configuration mode.

Web based GUI
 Includes the Cisco web browser user interface, Cisco router SDM, IP phone and Cisco IP telephony service application
 Requires the switch to be configured as an HTTP server:
  SW1(config)#ip http server
  SW1(config)#ip http authentication enable
   (uses enable secret/password for access)
  SW1(config)#ip http authentication local
  SW1(config)#username admin password cisco
   (log in using this username and password)

MAC address table (CAM)
 Static: built-in or configured, do not time out.
 Dynamic: learned, time out after 300 sec.
 Note that VLAN is included in table.

Set a static address
 SW1(config)#mac-address-table   static
  000c.7671.10b4 vlan 2 interface fa0/6




Save configuration
 copy run start
 copy running-config startup-config

 This assumes that running-config is coming from RAM and startup-config is going in NVRAM (file is actually in flash).
 Full version gives path.
 copy system:running-config flash:startup-config

Back up
 copy   startup-config flash:backupJan08
 You could go back to this version later if
  necessary.
 copy system:running-config
  tftp://192.168.1.8/sw1config
 copy nvram:startup-config
  tftp://192.168.1.8/sw1config
 (or try copy run tftp and wait for prompts)

Login Passwords
 Plain text passwords:
  line con 0
   password cisco
   login
  line vty 0 15
   password cisco
   login

 After service password-encryption:
  service password-encryption
  line con 0
   password 7 030752180500
   login
  line vty 0 15
   password 7 1511021f0725
   login

Banners
 banner  motd “Shut down 5pm Friday”
 banner login “No unauthorised access”

 Motd will show first.

 Delimiter can be “ or # or any character not in
  message.




Secure Shell SSH
 Similar interface to Telnet.
 Encrypts data for transmission.
 SW1(config)#line vty 0 15
 SW1(config-line)#transport input ssh
 Use transport input ssh, telnet or all if you want both.
 Default is telnet.
 For SSH you must configure the host name and domain name and generate an RSA key pair.

Common security attacks
 MAC Address Flooding: send huge numbers of frames with fake source MAC addresses and fill up the MAC address table. The switch then floods all frames.
 DHCP spoofing: a rogue server allocates a fake IP address and default gateway, so all remote traffic is sent to the attacker. (Use the DHCP snooping feature to mark ports as trustworthy or not.)
  DHCP starvation attack: the attacker's PC continually requests IP addresses from the real DHCP server.
   Causes all leases on the real DHCP server to be allocated, preventing real users from obtaining an IP address.
   Can be prevented with the use of DHCP snooping and port security.

DHCP snooping
 Cisco Catalyst feature that determines which switch ports can respond to DHCP requests.
 Ports are identified as trusted and untrusted.

 Commands:
  ip dhcp snooping – enable DHCP snooping, in global config
  ip dhcp snooping vlan [number] – enable DHCP snooping for a specific VLAN
  ip dhcp snooping trust – define a port as trusted at the interface level (ports are untrusted by default)

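To show what those three commands change in the switch's behaviour, here is an added Python model of the DHCP snooping decisions (example code, not Cisco's implementation and not from the slides). It assumes the documented behaviour of the feature: server replies (OFFER, ACK, NAK) are dropped on untrusted ports, client requests on untrusted ports are dropped when the DHCP client hardware address does not match the frame's source MAC (the verify mac-address check, which is on by default), and completed leases are recorded in a binding table. The packet dictionaries, port names and addresses are constructed.

```python
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE"}


class DhcpSnooping:
    """Model of the DHCP snooping decisions on one switch.

    Server replies are only accepted on trusted ports, client requests on
    untrusted ports must carry a chaddr that matches the source MAC, and every
    completed lease on a snooped VLAN is recorded in a binding table.
    """

    def __init__(self):
        self.enabled_vlans = set()   # ip dhcp snooping vlan <number>
        self.trusted = set()         # ip dhcp snooping trust (on the interface)
        self.bindings = {}           # client mac -> (ip address, vlan, port)
        self.dropped = []            # (port, message type, reason)
        self._client_port = {}       # which port each client asked from

    def enable_vlan(self, vlan):
        self.enabled_vlans.add(vlan)

    def trust(self, port):
        self.trusted.add(port)

    def process(self, pkt):
        """pkt: constructed dict with vlan, port, src_mac, msg, chaddr and,
        for OFFER/ACK, yiaddr (the address handed out). Returns 'forward'
        or 'drop'."""
        if pkt["vlan"] not in self.enabled_vlans:
            return "forward"        # snooping not enabled here: nothing inspected
        untrusted = pkt["port"] not in self.trusted
        if pkt["msg"] in SERVER_MESSAGES and untrusted:
            # a rogue server on an access port: its OFFER/ACK never reaches clients
            self.dropped.append((pkt["port"], pkt["msg"], "server message on untrusted port"))
            return "drop"
        if pkt["msg"] in CLIENT_MESSAGES:
            if untrusted and pkt["src_mac"] != pkt["chaddr"]:
                # forged client hardware addresses are what a starvation attempt relies on
                self.dropped.append((pkt["port"], pkt["msg"], "chaddr does not match source MAC"))
                return "drop"
            self._client_port[pkt["chaddr"]] = pkt["port"]
        if pkt["msg"] == "ACK":
            self.bindings[pkt["chaddr"]] = (
                pkt["yiaddr"], pkt["vlan"], self._client_port.get(pkt["chaddr"]))
        return "forward"


if __name__ == "__main__":
    # constructed exchange: client on Fa0/3, real server behind trusted uplink Fa0/24,
    # rogue server on access port Fa0/7
    snoop = DhcpSnooping()
    snoop.enable_vlan(1)
    snoop.trust("Fa0/24")
    client = "00:05:9A:3C:78:00"
    print(snoop.process({"vlan": 1, "port": "Fa0/3", "src_mac": client,
                         "msg": "DISCOVER", "chaddr": client}))
    print(snoop.process({"vlan": 1, "port": "Fa0/7", "src_mac": "00:11:22:33:44:55",
                         "msg": "OFFER", "chaddr": client, "yiaddr": "192.168.1.66"}))
    print(snoop.process({"vlan": 1, "port": "Fa0/24", "src_mac": "00:AA:BB:CC:DD:EE",
                         "msg": "ACK", "chaddr": client, "yiaddr": "192.168.1.50"}))
    print(snoop.bindings, snoop.dropped)
```

The binding table is the reason the feature is worth more than a filter: it records which address was given to which MAC on which port, so a later lease-related anomaly can be traced to a physical port.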
Cisco Discovery Protocol
 CDP is enabled by default.
 Switch it off unless it is really needed.
  CDP attacks – CDP is unauthenticated, so an attacker could craft bogus packets
 It is a security risk. Frames could be captured using Wireshark (or the older Ethereal).
 TELNET attacks
  Configure it with a secure password

More security
 Use strong passwords.
 Even these can be found in time so change them regularly.
 Using access control lists (semester 4) you can control which devices are able to access vty lines.
 Network security tools for audits and penetration testing.

Port security
 Configure each port to accept
  One MAC address only
  A small group of MAC addresses
 Frames from other MAC addresses are not forwarded.
 By default, the port will shut down if the wrong device connects. It has to be brought up again manually.

Static secure MAC address
 Static secure MAC addresses:
 Manually configured in interface config mode:
  SW1(config)#interface fa 0/4
  SW1(config-if)#switchport port-security mac-address 000c.7259.0a63
 Stored in MAC address table
 In running configuration
 Can be saved with the rest of the configuration.

Dynamic secure MAC address
 Learned dynamically
 Default – learn one address.
 Put in MAC address table
 Not in running configuration
 Not saved, not there when switch restarts.
 SW1(config-if)#switchport mode access
 SW1(config-if)#switchport port-security

Sticky secure MAC address
 Dynamically learned
 Choose how many can be learned, default 1.
 Put in running configuration
 Saved if you save running configuration and still there when switch restarts.
 Existing dynamic address(es) will convert to sticky if you enable sticky learning.

Sticky secure MAC address
 SW1(config-if)#switchport mode access
 SW1(config-if)#switchport port-security
 SW1(config-if)#switchport port-security maximum 4
 SW1(config-if)#switchport port-security mac-address sticky

Violation modes
 Violation occurs if a device with the wrong
  MAC address attempts to connect.
 Shutdown mode is default.

 Protect mode just prevents traffic.

 Restrict mode sends error message to
  network management software.



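The following added example (not code from the slides) ties the port security slides together with the MAC flooding and DHCP starvation attacks listed earlier: a `SecurePort` class that learns dynamic, sticky or static addresses up to a maximum, applies the protect, restrict and shutdown violation modes, shows what ends up in the running configuration, and shows what survives a reload. Port names, addresses and the log message text are constructed for the demonstration.

```python
class SecurePort:
    """Port security on one access port.

    The port accepts frames from at most `maximum` source MACs. Addresses are
    learned dynamically, or as sticky addresses that go into the running
    configuration, or are configured statically. Any further source MAC is a
    violation, handled according to the violation mode:
      protect  - drop the frame silently
      restrict - drop the frame, count it and notify management
      shutdown - put the port in err-disabled state (the default)
    """

    def __init__(self, name, maximum=1, violation="shutdown", sticky=False):
        assert violation in ("protect", "restrict", "shutdown")
        self.name, self.maximum, self.violation, self.sticky = name, maximum, violation, sticky
        self.secure = {}        # mac -> "static" | "dynamic" | "sticky"
        self.err_disabled = False
        self.violations = 0
        self.log = []

    def add_static(self, mac):
        self.secure[mac.lower()] = "static"

    def receive(self, src_mac):
        """Returns 'forward', 'drop' or 'err-disabled' for one ingress frame."""
        mac = src_mac.lower()
        if self.err_disabled:
            return "drop"                       # port stays down until brought up
        if mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        self.violations += 1                    # table full: a violation
        if self.violation == "shutdown":
            self.err_disabled = True
            return "err-disabled"
        if self.violation == "restrict":
            # constructed message; the real switch raises a syslog/SNMP notification
            self.log.append(f"port-security violation on {self.name} from {mac}")
        return "drop"

    def bring_up(self):
        """shutdown / no shutdown on the interface after fixing the cause."""
        self.err_disabled = False

    def reload(self, config_saved):
        """Dynamic addresses never survive a restart; sticky and static ones
        are back only if the running configuration had been saved."""
        self.secure = {m: k for m, k in self.secure.items()
                       if config_saved and k in ("static", "sticky")}
        self.err_disabled = False

    def running_config(self):
        lines = ["switchport mode access", "switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        for mac, kind in self.secure.items():
            if kind == "static":
                lines.append(f"switchport port-security mac-address {mac}")
            elif kind == "sticky":
                lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines


if __name__ == "__main__":
    # constructed: 50 frames with different source MACs arrive on a port that
    # allows two addresses in restrict mode, the flooding pattern from the attacks slide
    port = SecurePort("Fa0/5", maximum=2, violation="restrict")
    for i in range(50):
        port.receive(f"0000.0000.{i:04x}")
    print(len(port.secure), "addresses learned,", port.violations, "violations")
    print("\n".join(port.running_config()))
```

Against a flood of fake source addresses the table on the port stops growing at the configured maximum, so the CAM table of the switch is never filled and the frames never get flooded; with shutdown mode the port goes err-disabled on the first extra address instead.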
Check port security
 show port-security int fa 0/4
  to see settings on a particular port
 show port-security address
  to see the table of secure MAC addresses

 If you don’t need to use a port:
  shutdown

Interface range
 Switch(config)#interface range fa0/1 - 20
 Switch(config-if-range)#

 A useful command if you want to put the same configuration on several interfaces.

The End





Final exam ccna exploration 3 lan switching and wireless
 
Ch6 ccna exploration 3 lan switching and wireless
Ch6 ccna exploration 3 lan switching and wirelessCh6 ccna exploration 3 lan switching and wireless
Ch6 ccna exploration 3 lan switching and wireless
 
Ch7 ccna exploration 3 lan switching and wireless
Ch7 ccna exploration 3 lan switching and wirelessCh7 ccna exploration 3 lan switching and wireless
Ch7 ccna exploration 3 lan switching and wireless
 
Ch5 ccna exploration 3 lan swtching and wireless
Ch5 ccna exploration 3 lan swtching and wirelessCh5 ccna exploration 3 lan swtching and wireless
Ch5 ccna exploration 3 lan swtching and wireless
 
Ch4 ccna exploration 3 lan switching and wireless
Ch4 ccna exploration 3 lan switching and wirelessCh4 ccna exploration 3 lan switching and wireless
Ch4 ccna exploration 3 lan switching and wireless
 
Ch3 ccna exploration 3 lan switching and wireless
Ch3 ccna exploration 3 lan switching and wirelessCh3 ccna exploration 3 lan switching and wireless
Ch3 ccna exploration 3 lan switching and wireless
 
Ch2 ccna exploration 3 lan switching and wireless
Ch2 ccna exploration 3 lan switching and wirelessCh2 ccna exploration 3 lan switching and wireless
Ch2 ccna exploration 3 lan switching and wireless
 
Ccna exploration 3 lan switching and wireless
Ccna exploration 3 lan switching and wirelessCcna exploration 3 lan switching and wireless
Ccna exploration 3 lan switching and wireless
 
Chapter 7 wireless
Chapter 7   wirelessChapter 7   wireless
Chapter 7 wireless
 
Chapter 6 intervlanrouting
Chapter 6   intervlanroutingChapter 6   intervlanrouting
Chapter 6 intervlanrouting
 
Chapter 5 stp
Chapter 5   stpChapter 5   stp
Chapter 5 stp
 
Chapter 4 vtp
Chapter 4   vtpChapter 4   vtp
Chapter 4 vtp
 
Chapter 3 vlans
Chapter 3   vlansChapter 3   vlans
Chapter 3 vlans
 

Switches module 2

  • 7. Switch Port Settings
    - Auto (default for UTP) – negotiates half/full duplex with the connected device.
    - Full – sets full-duplex mode.
    - Half – sets half-duplex mode.
    - Auto is fine if both devices are using it. Potential problem if the switch uses it and the other device does not. Switch defaults to half.
    - Full one end and half the other – errors.
    - Command to set duplex mode: (config-if)#duplex [auto|full|half]
  • 8. mdix auto
    - Command makes the switch detect whether the cable is straight-through or crossover and compensate, so you can use either.
    - Depends on IOS version:
      - Enabled by default from 12.2(18)SE on
      - Disabled from 12.1(14)EA1 to 12.2(18)SE
      - Not available in earlier versions
  • 9. Communication types reminder
    - Unicast – one sender to one receiver, e.g. most user traffic: HTTP, FTP, SMTP etc.
    - Broadcast – one sender to all hosts on the network, e.g. ARP requests.
    - Multicast – one sender to a group of devices, e.g. routers running EIGRP, a group of hosts using videoconferencing. IP addresses have first octet in range 224 – 239.
  • 10. Ethernet frame reminder
    - IEEE 802.3 (Data link layer, MAC sublayer)
    - Frame layout:
      - Preamble – 7 bytes
      - Start of frame delimiter – 1 byte
      - Destination address – 6 bytes
      - Source address – 6 bytes
      - Length / type – 2 bytes
      - 802.2 header and data – 46 to 1500 bytes
      - Frame check sequence – 4 bytes
    - Preamble through length/type make up the frame header; 802.2 header and data is the data; the frame check sequence is the trailer.
    - 802.2 is data link layer LLC sublayer.
  • 11. Ethernet Frame
    - From layer 3 PDU to layer 2, which adds the header and trailer used by the Ethernet protocol.
    - Preamble: for synchronisation between sending and receiving device.
    - Destination MAC: identifier for the intended recipient.
    - Source MAC: the frame's originating NIC or interface; used by switches to add to their lookup table.
    - Length/packet type: exact length of the frame data field, or the type of protocol implemented.
    - Data and PAD field: encapsulated data from the higher layer.
    - FCS: uses CRC to check for data errors.
  • 12. MAC address
    - 48 bits written as 12 hexadecimal digits. Format varies: 00-05-9A-3C-78-00, 00:05:9A:3C:78:00, or 0005.9A3C.7800.
    - MAC address can be permanently encoded into a ROM chip on a NIC – burned in address (BIA).
    - Some manufacturers allow the MAC address to be modified locally.
  • 13–16. MAC address
    - Two parts: Organizational Unique Identifier (OUI) and number assigned by manufacturer.
    - Layout of the 48 bits (slides 13 to 16 each highlight one field):
      - Broadcast bit (1 bit) – set if broadcast or multicast (slide 13)
      - Local bit (1 bit) – set if vendor number can be changed (slide 14)
      - OUI number (22 bits) – allocated to vendor by IEEE (slide 15)
      - Vendor number (24 bits) – vendor assigns; unique identifier for port on device (slide 16)
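The three notations on slide 12 and the bit fields on slides 13 to 16, as an added Python example (not code from the deck): it normalises any of the three formats to six bytes and reads off the broadcast/multicast bit, the local bit, the 22-bit OUI number and the 24-bit vendor number. 00:05:9A:3C:78:00 is the deck's own sample address; the other addresses used in the checks are constructed.

```python
"""Parse the three MAC address notations from slide 12 and pull out the
fields on slides 13-16: the broadcast (I/G) bit, the local (U/L) bit, the
22-bit OUI number and the 24-bit vendor number.
Added example, not from the deck; 00:05:9A:3C:78:00 is the deck's own
sample address, the other addresses are constructed."""
import re

# pairs separated consistently by "-" or ":" (the backreference forbids mixing)
_PAIRS = re.compile(r"^[0-9a-f]{2}([-:])[0-9a-f]{2}(?:\1[0-9a-f]{2}){4}$")
_DOTTED = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def parse_mac(text):
    """Accept 00-05-9A-3C-78-00, 00:05:9A:3C:78:00 or 0005.9A3C.7800 and
    return the six address bytes; anything else raises ValueError."""
    s = text.strip().lower()
    if _PAIRS.match(s) or _DOTTED.match(s):
        return bytes.fromhex(re.sub(r"[-:.]", "", s))
    raise ValueError("not a MAC address: %r" % (text,))


def describe_mac(text):
    """Split a MAC address into the fields drawn on slides 13-16."""
    mac = parse_mac(text)
    first = mac[0]
    group = bool(first & 0x01)      # first bit on the wire: broadcast/multicast (slide 13)
    local = bool(first & 0x02)      # second bit: locally administered (slide 14)
    # the 22 OUI bits are the rest of the first byte plus the next two bytes (slide 15)
    oui_number = ((first >> 2) << 16) | int.from_bytes(mac[1:3], "big")
    return {
        "canonical": ":".join("%02x" % b for b in mac),
        "broadcast": mac == b"\xff" * 6,
        "multicast": group and mac != b"\xff" * 6,
        "locally_administered": local,
        "oui_number": oui_number,
        "oui_prefix": "%06X" % int.from_bytes(mac[:3], "big"),   # 3-byte prefix as the IEEE registry lists it
        "vendor_number": "%06X" % int.from_bytes(mac[3:], "big"),  # 24 bits the vendor assigns (slide 16)
    }
```

The flag bits are the two least significant bits of the first byte (the first two bits transmitted), so a locally administered address such as 02:00:00:00:00:01 has OUI number 0, the same as 00:00:00:00:00:01; the two differ only in the local bit.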
  • 17. Switch MAC Address Table
    - Switch uses the MAC address to direct network communications to the appropriate port.
    - Switch builds its MAC address table of nodes connected to each port. Command: #show mac-address-table
    - Process:
      - Table matches switch port with MAC address of attached device.
      - Built by inspecting source MAC address of incoming frames.
      - Destination MAC address checked against table, frame sent through correct port.
      - If not in table, frame flooded.
      - Broadcasts flooded.
  • 18. Collision domain
    - Shared medium – same collision domain.
    - Collisions reduce throughput (average data that is transmitted effectively).
    - The more devices – the more collisions.
    - Hub – maybe 60% of bandwidth available.
    - Switch (+ full duplex) – dedicated link each way, 100% bandwidth in each direction.
    - Collision = bandwidth reduced = affects throughput.
  • 19. How many collision domains? (diagram)
  • 20. How many collision domains? Answer: 11
  • 21. Broadcast domains
    - Layer 2 switches flood broadcasts.
    - Devices linked by switches are in the same broadcast domain.
    - (We ignore VLANs here – they come later.)
    - A layer 3 device (router) splits up broadcast domains; it does not forward broadcasts.
    - Destination MAC address for broadcast is all 1s, that is FF:FF:FF:FF:FF:FF.
  • 22. How many broadcast domains? No VLANs (diagram)
  • 23. How many broadcast domains? (diagram)
  • 24. Network Latency
    - Refers to the time that a packet takes to travel from source to destination.
    - Sources of latency:
      - NIC delay – time taken to put the signal on the medium and to interpret it on receipt.
      - Propagation delay – time spent travelling on the medium.
      - Latency from intermediate devices, e.g. switch or router. Depends on number and type of devices.
    - Note: routers add more latency than switches.
  • 25. Network congestion
    - Causes:
      - More powerful PCs can send and process more data at higher rates.
      - Increasing use of remote resources (servers, Internet) generates more traffic.
      - More broadcasts, more congestion.
      - Applications make more use of advanced graphics, video etc. Need more bandwidth.
    - Splitting collision and broadcast domains helps.
  • 26. Control latency
    - Choose switches that can process data fast enough for all ports to work simultaneously at full bandwidth.
    - Use switches rather than routers where possible.
    - But – balance this against the need to split up broadcast domains.
  • 27. Remove bottlenecks
    - Use a faster link.
    - Have several links and use link aggregation so that they act as one link with the combined bandwidth.
  • 28. Switch Forwarding Methods
    - Cisco switches now all use Store and Forward.
    - Some older switches used Cut Through – it had two variants: Fast Forward and Fragment Free.
    - Cut through switching acts upon data as soon as it is received.
    - Store and forward stores data in a buffer until the complete frame has been received.
  • 29. Store and forward
    - Read whole frame into buffer.
    - Discard any frames that are too short/long.
    - Perform cyclic redundancy check (CRC) and discard any frames with errors.
    - Find correct port and forward frame.
    - Allows QoS checks.
    - Allows entry and exit at different bandwidths.
  • 30. Cut Through – Fast forward
    - Read start of frame as it comes in, as far as the end of the destination MAC address (first 6 bytes after the start delimiter).
    - Look up port and start forwarding while the remainder of the frame is still coming in.
    - No checks or discarding of bad frames.
    - Entry and exit must be same bandwidth.
    - Lowest latency.
  • 31. Cut Through – Fragment Free
    - Read start of frame as it comes in, as far as the end of byte 64.
    - Look up port and start forwarding while the remainder of the frame (if any) is still coming in.
    - May forward corrupt frames.
    - Does not perform error checking.
    - Entry and exit must be same bandwidth.
    - Compromise between store and forward and cut through.
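The checks of slide 29 and the read-ahead points of slides 30 and 31, worked over the frame layout of slide 10, as an added Python example (not code from the deck). It builds frames with a real 802.3 FCS, then shows that store-and-forward rejects runts, giants and a frame with a flipped bit, while either cut-through variant is ready to forward long before the FCS has arrived. Frames, MAC addresses and payloads are constructed.

```python
"""Store-and-forward checks from slide 29 and the read-ahead points of the
two cut-through variants (slides 30-31) worked as code over the frame
layout on slide 10. Added example, not from the deck; frames are constructed
inline. The FCS is the 802.3 CRC-32, the same polynomial zlib.crc32
computes, sent least-significant byte first."""
import zlib

MIN_FRAME = 64     # 6 + 6 + 2 + 46 + 4, excluding preamble and start delimiter
MAX_FRAME = 1518   # 6 + 6 + 2 + 1500 + 4, untagged frame
BROADCAST = b"\xff" * 6
READ_BEFORE_FORWARDING = {"fast-forward": 6, "fragment-free": 64}   # bytes, slides 30-31


def fcs(body):
    """Frame check sequence over destination MAC through end of data."""
    return (zlib.crc32(body) & 0xFFFFFFFF).to_bytes(4, "little")


def build_frame(dst, src, ethertype, payload):
    """dst | src | type | data padded to 46 bytes (the PAD field, slide 11) | FCS."""
    payload = payload + b"\x00" * max(0, 46 - len(payload))
    body = dst + src + ethertype.to_bytes(2, "big") + payload
    return body + fcs(body)


def parse_header(frame):
    """The three header fields a switch acts on (slide 10)."""
    return {"dst": frame[0:6], "src": frame[6:12],
            "type": int.from_bytes(frame[12:14], "big")}


def store_and_forward_check(frame):
    """Whole frame is in the buffer: reject runts and giants, then verify the
    CRC (slide 29). Returns (ok, reason)."""
    if len(frame) < MIN_FRAME:
        return False, "runt"
    if len(frame) > MAX_FRAME:
        return False, "giant"
    if frame[-4:] != fcs(frame[:-4]):
        return False, "bad FCS"
    return True, "ok"


def cut_through_can_forward(method, bytes_received):
    """Cut-through decides as soon as enough bytes are in: fast-forward after
    the 6-byte destination, fragment-free after byte 64. Neither has seen the
    FCS yet, which is why both may forward corrupt frames (slides 30-31)."""
    return bytes_received >= READ_BEFORE_FORWARDING[method]
```

A bit flipped anywhere between the destination MAC and the end of the data changes the CRC, so store-and-forward drops the frame; fragment-free only guarantees that collision fragments shorter than 64 bytes are not forwarded.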
  • 32. Symmetric and Asymmetric Switching
    - Symmetric – all ports operate at the same bandwidth.
    - Asymmetric – different bandwidths used, e.g. server or uplink has greater bandwidth.
    - Requires store and forward operation with buffering.
    - Most switches now are asymmetric to allow flexibility.
  • 33. Memory buffering
    - Used when the destination port is busy due to congestion; the switch stores the frame until it can be transmitted.
    - 2 types:
      - Port based
      - Shared memory
  • 34. Port Based Buffering
    - Each incoming port has its own queue.
    - Frames stay in buffer until outgoing port is free.
    - A frame destined for a busy outgoing port can hold up all the others even if their outgoing ports are free.
    - Each incoming port has a fixed and limited amount of memory.
  • 35. Shared Memory Buffering
    - All incoming frames go in a common buffer.
    - Switch maps frame to destination port and forwards it when port is free.
    - Frames do not hold each other up.
    - Flexible use of memory allows larger frames.
    - Important for asymmetric switching where some ports work faster than others.
  • 36. Layer 2 and Layer 3 Switching
    - Traditional Ethernet switches work at layer 2. They use MAC addresses to make forwarding decisions. They do not look at layer 3 information.
  • 37. Layer 2 and Layer 3 Switching
    - Layer 3 switches can carry out the same functions as layer 2 switches. They can also use layer 3 IP addresses to route between networks. They can control the spread of broadcasts.
  • 38. Switch CLI is similar to router
      Switch>enable
      Switch#config t
      Switch(config)#int fa 0/1
      Switch(config-if)#exit
      Switch(config)#line con 0
      Switch(config-line)#end
      Switch#disable
      Switch>
  • 39. Cisco Device Manager – alternative to CLI
    - Built-in web based GUI for managing the switch.
    - Access via browser on PC.
    - Other GUI options available but need to be downloaded/bought.
  • 40. Help, history etc.
    - Help with ? is similar to router.
    - Error messages for bad commands – same.
    - Command history – as for router.
      - Up arrow or Ctrl + P for previous
      - Down arrow or Ctrl + N for next
    - Each mode has its own buffer holding 10 commands by default.
  • 41. Cisco IOS history buffer commands
    - show history – display the contents of the command buffer.
    - To enable, in either privileged or user exec mode: terminal history
    - terminal history size 50 – store or maintain 0 to 256 command lines.
    - terminal no history size – reset history size to the default value.
    - terminal no history – disable.
  • 42. Storage and start-up
    - ROM, Flash, NVRAM, RAM generally similar to router.
    - Boot loader, POST, load IOS from flash, load configuration file.
    - Similar idea to router. Some difference in detail.
    - Boot loader lets you re-install IOS or recover from password loss.
  • 43. Password recovery (2950)
    1. Hold down the mode switch during start-up
    2. flash_init
    3. load_helper
    4. dir flash:
    5. rename flash:config.text flash:config.old
    6. boot
    7. Continue with the configuration dialog? [yes/no] : N
    8. rename flash:config.old flash:config.text
    9. copy flash:config.text system:running-config
    10. Configure new passwords
  • 44. IP address
    - A switch works without an IP address or any other configuration that you give it.
    - An IP address lets you access the switch remotely by Telnet, SSH or browser.
    - Switch needs only one IP address.
    - It goes on a virtual (VLAN) interface.
    - VLAN 1 is the default but is not very secure for management.
  • 45. IP address
      S1(config)#int vlan 99 (or another VLAN)
      S1(config-if)#ip address 192.168.1.2 255.255.255.0
      S1(config-if)#no shutdown
      S1(config-if)#exit
    - All very well, but by default all the ports are associated with VLAN 1.
    - VLAN 99 needs to have a port to use.
  • 46. IP address
      S1(config)#int fa 0/18 (or other interface)
      S1(config-if)#switchport mode access
      S1(config-if)#switchport access vlan 99
      S1(config-if)#exit
      S1(config)#
    - Messages to and from the switch IP address can pass via port fa 0/18.
    - Other ports could be added if necessary.
  • 47. Default gateway
      S1(config)#ip default-gateway 192.168.1.1
    - Just like a PC, the switch needs to know the address of its local router to exchange messages with other networks.
    - Note global configuration mode.
  • 48. Web based GUI
    - Includes Cisco web browser user interface, Cisco router SDM, IP phone and Cisco IP telephony service application.
    - Requires the switch to be configured as an HTTP server:
      SW1(config)#ip http server
      SW1(config)#ip http authentication enable (uses enable secret/password for access)
      SW1(config)#ip http authentication local
      SW1(config)#username admin password cisco (log in using this username and password)
  • 49. MAC address table (CAM)
    - Static: built-in or configured, do not time out.
    - Dynamic: learned, time out after 300 sec.
    - Note that the VLAN is included in the table.
  • 50. Set a static address
      SW1(config)#mac-address-table static 000c.7671.10b4 vlan 2 interface fa0/6
  • 51. Save configuration
      copy run start
      copy running-config startup-config
    - This assumes that running-config is coming from RAM and startup-config is going in NVRAM (the file is actually in flash).
    - Full version gives the path:
      copy system:running-config flash:startup-config
  • 52. Back up
      copy startup-config flash:backupJan08
    - You could go back to this version later if necessary.
      copy system:running-config tftp://192.168.1.8/sw1config
      copy nvram:startup-config tftp://192.168.1.8/sw1config
    - (or try copy run tftp and wait for prompts)
  • 53. Login Passwords
    - Plain-text configuration:
      line con 0
       password cisco
       login
      line vty 0 15
       password cisco
       login
    - With service password-encryption:
      service password-encryption
      line con 0
       password 7 030752180500
       login
      line vty 0 15
       password 7 1511021f0725
       login
  • 54. Banners
      banner motd "Shut down 5pm Friday"
      banner login "No unauthorised access"
    - Motd will show first.
    - Delimiter can be " or # or any character not in the message.
  • 55. Secure Shell SSH
    - Similar interface to Telnet.
    - Encrypts data for transmission.
      SW1(config)#line vty 0 15
      SW1(config-line)#transport input ssh
    - Use ssh or telnet, or all if you want both.
    - Default is telnet.
    - For SSH you must configure the host domain and generate an RSA key pair.
  • 56. Common security attacks
    - MAC address flooding: send huge numbers of frames with fake source MAC addresses and fill up the MAC address table. The switch then floods all frames.
    - DHCP spoofing: a rogue server allocates a fake IP address and default gateway; all remote traffic is sent to the attacker. (Use the DHCP snooping feature to mark ports as trustworthy or not.)
    - DHCP starvation attack: attacker PC continually requests IP addresses from the real DHCP server. Causes all leases on the real DHCP server to be allocated, preventing real users from obtaining an IP address. Can be prevented with the use of DHCP snooping and port security.
  • 57. DHCP snooping
    - Cisco Catalyst feature that determines which switch ports can respond to DHCP requests.
    - Ports are identified as trusted and untrusted.
    - Commands:
      - ip dhcp snooping – enable DHCP snooping, in global config
      - ip dhcp snooping vlan number [number] – define DHCP snooping for specific VLAN(s)
      - ip dhcp snooping trust – define a port as trusted (untrusted otherwise), at the interface level
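The filter that slide 57's trusted/untrusted port split amounts to, as an added Python example (not Cisco code): it parses the DHCP message type out of the options field and drops server replies (OFFER, ACK, NAK) that arrive on an untrusted port, which is what stops the rogue server of slide 56 from answering clients. Packets, port names and MAC addresses are constructed. The chaddr check goes beyond the slide: on untrusted ports the client hardware address inside the packet has to match the frame's source MAC.

```python
"""DHCP snooping from slide 57 worked as the filter the switch applies:
parse the DHCP message type and drop server replies that arrive on untrusted
ports, so the rogue server of slide 56 cannot answer clients. Added example,
not Cisco code; packets and addresses are constructed inline. The chaddr
check goes beyond the slide: on untrusted ports the client hardware address
in the packet must match the frame's source MAC."""
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_TO_CLIENT = {OFFER, ACK, NAK}
OPT_MESSAGE_TYPE, OPT_PAD, OPT_END = 53, 0, 255


def build_dhcp(op, message_type, chaddr, xid=0x3903F326):
    """236-byte BOOTP header + magic cookie + option 53 + end option.
    xid is a constructed transaction id."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         chaddr, b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + bytes([OPT_MESSAGE_TYPE, 1, message_type, OPT_END])


def parse_dhcp(packet):
    """Return op, client hardware address and the options as {code: value}."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    hlen = packet[2]
    chaddr = packet[28:28 + hlen]
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:          # single-byte padding, no length
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(packet):
            raise ValueError("truncated option")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        options[code] = value
        i += 2 + length
    return {"op": packet[0], "chaddr": chaddr, "options": options}


def snoop(trusted_ports, in_port, src_mac, packet):
    """Decide whether a DHCP packet from in_port is forwarded. trusted_ports
    is the set of interfaces configured with 'ip dhcp snooping trust'."""
    msg = parse_dhcp(packet)
    if in_port in trusted_ports:
        return True, "trusted port"
    mtype = msg["options"].get(OPT_MESSAGE_TYPE, b"\0")[0]
    if msg["op"] == BOOTREPLY or mtype in SERVER_TO_CLIENT:
        return False, "server message on untrusted port"
    if msg["chaddr"] != src_mac:
        return False, "chaddr does not match source MAC"
    return True, "client message on untrusted port"
```

Only the uplink towards the real DHCP server belongs in the trusted set; every access port stays untrusted, which is the default state once snooping is enabled on the VLAN.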
  • 58. Cisco Discovery Protocol
    - CDP is enabled by default.
    - Switch it off unless it is really needed.
    - CDP attacks – CDP is unauthenticated; an attacker could craft bogus packets.
    - It is a security risk. Frames could be captured using Wireshark (or the older Ethereal).
    - Telnet attacks – configure it with a secure password.
  • 59. More security
    - Use strong passwords.
    - Even these can be found in time, so change them regularly.
    - Using access control lists (semester 4) you can control which devices are able to access vty lines.
    - Network security tools for audits and penetration testing.
  • 60. Port security
    - Configure each port to accept:
      - One MAC address only
      - A small group of MAC addresses
    - Frames from other MAC addresses are not forwarded.
    - By default, the port will shut down if the wrong device connects. It has to be brought up again manually.
  • 61. Static secure MAC address
    - Static secure MAC addresses:
      - Manually configured in interface config mode:
        interface fa 0/4
        switchport port-security mac-address 000c.7259.0a63
      - Stored in MAC address table
      - In running configuration
      - Can be saved with the rest of the configuration.
  • 62. Dynamic secure MAC address
    - Learned dynamically
    - Default – learn one address.
    - Put in MAC address table
    - Not in running configuration
    - Not saved, not there when switch restarts.
      SW1(config-if)#switchport mode access
      SW1(config-if)#switchport port-security
  • 63. Sticky secure MAC address
    - Dynamically learned
    - Choose how many can be learned, default 1.
    - Put in running configuration
    - Saved if you save the running configuration and still there when the switch restarts.
    - Existing dynamic address(es) will convert to sticky if you enable sticky learning.
  • 64. Sticky secure MAC address
      SW1(config-if)#switchport mode access
      SW1(config-if)#switchport port-security
      SW1(config-if)#switchport port-security maximum 4
      SW1(config-if)#switchport port-security mac-address sticky
  • 65. Violation modes
    - Violation occurs if a device with the wrong MAC address attempts to connect.
    - Shutdown mode is default.
    - Protect mode just prevents traffic.
    - Restrict mode sends an error message to network management software.
  • 66. Check port security
    - show port-security int fa 0/4 – to see settings on a particular port
    - show port-security address – to see the table of secure MAC addresses
    - If you don't need to use a port: shutdown
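A small Layer 2 forwarding simulator, added here as a Python example (not Cisco code), that ties together slide 17 (learn the source MAC, forward by destination, flood unknowns and broadcasts), slide 49 (dynamic entries age out after 300 s while static ones stay), slide 56 (a MAC address table that fills up makes the switch flood everything) and slides 60 to 65 (port security with a per-port maximum, sticky learning and the shutdown, protect and restrict violation modes). Port names, MAC addresses and the tiny table size in the demo are constructed; the CAM capacity, the scenario and the helper names are assumptions made for the example.

```python
"""Layer 2 forwarding with MAC learning, aging and port security, covering
slides 17, 49, 56 and 60-65. Added example, not Cisco code; ports, addresses
and the small table size are constructed."""
import time

AGING_SECONDS = 300                 # dynamic entries time out (slide 49)
BROADCAST = "ff:ff:ff:ff:ff:ff"     # all 1s (slide 21)


class Port:
    """A switch port, optionally protected by port security (slides 60-65)."""
    def __init__(self, name, secure=False, maximum=1, violation="shutdown", sticky=False):
        self.name = name
        self.secure = secure                 # switchport port-security
        self.maximum = maximum               # switchport port-security maximum N
        self.violation = violation           # shutdown (default) | protect | restrict
        self.sticky = sticky                 # switchport port-security mac-address sticky
        self.secure_macs = {}                # mac -> "static" | "sticky" | "dynamic"
        self.err_disabled = False            # where shutdown mode leaves the port
        self.violations = 0


class Switch:
    def __init__(self, ports, table_size=8192):
        self.ports = {p.name: p for p in ports}
        self.table = {}                      # mac -> (port name, learned_at); None = static
        self.table_size = table_size         # CAM capacity that MAC flooding tries to exhaust

    def add_static(self, mac, port_name):
        """mac-address-table static <mac> vlan <n> interface <port> (slide 50)."""
        self.table[mac] = (port_name, None)

    def add_secure_static(self, port_name, mac):
        """switchport port-security mac-address <mac> on the interface (slide 61)."""
        self.ports[port_name].secure_macs[mac] = "static"

    def _age(self, now):
        for mac, (_, learned_at) in list(self.table.items()):
            if learned_at is not None and now - learned_at > AGING_SECONDS:
                del self.table[mac]

    def _port_security_allows(self, port, src):
        if not port.secure or src in port.secure_macs:
            return True
        if len(port.secure_macs) < port.maximum:
            port.secure_macs[src] = "sticky" if port.sticky else "dynamic"
            return True
        if port.violation == "protect":      # traffic just dropped, nothing reported
            return False
        port.violations += 1                 # restrict: dropped and counted/reported
        if port.violation == "shutdown":
            port.err_disabled = True         # needs a manual no shutdown (slide 60)
        return False

    def _learn(self, src, in_port, now):
        entry = self.table.get(src)
        if entry is None:
            if len(self.table) < self.table_size:   # a full table learns nothing new
                self.table[src] = (in_port, now)
        elif entry[1] is not None:                  # refresh dynamic; static stays put
            self.table[src] = (in_port, now)

    def receive(self, in_port, src, dst, now=None):
        """Process one frame and return the list of ports it goes out of."""
        now = time.time() if now is None else now
        self._age(now)
        port = self.ports[in_port]
        if port.err_disabled or not self._port_security_allows(port, src):
            return []
        self._learn(src, in_port, now)
        if dst != BROADCAST and dst in self.table:
            out = self.table[dst][0]
            return [] if out == in_port else [out]
        # unknown destination or broadcast: flood to every other live port (slide 17)
        return [n for n, p in self.ports.items() if n != in_port and not p.err_disabled]

    def sticky_config_lines(self):
        """IOS-style lines that sticky and static secure addresses add to the running config (slide 63)."""
        return ["interface %s: switchport port-security mac-address %s%s"
                % (p.name, "sticky " if kind == "sticky" else "", mac)
                for p in self.ports.values()
                for mac, kind in sorted(p.secure_macs.items()) if kind != "dynamic"]


def mac_flood_demo(secure_attacker_port):
    """Constructed scenario for slide 56: fa0/3 injects frames from many fake
    source MACs into a small CAM table, then host A (fa0/1) and host B (fa0/2)
    exchange frames. Returns the ports B's reply goes out of and the table size."""
    host_a, host_b = "00:05:9a:3c:78:00", "00:0c:76:71:10:b4"
    sw = Switch([Port("fa0/1"), Port("fa0/2"),
                 Port("fa0/3", secure=secure_attacker_port, maximum=1)], table_size=4)
    for i in range(6):
        sw.receive("fa0/3", "02:00:00:00:00:%02x" % i, BROADCAST, now=0)
    sw.receive("fa0/1", host_a, host_b, now=1)
    return sw.receive("fa0/2", host_b, host_a, now=2), len(sw.table)
```

With fa0/3 unsecured the four-entry table is full of fake addresses, host A is never learned and B's reply is flooded out of fa0/3 as well; with `switchport port-security` (maximum 1, shutdown mode) on fa0/3 the second fake address err-disables the port, A and B are learned normally and the reply goes only to fa0/1.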
  • 67. Interface range
      Switch(config)#interface range fa0/1 - 20
      Switch(config-if-range)#
    - A useful command if you want to put the same configuration on several interfaces.
  • 68. The End

Editor's notes

  1. Switches.ppt 30/09/12 S Ward Abingdon and Witney College