
Chap 2 – Basic Switch Concepts and Configuration Learning Objectives






Presentation Transcript


  1. Chap 2 – Basic Switch Concepts and Configuration: Learning Objectives
  • Summarise the operation of Ethernet as defined for 100/1000 Mbps LANs in the IEEE 802.3 standard.
  • Explain the functions that enable a switch to forward Ethernet frames in a LAN.
  • Configure a switch for operation in a network designed to support voice, video, and data transmissions.
  • Configure basic security on a switch that will operate in a network designed to support voice, video, and data transmissions.

  2. Duplex Settings
  • Half-duplex (CSMA/CD)
    • Unidirectional data flow
    • Potential for collisions
    • Hub connectivity
  • Full-duplex
    • Point-to-point only
    • Attached to a dedicated switch port
    • Needs full-duplex support at both ends
    • Collision-free
    • Collision detect circuit disabled
  (Figure: a hub illustrates the half-duplex case, a switch the full-duplex case.)

  3. Duplex Settings The Cisco Catalyst switches have three settings: • The auto option sets auto-negotiation of duplex mode. With auto-negotiation enabled, the two ports communicate to decide the best mode of operation. • The full option sets full-duplex mode. • The half option sets half-duplex mode.

  4. Auto-MDIX Settings
  When the auto-MDIX feature is enabled, the switch detects the required cable type for copper Ethernet connections and configures the interfaces accordingly.
  • The auto-MDIX feature is enabled by default on switches running Cisco IOS Release 12.2(18)SE or later.
  • For releases between Cisco IOS Release 12.1(14)EA1 and 12.2(18)SE, the auto-MDIX feature is disabled by default.
  (Figure: a table of which cable, straight-through or crossover, is used between each pair of router, hub, switch and PC.)

  5. Switch MAC Tables - Summary
  • Filters, forwards and floods network traffic using the physical (MAC) address of host computers.
  • Reads each frame as it passes through the network.
  • Places the source address in a MAC filter table and keeps track of the port it was received on.
  • Examines the destination address and consults its table before processing the frame.

  6. Collision Domains
  The network area where frames originate and collide is called the collision domain. All shared media environments, such as those created by using hubs, are collision domains.
  (Figure: two hubs connected through a switch.)

  7. MAC Broadcast Domains
  The broadcast domain at Layer 2 is referred to as the MAC broadcast domain. The MAC broadcast domain consists of all devices on the LAN that receive frames broadcast by a host to all other machines on the LAN.
  (Figure: two hubs connected through a switch.)

  8. Network Latency
  • Latency is the time a frame or a packet takes to travel from the source station to the final destination.
  • Latency has at least three sources:
    • Time taken for the NIC to send and receive the signalling pulses (1 µs for a 10BASE-T NIC).
    • Propagation delay through the cable, typically about 0.556 µs per 100 m for Cat 5 UTP.
    • Network devices in the path between the two end devices. These are either Layer 1, Layer 2, or Layer 3 devices.
  (Figure: two switches in the path, annotated with latencies of 30-60 ms and 20-40 ms.)

  9. Switch Forwarding
  In store-and-forward switching, received frames are stored in buffers until the complete frame has been received. The switch analyzes the frame for information about its destination, and performs an error check using the Ethernet Frame Check Sequence.
  (Figure: Frame In, Store Frame, Frame Out, with two checks against the frame fields: Preamble (7 bytes), Start Delimiter (1 byte), Destination Address (6 bytes), Source Address (6 bytes), Length (2 bytes), Data (46-1500 bytes), Frame Check Sequence (4 bytes).)

  10. Switch Forwarding
  In cut-through switching, the switch acts upon the data as soon as it is received, even if the transmission is not complete. The switch buffers just enough of the frame to read the destination MAC address so that it can determine to which port to forward the data.
  (Figure: Frame In, Frame Out, with a single check on the Destination Address field; frame fields as before: Preamble (7 bytes), Start Delimiter (1 byte), Destination Address (6 bytes), Source Address (6 bytes), Length (2 bytes), Data (46-1500 bytes), Frame Check Sequence (4 bytes).)
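The difference between slides 9 and 10 is when the Frame Check Sequence is examined, and that matters for what a corrupted frame does to the network. The Python below is an added example, not part of the slides or of any Cisco code: it builds a frame with the field sizes shown, computes the FCS as CRC-32 with `zlib.crc32` (the same polynomial Ethernet uses, sent least-significant byte first), and runs a good copy and a copy corrupted in transit through both forwarding methods. The MAC table, host B's address and the corrupted byte are constructed; host A's MAC is the one used on slide 29.

```python
# Added example (not from the slides): store-and-forward vs cut-through on a
# constructed Ethernet frame. Field sizes follow the frame layout on the slide;
# the FCS is CRC-32 over destination..data, transmitted least-significant byte first.
import struct
import zlib

BROADCAST = b"\xff" * 6


def build_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """Build dst|src|length|data|FCS (preamble and SFD are not stored by a switch)."""
    data = payload.ljust(46, b"\x00")           # pad to the 46-byte minimum data field
    body = dst + src + struct.pack("!H", len(payload)) + data
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return body + fcs


def fcs_ok(frame: bytes) -> bool:
    """Recompute the CRC-32 over everything before the FCS and compare."""
    body, fcs = frame[:-4], frame[-4:]
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) == fcs


def egress(dst: bytes, mac_table: dict) -> str:
    """Known unicast goes out one port; unknown unicast or broadcast is flooded."""
    if dst == BROADCAST:
        return "flood"
    return mac_table.get(dst, "flood")


def store_and_forward(frame: bytes, mac_table: dict) -> str:
    """The whole frame is buffered first, so the FCS is verified before any forwarding."""
    if len(frame) < 64 or not fcs_ok(frame):
        return "drop"                       # runt or CRC error: never leaves the switch
    return egress(frame[:6], mac_table)


def cut_through(frame_so_far: bytes, mac_table: dict) -> str:
    """Only the first 6 bytes are needed; the FCS has not arrived yet, so a
    corrupted frame is forwarded regardless."""
    if len(frame_so_far) < 6:
        return "wait"                       # destination address not complete yet
    return egress(frame_so_far[:6], mac_table)


def demo() -> dict:
    host_a = bytes.fromhex("00d0970c1a8c")  # MAC address from slide 29
    host_b = bytes.fromhex("00000000000b")  # constructed
    table = {host_a: "fa0/1", host_b: "fa0/2"}   # constructed MAC table
    good = build_frame(host_b, host_a, b"hello")
    bad = good[:20] + bytes([good[20] ^ 0xFF]) + good[21:]   # one data byte flipped in transit
    return {
        "good_sf": store_and_forward(good, table),   # "fa0/2"
        "bad_sf": store_and_forward(bad, table),     # "drop"
        "bad_ct": cut_through(bad[:14], table),      # "fa0/2": forwarded before the FCS arrives
    }


if __name__ == "__main__":
    print(demo())
```

The cut-through path is handed only the first 14 bytes, which is all that has arrived when the forwarding decision is made; the store-and-forward path sees the full 64-byte frame and rejects the corrupted copy.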

  11. Asymmetric/Symmetric Switching
  • Symmetric switch - all ports are of the same bandwidth.
  • Optimized for a reasonably distributed traffic load, such as in a peer-to-peer desktop environment.
  • Asymmetric switching enables more bandwidth to be dedicated to a server switch port to prevent a bottleneck.
  • Memory buffering is required on an asymmetric switch.
  (Figure: a symmetric switch with 100 Mbps ports throughout, and an asymmetric switch with 100 Mbps host ports and a 1 Gbps server port.)

  12. Memory Buffering
  • Port-based memory buffering - frames are stored in queues that are linked to specific incoming ports.
  • A frame is transmitted to the outgoing port only when all the frames ahead of it in the queue have been successfully transmitted.
  • A single frame can delay the transmission of all the frames in memory because of a busy destination port.
  (Figure: separate input buffers for ports 1, 2 and 3 holding frames 1-6, with output ports 4, 5 and 6.)

  13. Memory Buffering
  • Shared memory buffering - all frames enter a common memory buffer that all the ports on the switch share.
  • The amount of buffer memory required by a port is dynamically allocated.
  • The frames in the buffer are linked dynamically to the destination port, allowing a frame to be received on one port and then transmitted on another port without moving it to a different queue.
  (Figure: one shared buffer holding frames 1-6 between input ports 1-3 and output ports 4-6.)

  14. Layer 2 & 3 Switching
  • Instead of using only the Layer 2 MAC address information for forwarding decisions, a Layer 3 switch can also use IP address information.
  • In addition to associating MAC addresses with ports, a Layer 3 switch can also learn which IP addresses are associated with its interfaces. This allows the Layer 3 switch to direct traffic throughout the network based on IP address information.
  • Layer 3 switches are also capable of performing Layer 3 routing functions, reducing the need for dedicated routers on a LAN. Because Layer 3 switches have specialized switching hardware, they can typically route data as quickly as they can switch.

  15. Layer 2 & 3 Switching • Routers perform additional Layer 3 services that Layer 3 switches are not capable of performing. Routers are also capable of performing packet forwarding tasks not found on Layer 3 switches. • Dedicated routers are more flexible in their support of WAN interface cards (WIC), making them the preferred, and sometimes only, choice for connecting to a WAN.

  16. Cisco Switch Boot Sequence
  • 1. The switch loads the boot loader software from NVRAM.
  • 2. The boot loader:
    • performs low-level CPU initialisation
    • performs POST for the CPU subsystem
    • initialises the flash file system on the system board
    • loads the default IOS into RAM and boots the switch
  • 3. The operating system runs the config.text file, stored in flash memory.

  17. Show Commands in User EXEC Mode and in Privileged EXEC Mode
  As with routers, use either enable password <password> or enable secret <password> to protect the switch from unauthorised access.

  18. Examining Help in the Switch CLI
  • Command syntax help: if you are unfamiliar with which commands are available in the current context within the Cisco IOS CLI, enter the ? command.
  • Word help: enter the first few characters of a command followed by ?. Do not include a space before the question mark.

  19. Accessing the Command History
  • The Cisco CLI provides a history, or record, of the commands that have been entered - called the command history.
  • Cycle through the history buffer using the ‘up’ and ‘down’ arrow keys.

  20. Verifying LEDs During Switch POST • The Port Status LEDs turn amber for about 30 seconds as the switch discovers the network topology and searches for loops. • Port Status LEDs turn green to indicate a link between the port and a host. • Port Status LEDs turn off when nothing is plugged into the port

  21. Establishing a Console Session
  • Connect to the switch console port.
  • Run HyperTerminal.
  • Configure the console settings.

  22. Set IP Address and Default Gateway • To allow the switch to be accessible by Telnet and other TCP/IP applications, IP addresses and a default gateway should be set. • By default, VLAN 1 is the management VLAN (more later). Security risk, better to assign a random VLAN as the management VLAN • In a switch-based network, all internetworking devices should be in the management VLAN. • This will allow a single management workstation to access, configure, and manage all the internetworking devices. • The default gateway is only for management purposes, not for user Ethernet frames (and packets) – allows telnet from this switch into a device on another network.

  23. Switch Configuration – IP Address & Default Gateway
  (Figure: PC 192.168.1.10 on VLAN 99; switch management address 192.168.1.2 on VLAN 99; router Fa0/0 192.168.1.1 as default gateway; switch ports Fa0/1 and Fa0/2.)
  The switch IP address must be in the same subnet as the default gateway if inter-network configuration and monitoring is required.

  24. Switch Configuration – IP Address & Default Gateway
  (Figure: PC 192.168.1.10 on VLAN 99; switch management address 192.168.1.2 on VLAN 99; router Fa0/0 192.168.1.1 as default gateway; switch ports Fa0/1 and Fa0/2.)
  The PC IP address must be in the same subnet as the default gateway and the management VLAN if inter-network configuration is required.

  25. Verify Switch Settings - show ip interface brief
  • VLAN information is at the end of the display – note that the default VLAN 1 has no IP address, whereas the new management VLAN 99 has the address 192.168.1.2.

  26. Verify Switch Settings - show running-config
  • Confirms that the port selected to allow administrator access is on the management VLAN 99.

  27. Configure Duplex & Speed on an Interface
  • The commands duplex auto and speed auto allow the switch to auto-negotiate duplex mode and speed with attached devices.
  • It is possible to manually set the duplex mode and speed of switch ports to avoid inter-vendor issues with auto-negotiation.

  28. Managing the MAC Address Table - show mac-address-table
  • The switch provides dynamic addressing by learning the source MAC address of each frame that it receives on each port, and then adding the source MAC address and associated port number to the MAC address table.
  • The switch updates the MAC address table as computers are added to or removed from the network, adding new entries and aging out those that are currently not in use.

  29. Managing the MAC Address Table
  S1(config)# mac-address-table static 00d0.970c.1a8c vlan 99 interface fa0/1
  • A network administrator can specifically assign static MAC addresses to certain ports. Static addresses are not aged out, and the switch always knows which port to send out traffic destined for that specific MAC address.
  • As a result, there is no need to relearn or refresh which port the MAC address is connected to.

  30. Verify Switch Settings – Show Commands With some minor differences, Cisco switch show commands follow the same syntax and display similar information to those used on Cisco routers

  31. Back-up Switch Configuration - Flash Back-up copies of the configuration file can be stored on the switch Flash memory, allowing an administrator to quickly return a switch to a previous configuration

  32. Restore Switch Configuration - Flash Back-up copies of the configuration file can be stored on the switch Flash memory, allowing an administrator to quickly return a switch to a previous configuration

  33. Back-up Switch Configuration - TFTP
  Or: S1# copy run tftp (the system will prompt for the server address and file name).
  (Figure: TFTP server 172.16.1.155; switch management address 172.16.1.2 on VLAN 99; router Fa0/0 172.168.1.1 as shown on the slide; switch ports Fa0/1 and Fa0/2.)

  34. Clearing Switch Configuration
  • To erase the current start-up configuration use: erase nvram:
  • To delete a file from Flash memory, use: delete flash:filename

  35. Switch Configuration - Security
  Also use the following on the console line:
  • logging synchronous - prevents status messages overwriting the text being typed.
  • exec-timeout - logs out of sessions after a predetermined number of minutes.

  36. Switch Configuration - Security Securing access to the privileged-exec mode can be done in two ways, in the same manner as a Cisco router: Remember – enable secret is always automatically encrypted, whereas enable password isn’t.

  37. Switch Configuration - Security
  • show running-config – all console and vty passwords are shown in clear text.
  • service password-encryption – all console and vty passwords are encrypted.
  • show running-config – all console and vty passwords are now shown in encrypted form.

  38. Banner MOTD • The message that you want users to see is entered between the delimiter characters, in this case ‘#’ • Any character can be used as a delimiter.

  39. Telnet & SSH
  • SSH gives the same type of access as Telnet, but guarantees security, as communication between the SSH client and SSH server is encrypted.
  • Cisco recommends implementation of SSHv2 when possible, because it uses a more enhanced security encryption algorithm than SSHv1.
  • Configure the switch with a domain name, an encryption key and the SSH version, and enable SSH on the vty lines.
  • To re-enable the Telnet protocol on a Cisco 2960 switch,

  40. Common Security Attacks – MAC Address Flooding • MAC address tables are limited in size. MAC flooding makes use of this limitation to bombard the switch with fake source MAC addresses until the switch MAC address table is full. • The switch then enters into what is known as a fail-open mode, and starts acting as a hub, broadcasting frames to all the machines on the network. • As a result, the attacker can see all of the frames sent from a victim host to another host without a MAC address table entry.

  41. Common Security Attacks – Spoofing Rogue DHCP Server
  • An attacker activates a DHCP server on a network segment.
  • The client broadcasts a request for DHCP configuration information.
  • The rogue DHCP server responds before the legitimate DHCP server can, assigning attacker-defined IP configuration information.
  • Host packets are redirected to the attacker’s address as it emulates a default gateway for the erroneous DHCP address provided to the client.
  (Figure: the client and the legitimate DHCP server on the same segment as the rogue server.)

  42. Common Security Attacks – Spoofing Rogue DHCP Server
  • DHCP snooping allows the configuration of ports as trusted or untrusted.
  • Trusted ports can send DHCP requests and acknowledgements.
  • Untrusted ports can forward only DHCP requests.
  • DHCP snooping enables the switch to build a DHCP binding table that maps a client MAC address, IP address, VLAN, and port ID.
  • Use the ip dhcp snooping command.
  (Figure: the port facing the legitimate DHCP server is trusted; the client-facing ports are untrusted.)
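The trust rule on slide 42 is simple to state but worth seeing applied to the exchange on slide 41. The Python below is an added example, not part of the slides or of Cisco's implementation: it models a switch that drops server-only DHCP message types (OFFER, ACK, NAK) arriving on untrusted ports, passes client messages from any port, and records a binding of client MAC, assigned IP, VLAN and client port whenever an ACK from a trusted port completes a lease. The port names, VLAN 99, the addresses and the client MAC in `demo` are constructed.

```python
# Added example (not from the slides): a model of DHCP snooping port trust and
# the binding table it builds. Message names are DHCP message types; the switch
# state and the sample exchange are constructed.
from dataclasses import dataclass, field
from typing import Optional

SERVER_ONLY = {"OFFER", "ACK", "NAK"}   # only a DHCP server legitimately sends these


@dataclass
class DhcpMessage:
    msg_type: str
    client_mac: str                     # chaddr: the client the message concerns
    yiaddr: Optional[str] = None        # address offered/assigned (OFFER, ACK)


@dataclass
class SnoopingSwitch:
    trusted_ports: set
    vlan: int = 99
    client_port: dict = field(default_factory=dict)   # client_mac -> port it was heard on
    bindings: dict = field(default_factory=dict)      # client_mac -> (ip, vlan, port)
    dropped: list = field(default_factory=list)       # (msg_type, port) of rejected messages

    def receive(self, msg: DhcpMessage, port: str) -> str:
        # Server-originated messages are accepted only from trusted ports; this is
        # what stops a rogue server on an access port from answering clients.
        if msg.msg_type in SERVER_ONLY and port not in self.trusted_ports:
            self.dropped.append((msg.msg_type, port))
            return "drop"
        if msg.msg_type in {"DISCOVER", "REQUEST"}:
            self.client_port[msg.client_mac] = port   # remember where the client lives
        elif msg.msg_type == "ACK" and msg.yiaddr:
            port_of_client = self.client_port.get(msg.client_mac, "unknown")
            self.bindings[msg.client_mac] = (msg.yiaddr, self.vlan, port_of_client)
        elif msg.msg_type == "RELEASE":
            self.bindings.pop(msg.client_mac, None)
        return "forward"


def demo() -> SnoopingSwitch:
    """Constructed exchange: client on fa0/2, real server behind trusted fa0/24, rogue on fa0/5."""
    sw = SnoopingSwitch(trusted_ports={"fa0/24"})
    client = "0000.0000.000b"
    sw.receive(DhcpMessage("DISCOVER", client), "fa0/2")
    sw.receive(DhcpMessage("OFFER", client, "10.0.0.66"), "fa0/5")       # rogue: dropped
    sw.receive(DhcpMessage("OFFER", client, "192.168.1.50"), "fa0/24")   # legitimate: forwarded
    sw.receive(DhcpMessage("REQUEST", client), "fa0/2")
    sw.receive(DhcpMessage("ACK", client, "192.168.1.50"), "fa0/24")     # lease completes
    return sw


if __name__ == "__main__":
    sw = demo()
    print("dropped:", sw.dropped)      # [('OFFER', 'fa0/5')]
    print("bindings:", sw.bindings)    # {'0000.0000.000b': ('192.168.1.50', 99, 'fa0/2')}
```

The binding table is the by-product that later features build on; here it simply records that the client on fa0/2 legitimately holds 192.168.1.50 on VLAN 99, while the rogue OFFER never reached the client.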

  43. Common Security Attacks – Cisco Discovery Protocol • CDP contains information about the device, such as the IP address, software version, platform, capabilities, and the native VLAN. • When this information is available to an attacker, they can use it to find exploits to attack a network, typically in the form of a Denial of Service (DoS) attack. • To address this vulnerability, it is recommended that CDP is disabled on devices that do not need to use it.

  44. Common Security Attacks – Telnet Attacks
  • Types of Telnet attacks:
    • Brute force password attacks
    • DoS attacks
  • Protection against brute force attacks:
    • Use strong passwords
    • Change passwords frequently
    • Limit Telnet access to essential personnel
  • Protection against DoS:
    • Update to the latest version of Cisco IOS

  45. Common Security Attacks –
  • Network security audits help to:
    • Reveal what sorts of information an attacker can gather by monitoring network traffic.
    • Discover incorrectly configured switch ports.
    • Determine the age-out period of MAC address tables.
  • Network penetration testing helps to:
    • Identify weaknesses within the configuration of networking devices.
    • Launch attacks to test a network.

  46. Switch Configuration – Port Security
  A simple method to help secure networks from unauthorized access is to disable all unused ports on a network switch. Navigate to each unused port and issue the Cisco IOS shutdown command. An alternative way to shut down multiple ports is to use the interface range command.

  47. Switch Configuration – Port Security • To limit the number of addresses that can be learned on an interface switches provide a feature called port security. • The number of MAC addresses per port can be limited to 1. • The first address dynamically learned by the switch becomes the secure address.

  48. Switch Configuration – Port Security • Static secure MAC addresses: MAC addresses are manually configured by using the switchport port-security mac-address interface configuration command. MAC addresses configured in this way are stored in the address table and are added to the running configuration on the switch. • Dynamic secure MAC addresses: MAC addresses are dynamically learned and stored only in the address table. MAC addresses configured in this way are removed when the switch restarts. • Sticky secure MAC addresses: You can configure a port to dynamically learn MAC addresses and then save these MAC addresses to the running configuration.

  49. Switch Configuration – Port Security
  • switchport mode access – Sets the interface mode as access; an interface in the default mode (dynamic desirable) cannot be configured as a secure port.
  • switchport port-security – Enables port security on the interface.
  • switchport port-security maximum 6 – Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 132; the default is 1.
  • switchport port-security aging time 5 – Learned addresses are not aged out by default but can be with this command. Value from 1 to 1024, in minutes.
  • switchport port-security mac-address 0000.0000.000b – Enters a static secure MAC address for the interface; repeat the command as many times as necessary. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
  • switchport port-security mac-address sticky – Enables sticky learning of MAC addresses on the interface.
  • switchport port-security violation shutdown – Sets the violation mode, the action to be taken when a security violation is detected.

  50. Port Security: Violation
  Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
  By default, if the maximum number of connections is achieved and a new MAC address attempts to access the port, the switch must take one of the following actions:
  • Protect: Frames from the non-allowed address are dropped, but there is no log of the violation. The protect argument is platform or version dependent.
  • Restrict: Frames from the non-allowed address are dropped, a log message is created and a Simple Network Management Protocol (SNMP) trap is sent.
  • Shutdown: If any frames are seen from a non-allowed address, the interface is err-disabled, a log entry is made, an SNMP trap is sent, and manual intervention (no shutdown) or errdisable recovery must be used to make the interface usable again. The port LED is switched off.
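Slides 47-50 define the secure-address types and the three violation modes; the Python below is an added example, not part of the slides or of Cisco's implementation, that models a single interface so the differences can be exercised: a `maximum` count, static addresses pre-loaded into `secure_macs`, sticky learning that writes a `switchport port-security mac-address sticky` line into a running-config list, and `protect`, `restrict` and `shutdown` handling of the first address beyond the limit. The interface names and MAC addresses in the usage are constructed, and the log wording is constructed rather than Cisco's own syslog text.

```python
# Added example (not from the slides): a model of port security on one interface
# with a maximum address count, sticky learning, and the three violation modes.
# Log and SNMP bookkeeping below is constructed, not Cisco's own message text.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # protect | restrict | shutdown
    sticky: bool = False             # switchport port-security mac-address sticky
    secure_macs: set = field(default_factory=set)   # pre-load static secure addresses here
    running_config: list = field(default_factory=list)
    log: list = field(default_factory=list)
    snmp_traps: int = 0
    violations: int = 0
    err_disabled: bool = False

    def receive(self, src_mac: str) -> str:
        """Return what the switch does with a frame from src_mac on this port."""
        if self.err_disabled:
            return "drop"                      # port is down until recovered
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)      # dynamically learned secure address
            if self.sticky:                    # sticky: also written to the running-config
                self.running_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        return self._violation(src_mac)

    def _violation(self, src_mac: str) -> str:
        self.violations += 1
        if self.violation == "protect":
            return "drop"                      # silently dropped, nothing logged
        self.log.append(f"port-security violation by {src_mac} on {self.name}")  # constructed text
        self.snmp_traps += 1
        if self.violation == "restrict":
            return "drop"
        self.err_disabled = True               # shutdown: interface goes err-disabled
        return "drop"

    def recover(self) -> None:
        """Operator 'no shutdown' or errdisable recovery; secure addresses are kept."""
        self.err_disabled = False


if __name__ == "__main__":
    port = SecurePort("fa0/1", maximum=1, violation="shutdown", sticky=True)
    print(port.receive("0000.0000.000b"))   # forward: first address becomes the secure one
    print(port.receive("0000.0000.00ff"))   # drop: violation, port err-disabled
    print(port.receive("0000.0000.000b"))   # drop: even the allowed host is cut off now
    port.recover()
    print(port.receive("0000.0000.000b"))   # forward
    print(port.running_config, port.log, sep="\n")
```

The shutdown branch is the one that bites an operator: after the violation the legitimate host on the port is also cut off until `no shutdown` or errdisable recovery runs, whereas protect and restrict keep forwarding the secured addresses and differ only in whether the event is logged.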
