Basic Switch Concepts and Configuration
LAN Switching and Wireless – Chapter 2
Objectives
Summarize the operation of Ethernet as defined for 100/1000 Mbps LANs in the IEEE 802.3 standard.
Explain the functions that enable a switch to forward Ethernet frames in a LAN.
Configure a switch for operation in a network designed to support voice, video, and data transmissions.
Configure basic security on a switch that will operate in a network designed to support voice, video, and data transmissions.
REVIEW: CSMA/CD
MAC Collision Detection/Backoff
Note: collisions do not occur in full-duplex switched networks
Review: Ethernet Frame
Preamble (7 bytes) and Start Frame Delimiter (1 byte) Fields
The Preamble and SFD fields are used for synchronization and to get the attention of the receiving nodes.
Destination MAC Address Field (6 bytes)
The address in the frame is compared to the MAC address in the device. If there is a match, the device accepts the frame.
Source MAC Address Field (6 bytes)
It identifies the originating NIC or interface. Switches use this address to add to their lookup tables.
Length/Type Field (2 bytes)
Indicates either the length of the data field or the Layer 3 protocol carried in the frame
Data and Pad Fields (46 to 1500 bytes)
It contains the encapsulated data from a higher layer, which is a generic Layer 3 PDU. A frame shorter than 64 bytes is padded to the minimum size.
Frame Check Sequence Field (4 bytes)
The receiving device recomputes the CRC over the received frame and compares it with the FCS field. If the two do not match, the frame is discarded.
Ethernet Device Addressing
Hosts need a Data Link layer address
Physical address burned into NIC ROM
48 bits in length and displayed in Hexadecimal
Ethernet MAC Terms
BIA – burned-in address
Stored in NIC ROM
Copied into RAM for comparison with incoming frames
Also known as the Universally Administered Address (UAA)
Locally Administered Address (LAA)
Manually configured MAC address set in software
Uses for MAC Destination Address
Unicast
Frame is destined for a specific node on local segment
Broadcast
Frame is destined for all nodes
All F’s in Hex and all 1’s in Binary
Multicast
Frame is destined for a group of nodes
Group membership is defined at upper layers
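The frame layout and the three destination-address types above, carried through in code: this is an added example written for this page, not Cisco curriculum code. It builds a frame from constructed MAC addresses, pads a short payload to the 46-byte minimum, appends the CRC-32 FCS (least-significant byte first, as it appears on the wire) and, on the receiving side, checks the FCS and classifies the destination by the I/G bit of the first octet. The MAC addresses and payload are invented for the demonstration.

```python
import struct
import zlib
from dataclasses import dataclass

BROADCAST = bytes.fromhex("ffffffffffff")
MIN_FRAME = 64                      # destination MAC through FCS; preamble/SFD not counted
MAX_PAYLOAD = 1500
MIN_PAYLOAD = MIN_FRAME - 14 - 4    # 46 bytes of data + pad


@dataclass
class Frame:
    dst: str
    src: str
    length_or_type: int
    payload: bytes          # data plus any padding
    fcs_ok: bool


def mac_str(raw: bytes) -> str:
    return "-".join(f"{b:02X}" for b in raw)


def fcs(body: bytes) -> bytes:
    # IEEE 802.3 FCS: CRC-32 over dst..pad, transmitted least significant byte first
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, length_or_type: int, data: bytes) -> bytes:
    """Assemble dst | src | length/type | data+pad | FCS (no preamble/SFD)."""
    if len(data) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 1500 bytes")
    padded = data + b"\x00" * max(0, MIN_PAYLOAD - len(data))   # pad runts to 46 bytes
    body = dst + src + struct.pack("!H", length_or_type) + padded
    return body + fcs(body)


def parse_frame(wire: bytes) -> Frame:
    """Split a received frame into its fields and verify the FCS like a receiving NIC."""
    if len(wire) < MIN_FRAME:
        raise ValueError(f"runt frame: {len(wire)} bytes < {MIN_FRAME}")
    body, trailer = wire[:-4], wire[-4:]
    dst, src = body[0:6], body[6:12]
    (lt,) = struct.unpack("!H", body[12:14])
    return Frame(mac_str(dst), mac_str(src), lt, body[14:], fcs(body) == trailer)


def address_kind(mac: bytes) -> str:
    """Unicast, multicast or broadcast, decided the way a receiving node decides it."""
    if mac == BROADCAST:                # all F's in hex, all 1's in binary
        return "broadcast"
    if mac[0] & 0x01:                   # I/G bit (lsb of first octet) set: group address
        return "multicast"
    return "unicast"


def length_or_type_meaning(value: int) -> str:
    # 802.3: values up to 1500 are a length; 0x0600 and above name the Layer 3 protocol
    if value <= MAX_PAYLOAD:
        return f"length {value}"
    if value >= 0x0600:
        return f"type 0x{value:04X}"
    return "reserved"


if __name__ == "__main__":
    pc1 = bytes.fromhex("00aa11bb22c1")          # constructed addresses
    pc2 = bytes.fromhex("00aa11bb22c2")
    wire = build_frame(pc2, pc1, 0x0800, b"hello")   # 5-byte payload, padded to 46
    frame = parse_frame(wire)
    print(frame, address_kind(pc2), length_or_type_meaning(frame.length_or_type))
    corrupted = wire[:20] + bytes([wire[20] ^ 0xFF]) + wire[21:]   # flip one payload byte
    print("FCS ok after corruption?", parse_frame(corrupted).fcs_ok)
```

Flipping any byte between the destination MAC and the pad makes `fcs_ok` false, which is the check the receiving device performs before it hands the payload up to Layer 3.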
Switch Port Settings
Ports can be configured to “auto” or manually set for speed and duplex
Auto is the default setting on Catalyst switches (full or half duplex would be administratively configured)
10/100 megabit connections can work in full or half-duplex
Gigabit links always operate in full-duplex
Media Dependent Interface crossover (MDIX) option
Allows the port to auto-sense the cable type (straight-through or crossover)
The mdix auto interface command is supported on newer switches
Available on 2960s but not 2950s
Recommendation: manually configure speed and duplex on ports that connect critical devices
Switch MAC Address Table
Step 1. Broadcast frame from PC 1 on Port 1.
Step 2. Switch learns the source MAC address on Port 1 and adds it to the address table.
Step 3. Switch floods the broadcast frame to all ports, except the port on which it received the frame.
Step 4. PC 2 replies to the broadcast with a unicast frame addressed to PC 1.
Step 5. Switch learns the source MAC address of PC 2 and adds it to the address table. The frame’s destination address (PC 1) and its associated port are found in the MAC address table.
Step 6. The switch can now forward unicast frames between PC 1 and PC 2 without flooding.
Note: broadcast frames will always be flooded
Collision Domains
The network area where frames originate and collide is called the collision domain.
All shared media environments, such as those created by using hubs, are collision domains.
When a host is connected to a switch port, the switch creates a dedicated connection. This connection is an individual collision domain.
Switched networks eliminate concerns over Collision Domains
Switches create a microsegment between two hosts
The circuit is maintained until the session is terminated.
The microsegment behaves as if the network has only two hosts, one host sending and one receiving, providing maximum available bandwidth
Note: collision detection circuits are turned off in full-duplex
Broadcast Domains
Broadcast frames must be forwarded by a switch
No single port is associated with the address FF-FF-FF-FF-FF-FF, so the frame is sent out every port
A group of interconnected Layer 2 devices forms a broadcast domain
Only a Layer 3 entity, such as a router, or a virtual LAN (VLAN), can stop a Layer 2 broadcast domain.
Routers and VLANs are used to segment both collision and broadcast domains
When a device wants to send out a Layer 2 broadcast, the destination MAC address in the frame is set to all ones
Activity:
Identify all the collision domains and broadcast domains
Network Latency
Latency is the time a frame or a packet takes to travel from the source to the final destination.
Latency has at least three sources:
First, the time it takes the source and destination NIC to place or read voltage pulses on the wire; this is sometimes called NIC delay.
Second, the actual propagation delay as the signal takes time to travel through the cable.
Longer cable and slower nominal velocity of propagation (NVP) result in more propagation delay.
Third, latency is added based on network devices that are in the path between two devices.
These are either Layer 1, Layer 2, or Layer 3 devices
Switches and routers add some level of latency
The diameter of the network becomes an issue, as does the placement of Layer 3 devices
Switch Forwarding Methods
Store-and-Forward
Lowest error rate (the whole frame is checked before forwarding) but the most latency
Cut-through Switching
Best performance, but frames containing errors may be forwarded because the FCS is not checked first
Types of Cut-Through Switching
Fast-Forward – begins forwarding as soon as the destination MAC address has been read
Fragment-Free – reads the first 64 bytes of the frame before forwarding, which filters out collision fragments
Symmetric and Asymmetric Switching
Symmetric
Symmetric switching provides switched connections between ports with the same bandwidth, such as all 100 Mb/s ports or all 1000 Mb/s ports.
Symmetric switching is optimized for a distributed traffic load, such as in a peer-to-peer environment.
Asymmetric
An asymmetric LAN switch provides switched connections between ports of unlike bandwidth, such as a combination of 10 Mb/s, 100 Mb/s, and 1000 Mb/s ports.
Asymmetric switching enables more bandwidth to be dedicated to a server switch port to prevent a bottleneck.
Memory buffering is required on an asymmetric switch.
Most current switches are asymmetric switches because this type of switch offers the greatest flexibility.
Memory Buffering
An Ethernet switch may use a buffering technique to store frames before forwarding them
Buffering is also used when the outgoing port is busy due to congestion; the switch stores the frame until it can be transmitted
Memory buffering is not configurable (hardware function)
Two methods of memory buffering
Port-based Memory Buffering
Frames are stored in queues linked to specific incoming ports
Frame waits in line until frames in front are transmitted
Shared Memory Buffering
A frame received on one port is transmitted on another without being moved between queues
This is important to asymmetric switching, where frames are being exchanged between different rate ports
Layer 2 and Layer 3 Switching
Layer 2 LAN switching
A Layer 2 LAN switch performs switching and filtering based only on the OSI data link layer (Layer 2) MAC address.
Layer 3 LAN switching
A Layer 3 switch can also use IP address information. It is configured with routing tables and can run dynamic routing protocols.
Note: hardware-based forwarding on a switch is faster than software-based forwarding on a router
Configuring a Cisco Switch
Switch IOS command structure is identical to a router’s
Command content varies based on roles and interfaces
Boot Sequence of a Cisco Switch
Console Access to Switch Configuration
A rollover cable attaches the switch console port to a PC serial port
Basic Switch Configuration
Use the same rules as a router for basic configuration
Important difference: the IP address is assigned to a VLAN interface, not a physical interface
The IP address is for management only; it does not affect switching
For remote management, a default gateway is also configured
Note: best practice dictates moving management off VLAN 1
Show Commands on the Switch
Manage (saving) IOS Configuration
Managing the MAC Address Table
MAC tables include dynamic and static addresses
The show mac-address-table command displays the table
Also referred to as the content addressable memory (CAM) table.
Dynamic MAC addresses: the source MAC addresses the switch learns; they are aged out when not in use
Default aging time is 300 seconds.
Aging time can be changed (too short results in flooding because of “unlearned” MAC addresses)
Static MAC addresses: a network administrator can specifically assign static MAC addresses to certain ports
Static addresses are not aged out
To create a static MAC address table entry, use the mac-address-table static mac-address vlan {1-4096, ALL} interface interface-id command. The maximum size of the MAC address table varies with different switches.
For example, the Catalyst 2960 series switch can store up to 8,192 MAC addresses.
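The six learning steps from the Switch MAC Address Table slide and the aging and static-entry behaviour described on this slide, combined in one simulation: this is an added example written for this page, not IOS code or Cisco curriculum material. `Switch`, `Entry`, the port numbers and the MAC addresses in the demo are all invented for the illustration; the 300-second default comes from the slide. The clock is a plain number passed in with each frame so that aging can be exercised without waiting.

```python
from dataclasses import dataclass

BROADCAST = "FF-FF-FF-FF-FF-FF"
DEFAULT_AGING = 300   # seconds; the Catalyst default quoted on the slide


@dataclass
class Entry:
    port: int
    static: bool
    last_seen: float   # simulated clock value (seconds) of the last frame from this MAC


class Switch:
    """Toy model of a switch's MAC address (CAM) table (hypothetical class for this example)."""

    def __init__(self, ports: int, aging: int = DEFAULT_AGING):
        self.ports = list(range(1, ports + 1))
        self.aging = aging
        self.table: dict[str, Entry] = {}

    def add_static(self, mac: str, port: int) -> None:
        # Plays the role of: mac-address-table static <mac> vlan <id> interface <port>
        self.table[mac] = Entry(port, static=True, last_seen=0.0)

    def age_out(self, now: float) -> list[str]:
        """Drop dynamic entries idle longer than the aging time; static entries never age."""
        expired = [mac for mac, e in self.table.items()
                   if not e.static and now - e.last_seen > self.aging]
        for mac in expired:
            del self.table[mac]
        return expired

    def receive(self, in_port: int, src: str, dst: str, now: float) -> list[int]:
        """Process one frame: learn the source, then return the list of egress ports."""
        self.age_out(now)
        # Steps 2 and 5: learn (or refresh) the source MAC on the ingress port.
        if src not in self.table or not self.table[src].static:
            self.table[src] = Entry(in_port, static=False, last_seen=now)
        # Step 3: a broadcast is always flooded; so is a unicast to an unknown address.
        if dst == BROADCAST or dst not in self.table:
            return [p for p in self.ports if p != in_port]
        # Step 6: a known unicast leaves only through the port the table maps it to.
        out = self.table[dst].port
        return [] if out == in_port else [out]   # destination on the ingress port: filtered

    def show_mac_address_table(self) -> list[str]:
        """Rows in the spirit of 'show mac-address-table' output."""
        return [f"{mac}  {'STATIC' if e.static else 'DYNAMIC'}  port {e.port}"
                for mac, e in sorted(self.table.items())]


if __name__ == "__main__":
    sw = Switch(ports=4)
    pc1, pc2 = "00-00-00-00-00-01", "00-00-00-00-00-02"   # constructed addresses
    print("PC1 broadcast ->", sw.receive(1, pc1, BROADCAST, now=0))   # flooded to 2,3,4
    print("PC2 reply     ->", sw.receive(2, pc2, pc1, now=1))         # unicast to port 1
    print("PC1 to PC2    ->", sw.receive(1, pc1, pc2, now=2))         # unicast to port 2
    print("after 400 s   ->", sw.receive(1, pc1, pc2, now=400))       # PC2 aged out: flooded
    print("\n".join(sw.show_mac_address_table()))
```

The last call shows the flooding the slide warns about when the aging time is too short: once PC 2's entry has expired, unicast traffic to it is again sent out every port until PC 2 transmits and is relearned.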
Basic Switch Security
Configure passwords:
Enable password
Service password-encryption
Enable secret
Configure console and VTY lines
Add banners to discourage unauthorized users
Enable Secure Shell (SSH) instead of Telnet
The session is encrypted with SSH
Can use a username and password
Configuring router passwords (cont.)
WARNING: service password-encryption uses Cisco level 7 encryption, which is very easy to decrypt (for example with the GetPass! software from www.boson.com).
However, enable secret uses a stronger encryption method and cannot be easily hacked.
Configuring router passwords (cont.)
GetPass! doesn’t work for enable secret! http://www.boson.com/FreeUtilities.html
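A configuration check for the items on the Basic Switch Security slides (enable secret versus enable password, service password-encryption, a banner, and SSH rather than Telnet on the vty lines), as an added example written for this page rather than any Cisco tool. Both configurations are constructed for the illustration, not taken from a real device; the hardened one follows the slides' recommendations. One assumption is labelled in the code: a vty block with no `transport input ssh` restriction is reported as Telnet-capable.

```python
import re

# Constructed sample running-config (not from a real device) with the weak settings the
# slides warn about: clear-text enable password, Telnet accepted on the vty lines, no banner.
WEAK_CONFIG = """\
hostname S1
enable password cisco
!
line con 0
 password cisco
 login
line vty 0 15
 password cisco
 login
 transport input telnet
!
end
"""

# The same device after applying the slides' recommendations (also constructed).
HARDENED_CONFIG = """\
hostname S1
service password-encryption
enable secret class
banner motd ^Authorized access only^
!
line con 0
 password cisco
 login
line vty 0 15
 login local
 transport input ssh
!
end
"""


def line_section(lines: list[str], prefix: str) -> list[str]:
    """Return the indented sub-commands under the first top-level line starting with prefix."""
    body, inside = [], False
    for line in lines:
        if line.startswith(prefix):
            inside = True
        elif inside and line.startswith(" "):
            body.append(line.strip())
        elif inside:
            break
    return body


def audit_switch_config(config: str) -> list[str]:
    """Flag the basic-security items from the slides; an empty list means nothing was found."""
    lines = config.splitlines()
    findings = []
    if not any(l.startswith("enable secret") for l in lines):
        findings.append("no 'enable secret': privileged-mode password lacks the stronger protection")
    if any(re.match(r"enable password 7 ", l) for l in lines):
        findings.append("'enable password' is type 7, which is reversible; use 'enable secret'")
    elif any(l.startswith("enable password") for l in lines) and "service password-encryption" not in lines:
        findings.append("'enable password' is stored in clear text")
    if "service password-encryption" not in lines:
        findings.append("line passwords are stored in clear text (no service password-encryption)")
    if not any(l.startswith("banner motd") for l in lines):
        findings.append("no login banner configured")
    vty = line_section(lines, "line vty")
    transports = [l for l in vty if l.startswith("transport input")]
    # Assumption for this example: without an explicit 'transport input ssh' the
    # vty lines are treated as accepting Telnet.
    if not transports or any("telnet" in t or t.split()[-1] == "all" for t in transports):
        findings.append("vty lines accept Telnet (unencrypted); use 'transport input ssh'")
    if "login local" not in vty:
        findings.append("vty lines use a shared line password instead of username-based login")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_switch_config(cfg) or ['no findings']}")
```

The check does not try to reverse type 7 strings; it only reports that the privileged password relies on them, because the point of the slide is that enable secret is the setting to depend on.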
Switch Security Attacks
MAC address flooding, spoofing attacks, CDP attacks, and Telnet attacks
Security Tools
Network security tools help you test your network for weaknesses
Network Security Audit
Network security tools allow you to perform a security audit of your network.
A security audit reveals what sort of information an attacker can gather simply by monitoring network traffic.
Network security auditing tools allow you to flood the MAC table with bogus MAC addresses.
Then you can audit the switch ports as the switch starts flooding traffic out all ports as the legitimate MAC address mappings are aged out and replaced with more bogus MAC address mappings.
In this way, you can determine which ports are compromised and have not been correctly configured to prevent this type of attack.
Network Penetration Testing
Network security tools can also be used for penetration testing against your network. This allows you to identify weaknesses within the configuration of your networking devices.
There are numerous attacks that you can perform, and most tool suites come with extensive documentation detailing the syntax needed to execute the desired attack.
Because these types of tests can have adverse effects on the network, they are carried out under very controlled conditions, following documented procedures detailed in a comprehensive network security policy.
Of course, if you have a small classroom-based network, you can arrange to work with your instructor to try your own network penetration tests.
Configuring Port Security
Port security limits the number of valid MAC addresses allowed on a port.
When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.
A security violation occurs when the maximum number of MAC addresses has been reached and another source address appears on the port
The following describes the ways to configure port security:
Static secure MAC addresses:
MAC addresses are manually configured using the switchport port-security mac-address mac-address interface command
Added to the running configuration and kept after a reload (when the configuration is saved)
Dynamic secure MAC addresses:
MAC addresses are dynamically learned and stored only in the address table. Removed on switch reload
Using Port Security: Sticky MAC Addresses
Sticky secure MAC addresses have these characteristics:
When you enable sticky learning on an interface by using the switchport port-security mac-address sticky interface configuration command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses and adds all sticky secure MAC addresses to the running configuration.
If you disable sticky learning by using the no switchport port-security mac-address sticky interface configuration command or the running configuration is removed, the sticky secure MAC addresses remain part of the running configuration but are removed from the address table.
The addresses that were removed can be dynamically reconfigured and added to the address table as dynamic addresses.
When you configure sticky secure MAC addresses by using the switchport port-security mac-address sticky mac-address interface configuration command, these addresses are added to the address table and the running configuration. If port security is disabled, the sticky secure MAC addresses remain in the running configuration.
If you save the sticky secure MAC addresses in the configuration file, when the switch restarts or the interface shuts down, the interface does not need to relearn these addresses. If you do not save the sticky secure addresses, they are lost.
If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration.
If you disable sticky learning and enter the switchport port-security mac-address sticky mac-address interface configuration command, an error message appears, and the sticky secure MAC address is not added to the running configuration.
Using Port Security: Security Violation Modes
It is a security violation when either of these situations occurs:
The maximum number of secure MAC addresses has been added to the address table and a new MAC address is learned
An address learned or configured on one secure interface is seen on another secure interface in the same VLAN
You can configure the interface for one of three violation modes:
protect: Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses.
You are not notified that a security violation has occurred.
restrict: Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses.
In this mode, you are notified that a security violation has occurred.
Specifically, an SNMP trap is sent, a syslog message is logged, and the violation counter increments.
shutdown: In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED.
It also sends an SNMP trap, logs a syslog message, and increments the violation counter.
When a secure port is in the error-disabled state, you can bring it out of this state by entering the shutdown and no shutdown interface commands.
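The behaviour on the two port-security slides above (static, dynamic and sticky secure addresses, both violation conditions, and the protect/restrict/shutdown modes with the err-disabled recovery), modelled in one simulation: this is an added example written for this page, not IOS code. `SecurePort`, `deliver`, the interface names and the MAC strings are invented for the illustration; the notification list stands in for the SNMP trap and syslog message the slide mentions, and the model assumes static and sticky addresses were saved before a reload.

```python
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class SecurePort:
    """One interface with port security enabled (hypothetical model, not IOS code)."""
    name: str
    maximum: int = 1                 # switchport port-security maximum <n>
    violation: str = SHUTDOWN        # switchport port-security violation {protect|restrict|shutdown}
    sticky: bool = False             # switchport port-security mac-address sticky
    secure: dict = field(default_factory=dict)   # MAC -> "static" | "dynamic" | "sticky"
    violations: int = 0              # the counter reported by 'show port-security'
    err_disabled: bool = False
    notifications: list = field(default_factory=list)   # stands in for SNMP trap + syslog

    def add_static(self, mac: str) -> None:
        # switchport port-security mac-address <mac>
        self.secure[mac] = "static"

    def enable_sticky(self) -> None:
        # Existing dynamic secure addresses become sticky and move into the running-config.
        self.sticky = True
        for mac, kind in self.secure.items():
            if kind == "dynamic":
                self.secure[mac] = "sticky"

    def disable_sticky(self) -> None:
        # no ... sticky: sticky addresses revert to dynamic (address table only).
        self.sticky = False
        for mac, kind in self.secure.items():
            if kind == "sticky":
                self.secure[mac] = "dynamic"

    def reload(self) -> None:
        # Dynamic addresses live only in the address table, so a reload drops them;
        # static and sticky addresses are assumed to have been saved with the configuration.
        self.secure = {m: k for m, k in self.secure.items() if k != "dynamic"}

    def recover(self) -> None:
        # shutdown / no shutdown on the err-disabled interface
        self.err_disabled = False

    def violate(self, src: str) -> bool:
        """Apply the configured violation mode; the offending frame is always dropped."""
        if self.violation == PROTECT:
            return False             # dropped silently: no counter, no notification
        self.violations += 1
        self.notifications.append(f"port-security violation on {self.name} by {src}")
        if self.violation == SHUTDOWN:
            self.err_disabled = True
        return False

    def ingress(self, src: str) -> bool:
        """Return True if a frame with this source MAC is forwarded, False if dropped."""
        if self.err_disabled:
            return False
        if src in self.secure:
            return True
        if len(self.secure) < self.maximum:
            self.secure[src] = "sticky" if self.sticky else "dynamic"   # learn it
            return True
        return self.violate(src)     # maximum reached and a new source address appeared


def deliver(ports: dict, port_name: str, src: str) -> bool:
    """Switch-level check: a MAC already secured on another secure port (same VLAN) is a violation."""
    port = ports[port_name]
    if any(other is not port and src in other.secure for other in ports.values()):
        return port.violate(src)
    return port.ingress(src)


if __name__ == "__main__":
    fa1 = SecurePort("Fa0/1", maximum=2, violation=RESTRICT)
    for mac in ("00-00-00-00-00-AA", "00-00-00-00-00-BB", "00-00-00-00-00-CC"):   # constructed
        print(mac, "forwarded" if fa1.ingress(mac) else "dropped")
    print("violations:", fa1.violations, fa1.notifications)
    fa1.enable_sticky(); fa1.reload()
    print("after sticky + reload:", fa1.secure)
```

Running the demo shows the difference the slide draws between the modes: under restrict the third address is dropped and counted, under protect it would be dropped with no trace, and under shutdown the whole port would stop forwarding until `recover()` (shutdown followed by no shutdown) is applied.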
Verify Port Security
To display port security settings for the switch or for the specified interface, use the show port-security [interface interface-id] command.
The output displays the following:
Maximum allowed number of secure MAC addresses for each interface
Number of secure MAC addresses on the interface
Number of security violations that have occurred
Violation mode
Verify Secure MAC Addresses
To display all secure MAC addresses configured on all switch interfaces or on a specified interface, with aging information for each, use the show port-security [interface interface-id] address command.
Disable Unused Ports
Best practice: disable all unused ports
For example, imagine that a Cisco 2960 switch has 24 ports. If there are three Fast Ethernet connections in use, good security practice demands that you disable the 21 unused ports.
Navigate to each unused port and issue the shutdown command
Use the interface range command to shut down multiple ports at once
Reactivate a port manually by entering the no shutdown command
Chapter 2 Labs
Lab 2.5.1: Basic Switch Configuration
Lab 2.5.2: Managing Switch Configuration and Operating System Files
Lab 2.5.3: Managing Switch Operating System and Configuration Files Challenge (includes password recovery)