ITE PC v4.0, Chapter 1 (© 2007 Cisco Systems, Inc. All rights reserved. Cisco Public)
Basic switch concepts and configuration
Routing Protocols and Concepts – Chapter 2
Objectives
–Introduction to Ethernet 802.3 LANs
–Forwarding Frames using a Switch
–Switch Management Configuration
–The Switch Boot Sequence
–Basic Switch Configuration
–Configuring Switch Security
–Common Security Attacks
–Security Tools
–Configuring Port Security
Introduction: Ethernet access with a hub
–A hub (or concentrator) is a Layer 1 device: it repeats the signal to every port without looking at addresses
Introduction: Ethernet access with a bridge
–A bridge is a Layer 2 device used to divide, or segment, a network. Layer 2 devices make forwarding decisions based on Media Access Control (MAC) addresses contained within the headers of transmitted data frames.
Introduction: Ethernet access with a bridge
–A switch is also a Layer 2 device and may be referred to as a multi-port bridge.
–The implementation of a switch on the network provides microsegmentation.
–In theory this creates a collision-free environment between the source and destination, which allows maximum utilization of the available bandwidth.
–The disadvantage of Layer 2 devices is that they forward broadcast frames to all connected devices on the network.
Introduction to Ethernet 802.3 LANs: Key Elements of Ethernet/802.3 Networks
–CSMA/CD
•Carrier Sense
•Multi-access
•Collision Detection
•Jam Signal and Random Backoff
Introduction to Ethernet 802.3 LANs
Communication in a network occurs in three ways:
–Unicast transmission: one transmitter tries to reach one receiver.
–Multicast transmission: one transmitter tries to reach only a subset, or a group, of the entire segment.
–Broadcast transmission: one transmitter tries to reach all the receivers in the network; the destination MAC address in the frame is set to all ones, FF:FF:FF:FF:FF:FF.
When two switches are connected, the broadcast domain is increased.
Introduction to Ethernet 802.3 LANs: Key Elements of Ethernet/802.3 Networks
–Ethernet Frame
–MAC Address with Organizationally Unique Identifier (OUI)
Introduction to Ethernet 802.3 LANs: Key Elements of Ethernet/802.3 Networks
–Duplex Settings
•Half Duplex: data flow is unidirectional (one direction at a time)
•Full Duplex: data flow is bidirectional
Introduction to Ethernet 802.3 LANs: Key Elements of Ethernet/802.3 Networks
–Switch Port Settings
•auto sets autonegotiation of duplex mode
–The two ports communicate to decide the best mode of operation
–Default for Fast Ethernet and 10/100/1000 ports
•full sets full-duplex mode
–Default for 100BASE-FX ports
•half sets half-duplex mode
•auto-MDIX
–Enables the automatic medium-dependent interface crossover (auto-MDIX) feature
Introduction to Ethernet 802.3 LANs: Key Elements of Ethernet/802.3 Networks
–MAC Addressing and Switch MAC Address Tables
•Switches use MAC addresses to direct network communications
•The switch builds a MAC Address Table by recording the source MAC address of each incoming frame together with the port it arrived on
(Figure: MAC address table learning, Steps 1 to 4)
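The following is an added example, not code from the Cisco course: a small Python model of the four learning steps shown in the figure (receive a frame on a port, learn the source MAC, look up the destination, forward or flood) together with the unicast/multicast/broadcast classification from the previous slide. The port names, MAC addresses and the explicit clock argument used for aging are assumptions made for the example.

```python
"""Toy Layer 2 switch: MAC address table learning and frame forwarding."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def address_kind(mac: str) -> str:
    """Classify a destination MAC as unicast, multicast or broadcast."""
    mac = mac.lower()
    if mac == BROADCAST:
        return "broadcast"
    first_octet = int(mac.split(":")[0], 16)
    # The I/G bit (least significant bit of the first octet) marks a group address.
    return "multicast" if first_octet & 0x01 else "unicast"


@dataclass
class Switch:
    ports: list
    aging_time: int = 300  # seconds; the Cisco IOS default for dynamic entries
    table: dict = field(default_factory=dict)  # mac -> (port, last_seen)

    def _age_out(self, now: int) -> None:
        """Drop dynamic entries that have not been refreshed within aging_time."""
        expired = [m for m, (_, seen) in self.table.items() if now - seen > self.aging_time]
        for m in expired:
            del self.table[m]

    def receive(self, in_port: str, src: str, dst: str, now: int = 0) -> list:
        """Process one frame and return the list of ports it is sent out of."""
        src, dst = src.lower(), dst.lower()
        self._age_out(now)
        # Steps 1 and 2: learn (or refresh) the source address on the ingress port.
        self.table[src] = (in_port, now)
        # Step 3: look up the destination address.
        if address_kind(dst) == "unicast" and dst in self.table:
            out_port, _ = self.table[dst]
            # Step 4: known unicast leaves one port, never the port it came in on.
            return [] if out_port == in_port else [out_port]
        # Unknown unicast, multicast and broadcast are flooded to every other port.
        return [p for p in self.ports if p != in_port]
```

Feed it a sequence of frames and watch the table fill: the first frame to an unknown destination is flooded, the reply is delivered to a single port, and an entry that is not refreshed within the aging time is forgotten and the next frame floods again.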
Introduction to Ethernet 802.3 LANs: Design Considerations for Ethernet/802.3 Networks
–Bandwidth and Throughput
•As more devices are added to the shared media, collisions increase
•When the stated bandwidth of the Ethernet network is 10 Mb/s, the full bandwidth for transmission is available only after any collisions have been resolved
•Throughput of the port (the average data that is effectively transmitted) will be considerably reduced as a function of how many other nodes want to use the network
–Collision Domains
•Hubs make collision domains larger
•A switch makes individual collision domains (one per port)
–Broadcast Domains
•A switch does not filter broadcast frames
•A router filters broadcasts
Introduction to Ethernet 802.3 LANs: Design Considerations for Ethernet/802.3 Networks
–Network Latency
•The time a frame or a packet takes to travel from the source station to the final destination
–The source NIC takes time to place voltage pulses on the wire
–The signal takes time to travel through the cable (propagation delay)
–Latency is added by each network device along the path
–A switch has a lower latency than a router
–A switch uses port-based memory buffering, port-level QoS, and congestion management to reduce latency
Each 10 Mbps Ethernet bit has a 100 ns transmission window. This is the bit time. Therefore, 1 byte takes a minimum of 800 ns to transmit. A 64-byte frame, the smallest 10BASE-T frame allowing CSMA/CD to function properly, takes 51,200 ns (51.2 microseconds). Transmission of an entire 1000-byte frame from the source station requires 800 microseconds just to complete the frame.
Introduction to Ethernet 802.3 LANs: Design Considerations for Ethernet/802.3 Networks
–Network Congestion
•Reasons
–Increasingly powerful computer and network technologies
–Increasing volume of network traffic
–High-bandwidth applications
•Solution
–Segmenting a LAN into smaller parts
Introduction to Ethernet 802.3 LANs: Design Considerations for Ethernet/802.3 Networks
–LAN Segmentation
•A LAN is segmented into a number of smaller collision domains by switches
•A LAN is segmented into a number of smaller broadcast domains by routers
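As an added example (not part of the Cisco course material), the segmentation rule of the last three slides can be checked mechanically: hubs extend a collision domain across all their ports while switches and routers end one at every port; hubs and switches forward broadcasts while routers stop them. The code below counts both kinds of domain for a topology with a union-find over the link segments. The device names and the sample topology are constructed for the example.

```python
"""Count collision and broadcast domains in a LAN topology."""


class UnionFind:
    def __init__(self, n: int):
        self.parent = list(range(n))

    def find(self, x: int) -> int:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: int, b: int) -> None:
        self.parent[self.find(a)] = self.find(b)


def count_domains(devices: dict, links: list) -> tuple:
    """devices: name -> 'host' | 'hub' | 'switch' | 'router'; links: (a, b) pairs.
    Returns (collision_domains, broadcast_domains)."""
    collision, broadcast = UnionFind(len(links)), UnionFind(len(links))
    attached = {name: [] for name in devices}  # device -> indices of its links
    for i, (a, b) in enumerate(links):
        attached[a].append(i)
        attached[b].append(i)
    for name, kind in devices.items():
        first, *rest = attached[name] or [None]
        for seg in rest:
            if kind == "hub":                 # one shared medium: collisions cross a hub
                collision.union(first, seg)
            if kind in ("hub", "switch"):     # Layer 1 and Layer 2 devices flood broadcasts
                broadcast.union(first, seg)
    cd = len({collision.find(i) for i in range(len(links))})
    bd = len({broadcast.find(i) for i in range(len(links))})
    return cd, bd


# Constructed sample: R1 joins two LANs; the left one still has a hub behind S1.
SAMPLE_DEVICES = {
    "R1": "router", "S1": "switch", "S2": "switch", "H1": "hub",
    "PC1": "host", "PC2": "host", "PC3": "host", "PC4": "host",
}
SAMPLE_LINKS = [
    ("R1", "S1"), ("S1", "H1"), ("H1", "PC1"), ("H1", "PC2"),
    ("S1", "PC3"), ("R1", "S2"), ("S2", "PC4"),
]

if __name__ == "__main__":
    print(count_domains(SAMPLE_DEVICES, SAMPLE_LINKS))  # (5, 2)
```

Replacing H1 with a switch in the sample raises the collision-domain count to 7 and leaves the broadcast-domain count at 2, which is exactly the "switches split collision domains, only routers split broadcast domains" rule from the slide.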
LAN switch operation
Introduction to Ethernet 802.3 LANs: LAN Design Considerations
–Controlling Network Latency
–Removing Bottlenecks
Forwarding Frames using a Switch: Switch Packet Forwarding Methods
–Store-and-Forward Switching
•The switch receives the frame
•Stores the data of the complete frame in the buffer
•Looks at the destination and performs a CRC check
•Sends the frame to the destination
•Higher latency, with error checking
–Cut-through Switching has two variants
•Fast-forward switching
•Fragment-free switching
Forwarding Frames using a Switch: Switch Packet Forwarding Methods
–Cut-through Switching has two variants
•Fast-forward switching
–The switch sends the frame to the destination as soon as the destination MAC address has been received
–Low latency
–No error check
•Fragment-free switching
–The switch sends the frame to the destination after the first 64 bytes of the frame have been received
–A compromise between fast-forward and store-and-forward
Forwarding Frames using a Switch
There are three main frame transmission modes:
–Store-and-forward
–Cut-through, in two variants: fast-forward and fragment-free
–Adaptive cut-through: checks for errors and senses the best forwarding mode.
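The three forwarding modes differ in how much of the frame the switch waits for before committing, and therefore in what errors it can still catch. The added example below (not code from the Cisco slides) puts numbers on that trade-off using the bit-time arithmetic from the latency slide (100 ns per bit at 10 Mb/s) and a CRC-32 frame check sequence; zlib.crc32 stands in for the Ethernet FCS, and the sample frame, the corrupt() helper and the byte offsets are constructed for the example.

```python
"""Switch forwarding modes: when the switch commits, and whether a bad frame gets through."""
import zlib

DST_MAC_BYTES = 6      # fast-forward decides after the destination MAC
MIN_FRAME_BYTES = 64   # fragment-free waits for the minimum (collision-free) frame size


def bit_time_ns(mbps: float) -> float:
    """Transmission window of one bit at a given link speed (100 ns at 10 Mb/s)."""
    return 1000.0 / mbps


def bytes_time_ns(n_bytes: int, mbps: float) -> float:
    """Time to put n_bytes on the wire at the given speed."""
    return n_bytes * 8 * bit_time_ns(mbps)


def build_frame(dst: bytes, src: bytes, payload: bytes) -> bytes:
    """dst + src + EtherType + payload + 4-byte FCS (CRC-32 over everything before it)."""
    body = dst + src + b"\x08\x00" + payload
    return body + zlib.crc32(body).to_bytes(4, "little")


def fcs_ok(frame: bytes) -> bool:
    body, fcs = frame[:-4], frame[-4:]
    return zlib.crc32(body).to_bytes(4, "little") == fcs


def forwarding_decision(frame: bytes, mode: str, mbps: float = 10.0) -> dict:
    """How many bytes (and ns) the switch waits before committing, and whether the
    frame is forwarded. mode: store-and-forward | fast-forward | fragment-free."""
    if mode == "store-and-forward":
        wait = len(frame)
        forwarded = fcs_ok(frame)                 # full CRC check before forwarding
    elif mode == "fast-forward":
        wait = DST_MAC_BYTES
        forwarded = True                          # no error check at all
    elif mode == "fragment-free":
        wait = MIN_FRAME_BYTES
        forwarded = len(frame) >= MIN_FRAME_BYTES  # only collision fragments (runts) are dropped
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return {"mode": mode, "wait_bytes": wait,
            "wait_ns": bytes_time_ns(wait, mbps), "forwarded": forwarded}


def corrupt(frame: bytes, offset: int = 20) -> bytes:
    """Flip one payload bit to simulate a transmission error (constructed fault)."""
    b = bytearray(frame)
    b[offset] ^= 0x01
    return bytes(b)


# Constructed 64-byte frame: 14-byte header + 46-byte payload + 4-byte FCS.
SAMPLE_FRAME = build_frame(b"\x00\x11\x22\x33\x44\x02", b"\x00\x11\x22\x33\x44\x01", b"A" * 46)
```

Running forwarding_decision() over SAMPLE_FRAME, corrupt(SAMPLE_FRAME) and a truncated copy shows the slide's point: store-and-forward waits the full 51.2 µs for a 64-byte frame and is the only mode that drops the corrupted one; fast-forward commits after 4.8 µs and forwards everything; fragment-free sits in between and only filters frames shorter than 64 bytes.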
Forwarding Frames using a Switch: Symmetric and Asymmetric Switching
–Asymmetric
•Enables more bandwidth to be dedicated to a server switch port to prevent a bottleneck
•Memory buffering is required
–Symmetric
•On a symmetric switch all ports are of the same bandwidth
Forwarding Frames using a Switch: Memory Buffering
–Port-based Memory Buffering
•Frames are stored in queues that are linked to specific incoming and outgoing ports
•A frame is transmitted to the outgoing port only when all the frames ahead of it in the queue have been successfully transmitted
–Shared Memory Buffering
•All frames go into a common memory buffer that all the ports on the switch share
•Allows a packet to be received on one port and then transmitted on another port, without moving it to a different queue
Forwarding Frames using a Switch: Layer 2 and Layer 3 Switching
–Layer 2 LAN switch
•Operates only on the OSI Data Link layer (Layer 2)
•Works with MAC addresses
–Layer 3 switch
•Can learn MAC addresses but also which IP addresses are associated with its interfaces
•Is capable of performing Layer 3 routing functions
(Figure: Layer 3 Switch and Router Comparison)
Switch Management Configuration: Navigating Command-Line Interface Modes
–User EXEC Mode
•Basic monitoring commands
•Identified by the > prompt
–Privileged EXEC Mode
•To access all device commands
•Can be password-protected
•Identified by the # prompt
–Change from User EXEC to Privileged EXEC
•Command: enable
Switch Management Configuration: Navigating Command-Line Interface Modes
–Global Configuration Mode
•To configure global switch parameters
•Entered via the configure terminal command in privileged EXEC mode
–Interface Configuration Mode
•Configuring interface-specific parameters
•From global configuration mode, enter the interface <interface name> command
Switch Management Configuration: GUI-based Alternatives to the CLI
–Cisco Network Assistant
–CiscoView Application
–Cisco Device Manager
–Network Management
Switch Management Configuration: Using the Help Facility
–sh?: lists the commands that start with sh
–?: shows all commands available in your current CLI mode
–show ?: lists the options available with the show command
(Figure: console error message)
Switch Management Configuration: Accessing the Command History
–The Command History Buffer
•by default, command history is enabled
•records the last 10 command lines
•to view recently entered EXEC commands: show history
–Configure the Command History Buffer
The Switch Boot Sequence: Describe the Boot Sequence
–The switch loads the boot loader from NVRAM
–The boot loader:
•Performs low-level CPU initialization
•Performs POST for the CPU subsystem
•Initializes the flash file system on the system board
•Loads a default operating system software image into memory and boots the switch
Recovering from a System Crash
–The boot loader provides access into the switch if the operating system cannot be used
–It provides access to the files stored on Flash memory before the operating system is loaded
–Use the boot loader command line to perform recovery operations
Basic Switch Configuration: Management Interface Considerations
–To manage a switch remotely using TCP/IP, you need to assign the switch an IP address
–This IP address is assigned to a virtual interface called a virtual LAN (VLAN)
–The default configuration on the switch is to have the management of the switch controlled through VLAN 1
–Configure Management Interface
S1(config)#interface vlan 1
S1(config-if)#ip address <ip-address> <subnet-mask>
S1(config-if)#no shutdown
Basic Switch Configuration: Configure Default Gateway
–You need to configure the switch so that it can forward IP packets to distant networks
–Configure default gateway
S1(config)#ip default-gateway <default-gateway>
Basic Switch Configuration: View configuration (from privileged EXEC mode)
S1#show ip interface brief
S1#show running-config
Basic Switch Configuration: Configure Duplex and Speed
Basic Switch Configuration: Configure a Web Interface
–Modern Cisco switches have a number of web-based configuration tools that require that the switch is configured as an HTTP server
–To control who can access the HTTP services on the switch, you can optionally configure authentication.
•AAA
•TACACS
Basic Switch Configuration: Managing the MAC Address Table
–MAC tables include dynamic and static addresses
–Dynamic addresses are source MAC addresses that the switch learns and then ages out when they are not in use
–Static addresses are not aged out
–View the MAC address table
show mac-address-table
–Create a static mapping in the MAC address table
mac-address-table static <MAC address> vlan {1-4096, ALL} interface <interface-id>
–Remove a static mapping from the MAC address table
no mac-address-table static <MAC address> vlan {1-4096, ALL} interface <interface-id>
Basic Switch Configuration: Verifying Switch Configuration
Verifying Switch Configuration: flash
The flash directory by default, has a file that contains the IOS image, a file called env_vars, and a sub-directory called html. After configuring the switch, it may contain a config.text file, and a VLAN database.
Basic Switch Management: Backing Up the Configuration
–Copy running-config in DRAM to start-up config in NVRAM or flash
copy running-config startup-config
–maintain multiple different startup-config files on the device
copy startup-config flash:filename
Basic Switch Management: Restoring the Configuration
–Restore a saved configuration from flash
copy flash:filename startup-config
after restoring, restart the switch with reload
Basic Switch Management: Back up Configuration Files to a TFTP Server
–Back up the configuration over the network
–It can be archived for a long time
–Backing up the Configuration
Step 1. Verify that the TFTP server is running on your network.
Step 2. Log in to the switch through the console port or a Telnet session. Enable the switch and then ping the TFTP server.
Step 3. Upload the switch configuration to the TFTP server. Specify the IP address or hostname of the TFTP server and the destination filename. The Cisco IOS commands are:
copy system:running-config tftp:[[[//location]/directory]/filename]
copy nvram:startup-config tftp:[[[//location]/directory]/filename]
Basic Switch Management: Back up Configuration Files to a TFTP Server
–Back up the configuration over the network
–It can be archived for a long time
–Restoring the Configuration
Step 1. Copy the configuration file to the appropriate TFTP directory on the TFTP server if it is not already there.
Step 2. Verify that the TFTP server is running on your network.
Step 3. Log in to the switch through the console port or a Telnet session. Enable the switch and then ping the TFTP server.
Step 4. Download the configuration file from the TFTP server to configure the switch. Specify the IP address or hostname of the TFTP server and the name of the file to download. The Cisco IOS commands are:
copy tftp:[[[//location]/directory]/filename] system:running-config
copy tftp:[[[//location]/directory]/filename] nvram:startup-config
Basic Switch Management: Clearing Configuration Information
–Clear the contents of your startup configuration
•erase nvram:
•erase startup-config
–Clear the switch:
Switch#delete flash:vlan.dat
Delete filename [vlan.dat]? [Enter]
Delete flash:vlan.dat? [confirm] [Enter]
Switch#erase startup-config
Switch#reload
–Deleting a stored configuration file
•Delete a file from Flash: delete flash:filename
•WARNING: be sure you delete a file from flash and not flash itself!
Configuring Switch Security: Configure Password Options
–Secure the Console
•Set console password
•Remove Console Password
S1(config)#line con 0
S1(config-line)#no password
S1(config-line)#no login
Configuring Switch Security: Configure Password Options
–Secure the vty Ports
•Set security
•Remove security
S1(config)#line vty 0 4
S1(config-line)#no password
S1(config-line)#no login
Configuring Switch Security: Configure Password Options
–Configure EXEC Mode Passwords
•Set security: enable password (stored not encrypted) or enable secret (stored encrypted)
•Remove security
no enable password
no enable secret
Configuring Switch Security: Configure Password Options
–Configure Encrypted Passwords
•Command service password-encryption in global configuration mode
•All system passwords are stored in an encrypted form
Configuring Switch Security: Password recovery on a switch (short briefing)
Power on; push the Mode button until the LED of port 1 goes out
switch: flash_init
switch: dir flash: (don't forget the colon)
switch: rename flash:config.text flash:config.old (config.text contains the password definition)
switch: boot
Enter 'n' at the setup prompt
enable
Switch#rename flash:config.old flash:config.text
Switch#copy flash:config.text system:running-config
conf t
no enable secret
enable password cisco
Ctrl-Z
copy run start
reload
Configuring Switch Security: Enable Password Recovery
Step 1. Connect a terminal or PC with terminal-emulation software to the switch console port.
Step 2. Set the line speed on the emulation software to 9600 baud.
Step 3. Power off the switch. Reconnect the power cord to the switch and within 15 seconds, press the Mode button while the System LED is still flashing green. Continue pressing the Mode button until the System LED turns briefly amber and then solid green. Then release the Mode button.
Step 4. Initialize the Flash file system using the flash_init command.
Step 5. Load any helper files using the load_helper command.
Step 6. Display the contents of Flash memory using the dir flash: command. The switch file system appears:
Directory of flash:
13 drwx 192 Mar 01 1993 22:30:48 c2960-lanbase-mz.122-25.FX
11 -rwx 5825 Mar 01 1993 22:31:59 config.text
18 -rwx 720 Mar 01 1993 02:21:30 vlan.dat
16128000 bytes total (10003456 bytes free)
Configuring Switch Security: Enable Password Recovery
Step 7. Rename the configuration file, which contains the password definition, to config.text.old using the rename flash:config.text flash:config.text.old command.
Step 8. Boot the system with the boot command.
Step 9. You are prompted to start the setup program. Enter N at the prompt, and then when the system prompts whether to continue with the configuration dialog, enter N.
Step 10. At the switch prompt, enter privileged EXEC mode using the enable command.
Step 11. Rename the configuration file to its original name using the rename flash:config.text.old flash:config.text command.
Step 12. Copy the configuration file into memory using the copy flash:config.text system:running-config command. After this command has been entered, the following is displayed on the console:
Source filename [config.text]?
Destination filename [running-config]?
Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can change the password.
Configuring Switch Security: Enable Password Recovery
Step 13. Enter global configuration mode using the configure terminal command.
Step 14. Change the password using the enable secret password command.
Step 15. Return to privileged EXEC mode using the exit command.
Step 16. Write the running configuration to the startup configuration file using the copy running-config startup-config command.
Step 17. Reload the switch using the reload command.
Configuring Switch Security: Flash update
–sh version: to see the actual .bin file, or dir flash:
–If the switch has enough flash memory, rename the existing .bin file:
#rename flash:c2900…bin flash:c2900…old
–Give the switch an IP address:
interface vlan1
ip addr 10.67.200.205 255.255.0.0
no shut
–Configure the host PC IP address in the same network range
–Ping the host
–Start the TFTP server on the host
–copy tftp flash:newname.bin
–delete flash:c2900…old (eventually)
Problem: the switch can't find the flash file
switch: set BOOT flash:c2900xl-c3h2s-mz.120-5.WC8.bin (BOOT uppercase!)
or
Switch(config)#boot system flash:c2900xl-c3h2s-mz.120-5.WC8.bin
Configuring Switch Security: XMODEM
1. Set up your PC to do XMODEM: on the HyperTerminal menu bar, click Transfer and choose Send File. This brings up a "Send File" popup window. Select the XMODEM protocol from the pull-down button. Click Close.
2. Set up the switch so it is ready to receive the image: run the copy xmodem:new_file.bin flash:new_file.bin command on the switch to copy the image to Flash using XMODEM, where new_file.bin is the file that you downloaded from Cisco.com to your PC or workstation in Step 1.
For example:
switch: copy xmodem:c2900xl-c3h2s-mz-120-5.WC8.bin flash:c2900xl-c3h2s-mz-120-5.WC8.bin
Begin the Xmodem or Xmodem-1K transfer now..
Substitute your particular Cisco IOS image name for the name used above.
Configuring Switch Security: XMODEM
3. Start the transfer of the file by performing the following steps on the PC: on the HyperTerminal menu bar, click Transfer and choose Send File. This brings up a "Send File" popup window. Fill in the filename using the Browse button. Verify that the protocol is XMODEM; if it is anything else, select XMODEM from the pull-down button. Click Send, and this starts the transfer of the file.
Note: Make sure that you start the transfer of the file immediately after receiving the "Begin the Xmodem or Xmodem-1K transfer now.." message (approximately within 3 to 5 seconds), otherwise the switch will time out the XMODEM copy.
Configuring Switch Security: XMODEM
Note: an XMODEM transfer can take between 25 and 35 minutes, depending on the switch and the size of the image.
Verify the successful copy of the file to Flash by issuing the dir flash: command:
switch: dir flash:
Directory of flash:/
-rwx 1803565 Mar 01 1993 01:17:06 c2900xl-c3h2s-mz.120-5.WC8.bin
1965568 bytes available (1647104 bytes used)
Set the BOOT parameters so that the switch boots up with the downloaded image when reloaded. For example:
(a) switch: set BOOT flash:c2900xl-c3h2s-mz.120-5.WC8.bin
(b) Substitute the image name above for the Cisco IOS name you loaded to flash.
Note: BOOT must be in capital letters.
Configuring Switch Security: Login Banners
–Configure a Login Banner
–Configure a MOTD Banner
Configuring Switch Security: Configure Telnet and SSH
Telnet
–popular protocol used for terminal access
–is an insecure way of accessing a network device
–it sends all communications across the network in clear text
SSH
–the same type of access as Telnet
–benefit of security
–Communication between the SSH client and SSH server is encrypted
Configuring Switch Security: Configure Telnet
–Telnet is the default transport supported on the vty lines
–To re-enable the Telnet protocol on the vty lines:
(config-line)#transport input telnet
(config-line)#transport input all
Configuring Switch Security: Configure SSH
–SSH is a cryptographic security feature
–The SSH feature has an SSH server and an SSH integrated client
–The switch supports SSHv1 or SSHv2 for the server component and only SSHv1 for the client component
–SSH uses DES, 3DES and password-based user authentication
–To implement SSH, you need to generate RSA keys
•A public key
–On a public RSA server
–Used to encrypt messages
•A private key
–Kept by the sender and the receiver
–Used to decrypt messages
Configuring Switch Security: Configure SSH
Generate RSA keys
Step 1. Enter global configuration mode using the configure terminal command.
Step 2. Configure a hostname for your switch using the hostname hostname command.
Step 3. Configure a host domain for your switch using the ip domain-name domain_name command.
Step 4. Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair using the crypto key generate rsa command. When you generate RSA keys, you are prompted to enter a modulus length. Cisco recommends using a modulus size of 1024 bits. A longer modulus length might be more secure, but it takes longer to generate and to use.
Step 5. Return to privileged EXEC mode using the end command.
Step 6. Show the status of the SSH server on the switch using the show ip ssh or show ssh command.
To delete the RSA key pair, use crypto key zeroize rsa.
Configuring Switch Security: Configure SSH
Configuring the SSH Server
Step 1. Enter global configuration mode using the configure terminal command.
Step 2. (Optional) Configure the switch to run SSHv1 or SSHv2 using the ip ssh version [1 | 2] command. If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2.
Step 3. Configure the SSH control parameters:
Specify the time-out value in seconds; the default is 120 seconds. The range is 0 to 120 seconds. For an SSH connection to be established, a number of phases must be completed, such as connection, protocol negotiation, and parameter negotiation. The time-out value applies to the amount of time the switch allows for a connection to be established. By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4). After the execution shell starts, the CLI-based session time-out value returns to the default of 10 minutes.
Configuring Switch Security: Configure SSH
Configuring the SSH Server
Specify the number of times that a client can re-authenticate to the server. The default is 3; the range is 0 to 5. For example, a user can allow the SSH session to sit for more than 10 minutes three times before the SSH session is terminated. Repeat this step when configuring both parameters. To configure both parameters use the ip ssh {timeout seconds | authentication-retries number} command.
Step 4. Return to privileged EXEC mode using the end command.
Step 5. Display the status of the SSH server connections on the switch using the show ip ssh or the show ssh command.
Step 6. (Optional) Save your entries in the configuration file using the copy running-config startup-config command.
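The password-option slides and the Telnet/SSH slides together describe a checklist a switch's running-config should satisfy: enable secret rather than enable password, service password-encryption on, console and vty lines that require a login, vty lines that accept only SSH, and SSH pinned to version 2. The following is an added example, not code from the Cisco course: a small audit that reads show running-config output and reports deviations from that checklist. The two sample configurations are constructed, the enable secret hash is a placeholder, and the remark that type 7 (service password-encryption) strings are reversible rather than hashed is a known property of Cisco IOS that the slides do not state; the commands checked (enable secret, login local, transport input ssh, ip ssh version 2) are standard IOS commands.

```python
"""Audit a Cisco IOS switch running-config for the password and remote-access settings."""
import re

# Constructed sample of a weak configuration (what the 'Remove security' slides leave behind).
WEAK_CONFIG = """\
hostname S1
enable password cisco
!
line con 0
 password cisco
 login
line vty 0 4
 no password
 no login
 transport input all
!
ip ssh version 1
end
"""

# Constructed sample of a hardened configuration; the secret hash is a placeholder.
HARDENED_CONFIG = """\
service password-encryption
hostname S1
enable secret 5 $1$PLACEHOLDER
ip domain-name example.test
ip ssh version 2
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
end
"""


def audit_config(config: str) -> list:
    """Return (severity, finding) tuples; an empty list means the checklist is satisfied."""
    findings = []
    lines = [ln.rstrip() for ln in config.splitlines()]
    global_lines = [ln for ln in lines if not ln.startswith(" ")]
    if "service password-encryption" not in global_lines:
        findings.append(("medium", "service password-encryption is off: line passwords are stored in clear text"))
    if not any(ln.startswith("enable secret") for ln in global_lines):
        findings.append(("high", "no enable secret: privileged EXEC is not protected by a hashed password"))
    if any(ln.startswith("enable password") for ln in global_lines):
        findings.append(("medium", "enable password is set: prefer enable secret (type 7 encryption is reversible)"))
    if "ip ssh version 2" not in global_lines:
        findings.append(("medium", "SSH server is not pinned to version 2 (ip ssh version 2)"))

    # Collect the indented commands under each 'line con/vty/aux ...' section.
    section, body = None, {}
    for ln in lines:
        if re.match(r"^line (con|vty|aux) ", ln):
            section = ln
            body[section] = []
        elif ln.startswith(" ") and section:
            body[section].append(ln.strip())
        else:
            section = None
    for name, cmds in body.items():
        has_password = any(c.startswith("password") for c in cmds)
        uses_local = "login local" in cmds
        if "no login" in cmds or ("login" not in cmds and not uses_local):
            findings.append(("high", f"{name}: login is not required, the line accepts sessions without authentication"))
        elif not has_password and not uses_local:
            findings.append(("high", f"{name}: login set but no password configured"))
        if any(c.startswith("password 7 ") for c in cmds):
            findings.append(("low", f"{name}: type 7 password is reversible, prefer login local with a secret"))
        for c in cmds:
            if c.startswith("transport input") and ("telnet" in c or c.endswith(" all")):
                findings.append(("high", f"{name}: '{c}' allows Telnet, which sends credentials in clear text"))
    return findings
```

Run audit_config() on the text captured from show running-config; the weak sample above yields six findings and the hardened one none. The check is deliberately line-based so it works on a saved backup (the copy ... tftp: files from the earlier slides) as well as on live output.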
Common Security Attacks: Security Attacks
–MAC Address Flooding
Common Security Attacks: Security Attacks
–Spoofing Attacks
Common Security Attacks: Security Attacks
–DHCP Snooping
•A feature that determines which switch ports can respond to DHCP requests
•Trusted ports
–Can source all DHCP messages
–Host a DHCP server or are an uplink toward the DHCP server
–If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down
•Untrusted ports
–Can source requests only
–Every port not explicitly configured as trusted
Common Security Attacks: Security Attacks
–DHCP Snooping
–Configure DHCP snooping
•Enable DHCP snooping using the ip dhcp snooping global configuration command
•Enable DHCP snooping for specific VLANs using the ip dhcp snooping vlan number [number] command
•Limit the rate at which an attacker can continually send bogus DHCP requests through untrusted ports to the DHCP server using the ip dhcp snooping limit rate rate interface command
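To make the trusted/untrusted rule on the two DHCP snooping slides concrete, here is an added example (not code from the Cisco course) that models the switch's decision for each DHCP message: trusted ports may source anything, untrusted ports may only source client requests and only up to a configured rate, and a server message or a rate-limit breach on an untrusted port err-disables that port. Message type names follow RFC 2131; the port names, rate limit and sample traffic are constructed, and the per-second counter is a simplification of the switch's rate limiter.

```python
"""DHCP snooping trust model: which ports may source which DHCP messages."""
from collections import defaultdict

CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class DhcpSnooping:
    def __init__(self, trusted_ports, rate_limit_pps=None):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit_pps       # ip dhcp snooping limit rate <pps> on untrusted ports
        self.err_disabled = set()
        self.counts = defaultdict(int)         # (port, second) -> DHCP packets seen
        self.log = []                          # what the switch would report

    def inspect(self, port: str, msg_type: str, second: int = 0) -> str:
        """Return 'forward' or 'drop' for one DHCP message arriving on `port`."""
        if port in self.err_disabled:
            return "drop"
        if port in self.trusted:
            return "forward"                   # trusted ports can source all DHCP messages
        if msg_type in SERVER_MESSAGES:
            # A DHCP server answering from an untrusted port is a rogue: drop and shut the port.
            self.err_disabled.add(port)
            self.log.append(f"{port}: {msg_type} sourced on untrusted port, err-disabled")
            return "drop"
        if msg_type not in CLIENT_MESSAGES:
            return "drop"                      # malformed or unknown type is not forwarded
        self.counts[(port, second)] += 1
        if self.rate_limit is not None and self.counts[(port, second)] > self.rate_limit:
            # Exceeding the configured rate on an untrusted port also err-disables it.
            self.err_disabled.add(port)
            self.log.append(f"{port}: DHCP rate limit {self.rate_limit} pps exceeded, err-disabled")
            return "drop"
        return "forward"


# Constructed setup: Gi0/1 is the uplink toward the real DHCP server, access ports are untrusted.
def demo() -> list:
    snoop = DhcpSnooping(trusted_ports={"Gi0/1"}, rate_limit_pps=3)
    results = [
        snoop.inspect("Fa0/2", "DISCOVER"),    # client request on untrusted port: forwarded
        snoop.inspect("Gi0/1", "OFFER"),       # server reply on the trusted uplink: forwarded
        snoop.inspect("Fa0/3", "OFFER"),       # rogue server on access port: dropped, port down
        snoop.inspect("Fa0/3", "DISCOVER"),    # nothing more passes through the disabled port
    ]
    return results + snoop.log
```

The log entries are the events a defender would expect to see as syslog messages on the switch; in a real deployment these are the lines to alert on, since a rogue OFFER is the first sign of a DHCP spoofing attempt.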
Common Security Attacks: Security Attacks
–CDP Attacks
•CDP packets are sent unencrypted
•An attacker can capture the information sent via CDP
Common Security Attacks: Security Attacks
–Telnet Attacks
•Brute Force Password Attack
–Change passwords frequently
–Use strong passwords
–Limit who can communicate via the vty lines
•DoS attacks
–Make the Telnet service unavailable
–Update to the newest version of IOS
Security Tools: Network Security Audit
–Reveals what sort of information an attacker can gather by monitoring network traffic
Monitoring network traffic
–Testing against your own network
–Allows you to identify weaknesses
Network Security Tools Features
–Service identification
–Support of SSL services
–Non-destructive and destructive testing
–Database of vulnerabilities
Configuring Port Security: Using Port Security to Mitigate Attacks
–Limits the number of valid MAC addresses allowed on a port
–If the number of secure MAC addresses is limited to one, only the workstation with that particular secure MAC address can successfully connect to that switch port
–When the maximum number of secure MAC addresses has been reached and a further address tries to use the port, a security violation occurs
Secure MAC Address Types
–Static secure MAC addresses
–Dynamic secure MAC addresses
–Sticky secure MAC addresses
Configuring Port Security: Sticky MAC Addresses
–Enable sticky learning via command switchport port-security mac-address sticky (on interface level)
•converts all the dynamic secure MAC addresses to sticky MAC addresses
•Addresses are added to the running config
–disable sticky learning by using the no switchport port-security mac-address sticky (on interface level)
•sticky secure MAC addresses remain part of the address table
•Addresses are removed from the running configuration.
–configure sticky secure MAC addresses by using the switchport port-security mac-address sticky mac-address (on interface level)
•addresses are added to the address table
•addresses are added to the running configuration
–save the sticky secure MAC addresses in the configuration file
•interface does not need to relearn these addresses
Configuring Port Security: Security Violation Modes
–A violation occurs in the following situations
•The maximum number of secure MAC addresses has been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface
•An address learned or configured on one secure interface is seen on another secure interface in the same VLAN
–Modes which can be configured
•Protect
–Packets with unknown source addresses are dropped
–You are not notified that a security violation has occurred
•Restrict
–Packets with unknown source addresses are dropped
–You are notified that a security violation has occurred
•Shutdown
–A port security violation causes the interface to immediately become error-disabled and turns off the port LED
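The port security slides (address limit, static/dynamic/sticky learning, the two violation conditions and the three violation modes) describe a small state machine per port. The following is an added example, not code from the Cisco course, that implements it so the modes can be compared side by side: protect drops silently, restrict drops and raises a notification, shutdown err-disables the port; sticky addresses are written to a simulated running-config using the switchport port-security mac-address sticky command from the earlier slide. Port names, VLAN numbers and MAC addresses are constructed for the example.

```python
"""Port security: secure MAC limit, learning types and violation modes."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    vlan: int = 1
    maximum: int = 1                  # switchport port-security maximum <n>
    violation: str = "shutdown"       # protect | restrict | shutdown (the IOS default)
    sticky: bool = False              # switchport port-security mac-address sticky
    secure: dict = field(default_factory=dict)  # mac -> 'static' | 'dynamic' | 'sticky'
    err_disabled: bool = False
    violations: int = 0
    running_config: list = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """Operator-configured secure address; it is never aged out."""
        self.secure[mac] = "static"
        self.running_config.append(f"switchport port-security mac-address {mac}")


class PortSecurity:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.notifications = []       # what restrict/shutdown would send as syslog or SNMP trap

    def _violate(self, port: SecurePort, mac: str) -> str:
        port.violations += 1
        if port.violation == "protect":
            return "drop"                                   # silent
        if port.violation == "restrict":
            self.notifications.append(f"{port.name}: violation by {mac}")
            return "drop"
        port.err_disabled = True                            # shutdown mode
        self.notifications.append(f"{port.name}: err-disabled after violation by {mac}")
        return "err-disabled"

    def ingress(self, port_name: str, src_mac: str) -> str:
        """Return 'forward', 'drop' or 'err-disabled' for a frame with this source MAC."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "drop"
        if src_mac in port.secure:
            return "forward"
        # Second violation condition: the address is already secured on another port in this VLAN.
        for other in self.ports.values():
            if other is not port and other.vlan == port.vlan and src_mac in other.secure:
                return self._violate(port, src_mac)
        # First violation condition: the table for this port is already full.
        if len(port.secure) >= port.maximum:
            return self._violate(port, src_mac)
        kind = "sticky" if port.sticky else "dynamic"
        port.secure[src_mac] = kind
        if kind == "sticky":                                # sticky addresses land in the running-config
            port.running_config.append(f"switchport port-security mac-address sticky {src_mac}")
        return "forward"
```

A useful exercise is to run the same three frames through one port configured with each violation mode: the address table ends up identical, but only restrict and shutdown leave a trace in notifications, and only shutdown stops the legitimate station too, which is why shutdown needs an errdisable recovery procedure in operations.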
Configuring Port Security
Configuring Port Security: Verify Port Security
Configuring Port Security: Securing Unused Ports
–Navigate to each unused port and issue the Cisco IOS shutdown command
–An alternative way to shut down multiple ports at once is to use the interface range command