8/4/2019 Lan Switching and Security
LAN Switching
Ethernet switches are used in a LAN to build Ethernet networks. A switch forwards traffic on the basis of the destination MAC address. It maintains a MAC address table in which MAC addresses and port numbers are stored and used to make the switching decision. A bridge and a switch work in the same way; a switch is in effect a multi-port bridge.
Classification of switches
Switches are classified according to the following criteria:

Types of switches based on working (forwarding method)
(1) Store & Forward
The switch receives the entire frame, checks the FCS for errors and only then forwards the frame to the destination. Damaged frames are dropped.
(2) Cut-through
The switch starts forwarding the frame as soon as the first six bytes (the destination MAC address) have been received. No error checking is done, so damaged frames are forwarded too.
(3) Fragment-free
The switch waits for the first 64 bytes of the frame (the minimum legal frame size, within which a collision fragment would show up) and then starts forwarding. Errors beyond the first 64 bytes are not detected.
(4) Adaptive cut-through
The switch changes its mode according to conditions: if it sees errors in many frames it changes from cut-through or fragment-free to store & forward.

Types of switches based on management
(1) Manageable switches
(2) Non-manageable switches
(3) Semi-manageable switches

Types of switches based on OSI layer
(1) Layer 2 switches (switching only)
(2) Layer 3 switches (switching and routing)

Types of switches based on command mode (Cisco only)
(1) IOS based
(2) CLI based

Types of switches based on the hierarchical model
(1) Core layer switches
(2) Distribution layer switches
(3) Access layer switches
Qualities of a switch
- Number of ports
- Speed of ports
- Type of media
- Switching speed (wire speed or throughput)
Basic Switch Administration
IOS-based switches are administered much like routers. The following functions are performed on a switch in the same manner as on a router:
(1) Accessing the switch through the console
(2) Commands to enter and exit the different modes
(3) Commands to configure passwords
(4) Managing the configuration
(5) Backing up the IOS image and the configuration
(6) Configuring and resolving hostnames
(7) Managing telnet
(8) Configuring CDP
(9) Configuring the clock
(10) Configuring banners
(11) Command-line and editing shortcuts
(12) Managing the command history
(13) Configuring logging
(14) Boot system commands
The following functions and options differ between a router and a switch:
(1) The default hostname is Switch
(2) There is no auxiliary port
(3) VTY lines are usually 0 to 15
(4) Interfaces are enabled by default
(5) IP addresses cannot be assigned to the physical interfaces (only to a VLAN interface)
(6) There is no routing configuration mode
(7) Interface numbering starts from 1 (e.g., fastethernet 0/1)
(8) Web access (the HTTP server) is enabled by default
(9) The configuration register is not present in the same form
(10) Flash memory may contain multiple files, and the startup configuration is also saved in flash (config.text)
Items (4) and (8) matter for security: every unused port is live until it is shut down, and the HTTP server should be disabled unless it is actually used for management.
Configuring IP and Gateway on a switch
An IP address is configured on a switch for web or telnet access; it is needed only for administration of the switch, not for switching itself. If the switch has to be reached from a remote network, a default gateway is configured in addition to the IP address.
The IP address is assigned to a logical interface (the VLAN interface, or SVI) of the switch with the following commands:
Switch(config)#interface vlan 1
Switch(config-if)#ip address <ip-address> <subnet-mask>
Switch(config-if)#no shutdown
Switch(config-if)#exit
Note that VLAN 1 is the VLAN every port belongs to by default, so a management address in VLAN 1 is reachable from every host on the switch. In practice the management address is placed on a dedicated management VLAN (interface vlan <id>) that carries no user ports.
Old switches (e.g., Catalyst 1900)
Switch(config)#ip address <ip-address> <subnet-mask>
Switch(config)#exit

Configuring the gateway
Switch(config)#ip default-gateway <gateway-address>
Switch(config)#exit
Breaking (recovering) the Switch Password
(1) Power off the switch, press and hold the Mode button on the front of the switch, then power the switch on.
(2) Keep the Mode button pressed until the switch: prompt appears on the console.
(3) In switch monitor (boot loader) mode, type the following commands:
switch: flash_init
switch: load_helper
switch: dir flash:
switch: rename flash:config.text flash:config.old
switch: boot
(4) After booting, the switch asks whether to enter the initial configuration dialog. Answer no, then type:
Switch>enable
Switch#rename flash:config.old flash:config.text
Switch#configure memory
Now change the password and save the configuration with copy running-config startup-config.
Anyone with console access and a minute with the Mode button can do this, which is why physical access to switches and their console ports has to be controlled. Newer Catalyst switches can disable the procedure with no service password-recovery, at the price of losing the whole configuration if the password is ever forgotten.
Cisco Hierarchical Model
When we want to build a large LAN and design it as a flat network, we face the following problems:
(1) High latency
(2) Congestion between switches
(3) A single large broadcast domain
The Cisco hierarchical model recommends a three-layer design of the network:
(i) Core layer
(ii) Distribution layer
(iii) Access layer
Each layer has some rules which we have to follow:
(1) The highest-performance devices are placed at the core layer.
(2) Shared resources are placed at (or close to) the core layer.
(3) Policies (ACLs, filtering) are not applied at the core layer; its only job is fast transport.
(4) Policies are implemented at the distribution layer.
(5) Distribution and core devices are connected with high-speed links.
(6) Access layer devices are basic devices and may be non-manageable.
(Figure: the hierarchical model, with the core layer at the top, the distribution layer in the middle and the access layer at the bottom.)
After applying the hierarchical model most LAN problems are solved, but one problem remains: all PCs are still in a single broadcast domain. The solutions for this problem are:
(1) Physical segmentation
(2) Logical segmentation
- VLAN
- Trunking
- VTP
- Inter-VLAN routing
- Pruning

Logical Segmentation of Network
To perform logical segmentation we create VLANs in the network. With VLANs we can logically divide the broadcast domain of the network.

VLAN (Virtual LAN)
A VLAN provides virtual segmentation of the broadcast domain of the network. Devices that are members of the same VLAN can communicate with each other directly. Devices in different VLANs can communicate only through routing, so each VLAN uses a different network address. VLANs provide the following advantages:
(1) Logical segmentation of the network
(2) Enhanced network security: at layer 2 a host can reach only its own VLAN, and traffic between VLANs has to pass through a router or layer 3 switch, where it can be filtered
Creating a port-based VLAN
In a port-based VLAN we first create the VLAN on a manageable switch and then add ports to it.
Commands to create a VLAN
Switch#config ter
Switch(config)#vlan <vlan-id>
Switch(config-vlan)#name <vlan-name>        (optional)
Switch(config-vlan)#exit
Or (older IOS, VLAN database mode)
Switch#vlan database
Switch(vlan)#vlan <vlan-id> name <vlan-name>
Switch(vlan)#exit
Commands to configure a port for a VLAN
By default all ports are members of a single VLAN, VLAN 1. We can change the VLAN membership according to our requirement.
Switch#conf ter
Switch(config)#interface <interface>
Switch(config-if)#switchport access vlan <vlan-id>
Switch(config-if)#exit
Commands to configure multiple ports in a VLAN
Switch#conf ter
Switch(config)#interface range <interface-range>
Switch(config-if-range)#switchport access vlan <vlan-id>
Switch(config-if-range)#exit
Example: to add interfaces fastethernet 0/10 to 0/18 to VLAN 5
Switch#config ter
Switch(config)#interface range fastethernet 0/10 - 18
Switch(config-if-range)#switchport access vlan 5
Switch(config-if-range)#exit
On Catalyst 1900 and compatible switches
Switch#config ter
Switch(config)#interface <interface>
Switch(config-if)#vlan-membership static <vlan-id>
Switch(config-if)#exit

To disable web access on the switch
Switch#config ter
Switch(config)#no ip http server

To display the MAC address table
Switch#show mac-address-table
Vlan    Mac address          Type      Ports
20      00-08-a16-ab-6a-7b   dynamic   fa0/7
(On newer IOS releases the command is show mac address-table.)

To display VLANs and port membership
Switch#show vlan
Trunking
When there are multiple switches, trunk links are used to connect one switch to another. Without trunk links we would have to run one cable per VLAN between the switches (for VLANs 1, 3 and 7 that is three cables, each joining a port of one VLAN to a port of the same VLAN on the other switch). With trunking a single link between the two switches carries the traffic of VLANs 1, 3 and 7 together.
Switches perform trunking with the help of frame tagging. The trunk port sends each data frame with VLAN ID information added to the frame; at the receiving end the VLAN ID information is removed and, according to the tag, the frame is delivered to the corresponding VLAN. There are two protocols for frame tagging:
(1) Inter-Switch Link (ISL, Cisco proprietary; encapsulates the whole frame)
(2) IEEE 802.1Q (inserts a 4-byte tag into the frame; frames of the trunk's native VLAN are sent untagged)
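The tag insertion and removal just described, written out as an added Python example (this is not code from the notes; the frame and MAC addresses are constructed for illustration). It builds an untagged frame, tags it the way a trunk port does on egress, strips the tag again on ingress, and counts stacked tags, because a receiving switch removes only the outermost one.

```python
"""802.1Q tagging and untagging as a trunk port does it (added example; the
frame below is constructed, not captured from a network)."""
import struct
from typing import Optional, Tuple

TPID_8021Q = 0x8100     # EtherType value that announces "an 802.1Q tag follows"


def build_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) src(6) type(2) payload; FCS omitted."""
    return (bytes.fromhex(dst_mac) + bytes.fromhex(src_mac)
            + struct.pack("!H", ethertype) + payload)


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert the 4-byte tag between the source MAC and the EtherType (trunk egress)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if not 1 <= vlan_id <= 4094:          # VID 0 and 4095 are reserved
        raise ValueError("VLAN ID must be 1..4094")
    if not 0 <= priority <= 7:
        raise ValueError("priority (PCP) is a 3-bit field")
    tci = (priority << 13) | vlan_id      # TCI = PCP(3 bits) | DEI(1 bit, 0) | VID(12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Strip one tag (trunk ingress). Returns (vlan_id, untagged_frame).
    Untagged input returns (None, frame); a real switch would then assign
    the frame to the native VLAN of the trunk."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci, = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


def tag_depth(frame: bytes) -> int:
    """Number of 802.1Q tags stacked on the frame; a switch removes only the outermost."""
    depth, offset = 0, 12
    while (len(frame) >= offset + 4
           and struct.unpack("!H", frame[offset:offset + 2])[0] == TPID_8021Q):
        depth += 1
        offset += 4
    return depth


if __name__ == "__main__":
    # Constructed ARP-sized frame: broadcast destination, made-up source MAC.
    frame = build_frame("ffffffffffff", "000c29aabbcc", 0x0806, b"\x00" * 28)
    tagged = tag_frame(frame, vlan_id=5, priority=3)
    print("tag bytes:", tagged[12:16].hex())          # 8100 6005
    print("untagged:", untag_frame(tagged))            # (5, original frame)
    double = tag_frame(tagged, vlan_id=10)             # outer tag 10, inner tag 5
    vid, rest = untag_frame(double)
    print("outer VID", vid, "tags left:", tag_depth(rest))
```

The last lines show why the native VLAN deserves attention: when a switch strips the outer tag of a double-tagged frame, the inner tag survives and the frame continues as a tagged frame of a VLAN the sender never had a port in.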
Configuring Trunking
On Cisco switches a switch port can be configured in one of the following modes:
(1) Trunk desirable (dynamic desirable, the default on older IOS switches): the port actively negotiates a trunk with DTP
(2) Trunk on: the port is always a trunk
(3) Trunk off: the port is an access port
Switch#conf ter
Switch(config)#interface <interface>
Switch(config-if)#switchport mode {trunk | access | dynamic desirable | dynamic auto}
Switch(config-if)#exit
A port left in a dynamic mode forms a trunk with any device that speaks DTP, which gives whatever is plugged into it access to every VLAN on the trunk. Ports that connect end hosts should be forced to access mode (switchport mode access), and fixed trunks should stop negotiating with switchport nonegotiate.

To configure the VLANs allowed on a trunk
By default all VLANs are allowed on a trunk port. A particular VLAN can be added to or removed from the trunk with the following command:
Switch#config ter
Switch(config)#interface <interface>
Switch(config-if)#switchport trunk allowed vlan {all | add <vlan-list> | remove <vlan-list> | except <vlan-list>}

To display trunk interfaces
Switch#show interfaces trunk
VLAN Trunking Protocol (VTP)
VTP simplifies the process of creating VLANs across multiple switches. One switch is configured as VTP server and all other switches as VTP clients. VLANs are created on the VTP server switch, which sends periodic updates to the VTP client switches; the clients create the VLANs described in the update received from the server.
VTP server
A VTP server is a switch on which we can create, delete or modify VLANs. The server sends periodic updates to the VTP clients.
VTP client
On a VTP client we cannot create, modify or delete VLANs. The client receives and forwards VTP updates and creates the same VLANs as defined in the update.
VTP Transparent
A transparent switch receives and forwards VTP updates. It can create, delete and modify VLANs locally. A transparent switch does not send its own VTP updates and does not learn anything from the updates it receives.
Commands
Switch#conf ter
Switch(config)#vtp domain <domain-name>
Switch(config)#vtp password <password>
Switch(config)#vtp mode {server | client | transparent}
Switch(config)#exit
By default a Cisco switch is a VTP server with no domain name and no password. A server with no domain name adopts the first domain name it hears in an advertisement, and every server or client in a domain accepts an advertisement whose configuration revision number is higher than its own. A switch that is connected with the same domain name and a stale, higher-revision VLAN database therefore overwrites the VLAN list of every switch in the domain. Always set a VTP password, reset the revision number before connecting a previously used switch (changing the domain name or switching to transparent mode sets it to 0), and use transparent mode where VTP is not needed.
To display VTP status
Switch#show vtp status
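The update rules above, simulated in Python as an added example (not code from the notes, and a simplification of real VTP: the digest here covers only the domain name and password, whereas a real switch computes an MD5 over the VLAN data as well). The scenario, switch names and VLANs are constructed. It shows a normal server-to-client sync, a defaulted switch adopting the domain name it hears, a rogue switch with the wrong password being ignored, and the same rogue switch with the right password and a higher revision wiping both the client and the server.

```python
"""Simplified VTP advertisement handling (added example, not from the notes)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class VtpSwitch:
    name: str
    mode: str                              # "server", "client" or "transparent"
    domain: Optional[str] = None
    password: Optional[str] = None
    revision: int = 0                      # configuration revision number
    vlans: Dict[int, str] = field(default_factory=lambda: {1: "default"})

    def _digest(self) -> str:
        # Stand-in for the MD5 digest real VTP computes over domain, password
        # and VLAN data; here it covers only domain and password.
        return hashlib.md5(f"{self.domain}:{self.password or ''}".encode()).hexdigest()

    def create_vlan(self, vlan_id: int, name: str) -> None:
        if self.mode == "client":
            raise PermissionError(f"{self.name}: a VTP client cannot create VLANs")
        self.vlans[vlan_id] = name
        if self.mode == "server":          # transparent edits are local and unnumbered
            self.revision += 1

    def advertise(self) -> Optional[dict]:
        if self.mode == "transparent":     # transparent switches never originate updates
            return None
        return {"domain": self.domain, "revision": self.revision,
                "vlans": dict(self.vlans), "digest": self._digest()}

    def receive(self, adv: Optional[dict]) -> bool:
        """Apply an advertisement; True if the local VLAN database was replaced."""
        if adv is None or self.mode == "transparent":
            return False
        if self.domain is None:            # a server with no domain adopts the first one it hears
            self.domain = adv["domain"]
        if adv["domain"] != self.domain or adv["digest"] != self._digest():
            return False                   # other domain or wrong password: ignored
        if adv["revision"] <= self.revision:
            return False                   # only a higher revision number wins
        self.vlans = dict(adv["vlans"])
        self.revision = adv["revision"]
        return True


def scenario() -> dict:
    core = VtpSwitch("core", "server", domain="LAB", password="s3cret")
    core.create_vlan(10, "users")
    core.create_vlan(20, "servers")                   # core is now at revision 2
    access = VtpSwitch("access1", "client", domain="LAB", password="s3cret")
    access.receive(core.advertise())                  # normal sync
    synced = dict(access.vlans)

    fresh = VtpSwitch("fresh", "server")              # factory default: no domain, no password
    fresh.receive(core.advertise())                   # adopts "LAB", rejects data (no password)

    # A switch from another lab: same domain name, no password, stale but higher revision.
    rogue = VtpSwitch("lab-bench", "server", domain="LAB", password=None, revision=50)
    ignored = not access.receive(rogue.advertise())

    # Same switch once it carries the right password: the password authenticates the
    # advertisement, it does not stop a higher revision from replacing the database.
    rogue.password = "s3cret"
    wiped_client = access.receive(rogue.advertise())
    wiped_server = core.receive(rogue.advertise())    # servers accept higher revisions too
    return {"client_synced": synced,
            "fresh_switch_adopted_domain": fresh.domain,
            "rogue_without_password_ignored": ignored,
            "rogue_with_password_wipes_client": wiped_client,
            "rogue_with_password_wipes_server": wiped_server,
            "client_vlans_after": dict(access.vlans)}


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```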
VTP Pruning
Pruning is the VTP feature through which a trunk link is automatically disabled for a particular VLAN if the neighbouring switch has no ports in that VLAN, so broadcasts of that VLAN are not flooded over trunks where nobody needs them. VLAN 1 is not prune-eligible.
Command to configure VTP pruning
Only one command is needed, on the VTP server; the setting is propagated to the whole domain.
Switch#conf ter
Switch(config)#vtp pruning
Switch(config)#exit
Inter-VLAN Communication
After creating VLANs, each VLAN has its own broadcast domain. For communication from one VLAN to another we need routing. There are three methods for inter-VLAN communication:
(1) Inter-VLAN using a multi-interface router
(2) Inter-VLAN using the router-on-a-stick method
(3) Inter-VLAN using a layer 3 switch
Cisco 1751 and 2621 routers support VLAN trunking (subinterfaces).
(1) Inter-VLAN using a multi-interface router
In this case one interface of the router is connected to each VLAN and acts as the gateway for that VLAN. Each VLAN has to use a different network address. Data from one VLAN to another travels through the router.
Example from the figure: VLANs 1, 3 and 5 use networks 10.x.x.x, 11.x.x.x and 12.x.x.x, with gateways 10.0.0.1 (E0), 11.0.0.1 (E1) and 12.0.0.1 (E2).
(2) Inter-VLAN using the router-on-a-stick method
In this method a router that supports trunking is used for inter-VLAN routing. On its single physical interface we create one subinterface per VLAN. The physical interface is connected to a trunk port of the switch. The router routes traffic in and out of the same physical interface, rewriting the VLAN ID with the help of the frame-tagging protocol (802.1Q here).
Fa 0/0.1  10.0.0.1 -> VLAN 1
Fa 0/0.2  11.0.0.1 -> VLAN 3
Fa 0/0.3  12.0.0.1 -> VLAN 5
(Figures: the multi-interface router with E0, E1 and E2 in VLANs 1, 3 and 5; and the router on a stick with Fa 0/0 on a trunk carrying VLANs 1, 3 and 5 through trunked switches. Networks 10.x.x.x, 11.x.x.x and 12.x.x.x; gateways 10.0.0.1, 11.0.0.1 and 12.0.0.1.)
Configuration on the router
Router#config ter
Router(config)#interface fastethernet 0/0
Router(config-if)#no ip address
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface fastethernet 0/0.1
Router(config-subif)#encapsulation dot1q 1 native
Router(config-subif)#ip address 10.0.0.1 255.0.0.0
Router(config-subif)#exit
Router(config)#interface fastethernet 0/0.2
Router(config-subif)#encapsulation dot1q 3
Router(config-subif)#ip address 11.0.0.1 255.0.0.0
Router(config-subif)#exit
Router(config)#interface fastethernet 0/0.3
Router(config-subif)#encapsulation dot1q 5
Router(config-subif)#ip address 12.0.0.1 255.0.0.0
Router(config-subif)#exit
The native keyword on the VLAN 1 subinterface is required because VLAN 1 is the native VLAN of an 802.1Q trunk by default and its frames arrive untagged; without it the subinterface never sees VLAN 1 traffic. Subinterfaces follow the state of the physical interface, so only fastethernet 0/0 needs no shutdown.
Configuration on the core switch
(1) Configure the switch as VTP server
(2) Create the VLANs
(3) Configure the interface connected to the router as a trunk
(4) Configure the interfaces connected to other switches as trunks (if required)
Configuration on the distribution layer switches
(1) Configure the switch as VTP client
(2) Configure the required interfaces as trunks (optional)
(3) Add ports to the VLANs

Configuration on the PCs
Configure the IP address and the gateway
Spanning Tree Protocol
When multiple switches are connected to each other and more than one path exists from one switch to another, a switching loop can form. Multiple paths are used to create redundancy in the network; STP is needed exactly when such redundant paths exist, because an Ethernet frame carries no TTL and a loop never clears on its own.
Problems that occur with redundant paths:
(1) Multiple copies of a frame are received by the destination.
(2) Frequent changes in the MAC address table of the switch.
(3) A MAC address may appear on multiple ports of a switch.
(4) Frames may circulate in an endless loop (a broadcast storm).
Spanning Tree Protocol solves these problems by blocking the redundant interface, so that only one path remains active between the switches. If the primary path goes down, the blocked link is enabled and data is transferred over that path.

Working of STP
STP builds a topology database in which one switch is elected as the root switch (root bridge). Path cost is calculated from link bandwidth; the link with the lowest path cost to the root is enabled and the other paths are disabled (blocked).
(Figure: a root switch connected to two other switches by 1 Gb links, with 100 Mb links between the switches; the 100 Mb path with the higher cost to the root is disabled.)
STP terminology
(1) Bridge ID
It is the combination of the bridge priority and the base MAC address. On Cisco switches the default priority is 32768.
(2) Root bridge
The bridge/switch with the lowest bridge ID becomes the root bridge. The root bridge is the reference point for calculating path cost in the topology. Since every switch ships with the same priority, with no configuration the root is simply the switch with the lowest MAC address; set a low priority on the intended root switch so that a misplaced or hostile switch cannot take over the root role by presenting a lower bridge ID.
(3) BPDU (Bridge Protocol Data Unit)
The STP information exchanged between the switches to build the topology and select paths.
(4) STP port states
When STP is enabled a port is in one of the following states:
(i) Blocking: the port is blocked by STP; it receives BPDUs but sends and receives no data.
(ii) Listening: the port sends and receives BPDUs but does not learn MAC addresses or forward data.
(iii) Learning: the port learns MAC addresses into the MAC address table but still does not forward data.
(iv) Forwarding: the port forwards data based on the MAC address table.
(v) Disabled: the port is administratively shut down.
Path cost calculation
Links between switches are enabled or disabled on the basis of path cost. The path cost for each link is calculated according to the following table:
Speed     Old IEEE cost   New IEEE cost
10 Mb     100             100
100 Mb    10              19
1 Gb      1               4
10 Gb     1               2
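Root election, root path cost and blocked-port selection for the STP described above, as an added Python example (not code from the notes). It uses the new IEEE costs from the table and a small constructed topology: a root switch R with a low priority joined to S1 and S2 by 1 Gb links, with 100 Mb links S1-S2, S1-S3 and S2-S3. Port IDs, timers and the listening/learning transitions are left out; what remains is the comparison STP actually makes: lowest bridge ID wins the root, and among equal-cost paths the lower upstream bridge ID wins.

```python
"""Simplified STP: root election, root path costs and blocked ports
(added example; the topology is constructed for illustration)."""
import heapq
from typing import Dict, List, Tuple

# 802.1D-1998 ("new IEEE") port cost by link speed in Mb/s, as in the table above.
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}

BridgeId = Tuple[int, int]      # (priority, base MAC as an integer); lower wins


def bridge_id(priority: int, mac: str) -> BridgeId:
    return priority, int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)


def elect_root(switches: Dict[str, Tuple[int, str]]) -> str:
    """The switch with the lowest bridge ID (priority first, then MAC) becomes root."""
    return min(switches, key=lambda n: bridge_id(*switches[n]))


def root_path_costs(switches, links):
    """Dijkstra from the root over port costs. Ties are broken by the lower bridge ID
    of the upstream neighbour, which is how a switch picks its root port."""
    root = elect_root(switches)
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for a, b, speed in links:
        adj.setdefault(a, []).append((b, PORT_COST[speed]))
        adj.setdefault(b, []).append((a, PORT_COST[speed]))
    best = {root: (0, (-1, -1))}        # node -> (root path cost, bridge ID of upstream)
    prev: Dict[str, str] = {}           # node -> neighbour reached through its root port
    heap = [(best[root], root)]
    while heap:
        key, node = heapq.heappop(heap)
        if key != best[node]:           # stale heap entry
            continue
        for nbr, cost in adj.get(node, []):
            cand = (key[0] + cost, bridge_id(*switches[node]))
            if nbr not in best or cand < best[nbr]:
                best[nbr] = cand
                prev[nbr] = node
                heapq.heappush(heap, (cand, nbr))
    return root, {n: k[0] for n, k in best.items()}, prev


def blocked_ports(switches, links):
    """For every link that carries no root port, the end with the worse
    (root path cost, bridge ID) goes to blocking; the other end is designated."""
    root, cost, prev = root_path_costs(switches, links)
    blocked: Dict[Tuple[str, str], str] = {}
    for a, b, _ in links:
        if prev.get(a) == b or prev.get(b) == a:
            continue                    # one end is a root port: the link forwards
        a_key = (cost[a], bridge_id(*switches[a]))
        b_key = (cost[b], bridge_id(*switches[b]))
        blocked[(a, b)] = b if a_key < b_key else a
    return root, cost, blocked


# Constructed topology: R gets priority 4096 so it wins; the rest keep the default 32768.
SWITCHES = {
    "R":  (4096,  "0000.0000.0001"),
    "S1": (32768, "0000.0000.0010"),
    "S2": (32768, "0000.0000.0020"),
    "S3": (32768, "0000.0000.0030"),
}
LINKS = [("R", "S1", 1000), ("R", "S2", 1000),
         ("S1", "S2", 100), ("S1", "S3", 100), ("S2", "S3", 100)]

if __name__ == "__main__":
    root, cost, blocked = blocked_ports(SWITCHES, LINKS)
    print("root bridge:", root)
    for name, c in sorted(cost.items()):
        print(f"  {name}: root path cost {c}")
    for (a, b), end in blocked.items():
        print(f"link {a}-{b}: blocking at {end}")
```

With the constructed topology S1 and S2 both reach R at cost 4; S3 reaches R at cost 23 through either, and picks S1 because its bridge ID is lower. The S1-S2 and S2-S3 links carry no root port, so S2 blocks its S1-facing port and S3 blocks its S2-facing port. Swap R's priority for 32768 and the root moves to whichever switch has the lowest MAC, which is the point of the priority advice above.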
To configure a port for forwarding mode directly
A port that connects a single end host cannot create a loop, so it may skip the listening and learning states:
Switch#config ter
Switch(config)#interface <interface>
Switch(config-if)#switchport host
(switchport host is a macro that sets the port to access mode, enables spanning-tree portfast and disables channel grouping; never use it on a port that leads to another switch.)

Configuring port security
On manageable switches we can restrict the number of MAC addresses that a port can learn. We can also specify the allowed MAC address statically with a command. With port security we can also specify the action to be performed when a port-security violation is detected.
Switch#conf ter
Switch(config)#interface <interface>
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum <count>
Switch(config-if)#switchport port-security violation {protect | restrict | shutdown}
Switch(config-if)#switchport port-security mac-address <mac-address>
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#exit
Port security can only be enabled on an access port, hence switchport mode access first. The default violation mode is shutdown, which puts the port into err-disabled state until it is cleared with shutdown followed by no shutdown; protect silently drops frames from unknown MAC addresses and restrict drops them and logs a violation. Verify the result with show port-security interface <interface>.
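A configuration audit that checks a switch's running configuration for the weak settings discussed in these notes: the HTTP server left enabled, a VTP domain with no password, the management address on VLAN 1, ports left in a DTP-negotiable mode, trunks that allow every VLAN, and access ports without port security. This is an added Python example, not code from the notes; both sample configurations are constructed, and the checks for switchport nonegotiate and a non-default management VLAN go beyond the commands the notes show.

```python
"""Audit a Catalyst running-config for the weak settings discussed in the notes
(added example; both configs below are constructed, not taken from a device)."""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]     # (where, message)

WEAK_CONFIG = """\
hostname access1
ip http server
vtp domain LAB
vtp mode client
!
interface Vlan1
 ip address 10.0.0.2 255.0.0.0
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 5
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport access vlan 5
!
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan all
!
"""

HARDENED_CONFIG = """\
hostname access1
no ip http server
vtp domain LAB
vtp password s3cret
vtp mode client
!
interface Vlan99
 ip address 10.99.0.2 255.255.255.0
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 5
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/24
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 5,10
!
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into global lines and per-interface lines (indented block)."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None                 # "!" or a global command ends the block
            if line and line != "!":
                global_lines.append(line)
    return global_lines, interfaces


def audit(text: str) -> List[Finding]:
    findings: List[Finding] = []
    glob, ifs = parse_config(text)
    if "ip http server" in glob:
        findings.append(("global", "web management enabled; apply 'no ip http server'"))
    if any(l.startswith("vtp domain ") for l in glob) and not any(l.startswith("vtp password ") for l in glob):
        findings.append(("global", "VTP domain configured without a VTP password"))
    for name, lines in ifs.items():
        if name.lower() == "vlan1" and any(l.startswith("ip address ") for l in lines):
            findings.append((name, "management address on VLAN 1; use a dedicated management VLAN"))
        if not name.lower().startswith(("fastethernet", "gigabitethernet")):
            continue
        trunk = "switchport mode trunk" in lines
        access = "switchport mode access" in lines
        if not trunk and not access:
            findings.append((name, "no fixed switchport mode; DTP can negotiate a trunk"))
        if trunk and "switchport nonegotiate" not in lines:
            findings.append((name, "trunk still runs DTP; add 'switchport nonegotiate'"))
        if trunk and not any(l.startswith("switchport trunk allowed vlan ") and not l.endswith(" all")
                             for l in lines):
            findings.append((name, "trunk carries all VLANs; restrict with 'switchport trunk allowed vlan'"))
        if not trunk and "switchport port-security" not in lines:
            findings.append((name, "access port without port-security"))
    return findings


if __name__ == "__main__":
    for where, msg in audit(WEAK_CONFIG):
        print(f"{where}: {msg}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

On a real switch the input is the output of show running-config; the parser only relies on the one-space indentation of interface blocks and the "!" separators, which that output has.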