LAN Switching and Wireless Ch2: Basic Switch Concepts and Configuration Abdelkhalik Mosa

LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration


DESCRIPTION

This chapter starts by discussing the key elements of Ethernet/802.3 networks: CSMA/CD; communication using unicast, multicast, and broadcast; the Ethernet frame; MAC addresses; duplex settings (half-duplex and full-duplex); switch port settings; auto-MDIX; and the switch MAC table. It then covers design considerations for Ethernet networks: bandwidth, throughput, goodput, collision domains, broadcast domains, LAN segmentation, and network latency. Next come the switch forwarding modes (store-and-forward and cut-through) and the difference between symmetric and asymmetric switching; memory buffering (port-based memory and shared memory); and the difference between Layer 3 switches and routers. The configuration part covers Cisco switch CLI commands, accessing the command history, the switch boot sequence and recovering from a system crash; managing the MAC address table (dynamic and static MAC addresses) and backing up configuration files to a TFTP server; configuring switch passwords and password recovery; and configuring Telnet and SSH. Finally, common security attacks are covered (MAC address flooding, spoofing attacks, CDP attacks and Telnet attacks), along with switch port security, sticky port security, the security violation modes (protect, restrict and shutdown) and verifying port security.


Page 1: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

LAN Switching and Wireless

Ch2: Basic Switch Concepts and Configuration

Abdelkhalik Mosa

Page 2: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

If you find any mistakes on these slides, or if you have any other questions or comments, please feel free to contact me at:

[email protected] or

[email protected]

LinkedIn: https://www.linkedin.com/in/AbdelkhalikMosa
Twitter: https://twitter.com/AbdelkhalikMosa
Facebook: https://www.facebook.com/Abdelkhalik.Mosa

Thanks, Abdelkhalik Elsaid Mosa

Suez Canal University Faculty of Computers and Informatics - Ismailia - Egypt

Remember!

Page 3: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Key Elements of Ethernet/802.3 Networks: CSMA/CD

Carrier Sense

Multiple Access

Collision Detection

JAM Signal

Random Backoff

Page 4: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Key Elements of Ethernet/802.3 Networks: Communication

Page 5: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Key Elements of Ethernet/802.3 Networks: Ethernet Frame

MAC Address

Ethernet Frame

Page 6: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Key Elements of Ethernet/802.3 Networks: Duplex Settings

Half Duplex

Full Duplex

Page 7: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

• Switch Port Settings: Ports on a Cisco Catalyst 2960 Series can be configured as follows:
– auto: allows the two ports to communicate in order to decide the mode.
– full: sets full-duplex mode.
– half: sets half-duplex mode.

• auto-MDIX: When the auto-MDIX feature is enabled, the switch detects the required cable type for copper Ethernet connections and configures the interfaces accordingly.

Switch# conf t
Switch(config)# interface f0/1
Switch(config-if)# speed auto
Switch(config-if)# duplex auto
Switch(config-if)# mdix auto
Switch(config-if)# end

Key Elements of Ethernet/802.3 Networks: Switch Port Settings

Page 8: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration


Key Elements of Ethernet/802.3 Networks: Switch MAC Table

The initial MAC address table is empty

Page 9: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Design Considerations for Ethernet networks: Transfer Capacity

• Differences between bandwidth, throughput and goodput:
1. Bandwidth (theoretical): the capacity of a medium to carry data in a given amount of time. Usually measured in kbps or Mbps.
2. Throughput (practical): the measure of the transfer of bits across the media over a given period of time. Throughput <= Bandwidth. The number of devices affects the throughput.
3. Goodput (qualitative): the measure of usable data transferred over a given period of time; application-level throughput. Goodput = Throughput - traffic overhead for establishing sessions, acknowledgements, and encapsulation.

Page 10: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

• Broadcast and Collision domains
– Each switch reduces the size of the collision domain on the LAN to a single link.
– Each router reduces the size of the broadcast domain on the LAN.

• LAN Segmentation

Design Considerations for Ethernet networks

Page 11: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

• Network Latency: is the time a frame or a packet takes to travel from the source station to the final destination.

Design Considerations for Ethernet networks: Network Latency

Page 12: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

1. Store and Forward

2. Cut-Through (Fast-forward switching or Fragment-free switching)

Switch Forwarding Methods

Page 13: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Switch Forwarding Methods

Page 14: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Symmetric and Asymmetric Switching

• Switching may be classified as symmetric or asymmetric based on the way in which bandwidth is allocated to the switch ports.

Page 15: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Symmetric and Asymmetric Switching

Page 16: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Memory Buffering

• The switch uses a buffering technique to store and forward frames when the destination port is busy.
• The switch stores the data in the memory buffer.
• The memory buffer can be port-based memory or shared memory.

Page 17: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Layer 3 Switching

• Layer 3 switches are superfast routers that do Layer 3 forwarding in hardware.

Page 18: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Just Refresh

Page 19: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

The Command Line Interface Modes

Page 20: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

GUI-based Alternatives to the CLI
• Cisco Network Assistant: http://www.cisco.com/go/networkassistant
• CiscoView: http://www.cisco.com/en/US/products/sw/cscowork/ps4565/prod_bulletin0900aecd802948b0.html
• Security Device Manager
• SNMP Network Management: http://h20229.www2.hp.com/news/about/index.html

Page 21: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Accessing the Command History

Page 22: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Describe the Boot Sequence

CISCO SWITCH BOOT SEQUENCE

RECOVERING FROM A SYSTEM CRASH

Page 23: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Prepare to configure the switch

Page 24: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Switch Management Configuration
• To be able to telnet to or from the switch you should set an IP address and the default gateway on the switch.
• A Layer 2 switch, such as the 2960, only permits a single VLAN interface to be active at a time.

Page 25: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Switch Management Configuration

• Configure Duplex and Speed

Page 26: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Switch Management Configuration

• Configure a Web Interface

Page 27: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

• Managing the MAC Address Table: show mac-address-table
The MAC address table was previously referred to as Content Addressable Memory (CAM) or as the CAM table.
• Dynamic MAC addresses: source MAC addresses that the switch learns and then ages out when they are not in use. The default aging time is 300 seconds.
• Static MAC addresses: MAC addresses assigned to certain ports by the network admin. Static addresses are not aged out.
mac-address-table static <MAC address> vlan {1-4096, ALL} interface interface-id
• The maximum size of the MAC table varies, but it is 8192 entries in the Catalyst 2960.

Switch Management Configuration

Page 28: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Luqman said to his son: My son, seek knowledge while you are young, for seeking knowledge is hard on the old.

Using the Show Commands

Page 29: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Back up and Restore Switch Configurations

Note: copy start run

Page 30: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Back up Configuration Files to a TFTP Server

• Backing Up Configuration
1. switch# copy system:running-config tftp:[[[//location]/directory]/filename]
2. or switch# copy nvram:startup-config tftp:[[[//location]/directory]/filename]

• Restoring Configuration
1. switch# copy tftp:[[[//location]/directory]/filename] system:running-config
2. or switch# copy tftp:[[[//location]/directory]/filename] nvram:startup-config

Ex: S1# copy running-config tftp://192.168.1.1/abdo-config

Page 31: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Configuring Passwords

• Enable
FCI(config)# enable password cisco
FCI(config)# enable secret cisco

• Console
FCI(config)# line console 0
FCI(config-line)# password cisco
FCI(config-line)# login

• Telnet
FCI(config)# line vty 0 14
FCI(config-line)# password cisco
FCI(config-line)# login

FCI(config)# service password-encryption

The no command

Page 32: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Password Recovery

• Password Recovery Steps:
1. Press the Mode button for a while // load the boot loader
2. flash_init // initialize the Flash file system
3. rename flash:config.text flash:config.text.old // rename the config file so it is not loaded
4. boot // boot the system
5. rename flash:config.text.old flash:config.text
6. copy flash:config.text system:running-config
7. Change the passwords
8. Save the changes
9. Reload

dir flash: Display the contents of Flash memory

Page 33: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Banner and Clearing Configuration

• Banner Commands
1. FCI(config)# banner motd “Device maintenance on Friday!”
2. FCI(config)# banner login “Authorized Personnel Only!”

• Clearing Configuration Information: Switch# erase nvram: or erase startup-config

• Deleting a Stored Configuration File: Switch# delete flash:filename

Page 34: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Configuring Telnet and SSH

FCI(config)# crypto key zeroize rsa // delete the RSA key pair; after the RSA key pair is deleted, the SSH server is automatically disabled.

• Time-out: the amount of time the switch allows for a connection to be established.

• FCI(config)# ip ssh {timeout seconds | authentication-retries number}

Page 35: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Common Security Attacks (MAC Address Flooding)

Page 36: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Common Security Attacks (MAC Address Flooding)

Page 37: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Common Security Attacks (MAC Address Flooding)

Page 38: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Common Security Attacks (MAC Address Flooding)

Page 39: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Common Security Attacks (MAC Address Flooding)

Page 40: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Common Security Attacks (Spoofing Attacks)

DHCP Starvation attack

DHCP Spoofing attack

Page 41: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Solving Spoofing Attacks using Snooping and Port Security

• DHCP snooping: a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests.

1. S(config)# ip dhcp snooping
2. S(config)# ip dhcp snooping vlan {number}
3. S(config-if)# ip dhcp snooping trust
4. (Optional) Limit the rate at which an attacker can continually send bogus DHCP requests through untrusted ports to the DHCP server using the ip dhcp snooping limit rate command.

Page 42: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Common Security Attacks (CDP Attacks)

• It is recommended that you disable the use of CDP on devices that do not need to use it.

Page 43: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Common Security Attacks (Telnet Attacks)

• Types of Telnet attacks
1. Brute Force Password Attack: the attacker guesses passwords and uses a program to establish a Telnet session using each guessed password.
• Solution: change your password frequently, use strong passwords, and limit who can communicate with the vty lines.
2. DoS attack: the attacker exploits a flaw in the Telnet server software running on the switch that renders the Telnet service unavailable.
• Solution: update to the newest version of the Cisco IOS.

Page 44: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Configuring Port Security

• Port security enables you to:
– Specify a group of valid MAC addresses allowed on a port.
– Allow only the specified MAC addresses to access the port.
– Specify that the port will automatically shut down if unauthorized MAC addresses are detected.

• Secure MAC Address Types
1. Static secure MAC addresses: MAC addresses that are manually configured using the switchport port-security mac-address mac-address command.
2. Dynamic secure MAC addresses: MAC addresses that are dynamically learned and stored only in the address table.
3. Sticky secure MAC addresses: you can configure a port to dynamically learn MAC addresses and then save these MAC addresses to the running configuration using switchport port-security mac-address sticky.

Page 45: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Security violation Modes

• A security violation occurs when either of these situations occurs:
– The maximum number of secure MAC addresses has been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
– An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

• Security Violation Modes
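The MAC table behaviour from page 27 (aging, static entries, table size) and the port-security violation conditions and modes above can be seen together in this small Python model, added here as an illustration and not taken from Cisco or from these slides. It assumes the standard IOS violation semantics (protect drops silently, restrict drops and counts the violation, shutdown err-disables the port) and uses constructed MAC addresses.

```python
class SecurePort:               # one port with port security (static/dynamic/sticky MACs)
    def __init__(self, name, maximum=1, violation="shutdown", static=()):
        self.name, self.maximum, self.violation = name, maximum, violation
        self.secure = set(static)        # static secure MACs are pre-loaded, never aged
        self.violations, self.err_disabled = 0, False

class MacTable:                 # dynamic entries age out, static ones do not, size is capped
    def __init__(self, aging=300, capacity=8192):
        self.aging, self.capacity, self.entries = aging, capacity, {}
        # entries: mac -> (port, learned_at); learned_at is None for a static entry
    def add_static(self, mac, port):
        self.entries[mac] = (port, None)
    def expire(self, now):
        self.entries = {m: (p, t) for m, (p, t) in self.entries.items()
                        if t is None or now - t < self.aging}
    def learn(self, mac, port, now):
        self.expire(now)
        if mac in self.entries and self.entries[mac][1] is None:
            return                       # a static entry is never overwritten by learning
        if mac not in self.entries and len(self.entries) >= self.capacity:
            return                       # table full: frames to this MAC are flooded instead
        self.entries[mac] = (port, now)
    def lookup(self, mac, now):
        self.expire(now)
        return self.entries.get(mac, (None, None))[0]   # None: unknown, flood out all ports

class Switch:
    def __init__(self, ports, aging=300, capacity=8192):
        self.table = MacTable(aging, capacity)
        self.ports = {p.name: p for p in ports}
    def receive(self, port_name, src_mac, now):
        # Ingress: port-security check first, then source-MAC learning; returns the action
        port = self.ports[port_name]
        if port.err_disabled:
            return "dropped-errdisable"
        elsewhere = any(src_mac in p.secure for p in self.ports.values() if p is not port)
        if src_mac not in port.secure:
            if elsewhere or len(port.secure) >= port.maximum:   # the two violation conditions
                return self.violate(port)
            port.secure.add(src_mac)     # dynamic/sticky learning of a new secure MAC
        self.table.learn(src_mac, port_name, now)
        return "forwarded"
    def violate(self, port):
        if port.violation != "protect":
            port.violations += 1         # restrict/shutdown count violations; protect is silent
        if port.violation == "shutdown":
            port.err_disabled = True     # port is err-disabled until an admin recovers it
            return "err-disabled"
        return "dropped-" + port.violation
```

Feeding the model a second station on a port whose maximum is reached, or a MAC already secured on another port, shows which mode merely drops the frame and which takes the port down.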

Page 46: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Security violation Modes

Page 47: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Configure Sticky Port Security

Page 48: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Verify Port Security

Page 49: LAN Switching and Wireless: Ch2 - Basic Switch Concepts and Configuration

Thank You..