Upload
abdelkhalik-mosa
View
484
Download
3
Tags:
Embed Size (px)
DESCRIPTION
This chapter starts with discussing the key elements of ethernet/802.3 networks such as CSMA/CD, communication using unicast, multicast, and broadcast, the ethernet frame, MAC address, duplex settings, half-duplex and full-duplex, switch port settings, auto-MDIX, and the switch MAC table. After that, there is a discussion about the design considerations for Ethernet networks such as bandwidth, throughput, goodput, collision domains, broadcast domains, LAN segmentation, and network latency. Switch forwarding modes: store and forward and cut-through and the difference between symmetric and asymmetric switching. Memory Buffering: port-based memory and shared memory. The difference between layer 3 switches and routers. Cisco switch CLI commands, accessing the history, switch boot sequence and recovering from system crash. Managing the MAC address table, dynamic MAC addresses and static MAC addresses and backing configuration files to a TFTP server. Configuring switch passwords and password recovery, configuring telnet and SSH. Common Security Attacks such as MAC address flooding, spoofing attacks, CDP attacks and telnet attacks. Switch port security, sticky port security and security violation modes: protect, restrict and shutdown and verifying poert security
Citation preview
LAN Switching and Wireless
Ch2: Basic Switch Concepts and Configuration
Abdelkhalik Mosa
If you found any mistake’s’ on these slides or if
you have any other questions or comments,
please feel free to contact me at:
Linkedin : https://www.linkedin.com/in/AbdelkhalikMosaTwitter : https://twitter.com/AbdelkhalikMosaFacebook: https://www.facebook.com/Abdelkhalik.Mosa
Thanks, Abdelkhalik Elsaid Mosa
Suez Canal University Faculty of Computers and Informatics - Ismailia - Egypt
Remember!
Key Elements of Ethernet/802.3 Networks: CSMA/CD
Carrier Sense
Multiple Access
Collision Detection
JAM Signal
Random Backoff
Key Elements of Ethernet/802.3 Networks: Communication
Key Elements of Ethernet/802.3 Networks: Ethernet Frame
MAC Address
Ethernet Frame
Key Elements of Ethernet/802.3 Networks: Duplex Settings
Half Duplex
Full Duplex
• Switch Port Settings: Ports on a Cisco Catalyst 2960 Series can be configured as follows:– auto : allows the two ports to communicate in order to decide the mode.– full : sets full-duplex mode.– half : sets half-duplex mode.
• auto-MDIX When the auto-MDIX feature is enabled, the switch detects the required
cable type for copper Ethernet connections and configures the interfaces accordingly.
Switch# conf tSwitch(config)# interface f0/1 Switch(config-if)# speed auto Switch(config-if)# duplex auto Switch(config-if)# mdix auto Switch(config-if)# end
Key Elements of Ethernet/802.3 Networks: Switch Port Settings
12
3 4
5 6
Key Elements of Ethernet/802.3 Networks: Switch MAC Table
The initial MAC address table is empty
Design Considerations for Ethernet networks: Transfer Capacity
• Differences between bandwidth, throughput and goodput:1. Bandwidth (Theoretical): The capacity of a medium to carry
data in a given amount of time. Usually measured in kbps or Mbps.
2. Throughput (Practical): is the measure of the transfer of bits across the media over a given period of time.Throughput <= Bandwidth. Number of devices affect the throughput.
3. Goodput (Qualitative): is the measure of usable data transferred over a given period of time.Application level throughput.Goodput = Throughput - traffic overhead for establishing sessions,
acknowledgements, and encapsulation.
• Broadcast and Collision domains – Each switch reduces the size of the collision domain on the LAN to a
single link.– Each router reduces the size of the broadcast domain on the LAN.
• LAN Segmentation
Design Considerations for Ethernet networks
• Network Latency: is the time a frame or a packet takes to travel from the source station to the final destination.
Design Considerations for Ethernet networks: Network Latency
1. Store and Forward
2. Cut-Through (Fast-forward switching or Fragment-free switching)
Switch Forwarding Methods
Switch Forwarding Methods
Symmetric and Asymmetric Switching
• Switching may be classified as symmetric or asymmetric based on the way in which bandwidth is allocated to the switch ports.
Symmetric and Asymmetric Switching
Memory Buffering
• The switch uses a buffering technique to store and forward frames and when the destination port is busy.
• The switch stores the data in the memory buffer. • The memory buffer can port-based memory or shared memory.
Layer 3 Switching
• Layer 3 switches are superfast routers that do Layer 3 forwarding in hardware.
Just Refresh
The Command Line Interface Modes
GUI-based Alternatives to the CLI• Cisco Network Assistant CiscoView
• Security Device Manager SNMP Network Managementhttp://www.cisco.com/go/networkassistant .
http://www.cisco.com/en/US/products/sw/cscowork/ps4565/prod_bulletin0900aecd802948b0.html
http://h20229.www2.hp.com/news/about/index.html
Accessing the Command History
Describe the Boot Sequence
CISCO SWITCH BOOT SEQUENCE
RECOVERING FROM A SYSTEM CRASH
Prepare to configure the switch
Switch Management Configuration• To be able to telnet to or from the switch you should set an IP address and
the default gateway on the switch.
a L
ay
er 2 s
witc
h, su
ch
as 2
960
, on
ly P
erm
its a
sin
gle
VL
AN
inte
rface
to b
e a
ctiv
e a
t a tim
e.
Switch Management Configuration
• Configure Duplex and Speed
Switch Management Configuration
• Configure a Web Interface
• Managing the MAC Address Table show mac-address-table The MAC address table was previously referred to as Content
Addressable Memory (CAM) or as the CAM table.• Dynamic Mac addresses: are source MAC addresses that the switch
learns and then ages when they are not in use. The default time is 300 seconds.
• Static Mac addresses: MAC addresses assigned to certain ports by the network admin. Static addresses are not aged out.mac-address-table static <MAC address> vlan {1-4096, ALL}
interface interface-id. The maximum size of the MAC table varies, but 8192 in Catalyst 2960
Switch Management Configuration
: الكبير على يشقى العلم طلب فان ، Kصغيرا العلم اطلب يابنى البنه لقمان قال
Using the Show Commands
Back up and Restore Switch Configurations
No
te: cop
y start run
Back up Configuration Files to a TFTP Server
• Backing Up Configuration1.switch#copy system:running-config
tftp:[[[//location]/directory]/filename] 2.or switch#copy nvram:startup-config
tftp:[[[//location]/directory]/filename].
• Restoring Configuration1.Switch#copy tftp:[[[//location]/directory]/filename]
system:running-config 2.or switch#copy tftp:[[[//location]/directory]/filename]
nvram:startup-config.
Ex: S1# copy running-config tftp://192.168.1.1/abdo-config
Configuring Passwords
• Enable FCI(config)# enable password cisco FCI(config-line)# enable secret cisco
• Console FCI(config)# line console 0 FCI(config-line)# password cisco FCI(config-line)# login
• Telnet FCI(config)# line vty 0 14 FCI(config-line)# password cisco FCI(config-line)# login
FCI(config)# Service password-encryption
The
Nocommand
Password Recovery
• Password Recovery Steps:1. Press the Mode button for awhile //load the boot loader2. Flash-init //Initialize the Flash file system3. Rename flash:config.text flash:config.text.old // rename 4. Boot // Boot the system5. Rename flash:config.text.old flash:config.text6. Copy flash:config.text system:running-config7. Change the passwords8. Save Changes9. Reload
dir flash: Display the contents of Flash memory
Banner and Clearing Configuration
• Banner Commands1.FCI(config)# banner MOTD “Device maintenance on Friday!”2.FCI(config)# banner LOGIN “Authorized Personnel Only!”
• Clearing Configuration InformationSwitch#erase nvram: or the erase startup-config
• Deleting a Stored Configuration File Switch#delete flash:filename
Configuring Telnet and SSH
FCI(config)#crypto key zeroize rsa // To delete the RSA key pair After the RSA key pair is deleted, the SSH server is automatically disabled.
• Time-out: the amount of time the switch allows for a connection to be established.
• FCI(config)#ip ssh {timeout seconds | authentication-retries number}
Common Security Attacks (MAC Address Flooding)
Common Security Attacks (MAC Address Flooding)
Common Security Attacks (MAC Address Flooding)
Common Security Attacks (MAC Address Flooding)
Common Security Attacks (MAC Address Flooding)
Common Security Attacks (Spoofing Attacks)
DHCP Starvation attack
DHCP Spoofing attack
Solving Spoofing Attacks using Snooping and Port Security
•DHCP snooping: is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests.
1. S(config)# ip dhcp snooping.2. ip dhcp snooping vlan number {number}.3. ip dhcp snooping trust.
4. (Optional) Limit the rate at which an attacker can continually send bogus DHCP requests through untrusted ports to the DHCP server using the ip dhcp snooping limit rate command.
Common Security Attacks (CDP Attacks)
• It is recommended that you disable the use of CDP on devices that do not need to use it.
Common Security Attacks (Telnet Attacks)
• Types of Telnet attacks1. Brute Force Password Attack: guesses password and uses a
program to establish a Telnet session using each guessed password. • Solution: Change your password frequently, use strong
passwords, and limit who can communicate with the vty lines.
2. DoS attack: the attacker exploits a flaw in the Telnet server software running on the switch that renders the Telnet service unavailable.• Solution: Update to the newest version of the cisco IOS.
Configuring Port Security
• Port security enables you to: Specify a group of valid MAC addresses allowed on a port. Allow only the specified MAC add. to access the port. Specify that the port will automatically shutdown if
unauthorized MAC addresses are detected. • Secure MAC Address Types
1. Static secure MAC addresses: MAC addresses are manually configured by using the switchport port-security mac-address mac-address.
2. Dynamic secure MAC addresses: MAC addresses are dynamically learned and stored only in the address table.
3. Sticky secure MAC addresses: You can configure a port to dynamically learn MAC addresses and then save these MAC addresses to the running configuration using switchport port-security mac-address sticky.
Security violation Modes
• Security violation when either of these situations occurs: The maximum number of secure MAC addresses have been added to the
address table, and a station whose MAC address is not in the address table attempts to access the interface.
An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
• Security Violation Modes
Security violation Modes
Configure Sticky Port Security
Verify Port Security
Thank You..