CCNA Exp3 - Chapter02 - Basic Switch Concepts and Configurations

Chapter 2: Basic switch concepts and configurations
CCNA Exploration 4.0
Please purchase a personal license.
Overview
H c vi n m ng Bach Khoa - Website: www.bkacad.com
Key elements of Ethernet/802.3 networks
Media Access Control (MAC)

Deterministic, Non-Deterministic
logical bus topology and physical star or extended star
logical ring topology and a physical star topology
logical ring topology and physical dual-ring topology
MAC refers to protocols that determine which computer on a shared-medium environment, or collision domain, is allowed to transmit the data. MAC, with LLC, comprises the IEEE version of the OSI Layer 2 There are two broad categories of Media Access Control, deterministic (taking turns) and non-deterministic (first come, first served)
CSMA/CD
CSMA/CD used with Ethernet performs three functions: 1. Transmitting and receiving data packets 2. Decoding data packets and checking them for valid addresses before passing them to the upper layers of the OSI model 3. Detecting errors within data packets or on the network
listen-before-transmit
Transmitting& listening.
CSMA/CD
Flow chart
Backoff
Randomly Backoff Time After a collision occurs and all stations allow the cable to become idle (each waits the full inter-frame spacing) The stations that collided must wait an additional and potentially progressively longer period of time before attempting to retransmit the collided frame The waiting period is intentionally designed to be random If the MAC layer is unable to send the frame after 16 attempts, it gives up and generates an error to the network layer
7
Extra: Backoff
The stations involved in transmitting frames at the time of the collision must then reschedule their frames for retransmission. The transmitting stations do this by generating a period of time to wait before retransmission, which is based on a random number chosen by each station and used in that station's backoff calculations.
k= min(n,10) ; n= the number of transmission attempts 0<= r <2^k The backoff delay= r* slot time
H c vi n m ng Bach Khoa - Website: www.bkacad.com 8
Ethernet Slot Time
Ethernet Slot Time
10
Ethernet Communications
11
Remind
12
Ethernet frame structure

At the data link layer the frame structure is nearly identical for all speeds of Ethernet from 10 Mbps to 10,000 Mbps At the physical layer almost all versions of Ethernet are substantially different from one another with each speed having a distinct set of architecture design rules The Ethernet II Type field is incorporated into the current 802.3 frame definition. The receiving node must determine which higher-layer protocol is present in an incoming frame by examining the Length/Type field

The Preamble is used for Synchronization, Address types timing synchronization in the asynchronous 10 Mbps and slower implementations of 10101011 Ethernet. Faster versions of Ethernet are synchronous, and this timing information is redundant but retained for compatibility The Destination Address field contains the MAC destination address. It can be unicast, multicast (group), or broadcast (all nodes) The source address is generally the unicast address of the transmitting Ethernet node (can be virtual entity group or multicast) H c vi n m ng Bach Khoa - Website: www.bkacad.com 14

The type value specifies the upper-layer protocol to Length if value < 1536 decimal, receive the data after (0x600) need LLC to identify Ethernet processing is upper protocol completed. The length indicates the number of bytes of data that follows this field. (so contents of the Data field are decoded per the protocol indicated) The maximum transmission unit (MTU) for Ethernet is 1500 octets, so the data should not exceed that size 4 bytes Ethernet requires that the CRC frame be not less than 46 Type if value => 1536 decimal, octets or more than 1518 (0x600) it identify upper octets (Pad is required if not protocol H c vi n m ng Bach Khoa - Website: www.bkacad.com 15 enough data)
Naming on Ethernet
MAC ADDRESS
Ethernet uses MAC addresses that are 48 bits in length and expressed as 12 hexadecimal digits Sometimes referred to as burned-in addresses (BIA) because they are burned into read-only memory (ROM) and are copied into random-access memory (RAM) when the NIC initializes
OUI
17
Ethernet in full duplex

duplex Full-duplex Full-duplex Collision occurs only in half-duplex Full-duplex
Full-duplex
If the attached station is operating in full duplex then the station may send and receive simultaneously and collisions should not occur. Full-duplex operation also changes the timing considerations and eliminates the concept of slot time In half-duplex, if no collision, the sending station will transmit 64 bits (timing synchronization) preamble, DA, SA, certain other header information, actual data payload, FCS
19
20
Extra: Half-duplex networks
21
Note

Fast Ethernet and 10/100/1000 ports: default is auto. 100BASE-FX ports: default is full. 10/100/1000 ports operate in either half- or full-duplex mode when they are set to 10 or 100 Mb/s, but when set to 1,000 Mb/s, they operate only in full-duplex mode. Default: when autonegotiation fails Catalyst switch sets the corresponding switch port to half-duplex mode. This type of failure happens when an attached device does not support autonegotiation.
22
auto-MDIX
auto-MDIX is enabled
switch auto detects cable type either a crossover or a straight-through
can use
The auto-MDIX feature is enabled by default on switches running Cisco

IOS Release 12.2(18)SE or later. For releases between Cisco IOS Release 12.1(14)EA1 and 12.2(18)SE, the auto-MDIX feature is disabled by default.
MAC Addressing and Switch MAC Address Tables
24
25
26
27
28
29
Design Considerations for Ethernet/802.3 Networks
30
Bandwidth and Throuhgput
Bandwidth is defined as the amount of information that can flow through a network connection in a given period of time. Throughput refers to actual measured bandwidth, at a specific time of day, using specific Internet routes, and while a specific set of data is transmitted on the network.
Collision Domains
32
Collision Domains
33
Broadcast Domains
The broadcast domain at Layer 2 is referred to as the MAC broadcast domain.
34
Broadcast Domains - Example
When a switch receives a broadcast frame, it forwards the frame to each of its ports, except the incoming port where the switch received the broadcast frame. Each attached device recognizes the broadcast frame and processes it.
35
Broadcast Domains - Example
36
Network Latency
37
Network Congestion
The primary reason for segmenting a LAN into smaller parts is to

isolate traffic and to achieve better use of bandwidth per user. Without segmentation, a LAN quickly becomes clogged with traffic and collisions. Causes of network congestion: Increasingly powerful computer and network technologies. Increasing volume of network traffic. High-bandwidth applications.
38
LAN Segmentation
LANs are segmented into a number of smaller collision and broadcast

domains using routers and switches.
LAN Segmentation
40
LAN Segmentation
41
LAN Segmentation
42
Controlling Network Latency
43
Removing Network Bottlenecks
44
Activity 2.1.3.2
45
Forwarding Frames Using a Switch
46
Switch Forwarding Methods
47
Store- and- Forward Switching
Store-and-forward switching is required for Quality of Service (QoS)
analysis on converged networks where frame classification for traffic prioritization is necessary.
Cut- Through Switching
There are 2 variants of cut-through switching:

Fast-forward switching - immediately forwards a packet after reading the destination address. Fragment-free switching - reads the first 64 bytes of an Ethernet frame and then begins forwarding it to the appropriate port or ports
Extra: Adaptive Cut- Through
Some switches are configured to perform cut-through switching on a

per-port basis until a user-defined error threshold is reached and then they automatically change to store-and-forward. When the error rate falls below the threshold, the port automatically changes back to cut-through switching.
Symmetric and Asymmetric Switching
Most current switches are asymmetric switches because this type of switch offers the greatest flexibility.
Memory Buffering
Port-based Memory Buffering A frame is transmitted to the outgoing port only when all the frames ahead of it in the queue have been successfully transmitted. Shared Memory Buffering The frames in the buffer are linked dynamically to the destination port. This allows the packet to be received on one port and then transmitted on another port, without moving it to a different queue.
52
Layer 2 and Layer 3 Switching
53
Layer 3 Switch and Router Comparison
54
Review your understanding
55
56
57
Switch Management Configuration
58
The Command Line Interface Modes
59
The Command Line Interface Modes
60
GUI-based Alternatives to the CLI
61
62
63
64
65
66
Context Sensitive Help
67
Console Error Messages
68
The Command History Buffer
69
Configure the Command History Buffer
70
Describe the Boot Sequence
71
Extra: Boot Loader Command Line

During normal boot loader operation, you are not presented with the
boot loader command-line prompt. You gain access to the boot loader command line if: the switch is set to manually boot an error occurs during power-on self test (POST) DRAM testing an error occurs while loading the operating system (a corrupted IOS image). You can also access the boot loader if you have lost or forgotten the switch password. You can access the boot loader through a switch console connection at 9600 bps: unplug the switch power cord press the switch Mode button while reconnecting the power cord. You can release the Mode button a second or two after the LED above port 1 goes off. You should then see the boot loader Switch: prompt. The boot loader performs low-level CPU initialization, performs POST, and loads a default operating system image into memory.
Prepare to Configure the Switch
Step 1
73
Step 2
74
Step 3
75
Basic Switch Configuration
76
Management Interface Considerations
77
78
79
80
Configure Duplex and Speed
81
Configure a Web Interface
82
Managing the MAC Address Table
show mac-address-table
The MAC address entry is automatically discarded or aged out after 300 seconds.
84
The 0x0100.0cdd.dddd is multicast MAC address that used by Cisco Group Management Protocol (CGMP)
Extra: Managing the MAC Address Table
sw(config)#mac-address-table ?
aging-time Set MAC address table entry maximum age notification Enable/Disable MAC Notification on the switch static static keyword sw(config)#mac-address-table aging-time ? <0-0> Enter 0 to disable aging <10-1000000> Aging time in seconds Rather than wait for a dynamic entry to age out, the administrator has the option to use the privileged EXEC command: sw# clear mac-address-table dynamic
86
Extra: Configuring static MAC addresses
The reasons for assigning a permanent MAC address to an interface
include: The MAC address will not be aged out automatically by the switch. A specific server or user workstation must be attached to the port and the MAC address is known. Security is enhanced. To set a static MAC address entry for a switch: sw(config)#mac-address-table static <mac-address of host> interface FastEthernet <Ethernet numer> vlan <vlan-id>
Show Commands
88
Show running-config
89
Show interfaces
90
Backing Up the Configuration
91
Restoring the Configuration
92
Back up Configuration Files to a TFTP Server
93
Clearing Configuration Information
94
Extra: Reset Default Switch Configurations
The following steps will ensure that a new configuration will completely overwrite any existing configuration: 1. Remove any existing VLAN information by deleting the VLAN database file vlan.dat from the flash directory 2. Erase the back up configuration file startup-config 3. Reload the switch
Configure Password Options
96
Configure Console Access
97
Secure the vty Ports
98
Configure EXEC Mode Passwords
Clear text password Encrypted, Priority than enable password
99
Configure Encrypted Passwords

After
Before
100
Enable Password Recovery
101
Extra: Switch LED indicators
utilization
102
Password Recovery
Step 1. Connect a terminal or PC with terminal-emulation software to
the switch console port.
Step 2. Set the line speed on the emulation software to 9600 baud. Step 3. Power off the switch. Reconnect the power cord to the switch
and within 15 seconds, press the Mode button while the System LED is still flashing green. Continue pressing the Mode button until the System LED turns briefly amber and then solid green. Then release the Mode button. OR: enter reload command and then to press the Mode button until the System LED turns briefly amber and then solid green. Step 4. Initialize the Flash file system using the flash_init command.
Step 5. Load any helper files using the load_helper command.
103
Password Recovery
Step 6. Display the contents of Flash memory using the dir flash
command:
The switch file system appears:

Directory of flash: 13 drwx 192 Mar 01 1993 22:30:48 c2960-lanbase-mz.122-25.FX 11 -rwx 5825 Mar 01 1993 22:31:59 config.text 18 -rwx 720 Mar 01 1993 02:21:30 vlan.dat 16128000 bytes total (10003456 bytes free)
Step 7. Rename the configuration file to config.text.old, which
contains the password definition, using the rename flash:config.text flash:config.text.old command.
Step 8. Boot the system with the boot command.
104
Password Recovery

Step 9. You are prompted to start the setup program. Enter N at the prompt, and then when the system prompts whether to continue with the configuration dialog, enter N. Step 10. At the switch prompt, enter privileged EXEC mode using the enable command. Step 11. Rename the configuration file to its original name using the rename flash:config.text.old flash:config.text command. Step 12. Copy the configuration file into memory using the copy flash:config.text system:running-config command. After this command has been entered, the follow is displayed on the console: Source filename [config.text]? Destination filename [running-config]? Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can change the password.
105
Password Recovery
Step 13. Enter global configuration mode using the configure terminal
command.
Step 14. Change the password using the enable secret password
command.
Step 15. Return to privileged EXEC mode using the exit command. Step 16. Write the running configuration to the startup configuration file
using the copy running-config startup-config command.
Step 17. Reload the switch using the reload command. Note: The password recovery procedure can be different depending on
the Cisco switch series, so you should refer to the product documentation before you attempt a password recovery.
Configure a Login Banner
Create the local database: sw(config)# username student password student Enable authentication for the console line: sw(config)# line console 0 sw(config-line)# login local sw(config)# banner login "Authorized Personnel Only ! sw# exit
107
Configure a MOTD Banner
sw(config)# banner motd This is a security system ! sw#exit
108
Telnet and SSH
Remote control tool of

switch and router SSH encrypt data before transmit
109
Configuring Telnet
110
Configuring SSH
111
Configuring SSH

The switch supports SSHv1 or SSHv2 for the server component. The switch supports only SSHv1 for the client component. To implement SSH, you need to generate RSA keys. Step 1. Enter global configuration mode using the configure terminal command. Step 2. Configure a hostname for your switch using the hostname hostname command. Step 3. Configure a host domain for your switch using the ip domainname domain_name command. Step 4. Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair using the crypto key generate rsa command. Step 5. Return to privileged EXEC mode using the end command. Step 6. Show the status of the SSH server on the switch using the show ip ssh or show ssh command. To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. After the RSA key pair is deleted, the SSH server is automatically disabled.
112
Configuring the SSH Server

Step 1. Enter global configuration mode using the configure terminal
command. Step 2. (Optional) Configure the switch to run SSHv1 or SSHv2 using the ip ssh version [1 | 2] command.
If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2.
Step 3. Configure the SSH control parameters:

Specify the time-out value in seconds: default of 10 minutes. Specify the number of times that a client can re-authenticate to the server. The default is 3; the range is 0 to 5 Command: ip ssh {timeoutseconds | authenticationretriesnumber}
113
Configuring the SSH Server

Step 4. Return to privileged EXEC mode using the end command. Step 5. Display the status of the SSH server connections on the switch using the show ip ssh or the show ssh command. Step 6. (Optional) Save your entries in the configuration file using the copy running-config startup-config command.
114
Layer 2 common security attacks
115
MAC Address Flooding
116
117
118
119
120
Spoofing Attacks
121
Solution:

Cisco Catalyst DHCP Snooping Port Security Features (later in this module)
122
Solution: Cisco Catalyst DHCP Snooping
123
Config DHCP Snooping

Step 1. Enable DHCP snooping using the ip dhcp snooping global
configuration command.
Step 2. Enable DHCP snooping for specific VLANs using the ip dhcp
snooping vlan number [number] command.
Step 3. Define ports as trusted or untrusted at the interface level by

defining the trusted ports using the ip dhcp snooping trust command.
Step 4. (Optional) Limit the rate at which an attacker can continually

send bogus DHCP requests through untrusted ports to the DHCP server using the ip dhcp snooping limit rate rate command.
124
CDP Attacks
Solution: Disable the use of CDP on devices that do not need to use
it. (config)# no cdp run (config-if)# no cdp enable
Telnet Attacks
126
Other: Working with Passwords
Passwords should be as long and as complicated as possible. Most security experts believe a password of 10 characters is the minimum that should be used if security is a real concern. use only the lowercase letters of the alphabet: have 26 characters. add the numeric values (0 9): get another 10 characters. add the uppercase letters: have an additional 26 characters giving you a total of 62 characters with which to construct a password. If you used a 4 character password, this would be 626262 62, or approximately 14 million password possibilities. If you used 5 characters in your password, this would give you 62 to the fifth power, or approximately 92 million password possibilities. If you used a 10-character password, this would give you 64 to the tenth power (a very big number) possibilities. The 4 digit password could probably be broken in a day, while the 10 digit password would take a millennium to break given current processing power.
Extra: Other Attacks
This attack can also be mitigated using port security.

129
130
Extra: Cisco CatOS Telnet, HTTP and SSH Vulnerability
Cisco CatOS is susceptible to a TCP-ACK Denial of Service (DoS) attack on the Telnet, HTTP and SSH service. If exploited, the vulnerability causes the Cisco CatOS running device to stop functioning and reload.
131
Security tools
132
Network Security Tools Features
133
Using Port Security to Mitigate Attacks
134
Type of security mac address
switchport port-security mac-address switchport port-security mac-address sticky
135
Violation types
136
Extra: Violation types
137
Port security default
138
Config dynamic port security
139
Config port security sticky
140
Verify
141
Verify
142
Should be Disable Unused Ports
143
Chapter summary
144

CCNA Exp3 - Chapter02 - Basic Switch Concepts and Configurations

Uploaded by

Copyright:

Available Formats

CCNA Exp3 - Chapter02 - Basic Switch Concepts and Configurations

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CCNA Exp3 - Chapter02 - Basic Switch Concepts and Configurations

Uploaded by

Copyright:

Available Formats

Chapter 2: Basic switch concepts and configurations

CCNA Exploration 4.0

Please purchase a personal license.

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Key elements of Ethernet/802.3 networks

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Media Access Control (MAC)

logical ring topology and a physical star topology

logical ring topology and physical dual-ring topology

H c vi n m ng Bach Khoa - Website: www.bkacad.com

H c vi n m ng Bach Khoa - Website: www.bkacad.com

H c vi n m ng Bach Khoa - Website: www.bkacad.com

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Ethernet Slot Time

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Ethernet Slot Time

H c vi n m ng Bach Khoa - Website: www.bkacad.com

H c vi n m ng Bach Khoa - Website: www.bkacad.com

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Ethernet frame structure

Ethernet frame structure

Ethernet frame structure

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Ethernet in full duplex

Ethernet in full duplex

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Ethernet in full duplex

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Extra: Half-duplex networks

H c vi n m ng Bach Khoa - Website: www.bkacad.com

H c vi n m ng Bach Khoa - Website: www.bkacad.com

switch auto detects cable type either a crossover or a straight-through

The auto-MDIX feature is enabled by default on switches running Cisco

MAC Addressing and Switch MAC Address Tables

H c vi n m ng Bach Khoa - Website: www.bkacad.com

MAC Addressing and Switch MAC Address Tables

H c vi n m ng Bach Khoa - Website: www.bkacad.com

MAC Addressing and Switch MAC Address Tables

H c vi n m ng Bach Khoa - Website: www.bkacad.com

MAC Addressing and Switch MAC Address Tables

H c vi n m ng Bach Khoa - Website: www.bkacad.com

MAC Addressing and Switch MAC Address Tables

H c vi n m ng Bach Khoa - Website: www.bkacad.com

MAC Addressing and Switch MAC Address Tables

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Design Considerations for Ethernet/802.3 Networks

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Bandwidth and Throuhgput

H c vi n m ng Bach Khoa - Website: www.bkacad.com

H c vi n m ng Bach Khoa - Website: www.bkacad.com

The broadcast domain at Layer 2 is referred to as the MAC broadcast domain.

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Broadcast Domains - Example

H c vi n m ng Bach Khoa - Website: www.bkacad.com

Broadcast Domains - Example

H c vi n m ng Bach Khoa - Website: www.bkacad.com

H c vi n m ng Bach Khoa - Website: www.bkacad.com

The primary reason for segmenting a LAN into smaller parts is to

H c vi n m ng Bach Khoa - Website: www.bkacad.com