Switches module 2

649 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
649
On SlideShare
0
From Embeds
0
Number of Embeds
10
Actions
Shares
0
Downloads
40
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Switches.ppt 30/09/12 S Ward Abingdon and Witney College
  • Switches module 2

    1. 1. Switches CCNA Exploration Semester 3 Chapter 2 Warning – horribly long!30 Sep 2012 1
    2. 2. Topics Operation of 100/1000 Mbps Ethernet Switches and how they forward frames Configure a switch Basic security on a switch 30 Sep 2012 2
    3. 3. Semester 3 LAN Design Basic Switch Wireless ConceptsVLANs STPVTP Inter-VLAN routing30 Sep 2012 3
    4. 4. CSMA/CD reminder Shared medium Physical shared cable or hub. Ethernet was designed to work with collisions. Uses carrier sense multiple access collision detection. Used only with half duplex communication 30 Sep 2012 4
    5. 5. CSMA/CD reminderIf a device needs to transmit; It “listens” for signals on the medium. If finds signals – it waits. If clear – it sends. While transmitting Carry on listening for traffic or collision. If transmitting devices was not able to detect signals due to latency then collision occur.  Stop sending frame if collision detected,  send out jam signal that notifies collision to other devices.  Wait for random time (backoff algorithim)  Try again – listen for signals etc. 30 Sep 2012 5
    6. 6. No collisions Fully switched network with full duplex operation = no collisions. Higher bandwidth Ethernet does not define collisions – must be fully switched. Cable length limited if CSMA/CD needed. Fibre optic – always fully switched, full duplex. (Shared medium must use half duplex in order to detect collisions.) 30 Sep 2012 6
    7. 7. Switch Port Settings Auto (default for UTP) - negotiates half/full duplex with connected device. Full – sets full-duplex mode Half - sets half-duplex mode Auto is fine if both devices are using it. Potential problem if switch uses it and other device does not. Switch defaults to half. Full one end and half the other – errors. Command to set duplex mode: (config-if)#duplex [auto|full|half] 30 Sep 2012 7
    8. 8. mdix auto Command makes switch detect whether cable is straight through or crossover and compensate so you can use either. Depends on IOS version Enabled by default from 12.2(18)SE on Disabled from 12.1(14)EA1 to 12.2(18)SE Not available in earlier versions 30 Sep 2012 8
    9. 9. Communication types reminder Unicast – one sender to one recievier e.g. most user traffic: http, ftp, smtp etc. Broadcast – one sender to all hosts on the network e.g. ARP requests. Multicast – one sender to a group of devices e.g. routers running EIGRP, group of hosts using videoconferencing. IP addresses have first octet in range 224 – 239. 30 Sep 2012 9
    10. 10. Ethernet frame reminderIEEE 802.3 (Data link layer, MAC sublayer) 7 bytes 1 6 6 2 46 to 4 1500Preamble Start of Destination Source Length / 802.2 Frame frame address address type header check delimiter and data sequence Frame header data trailer  802.2 is data link layer LLC sublayer 30 Sep 2012 10
    11. 11. ETHERNET Frame From layer3 PDU to layer 2 which adds header and trailer uysed by the ethernet protocol  Preamble : for synchronization bet. Sending and receiving device  Destination MAC: identifier for intended recepient  Source MAC: frames forma originating NIC or interface, used by switch to add to their look up table  Length/packet type : exact length of frame data field and type of protocol implemented  Data and PAD field: encapsulated data from higher layer  FCS: uses CRC to check data error 30 Sep 2012 11
    12. 12. MAC address 48-bits written as 12 hexadecimal digits. Format varies: 00-05-9A-3C-78-00, 00:05:9A:3C:78:00, or 0005.9A3C.7800. MAC address can be permanently encoded into a ROM chip on a NIC - burned in address (BIA). Some manufacturers allow the MAC address to be modified locally. 30 Sep 2012 12
    13. 13. MAC address Two parts: Organizational Unique Identifier (OUI) and number assigned by manufacturer. MAC address OUI Vendor number 1 bit 1 bit 22 bits 24 bits Broadcast Local OUI number Vendor assigns Set if broadcast or multicast 30 Sep 2012 13
    14. 14. MAC address Two parts: Organizational Unique Identifier (OUI) and number assigned by manufacturer. MAC address OUI Vendor number 1 bit 1 bit 22 bits 24 bits Broadcast Local OUI number Vendor assigns Set if vendor number can be changed 30 Sep 2012 14
    15. 15. MAC address Two parts: Organizational Unique Identifier (OUI) and number assigned by manufacturer. MAC address OUI Vendor number 1 bit 1 bit 22 bits 24 bits Broadcast Local OUI number Vendor assigns Allocated to vendor by IEEE 30 Sep 2012 15
    16. 16. MAC address Two parts: Organizational Unique Identifier (OUI) and number assigned by manufacturer. MAC address OUI Vendor number 1 bit 1 bit 22 bits 24 bits Broadcast Local OUI number Vendor assigns Unique identifier for port on device 30 Sep 2012 16
    17. 17. Switch MAC Address Table Switch uses MAC address to direct network communications to the appropriate port Switch builds its MAC address of nodes connected to each port command: #show mac-address-tableProcess: Table matches switch port with MAC address of attached device Built by inspecting source MAC address of incoming frames Destination MAC address checked against table, frame sent through correct port If not in table, frame flooded Broadcasts flooded 30 Sep 2012 17
    18. 18. Collision domain Shared medium – same collision domain. Collisions reduce throughput (average data that is transmitted effectively) The more devices – the more collisions Hub – maybe 60% of bandwidth available Switch (+ full duplex) dedicated link each way 100% bandwidth in each direction Collision = bandwidth reduced = affects throughput 30 Sep 2012 18
    19. 19. How many collision domains?30 Sep 2012 19
    20. 20. How many collision domains? 1130 Sep 2012 20
    21. 21. Broadcast domains Layer 2 switches flood broadcasts. Devices linked by switches are in the same broadcast domain. (We ignore VLANs here – they come later.) A layer 3 device (router) splits up broadcast domains, does not forward broadcasts Destination MAC address for broadcast is all 1s, that is FF:FF:FF:FF:FF:FF 30 Sep 2012 21
    22. 22. How many broadcast domains? No VLANs30 Sep 2012 22
    23. 23. How many broadcast domains?30 Sep 2012 23
    24. 24. Network Latency Refers to the time that a packet takes to travel form source to destinationSources of latency  NIC delay – time taken to put signal on medium and to interpret it on receipt.  Propagation delay – time spent travelling on medium  Latency from intermediate devices e.g. switch or router. Depends on number and type of devices. **** Routers add more latency than switches. 30 Sep 2012 24
    25. 25. Network congestionCauses: More powerful PCs can send and process more data at higher rates. Increasing use of remote resources (servers, Internet) generates more traffic. More broadcasts, more congestion. Applications make more use of advanced graphics, video etc. Need more bandwidth. Splitting collision and broadcast domains helps. 30 Sep 2012 25
    26. 26. Control latency Choose switches that can process data fast enough for all ports to work simultaneously at full bandwidth. Use switches rather than routers where possible. But – balance this against need to split up broadcast domains. 30 Sep 2012 26
    27. 27. Remove bottlenecks Use a faster link. Have several links and use link aggregation so that they act as one link with the combined bandwidth. 30 Sep 2012 27
    28. 28. Switch Forwarding Methods Cisco switches now all use Store and Forward Some older switches used Cut Through – it had two variants: Fast Forward and Fragment Free  Cut thourgh switching acts upon data as soon as it is recieved  Store and forward stores data in buffer until complete frames has been received. 30 Sep 2012 28
    29. 29. Store and forward Read whole frame into buffer Discard any frames that are too short/long Perform cyclic redundancy check (CRC) and discard any frames with errors Find correct port and forward frame. Allows QoS checks Allows entry and exit at different bandwidths 30 Sep 2012 29
    30. 30. Cut Through - Fast forward Read start of frame as it comes in, as far as end of destination MAC address (first 6 bytes after start delimiter) Look up port and start forwarding while remainder of frame is still coming in. No checks or discarding of bad frames Entry and exit must be same bandwidth Lowest latency 30 Sep 2012 30
    31. 31. Cut Through – Fragment Free Read start of frame as it comes in, as far as end of byte 64 Look up port and start forwarding while remainder of frame (if any) is still coming in. May forward corrupt frames Does not perform error checking Entry and exit must be same bandwidth Compromise between store and forward and cut through 30 Sep 2012 31
    32. 32. Symmetric and AsymmetricSwitching Symmetric – all ports operate at same bandwidth Asymmetric – different bandwidths used, e.g. server or uplink has greater bandwidth  Requires store and forward operation with buffering.  Most switches now are asymmetric to allow flexibility. 30 Sep 2012 32
    33. 33. Memory buffering Used when destination port is busy due to congestion and switch stores frame until it can be transmitted 2 types:  Port based  Shared memory 30 Sep 2012 33
    34. 34. Port Based Buffering Each incoming port has its own queue. Frames stay in buffer until outgoing port is free. Frame destined for busy outgoing port can hold up all the others even if their outgoing ports are free. Each incoming port has a fixed and limited amount of memory. 30 Sep 2012 34
    35. 35. Shared Memory Buffering Allincoming frames go in a common buffer. Switch maps frame to destination port and forwards it when port is free. Frames do not hold each other up. Flexible use of memory allows larger frames. Important for asymmetric switching where some ports work faster than others. 30 Sep 2012 35
    36. 36. Layer 2 and Layer 3 Switching Traditional Ethernet switches work at layer 2. They use MAC addresses to make forwarding decisions. They do not look at layer 3 information.30 Sep 2012 36
    37. 37. Layer 2 and Layer 3 SwitchingLayer 3 switches cancarry out the samefunctions as layer 2switches.They can also use layer3 IP addresses to routebetween networks.The can control thespread of broadcasts. 30 Sep 2012 37
    38. 38. Switch CLI is similar to router Switch>enable Switch#config t Switch(config)#int fa 0/1 Switch(config-if)#exit Switch(config)#line con 0 Switch(config-line)#end Switch#disable Switch> 30 Sep 2012 38
    39. 39. Cisco Device manager- alternative to CLI Builtin web based GUI for managing switch. Access via browser on PC. Other GUI options available but need to be downloaded/bought. 30 Sep 2012 39
    40. 40. Help, history etc. Help with ? Is similar to router. Error messages for bad commands – same. Command history – as for router. Up arrow or Ctrl + P for previous Down arrow or Ctrl + N for next Each mode has its own buffer holding 10 commands by default. 30 Sep 2012 40
    41. 41. CISCO IOS History buffercommands Show history – display the contents of the command buffer To enable either in Privileged or user exec mode: # terminal history #terminal history size 50 to store or maintain 0 to 256 command lines #terminal no history size – reset history size to default value #terminal no history – disable 30 Sep 2012 41
    42. 42. Storage and start-up ROM, Flash, NVRAM, RAM generally similar to router. Boot loader, POST, load IOS from flash, load configuration file. Similar idea to router. Some difference in detail. Boot loader lets you re-install IOS or recover from password loss. 30 Sep 2012 42
    43. 43. Password recovery (2950) Hold down mode switch during start-up flash_init load_helper dir flash: rename flash:config.text flash:config.old boot Continue with the configuration dialog? [yes/no] : N rename flash:config.old flash:config.text copy flash:config.text system:running-config Configure new passwords 30 Sep 2012 S Ward Abingdon and Witney College 43
    44. 44. IP addressA switch works without an IP address or any other configuration that you give it. IP address lets you access the switch remotely by Telnet, SSH or browser. Switch needs only one IP address. It goes on a virtual (VLAN) interface. VLAN 1 is the default but is not very secure for management. 30 Sep 2012 44
    45. 45. IP address S1(config)#int vlan 99 ( or another VLAN) S1(config-if)#ip address 192.168.1.2 255.255.255.0 S1(config-if)#no shutdown S1(config-if)#exit All very well, but by default all the ports are associated with VLAN 1. VLAN 99 needs to have a port to use. 30 Sep 2012 45
    46. 46. IP address S1(config)#int fa 0/18 (or other interface) S1(config-if)#switchport mode access S1(config-if)#switchport access vlan 99 S1(config-if)#exit S1(config)# Messages to and from the switch IP address can pass via port fa 0/18. Other ports could be added if necessary. 30 Sep 2012 46
    47. 47. Default gateway S1(config)#ip default-gateway 192.168.1.1 Justlike a PC, the switch needs to know the address of its local router to exchange messages with other networks. Note global configuration mode. 30 Sep 2012 47
    48. 48. Web based GUI Includes cisco web browser user interface, cisco router, SDM, IPphone and cisco ip telephony service application required switch to be configured as http server  SW1(config)#ip http server  SW1(config)#ip http authentication enable (uses enable secret/password for access)  SW1(config)#ip http authentication local  SW1(config)#username admin password cisco (log in using this username and password) 30 Sep 2012 48
    49. 49. MAC address table (CAM) Static: built-in or configured, do not time out. Dynamic: Learned, Time out 300 sec. Note that VLAN is included in table. 30 Sep 2012 S Ward Abingdon and Witney College 49
    50. 50. Set a static address SW1(config)#mac-address-table static 000c.7671.10b4 vlan 2 interface fa0/6 30 Sep 2012 S Ward Abingdon and Witney College 50
    51. 51. Save configuration Copy run start Copy running-config startup-config This assumes that running-config is coming from RAM and startup-config is going in NVRAM (file is actually in flash). Full version gives path. Copy system:running-config flash:startup- config 30 Sep 2012 S Ward Abingdon and Witney College 51
    52. 52. Back up copy startup-config flash:backupJan08 You could go back to this version later if necessary. copy system:running-config tftp://192.168.1.8/sw1config copy nvram:startup-config tftp://192.168.1.8/sw1config (or try copy run tftp and wait for prompts) 30 Sep 2012 S Ward Abingdon and Witney College 52
    53. 53. Login PasswordsLine con 0 Service password-encryptionPassword cisco Line con 0Login Password 7 030752180500Line vty 0 15 Login Line vty 0 15Password cisco Password 7 1511021f0725Login Login 30 Sep 2012 S Ward Abingdon and Witney College 53
    54. 54. Banners banner motd “Shut down 5pm Friday” banner login “No unauthorised access” Motd will show first. Delimiter can be “ or # or any character not in message. 30 Sep 2012 S Ward Abingdon and Witney College 54
    55. 55. Secure Shell SSH Similar interface to Telnet. Encrypts data for transmission. SW1(config)#line vty 0 15 SW1(config-line)#transport input SSH Use SSH or telnet or all if you want both. Default is telnet. For SSH you must configure host domain and generate RSA key pair. 30 Sep 2012 S Ward Abingdon and Witney College 55
    56. 56. Common security attacks MAC Address Flooding: send huge numbers of frames with fake source MAC addresses and fill up MAC address table. Switch then floods all frames. DHCP spoofing: rogue server allocates fake IP address and default gateway, all remote traffic sent to attacker. (Use DHCP snooping feature to mark ports as trustworthy or not.)  DHCP STARVATION ATTACK attacker PC continually request IP from real DHCP server.  Causes all leases on real DHCP to be allocated preventing real users from obtaining an IP address.  Can be prevented with the use of DHCP snooping and port security 30 Sep 2012 56
    57. 57. DHCP snooping Cisco catalyst feature that determines which switchports can respond to DHCP request. Ports are identified as trusted and untrusted. Commands:  Ip dhcp snooping-enable dhcp in global config  Ip dhcp snooping vlannumber[number] – define dhcp fo specific vlan  Ip dhcp snooping trust – define ports as trusted or untrusted at the interface level 30 Sep 2012 57
    58. 58. Cisco Discovery Protocol CDP is enabled by default. Switch it off unless it is really needed.  CDP attacks – cdp unauthenticated attacker could craft bogus packets Itis a security risk. Frames could be captured using Wireshark (or the older Ethereal). TELNET attacks  Configure it with secure password 30 Sep 2012 58
    59. 59. More security Use strong passwords. Even these can be found in time so change them regularly. Using access control lists (semester 4) you can control which devices are able to access vty lines. Network security tools for audits and penetration testing. 30 Sep 2012 59
    60. 60. Port security Configure each port to accept  One MAC address only  A small group of MAC addresses Frames from other MAC addresses are not forwarded. By default, the port will shut down if the wrong device connects. It has to be brought up again manually. 30 Sep 2012 60
    61. 61. Static secure MAC address Staticsecure MAC addresses: Manually configured in interface config mode switchport port-security mac-address 000c.7259.0a63 interface fa 0/4 Stored in MAC address table In running configuration Can be saved with the rest of the configuration. 30 Sep 2012 61
    62. 62. Dynamic secure MAC address Learned dynamically Default – learn one address. Put in MAC address table Not in running configuration Not saved, not there when switch restarts. SW1(config-if)#switchport mode access SW1(config-if)#switchport port-security 30 Sep 2012 62
    63. 63. Sticky secure MAC address Dynamically learned Choose how many can be learned, default 1. Put in running configuration Saved if you save running configuration and still there when switch restarts. Existing dynamic address(es) will convert to sticky if you enable sticky learning. 30 Sep 2012 63
    64. 64. Sticky secure MAC address SW1(config-if)#switchport mode access SW1(config-if)#switchport port-security SW1(config-if)#switchport port-security maximum 4 SW1(config-if)#switchport port-security mac-address sticky 30 Sep 2012 64
    65. 65. Violation modes Violation occurs if a device with the wrong MAC address attempts to connect. Shutdown mode is default. Protect mode just prevents traffic. Restrict mode sends error message to network management software. 30 Sep 2012 65
    66. 66. Check port security show port-security int fa 0/4 to see settings on a particular port Show port-security address to see the table of secure MAC addresses Ifyou don’t need to use a port: shutdown 30 Sep 2012 66
    67. 67. Interface range Switch(config)#interface range fa0/1 - 20 Switch(config-if-range)#A useful command if you want to put the same configuration on several interfaces. 30 Sep 2012 67
    68. 68. The End30 Sep 2012 S Ward Abingdon and Witney College 68

    ×