Switching VLANs (secugenius_harksh_mikemclain, SecuGenius security solutions)



  1. Switching & VLANs
  2. Switching Basics: A switch acts as a multiport bridge, and its basic duty is to break up collision domains. Layer 2 switches and bridges are faster than routers because they don't spend time looking at the Network layer header information. Switches look at a frame's hardware addresses before deciding to either forward the frame or drop it.
  3. Switching Basics: Switches create private, dedicated collision domains and provide independent bandwidth on each port. Layer 2 switching provides hardware-based bridging (Application Specific Integrated Circuit, ASIC), wire speed, low latency and low cost.
  4. Switching Basics: Switches do not modify the data packet; they only read the frame encapsulating the packet. This makes the switching process considerably faster and less error-prone than the routing process.
  5. Switches create private collision domains (figure slide).
  6. Bridging vs. LAN Switching: Bridges are software based, while switches are hardware based because switches use ASIC chips to help make filtering decisions. A switch is basically a multiport bridge. Bridges can only have one spanning tree instance per bridge, while switches can have many. Switches have a larger number of ports.
  7. Bridges and Switches: Both possess multiple collision domains but one broadcast domain. Both learn MAC addresses by examining the source address of each frame received. Both make forwarding decisions based on layer 2 addresses.
  8. Functions of a Switch. Address learning: Layer 2 switches remember the source hardware address of each frame received on an interface and enter this information into a MAC database called the forward/filter table. Forward/filter decision: when a frame is received on an interface, the switch looks at the destination hardware address and finds the exit interface in the MAC database. The frame is only forwarded out the specified destination port.
  9. Functions of a Switch. Loop avoidance: if multiple connections between switches are created for redundancy, network loops can occur. Spanning Tree Protocol (STP) is used to stop network loops while still permitting redundancy.
  10. Address Learning: When a switch is first powered on, the MAC forward/filter table is empty. When an interface receives a frame, the switch places the frame's source address in the MAC forward/filter table, allowing it to remember which interface the sending device is located on. The switch then floods this frame out of every port except the source port, because it has no idea where the destination device is actually located.
  11. Address Learning: If a device answers this flooded frame and sends a frame back, the switch takes the source address from that frame and places that MAC address in the database as well, associating it with the interface that received the frame. Since the switch now has both relevant MAC addresses in its filtering table, the two devices can make a point-to-point connection.
  12. Forward/Filter Decisions: When a frame arrives at a switch interface, the destination hardware address is compared to the MAC forward/filter table. If the destination hardware address is known and listed in the database, the frame is only sent out the correct exit interface. This preserves bandwidth and is called frame filtering.
  13. Forward/Filter Decisions: If the destination hardware address is not listed in the MAC database, the frame is flooded out all active interfaces except the interface on which it was received. If a device answers the flooded frame, the MAC database is updated with that device's interface.
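The learning, flooding and filtering behaviour of slides 8 to 13, replayed as an added Python model (not code from the slide deck; the port names and MAC addresses are constructed):

```python
"""Constructed model of a layer 2 switch's address learning and forward/filter
decisions. Not code from the slide deck; port names and MACs are made up."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Layer2Switch:
    def __init__(self, ports):
        self.ports = list(ports)
        # The MAC forward/filter table: empty at power-on.
        self.mac_table = {}  # source MAC -> interface it was learned on

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame; return the list of ports it is forwarded out of."""
        # Address learning: remember which interface the sender lives on.
        self.mac_table[src_mac] = in_port

        # Forward/filter decision.
        if dst_mac != BROADCAST and dst_mac in self.mac_table:
            out_port = self.mac_table[dst_mac]
            # Destination sits on the same segment as the sender: filter (drop).
            if out_port == in_port:
                return []
            return [out_port]

        # Unknown destination or broadcast: flood out every active
        # interface except the one the frame arrived on.
        return [p for p in self.ports if p != in_port]


def walk_through():
    """Replay the two-host exchange of slides 10 and 11; return table and decisions."""
    sw = Layer2Switch(["e0/1", "e0/2", "e0/3", "e0/4"])
    host_a, host_b = "00:00:00:00:00:0a", "00:00:00:00:00:0b"  # constructed MACs
    decisions = []
    # Host A (on e0/1) sends to B while the table is empty: flooded.
    decisions.append(sw.receive("e0/1", host_a, host_b))
    # B (on e0/2) answers: A is already known, so the reply goes to e0/1 only.
    decisions.append(sw.receive("e0/2", host_b, host_a))
    # A sends again: both MACs are now in the table, point-to-point forwarding.
    decisions.append(sw.receive("e0/1", host_a, host_b))
    # A broadcast is always flooded, regardless of the table contents.
    decisions.append(sw.receive("e0/1", host_a, BROADCAST))
    return sw.mac_table, decisions


if __name__ == "__main__":
    table, steps = walk_through()
    for ports in steps:
        print("forwarded out:", ports or "(filtered)")
    print("forward/filter table:", table)
```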
  14. Loop Avoidance: Redundant links between switches are a good idea because they help prevent complete network failure in the event one link stops working. But with redundant links, frames can be flooded down all redundant links simultaneously, resulting in network loops.
  15. Broadcast Storm: Redundant links may invite the following set of problems. If no loop avoidance scheme is put in place, the switches will flood broadcasts endlessly; the figure on this slide illustrates it.
  16. A device can receive multiple copies of the same frame, since that frame can arrive from multiple segments simultaneously. The figure on this slide demonstrates it best: the server sends a unicast frame to router C. Since it is a unicast frame, switch A forwards the frame and switch B provides the same service, forwarding it too. This is not good, because router C will now receive the unicast frame twice, causing additional overhead on
  17. The MAC address filter table will be totally confused about device locations, because the switch can receive the same frame over more than one link. Multiple loops could be generated, meaning a loop can occur within another loop.
  18. Spanning Tree Protocol: Its main task is to stop loops from occurring at layer 2 (bridges or switches). It monitors the network to find all links, making sure that no loops occur by shutting down redundant links. It uses the Spanning Tree Algorithm (STA) to first create a topology database, then search out and shut down redundant links. With STP running, frames are only forwarded on the links STP has picked.
  19. LAN Switch Types: The LAN switch type decides how a frame is handled when it is received on a switch port. Latency is the time the switch takes to send a frame out an exit port once it has received the frame. There are three switching modes: cut-through (fast forward), fragment free (modified cut-through), and store-and-forward.
  20. Cut-through (fast forward): in this mode the switch only waits for the destination hardware address to be received before it looks up the destination address in the MAC filter table. Fragment free (modified cut-through): in this mode the switch checks the first 64 bytes of a frame for fragmentation before forwarding it; this is the default mode for the Catalyst 1900 series switch. Store-and-forward: in this mode the complete frame is received into the switch's buffer, a CRC is run, and then the switch looks up the destination address in the MAC forward/filter table.
  21. Different switching modes within a frame (figure slide).
  22. Cut-Through: With the cut-through switching method, the LAN switch reads only the destination address, that is, the first six bytes following the preamble. It then looks up the hardware destination address in the MAC switching table, determines the outgoing interface, and proceeds to forward the frame towards its destination. A cut-through switch reduces latency because it begins to forward the frame as soon as it reads the destination address and determines the outgoing interface.
  23. Fragment Free (Modified Cut-Through): This is a modified form of cut-through switching in which the switch waits for the collision window (64 bytes) to pass before forwarding. This is because if a packet has a collision error, it almost always occurs within the first 64 bytes. This means each frame is checked into the data field to make sure no fragmentation has occurred. Fragment free mode provides better error checking than cut-through mode with practically no increase in latency. It is the default switching mode for 1900 switches.
  24. Store-and-Forward: This is Cisco's primary LAN switching method. The LAN switch copies the entire frame into its onboard buffers and then computes the CRC (Cyclic Redundancy Check). Since it copies the entire frame, latency through the switch varies with frame length. The frame is discarded if it contains a CRC error, if it is too short (less than 64 bytes including the CRC), or if it is too long (more than 1518 bytes including the CRC). If the frame doesn't contain any error, the LAN switch looks up the destination hardware address in its MAC forward/filter table to find the correct outgoing interface.
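An added Python illustration of slides 19 to 24 (not code from the slide deck): how many bytes each switching mode reads before it can decide, and the runt, giant and CRC checks a store-and-forward switch applies; the MAC addresses and payloads are constructed.

```python
"""Constructed checks behind the three switching modes: how much of a frame
each mode reads before deciding, and the drop tests store-and-forward applies.
Not code from the slide deck."""
import zlib

MIN_FRAME = 64     # collision window, bytes including the 4-byte CRC (FCS)
MAX_FRAME = 1518   # maximum untagged frame, bytes including the CRC
HEADER_LEN = 14    # destination MAC (6) + source MAC (6) + type/length (2)

# Bytes a switch must receive before it can make its forwarding decision.
BYTES_BEFORE_DECISION = {
    "cut-through": 6,           # just the destination hardware address
    "fragment-free": 64,        # the whole collision window
    "store-and-forward": None,  # the complete frame, then run the CRC
}


def fcs(body):
    """Ethernet FCS: CRC-32 over everything after the preamble, sent LSB first."""
    return zlib.crc32(body).to_bytes(4, "little")


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Assemble header + payload + CRC (constructed sample frames only)."""
    body = dst_mac + src_mac + ethertype.to_bytes(2, "big") + payload
    return body + fcs(body)


def bytes_read_before_forward(mode, frame):
    """How much of the frame the given mode has seen when it forwards."""
    limit = BYTES_BEFORE_DECISION[mode]
    return len(frame) if limit is None else min(limit, len(frame))


def store_and_forward_check(frame):
    """Return None if the frame would be forwarded, else the reason it is dropped."""
    if len(frame) < MIN_FRAME:
        return "runt"
    if len(frame) > MAX_FRAME:
        return "giant"
    if fcs(frame[:-4]) != frame[-4:]:
        return "crc-error"
    return None


if __name__ == "__main__":
    dst, src = bytes.fromhex("0000000000b1"), bytes.fromhex("0000000000a1")
    good = build_frame(dst, src, 0x0800, b"\x00" * 46)  # exactly 64 bytes
    for mode in BYTES_BEFORE_DECISION:
        print(mode, "reads", bytes_read_before_forward(mode, good), "bytes")
    print("good frame:", store_and_forward_check(good))
```

Note that cut-through and fragment-free forward a frame with a bad CRC unchanged, because neither has read the trailer when it decides; only store-and-forward drops it.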
  25. Spanning Tree Terms. STP: a bridge protocol that uses the STA to find redundant links dynamically. It creates a spanning tree topology database. Bridges exchange BPDU messages with other bridges.
  26. Configuring 1900 & 2950 Catalyst switches. We will cover the following tasks: setting the password, setting the hostname, configuring the IP address and subnet mask, setting a description on the interface, erasing the switch configuration, configuring VLANs, adding VLAN membership to a switch port, creating a VTP domain, and configuring trunking.
  27. Setting the password, 1900 series: It uses the same command to set both the user level password and the privileged password, but with different level numbers: level 1 for user level and level 15 for privileged level. Password length should be from 4 to 8 characters.
      Setting the user password:       switch(config)# enable password level 1 cisco
      Setting the privileged password: switch(config)# enable password level 15 cisco
  28. Setting the password, 2950 series: To set the user mode password on the 2950 switch, we configure the line just as we would on a router.
      Console: switch(config)# line console 0
               switch(config-line)# password cisco
               switch(config-line)# login
      Telnet:  switch(config)# line vty 0 15
               switch(config-line)# password cisco
               switch(config-line)# login
      The enable secret password is set the same way as on a router:
               switch(config)# enable secret cisco
  29. Setting the hostname: The hostname on a switch is only locally significant, meaning it has no function on the network or in name resolution (with the exception of PPP authentication).
      1900 series: switch(config)# hostname LAN1
      2950 series: switch(config)# hostname LAN1
  30. Setting IP information: Generally a switch doesn't need an IP address at all to manage a LAN. There are exceptions, though; there are two reasons we would probably want to set IP address information on the switch: to manage the switch via Telnet or other management software, and to configure the switch with different VLANs and other network functions.
  31. Setting IP information, 1900 switch: By default no IP address or default gateway is set. We can verify this with the command sh ip in privileged mode (Switch# sh ip). The IP address and default gateway are set from global configuration mode (GCM):
      Switch(config)# ip address <address> <mask>
      Switch(config)# ip default-gateway <address>
  32. Setting IP information, 2950 switch: On the 2950 switch we consider a default VLAN, called VLAN1. Every port on the switch is a member of VLAN1 by default, and we always set the IP address on VLAN1:
      Switch(config)# interface vlan1
      Switch(config-if)# ip address <address> <mask>
      Switch(config-if)# exit
      Switch(config)# ip default-gateway <address>
  33. Configuring Interface Description: We can administratively set a name for each interface on the switches. These descriptions are only locally significant. 1900 switch: the description command is used from interface configuration mode, and spaces can't be used within the description.
      Switch(config)# int e0/1
      Switch(config-if)# description Finance_VLAN
      Switch(config)# int f0/26
      Switch(config-if)# description trunk_to_building_4
  34. Configuring Interface Description, 2950 switch: The description command is used from interface configuration mode, and spaces can be used within the description.
      Switch(config)# int fastEthernet 0/1
      Switch(config-if)# description Sales Printer
      Switch(config)# int f0/12
      Switch(config-if)# description trunk_to_building_4
  35. Erasing the Switch Configuration, 1900 switch: We can't see the contents of NVRAM; we can only view RAM's contents. When we make changes to the switch's running configuration, it automatically copies them to NVRAM. The following command deletes NVRAM's contents:
      Switch# delete nvram
  36. Erasing the Switch Configuration, 2950 switch: The concepts of startup config and running config hold exactly as they do with routers. The following command deletes NVRAM's contents:
      Switch# erase startup-config
  37. Virtual LANs (VLANs): A VLAN is a logical grouping of network users and resources connected to administratively defined ports on a switch. VLANs allow us to break up broadcast domains in a pure switched internetwork, creating smaller broadcast domains within a layer 2 switched internetwork.
  38. How VLANs simplify management: Network adds, moves and changes are achieved by configuring a port into the appropriate VLAN. A group of users needing high security can be put into a VLAN so that no users outside of the VLAN can communicate with them. VLANs are independent of their physical or logical locations. VLANs can enhance network security. VLANs increase the number of broadcast domains and decrease the size of each broadcast domain.
  39. Broadcast Control: All devices in a VLAN are members of the same broadcast domain and receive all broadcasts. By default, broadcasts are filtered from all ports on a switch that are not members of the same VLAN. This is one of the prime benefits of a VLAN-based switched network; otherwise we would face serious problems if all our users were in the same broadcast domain.
  40. Security: In a flat network, anyone connecting to the physical network could access the network resources located on that physical LAN. To observe any or all traffic on that network, one simply has to plug a network analyzer into the hub, and users can join any workgroup just by plugging their workstations into the existing hub. By building VLANs and creating multiple broadcast groups, administrators gain control over each port and user. Since VLANs can be created in accordance with the network resources a user requires, a switch can be configured to inform a network management station of any unauthorized access to network resources. For inter-VLAN communication, we can implement restrictions on the router.
  41. Flexibility and Scalability: By assigning switch ports or users to VLAN groups on a switch or group of switches, we gain the flexibility to add only the users we want into that broadcast domain, regardless of their physical location. When a VLAN becomes too big, we can create more VLANs to keep broadcasts from consuming too much bandwidth.
  42. Physical LAN connected to a router (figure slide).
  43. Switches removing the physical boundary (figure slide).
  44. Static VLAN: These VLANs are created by administrators. An administrator creates static VLANs and then assigns switch ports to each VLAN. Static VLANs are the most secure, comparatively easy to set up and monitor, and work well in a network where the movement of users is controlled. A switch port assigned a VLAN association always maintains that association until an administrator changes the port assignment.
  45. Dynamic VLAN: When the network administrator enters all the host devices' hardware addresses into a database, the switches can be configured to assign VLANs dynamically whenever a host is plugged into a switch. These are called dynamic VLANs. A dynamic VLAN determines a node's VLAN assignment automatically. Using intelligent management software, we can base VLAN assignment on hardware address (MAC address), protocol, or even application to create dynamic VLANs.
  46. Dynamic VLAN: Suppose MAC addresses have been entered into a centralized VLAN management application. If a node is then attached to an unassigned switch port, the VLAN management database can look up the hardware address and assign and configure the switch port to the correct VLAN. This makes management and configuration easier, because if a user moves, the switch assigns them to the correct VLAN automatically. Cisco's VLAN Management Policy Server (VMPS) service lets us set up a database of MAC addresses used for dynamic VLAN assignment; a VMPS database maps MAC addresses to VLANs.
  47. VLAN links: Frames are handled differently according to the type of link they traverse in a switch. Two kinds of link are available in a switched network: access links and trunk links.
  48. Access Link: This type of link is part of only one VLAN, referred to as the native VLAN of the port. Any device attached to an access link is unaware of its VLAN membership; it just assumes it is part of a broadcast domain and has no understanding of the physical network. Switches remove any VLAN information from the frame before it is sent to an access-link device. Access-link devices cannot communicate with devices outside their VLAN unless the packet is routed.
  49. Trunk Link: A trunk link is a 100 or 1000 Mbps point-to-point link between two switches, a switch and a router, or a switch and a server. Trunk links carry the traffic of VLANs 1 to 1005 at a time. Trunking allows us to make a single port part of multiple VLANs at the same time; we can set things up to have a server in two broadcast domains simultaneously, so that users don't have to cross the router to log in and access it. Another advantage of trunking is when connecting switches: trunk links can carry some or all VLAN information across the link, but if the links between switches aren't trunked, only VLAN 1 information is switched across the link by default.
  50. Access and trunk links in a switched network (figure slide).
  51. Creating & Verifying VLANs, 1900 switch. Creating VLANs (mode: GCM):
      Syntax:  Switch(config)# vlan <VLAN number> name <VLAN name>
      Example: switch(config)# vlan 2 name sales
      Verifying VLANs (mode: privileged):
      Switch# show vlan
  52. Creating & Verifying VLANs, 2950 switch. Creating VLANs (mode: privileged, then VLAN database configuration):
      Syntax:  Switch# vlan database
               Switch(vlan)# vlan <VLAN number> name <VLAN name>
               Switch(vlan)# apply
      Example: Switch(vlan)# vlan 2 name sales
               Switch(vlan)# vlan 3 name mkt
               Switch(vlan)# apply
      Verifying VLANs (mode: privileged):
      Switch# show vlan brief
  53. Assigning switch ports to VLANs, 1900 switch (mode: interface specific):
      Syntax:    Switch(config)# int <interface no.>
                 Switch(config-if)# vlan-membership static <VLAN no.>
      Example 1: Switch(config)# int e0/2
                 Switch(config-if)# vlan-membership static 2
      Example 2: Switch(config)# int e0/3
                 Switch(config-if)# vlan-membership static 3
      Example 3: Switch(config)# int e0/4
                 Switch(config-if)# vlan-membership static 2
  54. Assigning switch ports to VLANs, 2950 switch (mode: interface specific):
      Syntax:    Switch(config)# int <interface no.>
                 Switch(config-if)# switchport access vlan <VLAN no.>
      Example 1: Switch(config)# int f0/2
                 Switch(config-if)# switchport access vlan 2
      Example 2: Switch(config)# int f0/3
                 Switch(config-if)# switchport access vlan 3
      Example 3: Switch(config)# int f0/4
                 Switch(config-if)# switchport access vlan 2
  55. Frame Tagging: A switch fabric is a group of switches sharing the same VLAN information. Frame tagging is a frame identification method that uniquely assigns a user-defined ID to each frame; it is also called the VLAN ID or color. How it works: each switch the frame reaches must first identify the VLAN ID from the frame tag, then it finds out what to do with the frame by looking at the information in the filter table. If the frame reaches a switch that has another trunked link, the frame is forwarded out the trunk-link port. Once the frame reaches an exit to an access link matching the frame's VLAN ID, the switch removes the VLAN identifier so that the destination device receives the frame without having to understand its VLAN identification.
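An added Python model of the tagging described in slides 47 to 49 and 55 (not code from the slide deck): a frame is tagged when it leaves a trunk port, the VLAN ID is read from the tag on arrival, and the tag is stripped before delivery on an access link. It assumes IEEE 802.1Q tags, which the slides do not name, and the sample frame is constructed.

```python
"""Constructed model of VLAN frame tagging on trunk and access links, assuming
IEEE 802.1Q tags (an assumption; the slides do not name the tag format).
Not code from the slide deck. Frames carry no FCS here; a real switch
recomputes it after inserting or removing a tag."""
import struct

TPID_8021Q = 0x8100   # tag protocol identifier that marks a tagged frame
TAG_OFFSET = 12       # the tag sits right after the 6-byte dst and src MACs


def tag_frame(frame, vlan_id, priority=0):
    """Insert a 4-byte tag carrying vlan_id (trunk-link egress)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (priority << 13) | vlan_id
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return frame[:TAG_OFFSET] + tag + frame[TAG_OFFSET:]


def read_vlan_id(frame):
    """Return the VLAN ID from the tag, or None if the frame is untagged."""
    if len(frame) < TAG_OFFSET + 4:
        return None
    tpid, tci = struct.unpack("!HH", frame[TAG_OFFSET:TAG_OFFSET + 4])
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def strip_tag(frame):
    """Remove the tag so an access-link device sees an ordinary frame."""
    if read_vlan_id(frame) is None:
        return frame
    return frame[:TAG_OFFSET] + frame[TAG_OFFSET + 4:]


def egress(frame, vlan_id, port):
    """Decide what leaves a port. port is {"mode": "trunk"} or
    {"mode": "access", "vlan": n}. Returns the frame to send, or None."""
    if port["mode"] == "trunk":
        return tag_frame(strip_tag(frame), vlan_id)
    if port["vlan"] == vlan_id:
        return strip_tag(frame)
    return None   # access port belongs to another VLAN: not delivered


def walk_through():
    """A frame from a VLAN 2 host crosses a trunk, then exits on access ports."""
    # Constructed 60-byte frame: dst MAC, src MAC, IPv4 ethertype, zero payload.
    plain = bytes.fromhex("0000000000b1" "0000000000a1" "0800") + b"\x00" * 46
    on_trunk = egress(plain, 2, {"mode": "trunk"})
    vlan_seen = read_vlan_id(on_trunk)        # next switch reads the tag
    to_sales = egress(on_trunk, vlan_seen, {"mode": "access", "vlan": 2})
    to_mkt = egress(on_trunk, vlan_seen, {"mode": "access", "vlan": 3})
    return plain, on_trunk, vlan_seen, to_sales, to_mkt


if __name__ == "__main__":
    plain, on_trunk, vid, to_sales, to_mkt = walk_through()
    print("tagged length", len(on_trunk), "vlan", vid, "sales gets",
          to_sales == plain, "mkt gets", to_mkt)
```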