This chapter starts by discussing the key elements of Ethernet/802.3 networks: CSMA/CD; unicast, multicast and broadcast communication; the Ethernet frame; the MAC address; duplex settings (half-duplex and full-duplex); switch port settings; auto-MDIX; and the switch MAC table.
After that, it discusses the design considerations for Ethernet networks: bandwidth, throughput, goodput, collision domains, broadcast domains, LAN segmentation, and network latency.
It then covers the switch forwarding modes (store-and-forward and cut-through) and the difference between symmetric and asymmetric switching;
memory buffering (port-based memory and shared memory);
the difference between Layer 3 switches and routers;
Cisco switch CLI commands, accessing the command history, the switch boot sequence and recovering from a system crash;
managing the MAC address table (dynamic and static MAC addresses) and backing up configuration files to a TFTP server;
configuring switch passwords and password recovery, and configuring Telnet and SSH.
Common security attacks are then introduced: MAC address flooding, spoofing attacks, CDP attacks and Telnet attacks.
Finally: switch port security, sticky port security, the security violation modes (protect, restrict and shutdown), and verifying port security.
If you found any mistakes on these slides or if you have any other questions or comments, please feel free to contact me at:
abdu.elsaid@gmail.com or abdu.elsaid@yahoo.com
LinkedIn: https://www.linkedin.com/in/AbdelkhalikMosa
Twitter: https://twitter.com/AbdelkhalikMosa
Facebook: https://www.facebook.com/Abdelkhalik.Mosa
Thanks,
Abdelkhalik Elsaid Mosa
Suez Canal University
Faculty of Computers and Informatics - Ismailia - Egypt
Key Elements of Ethernet/802.3 Networks: CSMA/CD
• Carrier Sense
• Multiple Access
• Collision Detection
• JAM signal
• Random backoff
Key Elements of Ethernet/802.3 Networks: Ethernet Frame
• MAC address
• Ethernet frame
Key Elements of Ethernet/802.3 Networks: Duplex Settings
• Half duplex
• Full duplex
Key Elements of Ethernet/802.3 Networks: Switch Port Settings
• Switch port settings: ports on a Cisco Catalyst 2960 Series switch can be configured as follows:
– auto: allows the two ports to communicate in order to decide the mode.
– full: sets full-duplex mode.
– half: sets half-duplex mode.
• auto-MDIX: when the auto-MDIX feature is enabled, the switch detects the required cable type for copper Ethernet connections and configures the interfaces accordingly.
Switch# conf t
Switch(config)# interface f0/1
Switch(config-if)# speed auto
Switch(config-if)# duplex auto
Switch(config-if)# mdix auto
Switch(config-if)# end
Key Elements of Ethernet/802.3 Networks: Switch MAC Table
(figure: MAC address learning sequence, steps 1 to 6)
The initial MAC address table is empty.
Design Considerations for Ethernet Networks: Transfer Capacity
• Differences between bandwidth, throughput and goodput:
1. Bandwidth (theoretical): the capacity of a medium to carry data in a given amount of time. Usually measured in kbps or Mbps.
2. Throughput (practical): the measure of the transfer of bits across the media over a given period of time. Throughput <= Bandwidth. The number of devices affects the throughput.
3. Goodput (qualitative): the measure of usable data transferred over a given period of time; application-level throughput. Goodput = Throughput - traffic overhead for establishing sessions, acknowledgements, and encapsulation.
Design Considerations for Ethernet Networks
• Broadcast and collision domains
– Each switch reduces the size of the collision domain on the LAN to a single link.
– Each router reduces the size of the broadcast domain on the LAN.
• LAN segmentation
Design Considerations for Ethernet Networks: Network Latency
• Network latency: the time a frame or a packet takes to travel from the source station to the final destination.
Switch Forwarding Methods
1. Store-and-forward
2. Cut-through (fast-forward switching or fragment-free switching)
Symmetric and Asymmetric Switching
• Switching may be classified as symmetric or asymmetric based on the way in which bandwidth is allocated to the switch ports.
Memory Buffering
• The switch uses a buffering technique to store and forward frames, and to hold frames when the destination port is busy.
• The switch stores the data in a memory buffer.
• The memory buffer can be port-based memory or shared memory.
Layer 3 Switching
• Layer 3 switches are superfast routers that do Layer 3 forwarding in hardware.
Switch Management Configuration
• To be able to Telnet to or from the switch you should set an IP address and the default gateway on the switch.
• A Layer 2 switch, such as the 2960, only permits a single VLAN interface to be active at a time.
Switch Management Configuration: Managing the MAC Address Table
• show mac-address-table
The MAC address table was previously referred to as Content Addressable Memory (CAM) or as the CAM table.
• Dynamic MAC addresses: source MAC addresses that the switch learns and then ages out when they are not in use. The default aging time is 300 seconds.
• Static MAC addresses: MAC addresses assigned to certain ports by the network admin. Static addresses are not aged out.
mac-address-table static <MAC address> vlan {1-4096, ALL} interface interface-id
• The maximum size of the MAC table varies, but it is 8192 entries on the Catalyst 2960.
Password Recovery
• Password recovery steps:
1. Press the Mode button for a while // load the boot loader
2. flash_init // initialize the flash file system
3. rename flash:config.text flash:config.text.old // rename the saved configuration
4. boot // boot the system
5. rename flash:config.text.old flash:config.text
6. copy flash:config.text system:running-config
7. Change the passwords
8. Save the changes
9. Reload
• dir flash: // display the contents of flash memory
Banner and Clearing Configuration
• Banner commands
1. FCI(config)# banner MOTD “Device maintenance on Friday!”
2. FCI(config)# banner LOGIN “Authorized Personnel Only!”
• Clearing configuration information
Switch# erase nvram: or Switch# erase startup-config
• Deleting a stored configuration file
Switch# delete flash:filename
Configuring Telnet and SSH
FCI(config)# crypto key zeroize rsa // delete the RSA key pair
After the RSA key pair is deleted, the SSH server is automatically disabled.
• Time-out: the amount of time the switch allows for a connection to be established.
• FCI(config)# ip ssh {timeout seconds | authentication-retries number}
Solving Spoofing Attacks using Snooping and Port Security
• DHCP snooping: a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests.
1. S(config)# ip dhcp snooping
2. S(config)# ip dhcp snooping vlan {number}
3. S(config-if)# ip dhcp snooping trust
4. (Optional) Limit the rate at which an attacker can continually send bogus DHCP requests through untrusted ports to the DHCP server using the ip dhcp snooping limit rate command.
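The trust boundary that DHCP snooping enforces, as an added toy model (not Cisco code): server messages arriving on untrusted ports are dropped, trusted ports are not inspected, and an untrusted port that exceeds its per-second request limit is err-disabled. Port names, message types and the limit value are constructed for the example.

```python
"""Toy model of DHCP snooping: trusted vs untrusted ports and rate limiting (constructed)."""
from collections import defaultdict

SERVER_MSGS = {"OFFER", "ACK", "NAK"}  # only a DHCP server legitimately sends these


class DhcpSnooping:
    def __init__(self, trusted_ports, rate_limit=None):
        self.trusted = set(trusted_ports)   # ports configured with: ip dhcp snooping trust
        self.rate_limit = rate_limit        # ip dhcp snooping limit rate N (packets per second)
        self.count = defaultdict(int)       # (port, second) -> DHCP packets seen
        self.err_disabled = set()           # ports disabled after exceeding the rate limit

    def check(self, port, msg_type, second=0):
        """Decide what happens to one DHCP message: 'forward', 'drop' or 'err-disabled'."""
        if port in self.err_disabled:
            return "err-disabled"
        if port in self.trusted:
            return "forward"                # trusted ports (toward the real server) are not filtered
        if msg_type in SERVER_MSGS:
            return "drop"                   # a server reply on an untrusted port is a rogue server
        if self.rate_limit is not None:
            self.count[(port, second)] += 1
            if self.count[(port, second)] > self.rate_limit:
                self.err_disabled.add(port)  # flood of client requests: shut the port down
                return "err-disabled"
        return "forward"                    # normal client request from an untrusted port
```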
Common Security Attacks (CDP Attacks)
• It is recommended that you disable the use of CDP on devices that do not need to use it.
Common Security Attacks (Telnet Attacks)
• Types of Telnet attacks
1. Brute-force password attack: guesses passwords and uses a program to establish a Telnet session using each guessed password.
• Solution: change your password frequently, use strong passwords, and limit who can communicate with the vty lines.
2. DoS attack: the attacker exploits a flaw in the Telnet server software running on the switch that renders the Telnet service unavailable.
• Solution: update to the newest version of the Cisco IOS.
Configuring Port Security
• Port security enables you to:
– Specify a group of valid MAC addresses allowed on a port.
– Allow only the specified MAC addresses to access the port.
– Specify that the port will automatically shut down if unauthorized MAC addresses are detected.
• Secure MAC address types
1. Static secure MAC addresses: MAC addresses are manually configured by using the switchport port-security mac-address mac-address command.
2. Dynamic secure MAC addresses: MAC addresses are dynamically learned and stored only in the address table.
3. Sticky secure MAC addresses: you can configure a port to dynamically learn MAC addresses and then save these MAC addresses to the running configuration using switchport port-security mac-address sticky.
Security Violation Modes
• A security violation occurs when either of these situations occurs:
– The maximum number of secure MAC addresses has been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
– An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
• Security violation modes
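The empty-table MAC learning from the switch MAC table section and the port security behaviour from the last two sections, combined in one added toy model (constructed for this page, not Cisco code): each frame's source MAC is learned on its ingress port, secure ports enforce a maximum and the two violation conditions above, and the protect, restrict and shutdown modes react differently. Port names and MAC addresses are made up.

```python
"""Toy switch: MAC table learning plus port security with violation modes (constructed)."""
from dataclasses import dataclass, field


@dataclass
class Port:
    secure: bool = False          # switchport port-security
    maximum: int = 1              # switchport port-security maximum N
    violation: str = "shutdown"   # protect | restrict | shutdown
    sticky: bool = False          # switchport port-security mac-address sticky
    secure_macs: set = field(default_factory=set)
    sticky_config: list = field(default_factory=list)  # lines saved to running-config
    violations: int = 0           # SecurityViolation counter (restrict and shutdown only)
    err_disabled: bool = False


class Switch:
    def __init__(self, ports):
        self.ports = {p: Port() for p in ports}
        self.mac_table = {}  # MAC -> port; starts empty and is filled by source learning

    def enable_port_security(self, port, maximum=1, violation="shutdown",
                             sticky=False, static=()):
        p = self.ports[port]
        p.secure, p.maximum, p.violation, p.sticky = True, maximum, violation, sticky
        p.secure_macs.update(static)  # static secure MAC addresses

    def receive(self, port, src, dst):
        """Process one frame; returns 'flood', 'forward', 'drop' or 'err-disabled'."""
        p = self.ports[port]
        if p.err_disabled:
            return "err-disabled"
        if p.secure and src not in p.secure_macs:
            seen_elsewhere = any(src in q.secure_macs for n, q in self.ports.items()
                                 if q.secure and n != port)
            if len(p.secure_macs) >= p.maximum or seen_elsewhere:
                return self._violate(p)
            p.secure_macs.add(src)  # dynamic secure address
            if p.sticky:
                p.sticky_config.append(f"switchport port-security mac-address sticky {src}")
        self.mac_table[src] = port  # learn the source MAC on the ingress port
        return "forward" if dst in self.mac_table else "flood"  # unknown destination floods

    def _violate(self, p):
        if p.violation == "protect":
            return "drop"               # silently dropped, counter untouched
        p.violations += 1               # restrict: drop and count (logged in IOS)
        if p.violation == "shutdown":
            p.err_disabled = True       # shutdown: port goes err-disabled
            return "err-disabled"
        return "drop"
```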