Switches - Faculty - Genesee Community College
Download
Report
Transcript Switches - Faculty - Genesee Community College
Switches- Chapter 2
CCNA Exploration Semester 3
Modified by Profs. Ward
and Cappellino
1
Topics
Operation of 100/1000 Mbps Ethernet
Switches and how they forward frames
Configure a switch
Basic security on a switch
2
LAN Switching and Wireless
LAN Design
Basic Switch
Concepts- Chp. 2
Wireless
VLANs
STP
VTP
Inter-VLAN
routing
3
CSMA/CD reminder
Shared mediumPhysical shared
cable or hub.
Ethernet was
designed to work
________________
Using _________________________________
____________________________
4
CSMA/CD review…
Device needs to transmit.
It “__________” for signals on the medium.
If it finds signals – ______. If clear – __________.
If the signals of one device are not detected by a
second device, the second device may also start to
transmit causing a ____________________.
Stop sending frame, send ____________
Wait for random time (_____________)
______________ – listen for signals etc.
5
No collisions
______________________ with _________
operation = __________ collisions.
Higher bandwidth Ethernet does not define
collisions – must be fully switched.
Cable length limited if CSMA/CD needed.
________ – always fully switched, full duplex.
(Shared medium must use half duplex in order
to detect collisions.)
6
Switch Port Settings
Auto (default for UTP) - ____________________
with connected device.
Full – sets full-duplex mode
Half - sets half-duplex mode
Auto is fine if _______ types of devices are using it.
Two ports communicate to decide the best mode of operation
Potential problem- if switch uses auto and other device
does not. Switch defaults to half.
Manually setting full-duplex on one end and half on
the other __________________________
7
MDIX auto Interface config command
_________________ whether cable is
straight through or crossover and configures
the interface accordingly
Either cable type can be used in the connection
Depends on IOS version
Enabled by default from 12.2(18)SE or later
Disabled from 12.1(14)EA1 to 12.2(18)SE
_________________ in earlier versions
Switch# configure terminal
EXAMPLE…
Switch(config)# interface
gigabitethernet0/1
Switch(config-if)# speed auto
Switch(config-if)# duplex auto
Switch(config-if)# mdix auto
Switch(config-if)# end
8
Communication types review…
_________ – one sender to one receiver
________________ – one sender, but the
information is sent to all connected receivers.
most user traffic: http, ftp, smtp etc.
Ex: ARP requests
___________ – a frame is sent from one
sender to a specific group of devices
Ex: Group of hosts using videoconferencing.
IP addresses have first octet in range 224 – 239
9
Ethernet frame review…
IEEE 802.3 (Data link layer, MAC sublayer)
7 bytes
1
6
6
2
46 to
1500
4
Preamble Start of Destination Source Length 802.2
Frame
frame
address
address /type
header
check
delimiter
and data sequence
Frame header
data
trailer
802.2 is data link layer LLC sublayer
10
MAC address review…
___________written as _________ hexadecimal
digits. Format varies: 00-05-9A-3C-78-00,
00:05:9A:3C:78:00, or 0005.9A3C.7800.
MAC address __________________ into a ROM
chip on a NIC
Referred to as a burned in address (BIA).
Some manufacturers allow the MAC address to be
_________________.
What is the purpose of MAC address?
11
MAC address review…
Two parts: Organizational Unique Identifier
(___) and number _____________________
MAC address
OUI
1 bit
1 bit
Broadcast Local
Vendor number
22 bits
24 bits
OUI number
Vendor assigns
On the destination MAC address, bit is set if
frame’s address is a ____________________
12
MAC address
Two parts: Organizational Unique Identifier
(OUI) and number assigned by manufacturer.
MAC address
OUI
1 bit
1 bit
Broadcast Local
Vendor number
22 bits
24 bits
OUI number
Vendor assigns
Set if vendor assigned MAC address can be
____________________
13
MAC address
Two parts: Organizational Unique Identifier
(OUI) and number assigned by manufacturer.
MAC address
OUI
1 bit
1 bit
Broadcast Local
Vendor number
22 bits
24 bits
OUI number
Vendor assigns
Assigned to vendor by ________
14
MAC address
Two parts: Organizational Unique Identifier
(OUI) and number assigned by manufacturer.
MAC address
OUI
1 bit
1 bit
Broadcast Local
Vendor number
22 bits
24 bits
OUI number
Vendor assigns
_______________ for the Ethernet device
15
Switch MAC Address Table review…
Table created by mapping the switch port to
MAC address of attached device
Built by inspecting _____________ address
of incoming frames
________________ address checked against
table
Frame sent through correct port
If not in table, frame __________________ on
which it was received
Broadcasts flooded
16
Bandwidth and Throughput review..
What is Bandwidth?
What is Throughput?
Bandwidth is affected by _____________
Full bandwidth for transmission is available
only after any collisions have been
resolved.
Number of nodes sharing the Ethernet
network will have effect on the ___________
17
Collision domain review…
Collision Domain-- __________________________
___________________________________
Collisions ___________ throughput
Shared medium – same collision domain
The more devices – the more collisions
Hub – an average of 60% of bandwidth available
Switch (+ full duplex)
Microsegmentation- connection created by ________
between sending and receiving hosts
Full duplex- dedicated link each way
100% bandwidth in each direction
Link regarded as an individual collision domain if you are
asked to count them.
18
How many collision domains?
19
Broadcast domain review…
Layer 2 switches ________________ broadcasts
Devices linked by switches are ______________
broadcast domain.
We ignore VLANs here – they come later
A _______________________, splits up broadcast
domains
Do not filter broadcast frames
Does not forward broadcasts
Destination MAC address for broadcast is
all 1s, that is FF:FF:FF:FF:FF:FF
20
How many broadcast domains?
No VLANs
21
Network Latency
Latency- ____________________ from the
source to the final destination
Three sources:
___________ – time taken to put signal on
medium and to interpret it on receipt.
____________________ – time spent travelling
on medium
Latency from _______________________
These are either Layer 1, 2, or 3 devices
Depends on number and type of devices.
Routers add more latency than switches.
22
Network congestion
Common causes of congestion:
More powerful PCs that can send and process more
data through the network at higher rates.
Increasing use of remote resources (servers,
Internet) generates more traffic volume.
High-bandwidth applications make more use of
advanced graphics, video etc.
More broadcasts, more congestion.
Need more bandwidth.
________________________________ helps.
23
Control latency
Choose switches that can process data fast
enough for all ports to work simultaneously at
full bandwidth.
Use _______________ rather than ________
where possible.
Switches that lack sufficient processing power can
introduce latency
Routers increase latency on a network
But – balance this against need to split up
broadcast domains
Which is done by routers
24
Remove bottlenecks
Bottlenecks- places on the network where
_____________________________________
Reduce bottlenecks by having several links
Use _______________ so they act as one link with
the combined bandwidth.
Use higher capacity links
25
Switch Forwarding Methods
Current models of Cisco switches now use
only __________________________ of
switching data between ports
Some older switches used Cut Through – it
had two variants: Fast Forward and Fragment
Free
26
Store and forward
_____________________________
Discard any frames that are too short/long
Perform cyclic redundancy check (CRC) and
___________________________
Find correct port and forward frame out that
port
Required for ______________ checks on
converged networks
Allows entry and exit at _________________
27
Cut Through - Fast forward
Read _____________________, through to
the ____________________________ (first 6
bytes after start delimiter)
Look up port and ______________ while
_______________ of frame is still _____________
No error checking or discarding of bad frames
Entry and exit must be same bandwidth
________________________
Corrupt frames could be sent throughout the
network
28
Cut Through – Fragment Free
__________________________________________
______________________________________
Look up port and start forwarding while remainder of
frame (if any) is still coming in.
Most network errors and collisions occur during the first 64
bytes.
Discards collision fragments (too short) but other
bad frames are forwarded
Entry and exit must be ________________
Compromise between Store and forward and Fast
forward methods
29
Symmetric and Asymmetric
Switching
______________ – all ports operate at
___________ bandwidth
__________ – __________ bandwidths may
be used
Ex: greater bandwidth dedicated to a server or
uplink port to prevent bottlenecks
Requires store and forward operation with
memory buffering
Most switches now use _____________
switching to allow ________________
30
Port Based Buffering
Each incoming port has ________________
Frames ________________ until _________
port is free.
Frame destined for busy outgoing port can hold
up all the frames in queue even if their outgoing
ports are free.
Each incoming port has a ______________
amount of memory.
31
Shared Memory Buffering
All incoming frames go in a __________
___________________________________
Switch __________________________ and
forwards it when port is free
Frames do not hold each other up
Flexible use of memory allows larger frames
Important for asymmetric switching where
some ports work at a faster rate than others
32
Layer 2 and Layer 3 Switching
Traditional Ethernet
switches work at ______
They use ___________
___________to make
filtering and forwarding
decisions.
They do not look at layer
3 information.
33
Layer 2 and Layer 3 Switching
______________ can
carry out the same
functions as layer 2
switches.
They can also use
___________________
___________ between
networks.
The can control the
spread of broadcasts.
34
L 3 Switch & Router Comparison
Routers perform __________________________
L3 Switches provide _________ routing functions in
a LAN and reduce the need for dedicated routers
35
Switch CLI is similar to router
Switch>enable
Switch#config t
Switch(config)#int fa 0/1
Switch(config-if)#exit
Switch(config)#line con 0
Switch(config-line)#end
Switch#disable
Switch>
36
Cisco Device manager
____________________
for managing switch.
Access via browser on
PC.
Other GUI options
available but need to be
downloaded/bought.
37
Help, history etc.
Help with_________is similar to router.
Error messages for bad commands – same
as for a router
Command history – same as for router.
Up arrow or Ctrl + P for previous
Down arrow or Ctrl + N for next
Each mode has its own buffer holding 10
commands by default.
38
Storage and start-up
ROM, Flash, NVRAM, RAM generally similar to router.
Boot loader (similar process to router)
Performs low-level _________________
Performs ____________________________
During POST, LEDs blink while a series of tests determine that the
switch is functioning properly- green is good!
If the switch fails POST, the SYST LED turns amber.
________________________________
Loads a ______________ software image into memory and
______________ the switch.
___________________________________ as found in the
config file or alternate location
Boot loader lets you re-install IOS or recover from password
loss.
39
IP address
A switch works “out-of-the-box” without an IP
address (it’s a L2 device) or any other
configuration
IP address lets you access/program the
switch remotely by Telnet, SSH or browser.
Switch needs _______________ IP address.
Programmed on an interface within a VLAN
VLAN ________ is the __________ but is not
very secure for management so best practices
states ______________________________
40
IP address assignment example
First- create a VLAN and assign an IP
address…
S1(config)#int vlan 99 ( or another VLAN)
S1(config-if)#ip address 192.168.1.2
255.255.255.0
S1(config-if)#no shutdown
S1(config-if)#exit
41
IP address assignment
example cont…
Second- assign the appropriate port the switch to
VLAN 99 …
S1(config)#int fa 0/18 (or other interface)
S1(config-if)#switchport mode access
S1(config-if)#switchport access vlan 99
S1(config-if)#exit
S1(config)#
Management information to and from the switch can
now pass via port fa 0/18.
Other ports could be added to VLAN 99 if necessary.
42
Default gateway
S1(config)#ip default-gateway 192.168.1.1
Just like a PC, the switch needs to _______
______________________________ to
exchange switch management traffic
destinations outside its local network
Note _______________________ mode.
43
Configuring a switch as an HTTP server…
Required by a number of web-based
configuration tools available on switches
SW1(config)#ip http server
SW1(config)#ip http authentication enable
(uses enable secret/password for access)
SW1(config)#ip http authentication local
SW1(config)#username admin password
cisco
(log in using this username and password)
44
MAC address table (CAM)
What is the MAC address table used for?
Static MAC addresses:
Inbuilt or configured, _____________
Dynamic MAC addresses:
Learned, __________________________
Note that VLAN number is included in table.
45
Set a static MAC address
example…
SW1(config)#mac-address-table static
000c.7671.10b4 vlan 2 interface fa0/6
46
Save configuration
Copy running-config startup-config
Copy run start- shortened version of command
This assumes that running-config is coming
from RAM and startup-config is going in
NVRAM (file is actually in flash).
Full (formal) version of command would be:
Copy system:running-config flash:startup-config
47
Back up
____________________ can be _________ in
different _____________ using the following
command..
copy startup-config flash:backupJan08
You could go back to this version later if necessary.
Backing up to a TFTP server (same process as for a
router)…
copy system:running-config
tftp://192.168.1.8/sw1config
or try copy run tftp and wait for prompts
copy nvram:startup-config
tftp://192.168.1.8/sw1config
48
Restoring
Coping a saved configuration over the current
configuration
As with a router, you can swap the copy
commands listed previously with the
destination being the startup-config
then issue the _____________ command
Could we use the “copy startup-config
running-config” command?
49
Login Passwords- Review…
The process of securing and removing
passwords is the ______________ for
routers and switches.
What are the different password that can be
set (on a router and switch) ?
50
Configure Encrypted Passwords
By default in the Cisco IOS all passwords,
except for the enable secret password, are
stored in _______________________
Best practice dictate that all passwords
should _____________________
In the Cisco IOS this is done using service
_____________________ command is entered
from global configuration
51
Banners- review…
Banners allow configuration of messages that
______________________________
banner motd “Shut down 5pm Friday”
banner login “No unauthorised access”
Motd will show first if both are configured
Delimiter can be “ or # or any character not in
message.
52
Secure Shell SSH
Similar interface to ______________.
___________ data for transmission.
SW1(config)#line vty 0 15
SW1(config-line)#transport input SSH
Use SSH or telnet or all if you want both enabled
Default is telnet.
To implement SSH you must configure host
domain and _____________________.
53
Common security attacks
____________________: huge numbers of frames
are sent with fake source MAC addresses and fill
up switch’s MAC address table.
_____________: intruder’s DHCP server offers a
replying IP address and supporting information that
designates the intruder as the default gateway
Switch then floods all frames- acting more like a hub
All remote traffic sent to attacker.
________________: attacker PC continually
requests IP addresses from a real DHCP server
Causes all of the leases on the real DHCP server to be
allocated so legitimate requests can not be fulfilled
Type of _____________________________54
DHCP Snooping & Port Security feature
Used to _______________________________
Ports are identified as ___________________.
Trusted ports can __________________________
_________________________________ from a DHCP
If a device on an untrusted port attempts to send a DHCP
response packet into the network, the port is shut down.
Curriculum goes through steps to configure
DHCP snooping on a switch
55
Cisco Discovery Protocol
CDP is _____________ by default.
CDP discovers ________________________
_______________________
CDP traffic is ______________ and could
pose a security risk.
Frames could be captured using Wireshark
showing detailed information which could be used
in an attack
Best practice: _______ unless it is really needed.
56
Common security attacks cont…
_____________ can be used to gain ______
_______________ to a switch
Brute Force Password Attack can be used to
____________________________
DoS Attack can be used to render the Telnet
______________________
57
Ways to Enhance Security
Use ________________________
Even these can be found in time so change them
regularly.
Using ________________ (more to come in
CCNA 4) you can control which devices are
able to access vty lines.
Network security tools for ___________ and
____________________________
A secure network really is a process not a
product
58
Port security
Port security _______________________________
___________________________________
Configure each port to accept
Frames ___________________________________
_________________________________
By default, the port will shut down if the wrong
device connects.
One MAC address only
A small group of MAC addresses
must be brought up again manually
Three ways to configure port security as seen on the
following slides…
59
Static secure MAC address
________________ in interface config mode
Ex: switchport port-security mac-address
000c.7259.0a63 interface fa 0/4
Stored in MAC address table
Shown in running configuration and can be
saved with the rest of the configuration.
60
Dynamic secure MAC address
_____________________
Placed in MAC address table
_____________ in running configuration
Not saved- __________________________
For saving you need Sticky secure MAC
addresses- more to come…
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security
61
Sticky secure MAC address
_____________________
Choose how many can be learned, default 1.
Added to the running configuration
_______________________________ and
still there when switch restarts.
Existing dynamic address(es) will convert to
sticky if sticky learning is enabled
62
Sticky secure MAC address
SW1(config-if)#switchport mode access
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security
maximum 4
SW1(config-if)#switchport port-security
mac-address sticky
63
Violation modes
Violation occurs if
A _____________________________________________
attempts to connect.
An address learned or configured on one secure interface
is ______________________________
Violation modes: protect, restrict, or shutdown
__________ mode causes the ____________________
______________ in the case of a port security violation
The default
___________________________________________
____________________________ until the number of
max. allowable addresses is increased.
Protect mode
of a security violation
Restrict mode
of a security violation
64
Check port security
_____________ commands are popular in
the switch just as they are in routers
Use show port-security int fa 0/4
to see settings on a particular port
Use the show port-security address
command to see the table of secure MAC
addresses
If you don’t need to use a port:
______________________
65
Interface range
A useful command if you want to put the
_________________________________ is:
Switch(config)#interface range fa0/1 - 20
Switch(config-if-range)#
Use this command to disable a range of ports
Good security practice
66