Basic Switching concepts and configuration
University of Science, Ho Chi Minh City, Vietnam
Electronics and Telecommunications Faculty
1 Basic Switch Configuration
2 Switch Security: Management and Implementation
Cisco Networking Academy, Electronics and Telecommunications Faculty, University of Science, Ho Chi Minh City, Vietnam
Objectives
After completing this chapter, you will be able to:
Configure initial settings on a Cisco switch
Configure switch ports to meet network requirements
Configure the management switch virtual interface
Describe basic security attacks in a switched environment
Describe security best practices in a switched environment
Configure the port security feature to restrict network access
1 Basic Switch Configuration
Configure a Switch with Initial Settings
Switch Boot Sequence
1 The switch loads a power-on self-test (POST) program stored in ROM
2 The switch loads the boot loader software (in ROM)
3 The boot loader performs low-level CPU initialization
4 The boot loader initializes the flash file system
5 The boot loader locates and loads a default IOS operating system software image
To find a suitable Cisco IOS image, the switch goes through the following steps:
Step 1 It attempts to boot automatically by using the information in the BOOT environment variable
Note: The boot system command can be used to set the BOOT environment variable
Step 2 If this variable is not set, the switch searches through the flash file system
Step 3 The IOS software then initializes the interfaces using the Cisco IOS commands found in the startup configuration file
Recovering from a System Crash
2 Unplug the switch power cord
3 Reconnect the power cord to the switch and press and hold the Mode button
4 The System LED turns briefly amber and then solid green; release the Mode button
5 The boot loader switch: prompt appears in the terminal emulation software on the PC
The boot loader command line supports commands to format the flash file system, reinstall the operating system software, and recover from a lost or forgotten password
Preparing for Basic Switch Management
+ A console cable is used to connect a PC to the console port of a switch for configuration
+ To remotely manage the switch, the switch must first be configured through the console port
+ If managing the switch from a remote network, a default gateway must also be configured
Default Gateway: 172.17.99.1
Cisco Switch IOS Commands
Enter global configuration mode: S1# configure terminal
Enter interface configuration mode for the SVI: S1(config)# interface vlan 99
Configure the management interface IP address: S1(config-if)# ip address 172.17.99.11 255.255.0.0
Enable the management interface: S1(config-if)# no shutdown
Return to the privileged EXEC mode: S1(config-if)# end
Configure a Switch with Initial Settings
S1# show ip interface brief
<output omitted>
Interface         IP-Address     OK? Method Status  Protocol
Vlan99            172.17.99.11   YES manual up      up
FastEthernet0/18  unassigned     YES unset  up      up
1 Basic Switch Configuration
Configure Switch Ports
Duplex Communication
+ Full-duplex communication increases effective bandwidth by allowing both ends of a connection to transmit and receive data simultaneously: collision free (Gigabit Ethernet and 10 Gb NICs); send AND receive, simultaneously
+ Half-duplex communication is unidirectional: sending and receiving data does not occur at the same time, so collisions can occur; send OR receive
Cisco Switch IOS Commands
Enter global configuration mode: S1# configure terminal
Enter interface configuration mode: S1(config)# interface FastEthernet 0/1
Configure the interface duplex: S1(config-if)# duplex full
Configure the interface speed: S1(config-if)# speed 100
Return to the privileged EXEC mode: S1(config-if)# end
Save the running config to the startup config: S1# copy running-config startup-config
Auto-MDIX
+ Certain cable types (straight-through or crossover) were historically required when connecting devices
+ The automatic medium-dependent interface crossover (auto-MDIX) feature eliminates this problem
+ When auto-MDIX is enabled, the interface automatically detects and appropriately configures the connection
+ When using auto-MDIX on an interface, the interface speed and duplex must be set to auto
Cisco Switch IOS Commands (Auto-MDIX)
Enter global configuration mode: S1# configure terminal
Enter interface configuration mode: S1(config)# interface FastEthernet 0/1
Enable auto-MDIX on the interface: S1(config-if)# duplex auto
                                   S1(config-if)# speed auto
                                   S1(config-if)# mdix auto
Return to the privileged EXEC mode: S1(config-if)# end
Save the running config to the startup config: S1# copy running-config startup-config
Verifying Switch Port Configuration
S1# show mac address-table
Interface Status
serial x is up, line protocol is up
> Proper status for the link
serial x is down, line protocol is down
> A cable is not attached
> Interface problem exists
serial x is up, line protocol is down
> Possible causes: an encapsulation type mismatch; the interface on the other end could be error-disabled; a hardware problem
serial x is administratively down, line protocol is down
> Possible causes: a duplicate IP address exists; the no shutdown command has not been entered
Network Access Layer Issues
Error Type: Description
Input Errors: Total number of errors. It includes runts, giants, no buffer, CRC, frame, overrun, and ignored counts
Runts: Packets that are discarded because they are smaller than the minimum packet size for the medium. For instance, any Ethernet packet that is less than 64 bytes is considered a runt
Giants: Packets that are discarded because they exceed the maximum packet size for the medium. For example, any Ethernet packet that is greater than 1,518 bytes is considered a giant
CRC: CRC errors are generated when the calculated checksum is not the same as the checksum received
Output Errors: Sum of all errors that prevented the final transmission of datagrams out of the interface that is being examined
Collisions: Number of messages retransmitted because of an Ethernet collision
Late Collisions: A collision that occurs after 512 bits of the frame have been
Troubleshooting Network Access Layer Issues
1 Perform a show interface
2 Is the interface up?
3 Verify proper cables; check cables and connectors for damage
4 Verify speed is properly set on both ends
5 Are there indications of EMI/noise? If yes, remove the sources
6 Verify the duplex setting is properly set
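The counter table and the troubleshooting steps above can be applied mechanically to show interfaces output. The following added example (not part of the original slides) parses a constructed sample of that output and reports what the flowchart would have you check; the sample text and the counter values in it are invented for illustration.

```python
import re

# Constructed sample of `show interfaces` output for one port (not a real capture);
# the counters are deliberately non-zero so the diagnosis has something to report.
SAMPLE = """\
FastEthernet0/1 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0cd9.96e8.8a01 (bia 0cd9.96e8.8a01)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     12340 packets input, 1234567 bytes, 0 no buffer
     8 runts, 2 giants, 0 throttles
     37 input errors, 27 CRC, 0 frame, 0 overrun, 0 ignored
     9876 packets output, 987654 bytes, 0 underruns
     5 output errors, 120 collisions, 1 interface resets
     0 babbles, 15 late collision, 0 deferred
"""

# Counter names exactly as IOS prints them in the error table above.
COUNTER_RE = re.compile(
    r"(\d+) (runts|giants|input errors|CRC|output errors|collisions|late collision)\b")

def parse_show_interfaces(text):
    """Extract link state, duplex/speed and the error counters from `show interfaces`."""
    m = re.search(r"^(\S+) is (.+?), line protocol is (\w+)", text, re.M)
    info = {"interface": m.group(1), "status": m.group(2), "protocol": m.group(3)}
    d = re.search(r"^\s*(Full|Half|Auto)-duplex, (\S+),", text, re.M)
    info["duplex"] = d.group(1).lower() if d else None
    info["speed"] = d.group(2) if d else None
    for value, name in COUNTER_RE.findall(text):
        info[name] = int(value)
    return info

def diagnose(info):
    """Walk the troubleshooting flowchart: link state, then cabling/speed/EMI, then duplex."""
    findings = []
    if info["status"] != "up" or info["protocol"] != "up":
        findings.append("interface is not up/up: verify cables and connectors, "
                        "and that no shutdown was entered")
        return findings  # the counter checks only make sense on a working link
    if info.get("late collision", 0):
        findings.append("late collisions: duplex mismatch likely, verify duplex on both ends")
    if info.get("collisions", 0) and info["duplex"] == "half":
        findings.append("collisions on a half-duplex port: expected for half duplex, "
                        "use full duplex if the peer supports it")
    if info.get("CRC", 0) or info.get("runts", 0):
        findings.append("CRC/runt errors: check cables and connectors, look for EMI/noise, "
                        "verify speed on both ends")
    if info.get("giants", 0):
        findings.append("giants: frames larger than 1518 bytes are arriving on this port")
    return findings
```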
2 Switch Security: Management and Implementation
Secure Remote Access
+ Telnet:
  - Most common method
  - Virtual terminal application
  - Sends data in clear text
  - Not secure
  - Telnet uses TCP port 23
+ Secure Shell (SSH):
  - Virtual terminal application
  - Sends an encrypted data stream
  - Is secure
SSH Operation
S1> show version
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE, RELEASE SOFTWARE (fc1)
Use show version to confirm that the IOS image supports SSH: the k9 in the image name indicates a cryptographic feature set
Configuring SSH
+ To enable SSH, the following parameters must be configured:
  - Step 1: Hostname:
    Router(config)# hostname R2
  - Step 2: Domain name: required for SSH
  - Step 3: Generate the RSA key: this step creates an asymmetric key that the router uses to encrypt the SSH management traffic
    The name for the keys will be: R2.scccs.ca
    Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
    How many bits in the modulus [512]: 1024
    % Generating 1024 bit RSA keys, keys will be non-exportable [OK]
  - Step 4: Configure local authentication and vty: you must define a local user
    R2(config)# username student password
    *Mar 1 ... %SSH-5-ENABLED: SSH 1.99 has been enabled
    Use the login local command to search the local database, and assign SSH to the vty lines:
    R2(config)# line vty 0 4
    R2(config-line)# transport input ssh     (makes SSH the only method: no Telnet)
    R2(config-line)# login local
  - Step 5: Configure SSH timeouts: not absolutely necessary for SSH but probably a good idea
    R2(config)#
Test SSH Security
+ To connect to a router configured with SSH, you have to use an SSH client application such as PuTTY or TeraTerm
[Screenshot: PuTTY Configuration dialog, Session category, with the Host Name, Port and connection type (SSH) fields]
+ Choose the SSH option and use TCP port 22
S1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 90 secs; Authentication retries: 2
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format (ssh-rsa, base64 encoded):
<output omitted>
S1# show ssh
Connection Version Mode Encryption  Hmac       State            Username
0          2.0     IN   aes256-cbc  hmac-sha1  Session started  admin
0          2.0     OUT  aes256-cbc  hmac-sha1  Session started  admin
%No SSHv1 server connections running.
S1#
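The show ip ssh and show ssh output above is what you check after enabling SSH. The following added example (not from the original slides) parses constructed copies of that output and compares them with the values shown on the slide (version 2.0, 90 s timeout, 2 retries, 1024-bit DH minimum); the baseline numbers, the "SSH 1.99 means SSHv1 is still accepted" check and the CBC cipher check are this example's own assumptions, and the sample text is invented.

```python
import re

# Constructed `show ip ssh` / `show ssh` output modelled on the slide (not a real capture);
# the values are deliberately weaker than the slide's so the checks have something to flag.
SHOW_IP_SSH = """\
SSH Enabled - version 1.99
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 768 bits
"""
SHOW_SSH = """\
Connection Version Mode Encryption  Hmac       State            Username
0          2.0     IN   aes256-cbc  hmac-sha1  Session started  admin
0          2.0     OUT  aes256-cbc  hmac-sha1  Session started  admin
"""

def audit_ssh(show_ip_ssh, show_ssh, max_timeout=90, max_retries=2, min_dh_bits=1024):
    """Compare the switch's SSH settings with the baseline; an empty list means all checks passed."""
    findings = []
    m = re.search(r"SSH (Enabled|Disabled)(?: - version (\S+))?", show_ip_ssh)
    if not m or m.group(1) != "Enabled":
        return ["SSH is not enabled"]
    if m.group(2) != "2.0":
        # "1.99" means the server still negotiates with SSHv1 clients (assumption stated in lead-in).
        findings.append(f"SSH version {m.group(2)}: SSHv1 still accepted, set ip ssh version 2")
    t = re.search(r"Authentication timeout: (\d+) secs; Authentication retries: (\d+)", show_ip_ssh)
    if t and int(t.group(1)) > max_timeout:
        findings.append(f"authentication timeout {t.group(1)} s exceeds {max_timeout} s")
    if t and int(t.group(2)) > max_retries:
        findings.append(f"authentication retries {t.group(2)} exceeds {max_retries}")
    k = re.search(r"Diffie Hellman key size : (\d+) bits", show_ip_ssh)
    if k and int(k.group(1)) < min_dh_bits:
        findings.append(f"minimum DH key size {k.group(1)} bits is below {min_dh_bits}")
    for line in show_ssh.splitlines()[1:]:  # skip the column header
        cols = line.split()
        if len(cols) < 5:
            continue
        version, cipher = cols[1], cols[3]
        if version != "2.0":
            msg = f"active SSHv{version} session: SSHv1 is in use"
            if msg not in findings:
                findings.append(msg)
        if cipher.endswith("-cbc"):
            # Added check beyond the slide: CBC-mode ciphers are legacy, prefer CTR or GCM.
            msg = f"session cipher {cipher} uses CBC mode, prefer a CTR or GCM cipher"
            if msg not in findings:
                findings.append(msg)
    return findings
```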
2 Switch Security: Management and Implementation
Security Concerns in LANs
MAC Address Flooding
+ Recall that the MAC address table in a switch:
  - Contains the MAC addresses available on a given physical port of a switch
  - Contains the associated VLAN parameters for each
  - Is searched for the destination address of a frame:
    o If it IS in the table, the frame is forwarded out the proper port
    o If it IS NOT in the table, the frame is forwarded out all ports of the switch except the port that received the frame
+ The MAC address table is limited in size
+ Step 1: An intruder uses a network attack tool that continually sends bogus MAC addresses to the switch (e.g. 155,000 MAC addresses per minute)
  - The switch learns each bogus address and in a short span of time the table becomes full
+ Step 2: When a switch MAC table becomes full and stays full, it has no choice but to forward each frame it receives out of every port, just like a hub
  - The intruder can now see all the traffic on the switch
[Figure: MAC address flooding; frames with bogus source MACs XXXX.XXXX.XXXX and YYYY.YYYY.YYYY arrive at the switch, PC A is on Fa0/2]
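A switch under MAC flooding shows up first in its own MAC address table: one port learns far more dynamic addresses than any access port should. The following added example (not part of the original slides) parses a constructed show mac address-table listing and flags such ports; the per-port limit of 8 and the 8192-entry table capacity are assumptions to adapt to the switch and the number of hosts expected behind each port.

```python
import re
from collections import Counter

# One entry line of `show mac address-table`: VLAN, MAC, type, port.
ENTRY_RE = re.compile(
    r"^\s*(All|\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(STATIC|DYNAMIC)\s+(\S+)", re.I)

def parse_mac_table(text):
    """Yield (vlan, mac, type, port) tuples, skipping the header and separator lines."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3).upper(), m.group(4)

def flood_suspects(text, per_port_limit=8, capacity=8192):
    """Count dynamic MACs per port; report ports over the limit and how full the table is.

    per_port_limit and capacity are assumptions: choose the limit from the hosts expected
    behind an access port, and the capacity from the switch model's MAC table size.
    """
    per_port = Counter(port for _, _, typ, port in parse_mac_table(text) if typ == "DYNAMIC")
    total = sum(per_port.values())
    suspects = {port: n for port, n in per_port.items() if n > per_port_limit}
    return {"dynamic_total": total, "fill_ratio": total / capacity, "suspect_ports": suspects}

def build_sample(bogus=300):
    """Constructed table: two normal hosts plus `bogus` made-up addresses learned on Fa0/3."""
    rows = ["          Mac Address Table",
            "-------------------------------------------",
            "Vlan    Mac Address       Type        Ports",
            "----    -----------       --------    -----",
            " All    0100.0ccc.cccc    STATIC      CPU",
            "   1    000c.29aa.0001    DYNAMIC     Fa0/1",
            "   1    000c.29aa.0002    DYNAMIC     Fa0/2"]
    rows += [f"   1    dead.beef.{i:04x}    DYNAMIC     Fa0/3" for i in range(bogus)]
    return "\n".join(rows)

if __name__ == "__main__":
    report = flood_suspects(build_sample())
    for port, count in report["suspect_ports"].items():
        print(f"{port}: {count} dynamic MACs, possible MAC flooding; limit learning with port security")
```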
DHCP Spoofing
+ DHCP Spoofing:
  - An attacker configures a fake DHCP server on the network to issue DHCP addresses to clients
  - The normal reason for this attack is to force the clients to use false Domain Name System (DNS) or Windows Internet Naming Service (WINS) servers
  - DHCP starvation is often used before a DHCP spoofing attack
  - To mitigate DHCP attacks, use the DHCP snooping and port security features
+ DHCP starvation: eventually the pool of addresses is used up and actual users cannot access the network, a denial-of-service (DoS) attack
Leveraging Cisco Discovery Protocol
+ The Cisco Discovery Protocol (CDP) is a Layer 2 Cisco proprietary protocol used to discover other directly connected Cisco devices
+ CDP is designed to allow the devices to auto-configure their connections
+ By default, most Cisco routers and switches have CDP enabled on all ports
+ CDP advertisements contain information about the device, including the native VLAN, which an attacker can use to find out how the network is configured
Note: Cisco recommends disabling CDP when not in use