Hierarchical network design: dividing the network into discrete layers. Each layer provides specific functions that define its
role within the overall network.
The typical hierarchical design model is broken up into three layers:
access,
distribution,
core.
Access layer
interfaces with the end devices (PCs, printers, switches, IP telephones, etc).
Controls which devices are allowed to communicate over the network.
Distribution Layer
Aggregates the traffic coming from the access layer,
Controls the traffic flow according to the policies (ACLs).
Divides the network into multiple segments (VLANs),
Routes traffic between VLANs.
Typically high performance switches
Uses redundant links
Core Layer
High speed backbone of the network.
Allows interconnectivity of the distribution layer switches.
High availability (redundant links)
Usually connects to the Internet
Just because a network seems to have a hierarchical design does not mean that the network
is well designed.
Modular Switches :
Allows installation of modular line cards (interfaces)
Different sized chassis options
The larger the chassis, the more modules it can support.
Stackable Switches
Allows interconnection with a special backplane cable.
All operate as a single switch
Used where fault tolerance and bandwidth availability are critical
CCNA Exploration-3 LAN Switching And Wireless
Ethernet Communications
Unicast
Broadcast
Multicast
Duplex Setting
Half Duplex
Full Duplex
Collision Domains
Each switch port is its own collision domain; creating more (and therefore smaller) collision domains increases the usable throughput.
Broadcast Domains
Switches forward broadcast frames out every port in the same VLAN except the one the frame arrived on.
A collection of interconnected switches (with no VLANs configured) forms a single broadcast domain.
Switches segment collision domains; routers and VLANs segment broadcast domains (a router bounds both).
Network Latency
Latency is the time a frame or a packet takes to travel from the source station to the final destination.
1. NIC delay : The time it takes the source NIC to place the signal (voltage pulses) on the wire.
2. Propagation delay : The time it takes a signal to travel through the cable.
3. Networking device delay : Each networking device adds to the total latency.
Network Congestion
The primary reason for segmenting a LAN into smaller parts is to isolate traffic and to achieve better use of
bandwidth per user. The following contribute to network congestion:
Increasingly powerful computer and network technologies.
Increasing volume of network traffic
High-bandwidth applications
LAN Segmentation
Using bridges and switches
Using routers
Removing Bottlenecks
Increasing bandwidth
Adding more connections
Link aggregation
Store-and-Forward Switching
1. Stores the entire frame in its buffers.
2. Checks the CRC (the frame check sequence); a frame with an error is dropped.
3. If no error is detected, looks up the destination MAC in the MAC table, and
4. forwards the frame.
Notes: QoS mechanisms require store-and-forward switching. It is the slowest mode (highest latency) but has high integrity: corrupted frames and collision fragments never reach the next segment.
Cut-through Switching
Fast-Forward switching:
1. As soon as the destination MAC address is read, the switch
2. looks up the destination MAC in the table, and
3. starts forwarding the frame.
4. No error checking can be performed (bad frames are propagated).
5. Fast (low latency) and low integrity.
Fragment-free switching:
1. The switch reads the first 64 bytes of a frame (the minimum frame size; a collision fragment, or runt, is shorter than this).
2. Then forwards the frame.
3. A compromise between store-and-forward and cut-through: runts are caught, CRC errors are not.
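The three forwarding modes above differ only in how much of the frame has been seen before the forwarding decision is made. The following Python simulation is an added example (not part of the CCNA course material or of any Cisco code) that builds a real Ethernet II frame with a correct IEEE 802.3 FCS, then feeds a good frame, a frame with one flipped bit, and a 40-byte collision fragment through each mode. The MAC addresses and the one-entry MAC table are constructed for the example.

```python
import struct
import zlib

# Constructed sample MAC addresses (not from the course material).
PC_A = bytes.fromhex("0200000000aa")
PC_B = bytes.fromhex("0200000000bb")
MODES = ("store-and-forward", "fast-forward", "fragment-free")


def build_frame(dst, src, ethertype, payload):
    """Ethernet II frame: 14-byte header, payload padded to the 46-byte minimum, 4-byte FCS.
    The IEEE 802.3 FCS is the CRC-32 that zlib.crc32 computes, sent least-significant byte first."""
    body = dst + src + struct.pack("!H", ethertype) + payload.ljust(46, b"\x00")
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def fcs_ok(frame):
    """Recompute the CRC over everything but the trailing FCS and compare."""
    return frame[-4:] == struct.pack("<I", zlib.crc32(frame[:-4]) & 0xFFFFFFFF)


def switch(mode, frame, mac_table):
    """Forwarding decision for one frame. Returns the egress port, "flood" for an
    unknown destination, or None when the switch drops the frame."""
    if mode == "store-and-forward":
        # The whole frame is buffered first, so both runts and FCS errors are caught.
        if len(frame) < 64 or not fcs_ok(frame):
            return None
    elif mode == "fragment-free":
        # Only the first 64 bytes are examined: collision fragments (runts) are
        # caught, but a corrupted frame of legal length is still forwarded.
        if len(frame) < 64:
            return None
    elif mode == "fast-forward":
        # Forwarding starts as soon as the 6-byte destination has been read;
        # nothing after it is checked.
        pass
    else:
        raise ValueError(f"unknown switching mode {mode!r}")
    return mac_table.get(frame[:6], "flood")


def demo():
    """Run the three modes over a good frame, a corrupted frame and a runt."""
    mac_table = {PC_B: "Fa0/2"}  # PC_B was learned earlier on Fa0/2
    good = build_frame(PC_B, PC_A, 0x0800, b"hello")
    corrupted = bytearray(good)
    corrupted[20] ^= 0x01  # single bit flip inside the payload: the FCS no longer matches
    corrupted = bytes(corrupted)
    runt = good[:40]  # 40 bytes on the wire: what a collision fragment looks like
    return {
        name: {mode: switch(mode, frame, mac_table) for mode in MODES}
        for name, frame in (("good", good), ("corrupted", corrupted), ("runt", runt))
    }


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(f"{name:10s} {decisions}")
```

Only store-and-forward drops the corrupted frame; fast-forward forwards both the corrupted frame and the runt; fragment-free stops the runt but passes the corrupted frame on. That is the integrity/latency trade-off the list above describes.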
Asymmetric Switching
Switch ports have different bandwidth connections.
Memory buffering is required
Uses store-and-forward switching
Symmetric Switching
Switch ports have all same bandwidth connections.
Assigning a management IP address:
1. The IP address is assigned to a switch virtual interface (SVI) that belongs to a VLAN.
2. VLAN 1 is the default management VLAN (it should be changed to a dedicated VLAN).
3. At least one physical interface must be a member of the management VLAN, otherwise the SVI stays down and the switch is unreachable.
Managing the MAC Address Table
Switch# show mac address-table      (older IOS releases use the keyword mac-address-table)
Dynamic addresses
o Learned by the switch by recording the source MAC address of each incoming frame together with the port it arrived on.
o Age out (are dropped) after 300 sec (default) without a frame from that source.
Static Addresses
o Entered by the network administrator; they never age out and are not moved by a frame that claims the same source address on another port.
o Switch(config)# mac address-table static <MAC_Addr> vlan <vlan_no> interface <int_id>
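The MAC table rules above (learn the source on the ingress port, flood unknown destinations and broadcasts within the VLAN, age dynamic entries out after 300 s, never override a static entry) are easy to state but the interactions matter. This Python model is an added example, not course material or Cisco code; the port set, MAC addresses and timestamps are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"
AGING_SECONDS = 300  # IOS default aging time for dynamic entries

# Constructed sample topology (not from the course material): three access ports in VLAN 10.
PORTS = {10: {"Fa0/1", "Fa0/2", "Fa0/3"}}
PC_A, PC_B, PC_C = "02:00:00:00:00:aa", "02:00:00:00:00:bb", "02:00:00:00:00:cc"
SERVER = "02:00:00:00:00:01"


class MacTable:
    def __init__(self, ports, aging=AGING_SECONDS):
        self.ports = ports
        self.aging = aging
        self.entries = {}  # (vlan, mac) -> {"port": str, "static": bool, "seen": seconds or None}

    def add_static(self, vlan, mac, port):
        """Administrator-entered entry: never ages, never relearned from traffic."""
        self.entries[(vlan, mac)] = {"port": port, "static": True, "seen": None}

    def lookup(self, vlan, mac):
        entry = self.entries.get((vlan, mac))
        return entry["port"] if entry else None

    def _expire(self, now):
        stale = [k for k, e in self.entries.items()
                 if not e["static"] and now - e["seen"] > self.aging]
        for k in stale:
            del self.entries[k]

    def receive(self, now, vlan, in_port, src, dst):
        """Process one frame: learn the source, then return the list of egress ports."""
        self._expire(now)
        current = self.entries.get((vlan, src))
        if current is None or not current["static"]:
            # Dynamic learning: (re)record the source on the port it arrived on.
            self.entries[(vlan, src)] = {"port": in_port, "static": False, "seen": now}
        # A static entry is left alone even if a frame claims that source on another port.
        out = self.lookup(vlan, dst)
        if dst == BROADCAST or out is None:
            # Broadcast, or unknown unicast: flood within the VLAN, never back out the ingress port.
            return sorted(p for p in self.ports[vlan] if p != in_port)
        return [] if out == in_port else [out]


def demo():
    table = MacTable(PORTS)
    result = {}
    result["unknown_dst"] = table.receive(0, 10, "Fa0/1", PC_A, PC_B)     # PC_B unknown: flooded
    result["reply"] = table.receive(1, 10, "Fa0/2", PC_B, PC_A)           # PC_A known: one port
    result["after_aging"] = table.receive(400, 10, "Fa0/3", PC_C, PC_A)   # PC_A aged out: flooded again
    table.add_static(10, SERVER, "Fa0/3")
    table.receive(401, 10, "Fa0/1", SERVER, PC_C)  # frame with the server's address as source on Fa0/1
    result["static_port"] = table.lookup(10, SERVER)                      # still Fa0/3
    return result


if __name__ == "__main__":
    print(demo())
```

The last step is the practical reason for static entries on ports that carry critical hosts: a dynamically learned address would have moved to Fa0/1 the moment a frame with that source arrived there, and traffic for the server would follow it.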
Backing up a Configuration
copy running-config startup-config
copy startup-config flash:config.bak1 (saving the config to another file)
Restoring a Configuration
copy flash:config.bak1 startup-config
reload
2.4.3 Configure Telnet and SSH
Two choices that can be used to remotely access to Cisco switches:
Telnet
Default vty-supported protocol on Cisco switches
Supported also on older Cisco switches
Sends the communication in clear text => not secure
SSH
Sends the communication in encrypted form => is secure (use SSH version 2).
An SSH client on the client computers and the SSH server on the switch must be running.
SSH uses the switch's RSA key pair to authenticate the switch to the client and negotiates a symmetric cipher such as 3DES or AES for the session (single DES is obsolete and should not be used).
To configure SSH, the RSA key pair must be generated on the switch (server); this requires a hostname and a domain name to be set first.
Configuring Telnet (clear text; only where SSH is not possible)
switch(config)# line vty 0 15
switch(config-line)# transport input telnet
Configuring SSH
switch(config)# hostname S1                           ! key generation needs a non-default hostname
S1(config)# ip domain-name <domain-name>
S1(config)# crypto key generate rsa modulus 2048      ! key pair is named <hostname>.<domain-name>
S1(config)# ip ssh version 2
S1(config)# username <name> secret <password>         ! local account used for SSH logins
S1(config)# line vty 0 15
S1(config-line)# transport input ssh                  ! Telnet is no longer accepted
S1(config-line)# login local
S1(config-line)# end
S1# show ip ssh                                       ! verify: SSH Enabled - version 2.0
Spoofing Attacks
Using a rogue DHCP server, an attacker answers client requests with a lease that names the attacker's host as default gateway (or DNS server), so the clients' traffic is redirected through that host, where it can be read and possibly altered.
DHCP Snooping
Is a Cisco feature to avoid DHCP spoofing attacks. Ports are classified as trusted or untrusted: any port may carry client requests (DISCOVER, REQUEST), but DHCP server replies (OFFER, ACK, NAK) are accepted only on trusted ports (the uplink towards the legitimate server) and dropped on untrusted access ports. The switch also records the resulting client MAC/IP/port bindings.
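To make the trusted/untrusted rule concrete, the following Python model is an added example (not course material or Cisco code) that runs a constructed DHCP exchange through a snooping filter: a client on an access port, a rogue server on another access port, and the real server behind the trusted uplink Gi0/1. It also applies the client-hardware-address check that IOS performs by default (the chaddr inside the DHCP message must match the frame's source MAC); that check goes beyond what the notes above state and is marked as such in the code. Port names, MAC addresses and IP addresses are constructed.

```python
# DHCP message types carried in option 53 (by name, to keep the example readable).
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "DECLINE", "RELEASE", "INFORM"}


class DhcpSnooping:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # e.g. the uplink towards the real DHCP server
        self.pending = {}                  # client MAC -> (vlan, port) from its last REQUEST
        self.bindings = {}                 # client MAC -> (ip, vlan, port): the snooping binding table
        self.log = []

    def process(self, pkt):
        """pkt is a dict: port, vlan, src_mac, chaddr, msg and (for OFFER/ACK) yiaddr.
        Returns "forward" or "drop"."""
        port, msg = pkt["port"], pkt["msg"]
        if msg in SERVER_MESSAGES and port not in self.trusted:
            # The core rule from the notes: only trusted ports may answer clients.
            self.log.append(f"drop {msg} from {pkt['src_mac']} on untrusted {port}")
            return "drop"
        if msg in CLIENT_MESSAGES and port not in self.trusted and pkt["chaddr"] != pkt["src_mac"]:
            # Additional check (IOS "verify mac-address", on by default): a request whose
            # embedded client address does not match the sender is forged.
            self.log.append(f"drop {msg} on {port}: chaddr {pkt['chaddr']} != source {pkt['src_mac']}")
            return "drop"
        if msg == "REQUEST":
            self.pending[pkt["chaddr"]] = (pkt["vlan"], port)
        elif msg == "ACK" and pkt["chaddr"] in self.pending:
            # A lease confirmed by a trusted server becomes a binding for the client's port.
            vlan, client_port = self.pending.pop(pkt["chaddr"])
            self.bindings[pkt["chaddr"]] = (pkt["yiaddr"], vlan, client_port)
        return "forward"


def demo():
    snoop = DhcpSnooping(trusted_ports={"Gi0/1"})
    client, server, rogue = "02:00:00:00:00:aa", "02:00:00:00:00:01", "02:00:00:00:00:66"
    exchange = [  # constructed sample exchange, in wire order
        dict(port="Fa0/1", vlan=10, src_mac=client, chaddr=client, msg="DISCOVER"),
        dict(port="Fa0/5", vlan=10, src_mac=rogue, chaddr=client, msg="OFFER", yiaddr="10.0.10.200"),
        dict(port="Gi0/1", vlan=10, src_mac=server, chaddr=client, msg="OFFER", yiaddr="10.0.10.50"),
        dict(port="Fa0/1", vlan=10, src_mac=client, chaddr=client, msg="REQUEST"),
        dict(port="Gi0/1", vlan=10, src_mac=server, chaddr=client, msg="ACK", yiaddr="10.0.10.50"),
        dict(port="Fa0/6", vlan=10, src_mac=rogue, chaddr="02:00:00:00:99:99", msg="DISCOVER"),
    ]
    decisions = [snoop.process(p) for p in exchange]
    return decisions, snoop.bindings


if __name__ == "__main__":
    decisions, bindings = demo()
    print(decisions)
    print(bindings)
```

The rogue OFFER on Fa0/5 is dropped before any client sees it, the legitimate exchange completes, and the binding table ends up with one entry (client MAC, 10.0.10.50, VLAN 10, Fa0/1), which is what later features such as IP source guard consult.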
CDP Attacks
Cisco Discovery Protocol is used to discover directly connected Cisco devices and share information such as:
IOS version
IP addresses
VLAN information
CDP is enabled by default, however CDP should be turned off when not needed.
Telnet Attacks
Brute Force Password Attack
o An attacker tries to guess the password with password-guessing software.
o Choosing a strong password and changing it frequently makes this harder; not exposing Telnet at all (SSH only) removes the clear-text exposure.
DoS Attack
o An attacker may use a flaw in the Telnet server to make the service unavailable.
o Keep IOS patched; Cisco releases security fixes for such flaws.
CHAPTER-3 VLANs
VLAN Overview
A VLAN allows a NA to create groups of logically networked devices that act as if they are on their
own independent network, even if they share a common infrastructure with other VLANs.
VLAN Details
Each VLAN is normally a separate IP subnet.
Each computer on the same VLAN must be assigned an IP address within the same subnet.
By using VLANs, more than one subnet can be used on a single switch.
First the VLANs must be configured on the switch,
then the ports must be added to the VLANs.
Benefits of a VLAN
Security
Cost Reduction
Higher Performance
Broadcast storm mitigation
Improved IT staff efficiency
Simpler project or application management
VLAN ID Ranges
Normal Range VLANs : Used by small to medium organizations
o 1 to 1005
o 1002 – 1005 reserved for Token Ring and FDDI networks
o VLAN 1 and 1002 – 1005 are created automatically and cannot be removed.
o Stored in the vlan.dat file in flash memory
Extended Range VLANs : Designed for service providers
o 1006 to 4094 (4095 is reserved)
o Have fewer features than normal range VLANs.
o Stored in the running configuration file
A Catalyst 2960 switch, for example, can support up to 255 VLANs in total.
There are a number of terms for VLANs. Some terms define the type of network traffic they carry
and others define a specific function a VLAN performs.
Data VLAN
A VLAN that carries only user generated traffic
A VLAN carrying voice or management traffic is NOT a data VLAN.
Default VLAN
All interfaces of a switch become part of the default VLAN after the initial bootup process
(one broadcast domain).
VLAN 1 is the default VLAN.
VLAN 1 cannot be renamed or deleted.
CDP and STP use VLAN 1.
Native VLAN
A native VLAN is assigned to an 802.1Q trunk port.
A trunk port carries both tagged traffic (frames with an 802.1Q header naming their VLAN) and untagged
traffic (frames with no 802.1Q header).
The trunk port places untagged traffic it receives on the native VLAN, and sends native-VLAN traffic untagged.
The default native VLAN is VLAN 1; it should be changed to an otherwise unused VLAN, and it must match on both ends of the trunk.
Management VLAN
Any VLAN you configure to access the management capabilities of a switch.
Default management VLAN is VLAN 1.
Assign an IP address and subnet mask for this VLAN.
Voice VLAN
A separate VLAN assigned for voice traffic only.
Network Without VLANs : one broadcast domain.
Inter-VLAN Communication :
Communication between VLANs requires Layer 3 forwarding; a switch alone never forwards frames from one VLAN to another.
Layer 3 Forwarding
Example: PC1 on VLAN 10 communicates with PC5 on VLAN 20 through a router (or Layer 3 switch) that has an interface in each VLAN.
Two types of trunks:
Trunking Modes:
On
o The command used is switchport mode trunk.
o DTP advertisements are still sent to the remote end, but the local port becomes a trunk immediately and unconditionally.
Dynamic auto (the default on Catalyst 2960 switches)
o The command used is switchport mode dynamic auto.
o The local port ends up in trunking state only if the remote port has been configured as on or desirable.
Dynamic desirable
o The command used is switchport mode dynamic desirable.
o If the remote port is in on, desirable, or auto mode, the local port ends up in trunking state.
Nonegotiate (DTP turned off)
o The command is switchport nonegotiate (used together with switchport mode trunk or switchport mode access).
o No DTP advertisements are sent.
o The local port is then in an unconditional trunking (or access) state.
Note: a port left in dynamic auto or dynamic desirable will form a trunk with any attached device that speaks DTP; user-facing ports should be set to access mode with DTP turned off.
Use the following steps to configure and verify VLANs and trunks on a switched network:
1. Create the VLANs
2. Assign switch ports to the VLANs statically
3. Verify VLAN configuration
4. Enable trunking on the inter-switch connections
5. Verify trunk configuration
Add a VLAN:
S1(config)# vlan <vlan_id>
S1(config-vlan)# name <vlan_name>
S1(config-vlan)# end
To verify:
S1# show vlan brief
Delete VLANs
S1(config)# no vlan <vlan_id>
(ports still assigned to a deleted VLAN become inactive until they are moved to another VLAN)
3.4 Troubleshooting VLANs and Trunks
3.4.1 Common Problems with Trunks
Native VLAN mismatches : Both ends of a trunk link must be configured with the same native
vlan.
Trunk mode mismatches : Both ends of a trunk link must be configured with the appropriate
trunk mode so that they can form the trunk link successfully.
VLANs and IP Subnets : Each vlan uses a different subnet, and all devices in the same subnet
must be configured with the correct IP addresses.
Allowed VLANs on trunks : Both ends of a vlan trunk must be configured to allow the same
vlans to be transmitted.
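The native VLAN behaviour described under "Native VLAN" and the two trunk problems listed just above (native VLAN mismatch, allowed-VLAN mismatch) come down to a few bytes in the frame. The following Python code is an added example, not course material or Cisco code: it inserts and strips 802.1Q headers and models the egress and ingress decisions of a trunk port, so the mismatch can be observed directly. The frame bytes and VLAN numbers are constructed.

```python
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier that announces an 802.1Q header


def tag(frame, vlan, pcp=0):
    """Insert an 802.1Q header (TPID + TCI) after the two MAC addresses."""
    tci = (pcp << 13) | (vlan & 0x0FFF)  # 3-bit priority, 1-bit DEI (0 here), 12-bit VLAN ID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def is_tagged(frame):
    return struct.unpack("!H", frame[12:14])[0] == TPID_8021Q


def untag(frame):
    return frame[:12] + frame[16:]


def trunk_send(frame, vlan, native, allowed):
    """Egress on an 802.1Q trunk. VLANs outside the allowed list are not sent at all;
    the native VLAN leaves untagged; every other VLAN gets a tag."""
    if vlan not in allowed:
        return None
    return frame if vlan == native else tag(frame, vlan)


def trunk_receive(frame, native):
    """Ingress on a trunk: VLAN from the tag, or the native VLAN if there is no tag.
    Returns (vlan, frame with the tag removed)."""
    if is_tagged(frame):
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, untag(frame)
    return native, frame


def demo():
    # Constructed untagged frame: dst, src, EtherType 0x0800, 46 bytes of payload.
    frame = bytes.fromhex("0200000000bb" "0200000000aa") + b"\x08\x00" + b"\x00" * 46
    allowed = {1, 10, 20, 99}
    out = {}
    # Both ends agree on native VLAN 1.
    out["vlan10"] = trunk_receive(trunk_send(frame, 10, native=1, allowed=allowed), native=1)[0]
    f = trunk_send(frame, 1, native=1, allowed=allowed)
    out["vlan1"] = (is_tagged(f), trunk_receive(f, native=1)[0])
    # Native VLAN mismatch: S1 sends its VLAN 1 traffic untagged, S2 (native 99) files it under VLAN 99.
    out["mismatch"] = trunk_receive(trunk_send(frame, 1, native=1, allowed=allowed), native=99)[0]
    # VLAN 30 is not on the allowed list: it never crosses the trunk.
    out["not_allowed"] = trunk_send(frame, 30, native=1, allowed=allowed)
    # Tagging and untagging leave the original frame intact.
    out["roundtrip"] = trunk_receive(tag(frame, 20), native=1)[1] == frame
    return out


if __name__ == "__main__":
    print(demo())
```

The "mismatch" result is why the notes insist the native VLAN match on both ends and be an unused VLAN: untagged frames carry no VLAN information of their own, so whichever native VLAN the receiving end has configured is where they land.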
CHAPTER-4 VTP
What is VTP?
VTP allows a network manager to configure a switch so that it will propagate VLAN configurations to
other switches in the network.
VTP enabled switches exchange vlan information over an active trunk.
Switches have VTP roles: server, client or transparent (see VTP Modes below).
Only the vlans within the normal range are supported
VTP stores the VLAN configurations in the vlan.dat file.
Benefits of VTP
VLAN configuration consistency
Accurate tracking and monitoring of VLANs.
Dynamic reporting of added VLANs across a network.
Dynamic trunk configuration when VLANs are added to the network.
VTP Components:
VTP Domain: The switches in the same domain can exchange VLAN info. Layer-3 device is the
boundary.
VTP Advertisements: The VTP messages exchanged
VTP Modes: A switch can be configured in one of the three VTP modes:
VTP Server : VLANs can be created, deleted or renamed. Stores in the vlan.dat file.
VTP Client : VLAN information is stored but cannot be changed. Does not store VLAN info in
the NVRAM.
VTP Transparent : Only passes VTP advertisements on to the other switches, but does not participate
in VTP. All VLAN config must be made manually in this mode.
VTP Pruning : Restricts flooded traffic (broadcast, multicast, unknown unicast) of a VLAN to the trunks that actually lead to members of that VLAN.
VTP Defaults:
VTP version = 1
VTP Domain name = null
VTP mode = server
Config Revision = 0
VLANs = 1 (and the reserved 1002 – 1005)
VTP versions: 1, 2, 3
Only one VTP version is allowed in a VTP domain.
Configuration Revision Number
A 32-bit counter that is incremented on every VLAN change made on a VTP server.
A VTP domain name change resets this number to zero (0).
The higher the config revision number, the more recent the config is considered to be; a switch that receives an advertisement with a higher revision replaces its own VLAN database with the advertised one.
VTP Advertisements
Summary:
o Sent every 5 min by a server or client.
o Sent immediately after a config change.
o Contains VTP domain name and config revision number.
Subset :
o Contains VLAN information
o Changes that trigger a subset advertisement:
Creating or deleting a VLAN
Suspending or activating a VLAN
Changing the name of a VLAN
Changing the MTU of a VLAN
Request :
o When a request advertisement is sent to a server in the same VTP domain, the VTP
server responds by sending a summary ad and a subset ad.
o Sent if:
The VTP domain name has been changed
The switch receives a summary ad with a higher config rev. No.
A subset ad is missed
The switch has been reset
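The revision-number rule and the advertisement triggers above have an operational consequence worth seeing end to end: whichever switch in the domain carries the highest revision number wins, regardless of whether its database is the one you want. This Python model is an added example (not course material or Cisco code) of a server and a client synchronising, a switch with a stale database but a higher revision being connected, and the domain-name reset the notes mention used to make such a switch harmless. Switch names, domain names and VLANs are constructed.

```python
class VtpSwitch:
    """Minimal model of a VTP version 1/2 participant: domain, mode, VLAN database, revision."""

    def __init__(self, name, domain, mode="server", vlans=None, revision=0):
        self.name, self.domain, self.mode = name, domain, mode
        self.vlans = dict(vlans) if vlans else {1: "default"}
        self.revision = revision

    def set_domain(self, domain):
        self.domain = domain
        self.revision = 0  # a domain-name change resets the revision number

    def add_vlan(self, vlan_id, name):
        """Only a server may change the database; each change bumps the revision and
        triggers a summary + subset advertisement (returned here as one dict)."""
        if self.mode != "server":
            raise PermissionError(f"{self.name} is a VTP {self.mode}; VLANs cannot be created here")
        self.vlans[vlan_id] = name
        self.revision += 1
        return self.advertise()

    def advertise(self):
        return {"domain": self.domain, "revision": self.revision, "vlans": dict(self.vlans)}

    def receive(self, adv):
        """Apply an advertisement. Returns True if the local database was overwritten."""
        if adv["domain"] != self.domain or self.mode == "transparent":
            return False  # wrong domain, or transparent mode: relay only, never apply
        if adv["revision"] > self.revision:
            # Servers and clients alike accept the higher revision, whatever it contains.
            self.vlans, self.revision = dict(adv["vlans"]), adv["revision"]
            return True
        return False


def demo():
    s1 = VtpSwitch("S1", "corp", "server")
    s2 = VtpSwitch("S2", "corp", "client")
    s1.add_vlan(10, "users")
    s2.receive(s1.add_vlan(20, "voice"))
    result = {"after_sync": (s2.revision, sorted(s2.vlans))}

    # A switch with the same domain name, an almost empty database, but a higher revision
    # (for example reused from another site) is connected over a trunk: its advertisement wins.
    stale = VtpSwitch("S3", "corp", "server", vlans={1: "default"}, revision=7)
    s1.receive(stale.advertise())
    s2.receive(stale.advertise())
    result["after_stale"] = (s1.revision, sorted(s1.vlans))

    # Safe procedure before connecting such a switch: change its domain name (and change it
    # back), which resets the revision to 0, so it can no longer override anyone.
    reused = VtpSwitch("S4", "corp", "server", vlans={1: "default"}, revision=9)
    reused.set_domain("scratch")
    reused.set_domain("corp")
    result["reset_overrides"] = s1.receive(reused.advertise())
    return result


if __name__ == "__main__":
    print(demo())
```

After the stale switch is connected, S1 and S2 are left with VLAN 1 only and revision 7; VLANs 10 and 20 are gone from the whole domain. Checking show vtp status (configuration revision, domain) on any switch before trunking it into production, and resetting the revision as shown, avoids this.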
Server Mode, Client Mode, Transparent Mode:
(comparison table not reproduced here; see the VTP Modes list above)
CHAPTER-5 STP
5.1.1 Redundancy
STP Algorithm
1. A single switch (with the lowest BID) is selected as the root bridge.
2. STA calculates the shortest paths to the root bridge.
a. Uses path costs (associated with the port speed) to calculate the shortest path.
b. Least cost path becomes the shortest path.
3. Each switch uses STA to decide which ports to block to prevent loops.
4. Blocked ports are called non-designated ports.
5. Non blocked ports are:
a. Ports closest to the root bridge are called root ports.
b. Other non-root forwarding ports are called designated ports.
5.2.3 Bridge ID
BID Fields:
Bridge Priority (4 bits) Priority value, increments by 4096. Default 32768.
Extended System ID (12 bits) : VLAN ID of the STP
MAC address (48 bits)
Another method for configuring the bridge priority value is using the command:
spanning-tree vlan <vlan-id> priority <value>
To verify:
show spanning-tree
Root Port
Exists on non-root switches.
Switch port with the best path to the root switch.
Only one root port is allowed per switch.
Can populate the MAC table with the incoming source MAC addresses.
Designated Port
Exists on both root and non-root switches.
Receives and forwards frames towards the root.
Only one designated port is allowed per segment.
Can populate the MAC table with the incoming source MAC addresses.
Non-designated Port
A blocked switch port. Does not receive or forward frames.
Does not populate the MAC table.
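The STP algorithm steps, the BID fields and the three port roles above can be exercised on a small topology. The following Python code is an added example (not course material or Cisco code): it builds 64-bit bridge IDs from priority, VLAN and MAC, elects the root, computes root path costs with the 802.1D short port costs the notes refer to, and assigns root, designated and non-designated roles to every port of a constructed three-switch triangle. The tie-break for root ports is simplified to the sender's BID (real STP also compares the sender's port ID).

```python
import heapq

# 802.1D-1998 "short" path costs by port speed in Mbps.
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority, vlan, mac):
    """64-bit BID: 4-bit priority + 12-bit extended system ID (the VLAN), then the 48-bit MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return ((priority + vlan) << 48) | int(mac.replace(":", ""), 16)


def spanning_tree(switches, links, vlan=1):
    """switches: {name: (priority, mac)}; links: [(a, b, speed_mbps), ...].
    Returns (root, root path cost per switch, {(switch, neighbor): port role})."""
    bids = {n: bridge_id(p, vlan, m) for n, (p, m) in switches.items()}
    root = min(bids, key=bids.get)  # lowest BID wins the election
    adj = {n: [] for n in switches}
    for a, b, mbps in links:
        adj[a].append((b, PORT_COST[mbps]))
        adj[b].append((a, PORT_COST[mbps]))
    # Dijkstra from the root gives every switch its root path cost and its root port (via).
    cost, via = {root: 0}, {}
    heap = [(0, bids[root], root)]
    while heap:
        d, _, u = heapq.heappop(heap)
        if d > cost[u]:
            continue
        for v, c in adj[u]:
            nd = d + c
            if v not in cost or nd < cost[v] or (nd == cost[v] and bids[u] < bids[via[v]]):
                cost[v], via[v] = nd, u
                heapq.heappush(heap, (nd, bids[u], v))
    roles = {}
    for a, b, _ in links:
        # Exactly one designated port per segment: the end with the lower root path
        # cost, then the lower BID. The other end is the root port if this segment is
        # its best path to the root, otherwise it is blocked.
        des = a if (cost[a], bids[a]) < (cost[b], bids[b]) else b
        other = b if des == a else a
        roles[(des, other)] = "designated"
        roles[(other, des)] = "root" if via.get(other) == des else "non-designated (blocked)"
    return root, cost, roles


def demo():
    # Constructed triangle (not from the course): S1 was given a lower priority to make it root.
    switches = {
        "S1": (24576, "02:00:00:00:00:01"),
        "S2": (32768, "02:00:00:00:00:02"),
        "S3": (32768, "02:00:00:00:00:03"),
    }
    links = [("S1", "S2", 100), ("S1", "S3", 1000), ("S2", "S3", 1000)]
    return spanning_tree(switches, links)


if __name__ == "__main__":
    root, cost, roles = demo()
    print("root:", root, "root path costs:", cost)
    for (sw, nb), role in sorted(roles.items()):
        print(f"{sw} port towards {nb}: {role}")
```

S2 reaches the root more cheaply over two gigabit hops (cost 8) than over its direct 100 Mbps link (cost 19), so its port towards S1 is the one that ends up blocked. Changing S1's priority back to the default 32768 would make the MAC address decide the root, which is the situation "Know Where the Root Is" below warns against.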
Blocking : Non-designated port. Receives and processes BPDUs, no data forwarding, no MAC
learning.
Listening : Receives, forwards and processes BPDUs, no data forwarding, preparing to forward
data.
Learning : Receives, forwards and processes BPDUs, no data forwarding, populates MAC address
table.
Forwarding : Receives, forwards and processes BPDUs, forwards data normally.
Disabled : No forwarding, administratively shutdown.
BPDU Timers: The amount of time that a port stays in the various port states depends on the BPDU
timers.
Hello timer : The period of BPDUs transmitted. Default is 2 secs, but can be configured
between 1 to 10 secs.
Forward delay : The time spent in listening and learning states. Default is 15 sec. Can be
configured between 4 to 30 secs.
Maximum Age : The max amount of time a switch save the BPDU config data. Default is 20
secs, but can be configured between 6 to 40 secs.
The default values are optimized for network diameter of 7.
The following command can be used on the root switch to adjust the timers automatically.
spanning-tree vlan <vlan id> root primary diameter <value>
Configure PVST+
Select and configure one switch as primary root, and another as secondary root, for each VLAN.
switch(config)# spanning-tree vlan <vlan-id> root primary | secondary
or set the priority explicitly (a multiple of 4096; lower wins):
switch(config)# spanning-tree vlan <vlan-id> priority 4096
5.4.3 RSTP
802.1w (based on 802.1D)
Faster convergence than 802.1D
Preferred protocol to prevent loops.
Not compatible with some Cisco enhancements such as UplinkFast, BackboneFast
Port states are : discarding, learning or forwarding.
BPDU format is the same as 802.1D
Backward compatible with 802.1D.
Does not need 802.1D timers.
Protocol information ages out on a port if 3 consecutive Hello messages are missed (6 sec)
RSTP Flag field.
The port role defines the ultimate purpose of a switch port and how it handles data frames.
Root
Designated
Backup (discarding state in active topology)
Alternate (discarding state in active topology)
Know Where the Root Is
Do not leave it up to the STP to decide which bridge is root.
For each VLAN, you can usually identify which switch can best serve as root.
Generally, choose a powerful bridge in the middle of the network, with a direct connection
to the servers and routers.
For each VLAN, configure the root bridge and the backup root bridge using lower priorities.
VTP Pruning
Prune any VLAN that you do not need off your trunks.
Use Layer 3 switching. Layer-3 switches route approximately at the speed of switching.
Final Points:
Keep STP even if it is unnecessary
Keep traffic off the administrative VLAN. A high rate of broadcast or multicast traffic on the
administrative VLAN can adversely impact the CPU and its ability to process vital BPDUs.
Do not have a single VLAN span the entire network.
Router-On-A-Stick:
1. A single link is used between the switch and the router.
2. This link is configured as a trunk link to carry all traffic belonging to different VLANs (tagged
traffic).
3. Subinterfaces (logical-virtual interfaces) are used at the router interface. Multiple virtual
interfaces are assigned to a single physical interface.
4. Each subinterface belongs to a different VLAN.
5. Router receives frames from one subinterface and forwards from another subinterface out
from the same physical interface.
Subinterface Configuration
R1(config)# interface fa0/0.10              (subinterface created; the number is conventionally the VLAN ID)
R1(config-subif)# encapsulation dot1q 10    (frames on this subinterface carry the VLAN 10 tag)
R1(config-subif)# ip address <IP-Address> <subnet-mask>
..
R1(config)# interface fa0/0
R1(config-if)# no shutdown                  (the physical interface must be up for its subinterfaces to work)
Disadvantages:
Performance
More complex configuration
Subject to local regulations
RF bands are allocated by ITU
Wi-Fi Certification
Standards ensure interoperability between devices made by different manufacturers. Internationally,
the three key organizations influencing WLAN standards are:
ITU-R : Regulates the allocation of RF bands.
IEEE : Specifies how RF is modulated to carry information.
Wi-Fi Alliance : (www.wi-fi.org) A non-profit global organization devoted to promote WLAN
technologies and products. Provides Wi-fi certification.
Wireless Routers:
Perform the role of an access-point, an Ethernet switch, and a router.
The wireless network mode: WLAN protocols: 802.11a, b, g, n.
o Mixed mode is possible between b and g with a single radio.
o Other mixed modes require multiple radios.
SSID : Service Set Identifier : A unique, case-sensitive name that identifies a wireless
network.
o Several access points can share an SSID.
Channel: the 2.4 GHz band is broken down into 11 channels for North America, 13 channels
for Europe.
o Each channel is 22 MHz wide.
o Center frequency separation is 5 MHz, so successive channels overlap.
o Any two channels that are 5 apart (e.g. 1, 6 and 11) do not overlap.
o WLANs requiring multiple access points should use non-overlapping channels.
o Many access points can automatically select a channel based on adjacent channel
use.
802.11 Topologies:
Basic Service Set (BSS) : A group of stations that communicate with each other.
Ad hoc Networks:
Devices communicate with each other without an access point.
Independent BSS (IBSS)
Supported rates
Security implementation
Denial of Service
Attackers:
can create noise in the 2.4 GHz ISM band, just as other wireless consumer devices do (microwave
ovens, cordless phones, baby monitors, etc.),
using a PC as an access point, can flood the BSS with clear-to-send (CTS) messages, which
defeat the CSMA/CA function used by the stations,
can send disassociate messages, causing all stations to disconnect and try to reassociate
again.
The latest standard is 802.11i (implemented and certified by the Wi-Fi Alliance as WPA2).
WPA2 Enterprise also authenticates each user against a Remote Authentication Dial In User Service (RADIUS) server via 802.1X, instead of relying on a shared key.
Encryption
Two enterprise-level encryption mechanisms specified by 802.11i :
Temporal Key Integrity Protocol (TKIP)
Advanced Encryption Standard (AES, used in CCMP mode)
TKIP (WPA) addresses the weaknesses of WEP, but AES (WPA2) is the preferred method; TKIP is itself deprecated and should only be enabled for legacy clients that cannot do AES.
In some access points you may not see WPA or WPA2 options. Instead,
PSK (Pre-shared-key) or PSK2 with TKIP is the same as WPA
PSK or PSK2 with AES is the same as WPA2
PSK2 with no cipher selected is also treated as WPA2.