CCNA Exploration-3 LAN Switching And Wireless

CHAPTER-1 LAN DESIGN

1.1 Switched LAN Arhitecture

1.1.1 The Hierarchical Network Model

A hierarchical network is easier to manage and expand, and problems are solved more
quickly.

Dividing the network into discrete layers. Each layer provides specific functions that define its
role within the overall network.
Typical hierarchical design model is broken up in to three layers:
 access,
 distribution
 core

Access layer
 interfaces with the end devices (PCs, printers, switches, IP telephones, etc).
 Controlls which devices are allowed to communicate over the network.

Distribution Layer
 Aggregates the traffic coming from the access layer,
 Controls the traffic flow according to the policies (ACLs).
 Devides the network into multiple segments by VLANs,
 Routes traffic between VLANs.
 Typically high performance switches
 Uses redundant links

Core Layer
 High speed backbone of the network.
 Allows interconnectivity of the distribution layer switches.
 High availability (redundant links)
 Usually connects to the Internet

In smaller networks distribution layer and core may be combined.

Benefits of a Hierarchical Network

 Scalability: Can be expanded quickly
 Redundancy : Redundant links
 Performance : Link aggregation between layers
 Security : Port security at the access layer and policies at the distribution layer
 Manageability : Consistant configuration of switches at each layer.
 Maintainability: Modular design allows easy maintainability. Switch selection is easy.

1.1.2 Principles of Hierarchical Network Model

1
 Just because a network seems to have a hierarchical design does not mean that the network
is well designed.

Hierarchical Network Design Principles:

 Network Diameter: the number of devices that a packet has to cross before it
reaches its destination. Should be kept small to have low latency (each switch
process the frame). In a hierarchical network, network diameter is always going to
be a predictable number of hops between the source and destination devices.
 Bandwidth aggregation: Allows multiple switch port links to be combined to achieve
higher throughput between switches.
 Redundant Links: Adding redundant links between the switches to increase
availability.

Design requirements, such as the level of performance or redundancy necessary, are

determined by the business goals of the organization.
1. Determine the number of access layer switches,
2. Determine the number of distribution layer switches and redundancy,
3. Determine the number of core layer switches.

1.1.3 What is a Converged Network?

Convergence is the process of combining voice and video communications on a data

network.

Converged networks were only feasible in large enterprise organizations.

 Expensive hardware
 Extensive management (Quality of Service – Classification and prioritization of data)
 Still analog equipment is used

With the advanced technology, converged networks are now

 Easier to implement and manage
 Less expensive
 So becoming popular in small and medium sized businesses.

Benefits of using a converged network

 there is just one network to manage => less management costs.
 No need for three sets of expensive wiring.
 Allows telephone and video conferencing integrated on a PC.

1.2 Matching Switches to Specific LAN Functions

1.2.1 Considerations for Hierarchical Network Switches

Traffic Flow Analysis

Traffic Flow Analysis Tools
User Communities Analysis affects port density and traffic flow
End users are grouped according to their job function, because they require similar
access to resources and applications.
Future Growth
Addition of new users => Scalable and modular switches
2
 Data Stores and Data Servers Analysis
 Client-server traffic => Locating the data storage and servers close to the users (small
network diameter)
 Server-server traffic = Locating the servers close to each other typically in a
datacenter and choosing high performance switches.

Topology Diagrams : Graphical representation of a network infrastructure.

 Shows how all switches are interconnected.
 Displays any redundant paths or aggregated ports
 Allows visually identify possible bottlenecks
 It should be documented during the design of a network.

1.2.2 Switch Features

Fixed Configuration Switches :

 The ports are fixed, cannot be changed.

Modular Switches :
 Allows installation of modular line cards (interfaces)
 Different sized chassis options
 The larger the chassis, the more modules it can support.

Stackable Switches
 Allows interconnection with a special backplane cable.
 All operate as a single switch
 Used where fault tolerance and bandwidth availability are critical

When selecting a switch consider:

 Port Density : Number of ports
o Fixed configuration switches have upto 48 ports.
o Modular switches can support 1000+ ports on a single device (saves space
and performance)
 Forwarding Rates : How much data the switch can process per second.
o Switches with low forwarding rates may not operate at full wire speed at all
ports simultaneously.
o At the distribution and core layers, forwarding rate is more important.
 Link Aggregation
o A single uplink port may not be sufficient to handle uplink traffic resulting in a
bottleneck.
o Up to eight switch ports can be bound together (EtherChannel)
 Power over Ethernet (PoE)
o Deliver power over existing Ethernet cabling.
o No need for external power
o Usefull for wireless Access Points and Ip Phones.
 Layer 3 Functions (Multi layer switches)
o Switches normally operate at OSI Layer-2
o Some switches have some layer 3 functionality.
o Security policies can be implemented
o Layer 3 routing can be implemented
3
1.2.3 Switch Features in a Hierarchical Network

Access Layer Switch Features

Used for connection of the end devices to the network.
Need to support features:
 Port security : How many/what devices are allowed to connect
 VLANs : Traffic may need to be seperated into different VLANs
 Fast/Gigabit Ethernet : Port speed need to be decided
 PoE : Power may need to be carried over Ethernet cabling
 Link Aggregation : Uplink bandwidth may need to be increased
 Quality of Service (QoS) : Different types of traffic may need to be prioritized.

Distribution Layer Switch Features

They collect the data from all the access layer switches and forward it to the core layer switches.
 Layer-3 support : Inter-VLAN routing (traffic coming from a VLAN may need to access to
other VLANs).
 High forwarding rate
 Gigabit/10Gigabit Ethernet support
 Redundant Components : Usually installed in pairs. Hot swappable power supplies,
modules, etc.
 Security Policies/Access Control Lists : Instead of using ACLs for every access layer switch
in the network, they are defined on the fewer distribution layer switches, making
management of the ACLs much easier.
 Link Aggregation :
 Quality of Service (QoS) : Prioritization of traffic coming from the access layer. All
devices on the path must support QoS.

Core Layer Switch Features

 Layer-3 support
 Very High forwarding rate
 Gigabit/10G Ethernet support
 Redundant components
 Link Aggregation
 Quality of Service (QoS)

1.2.4 Switches for Small and Medium Sized Businesses (SMB)

The features of Cisco Catalyst Switches
Catalyst Express 500
Catalyst 2960
Catalyst 3560
Catalyst 3750
Catalyst 4500
Catalyst 4900
Catalyst 6500

1.3 Chapter Labs

4
 CCNA Exploration-3 LAN Switching And Wireless

CHAPTER-2 Basic Switch Concepts And Configuration

2.1 Introduction to Ethernet/802.3 LANs

2.1.1 Key Elements of Ethernet/802.3 Networks
CSMA/CD
 Carrier Sense
 Multi-access
 Collision Detection
 Jam Signal and Random Backoff

Ethernet Communications
 Unicast
 Broadcast
 Multicast

Ethernet Frame (The figure)

MAC Address (The figure)

Duplex Setting
 Half Duplex
 Full Duplex

Switch Port Settings

 Auto
 Half
 Full

auto-MDIX (automatic medium-dependent interface crossover)

Enabled by default on IOS 12.2(18)
Disabled on earlier versions

MAC Addressing and Switch MAC Address Tables

1. When a switch receives a frame, it records the source MAC address in its MAC table with the port number
where it received the frame.
2. When it finds the dest MAC in its table, it forwards the frame from the port only.
3. When the dest MAC address is not found in the table, it floods the frame out to all ports except the one it
received it from.

2.1.2 Design Considerations for Ethernet/802.3 Networks

Bandwidth and Throughput

 A major disadvantage of Ethernet 802.3 networks is collisions.
 Full bandwidth is available only after any collisions have been resolved.
 The net throughput of the port (the average data that is effectively transmitted) will be considerably reduced
as a function of how many other nodes want to use the network.

1
Collision Domains
 Creating more collision domains increases the throughput.

Broadcast Domains
 Switches always forward broadcast frames.
 A collection of interconnected switches forms a single broadcast domain.
 Routers and VLANs are used to segment both collision and broadcast domains.

Network Latency
Latency is the time a frame or a packet takes to travel from the source station to the final destination.
1. NIC delay : The time it takes the source NIC to place voltage pulses on the wire,
2. Propagation delay : The time it takes a signal to travel through the cable.
3. Networking device delay : Each networking device adds to the total latency.

Network Congestion
The primary reason for segmenting a LAN into smaller parts is to isolate traffic and to achieve better use of
bandwidth per user. The following contribute to the network congestion.
 Increasingly powerful computer and network technologies.
 Increasing volume of network traffic
 High-bandwidth applications

LAN Segmentation
 Using bridges and switches
 Using routers

2.1.3 LAN Design Considerations

Controlling Network Latency

 Consider the latency caused by each device on the network.
 The use of higher layer devices can also increase latency on a network.

Removing Bottlenecks
 Increasing bandwidth
 Adding more connections
 Link aggregation

2.2 Forwarding Frames using a Switch

2.2.1 Switch Forwarding Methods

Store-and-Forward Switching
1. Stores the entire frame in its buffers
2. Checks the CRC
3. If no error detected, searches the MAC table, and
4. forwards the frame
5. QoS mechanisms require store-and-forward switching.
6. Slow (high latency) and high integrity

Cut-through Switching

Fast-Forward switching:
1. As soon as the destination MAC address is read, the switch
2
 2. Looks up the destination MAC in the table,
3. Starts forwarding the frame
4. No error checking can be performed
5. Fast (low latency) and low integrity

Fragment-free switching:
1. Switch reads the first 64 bytes of a frame (collision?)
2. Then forwards the frame.
3. Compromise between store-and-forward and cut-through.

2.2.2 Symmetric And Asymmetric Switching

LAN switching may be classified as:

Asymmetric Switching
 Switch ports have different bandwidth connections.
 Memory buffering is required
 Uses store-and-forward switching

Symmetric Switching
 Switch ports have all same bandwidth connections.

2.2.3 Memory Buffering

 To store frames before forwarding them.
 When the destination port is busy

Port-based Memory Buffering

 Frames are stored in queues that are linked to specific incoming ports.
 A frame is transmitted to the outgoing port only when all the frames ahead of it in the queue have been
successfully transmitted.
 A single frame may delay all other frames.

Shared Memory Buffering

 All frames are stored into a shared memory buffer.
 The amount of memory required by a specific port is dynamically allocated.

2.2.4 Layer-2 and Layer-3 Switching

Layer-2 LAN Switching

 Performs switching and filtering based only on the OSI Data Link layer (Layer 2) MAC address only.

Layer-3 LAN Switching

 May also use IP addresses to filter and forward traffic.
 Also can learn which IP addresses are associated to which ports.
 Can also perform routing

2.3 Switch Management Configuration

2.3.1 Navigating Command-Line Interface Modes

The Command Line Interface Modes

3
  User EXEC: Limited number of basic monitoring commands
 Priviledged EXEC: All device commands including configuration and management. Can be password
protected.

Navigating Configuration Modes

Switch> enable (to enter priviledged mode from user EXEC)
Switch#
Switch# disable (to return to the user EXEC mode)

Global Configuration Mode

To configure global switch parameters
Switch# config t
Switch(config)#

Interface Configuration Mode

Switch(config)# interface <interface name>
Switch(config-if)#
Switch(config-if)# exit
Switch(config)#

GUI-based Alternatives to the CLI

Simplified switch configuration and management
 Cisco Network Assistant
 CiscoView Application
 Cisco Device Manager
 SNMP Network Management

2.3.2 Using The Help Facility

Context Sensitive Help
The figure

Console Error Messages

The figure

2.3.3 Accessing the Command History

The Command History Buffer

switch# show history

Configure the Command History Buffer

switch# terminal history (to enable history)
switch# terminal history size <size>
switch# terminal no history (to disable history)

2.3.4 The Switch Boot Sequence

After s Cisco switch is turned on:

1. Switch first loads the Boot Loader from NVRAM
2. The boot loader:
a. Performs low level CPU initialization
b. Performs power-on-self-test (POST)
c. Initializes the flash file system on the system board
d. Loads a default OS image and boots the switch
4
 3. The OS then initializes the interfaces using the IOS commands found in config.text stored in the switch flash
memory.

Recovering from a System Crash

The boot loader:
 Provides access to the switch files if the OS crashes.
 Has its own command line facility
 Can be used to initialize the flash file system and reinstall the OS
 Recover a lost or forgotten password

2.3.5 Prepare to Configure the Switch

 Connect to Switch
 Configure hyperterminal
 Observe the boot sequence

2.3.6 Basic Switch Configuration

Management Interface Considerations

To manage a switch remotely using TCP/IP, it needs to be configured with:
 An IP address
 A subnet mask
 A default gateway

Assigning an IP address:
1. IP address is assigned to a virtual interface that is a part of a virtual LAN (VLAN).
2. VLAN 1 is the default management VLAN (it should be changed).
3. Then the management VLAN must be assigned to one (or more) physical interface.

switch(config)# int vlan <vlan_no>

switch(config-if)# ip address <IP_Addr> <subnet_mask>
switch(config)# int <physical interface name>
switch(config-if)# switchport mode access
switch(config-if)# switchport access vlan <vlan_no>

Configure a Default Gateway

Switch# ip default-gateway <IP_Address>
Verify Configuration
switch# show running-config
switch# show ip interface brief

Configure Duplex and Speed

Show figure

Configure a Web Interface

If a web based configuration tool will be used, then the switch must be configured as a HTTP server.
Authentication methods (optional):
 Enable (using enable password to access the web interface)
 Local (using local username-password pair configured on the local switch)
 TACACS (using a separate authentication server)

S1(config)# ip http authentication <auth_method>

S1(config)# ip http server

5
Managing the MAC Address Table
 Switch# show mac_address-table
 Dynamic addresses
o Learned by the switch by recording the source MAC addresses and their ports.
o Ages out (dropped) after 300sec (default)
 Static Addresses
o Entered by the NA
o Switch(config)# mac_address-table static <MAC_Addr> vlan <vlan_no>
interface <int_id>

2.3.7 Verifying Switch Configuration

Using the show Commands:
show running-config
show startup-config
show interfaces

2.3.8 Basic Switch Management

Backing up a Configuration
copy system:running-config flash:startup-config
copy startup-config flash:config.bak1 (saving the config to another file)

Restoring a Configuration
copy flash:config.bak1 startup-config
reload

Back up Configuration Files to a TFTP Server

Make sure a TFTP server is running on your network and accessible.

switch#copy nvram:startup-config tftp:[[[//location]/directory]/filename]

Restoring Configuration Files from a TFTP Server

switch#copy tftp:[[[//location]/directory]/filename] nvram:startup-config

Clearing Configuration Information

switch#erase nvram

To delete any configuration file:

switch#delete flash:filename

2.4 Configuring Switch Security

2.4.1 Configure Password Options

Secure the Console

Secure the vty Ports
Configure EXEC Mode Passwords
Configure Encrypted Passwords
Enable Password Recovery

2.4.2 Login Banners

switch#conf t
6
switch(config)#banner login “Authorized Personnel Only”

7
2.4.3 Configure Telnet and SSH
Two choices that can be used to remotely access to Cisco switches:

Telnet
 Default vty-supported protocol on Cisco switches
 Supported also on older Cisco switches
 Sends the communication in clear text => not secure

SSH
 Sends the communication in encrypted form => is secure
 ssh client on the client computers, ssh server on the switch must be running.
 ssh supports different encryption standards such as DES, 3DES and RSA.
 To configure ssh, the encryption keys must be generated on the switch (server).

Configuring Telnet
switch(config)# line vty 0 15
switch(config-line)# transport input telnet

Configuring SSH
switch(config)# ip domain-name <domain-name>
switch(config)# crypto key generate rsa
switch(config)# ip ssh ver 2
switch(config)# line vty 0 15
switch(config-line)# transport input SSH

2.4.4 Common Security Attacks

MAC Address Flooding
Filling the MAC address table by bombarding the switch with many MAC-IP addresses pairs. The switch then starts
to act like a hub, flooding all frames.
Show figure

Spoofing Attacks
Using a fake DHCP server, an attacker can redirect all traffic to a specific host, obtaining and possibly altering the
information in the packets.

DHCP Snooping
Is a Cisco feature to avoid spoofing attacks. All ports can request a DHCP service, however only the trusted ports can
reply to DHCP requests.

switch(config)# ip dhcp snooping vlan number <vlan_no>

switch(config-if)# ip dhcp snooping trust
switch(config-if)# ip dhcp snooping limit rate <rate>

CDP Attacks
Cisco Discovery Protocol is used to discover directly connected Cisco devices and share information such as:
 IOS version
 IP addresses
 VLAN information

CDP is enabled by default, however CDP should be turned off when not needed.

Telnet Attacks
 Brute Force Password Attack
o An attacker tries to guess the password with some software.
8
 o Choosing a strong password and changing it frequently may make it difficult.

 DoS Attack
o An attacker may use a flaw in the Telnet server to make the service unavailable.
o Security patches are available to avoid this.

2.4.5 Security Tools

Network security tools help you test your network for various weaknesses.
They are tools that allow you to play the roles of a hacker and a network security analyst.

Network Security Audit

 After a MAC table attack,
 A security audit reveals what sort of information an attacker can gather simply by monitoring network traffic.

Network Penetration Testing

 This allows you to identify weaknesses within the configuration of your networking devices.

Network Security Tools Features

2.4.6 Configuring Port Security

Secure MAC Address Types:

 Static secure MAC addresses:
o The addresses are entered in the MAC table and added to the running-config
o switchport port-security mac-address mac-address
 Dynamic secure MAC addresses:
o MAC addresses are dynamically learned and stored only in the MAC table.
o switchport port-security
 Sticky secure MAC addresses:
o Dynamically learned and added to the running config.
o switchport port-security mac-address sticky

Security Violation Modes

When the number of secure MAC addresses reaches the limit allowed on the port,
 Protect : drops the packets with unknown source addresses until the violation ends.
 Restrict : drops the packets with unknown source addresses, until the violation ends. A SNMP trap is sent, a
syslog message is logged, and the violation counter increments.
 Shutdown : the interface immediately becomes error-disabled and turns off the port. It also sends an SNMP
trap, logs a syslog message, and increments the violation counter.

Default Port Security Configuration

 Port security = Disabled on a port
 Max number of secure addresses = 1
 violation mode = shutdown
 sticky = disabled

Verify Port Security Settings

show port-security [interface int-id]
show port-security address

2.4.7 Securing Unused Ports

Disable Unused Ports

shutdown
9
2.5 Chapter Labs

10
 CCNA Exploration-3 LAN Switching And Wireless

CHAPTER-3 VLANs

3.1 Introducing VLANs

3.1.1 Introducing VLANs
Before VLANs
 All computers are in the same LAN.
 Computers that belong to the same group can be seperated into multiple buildings,
 These computers share the same security and resource needs.

VLAN Overview
A VLAN allows a NA to create groups of logically networked devices that act as if they are on their
own independent network, even if they share a common infrastructure with other VLANs.

VLAN Details
 A VLAN is a seperate IP subnet.
 Each computer on the same VLAN must be assigned an IP address within the same subnet.
 By using VLANs, more than one subnet can be used on a single switch.
 First the VLANs must be configured on the switch,
 Then the ports must be added to the VLANs.

Benefits of a VLAN
 Security
 Cost Reduction
 Higher Performance
 Broadcast storm mitigation
 Improved IT staff efficiency
 Simpler project or application management

VLAN ID Ranges
 Normal Range VLANs : Used by small to medium organizations
o 1 to 1005
o 1002 – 1005 reserved for token ring and FDDI networks
o VLAN 1, 1002 – 1005 are automatically created and cannot be removed.
o Stored in vlan.dat file in flash memory
 Extended Range VLANs : Designed for service providers
o 1006 to 4096
o Have fewer features than normal range VLANs.
o Stored in the running configuration file
 A Cisco Catalyst switch can support up to 255 VLANs.

3.1.2 Types of VLANs

There are a number of terms for VLANs. Some terms define the type of network traffic they carry
and others define a specific function a VLAN performs.

1
Data VLAN
 A VLAN that carries only user generated traffic
 A VLAN carrying voice or management traffic is NOT a data VLAN.

Default VLAN
 All interfaces of a switch becomes a part of the default VLAN after the initial bootup process
(same broadcast domain)
 VLAN 1 is the default VLAN
 VLAN 1 cannot be renamed or deleted
 CDP and STP uses VLAN 1

Native VLAN
 A native VLAN is assigned to a 802.1Q trunk port.
 A trunk port supports both tagged traffic (coming from VLANs) and untagged (non VLAN)
traffic .
 The trunk port places untagged traffic on the native VLAN.
 Default native VLAN is VLAN 1 (should be changed).

Management VLAN
 Any VLAN you configure to access the management capabilities of a switch.
 Default management VLAN is VLAN 1.
 Assign an IP address and subnet mask for this VLAN.

Voice VLAN
 A seperate VLAN assigned for voice traffic only.

Network Traffic Types

 Network Management and Control Traffic : CDP, SNMP, etc.
 IP Telephony :
o Signalling
o Voice
 IP Multicast : IP TV, radio, etc.
 Normal Data : E-mail, database transactions, print services, etc.
 Scavenger Class : P2P applications, gaming, etc.

3.1.3 Switch Port Membership Modes

Switch Ports belong to one or more VLANs.

A port can be configured to support these VLAN types:

 Static VLAN : Switch ports are manually configured to be a member of a VLAN.
 Dynamic VLAN: VLAN membership is configured dynamically based on the MAC address of
the device, using a special server called a VLAN Membership Policy Server (VMPS).
 Voice VLAN: A port is configured to be in voice mode so that it can support an IP phone
attached to it.
o Both a voice VLAN and data VLAN need to be configured.
o S3(config-if)# mls qos trust cos
o S3(config-if)# switchport voice vlan <vlan_id>

3.1.4 Controlling Broadcast Domains with VLANs

2
Network Without VLANS : One broadcast domain

Network with VLANs :

Intra-VLAN Communication :
Communication within a VLAN. (Show the animation)

Inter-VLAN Communication :
Communication between VLANs. (Show the animation)

Controlling Broadcast Domains with VLANs and Layer 3 Forwarding

Switches that support layer-3 routing are called layer-3 switches.

SVI (Switch Virtual Interface)

 A logical interface configured for a specific VLAN.
 By default a SVI is created for default VLAN (VLAN 1).

Layer 3 Forwarding
Show the animation: PC1 on VLAN 10 communicates with PC5 on VLAN 20.

3.2 VLAN Trunking

3.2.1 VLAN Trunks

Definition of a VLAN Trunk:

 A VLAN trunk is a point-to-point link between two network devices that carries more than
one VLAN.
 It allows you to extend the VLANs across an entire network.
 Cisco supports IEEE 802.1Q for coordinating trunks on Fast Ethernet and Gigabit Ethernet
interfaces.

802.1Q Frame Tagging

 The original Ethernet frame header does not contain VLAN information.
 A 801.1Q VLAN header, adds a tag to the original Ethernet frame specifying the VLAN for
which the frame belongs to.

Tagged Frames on the Native VLAN

 When a switch trunk port receives a tagged frame, it is dropped.
 Devices should not tag control traffic destined for the native VLAN.

Untagged Frames on the Native VLAN

 When a Cisco switch trunk port receives untagged frames, it forwards those frames to the
native VLAN.

3.2.2 Trunking Operation

Show the animation

3.2.3 Trunking Modes

3
Two types of trunks:

 IEEE 802.1Q (Used today)

o Both tagged and untagged frames are supported
 ISL (Cisco Inter-switch link )
o All frames must be tagged with ISL header. Non-tagged frames are dropped.

DTP (Dynamic Trunking Protocol)

 Cisco proprietary trunking negotiation protocol
 Enabled by default on Cisco switches that support DTP.
 Sends periodic advertisements to the remote port to establish a trunk.

Trunking Modes:
 On (default)
o The command used is switchport mode trunk
o DTP advertisements are sent to the remote, the immediately the local port is set as
the trunk port.
 Dynamic auto
o The command used is switchport mode dynamic auto.
o The local port ends up in trunking state only if the remote port trunk mode has been
configured to be on or desirable.
 Dynamic desirable
o The command used is switchport mode dynamic desirable.
o If the remote has been configured in on, desirable, or auto mode, the local port ends
up in trunking state.
 Nonegotiate (DTP turned off)
o The command is switchport nonegotiate.
o No DTP advertisements are sent.
o The local port is then considered to be in an unconditional trunking state.

3.3 Configure VLANs and Trunks

3.3.1 Configuring VLANs and Trunks Overview

Use the following steps to configure and verify VLANs and trunks on a switched network:
1. Create the VLANs
2. Assign switch ports to the VLANs statically
3. Verify VLAN configuration
4. Enable trunking on the inter-switch connections
5. Verify trunk configuration

3.3.2 Configure a VLAN

Add a vlan:
S1(config)# vlan <vlan_id>
S1(config-vlan)# vlan name <vlan_name>
S1(config-vlan)# end
4
To verify:
S1# show vlan brief

Assign a Switch Port:

S1(config)# interface <int_id>
S1(config-int)# switchport mode access
S1(config-int)# switchport access vlan <vlan_id>
S1(config-int)# end

3.3.3 Managing VLANs

Verify VLANs and Port Memberships

S1# show vlan brief

S1# show interfaces vlan <vlan_id>

To see the vlan type and native VLAN information:

S1# show interfaces <int_id> switchport

Manage Port Memberships

S1(config)# interface <int_id>
S1(config-int)# no switchport access vlan

Delete VLANs
S1(config)# no vlan <vlan_id>

Removing all vlan configuration:

S1(config)#delete flash:vlan.dat

3.3.4 Configure a Trunk

Configure an 802.1Q Trunk
S1(config)# interface <int_id>
S1(config-int)# switchport mode trunk
S1(config-int)# switchport trunk native vlan <vlan_id>
S1(config-int)# end

Verify Trunk Configuration:

S1# show interfaces <int_id> switchport

Managing a Trunk Configuration

To reset all allowed vlans on the trunk port
S1(config-int)# no switchport trunk allowed vlan

To reset the native vlan back to the default vlan:

S1(config-int)# no switchport trunk native vlan

To reset the trunk port back to the access mode:

S1(config-int)# switchport mode access

5
3.4 Troubleshooting VLANs and Trunks
3.4.1 Common Problems with Trunks
 Native VLAN mismatches : Both ends of a trunk link must be configured with the same native
vlan.
 Trunk mode mismatches : Both ends of a trunk link must be configured with the appropriate
trunk mode so that they can form the trunk link successfully.
 VLANs and IP Subnets : Each vlan uses a different subnet, and all devices in the same subnet
must be configured with the correct IP addresses.
 Allowed VLANs on trunks : Both ends of a vlan trunk must be configured to allow the same
vlans to be transmitted.

3.4.2 A Common Problem with VLAN Configurations

3.5 Chapter Labs

6
 CCNA Exploration-3 LAN Switching And Wireless

CHAPTER-4 VTP

4.1 VTP Concepts

4.1.1 What is VTP

The VLAN Management Challenge:

When a new VLAN is created,
 it needs to be added to all switches manually,
 it needs to be added in the allowed list of all trunks manually.
 In a large network this is a difficult task and prone to configuration errors.

What is VTP?
VTP allows a network manager to configure a switch so that it will propagate VLAN configurations to
other switches in the network.
 VTP enabled switches exchange vlan information over an active trunk.
 Switches have VTP roles: server or client
 Only the vlans within the normal range are supported
 VTP stores the VLAN configurations in the vlan.dat file.

Benefits of VTP
 VLAN configuration consistency
 Accurate tracking and monitoring of VLANs.
 Dynamic reporting of added VLANs across a network.
 Dynamic trunk configuration when VLANs are added to the network.

VTP Components:

VTP Domain: The switches in the same domain can exchange VLAN info. Layer-3 device is the
boundary.
VTP Advertisements: The VTP messages exchanged
VTP Modes: A switch can be configured in one of the three VTP modes:
 VTP Server : VLANs can be created, deleted or renamed. Stores in the vlan.dat file.
 VTP Client : VLAN information is stored but cannot be changed. Does not store VLAN info in
the NVRAM.
 VTP Transparent : Only passes VLAN info to the other switches, however do not participate
in VTP. All VLAN config must be made manually in this mode.
VTP Pruning : Restricts broadcast, multicast traffic on some trunks.

4.2 VTP Operation

4.2.1 Default VTP Configuration

VTP version = 1
VTP Domain name = null

1
 VTP mode = server
Config Revision = 0
VLANs = 1

VTP versions: 1, 2, 3
Only one VTP version is allowed in a VTP domain.

Displaying the VTP Status:

switch# show vtp status

4.2.2 VTP Domains

 A VTP domain consists of one switch or several interconnected switches sharing the same
VTP domain name.
 A switch can be a member of only one VTP domain at a time.
 Until the VTP domain name is specified you cannot create or modify VLANs on a VTP server,
and VLAN information is not propagated over the network.

4.2.3 VTP Advertising

A VTP message is inserted in the data field of an Ethernet frame.

The Ethernet frame is then encapsulated as a 802.1Q trunk frame.

VTP Frame Details

 Destination MAC Address: 01-00-0C-CC-CC-CC (Reserved multicast for all VTP
advertisements)
 LLC field : AA AA (means a type field follows)
 SNAP field : 00-00-0C (OUI for Cisco) and type value 2003 for VTP.
 VTP Header field
o VTP domain name
o Domain name-lenght,
o version, message type,
o Config revision number
 VTP Message field (varies depending on the VTP message type)
o Global domain information:
 VTP Domain name
 The IP address of the sending switch, time and date
 MD5 digest (Carries the VTP password when MD5 is configured)
 Frame format : ISL or 802.1Q
o VLAN information (for each VLAN)
 VLAN ID
 VLAN name
 VLAN type
 VLAN state
 Additional VLAN config info.

VTP Configuration Revision Number

 Each time a VLAN is added or deleted, this number is incremented.
 32-bit number
 Default is 0.

2
  A VTP domain name change resets this number to zero (0).
 The higher the config number, the more recent the config is.

VTP Advertisements
 Summary:
o Sent every 5 min by a server or client.
o Sent immediately after a config change.
o Contains VTP domain name and config revision number.
 Subset :
o Contains VLAN information
o Changes that trigger a subset advertisement:
 Creating or deleting a VLAN
 Suspending or activating a VLAN
 Changing the name of a VLAN
 Changing the MTU of a VLAN
 Request :
o When a request advertisement is sent to a server in the same VTP domain, the VTP
server responds by sending a summary ad and a subset ad.
o Sent if:
 The VTP domain name has been changed
 The switch receives a summary ad with a higher config rev. No.
 A subset ad is missed
 The switch has been reset

VTP Advertisements Details

(Show the figures)

4.2.4 VTP Modes

Server Mode
Client Mode
Transparent Mode
(Show the comparison table)

4.2.5 VTP Pruning

 If there are no switch ports configured for a specific VLAN, then the broadcast frames should
not be sent to that switch over the trunk links.
 When VTP pruning is enabled, switches negotiate and block the unnecessary broadcast
traffic.

4.3 Configure VTP

4.3.1 Configuring VTP

Configure a switch in VTP server mode:

1. Make sure the switch is in default settings.
2. Reset the config revison number
3. Configure at least two VTP servers.
4. Configure a VTP domain on the server.
a. switch(config)#vtp domain domain-name
5. If there is an existing VTP domain, make sure to set exactly the same domain name.
3
 6. If you will use password authentication, make sure you use the same password in all
switches.
7. All switches must be configured with the same VTP version.
a. switch(config)#vtp version 1
8. Create VLANs after you have enabled VTP on the VTP server.

Configure a switch in VTP client mode:

1. Start with the default settings
2. Set the switch to client mode.
a. switch(config)#vtp mode client
3. Configure trunks
4. Connect to a VTP server.
5. Verify VTP status
6. Configure access ports.

4.3.2 Troubleshooting VTP Configurations

switch# show vtp status
switch# show vtp counters

4.3.3 Managing VLANs on a VTP Server

4.4 Chapter Labs

4
 CCNA Exploration-3 LAN Switching And Wireless

CHAPTER-5 STP

5.1 Redundant Layer 2 Topologies

5.1.1 Redundancy

5.1.2 Issues with Redundancy

5.1.3 Real-world Redundancy Issues

5.2 Introduction to STP

5.2.1 The Spanning Tree Algorithm

STP ensures that there is only one logical path between all destinations on the network;
 Blocks redundant paths that could cause a loop.
 A blocked port does not forward frames in any direction.
 BPDUs used by STP are always forwarded.
 If the link fails, STP unblocks the necessary ports to allow the redundant path to become
active.

STP Algorithm
1. A single switch (with the lowest BID) is selected as the root bridge.
2. STA calculates the shortest paths to the root bridge.
a. Uses path costs (associated with the port speed) to calculate the shortest path.
b. Least cost path becomes the shortest path.
3. Each switch uses STA to decide which ports to block to prevent loops.
4. Blocked ports are called non-designated ports.
5. Non blocked ports are:
a. Ports closest to the root bridge are called root ports.
b. Other non-root forwarding ports are called designated ports.

The Root Bridge Election

 The switch with the lowest BID is elected as the root bridge.
 Bridge ID consists of:
o Bridge priority
o Extended system id
o MAC address
 Switches send periodic BPDUs to each other every two seconds, that contains:
o Local BID (BID of itself)
o BID of the root.
 If a switch receives a root BID lower than the known root BID, it updates the root BID and its
path cost.
 Sends the updated root BID and path cost to neighbors.
1
 Best Paths to the Root Bridge
Cost of links along the path to the root bridge is added to calculate the path cost.
Default port link costs:
 10Mb/s 100
 100Mb/s 19
 1Gb/s 4
 10Gb/s 2

Port costs are configurable with the command:

switch(config-if)# spanning-tree cost <cost>
switch# show spanning-tree command is used to verify port costs.

5.2.2 STP BPDU

The BPDU Fields (12 fields):
 First four fields: Protocol (2), Version (1), Message Type (1), Status (1)
 Next four fields: Root ID (8), Cost of path(4), BID (8), Port ID (2)
 Last four fields: Message age (2), Max age (2), Hello time (2), Forward delay (2)

The BPDU Process

Show step-by-step example

5.2.3 Bridge ID

BID Fields:
 Bridge Priority (4 bits) Priority value, increments by 4096. Default 32768.
 Extended System ID (12 bits) : VLAN ID of the STP
 MAC address (48 bits)

Configure and Verify the BID

To ensure that the switch has the lowest bridge priority value, use the command:
spanning-tree vlan <vlan-id> root primary (sets the priority value to
24576)

For an alternate root switch, use the command:

spanning-tree vlan <vlan-id> root secondary (sets the priority value to
28672)

Another method for configuring the bridge priority value is using the command:
spanning-tree vlan <vlan-id> priority <value>

To verify:
show spanning-tree

5.2.4 Port Roles

2
 Root Port
 Exists on non-root switches.
 Switch port with the best path to the root switch.
 Only one root port is allowed per switch.
 Can populate the MAC table with the incoming source MAC addresses.

Designated Port
 Exists on both root and non-root switches.
 Receives and forwards frames towards the root.
 Only one designated port is allowed per segment.
 Can populate the MAC table with the incoming source MAC addresses.

Non-designated Port
 A blocked switch port. Does not receive or forward frames.
 Does not populate the MAC table.

The Root port election:

 All switches that are using spanning tree, except for the root bridge, have a single root port
defined.
 The switch port with the lowest overall path cost to the root switch is automatically assigned
the root port role.
 If more than one port have the same lowest cost path,
o Port with the lowest port priority is selected.
o If all port priorities are the same, then the lowest port ID is selected.
 When one root port is defined, the other ports to the root switch are defined as non-
designated ports.

Configuring Port Priority:

 Port priority values range from 0 to 240 in increments of 16.
 Default is 128.
 switch(config-if)# spanning-tree port-priority <pri_value>

Other Port Role Decisions:

1. The root switch automatically configures all of its switch ports in the designated role.
2. Other switches define all non-root ports as either designated or non-designated ports.
3. If two non-root ports of two switches connect to the same LAN segment, the switch ports
with the lowest BID becomes designated, the other becomes non-designated.

Show the seven step figure.

Verifying Port Roles and Port Priority

switch# show spanning-tree
5.2.5 STP Port States and BPDU Timers
Switch ports do not change modes immediately to prevent temporary loops and facilitate the
learning of the logical spanning-tree.

Blocking : Non-designated port. Receives and processes BPDUs, no data forwarding, no MAC
learning.

3
 Listening : Receives, forwards and processes BPDUs, no data forwarding, preparing to forward
data.
Learning : Receives, forwards and processes BPDUs, no data forwarding, populates MAC address
table.
Forwarding : Receives, forwards and processes BPDUs, forwards data normally.
Disabled : No forwarding, administratively shutdown.

BPDU Timers: The amount of time that a port stays in the various port states depends on the BPDU
timers.
 Hello timer : The period of BPDUs transmitted. Default is 2 secs, but can be configured
between 1 to 10 secs.
 Forward delay : The time spent in listening and learning states. Default is 15 sec. Can be
configured between 4 to 30 secs.
 Maximum Age : The max amount of time a switch save the BPDU config data. Default is 20
secs, but can be configured between 6 to 40 secs.
 The default values are optimized for network diameter of 7.
 The following command can be used on the root switch to adjust the timers automatically.
spanning-tree vlan <vlan id> root primary diameter <value>

Cisco PortFast Technology

 Allows an access port transition from blocking state to forwarding state immediately,
bypassing the listening and learning states.
 Minimizes the delay that access ports must wait for the network to converge.
 Should be used only on the access ports.
 Switch(config-if)# spanning-tree portfast

5.3 STP Convergence

5.3.1 STP Convergence

Convergence is the time it takes for :

1. The network to determine which switch is going to assume the role of the root bridge,
2. Go through all the different port states, and set all switch ports to their final spanning-tree
port roles where all potential loops are eliminated.

STP Convergence Steps

1. Elect a root bridge
2. Elect root ports
3. Elect designated and non-designated ports.

5.3.2 Step 1. Electing A Root Bridge

Immediately after the switches finished booting up, they start sending BPDU frames advertising their
BID in an attempt to become the root bridge.
 The switches send their own BID and the root BID to their neighbors.
 Initially all switches think that they are the root bridge.
 When a switch receives a lower root BID than the root BID known to itself, it updates the
root BID, and starts to advertise the new root BID.
 Eventually all switches receive the lowest BID, which becomes the root bridge.
4
  If a switch does not receive a BPDU in 20 sec (default max age), the election process restarts.

5.3.3 Step 2. Elect Root Ports

Every switch in an ST topology, except for the root bridge, has a single root port defined.
 A port having the lowest path cost to the root bridge becomes the root port.
 If path costs are same, then the lowest port priority becomes the root port.
 If root priorities are the same, then the lowest port id is elected as the root port.

5.3.4 Step 3 Electing Designated Ports and Non-designated Ports

After a switch determines the root port, the remaining ports must be configured as either a
designated port or a non-designated port.
 Root switch configures all of its ports as the designated ports.
 Lowest path cost the the root switch is elected as the designated port,
 If path costs are same, then lowest BID determines the designated port, the losing port
becomes the non-designated (blocking state) port.

5.3.5 STP Topology Change

 A switch detecting a topology change, sends a special notification BPDU called topology
change notification (TCN) from the root port toward the root bridge.
 The receiving switch responds with topology change acknowledgement (TCA) message.
 This exchange continues until the root bridge receives TCN and responds with TCA.
 Once the root bridge is aware that there has been a topology change event in the network, it
starts to send out BPDU with TC bit set,
 All switches receving the BPDU with TC bit set, reduce their aging time to forward delay.

5.4 PVST+, RSTP and Rapid-PVST+

There are many variants of STP:
 Cisco Proprietary
o Per-VLAN Spanning Tree Protocol (PVST) :
 Maintains a spanning-tree instance for each VLAN configured in the network.
 Uses Cisco ISL trunking.
 Supports Cisco STP extensions Portfast, Uplinkfast, BackboneFast.
 Ability to load balance over the trunks.
o Per-VLAN Spanning Tree Protocol Plus (PVST+) :
 Same functionality as PVST
 Supports both Cisco ISL and IEEE 802.1Q trunking.
 Supports Cisco proprietary STP extensions including BPDU guard.
 Only supported on Cisco switches.
o Rapid PVST+ :
 Based on 802.1w
 Faster convergence than standard STP (802.1D).
 IEEE Standards
o Rapid Spanning Tree Protocol (RSTP) (802.1w) :
 An evolution of 802.1D standard.
 Provides faster ST convergence
5
  Supports Cisco STP extensions into the public standard.
 IEEE has incorporated RSTP into 802.1D as 802.1D-2004.
o Multiple STP (MSTP) :
 Enables multiple VLANs to be mapped to the same spanning-tree instance,
reducing the number of instances needed to support a large number of
VLANs.
 Inspired by Cisco MISTP
 An evolution of STP and RSTP

5.4.1 Cisco and STP Variants

5.4.2 PVST+
 A seperate STP instance is created for each VLAN.
 Seperate root bridges can be elected for different STP instances
 Load balancing per VLAN can be performed on the trunks
 The two byte bridge priority is modified as 4 bit bridge priority + 12 bit VLAN ID.
 Default spanning-tree mode is PVST+.

Configure PVST+
Select and configure one switch as primary root, and one other as secondary roor for each VLAN.
switch(config)#spanning-tree vlan <vlan-id> root primary | secondary
switch(config)#spanning-tree vlan <vlan-id> root 4096

5.4.3 RSTP
 802.1w (based on 802.1D)
 Faster convergenge than 802.1D
 Preferred protocol to prevent loops.
 Not compatible with some Cisco enhancements such as UplinkFast, BackboneFast
 Port states are : discarding, learning or forwarding.
 BPDU format is the same as 802.1D
 Backward compatible with 802.1D.
 Does not need 802.1D timers.
 Protocol information ages out on a port if 3 consecutive Hello messages are missed (6 sec)
 RSTP Flag field.

5.4.4 Edge Ports

 Ports that will never be connected to another switch are called.
 Immediately transitions to forwarding state when enabled.
 Similar to Cisco PortFast technology.
 If recieves a BPDU, becomes a normal STP port.
 spanning-tree portfast command is used at the interface.

5.4.5 Link Types

 Edge ports : Transitions to the forwarding state immediately.
 Non-edge ports
6
 o Point-to-point : Full duplex (Transitions to the forwarding state immediately)
o Shared : Half duplex

5.4.6 RSTP Port States and Port Roles

RSTP Port States

RSTP provides rapid convergence following a failure or during re-establishment of a switch, switch
port, or link.
STP port states – RSTP port states:
 Blocking – Discarding
 Listenning – discarding
 Learning – learning
 Forwarding – forwarding
 Disabled – discarding

RSTP Port Roles

The port role defines the ultimate purpose of a switch port and how it handles data frames.
 Root
 Designated
 Backup (discarding state in active topology)
 Alternate (discarding state in active topology)

RSTP Proposal or Agreement Process

 RSTP significantly speeds up the recalculation process after a topology change, because
o it converges on a link-by-link basis and
o does not rely on timers expiring before ports can transition.
o Rapid transition to the forwarding state on edge ports and point-to-point ports.

5.4.7 Configuring Rapid-PVST+

Rapid-PVST+ is a Cisco implementation of RSTP.
 It supports ST for each VLAN and is the rapid STP variant to use in Cisco-based networks.
 A ST instance is created when an interface is assigned to a VLAN
 And is removed when the last interface is moved to another VLAN.
 Cisco 2960 switch supports PVST+, Rapid-PVST+, and MSTP, however only one version can be
active at any time.
 switch(config)# spanning-tree mode rapid-pvst
 switch(config-if)# spanning-tree link-type point-to-point
 switch# clear spanning-tree detected-protocols
 switch# show spanning-tree vlan <vlan-id>

5.4.8 Design STP for Trouble Avoidance

7
Know Where the Root Is
 Do not leave it up to the STP to decide which bridge is root.
 For each VLAN, you can usually identify which switch can best serve as root.
 Generally, choose a powerful bridge in the middle of the network, with a direct connection
to the servers and routers.
 For each VLAN, configure the root bridge and the backup root bridge using lower priorities.

Minimize the Number of Blocked Ports

 For each VLAN, know which ports should be blocking in the stable network.
 Have a network diagram that clearly shows each physical loop in the network and which
blocked ports break the loops.

VTP Pruning
 Prune any VLAN that you do not need off your trunks.
 Use Layer 3 switching. Layer-3 switches route approximately at the speed of switching.

Final Points:
 Keep STP even if it is unnecessary
 Keep traffic off the administrative VLAN. A high rate of broadcast or multicast traffic on the
administrative VLAN can adversely impact the CPU and its ability to process vital BPDUs.
 Do not have a single VLAN span the entire network.

5.4.9 Troubleshoot STP Operation

PortFast Configuration Error

Do not use PortFast on switch ports or interfaces that connect to other switches, hubs, or routers.
Otherwise, you may create a network loop.

Network Diameter Issues

Switches discard the BPDUs that have age field more than 7.
Take special care if you plan to change STP timers from the default value.

5.5 Chapter Labs

8
 CCNA Exploration-3 LAN Switching And Wireless

CHAPTER-6 INTER-VLAN ROUTING

6.1 Inter-VLAN Routing

6.1.1 Introducing Inter-VLAN Routing

Inter-VLAN routing is a process of forwarding network traffic from one VLAN to another.
Two implementations:
1. Using a router
a. Traditional (Using a seperate link for each VLAN)
b. Router-on-a-stick (Using a trunk link)
2. Using a layer-3 switch

Traditional Inter-VLAN routing:

1. Each VLAN uses a seperate physical link to the router.
2. The switch ports that connect to the router are configured in access mode.
3. The router interfaces are also configured to belong to individual VLANs.
4. The router receives frames from one interface (a VLAN) and forwards them to another
interface (another VLAN)
5. If many VLANs are used, then the router may not have enough physical interfaces.

Router-On-A-Stick:
1. A single link is used between the switch and the router.
2. This link is configured as a trunk link to carry all traffic belonging to different VLANs (tagged
traffic).
3. Subinterfaces (logical-virtual interfaces) are used at the router interface. Multiple virtual
interfaces are assigned to a single physical interface.
4. Each subinterface belongs to a different VLAN.
5. Router receives frames from one subinterface and forwards from another subinterface out
from the same physical interface.

6.1.2 Interfaces and Subinterfaces

Using the Router as a Gateway
 Router interfaces are assigned IP addresses from their own VLAN subnet.
 The devices that belong to a VLAN must be configured with a Default Gateway address.
 The Default Gateway Address is the router interface IP address that belongs to a specific
VLAN.

Subinterface Configuration
1
R1(config)# interface fa0/0.10 (subinterface created)
R1(config-subif)# encapsulation dot1q 10
R1(config-subif)# ip address <IP-Address> <subnet-mask>
..
R1(config)# interface fa0/0
R1(config-if)# no shutdown

Subinterfaces cannot be enabled or disabled individually.

 When the physical interface is enabled, all subinterfaces are enabled.
 When it is shutdown, all subinterfaces interfaces are shutdown.

Advantages of using subinterfaces:

 Cost
 There is no physical port limit.
 A single trunk connection to the router.

Disadvantages:
 Performance
 More complex configuration

6.2 Configuring Inter-VLAN Routing

6.2.1 Configure Inter-VLAN Routing

6.2.2 Configure Router on a Stick Inter-VLAN Routing

6.3 Troubleshooting Inter-VLAN Routing

6.3.1 Switch Configuration Issues

6.3.2 Router Configuration Issues

6.3.3 IP Addressing Issues

6.4 Chapter Labs

2
 CCNA Exploration-3 LAN Switching And Wireless

CHAPTER-7 BASIC WIRELESS CONCEPTS AND CONFIGURATION

7.1 The Wireless LAN

7.1.1 Why Use Wireless

Why have Wireless LANs Become so Popular?
 Mobility and flexibility at work and at home.
 Reduced costs
o When moving a person within a building, reorganizing a lab, etc.
o When installing a LAN in a new buildng

Wireless Technologies (The figure)

 PAN (802.15 - Bluetooth)
 LAN (802.11 – WLAN)
 MAN (802.16 – Wimax)
 WAN ( GSM )

Wireless LANs (WLAN) is an extension of Ethernet LAN.

Comparing a WLAN to a LAN

WLANs use radio frequencies (RF) instead of cables at the Physical layer and MAC sub-layer of the
Data Link layer. RF characteristics:
 No boundaries
 Uses collision avoidance mechanism
 Unprotected from outside signals
 RF bands are regulated differently in various countries.

Wireless LAN components

 Wireless router or access point
 Wireless NIC on client devices

7.1.2 Wireless LAN Standards

Two modulation techniques :
 Direct Sequence Spread Spectrum (DSSS) : Slower transmission rates
 Ortogonal Frequency Division Multiplexing (OFDM) : Faster transmission rates

Unlicensed ISM (Industrial, Scientific, Medical) bands :

 900Mhz, 2.4Ghz, 5.0Ghz
 No need for a licence

1
  Subject to local regulations
 RF bands are allocated by ITU

IEEE WLAN Standards:

 802.11a : 5Ghz . Upto 54Mbps. Shorter range. Signal is more absorbed by walls, etc,. Less
interference, OFDM
 802.11b : 2.4Ghz. Upto 11Mbps. Longer range. Uses DSSS. more prone to interference
 802.11g : 2.4Ghz. Upto 54Mbps. Longer range, uses OFDM, but also compatible with DSSS.
More prone to interference.
 802.11n (Draft) : 2.4 or 5 Ghz. Upto 600Mbps. Uses multiple radios and antennas at
endpoints to achieve higher rates. Uses MIMO-OFDM.

Wi-Fi Certification
Standards ensure interoperability between devices made by different manufacturers. Internationally,
the three key organizations influencing WLAN standards are:
 ITU-R : Regulates the allocation of RF bands.
 IEEE : Specifies how RF is modulated to carry information.
 Wi-Fi Alliance : (www.wi-fi.org) A non-profit global organization devoted to promote WLAN
technologies and products. Provides Wi-fi certification.

7.1.3 Wireless Infrastructure Components

Wireless NICs
The wireless NIC, using the modulation technique it is configured to use, encodes a data stream onto
an RF signal.

Wireless Access Points

An access point connects wireless clients (or stations) to the wired LAN.
 Clients must associate (join) with an access point to obtain network services.
 An ap is a layer-2 device just like an Ethernet hub.
 RF is the shared medium.
 Uses CSMA/CA

Hidden Nodes Problem:

 When two stations at opposite ends of the range and cannot see each other collisions may
occur.
 Solution: Request-to-send/Clear-to-send (RTS/CTS) messages are used to allocate the
medium to the requesting station.

Wireless Routers:
Perform the role of an access-point, an Ethernet switch, and a router.

7.1.4 Wireless Operation

Configurable Parameters for Wireless Endpoints

2
  The wireless network mode:WLAN protocols: 802.11a, b, g, n.
o Mixed mode is possible between b and g with a single radio.
o Other mixed modes will require multiple radios.
 SSID : Shared Service Set Identifier : A unique case-sensitive name identifies a wireless
network.
o Several access points can share an SSID.
 Channel: 2.4Ghz bandwidth is broken down into 11 channels for North America, 13 channels
for Europe.
o Each channel bandwidth is 22 Mhz.
o Center frequency seperation is 5 Mhz. There is an overlap between the successive
channels.
o Any two channels that are 5 apart do not overlap.
o WLANs requiring multiple access points should use non-overlapping channels.
o Many access points can automatically select a channel based on adjacent channel
use.

802.11 Topologies:
Basic Service Set (BSS) : A group of stations that communicate with each other.

Ad hoc Networks:
 Devices communicate with each other without an access point.
 Independent BSS (IBSS)

Basic Service Set (BSS)

 A single access point in infrastructure mode manages the wireless parameters.
 The coverage area for both IBSS and BSS is the basic service area (BSA).

Extended Service Sets (ESS)

 If a single BSS is not sufficient to cover an area, multiple can be joined to form an ESS.
 One BSS is differentiated from another by the BSS Identifier (BSSID) : MAC address of the
access point.
 The coverage area is the extended service area (ESA).

Common Distribution System

 Multiple access points appear to be a single BSS.
 Generally includes a common SSID to allow a user to roam from access point to access point.
 10-15 percent overlap between cells
 Non overlapping channels

Client and Access Point Association

Beacons – Sent by access points periodically to advertise the WLAN. Includes:

 SSID

3
  Supported rates
 Security implementation

The 802.11 Join Process (Association)

 Stage-1: Probing – Sending a probe request to find a WLAN. Includes:
o SSID (If no SSID is specified, then all WLANs configured to reply, responds)
o Bit rates
 Stage-2 : Authentication
o Open authentication
o Wired Equivalency Protection (WEP)
 Stage-3 : Association – Establishing the data-link between an access-point and a WLAN client.
o Finalizes the security and bit rate options
o Establishes the data-link between the WLAN client and the access-point.
o The client learns the BSSID (MAC address of the AP)
o AP maps a logical port known as the association identifier (AID) to the WLAN client.

Planning the Wireless LAN

Considerations:
 The estimated number of users (RF is a shared medium)
 The expected data rates per user.
 The use of non-overlapping channels by multiple access-points.
 The transmit power settings and limitations.
 Position access points above obstructions
 Position access points vertically near the ceiling in the center of each coverage area, if
possible.
 Position access points in locations where users are expected to be.
 Calculate the coverage area, and place access points so that coverage circles overlap. (The
Example)

7.2 The Wireless LAN Security

7.2.1 Threats to Wireless Security

There are three major categories of threat that lead to unauthorized access:
 War drivers
 Hackers (Crackers)
 Employees

Man-in-the-Middle Attacks (MITM)

 Normally each NIC in a BSS hears all the traffic. However they discard any traffic not
addressed to it.
 A hacker located between an access point and a client host, uses a packet sniffer software to
receive all frames and obtain all information such as, usernames, passwords, server name, IP
addresses.

4
Denial of Service
Attachers :
 can create noise in the 2.4Ghz ISM band by other wireless consumer devices (microwave
oven, cordless phones, baby phones, etc.)
 using a PC as an access point, can flood the BSS with clear-to-send (CTS) messages, which
defeat the CSMA/CA function used by the stations.
 Can send disassociate messages, causing all stations to disconnect, and try to reassociate
again.

7.2.2 Wireless Security Protocols

Two types of authentication were introduced by the original 802.11 standard:
 Open authentication (No authentication)
 Shared WEP key authentication : Flaws:
o Weak WEP key algorithm (can be cracked easily)
o Manual entry of keys (often incorrectly entered by users)
 Not broadcasting the SSID and MAC filtering were used as additional security.
o However it is not difficult to sniff and modify MAC addresses.
o Also SSID can be obtained from the traffic between the client and ap.

Cisco developed Temporal Key Intergrity Protocol (TKIP) to improve security.

TKIP later linked to the Wifi Alliance Wifi Protected Access (WPA) security.

The latest standard is the 802.11i (similar to the WPA2 by Wifi Alliance).
WPA2 also includes a connection to a Remote Authentication Dial In User Service (RADIUS) database.

Authenticating to the Wireless LAN

Extensible Authentication Protocol (EAP) : Universal authentication framework used by wireless

networks. IEEE developed a 802.1x standard for WLAN authentication and authorization that uses
EAP.

Enterprise WLAN authentication process:

 Association : Creating a virtual port at the access point for each client.
 The ap blocks all traffic except 802.1x traffic.
 802.1x frames carry EAP packets via the ap to the AAA server (running RADIUS protocol).
 If the EAP authentication is successful, the AAA server sends and EAP success message to the
ap.
 Before openning the virtual port, data-link encryption between the ap and the client is
established.

Encryption
Two enterprise-level encryption mechanisms specified by 802.11i :

5
  Temporal Key Intergrity Protocol (TKIP)
 Advanced Encryption Standard (AES)

TKIP (WPA) addresses the weaknesses of WEP, however AES (WPA2) is the preferred method.

In some access points you may not see WPA or WPA2 options. Instead,
 PSK (Pre-shared-key) or PSK2 with TKIP is the same as WPA
 PSK or PSK2 with AES is the same as WPA2
 PSK2 without an encryption is the same as WPA2.

7.2.3 Securing a Wireless LAN

Controlling Access to the Wireless LAN
If you want to do something extra to secure access to your WLAN, you can add depth, as shown in
the figure, by implementing this three-step approach:
 SSID cloaking - Disable SSID broadcasts from access points
 MAC address filtering - Tables are manually constructed on the access point to allow or
disallow clients based on their physical hardware address
 WLAN security implementation - WPA or WPA2

7.3 Configure Wireless LAN Access

7.3.1 Configuring the Wireless Access Point

7.3.2 Configuring the Wireless NIC

7.4 Troubleshooting Simple WLAN Problems

7.4.1 Solve Access Point Radio and Firmware Issues

7.4.2 Incorrect Channel Settings

7.4.3 Solve Access Point Radio and Firmware Issues

7.4.4 Solve Access Point Radio and Firmware Issues

7.4.5 Problems with Authentication and Encryption

7.5 Chapter Labs

6