
Chapter 2: Basic switch concepts and configurations

CCNA Exploration 4.0

Overview

Học viện mạng Bách Khoa (Bach Khoa Network Academy) - Website: www.bkacad.com

Key elements of Ethernet/802.3 networks


Media Access Control (MAC)

MAC refers to the protocols that determine which computer on a shared-medium environment (a collision domain) is allowed to transmit data. MAC, together with LLC, comprises the IEEE version of OSI Layer 2.

There are two broad categories of Media Access Control:
- Deterministic (taking turns): Token Ring (logical ring topology on a physical star topology) and FDDI (logical ring topology on a physical dual-ring topology).
- Non-deterministic (first come, first served): Ethernet (logical bus topology on a physical star or extended star topology).


CSMA/CD

CSMA/CD, as used with Ethernet, performs three functions:
1. Transmitting and receiving data frames
2. Decoding frames and checking them for valid addresses before passing them to the upper layers of the OSI model
3. Detecting errors within frames or on the network

A station listens before it transmits (carrier sense) and keeps listening while it transmits (collision detection).


Backoff

- After a collision occurs, all stations allow the cable to become idle (each waits the full inter-frame spacing).
- The stations that collided must then wait an additional, and potentially progressively longer, period of time before attempting to retransmit the collided frame.
- The waiting period is intentionally designed to be random.
- If the MAC layer is unable to send the frame after 16 attempts, it gives up and generates an error to the network layer.

Extra: Backoff

The stations involved in transmitting frames at the time of the collision must reschedule their frames for retransmission. Each station does this by generating a period of time to wait before retransmission, based on a random number that the station chooses and uses in its backoff calculation (truncated binary exponential backoff):

k = min(n, 10), where n is the number of transmission attempts so far
r is an integer chosen uniformly at random with 0 <= r < 2^k
backoff delay = r * slot time
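As an added illustration (not from the original slides), the following Python models the truncated binary exponential backoff described above: k = min(n, 10), r drawn uniformly from 0 <= r < 2^k, a delay of r slot times, and the give-up after 16 attempts. The slot time of 512 bit times is the 10/100 Mbps value; the `collides` callback is a modelling assumption that stands in for the shared medium.

```python
import random

SLOT_TIME_BITS = 512    # slot time for 10/100 Mbps Ethernet: 512 bit times (64 octets)
MAX_ATTEMPTS = 16       # the MAC layer gives up and reports an error after 16 attempts
BACKOFF_CEILING = 10    # k = min(n, 10): the random range stops doubling after the 10th attempt


def backoff_range(n):
    """Largest r for attempt n: r is drawn from 0 <= r < 2^k with k = min(n, 10)."""
    if n < 1:
        raise ValueError("attempt number starts at 1")
    k = min(n, BACKOFF_CEILING)
    return 2 ** k - 1


def backoff_delay_slots(n, rng=random):
    """Pick the random backoff for attempt n, in slot times."""
    return rng.randint(0, backoff_range(n))


def max_backoff_seconds(n, mbps):
    """Worst-case backoff for attempt n at a given data rate (one slot = 512 bit times)."""
    return backoff_range(n) * SLOT_TIME_BITS / (mbps * 1e6)


def transmit_frame(collides, rng=random):
    """Run the CSMA/CD retry loop for one frame.

    `collides(n)` is a caller-supplied model of the shared medium (an assumption of this
    example): it returns True if the n-th transmission attempt collides.
    Returns (delivered, attempts_used, slots_waited).
    """
    slots_waited = 0
    for n in range(1, MAX_ATTEMPTS + 1):
        if not collides(n):
            return True, n, slots_waited
        slots_waited += backoff_delay_slots(n, rng)   # wait r slot times, then retry
    return False, MAX_ATTEMPTS, slots_waited        # excessive collisions: give up
```

Because k is capped at 10, the worst-case wait stops growing after the tenth attempt: 1023 slot times, which at 10 Mbps is about 52 ms. Attempts 11 to 16 use that same range before the MAC layer reports the failure upward.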

Ethernet Slot Time

The slot time is the unit of the backoff delay: 512 bit times for 10 Mbps and 100 Mbps Ethernet, and 4096 bit times for Gigabit Ethernet.

Ethernet Communications


Reminder

Ethernet frame structure


- At the data link layer the frame structure is nearly identical for all speeds of Ethernet from 10 Mbps to 10,000 Mbps.
- At the physical layer almost all versions of Ethernet are substantially different from one another, each speed having a distinct set of architecture design rules.
- The Ethernet II Type field is incorporated into the current 802.3 frame definition. The receiving node determines which higher-layer protocol is present in an incoming frame by examining the Length/Type field.

Ethernet frame structure


- The Preamble (alternating 1s and 0s, ending with the Start Frame Delimiter 10101011) is used for timing synchronization in the asynchronous 10 Mbps and slower implementations of Ethernet. Faster versions of Ethernet are synchronous, so this timing information is redundant, but it is retained for compatibility.
- The Destination Address field contains the destination MAC address. It can be unicast, multicast (group), or broadcast (all nodes).
- The Source Address is generally the unicast address of the transmitting Ethernet node. It may be the shared address of a virtual entity (for example, a redundancy group), but it is never a group or multicast address.

Ethernet frame structure


Length/Type field (2 bytes):
- If the value is greater than or equal to 1536 decimal (0x600), it is a Type: it identifies the upper-layer protocol that receives the data after Ethernet processing is completed, and the contents of the Data field are decoded per that protocol.
- If the value is less than 1536 decimal (0x600), it is a Length: it indicates the number of bytes of data that follows this field, and an LLC header is needed to identify the upper-layer protocol.

Data and Pad:
- The maximum transmission unit (MTU) for Ethernet is 1500 octets, so the data must not exceed that size.
- The Data field must be at least 46 octets; if there is not enough data, a Pad is added.

FCS (4 bytes): a CRC computed over the frame.

Ethernet requires that the frame (Destination Address through FCS) be not less than 64 octets or more than 1518 octets.

Naming on Ethernet
MAC ADDRESS

Ethernet uses MAC addresses that are 48 bits in length and are expressed as 12 hexadecimal digits. They are sometimes referred to as burned-in addresses (BIA) because they are burned into read-only memory (ROM) and are copied into random-access memory (RAM) when the NIC initializes.

OUI

The first 24 bits (3 bytes) of a MAC address are the Organizationally Unique Identifier (OUI), assigned to the vendor by the IEEE; the remaining 24 bits are assigned by the vendor. Because a NIC's sending address is whatever its driver puts in the frame, a MAC address is an identifier, not a credential: it is trivial to spoof.
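Added example, not part of the original slides: a small Python parser and builder for the untagged Ethernet frame described on the preceding slides. It applies the 0x600 Length/Type rule, the 46 to 1500 octet data limits with padding, the 64 to 1518 octet frame limits, verifies the 4-byte CRC-32 FCS, and classifies the addresses (broadcast, I/G bit for multicast, U/L bit, OUI). The sample frames in the test are constructed here; the FCS byte order (low byte first, as packet captures show it) is the one assumption not stated on the slides.

```python
import struct
import zlib

LENGTH_TYPE_THRESHOLD = 0x0600   # < 1536: 802.3 Length; >= 1536: Ethernet II Type
MIN_FRAME, MAX_FRAME = 64, 1518  # octets from Destination Address through FCS, untagged
MIN_DATA, MTU = 46, 1500         # data field limits; shorter data is padded


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def classify_mac(raw):
    """Describe a 6-octet MAC address: unicast/multicast/broadcast, OUI, U/L bit."""
    if raw == b"\xff" * 6:
        kind = "broadcast"
    elif raw[0] & 0x01:                    # I/G bit set: group (multicast) address
        kind = "multicast"
    else:
        kind = "unicast"
    return {
        "address": mac_to_str(raw),
        "kind": kind,
        "oui": mac_to_str(raw[:3]),                       # IEEE-assigned vendor identifier
        "locally_administered": bool(raw[0] & 0x02),      # U/L bit
    }


def build_frame(dst, src, length_or_type, data):
    """Assemble DA | SA | Length/Type | Data+Pad | FCS; data longer than the MTU is refused."""
    if len(data) > MTU:
        raise ValueError("data exceeds the Ethernet MTU of 1500 octets")
    padded = data + b"\x00" * (MIN_DATA - len(data)) if len(data) < MIN_DATA else data
    body = dst + src + struct.pack("!H", length_or_type) + padded
    # Assumption: FCS is the CRC-32 of DA..Data, carried low byte first as captures show it.
    return body + struct.pack("<I", zlib.crc32(body))


def parse_frame(frame):
    """Split a frame into its fields, apply the Length/Type rule and verify the FCS."""
    if not MIN_FRAME <= len(frame) <= MAX_FRAME:
        raise ValueError(f"frame length {len(frame)} outside {MIN_FRAME}..{MAX_FRAME} octets")
    da, sa = frame[0:6], frame[6:12]
    length_type = struct.unpack("!H", frame[12:14])[0]
    payload, fcs = frame[14:-4], struct.unpack("<I", frame[-4:])[0]
    info = {"dst": classify_mac(da), "src": classify_mac(sa)}
    if length_type >= LENGTH_TYPE_THRESHOLD:
        info["field"] = "type"
        info["ethertype"] = length_type    # the upper-layer protocol decodes the Data field
        info["data"] = payload             # pad, if any, is left for that protocol to ignore
    else:
        info["field"] = "length"
        if length_type > MTU or length_type > len(payload):
            raise ValueError("802.3 Length field is larger than the data present")
        info["data"] = payload[:length_type]
        info["llc_dsap"] = payload[0]      # an LLC header then identifies the upper protocol
    info["fcs_ok"] = zlib.crc32(frame[:-4]) == fcs
    return info
```

A frame that fails the FCS check is discarded by the receiving NIC; the store-and-forward switching mode discussed later in this chapter performs the same check before forwarding, which is why it never propagates corrupted frames.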

Ethernet in full duplex

Collisions occur only in half-duplex operation.

Full-duplex

- If the attached station is operating in full duplex, the station may send and receive simultaneously and collisions should not occur.
- Full-duplex operation also changes the timing considerations and eliminates the concept of slot time.
- In half-duplex, if no collision is detected, the sending station transmits the 64-bit preamble and SFD (timing synchronization), then the DA, SA, other header information, the actual data payload, and the FCS.


Extra: Half-duplex networks


Note

- Fast Ethernet and 10/100/1000 ports: the default is auto. 100BASE-FX ports: the default is full.
- 10/100/1000 ports operate in either half- or full-duplex mode when set to 10 or 100 Mb/s, but when set to 1000 Mb/s they operate only in full-duplex mode.
- Default behaviour when autonegotiation fails: the Catalyst switch sets the corresponding port to half-duplex mode. This type of failure happens when an attached device does not support autonegotiation (or is hard-set to full duplex); the resulting duplex mismatch shows up as late collisions and poor throughput on that link.

auto-MDIX

When auto-MDIX is enabled, the switch automatically detects the cable type (crossover or straight-through) and configures the connection accordingly, so either cable can be used.

The auto-MDIX feature is enabled by default on switches running Cisco IOS Release 12.2(18)SE or later. For releases between Cisco IOS Release 12.1(14)EA1 and 12.2(18)SE, the auto-MDIX feature is disabled by default.

MAC Addressing and Switch MAC Address Tables


Design Considerations for Ethernet/802.3 Networks


Bandwidth and Throughput

Bandwidth is defined as the amount of information that can flow through a network connection in a given period of time. Throughput refers to the actual measured bandwidth, at a specific time of day, using specific Internet routes, while a specific set of data is transmitted on the network.

Collision Domains


Broadcast Domains

The broadcast domain at Layer 2 is referred to as the MAC broadcast domain.


Broadcast Domains - Example

When a switch receives a broadcast frame, it forwards the frame to each of its ports, except the incoming port where the switch received the broadcast frame. Each attached device recognizes the broadcast frame and processes it.


Network Latency


Network Congestion

The primary reason for segmenting a LAN into smaller parts is to isolate traffic and to achieve better use of bandwidth per user. Without segmentation, a LAN quickly becomes clogged with traffic and collisions.

Causes of network congestion:
- Increasingly powerful computer and network technologies
- Increasing volume of network traffic
- High-bandwidth applications

LAN Segmentation

LANs are segmented into a number of smaller collision and broadcast domains using switches and routers: each switch port is its own collision domain, while a broadcast domain is bounded by a router interface (or a VLAN).


Controlling Network Latency


Removing Network Bottlenecks


Activity 2.1.3.2


Forwarding Frames Using a Switch


Switch Forwarding Methods


Store-and-Forward Switching

The switch receives the entire frame, checks the FCS, and only then forwards it, so corrupted frames are never propagated. Store-and-forward switching is required for Quality of Service (QoS) analysis on converged networks where frame classification for traffic prioritization is necessary.

Cut-Through Switching

The switch begins forwarding a frame before it has been received in full, so it cannot check the FCS. There are two variants of cut-through switching:
- Fast-forward switching: forwards a frame immediately after reading the destination address (lowest latency, but corrupted frames are forwarded too).
- Fragment-free switching: reads the first 64 bytes of an Ethernet frame, so collision fragments (which are shorter than 64 bytes) are discarded, and then begins forwarding it to the appropriate port or ports.

Extra: Adaptive Cut-Through

Some switches are configured to perform cut-through switching on a per-port basis until a user-defined error threshold is reached, and then they automatically change to store-and-forward. When the error rate falls below the threshold, the port automatically changes back to cut-through switching.

Symmetric and Asymmetric Switching

Symmetric switching provides switched connections between ports of the same bandwidth; asymmetric switching connects ports of unlike bandwidth (for example, 100 Mbps access ports and a 1000 Mbps uplink), which requires memory buffering. Most current switches are asymmetric switches because this type of switch offers the greatest flexibility.

Memory Buffering

Port-based memory buffering: frames are stored in queues linked to specific incoming and outgoing ports. A frame is transmitted to the outgoing port only when all the frames ahead of it in the queue have been successfully transmitted.

Shared memory buffering: all frames go into a common memory buffer shared by all ports. The frames in the buffer are linked dynamically to the destination port. This allows a frame to be received on one port and then transmitted on another port without moving it to a different queue.

Layer 2 and Layer 3 Switching


Layer 3 Switch and Router Comparison


Review your understanding


Switch Management Configuration


The Command Line Interface Modes


GUI-based Alternatives to the CLI


Context Sensitive Help


Console Error Messages


The Command History Buffer


Configure the Command History Buffer


Describe the Boot Sequence


Extra: Boot Loader Command Line

During normal boot loader operation, you are not presented with the boot loader command-line prompt. You gain access to the boot loader command line if:
- the switch is set to boot manually;
- an error occurs during power-on self test (POST) DRAM testing;
- an error occurs while loading the operating system (a corrupted IOS image).

You can also access the boot loader if you have lost or forgotten the switch password. To do so through a switch console connection at 9600 bps: unplug the switch power cord, then press the switch Mode button while reconnecting the power cord. You can release the Mode button a second or two after the LED above port 1 goes off. You should then see the boot loader Switch: prompt.

The boot loader performs low-level CPU initialization, performs POST, and loads a default operating system image into memory.

Anyone with physical access to the console port can reach the boot loader and, from there, bypass the configured passwords (see Password Recovery later in this chapter). Physical security of the switch and its console port is therefore part of the switch's security.

Prepare to Configure the Switch

Step 1, Step 2 and Step 3 are shown in the figures.

config.text

show version

copy running-config startup-config

Change the size of the simulated NVRAM buffer, and change the name of the startup configuration file (default config.text):

boot buffersize 40000
boot config-file flash:mr.bon

Basic Switch Configuration

Management Interface Considerations

The switch is managed through a switch virtual interface (interface vlan N). VLAN 1 is the default and is used in the examples below, but all ports belong to VLAN 1 out of the box; using a dedicated management VLAN that carries no user traffic is the better choice.

Basic switch configuration

1. Assign an IP address to the management interface:
SW(config)# interface vlan 1
SW(config-if)# ip address A.B.C.D subnet-mask
SW(config-if)# no shutdown

2. Require a password on the vty (remote access) lines:
SW(config)# line vty 0 4
SW(config-line)# password cisco
SW(config-line)# login

3. Set the privileged EXEC password (stored as a hash, unlike enable password):
SW(config)# enable secret class

4. Configure the default gateway:
SW(config)# ip default-gateway A.B.C.D

The passwords cisco and class are lab placeholders; use strong, unique passwords on production equipment.


Configure Duplex and Speed

Interface commands: duplex {auto | full | half} and speed {10 | 100 | 1000 | auto}. Set both ends of a link the same way; hard-setting one end while the other autonegotiates produces a duplex mismatch.

Configure a Web Interface

username student privilege 15 password cisco
ip http server
ip http authentication local

ip http server enables the cleartext HTTP interface, so credentials cross the network unprotected. Where a web interface is needed and the image supports it, use ip http secure-server (HTTPS) instead; where it is not needed, disable it with no ip http server.

Managing the MAC Address Table

show mac-address-table

The MAC address entry is automatically discarded or aged out after 300 seconds.


Managing the MAC Address Table

The address 0100.0cdd.dddd is a multicast MAC address used by the Cisco Group Management Protocol (CGMP); it appears as a static entry in the table.

Extra: Managing the MAC Address Table

sw(config)# mac-address-table ?
  aging-time    Set MAC address table entry maximum age
  notification  Enable/Disable MAC Notification on the switch
  static        static keyword
sw(config)# mac-address-table aging-time ?
  <0-0>         Enter 0 to disable aging
  <10-1000000>  Aging time in seconds

Rather than wait for a dynamic entry to age out, the administrator can clear dynamic entries with the privileged EXEC command:

sw# clear mac-address-table dynamic

Extra: Configuring static MAC addresses

sw(config)# mac-address-table static <mac-address-of-host> vlan <vlan-id> interface FastEthernet <port-number>

A static entry is never aged out and cannot be displaced by a frame with the same source address arriving on another port.

Show Commands


Show running-config


Show interfaces


Backing Up the Configuration


Restoring the Configuration


Back up Configuration Files to a TFTP Server


Clearing Configuration Information


Extra: Reset Default Switch Configurations

The following steps ensure that a new configuration completely overwrites any existing configuration:
1. Remove any existing VLAN information by deleting the VLAN database file vlan.dat from flash (delete flash:vlan.dat).
2. Erase the backup configuration file startup-config (erase startup-config).
3. Reload the switch (reload).

Configure Password Options


Configure Console Access


Secure the vty Ports


Configure EXEC Mode Passwords

enable password: stored in clear text in the configuration.
enable secret: stored as an MD5 hash; when both are configured, the enable secret takes priority over the enable password.

Configure Encrypted Passwords

service password-encryption

The figure shows the configuration before and after the command: line and enable passwords appear in clear text before, and as type 7 strings after. Type 7 is reversible obfuscation, not a hash; it prevents a password being read off a displayed configuration, but it does not protect a configuration file that has been copied from the device.

Enable Password Recovery


Extra: Switch LED indicators

(Figure: LED mode indicators, including port utilization.)

Password Recovery

Step 1. Connect a terminal or PC with terminal-emulation software to the switch console port.
Step 2. Set the line speed on the emulation software to 9600 baud.
Step 3. Power off the switch. Reconnect the power cord to the switch and, within 15 seconds, press the Mode button while the System LED is still flashing green. Continue pressing the Mode button until the System LED turns briefly amber and then solid green. Then release the Mode button. Alternatively, enter the reload command and then press the Mode button until the System LED turns briefly amber and then solid green.
Step 4. Initialize the flash file system using the flash_init command.
Step 5. Load any helper files using the load_helper command.
Step 6. Display the contents of flash memory using the dir flash: command. The switch file system appears:

Directory of flash:
 13  drwx   192   Mar 01 1993 22:30:48  c2960-lanbase-mz.122-25.FX
 11  -rwx  5825   Mar 01 1993 22:31:59  config.text
 18  -rwx   720   Mar 01 1993 02:21:30  vlan.dat
16128000 bytes total (10003456 bytes free)

Step 7. Rename the configuration file, which contains the password definition, to config.text.old using the rename flash:config.text flash:config.text.old command.
Step 8. Boot the system with the boot command.
Step 9. You are prompted to start the setup program. Enter N at the prompt, and then, when the system prompts whether to continue with the configuration dialog, enter N.
Step 10. At the switch prompt, enter privileged EXEC mode using the enable command.
Step 11. Rename the configuration file to its original name using the rename flash:config.text.old flash:config.text command.
Step 12. Copy the configuration file into memory using the copy flash:config.text system:running-config command. After this command has been entered, the following is displayed on the console:

Source filename [config.text]?
Destination filename [running-config]?

Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can change the password.
Step 13. Enter global configuration mode using the configure terminal command.
Step 14. Change the password using the enable secret password command.
Step 15. Return to privileged EXEC mode using the exit command.
Step 16. Write the running configuration to the startup configuration file using the copy running-config startup-config command.
Step 17. Reload the switch using the reload command.

Note: The password recovery procedure can differ depending on the Cisco switch series, so refer to the product documentation before you attempt a password recovery.

Configure a Login Banner

Create the local database:
sw(config)# username student password student
Enable authentication for the console line:
sw(config)# line console 0
sw(config-line)# login local
sw(config-line)# exit
Configure the banner shown before the login prompt (the # characters are the delimiter; any character not in the message text can be used, and it must close the message):
sw(config)# banner login #Authorized Personnel Only!#
sw(config)# end
sw#


Login Banner

Create the local database:
sw(config)# username student password student
Enable authentication for the vty lines:
sw(config)# line vty 0 4
sw(config-line)# login local
sw(config-line)# exit
sw(config)# banner login #Authorized Personnel Only!#
sw(config)# end
sw#

Configure a MOTD Banner

sw(config)# banner motd #This is a security system!#
sw(config)# end
sw#

The MOTD banner is shown to every connecting user before the login banner. Keep it free of details (hostname, model, location) that would help an attacker, and avoid wording such as "welcome" that could be read as permission to connect.

Telnet and SSH

Both are remote-access tools for switches and routers. Telnet sends everything, including usernames and passwords, in clear text; SSH encrypts the data before transmitting it. Use SSH instead of Telnet wherever the IOS image supports it.

Configuring Telnet


Configuring SSH

The switch supports SSHv1 or SSHv2 for the server component. The switch supports only SSHv1 for the client component. To implement SSH, you need to generate RSA keys.

Step 1. Enter global configuration mode using the configure terminal command.
Step 2. Configure a hostname for your switch using the hostname hostname command.
Step 3. Configure a host domain for your switch using the ip domain-name domain_name command.
Step 4. Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair using the crypto key generate rsa command (choose a modulus of at least 1024 bits; 2048 where the image allows it).
Step 5. Return to privileged EXEC mode using the end command.
Step 6. Show the status of the SSH server on the switch using the show ip ssh or show ssh command.

To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. After the RSA key pair is deleted, the SSH server is automatically disabled.

Configuring the SSH Server

Step 1. Enter global configuration mode using the configure terminal command.
Step 2. (Optional) Configure the switch to run SSHv1 or SSHv2 using the ip ssh version [1 | 2] command. If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2. Pinning ip ssh version 2 prevents a client from negotiating the weaker SSHv1.
Step 3. Configure the SSH control parameters with the ip ssh {time-out seconds | authentication-retries number} command:
- time-out: the SSH negotiation time-out in seconds (default 120, range 0 to 120). Once the execution shell starts, the normal CLI session time-out of 10 minutes applies.
- authentication-retries: the number of times a client can re-authenticate to the server (default 3, range 0 to 5).
Step 4. Return to privileged EXEC mode using the end command.
Step 5. Display the status of the SSH server connections on the switch using the show ip ssh or the show ssh command.
Step 6. (Optional) Save your entries in the configuration file using the copy running-config startup-config command.

Example: Enable SSH on a Switch

hostname SSH-Server
enable secret class
username student password cisco
ip domain-name cisco.com
crypto key generate rsa
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
interface vlan 1
 ip address 1.1.1.2 255.255.255.0
 no shutdown

From a PC:
C:\> ssh -l {username} {ip address}

Verify:
show ip ssh
show ssh
show crypto key mypubkey rsa

Example: Enable SSH on a Switch (switch-to-switch)

SSH-Client:
hostname SSH-Client
ip domain-name microsoft.com
crypto key generate rsa
ip ssh version 2
interface vlan 1
 ip address 1.1.1.1 255.255.255.0
 no shutdown

SSH-Server:
hostname SSH-Server
enable secret class
username student password cisco
ip domain-name cisco.com
crypto key generate rsa
ip ssh version 2
line vty 0 4
 login local
 transport input ssh
interface vlan 1
 ip address 1.1.1.2 255.255.255.0
 no shutdown

SSH-Client# ssh -l student 1.1.1.2
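The examples above hard-code lab passwords (cisco, class) and the first configurations in this chapter leave Telnet open. The following Python script is an added example (not from the course) that audits a saved running-config for exactly the items this chapter asks you to fix: enable password without enable secret, username ... password rather than secret, line passwords without service password-encryption, SSH version not pinned to 2, cleartext HTTP, CDP left enabled, no login banner, and vty lines that lack login or still admit Telnet. Both sample configurations are constructed for the example, the type-5 hashes are placeholders, and the finding codes are names chosen here.

```python
import re

# Constructed sample (not a real device's config): a switch set up the way the first
# examples in this chapter do it, with Telnet still allowed and cleartext passwords.
WEAK_CONFIG = """\
hostname SW1
enable password cisco
username student privilege 15 password cisco
ip http server
interface Vlan1
 ip address 1.1.1.2 255.255.255.0
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 transport input telnet ssh
end
"""

# Constructed sample: the same switch after the hardening steps this chapter describes.
# The type-5 hashes are placeholders, not real hashes.
HARDENED_CONFIG = """\
hostname SW1
service password-encryption
enable secret 5 $1$xxxx$placeholderhashnotreal
username student privilege 15 secret 5 $1$yyyy$placeholderhashnotreal
no cdp run
ip domain-name cisco.com
ip ssh version 2
no ip http server
ip http secure-server
banner login ^CAuthorized Personnel Only!^C
interface Vlan1
 ip address 1.1.1.2 255.255.255.0
line con 0
 login local
line vty 0 4
 login local
 transport input ssh
end
"""


def parse_sections(config):
    """Split IOS config text into (header, indented-children) pairs.

    Unindented lines are global commands or section headers (interface ..., line ...);
    the lines indented beneath a header belong to it.
    """
    sections = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def audit_config(config):
    """Return finding codes for the weaknesses this chapter teaches you to remove."""
    sections = parse_sections(config)
    headers = [h for h, _ in sections]

    def has(prefix):
        return any(h.startswith(prefix) for h in headers)

    findings = []
    # enable password is stored in clear text; enable secret is hashed and takes priority
    if has("enable password") and not has("enable secret"):
        findings.append("ENABLE_PASSWORD_CLEARTEXT")
    # 'username ... password' is cleartext or reversible type 7; 'secret' is hashed
    if any(re.match(r"username \S+( privilege \d+)? password ", h) for h in headers):
        findings.append("USERNAME_PASSWORD_NOT_SECRET")
    # line passwords are displayed in clear text unless service password-encryption is set
    line_passwords = [c for h, body in sections if h.startswith("line")
                      for c in body if c.startswith("password ")]
    if line_passwords and not has("service password-encryption"):
        findings.append("LINE_PASSWORDS_CLEARTEXT")
    if not has("ip ssh version 2"):
        findings.append("SSH_VERSION_NOT_PINNED")      # server may still negotiate SSHv1
    if has("ip http server"):
        findings.append("HTTP_CLEARTEXT_ENABLED")      # 'no ip http server' does not match
    if not has("no cdp run"):
        findings.append("CDP_GLOBALLY_ENABLED")        # CDP is on by default and not shown
    if not has("banner login"):
        findings.append("NO_LOGIN_BANNER")
    for header, body in sections:
        if not header.startswith("line vty"):
            continue
        if not any(c.startswith("login") for c in body):
            findings.append(f"VTY_NO_LOGIN: {header}")
        transports = [c for c in body if c.startswith("transport input")]
        # Assumption: with no explicit 'transport input', the platform default admits Telnet.
        if not transports or any(re.search(r"\b(telnet|all)\b", t) for t in transports):
            findings.append(f"VTY_PERMITS_TELNET: {header}")
    return findings
```

Run the audit over the output of show running-config saved to a file; an empty result means none of the chapter's hardening items is missing. CDP is reported whenever no cdp run is absent because the default (enabled) state never appears in the configuration, which is the same reason a manual review of show running-config tends to miss it.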


show crypto key mypubkey rsa


show ssh


Layer 2 common security attacks


MAC Address Flooding

The attacker sends frames with a large number of bogus source MAC addresses until the switch's MAC address table is full. Legitimate hosts can then no longer be learned, so the switch floods unicast frames for those destinations out every port in the VLAN, and the attacker captures traffic that a correctly operating switch would have delivered to one port only. Port security (later in this chapter) mitigates this by limiting the number of MAC addresses a port may learn.

Spoofing Attacks


Extra: DHCP starvation attacks

An attacker broadcasts DHCP requests with spoofed MAC addresses until the legitimate DHCP server's address pool is exhausted. A rogue DHCP server can then answer clients, handing them a malicious default gateway or DNS server (DHCP spoofing).

Solution:
- Cisco Catalyst DHCP Snooping
- Port Security features (later in this module)

Solution: Cisco Catalyst DHCP Snooping

DHCP snooping classifies switch ports as trusted (toward the legitimate DHCP server) or untrusted (toward clients). DHCP server messages arriving on untrusted ports are dropped, client requests on untrusted ports can be rate-limited, and the switch builds a binding table of client MAC address, leased IP address and port.

Config DHCP Snooping

Step 1. Enable DHCP snooping globally using the ip dhcp snooping global configuration command.
Step 2. Enable DHCP snooping for specific VLANs using the ip dhcp snooping vlan number [number] command.
Step 3. Define ports as trusted or untrusted at the interface level: ports toward the DHCP server (uplinks) are marked with the ip dhcp snooping trust command; all other ports are untrusted by default.
Step 4. (Optional) Limit the rate at which an attacker can continually send bogus DHCP requests through untrusted ports to the DHCP server using the ip dhcp snooping limit rate rate interface command.
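Added example (not from the course): a Python model of the DHCP snooping decisions the four steps above configure. It drops DHCP server messages (OFFER, ACK, NAK) arriving on untrusted ports, drops client messages whose source MAC does not match the chaddr field (the verify mac-address check, on by default), enforces a per-port rate limit by err-disabling the offending port, and builds the binding table from ACKs seen on the trusted port. Class and method names are chosen here; the traffic in the test is constructed.

```python
from collections import defaultdict

# DHCP message types (option 53), RFC 2132
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_MESSAGES = {OFFER, ACK, NAK}          # only a DHCP server legitimately sends these


class DhcpSnooping:
    """Toy model of DHCP snooping: trusted/untrusted ports, a per-port rate limit,
    and the binding table built from server ACKs. Not Cisco's implementation."""

    def __init__(self, trusted_ports, rate_limit=None):
        self.trusted = set(trusted_ports)
        self.rate_limit = dict(rate_limit or {})   # untrusted port -> max client DHCP pkts/second
        self.counters = defaultdict(int)           # (port, whole second) -> packets seen
        self.pending = {}                          # client chaddr -> untrusted port it was seen on
        self.bindings = {}                         # client chaddr -> (leased ip, port)
        self.err_disabled = set()

    def handle(self, port, src_mac, chaddr, msg_type, now, yiaddr=None):
        """Decide the fate of one DHCP packet; returns 'forward' or 'drop: <reason>'."""
        if port in self.err_disabled:
            return "drop: port err-disabled"
        if port in self.trusted:
            # Server side: accept everything; learn bindings from ACKs to clients we saw
            if msg_type == ACK and yiaddr and chaddr in self.pending:
                self.bindings[chaddr] = (yiaddr, self.pending.pop(chaddr))
            return "forward"
        # Untrusted (client-facing) port
        if msg_type in SERVER_MESSAGES:
            return "drop: server message on untrusted port"   # rogue DHCP server
        if src_mac.lower() != chaddr.lower():
            return "drop: source MAC does not match chaddr"   # spoofed client hardware address
        limit = self.rate_limit.get(port)
        if limit is not None:
            key = (port, int(now))
            self.counters[key] += 1
            if self.counters[key] > limit:
                self.err_disabled.add(port)   # IOS err-disables a port that exceeds its limit
                return "drop: rate limit exceeded"
        if msg_type in (DISCOVER, REQUEST):
            self.pending[chaddr] = port       # remember where this client lives
        return "forward"
```

The rate limit is what stops a starvation attack: the attacker in the test sends twenty DISCOVERs in one second against a limit of 15, so the sixteenth is dropped and the port is err-disabled, after which nothing from that port is forwarded until an administrator re-enables it. A rogue server's OFFER on an untrusted port is dropped regardless of rate.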

CDP Attacks

Solution: Disable the use of CDP on devices that do not need to use
it. (config)# no cdp run (config-if)# no cdp enable
H c vi n m ng Bach Khoa - Website: www.bkacad.com 139

Telnet Attacks

Telnet carries credentials in clear text; the common attacks are brute-force password guessing and denial of service against the Telnet service. Mitigate by using SSH, strong passwords and restricting which hosts may reach the vty lines.

Other: Working with Passwords

Passwords should be as long and as complicated as possible. Most security experts believe a password of 10 characters is the minimum that should be used if security is a real concern.
- Using only the lowercase letters of the alphabet gives 26 characters.
- Adding the numeric values 0-9 gives another 10 characters.
- Adding the uppercase letters gives an additional 26 characters, for a total of 62 characters with which to construct a password.
A 4-character password drawn from this set gives 62 x 62 x 62 x 62 = 62^4, approximately 14.8 million possibilities. A 5-character password gives 62^5, approximately 916 million possibilities. A 10-character password gives 62^10, approximately 8.4 x 10^17 possibilities. At the processing rate assumed in the original text, the 4-character password could be broken in a day, while the 10-character password would take a millennium: the search space grows exponentially with length, which is why length matters more than any single extra character class.

Extra: Other Attacks

This attack can also be mitigated using port security.

Extra: Cisco CatOS Telnet, HTTP and SSH Vulnerability

Cisco CatOS is susceptible to a TCP-ACK Denial of Service (DoS) attack on the Telnet, HTTP and SSH services. If exploited, the vulnerability causes the device running Cisco CatOS to stop functioning and reload. Restricting management access to trusted hosts reduces the exposure of such services until a fixed software release is installed.

Security tools


Network Security Tools Features


Using Port Security to Mitigate Attacks


Types of secure MAC address

- Static: configured manually with switchport port-security mac-address <mac>; stored in the running configuration.
- Dynamic: learned automatically, held only in the address table, and lost when the switch restarts.
- Sticky: learned dynamically with switchport port-security mac-address sticky and then written to the running configuration as static entries; kept across a restart if the configuration is saved.

Violation types

- protect: once the maximum is reached, frames from unknown source addresses are dropped; no notification is generated.
- restrict: frames are dropped, the violation counter increments, and a syslog message and SNMP trap are generated.
- shutdown (default): the port is placed in the error-disabled state immediately, the port LED turns off, and a syslog message is generated; the port must be re-enabled manually (shutdown, then no shutdown) or through errdisable recovery.

Port security default

Port security is disabled on all ports; maximum secure addresses per port: 1; violation mode: shutdown; sticky learning: disabled.

Config dynamic port security

Config port security sticky

interface f0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation {restrict | protect | shutdown}

show port-security interface f0/1
show port-security address
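Added example (not the course's own material): a Python model of a learning switch that ties together the MAC address table (learning, 300-second aging, flooding of unknown unicast), the MAC address flooding attack from earlier in this chapter, and the port-security maximum and violation behaviour configured above. mac_flood_scenario shows that with a full table the attacker's port receives a unicast exchanged between two victims, and that the equivalent of switchport port-security maximum 1 violation shutdown on the attacker's port stops it. Table capacity, port numbers and MAC addresses are constructed for the example.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Toy Layer 2 switch: capacity-limited MAC address table with aging, plus port security."""

    def __init__(self, ports, cam_capacity=8, aging_time=300):
        self.ports = set(ports)
        self.cam = {}                 # mac -> (port, last_seen)
        self.cam_capacity = cam_capacity
        self.aging_time = aging_time  # seconds; the IOS default is 300
        self.psec = {}                # port -> port-security state
        self.err_disabled = set()

    def enable_port_security(self, port, maximum=1, violation="shutdown", static=()):
        """Equivalent of switchport port-security [maximum N] [violation MODE] [mac-address ...]."""
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(f"unknown violation mode {violation!r}")
        self.psec[port] = {"maximum": maximum, "violation": violation,
                           "secure": set(static), "violations": 0}

    def _age_out(self, now):
        stale = [m for m, (_, seen) in self.cam.items() if now - seen > self.aging_time]
        for mac in stale:
            del self.cam[mac]

    def _port_security_allows(self, port, src):
        ps = self.psec.get(port)
        if ps is None or src in ps["secure"]:
            return True
        if len(ps["secure"]) < ps["maximum"]:
            ps["secure"].add(src)          # learned as a secure (dynamic or sticky) address
            return True
        ps["violations"] += 1              # protect drops silently; restrict drops and counts
        if ps["violation"] == "shutdown":
            self.err_disabled.add(port)    # err-disabled until an administrator re-enables it
        return False

    def receive(self, port, src, dst, now):
        """Process one frame; return the set of egress ports (an empty set means dropped)."""
        if port in self.err_disabled:
            return set()
        self._age_out(now)
        if not self._port_security_allows(port, src):
            return set()
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = (port, now)    # learn or refresh; a full table learns nothing new
        if dst == BROADCAST or dst not in self.cam:
            return self.ports - {port}     # broadcast or unknown unicast: flood
        return {self.cam[dst][0]} - {port} # known unicast: forward (filtered if same port)


def mac_flood_scenario(with_port_security, bogus_frames=1000):
    """Attacker on port 3 floods bogus source MACs, then victim A (port 1) sends a unicast
    to victim B (port 2). Returns True if the attacker's port receives that unicast."""
    sw = Switch(ports=[1, 2, 3], cam_capacity=8)
    if with_port_security:
        sw.enable_port_security(3, maximum=1, violation="shutdown")
    for i in range(bogus_frames):
        sw.receive(3, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", BROADCAST, now=0)
    sw.receive(2, "00:11:22:33:44:02", BROADCAST, now=1)                      # B announces itself
    egress = sw.receive(1, "00:11:22:33:44:01", "00:11:22:33:44:02", now=2)  # A -> B unicast
    return 3 in egress
```

With port security in shutdown mode the attacker's second bogus frame err-disables the port, so the table never fills and A's frame to B goes to port 2 alone; in restrict mode the port stays up, the violation counter climbs, and the one secure host on that port keeps working while every other source address is dropped.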

Verify


Disable Unused Ports

Shut down every unused switch port (interface range ..., then shutdown) and assign it to an unused VLAN, so that someone who gains physical access to a wall jack cannot simply plug in.

Chapter summary
