CIS 82 Routing Protocols and Concepts Chapter 2 Switching Concepts and Configuration


CIS 82 Routing Protocols and Concepts

Chapter 2 Switching Concepts and Configuration
Rick Graziani
Cabrillo College
[email protected]

Spring 2016
Chapter 2: Objectives

- Explain the basic concepts of a switched environment.
- Configure initial settings on a Cisco switch to meet network requirements.
- Configure the management switch virtual interface.
- Describe basic security attacks in a switched environment.
- Describe in a switched environment.
- Configure the port security feature to restrict network access.
Review: Layer 2 switch

Ethernet frame (figure): Destination Address (MAC) | Source Address (MAC) | Type (what data? IP, etc.) | DATA | FCS (errors?)

Ethernet, Layer 2 (Data Link Layer): NIC (source MAC address) to NIC (destination MAC address) communications in the same network.
- Source MAC address: the address of the sender's NIC.
- Destination MAC address:
  - Unicast: MAC address of the destination NIC on the same network.
  - Broadcast: all 1 bits (F's).
Hubs

- Legacy, Layer 1 devices: multi-port repeaters.
- Shared bandwidth, based on the legacy bus topology.
- CSMA/CD: a single collision domain (figure: a collision between a sending host and a receiving host).

Switches

- Layer 2 devices (also operate at Layer 1).
- Full duplex.
- Dedicated bandwidth.
MAC Address Table: Forwarding Frames

1. Learn: examine the source MAC address.
   - In table: reset the 5-minute timer.
   - Not in table: add the source MAC address and port number to the table.
2. Forward: examine the destination MAC address.
   - In table: forward out that port.
   - Not in table: flood out all ports except the incoming port.

Figure walkthrough (host AAAA on port 1, host BBBB on port 2, MAC address table initially empty):
- Unknown unicast: AAAA sends a frame to BBBB. The switch learns port 1 -> AAAA; BBBB is not in the table, so the frame is flooded out every port except port 1.
- Unicast: BBBB replies to AAAA. The switch learns port 2 -> BBBB; AAAA is in the table, so the frame is forwarded out port 1 only.
- Unicast: AAAA sends to BBBB again. Both addresses are known, so the frame is forwarded out port 2 only.
- Broadcast: AAAA sends to FFFF. The frame is flooded out all ports except port 1; every port of the switch belongs to the same broadcast domain.
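As an added example (not code from the slides or from Cisco), a constructed Python model of the learn/forward rules above, replaying the four figures with AAAA on port 1 and BBBB on port 2. The 300-second aging value and the filtering of a frame whose destination is already on the receiving port are assumptions added to round out the slide's two rules.

```python
from dataclasses import dataclass, field

BROADCAST = "FFFF"
AGING_SECONDS = 300  # the 5-minute timer the slide resets on every frame from a known source


@dataclass
class Switch:
    """Constructed model of the slide's learn/forward rules (not Cisco's implementation)."""
    ports: list
    table: dict = field(default_factory=dict)  # MAC -> (port, time last seen)

    def receive(self, in_port, src, dst, now):
        """Process one frame; return the list of ports it is sent out of."""
        # Step 1, learn: (re)record the source MAC on the receiving port and reset its timer.
        self.table[src] = (in_port, now)
        # Entries that were not refreshed within the aging time are dropped (assumed behaviour).
        self.table = {mac: (port, seen) for mac, (port, seen) in self.table.items()
                      if now - seen < AGING_SECONDS}
        # Step 2, forward: broadcasts and unknown unicasts are flooded out every other port.
        if dst == BROADCAST or dst not in self.table:
            return [p for p in self.ports if p != in_port]
        out_port, _ = self.table[dst]
        # Known destination sitting on the receiving port: filter (drop) rather than loop it back.
        return [] if out_port == in_port else [out_port]


def slide_walkthrough():
    """Replay the four slides; returns the forwarding decisions and the final table."""
    sw = Switch(ports=[1, 2])
    decisions = [
        sw.receive(1, "AAAA", "BBBB", now=0),     # unknown unicast: flooded -> [2]
        sw.receive(2, "BBBB", "AAAA", now=1),     # AAAA already learned: forwarded -> [1]
        sw.receive(1, "AAAA", "BBBB", now=2),     # BBBB already learned: forwarded -> [2]
        sw.receive(1, "AAAA", BROADCAST, now=3),  # broadcast: flooded -> [2]
    ]
    return decisions, sw.table


if __name__ == "__main__":
    decisions, table = slide_walkthrough()
    for ports in decisions:
        print("sent out ports", ports)
    print("table:", {mac: port for mac, (port, _) in table.items()})
```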
5.2.1.4 - MAC Address Tables on Connected Switches

Figure series (the frames and table entries below are what the slides show): switches S1 and S2, each with ports 1-4, are linked to each other, and a router (MAC 00-0D) leads to the Internet. Hosts A (MAC 00-0A), B (MAC 00-0B) and C (MAC 00-0C) are attached to the switches. Both MAC address tables start empty.

- A sends a frame to B: destination MAC 00-0B, source MAC 00-0A. S1 learns port 1 -> 00-0A. 00-0B is not in S1's table, so the frame is flooded out every other port, including the link to S2. S2 receives it on its port 1, learns port 1 -> 00-0A, and floods it as well; C and the router drop the frame (marked X in the figure) because the destination MAC is not theirs.
- B replies to A: destination MAC 00-0A, source MAC 00-0B. The figure now shows S1's table with port 1 -> 00-0A and port 3 -> 00-0B, while S2 still holds port 1 -> 00-0A. 00-0A is known, so the reply is forwarded out port 1 only instead of being flooded.
5.2.1.5 - Sending a Frame to the Default Gateway

Same topology; the tables hold S1: port 1 -> 00-0A, port 3 -> 00-0B and S2: port 1 -> 00-0A.

- A has a packet whose destination IP address is on a remote network, so it addresses the frame to its default gateway: destination MAC 00-0D, source MAC 00-0A. 00-0D is not yet in either table, so S1 floods the frame and so does S2; B and C discard it (marked X in the figure) and the router accepts it.
- The router sends a frame back to A (source IP address on the remote network): destination MAC 00-0A, source MAC 00-0D. S2 learns port 4 -> 00-0D and forwards the frame out port 1 toward S1; S1 learns port 4 -> 00-0D and forwards it out port 1 to A. The tables end as S1: 1 -> 00-0A, 3 -> 00-0B, 4 -> 00-0D and S2: 1 -> 00-0A, 4 -> 00-0D.
5.3.2.3 - ARP Operation - ARP Request

Figure series (topology): one LAN with hosts A (192.168.1.110, MAC 00-0A), B (192.168.1.120, MAC 00-0B), C (192.168.1.50, MAC 00-0C) and router R1 (192.168.1.1, MAC 00-0D) leading to the Internet.

- A has an IP packet to send: source IP 192.168.1.110, destination IP 192.168.1.50. The Ethernet header needs a destination MAC (???), but PC-A's ARP cache is empty, so the packet is put on hold.
- A broadcasts an ARP request: destination MAC FF-FF, source MAC 00-0A, target IPv4 192.168.1.50, target MAC ???.
- Every node on the LAN receives the broadcast. B and R1 each conclude "The target IPv4 is not me." and discard it; C concludes "The target IPv4 is me!".

5.3.2.4 - ARP Operation - ARP Reply

- C answers with a unicast ARP reply ("Here is my MAC address for the IPv4 address you were looking for!"): destination MAC 00-0A, source MAC 00-0C, sender IPv4 192.168.1.50, sender MAC 00-0C.
- PC-A's ARP cache now holds 192.168.1.50 -> 00-0C.
- A takes the packet off hold and sends it: destination MAC 00-0C, source MAC 00-0A, source IP 192.168.1.110, destination IP 192.168.1.50.
5.3.2.5 - ARP Role in Remote Communication

Same topology; A's default gateway is 192.168.1.1 (R1, MAC 00-0D).

- A has an IP packet for 10.1.1.10, an address on a remote network: source IP 192.168.1.110, destination IP 10.1.1.10, destination MAC ???. PC-A's ARP cache is empty, so the packet is put on hold.
- Because the destination is not on A's subnet, A sends an ARP request for the default gateway, not for the destination: destination MAC FF-FF, source MAC 00-0A, target IPv4 192.168.1.1, target MAC ???.
- B and C: "The target IPv4 is not me." R1: "The target IPv4 is for me!"
- R1 replies ("Here is my MAC address for the IPv4 address you were looking for!"): destination MAC 00-0A, source MAC 00-0D, carrying its own IPv4 192.168.1.1 and MAC 00-0D.
- PC-A's ARP cache now holds 192.168.1.1 -> 00-0D.
- A sends the held packet with destination MAC 00-0D, source MAC 00-0A, source IP 192.168.1.110, destination IP 10.1.1.10. The destination IP stays the remote address; only the destination MAC points at the router.
It's all about the IP Address

Post office analogy (figure). Rick, Santa Cruz, Ca, writing to Emmalia, Santa Cruz, Ca: "Emmalia, you are in my neighborhood so I can take the letter to you!" Rick, Santa Cruz, Ca, writing to Lucia, Capitola, Ca: "Lucia, I see by your address that you are somewhere else. So I have to take your letter to the Post Office."

- Even if two houses are on the same street, you only know the address, so you must take it to the local post office.
Understanding IP communications

Figure 1: A (192.168.10.10, mask 255.255.255.0, MAC aa.aa) and B (192.168.10.11, mask 255.255.255.0, MAC bb.bb) are both on the 192.168.10.0/24 subnet. A's frame: destination address bb.bb, source address aa.aa, type IP, destination IP 192.168.10.11, FCS.

- Devices can only communicate directly with other devices on the same subnet.
- A knows that it is on the 192.168.10.0/24 subnet (AND operation with its IP address and subnet mask). (Same subnet = same subnet mask.)
- A knows that B (192.168.10.11) is on its same subnet (AND operation with B's IP address and A's subnet mask).

      A 192.168.10.10                       B 192.168.10.11
  AND   255.255.255.0                   AND   255.255.255.0
  --------------------                  --------------------
        192.168.10.0    SAME subnet           192.168.10.0
  A can reach B directly without going through a router.

Figure 2: A (192.168.10.10, mask 255.255.255.0, MAC aa.aa) on the 192.168.10.0/24 subnet and C (192.168.20.12, mask 255.255.255.0, MAC cc.cc) on the 192.168.20.0/24 subnet. A's frame carries destination IP 192.168.20.12, but the destination MAC cannot be C's.

- Devices can only communicate directly with other devices on the same subnet.
- A knows that it is on the 192.168.10.0/24 subnet (AND operation with its IP address and subnet mask). (Same subnet = same subnet mask.)
- A knows that C (192.168.20.12) is on a different subnet (AND operation with C's IP address and A's subnet mask). Can't get there directly!

      A 192.168.10.10                       C 192.168.20.12
  AND   255.255.255.0                   AND   255.255.255.0
  --------------------                  --------------------
        192.168.10.0  DIFFERENT subnets       192.168.20.0
  A can NOT reach C directly. Must go through a router.

Figure 3: a router sits between the subnets with interface 192.168.10.1 (MAC 11.11, mask 255.255.255.0) on 192.168.10.0/24 and interface 192.168.20.1 (MAC 22.22, mask 255.255.255.0) on 192.168.20.0/24. First frame, A to the router: destination address 11.11, source address aa.aa, type IP, destination IP 192.168.20.12, FCS. Second frame, router to C: destination address cc.cc, source address 22.22, type IP, destination IP 192.168.20.12 (unchanged), FCS.

- A sends a packet for a device in a DIFFERENT subnet directly to a router which is on the same subnet as A.
- The router will take care of it from there.

Summary (figure: A and B on 192.168.10.0/24; A and C on different subnets; A, router, C):
- Devices can only communicate directly with other devices on the same subnet.
- Otherwise, they must go through a router that is on their same subnet.
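As an added example (not from the slides), a constructed Python model that ties the AND operation above to the ARP slides in 5.3.2.3 to 5.3.2.5: PC-A applies its mask to the destination, ARPs either for the destination itself or for the default gateway, and fills in the Ethernet header. The addresses are the page's; the Host class and the LAN_NODES dictionary standing in for the other nodes on the wire are assumptions.

```python
import ipaddress

# Nodes that hear PC-A's broadcasts (IPv4 -> MAC), taken from the ARP slides' topology.
# This dictionary is a constructed stand-in for the LAN itself.
LAN_NODES = {
    "192.168.1.120": "00-0B",   # PC-B
    "192.168.1.50": "00-0C",    # PC-C
    "192.168.1.1": "00-0D",     # R1, PC-A's default gateway
}


def network_of(ip, mask):
    """The slides' AND operation: IP address AND subnet mask = network number."""
    bits = int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(bits))


def same_subnet(ip_a, mask, ip_b):
    """Apply A's own mask to both addresses; equal network numbers mean the same subnet."""
    return network_of(ip_a, mask) == network_of(ip_b, mask)


class Host:
    """Constructed model of one host's IP-to-MAC decision and ARP cache."""

    def __init__(self, ip, mask, mac, gateway):
        self.ip, self.mask, self.mac, self.gateway = ip, mask, mac, gateway
        self.arp_cache = {}          # IPv4 -> MAC, like "PC-A's ARP Cache" on the slides
        self.arp_requests_sent = 0   # counts broadcasts, so cache hits can be checked

    def next_hop(self, dst_ip):
        """Local destination: ARP for it. Remote destination: ARP for the default gateway."""
        return dst_ip if same_subnet(self.ip, self.mask, dst_ip) else self.gateway

    def resolve(self, target_ip, lan):
        """ARP request/reply: each node asks 'is the target IPv4 me?'; only the owner replies."""
        if target_ip in self.arp_cache:
            return self.arp_cache[target_ip]
        self.arp_requests_sent += 1   # broadcast: destination MAC FF-FF, source MAC self.mac
        for node_ip, node_mac in lan.items():
            if node_ip == target_ip:  # "The target IPv4 is me!" -> unicast reply to self.mac
                self.arp_cache[target_ip] = node_mac
                return node_mac
        return None                   # nobody answered; the held packet cannot be sent

    def build_frame(self, dst_ip, lan):
        """Fill in the Ethernet header for an IP packet addressed to dst_ip."""
        dst_mac = self.resolve(self.next_hop(dst_ip), lan)
        # The destination IP stays the real destination even when the MAC is the router's.
        return {"dst_mac": dst_mac, "src_mac": self.mac, "src_ip": self.ip, "dst_ip": dst_ip}


def pc_a():
    """PC-A as drawn on the slides."""
    return Host(ip="192.168.1.110", mask="255.255.255.0", mac="00-0A", gateway="192.168.1.1")


if __name__ == "__main__":
    a = pc_a()
    print(a.build_frame("192.168.1.50", LAN_NODES))   # local: dst_mac 00-0C
    print(a.build_frame("10.1.1.10", LAN_NODES))      # remote: dst_mac 00-0D, dst_ip 10.1.1.10
    print(a.arp_cache)
```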
Switched Environment

Router/Switch Bootup Process

Bootup Process (figure: bootup program, IOS in flash loaded (partial, then running), startup-config copied to running-config).

Switch Boot Sequence

S1(config)# boot system flash:/c2960-lanbasek9-mz.150-2.SE/c2960-lanbasek9-mz.150-2.SE.bin

- By default, the boot loader attempts to load and execute the first executable file it can find by searching the flash file system.
- If there are boot system commands in the startup-config:
  a. Run the boot system commands in the order they appear in the startup-config to locate the IOS.
  b. If the boot system commands fail, use the default fallback sequence to locate the IOS (flash, TFTP, ROM).
- On Catalyst 2960 Series switches, the image file is normally contained in a directory that has the same name as the image file.

Directory Listing in Boot Loader (figure)
Switch LED Indicators

- Each port on a Cisco Catalyst switch has status LED indicator lights.
- The LEDs reflect port activity, but they can also provide other information about the switch through the Mode button.
- The following are available on Catalyst 2960 switches:
  1. System LED
  2. Redundant Power System (RPS) LED (if RPS is supported on the switch)
  3. Port Status LED (default mode)
  4. Port Duplex LED
  5. Port Speed LED
  6. PoE Status LED (if supported)
  7. Port LEDs
  8. Mode button
Status LEDs

LED                           LED is ...               Description
System LED                    Off                      System is not powered.
                              Green                    System is operating normally.
                              Amber                    System is receiving power but is not functioning properly.
Redundant Power System LED    Off                      RPS is off or not properly connected.
                              Green                    RPS is connected and ready to provide back-up power.
                              Blinking Green           RPS is providing power to another device.
                              Amber                    RPS is in standby mode or in a fault condition.
                              Blinking Amber           Internal power supply has failed, and the RPS is providing power.
Port Status LED               Off                      There is no link, or the port was administratively shut down.
                              Green                    A link is present.
                              Blinking Green           Activity: the port is sending or receiving data.
                              Alternating Green-Amber  There is a link fault.
                              Amber                    Port is blocked to ensure there is no STP loop.
                              Blinking Amber           Port is blocked to prevent a possible loop in the forwarding domain.
Port Duplex LED               Off                      Port is in half-duplex mode.
                              Green                    Port is in full-duplex mode.
Port Speed LED                Off                      Port is operating at 10 Mb/s.
                              Green                    Port is operating at 100 Mb/s.
                              Blinking Green           Port is operating at 1000 Mb/s.
PoE Status LED (if supported) Off                      PoE is off.
                              Green                    PoE is on.
                              Alternating Green-Amber  PoE is denied because it would exceed the switch power capacity.
                              Blinking Amber           PoE is off due to a fault.
                              Amber                    PoE for the port has been disabled.
Configure Switch Management Interface
S1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
S1(config)# interface vlan 99
S1(config-if)# ip address 172.17.99.11 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# end
S1# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
S1#

Assign a Default Gateway

Figure: S1's management interface is 172.17.99.11; the router interface on that network is 172.17.99.1; the management host is 172.17.99.100 with default gateway 172.17.99.1. S1 is given the same default gateway.

S1(config)# ip default-gateway 172.17.99.1
S1(config)# end
S1#

S1# show ip interface brief
Interface     IP-Address      OK? Method Status    Protocol
Vlan99        172.17.99.11    YES manual up        up
Configure Switch Ports

Configure Duplex and Speed

- Duplex and speed settings on most switches are autosensed.
- Manual configuration:
  Switch(config-if)# speed [10 | 100 | 1000 | auto]
  Switch(config-if)# duplex [half | full | auto]
- When troubleshooting switch port issues, the duplex and speed settings should be checked. Mismatched duplex mode and speed settings on switch ports can cause connectivity issues. Auto-negotiation failure creates mismatched settings.
Real World Troubleshooting - Duplex Mismatch

Figure: Switch A (Port 8, full duplex) connects to Switch W (Port 1, half duplex). Switch A leads to the router and the Internet and has switches B, C and D below it; Switch W has switches X, Y and Z below it. Switch A: "I'm full-duplex so I don't see any collisions." Switch W: "I'm half-duplex and I keep seeing collisions."

- The problem is that:
  - Switch A, Port 8 is in full-duplex mode.
  - Switch W, Port 1 is in half-duplex mode.
  - Switch A sends whenever it wants to, without listening first to see if Switch W is sending.

Fix (figure: both ports full duplex, full-duplex transmissions between Port 8 and Port 1):
- Configure Switch W, Port 1 to be in full duplex, the same as Switch A, Port 8.
Configure Duplex and Speed

- It is best practice to manually set the speed/duplex settings when connecting to known devices (i.e., servers, dedicated workstations, or network devices).

S1(config)# interface fastethernet 0/1
S1(config-if)# speed ?
  10    Force 10 Mbps operation
  100   Force 100 Mbps operation
  auto  Enable AUTO speed configuration
S1(config-if)# speed 100
S1(config-if)# duplex ?
  auto  Enable AUTO duplex configuration
  full  Force full duplex operation
  half  Force half-duplex operation
S1(config-if)# duplex full
S1(config-if)# ^Z
S1#

S2(config)# interface fastethernet 0/1
S2(config-if)# speed 100
S2(config-if)# duplex full
S2(config-if)# ^Z
S2#
Auto-MDIX

Figure (cable type by connection): switch-to-switch: crossover; switch-to-router: straight-through; switch-to-host: straight-through; router-to-host: crossover.

- Connections between specific devices, such as switch-to-switch, switch-to-router, switch-to-host, and router-to-host, once required the use of specific cable types (crossover or straight-through).
- Modern Cisco switches support the mdix auto interface configuration command to enable the automatic medium-dependent interface crossover (auto-MDIX) feature.
Configuring MDIX Setting

- mdix auto is an interface configuration command.
- It requires the commands speed auto and duplex auto.

S1(config)# interface fa0/1
S1(config-if)# speed auto
S1(config-if)# duplex auto
S1(config-if)# mdix auto
S1(config-if)#

- Note:
  - The auto-MDIX feature is enabled by default on Catalyst 2960 and Catalyst 3560 switches, but is not available on the older Catalyst 2950 and Catalyst 3550 switches.
  - Don't depend on auto-MDIX; use the correct cable in the lab.

Verify MDIX Setting

S1# show controllers ethernet-controller fa 0/1 phy | include Auto-MDIX
Auto-MDIX : On [AdminState=1 Flags=0x00056248]
S1#
Verifying Switch Port Configuration

Cisco Switch IOS Commands

Display interface status and configuration.     S1# show interfaces [interface-id]
Display current startup configuration.          S1# show startup-config
Display current operating config.               S1# show running-config
Display info about the flash filesystem.        S1# show flash
Display system hardware and software status.    S1# show version
Display history of commands entered.            S1# show history
Display IP information about an interface.      S1# show ip interface [interface-id]
Display the MAC address table.                  S1# show mac-address-table
                                                or S1# show mac address-table
Troubleshooting Access Layer Issues
S1# show interfaces fa 0/1
FastEthernet0/1 is up, line protocol is up (connected)
Hardware is Lance, address is 000d.bda1.5601 (bia 000d.bda1.5601)
BW 100000 Kbit, DLY 1000 usec,
Ifreliability 250/255,
the output is:txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
•up down:
Keepalive set (10 Encapsulation
sec) type mismatch, the interface on the other end
Full-duplex,
could be100Mb/s error-disabled, or there could be a hardware problem.
input flow-control is off, output flow-control is off
•down
ARP down:
type: ARPA, ARP ATimeout
cable 04:00:00
is not attached or some other interface problem exists.
Last input 00:00:08, output 00:00:05, output hang never
•administratively down: The shutdown command has been issued.
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue :0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
956 packets input, 193351 bytes, 0 no buffer
Received 956 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
2357 packets output, 263570 bytes, 0 underruns
0 output errors, 0 collisions, 10 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out 94
S1#
Troubleshooting Access Layer Issues
S1# show interfaces fa 0/1
FastEthernet0/1 is up, line protocol is up (connected)
Hardware is Lance, address is 000d.bda1.5601 (bia 000d.bda1.5601)
BW 100000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s
Runt Framesis off,
input flow-control - Ethernet frames
output flow-control that are shorter than the 64-byte minimum
is off
ARP type: ARPA, ARP Timeout 04:00:00
allowed lengthoutput
Last input 00:00:08, are 00:00:05,
called output
runts. hang never
Last clearing
Giants of "show interface"
- Ethernet frames counters
thatnever
are longer than the maximum allowed length
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
are called
Queueing giants.
strategy: fifo (Bad NIC)
Output queue
CRC errors :0/40- (size/max)
On Ethernet and serial interfaces, CRC errors usually
5 minute input rate 0 bits/sec, 0 packets/sec
indicate a media
5 minute output or cable
rate 0 bits/sec, error.
0 packets/sec
956 packets input, 193351 bytes, 0 no buffer
Received 956 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
2357 packets output, 263570 bytes, 0 underruns
0 output errors, 0 collisions, 10 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out 95
S1#
Troubleshooting Access Layer Issues
S1# show interfaces fa 0/1
FastEthernet0/1 is up, line protocol is up (connected)
Hardware is Lance, address is 000d.bda1.5601 (bia 000d.bda1.5601)
BW 100000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s
input flow-control is off, output flow-control is off
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:08, output 00:00:05, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue :0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
956 packets input, 193351 bytes, 0 no buffer
Received 956 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 watchdog, 0 multicast, 0 pause input
0 input packets with dribble condition detected
2357 packets output, 263570 bytes, 0 underruns
0 output errors, 0 collisions, 10 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
S1#
Collisions – Only part of normal operations if the interface is operating in half duplex – connected to a hub.
Late Collisions – Operating in half duplex and excessive cable length.
Cause – Result of duplex mismatch:
 One side half duplex
 Other side full duplex
96
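The two slides above read counters from show interfaces by eye. Below is an added example (not from the course deck) that pulls the same counters out of the command output with regular expressions and maps them to the causes the slides list: runts and giants to a bad NIC, CRC errors to a media or cable problem, late collisions to a duplex mismatch or excessive cable length, and collisions on a full-duplex port to a likely mismatch on the far side. The sample output is constructed from the slide's format with nonzero counters so every rule fires; the function and field names are this example's own.

```python
"""Parse Cisco IOS 'show interfaces' output and flag the error counters the
slides describe. Added example, not from the slide deck; the sample output is
constructed and deliberately contains errors."""
import re

# Constructed sample in the layout shown on the slide (lines not needed for
# the checks are omitted); counters chosen so that each rule below fires.
SAMPLE_SHOW_INTERFACES = """\
FastEthernet0/1 is up, line protocol is up (connected)
  Hardware is Lance, address is 000d.bda1.5601 (bia 000d.bda1.5601)
  Half-duplex, 100Mb/s
  956 packets input, 193351 bytes, 0 no buffer
  Received 956 broadcasts, 12 runts, 3 giants, 0 throttles
  40 input errors, 25 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  2357 packets output, 263570 bytes, 0 underruns
  0 output errors, 118 collisions, 10 interface resets
  0 babbles, 7 late collision, 0 deferred
"""

# counter name -> pattern capturing the integer that precedes the counter label
COUNTER_PATTERNS = {
    "runts": r"(\d+) runts",
    "giants": r"(\d+) giants",
    "crc": r"(\d+) CRC",
    "input_errors": r"(\d+) input errors",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collision",
}


def parse_show_interfaces(text):
    """Return interface name, link state, duplex and the counters above."""
    fields = {}
    m = re.search(r"^(\S+) is (\S+), line protocol is (\S+)", text, re.M)
    fields["interface"] = m.group(1) if m else None
    fields["status"] = (m.group(2), m.group(3)) if m else None
    m = re.search(r"^\s*(Full|Half)-duplex", text, re.M | re.I)
    fields["duplex"] = m.group(1).lower() if m else None
    for name, pattern in COUNTER_PATTERNS.items():
        m = re.search(pattern, text)
        fields[name] = int(m.group(1)) if m else 0
    return fields


def diagnose(fields):
    """Map nonzero counters to the probable causes given on the slides."""
    findings = []
    if fields["runts"]:
        findings.append("runts: frames shorter than 64 bytes, often a bad NIC")
    if fields["giants"]:
        findings.append("giants: frames longer than the maximum, often a bad NIC")
    if fields["crc"]:
        findings.append("CRC errors: usually a media or cable error")
    if fields["collisions"] and fields["duplex"] == "full":
        # collisions are normal only in half duplex; on a full-duplex port
        # they point at a duplex mismatch with the other end
        findings.append("collisions on a full-duplex port: check for a duplex mismatch")
    if fields["late_collisions"]:
        findings.append("late collisions: duplex mismatch or excessive cable length")
    return findings


if __name__ == "__main__":
    parsed = parse_show_interfaces(SAMPLE_SHOW_INTERFACES)
    print(parsed["interface"], parsed["duplex"])
    for line in diagnose(parsed):
        print(" -", line)
```

The same parser can be run over the output of several interfaces collected from a switch; only the counter labels of show interfaces are relied on, not the column positions.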
Secure Remote Access
Wireshark Telnet Capture
98
Plaintext Username and Password Captured
99
Wireshark SSH Capture
100
Username and Password Encrypted
101
Secure Remote Access Using SSH
 Secure Shell (SSH) is a protocol that provides a secure (encrypted) command-line based connection to a remote device.
 SSH is commonly used in UNIX/Linux-based systems.
 The IOS software also supports SSH.
 Because of its strong encryption features, SSH should replace Telnet for management connections.
 Note:
 By default, SSH uses TCP port 22 and Telnet uses TCP port 23.
102
Secure Remote Access Using SSH
S1# show version
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M),
Version 15.0(2)SE, RELEASE SOFTWARE (fc1)
<output omitted>
 Not all IOS versions support SSH.
 A version of the IOS software that includes cryptographic (encryption) features and capabilities is required to enable SSH on Catalyst 2960 switches.
 Use the show version command to verify the IOS version.
 “K9” in the image name indicates that the version supports SSH.
 Verify SSH support using the show ip ssh command.
 The command is unrecognized if SSH is not supported.
103
Configuring SSH
1. Configure the IP domain using the ip domain-name domain-name global config command. (The domain name and hostname are the parameters used to name the key. There are other ways to do it.)
S1(config)# ip domain-name cisco.com
S1(config)# crypto key generate rsa
The name for the keys will be: S1.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

*Mar 1 2:59:12.78: %SSH-5-ENABLED: SSH 1.99 has been enabled

S1(config)# username admin secret class
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exit
S1(config)# ip ssh version 2
S1(config)#
106
Configuring SSH
S1(config)# ip domain-name cisco.com
S1(config)# crypto key generate rsa
The name for the keys will be: S1.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

*Mar 1 2:59:12.78: %SSH-5-ENABLED: SSH 1.99 has been enabled

S1(config)# username admin secret class
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exit
S1(config)# ip ssh version 2
S1(config)#
2. Generate RSA key pairs using the crypto key generate rsa global configuration mode command.
 Cisco recommends a minimum modulus size of 1,024 bits.
 A longer modulus length is more secure, but it takes longer to generate and to use.
 Generating an RSA key pair automatically enables SSH.
107
Configuring SSH
S1(config)# ip domain-name cisco.com
S1(config)# crypto key generate rsa
The name for the keys will be: S1.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

*Mar 1 2:59:12.78: %SSH-5-ENABLED: SSH 1.99 has been enabled

S1(config)# username admin secret class
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exit
S1(config)# ip ssh version 2
S1(config)#
3. Configure user authentication using the username global configuration mode command.
108
Configuring SSH
S1(config)# ip domain-name cisco.com
S1(config)# crypto key generate rsa
The name for the keys will be: S1.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]: 1024

% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

*Mar 1 2:59:12.78: %SSH-5-ENABLED: SSH 1.99 has been enabled

S1(config)# username admin secret class
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exit
S1(config)# ip ssh version 2
S1(config)#
4. Configure the vty lines.
 Enable local login using the login local line configuration mode command to require local authentication for SSH connections from the local username database.
 Enable SSH using the transport input ssh line configuration mode command.
109
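The four steps above are easy to get half right: the key is generated but a vty line still accepts Telnet, or SSH version 2 is never forced. The following added example (not from the course deck) audits a saved running configuration against those steps with plain text matching: domain name present, a local username with a secret, ip ssh version 2 set, and every line vty stanza carrying both login local and transport input ssh only. It also checks the image name for the K9 marker the slides mention. The configuration text is constructed for the example (its second vty range is deliberately left accepting Telnet); the checks are heuristics over config text, not the switch's own show ip ssh verification.

```python
"""Audit an IOS running configuration for the SSH hardening steps described
on the slides. Added example, not from the slide deck; SAMPLE_CONFIG is a
constructed configuration with one intentional weakness."""
import re

# Constructed sample: vty 0-4 is correct, vty 5-15 still allows telnet.
SAMPLE_CONFIG = """\
version 15.0
hostname S1
ip domain-name cisco.com
username admin secret 5 $1$constructed$placeholderhash
ip ssh version 2
line con 0
 login
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input telnet ssh
end
"""


def vty_sections(config):
    """Return [(range_name, [indented body lines])] for every 'line vty' stanza."""
    sections = []
    current, body = None, []
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            if current is not None:
                sections.append((current, body))
            current, body = raw[len("line "):], []
        elif current is not None and raw.startswith(" "):
            body.append(raw.strip())
        elif current is not None:
            # any other top-level command ends the stanza
            sections.append((current, body))
            current, body = None, []
    if current is not None:
        sections.append((current, body))
    return sections


def audit_ssh(config, image_name=None):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    if image_name and "K9" not in image_name:
        findings.append("image name lacks K9: cryptographic feature set not present")
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("step 1: ip domain-name missing (RSA key cannot be named)")
    if not re.search(r"^username \S+ secret ", config, re.M):
        findings.append("step 3: no local username configured with secret")
    if not re.search(r"^ip ssh version 2$", config, re.M):
        findings.append("ip ssh version 2 not set (SSH version 1 would be accepted)")
    for rng, body in vty_sections(config):
        if "login local" not in body:
            findings.append(f"step 4: {rng} lacks login local")
        transport = [line for line in body if line.startswith("transport input")]
        # the default transport accepts all protocols, so 'missing' is also a finding
        if not transport or transport[0] != "transport input ssh":
            shown = transport[0] if transport else "default transport"
            findings.append(f"step 4: {rng} allows non-SSH access ({shown})")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh(SAMPLE_CONFIG, image_name="C2960-LANBASEK9-M"):
        print(finding)
```

Run it against the output of show running-config captured from each switch; the image name comes from show version, as on the slide.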
Verifying SSH Operation
110
111
112
Security Concerns in LANs
Switch Vulnerabilities
 Switches are vulnerable to a variety of attacks including:
 Password attacks
 DoS attacks
 CDP attacks
 MAC address flooding
 DHCP attacks
 To mitigate against these attacks:
 Disable unused ports
 Disable CDP
 Configure Port Security
 Configure DHCP snooping
114
Disable Unused Ports and Assign to an Unused (Garbage) VLAN
S1(config)# int range fa0/20 - 24
S1(config-if-range)# switchport access vlan 100
S1(config-if-range)# shutdown
%LINK-5-CHANGED: Interface FastEthernet0/20, changed state
to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/21, changed state
to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/22, changed state
to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/23, changed state
to administratively down
%LINK-5-CHANGED: Interface FastEthernet0/24, changed state
to administratively down
S1(config-if-range)#
116
Leveraging the Cisco Discovery Protocol
 The Cisco Discovery Protocol is a Layer 2 Cisco proprietary protocol used to discover other directly connected Cisco devices.
 It is designed to allow the devices to autoconfigure their connections.
 If an attacker is listening to Cisco Discovery Protocol messages, it could learn important information, such as the device model or the running software version.
117
Leveraging the Cisco Discovery Protocol
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE,
RELEASE SOFTWARE (fc1)…
Cisco recommends disabling CDP when it is not in use.
118
Disabling CDP
S1(config)# no cdp run
S1(config)#

S1(config)# interface range fa0/1 - 24
S1(config-if-range)# no cdp enable
S1(config-if-range)# exit
S1(config)#
119
Unicast Flooding
Mac Address Table
1. Learn – Examine Source MAC address
   In table: Reset 5 min timer
   Not in table: Add Source MAC address and port # to table
2. Forward – Examine Destination MAC address
   In table: Forward out that port.
   Not in table: Flood out all ports except incoming port.
(Diagram: host AAAA on port 1 and host BBBB on port 2. A unicast frame from AAAA to BBBB arrives while BBBB is not in the table, so it is an unknown unicast and is flooded out every port except port 1.)
123
MAC Flood Attack
 If the attack is launched before the beginning of the day, the CAM table would be full as the majority of devices are powered on.
 If the initial, malicious flood of invalid CAM table entries is a one-time event:
 Can generate 155,000 MAC entries per minute
 “Typical” switch can store 4,000 to 8,000 MAC entries
 Eventually, the switch will age out older, invalid CAM table entries
 New, legitimate devices will be able to create an entry in the CAM
 Traffic flooding will cease
 Intruder may never be detected (network seems normal).
124
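To make the learn/forward rules and the table-full behaviour concrete, here is an added example (not from the course deck) that models a switch CAM table with a fixed capacity and the 5-minute aging timer from the slide. It walks through the sequence the slide describes: normal learning, a burst of bogus source addresses filling the table, a legitimate host that can no longer be learned and whose traffic is therefore flooded to every port, and the recovery once the bogus entries age out. The port numbers, capacity of four entries and MAC names (AAAA, BBBB, CCCC, BAD00 and so on) are constructed values.

```python
"""Toy model of a switch MAC address (CAM) table showing unknown-unicast
flooding and the effect of a full table. Added example, not from the slide
deck; capacity, timestamps and MAC names are constructed."""

AGING_SECONDS = 300  # the 5-minute timer on the slide


class CamTable:
    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = {}  # mac -> (port, last_seen)

    def age_out(self, now):
        """Remove entries whose timer expired (seeing the source again resets it)."""
        expired = [m for m, (_, seen) in self.entries.items() if now - seen >= AGING_SECONDS]
        for mac in expired:
            del self.entries[mac]

    def learn(self, src_mac, port, now):
        """Step 1 on the slide: examine the source MAC address."""
        if src_mac in self.entries:
            self.entries[src_mac] = (port, now)  # in table: reset timer
        elif len(self.entries) < self.capacity:
            self.entries[src_mac] = (port, now)  # not in table: add it
        # table full: nothing is learned, which is what a MAC flood exploits

    def forward(self, dst_mac, in_port, ports):
        """Step 2 on the slide: return the set of egress ports."""
        if dst_mac in self.entries:
            return {self.entries[dst_mac][0]}
        return set(ports) - {in_port}  # unknown unicast: flood


class Switch:
    def __init__(self, ports, capacity):
        self.ports = list(ports)
        self.cam = CamTable(capacity)

    def receive(self, frame, now):
        """frame = (src_mac, dst_mac, in_port); returns the egress port set."""
        src, dst, in_port = frame
        self.cam.age_out(now)
        self.cam.learn(src, in_port, now)
        return self.cam.forward(dst, in_port, self.ports)


def demo():
    """Replay the scenario from the slide and return what each frame did."""
    sw = Switch(ports=[1, 2, 3], capacity=4)
    result = {}
    # normal operation: AAAA (port 1) and BBBB (port 2) learn each other
    sw.receive(("AAAA", "BBBB", 1), now=0)                      # flooded, AAAA learned
    result["before"] = sw.receive(("BBBB", "AAAA", 2), now=1)   # {1}: known unicast
    # attacker on port 3 sends frames with bogus source addresses until the table is full
    for i in range(10):
        sw.receive((f"BAD{i:02d}", "FFFF", 3), now=2)
    # a new legitimate host CCCC on port 1 cannot be learned (table full) ...
    result["table_full"] = sw.receive(("CCCC", "BBBB", 1), now=3)  # {2}: BBBB still known
    # ... so replies to it are flooded to every other port, including the attacker's
    result["during"] = sw.receive(("BBBB", "CCCC", 2), now=4)      # {1, 3}
    # after the aging timer expires the bogus entries are gone and CCCC is learned
    sw.receive(("CCCC", "BBBB", 1), now=400)
    result["after"] = sw.receive(("BBBB", "CCCC", 2), now=401)     # {1}: flooding ceased
    result["entries"] = sorted(sw.cam.entries)
    return result


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step}: {value}")
```

The "during" step is the detection opportunity: a sudden rise in unknown-unicast flooding, or a MAC table that reports itself full on an access switch, is the observable symptom of this attack; port security, covered later in the deck, prevents the table from being filled from a single port in the first place.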
Unicast Flooding
Mac Address Table
1. Learn – Examine Source MAC address
   In table: Reset 5 min timer
   Not in table: Add Source MAC address and port # to table
2. Forward – Examine Destination MAC address
   In table: Forward out that port.
   Not in table: Flood out all ports except incoming port.
(Diagram: host AAAA on port 1 and host BBBB on port 2. A unicast frame from AAAA to BBBB arrives while BBBB is not in the table or the table is full, so it is treated as an unknown unicast and is flooded out every port except port 1.)
125
Configure Port Security
 Port security allows an administrator to limit the number of MAC addresses learned on a port.
 If this is exceeded, a switch action can be configured.
 Configure each access port to accept 1 MAC address only or a small group of MAC addresses.
 Frames from any other MAC addresses are not forwarded.
 By default, the port will shut down if the wrong device connects.
 It has to be brought up again manually.
126
Configuring Port Security
 Use the switchport port-security interface command to enable port security on a port.
Switch(config-if)#
switchport port-security [max value] [violation {protect |
restrict | shutdown}] [mac-address mac-address [sticky]]
[aging time value]
 It is used to:
 Set a maximum number of MAC addresses.
 Define violation actions.
 MAC address(es) can be learned dynamically, entered manually, or learned and retained dynamically.
 Set the aging time for dynamic and static secure address entries.
 To verify port security status: show port-security
127
Port Security: Secure MAC Addresses
 The switch supports these types of secure MAC addresses:
 Static
 Configured using switchport port-security mac-address
mac-address
 Stored in the address table
 Added to running configuration.
 Dynamic
 These are dynamically configured
 Stored only in the address table
 Removed when the switch restarts
 Sticky
 These are dynamically configured
 Stored in the address table
 Added to the running configuration.
 If running-config saved to startup-config, when the switch restarts, the
interface does not need to dynamically reconfigure them.
 Note: When you enter the sticky command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. The interface adds all the sticky secure MAC addresses to the running configuration.
128
Port Security: Steps
129
Port Security Defaults
Feature                             Default setting
Port Security                       Disabled on a port
Maximum # of Secure MAC Addresses   1
Violation                           Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded, and an SNMP trap notification is sent.
Sticky Address Learning             Disabled

 Secure MAC addresses can be configured as follows:
 Dynamically (learned but not retained after a reboot)
 Statically (prone to errors)
 Sticky (learned dynamically and retained)
130
Dynamic Secure MAC address
 Learned dynamically
 S1(config-if)# switchport mode access
 S1(config-if)# switchport port-security
 By default, only 1 address is learned.
 Put in MAC address table
 Not shown in running configuration
 It is not saved or in the configuration when the switch restarts.
131
Static Secure MAC address
 Static secure MAC address is manually configured in interface config mode
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security mac-address 000c.7259.0a63
 MAC address is stored in MAC address table
 Shows in the running configuration
 Can be saved with the configuration.
132
Sticky Secure MAC address
 Dynamically learned and can be retained.
 S1(config-if)# switchport mode access
 S1(config-if)# switchport port-security mac-address sticky
 You can choose how many can be learned (default 1).
 Added to the running configuration
 Saved only if you save the running configuration.
 Note:
 When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.
 The interface adds all the sticky secure MAC addresses to the running configuration.
133
interface FastEthernet0/2
switchport mode access
 Sets the interface mode as access; an interface in the default mode (dynamic desirable) cannot be configured as a secure port.
switchport port-security
 Enables port security on the interface.
switchport port-security maximum 6
 (Optional) Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 132; the default is 1.
switchport port-security aging time 5
 Learned addresses are not aged out by default but can be with this command. Value from 1 to 1024 in minutes.
switchport port-security mac-address 0000.0000.000b
 (Optional) Enter a static secure MAC address for the interface, repeating the command as many times as necessary. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
switchport port-security mac-address sticky
 (Optional) Enable sticky learning on the interface.
switchport port-security violation shutdown
 (Optional) Set the violation mode, the action to be taken when a security violation is detected. (Next)
NOTE: The switchport host command will disable channeling and enable access mode and portfast:
Switch(config-if)# switchport host
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled
134
Port Security: Static Addresses
Switch(config)# interface fa 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 3
Switch(config-if)# switchport port-security mac-address 0000.0000.000a
Switch(config-if)# switchport port-security mac-address 0000.0000.000b
Switch(config-if)# switchport port-security mac-address 0000.0000.000c
 Restricts input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port.
 The port does not forward packets with source addresses outside the group of defined addresses.
137
Port Security: Violation
 If a station attempting to access the port has a MAC address different from any of the identified secure MAC addresses, a security violation occurs.
138
Port Security: Violation
Switch(config-if)# switchport port-security violation
{protect | restrict | shutdown}
 By default, if the maximum number of connections is achieved and a new MAC address attempts to access the port, the switch must take one of the following actions:
 Protect: Frames from the nonallowed address are dropped, but there is no log of the violation.
 Restrict: Frames from the nonallowed address are dropped, a log message is created and a Simple Network Management Protocol (SNMP) trap is sent.
 Shut down: If any frames are seen from a nonallowed address, the interface is errdisabled, a log entry is made, an SNMP trap is sent and manual intervention (no shutdown) or errdisable recovery must be used to make the interface usable.
139
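The port-security slides above (the defaults table, the static/dynamic/sticky address types and the three violation modes) describe one per-frame decision. The added example below (not from the course deck) models that decision for a single access port: the configured maximum, how an unknown source is learned as dynamic or sticky until the maximum is reached, what each violation mode does with the next unknown source (protect drops silently; restrict drops, logs and counts a trap; shutdown also errdisables the port so even the allowed host is cut off), and which address types end up in the running configuration. The interface names, MAC addresses and the log message text are constructed for this example.

```python
"""Per-port model of Cisco-style port security. Added example, not from the
slide deck; interface names, MAC addresses and log text are constructed."""


class SecurePort:
    # defaults follow the slide's table: maximum 1, violation shutdown, sticky off
    def __init__(self, name, maximum=1, violation="shutdown", sticky=False):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation must be protect, restrict or shutdown")
        self.name = name
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.secure = {}          # mac -> "static" | "dynamic" | "sticky"
        self.err_disabled = False
        self.log = []             # log messages a switch would emit (constructed text)
        self.traps = 0            # SNMP traps that would have been sent

    def add_static(self, mac):
        """switchport port-security mac-address <mac>"""
        if len(self.secure) >= self.maximum:
            raise ValueError("maximum secure addresses already configured")
        self.secure[mac] = "static"

    def ingress(self, src_mac):
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        if self.err_disabled:
            return "drop"                       # port is down until no shutdown / recovery
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        return self._violation(src_mac)

    def _violation(self, src_mac):
        if self.violation == "protect":
            return "drop"                       # dropped, nothing logged
        self.log.append(f"port-security violation: {src_mac} on {self.name}")
        self.traps += 1
        if self.violation == "shutdown":
            self.err_disabled = True            # errdisabled; needs manual intervention
        return "drop"

    def running_config(self):
        """Only static and sticky addresses appear in the running configuration."""
        lines = [f"interface {self.name}",
                 " switchport mode access",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac, kind in self.secure.items():
            if kind == "static":
                lines.append(f" switchport port-security mac-address {mac}")
            elif kind == "sticky":
                lines.append(f" switchport port-security mac-address sticky {mac}")
        return "\n".join(lines)


def demo():
    """Exercise each violation mode and the sticky/dynamic config difference."""
    out = {}
    p = SecurePort("Fa0/1", maximum=2, violation="protect")
    out["protect"] = ([p.ingress(m) for m in ("0000.0000.000a", "0000.0000.000b",
                                              "0000.0000.000c")], len(p.log))
    r = SecurePort("Fa0/2", maximum=1, violation="restrict")
    out["restrict"] = ([r.ingress(m) for m in ("0000.0000.000a", "0000.0000.000c",
                                               "0000.0000.000a")], len(r.log), r.err_disabled)
    s = SecurePort("Fa0/3")                     # defaults: maximum 1, shutdown
    s.add_static("0000.0000.000a")
    out["shutdown"] = ([s.ingress(m) for m in ("0000.0000.000a", "0000.0000.000c",
                                               "0000.0000.000a")], s.traps, s.err_disabled)
    d = SecurePort("Fa0/4", maximum=1)
    d.ingress("0000.0000.000b")                 # dynamic: learned, not in config
    k = SecurePort("Fa0/5", maximum=1, sticky=True)
    k.ingress("0000.0000.000b")                 # sticky: learned and written to config
    out["dynamic_in_config"] = "0000.0000.000b" in d.running_config()
    out["sticky_in_config"] = "mac-address sticky 0000.0000.000b" in k.running_config()
    return out


if __name__ == "__main__":
    for mode, value in demo().items():
        print(mode, value)
```

Note the trade-off the model makes visible: protect gives no telemetry at all, restrict keeps the port up and produces a log line and trap, and shutdown (the default) is the most visible but also turns a stray device into an outage for the legitimate host on that port.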
DHCP Attacks
 DHCP is a network protocol used to automatically assign IP information.
 Two types of DHCP attacks are:
 DHCP spoofing: A fake DHCP server is placed in the network to issue DHCP addresses to clients.
 DHCP starvation: DHCP starvation is often used before a DHCP spoofing attack to deny service to the legitimate DHCP server.
140
DHCP Review
141
DHCP Spoof Attacks
Client: “I need an IP address/mask, default gateway, and DNS server.”
Rogue DHCP server: “Here you go, I might be first!”
Client: “Got it, thanks!”
Legitimate DHCP server: “Here you go.”
Client: “Already got the info.”
Rogue DHCP server: “I can now forward these on to my leader.”
All default gateway frames and DNS requests are sent to the Rogue.
142
Solution: Configure DHCP Snooping
 DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests.
 Ports are identified as trusted and untrusted.
 Trusted ports: Host a DHCP server or can be an uplink toward the DHCP server and can source all DHCP messages, including DHCP offer and DHCP acknowledgement packets
 Untrusted ports: Can source requests only.
143
DHCP Snooping
By default all interfaces are untrusted.
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10,20
S1(config)# interface gig 0/1
S1(config-if)# ip dhcp snooping trust
S1(config)# interface fa 0/0
S1(config-if)# ip dhcp snooping limit rate 100
(Diagram: S1 with Gig0/1 as the trusted uplink toward the DHCP server and Fa0/0 as an untrusted, rate-limited access port.)
144
DHCP Snooping
Client: “I need an IP address/mask, default gateway, and DNS server.”
Rogue DHCP server: “Here you go, I might be first!”
Switch: “This is an untrusted port, I will block this DHCP Offer.”
Legitimate DHCP server: “Here you go.”
Switch: “This is a trusted port, I will allow this DHCP Offer.”
Client: “Thanks, got it.”
145
Network Time Protocol (NTP)
 Having the correct time within networks is important.
 Network Time Protocol (NTP) is a protocol that is used to synchronize the clocks of computer systems over the network.
 NTP allows network devices to synchronize their time settings with an NTP server.
 Some administrators prefer to maintain their own time source for increased security.
 However, public time sources are available on the Internet for general use.
 A network device can be configured as either an NTP server or an NTP client.
146
Network Time Protocol (NTP) (cont.)
 R2 is configured as an NTP client, receiving time updates from the server, R1.
147
2.2.4.11 Demo and Homework
148
149
Managing Switch Configurations
TO CLEAR A SWITCH
 ALWAYS DO THE FOLLOWING TO CLEAR A SWITCH!!
S1# delete vlan.dat
Delete filename [vlan.dat]?
Delete flash:/vlan.dat? [confirm]

S1# erase startup-config
Erasing the nvram filesystem will remove all configuration files!
Continue? [confirm]
[OK]
Erase of nvram: complete
%SYS-7-NV_BLOCK_INIT: Initialized the geometry of nvram
S1# reload
Proceed with reload? [confirm]
156