
Welcome to CAVI, the Cisco Academy for the Vision Impaired.



RoutingAndSwitchingEssentials

Chapter 1: Introduction to Switched Networks

1.0 Introduction

1.0.1 Introduction

1.0.1.1 Introduction

(image1): Lists some points about the learning outcome of this chapter.

• Describe convergence of data, voice, and video in the context of switched networks.

• Describe a switched network in a small to medium-sized business.

• Explain the process of frame forwarding in a switched network.

• Compare a collision domain to a broadcast domain.

1.0.1.2 Sent or Received Instructions

(image1): Functions that are provided by switches:

• Quality of service

• Voice and video data transfer

• Security

1.1 LAN Design

1.1.1 Converged Networks

1.1.1.1 Growing Complexity of Networks

(image1): Adequately described in the written information. (image2): Adequately described in the written information. (image3): Adequately described in the written information.

1.1.1.2 Elements of a Converged Network

(image1): Shows different traffic types (data, voice, video) passing through the same network. (image2): A video showing a typical work day transformed by people-centric collaboration. It shows how people in different states or countries work together on the same resources, and how daily business runs across locations through voice calls, video calls and online team meetings. Combining data and video, people can communicate anywhere, at any time and on any device, securely, bringing in new ideas and expert opinion to reach a solution together.

1.1.1.3 Borderless Switched Networks

(image1): Illustrates a borderless switched network made up of large, medium and small campus networks. All three networks have a Data Center and a Services Block, and they are connected through the WAN and the PSTN. The large campus network has a separate Internet Edge connected to the Internet cloud. (image2): YouTube link: https://www.youtube.com/watch?v=lCg2HctgvJE#t=18

1.1.1.4 Hierarchy in the Borderless Switched Networks

(image1): Three-Tier LAN design and Two-Tier LAN design. Three-Tier LAN design has three layers – Core, Distribution and Access. Two-Tier LAN design has two layers – Collapsed Core or Distribution and Access.

1.1.1.5 Core Distribution Access

(image1): Shows a three-tier campus network design where the access, distribution, and core are each separate layers for every faculty in different buildings. It is an extended-star physical network topology from a centralized building location to all other buildings on the same campus.

 (image2): Shows a two-tier campus network design where the distribution and core layers are collapsed into a single layer. And every faculty in the different floors of the same building is connected with the collapsed distribution/core layer through an access switch. The distribution/core layer is connected with a PSTN and WAN.

1.1.1.6 Activity - Identify Switched Network Terminology

(image1): Shows an activity to match the hierarchical switch characteristics to their term. The table below has five columns: the first lists the switch characteristics and the next four are for matching the terms hierarchical, modularity, resiliency and flexibility.

| Switch Characteristic | Hierarchical | Modularity | Resiliency | Flexibility |
| Provides a way for the network to always be accessible. | | | | |
| Allows networks to expand and provide on-demand services. | | | | |
| Helps for every device on every tier to employ a specific role. | | | | |
| Uses all network resources available to provide data traffic load sharing. | | | | |

(image2): Shows an activity to identify the hierarchical switched network platform. The table below has four columns: the first lists the tasks of each switch platform and the next three are for matching the tasks with the access, distribution and core layers.

| Task | Access Layer | Distribution Layer | Core Layer |
| Provides direct, switched network connectivity to the user. | | | |
| Includes redundancy as an important feature for switched network access. | | | |
| Allows data to flow on equal-cost switching paths to the backbone. | | | |
| Provides fault isolation and high-speed backbone switch connectivity. | | | |
| Helps applications to operate on the switched network more safely and securely. | | | |
| The network backbone area for switching. | | | |
| Interfaces with the backbone and users to provide intelligent switching, routing and security. | | | |
| Can be combined with the distribution layer to provide for a collapsed design. | | | |
| Supports layer 2 broadcast domains and layer 3 routing boundaries. | | | |

1.1.2 Switched Networks

1.1.2.1 Role of Switched Networks

(image1): Shows switched LANs in a hierarchical network. PCs, IP phones and printers are connected to access-layer switches; the access switches connect to distribution-layer switches, and the distribution switches connect to core switches. The core switches are connected to each other, and one router is connected to each core switch.

(image2): Illustrates a borderless switched network comprised of large, medium and small campus networks. All the three networks have a Data Center and Services Block. And they are connected through WAN and PSTN. The large campus network has a separate Internet Edge connected to internet cloud.

1.1.2.2 Form Factors

(image1): Lists some common business considerations when selecting switch equipment.

• Cost - The cost of a switch will depend on the number and speed of the interfaces, supported features, and expansion capability.

• Port Density - Network switches must support the appropriate number of devices on the network.

• Power - It is now common to power access points, IP phones, and even compact switches using Power over Ethernet (PoE). In addition to PoE considerations, some chassis-based switches support redundant power supplies.

• Reliability - The switch should provide continuous access to the network.

• Port Speed - The speed of the network connection is of primary concern to end users.

• Frame Buffers - The ability of the switch to store frames is important in a network where there may be congested ports to servers or other areas of the network.

• Scalability - The number of users on a network typically grows over time; therefore, the switch should provide the opportunity for growth.

(image2): Shows an image of fixed configuration switches. Features and options of fixed configuration switches are limited to those that originally come with the switch.

(image3): Shows an image of modular configuration switches. The chassis of this type of switches accepts line cards that contain the ports.

(image4): Shows an image of stackable configuration switches. Stackable switches are connected by a special cable and effectively operate as one large switch.

1.1.2.3 Activity-Identify Switch Hardware

(image1): Shows an activity to match switch category names with the switch selection criteria. Activity – Choose the switch category from the list and match in the table below with the selection criteria. The list for switch category is given below the table.

| Category Name | Switch Selection Criteria |
| | Affected by the number of network devices to support |
| | Redundancy through PoE |
| | How fast the interfaces will process network data |
| | Continuous access to the network |
| | Affected by the number of interfaces, features and expandability |
| | The capacity to store frames in the cache |
| | Ability to adjust to growth of network users |
| | Switches with adjustable switching line/port cards |
| | Switches with pre-set features or options |
| | Daisy-chain switches with high-bandwidth throughput |

List of Switch Categories:

1. Stackable

2. Price

3. Power

4. Modular

5. Reliability

6. Port Speed

7. Scalability

8. Frame Buffers

9. Port Density

10. Fixed Configuration

1.2 The Switched Environment

1.2.1 Frame Forwarding

1.2.1.1 Switching as a General Concept in Networking and Telecommunications

(image1): Adequately described in the written information.

1.2.1.2 Dynamically Populating a Switch MAC Address Table

(image): Shows the process of building the MAC address table using six figures. The network topology is built with three PCs and a switch. All the PCs are connected with the switch. PC1 is connected with port 1 of the switch; PC2 is connected with port 2 of the switch and PC3 is connected with port 3 of the switch. The process of switching frames and building MAC address table is adequately described in the written information.

1.2.1.3 Switch Forwarding Methods

(image1): Shows store-and-forward switching. The topology includes two PCs, one server and a switch; the PCs and the server are connected to three different switch ports. One PC is the source and the other is the destination. The store-and-forward switch receives the entire frame (destination address, source address, data and CRC) from the source PC and computes the CRC. If the CRC is valid, the switch looks up the destination address, which determines the outgoing interface, and the frame is then forwarded out the correct port.

(image2): Shows cut-through switching, with the same topology of two PCs, one server and a switch connected through three different ports, one PC being the source and the other the destination. The cut-through switch forwards the frame before it has been entirely received: it reads the destination address of the frame and forwards it to the desired port.

1.2.1.4 Store-and-Forwarding Switching

(image1): Shows a frame divided into five parts: Frame Header, Network Header, Transport Header, Data and Frame Check Sequence (FCS). The Frame Header is 22 bytes, made up of the Preamble (8 bytes), Destination MAC Address (6 bytes), Source MAC Address (6 bytes) and Type (2 bytes). The FCS checksum (CRC) is 4 bytes. It is given that store-and-forward switching entails receipt of the entire frame (up to about 9,200 bytes for jumbo frames) before a forwarding decision is made.

1.2.1.5 Cut-Through Switching

(image1): Shows a frame is divided into five parts i.e. Frame Header, Network Header, Transport Header, Data and frame-check-sequence (FCS). The Frame Header is 22 Bytes which contains Preamble which is 8 Bytes, Destination MAC Address which is 6 Bytes, Source MAC Address which is 6 Bytes and Type which is 2 Bytes. The FCS Checksum (CRC) is of 4 Bytes. It is given that frames can begin to be forwarded as soon as the Destination MAC Address is received.

1.2.1.6 Activity - Frame Forwarding Method

(image1): Activity – Descriptions of switch frame forwarding methods are provided in the table. Tick the Store-and-Forward or Cut-Through field to match each description to its method.

| Description | Store-and-Forward | Cut-Through |
| Buffers frames until the full frame has been received by the switch | | |
| Checks the frame for errors before releasing it out of its switch ports; if the full frame was not received, the switch discards it | | |
| No error checking on frames is performed by the switch before releasing the frame out of its ports | | |
| A great method to use to conserve bandwidth on your network | | |
| The destination Network Interface Card (NIC) discards any incomplete frames using this frame forwarding method | | |
| The faster switching method, but may produce more errors in data integrity; therefore, more bandwidth may be consumed | | |
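The difference between the two methods is easiest to see on a real frame. The following program is an added example (not code from the Cisco curriculum): it builds an Ethernet frame with a valid FCS, flips one payload bit, and runs both forwarding decisions over it. The MAC addresses, the port names and the MAC table are constructed for the example.

```python
"""Store-and-forward versus cut-through forwarding of one Ethernet frame.

Added example for the forwarding-method sections above; it is not part of
the Cisco curriculum. A frame is built with a valid FCS, then one payload
bit is flipped, to show that only a store-and-forward switch notices: the
cut-through switch has already chosen the egress port after reading the
6-byte destination MAC and never looks at the FCS.
"""
import struct
import zlib

BROADCAST = bytes.fromhex("ffffffffffff")
MIN_FRAME = 64      # bytes including FCS; anything shorter is a runt
MAX_FRAME = 1518    # bytes including FCS; anything longer (non-jumbo) is a giant


def fcs(frame_without_fcs: bytes) -> bytes:
    """IEEE 802.3 FCS: CRC-32 over dst..payload, sent least significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """dst | src | type | payload padded to 46 bytes | FCS (preamble not shown)."""
    body = dst + src + struct.pack("!H", ethertype) + payload.ljust(46, b"\x00")
    return body + fcs(body)


def fcs_ok(frame: bytes) -> bool:
    return fcs(frame[:-4]) == frame[-4:]


def lookup(mac_table: dict, dst: bytes) -> str:
    """Egress port for dst, or 'flood' for broadcast / unknown unicast."""
    if dst == BROADCAST or dst not in mac_table:
        return "flood"
    return mac_table[dst]


def store_and_forward(frame: bytes, mac_table: dict) -> str:
    """Buffer the whole frame, check length and FCS, only then decide."""
    if not MIN_FRAME <= len(frame) <= MAX_FRAME:
        return "drop: runt/giant"
    if not fcs_ok(frame):
        return "drop: bad FCS"
    return lookup(mac_table, frame[0:6])


def cut_through(frame: bytes, mac_table: dict) -> str:
    """Decide as soon as the destination MAC (first 6 bytes) has arrived."""
    return lookup(mac_table, frame[0:6])   # the FCS is never checked here


# Constructed sample: the PC MACs used in the port-security figures of chapter 2.
PC_A = bytes.fromhex("002583e64b01")
SERVER = bytes.fromhex("002583e64b02")
TABLE = {PC_A: "Fa0/18", SERVER: "Fa0/19"}

GOOD = build_frame(SERVER, PC_A, 0x0800, b"hello")
_damaged = bytearray(GOOD)
_damaged[20] ^= 0x01          # one flipped payload bit, as line noise would cause
BAD = bytes(_damaged)

if __name__ == "__main__":
    print("intact frame :", store_and_forward(GOOD, TABLE), "/", cut_through(GOOD, TABLE))
    print("damaged frame:", store_and_forward(BAD, TABLE), "/", cut_through(BAD, TABLE))
```

With the damaged frame, cut-through still delivers it to Fa0/19, where the destination NIC computes the FCS itself and discards it, which is the bandwidth cost the activity table refers to. Store-and-forward drops it at the switch and would count it as a CRC input error on the ingress interface.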

1.2.1.7 Activity – Switch it!

(image1): Activity – Determine how the switch forwards a frame based on the source and destination MAC addresses and the information in the switch MAC table. The image shows a switch with twelve ports, Fa1 to Fa12. Fa1 is connected to PC 0A, Fa3 to PC 0B, Fa5 to PC 0C, Fa7 to PC 0D, and Fa9 to a hub, which is connected to two PCs, 0E and 0F. The frame has six fields: Preamble, Destination MAC, Source MAC, Length/Type, Encapsulated Data and End of Frame. Only the Destination MAC and Source MAC fields carry information: the Destination MAC is 0C and the Source MAC is 0A. The MAC table has twelve entries, one per switch port; because port Fa9 is connected to a hub with two PCs, its entry has two slots. The table shows 0A on Fa1, 0D on Fa7 and 0F in the second slot of Fa9. The frame and the MAC table are given below:

Frame:

| Preamble | Destination MAC | Source MAC | Length/Type | Encapsulated Data | End of Frame |
| | 0C | 0A | | | |

MAC Table:

| Fa1 | Fa2 | Fa3 | Fa4 | Fa5 | Fa6 | Fa7 | Fa8 | Fa9 | Fa10 | Fa11 | Fa12 |
| 0A | | | | | | 0D | | ___ / 0F | | | |

There are two questions given:

Question 1: Where will the switch forward the frame?

Question 2: When the switch forwards the frame, which statement(s) are true?

Options given are below:

• Switch adds the source MAC address to the MAC table.

• Frame is a broadcast frame and will be forwarded to all ports.

• Frame is a unicast frame and will be sent to specific port only.

• Frame is a unicast frame and will be flooded to all ports.

• Frame is a unicast frame but it will be dropped at the switch.

The information given for both frame and MAC table can be manipulated according to the image given to create new problems for more practice.
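The activity can be worked through mechanically. The following program is an added example (not code from the Cisco curriculum) that models the MAC address table of the twelve-port switch above, pre-filled as in the figure, and applies the learning and forwarding rules to the activity frame and to a reply. The table is given a capacity so that the example also shows, as a generalisation, why the MAC flooding attack described in chapter 2 works: once the table is full, the switch can learn nothing new and floods unicast traffic like a hub. Port names and the bogus attacker MACs are constructed.

```python
"""A switch's MAC address table: learning, unicast forwarding and flooding.

Added example for the 'Switch it!' activity above; it is not part of the
Cisco curriculum. A frame is reduced to (ingress port, destination MAC,
source MAC). The switch records the source MAC against the ingress port,
then forwards by destination: a known unicast goes out one port, an unknown
unicast or a broadcast is flooded out every port except the ingress port.
The table has a capacity, so the example also shows what MAC flooding
(chapter 2) exploits: once the table is full the switch floods like a hub.
"""
from collections import OrderedDict

BROADCAST = "FFFF.FFFF.FFFF"


class Switch:
    def __init__(self, ports, capacity=8192):
        self.ports = list(ports)
        self.capacity = capacity
        self.table = OrderedDict()          # MAC -> port, oldest entry first

    def learn(self, mac, port):
        """Add or refresh the entry for mac; False if the table is full."""
        if mac in self.table:
            self.table[mac] = port          # the host may have moved to another port
            self.table.move_to_end(mac)
            return True
        if len(self.table) >= self.capacity:
            return False                    # nothing new can be learned
        self.table[mac] = port
        return True

    def forward(self, ingress, dst, src):
        """Return (action, egress ports) for a frame arriving on ingress."""
        if ingress not in self.ports:
            raise ValueError(f"no such port: {ingress}")
        self.learn(src, ingress)
        if dst == BROADCAST:
            return ("broadcast-flood", [p for p in self.ports if p != ingress])
        if dst in self.table:
            if self.table[dst] == ingress:
                return ("filter", [])       # destination is on the ingress port
            return ("unicast", [self.table[dst]])
        return ("unknown-unicast-flood", [p for p in self.ports if p != ingress])


def activity_switch():
    """The twelve-port switch and pre-filled table from the activity figure."""
    sw = Switch([f"Fa{i}" for i in range(1, 13)])
    sw.table.update({"0A": "Fa1", "0D": "Fa7", "0F": "Fa9"})
    return sw


def mac_flood(sw, attacker_port, count):
    """Attacker sends count frames, each with a different bogus source MAC."""
    for i in range(count):
        sw.forward(attacker_port, BROADCAST, f"DEAD.BEEF.{i:04X}")


if __name__ == "__main__":
    sw = activity_switch()
    # Activity frame: destination 0C (not in the table), source 0A on Fa1.
    print(sw.forward("Fa1", "0C", "0A"))        # unknown unicast: flooded
    print(sw.forward("Fa5", "0A", "0C"))        # reply: 0C learned on Fa5, unicast to Fa1

    # MAC flooding against a small table: the legitimate host on Fa2 can no
    # longer be learned, so traffic for it is flooded, including to the attacker.
    small = Switch(["Fa1", "Fa2", "Fa3"], capacity=4)
    mac_flood(small, "Fa3", 10)
    print(small.learn("BBBB.0000.0002", "Fa2"))
    print(small.forward("Fa1", "BBBB.0000.0002", "AAAA.0000.0001"))
```

For the activity frame the answer is therefore: the switch refreshes 0A on Fa1, and because 0C is not in the table the frame is a unicast that is flooded out every port except Fa1. Once 0C replies, its address is learned on Fa5 and later frames to it are sent to that port only. Real switches also age entries out (which a flooding attacker relies on to keep the table full), which this model omits.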

1.2.2 Switching Domains

1.2.2.1 Collision Domains

(image1): Shows a single broadcast domain formed by a switch with three ports, where each port is its own collision domain. Port 1 is connected to PC 1 and represents collision domain 1, Port 2 is connected to a server and represents collision domain 2, and Port 3 is connected to PC 2 and represents collision domain 3.

1.2.2.2 Broadcast Domains

(image1): Shows an animation which is adequately described in the written information.

1.2.2.3 Alleviating Network Congestion

(image1): Shows images of LAN switches.

1.2.2.4 Activity – Circle the Domain

The activity shows nine different images. Each broadcast domain in the images needs to be identified. (image1): Shows Hub 1 is connected to Hub 2 and Hub 3. Hub 2 is connected to PC 1 and Hub 3 is connected to PC 2 and PC 3.

(image2): Shows Hub 1 is connected to Router 1, Hub 2 and Hub 3. Hub 2 is connected to PC 1, PC 2 and PC 3. Hub 3 is connected to PC 4, PC 5 and PC 6.

(image3): Shows Hub 1 is connected to Router 1, Hub 2 and Hub 3. Hub 2 is connected to PC 1, PC 2 and PC 3. Hub 3 is connected to PC 4, PC 5 and PC 6.

(image4): Shows Switch 1 is connected to Router 1, Hub 1 and Hub 2. Hub 1 is connected to PC 1, PC 2 and PC 3. Hub 2 is connected to PC 4, PC 5 and PC 6.

(image5): Shows Switch 1 is connected to Router 1, Switch 2 and Switch 3. Switch 2 is connected to PC 1 and PC 2. Switch 3 is connected to PC 4 and PC 5.

(image6): Shows Switch 1, Switch 2 and Router 1 are connected. Switch 1 is connected to Hub 1 and Hub 1 is connected to PC 1 and PC 2. Switch 2 is connected to Server 1 and PC 3. Router 1 is connected to Server 2.

(image7): Shows Switch 1, Switch 2 and Router 1 are connected. Switch 1 is connected to Hub 1 and Hub 1 is connected to PC 1 and PC 2. Switch 2 is connected to Server 1 and PC 3. Router 1 is connected to Server 2.

(image8): Shows Switch 1, Switch 2 and Hub 1 are connected. Switch 1 is connected to Hub 2 and Hub 2 is connected to PC 1 and PC 2. Hub 1 is connected to Server 1 and PC 3. Switch 2 is connected to Server 2.

(image9): Shows Switch 1, Switch 2 and Hub 1 are connected. Switch 1 is connected to Hub 2 and Hub 2 is connected to PC 1 and PC 2. Hub 1 is connected to Server 1 and PC 3. Switch 2 is connected to Server 2.
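A small program that counts the collision and broadcast domains in topologies like the ones above, added here as an example and not part of the Cisco curriculum. The rules it encodes are the ones this section teaches: a hub extends both kinds of domain, a switch terminates collision domains (every port is its own) but extends a broadcast domain, and a router terminates both. The topologies are transcribed from the figure descriptions; for image 6 the phrase "Switch 1, Switch 2 and Router 1 are connected" is assumed to mean the router sits between the two switches.

```python
"""Count collision and broadcast domains in a LAN topology.

Added example for the 'Circle the Domain' activity (not part of the Cisco
curriculum). Rules used:
  - a hub extends a collision domain and a broadcast domain
  - a switch terminates collision domains but extends a broadcast domain
  - a router terminates both
Every link starts as a domain of its own; a device that 'extends' a kind
of domain merges all the links attached to it.
"""
from itertools import combinations

COLLISION_EXTENDERS = {"hub"}
BROADCAST_EXTENDERS = {"hub", "switch"}


def device_type(name):
    """Derive the device role from its name as used in the figures."""
    lower = name.lower()
    for kind in ("hub", "switch", "router"):
        if lower.startswith(kind):
            return kind
    return "host"  # PCs and servers


def count_domains(links, extenders):
    """Number of domains; links is a list of (device_a, device_b) pairs."""
    parent = list(range(len(links)))           # union-find over link indices

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    def union(i, j):
        parent[find(i)] = find(j)

    by_device = {}
    for idx, (a, b) in enumerate(links):
        by_device.setdefault(a, []).append(idx)
        by_device.setdefault(b, []).append(idx)

    for dev, idxs in by_device.items():        # merge links through extending devices
        if device_type(dev) in extenders:
            for i, j in combinations(idxs, 2):
                union(i, j)
    return len({find(i) for i in range(len(links))})


def collision_domains(links):
    return count_domains(links, COLLISION_EXTENDERS)


def broadcast_domains(links):
    return count_domains(links, BROADCAST_EXTENDERS)


# Topologies transcribed from the figure descriptions above.
IMAGE1 = [("Hub1", "Hub2"), ("Hub1", "Hub3"), ("Hub2", "PC1"),
          ("Hub3", "PC2"), ("Hub3", "PC3")]
IMAGE4 = [("Switch1", "Router1"), ("Switch1", "Hub1"), ("Switch1", "Hub2"),
          ("Hub1", "PC1"), ("Hub1", "PC2"), ("Hub1", "PC3"),
          ("Hub2", "PC4"), ("Hub2", "PC5"), ("Hub2", "PC6")]
IMAGE5 = [("Switch1", "Router1"), ("Switch1", "Switch2"), ("Switch1", "Switch3"),
          ("Switch2", "PC1"), ("Switch2", "PC2"),
          ("Switch3", "PC4"), ("Switch3", "PC5")]
# Image 6: "Switch 1, Switch 2 and Router 1 are connected" is assumed here
# to mean Router 1 sits between the two switches.
IMAGE6 = [("Switch1", "Router1"), ("Router1", "Switch2"), ("Switch1", "Hub1"),
          ("Hub1", "PC1"), ("Hub1", "PC2"), ("Switch2", "Server1"),
          ("Switch2", "PC3"), ("Router1", "Server2")]

if __name__ == "__main__":
    for name, topo in [("image1", IMAGE1), ("image4", IMAGE4),
                       ("image5", IMAGE5), ("image6", IMAGE6)]:
        print(name, "collision domains:", collision_domains(topo),
              "broadcast domains:", broadcast_domains(topo))
```

Image 5 is the all-switch case: seven links give seven collision domains but a single broadcast domain. Image 6 shows the router's role: the hub segment, each switch port and each router link are separate collision domains (six), and the router splits the network into three broadcast domains.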

1.3 Summary

1.3.1 Summary

1.3.1.1 It's Network Access Time

(image1): Shows how switching technology helps disseminate voice and video data streams.

1.3.1.2 Basic Switch Configurations

(image1): Shows a Syntax Checker Activity which reviews basic switch configurations

Activity:

1. Configure the switch hostname to be ‘HQSw1’

2. Configure the encrypted privileged EXEC password to ‘class’

3. Set all line passwords to ‘cisco’ and require a login, starting with the console. Set vty line 0 through 15

4. Enter the command to encrypt the plain text passwords

5. Configure vlan1 with the IP address 192.168.10.2/24 and activate the interface

6. Return directly to the privileged EXEC mode and display the current configuration

1.3.1.3 Packet Tracer – Skills Integration Challenge

(image1): Adequately described in the written information.

1.3.1.4 Summary

(image1): Illustrates a borderless switched network comprised of large, medium and small campus networks. All the three networks have a Data Centre and Services Block. And they are connected through WAN and PSTN. The large campus network has a separate Internet Edge connected to internet cloud.

Chapter 2: Basic Switching Concepts and Configuration

2.0 Introduction

2.0.1 Introduction

2.0.1.1 Introduction

(image1): Lists some points about the learning outcome of this chapter.

• Configure initial settings on a Cisco switch.

• Configure switch ports to meet network requirements.

• Configure the management switch virtual interface.

• Describe the basic security attacks in a switched environment.

• Describe security best practices in a switched environment.

• Configure the port security feature to restrict network access.

2.0.1.2 Activity - Stand by Me

(image1): Lists some functions of switch.

• Identify connected hosts, port locations, and unique MAC addresses.

• Record unique host addresses to a MAC address table.

• Send and receive data traffic using unicasts, multicasts, and broadcasts.

2.1 Basic Switch Configuration

2.1.1 Configure a Switch with Initial Settings

2.1.1.1 Switch Boot Sequence

(image1): Shows PC 1 is connected to Switch 1. The BOOT environment variable is set using the boot system global configuration mode command:

boot system flash:/c2960-lanbasek9-mz.150-2.SE/c2960-lanbasek9-mz.150-2.SE.bin

The command has four parts:

Command: boot system

Storage device: flash:

Path to location in the file system: /c2960-lanbasek9-mz.150-2.SE/

Filename of IOS: c2960-lanbasek9-mz.150-2.SE.bin

2.1.1.2 Recovering from a System Crash

(image1): Shows a directory listing in the boot loader. With a terminal window open on a PC connected to the switch console, enter the command dir flash: to list the files in the flash file system.

2.1.1.3 Switch LED Indicators

(image1): Adequately described in the written information.

2.1.1.4 Preparing for Basic Switch Management

(image1): Shows PC1 is connected to Switch 1 through a console cable. And Switch 1 is connected to a router. A console cable is used to connect a PC to the console port of a switch for configuration. To remotely manage the switch, the switch must be initially configured through the console port.

2.1.1.5 Configuring Basic Switch Management Access with IPv4

(image1): Adequately described in the written information. (image2): Adequately described in the written information. (image3): Adequately described in the written information.

2.1.1.6 Lab – Basic Switch Configuration

(image1): Adequately described in the written information.

2.1.2 Configure Switch Ports

2.1.2.1 Duplex Communication

(image1): Shows two full-duplex switches connected to each other; both can send and receive data at the same time. It also shows a full-duplex switch connected to a half-duplex switch; on that link data can flow in only one direction at a time.

2.1.2.2 Configure Switch Ports at the Physical Layer

(image1): Shows PC1 is connected to Switch1 through port F0/18 and PC2 is connected to Switch2. Switch1 and Switch2 are interconnected through port F0/1. On both switches port F0/1 is configured for full-duplex mode and 100 Mb/s speed. The Cisco IOS commands for manually configuring duplex and speed are below:

| Task | Command |
| Enter global configuration mode | S1# configure terminal |
| Enter interface configuration mode | S1(config)# interface FastEthernet 0/1 |
| Configure the interface duplex | S1(config-if)# duplex full |
| Configure the interface speed | S1(config-if)# speed 100 |
| Return to privileged EXEC mode | S1(config-if)# end |
| Save the running config to the startup config | S1# copy running-config startup-config |

(image2): Shows an activity for manual configuration of duplex and speed settings. Activity: Enter configuration mode and set FastEthernet0/1 duplex to full and speed 100

	S1# configure terminal
	S1(config)# interface fastethernet 0/1
	S1(config-if)# duplex full
	S1(config-if)# speed 100

Activity: End out of configuration mode and save the configuration to NVRAM

	S1(config-if)# end
	S1# copy running-config startup-config

You have successfully configured the switch port duplex and speed settings.

2.1.2.3 Auto-MDIX

(image1): Shows PC1 is connected to Switch1 through port F0/18 and PC2 is connected to Switch2. Switch1 and Switch2 are interconnected through port F0/01.

The Cisco Switch IOS commands to enable auto-MDIX are below:

| Task | Command |
| Enter global configuration mode | S1# configure terminal |
| Enter interface configuration mode | S1(config)# interface FastEthernet 0/1 |
| Configure the interface to auto-negotiate duplex with the connected device | S1(config-if)# duplex auto |
| Configure the interface to auto-negotiate speed with the connected device | S1(config-if)# speed auto |
| Enable auto-MDIX on the interface | S1(config-if)# mdix auto |
| Return to privileged EXEC mode | S1(config-if)# end |
| Save the running config to the startup config | S1# copy running-config startup-config |

(image2): Shows PC1 is connected to Switch1 through port F0/18 and PC2 is connected to Switch2. Switch1 and Switch2 are interconnected through port F0/01.

The Cisco Switch IOS command to examine auto-MDIX setting for a specific interface is below:

S1# show controllers ethernet-controller fa0/1 phy | include Auto-MDIX

The result displayed is below:

Auto-MDIX: on [AdminState=1 Flags=0x000562481]

S1#

(image3): Shows PC1 is connected to Switch1 through port F0/18 and PC2 is connected to Switch2. Switch1 and Switch2 are interconnected through port F0/01. An activity to enable auto-MDIX. Activity: Enter configuration mode and set FastEthernet0/1 duplex, speed and MDIX to auto

	S2# configure terminal

	S2(config)# interface fastethernet 0/1

	S2(config-if)# duplex auto

	S2(config-if)# speed auto

	S2(config-if)# mdix auto

Activity: End out of configuration mode and save the configuration to NVRAM

	S2(config-if)# end

	S2# copy running-config startup-config

You have successfully configured the MDIX auto feature.

2.1.2.4 Verifying Switch Port Configuration

(image1): Shows Cisco Switch IOS Verification Commands:

| Task | Command |
| Display interface status and configuration | S1# show interfaces [interface-id] |
| Display the current startup configuration | S1# show startup-config |
| Display the current operating configuration | S1# show running-config |
| Display information about the flash file system | S1# show flash |
| Display system hardware and software status | S1# show version |
| Display the history of commands entered | S1# show history |
| Display IP information about an interface | S1# show ip interface [interface-id] |
| Display the MAC address table | S1# show mac-address-table or S1# show mac address-table |

(image2): Shows PC1 is connected to Switch1 through fa0/18. The command for showing running configuration for Switch1 is: S1# show running-config

The output for this command is adequately described in the text.

(image3): Shows PC1 is connected to Switch1 through fa0/18. The command for showing interface status for fa0/18 is: S1# show interfaces fastethernet0/18

The output for this command is adequately described in the written information.

2.1.2.5 Network Access Layer Issues

(image1): Adequately described in the written information.

(image2): Adequately described in the written information.

(image3): Illustrates some network access layer issues.

Error TypeDescription
| Error Type | Description |
| Input Errors | Total number of errors. It includes runts, giants, no buffer, CRC, frame, overrun, and ignored counts. |
| Runts | Packets that are discarded because they are smaller than the minimum packet size for the medium. For instance, any Ethernet packet that is less than 64 bytes is considered a runt. |
| Giants | Packets that are discarded because they exceed the maximum packet size for the medium. For example, any Ethernet packet that is greater than 1518 bytes is considered a giant. |
| CRC | CRC errors are generated when the calculated checksum is not the same as the checksum received. |
| Output Errors | Sum of all errors that prevented the final transmission of datagrams out of the interface that is being examined. |
| Collisions | Number of messages retransmitted because of an Ethernet collision. |
| Late Collisions | A collision that occurs after 512 bits of the frame have been transmitted. |

2.1.2.6 Troubleshooting Network Access Layer Issues

(image1): Shows a flow-chart on Troubleshooting Switch Media Issues

Step 1: Perform a show interface

Step 2: Is the interface up? If YES, and there are indications of EMI/noise, remove sources. Also verify the duplex setting is properly set on both ends. If NO, verify proper cables, check cables and connectors for damage and verify speed is properly set on both ends.

Step 3: Is the problem solved? If YES, troubleshooting is successfully done. If NO, document the work done and escalate the issue.

2.2 Switch Security: Management and Implementation

2.2.1 Secure Remote Access

2.2.1.1 SSH Operation

(image1): Adequately described in the written information.

(image2): Adequately described in the written information.

(image3): Adequately described in the written information.

(image4): Adequately described in the written information.

(image5): Adequately described in the written information.

2.2.1.2 Configuring SSH

(image1): Illustrates commands for configuring SSH for Remote Management

S1# configure terminal

S1(config)# ip domain-name cisco.com

S1(config)# crypto key generate rsa

S1(config)# username admin secret ccna

S1(config)# line vty 0 15

S1(config-line)# transport input ssh

S1(config-line)# login local

S1(config-line)# exit

S1(config)# ip ssh version 2

S1(config)# exit

S1#

(image2): Syntax checker activity for configuring SSH

1. Set the domain name to cisco.com and generate the 1024 bit rsa key

2. Create a local user ‘admin’ with an encrypted password ‘ccna’. Set all vty lines to use ssh and local login for remote connections. End out of configuration mode.

3. Configure S1 to use SSH 2.0

SSH will be configured on all vty lines, after successful implementation of the above steps.

2.2.1.3 Verifying SSH

(image1): Adequately described in the written information.

(image2): Adequately described in the written information.

(image3): Adequately described in the written information.

2.2.1.4 Packet Tracer – Configuring SSH

(image1): Adequately described in the written information.

2.2.2 Security Concerns in LANs

2.2.2.1 Common Security Attacks: MAC Address Flooding

(image1): Adequately described in the written information. (image2): Adequately described in the written information. (image3): Adequately described in the written information. (image4): Adequately described in the written information. (image5): Adequately described in the written information.

2.2.2.2 Common Security Attacks: DHCP Spoofing

(image1): PC 1 is connected to Switch 1 and PC 2 is connected to Switch 2. Switch 1 and Switch 2 are interconnected. A legitimate DHCP server is connected to Switch 2 through a firewall. The attacker on PC 2 runs DHCP spoofing and starvation attacks against the DHCP server and in this way obtains information about the packets from PC 1.

2.2.2.3 Common Security Attacks: Leveraging CDP

(image1): The figure shows a portion of Wireshark capture which displays the software version from CDP frame.

2.2.2.4 Activity – Identify Common Security Attacks

(image1):

Match the name of the common security attack given below to the description:

| Security Attack Type | Common Security Attack Description |
| | Allows the attacker to see surrounding IP addresses, software versions, and native VLAN information to enact a DoS attack. |
| | Floods the DHCP server with DHCP requests to use all the available addresses; simulates a DoS on the switch. |
| | Uses a ‘dictionary’ to find common passwords; tries to initiate a Telnet session using what the ‘dictionary’ suggests for the passwords. |
| | Uses fake MAC addresses to overflow the MAC address table. |
| | Allows an attacker to configure a fake DHCP server on the network to issue DHCP addresses to clients. |

Names of the common security attacks:

MAC flooding, DHCP spoofing, CDP, DHCP starvation, brute force

2.2.3 Security Best Practices

2.2.3.1 Best Practices

(image1): Displays images of some considerations:

• Firewall

• Control Physical Access

• Patches and Updates

• Develop a Security Policy

• Password Protect Sensitive Data

• Antivirus

2.2.3.2 Network Security Tools and Testing

(image1): Adequately described in the written information.

2.2.3.3 Network Security Audits

(image1): Adequately described in the written information.

2.2.4 Switch Port Security

2.2.4.1 Secure Unused Ports

(image1): The image displays the output of the ‘show run’ command after unused switch ports have been disabled with the ‘shutdown’ command. It shows that Fast Ethernet interfaces 4 to 24 are shut down.

2.2.4.2 DHCP Snooping

(image1): The image illustrates DHCP snooping operation. PC1 and PC2 are connected to Switch2 through untrusted ports. PC1 is the attacker's rogue DHCP server and PC2 is the DHCP client. Switch2 is connected to Switch1 through interface F0/2. The legitimate DHCP server is connected to Switch1 through the trusted interface F0/1.

Features of DHCP Snooping:

• DHCP snooping allows ports to be configured as trusted or untrusted:

	- Trusted ports can forward all DHCP messages, including server replies (offers and acknowledgements)

	- Untrusted ports can forward only DHCP requests from clients; a server reply arriving on an untrusted port is dropped

• DHCP snooping enables the switch to build a DHCP binding table that maps a client MAC address, IP address, VLAN and Port ID.

(image2): The image shows DHCP snooping configuration. The configuration is below:

S1(config)# ip dhcp snooping

S1(config)# ip dhcp snooping vlan 10,20

S1(config)# interface fastethernet 0/1

S1(config-if)# ip dhcp snooping trust

S1(config)# interface fastethernet 0/2

S1(config-if)# ip dhcp snooping limit rate 5
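The following program is an added example (not code from the Cisco curriculum) of the decisions a DHCP-snooping switch makes for each DHCP packet: it parses the BOOTP/DHCP header, lets untrusted ports forward client requests only, drops server replies on untrusted ports (the rogue-server case), and records a binding when the trusted server acknowledges a lease. The rate limit and the check that the client hardware address matches the frame's source MAC correspond to the limit rate command above and to the switch's default address verification. The port names, VLAN number, MAC addresses and the packets themselves are constructed for the example.

```python
"""DHCP snooping: which DHCP messages a port may forward, and the binding
table the switch builds while watching a lease being handed out.

Added example (not part of the Cisco curriculum). Only the BOOTP/DHCP
fields snooping needs are parsed: op (1 = client request, 2 = server
reply), xid, yiaddr, chaddr and the DHCP message type option. Untrusted
ports may forward client requests only; a server reply on an untrusted
port is the rogue-server case and is dropped. The rate limit and the
chaddr-versus-source-MAC check model 'limit rate' and the default
'verify mac-address' behaviour; ports, VLAN and addresses are constructed.
"""
import ipaddress
import struct
from collections import defaultdict

BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK = 1, 2, 3, 5
MAGIC = bytes.fromhex("63825363")          # marks the start of DHCP options


def build_dhcp(op, xid, chaddr, msg_type, yiaddr="0.0.0.0"):
    """Constructed DHCP packet (UDP payload) carrying just these fields."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    pkt = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)             # op..flags
    pkt += bytes(4) + ipaddress.IPv4Address(yiaddr).packed + bytes(8)  # ciaddr, yiaddr, siaddr, giaddr
    pkt += mac.ljust(16, b"\x00") + bytes(64) + bytes(128)             # chaddr, sname, file
    return pkt + MAGIC + bytes([53, 1, msg_type, 255])                 # option 53, end


def parse_dhcp(payload):
    op, _htype, hlen, _hops, xid = struct.unpack_from("!BBBBI", payload, 0)
    fields = {"op": op, "xid": xid, "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
              "chaddr": payload[28:28 + hlen].hex(":"), "msg_type": None}
    i = 240 if payload[236:240] == MAGIC else len(payload)
    while i < len(payload) and payload[i] != 255:      # 255 = end of options
        if payload[i] == 0:                             # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53:
            fields["msg_type"] = payload[i + 2]
        i += 2 + length
    return fields


class SnoopingSwitch:
    def __init__(self, trusted_ports, rate_limit=None):
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit or {}     # untrusted port -> packets allowed per second
        self.seen = defaultdict(int)           # untrusted port -> packets in this second
        self.pending = {}                      # xid -> (client port, vlan) awaiting a reply
        self.bindings = {}                     # client MAC -> {ip, vlan, port}

    def handle(self, port, vlan, src_mac, payload):
        """Return 'forward', 'drop: <reason>' or 'err-disable' for one packet."""
        pkt = parse_dhcp(payload)
        if port in self.trusted:
            if pkt["msg_type"] == DHCPACK and pkt["xid"] in self.pending:
                cport, cvlan = self.pending.pop(pkt["xid"])
                self.bindings[pkt["chaddr"]] = {"ip": pkt["yiaddr"], "vlan": cvlan, "port": cport}
            return "forward"
        self.seen[port] += 1
        if self.seen[port] > self.rate_limit.get(port, float("inf")):
            return "err-disable"                       # too many DHCP packets per second
        if pkt["op"] == BOOTREPLY:
            return "drop: server reply on untrusted port"
        if pkt["chaddr"] != src_mac.lower():
            return "drop: chaddr does not match source MAC"
        self.pending[pkt["xid"]] = (port, vlan)
        return "forward"


CLIENT, SERVER, ROGUE = "00:25:83:e6:4b:02", "00:1b:2c:3d:4e:5f", "de:ad:be:ef:00:01"


def demo():
    """One lease on VLAN 10, then a rogue server and a spoofed client."""
    sw = SnoopingSwitch(trusted_ports=["Fa0/1"], rate_limit={"Fa0/2": 5, "Fa0/3": 5})
    results = [
        sw.handle("Fa0/2", 10, CLIENT, build_dhcp(BOOTREQUEST, 0x1234, CLIENT, DHCPDISCOVER)),
        sw.handle("Fa0/1", 10, SERVER, build_dhcp(BOOTREPLY, 0x1234, CLIENT, DHCPOFFER, "192.168.10.50")),
        sw.handle("Fa0/2", 10, CLIENT, build_dhcp(BOOTREQUEST, 0x1234, CLIENT, DHCPREQUEST)),
        sw.handle("Fa0/1", 10, SERVER, build_dhcp(BOOTREPLY, 0x1234, CLIENT, DHCPACK, "192.168.10.50")),
        sw.handle("Fa0/3", 10, ROGUE, build_dhcp(BOOTREPLY, 0x1234, CLIENT, DHCPOFFER, "192.168.10.99")),
        sw.handle("Fa0/3", 10, ROGUE, build_dhcp(BOOTREQUEST, 0x5555, "00:00:00:00:00:01", DHCPDISCOVER)),
    ]
    return results, sw


if __name__ == "__main__":
    results, sw = demo()
    for r in results:
        print(r)
    print(sw.bindings)
```

The binding records the client's own port (Fa0/2) and VLAN, not the trusted port the acknowledgement arrived on, which is why the switch has to remember which untrusted port the request came from. That binding table is what later features such as dynamic ARP inspection and IP source guard check against.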

2.2.4.3 Port Security: Operation

(image1): The image summarizes the purpose for implementing port security on all switch ports.

	- Specify a single MAC address or a group of valid MAC addresses allowed on a port.

	- Specify that a port automatically shuts down if unauthorized MAC addresses are detected.

(image2): The image shows features of Sticky Secure.

- Learned dynamically, converted to sticky secure MAC addresses stored in the running config.

- Removed from the running-config if port security is disabled.

- Lost when the switch reboots (power cycled)

- Saving sticky secure MAC addresses in the startup-config makes them permanent and the switch retains them after a reboot.

- Disabling sticky learning converts sticky MAC addresses to dynamic secure addresses and removes them from the running-config.

2.2.4.4 Port Security: Violation Modes

(image1): The image lists the situations when violation occurs:

- A station with MAC address that is not in the address table attempts to access the interface when the table is full.

- An address is being used on two secure interfaces in the same VLAN.

The image also illustrates security violation modes in the below table. Security violation modes include: Protect, Restrict and Shutdown.

Security Violation Modes

| Violation Mode | Forwards Traffic | Sends Syslog Message | Displays Error Message | Increases Violation Counter | Shuts Down Port |
| Protect | No | No | No | No | No |
| Restrict | No | Yes | No | Yes | No |
| Shutdown | No | Yes | No | Yes | Yes |

2.2.4.5 Port Security: Configuring

(image1): The image displays port security defaults in the table below:

| Feature | Default Setting |
| Port Security | Disabled on a port |
| Maximum number of secure MAC addresses | 1 |
| Violation mode | Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded. |
| Sticky address learning | Disabled |

(image2): The image shows PC1 is connected to Switch1 through F0/18 and PC2 is connected to Switch1 through F0/19. MAC address of PC1 is 0025.83e6.4b01. MAC address of PC2 is 0025.83e6.4b02.

Cisco IOS CLI commands for configuring dynamic port security are in the table below:

| Task | Command |
| Specify the interface to be configured for port security | S1(config)# interface fastethernet 0/18 |
| Set the interface mode to access | S1(config-if)# switchport mode access |
| Enable port security on the interface | S1(config-if)# switchport port-security |

(image3): The image shows PC1 is connected to Switch1 through F0/18 and PC2 is connected to Switch1 through F0/19. MAC address of PC1 is 0025.83e6.4b01. MAC address of PC2 is 0025.83e6.4b02.

Cisco IOS CLI commands for configuring sticky port security are in the table below:

| Task | Command |
| Specify the interface to be configured for port security | S1(config)# interface fastethernet 0/19 |
| Set the interface mode to access | S1(config-if)# switchport mode access |
| Enable port security on the interface | S1(config-if)# switchport port-security |
| Set the maximum number of secure addresses allowed on the port | S1(config-if)# switchport port-security maximum 50 |
| Enable sticky learning | S1(config-if)# switchport port-security mac-address sticky |
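The behaviour the operation, violation-mode and configuration sections describe can be modelled in a few lines. The following program is an added example (not code from the Cisco curriculum): a port object whose defaults follow the defaults table (maximum 1, violation mode shutdown, sticky off), which learns dynamic or sticky secure addresses, reacts to a violation according to the selected mode, and lists the lines its configuration would produce. The syslog text is modelled on the console messages shown in 2.2.4.7; the PC and intruder MAC addresses are taken from the figures, and the extra port names are constructed.

```python
"""Port security on an access port: secure address learning, sticky
addresses and the protect / restrict / shutdown violation modes.

Added example for the port-security operation, violation-mode and
configuration sections above; it is not part of the Cisco curriculum.
Constructor defaults follow the defaults table: maximum 1 secure MAC,
violation mode shutdown, sticky learning off. A violation is a frame whose
source MAC is not secure on the port while the port already holds its
maximum. Syslog text is modelled on the messages shown in 2.2.4.7.
"""

MODES = ("protect", "restrict", "shutdown")


class SecurePort:
    def __init__(self, name, maximum=1, violation="shutdown", sticky=False):
        if violation not in MODES:
            raise ValueError(f"violation mode must be one of {MODES}")
        self.name, self.maximum, self.violation, self.sticky = name, maximum, violation, sticky
        self.secure = {}                 # MAC -> SecureConfigured / SecureDynamic / SecureSticky
        self.violation_count = 0
        self.err_disabled = False
        self.syslog = []

    def add_static(self, mac):
        """switchport port-security mac-address <mac>"""
        if mac not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError("maximum secure addresses already reached")
        self.secure[mac] = "SecureConfigured"

    def receive(self, src_mac):
        """Handle one ingress frame; return 'forward' or 'drop'."""
        if self.err_disabled:
            return "drop"                                   # port is down
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:                 # room left: learn it
            self.secure[src_mac] = "SecureSticky" if self.sticky else "SecureDynamic"
            return "forward"
        if self.violation == "protect":                     # silent drop, no counter
            return "drop"
        self.violation_count += 1
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                           f"caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.err_disabled = True
            self.syslog.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on "
                               f"{self.name}, putting {self.name} in err-disable state")
        return "drop"

    def recover(self):
        """'shutdown' followed by 'no shutdown' on the interface clears err-disabled."""
        self.err_disabled = False

    def reboot(self, saved_to_startup):
        """Dynamic addresses never survive a reboot; sticky ones do only if the
        running config was copied to the startup config first."""
        self.secure = {m: k for m, k in self.secure.items()
                       if k == "SecureConfigured" or (k == "SecureSticky" and saved_to_startup)}
        self.err_disabled = False        # operational state, not part of the configuration

    def running_config(self):
        """Interface lines as 'show run' would list them."""
        lines = ["switchport mode access", "switchport port-security"]
        if self.maximum != 1:
            lines.append(f"switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f"switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        for mac, kind in self.secure.items():
            if kind == "SecureConfigured":
                lines.append(f"switchport port-security mac-address {mac}")
            elif kind == "SecureSticky":
                lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines


PC1, PC2, INTRUDER = "0025.83e6.4b01", "0025.83e6.4b02", "000c.292b.4c75"

if __name__ == "__main__":
    fa18 = SecurePort("Fa0/18")                         # defaults: max 1, shutdown
    print(fa18.receive(PC1), fa18.receive(INTRUDER), fa18.err_disabled, fa18.receive(PC1))
    fa19 = SecurePort("Fa0/19", maximum=50, sticky=True)
    fa19.receive(PC2)
    print("\n".join(fa19.running_config()))
```

Note the operational difference between restrict and shutdown: both count and log the violation, but restrict keeps the port up for the legitimate host while shutdown takes the whole port out of service, which an attacker can use as a denial of service against the legitimate user of that port.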

2.2.4.6 Port Security: Verifying

(image1): The image shows the command and the output to verify dynamic MAC address. The command is below:

S1# show port-security interface fastethernet 0/18

    --output omitted--

Maximum MAC Addresses: 1

    --output omitted--

(image2): The image shows the command and the output to verify sticky MAC address. The command is below:

S1# show port-security interface fastethernet 0/19

    --output omitted--

Maximum MAC Addresses: 50

    --output omitted--

Sticky MAC Addresses: 1

    --output omitted--

(image3): The image shows the command and the output to verify sticky MAC address running configuration. The command is below:

S1# show run | begin FastEthernet0/19

    --output omitted--

switchport port-security mac-address sticky 0025.83e6.4b02

    --output omitted--

(image4): The image shows the command and the output to verify secure MAC addresses. The command is below:

S1# show port-security address

Output:

Secure MAC Address Table

| Vlan | MAC Address | Type | Ports | Remaining Age (mins) |
| 1 | 0025.83e6.4b01 | SecureDynamic | Fa0/18 | - |
| 1 | 0025.83e6.4b02 | SecureSticky | Fa0/19 | - |

2.2.4.7 Ports in Error Disabled State

(image1): The image displays port security violation messages on the console. The messages appear as below:

Sep 20 06:44:54.966: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/18, putting Fa0/18 in err-disable state

Sep 20 06:44:54.966: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.292b.4c75 on port FastEthernet0/18.

Sep 20 06:44:54.966: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to down

Sep 20 06:44:54.966: %LINK-3-UPDOWN: Interface FastEthernet0/18, changed state to down

Page last modified on April 09, 2014, at 05:46 PM