
LAN Switching

Concepts

Switching logic

  1. forward or filter frame depending on the MAC address
  2. learn MAC addresses by seeing frames’ source MAC address
  3. avoid loops by using STP

Switch’s MAC address table = switching table = bridging table = CAM = forwarding table

Flooding

Inactivity timer

STP

Switch internal processing

Switch features

LAN design

VLANs

(LAN = all devices in the same broadcast domain)

Switch types

Ethernet LAN media

Cisco switches

Two types

  1. Catalyst – for Enterprises (core switch 6500 can run Cisco IOS or Cat OS)
  2. Linksys – for home use

CLI can be accessed via

CLI modes

.. user EXEC mode (user mode)

.. enable mode

> enable

.. configuration changes in enable mode affect the active config (RAM) after pressing Enter!

Configuration modes

.. global (hostname(config)#)

configure terminal

.. line (hostname(config-line)#)

line console 0
line vty 0 15

.. interface (hostname(config-if)#)

interface <type> <number>

Exiting modes

Configuration files

Config files storage

SW initialization

Managing config files

copy {tftp | running-config | startup-config} {tftp | running-config | startup-config}

.. file => NVRAM or file => TFTP – file replaces the original one

.. file => RAM – merge

.. save configuration changes

copy running-config startup-config

.. revert changes in running-config

copy startup-config running-config  # not 100% reliable
reload                              # 100% reliable

.. erase NVRAM

erase nvram:  # new, recommended
write erase
erase startup-config

.. erase running config – erase NVRAM + reload

IFS (IOS File System) alternative names

Setup mode – initial switch configuration via questions (System configuration dialog)

Switch configuration

Features in common with routers

Password + hostname

#configure terminal
(config)#enable secret cisco  # hide (via MD5 hashing) clear text passwords in running-config
(config)#hostname Emma
(config)#line console 0       # serial console 
(config-line)#password 123
(config-line)#login
(config-line)#exit
(config)#line vty 0 15        # telnet
(config-line)#password 123
(config-line)#login
(config-line)#exit
(config)#exit
#show running-config

.. with default settings, telnet users are rejected

SSH

#configure terminal
(config)#line vty 0 15
(config-line)#login local                  # local users, no AAA
(config-line)#transport input telnet ssh   # to improve security, leave out telnet
(config-line)#exit
(config)#username foo password 123
(config)#ip domain-name example.com
(config)#crypto key generate rsa
(config)#^Z
#show crypto key mypubkey rsa

Password encryption

Banners

Logging and timeout

.. normally logs are emitted anytime, including right in the middle of a command - to improve this

logging synchronous

.. timeout (0 0 never times out)

exec-timeout <minutes> <seconds>
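An added example (not from the original notes) that checks a saved running-config for the weak settings covered in the password, SSH and timeout sections above: a missing enable secret, a reversible username password, a vty line without login, telnet left in transport input, and an exec-timeout of 0 0. The config text and the hash inside it are constructed placeholders, not output from a real switch.

```python
import re

# Constructed sample running-config (placeholder hash), mirroring the
# commands in the notes: enable secret, console/vty lines, telnet+ssh.
SAMPLE_CONFIG = """\
hostname Emma
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
username foo password 123
ip domain-name example.com
line con 0
 password 123
 login
 exec-timeout 0 0
line vty 0 15
 password 123
 login local
 transport input telnet ssh
"""

def parse_lines(config):
    """Split a running-config into {'line ...': [indented sub-commands]}."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current:
            sections[current].append(raw.strip())
        else:
            current = None          # any other top-level command ends the section
    return sections

def audit(config):
    """Return one finding string per weak setting found in the config."""
    findings = []
    if not re.search(r"^enable secret ", config, re.M):
        findings.append("no enable secret: privileged mode has no hashed password")
    if re.search(r"^username \S+ password ", config, re.M):
        findings.append("username ... password is clear text or reversible (type 7); use 'username ... secret'")
    for name, cmds in parse_lines(config).items():
        if name.startswith("line vty"):
            if not any(c.startswith("login") for c in cmds):
                findings.append(f"{name}: no 'login'/'login local', sessions are not authenticated")
            for c in cmds:
                if c.startswith("transport input") and "telnet" in c.split():
                    findings.append(f"{name}: telnet allowed in '{c}', use 'transport input ssh'")
        if "exec-timeout 0 0" in cmds:
            findings.append(f"{name}: exec-timeout 0 0 never expires idle sessions")
    return findings
```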

Switch configuration and operation

default (factory) switch configuration

IP Address

.. Static IP address

(config)#interface vlan 1
(config-if)#ip address 192.168.1.200 255.255.255.0
(config-if)#no shutdown
(config-if)#exit
(config)#ip default-gateway 192.168.1.1

.. DHCP

(config)#interface vlan 1
(config-if)#ip address dhcp
(config-if)#no shutdown
(config-if)#^Z
#show dhcp lease

Interfaces

(config)#interface FastEthernet 0/1
(config-if)#duplex full
(config-if)#speed 100
(config-if)#description Server1 connects here

Port security

.. if you know what devices are to be connected to particular interfaces

switchport mode access
switchport port-security
switchport port-security maximum <number>  # defaults to 1
switchport port-security violation { protect | restrict | shutdown }  # default is shutdown

switchport port-security mac-address <mac-address>  # use multiple times to define more than one
    or
switchport port-security mac-address sticky  # dynamically learn MAC addresses

.. actions on security violation

.. diagnostics

show running-config
show port-security interface fastEthernet 0/1

VLANs => vlans.md

Securing unused interfaces

.. Cisco interfaces are by default “plug and play” interfaces – enabled (no shutdown), automatically negotiate speed and duplex, assigned to VLAN 1, use VLAN trunking and VTP

.. security recommendations (only the first is really required):

Switch troubleshooting

Sample CCNA exam questions - http://www.cisco.com/web/learning/wwtraining/certprog/training/cert_exam_tutorial.html

Organized (formalized) troubleshooting:

  1. analyze/predict normal operation (documentation, show, debug)
  2. isolate problem (show, debug)
  3. root cause analysis – find the cause of the problems

CDP

.. proprietary protocol to learn about network topology – uses multicast frames (when supported) or sends CDP updates to all data-link addresses

.. commands:

.. shown info:

.. Cisco recommends disabling CDP where it is not needed:

L1 and L2

show interfaces, show interfaces description

    .--------------------------------------------------------------------------------------------------------.
    |                                LAN switch interface status codes                                       |
    +-----------------------+----------------------+------------------+--------------------------------------+
    | Line status (L1)      | Protocol status (L2) | Interface status | Typical root cause                   |
    +-----------------------+----------------------+------------------+--------------------------------------+
    | Administratively down | Down                 | disabled         | shutdown command                     |
    | Down                  | Down                 | notconnect       | cable problems, other device down    |
    | up                    | Down                 | notconnect       | up/down state not expected on switch |
    | Down                  | down (err-disabled)  | err-disabled     | port security disabled the interface |
    | Up                    | Up                   | connected        | interface working                    |
    '-----------------------+----------------------+------------------+--------------------------------------'

L1

show interfaces gi0/1 status:

show interfaces fa0/13 (Indicator column):

    .---------------------------------------------------------------------------------------------------------.
    | Problem         | Indicator                         | Root cause                                        |
    +-----------------+-----------------------------------+---------------------------------------------------+
    | Excessive noise | Many input errors, few collisions | Cable problem (category, damaged, EMI)            |
    | Collisions      | Collisions > .1% of all frames    | Duplex mismatch, jabber, DoS                      |
    | Late collisions | Increasing late collisions        | Collision domain, too long cable, duplex mismatch |
    '-----------------+-----------------------------------+---------------------------------------------------'

L2

.. commands

.. switch forwarding logic

  1. determine VLAN
  2. look for destination MAC address, but only in the VLAN
    1. found (unicast) – forward frame out of the matching interface
    2. not found (unicast) – flood the frame within the VLAN
    3. broadcast or multicast – flood the frame within the VLAN

.. port security filtering
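An added example (not from the original notes) that models the forwarding logic just listed together with the switching logic from the start of the page and the port-security violation modes: learn the source MAC, look the destination up in the VLAN only, forward or flood, and apply protect/restrict/shutdown when a secured port sees more MACs than its maximum. The Port and Switch classes and the MAC addresses are constructed for the example.

```python
class Port:
    def __init__(self, name, vlan=1, secure=False, maximum=1, violation="shutdown"):
        self.name, self.vlan = name, vlan
        self.secure, self.maximum, self.violation = secure, maximum, violation
        self.allowed = set()          # MACs accepted on a secured port (sticky-learned)
        self.err_disabled = False     # set by the shutdown violation action
        self.violations = 0           # counted by restrict (protect drops silently)

class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.mac_table = {}           # (vlan, mac) -> port name, i.e. the CAM table

    def _port_security(self, port, src):
        """True if the frame may enter; otherwise apply the violation action."""
        if port.err_disabled:
            return False
        if not port.secure or src in port.allowed:
            return True
        if len(port.allowed) < port.maximum:
            port.allowed.add(src)     # sticky: learn until maximum is reached
            return True
        if port.violation != "protect":
            port.violations += 1      # restrict and shutdown both record the event
        if port.violation == "shutdown":
            port.err_disabled = True  # interface goes err-disabled
        return False

    def receive(self, in_port, src, dst):
        """Process one frame; return the egress port names (empty = filtered)."""
        port = self.ports[in_port]
        if not self._port_security(port, src):
            return []
        self.mac_table[(port.vlan, src)] = in_port       # learn the source MAC
        if int(dst[:2], 16) & 1:                         # I/G bit: multicast (and broadcast)
            return self._flood(port)
        out = self.mac_table.get((port.vlan, dst))       # look up in this VLAN only
        if out is None:
            return self._flood(port)                     # unknown unicast: flood
        return [] if out == in_port else [out]           # filter if it would go back out

    def _flood(self, port):
        return [n for n, p in self.ports.items()
                if p.vlan == port.vlan and n != port.name and not p.err_disabled]
```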

WLANs

Sample WLAN

Concepts

WLAN

Standards:

    .---------------------------------------------------------------------.
    |                             | 802.11a | 802.11b | 802.11g | 802.11n |
    +-----------------------------+---------+---------+---------+---------+
    | Ratified                    | '99     | '99     | '03     | '09     |
    | Max. speed with DSSS (Mbps) | -       |      11 |      11 |      11 |
    | Max. speed with OFDM (Mbps) |      54 | -       |      54 |     150 |
    | Frequency band (GHz)        |       5 |     2.4 |     2.4 | Both    |
    | Non-overlapping channels    |      23 |       3 |       3 |       9 |
    '-----------------------------+---------+---------+---------+---------'

Modes

Service sets

L1

FCC (US) oversees the frequency ranges:

    .----------------------------------------------------------------------.
    |                      FCC unlicensed freq. bands                      |
    +-------------+-------+------------------------------------------------+
    | Freq. range | Name  | Sample devices                                 |
    +-------------+-------+------------------------------------------------+
    | 900 MHz     | ISM   | Older cordless phones                          |
    | 2.4 GHz     | ISM   | Newer cordless phones and 802.[11,11b,11g,11n] |
    | 5 GHz       | U-NII | Newer cordless phones and 802.[11a,11n]        |
    '-------------+-------+------------------------------------------------'

Encodings:

  1. FHSS (802.11a) – uses all frequencies in the band, hopping to different ones in the hope of avoiding interference
  2. DSSS (802.11[b, g]) – uses one of the 11 overlapping channels (or frequencies); has a bandwidth of 82 MHz (2.402 - 2.483 GHz); 3 (1, 6, 11) out of 11 channels are non-overlapping, i.e. they can be used in the same space for WLAN communication without interfering (important when designing an ESS)
  3. OFDM (802.11[a, g, n]) – like DSSS, WLANs using OFDM can use multiple non-overlapping channels

802.11n – uses multiple antennas (MIMO)

Wireless interference

Coverage – transmit power of the AP cannot exceed the FCC limits

Speed

Capacity – non-overlapping channels multiply the WLAN capacity, as three devices can communicate with three APs at the same time

L2

Deployment

1) Verify the existing wired network

2) Install the AP and configure the wired IP details

3) Configure the wireless details

4) Install and configure one wireless client

5) Verify the WLAN works from the client

Security

Issues:

Counter-measures:

Security techniques

WEP

.. problems:

SSID cloaking, MAC filtering

WPA

WPA2 (802.11i) - AES

    .----------------------------------------------------------------------------------------------.
    |                                    WLAN security features                                    |
    +----------------+------------------+-----------------------+---------------------+------------+
    | Standard       | Key distribution | Device authentication | User authentication | Encryption |
    +----------------+------------------+-----------------------+---------------------+------------+
    | WEP            | Static           | Yes (weak)            | None                | Yes (weak) |
    | Cisco          | Dynamic          | Yes                   | Yes (802.1x)        | Yes (TKIP) |
    | WPA            | Both             | Yes                   | Yes (802.1x)        | Yes (TKIP) |
    | 802.11i (WPA2) | Both             | Yes                   | Yes (802.1x)        | Yes (AES)  |
    '----------------+------------------+-----------------------+---------------------+------------'

Source: