Network Administration - Chapter 2: Basic switch concepts and configurations
Chapter 2: Basic switch concepts and configurations
CCNA Exploration 4.0
Học viện mạng Bách Khoa (Bach Khoa Network Academy) - Website: www.bkacad.com
Overview
Key elements of Ethernet/802.3 networks
Media Access Control (MAC)
• MAC refers to the protocols that determine which computer on a shared-medium environment, or collision domain, is allowed to transmit data.
• MAC, together with LLC, makes up the IEEE version of OSI Layer 2.
• There are two broad categories of Media Access Control: deterministic (taking turns) and non-deterministic (first come, first served).
[Figure: three topology combinations - a logical bus topology on a physical star or extended star; a logical ring topology on a physical star topology; a logical ring topology on a physical dual-ring topology. Labels: Deterministic, Non-Deterministic]
CSMA/CD
• CSMA/CD, as used with Ethernet, performs three functions:
1. Transmitting and receiving data packets
2. Decoding data packets and checking them for valid addresses before passing them to the upper layers of the OSI model
3. Detecting errors within data packets or on the network
[Figure: listen-before-transmit; transmitting and listening]
CSMA/CD
Backoff
• After a collision occurs, all stations allow the cable to become idle (each waits the full inter-frame spacing).
• The stations that collided must then wait an additional, and potentially progressively longer, period of time before attempting to retransmit the collided frame.
• The waiting period is intentionally designed to be random.
• If the MAC layer is unable to send the frame after 16 attempts, it gives up and generates an error to the network layer.
Extra: Backoff
• The stations involved in transmitting frames at the time of the collision must then reschedule their frames for retransmission. Each transmitting station does this by generating a period of time to wait before retransmission, based on a random number chosen by that station and used in its backoff calculation.
• k = min(n, 10), where n is the number of transmission attempts (collisions) so far
• r is an integer chosen at random with 0 <= r < 2^k
• backoff delay = r × slot time
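The truncated binary exponential backoff above, carried through in code. This is an added example, not part of the original slides: the slot time of 512 bit times is the 10/100 Mb/s value, the 16-attempt limit and k = min(n, 10) come from the text, and the seeded random generator is an assumption made only so that a run is reproducible (a real NIC must not use a predictable source).

```python
import random

SLOT_TIME_BITS = 512    # Ethernet slot time for 10 and 100 Mb/s: 512 bit times (64 octets)
MAX_ATTEMPTS = 16       # after 16 failed attempts the MAC gives up and reports an error upward
BACKOFF_LIMIT = 10      # k = min(n, 10): the contention window stops growing after 10 collisions


def backoff_window(n: int) -> int:
    """Size of the contention window for attempt n (1-based): 2**k with k = min(n, 10).

    The random multiplier r is drawn from 0 .. 2**k - 1, so the window doubles on each of
    the first ten collisions and then stays at 1024 slots.
    """
    if not 1 <= n <= MAX_ATTEMPTS:
        raise ValueError("attempt number must be between 1 and 16")
    return 2 ** min(n, BACKOFF_LIMIT)


def max_backoff_delay_bits(n: int) -> int:
    """Worst-case backoff delay for attempt n, in bit times: (2**k - 1) * slot time."""
    return (backoff_window(n) - 1) * SLOT_TIME_BITS


def backoff_delay_slots(n: int, rng: random.Random) -> int:
    """Draw r for attempt n with 0 <= r < 2**k; the delay is r slot times."""
    return rng.randrange(backoff_window(n))


def transmit(collisions: int, seed: int = 0) -> dict:
    """Simulate sending one frame on a half-duplex segment where the first `collisions`
    attempts collide. Returns how many attempts were made, the r chosen for each backoff,
    and whether the frame was eventually sent. The seed only makes the run reproducible."""
    rng = random.Random(seed)
    delays = []
    for attempt in range(1, MAX_ATTEMPTS + 1):
        if attempt > collisions:
            return {"sent": True, "attempts": attempt, "delays": delays}
        if attempt == MAX_ATTEMPTS:
            break                       # 16th attempt collided as well: give up, no more backoff
        delays.append(backoff_delay_slots(attempt, rng))
    return {"sent": False, "attempts": MAX_ATTEMPTS, "delays": delays}


if __name__ == "__main__":
    for n in (1, 2, 3, 10, 11, 16):
        print(f"attempt {n:2d}: r in 0..{backoff_window(n) - 1:4d}, "
              f"max delay {max_backoff_delay_bits(n):7d} bit times")
    print(transmit(collisions=3, seed=42))
    print(transmit(collisions=16, seed=42))
```

Note how quickly the window saturates: by the tenth collision a station may already wait up to 1023 slot times, and a station that keeps losing the race is the one that keeps drawing larger windows, which is the capture effect that makes heavily loaded half-duplex segments unfair.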
Ethernet Slot Time
Ethernet Communications
Reminder
Ethernet frame structure
• At the data link layer the frame structure is nearly identical for all speeds of Ethernet from 10 Mbps to 10,000 Mbps.
• At the physical layer almost all versions of Ethernet are substantially different from one another, with each speed having a distinct set of architecture design rules.
• The Ethernet II Type field is incorporated into the current 802.3 frame definition. The receiving node must determine which higher-layer protocol is present in an incoming frame by examining the Length/Type field.
Ethernet frame structure
• The Preamble is used for timing synchronization in the asynchronous 10 Mbps and slower implementations of Ethernet. Faster versions of Ethernet are synchronous, so this timing information is redundant but retained for compatibility.
• The Destination Address field contains the destination MAC address. It can be unicast, multicast (group), or broadcast (all nodes).
• The Source Address is generally the unicast address of the transmitting Ethernet node. Some virtual protocols use or share a specific source MAC address to identify a virtual entity; a source address is never a group (multicast) address.
[Figure: preamble and start frame delimiter (SFD bit pattern 10101011); synchronization and address types]
Ethernet frame structure
• The Type value specifies the upper-layer protocol that receives the data after Ethernet processing is completed.
• The Length value indicates the number of bytes of data that follow this field; the contents of the Data field are then decoded according to the protocol indicated by the LLC header.
• The maximum transmission unit (MTU) for Ethernet is 1500 octets, so the Data field must not exceed that size.
• Ethernet requires that the Data field be at least 46 octets (a Pad is appended if there is not enough data) and that the whole frame, from Destination Address through FCS, be between 64 and 1518 octets.
• Length/Type field: if the value is less than 1536 decimal (0x600) it is a Length, and an LLC header is needed to identify the upper-layer protocol; if the value is 1536 (0x600) or greater it is a Type and identifies the upper-layer protocol directly.
• FCS: 4 bytes, a CRC computed over the frame from Destination Address through Data.
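The frame rules from the last three slides (address types, Length versus Type at 0x600, 46-octet Pad, 64 to 1518 octet frame size, 4-byte FCS) as a small parser. This is an added example and not code from the original slides; the sample frames and MAC addresses are constructed, and the FCS is computed as CRC-32 transmitted least-significant byte first, which is how it appears on the wire.

```python
import struct
import zlib

ETHERTYPE_THRESHOLD = 0x0600     # Length/Type: below 1536 it is a Length, 1536 or above an EtherType
MIN_FRAME, MAX_FRAME = 64, 1518  # octets from Destination Address through FCS
MIN_DATA, MAX_DATA = 46, 1500    # Data field, including Pad
BROADCAST = b"\xff" * 6


def fcs(frame_without_fcs: bytes) -> bytes:
    """Frame Check Sequence: CRC-32 over DA..Data, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_frame(dst: bytes, src: bytes, length_or_type: int, payload: bytes) -> bytes:
    """Assemble DA, SA, Length/Type, Data (+Pad up to 46 octets) and FCS; no preamble/SFD."""
    data = payload + b"\x00" * max(0, MIN_DATA - len(payload))
    body = dst + src + struct.pack("!H", length_or_type) + data
    return body + fcs(body)


def address_kind(mac: bytes) -> str:
    """Broadcast, multicast (I/G bit set in the first octet) or unicast."""
    if mac == BROADCAST:
        return "broadcast"
    return "multicast" if mac[0] & 0x01 else "unicast"


def parse_frame(frame: bytes) -> dict:
    """Decode a frame the way a receiving node does; raise ValueError on anything malformed."""
    if not MIN_FRAME <= len(frame) <= MAX_FRAME:
        raise ValueError(f"frame of {len(frame)} octets outside {MIN_FRAME}..{MAX_FRAME}")
    if frame[-4:] != fcs(frame[:-4]):
        raise ValueError("FCS mismatch: frame damaged in transit")
    dst, src = frame[0:6], frame[6:12]
    if src[0] & 0x01:
        raise ValueError("source address must be an individual (unicast) address")
    field = struct.unpack("!H", frame[12:14])[0]
    data = frame[14:-4]
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "dst_kind": address_kind(dst)}
    if field < ETHERTYPE_THRESHOLD:
        # 802.3: the field is a Length; the upper protocol comes from the LLC header in Data
        if field > MAX_DATA or field > len(data):
            raise ValueError(f"length field {field} exceeds the data present")
        info.update(kind="length", length=field, payload=data[:field])
    else:
        # Ethernet II: the field is a Type and names the upper-layer protocol directly
        info.update(kind="type", ethertype=field, payload=data)
    return info


def is_valid_frame(frame: bytes) -> bool:
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # constructed sample: unicast Ethernet II frame carrying the IPv4 EtherType (0x0800)
    host_a, host_b = bytes.fromhex("00112233aabb"), bytes.fromhex("00112233ccdd")
    frame = build_frame(host_b, host_a, 0x0800, b"\x45" * 20)
    print(len(frame), parse_frame(frame))
    damaged = frame[:30] + bytes([frame[30] ^ 0x01]) + frame[31:]
    print("damaged frame accepted:", is_valid_frame(damaged))
```

The Length branch is where a careless receiver gets into trouble: a Length larger than the data actually present must be rejected rather than used as a read bound, which is why the check sits before any slicing.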
Naming on Ethernet: MAC address
• Ethernet uses MAC addresses that are 48 bits in length and expressed as 12 hexadecimal digits.
• They are sometimes referred to as burned-in addresses (BIA) because they are burned into read-only memory (ROM) and copied into random-access memory (RAM) when the NIC initializes.
OUI
Ethernet in full duplex
• If the attached station is operating in full duplex, the station may send and receive simultaneously and collisions should not occur.
• Full-duplex operation also changes the timing considerations and eliminates the concept of slot time.
• In half-duplex, if no collision occurs, the sending station transmits the 64-bit preamble (timing synchronization), then DA, SA, certain other header information, the actual data payload, and the FCS.
[Figure: full-duplex link between two stations; collisions occur only in half-duplex]
Extra: Half-duplex networks
Note
• Fast Ethernet and 10/100/1000 ports: the default is auto.
• 100BASE-FX ports: the default is full.
• 10/100/1000 ports operate in either half- or full-duplex mode when set to 10 or 100 Mb/s, but when set to 1,000 Mb/s they operate only in full-duplex mode.
• Default: when autonegotiation fails, a Catalyst switch sets the corresponding switch port to half-duplex mode. This type of failure happens when an attached device does not support autonegotiation. If that device is in fact running full duplex, the result is a duplex mismatch, which shows up as late collisions and CRC errors on the link.
auto-MDIX
• When auto-MDIX is enabled, the switch automatically detects the cable type, so either a crossover or a straight-through cable can be used.
• The auto-MDIX feature is enabled by default on switches running Cisco IOS Release 12.2(18)SE or later. For releases between Cisco IOS Release 12.1(14)EA1 and 12.2(18)SE, the auto-MDIX feature is disabled by default.
MAC Addressing and Switch MAC Address Tables
Design Considerations for Ethernet/802.3 Networks
Bandwidth and Throughput
• Bandwidth is defined as the amount of information that can flow through a network connection in a given period of time.
• Throughput refers to the actual measured bandwidth, at a specific time of day, using specific Internet routes, while a specific set of data is transmitted on the network.
Collision Domains
Broadcast Domains
• The broadcast domain at Layer 2 is referred to as the MAC broadcast domain.
Broadcast Domains - Example
When a switch receives a broadcast frame, it forwards the frame out every port except the one on which the broadcast frame was received. Each attached device recognizes the broadcast frame and processes it.
Network Latency
Network Congestion
• The primary reason for segmenting a LAN into smaller parts is to
isolate traffic and to achieve better use of bandwidth per user.
– Without segmentation, a LAN quickly becomes clogged with traffic
and collisions.
• Causes of network congestion:
– Increasingly powerful computer and network technologies.
– Increasing volume of network traffic.
– High-bandwidth applications.
LAN Segmentation
• LANs are segmented into a number of smaller collision and broadcast domains using routers and switches.
Controlling Network Latency
Removing Network Bottlenecks
[Figure: EtherChannel; server NIC]
Activity 2.1.3.2
Forwarding Frames Using a Switch
Switch Forwarding Methods
Store-and-Forward Switching
• The switch receives the entire frame, checks the FCS, and only then forwards it. Store-and-forward switching is required for Quality of Service (QoS) analysis on converged networks where frame classification for traffic prioritization is necessary.
Cut-Through Switching
• There are two variants of cut-through switching:
– Fast-forward switching immediately forwards a frame after reading the destination address.
– Fragment-free switching reads the first 64 bytes of an Ethernet frame (enough to rule out a collision fragment) and then begins forwarding it to the appropriate port or ports.
Extra: Adaptive Cut-Through
• Some switches are configured to perform cut-through switching on a per-port basis until a user-defined error threshold is reached, and then they automatically change to store-and-forward.
• When the error rate falls below the threshold, the port automatically changes back to cut-through switching.
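The three forwarding decisions above, and the adaptive switch-over between them, applied to a good frame, a frame with a bad FCS and a collision fragment. This is an added example rather than the slides' own material: the frames are constructed, the FCS is a CRC-32 as in the previous example, and the error-rate window (last `window` frames) and threshold are assumptions standing in for a vendor's user-defined error threshold.

```python
import struct
import zlib
from collections import deque

MIN_FRAME, MAX_FRAME = 64, 1518


def fcs(body: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def make_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, corrupt: bool = False) -> bytes:
    """Constructed test frame; with corrupt=True one data bit is flipped after the FCS was computed."""
    body = dst + src + struct.pack("!H", ethertype) + payload.ljust(46, b"\x00")
    trailer = fcs(body)
    if corrupt:
        body = body[:20] + bytes([body[20] ^ 0x01]) + body[21:]
    return body + trailer


def fcs_ok(frame: bytes) -> bool:
    return len(frame) > 4 and frame[-4:] == fcs(frame[:-4])


def store_and_forward(frame: bytes) -> str:
    """Whole frame is buffered; size and FCS are checked before anything leaves the switch."""
    if not MIN_FRAME <= len(frame) <= MAX_FRAME or not fcs_ok(frame):
        return "drop"
    return "forward"


def fast_forward(frame: bytes) -> str:
    """Decision is taken as soon as the 6-octet destination address has been read."""
    return "forward" if len(frame) >= 6 else "drop"


def fragment_free(frame: bytes) -> str:
    """Waits for the first 64 octets: collision fragments (runts) are caught, CRC errors are not."""
    return "forward" if len(frame) >= 64 else "drop"


class AdaptivePort:
    """Adaptive cut-through: start in cut-through (fragment-free), fall back to store-and-forward
    when the error rate over the last `window` frames reaches `threshold`, and return to
    cut-through once the rate drops below it again."""

    def __init__(self, threshold: float = 0.25, window: int = 8):
        self.mode = "cut-through"
        self.threshold = threshold
        self.history = deque(maxlen=window)        # 1 = frame had an error, 0 = clean

    def error_rate(self) -> float:
        return sum(self.history) / len(self.history) if self.history else 0.0

    def handle(self, frame: bytes) -> str:
        decision = fragment_free(frame) if self.mode == "cut-through" else store_and_forward(frame)
        # errors are only known once the whole frame has arrived, i.e. after a cut-through
        # decision has already been made; they still feed the per-port error counter
        self.history.append(0 if store_and_forward(frame) == "forward" else 1)
        rate = self.error_rate()
        if self.mode == "cut-through" and rate >= self.threshold:
            self.mode = "store-and-forward"
        elif self.mode == "store-and-forward" and rate < self.threshold:
            self.mode = "cut-through"
        return decision


if __name__ == "__main__":
    a, b = bytes.fromhex("00112233aabb"), bytes.fromhex("00112233ccdd")
    good = make_frame(b, a, 0x0800, b"payload")
    bad = make_frame(b, a, 0x0800, b"payload", corrupt=True)
    runt = good[:40]                                         # collision fragment
    for name, frame in (("good", good), ("bad FCS", bad), ("runt", runt)):
        print(f"{name:8s} store-and-forward={store_and_forward(frame)} "
              f"fast-forward={fast_forward(frame)} fragment-free={fragment_free(frame)}")
    port = AdaptivePort(threshold=0.5, window=4)
    for frame in (bad, bad, good, good, good):
        print(port.handle(frame), port.mode, round(port.error_rate(), 2))
```

The point to take away: a cut-through switch propagates corrupted frames to the next hop by design, so on a cut-through path a rising CRC error count on a downstream port does not tell you which link is actually faulty.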
Symmetric and Asymmetric Switching
• Most current switches are asymmetric switches, because this type of switch offers the greatest flexibility.
Memory Buffering
• Port-based memory buffering
– A frame is transmitted to the outgoing port only when all the frames ahead of it in that port's queue have been successfully transmitted.
• Shared memory buffering
– The frames in the buffer are linked dynamically to the destination port. This allows a frame to be received on one port and then transmitted on another port without moving it to a different queue.
Layer 2 and Layer 3 Switching
Layer 3 Switch and Router Comparison
Wire Speed
• Wire speed is the data rate that each port on the switch is capable of attaining, for example 100 Mb/s for Fast Ethernet or 1000 Mb/s for Gigabit Ethernet.
Review your understanding
Switch Management Configuration
The Command Line Interface Modes
GUI-based Alternatives to the CLI
Context Sensitive Help
Console Error Messages
The Command History Buffer
Configure the Command History Buffer
Describe the Boot Sequence
Extra: Boot Loader Command Line
• During normal boot loader operation you are not presented with the boot loader command-line prompt. You gain access to the boot loader command line if:
– the switch is set to boot manually
– an error occurs during power-on self-test (POST) DRAM testing
– an error occurs while loading the operating system (a corrupted IOS image)
• You can also access the boot loader if you have lost or forgotten the switch password. Anyone with physical access to the console can do the same, which is why the console port and the switch itself must be physically protected.
• You access the boot loader through a switch console connection at 9600 bps:
– unplug the switch power cord
– press and hold the switch Mode button while reconnecting the power cord
– release the Mode button a second or two after the LED above port 1 goes off
– you should then see the boot loader switch: prompt
• The boot loader performs low-level CPU initialization, runs POST, and loads a default operating system image into memory.
Prepare to Configure the Switch
Step 1
Step 2
Step 3
config.text
• show version
• copy running-config startup-config
• Change the size of the NVRAM configuration buffer: boot buffersize 40000
• Change the name of the configuration file: boot config-file flash:mr.bon
Basic Switch Configuration
Management Interface Considerations
Basic switch configuration
1. Assign an IP address to the management VLAN interface:
SW(config)# interface vlan 1
SW(config-if)# ip address A.B.C.D subnet-mask
SW(config-if)# no shutdown
2. Protect the vty (remote access) lines:
SW(config)# line vty 0 4
SW(config-line)# password cisco
SW(config-line)# login
3. Protect privileged EXEC mode:
SW(config)# enable secret class
4. Configure the default gateway:
SW(config)# ip default-gateway A.B.C.D
The passwords cisco and class are the course's lab values; a production switch needs long, unique passwords (see "Working with Passwords" later in this chapter).
Configure Duplex and Speed
Configure a Web Interface
• username student privilege 15 password cisco
• ip http server
• ip http authentication local
This enables a clear-text HTTP management interface with a privilege-15 account; prefer the HTTPS variant of the server (ip http secure-server) and disable the web interface entirely on switches that are not managed through it.
Managing the MAC Address Table
show mac-address-table
A dynamically learned MAC address entry is automatically discarded (aged out) after 300 seconds by default.
The address 0100.0cdd.dddd is a multicast MAC address used by the Cisco Group Management Protocol (CGMP).
Extra: Managing the MAC Address Table
• sw(config)# mac-address-table ?
  aging-time    Set MAC address table entry maximum age
  notification  Enable/Disable MAC Notification on the switch
  static        static keyword
• sw(config)# mac-address-table aging-time ?
  <seconds>     Aging time in seconds; enter 0 to disable aging
• Rather than wait for a dynamic entry to age out, the administrator can remove it with the privileged EXEC command:
– sw# clear mac-address-table dynamic
Extra: Configuring static MAC addresses
sw(config)# mac-address-table static <mac-address> vlan <vlan-id> interface FastEthernet <port>
Show Commands
show running-config
show interfaces
Backing Up the Configuration
Restoring the Configuration
Back up Configuration Files to a TFTP Server
Clearing Configuration Information
Extra: Reset Default Switch Configurations
• The following steps ensure that a new configuration will completely overwrite any existing configuration:
1. Remove any existing VLAN information by deleting the VLAN database file vlan.dat from the flash directory
2. Erase the backup configuration file startup-config
3. Reload the switch
Configure Password Options
Configure Console Access
Secure the vty Ports
Configure EXEC Mode Passwords
• enable secret: stored as a hash and takes priority over enable password when both are set
• enable password: stored in clear text
Configure Encrypted Passwords
[Figure: configuration before and after enabling password encryption]
Enable Password Recovery
Extra: Switch LED indicators
[Figure: LED modes, including port utilization]
Password Recovery
• Step 1. Connect a terminal or PC with terminal-emulation software to the switch console port.
• Step 2. Set the line speed on the emulation software to 9600 baud.
• Step 3. Power off the switch. Reconnect the power cord to the switch and, within 15 seconds, press the Mode button while the System LED is still flashing green. Continue pressing the Mode button until the System LED turns briefly amber and then solid green. Then release the Mode button.
– OR: enter the reload command and then press the Mode button until the System LED turns briefly amber and then solid green.
• Step 4. Initialize the Flash file system using the flash_init command.
• Step 5. Load any helper files using the load_helper command.
• Step 6. Display the contents of Flash memory using the dir flash: command. The switch file system appears:
Directory of flash:
13 drwx 192 Mar 01 1993 22:30:48 c2960-lanbase-mz.122-25.FX
11 -rwx 5825 Mar 01 1993 22:31:59 config.text
18 -rwx 720 Mar 01 1993 02:21:30 vlan.dat
16128000 bytes total (10003456 bytes free)
• Step 7. Rename the configuration file, which contains the password definition, to config.text.old using the rename flash:config.text flash:config.text.old command.
• Step 8. Boot the system with the boot command.
• Step 9. You are prompted to start the setup program. Enter N at the prompt, and when the system asks whether to continue with the configuration dialog, enter N again.
• Step 10. At the switch prompt, enter privileged EXEC mode using the enable command.
• Step 11. Rename the configuration file back to its original name using the rename flash:config.text.old flash:config.text command.
• Step 12. Copy the configuration file into memory using the copy flash:config.text system:running-config command. After this command has been entered, the following is displayed on the console:
Source filename [config.text]?
Destination filename [running-config]?
– Press Return in response to the confirmation prompts. The configuration is now loaded, and you can change the password.
• Step 13. Enter global configuration mode using the configure terminal command.
• Step 14. Change the password using the enable secret password command.
• Step 15. Return to privileged EXEC mode using the exit command.
• Step 16. Write the running configuration to the startup configuration file using the copy running-config startup-config command.
• Step 17. Reload the switch using the reload command.
• Note: The password recovery procedure can differ between Cisco switch series, so refer to the product documentation before attempting a password recovery.
• Note: The procedure needs nothing but physical access to the console port, so a lost or stolen password is only as serious as the physical security of the switch.
Configure a Login Banner
• Create the local database:
– sw(config)# username student password student
• Enable authentication for the console line:
– sw(config)# line console 0
– sw(config-line)# login local
• Enable authentication for the vty lines:
– sw(config)# line vty 0 4
– sw(config-line)# login local
• Set the banner displayed before the login prompt:
– sw(config)# banner login "Authorized Personnel Only !"
– sw(config)# exit
Keep the login banner to a legal notice such as the one above; it is shown to unauthenticated users, so it should not reveal the device name, model, location or owner.
Configure a MOTD Banner
• sw(config)# banner motd "This is a security system !"
• sw(config)# exit
Telnet and SSH
• Remote management tools for switches and routers.
• Telnet sends everything, including the login credentials, in clear text; SSH encrypts the session before transmitting it.
Configuring Telnet
Configuring SSH
Configuring SSH
• The switch supports SSHv1 or SSHv2 for the server component. The switch supports only SSHv1 for the client component.
• To implement SSH, you need to generate RSA keys.
– Step 1. Enter global configuration mode using the configure terminal command.
– Step 2. Configure a hostname for your switch using the hostname hostname command.
– Step 3. Configure a host domain for your switch using the ip domain-name domain_name command (the hostname and domain name are needed first because they form the name of the key pair).
– Step 4. Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair using the crypto key generate rsa command. Choose a modulus of at least 2048 bits (crypto key generate rsa modulus 2048); the small default sizes offered by older IOS releases are no longer considered secure.
– Step 5. Return to privileged EXEC mode using the end command.
– Step 6. Show the status of the SSH server on the switch using the show ip ssh or show ssh command.
– To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. After the RSA key pair is deleted, the SSH server is automatically disabled.
Configuring the SSH Server
• Step 1. Enter global configuration mode using the configure terminal command.
• Step 2. (Optional) Configure the switch to run SSHv1 or SSHv2 using the ip ssh version [1 | 2] command.
– If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2. Pin the version to 2 explicitly: SSHv1 has known protocol weaknesses, and a server that still accepts it is only as strong as that version.
• Step 3. Configure the SSH control parameters:
– Specify the time-out value in seconds for the SSH negotiation phase (the default is 120 seconds; the range is 0 to 120 seconds).
– Specify the number of times that a client can re-authenticate to the server. The default is 3; the range is 0 to 5.
– Command: ip ssh {time-out seconds | authentication-retries number}
• Step 4. Return to privileged EXEC mode using the end command.
• Step 5. Display the status of the SSH server connections on the switch using the show ip ssh or the show ssh command.
• Step 6. (Optional) Save your entries in the configuration file using the copy running-config startup-config command.
Example: Enable SSH on a Switch
SW(config)# hostname MLS
MLS(config)# interface vlan 1
MLS(config-if)# ip address 192.168.1.3 255.255.255.0
MLS(config-if)# no shutdown
MLS(config)# ip domain-name cisco.com
MLS(config)# crypto key generate rsa
MLS(config)# ip ssh version 2
MLS(config)# enable secret class
MLS(config)# username admin privilege 15 secret admin123
MLS(config)# line vty 0 4
MLS(config-line)# login local
MLS(config-line)# transport input ssh
From a PC: C:\> ssh -l admin 192.168.1.3 (in general: ssh -l {username} {ip address})
Verify with:
• show ip ssh
• show ssh
• show crypto key mypubkey rsa
Example: Enable SSH between two switches
SSH-Server:
SW(config)# hostname SSH-Server
SSH-Server(config)# enable secret class
SSH-Server(config)# username student password cisco
SSH-Server(config)# ip domain-name cisco.com
SSH-Server(config)# crypto key generate rsa
SSH-Server(config)# ip ssh version 2
SSH-Server(config)# line vty 0 4
SSH-Server(config-line)# login local
SSH-Server(config-line)# transport input ssh
SSH-Server(config)# interface vlan 1
SSH-Server(config-if)# ip address 1.1.1.2 255.255.255.0
SSH-Server(config-if)# no shutdown
SSH-Client:
SW(config)# hostname SSH-Client
SSH-Client(config)# ip domain-name microsoft.com
SSH-Client(config)# crypto key generate rsa
SSH-Client(config)# ip ssh version 2
SSH-Client(config)# interface vlan 1
SSH-Client(config-if)# ip address 1.1.1.1 255.255.255.0
SSH-Client(config-if)# no shutdown
Connect from the client switch: SSH-Client# ssh -l student 1.1.1.2
Connect from a PC: C:\> ssh -l {username} {ip address}
Verify the key pair and the sessions: show crypto key mypubkey rsa, show ssh
Layer 2 common security attacks
MAC Address Flooding
Spoofing Attacks
Extra: DHCP starvation attacks
Solution:
• Cisco Catalyst DHCP Snooping
• Port Security features (later in this module)
Solution: Cisco Catalyst DHCP Snooping
Config DHCP Snooping
• Step 1. Enable DHCP snooping globally using the ip dhcp snooping global configuration command.
• Step 2. Enable DHCP snooping for specific VLANs using the ip dhcp snooping vlan number [number] command.
• Step 3. Define ports as trusted or untrusted at the interface level: mark the ports that lead to the legitimate DHCP server (or to upstream switches) with the ip dhcp snooping trust command. All other ports remain untrusted, and DHCP server messages (offers and acknowledgements) arriving on them are dropped.
• Step 4. (Optional) Limit the rate at which an attacker can continually send bogus DHCP requests through untrusted ports to the DHCP server using the ip dhcp snooping limit rate rate command.
CDP Attacks
• Solution: disable the use of CDP on devices and ports that do not need it. CDP is enabled by default and advertises the device's name, IOS version and addresses in clear text to any directly connected neighbour.
• (config)# no cdp run
• (config-if)# no cdp enable
Telnet Attacks
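The management-plane hardening points made from "Basic switch configuration" through the SSH, DHCP snooping, CDP and Telnet slides, turned into a check that reads a switch configuration and reports what is missing. This is an added example, not a tool from the slides or from Cisco: both configurations below are constructed for the demonstration (the weak one mirrors the chapter's lab defaults), the finding codes are invented for this script, and the parser understands only the plain "global line / indented section" layout that IOS uses for interfaces and lines.

```python
import re

# Constructed sample configurations, not taken from a real device.
WEAK_CONFIG = """\
hostname SW1
enable password cisco
username student privilege 15 password cisco
ip http server
!
line vty 0 4
 password cisco
 login
"""

HARDENED_CONFIG = """\
hostname SW1
service password-encryption
enable secret class
username admin privilege 15 secret admin123
no ip http server
no cdp run
ip ssh version 2
ip dhcp snooping
ip dhcp snooping vlan 1
banner login ^CAuthorized Personnel Only !^C
!
interface GigabitEthernet0/1
 ip dhcp snooping trust
!
line vty 0 4
 login local
 transport input ssh
"""


def parse_config(text: str):
    """Split an IOS-style configuration into global commands and indented sections
    (interface ... / line ...), skipping '!' separator lines."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            if current is not None:
                sections[current].append(line.strip())
            continue
        current = None
        if re.match(r"^(interface|line) ", line):
            current = line
            sections[current] = []
        else:
            global_cmds.append(line)
    return global_cmds, sections


def audit(text: str) -> list:
    """Return (severity, code, message) findings for the management-plane weaknesses
    covered in this chapter. An empty list means every check passed."""
    glob, sections = parse_config(text)
    findings = []

    def has(prefix):
        return any(g.startswith(prefix) for g in glob)

    def flag(sev, code, msg):
        findings.append((sev, code, msg))

    if not has("enable secret"):
        flag("HIGH", "enable-secret", "no 'enable secret'; privileged mode relies on clear-text 'enable password' or nothing")
    if not has("service password-encryption"):
        flag("MEDIUM", "password-encryption", "line passwords are stored in clear text")
    for g in glob:
        if g.startswith("username ") and " password " in g:
            flag("MEDIUM", "username-password", f"user '{g.split()[1]}' uses 'password' (reversible) instead of 'secret'")
    if not has("ip ssh version 2"):
        flag("MEDIUM", "ssh-version", "SSH version not pinned to 2")
    if has("ip http server"):
        flag("LOW", "http-server", "clear-text HTTP management interface enabled")
    if not has("no cdp run"):
        flag("LOW", "cdp", "CDP running globally (on by default, so it does not appear in the config)")
    if "ip dhcp snooping" not in glob:
        flag("MEDIUM", "dhcp-snooping", "DHCP snooping not enabled")
    elif not has("ip dhcp snooping vlan"):
        flag("MEDIUM", "dhcp-snooping-vlan", "DHCP snooping enabled but active on no VLAN")
    elif not any("ip dhcp snooping trust" in cmds for cmds in sections.values()):
        flag("MEDIUM", "dhcp-snooping-trust", "no port is trusted towards the DHCP server")
    if not has("banner login"):
        flag("LOW", "banner", "no login banner")
    for name, cmds in sections.items():
        if name.startswith("line vty"):
            if "transport input ssh" not in cmds:        # exact match: 'ssh telnet' still allows Telnet
                flag("HIGH", "vty-telnet", f"{name}: Telnet accepted (no 'transport input ssh')")
            if "login local" not in cmds and "login" not in cmds:
                flag("HIGH", "vty-login", f"{name}: remote sessions are not authenticated")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}: {len(audit(cfg))} finding(s)")
        for sev, code, msg in audit(cfg):
            print(f"  {sev:6s} {code:22s} {msg}")
```

Run it against the output of show running-config saved to a file; the exact-match test on transport input ssh is deliberate, because "transport input ssh telnet" keeps Telnet reachable while looking hardened at a glance.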
Other: Working with Passwords
• Passwords should be as long and as complicated as possible. Most security experts consider 10 characters the minimum if security is a real concern.
– using only the lowercase letters of the alphabet: 26 characters
– adding the digits 0 to 9: another 10 characters
– adding the uppercase letters: another 26 characters
giving a total of 62 characters with which to construct a password.
• A 4-character password gives 62 × 62 × 62 × 62 = 62^4, approximately 14.8 million possibilities.
• A 5-character password gives 62^5, approximately 916 million possibilities.
• A 10-character password gives 62^10, approximately 8.4 × 10^17 possibilities.
• The 4-character password could probably be broken in a day, while the 10-character password would take a millennium to break given current processing power.
Extra: Other Attacks
• This attack can also be mitigated using port security.
Extra: Cisco CatOS Telnet, HTTP and SSH Vulnerability
• Cisco CatOS is susceptible to a TCP-ACK denial-of-service (DoS) attack on the Telnet, HTTP and SSH services. If exploited, the vulnerability causes the device running Cisco CatOS to stop functioning and reload.
Security tools
Network Security Tools Features
Using Port Security to Mitigate Attacks
Types of secure MAC address
• static: switchport port-security mac-address <mac-address>, configured by hand and stored in the running configuration
• dynamic: learned from traffic and kept only in the address table, so lost when the switch restarts
• sticky: switchport port-security mac-address sticky, learned from traffic and added to the running configuration, so they survive a reload once the configuration is saved
Violation types
• protect: once the maximum is reached, frames from unknown source MAC addresses are dropped; no counter is incremented and no notification is sent
• restrict: frames are dropped as with protect, the violation counter is incremented, and a syslog message and SNMP trap are generated
• shutdown (default): the port is placed in the error-disabled state and stays down until the administrator re-enables it
Extra: Violation types
Port security defaults
Config dynamic port security
Config port security sticky
SW(config)# interface f0/1
SW(config-if)# switchport mode access
SW(config-if)# switchport port-security
SW(config-if)# switchport port-security maximum 2
SW(config-if)# switchport port-security mac-address sticky
SW(config-if)# switchport port-security violation {restrict | protect | shutdown}
SW# show port-security interface f0/1
SW# show port-security address
The port must be set to access (or trunk) mode before port security is accepted; it is not allowed on a port in dynamic mode. After a violation in shutdown mode the port is error-disabled and must be recovered with shutdown followed by no shutdown (or with errdisable recovery configured).
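One simulation that ties together the MAC address table (learning, 300-second aging, flooding of unknown unicast) from "Managing the MAC Address Table", the MAC address flooding attack, and the port-security maximum and violation modes configured above. This is an added example, not part of the original slides: the switch model is deliberately minimal, the CAM size of 8 entries is an assumption so that the flood fills the table in a handful of frames (real tables hold thousands), and the MAC addresses, port numbers and attack traffic are constructed.

```python
from collections import OrderedDict

AGING_TIME = 300     # seconds before an unused dynamic entry is discarded (default from the text)
CAM_SIZE = 8         # assumption: real tables hold thousands of entries; tiny so the flood is visible
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Minimal learning switch: one MAC address table, flooding of broadcast and unknown
    unicast, aging, and per-port port security with the three violation modes."""

    def __init__(self, ports, cam_size: int = CAM_SIZE):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.table = OrderedDict()      # mac -> (port, last seen)
        self.port_security = {}         # port -> settings and state

    def enable_port_security(self, port, maximum=1, violation="shutdown", static=()):
        self.port_security[port] = {"max": maximum, "violation": violation,
                                    "secure": set(static), "violations": 0, "err_disabled": False}

    def _age(self, now):
        for mac, (_, seen) in list(self.table.items()):
            if now - seen >= AGING_TIME:
                del self.table[mac]

    def _learn(self, src, port, now):
        if src in self.table or len(self.table) < self.cam_size:
            self.table[src] = (port, now)
        # otherwise the table is full: the address stays unknown and traffic to it is flooded

    def _admit(self, src, port) -> bool:
        """Port security check on ingress; returns False when the frame must be dropped."""
        ps = self.port_security.get(port)
        if ps is None:
            return True
        if ps["err_disabled"]:
            return False
        if src in ps["secure"]:
            return True
        if len(ps["secure"]) < ps["max"]:
            ps["secure"].add(src)       # dynamic (or sticky) learning of a secure address
            return True
        if ps["violation"] == "shutdown":
            ps["err_disabled"] = True   # port goes error-disabled; all traffic stops
            ps["violations"] += 1
        elif ps["violation"] == "restrict":
            ps["violations"] += 1       # dropped and counted (syslog/SNMP trap on a real switch)
        # "protect": dropped silently
        return False

    def receive(self, in_port, src, dst, now=0):
        """Process one frame; returns the list of egress ports."""
        if not self._admit(src, in_port):
            return []
        self._age(now)
        self._learn(src, in_port, now)
        if dst == BROADCAST or dst not in self.table:
            return [p for p in self.ports if p != in_port]   # flood
        out, _ = self.table[dst]
        return [] if out == in_port else [out]


def mac_flood_demo(protect_port: bool) -> dict:
    """Attacker on port 3 sends frames from 20 bogus source MACs, then host A (port 1) talks
    to host B (port 2). Reports whether the table filled up and who receives A's frame."""
    sw = Switch(ports=[1, 2, 3])
    if protect_port:
        sw.enable_port_security(3, maximum=2, violation="shutdown")
    host_a, host_b = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"
    for i in range(20):
        sw.receive(3, f"de:ad:be:ef:00:{i:02x}", host_b)
    sw.receive(2, host_b, host_a)           # B speaks first: with a full table it cannot be learned
    egress = sw.receive(1, host_a, host_b)
    ps = sw.port_security.get(3, {})
    return {"table_full": len(sw.table) >= sw.cam_size, "egress": egress,
            "attacker_sees_it": 3 in egress, "port3_err_disabled": ps.get("err_disabled", False)}


if __name__ == "__main__":
    print("no port security :", mac_flood_demo(False))
    print("max 2, shutdown  :", mac_flood_demo(True))
```

Without port security the bogus addresses occupy the whole table, host B can no longer be learned, and A's unicast frame is flooded out every port including the attacker's; with a maximum of two addresses on port 3 the third bogus source error-disables the port and A's frame reaches only port 2.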
Verify
Unused ports should be disabled (shut down)
Chapter summary
Files attached to this document:
- ccna_exp3_chapter02_basic_switch_concepts_and_configurations_7663_7299.pdf