Network Administration - Chapter 2: Basic switch concepts and configurations


PDF, 163 pages | Shared by: nguyenlam99 | Date: 09/01/2019 | Views: 10 | Downloads: 0
Slide 1: Chapter 2: Basic switch concepts and configurations (CCNA Exploration 4.0)
Học viện mạng Bach Khoa (Bach Khoa Network Academy) - Website: www.bkacad.com

Slide 2: Overview

Slide 3: Key elements of Ethernet/802.3 networks

Slide 4: Media Access Control (MAC)
• MAC refers to the protocols that determine which computer on a shared-medium environment (collision domain) is allowed to transmit data.
• MAC, together with LLC, makes up the IEEE version of OSI Layer 2.
• There are two broad categories of Media Access Control: deterministic (taking turns) and non-deterministic (first come, first served).
[Figure: logical bus topology with a physical star or extended star; logical ring topology with a physical star; logical ring topology with a physical dual ring; labelled Deterministic / Non-Deterministic]

Slide 5: CSMA/CD
• CSMA/CD, as used with Ethernet, performs three functions:
1. Transmitting and receiving data packets
2. Decoding data packets and checking them for valid addresses before passing them to the upper layers of the OSI model
3. Detecting errors within data packets or on the network
[Figure: listen before transmit; transmitting and listening]

Slide 6: CSMA/CD

Slide 7: Backoff
• After a collision occurs, all stations allow the cable to become idle (each waits the full inter-frame spacing).
• The stations that collided must wait an additional, potentially progressively longer, period of time before attempting to retransmit the collided frame.
• The waiting period is intentionally designed to be random.
• If the MAC layer is unable to send the frame after 16 attempts, it gives up and generates an error to the network layer.

Slide 8: Extra: Backoff
• The stations involved in transmitting frames at the time of the collision must reschedule their frames for retransmission.
• The transmitting stations do this by generating a period of time to wait before retransmission, based on a random number chosen by each station and used in that station's backoff calculation.
• k = min(n, 10), where n is the number of transmission attempts
• 0 <= r < 2^k
• Backoff delay = r * slot time

Slides 9-10: Ethernet Slot Time

Slide 11: Ethernet Communications

Slide 12: Remind

Slide 13: Ethernet frame structure
• At the data link layer the frame structure is nearly identical for all speeds of Ethernet from 10 Mbps to 10,000 Mbps.
• At the physical layer almost all versions of Ethernet are substantially different from one another, each speed having a distinct set of architecture design rules.
• The Ethernet II Type field is incorporated into the current 802.3 frame definition. The receiving node must determine which higher-layer protocol is present in an incoming frame by examining the Length/Type field.

Slide 14: Ethernet frame structure
• The Preamble is used for timing synchronization in the asynchronous 10 Mbps and slower implementations of Ethernet. Faster versions of Ethernet are synchronous, so this timing information is redundant but is retained for compatibility.
• The Destination Address field contains the MAC destination address. It can be unicast, multicast (group), or broadcast (all nodes).
• The source address is generally the unicast address of the transmitting Ethernet node (it can also be a virtual entity: a group or multicast address).
[Figure: preamble bit pattern 10101011; synchronization and address types]

Slide 15: Ethernet frame structure
• The Type value specifies the upper-layer protocol that receives the data after Ethernet processing is completed.
• The Length value indicates the number of bytes of data that follow this field (the contents of the Data field are then decoded according to the protocol indicated).
• The maximum transmission unit (MTU) for Ethernet is 1500 octets, so the data should not exceed that size.
• Ethernet requires that the frame be not less than 46 octets or more than 1518 octets (a Pad is required if there is not enough data).
• Length: if the value is < 1536 decimal (0x600), the field is a length and LLC is needed to identify the upper protocol.
• Type: if the value is >= 1536 decimal (0x600), the field itself identifies the upper protocol.
• The frame ends with a 4-byte CRC.

Slide 16: Naming on Ethernet: MAC address
• Ethernet uses MAC addresses that are 48 bits in length and expressed as 12 hexadecimal digits.
• They are sometimes referred to as burned-in addresses (BIA) because they are burned into read-only memory (ROM) and copied into random-access memory (RAM) when the NIC initializes.

Slide 17: OUI

Slide 18: Ethernet in full duplex
• If the attached station is operating in full duplex, the station may send and receive simultaneously and collisions should not occur.
• Full-duplex operation also changes the timing considerations and eliminates the concept of slot time.
• In half duplex, if no collision occurs, the sending station transmits the 64-bit preamble (timing synchronization), DA, SA, certain other header information, the actual data payload, and the FCS.
[Figure: full-duplex links; collisions occur only in half duplex]

Slides 19-20: Ethernet in full duplex

Slide 21: Extra: Half-duplex networks

Slide 22: Note
• Fast Ethernet and 10/100/1000 ports: the default is auto.
• 100BASE-FX ports: the default is full.
• 10/100/1000 ports operate in either half- or full-duplex mode when they are set to 10 or 100 Mb/s, but when set to 1,000 Mb/s they operate only in full-duplex mode.
• Default: when autonegotiation fails, the Catalyst switch sets the corresponding switch port to half-duplex mode. This type of failure happens when an attached device does not support autonegotiation.

Slide 23: auto-MDIX
• When auto-MDIX is enabled, the switch automatically detects the cable type, so either a crossover or a straight-through cable can be used.
• The auto-MDIX feature is enabled by default on switches running Cisco IOS Release 12.2(18)SE or later. For releases between Cisco IOS Release 12.1(14)EA1 and 12.2(18)SE, the auto-MDIX feature is disabled by default.

Slides 24-29: MAC Addressing and Switch MAC Address Tables

Slide 30: Design Considerations for Ethernet/802.3 Networks

Slide 31: Bandwidth and Throughput
• Bandwidth is defined as the amount of information that can flow through a network connection in a given period of time.
• Throughput refers to actual measured bandwidth, at a specific time of day, using specific Internet routes, while a specific set of data is transmitted on the network.
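The backoff formula from slide 8 (k = min(n, 10), 0 <= r < 2^k, delay = r * slot time) together with the 16-attempt limit from slide 7, worked through as an added Python example that is not from the slides; the 512-bit-time slot and the seeded random generator are assumptions of the example:

```python
import random

SLOT_TIME_BITS = 512   # Ethernet slot time: 512 bit times (64 bytes) for half-duplex 10/100 Mb/s
MAX_ATTEMPTS = 16      # after 16 failed attempts the MAC gives up (excessive collisions)
BACKOFF_LIMIT = 10     # k = min(n, 10): the window stops growing at 2^10 = 1024 slots


def backoff_window(n: int) -> int:
    """Number of slots r may be drawn from on attempt n: 0 <= r < 2^k, k = min(n, 10)."""
    if not 1 <= n <= MAX_ATTEMPTS:
        raise ValueError("attempt number must be in 1..16")
    return 2 ** min(n, BACKOFF_LIMIT)


def backoff_delay_bits(n: int, rng: random.Random) -> int:
    """One random backoff delay for attempt n, in bit times (r * slot time)."""
    r = rng.randrange(backoff_window(n))
    return r * SLOT_TIME_BITS


def max_backoff_us(n: int, mbps: int = 10) -> float:
    """Worst-case delay for attempt n in microseconds (one bit time = 1/mbps microseconds)."""
    return (backoff_window(n) - 1) * SLOT_TIME_BITS / mbps


def retransmit(collisions: int, rng: random.Random):
    """Total backoff (in slots) a station spends if its frame collides `collisions` times
    before getting through; None when the MAC gives up after MAX_ATTEMPTS collisions
    and reports an error to the network layer."""
    if collisions >= MAX_ATTEMPTS:
        return None
    total_slots = 0
    for n in range(1, collisions + 1):   # attempt n collided, so back off before attempt n + 1
        total_slots += rng.randrange(backoff_window(n))
    return total_slots
```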
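The Length/Type rule on slides 13-15 (below 0x600 the field is a length, otherwise a type) and the 46/1500-octet data limits, as an added Python example that is not from the slides; the frame builder, the small EtherType table and the placeholder FCS are constructed for the demonstration:

```python
import struct

ETHERTYPE_THRESHOLD = 0x600  # 1536: a smaller value is an 802.3 length, otherwise an Ethernet II type
MIN_PAYLOAD = 46             # minimum data field; shorter payloads are padded
MAX_PAYLOAD = 1500           # Ethernet MTU
MAC_HEADER = 14              # DA (6) + SA (6) + Length/Type (2)
FCS_LEN = 4
MIN_FRAME = MAC_HEADER + MIN_PAYLOAD + FCS_LEN   # 64 bytes
MAX_FRAME = MAC_HEADER + MAX_PAYLOAD + FCS_LEN   # 1518 bytes
BROADCAST = b"\xff" * 6

# Constructed subset of registered EtherTypes, enough for the demonstration.
KNOWN_TYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def classify_address(mac: bytes) -> str:
    """Unicast, multicast (group bit set) or broadcast, as described on slide 14."""
    if mac == BROADCAST:
        return "broadcast"
    return "multicast" if mac[0] & 0x01 else "unicast"


def build_frame(dst: bytes, src: bytes, payload: bytes, ethertype=None) -> bytes:
    """Assemble DA | SA | Length/Type | data (+Pad) | FCS.

    With ethertype=None the field carries the payload length (802.3 framing);
    otherwise it carries the EtherType (Ethernet II). The FCS is a placeholder:
    this example does not compute the CRC-32.
    """
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds the 1500-octet MTU")
    field = len(payload) if ethertype is None else ethertype
    padded = payload + b"\x00" * max(0, MIN_PAYLOAD - len(payload))
    return dst + src + struct.pack("!H", field) + padded + b"\x00" * FCS_LEN


def parse_frame(frame: bytes) -> dict:
    """Decode the Length/Type field the way a receiving node must (slide 15)."""
    if len(frame) < MIN_FRAME:
        raise ValueError(f"runt frame: {len(frame)} bytes < {MIN_FRAME}")
    if len(frame) > MAX_FRAME:
        raise ValueError(f"giant frame: {len(frame)} bytes > {MAX_FRAME}")
    dst, src = frame[:6], frame[6:12]
    (field,) = struct.unpack("!H", frame[12:14])
    body = frame[MAC_HEADER:-FCS_LEN]
    if field < ETHERTYPE_THRESHOLD:
        # 802.3: the field is a length; the LLC header inside the data names the upper protocol.
        if field > len(body):
            raise ValueError("length field larger than the data actually present")
        kind, upper, data = "length", "LLC", body[:field]
    else:
        # Ethernet II: the field is a type; the upper protocol must strip any Pad itself.
        kind, upper, data = "type", KNOWN_TYPES.get(field, f"unknown 0x{field:04x}"), body
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "dst_class": classify_address(dst),
        "kind": kind, "field": field, "upper": upper, "data": data,
    }
```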
Slides 32-33: Collision Domains

Slide 34: Broadcast Domains
• The broadcast domain at Layer 2 is referred to as the MAC broadcast domain.

Slide 35: Broadcast Domains - Example
When a switch receives a broadcast frame, it forwards the frame out each of its ports except the port on which the broadcast frame was received. Each attached device recognizes the broadcast frame and processes it.

Slide 36: Broadcast Domains - Example

Slide 37: Network Latency

Slide 38: Network Congestion
• The primary reason for segmenting a LAN into smaller parts is to isolate traffic and to achieve better use of bandwidth per user.
– Without segmentation, a LAN quickly becomes clogged with traffic and collisions.
• Causes of network congestion:
– Increasingly powerful computer and network technologies.
– Increasing volume of network traffic.
– High-bandwidth applications.

Slide 39: LAN Segmentation
• LANs are segmented into a number of smaller collision and broadcast domains using routers and switches.

Slides 40-42: LAN Segmentation

Slide 43: Controlling Network Latency

Slide 44: Removing Network Bottlenecks
[Figure: EtherChannel; NIC]

Slide 45: (figure)

Slide 46: Activity 2.1.3.2

Slide 47: Forwarding Frames Using a Switch

Slide 48: Switch Forwarding Methods

Slide 49: Store-and-Forward Switching
• Store-and-forward switching is required for Quality of Service (QoS) analysis on converged networks, where frame classification for traffic prioritization is necessary.

Slide 50: Cut-Through Switching
• There are two variants of cut-through switching:
– Fast-forward switching: immediately forwards a packet after reading the destination address.
– Fragment-free switching: reads the first 64 bytes of an Ethernet frame and then begins forwarding it to the appropriate port or ports.

Slide 51: Extra: Adaptive Cut-Through
• Some switches are configured to perform cut-through switching on a per-port basis until a user-defined error threshold is reached, and then they automatically change to store-and-forward.
• When the error rate falls below the threshold, the port automatically changes back to cut-through switching.

Slide 52: Symmetric and Asymmetric Switching
Most current switches are asymmetric switches because this type of switch offers the greatest flexibility.
Slide 53: Memory Buffering
• Port-based Memory Buffering
– A frame is transmitted to the outgoing port only when all the frames ahead of it in the queue have been successfully transmitted.
• Shared Memory Buffering
– The frames in the buffer are linked dynamically to the destination port. This allows a packet to be received on one port and then transmitted on another port without moving it to a different queue.

Slide 54: Layer 2 and Layer 3 Switching

Slide 55: Layer 3 Switch and Router Comparison
Wire Speed
• Wire speed is the data rate that each port on the switch is capable of attaining, either 100 Mb/s Fast Ethernet or 1000 Mb/s Gigabit Ethernet.

Slide 56: (figure)

Slides 57-59: Review your understanding

Slide 60: Switch Management Configuration

Slides 61-62: The Command Line Interface Modes

Slides 63-68: GUI-based Alternatives to the CLI

Slide 69: Context Sensitive Help

Slide 70: Console Error Messages

Slide 71: The Command History Buffer

Slide 72: Configure the Command History Buffer

Slide 73: Describe the Boot Sequence

Slide 74: Extra: Boot Loader Command Line
• During normal boot loader operation, you are not presented with the boot loader command-line prompt. You gain access to the boot loader command line if:
– the switch is set to boot manually
– an error occurs during power-on self-test (POST) DRAM testing
– an error occurs while loading the operating system (a corrupted IOS image).
• You can also access the boot loader if you have lost or forgotten the switch password.
• You can access the boot loader through a switch console connection at 9600 bps:
– unplug the switch power cord
– press the switch Mode button while reconnecting the power cord
– you can release the Mode button a second or two after the LED above port 1 goes off
– you should then see the boot loader switch: prompt.
• The boot loader performs low-level CPU initialization, performs POST, and loads a default operating system image into memory.

Slide 75: Prepare to Configure the Switch - Step 1

Slide 76: Prepare to Configure the Switch - Step 2

Slide 77: Prepare to Configure the Switch - Step 3
config.text
• show version

Slide 78: config.text
• copy running-config startup-config

Slide 79: config.text
• Change the size of NVRAM: boot buffersize 40000
• Change the name of config.text: boot config-file flash:mr.bon

Slide 80: (figure)

Slide 81: Basic Switch Configuration

Slide 82: Management Interface Considerations

Slide 83: Management Interface Considerations
Basic switch configuration
1. Assign an IP address:
   SW(config)# interface vlan 1
     ip address A.B.C.D subnetmask
     no shutdown
2. SW(config)# line vty 0 4
     password cisco
     login
3. SW(config)# enable secret class
4. Configure the default gateway:
   SW(config)# ip default-gateway A.B.C.D

Slide 84: (figure)

Slides 85-86: Management Interface Considerations

Slide 87: Configure Duplex and Speed

Slide 88: Configure a Web Interface
• username student privilege 15 password cisco
• ip http server
• ip http authentication local

Slide 89: (figure)

Slide 90: Managing the MAC Address Table
show mac-address-table
A MAC address entry is automatically discarded (aged out) after 300 seconds.
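An added Python model of the learning, flooding and 300-second aging behaviour described above (not code from the slides); it goes beyond slide 90 by also modelling static entries and clearing dynamic entries, in the spirit of the mac-address-table static and clear mac-address-table dynamic commands, and the port names and MAC addresses are constructed:

```python
BROADCAST = "ffff.ffff.ffff"
DEFAULT_AGING = 300  # seconds: the default aging time the slide gives


def is_group_address(mac: str) -> bool:
    """Multicast or broadcast: lowest bit of the first octet set (Cisco dotted-hex notation)."""
    return int(mac[:2], 16) & 0x01 == 1


class MacAddressTable:
    def __init__(self, ports, aging_time=DEFAULT_AGING):
        self.ports = list(ports)
        self.aging_time = aging_time          # 0 disables aging, as the IOS help text states
        self.entries = {}                     # (vlan, mac) -> {"port", "type", "last_seen"}

    def add_static(self, vlan, mac, port):
        """Static entry: pinned to a port, never aged out and never relearned elsewhere."""
        self.entries[(vlan, mac)] = {"port": port, "type": "static", "last_seen": None}

    def learn(self, vlan, mac, port, now):
        e = self.entries.get((vlan, mac))
        if e and e["type"] == "static":
            return                            # a static entry wins over what is seen on the wire
        self.entries[(vlan, mac)] = {"port": port, "type": "dynamic", "last_seen": now}

    def age(self, now):
        """Discard dynamic entries idle for aging_time or longer; returns how many were removed."""
        if self.aging_time == 0:
            return 0
        stale = [k for k, e in self.entries.items()
                 if e["type"] == "dynamic" and now - e["last_seen"] >= self.aging_time]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def clear_dynamic(self):
        """Drop every learned entry at once instead of waiting for aging."""
        self.entries = {k: e for k, e in self.entries.items() if e["type"] == "static"}

    def forward(self, vlan, src, dst, in_port, now):
        """Process one frame: age the table, learn the source, then pick egress ports.
        Returns the list of ports the frame is sent out of (empty if filtered)."""
        self.age(now)
        self.learn(vlan, src, in_port, now)
        entry = self.entries.get((vlan, dst))
        if is_group_address(dst) or entry is None:
            return [p for p in self.ports if p != in_port]   # broadcast / unknown unicast: flood
        if entry["port"] == in_port:
            return []                                        # destination is behind the ingress port
        return [entry["port"]]

    def show(self):
        """Rows in the shape of show mac-address-table: (vlan, mac, type, port)."""
        return sorted((v, m, e["type"], e["port"]) for (v, m), e in self.entries.items())
```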
Slide 91: Managing the MAC Address Table

Slide 92: Managing the MAC Address Table
0x0100.0cdd.dddd is a multicast MAC address used by the Cisco Group Management Protocol (CGMP).

Slide 93: Extra: Managing the MAC Address Table
• sw(config)# mac-address-table ?
  aging-time    Set MAC address table entry maximum age
  notification  Enable/Disable MAC Notification on the switch
  static        static keyword
• sw(config)# mac-address-table aging-time ?
  Enter 0 to disable aging
  Aging time in seconds
• Rather than wait for a dynamic entry to age out, the administrator can use the privileged EXEC command:
– sw# clear mac-address-table dynamic

Slide 94: Extra: Configuring static MAC addresses
sw(config)# mac-address-table static <mac-address of host> interface FastEthernet <port> vlan <vlan-id>

Slide 95: Show Commands

Slide 96: Show running-config

Slide 97: Show interfaces

Slide 98: Backing Up the Configuration

Slide 99: Restoring the Configuration

Slide 100: Back up Configuration Files to a TFTP Server

Slide 101: Clearing Configuration Information

Slide 102: Extra: Reset Default Switch Configurations
• The following steps ensure that a new configuration completely overwrites any existing configuration:
1. Remove any existing VLAN information by deleting the VLAN database file vlan.dat from the flash directory.
2. Erase the backup configuration file startup-config.
3. Reload the switch.

Slide 103: Configure Password Options

Slide 104: Configure Console Access

Slide 105: Secure the vty Ports

Slide 106: Configure EXEC Mode Passwords
[Figure: enable secret is encrypted and takes priority over enable password; enable password is stored in clear text]

Slide 107: Configure Encrypted Passwords
[Figure: before / after]

Slide 108: Enable Password Recovery

Slides 109-110: Extra: Switch LED indicators (utilization)

Slide 111: Password Recovery
• Step 1. Connect a terminal or PC with terminal-emulation software to the switch console port.
• Step 2. Set the line speed on the emulation software to 9600 baud.
• Step 3. Power off the switch. Reconnect the power cord to the switch and, within 15 seconds, press the Mode button while the System LED is still flashing green. Continue pressing the Mode button until the System LED turns briefly amber and then solid green. Then release the Mode button.
– OR: enter the reload command and then press the Mode button until the System LED turns briefly amber and then solid green.
• Step 4. Initialize the Flash file system using the flash_init command.
• Step 5. Load any helper files using the load_helper command.

Slide 112: Password Recovery
• Step 6. Display the contents of Flash memory using the dir flash: command. The switch file system appears:
  Directory of flash:
  13 drwx 192 Mar 01 1993 22:30:48 c2960-lanbase-mz.122-25.FX
  11 -rwx 5825 Mar 01 1993 22:31:59 config.text
  18 -rwx 720 Mar 01 1993 02:21:30 vlan.dat
  16128000 bytes total (10003456 bytes free)
• Step 7. Rename the configuration file, which contains the password definition, to config.text.old using the rename flash:config.text flash:config.text.old command.
• Step 8. Boot the system with the boot command.

Slide 113: Password Recovery
• Step 9. You are prompted to start the setup program. Enter N at the prompt, and when the system asks whether to continue with the configuration dialog, enter N again.
• Step 10. At the switch prompt, enter privileged EXEC mode using the enable command.
• Step 11. Rename the configuration file to its original name using the rename flash:config.text.old flash:config.text command.
• Step 12. Copy the configuration file into memory using the copy flash:config.text system:running-config command. After this command has been entered, the following is displayed on the console:
  Source filename [config.text]?
  Destination filename [running-config]?
– Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can change the password.

Slide 114: Password Recovery
• Step 13. Enter global configuration mode using the configure terminal command.
• Step 14. Change the password using the enable secret password command.
• Step 15. Return to privileged EXEC mode using the exit command.
• Step 16. Write the running configuration to the startup configuration file using the copy running-config startup-config command.
• Step 17. Reload the switch using the reload command.
• Note: The password recovery procedure can differ between Cisco switch series, so refer to the product documentation before you attempt a password recovery.
Slide 115: Configure a Login Banner
• Create the local database:
– sw(config)# username student password student
• Enable authentication for the console line:
– sw(config)# line console 0
– sw(config-line)# login local
• sw(config)# banner login "Authorized Personnel Only !"
• sw# exit

Slide 116: Login Banner (same configuration as slide 115)

Slide 117: Login Banner
• Create the local database:
– sw(config)# username student password student
• Enable authentication for the VTY lines:
– sw(config)# line vty 0 4
– sw(config-line)# login local
• sw(config)# banner login "Authorized Personnel Only !"
• sw# exit

Slide 118: Configure a MOTD Banner
• sw(config)# banner motd "This is a security system !"
• sw# exit

Slide 119: Telnet and SSH
• Remote control tools for switches and routers
• SSH encrypts data before transmitting it

Slide 120: Configuring Telnet

Slide 121: Configuring SSH

Slide 122: Configuring SSH
• The switch supports SSHv1 or SSHv2 for the server component. The switch supports only SSHv1 for the client component.
• To implement SSH, you need to generate RSA keys.
– Step 1. Enter global configuration mode using the configure terminal command.
– Step 2. Configure a hostname for your switch using the hostname hostname command.
– Step 3. Configure a host domain for your switch using the ip domain-name domain_name command.
– Step 4. Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair using the crypto key generate rsa command.
– Step 5. Return to privileged EXEC mode using the end command.
– Step 6. Show the status of the SSH server on the switch using the show ip ssh or show ssh command.
– To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. After the RSA key pair is deleted, the SSH server is automatically disabled.

Slide 123: Configuring the SSH Server
• Step 1. Enter global configuration mode using the configure terminal command.
• Step 2. (Optional) Configure the switch to run SSHv1 or SSHv2 using the ip ssh version [1 | 2] command.
– If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2.
• Step 3. Configure the SSH control parameters:
– Specify the time-out value in seconds; the default is 10 minutes.
– Specify the number of times that a client can re-authenticate to the server. The default is 3; the range is 0 to 5.
– Command: ip ssh {timeout seconds | authentication-retries number}

Slide 124: Configuring the SSH Server
• Step 4. Return to privileged EXEC mode using the end command.
• Step 5. Display the status of the SSH server connections on the switch using the show ip ssh or the show ssh command.
• Step 6. (Optional) Save your entries in the configuration file using the copy running-config startup-config command.

Slide 125: Example: Enable SSH on a Switch
  interface vlan 1
   ip address 1.1.1.1 255.255.255.0
   no shutdown
  hostname MLS
  ip domain-name cisco.com
  crypto key generate rsa
  ip ssh version 2
  enable secret cisco
  username admin privilege 15 secret admin123
  line vty 0 4
   login local
   transport input ssh
  C:\> ssh -l admin 1.1.1.1

Slide 126: Example: Enable SSH on a Switch
Same configuration as slide 125, with ip address 192.168.1.3 255.255.255.0 on interface vlan 1 and enable secret class; from the PC: C:\> ssh -l {username} {ip address}

Slide 127: Example: Enable SSH on a Switch (verification)
• show ip ssh
• show ssh
• show crypto key mypubkey rsa

Slide 128: Example: Enable SSH on a Switch (switch to switch)
SSH-Server:
  hostname SSH-Server
  enable secret class
  username student password cisco
  ip domain-name cisco.com
  crypto key generate rsa
  ip ssh version 2
  line vty 0 4
   login local
   transport input ssh
  interface vlan 1
   ip address 1.1.1.2 255.255.255.0
   no shutdown
SSH-Client:
  hostname SSH-Client
  ip domain-name microsoft.com
  crypto key generate rsa
  ip ssh version 2
  interface vlan 1
   ip address 1.1.1.1 255.255.255.0
   no shutdown
  SSH-Client# ssh -l student 1.1.1.2
PC: C:\> ssh -l {username} {ip address}
Verify: show crypto key mypubkey rsa

Slide 129: show crypto key mypubkey rsa

Slide 130: show ssh

Slide 131: (figure)

Slide 132: Layer 2 common security attacks

Slides 133-137: MAC Address Flooding

Slide 138: Spoofing Attacks

Slide 139: Extra: DHCP starvation attacks

Slide 140: Solution:
• Cisco Catalyst DHCP Snooping
• Port Security features (later in this module)

Slide 141: Solution: Cisco Catalyst DHCP Snooping

Slide 142: Config DHCP Snooping
• Step 1. Enable DHCP snooping using the ip dhcp snooping global configuration command.
• Step 2. Enable DHCP snooping for specific VLANs using the ip dhcp snooping vlan number [number] command.
• Step 3. Define ports as trusted or untrusted at the interface level, marking the trusted ports with the ip dhcp snooping trust command.
• Step 4. (Optional) Limit the rate at which an attacker can continually send bogus DHCP requests through untrusted ports to the DHCP server using the ip dhcp snooping limit rate rate command.

Slide 143: CDP Attacks
• Solution: Disable CDP on devices that do not need it.
• (config)# no cdp run
• (config-if)# no cdp enable

Slide 144: Telnet Attacks

Slide 145: Other: Working with Passwords
• Passwords should be as long and as complicated as possible. Most security experts believe a password of 10 characters is the minimum that should be used if security is a real concern.
– Using only the lowercase letters of the alphabet gives 26 characters.
– Adding the numeric values (0-9) gives another 10 characters.
– Adding the uppercase letters gives an additional 26 characters, for a total of 62 characters with which to construct a password.
• A 4-character password gives 62×62×62×62, or approximately 14 million, password possibilities.
• A 5-character password gives 62 to the fifth power, or approximately 92 million, password possibilities.
• A 10-character password gives 64 to the tenth power (a very big number) possibilities.
• The 4-digit password could probably be broken in a day, while the 10-digit password would take a millennium to break given current processing power.

Slide 146: Extra: Other Attacks
• This attack can also be mitigated using port security.

Slides 147-148: Extra: Other Attacks

Slide 149: Extra: Cisco CatOS Telnet, HTTP and SSH Vulnerability
• Cisco CatOS is susceptible to a TCP-ACK Denial of Service (DoS) attack on the Telnet, HTTP and SSH services. If exploited, the vulnerability causes the device running Cisco CatOS to stop functioning and reload.
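The four DHCP snooping steps on slide 142, modelled as an added Python example (not from the slides) so the effect of port trust and the rate limit on individual DHCP messages can be checked; the packet dictionaries, port names and the one-second rate window are constructed assumptions:

```python
from collections import defaultdict, deque

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}   # only a real DHCP server should send these


class DhcpSnooping:
    """Models the four configuration steps on slide 142 and the per-packet decision."""

    def __init__(self):
        self.enabled = False                 # Step 1: ip dhcp snooping
        self.vlans = set()                   # Step 2: ip dhcp snooping vlan <n>
        self.trusted = set()                 # Step 3: ip dhcp snooping trust (interface)
        self.rate_limit = {}                 # Step 4: ip dhcp snooping limit rate <pps> (interface)
        self.err_disabled = set()
        self._recent = defaultdict(deque)    # port -> arrival times of DHCP packets in the last second

    # --- configuration, one method per IOS command ---
    def enable(self):
        self.enabled = True

    def enable_vlan(self, vlan):
        self.vlans.add(vlan)

    def trust(self, port):
        self.trusted.add(port)

    def limit_rate(self, port, pps):
        self.rate_limit[port] = pps

    # --- packet handling ---
    def inspect(self, pkt, now):
        """Decide for one DHCP packet: ('forward' | 'drop' | 'err-disable', reason).
        pkt is a constructed dict: {"port", "vlan", "msg"}; now is a timestamp in seconds."""
        port, vlan, msg = pkt["port"], pkt["vlan"], pkt["msg"]
        if port in self.err_disabled:
            return ("drop", "port is err-disabled")
        if not self.enabled or vlan not in self.vlans:
            return ("forward", "snooping not active on this VLAN")
        if port in self.trusted:
            return ("forward", "trusted port")
        if msg in SERVER_MESSAGES:
            # A server reply arriving on an untrusted port is a rogue server: dropped.
            return ("drop", f"{msg} from untrusted port {port}")
        if port in self.rate_limit and self._over_limit(port, now):
            # Too many client requests per second (DHCP starvation): the port is err-disabled.
            self.err_disabled.add(port)
            return ("err-disable", f"{port} exceeded {self.rate_limit[port]} DHCP packets per second")
        return ("forward", "client message on untrusted port")

    def _over_limit(self, port, now):
        window = self._recent[port]
        window.append(now)
        while window and now - window[0] >= 1.0:
            window.popleft()
        return len(window) > self.rate_limit[port]
```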
Slide 150: Security tools

Slide 151: Network Security Tools Features

Slide 152: Using Port Security to Mitigate Attacks

Slide 153: Types of secure MAC address
• switchport port-security mac-address
• switchport port-security mac-address sticky

Slide 154: Violation types

Slide 155: Extra: Violation types

Slide 156: Port security defaults

Slide 157: Config dynamic port security

Slide 158: Config port security sticky
• interface f0/1
• switchport mode access
• switchport port-security
• switchport port-security maximum 2
• switchport port-security mac-address sticky
• switchport port-security violation {restrict | protect | shutdown}
• show port-security interface f0/1
• show port-security address

Slide 159: (figure)

Slides 160-161: Verify

Slide 162: Unused Ports Should Be Disabled

Slide 163: Chapter summary
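An added Python model (not code from the slides or from Cisco) of the port-security commands on slide 158: it parses the interface commands, learns sticky addresses up to the configured maximum, and applies the three violation modes; the IOS defaults it assumes (maximum 1, violation shutdown) are as Cisco documents them, and the MAC addresses are constructed:

```python
import re

MAC_RE = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"


class PortSecurity:
    """Port-security state for one access port."""

    def __init__(self, name):
        self.name = name
        self.enabled = False
        self.maximum = 1                  # IOS default
        self.violation = "shutdown"       # IOS default
        self.sticky = False
        self.secure = {}                  # mac -> "static" | "sticky" | "dynamic"
        self.violations = 0
        self.err_disabled = False

    def apply(self, line):
        """Interpret one interface-mode command from the slide."""
        line = line.strip().lower()
        if line == "switchport port-security":
            self.enabled = True
        elif m := re.fullmatch(r"switchport port-security maximum (\d+)", line):
            self.maximum = int(m.group(1))
        elif m := re.fullmatch(r"switchport port-security violation (protect|restrict|shutdown)", line):
            self.violation = m.group(1)
        elif line == "switchport port-security mac-address sticky":
            self.sticky = True
        elif m := re.fullmatch(r"switchport port-security mac-address " + MAC_RE, line):
            self.secure[m.group(1)] = "static"
        elif line != "switchport mode access":
            raise ValueError(f"unsupported command: {line}")

    def ingress(self, src_mac):
        """Return 'forward' or 'drop' for a frame arriving with this source MAC."""
        src_mac = src_mac.lower()
        if not self.enabled:
            return "forward"
        if self.err_disabled:
            return "drop"
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        # A new source MAC beyond the maximum is a security violation.
        if self.violation == "protect":
            return "drop"                 # silently dropped: no counter, no log
        self.violations += 1              # restrict and shutdown both count the violation
        if self.violation == "shutdown":
            self.err_disabled = True      # port goes err-disabled and needs manual recovery
        return "drop"

    def running_config(self):
        """Lines that would appear under the interface in show running-config.
        Sticky addresses are written into the configuration so they survive a reload."""
        lines = [f"interface {self.name}", " switchport mode access"]
        if self.enabled:
            lines.append(" switchport port-security")
        if self.maximum != 1:
            lines.append(f" switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f" switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac, kind in self.secure.items():
            if kind == "static":
                lines.append(f" switchport port-security mac-address {mac}")
            elif kind == "sticky":
                lines.append(f" switchport port-security mac-address sticky {mac}")
        return lines

    def show(self):
        """Summary in the spirit of show port-security interface."""
        return {
            "port_status": "err-disabled" if self.err_disabled else "secure-up",
            "violation_mode": self.violation,
            "maximum": self.maximum,
            "total_addresses": len(self.secure),
            "sticky_addresses": sum(1 for k in self.secure.values() if k == "sticky"),
            "violation_count": self.violations,
        }


def configure(name, commands):
    """Build a port from the interface-mode commands (the lines after 'interface f0/1')."""
    port = PortSecurity(name)
    for cmd in commands:
        port.apply(cmd)
    return port
```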
