R&S C2 : Basic Switching Concepts and Configuration
2.0 Basic Switching Concepts and Configuration
2.1 Basic Switch Configuration
2.1.1 Configure a switch with initial settings
2.1.1.1 switch boot sequence
POST (power-on self-test, runs from ROM)
bootloader (also stored in ROM) then takes over and:
performs low-level CPU initialization
initializes the flash file system
locates the IOS image in flash and loads it into memory
configure the BOOT environment variable
boot system flash:/c2960-lanbasek9-mz.150-2.SE/c2960-lanbasek9-mz.150-2.SE.bin
command: boot system
storage device: flash:
path to location in file system: /c2960-lanbasek9-mz.150-2.SE/
filename of IOS: c2960-lanbasek9-mz.150-2.SE.bin
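The pieces above assembled into one session, added here as an example (these are not the notes' own commands); the hostname S1 is an assumption, the image path is the one from the notes. The two checks around the command are the part worth remembering: confirm the file exists before pointing BOOT at it, and confirm the variable after saving.

```cisco
! Assumed hostname S1. Check the image really is in flash before referencing it
S1# dir flash:/c2960-lanbasek9-mz.150-2.SE/
! Current BOOT environment variable
S1# show boot
S1# configure terminal
! command = boot system, storage device = flash:, then path and filename
S1(config)# boot system flash:/c2960-lanbasek9-mz.150-2.SE/c2960-lanbasek9-mz.150-2.SE.bin
S1(config)# end
! Save so the BOOT variable survives a reload, then re-check it
S1# copy running-config startup-config
S1# show boot
```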
2.1.1.2 Recovering from a system crash
2.1.1.3 Switch LED indicators
System LED
LED off: system is not powered on
LED green: operating normally
LED amber: receiving power but not functioning properly
Redundant Power System (RPS) LED
LED green: RPS connected and ready to provide backup power
LED blinking green: RPS connected but unavailable because it is providing power to another device
LED amber: RPS in standby mode or in a fault condition
LED blinking amber: the switch's internal power supply has failed and the RPS is providing the power
Port Status LED
Port Duplex LED
Port Speed LED
Power over Ethernet (PoE) Mode LED
2.1.1.4 Preparing for Basic Switch Management
SVI (switch virtual interface)
a virtual interface tied to a VLAN (e.g. interface vlan 99)
on a Layer 2 switch it does not route Layer 3 packets between VLANs
exists only to give the switch an IP address for remote management access
2.1.1.5 Configuring basic switch management access with IPv4
step 1: configure the management SVI (interface vlan 99 with an IP address); the SVI stays down until VLAN 99 exists and at least one switch port assigned to VLAN 99 has a device connected
step 2: configure the default gateway, needed to manage the switch from another subnet
step 3: verify the configuration (show ip interface brief, then ping the gateway)
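The three steps as one working configuration, added here as an example and not taken from the notes; the hostname S1, the addresses 172.17.99.11/24 and 172.17.99.1 and the port FastEthernet0/18 are assumptions. The VLAN creation and the access port are what make the SVI come up, which is the trap step 1 warns about.

```cisco
! Assumed hostname S1 and addressing
S1# configure terminal
! VLAN 99 must exist in the VLAN database, or interface vlan 99 stays down
S1(config)# vlan 99
S1(config-vlan)# name Management
S1(config-vlan)# exit
! Step 1: the management SVI
S1(config)# interface vlan 99
S1(config-if)# ip address 172.17.99.11 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
! Step 2: default gateway so admins on other subnets can reach the SVI
S1(config)# ip default-gateway 172.17.99.1
! Put at least one port in VLAN 99; until a port in the VLAN is up/up the
! SVI shows "up/down" in show ip interface brief
S1(config)# interface FastEthernet0/18
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 99
S1(config-if)# end
! Step 3: verify
S1# show ip interface brief
S1# show running-config | section interface Vlan99
S1# ping 172.17.99.1
S1# copy running-config startup-config
```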
2.1.2 Configure Switch Ports
2.1.2.1 Duplex Communication
2.1.2.2 Configure Switch Ports at the Physical Layer
speed and duplex
auto-negotiation is used when the speed/duplex of the far end is unknown (the default)
both ends must agree: if one end is set manually and the other auto-negotiates, the auto-negotiating side falls back to half duplex, giving a duplex mismatch
2.1.2.3 Auto-MDIX
automatic medium-dependent interface crossover
the port automatically detects the required cable connection type and adjusts, so either cable type works
without auto-MDIX: a crossover cable is needed to connect to like devices (switches, repeaters/hubs), a straight-through cable to connect to servers, workstations and routers
auto-MDIX only works when speed and duplex are both set to auto on the interface
2.1.2.4 Verifying Switch Port Configuration
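An added example (not from the notes) covering 2.1.2.2 to 2.1.2.4 together: negotiated and pinned port settings plus the show commands that verify them. The hostname S1 and the ports FastEthernet0/1 and 0/2 are assumptions; the PHY output filter is a Catalyst 2960 command.

```cisco
! Assumed hostname S1 and port numbers
S1# configure terminal
S1(config)# interface FastEthernet0/1
! Let the link negotiate speed and duplex (the default on a 2960)
S1(config-if)# duplex auto
S1(config-if)# speed auto
! Auto-MDIX is only honoured while speed and duplex are both auto
S1(config-if)# mdix auto
S1(config-if)# exit
! A server-facing port pinned instead of negotiated: set BOTH ends the same,
! otherwise the auto side falls back to half duplex (duplex mismatch)
S1(config)# interface FastEthernet0/2
S1(config-if)# duplex full
S1(config-if)# speed 100
S1(config-if)# end
! Verify: port state and negotiated speed/duplex
S1# show interfaces FastEthernet0/1 status
S1# show interfaces FastEthernet0/1 | include duplex
! Verify auto-MDIX detection on the PHY (2960 output contains "Auto-MDIX: On")
S1# show controllers ethernet-controller FastEthernet0/1 phy | include MDIX
! Verify what is actually configured on the port
S1# show running-config interface FastEthernet0/2
```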
2.1.2.5 Network Access Layer Issues
input errors
giants: frames longer than the maximum allowed length
CRC errors: frame checksum failures, caused by media/cable errors, electrical interference, loose or damaged connections, or an incorrect cabling type
runt frames: Ethernet frames shorter than the 64-byte minimum, usually caused by excessive collisions or a malfunctioning NIC
output errors
collisions
collisions in half-duplex are normal
collisions in full-duplex are not normal (a sign of a duplex mismatch)
late collisions
occur after 512 bits of the frame have already been transmitted
causes: cables that are too long (exceeding the maximum segment length), duplex misconfiguration
2.1.2.6 Troubleshooting Network Access Layer Issues
interface down: check the cable and connectors, whether the port is administratively shut down, and the speed/duplex settings on both ends
interface up, but issues: check the error counters (CRC, runts, giants, late collisions) and the negotiated duplex on both ends
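A constructed show interfaces excerpt (the values are made up, not captured from a real switch), added here as an example to show where the counters from 2.1.2.5 appear and how a duplex mismatch looks in them. The hostname S1, the MAC address and all counter values are assumptions.

```cisco
! Assumed hostname S1; all values below are constructed for illustration
S1# show interfaces FastEthernet0/1
FastEthernet0/1 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0cd9.96e8.8a01 (bia 0cd9.96e8.8a01)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     12904 packets input, 1374216 bytes, 0 no buffer
     Received 48 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     312 input errors, 312 CRC, 0 frame, 0 overrun, 0 ignored
     9830 packets output, 2105114 bytes, 0 underruns
     1 output errors, 1204 collisions, 2 interface resets
     0 babbles, 871 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
! Reading it:
!  - "Half-duplex" while the far end runs full duplex = duplex mismatch
!  - late collision > 0 on a working link points to that mismatch (or an over-long cable)
!  - input errors == CRC here, so bad cabling/interference is the other candidate
!  - runts/giants are 0, so this is not a framing or MTU problem
! Counters accumulate since boot; clear them and watch whether they keep rising
S1# clear counters FastEthernet0/1
S1# show interfaces FastEthernet0/1 | include errors|collision|duplex
```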
2.2 Switch security : Management and Implementation
2.2.1 Secure Remote Access
2.2.1.1 SSH Operation
2.2.1.2 Configuring SSH
Step 1. Verify SSH support (the IOS image must be a cryptographic image, k9 in the filename)
Step 2. Configure the IP domain name (needed to name the RSA key pair)
Step 3. Generate RSA key pairs
Step 4. Configure user authentication (local username and secret)
Step 5. Configure the vty lines (SSH only, authenticate against the local database)
Step 6. Enable SSH version 2
2.2.1.3 Verifying SSH
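The six steps and the verification commands as one session, added here as an example (not the notes' own commands). The hostname S1, the domain example.com, the username admin, the passphrase, the 2048-bit modulus and the timeout values are assumptions; the page gives only the step names.

```cisco
! Step 1: image must be a crypto (k9) image; show ip ssh reports whether SSH is enabled
S1# show version | include Software
S1# show ip ssh
S1# configure terminal
! Assumed hostname and domain; both are used to name the RSA key pair
S1(config)# hostname S1
S1(config)# ip domain-name example.com
! Step 3: 2048-bit host key; the prompt default is smaller and weaker
S1(config)# crypto key generate rsa modulus 2048
! Step 4: local user; "secret" stores a hash, "password" would store a reversible type 7 string
S1(config)# username admin privilege 15 secret Str0ng-Passphrase!
! Step 5: vty lines accept SSH only (Telnet is refused) and use the local database
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exec-timeout 10 0
S1(config-line)# exit
! Step 6: SSHv2 only, plus retry and idle limits (assumed values)
S1(config)# ip ssh version 2
S1(config)# ip ssh authentication-retries 3
S1(config)# ip ssh time-out 60
S1(config)# end
! Verify: version, retries and timeout, then any active SSH sessions
S1# show ip ssh
S1# show ssh
S1# copy running-config startup-config
```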
2.2.1.4 PT
2.2.2 Security Concerns in LANs
2.2.2.1 Common Security Attacks: MAC Address Flooding
MAC address table overflow attack
the attacker keeps sending frames with bogus source MAC addresses; once the MAC address table is full the switch can no longer learn new addresses, so it floods frames for unknown destinations out every port in the VLAN (it behaves like a hub) and the attacker can capture other hosts' traffic
2.2.2.2 Common Security Attacks: DHCP Spoofing
DHCP starvation attack
the attacker floods the DHCP server with DHCP requests (each from a different spoofed MAC address) to use up all the IP addresses the DHCP server can issue
result: a DoS, legitimate clients get no lease
DHCP spoofing
the attacker configures a fake (rogue) DHCP server on the network to issue IP addresses to clients
clients then use a false Domain Name System (DNS) or Windows Internet Naming Service (WINS) server, or a false default gateway, so their traffic can be redirected through the attacker
2.2.2.4 Activity - Identify Common Security Attacks
2.2.2.3 Common Security Attacks: Leveraging CDP
Cisco Discovery Protocol
discovers other directly connected Cisco devices and lets devices auto-configure their connections
CDP messages are sent unencrypted and unauthenticated and contain info about the Cisco device such as its IP address, IOS version and platform
an attacker can use this info to attack the network, most likely a DoS; disable CDP on interfaces facing untrusted devices where it is not needed
Telnet Attacks
Telnet is used to gain remote access to a Cisco network device but sends everything, including passwords, in clear text
brute-force password attack: repeated login attempts against the vty lines; mitigate with strong passwords and change passwords frequently
Telnet DoS attack: the attacker floods the vty lines so legitimate administrators cannot log in
better to use SSH and refuse Telnet on the vty lines
2.2.3 Security Best Practices
written security policy for the organization
shut down unused ports
use strong passwords
control physical access to devices
use HTTPS rather than HTTP for web management
perform regular backups
encrypt and password-protect sensitive data
2.2.3.3 Network Security Audits
reveal the type of info an attacker can gather by monitoring network traffic
testing against an offline test bed network that mimics the actual production network is ideal, so the audit cannot disrupt production
2.2.4 Switch Port Security
2.2.4.1 Secure Unused Ports
disable (shut down) unused ports and assign them to an unused VLAN
2.2.4.2 DHCP Snooping
ports are configured as trusted or untrusted
trusted ports (toward the legitimate DHCP server) may forward all DHCP messages, including server replies such as offers and acknowledgments
untrusted ports (toward clients) may forward only client messages such as DHCP discover/request; a DHCP server reply arriving on an untrusted port is dropped
DHCP snooping enables the switch to build a DHCP binding table that maps each client's MAC address, IP address, VLAN and port ID
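The trusted/untrusted split as a configuration, added here as an example and not taken from the notes. The hostname S1, VLANs 10 and 20, the uplink GigabitEthernet0/1 and the rate limit of 6 packets per second are assumptions; the rate limit is the part that addresses the starvation attack from 2.2.2.2.

```cisco
! Assumed hostname S1, VLANs and port roles
S1# configure terminal
! Enable snooping globally, then on the VLANs to protect (both are required)
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10,20
! Option 82 insertion is on by default; most DHCP servers not behind a relay
! drop such packets, so turn it off unless the server expects it
S1(config)# no ip dhcp snooping information option
! Only the uplink toward the real DHCP server is trusted (may carry OFFER/ACK)
S1(config)# interface GigabitEthernet0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
! Access ports stay untrusted (the default): client messages only, and
! rate-limited so a starvation flood err-disables the port instead of the server
S1(config)# interface range FastEthernet0/1 - 24
S1(config-if-range)# ip dhcp snooping limit rate 6
S1(config-if-range)# end
! Verify trust state and rate limits, then the binding table the switch builds
S1# show ip dhcp snooping
S1# show ip dhcp snooping binding
S1# copy running-config startup-config
```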
2.2.4.3 Port Security : Operation
Port Security
limits the MAC addresses allowed on a port (for example to a single address), so only the host(s) with those addresses can use the port; this is the mitigation for MAC address flooding
Secure MAC Address Types
static secure MAC addresses
addresses manually added with switchport port-security mac-address
stored in the address table and added to the running configuration
dynamic secure MAC addresses
learned dynamically, stored only in the address table, removed when the switch restarts
sticky secure MAC addresses
addresses that can be dynamically learned or manually configured, then stored in the address table and added to the running configuration
enable sticky learning: switchport port-security mac-address sticky
when sticky learning is disabled with no switchport port-security mac-address sticky, the sticky secure MAC addresses remain in the address table but are removed from the running configuration
configuring the interface for sticky learning converts the MAC addresses it has already learned dynamically into sticky secure MAC addresses
sticky addresses survive a reload only if the running configuration is saved to the startup configuration
2.2.4.4 Port Security : Violation Modes
INCOMPLETE !!!!!!!!!!!!!!!!!!!!!!
a violation occurs when
a station with a MAC address that is not in the address table attempts to access the interface when the table is full (the configured maximum has been reached)
an address learned or configured on one secure interface is seen on another secure interface in the same VLAN
modes
protect: frames from unknown source MAC addresses are dropped, no notification is sent and the violation counter is not incremented
restrict: frames from unknown source MAC addresses are dropped, a syslog message and SNMP trap are sent and the violation counter is incremented
shutdown (the default): the interface is put into the error-disabled state (port LED off), a syslog message and SNMP trap are sent and the violation counter is incremented; the port must be re-enabled manually with shutdown then no shutdown, or by errdisable recovery
2.2.4.5 Port Security : Configuring
2.2.4.6 Port Security: Verifying
2.2.4.7 Ports in Error Disabled State
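One configuration covering 2.2.4.1 and 2.2.4.3 to 2.2.4.7 together, added here as an example and not taken from the notes: unused ports parked and shut down, port security with sticky learning on a user port, and both automatic and manual recovery from the error-disabled state. The hostname S1, VLAN 999, the port numbers, the maximum of 2 (a PC behind an IP phone) and the 300-second recovery interval are assumptions.

```cisco
! Assumed hostname S1, VLAN 999 and port numbers
S1# configure terminal
! 2.2.4.1: unused ports go into an unused VLAN and are shut down
S1(config)# vlan 999
S1(config-vlan)# name Unused
S1(config-vlan)# exit
S1(config)# interface range FastEthernet0/19 - 24
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 999
S1(config-if-range)# shutdown
S1(config-if-range)# exit
! 2.2.4.3/2.2.4.5: port security on a user port; the port must be a static
! access port, port security is refused on a dynamic (DTP) port
S1(config)# interface FastEthernet0/18
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
! Allow two addresses (phone + PC) and learn them as sticky
S1(config-if)# switchport port-security maximum 2
S1(config-if)# switchport port-security mac-address sticky
! restrict: drop and log offending frames but keep the port up;
! omit this line to keep the default shutdown mode
S1(config-if)# switchport port-security violation restrict
S1(config-if)# exit
! 2.2.4.7: let shutdown-mode ports recover by themselves after 300 s
S1(config)# errdisable recovery cause psecure-violation
S1(config)# errdisable recovery interval 300
S1(config)# end
! 2.2.4.6: verify mode, maximum, counts and the learned addresses
S1# show port-security interface FastEthernet0/18
S1# show port-security address
S1# show interfaces status err-disabled
! Manual recovery of an err-disabled port: bounce it
S1# configure terminal
S1(config)# interface FastEthernet0/18
S1(config-if)# shutdown
S1(config-if)# no shutdown
S1(config-if)# end
! Sticky addresses live in running-config; save or they are lost on reload
S1# copy running-config startup-config
```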
2.2.4.8 Network Time Protocol (NTP)
2.2.4.9 - 2.2.4.11 PT
2.3 Summary