SwiN InstructorPPT Chapter2 Final

Date post: 14-Oct-2015
Upload: anthony-edgar
52 slides

Transcript
Slide 1: Chapter 2: Basic Switching Concepts and Configuration
Switched Networks
Cisco Networking Academy program
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential
© 2006, Cisco Systems, Inc. All rights reserved.

Slide 2: Chapter 2
2.0 Introduction
2.1 Basic Switch Configuration
2.2 Switch Security: Management and Implementation
2.3 Summary

Slide 3: Chapter 2: Objectives
- Explain the basic concepts of a switched environment.
- Configure initial settings on a Cisco switch.
- Configure switch ports to meet network requirements.
- Configure the management switch virtual interface.
- Describe basic security attacks in a switched environment.
- Describe security best practices in a switched environment.
- Configure the port security feature to restrict network access.

Slide 4: 2.1 Basic Switch Configuration

Slide 5: Basic Switch Configuration: Switch Boot Sequence (2.1.1.1)
1. POST (Power On Self Test).
2. Run the boot loader software.
3. The boot loader performs low-level CPU initialization.
4. The boot loader initializes the flash file system.
5. The boot loader locates and loads a default Cisco IOS software image into memory and passes control of the switch to the IOS.

Slide 6: Basic Switch Configuration: Switch Boot Sequence (2.1.1.1, cont.)
To find a suitable IOS image, the switch performs the following:
- It attempts to boot automatically using the information in the BOOT environment variable.
- If this variable is not set, the switch performs a top-to-bottom search through the flash file system and loads and executes the first executable file it finds.
- The IOS software then initializes the interfaces using the commands found in the startup configuration file, which is stored in NVRAM.
Note: the BOOT environment variable is set with the boot system global configuration mode command. Use the show bootvar command to see which IOS image the switch is currently set to boot. Because an unset BOOT variable makes the switch run whatever executable it finds first in flash, set the boot image explicitly and keep stray images out of flash.

Slide 7: Basic Switch Configuration: Recovering from a System Crash (2.1.1.2)
The boot loader can also be used to manage the switch if the IOS cannot be loaded. Access the boot loader through a console connection:
1. Connect a PC to the switch console port with a console cable.
2. Unplug the switch power cord.
3. Reconnect the power cord to the switch and press and hold down the Mode button.
4. The System LED turns briefly amber and then solid green. Release the Mode button.
5. The boot loader switch: prompt appears in the terminal emulation software on the PC.
This is also the path used for password recovery, which is why physical access to the console port and the power cord must be controlled.

Slide 8: Basic Switch Configuration: Switch LED Indicators (2.1.1.3)
Each port on a Cisco Catalyst switch has a status LED. By default, these LEDs reflect port activity, but the Mode button cycles them through other displays that provide further information about the switch.
The following modes are available on Cisco Catalyst 2960 switches:
- System LED
- Redundant Power System (RPS) LED
- Port Status LED
- Port Duplex LED
- Port Speed LED
- Power over Ethernet (PoE) Mode LED

Slide 9: Basic Switch Configuration: Switch LED Indicators (2.1.1.3, cont.)
[Figure: Cisco Catalyst 2960 switch LED modes]

Slide 10: Basic Switch Configuration: Preparing for Basic Switch Management (2.1.1.4)
- To manage a Cisco switch remotely, it must be configured with access to the network.
- An IP address and a subnet mask must be configured.
- If the switch is managed from a remote network, a default gateway must also be configured.
- The IP information (address, subnet mask, gateway) is assigned to a switch virtual interface (SVI).
- Although these IP settings allow remote management and remote access to the switch, they do not allow the switch to route Layer 3 packets.

Slide 11: Basic Switch Configuration: Configuring Basic Switch Management Access with IPv4 (2.1.1.5)
[Figure: SVI and default gateway configuration]

Slide 12: Configure Switch Ports: Duplex Communication (2.1.2.1)
[Figure: full-duplex and half-duplex communication]

Slide 13: Configure Switch Ports: Configure Switch Ports at the Physical Layer (2.1.2.2)
[Figure: duplex and speed interface configuration]

Slide 14: Configure Switch Ports: Auto-MDIX Feature (2.1.2.3)
- Historically, a specific cable type (straight-through or crossover) was required depending on the devices being connected.
- The automatic medium-dependent interface crossover (auto-MDIX) feature eliminates this problem.
- When auto-MDIX is enabled, the interface automatically detects the cable type and configures the connection appropriately.
- When using auto-MDIX on an interface, the interface speed and duplex must be set to auto.

Slide 15: Configure Switch Ports: Auto-MDIX Feature (2.1.2.3, cont.)
[Figure: mdix auto interface configuration]

Slide 16: Configure Switch Ports: Auto-MDIX Feature (2.1.2.3, cont.)
[Figure: verifying auto-MDIX]

Slide 17: Configure Switch Ports: Verifying Switch Port Configuration (2.1.2.4)
[Figure: show commands for verifying switch port configuration]

Slide 18: Configure Switch Ports: Display Interface Status and Statistics (2.1.2.5 Network Access Layer Issues)
[Figure: output of a show interfaces command]

Slide 19: Configure Switch Ports: Troubleshooting Switch Media Issues (2.1.2.6)
[Figure: troubleshooting flow for switch media issues]
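Slides 10 through 19 describe management access, port-level physical settings and the show commands that verify them, but the configurations themselves survive only as figures. The console session below is an added example written for this transcript, not a figure from the Cisco deck; the hostname S1, VLAN 99, the 192.168.99.0/24 management subnet and the interface numbers are assumptions chosen for illustration.

```cisco
! Added example (not from the original deck). S1, VLAN 99, 192.168.99.0/24 and the
! port numbers are assumed values; adjust them to the real topology.
Switch> enable
Switch# configure terminal
Switch(config)# hostname S1

! Management SVI: the switch needs an IP address and mask to be reached remotely.
! The SVI only comes up if VLAN 99 exists and at least one port in it is up.
S1(config)# vlan 99
S1(config-vlan)# name MANAGEMENT
S1(config-vlan)# exit
S1(config)# interface vlan 99
S1(config-if)# description Management SVI
S1(config-if)# ip address 192.168.99.2 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit

! Default gateway: required when the administrator sits on another subnet.
! This does not make the switch route; only its own management traffic uses it.
S1(config)# ip default-gateway 192.168.99.1

! Uplink carrying the management VLAN toward the gateway.
S1(config)# interface GigabitEthernet0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 99
S1(config-if)# exit

! Access port at the physical layer. Fixing speed/duplex on one end only creates
! a duplex mismatch, so either fix both ends or leave both on auto. Auto-MDIX
! requires speed and duplex to be auto.
S1(config)# interface FastEthernet0/5
S1(config-if)# duplex auto
S1(config-if)# speed auto
S1(config-if)# mdix auto
S1(config-if)# end

! Verification.
S1# show ip interface brief
S1# show interfaces FastEthernet0/5 status
S1# show controllers ethernet-controller FastEthernet0/5 phy | include MDIX
S1# show interfaces FastEthernet0/5
S1# show running-config interface FastEthernet0/5
S1# copy running-config startup-config
```

For the media issues of slides 18 and 19, the counters at the bottom of show interfaces are the first thing to read: late collisions point to a duplex mismatch on the half-duplex side, while CRC and runt errors on a full-duplex port usually mean a mismatch on the far end or a bad cable.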

Slide 20: 2.2 Switch Security: Management and Implementation

Slide 21: Secure Remote Access: SSH Operation (2.2.1.1)
- Secure Shell (SSH) is a protocol that provides a secure (encrypted) command-line connection to a remote device.
- SSH is commonly used on UNIX-based systems; the IOS software also supports it.
- A version of the IOS software that includes cryptographic features (a "k9" image) is required to enable SSH on Catalyst 2960 switches.
- Telnet sends credentials and the whole session in cleartext, so anyone who can capture the traffic (for example after a MAC flooding attack) reads them; SSH encrypts and authenticates the session and should replace Telnet for management connections.
- By default, SSH uses TCP port 22 and Telnet uses TCP port 23.

Slide 22: Secure Remote Access: SSH Operation (2.2.1.1, cont.)
[Figure: SSH session between a PC and a switch]

Slide 23: Secure Remote Access: Configuring SSH (2.2.1.2)
[Figure: SSH configuration steps]

Slide 24: Secure Remote Access: Verifying SSH (2.2.1.3)
[Figure: output of show ip ssh and show ssh]
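Slides 23 and 24 show SSH configuration and verification only as figures. The session below is an added example, not the deck's own figure; the hostname S1, the domain example.com, the user admin, the sample passwords and the 192.168.99.0/24 management subnet are assumptions.

```cisco
! Added example (not from the original deck). Hostname, domain, username,
! passwords and the 192.168.99.0/24 management subnet are assumed values.

! Confirm the image is a cryptographic (k9) build; otherwise the crypto
! commands below are simply not present.
S1# show version | include image
S1# configure terminal

! Hostname and domain name are required: the RSA key pair is named after them.
S1(config)# hostname S1
S1(config)# ip domain-name example.com
S1(config)# crypto key generate rsa modulus 2048

! Restrict to SSH version 2; version 1 has known protocol weaknesses.
S1(config)# ip ssh version 2
S1(config)# ip ssh time-out 60
S1(config)# ip ssh authentication-retries 2

! Local user and privileged-mode password stored as hashes, not cleartext.
S1(config)# username admin privilege 15 secret Sample-Passw0rd-1
S1(config)# enable secret Sample-Passw0rd-2

! Only the management subnet may open a session to the vty lines.
S1(config)# ip access-list standard MGMT-HOSTS
S1(config-std-nacl)# permit 192.168.99.0 0.0.0.255
S1(config-std-nacl)# deny any log
S1(config-std-nacl)# exit

! vty lines: SSH only (this is what actually turns Telnet off), local login,
! idle timeout, and the ACL above.
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exec-timeout 5 0
S1(config-line)# access-class MGMT-HOSTS in
S1(config-line)# exit

! The HTTP server is not needed once SSH is in place.
S1(config)# no ip http server
S1(config)# end

! Verification: protocol version, timeout and retries; then active sessions.
S1# show ip ssh
S1# show ssh
S1# show crypto key mypubkey rsa
S1# copy running-config startup-config
```

Enabling SSH alone leaves Telnet open; the transport input ssh line on the vty lines is the step that closes port 23, and the access-class keeps the SSH service itself reachable only from the management subnet.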

Slide 25: Security Concerns in LANs: MAC Address Flooding (2.2.2.1)
- Switches populate their CAM tables automatically by learning the source MAC address of frames entering each port.
- When a switch cannot find the destination MAC address in its CAM table, it floods the frame out all ports in the VLAN except the one it arrived on.
- Under such circumstances the switch acts as a hub: unicast traffic can be seen by every device connected to the VLAN.
- An attacker can exploit this behaviour to gain access to traffic normally controlled by the switch by running a MAC flooding tool on a PC.

Slide 26: Security Concerns in LANs: MAC Address Flooding (2.2.2.1, cont.)
- A MAC flooding tool generates and sends frames with bogus source MAC addresses into the switch port (macof from the dsniff suite is the classic example).
- As these frames reach the switch, it adds each bogus MAC address to its CAM table, noting the port on which the frame arrived.
- Eventually the CAM table fills up with bogus MAC addresses.
- The CAM table then has no room to learn the addresses of legitimate devices; as their existing entries age out, the switch can no longer find them in the table.
- Frames to those hosts are now flooded out all ports, allowing the attacker to capture traffic destined for other hosts.

Slide 27: Security Concerns in LANs: MAC Address Flooding (2.2.2.1, cont.)
[Figure: an attacker flooding the CAM table with bogus entries]

Slide 28: Security Concerns in LANs: MAC Address Flooding (2.2.2.1, cont.)
[Figure: the switch now behaves as a hub]

Slide 29: Security Concerns in LANs: DHCP Spoofing (2.2.2.2)
- DHCP is a network protocol used to assign IP information automatically.
- Two types of DHCP attacks are DHCP spoofing and DHCP starvation.
- In a DHCP spoofing attack, a rogue DHCP server is placed on the network to issue IP configuration to clients; because it can supply the default gateway and DNS server addresses, it can redirect client traffic through the attacker.
- DHCP starvation exhausts the legitimate server's address pool with a flood of requests carrying spoofed client MAC addresses, and is often used before a DHCP spoofing attack so that clients receive answers only from the rogue server.

Slide 30: Security Concerns in LANs: DHCP Spoofing (2.2.2.2, cont.)
[Figure: DHCP spoof attack]

Slide 31: Security Concerns in LANs: Leveraging the Cisco Discovery Protocol (2.2.2.3)
- The Cisco Discovery Protocol (CDP) is a Cisco-proprietary Layer 2 protocol used to discover other directly connected Cisco devices.
- It is designed to let devices learn about their neighbours and autoconfigure their connections.
- CDP messages are sent unauthenticated and unencrypted; an attacker listening to them learns details such as the device model, the running software version and the management IP address, which narrows the search for applicable exploits.
- Note: Cisco recommends disabling CDP on interfaces where it is not needed. LLDP, the standards-based equivalent, exposes the same kind of information and should be treated the same way.

Slide 32: Security Best Practices: 10 Best Practices (2.2.3.1)
1. Develop a written security policy for the organization.
2. Shut down unused services and ports.
3. Use strong passwords and change them often.
4. Control physical access to devices.
5. Use HTTPS instead of HTTP.
6. Perform backup operations on a regular basis.
7. Educate employees about social engineering attacks.
8. Encrypt and password-protect sensitive data.
9. Implement firewalls.
10. Keep software up to date.

Slide 33: Security Best Practices: Network Security Tools and Testing (2.2.3.2)
- Network security tools are very important to network administrators because they allow an administrator to test the strength of the security measures that have been implemented.
- An administrator can launch an attack against the network and analyze the results.
- This technique is also used to determine how to adjust security policies to mitigate those types of attacks.
- Security auditing and penetration testing are two basic functions that network security tools perform.

Slide 34: Security Best Practices: Network Security Audits (2.2.3.3)
- Network security tools can be used to audit the network.
- By monitoring the network, an administrator can assess what kind of information an attacker would be able to gather.
- For example, by attacking and flooding the CAM table of a switch, an administrator learns which switch ports are vulnerable to MAC flooding and can correct the issue.
- Network security tools can also be used for penetration testing against a network.
- Penetration testing (or pentesting) is a simulated attack against the network to determine how vulnerable it would be under a real attack.
- Penetration tests can have adverse effects on the network and should be carried out under very controlled conditions, with written authorization and an agreed scope.

Slide 35: Switch Port Security: Secure Unused Ports (2.2.4.1)
Disabling unused ports is a simple yet effective security practice: a port that is administratively shut down cannot be used by anyone who plugs into a spare wall jack.
[Figure: disabling unused switch ports]

Slide 36: Switch Port Security: DHCP Snooping (2.2.4.2)
DHCP snooping specifies which switch ports are trusted to respond to DHCP requests. DHCP server messages (such as DHCPOFFER and DHCPACK) arriving on untrusted ports are dropped, so a rogue server on an access port cannot answer clients, and the switch records the legitimate leases in a DHCP snooping binding table.
[Figure: trusted and untrusted ports with DHCP snooping]
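Slides 35 and 36 state the practices; the session below is an added example, not a figure from the deck, showing unused-port shutdown, the CDP recommendation from slide 31 and DHCP snooping on one switch. The port ranges, VLANs 10, 20 and 999, and the uplink GigabitEthernet0/1 are assumptions.

```cisco
! Added example (not from the original deck). VLAN numbers, port ranges and the
! uplink interface are assumed values.
S1# configure terminal

! 1. Unused ports: park them in an isolated VLAN and shut them down. Moving them
!    out of VLAN 1 means a later "no shutdown" by mistake still grants no access.
S1(config)# vlan 999
S1(config-vlan)# name PARKING-UNUSED
S1(config-vlan)# exit
S1(config)# interface range FastEthernet0/10 - 24
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 999
S1(config-if-range)# shutdown
S1(config-if-range)# exit

! 2. CDP: keep it only on the uplink (where neighbouring Cisco devices are), not
!    on user-facing ports. "no cdp run" would disable it on the whole switch.
S1(config)# interface range FastEthernet0/1 - 9
S1(config-if-range)# no cdp enable
S1(config-if-range)# exit

! 3. DHCP snooping: enable globally, then per VLAN. Every port is untrusted until
!    the port toward the real DHCP server is explicitly marked trusted.
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10,20
S1(config)# interface GigabitEthernet0/1
S1(config-if)# description Uplink toward DHCP server
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit

! Rate-limit DHCP on access ports to blunt DHCP starvation; a port exceeding the
! limit is error-disabled.
S1(config)# interface range FastEthernet0/1 - 9
S1(config-if-range)# ip dhcp snooping limit rate 10
S1(config-if-range)# exit

! Caveat: by default the switch inserts DHCP option 82 into forwarded requests,
! and some servers or relays drop such packets. Disable insertion if leases fail
! after snooping is turned on.
S1(config)# no ip dhcp snooping information option
S1(config)# end

! Verification: trusted ports and rate limits, then the binding table.
S1# show ip dhcp snooping
S1# show ip dhcp snooping binding
S1# show interfaces status
S1# show cdp neighbors
```

If clients stop getting leases right after the change, the usual causes are an uplink that was not marked trusted or the option 82 insertion noted above; show ip dhcp snooping lists the trusted ports, so check it before touching the server.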

Slide 37: Switch Port Security: Port Security: Operation (2.2.4.3)
- Port security limits the number of valid MAC addresses allowed on a port.
- The MAC addresses of legitimate devices are allowed access, while other MAC addresses are denied.
- Any further attempt to connect by an unknown MAC address generates a security violation.
- Secure MAC addresses can be configured in a number of ways:
  - Static secure MAC addresses (configured manually and stored in the running configuration)
  - Dynamic secure MAC addresses (learned from traffic, kept only in the address table and lost when the switch restarts)
  - Sticky secure MAC addresses (learned dynamically and written into the running configuration, so they survive a restart once the configuration is saved)

Slide 38: Switch Port Security: Port Security: Violation Modes (2.2.4.4)
The IOS software considers a security violation to have occurred when either of these situations arises:
- The maximum number of secure MAC addresses for the interface has been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
- An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
There are three possible actions when a violation is detected:
- Protect: frames from unknown source addresses are dropped; no notification is sent and no counter is incremented.
- Restrict: frames from unknown source addresses are dropped, a syslog message and SNMP trap are generated, and the violation counter is incremented.
- Shutdown (the default): the interface is placed in the error-disabled state, its port LED turns off, and an administrator must re-enable it.

Slide 39: Switch Port Security: Port Security: Configuring Dynamic Port Security Defaults (2.2.4.5)
[Figure: port security default settings]

Slide 40: Switch Port Security: Port Security: Configuring (2.2.4.5, cont.): Configuring Dynamic Port Security
[Figure: dynamic port security configuration]

Slide 41: Switch Port Security: Port Security: Configuring (2.2.4.5, cont.): Configuring Port Security Sticky
[Figure: sticky port security configuration]

Slide 42: Switch Port Security: Port Security: Verifying (2.2.4.6): Verifying Port Security Sticky
[Figure: verifying sticky port security]

Slide 43: Switch Port Security: Port Security: Verifying (2.2.4.6, cont.): Verifying Port Security Sticky Running Configuration
[Figure: sticky MAC addresses in the running configuration]

Slide 44: Switch Port Security: Port Security: Verifying (2.2.4.6, cont.): Verifying Port Security Secure MAC Addresses
[Figure: verifying secure MAC addresses]

Slide 45: Switch Port Security: Ports in Error-Disabled State (2.2.4.7)
- A port security violation in shutdown mode puts the port (not the whole switch) into the error-disabled state.
- A port in the error-disabled state is effectively shut down; it forwards no traffic.
- The switch reports these events through console (syslog) messages.

Slide 46: Switch Port Security: Ports in Error-Disabled State (2.2.4.7, cont.)
The show interfaces command also reveals a switch port in the err-disabled state.
[Figure: show interfaces output for an err-disabled port]
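Slides 37 through 47 cover port security operation, violation modes, configuration, verification and recovery from the error-disabled state, with the commands shown only as figures. The session below is an added example, not the deck's figures; the port numbers, the maximum of two addresses on FastEthernet0/1 (a PC behind an IP phone), the sample MAC address and the 300-second recovery interval are assumptions.

```cisco
! Added example (not from the original deck). Port numbers, the maximum of 2
! addresses, the sample MAC 0000.1111.2222 and the 300-second recovery interval
! are assumed values.
S1# configure terminal

! Port security only works on an access (or trunk) port, never on a dynamic one.
S1(config)# interface FastEthernet0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 2
! Sticky: learned addresses are written into the running configuration.
S1(config-if)# switchport port-security mac-address sticky
! Restrict: drop offending frames, log and count them, but keep the port up.
S1(config-if)# switchport port-security violation restrict
S1(config-if)# exit

! A stricter port: one static address, default violation mode (shutdown).
S1(config)# interface FastEthernet0/2
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 1
S1(config-if)# switchport port-security mac-address 0000.1111.2222
S1(config-if)# switchport port-security violation shutdown
S1(config-if)# exit

! Optional: let the switch re-enable ports error-disabled by a port security
! violation after 300 seconds, so a transient mistake does not need a site visit.
S1(config)# errdisable recovery cause psecure-violation
S1(config)# errdisable recovery interval 300
S1(config)# end

! Verification.
S1# show port-security
S1# show port-security interface FastEthernet0/1
S1# show port-security address
S1# show interfaces FastEthernet0/2 status
S1# show errdisable recovery

! Manual recovery after a shutdown-mode violation: remove the offending device
! first, then bounce the port.
S1# configure terminal
S1(config)# interface FastEthernet0/2
S1(config-if)# shutdown
S1(config-if)# no shutdown
S1(config-if)# end

! Sticky addresses survive a reload only once the configuration is saved.
S1# copy running-config startup-config
```

In show port-security interface, the Port Status (Secure-up or Secure-shutdown), Last Source Address and Security Violation Count fields tell you whether a violation happened and which address caused it. Automatic errdisable recovery is a trade-off: it saves a visit after a one-off mistake, but a device that stays plugged in simply re-triggers the violation every interval, so the syslog messages still need to be watched.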

Slide 47: Switch Port Security: Ports in Error-Disabled State (2.2.4.7, cont.)
To re-enable the port, an administrator must issue the shutdown interface command followed by no shutdown. Find out what caused the violation first: re-enabling the port without removing the offending device simply triggers the violation again.
[Figure: re-enabling an error-disabled port]

Slide 48: Switch Port Security: Network Time Protocol (NTP) (2.2.4.8)
- Having the correct time within a network is important.
- Correct time stamps are required to track network events such as security violations accurately.
- Clock synchronization is also critical for interpreting events in syslog data files and for validating digital certificates.
- Network Time Protocol (NTP) is a protocol used to synchronize the clocks of computer systems over the network.
- NTP allows network devices to synchronize their time settings with an NTP server.

Slide 49: Switch Port Security: Network Time Protocol (NTP) (2.2.4.8, cont.)
- Some administrators prefer to maintain their own time source for increased security. However, public time sources are available on the Internet for general use.

- A network device can be configured as either an NTP server or an NTP client.
- To allow the software clock to be synchronized by an NTP time server, use the ntp server ip-address command in global configuration mode.

Slide 50: Switch Port Security: Network Time Protocol (NTP) (2.2.4.8, cont.)
[Figure: NTP server R1 and NTP client R2]
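Slides 48 through 50 explain why synchronized clocks matter and show R2 taking time from R1. The configuration below is an added example, not the deck's figure; it goes one step beyond the slides by authenticating the NTP exchange, since an unauthenticated client accepts time from anyone who can spoof the server's address. The addresses 10.1.1.1 (R1) and 10.1.1.2 (R2), key number 1, the key string and stratum 3 are assumptions.

```cisco
! Added example (not from the original deck). Addresses, key number, key string
! and stratum are assumed values. R1 and R2 are two separate routers.

! R1: time source for the site. In practice R1 would itself sync to a trusted
! upstream server; "ntp master" makes it serve time regardless.
R1(config)# clock timezone UTC 0
R1(config)# ntp master 3
R1(config)# ntp authentication-key 1 md5 Ntp-Sample-Key-1
R1(config)# ntp authenticate
R1(config)# ntp trusted-key 1

! R2: client. The shared key makes R2 reject time from a host that merely spoofs
! R1's address, which matters because log timestamps and certificate validity
! checks depend on this clock.
R2(config)# clock timezone UTC 0
R2(config)# ntp authentication-key 1 md5 Ntp-Sample-Key-1
R2(config)# ntp authenticate
R2(config)# ntp trusted-key 1
R2(config)# ntp server 10.1.1.1 key 1

! Time-stamp syslog and debug output so security events can be correlated.
R2(config)# service timestamps log datetime msec localtime show-timezone
R2(config)# service timestamps debug datetime msec localtime show-timezone
R2(config)# end

! Verification on R2: the association list should show the server marked "*"
! (synced) and the status line "Clock is synchronized".
R2# show ntp associations
R2# show ntp associations detail
R2# show ntp status
R2# show clock detail
```

The key string must match on both sides, and the number passed with ntp server key must be one of R2's trusted keys; if either is wrong, show ntp associations detail shows the peer as unauthenticated and the clock never synchronizes. NTP authentication here only authenticates the source, it does not encrypt the exchange.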

(Figure caption) R2 is configured as an NTP client, receiving time updates from the server, R1.

Slide 51: Chapter 2: Summary
This chapter covered:
- The Cisco LAN switch boot sequence
- Cisco LAN switch LED modes
- How to access and manage a Cisco LAN switch remotely through a secure connection
- Cisco LAN switch port duplex modes
- Cisco LAN switch port security, violation modes and actions
- Best practices for switched networks
