
3/5/2017 Cisco Networking Academy's Introduction to Basic Switching Concepts and Configuration | Objectives

Cisco Networking Academy's Introduction to
Basic Switching Concepts and Configuration
Date: Mar 31, 2014 By Cisco Networking Academy. Sample Chapter is provided courtesy of
Cisco Press.

This chapter examines some of the basic switch configuration settings required to maintain a secure, available, switched LAN environment.

Objectives

Upon completion of this chapter, you will be able to answer the following questions:

What are the steps a switch takes after power is applied?
What is the function of the boot loader if the operating system is corrupt or missing?
How might the switch LEDs help with troubleshooting?
What are the steps taken to configure a Cisco switch with an IP address, subnet mask, and default gateway?
What interface is used to apply an IP address to a Cisco switch?
What functionality is available once a switch has an IP address and default gateway?
What type of customization can be applied to a switch port?
What tools can be used to troubleshoot a Layer 1 or 2 problem?
What steps are required to configure a switch for SSH access?
What are some common security attacks that affect switches?
What mitigation tools could be used on a Cisco switch to prevent or react to a security attack?
What are best practices for switch security?
What steps are required to configure switch security?
What is the purpose of NTP?

Key Terms

This chapter uses the following key terms. You can find the definitions in the Glossary.

boot loader page 36
switch virtual interface (SVI) page 40
automatic medium-dependent interface crossover (auto-MDIX) page 46
runt page 51
giant page 51
CRC error page 52
late collision page 52
Secure Shell (SSH) page 55
MAC address table overflow attack page 60
MAC flooding attack page 60
DHCP starvation attack page 63
denial of service (DoS) attack page 63
DHCP spoofing attacks page 63
Cisco Discovery Protocol (CDP) page 64
brute force password attack page 65
Telnet DoS attack page 65
security audit page 67
penetration testing page 67
DHCP snooping page 69
trusted port page 69
untrusted port page 69
port security page 71
static secure MAC address page 71
dynamic secure MAC address page 72
sticky secure MAC address page 72
Network Time Protocol (NTP) page 78

Introduction (2.0.1.1)

http://www.ciscopress.com/articles/printerfriendly/2181836 1/37
Switches are used to connect multiple devices on the same network. In a properly designed network, LAN switches are responsible for directing and controlling the data flow at the access layer to networked resources.

Cisco switches are self-configuring and no additional configurations are necessary for them to function out of the box. However, Cisco switches run Cisco IOS, and can be manually configured to better meet the needs of the network. This includes adjusting port speed and bandwidth, as well as implementing security requirements.

Additionally, Cisco switches can be managed both locally and remotely. To remotely manage a switch, it needs to have an IP address and default gateway configured. These are just two of the configurations discussed in this chapter.

Switches operate at the access layer where client network devices connect directly to the network and IT departments want uncomplicated network access for the users. The access layer is one of the most vulnerable areas of the network because it is so exposed to the user. Switches need to be configured to be resilient to attacks of all types while they are protecting user data and allowing for high-speed connections. Port security is one of the security features Cisco managed switches provide.

This chapter examines some of the basic switch configuration settings required to maintain a secure, available, switched LAN environment.

Class Activity 2.0.1.2: Stand By Me

Scenario

When you arrived at class today, you were given a number by your instructor to use for this introductory class activity.

When class begins, your instructor will ask certain students with specific numbers to stand. Your job is to record the standing students' numbers for each scenario.

Scenario 1: Students with numbers starting with the number 5 should stand. Record the numbers of the standing students.

Scenario 2: Students with numbers ending in B should stand. Record the numbers of the standing students.

Scenario 3: Students with the number 504C should stand. Record the number of the standing student.

At the end of this activity, divide into small groups and record answers to the Reflection questions on the PDF contained in the online course.

Save your work and be prepared to share it with another student or the entire class.

Basic Switch Configuration (2.1)

Switches are one of the most numerous devices installed onto the corporate network infrastructure. Configuring them can be fun and challenging. Knowing how switches normally boot and load an operating system is also important.

Switch Boot Sequence (2.1.1.1)
After a Cisco switch is powered on, it goes through the following boot sequence:

Step 1. First, the switch loads a power-on self-test (POST) program stored in ROM. POST checks the CPU subsystem. It tests the CPU, DRAM, and the portion of the flash device that makes up the flash file system.

Step 2. Next, the switch loads the boot loader software. The boot loader is a small program stored in ROM and is run immediately after POST successfully completes.

Step 3. The boot loader performs low-level CPU initialization. It initializes the CPU registers that control where physical memory is mapped, the quantity of memory, and memory speed.

Step 4. The boot loader initializes the flash file system on the system board.

Step 5. Finally, the boot loader locates and loads a default IOS operating system software image into memory and hands control of the switch over to the IOS.

The boot loader finds the Cisco IOS image on the switch using the following process: The switch attempts to automatically boot by using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable file it can by performing a recursive, depth-first search throughout the flash file system. In a depth-first search of a directory, each encountered subdirectory is completely searched before continuing the search in the original directory. On Catalyst 2960 Series switches, the image file is normally contained in a directory that has the same name as the image file (excluding the .bin file extension).
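The image-selection process just described, as an added example that is not part of the chapter or Cisco's boot loader: it models the BOOT-variable check and the recursive depth-first search on a constructed in-memory flash layout (the image and directory names in SAMPLE_FLASH are constructed; the behaviour for a BOOT value that names a missing file is this example's own assumption, since the chapter only covers the unset case).

```python
"""Simulation of the boot loader's image search described above.

This is an added example, not Cisco code. It models the two-stage process
the chapter describes on a constructed, in-memory flash file system:
1. if the BOOT environment variable names an image, that image is booted;
2. otherwise a recursive, depth-first search of flash boots the first
   executable file found, searching each subdirectory completely before
   continuing in the directory that contained it.
"""
from typing import Optional

# Constructed sample flash layout. Directories are dicts; a file maps to True
# if it is an executable image (.bin) and False otherwise. The image lives in
# a directory of the same name (minus .bin), as the chapter says is normal.
SAMPLE_FLASH = {
    "config.text": False,
    "c2960-lanbasek9-mz.150-2.SE": {
        "c2960-lanbasek9-mz.150-2.SE.bin": True,
        "html": {"index.html": False},
    },
    "old": {"c2960-lanbase-mz.122-55.SE.bin": True},
    "vlan.dat": False,
}


def depth_first_image_search(tree: dict, prefix: str = "flash:") -> Optional[str]:
    """Return the path of the first executable file met in a depth-first walk.

    Entries are visited in listed order; when a subdirectory is encountered it
    is searched to the bottom before the remaining entries of the current
    directory are examined, exactly as the chapter describes.
    """
    for name, entry in tree.items():
        path = f"{prefix}/{name}"
        if isinstance(entry, dict):
            found = depth_first_image_search(entry, path)
            if found is not None:
                return found
        elif entry:  # executable image file
            return path
    return None


def file_exists(flash: dict, path: str) -> bool:
    """Resolve a 'flash:/dir/file' path inside the constructed tree."""
    node = flash
    for part in path.replace("flash:", "", 1).strip("/").split("/"):
        if not isinstance(node, dict) or part not in node:
            return False
        node = node[part]
    return not isinstance(node, dict)


def select_boot_image(flash: dict, boot_variable: Optional[str]) -> Optional[str]:
    """Choose the image the boot loader would load.

    The chapter only specifies the behaviour when BOOT is unset; treating a
    BOOT value that points at a missing file the same way is this example's
    assumption, made so that a stale variable does not leave the model stuck.
    """
    if boot_variable and file_exists(flash, boot_variable):
        return boot_variable
    return depth_first_image_search(flash)


if __name__ == "__main__":
    print("BOOT unset ->", select_boot_image(SAMPLE_FLASH, None))
    print("BOOT set   ->", select_boot_image(
        SAMPLE_FLASH, "flash:/old/c2960-lanbase-mz.122-55.SE.bin"))
```

The walk shows why an unset BOOT variable is a configuration risk worth checking during an audit: whichever executable happens to sort first in flash gets loaded, including an older image left behind in another directory, so `show bootvar` should confirm that BOOT names the intended image.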

The IOS operating system then initializes the interfaces using the Cisco IOS commands found in the configuration file, startup-configuration, which is stored in NVRAM.

In Figure 2-1, the BOOT environment variable is set using the boot system global configuration mode command. Use the show bootvar command (show boot in older IOS versions) to see the current IOS boot file version.

Figure 2-1 Configure BOOT Environment Variable

Recovering from a System Crash (2.1.1.2)
The boot loader provides access into the switch if the operating system cannot be used because of missing or damaged system files. The boot loader has a command line that provides access to files stored in flash memory.

The boot loader can be accessed through a console connection using these steps:

Step 1. Connect a console cable from the PC to the switch console port. Configure terminal emulation software to connect to the switch.

Step 2. Unplug the switch power cord.

Step 3. Reconnect the power cord to the switch and within 15 seconds press and hold down the Mode button while the System LED is still flashing green.

Step 4. Continue pressing the Mode button until the System LED turns briefly amber and then solid green; then release the Mode button.

Step 5. The boot loader switch: prompt appears in the terminal emulation software on the PC.

The boot loader command line supports commands to format the flash file system, reinstall the operating system software, and recover from a lost or forgotten password. For example, the dir command can be used to view a list of files within a specified directory as shown in Figure 2-2.


Figure 2-2 Directory Listing in Boot Loader

Switch LED Indicators (2.1.1.3)

Cisco Catalyst switches have several status LED indicator lights. You can use the switch LEDs to quickly monitor switch activity and its performance. Switches of different models and feature sets will have different LEDs, and their placement on the front panel of the switch may also vary.

Figure 2-3 shows the switch LEDs and the Mode button for a Cisco Catalyst 2960 switch. The Mode button is used to toggle through port status, port duplex, port speed, and PoE (if supported) status of the port LEDs.

Figure 2-3 Cisco 2960 Switch LEDs

Table 2-1 contains the purpose of the Cisco 2960 switch LED indicators, and the meaning of their colors.

Table 2-1 Purpose of Cisco Switch LEDs

System LED: Shows whether the system is receiving power and is functioning properly. If the LED is off, it means the system is not powered. If the LED is green, the system is operating normally. If the LED is amber, the system is receiving power but is not functioning properly.

Redundant Power System (RPS) LED: Shows the RPS status. If the LED is off, the RPS is off or not properly connected. If the LED is green, the RPS is connected and ready to provide backup power. If the LED is blinking green, the RPS is connected but is unavailable because it is providing power to another device. If the LED is amber, the RPS is in standby mode or in a fault condition. If the LED is blinking amber, the internal power supply in the switch has failed, and the RPS is providing power.

Port Status LED: Indicates that the port status mode is selected when the LED is green. This is the default mode. When selected, the port LEDs will display colors with different meanings. If the LED is off, there is no link, or the port was administratively shut down. If the LED is green, a link is present. If the LED is blinking green, there is activity and the port is sending or receiving data. If the LED is alternating green-amber, there is a link fault. If the LED is amber, the port is blocked to ensure a loop does not exist in the forwarding domain and is not forwarding data (typically, ports will remain in this state for the first 30 seconds after being activated). If the LED is blinking amber, the port is blocked to prevent a possible loop in the forwarding domain.

Port Duplex LED: Indicates the port duplex mode is selected when the LED is green. When selected, port LEDs that are off are in half-duplex mode. If the port LED is green, the port is in full-duplex mode.

Port Speed LED: Indicates the port speed mode is selected. When selected, the port LEDs will display colors with different meanings. If the LED is off, the port is operating at 10 Mb/s. If the LED is green, the port is operating at 100 Mb/s. If the LED is blinking green, the port is operating at 1000 Mb/s.

Power over Ethernet (PoE) Mode LED: If PoE is supported, a PoE mode LED will be present. If the LED is off, it indicates the PoE mode is not selected and none of the ports have been denied power or placed in a fault condition. If the LED is blinking amber, the PoE mode is not selected but at least one of the ports has been denied power, or has a PoE fault. If the LED is green, it indicates the PoE mode is selected and the port LEDs will display colors with different meanings. If the port LED is off, PoE is off. If the port LED is green, PoE is being provided to a device. If the port LED is alternating green-amber, PoE is denied because providing power to the powered device will exceed the switch power capacity. If the LED is blinking amber, PoE is off due to a fault. If the LED is amber, PoE for the port has been disabled.

Preparing for Basic Switch Management (2.1.1.4)
To prepare a switch for remote management access, the switch must be configured with an IP address and a subnet mask. Keep in mind that to manage the switch from a remote network, the switch must be configured with a default gateway. This is very similar to configuring the IP address information on host devices. In Figure 2-4, the switch virtual interface (SVI) on S1 should be assigned an IP address. The SVI is a virtual interface, not a physical port on the switch.


Figure 2-4 Preparing for Remote Switch Management

SVI is a concept related to VLANs. VLANs are numbered logical groups to which physical ports can be assigned. Configurations and settings applied to a VLAN are also applied to all the ports assigned to that VLAN.

By default, the switch is configured to have the management of the switch controlled through VLAN 1. All ports are assigned to VLAN 1 by default. For security purposes, it is considered a best practice to use a VLAN other than VLAN 1 for the management VLAN. Furthermore, it is also a best practice to use a VLAN that is not used by end devices such as users and printers.

NOTE

These IP settings are only for remote management access to the switch; assigning an IP address to the switch does not allow the switch to route Layer 3 packets.

Configuring Basic Switch Management Access with IPv4 (2.1.1.5)

Step 1. Configure the Management Interface.

An IP address and subnet mask is configured on the management SVI of the switch from VLAN interface configuration mode. As shown in Table 2-2, the interface vlan 99 command is used to enter interface configuration mode. The ip address command is used to configure the IP address. The no shutdown command enables the interface.

Table 2-2 Configure the Switch Management Interface

Enter global configuration mode.                  S1# configure terminal
Enter interface configuration mode for the SVI.   S1(config)# interface vlan 99
Configure the management interface IP address.    S1(config-if)# ip address 172.17.99.11 255.255.0.0
Enable the management interface.                  S1(config-if)# no shutdown
Return to privileged EXEC mode.                   S1(config-if)# end
Save the running config to the startup config.    S1# copy running-config startup-config

In this example, VLAN 99 is configured with the IP address 172.17.99.11 and mask 255.255.0.0. To create a VLAN with the vlan_id of 99 and associate it to an interface, use the following commands:
S1(config)# vlan vlan_id
S1(config-vlan)# name vlan_name
S1(config-vlan)# end
S1# configure terminal
S1(config)# interface interface_id
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan vlan_id

NOTE

The SVI for VLAN 99 will not appear as up/up until VLAN 99 is created, the IP address assigned to the SVI, the no shutdown command entered, and either (1) a device is connected to an access port associated with VLAN 99 (not a best practice) or (2) a trunk link (covered in the VLAN chapter) connects to another network device such as a switch.

Step 2. Configure the Default Gateway.

The switch should be configured with a default gateway if the switch will be managed remotely from networks not directly connected. The default gateway is the first Layer 3 device (such as a router) on the same management VLAN network to which the switch connects. The switch will forward IP packets with destination IP addresses outside the local network to the default gateway. As shown in Table 2-3 and Figure 2-5, R1 is the default gateway for S1. The interface on R1 connected to the switch has IP address 172.17.99.1. This address is the default gateway address for S1.

Table 2-3 Commands to Configure a Switch Default Gateway

Enter global configuration mode.                  S1# configure terminal
Configure the switch default gateway.             S1(config)# ip default-gateway 172.17.99.1
Return to privileged EXEC mode.                   S1(config)# end
Save the running config to the startup config.    S1# copy running-config startup-config

Figure 2-5 Configuring the Switch Default Gateway

To configure the default gateway for the switch, use the ip default-gateway command. Enter the IP address of the default gateway. The default gateway is the IP address of the router interface to which the switch connects. Use the following command to back up the configuration: copy running-config startup-config.

Step 3. Verify the Configuration.

As shown in Figure 2-6, the show ip interface brief command is useful when determining the status of both physical and virtual interfaces. The output shown in Figure 2-6 confirms that interface VLAN 99 has been configured with an IP address and a subnet mask, and that FastEthernet port Fa0/18 has been assigned to the VLAN 99 management interface. Both interfaces are now up/up and operational.
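A pre-change check for Steps 1 to 3, as an added example that is not part of the chapter or of Cisco IOS: before the commands in Tables 2-2 and 2-3 are pasted into a switch, it confirms that the management VLAN is not VLAN 1 (the best practice stated above) and that the default gateway actually lies inside the SVI's subnet, since a gateway outside it can never be reached. The function names are this example's own; the input values are the chapter's (VLAN 99, 172.17.99.11 255.255.0.0, gateway 172.17.99.1).

```python
"""Sanity checks and command rendering for a switch management SVI.

Added example, not Cisco code. validate_management_plan() applies the rules
the chapter states; render_management_config() emits the IOS commands from
Tables 2-2 and 2-3 in order, so that a plan is only rendered after it passes.
"""
import ipaddress


def validate_management_plan(vlan_id: int, ip: str, mask: str, gateway: str) -> list:
    """Return a list of problems with the proposed SVI settings (empty if none).

    Rules, taken from the chapter text:
    - the management VLAN should not be VLAN 1 (best practice);
    - the default gateway is a router interface on the same management VLAN
      network, so it must fall inside the SVI's own subnet;
    - the gateway must not be the switch's own address;
    - the SVI address must be a usable host address in that subnet.
    """
    problems = []
    if vlan_id == 1:
        problems.append("management VLAN is VLAN 1; use a dedicated VLAN")
    svi = ipaddress.IPv4Interface(f"{ip}/{mask}")   # accepts dotted masks
    gw = ipaddress.IPv4Address(gateway)
    if gw not in svi.network:
        problems.append(f"gateway {gw} is outside the SVI subnet {svi.network}")
    if gw == svi.ip:
        problems.append("gateway equals the SVI address")
    if svi.ip in (svi.network.network_address, svi.network.broadcast_address):
        problems.append("SVI address is the network or broadcast address")
    return problems


def render_management_config(vlan_id: int, ip: str, mask: str, gateway: str) -> list:
    """Render the global-configuration command sequence from Tables 2-2/2-3."""
    return [
        "configure terminal",
        f"vlan {vlan_id}",
        "exit",
        f"interface vlan {vlan_id}",
        f"ip address {ip} {mask}",
        "no shutdown",
        "exit",
        f"ip default-gateway {gateway}",
        "end",
        "copy running-config startup-config",
    ]


def plan_management_access(vlan_id: int, ip: str, mask: str, gateway: str) -> tuple:
    """Return (problems, commands); commands is empty when problems exist."""
    problems = validate_management_plan(vlan_id, ip, mask, gateway)
    if problems:
        return problems, []
    return [], render_management_config(vlan_id, ip, mask, gateway)


if __name__ == "__main__":
    # The chapter's own values (constructed input for this example).
    issues, commands = plan_management_access(99, "172.17.99.11", "255.255.0.0", "172.17.99.1")
    print("\n".join(issues or commands))
```

Running the check with VLAN 1 or with a gateway on a different network returns the problem instead of the commands, which is the point of validating before touching the switch: a wrong default gateway on the SVI silently removes remote management rather than producing an error on the device.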


Figure 2-6 Verifying the Switch Management Interface Configuration

Lab 2.1.1.6: Basic Switch Configuration

In this lab, you will complete the following objectives:

Part 1: Cable the Network and Verify the Default Switch Configuration
Part 2: Configure Basic Network Device Settings
Part 3: Verify and Test Network Connectivity
Part 4: Manage the MAC Address Table

Configure Switch Ports (2.1.2)

Port configuration starts with the basics of duplex and speed. Sometimes switch ports must have their duplex mode and speed manually configured. Most of the time the technician simply connects a cable and lets the network device and switch automatically negotiate these parameters. There are also times when things go awry and there are issues. This section helps you with these basic concepts.

Duplex Communication (2.1.2.1)
Figure 2-7 illustrates full-duplex and half-duplex communication.

Figure 2-7 Duplex Modes

Full-duplex communication improves the performance of a switched LAN. Full-duplex communication increases effective bandwidth by allowing both ends of a connection to transmit and receive data simultaneously. This is also known as bidirectional communication. This method of optimizing network performance requires micro-segmentation. A micro-segmented LAN is created when a switch port has only one device connected and is operating at full-duplex. This results in a micro-size collision domain of a single device. Because there is only one device connected, a micro-segmented LAN is collision free.

Unlike full-duplex communication, half-duplex communication is unidirectional. Sending and receiving data does not occur at the same time. Half-duplex communication creates performance issues because data can flow in only one direction at a time, often resulting in collisions. Half-duplex connections are typically seen in older hardware, such as hubs. Full-duplex communication has replaced half-duplex in most hardware.

Most Ethernet and Fast Ethernet NICs sold today offer full-duplex capability. Gigabit Ethernet and 10Gb NICs require full-duplex connections to operate. In full-duplex mode, the collision detection circuit on the NIC is disabled. Frames that are sent by the two connected devices cannot collide because the devices use two separate circuits in the network cable. Full-duplex connections require a switch that supports full-duplex configuration, or a direct connection using an Ethernet cable between two devices.

Standard, shared hub-based Ethernet configuration efficiency is typically rated at 50 to 60 percent of the stated bandwidth. Full-duplex offers 100 percent efficiency in both directions (transmitting and receiving). This results in a 200 percent potential use of the stated bandwidth.

Configure Switch Ports at the Physical Layer (2.1.2.2)
Just as a network card in a PC can have specific conditions such as duplex and speed set, so too can a switch port. This section examines how to configure specific parameters on a Cisco switch port and introduces auto-MDIX.

Duplex and Speed

Switch ports can be manually configured with specific duplex and speed settings. Use the duplex interface configuration mode command to manually specify the duplex mode for a switch port. Use the speed interface configuration mode command to manually specify the speed for a switch port. In Figure 2-8 and Table 2-4, port F0/1 on switches S1 and S2 are manually configured with the full keyword for the duplex command and the 100 keyword for the speed command.

Figure 2-8 Manually Configure Duplex and Speed

Table 2-4 Cisco Switch Port Configuration

Enter global configuration mode.                  S1# configure terminal
Enter interface configuration mode.               S1(config)# interface fastethernet 0/1
Configure the interface duplex mode.              S1(config-if)# duplex full
Configure the interface speed.                    S1(config-if)# speed 100
Return to privileged EXEC mode.                   S1(config-if)# end
Save the running config to the startup config.    S1# copy running-config startup-config

The default setting for both duplex and speed for switch ports on Cisco Catalyst 2960 and 3560 switches is auto. The 10/100/1000 ports operate in either half- or full-duplex mode when they are set to 10 or 100 Mb/s, but when they are set to 1000 Mb/s (1 Gb/s), they operate only in full-duplex mode. When troubleshooting switch port issues, the duplex and speed settings should be checked.

NOTE

Mismatched settings for the duplex mode and speed of switch ports can cause connectivity issues. Autonegotiation failure creates mismatched settings. Cisco recommends using the auto command for duplex and manually configuring interface speed using the speed command in order to avoid connectivity issues between devices.

All fiber-optic ports, such as 100BASE-FX ports, operate only at one preset speed and are always full-duplex.

Activity 2.1.2.2: Configure Switch Port Duplex and Speed

Access the second figure in the online course to use the Syntax Checker to practice configuring port Fa0/1 of switch S1.

Note

The video and interactive content described in this chapter are only available to students enrolled in related Cisco Networking Academy courses and not in this sample.

Auto-MDIX (2.1.2.3)
Until recently, certain cable types (straight-through or crossover) were required when connecting devices. Switch-to-switch or switch-to-router connections required using different Ethernet cables. Using the automatic medium-dependent interface crossover (auto-MDIX) feature on an interface eliminates this problem. When auto-MDIX is enabled, the interface automatically detects the required cable connection type (straight-through or crossover) and configures the connection appropriately. When connecting to switches without the auto-MDIX feature, straight-through cables must be used to connect to devices such as servers, workstations, or routers. Crossover cables must be used to connect a switch to another switch or repeater.

With auto-MDIX enabled, either type of cable can be used to connect to other devices, and the interface automatically corrects for any incorrect cabling. On newer Cisco routers and switches, the mdix auto interface configuration mode command enables the feature. When using auto-MDIX on an interface, the interface speed and duplex must be set to auto so that the feature operates correctly.

Figure 2-9 shows the topology, and Table 2-5 shows the commands to enable auto-MDIX.

Figure 2-9 Configure Auto-MDIX

Table 2-5 Cisco Switch Auto-MDIX Commands

Enter global configuration mode.                                                              S1# configure terminal
Enter interface configuration mode.                                                           S1(config)# interface fastethernet 0/1
Configure the interface to automatically negotiate the duplex mode with the connected device. S1(config-if)# duplex auto
Configure the interface to automatically negotiate speed with the connected device.           S1(config-if)# speed auto
Enable auto-MDIX on the interface.                                                            S1(config-if)# mdix auto
Return to privileged EXEC mode.                                                               S1(config-if)# end
Save the running config to the startup config.                                                S1# copy running-config startup-config

NOTE

The auto-MDIX feature is enabled by default on Catalyst 2960 and Catalyst 3560 switches but is not available on the older Catalyst 2950 and Catalyst 3550 switches.

To examine the auto-MDIX setting for a specific interface, use the show controllers ethernet-controller command with the argument interface-id and the phy keyword. To limit the output to lines referencing auto-MDIX, use the include Auto-MDIX filter. As shown in Figure 2-10, the output indicates On or Off for the feature.

Figure 2-10 Verify Auto-MDIX

Activity 2.1.2.3: Enable Auto-MDIX

Go to the online course and select the third graphic to use the Syntax Checker to practice configuring the FastEthernet 0/1 interface on S2 for auto-MDIX.

Verifying Switch Port Configuration (2.1.2.4)
Table 2-6 describes some of the options for the show command that are helpful in verifying common configurable switch features.

Table 2-6 Switch Verification Commands

Display interface status and configuration.       S1# show interfaces [interface-id]
Display current startup configuration.            S1# show startup-config
Display current operating configuration.          S1# show running-config
Display information about the flash file system.  S1# show flash:
Display status of system hardware and software.   S1# show version
Display a history of commands entered.            S1# show history
Display IP information about an interface.        S1# show ip [interface-id]
Display the MAC address table.                    S1# show mac-address-table
                                                  or
                                                  S1# show mac address-table

Look at the sample abbreviated output from the show running-config command. Use this command to verify that the switch has been correctly configured. As seen in the output for S1, some key information is shown:

FastEthernet0/18 interface configured with the management VLAN 99
VLAN 99 configured with an IP address of 172.17.99.11 255.255.0.0
Default gateway set to 172.17.99.1

S1# show running-config
Building configuration...

Current configuration : 1664 bytes
!
<output omitted>
!
interface FastEthernet0/18
 switchport access vlan 99
 switchport mode access
!
<output omitted>
!
interface Vlan99
 ip address 172.17.99.11 255.255.0.0
!
<output omitted>
!
ip default-gateway 172.17.99.1
!
<output omitted>

The show interfaces command is another commonly used command, which displays status and statistics information on the network interfaces of the switch. The show interfaces command is frequently used when configuring and monitoring network devices.

Look at the output from the show interfaces fastethernet 0/18 command. The first line in the output indicates that the FastEthernet 0/18 interface is up/up meaning that it is operational. Further down the output shows that the duplex is full and the speed is 100 Mb/s.

S1# show interfaces fastethernet 0/18
FastEthernet0/18 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0cd9.96e8.8a01 (bia 0cd9.96e8.8a01)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:01, output 00:00:06, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     25994 packets input, 2013962 bytes, 0 no buffer
     Received 22213 broadcasts (21934 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 21934 multicast, 0 pause input
     0 input packets with dribble condition detected
     7203 packets output, 771291 bytes, 0 underruns
<output omitted>

Network Access Layer Issues (2.1.2.5)
The output from the show interfaces command can be used to detect common media issues. One of the most important parts of this output is the display of the line and data link protocol status. The following output and Table 2-7 indicate the summary line to check the status of an interface.

S1# show interfaces fastethernet 0/18
FastEthernet0/18 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0022.91c4.0301 (bia 0022.91c4.0e01)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
<output omitted>

Table 2-7 Verify the Status of a Switch Interface

Interface Status    Line Protocol Status    Link State
Up                  Up                      Operational
Down                Down                    Interface problem

The first parameter (FastEthernet0/1 is up) refers to the hardware layer and, essentially, reflects whether the interface is receiving the carrier detect signal from the other end. The second parameter (line protocol is up) refers to the data link layer and reflects whether the data link layer protocol keepalives are being received.

Based on the output of the show interfaces command, possible problems can be fixed as follows:

If the interface is up and the line protocol is down, a problem exists. There could be an encapsulation type mismatch, the interface on the other end could be error-disabled, or there could be a hardware problem.
If the line protocol and the interface are both down, a cable is not attached or some other interface problem exists. For example, in a back-to-back connection (a connection where the transmitter of one device connects directly to the receiver of another device without a transmission media between the two devices), one end of the connection may be administratively down.
If the interface is administratively down, it has been manually disabled (the shutdown command has been issued) in the active configuration.

The following output shows an example of the show interfaces command. The example shows counters and statistics for the FastEthernet 0/1 interface.

S1# show interfaces fastethernet 0/1
FastEthernet0/1 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0022.91c4.0e01 (bia 0022.91c4.0e01)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
<output omitted>
     2295197 packets input, 305539992 bytes, 0 no buffer
     Received 1925500 broadcasts, 0 runts, 0 giants, 0 throttles
     3 input errors, 3 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 68 multicast, 0 pause input
     0 input packets with dribble condition detected
     3594664 packets output, 436549843 bytes, 0 underruns
     8 output errors, 1790 collisions, 10 interface resets
     0 unknown protocol drops
     0 babbles, 235 late collision, 0 deferred
<output omitted>

Some media errors are not severe enough to cause the circuit to fail but do cause network performance issues. Table 2-8 explains some of these common errors that can be detected using the show interfaces command.

Table 2-8 Network Access Layer Issues

Input Errors: Total number of errors. It includes runts, giants, no buffer, CRC, frame, overrun, and ignored counts.
Runts: Packets that are discarded because they are smaller than the minimum packet size for the medium. For instance, any Ethernet packet that is less than 64 bytes is considered a runt.
Giants: Packets that are discarded because they exceed the maximum packet size for the medium. For example, any Ethernet packet that is greater than 1,518 bytes is considered a giant.
CRC errors: CRC errors are generated when the calculated checksum is not the same as the checksum received.
Output Errors: The sum of all errors that prevented the final transmission of datagrams out of the interface that is being examined.
Collisions: The number of messages retransmitted because of an Ethernet collision.
Late Collisions: A collision that occurs after 512 bits of the frame have been transmitted.

Input errors is the sum of all errors in datagrams that were received on the interface being examined. This includes runts, giants, CRC, no buffer, frame, overrun, and ignored counts. The reported input errors from the show interfaces command include the following:

Runt Frames: Ethernet frames that are shorter than the 64-byte minimum allowed length are called runts. Malfunctioning NICs are the usual cause of excessive runt frames, but they can be caused by improperly terminated or unterminated cables, which can also cause excessive collisions.
Giants: Ethernet frames that are longer than the maximum allowed length are called giants. Giants are caused by the same issues as those that cause runts.
CRC errors: On Ethernet and serial interfaces, CRC errors usually indicate a media or cable error. Common causes include electrical interference, loose or damaged connections, or using the incorrect cabling type. If you see many CRC errors, there is too much noise on the link and you should inspect the cable for damage and length. You should also search for and eliminate noise sources, if possible.

Output errors is the sum of all errors that prevented the final transmission of datagrams out of an interface that is being examined. The reported output errors from the show interfaces command include the following:

Collisions: Collisions in half-duplex operations are completely normal, and you should not worry about them, as long as you can tolerate the performance when half-duplex mode is used. However, you should never see collisions in a properly designed and configured network that uses full-duplex communication. It is highly recommended that you use full-duplex unless you have older or legacy equipment that requires half-duplex.
Late collisions: A late collision refers to a collision that occurs after 512 bits of the frame (the preamble) have been transmitted. Excessive cable lengths are the most common cause of late collisions. Another common cause is duplex misconfiguration. For example, you could have one end of a connection configured for full-duplex and the other for half-duplex. You would see late collisions on the interface that is configured for half-duplex. In that case, you must configure the same duplex setting on both ends. A properly designed and configured network should never have late collisions.

TroubleshootingNetworkAccessLayerIssues(2.1.2.6)
Mostissuesthataffectaswitchednetworkareencounteredduringtheoriginal
implementation.Theoretically,afteritisinstalled,anetworkcontinuestooperatewithout
problems.However,cablinggetsdamaged,configurationschange,andnewdevicesare
connectedtotheswitchthatrequireswitchconfigurationchanges.Ongoingmaintenanceand
troubleshootingofthenetworkinfrastructureisrequired.

Totroubleshoottheseissueswhenyouhavenoconnectionorabadconnectionbetweena
switchandanotherdevice,followthisgeneralprocess,asshowninFigure211,and
explainedthereafter.

Figure211TroubleshootingSwitchMediaIssues

Usetheshowinterfacescommandtochecktheinterfacestatus.

Iftheinterfaceisdown:

Checktomakesurethatthepropercablesarebeingused.Additionally,checkthe
cableandconnectorsfordamage.Ifabadorincorrectcableissuspected,replacethe
cable.

http://www.ciscopress.com/articles/printerfriendly/2181836 14/37
3/5/2017 CiscoNetworkingAcademy'sIntroductiontoBasicSwitchingConceptsandConfiguration|Objectives
If the interface is still down, the problem may be due to a mismatch in speed setting. The speed of an interface is typically auto-negotiated; therefore, even if speed is manually configured on one interface, the connecting interface should auto-negotiate accordingly. If a speed mismatch does occur through misconfiguration or a hardware or software issue, then that may result in the interface going down. Manually set the same speed on both connection ends if an auto-negotiation problem is suspected.

If the interface is up, but issues with connectivity are still present:

Using the show interfaces command, check for indications of excessive noise. Indications may include an increase in the counters for runts, giants, and CRC errors. If there is excessive noise, first find and remove the source of the noise, if possible. Also, verify that the cable does not exceed the maximum cable length and check the type of cable that is used. For copper cable, it is recommended that you use at least Category 5.

If noise is not an issue, check for excessive collisions. If there are collisions or late collisions, verify the duplex settings on both ends of the connection. Much like the speed setting, the duplex setting is usually auto-negotiated. If there does appear to be a duplex mismatch, manually set the duplex on both connection ends. It is recommended to use full duplex if both sides support it.
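The following is an added example, not part of the original chapter, that walks the procedure above against a constructed show interfaces excerpt and then applies the fix the text describes (a matching manual speed and duplex on both ends). The interface name, the counter values and the neighbour are this example's own assumptions, chosen to show what a duplex mismatch looks like in the counters.

```cisco
! Added example; the output below is a constructed excerpt, not a real capture.
! Step 1: the interface is up, so check the error counters named in the text.
S1# show interfaces fastethernet 0/1
FastEthernet0/1 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
  ...
     17 runts, 0 giants, 0 throttles
     412 input errors, 395 CRC, 0 frame, 0 overrun, 0 ignored
  ...
     2310 collisions, 2 interface resets
     0 unknown protocol drops
     0 babbles, 188 late collision, 0 deferred
! Reading the excerpt against the procedure:
!   line protocol is up      -> not a cable fault or a speed mismatch
!   runts and CRC climbing   -> check noise, cable length and cable category first
!   late collision non-zero  -> this end runs half duplex while the peer is most
!                               likely full duplex (or the cable run is too long)
!
! Step 2: remove the ambiguity by setting speed and duplex manually on BOTH ends.
S1# configure terminal
S1(config)# interface fastethernet 0/1
S1(config-if)# speed 100
S1(config-if)# duplex full
S1(config-if)# end
! Apply the same two commands on the neighbour's interface, then reset the
! counters and look again after a few minutes of traffic: the duplex line
! should read Full-duplex and the collision counters should stay at zero.
S1# clear counters fastethernet 0/1
S1# show interfaces fastethernet 0/1 | include duplex|collision|CRC
```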

Switch Security: Management and Implementation (2.2)

When you take a new switch out of the box, the first thing the network engineer does is secure the switch and assign it an IP address, subnet mask, and default gateway so the switch can be managed from a remote location. Learning the different methods used to secure a switch is important. Also important is learning the types of attacks that can be launched on, toward, or through a switch. By understanding the attacks and the available tools and countermeasures, a technician can be better prepared to secure the switch and make use of the tools and security commands.

Secure Remote Access (2.2.1)

There are different methods that can be used to secure a switch, including Telnet and SSH. Telnet has already been covered, but SSH is a much better method used to securely manage the switch from a remote location.

SSH Operation (2.2.1.1)

Secure Shell (SSH) is a protocol that provides a secure (encrypted) management connection to a remote device. SSH should replace Telnet for management connections. Telnet is an older protocol that uses insecure plaintext transmission of both the login authentication (username and password) and the data transmitted between the communicating devices. SSH provides security for remote connections by providing strong encryption when a device is authenticated (username and password) and also for the transmitted data between the communicating devices. SSH is assigned to TCP port 22. Telnet is assigned to TCP port 23.

Look at the online course, and select the first graphic to see how an attacker can monitor packets using a product such as Wireshark. A Telnet stream can be targeted to capture the username and password.

In the following output, you can see how the attacker can capture the username and password of the administrator from the plaintext Telnet session.

...........
User Access Verification
username:..................P.........vt100..BBoobb
.
Password: cisco
.
R1>eenn
.
Password: class
.
R1#

Click on the third graphic in the online course to see a Wireshark view of an SSH session. The attacker can track the session using the IP address of the administrator device.

However, if a Wireshark capture is made on the SSH session, the fourth graphic in the online course shows how the username and password are encrypted.

To enable SSH on a Catalyst 2960 switch, the switch must be using a version of the IOS software including cryptographic (encrypted) features and capabilities. In the following output, use the show version command on the switch to see which IOS the switch is currently running; an IOS filename that includes the combination k9 supports cryptographic (encrypted) features and capabilities.

S1> show version
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(@)SE, RELEASE SOFTWARE (fc1)

<output omitted>

Configuring SSH (2.2.1.2)

Before configuring SSH, the switch must be minimally configured with a unique hostname and the correct network connectivity settings.

Verify SSH support: Use the show ip ssh command to verify that the switch supports SSH. If the switch is not running an IOS that supports cryptographic features, this command is unrecognized.

Configure the IP domain: Configure the IP domain name of the network using the ip domain-name domain-name global configuration mode command. In Figure 2-12, the domain-name value is cisco.com.

Figure 2-12 Configure SSH for Remote Management

Generate RSA key pairs: Generating an RSA key pair automatically enables SSH. Use the crypto key generate rsa global configuration mode command to enable the SSH server on the switch and generate an RSA key pair. When generating RSA keys, the administrator is prompted to enter a modulus length. Cisco recommends a minimum modulus size of 1024 bits (refer to the sample configuration in Figure 2-12). A longer modulus length is more secure, but it takes longer to generate and use.

NOTE

To delete the RSA key pair, use the crypto key zeroize rsa global configuration mode command. After the RSA key pair is deleted, the SSH server is automatically disabled.

Configure user authentication: The SSH server can authenticate users locally or using an authentication server. To use the local authentication method, create a username and password pair using the username username password password global configuration mode command. In the example, the user admin is assigned the password ccna.

Configure the vty lines: Enable the SSH protocol on the vty lines using the transport input ssh line configuration mode command. The Catalyst 2960 has vty lines ranging from 0 to 15. This configuration prevents non-SSH (such as Telnet) connections and limits the switch to accept only SSH connections. Use the line vty global configuration mode command and then the login local line configuration mode command to require local authentication for SSH connections from the local username database.

Activity 2.2.1.2: Configure SSH

Go to the online course and select the second graphic to use the Syntax Checker to configure SSH on switch S1.

Verifying SSH (2.2.1.3)

On a PC, an SSH client, such as PuTTY, is used to connect to an SSH server. For the examples in Figures 2-16 to 2-18, the following have been configured:

SSH enabled on switch S1
Interface VLAN 99 (SVI) with IP address 172.17.99.11 on switch S1
PC1 with IP address 172.17.99.21

In Figure 2-13, the PC initiates an SSH connection to the SVI VLAN IP address of S1.

Figure 2-13 Configure PuTTY with SSH Client Connection Parameters

In Figure 2-14, the user has been prompted for a username and password. Using the configuration from the previous example, the username admin and password ccna are entered. After entering the correct combination, the user is connected via SSH to the CLI on the Catalyst 2960 switch.

Figure 2-14 Remote Management SSH Connection

To display the version and configuration data for SSH on the device that you configured as an SSH server, use the show ip ssh command. In the example, SSH version 2 is enabled. To check the SSH connections to the device, use the show ssh command (see Figure 2-15).

Figure 2-15 Verify SSH Status and Settings

Packet Tracer Activity 2.2.1.4: Configuring SSH

SSH should replace Telnet for management connections. Telnet uses insecure plaintext communications. SSH provides security for remote connections by providing strong encryption of all transmitted data between devices. In this activity, you will secure a remote switch with password encryption and SSH.

Security Concerns in LANs (2.2.2)

Wired LANs are a common source of attack because so much information can be gained about the wired network using free downloadable tools. By examining downloaded frames, attackers can determine IP addresses of network devices, protocols being used, valid server names and IP addresses, etc. With this information an attacker can launch further attacks or even insert a rogue device. This section introduces the types of attacks and countermeasures to be performed on a wired LAN.

Common Security Attacks: MAC Address Flooding (2.2.2.1)

Basic switch security does not stop malicious attacks. Security is a layered process that is essentially never complete. The more aware networking professionals within an organization are regarding security attacks and the dangers they pose, the better. Some types of security attacks are described here, but the details of how some of these attacks work are beyond the scope of this course. More detailed information is found in the CCNA WAN Protocols course and the CCNA Security course.

MAC Address Flooding

All Catalyst switch models use a MAC address table for Layer 2 switching. The MAC address table in a switch contains the MAC addresses associated with each physical port and the associated VLAN for each port. As a frame arrives on a switch port, the source MAC address is recorded in the MAC address table. The switch then examines the received destination MAC address and looks in the MAC address table to see if it contains the destination MAC address. If an entry already exists for the destination MAC address, the switch forwards the frame to the correct port. If the destination MAC address does not exist in the MAC address table, the switch floods the frame out of every port on the switch, except the port where the frame was received.

The MAC address flooding behavior of a switch for unknown addresses can be used to attack a switch. This type of attack is called a MAC address table overflow attack. MAC address table overflow attacks are sometimes referred to as MAC flooding attacks and CAM table overflow attacks. The following figures show how this type of attack works.

In Figure 2-16, host A sends traffic to host B. The switch receives the frames and looks up the destination MAC address in its MAC address table. If the switch cannot find the destination MAC in the MAC address table, the switch then copies the frame and floods (broadcasts) it out of every switch port, except the port where it was received.

Figure 2-16 MAC Address Flooding: Switch Floods Frame for Unknown MAC

In Figure 2-17, host B receives the frame and sends a reply to host A. The switch then learns that the MAC address for host B is located on port 2 and records that information into the MAC address table.

Host C also receives the frame from host A to host B, but because the destination MAC address of that frame is host B, host C drops that frame.

Figure 2-17 MAC Address Flooding: Switch Records MAC Address

As shown in Figure 2-18, any frame sent by host A (or any other host) to host B is forwarded to port 2 of the switch and not broadcast out every port.

Figure 2-18 MAC Address Flooding: Switch Uses MAC Address Table to Forward Traffic

MAC address tables are limited in size. MAC flooding attacks make use of this limitation to overwhelm the switch with fake source MAC addresses until the switch MAC address table is full.

As shown in Figure 2-19, an attacker at host C can send frames with fake, randomly generated source and destination MAC addresses to the switch. The switch updates the MAC address table with the information in the fake frames. When the MAC address table is full of fake MAC addresses, the switch enters into what is known as fail-open mode. In this mode, the switch broadcasts all frames to all machines on the network. As a result, the attacker can see all of the frames.

Figure 2-19 MAC Address Flooding Attack: Attacker Launches Attack

Some network attack tools can generate up to 155,000 MAC entries on a switch per minute. The maximum MAC address table size is switch model dependent.

As shown in Figure 2-20, as long as the MAC address table on the switch remains full, the switch broadcasts all received frames out of every port except the ingress port. In this example, frames sent from host A to host B are also broadcast out of port 3 on the switch and seen by the attacker at host C.

Figure 2-20 MAC Address Flooding Attack: Attacker Sees Broadcasts

One way to mitigate MAC address table overflow attacks is to configure port security.

Common Security Attacks: DHCP Spoofing (2.2.2.2)

DHCP is the protocol that automatically assigns a host a valid IP address out of a DHCP pool. DHCP has always been the main protocol used within industry for allocating clients IP addresses. Two types of DHCP attacks can be performed against a switched network: DHCP starvation attacks and DHCP spoofing, as shown in Figure 2-21.

Figure 2-21 DHCP Spoofing and Starvation Attack

In DHCP starvation attacks, an attacker floods the DHCP server with DHCP requests to use all the available IP addresses that the DHCP server can issue. After these IP addresses are issued, the server cannot issue any more addresses, and this situation produces a denial of service (DoS) attack as new clients cannot obtain network access. A DoS attack is any attack that is used to overload specific devices and network services with illegitimate traffic, thereby preventing legitimate traffic from reaching those resources.

In DHCP spoofing attacks, an attacker configures a fake DHCP server on the network to issue DHCP addresses to clients. The normal reason for this attack is to force the clients to use false Domain Name System (DNS) or Windows Internet Naming Service (WINS) servers and to make the clients use the attacker, or a machine under the control of the attacker, as their default gateway.

DHCP starvation is often used before a DHCP spoofing attack to deny service to the legitimate DHCP server, making it easier to introduce a fake DHCP server into the network.

To mitigate DHCP attacks, use the DHCP snooping and port security features on the Cisco Catalyst switches. These features are covered in a later topic.

Common Security Attacks: Leveraging CDP (2.2.2.3)

The Cisco Discovery Protocol (CDP) is a proprietary protocol that all Cisco devices can be configured to use. CDP discovers other Cisco devices that are directly connected, which allows the devices to auto-configure their connection. In some cases, this simplifies configuration and connectivity.

By default, most Cisco routers and switches have CDP enabled on all ports. CDP information is sent in periodic, unencrypted broadcasts. This information is updated locally in the CDP database of each device. Even though CDP is a Layer 2 protocol, all Cisco devices can use CDP to communicate and share device information with an adjacent Cisco device; however, this information cannot be shared beyond a single, adjacent Cisco device.

CDP contains information about the device, such as the IP address, software version, platform, capabilities, and the native VLAN. This information can be used by an attacker to find ways to attack the network, typically in the form of a DoS attack.

Figure 2-22 shows a portion of a Wireshark capture showing the contents of a CDP packet. The Cisco IOS software version discovered via CDP, in particular, would allow the attacker to determine whether there were any security vulnerabilities specific to that particular version of IOS. Also, because CDP is not authenticated, an attacker could craft bogus CDP packets and send them to a directly connected Cisco device.

Figure 2-22 Wireshark CDP Packet Capture

NOTE

It is recommended that you disable the use of CDP on devices or ports that do not need to use it by using the no cdp run global configuration mode command. CDP can be disabled on a per-port basis.

Telnet Attacks

The Telnet protocol is insecure and can be used by an attacker to gain remote access to a Cisco network device. There are tools available that allow an attacker to launch a brute-force password-cracking attack against the vty lines on the switch.

Brute Force Password Attack

A brute-force password attack tries to crack a password on another device. The first phase of a brute-force password attack starts with the attacker using a list of common passwords and a program designed to try to establish a Telnet session using each word on the dictionary list. If the password is not discovered by the first phase, a second phase begins. In the second phase of a brute-force attack, the attacker uses a program that creates sequential character combinations in an attempt to guess the password. Given enough time, a brute-force password attack can crack almost all passwords used.

To mitigate against brute-force password attacks, use strong passwords that are changed frequently. A strong password should have a mix of uppercase and lowercase letters and should include numerals and symbols (special characters). Access to the vty lines can also be limited using an access control list (ACL) that designates what IP address(es) are allowed access to the vty lines.

Telnet DoS Attack

Telnet can also be used to launch a DoS attack. In a Telnet DoS attack, the attacker exploits a flaw in the Telnet server software running on the switch that renders the Telnet service unavailable. This sort of attack prevents an administrator from remotely accessing switch management functions. This can be combined with other direct attacks on the network as part of a coordinated attempt to prevent the network administrator from accessing core devices during the breach.

Vulnerabilities in the Telnet service that permit DoS attacks to occur are usually addressed in security patches that are included in newer Cisco IOS revisions.

NOTE

It is a best practice to use SSH, rather than Telnet, for remote management connections.
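The mitigations named in the CDP note and the two Telnet sections above (disable CDP where it is not needed, restrict the vty lines with an ACL, and use SSH rather than Telnet), applied together to switch S1 as one added example that is not from the chapter. The management subnet 172.17.99.0/24, the assumption that only uplink Gi0/1 needs CDP, and the login lockout thresholds are this example's own choices; the login block-for family of commands is an IOS feature the chapter does not mention.

```cisco
! Added example (not from the chapter): management-plane hardening on S1.
S1# configure terminal
!
! --- CDP: off on every access port, left on only for the Gi0/1 uplink ---
S1(config)# interface range fastethernet 0/1 - 24
S1(config-if-range)# no cdp enable
S1(config-if-range)# exit
! If nothing attached to this switch needs CDP, disable it globally instead:
! S1(config)# no cdp run
!
! --- vty lines: SSH only, and only from the management subnet ---
S1(config)# access-list 10 remark Management stations allowed to reach the vty lines
S1(config)# access-list 10 permit 172.17.99.0 0.0.0.255
S1(config)# line vty 0 15
S1(config-line)# access-class 10 in
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exit
!
! --- Brute-force slowdown: after 3 failed logins within 60 s, refuse new
!     login attempts for 120 s, and log every success and failure ---
S1(config)# login block-for 120 attempts 3 within 60
S1(config)# login on-failure log
S1(config)# login on-success log
! Obscures plaintext passwords in "show run" (type 7, reversible); it is not a
! substitute for "username ... secret".
S1(config)# service password-encryption
S1(config)# end
!
! Verification: CDP neighbours should now appear only via the uplink, the
! login policy should show as configured, and the ACL should show hit counts
! as management stations connect.
S1# show cdp neighbors
S1# show login
S1# show access-lists 10
```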

Activity 2.2.2.4: Common Security Attacks

Go to the online course to perform the practice activity where you match the type of attack to the description.

Security Best Practices (2.2.3)

With so many devices being attached to the wired network, network security is even more important today. Security starts the moment you take a network device, such as a switch, out of the box for the first time. Now that some of the common attacks have been covered, next is what a network administrator can do to protect and counteract those attacks.

Best Practices (2.2.3.1)

Defending your network against attack requires vigilance and education. The following are best practices for securing a network:

Develop a written security policy for the organization.
Shut down unused services and ports.
Use strong passwords and change them often.
Control physical access to devices.
Avoid using standard insecure HTTP websites, especially for login screens; instead use the more secure HTTPS.
Perform backups and test the backed up files on a regular basis.
Educate employees about social engineering attacks, and develop policies to validate identities over the phone, via e-mail, and in person.
Encrypt and password-protect sensitive data.
Implement security hardware and software, such as firewalls.
Keep software up to date by installing security patches weekly or daily, if possible.

These methods are only a starting point for security management. Organizations must remain vigilant at all times to defend against continually evolving threats. Use network security tools to measure the vulnerability of the current network.

Network Security Tools and Testing (2.2.3.2)

Network security tools help a network administrator test a network for weaknesses. Some tools allow an administrator to assume the role of an attacker. Using one of these tools, an administrator can launch an attack against the network and audit the results to determine how to adjust security policies to mitigate those types of attacks. Security auditing and penetration testing are two basic functions that network security tools perform.

Network security testing techniques may be manually initiated by the administrator. Other tests are highly automated. Regardless of the type of testing, the staff that sets up and conducts the security testing should have extensive security and networking knowledge. This includes expertise in the following areas:

Network security
Firewalls
Intrusion prevention systems
Operating systems
Programming
Networking protocols (such as TCP/IP)

Network Security Audits (2.2.3.3)

Network security tools allow a network administrator to perform a security audit of a network. A security audit reveals the type of information an attacker can gather simply by monitoring network traffic.

For example, network security auditing tools allow an administrator to flood the MAC address table with fictitious MAC addresses. This is followed by an audit of the switch ports as the switch starts flooding traffic out of all ports. During the audit, the legitimate MAC address mappings are aged out and replaced with fictitious MAC address mappings. This determines which ports are compromised and not correctly configured to prevent this type of attack.

Timing is an important factor in performing the audit successfully. Different switches support varying numbers of MAC addresses in their MAC table. It can be difficult to determine the ideal amount of spoofed MAC addresses to send to the switch. A network administrator also has to contend with the age-out period of the MAC address table. If the spoofed MAC addresses start to age out while performing a network audit, valid MAC addresses start to populate the MAC address table, limiting the data that can be monitored with a network auditing tool.

Network security tools can also be used for penetration testing against a network. Penetration testing is a simulated attack against the network to determine how vulnerable it would be in a real attack. This allows a network administrator to identify weaknesses within the configuration of networking devices and make changes to make the devices more resilient to attacks. There are numerous attacks that an administrator can perform, and most tool suites come with extensive documentation detailing the syntax needed to execute the desired attack.

Because penetration tests can have adverse effects on the network, they are carried out under very controlled conditions, following documented procedures detailed in a comprehensive network security policy. An offline test bed network that mimics the actual production network is the ideal. The test bed network can be used by networking staff to perform network penetration tests.

Switch Port Security (2.2.4)

Port security is the process of enabling specific commands on switch ports to protect against unauthorized wired devices being attached to the network. An easy way for an intruder to gain access to a corporate network is to plug into an unused Ethernet jack or to unplug an authorized device and use that connector. Cisco provides ways to protect against such behavior.

Secure Unused Ports (2.2.4.1)

The first step in port security is to be aware of ports that are not currently being used on the switch.

Disable Unused Ports

A simple method that many administrators use to help secure the network from unauthorized access is to disable all unused ports on a switch. For example, if a Catalyst 2960 switch has 24 ports and there are three Fast Ethernet connections in use, it is good practice to disable the 21 unused ports. Navigate to each unused port and issue the Cisco IOS shutdown command. If a port later on needs to be reactivated, it can be enabled with the no shutdown command. Figure 2-23 shows partial output for this configuration.

Figure 2-23 Disable Unused Switch Ports

It is simple to make configuration changes to multiple ports on a switch. If a range of ports must be configured, use the interface range command.

Switch(config)# interface range type module/first-number - last-number

The process of enabling and disabling ports can be time consuming, but it enhances security on the network and is well worth the effort.
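The 24-port case from the text, done with the interface range command, as an added example that is not the chapter's Figure 2-23. That Fa0/1 to Fa0/3 are the three ports in use, the port descriptions, and the later re-enabling of Fa0/7 are this example's assumptions.

```cisco
! Added example (not from the chapter): shut down the 21 unused ports at once.
S1# configure terminal
S1(config)# interface range fastethernet 0/4 - 24
S1(config-if-range)# description UNUSED - shut down per security policy
S1(config-if-range)# shutdown
S1(config-if-range)# end
! Verify: the 21 unused ports should now report a status of "disabled",
! while Fa0/1 - Fa0/3 are absent from this filtered output.
S1# show interfaces status | include disabled
! Re-enable a single port when it is put into service, and record why.
S1# configure terminal
S1(config)# interface fastethernet 0/7
S1(config-if)# description Printer, 2nd floor
S1(config-if)# no shutdown
S1(config-if)# end
S1# copy running-config startup-config
```

The description line is not a security control by itself, but it makes a later show interfaces status review unambiguous: a port that is up without a description is a port somebody enabled outside the documented process.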

DHCP Snooping (2.2.4.2)

DHCP snooping is a Cisco Catalyst feature that determines which devices attached to switch ports can respond to DHCP requests. DHCP snooping can be used to prevent unauthorized DHCP messages that contain information such as IP address related data being provided to legitimate network devices.

As part of the DHCP configuration process, switch ports can be identified as trusted and untrusted. Trusted ports can source any type of DHCP message; untrusted ports can source DHCP requests only. This configuration protects the network from someone attacking a device by acting as a rogue DHCP server. Trusted ports host a DHCP server or can be an uplink toward the DHCP server. If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down. This feature can be coupled with DHCP options in which switch information, such as the port ID of the DHCP request, can be inserted into the DHCP request packet.

As shown in Figures 2-24 and 2-25, untrusted ports are those not explicitly configured as trusted. A DHCP binding table is built for untrusted ports. Each entry contains a client MAC address, IP address, lease time, binding type, VLAN number, and port ID recorded as clients make DHCP requests. The table is then used to filter subsequent DHCP traffic. From a DHCP snooping perspective, untrusted access ports should not send any DHCP server responses.

Figure 2-24 DHCP Snooping Operation

Figure 2-25 DHCP Snooping Configuration

These steps illustrate how to configure DHCP snooping on a Catalyst 2960 switch:

Step 1. Enable DHCP snooping using the ip dhcp snooping global configuration mode command.

Step 2. Enable DHCP snooping for specific VLANs using the ip dhcp snooping vlan number command.

Step 3. Define ports as trusted at the interface level by defining the trusted ports using the ip dhcp snooping trust command.

Step 4. (Optional) Limit the rate at which an attacker can continually send bogus DHCP requests through untrusted ports to the DHCP server using the ip dhcp snooping limit rate rate command.
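The four steps carried out on switch S1 as one added example (not the chapter's Figure 2-25). That clients live in VLAN 10, that the DHCP server is reached through uplink Gi0/1, that Fa0/1 to Fa0/24 are access ports, the rate limit of 6 packets per second, and the handling of Option 82 are this example's own assumptions.

```cisco
! Added example (not from the chapter): DHCP snooping on a Catalyst 2960.
S1# configure terminal
! Step 1: enable the feature globally (it filters nothing until a VLAN is listed).
S1(config)# ip dhcp snooping
! Step 2: snoop the client VLAN(s).
S1(config)# ip dhcp snooping vlan 10
! The switch inserts Option 82 (switch and port ID) into relayed requests by
! default; if the DHCP server is not configured to accept it, leases fail.
! Turn the insertion off unless the server side expects it (assumption here).
S1(config)# no ip dhcp snooping information option
! Step 3: only the uplink toward the real server may source OFFER/ACK messages.
S1(config)# interface gigabitethernet 0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
! Step 4 (optional): cap the DISCOVER/REQUEST rate on the untrusted access
! ports so a starvation attempt err-disables the offending port instead of
! draining the pool.
S1(config)# interface range fastethernet 0/1 - 24
S1(config-if-range)# ip dhcp snooping limit rate 6
S1(config-if-range)# end
! Verification: trusted ports and rate limits, then the binding table that
! fills as clients on untrusted ports lease addresses.
S1# show ip dhcp snooping
S1# show ip dhcp snooping binding
```

A DHCP server response arriving on any of the Fa0/1 to Fa0/24 ports is dropped because they are untrusted; the binding table built from the legitimate exchanges through Gi0/1 is what later features such as Dynamic ARP Inspection can build on.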

Port Security: Operation (2.2.4.3)

All switch ports (interfaces) should be secured before the switch is deployed for production use. One way to secure ports is by implementing a feature called port security. Cisco port security limits the number of valid MAC addresses allowed on a port. The MAC addresses of legitimate devices are allowed access, while other MAC addresses are denied.

Port Security

Port security can be configured to allow one or more MAC addresses. If the number of MAC addresses allowed on the port is limited to one, then only the device with that specific MAC address can successfully connect to the port.

If a port is configured as a secure port and the maximum number of MAC addresses is reached, any additional attempts to connect by unknown MAC addresses will generate a security violation.

NOTE

Remember that when implementing port security on a switch port to:

Turn port security on before doing any other commands.
Specify a single MAC address or a group of valid MAC addresses allowed on the port.
Specify that a port automatically shuts down if unauthorized MAC addresses are detected.

Secure MAC Address Types

There are a number of ways to configure port security. The type of secure address is based on the configuration and includes:

Static secure MAC addresses: MAC addresses that are manually configured on a port by using the switchport port-security mac-address mac-address interface configuration mode command. MAC addresses configured in this way are stored in the address table and are added to the running configuration on the switch.

Dynamic secure MAC addresses: MAC addresses that are dynamically learned and stored only in the address table. MAC addresses configured in this way are removed when the switch restarts.

Sticky secure MAC addresses: MAC addresses that can be dynamically learned or manually configured, stored in the address table, and added to the running configuration.

Sticky Secure MAC Addresses

To configure an interface to convert dynamically learned MAC addresses to sticky secure MAC addresses and add them to the running configuration, you must enable sticky learning. Sticky learning is enabled on an interface by using the switchport port-security mac-address sticky interface configuration mode command.

When this command is entered, the switch converts all dynamically learned MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. All sticky secure MAC addresses are added to the address table and to the running configuration.

Sticky secure MAC addresses can also be manually defined. When sticky secure MAC addresses are configured by using the switchport port-security mac-address sticky mac-address interface configuration mode command, all specified addresses are added to the address table and the running configuration.

If the sticky secure MAC addresses are saved to the startup configuration file, then when the switch restarts or the interface shuts down, the interface does not need to relearn the addresses. If the sticky secure addresses are not saved, they will be lost.

If sticky learning is disabled by using the no switchport port-security mac-address sticky interface configuration mode command, the sticky secure MAC addresses remain part of the address table but are removed from the running configuration.

The following list shows the characteristics of sticky secure MAC addresses.

Learned dynamically, converted to sticky secure MAC addresses stored in the running-config.
Removed from the running-config if port security is disabled.
Lost when the switch reboots (power cycled).
Saving sticky secure MAC addresses in the startup-config makes them permanent, and the switch retains them after a reboot.
Disabling sticky learning converts sticky MAC addresses to dynamic secure addresses and removes them from the running-config.

NOTE

On a switch port, switchport port-security commands will not function until port security is enabled.

Port Security: Violation Modes (2.2.4.4)

It is a security violation when either of these situations occurs:

The maximum number of secure MAC addresses have been added to the address table for that interface, and a station whose MAC address is not in the address table attempts to access the interface.
An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

An interface can be configured for one of three violation modes, specifying the action to be taken if a violation occurs. Table 2-9 presents which kinds of data traffic are forwarded when one of the following security violation modes are configured on a port:

Protect: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed or the number of maximum allowable addresses is increased. There is no notification that a security violation has occurred.

Restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed or the number of maximum allowable addresses is increased. In this mode, there is a notification that a security violation has occurred.

Shutdown: In this (default) violation mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It increments the violation counter. When a secure port is in the error-disabled state, it can be brought out of this state by entering the shutdown and no shutdown interface configuration mode commands.

Table 2-9 Security Violation Modes

Violation Mode   Forwards Traffic   Sends Syslog Message   Displays Error Message   Increases Violation Counter   Shuts Down Port
Protect          No                 No                     No                       No                            No
Restrict         No                 Yes                    No                       Yes                           No
Shutdown         No                 No                     No                       Yes                           Yes

Security violations occur in these situations:

A station with a MAC address that is not in the address table attempts to access the interface when the table is full.
An address is being used on two secure interfaces in the same VLAN.

To change the violation mode on a switch port, use the switchport port-security violation {protect | restrict | shutdown} interface configuration mode command.

Port Security: Configuring (2.2.4.5)

Table 2-10 summarizes the default port security configuration on a Cisco Catalyst switch.

Table 2-10 Port Security Default Settings

Feature                                  Default Setting
Port security                            Disabled on a port
Maximum number of secure MAC addresses   1
Violation mode                           Shutdown. The port shuts down when the maximum number of secure MAC addresses is exceeded.
Sticky address learning                  Disabled

Figure 2-26 shows the topology used when configuring F0/18 on the S1 switch. Table 2-11 shows the Cisco IOS CLI commands needed to configure port security on the Fast Ethernet F0/18 port on the S1 switch. Notice that the example does not specify a violation mode. In this example, the violation mode is the default mode of shutdown.

Figure 2-26 Port Security Configuration Topology

Table 2-11 Cisco Switch IOS CLI Commands for Dynamic Port Security

Specify the interface to be configured for port security.   S1(config)# interface fastethernet 0/18
Set the interface mode to access.                           S1(config-if)# switchport mode access
Enable port security on the interface.                      S1(config-if)# switchport port-security

Table 2-12 shows the commands needed to enable sticky secure MAC addresses for port security on Fast Ethernet port 0/19 of switch S1. As stated earlier, a specific maximum number of secure MAC addresses can be manually configured. In this example, the Cisco IOS command syntax is used to set the maximum number of MAC addresses to 50 for port 0/19. The violation mode is set to the default mode of shutdown.

Table 2-12 Cisco Switch IOS CLI Commands for Sticky Port Security

Specify the interface to be configured for port security.        S1(config)# interface fastethernet 0/19
Set the interface mode to access.                                S1(config-if)# switchport mode access
Enable port security on the interface.                           S1(config-if)# switchport port-security
Set the maximum number of secure addresses allowed on the port.  S1(config-if)# switchport port-security maximum 50
Enable sticky learning.                                          S1(config-if)# switchport port-security mac-address sticky
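Tables 2-11 and 2-12 leave the violation mode at its default of shutdown. The following added example (not from the chapter) keeps the Fa0/18 configuration from Table 2-11 and adds a third port that uses the restrict mode from Table 2-9 together with address aging and automatic err-disable recovery. The port Fa0/20, its two-address maximum, the aging values and the recovery interval are this example's own assumptions.

```cisco
! Added example (not from the chapter): port security with an explicit
! violation mode, aging and err-disable recovery on S1.
S1# configure terminal
! Fa0/18: one device, default shutdown violation mode (as in Table 2-11).
S1(config)# interface fastethernet 0/18
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# exit
! Fa0/20: a desk with an IP phone and a PC behind it (assumption). "restrict"
! drops offending frames, sends a syslog message and counts the violation,
! but keeps the port up for the two allowed devices.
S1(config)# interface fastethernet 0/20
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 2
S1(config-if)# switchport port-security violation restrict
S1(config-if)# switchport port-security mac-address sticky
! Age out dynamic entries idle for 10 minutes so a replaced device does not
! trip the limit; sticky and static entries are not aged unless configured.
S1(config-if)# switchport port-security aging time 10
S1(config-if)# switchport port-security aging type inactivity
S1(config-if)# exit
! Ports in shutdown mode stay err-disabled until an operator intervenes;
! this reopens them after 5 minutes while the syslog trail remains.
S1(config)# errdisable recovery cause psecure-violation
S1(config)# errdisable recovery interval 300
S1(config)# end
! Verification: per-switch summary, per-port detail, the secure address
! table, and the recovery timer.
S1# show port-security
S1# show port-security interface fastethernet 0/20
S1# show port-security address
S1# show errdisable recovery
```

In restrict mode the Security Violation Count field in show port-security interface keeps climbing while the port stays Secure-up, which is the figure to alert on; in shutdown mode the first violation flips Port Status to Secure-shutdown, so the syslog message and the err-disable recovery timer are what an operator sees.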

Port Security: Verifying (2.2.4.6)

Many students make the mistake of forgetting to enable port security before configuring the specific port security options. For any configuration step, verification is important. It is especially important when configuring port security.
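As an added example, not code from the chapter, the following Python script audits running-config text for the mistake just described: ports that carry port-security options (the commands of Tables 2-11 and 2-12) without the bare switchport port-security line, or that were never set to access mode. The sample configuration is constructed for this example.

```python
"""Audit 'show running-config' text for the mistake described above: port-security
options set without the bare 'switchport port-security' line. Added example, not from the chapter."""
from dataclasses import dataclass

# Constructed sample (not from the chapter): Fa0/19 follows Table 2-12,
# Fa0/20 sets an option without enabling the feature, Fa0/21 is not an access port.
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/19
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0025.83e6.4b02
!
interface FastEthernet0/20
 switchport mode access
 switchport port-security maximum 2
!
interface FastEthernet0/21
 switchport port-security
!
"""

@dataclass
class PortSecurity:
    enabled: bool = False      # bare 'switchport port-security' present
    access_mode: bool = False  # 'switchport mode access' present
    has_options: bool = False  # some 'switchport port-security <option>' present
    maximum: int = 1           # IOS default from Table 2-10
    sticky: bool = False

def parse_interfaces(config: str) -> dict:
    """Return {interface name: PortSecurity} parsed from running-config text."""
    blocks, cur = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            cur = blocks.setdefault(raw.split()[1], PortSecurity())
        elif raw.startswith(" ") and cur is not None:
            cmd, words = raw.strip(), raw.split()
            if cmd == "switchport mode access":
                cur.access_mode = True
            elif cmd == "switchport port-security":
                cur.enabled = True
            elif cmd.startswith("switchport port-security "):
                cur.has_options = True
                if words[2] == "maximum":
                    cur.maximum = int(words[3])
                elif words[2:4] == ["mac-address", "sticky"]:
                    cur.sticky = True
        else:
            cur = None  # '!' or any unindented line closes the block
    return blocks

def audit(blocks: dict) -> dict:
    """Return {interface: [findings]} for each port that touches port security."""
    report = {}
    for name, ps in blocks.items():
        if not (ps.enabled or ps.has_options):
            continue
        findings = []
        if not ps.enabled:
            findings.append("options set but 'switchport port-security' is missing")
        if not ps.access_mode:
            findings.append("not in access mode; IOS rejects port security on dynamic ports")
        report[name] = findings
    return report
```

Run the two functions over a saved show running-config capture to list every port whose port-security block is incomplete before trusting the show port-security output that follows.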

Verify Port Security

After configuring port security on a switch, check each interface to verify that port security is set correctly, and check to ensure that the static MAC addresses have been configured correctly.

Verify Port Security Settings

To display port security settings for the switch or for the specified interface, use the show port-security [interface interface-id] command. The output for the dynamic port security configuration is shown as follows. By default, there is one MAC address allowed on this port.

S1# show port-security interface fastethernet 0/18
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0025.83e6.4b01:1
Security Violation Count   : 0

Taking a look at the port after the configuration has been applied shows the values for the sticky port security settings. The maximum number of addresses is set to 50 as configured.

S1# show port-security interface fastethernet 0/19
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 50
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0025.83e6.4b02:1
Security Violation Count   : 0

NOTE

The MAC address in the previous output, 0025.83e6.4b02:1, is identified as a sticky MAC address.

Sticky MAC addresses are added to the MAC address table and to the running configuration. As shown in the output, the sticky MAC address for PC2 has been automatically added to the running configuration for S1.

S1# show run | begin FastEthernet 0/19
interface FastEthernet0/19
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0025.83e6.4b02

Verify Secure MAC Addresses

To display all secure MAC addresses configured on all switch interfaces, or on a specified interface with aging information for each, use the show port-security address command. As shown in the output, the secure MAC addresses are listed along with the types.

S1# show port-security address
          Secure Mac Address Table

Vlan    Mac Address       Type              Ports     Remaining Age
                                                         (mins)

   1    0025.83e6.4b01    SecureDynamic     Fa0/18
   1    0025.83e6.4b02    SecureSticky      Fa0/19

Ports in Error Disabled State (2.2.4.7)

When a port is configured with port security, a violation can cause the port to become error disabled. When a port is error disabled, it is effectively shut down and no traffic is sent or received on that port. A series of port security related messages display on the console as shown.

Sep 20 06:44:54.966: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/18, putting Fa0/18 in err-disable state
Sep 20 06:44:54.966: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.292b.4c75 on port FastEthernet0/18.
Sep 20 06:44:53.973: %LINEPROTO-5-PPDOWN: Line protocol on Interface FastEthernet0/18, changed state to down
Sep 20 06:44:56.971: %LINK-3-UPDOWN: Interface FastEthernet0/18, changed state to down

NOTE

Notice in the output how the port protocol and link status changed to down.

Another indication that a port security violation has occurred is that the switch port LED will change to orange. The show interfaces command identifies the port status as err-disabled as shown in the following output. The output of the show port-security interface command now shows the port status as secure-shutdown. Because the port security violation mode is set to shutdown, the port with the security violation goes to the error disabled state.

S1# show interfaces fastethernet 0/18 status

Port      Name               Status         Vlan       Duplex  Speed Type
Fa0/18                       err-disabled   1          auto    auto  10/100BaseTX

S1# show port-security interface fastethernet 0/18
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 000c.292b.4c75:1
Security Violation Count   : 1

The administrator should determine what caused the security violation before re-enabling the port. If an unauthorized device is connected to a secure port, the port should not be re-enabled until the security threat is eliminated. To re-enable the port, use the shutdown interface configuration mode command. Then, use the no shutdown interface configuration command to make the port operational, as shown in the following output.

S1(config)# interface FastEthernet 0/18
S1(config-if)# shutdown
Sep 20 06:57:28.532: %LINK-5-CHANGED: Interface FastEthernet0/18, changed state to administratively down
S1(config-if)# no shutdown
Sep 20 06:57:48.186: %LINK-3-UPDOWN: Interface FastEthernet0/18, changed state to up
Sep 20 06:57:49.193: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/18, changed state to up
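As an added example, not code from the chapter, the following Python script correlates the console messages and the show port-security interface output shown above into one incident record, so that the offending MAC address and the err-disable cause can be reviewed before the port is re-enabled. The log lines and command output are constructed samples modelled on the ones above.

```python
"""Build an err-disabled incident record from IOS console messages and
'show port-security interface' output. Added example, not code from the chapter."""
import re

# Constructed sample input, modelled on the console messages and output shown above.
SYSLOG = """\
Sep 20 06:44:54.966: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/18, putting Fa0/18 in err-disable state
Sep 20 06:44:54.966: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.292b.4c75 on port FastEthernet0/18.
Sep 20 06:44:56.971: %LINK-3-UPDOWN: Interface FastEthernet0/18, changed state to down
"""

SHOW_PORT_SECURITY = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Last Source Address:Vlan   : 000c.292b.4c75:1
Security Violation Count   : 1
"""

TS = r"^(?P<ts>\w{3} +\d+ [\d:.]+): "
VIOLATION_RE = re.compile(TS + r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address "
                          r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?$")
ERRDISABLE_RE = re.compile(TS + r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>\S+),")

def parse_violations(log: str) -> list:
    """Return one dict per PSECURE_VIOLATION message: {ts, mac, port}."""
    return [m.groupdict() for m in map(VIOLATION_RE.match, log.splitlines()) if m]

def parse_errdisable(log: str) -> dict:
    """Return {abbreviated port: cause} for every %PM-4-ERR_DISABLE message."""
    return {m["port"]: m["cause"] for m in map(ERRDISABLE_RE.match, log.splitlines()) if m}

def parse_show_port_security(text: str) -> dict:
    """Turn the 'Field : Value' lines of show port-security interface into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def short_name(port: str) -> str:
    """FastEthernet0/18 -> Fa0/18, the abbreviation used in %PM-4-ERR_DISABLE messages."""
    return re.sub(r"^([A-Z][a-z])[A-Za-z]*", r"\1", port)

def build_incident(log: str, show_text: str) -> dict:
    """Correlate the latest violation message with the err-disable cause and port status."""
    violations = parse_violations(log)
    if not violations:
        return {}
    v = violations[-1]
    status = parse_show_port_security(show_text)
    last_mac = status.get("Last Source Address:Vlan", "").split(":")[0]
    return {
        "port": v["port"],
        "offending_mac": v["mac"],
        "errdisable_cause": parse_errdisable(log).get(short_name(v["port"])),
        "secure_shutdown": status.get("Port Status") == "Secure-shutdown",
        "status_matches_log": last_mac == v["mac"],  # same MAC in both sources
        "violation_count": int(status.get("Security Violation Count", "0")),
    }
```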

Network Time Protocol (NTP) (2.2.4.8)

Having the correct time within networks is important. Correct time stamps are required to accurately track network events such as security violations. Additionally, clock synchronization is critical for the correct interpretation of events within syslog data files as well as for digital certificates.

Network Time Protocol (NTP) is a protocol that is used to synchronize the clocks of computer systems over packet-switched, variable-latency data networks. NTP allows network devices to synchronize their time settings with an NTP server. A group of NTP clients that obtain time and date information from a single source will have more consistent time settings.

A secure method of providing clocking for the network is for network administrators to implement their own private network master clocks, synchronized to UTC, using satellite or radio. However, if network administrators do not want to implement their own master clocks because of cost or other reasons, other clock sources are available on the Internet. NTP can get the correct time from an internal or external time source, including the following:

Local master clock
Master clock on the Internet
GPS or atomic clock

A network device can be configured as either an NTP server or an NTP client. To allow the software clock to be synchronized by an NTP time server, use the ntp server ip-address command in global configuration mode. A sample configuration is shown in Figure 2-27. Router R2 is configured as an NTP client, while router R1 serves as an authoritative NTP server.

Figure 2-27 Configuring NTP

To configure a device as having an NTP master clock to which peers can synchronize themselves, use the ntp master [stratum] command in global configuration mode. The stratum value is a number from 1 to 15 and indicates the NTP stratum number that the system will claim. If the system is configured as an NTP master and no stratum number is specified, it will default to stratum 8. If the NTP master cannot reach any clock with a lower stratum number, the system will claim to be synchronized at the configured stratum number, and other systems will be willing to synchronize to it using NTP.

Figure 2-28 displays the verification of NTP. To display the status of NTP associations, use the show ntp associations command in privileged EXEC mode. This command will indicate the IP address of any peer devices that are synchronized to this peer, statically configured peers, and stratum number. The show ntp status user EXEC command can be used to display such information as the NTP synchronization status, the peer that the device is synchronized to, and in which NTP strata the device is functioning.

Figure 2-28 Verifying NTP

Packet Tracer Activity 2.2.4.9: Configuring Switch Port Security

In this activity, you will configure and verify port security on a switch. Port security allows you to restrict ingress traffic on a switch port by limiting the MAC addresses that are allowed to send traffic into the port.

Packet Tracer Activity 2.2.4.10: Troubleshooting Switch Port Security

The employee who normally uses PC1 brought his laptop from home, disconnected PC1, and connected the laptop to the telecommunication outlet. After reminding him of the security policy that does not allow personal devices on the network, you now must reconnect PC1 and re-enable the port.

Lab 2.2.4.11: Configuring Switch Security Features

In this lab, you will complete the following objectives:

Part 1: Set Up the Topology and Initialize Devices
Part 2: Configure Basic Device Settings and Verify Connectivity
Part 3: Configure and Verify SSH Access on S1
Part 4: Configure and Verify Security Features on S1

Summary (2.3)

Now that you are getting the sense of what network administrators do to configure basic features and security features on a switch, you are ready to look back and review all you have learned. Then perform the activity and skills integration challenge to prove to yourself you are ready to move to the next chapter.

Class Activity 2.3.1.1: Switch Trio

Scenario

You are the network administrator for a small- to medium-sized business. Corporate headquarters for your business has mandated that on all switches in all offices, security must be implemented. The memorandum delivered to you this morning states:

By Monday, April 18, 20xx, the first three ports of all configurable switches located in all offices must be secured with MAC addresses: one address will be reserved for the PC, one address will be reserved for the laptop in the office, and one address will be reserved for the office server.

If security is breached, we ask you to shut the affected port down until the reason for the breach can be certified.

Please implement this policy no later than the date stated in this memorandum. For questions, call 1.800.555.1212. Thank you. The Network Management Team.

Work with a partner in the class and create a Packet Tracer example to test this new security policy. After you have created your file, test it with at least one device to ensure it is operational or validated.

Save your work and be prepared to share it with the entire class.

Packet Tracer Activity 2.3.1.2: Skills Integration Challenge

The network administrator asked you to configure a new switch. In this activity, you will use a list of requirements to configure the new switch with initial settings, SSH, and port security.

When a Cisco LAN switch is first powered on, it goes through the following boot sequence:

Step 1. First, the switch loads a power-on self-test (POST) program stored in ROM. POST checks the CPU subsystem. It tests the CPU, DRAM, and the portion of the flash device that makes up the flash file system.

Step 2. Next, the switch loads the boot loader software. The boot loader is a small program stored in ROM and is run immediately after POST successfully completes.

Step 3. The boot loader performs low-level CPU initialization. It initializes the CPU registers, which control where physical memory is mapped, the quantity of memory, and its speed.

Step 4. The boot loader initializes the flash file system on the system board.

Step 5. Finally, the boot loader locates and loads a default IOS operating system software image into memory and hands control of the switch over to the IOS.

The specific Cisco IOS file that is loaded is specified by the BOOT environment variable. After the Cisco IOS is loaded, it uses the commands found in the startup-config file to initialize and configure the interfaces. If the Cisco IOS files are missing or damaged, the boot loader program can be used to reload or recover from the problem.

The operational status of the switch is displayed by a series of LEDs on the front panel. These LEDs display such things as port status, duplex, and speed.

An IP address is configured on the SVI of the management VLAN to allow for remote configuration of the device. A default gateway belonging to the management VLAN must be configured on the switch using the ip default-gateway command. If the default gateway is not properly configured, remote management is not possible. It is recommended that Secure Shell (SSH) be used to provide a secure (encrypted) management connection to a remote device to prevent the sniffing of unencrypted usernames and passwords, which is possible when using protocols such as Telnet.

One of the advantages of a switch is that it allows full-duplex communication between devices, effectively doubling the communication rate. Although it is possible to specify the speed and duplex settings of a switch interface, it is recommended that the switch be allowed to set these parameters automatically to avoid errors.

Switch port security is a requirement to prevent such attacks as MAC address flooding and DHCP spoofing. Switch ports should be configured to allow only frames with specific source MAC addresses to enter. Frames from unknown source MAC addresses should be denied and cause the port to shut down to prevent further attacks.

Port security is only one defense against network compromise. There are 10 best practices that represent the best insurance for a network:

Develop a written security policy for the organization.
Shut down unused services and ports.
Use strong passwords and change them often.
Control physical access to devices.
Avoid using standard insecure HTTP websites, especially for login screens. Instead use the more secure HTTPS.
Perform backups and test the backed-up files on a regular basis.
Educate employees about social engineering attacks, and develop policies to validate identities over the phone, via email, and in person.
Encrypt sensitive data and protect it with a strong password.
Implement security hardware and software, such as firewalls.
Keep IOS software up to date by installing security patches weekly or daily, if possible.

These methods are only a starting point for security management. Organizations must remain vigilant at all times to defend against continually evolving threats.

NTP is used to synchronize the date and time among network devices. NTP clients can synchronize their time settings with an NTP server. Clock synchronization is important when using system log messages for verification and troubleshooting.

Practice

The following activities provide practice with the topics introduced in this chapter. The Labs and Class Activities are available in the companion Routing and Switching Essentials Lab Manual (9781587133206). You can find the Packet Tracer Activities PKA files in the online course.

Class Activities

Class Activity 2.0.1.2: Stand By Me

Class Activity 2.3.1.1: Switch Trio

Labs

Lab 2.1.1.6: Basic Switch Configuration

Lab 2.2.4.11: Configuring Switch Security Features

Packet Tracer Activities

Packet Tracer Activity 2.2.1.4: Configuring SSH

Packet Tracer Activity 2.2.4.9: Configuring Switch Port Security

Packet Tracer Activity 2.2.4.10: Troubleshooting Switch Port Security

Packet Tracer Activity 2.3.1.2: Skills Integration Challenge

Check Your Understanding Questions

Complete all the review questions listed here to test your understanding of the topics and concepts in this chapter. The appendix, "Answers to the Check Your Understanding Questions," lists the answers.

1. Which three options correctly associate the command with the paired behavior? (Choose three.)

A. switchport port-security violation protect: Frames with unknown source addresses are dropped and a notification is sent.
B. switchport port-security violation restrict: Frames with unknown source addresses are dropped and no notification is sent.
C. switchport port-security violation shutdown: Frames with unknown source addresses result in the port becoming error-disabled, and a notification is sent.
D. switchport port-security mac-address sticky: Allows dynamically learned MAC addresses to be stored in the running configuration.
E. switchport port-security maximum: Defines the number of MAC addresses associated with a port.

2. What is the effect of entering the following command on a Fast Ethernet switch port?

SW1(config-if)# duplex full

A. The connected device communicates in two directions, but only one direction at a time.
B. The switch port returns to its default configuration.
C. If the device connected to this port is also set for full duplex, the device participates in collision-free communication.
D. The efficiency of this configuration is typically rated at 50 to 60 percent.
E. The connected device should be configured as half duplex.

3. Which two tasks does autonegotiation in an Ethernet network accomplish? (Choose two.)

A. Sets the link speed
B. Sets the IP address
C. Sets the link duplex mode
D. Sets MAC address assignments on switch port
E. Sets the ring speed

4. Why should a default gateway be assigned to a switch?

A. So that there can be remote connectivity to the switch via such programs as Telnet and ping
B. So that frames can be sent through the switch to the router
C. So that frames generated from workstations and destined for remote networks can pass to a higher level
D. So that other networks can be accessed from the command prompt of the switch
5. The network administrator wants to configure an IP address on a Cisco switch. How does the network administrator assign the IP address?

A. In privileged EXEC mode
B. On the switch interface FastEthernet0/0
C. On the management VLAN
D. On the physical interface connected to the router or next-hop device

6. Which option correctly associates the Layer 2 security attack with the description?

A. MAC address flooding: Broadcast requests for IP addresses with spoofed MAC addresses.
B. DHCP starvation: Using proprietary Cisco protocols to gain information about a switch.
C. CDP attack: The attacker fills the switch MAC address table with invalid MAC addresses.
D. Telnet attack: Using brute force password attacks to gain access to a switch.

7. What is an advantage of using SSH over Telnet when remotely connecting to a switch?

A. Encryption
B. More connection lines
C. Connection-oriented services
D. Username and password authentication

8. Consider the configuration. Which two commands are not needed on the switch in order for a remote network administrator to access the switch using SSH?

A. Switch(config)# ip domain-name mydomain.com
B. Switch(config)# crypto key generate rsa
C. Switch(config)# ip ssh version 2
D. Switch(config)# line vty 0 15
E. Switch(config-if)# transport input ssh
9. What is an advantage of having the correct date and time on a network device?

A. Network administrators are provided with correct time stamps on log messages.
B. When working at the console prompt, the network administrator has a good idea how long the configuration or troubleshooting process is taking.
C. Other devices can use CDP to discover neighbor device information if the time and date are synchronized between the two devices.
D. Secure remote connectivity can be accomplished if the date and time are accurate.

10. What is the purpose of DHCP snooping?

A. Ensures devices are configured for automatic IP address assignment
B. Prevents unauthorized DHCP servers
C. Prevents DHCP messages from going across a trunk
D. Prevents DHCP messages from being sent to another network

11. What is a Cisco best practice for deploying switches?

A. When a server connects to a switch, the switch port should have the port speed manually configured, but the autonegotiation feature used for duplex.
B. A compound word should be used as a password on an infrastructure network device such as a switch.
C. Telnet should be used whenever possible on the switch vty lines.
D. The enable secret password should be used when configuring a switch to use SSH on the vty lines.

12. When would auto-MDIX be best to use?

A. When a switch connects to a router
B. When a switch connects to another switch
C. When any device connects to an access layer switch
D. When the cable type is unknown

© 2017 Pearson Education, Cisco Press. All rights reserved.
800 East 96th Street, Indianapolis, Indiana 46240
