Switch: Basics

CSMA/CD
Carrier Sense : before transmitting, each device senses the medium to check whether other data is already being transmitted.
Multiple Access : in Ethernet, the distance between devices may be so long that one device cannot detect data sent by another, so both devices may transmit at the same time.
Collision Detection : a collision is detected by an abnormal amplitude on the wire. When that happens, each device waits a random backoff time and then starts transmitting again.

Full-duplex switch ports do not use CSMA/CD, because a full-duplex link has its own Tx and Rx lines. This is not the case if the link is half-duplex (see autonegotiation).


Ethernet uses a CRC as its frame checksum.


Auto-MDIX
With auto-MDIX enabled, you can use either a straight-through or a crossover cable to connect devices to the switch.
The auto-MDIX feature is enabled by default on switches running Cisco IOS Release 12.2(18)SE or later. For releases between Cisco IOS Release 12.1(14)EA1 and 12.2(18)SE, the auto-MDIX feature is disabled by default.

propagation delay => the time a packet needs to travel through the medium from the source to the destination (about 0.556 microseconds per 100 m for Cat 5 UTP).

latency => the overall time a packet needs to travel from its source to the destination. Latency comes from three sources: 1. the time the NIC needs to put voltage pulses on the wire, 2. the propagation delay, 3. the time the devices along the path need to process the packet.


Switch Packet Forwarding methods
Store-and-Forward : the switch first stores the data in a buffer until the full frame has been received, and only then forwards it (Cisco switches use this mechanism). While the frame is in the buffer, the switch checks it for errors with the CRC. Store-and-forward is also needed for QoS, where the whole frame must be classified to prioritize traffic.
Cut-through : the switch acts on the data as soon as it is received. The switch only buffers enough of the frame to read the destination address for the CAM table lookup and then forwards the frame. This mechanism does no error checking. There are two types of cut-through: fast-forward -> forwards the frame after seeing only the first 6 bytes (the destination address); fragment-free -> stores the first 64 bytes before forwarding. The reason fragment-free switching stores only the first 64 bytes is that most network errors and collisions occur within the first 64 bytes.
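To make the difference between the three methods concrete, here is an added example (not code from the original notes) that builds an Ethernet II frame with a real CRC-32 FCS and runs it through a store-and-forward, a fast-forward and a fragment-free decision. The MAC addresses and payloads are constructed; Python's zlib.crc32 uses the same polynomial and bit order as the Ethernet FCS.

```python
import struct
import zlib

# Constructed sample addresses (not from the notes above).
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")

MIN_FRAME = 64  # minimum Ethernet frame size; anything shorter is a collision fragment


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame: dst, src, type, payload, then the 32-bit FCS.
    The FCS is CRC-32 over everything before it, sent least-significant byte first."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def fcs_ok(frame: bytes) -> bool:
    """Recompute the CRC over the frame minus its last 4 bytes and compare."""
    body, fcs = frame[:-4], frame[-4:]
    return struct.unpack("<I", fcs)[0] == (zlib.crc32(body) & 0xFFFFFFFF)


def store_and_forward(frame: bytes) -> str:
    """Buffers the whole frame, then checks length and CRC before forwarding."""
    if len(frame) < MIN_FRAME:
        return "drop:runt"
    if not fcs_ok(frame):
        return "drop:crc"
    return "forward"


def fast_forward(frame: bytes) -> str:
    """Acts as soon as the 6-byte destination address is in: no length or CRC check."""
    if len(frame) < 6:
        return "drop:no-destination"
    return "forward"


def fragment_free(frame: bytes) -> str:
    """Buffers the first 64 bytes, so collision fragments are caught,
    but a CRC error anywhere in the frame is not."""
    if len(frame) < MIN_FRAME:
        return "drop:runt"
    return "forward"


def compare(frame: bytes) -> dict:
    """Run the same frame through all three forwarding methods."""
    return {
        "store-and-forward": store_and_forward(frame),
        "fast-forward": fast_forward(frame),
        "fragment-free": fragment_free(frame),
    }


def corrupt(frame: bytes, offset: int) -> bytes:
    """Flip one byte (a bit error on the wire) without recomputing the FCS."""
    damaged = bytearray(frame)
    damaged[offset] ^= 0xFF
    return bytes(damaged)


if __name__ == "__main__":
    good = build_frame(DST, SRC, 0x0800, b"\x00" * 46)  # 14 + 46 + 4 = 64 bytes
    print("good frame:     ", compare(good))
    print("payload error:  ", compare(corrupt(good, 30)))
    print("28-byte runt:   ", compare(build_frame(DST, SRC, 0x0800, b"\x00" * 10)))
```

Only store-and-forward drops the frame with the payload bit error; fragment-free catches the runt but not the CRC error, and fast-forward forwards both, which is the trade-off the notes describe.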


layer 3 switching : just as a layer 2 LAN switch forwards by looking up which port a MAC address corresponds to, layer 3 switching looks up which interface an IP address is associated with.
Routers perform additional Layer 3 services that Layer 3 switches are not capable of performing. Routers are also capable of performing packet forwarding tasks not found on Layer 3 switches, such as establishing remote access connections to remote networks and devices. Dedicated routers are more flexible in their support of WAN interface cards (WIC), making them the preferred, and sometimes only, choice for connecting to a WAN. Layer 3 switches can provide basic routing functions in a LAN and reduce the need for dedicated routers.


*******
Booting
*******
The boot loader finds the Cisco IOS image on the switch by first looking in a directory that has the same name as the image file (excluding the .bin extension). If it does not find it there, the boot loader software searches each subdirectory before continuing the search in the original directory.

IOS initializes the interfaces using the Cisco IOS commands found in the operating system configuration file named config.text, stored in the switch flash memory.

The boot loader also provides access into the switch if the operating system cannot be used. The boot loader has a command-line facility that provides access to the files stored on Flash memory before the operating system is loaded. From the boot loader command line you can enter commands to format the flash file system, reinstall the operating system software image, or recover from a lost or forgotten password.

When the switch is on, the POST begins. During POST, the LEDs blink while a series of tests determine that the switch is functioning properly. When the POST has completed, the SYST LED rapidly blinks green. If the switch fails POST, the SYST LED turns amber. When a switch fails the POST test, it is necessary to repair the switch.



You can show the last 10 commands you have entered with the command "show history". You can change the size of the command history by entering "terminal history size 50" in privileged EXEC mode.


********************
Configuring a switch
********************
To remotely access a switch you must assign the switch an IP address.

Good practice is not to use VLAN 1 as the management VLAN.

You need to configure a default gateway on the switch so that it can reach other LANs from its own command prompt (for example, when you telnet or ping from the switch). To do this, enter the command
ip default-gateway gateway-address
gateway-address : the IP address of the router

configure duplex and speed
duplex auto
speed auto

A network administrator can manage the CAM table. Enter "show mac-address-table" to see what is in the CAM table. You can configure the aging time of MAC addresses learned on a receiving port (the default is 300 secs), and you can also assign a static MAC address to a specific port (static MAC addresses do not age out) by entering
mac-address-table static mac-address vlan (1-4096, ALL) interface interface-id

mac-address : the static MAC address you wish to assign
(1-4096, ALL) : VLAN number
interface-id : interface type and number
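The following is an added example (not code from the notes) that models the CAM table the paragraph describes: dynamic entries that are refreshed by traffic and age out after the 300-second default, static entries that never age, and flooding of frames whose destination is unknown. It goes one step beyond the text by giving the table a fixed capacity, which is an assumption made here to show why a MAC flooding attack (listed under the common attacks below) pushes the switch into flooding everything.

```python
from dataclasses import dataclass

DEFAULT_AGING_SECS = 300  # default aging time for dynamically learned MAC addresses


@dataclass
class CamEntry:
    port: str
    static: bool
    last_seen: float  # time a frame from this source was last seen (unused for static)


class CamTable:
    """MAC-address-to-port table keyed by (vlan, mac), with aging and a capacity.
    The capacity value is an assumption; real switches have a hardware limit."""

    def __init__(self, aging_secs: float = DEFAULT_AGING_SECS, capacity: int = 8192):
        self.aging_secs = aging_secs
        self.capacity = capacity
        self.entries: dict = {}

    def add_static(self, mac: str, vlan: int, port: str) -> None:
        """Equivalent of 'mac-address-table static': never ages, never overwritten."""
        self.entries[(vlan, mac)] = CamEntry(port, True, 0.0)

    def learn(self, mac: str, vlan: int, port: str, now: float) -> bool:
        """Learn (or refresh) a source address; returns False when nothing changed."""
        key = (vlan, mac)
        entry = self.entries.get(key)
        if entry is not None and entry.static:
            return False  # a static entry wins over dynamic learning
        if entry is None and len(self.entries) >= self.capacity:
            return False  # table full: new sources cannot be learned
        self.entries[key] = CamEntry(port, False, now)
        return True

    def age_out(self, now: float) -> int:
        """Remove dynamic entries idle longer than the aging time; return how many."""
        expired = [k for k, e in self.entries.items()
                   if not e.static and now - e.last_seen > self.aging_secs]
        for key in expired:
            del self.entries[key]
        return len(expired)

    def lookup(self, mac: str, vlan: int, now: float) -> str:
        """Return the egress port, or 'FLOOD' when the destination is unknown
        (the frame is then sent out every port in the VLAN except the ingress port)."""
        self.age_out(now)
        entry = self.entries.get((vlan, mac))
        return entry.port if entry else "FLOOD"

    def switch_frame(self, src: str, dst: str, vlan: int, in_port: str, now: float) -> str:
        """Per-frame behaviour: learn the source, then look up the destination."""
        self.learn(src, vlan, in_port, now)
        return self.lookup(dst, vlan, now)

    def show(self) -> list:
        """Rough equivalent of 'show mac-address-table'."""
        return sorted((vlan, mac, e.port, "STATIC" if e.static else "DYNAMIC")
                      for (vlan, mac), e in self.entries.items())


if __name__ == "__main__":
    table = CamTable()
    # Constructed addresses and ports; the clock is passed in explicitly.
    print(table.switch_frame("00:00:00:00:00:0a", "00:00:00:00:00:0b", 1, "Gi0/1", 0.0))
    print(table.switch_frame("00:00:00:00:00:0b", "00:00:00:00:00:0a", 1, "Gi0/2", 10.0))
    print(table.lookup("00:00:00:00:00:0a", 1, 400.0))  # idle longer than 300 s
    table.add_static("00:00:00:00:00:0c", 1, "Gi0/3")
    print(table.show())
```

Passing the clock in as a parameter keeps the aging logic testable without sleeping; a real switch refreshes last_seen on every frame from that source, which is what learn() does when the entry already exists.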

You can copy your running configuration to flash as a backup (so that you can keep more than one saved configuration) by entering the command
copy running-config flash:filename
filename : the name you wish to give the file, for example config.bak1

You can later delete files saved in flash by entering the following command
delete flash:filename

You can also erase the startup configuration in NVRAM by entering either
erase nvram:
erase startup-config

***************
Switch security
***************

You can set a password on a line connection (console, vty) on a switch by entering "password the-password" at the line configuration level; entering "login" then enables the authentication process. (However, the password can be seen by viewing the running-configuration file.)

You can set the password needed to enter privileged EXEC mode by entering one of the two commands
enable password password
enable secret password
However, if you use the "enable password" command, the password is not encrypted and can be viewed in the running-configuration file. When you enter both commands, the password from "enable secret" is the one that is used.

You can apply an access-list to a line connection, similar to applying an access-list to an interface, by entering "access-class" at the line configuration level. The difference is that interfaces use the "access-group" command.

vty lines (you may have up to 16 vty lines, 0 - 15) accept telnet by default. You can change this to SSH (there are several versions of SSH; use SSHv2 because it uses stronger encryption than SSHv1) by entering "transport input ssh" at the line configuration level. You can also enter "transport input all" to allow both telnet and SSH connections.

SSH communication uses DES or 3DES (the algorithm is usually specified by the client) and needs RSA keys, which consist of a public key and a private key. The SSH server must provide its public key; to make the switch serve one, enter "crypto key generate rsa" at the global configuration level.

To overcome the issue of passwords being visible in the configuration file, you can use the password encryption service by entering "service password-encryption" at the global configuration level. The encryption used is called type 7; this is a weak encryption and there are tools to crack passwords encrypted with it.
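Since the three weaknesses above (clear-text "enable password", clear-text line passwords, type 7 obscuring rather than protecting) all leave traces in the configuration text, an audit can find them before an attacker does. The script below is an added example, not part of the original notes: it parses a constructed running-config excerpt (the type 7 string and the ACL number are placeholders) and reports the lines a reviewer would want fixed, including vty lines that still allow telnet or have no access-class.

```python
import re

# Constructed running-config excerpt for the audit; not taken from a real device.
SAMPLE_CONFIG = """\
hostname SW1
enable password cisco123
!
line con 0
 password 7 0123456789ABCDEF
 login
!
line vty 0 4
 password vtypass
 login
 transport input all
!
line vty 5 15
 password vtypass
 login
 access-class 10 in
 transport input ssh
!
end
"""

TYPE7 = re.compile(r"^(enable )?password 7 ")


def parse_config(config: str):
    """Split an IOS-style config into global commands and 'line ...' blocks.
    Indented commands belong to the preceding non-indented line; '!' ends a block."""
    global_cmds, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, blocks


def audit(config: str) -> list:
    """Return human-readable findings for the password and vty weaknesses above."""
    findings = []
    global_cmds, blocks = parse_config(config)

    has_secret = any(c.startswith("enable secret") for c in global_cmds)
    if any(c.startswith("enable password") for c in global_cmds) and not has_secret:
        findings.append("global: 'enable password' without 'enable secret' "
                        "(privileged password readable in the running-config)")
    if "service password-encryption" not in global_cmds:
        findings.append("global: 'service password-encryption' not set "
                        "(line passwords are clear text; type 7 only obscures them)")

    for name, cmds in blocks.items():
        if any(TYPE7.match(c) for c in cmds):
            findings.append(f"{name}: password stored as type 7 (reversible encoding)")
        if name.startswith("line vty"):
            # The notes say vty lines are telnet by default, hence the fallback.
            transport = next((c for c in cmds if c.startswith("transport input")),
                             "transport input telnet")
            if "telnet" in transport or transport.split()[-1] == "all":
                findings.append(f"{name}: '{transport}' allows telnet; use 'transport input ssh'")
            if not any(c.startswith("access-class") for c in cmds):
                findings.append(f"{name}: no 'access-class' limiting management sources")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The audit treats "enable secret" as sufficient when it is present alongside "enable password", matching the note that the secret is the one actually used; a stricter policy would flag the leftover "enable password" anyway.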

To recover a password (if you happen to forget it) you need console access to the switch. The steps are: boot the switch and enter the helper mode, rename the config.text file so that the switch does not load the configuration, and once you are in, rename config.text back and change the old password.


You can set a banner on line connections; "banner login" is shown before the username and password prompt is presented.


***********************
Common Security Attacks
***********************
- MAC flooding
- fake DHCP server (spoofed gateway)
- CDP attack: from CDP an attacker can learn the device version and search for vulnerabilities.
- Telnet attacks: brute force, DoS (vulnerabilities in the telnet server).


*************
Port Security
*************
Port security allows you to restrict which MAC addresses are able to connect to the switch through a port.
There are 3 ways to configure the secure MAC addresses of a port:
- static secure MAC addresses: you specify the MAC addresses allowed to connect to the port. MAC addresses configured this way are stored in the address table and in the running-configuration of the switch. Enter the command "switchport port-security mac-address theAddress" at the interface configuration level.
- dynamic secure MAC addresses: MAC addresses are learned dynamically and stored only in the address table, so they are removed when the switch restarts. Enter the command "switchport port-security" at the interface configuration level.
- sticky secure MAC addresses: MAC addresses are learned dynamically and saved in the running-configuration. Enter "switchport port-security mac-address sticky" at the interface configuration level.

Enter "switchport port-security maximum number" at the interface configuration level to set the maximum number of MAC addresses that can be learned on the interface.

A violation occurs when
- the maximum number of MAC addresses (the default maximum is 1) has been learned and a new MAC address attempts to access the interface.
- a MAC address that has been learned or configured on one secure interface is seen on another secure interface in the same VLAN.

Change the violation mode by entering "switchport port-security violation [protect | restrict | shutdown]"
Security violation modes:
- protect: frames from unknown source addresses are dropped. You are not notified that a violation occurred.
- restrict: frames are dropped, a syslog message is logged, and the violation counter increments.
- shutdown: frames are dropped, a syslog message is logged, the port is shut down, and the violation counter increments. (This is the default mode.)


"show port-security interface interface-id" to see port security status on that interface
"show port-security address" to see the secure MAC addresses table
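The following is an added example (not code from the notes) that models the port security behaviour described in this section: static, dynamic and sticky secure MACs, the per-port maximum, both violation triggers (maximum reached, and a MAC already secured on another interface), and what each violation mode does. It assumes all ports are in one VLAN, uses constructed MAC addresses and port names, and its log text is a constructed message rather than the exact IOS syslog format.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1             # 'switchport port-security maximum' (default 1)
    violation: str = "shutdown"  # protect | restrict | shutdown (default)
    sticky: bool = False         # 'switchport port-security mac-address sticky'
    secure_macs: dict = field(default_factory=dict)  # mac -> static | dynamic | sticky
    violation_count: int = 0
    err_disabled: bool = False
    syslog: list = field(default_factory=list)


class PortSecurity:
    """Secure MAC table for a set of ports, assumed to be in a single VLAN."""

    def __init__(self):
        self.ports = {}

    def enable(self, name, maximum=1, violation="shutdown", sticky=False) -> SecurePort:
        port = SecurePort(name, maximum, violation, sticky)
        self.ports[name] = port
        return port

    def add_static(self, name: str, mac: str) -> None:
        """'switchport port-security mac-address <mac>'."""
        self.ports[name].secure_macs[mac] = "static"

    def _secured_elsewhere(self, mac: str, exclude: str):
        for name, port in self.ports.items():
            if name != exclude and mac in port.secure_macs:
                return name
        return None

    def receive(self, name: str, src_mac: str) -> str:
        """Process one ingress frame and report what happened to it."""
        port = self.ports[name]
        if port.err_disabled:
            return "dropped (port shut down)"
        if src_mac in port.secure_macs:
            return "forwarded"
        other = self._secured_elsewhere(src_mac, name)
        if other is not None or len(port.secure_macs) >= port.maximum:
            return self._violation(port, src_mac, other)
        port.secure_macs[src_mac] = "sticky" if port.sticky else "dynamic"
        return "forwarded"

    def _violation(self, port: SecurePort, mac: str, other) -> str:
        reason = f"already secured on {other}" if other else "maximum reached"
        if port.violation == "protect":
            return "dropped"  # silently: no log entry, counter unchanged
        port.violation_count += 1
        # Constructed log text, not the exact IOS syslog format.
        port.syslog.append(f"port-security violation on {port.name}: {mac} ({reason})")
        if port.violation == "restrict":
            return "dropped"
        port.err_disabled = True  # shutdown mode takes the port down
        return "dropped (port shut down)"

    def reload(self) -> None:
        """Switch restart: dynamic entries vanish; static and sticky entries survive
        because they are in the configuration (assumed saved before the reload)."""
        for port in self.ports.values():
            port.secure_macs = {m: k for m, k in port.secure_macs.items() if k != "dynamic"}

    def status(self, name: str) -> dict:
        """Rough equivalent of 'show port-security interface'."""
        p = self.ports[name]
        return {"port": p.name, "status": "err-disabled" if p.err_disabled else "up",
                "violation_mode": p.violation, "maximum": p.maximum,
                "total": len(p.secure_macs), "violations": p.violation_count}


if __name__ == "__main__":
    ps = PortSecurity()
    ps.enable("Gi0/1")                                   # defaults: max 1, shutdown
    ps.enable("Gi0/2", maximum=2, violation="restrict")
    print(ps.receive("Gi0/1", "00:00:00:00:00:01"))
    print(ps.receive("Gi0/1", "00:00:00:00:00:02"))      # second MAC: violation
    print(ps.status("Gi0/1"))
```

The shutdown mode is the safe default because a flood of new source addresses (the MAC flooding attack above) stops after the first unknown one; restrict keeps the port up but leaves a log trail, and protect gives no signal at all, which is why it is the hardest to monitor.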


A good practice is to shut down unused ports. You can use the "interface range" command to shut down a range of ports at once.
