ITNW3101 Lecture10


Lecture 10: Basic Switch Concepts and Configuration
Lecture 10: Objectives
Upon completion of this lecture, you will be able to:
• Explain the Cisco switch boot sequence and how to recover when the IOS fails to load.
• Configure initial settings on a Cisco switch.
• Configure switch ports to meet network requirements.
• Configure the management switch virtual interface.
• Describe basic security attacks in a switched environment.
• Describe security best practices in a switched environment.
• Configure the port security feature to restrict network access.
Basic Switch Configuration

Switch Boot Sequence


1. Power-on self test (POST).
2. Run boot loader software.
3. Boot loader performs low-level CPU initialization.
4. Boot loader initializes the flash file system.
5. Boot loader locates and loads a default IOS operating system software
image into memory and passes control of the switch over to the IOS.
Basic Switch Configuration

Switch Boot Sequence (cont.)


To find a suitable Cisco IOS image, the switch goes through the following steps:
Step 1. It attempts to automatically boot by using information in the BOOT
environment variable.
Step 2. If this variable is not set, the switch performs a top-to-bottom search
through the flash file system. It loads and executes the first
executable file, if it can.
Step 3. The IOS software then initializes the interfaces using the Cisco IOS
commands found in the configuration file and startup configuration,
which is stored in NVRAM.
Note: The boot system command can be used to set the BOOT
environment variable.
Basic Switch Configuration

Recovering from a System Crash


• The boot loader can also be used to manage the switch when the IOS cannot be loaded.
• The boot loader is reached through a console connection:
1. Connect a PC to the switch console port with a console cable and
unplug the switch power cord.
2. Reconnect the power cord to the switch while pressing and holding
the Mode button.
3. The System LED turns briefly amber and then solid green; release
the Mode button.
• The boot loader switch: prompt then appears in the terminal emulation software
on the PC.
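As an added example (not part of the lecture slides), the IOS session below shows both halves of this process: pinning the image the switch should boot with the boot system command, and starting the same image by hand from the boot loader prompt when the automatic boot has failed. The hostname S1 and the image path are assumptions; dir flash: shows the real file name on a given switch.

```cisco
! --- Normal operation: set and check the BOOT environment variable ---
S1# dir flash:
! Locate the IOS image; the directory/file name below is an assumed example.
S1# configure terminal
S1(config)# boot system flash:/c2960-lanbasek9-mz.150-2.SE/c2960-lanbasek9-mz.150-2.SE.bin
S1(config)# end
! "BOOT path-list" should now show the image path just configured.
S1# show boot
S1# copy running-config startup-config

! --- Recovery: at the switch: prompt reached with the Mode button ---
! Initialise the flash file system before any flash: command will work.
switch: flash_init
switch: dir flash:
! Start the image manually for this boot ...
switch: boot flash:c2960-lanbasek9-mz.150-2.SE/c2960-lanbasek9-mz.150-2.SE.bin
! ... and, once it is known to work, make that choice persistent.
switch: set BOOT flash:c2960-lanbasek9-mz.150-2.SE/c2960-lanbasek9-mz.150-2.SE.bin
```

After the image is up, show boot confirms the variable, and the startup configuration in NVRAM (config.text on a Catalyst 2960) is applied as described in Step 3 above.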
Basic Switch Configuration

Switch LED Indicators


• Each port on a Cisco Catalyst switch has a status LED indicator light.
• By default these LEDs reflect port activity, but they can also display other
information about the switch, selected by pressing the Mode button.
• The following modes are available on Cisco Catalyst 2960 switches:
• System LED
• Redundant Power System (RPS) LED
• Port Status LED
• Port Duplex LED
• Port Speed LED
• Power over Ethernet (PoE) Mode LED
Basic Switch Configuration

Cisco Catalyst 2960 Switch Modes


Basic Switch Configuration

Preparing for Basic Switch Management

• To remotely manage a Cisco switch, it must be configured to access the
network.
• An IP address and a subnet mask must be configured.
• If the switch is managed from a remote network, a default gateway must
also be configured.
• The IP information (address, subnet mask, gateway) is assigned to
a switch virtual interface (SVI).
• Although these IP settings allow remote management and remote
access to the switch, they do not allow the switch to route Layer 3
packets.
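The following configuration is an added example rather than a slide from the lecture. It places the management SVI in a dedicated VLAN instead of the default VLAN 1, sets the default gateway, and makes sure the SVI can actually come up. The hostname S1, VLAN 99, the 192.168.99.0/24 addresses and the uplink port are assumptions.

```cisco
S1# configure terminal
! Dedicated management VLAN (VLAN 99 is an assumed choice; avoid VLAN 1).
S1(config)# vlan 99
S1(config-vlan)# name Management
S1(config-vlan)# exit
! Assign the management IP information to the SVI for that VLAN.
S1(config)# interface vlan 99
S1(config-if)# description Management SVI
S1(config-if)# ip address 192.168.99.2 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
! Needed only when the switch is managed from another subnet. The switch
! still does not route; it only learns where to send its own replies.
S1(config)# ip default-gateway 192.168.99.1
! An SVI is up only if its VLAN exists and at least one port in that
! VLAN is up. Here the uplink to the router carries VLAN 99.
S1(config)# interface gigabitethernet 0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 99
S1(config-if)# end
! Vlan99 should show "up/up"; "up/down" means no active port in VLAN 99.
S1# show ip interface brief
S1# copy running-config startup-config
```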
Basic Switch Configuration

Preparing for Basic Switch Management (cont.)


Configuring Switch Ports

Duplex Communication
Configuring Switch Ports

Configuring Switch Ports at the Physical Layer


Configuring Switch Ports

Auto-MDIX Feature
• Historically, a specific cable type (straight-through or crossover) was
required depending on the devices being connected.
• The automatic medium-dependent interface crossover (auto-MDIX)
feature removes this requirement.
• When auto-MDIX is enabled, the interface detects the cable type and
configures the connection accordingly.
• For auto-MDIX to work on an interface, the interface speed and duplex
must be set to auto.
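An added example (not from the lecture) of enabling and verifying auto-MDIX on one port; the hostname S1 and port FastEthernet 0/1 are assumptions.

```cisco
S1# configure terminal
S1(config)# interface fastethernet 0/1
! auto-MDIX only works when both speed and duplex are negotiated;
! hard-coding either one silently disables it.
S1(config-if)# speed auto
S1(config-if)# duplex auto
S1(config-if)# mdix auto
S1(config-if)# end
! Confirm the feature is on for the port ...
S1# show controllers ethernet-controller fastethernet 0/1 phy | include MDIX
! ... and check what speed and duplex the link actually negotiated.
S1# show interfaces fastethernet 0/1 | include duplex
```

If the far end has speed or duplex fixed while this side negotiates, the result is a duplex mismatch, which shows up as late collisions and CRC errors in show interfaces rather than as a down link.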
Configuring Switch Ports

Auto-MDIX Feature (cont.)


Configuring Switch Ports

Verifying Switch Port Configuration


Configuring Switch Ports

Network Access Layer Issues


Configuring Switch Ports

Network Access Layer Issues (cont.)


Configuring Switch Ports
Troubleshooting Switch Media (Connection) Issues
Secure Remote Access

SSH Operation
• Secure Shell (SSH) is a protocol that provides a secure (encrypted),
command-line based connection to a remote device.
• SSH is commonly used on UNIX-based systems.
• The Cisco IOS software also supports SSH.
• A version of the IOS software that includes cryptographic features
(a "k9" image) is required to enable SSH on Catalyst 2960
switches.
• Because of its strong encryption, SSH should replace Telnet, which sends
credentials and commands in clear text, for management connections.
• SSH uses TCP port 22 by default. Telnet uses TCP port 23.
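As an added example (not one of the lecture's slides), the session below enables SSHv2 on a Catalyst switch and restricts the vty lines to SSH only. The hostname S1, domain example.com, the admin account and its password are assumptions; use your own.

```cisco
! A crypto-capable (k9) image is required; check the image name first.
S1# show version | include image
S1# configure terminal
! The RSA key pair is named hostname.domain, so both must be set first.
S1(config)# hostname S1
S1(config)# ip domain-name example.com
S1(config)# crypto key generate rsa modulus 2048
! Accept only SSH version 2 and limit each connection's login attempts.
S1(config)# ip ssh version 2
S1(config)# ip ssh time-out 60
S1(config)# ip ssh authentication-retries 2
! Local account used for SSH logins (replace the password).
S1(config)# username admin privilege 15 secret Str0ngPassw0rd!
S1(config)# line vty 0 15
! SSH only: Telnet connections to port 23 are refused from now on.
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# end
! Version, time-out and retries in effect:
S1# show ip ssh
! Currently open SSH sessions and their versions/ciphers:
S1# show ssh
```

Test from a client with ssh admin@<SVI address> before closing the console session, so a mistake in the vty configuration does not lock you out.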
Secure Remote Access

SSH Operation (cont.)


Secure Remote Access

Configuring SSH
Secure Remote Access

Verifying SSH
Security Concerns in LANs

MAC Address Flooding


 A switch builds its CAM (MAC address) table automatically by recording the source
MAC address of each frame that enters a port, together with that port.
 When a frame arrives for a destination MAC address that is not in the CAM table,
the switch floods it out every port except the one it arrived on.
 Under those conditions the switch behaves like a hub: unicast traffic can
be seen by every device connected to it.
 An attacker can exploit this behaviour to see traffic the switch would normally
keep off their port by running a MAC flooding tool on a PC.
 Such a tool generates frames with bogus (typically random) source MAC addresses
and sends them into the switch port at a high rate.
 As each frame arrives, the switch adds its bogus source MAC address to the
CAM table, noting the port the frame arrived on.
Security Concerns in LANs

MAC Address Flooding (cont.)


 Eventually the CAM table fills up with bogus addresses.
 No room is left for the legitimate hosts on the network, so their addresses
are never learned (or age out and cannot be relearned) and lookups for them fail.
 Frames for those hosts are now flooded out all ports, allowing the attacker to
capture traffic destined for other hosts.
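The standard countermeasure is port security, which caps the number of source MAC addresses a port may learn, so a flooding tool fills only its own small allowance rather than the whole CAM table. The configuration below is an added example, not from the lecture; the hostname S1 and port FastEthernet 0/18 are assumptions.

```cisco
S1# configure terminal
S1(config)# interface fastethernet 0/18
! Port security is accepted only on access (or trunk) ports, not on
! ports in dynamic mode.
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
! Allow at most two MAC addresses on this port (e.g. an IP phone and a PC).
S1(config-if)# switchport port-security maximum 2
! Learn the first addresses seen and keep them in the running config.
S1(config-if)# switchport port-security mac-address sticky
! restrict: frames from any further MAC are dropped, counted and logged.
! The default mode, shutdown, err-disables the port instead, which turns
! a flooding attempt into a denial of service for that port.
S1(config-if)# switchport port-security violation restrict
S1(config-if)# end
! Status, mode, maximum, learned count and violation counter:
S1# show port-security interface fastethernet 0/18
! The sticky addresses bound to each port:
S1# show port-security address
! CAM table usage; a flood shows up here as "Dynamic Address Count" rising.
S1# show mac address-table count
```

If shutdown mode is used, an err-disabled port stays down until an administrator enters shutdown followed by no shutdown on it, or errdisable recovery cause psecure-violation is configured to re-enable it automatically after the recovery interval.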
Security Concerns in LANs

MAC Address Flooding (cont.)


An attacker flooding the CAM table with bogus entries.
Security Concerns in LANs

MAC Address Flooding (cont.)


The switch now behaves as a hub.
Security Concerns in LANs

DHCP Spoofing
 DHCP is a network protocol used to automatically assign IP information
(address, subnet mask, default gateway, DNS servers) to hosts.
 Two types of DHCP attacks are:
• DHCP spoofing
• DHCP starvation
 In a DHCP spoofing attack, a rogue DHCP server is placed on the network and
answers client requests with its own addresses and options; by handing out a
default gateway or DNS server it controls, the attacker can redirect client traffic.
 In a DHCP starvation attack, the attacker sends requests from many spoofed MAC
addresses until the legitimate server's address pool is exhausted and it can no
longer serve real clients.
 Starvation is often used before a spoofing attack, so that only the rogue
server still has addresses to offer.
Security Concerns in LANs

DHCP Spoof Attack


Security Concerns in LANs

Leveraging Cisco Discovery Protocol


 The Cisco Discovery Protocol (CDP) is a Cisco-proprietary Layer 2 protocol used
to discover other directly connected Cisco devices.
 Devices use CDP to advertise information about themselves to their neighbours,
so that connections between them can be checked and auto-configured.
 CDP messages are sent unencrypted and unauthenticated, so an attacker listening
on a port can learn the device's management IP address, model and running
software version, and match them against known vulnerabilities.
Note: Cisco recommends disabling CDP where it is not needed, either globally or
on untrusted (user-facing) ports.
Security Concerns in LANs

Leveraging Telnet
 The Telnet protocol is insecure and should be replaced by SSH.
 An attacker can use Telnet as part of other attacks:
• Brute force password attack
• Telnet DoS attack
 When passwords cannot be captured, attackers try as many character
combinations as possible. This attempt to guess the password is known as a
brute force password attack.
 Telnet can be used to test each guessed password against the switch.
Security Concerns in LANs

Leveraging Telnet (cont.)


 In a Telnet DoS attack, the attacker exploits a flaw in the Telnet server
software running on the switch that renders the Telnet service
unavailable.
 This sort of attack prevents an administrator from remotely accessing
switch management functions.
 This can be combined with other direct attacks on the network as part of
a coordinated attempt to prevent the network administrator from
accessing core devices during the breach.
 Vulnerabilities in the Telnet service that permit DoS attacks to occur are
usually addressed in security patches that are included in newer Cisco
IOS revisions.
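The following is an added example (not part of the lecture) that applies the two recommendations from the preceding slides: it shows what CDP discloses and turns it off, then removes Telnet from the vty lines and adds a lockout against password guessing. The hostname S1 and the port ranges are assumptions.

```cisco
! What a neighbour, or an attacker on that port, can read from CDP:
! device ID, management address, platform and the full IOS version string.
S1# show cdp neighbors detail
S1# configure terminal
! Disable CDP on every user-facing port, keeping it on uplinks if needed ...
S1(config)# interface range fastethernet 0/1 - 24
S1(config-if-range)# no cdp enable
S1(config-if-range)# exit
! ... or disable it on the whole switch.
S1(config)# no cdp run
! Brute-force protection: after 3 failed logins within 60 seconds, refuse
! all logins for 120 seconds, and log every failure.
S1(config)# login block-for 120 attempts 3 within 60
S1(config)# login on-failure log
! Remove Telnet entirely: only SSH is accepted on the vty lines, and idle
! sessions are closed after 5 minutes.
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# exec-timeout 5 0
S1(config-line)# end
! Current lockout settings and whether quiet mode is active:
S1# show login
```

login block-for only takes effect on lines that authenticate against local usernames (login local) or AAA, not on lines using a plain line password; pair it with the username configuration from the SSH section.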
Switch Port Security

Secure Unused Ports


Disabling unused ports is a simple, yet efficient security guideline.
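An added example (not from the lecture) of the practice above: unused ports are made plain access ports, parked in a VLAN that carries no traffic, and shut down, so that an attacker who plugs into one gains nothing even if it is later enabled by mistake. The hostname S1, VLAN 999 and the port range are assumptions.

```cisco
S1# configure terminal
! An unused "black hole" VLAN with no SVI and no other members.
S1(config)# vlan 999
S1(config-vlan)# name BLACKHOLE
S1(config-vlan)# exit
! Ports 10-24 are assumed to be unused.
S1(config)# interface range fastethernet 0/10 - 24
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 999
S1(config-if-range)# shutdown
S1(config-if-range)# end
! The ports should now be listed as "disabled" in VLAN 999.
S1# show interfaces status | include disabled
S1# copy running-config startup-config
```

When a port is brought back into service, change its VLAN explicitly; re-enabling it with no shutdown alone would leave the host in the black-hole VLAN.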
Switch Port Security

DHCP Snooping
DHCP snooping classifies switch ports as trusted or untrusted. Only trusted ports
(those facing the legitimate DHCP server or an uplink towards it) may forward DHCP
server messages such as OFFER and ACK; server messages arriving on untrusted ports
are dropped. The switch also records the leases seen on untrusted ports in a
binding table (MAC address, IP address, VLAN, port).
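The configuration below is an added example (not from the lecture) that addresses both DHCP attacks described earlier: trusting only the uplink stops a rogue server's offers, and rate-limiting client messages blunts a starvation attack from a single port. The hostname S1, VLAN 10 and the port roles are assumptions.

```cisco
S1# configure terminal
! Enable DHCP snooping globally and for the VLANs that carry clients.
! Every port is untrusted until told otherwise.
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
! Only the uplink towards the real DHCP server may forward server messages
! (OFFER/ACK); a rogue server on any other port is dropped.
S1(config)# interface gigabitethernet 0/1
S1(config-if)# description Uplink to router / DHCP server
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
! Limit client DHCP messages per second on access ports; a port that
! exceeds the limit is err-disabled, which contains a starvation tool.
S1(config)# interface range fastethernet 0/1 - 24
S1(config-if-range)# ip dhcp snooping limit rate 10
S1(config-if-range)# end
! Enabled VLANs, trusted ports and rate limits:
S1# show ip dhcp snooping
! One line per lease learned on an untrusted port: MAC, IP, VLAN, port.
S1# show ip dhcp snooping binding
```

By default the switch inserts DHCP option 82 (relay agent information) into client requests it forwards; if the DHCP server or an upstream relay rejects such requests, configure no ip dhcp snooping information option.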
Switch Port Security

Network Time Protocol


 The Network Time Protocol (NTP) synchronizes the clocks of computer systems
across data networks.
 NTP can obtain the correct time from an internal or external time source.
 Time sources can be:
• Local master clock
• Master clock on the Internet
• GPS or atomic clock
 A network device can be configured as either an NTP server or an NTP
client.
 Consistent time matters for security: log entries from different devices can
only be correlated, and certificate validity periods checked, when their clocks agree.
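An added example (not from the lecture) with both roles: a router acting as the NTP server and the switch as an authenticated NTP client. The hostnames R1 and S1, the address 192.168.99.1 and the shared key are assumptions.

```cisco
! --- R1: the time source (assumed to have a reliable clock of its own) ---
R1(config)# ntp master 3
R1(config)# ntp authenticate
R1(config)# ntp authentication-key 1 md5 NtpSharedSecret
R1(config)# ntp trusted-key 1

! --- S1: NTP client, 192.168.99.1 is R1's assumed address ---
S1(config)# ntp authenticate
S1(config)# ntp authentication-key 1 md5 NtpSharedSecret
S1(config)# ntp trusted-key 1
! Only responses authenticated with key 1 are accepted, so a spoofed
! server on the LAN cannot move the switch's clock.
S1(config)# ntp server 192.168.99.1 key 1
S1(config)# end
! "Clock is synchronized, stratum 4" once the association is up:
S1# show ntp status
! The server line is marked with "*" when it is the selected source:
S1# show ntp associations
! "Time source is NTP":
S1# show clock detail
```

Synchronization takes a few minutes after configuration; until then show ntp status reports the clock as unsynchronized, which is normal.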
Switch Port Security

Configuring NTP
Switch Port Security

Verifying NTP
Lecture 10: Summary
In this lecture, you learned:
• Cisco LAN switch boot sequence.
• Cisco LAN switch LED modes.
• How to remotely access and manage a Cisco LAN switch through a secure
connection.
• Cisco LAN switch port duplex modes.
• Cisco LAN switch port security, violation modes, and actions.
• Best practices for switched networks.
