Lessons 1 Switching Fundamentals Part2

Chapter 2 discusses the fundamental concepts of switched networks, including the switch boot sequence, configuration, and security measures. It outlines how to manage Cisco switches remotely, configure switch ports, and implement security best practices. The chapter emphasizes the importance of port security and provides guidelines for maintaining network integrity.

Uploaded by

Hoàng Fan

Chapter 2: Basic Switching Concepts and Configuration

Switched Networks

Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Chapter 2
2.0 Introduction
2.1 Switched Environment
2.2 Basic Switch Configuration
2.3 Switch Security: Management and Implementation
2.4 Summary

Chapter 2: Objectives
• Explain the basic concepts of a switched environment.
• Configure initial settings on a Cisco switch.
• Configure switch ports to meet network requirements.
• Configure the management switch virtual interface.
• Describe basic security attacks in a switched environment.
• Describe security best practices in a switched environment.
• Configure the port security feature to restrict network access.

2.1 Basic Switch Configuration

Basic Switch Configuration
Switch Boot Sequence
1. POST (Power On Self Test).
2. Run the boot loader software.
3. Boot loader performs low-level CPU initialization.
4. Boot loader initializes the flash file system.
5. Boot loader locates and loads a default Cisco IOS software image into memory and passes control of the switch to the IOS.

Basic Switch Configuration
Switch Boot Sequence
To find a suitable IOS image, the switch performs the following:
1. It attempts to automatically boot by using information in the BOOT environment variable.
2. If this variable is not set, the switch performs a top-to-bottom search through the flash file system. If possible, it loads and executes the first executable file.
3. The IOS software then initializes the interfaces using the IOS commands found in the configuration file (the startup configuration), which is stored in NVRAM.
Note: You can use the boot system command to set the BOOT environment variable.

Basic Switch Configuration
Recovering from a System Crash
• The boot loader can also be used to manage the switch if the IOS cannot be loaded.
• Access the boot loader through a console connection:
  1. Connect a PC by console cable to the switch console port. Unplug the switch power cord.
  2. Reconnect the power cord to the switch and press and hold down the Mode button.
  3. The System LED turns briefly amber and then solid green. Release the Mode button.
• The boot loader "switch:" prompt appears in the terminal emulation software on the PC.

Basic Switch Configuration
Switch LED Indicators
• Each port on a Cisco Catalyst switch has a status LED indicator light.
• By default, these LED lights reflect port activity, but they can also provide other information about the switch through the Mode button.
• The following modes are available on Cisco Catalyst 2960 switches:
  • System LED
  • Redundant Power System (RPS) LED
  • Port Status LED
  • Port Duplex LED
  • Port Speed LED
  • Power over Ethernet (PoE) Mode LED

Basic Switch Configuration
Switch LED Indicators
Cisco Catalyst 2960 Switch Modes

Basic Switch Configuration
Preparing for Basic Switch Management
• To remotely manage a Cisco switch, it must be configured to access the network.
• An IP address and a subnet mask must be configured.
• If managing the switch from a remote network, a default gateway must also be configured.
• The IP information (address, subnet mask, gateway) must be assigned to a switch virtual interface (SVI).
• Although these IP settings allow remote management and remote access to the switch, they do not allow the switch to route Layer 3 packets.

Basic Switch Configuration
Configuring Basic Switch Management Access

Configure Switch Ports
Duplex Communication

Configure Switch Ports
Configure Switch Ports at the Physical Layer

Configure Switch Ports
Verifying Switch Port Configuration

Configure Switch Ports
Display Interface Status and Statistics
• Output of a show interfaces command

2.2 Switch Security: Management and Implementation

Secure Remote Access
SSH Operation
• Secure Shell (SSH) is a protocol that provides a secure (encrypted) command-line based connection to a remote device.
• SSH is commonly used in UNIX-based systems.
• The IOS software also supports SSH.
• A version of the IOS software that includes cryptographic (encryption) features and capabilities is required to enable SSH on Catalyst 2960 switches.
• Because of its strong encryption features, SSH should replace Telnet for management connections.
• By default, SSH uses TCP port 22 and Telnet uses TCP port 23.

Secure Remote Access
SSH Operation (cont.)

Secure Remote Access
Configuring SSH

Secure Remote Access
Verifying SSH

Security Best Practices
10 Best Practices
1. Develop a written security policy for the organization.
2. Shut down unused services and ports.
3. Use strong passwords and change them often.
4. Control physical access to devices.
5. Use HTTPS instead of HTTP.
6. Perform backup operations on a regular basis.
7. Educate employees about social engineering attacks.
8. Encrypt and password-protect sensitive data.
9. Implement firewalls.
10. Keep software up to date.

Security Best Practices
Network Security Tools And Testing
• Network security tools are very important to network administrators, because they allow an administrator to test the strength of the security measures implemented.
• An administrator can launch an attack against the network and analyze the results.
• This technique also helps determine how to adjust security policies to mitigate those types of attacks.
• Security auditing and penetration testing are two basic functions that network security tools perform.

Security Best Practices
Network Security Audits
• Network security tools can be used to audit the network.
• By monitoring the network, an administrator can assess what type of information an attacker would be able to gather.
• For example, by attacking and flooding the CAM table of a switch, an administrator would learn which switch ports are vulnerable to MAC flooding and correct the issue.
• Network security tools can also be used for penetration testing against a network.
• Penetration testing (or pentesting) is a simulated attack against the network to determine how vulnerable it would be under a real attack.
• Penetration tests can have adverse effects on the network and should be carried out under very controlled conditions.

Switch Port Security
Secure Unused Ports
Disabling unused ports is a simple yet effective security practice.

Switch Port Security
Port Security: Operation
• Port security limits the number of valid MAC addresses allowed on a port.
• MAC addresses of legitimate devices are allowed access, while other MAC addresses are denied.
• Any additional attempts to connect by unknown MAC addresses generate a security violation.
• Secure MAC addresses can be configured in a number of ways:
  • Static secure MAC addresses
  • Dynamic secure MAC addresses
  • Sticky secure MAC addresses

Switch Port Security
Port Security: Violation Modes
• The IOS software considers it a security violation when either of these situations occurs:
  • The maximum number of secure MAC addresses for that interface has been added to the CAM table, and a station whose MAC address is not in the address table attempts to access the interface.
  • An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
• There are three possible actions to take when a violation is detected:
  • Protect
  • Restrict
  • Shutdown

Switch Port Security
Port Security: Configuring
Dynamic Port Security Defaults

Switch Port Security
Port Security: Configuring (cont.)
Configuring Dynamic Port Security

Switch Port Security
Port Security: Configuring (cont.)
Configuring Port Security Sticky

Switch Port Security
Port Security: Verifying
Verifying Port Security Sticky

Switch Port Security
Port Security: Verifying (cont.)
Verifying Port Security Sticky – Running Configuration

Switch Port Security
Port Security: Verifying (cont.)
Verifying Port Security Secure MAC Addresses

Switch Port Security
Ports in Error-Disabled State
• A port security violation can put a switch port in the error-disabled state.
• A port in the error-disabled state is effectively shut down.
• The switch communicates these events through console messages.

Switch Port Security
Ports In Error Disabled State (cont.)
The show interface command also reveals a switch port in the error-disabled state.

Switch Port Security
Ports In Error Disabled State (cont.)
The shutdown and then no shutdown interface commands must be issued to re-enable the port.
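The violation conditions and the protect/restrict/shutdown actions described under Port Security: Violation Modes, together with the error-disabled recovery above, modelled as an added Python example (not code from the Cisco deck). The Switch and SecurePort classes, the log text and the MAC addresses in the usage are constructed for illustration; a single VLAN is assumed.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1              # IOS default: one secure MAC per port
    violation: str = "shutdown"   # IOS default violation mode
    secure_macs: set = field(default_factory=set)
    violations: int = 0           # counter reported by 'show port-security'
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def reenable(self) -> None:
        """Models the operator issuing shutdown, then no shutdown, on the port.
        Learned addresses are kept here, as sticky secure addresses would be."""
        self.err_disabled = False


class Switch:
    def __init__(self, *ports: SecurePort) -> None:
        self.ports = {p.name: p for p in ports}

    def receive(self, port_name: str, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        port = self.ports[port_name]
        if port.err_disabled:
            return False                      # err-disabled: effectively shut down
        if src_mac in port.secure_macs:
            return True
        # Violation condition 2: the address is already secured on another
        # secure port of this switch (single VLAN assumed in this model).
        moved = any(src_mac in p.secure_macs
                    for p in self.ports.values() if p is not port)
        if not moved and len(port.secure_macs) < port.maximum:
            port.secure_macs.add(src_mac)     # dynamic learning of a new MAC
            return True
        # Violation condition 1: table is full and the source MAC is unknown.
        return self._violate(port, src_mac)

    def _violate(self, port: SecurePort, mac: str) -> bool:
        if port.violation == "protect":
            return False                      # silent drop: no counter, no message
        port.violations += 1                  # restrict and shutdown both count
        port.log.append(f"violation by {mac} on {port.name}")  # constructed text
        if port.violation == "shutdown":
            port.err_disabled = True          # stays down until shut / no shut
        return False
```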

Switch Port Security
Network Time Protocol (NTP)
• Having the correct time within networks is important.
• Correct time stamps are required to accurately track network events such as security violations.
• Clock synchronization is also critical for the interpretation of events within syslog data files, as well as for digital certificates.
• Network Time Protocol (NTP) is a protocol used to synchronize the clocks of computer systems over the network.
• NTP allows network devices to synchronize their time settings with an NTP server.

Switch Port Security
Network Time Protocol (NTP) (cont.)
• Some administrators prefer to maintain their own time source for increased security. However, public time sources are available on the Internet for general use.
• A network device can be configured as either an NTP server or an NTP client.
• To allow the software clock to be synchronized by an NTP time server, use the ntp server ip-address command in global configuration mode.

Switch Port Security
Network Time Protocol (NTP) (cont.)
• R2 is configured as an NTP client, receiving time updates from the server, R1.

Chapter 2: Summary
This chapter covered:
• Cisco LAN switch boot sequence
• Cisco LAN switch LED modes
• How to remotely access and manage a Cisco LAN switch through a secure connection
• Cisco LAN switch port duplex modes
• Cisco LAN switch port security, violation modes, and actions
• Best practices for switched networks
