Thursday, June 12, 2014

CCNA v5.0 Module 2, Chapter 2 - Basic Switching Concepts and Configuration

Switches are used to connect multiple devices together on the same network.
They are responsible for directing and controlling the flow of data at the access layer to networked resources.

Cisco switches are self-configuring: no additional configuration is necessary for them to function out of the box. However, they can be manually configured to adjust port speed, bandwidth, and security requirements. They can be managed locally or remotely (remote management needs an IP address and a default gateway).
The access layer is the most vulnerable area of the network because it is so exposed to the user.
Switches need to be configured to be resilient to attacks of all types while they protect user data and allow for high-speed connections. Port security is one of the security features that Cisco managed switches provide.

Configure a Switch with Initial Settings
1.0 Switch boot sequence

1. POST: the power-on self-test program, stored in ROM, checks the CPU, the DRAM and a portion of the flash.
2. The switch loads the boot loader software (stored in ROM).
3. The boot loader performs low-level CPU initialization. It initializes the CPU registers, which control where physical memory is mapped, the quantity of memory, and its speed.
4. The boot loader initializes the flash file system on the system board.
5. The boot loader locates and loads a default IOS operating system software image into RAM and hands control of the switch over to the IOS. The IOS then initializes the interfaces using the saved configuration.


Switch# show bootvar
Switch# show boot          (older IOS)
Switch(config)# boot system

Forms of the boot system command (global configuration mode):
Switch(config)#
boot system file-url
no boot system file-url
boot system flash [flash-fs:][partition-number:][filename]
no boot system flash [flash-fs:][partition-number:][filename]
boot system mop filename [mac-address] [interface]
no boot system mop filename [mac-address] [interface]
boot system rom
no boot system rom
boot system {rcp | tftp | ftp} filename [ip-address]
no boot system {rcp | tftp | ftp} filename [ip-address]
no boot system



1.1 Recovering from a system crash

If the IOS is damaged or cannot be used, the boot loader still provides access to the switch.
Step 1. Connect a PC by console cable to the switch console port. Configure terminal emulation software to connect to the switch.
Step 2. Unplug the switch power cord.
Step 3. Reconnect the power cord to the switch and, within 15 seconds, press and hold down the Mode button while the System LED is still flashing green.
Step 4. Continue pressing the Mode button until the System LED turns briefly amber and then solid green; then release the Mode button.
Step 5. The boot loader switch: prompt appears in the terminal emulation software on the PC.

The boot loader command line supports commands to format the flash file system, reinstall the operating system software, recover from a lost or forgotten password, list (dir) the contents of the flash, and so on.

1.2 Switch LED indicators

-       System LED: power on/off.
-       Redundant Power System (RPS) LED: LED off = no RPS / green = OK / blinking green = RPS connected but unavailable.
-       Port Status LED: LED off = no link / green = link / blinking green = activity / alternating green-amber = link fault / amber = port is blocked to ensure no loop exists in the forwarding domain.
-       Port Duplex LED: green = full-duplex / amber = half-duplex.
-       Port Speed LED: LED off, the port is operating at 10 Mb/s.
                       LED green, the port is operating at 100 Mb/s.
                       LED blinking green, the port is operating at 1000 Mb/s.
-       Power over Ethernet (PoE) Mode LED:
                               
1.3 Preparing for Basic Switch Management

The switch virtual interface (SVI) must have an IP address and subnet mask (used for management only); to reach it from a remote network, a default gateway is also needed. The SVI is a concept related to VLANs. VLANs are numbered logical groups to which physical ports can be assigned. Configurations and settings applied to a VLAN are also applied to all the ports assigned to that VLAN. By default all ports are assigned to VLAN 1, which is used for management purposes.

1.4 Configuring Basic Switch Management Access with IPv4
Configure a VLAN (SVI):
S1# configure terminal
S1(config)# interface vlan 22
S1(config-if)# ip address 192.168.1.100 255.255.255.0
S1(config-if)# description this is the test vlan
S1(config-if)# no shutdown

Associating a physical interface with the VLAN created:
S1(config)# interface fastethernet0/1
S1(config-if)# switchport access vlan vlan_id

Configuring the IP default gateway:
S1(config)# ip default-gateway A.B.C.D

Verify the configuration:
S1# show ip interface brief


2.0 Configure Switch Ports
Full-duplex (bidirectional) = better performance and more effective bandwidth. This method requires microsegmentation, provided by a switch in which each connected device has its own collision domain.
A microsegmented LAN is collision free. In this mode the collision detection circuit on the NIC is disabled.
Offers 100% efficiency in each direction, for 200% of the stated bandwidth potential.

Half-duplex (unidirectional) = sending and receiving data does not occur at the same time.
Example of the resulting performance issues: a hub.
Offers only 50% to 60% efficiency of the stated bandwidth.


2.1 Duplex Communication
Manual mode configuration (configure both sides!):
S1# configure terminal
S1(config)# interface fastethernet0/1
S1(config-if)# duplex full
S1(config-if)# speed 100

(Fiber-optic ports are always full-duplex and operate at a preset speed.)

Note: Mismatched settings for the duplex mode and speed of switch ports can cause connectivity issues. A failure of autonegotiation creates such mismatched settings.

2.2 Configure Switch Ports at the Physical Layer


2.3 Auto-MDIX (enabled by default)
When auto-MDIX is enabled, the interface automatically detects the required cable connection type (straight-through or crossover) and configures the connection appropriately.

S1(config)# interface fastethernet0/1
S1(config-if)# mdix auto

To examine the auto-MDIX setting for a specific interface, use the following command:
S1# show controllers ethernet-controller fa 0/1 phy | include Auto-MDIX


2.4 Verifying Switch Port Configuration




2.5 Network Access Layer Issues
The output of the show interfaces command can be used to detect common media issues.

·      If the interface is up and the line protocol is down, possible causes are:
- Encapsulation type mismatch
- The interface on the other end could be error-disabled
- Hardware problem
·      If both the interface and the line protocol are down:
- No cable, or the other end of the connection may be administratively down
- An interface problem exists

Media errors are not severe enough to cause the circuit to fail, but they do cause network performance issues:


2.6 Troubleshooting Network Access Layer Issues
Most issues that affect a switched network are encountered during the original implementation. Theoretically, after it is installed, a network continues to operate without problems. The show interfaces command helps isolate the problem.

3.0 Security Management and implementation

3.1 Configuring SSH
Secure Shell (SSH, TCP port 22) is a protocol that provides a secure (encrypted) management connection to a remote device. Telnet (TCP port 23) is an older protocol that transmits the login and password insecurely in plaintext. An IOS image whose filename includes the combination "k9" supports cryptographic (encrypted) features and capabilities.

Before configuring SSH, the hostname of the switch must be changed from the default.

Step 1. S1# show ip ssh   - Verify that the switch supports SSH; if not, the command is unrecognized.
Step 2. S1(config)# ip domain-name domain-name
Step 3. S1(config)# crypto key generate rsa
Step 4. S1(config)# username xxxx password yyyyy

Note: To delete the RSA key pair:
S1(config)# crypto key zeroize rsa

Verify SSH:
S1# show ssh         (connected clients)
S1# show ip ssh      (version and configuration)
Use the line vty global configuration mode command and then the login local line configuration mode command to require local authentication for SSH connections against the local username database.

S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exit
S1(config)# ip ssh version 2     <- (version 1 has known vulnerabilities)
An enable password or enable secret must be set beforehand in order to access privileged mode over SSH.
Also remove the old Telnet password, if any.

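The full SSH-only management setup, as an added example that is not part of the original notes. Assumed values: the switch is renamed from the default to S1, the domain is lab.example.com, the local account is admin, and the key modulus, timeouts and exec-timeout are added hardening not listed in the steps above.

```cisco
! Added example (not from the original notes): SSH-only management access on S1.
! Assumed values: hostname S1, domain lab.example.com, local user admin.
Switch# configure terminal
Switch(config)# hostname S1
S1(config)# ip domain-name lab.example.com
! A 2048-bit modulus; the small default key is rejected by modern SSH clients
S1(config)# crypto key generate rsa general-keys modulus 2048
! Store the local account with a hashed secret rather than a plaintext password
S1(config)# username admin privilege 15 secret Str0ngPass!
S1(config)# enable secret En4blePass!
! Only SSH version 2; limit how long a login may take and how many tries it gets
S1(config)# ip ssh version 2
S1(config)# ip ssh time-out 60
S1(config)# ip ssh authentication-retries 3
! VTY lines: SSH only (no Telnet), local authentication, idle sessions dropped after 5 minutes
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exec-timeout 5 0
S1(config-line)# logging synchronous
S1(config-line)# end
! Verify: SSHv2 is enabled and no VTY line still accepts Telnet
S1# show ip ssh
S1# show running-config | include transport input
S1# copy running-config startup-config
```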
3.2 Common security attacks
- MAC address table overflow attacks (MAC flooding attacks).
- DHCP starvation attacks: flood the DHCP server with DHCP requests to use up all the available IP addresses.
- DHCP spoofing attacks (see DHCP snooping below): a fake DHCP server on the network issues DHCP addresses to clients.
- CDP reconnaissance: CDP information is sent in periodic, unencrypted broadcasts, which provides information for attackers
  (auto-configuration data, IP address, software version, platform, capabilities, and the native VLAN).

3.3 Security Best Practices


3.4 Secure Unused Ports
The best method is to shut down a port if it is not used. To shut down a large range of ports at once:

Switch(config)# interface range type module/first-number - last-number
Switch(config-if-range)# shutdown

3.5 DHCP Snooping
DHCP snooping is a Cisco Catalyst feature that determines which switch ports are allowed to respond to DHCP requests.
- Untrusted ports can forward only DHCP requests. If a DHCP response is seen on an untrusted port, the port is shut down.
- Trusted ports can send DHCP requests and acknowledgments.

Configuration steps:
1. Enable DHCP snooping globally.
2. Enable DHCP snooping for specific VLANs.
3. Define ports as trusted at the interface level.
4. (Optional) Limit the rate at which an attacker can continually send bogus DHCP requests.
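The four steps above carried through on one switch, as an added example that is not part of the original notes. Assumed topology: VLAN 10 is the user VLAN, the legitimate DHCP server is reached through the uplink Gi0/1, and users connect on Fa0/1 - Fa0/24.

```cisco
! Added example (not from the original notes): DHCP snooping on S1.
! Assumed: user VLAN 10, DHCP server reachable via uplink Gi0/1, users on Fa0/1 - Fa0/24.
S1# configure terminal
! Step 1: enable the feature globally (it does nothing until a VLAN is listed)
S1(config)# ip dhcp snooping
! Step 2: protect the user VLAN
S1(config)# ip dhcp snooping vlan 10
! Step 3: the uplink toward the real server is the only port allowed to send DHCP offers/acks
S1(config)# interface gigabitethernet0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
! Step 4: user ports stay untrusted (default); capping DHCP packets per second means a
! DHCP starvation flood err-disables that one port instead of exhausting the address pool
S1(config)# interface range fastethernet0/1 - 24
S1(config-if-range)# ip dhcp snooping limit rate 5
S1(config-if-range)# end
! Verify: trusted ports, rate limits, and the client leases the switch has recorded
S1# show ip dhcp snooping
S1# show ip dhcp snooping binding
```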



3.6 Port Security: Operation
Port security limits the number of valid MAC addresses allowed on a port.
-       Specify a single MAC address or a group of valid MAC addresses allowed on a port.
-       Specify that a port automatically shuts down if unauthorized MAC addresses are detected.


Secure MAC Address Types:
Static secure MAC addresses
MAC addresses that are manually configured on a port with S1(config-if)# switchport port-security mac-address mac-address
Stored in the address table and added to the running configuration.
Dynamic secure MAC addresses
MAC addresses that are dynamically learned and stored only in the address table. They are lost when the switch restarts.
Sticky secure MAC addresses
MAC addresses that can be dynamically learned or manually configured, then stored in the address table and added to the running configuration.
S1(config-if)# switchport port-security mac-address sticky





3.7 Port Security: Violation Modes
A security violation occurs when either of these situations happens:
-       A station whose MAC address is not in the address table attempts to access the interface when the table is full.
-       An address is being used on two secure interfaces in the same VLAN.

An interface can be protected with one of these three violation modes:
·      Protect: when the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed, or the maximum number of allowed addresses is increased. There is no notification that a security violation has occurred.
·      Restrict: when the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed, or the maximum number of allowed addresses is increased. In this mode, there is a notification that a security violation has occurred.
·      Shutdown: in this (default) violation mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It increments the violation counter. When a secure port is in the error-disabled state, it can be brought out of this state by entering the shutdown and no shutdown interface configuration mode commands.

S1(config-if)# switchport port-security violation {protect | restrict | shutdown}

3.7 Port Security Configuration

The default port security configuration on a Cisco Catalyst switch.



Configuring dynamic port security
Configuring sticky port security



Port Security: Verifying

S1#show port-security interface interface-id
S1# show port-security address
S1#show run | begin fastethernet 0/1

Ports in Error-Disabled State
A violation can cause the port to become error-disabled, which is effectively a shutdown: no traffic is sent or received on that port (link: down, protocol: down).
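Sections 3.4, 3.6 and 3.7 put together on one switch, as an added example that is not part of the original notes: unused ports shut down, sticky port security with the restrict violation mode on the ports in use, and the error-disabled recovery both manually and with the errdisable recovery timer (the timer commands are an addition not covered in the notes). Assumed: Fa0/1 - Fa0/20 each connect a single host, Fa0/21 - Fa0/24 are unused.

```cisco
! Added example (not from the original notes): hardening the access ports of S1.
! Assumed: Fa0/1 - Fa0/20 each serve one host, Fa0/21 - Fa0/24 are unused.
S1# configure terminal
! 1) Unused ports: shut them down (section 3.4)
S1(config)# interface range fastethernet0/21 - 24
S1(config-if-range)# shutdown
S1(config-if-range)# exit
! 2) Ports in use: port security needs a static access port first
S1(config)# interface range fastethernet0/1 - 20
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport port-security
S1(config-if-range)# switchport port-security maximum 1
! Sticky: the first MAC learned is written to the running config (persist with copy run start)
S1(config-if-range)# switchport port-security mac-address sticky
! restrict: drop offending frames, count them and raise a syslog/SNMP notification
! without err-disabling the port; keep the default shutdown mode where an outage is preferable
S1(config-if-range)# switchport port-security violation restrict
S1(config-if-range)# exit
! 3) Added: let ports err-disabled by a port-security violation recover after 5 minutes
S1(config)# errdisable recovery cause psecure-violation
S1(config)# errdisable recovery interval 300
S1(config)# end
! 4) Verify, and list any port currently err-disabled
S1# show port-security interface fastethernet0/1
S1# show port-security address
S1# show interfaces status err-disabled
! 5) Manual recovery of an err-disabled port (shutdown followed by no shutdown)
S1# configure terminal
S1(config)# interface fastethernet0/1
S1(config-if)# shutdown
S1(config-if)# no shutdown
S1(config-if)# end
S1# copy running-config startup-config
```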




3.8 Network Time Protocol (NTP)
Important for accurately time-stamping network events such as security violations.

R1(config)# ntp server ip-address

R1(config)# ntp server 2  (2 = stratum number) ??
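NTP combined with log time stamps so that port-security and DHCP-snooping messages carry a usable time, as an added example that is not part of the original notes. Assumed values: the NTP server address 192.0.2.10 and the time zone are constructed; the service timestamps and clock commands are additions beyond the notes.

```cisco
! Added example (not from the original notes): time synchronization and log time stamps on S1.
! Assumed: NTP server 192.0.2.10 (constructed), time zone CET (UTC+1).
S1# configure terminal
S1(config)# ntp server 192.0.2.10
! Show local time in logs; NTP delivers UTC, the timezone makes the stamps readable
S1(config)# clock timezone CET 1
! Stamp every log and debug line with date, time and milliseconds
S1(config)# service timestamps log datetime msec localtime show-timezone
S1(config)# service timestamps debug datetime msec localtime show-timezone
S1(config)# end
! Verify: the switch is synchronized and the clock source is NTP
S1# show ntp status
S1# show ntp associations
S1# show clock detail
```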
