Switches are used to connect multiple devices together on the same network. They are responsible for directing and controlling data flow at the access layer to networked resources.
Cisco switches are self-configuring: no additional configuration is necessary for them to function out of the box. However, they can be manually configured to adjust port speed, bandwidth and security requirements, and they can be managed locally or remotely (remote management needs an IP address and a gateway).
The access layer is the most vulnerable area of the network because it is the part most exposed to the user. Switches need to be configured to be resilient to attacks of all types while protecting user data and allowing high-speed connections. Port security is one of the security features Cisco managed switches provide.
Configure a Switch with Initial Settings
1.0 Switch boot sequence
1. POST (power-on self-test), a program stored in ROM, checks the CPU, the DRAM and the portion of flash that holds the file system.
2. The switch loads the boot loader software (stored in ROM).
3. The boot loader performs low-level CPU initialization. It initializes the CPU registers, which control where physical memory is mapped, the quantity of memory, and its speed.
4. The boot loader initializes the flash file system on the system board.
5. The boot loader locates and loads a default IOS operating system software image into memory (RAM) and hands control of the switch over to the IOS. The interfaces are then initialized with the saved configuration.
Switch#show bootvar
Switch#show boot (older IOS)
Switch(config)#boot system ...
Forms of the boot system command (and their no forms):
boot system file-url / no boot system file-url
boot system flash [flash-fs:][partition-number:][filename] / no boot system flash [flash-fs:][partition-number:][filename]
boot system mop filename [mac-address] [interface] / no boot system mop filename [mac-address] [interface]
boot system rom / no boot system rom
boot system {rcp | tftp | ftp} filename [ip-address] / no boot system {rcp | tftp | ftp} filename [ip-address]
no boot system (removes all boot system entries)
1.1 Recovering from a system crash
If the IOS image is damaged or cannot be used, the boot loader provides access to the switch.
Step 1. Connect a PC by console cable to the switch console port. Configure terminal emulation software to connect to the switch.
Step 2. Unplug the switch power cord.
Step 3. Reconnect the power cord to the switch and, within 15 seconds, press and hold down the Mode button while the System LED is still flashing green.
Step 4. Continue pressing the Mode button until the System LED turns briefly amber and then solid green; then release the Mode button.
Step 5. The boot loader switch: prompt appears in the terminal emulation software on the PC.
The boot loader command line supports commands to format the flash file system, reinstall the operating system software, recover from a lost or forgotten password, list (dir) the contents of flash…
1.2 Switch LED indicators
- System LED: power on/off
- Redundant Power System (RPS) LED: off = no RPS / green = OK / blinking green = connected but unavailable
- Port Status LED: off = no link / green = link / blinking green = activity / alternating green-amber = link fault / amber = port blocked to prevent a loop
- Port Duplex LED: green = full-duplex / amber = half-duplex
- Port Speed LED: off = the port is operating at 10 Mb/s / green = 100 Mb/s / blinking green = 1000 Mb/s
- Power over Ethernet (PoE) Mode LED
1.3 Preparing for Basic Switch Management
The switch virtual interface (SVI) must have an IP address and mask (used for management only); to reach it from a remote network a default gateway is also needed. The SVI is a concept related to VLANs. VLANs are numbered logical groups to which physical ports can be assigned. Configurations and settings applied to a VLAN are also applied to all the ports assigned to that VLAN. By default all ports are assigned to VLAN 1, which is used for management purposes.
1.4 Configuring Basic Switch Management Access with IPv4
Configure a VLAN interface (SVI):
S1#configure terminal
S1(config)#interface vlan 22
S1(config-if)#ip address 192.168.1.100 255.255.255.0
S1(config-if)#description this is the test vlan
S1(config-if)#no shutdown
Associate a physical interface with the VLAN created:
S1(config)#interface fastethernet0/1
S1(config-if)#switchport access vlan vlan_id
Configure the IP default gateway:
S1(config)#ip default-gateway A.B.C.D
Verify the configuration:
S1#show ip interface brief
2.0 Configure Switch Ports
Full-duplex (bidirectional) = better performance and increased effective bandwidth. This method requires the microsegmentation provided by a switch: each connected device gets its own collision domain. A microsegmented LAN is collision free, and in this mode the collision detection circuit on the NIC is disabled. It offers 100% efficiency in each direction, for a potential 200% of the stated bandwidth.
Half-duplex (unidirectional) = sending and receiving data does not occur at the same time. Example of a device with performance issues: a hub. It offers 50% to 60% efficiency of the stated bandwidth.
2.1 Duplex Communication
Manual mode configuration (on both sides!):
S1#configure terminal
S1(config)#interface fastethernet0/1
S1(config-if)#duplex full
S1(config-if)#speed 100
(Fiber-optic ports are always full-duplex and work at the preset speed.)
Note: Mismatched duplex mode and speed settings on switch ports can cause connectivity issues. A failure of auto-negotiation creates mismatched settings.
2.2 Configure Switch Ports at the Physical Layer
2.3 Auto-MDIX (enabled by default)
When auto-MDIX is enabled, the interface automatically detects the required cable connection type (straight-through or crossover) and configures the connection appropriately.
S1(config)#interface fastethernet0/1
S1(config-if)#mdix auto
To examine the auto-MDIX setting for a specific interface, use:
S1#show controllers ethernet-controller fa 0/1 phy | include Auto-MDIX
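The following is an added example, not part of the original notes, putting sections 2.1 and 2.3 together on one switch: one port whose peer has a fixed NIC setting (so the switch side is fixed to match) and one ordinary user port left on autonegotiation with auto-MDIX. Interface names, descriptions and the neighbouring devices are assumptions.

```cisco
! Added example (not from the original notes). Assumed: S1 with Fa0/1 to a
! server whose NIC is fixed at 100 Mb/s full duplex, Fa0/2 to a user PC.
S1#configure terminal
! Fa0/1: the peer does not negotiate, so fix both speed and duplex here too.
! Auto-MDIX only operates when speed and duplex are set to auto, so on this
! port the correct cable type (straight-through to a host) must be used.
S1(config)#interface FastEthernet0/1
S1(config-if)#description SRV-1 (NIC fixed 100/full)
S1(config-if)#speed 100
S1(config-if)#duplex full
S1(config-if)#exit
! Fa0/2: leave autonegotiation on and let auto-MDIX choose the cable pairing
! (default on recent IOS, shown explicitly for clarity)
S1(config)#interface FastEthernet0/2
S1(config-if)#description user port
S1(config-if)#speed auto
S1(config-if)#duplex auto
S1(config-if)#mdix auto
S1(config-if)#end
! Verify: "full"/"100" in the Duplex/Speed columns means forced,
! "a-full"/"a-100" means negotiated
S1#show interfaces status
S1#show controllers ethernet-controller fa0/2 phy | include Auto-MDIX
! A duplex mismatch shows up as late collisions on the half-duplex side and
! as CRC/runt errors on the full-duplex side
S1#show interfaces FastEthernet0/1 | include errors|collisions|runts
```

If the counters on the last command keep climbing on a link that is "up/up", check the peer's duplex setting before suspecting the cable: a mismatch does not bring the link down, it only degrades it.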
2.4 Verifying Switch Port Configuration
2.5 Network Access Layer Issues
The output of the show interfaces command can be used to detect common media issues.
- If the interface is up and the line protocol is down, the cause could be:
  - Encapsulation type mismatch
  - The interface on the other end could be error-disabled
  - Hardware problem
- If the interface is down and the line protocol is down:
  - No cable, or the other end of the connection may be administratively down
  - An interface problem exists
Media errors are not severe enough to cause the circuit to fail, but they do cause network performance issues:
2.6 Troubleshooting Network Access Layer Issues
Most issues that affect a switched network are encountered during the original implementation. Theoretically, after it is installed, a network continues to operate without problems. The show interfaces command will help to isolate the problem.
3.0 Security Management and Implementation
3.1 Configuring SSH
Secure Shell (SSH, TCP 22) is a protocol that provides a secure (encrypted) management connection to a remote device. Telnet (TCP 23) is an older protocol that transmits the login and password in plaintext. An IOS filename that includes the combination "k9" supports cryptographic (encrypted) features and capabilities.
To configure SSH, the hostname of the switch must first be changed from the default.
Step 1. S1#show ip ssh - verify that the switch supports SSH; if it does not, the command is unrecognized.
Step 2. S1(config)#ip domain-name domain-name
Step 3. S1(config)#crypto key generate rsa
Step 4. S1(config)#username xxxx password yyyyy
Note: To delete the RSA key pair:
S1(config)#crypto key zeroize rsa
Verify SSH:
S1#show ssh (connected clients)
S1#show ip ssh (version and configuration)
Use the line vty global configuration mode command and then the login local line configuration mode command to require local authentication for SSH connections from the local username database.
S1(config)#line vty 0 15
S1(config-line)#transport input ssh
S1(config-line)#login local
S1(config-line)#exit
S1(config)#ip ssh version 2 <- (version 1 has known vulnerabilities)
The enable password or secret must be set beforehand in order to reach privileged mode over SSH. Remove the old Telnet password, if any.
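As an added example (not from the original notes), the whole SSH-only management setup of section 3.1 in one pass, including the checks for crypto support and the vty/console hardening. Hostname, domain name, username and the placeholder secrets are assumed values; the username uses secret (hashed) rather than password (reversible type 7), which is a deliberate change from the step list above.

```cisco
! Added example (not from the original notes). Assumed: hostname S1,
! domain example.com, local user "admin"; <...> are placeholders to replace.
! 0. Confirm the image is a k9 (crypto) image before generating keys
S1#show version | include image
S1#configure terminal
! 1. hostname and domain must be set first: the RSA key is named after them
S1(config)#hostname S1
S1(config)#ip domain-name example.com
! 2. 2048-bit key (the bare "crypto key generate rsa" prompts for the size)
S1(config)#crypto key generate rsa modulus 2048
! 3. local account and enable secret, both stored hashed
S1(config)#username admin privilege 15 secret <STRONG-PASSWORD>
S1(config)#enable secret <STRONG-ENABLE-SECRET>
! 4. SSHv2 only, short login window, few retries
S1(config)#ip ssh version 2
S1(config)#ip ssh time-out 60
S1(config)#ip ssh authentication-retries 3
! 5. vty lines: SSH only, local login, drop the old Telnet line password,
!    idle sessions expire after 5 minutes
S1(config)#line vty 0 15
S1(config-line)#transport input ssh
S1(config-line)#login local
S1(config-line)#no password
S1(config-line)#exec-timeout 5 0
S1(config-line)#exit
! 6. console gets the same local-login treatment
S1(config)#line console 0
S1(config-line)#login local
S1(config-line)#exec-timeout 5 0
S1(config-line)#end
! 7. verify and save
S1#show ip ssh
S1#show ssh
S1#copy running-config startup-config
```

After this, show ip ssh should report "SSH Enabled - version 2.0"; if it still shows 1.99 the switch is accepting both versions and ip ssh version 2 has not taken effect.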
3.2 Common security attacks
- MAC address table overflow attack (MAC flooding attack).
- DHCP starvation attack: floods the DHCP server with DHCP requests to use up all the available IP addresses.
- DHCP spoofing attack (mitigated with DHCP snooping, see 3.5): a fake DHCP server on the network issues DHCP addresses to clients.
- Learning from CDP: CDP information is sent in periodic, unencrypted broadcasts, which is useful information for attackers (auto-configuration, IP address, software version, platform, capabilities and the native VLAN).
3.3 Security Best Practices
3.4 Secure Unused Ports
The best method is to shut down a port if it is not used. To shut down a large range of ports at once:
Switch(config)#interface range type module/first-number - last-number
3.5 DHCP Snooping
DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests.
- Untrusted ports can forward only DHCP requests. If a DHCP response (server message) arrives on an untrusted port, it is dropped and the port can be shut down.
- Trusted ports can send DHCP requests and acknowledgments.
Configuration steps:
1. Enable DHCP snooping globally.
2. Enable DHCP snooping for specific VLANs.
3. Define ports as trusted at the interface level.
4. (Optional) Limit the rate at which an attacker can continually send bogus DHCP requests.
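The four steps above carried out on one switch, as an added example that is not part of the original notes. VLAN numbers, interface names, the uplink and the rate limit are assumed values; the Option 82 line is a practical caveat rather than one of the listed steps.

```cisco
! Added example (not from the original notes). Assumed: user VLANs 10 and 20,
! Gi0/1 is the only path to the legitimate DHCP server, Fa0/1-24 are access ports.
S1#configure terminal
! 1. global enable
S1(config)#ip dhcp snooping
! 2. only the VLANs where clients live
S1(config)#ip dhcp snooping vlan 10,20
! Caveat: by default the switch inserts Option 82 into relayed requests; many
! servers discard such packets when they do not come from a relay, so
! disable insertion unless the server is configured to accept it
S1(config)#no ip dhcp snooping information option
! 3. trust only the uplink toward the real server; everything else stays
!    untrusted (the default), so a rogue server on an access port is blocked
S1(config)#interface GigabitEthernet0/1
S1(config-if)#description uplink to distribution / DHCP server
S1(config-if)#ip dhcp snooping trust
S1(config-if)#exit
! 4. cap DHCP packets per second on access ports so one host running a
!    starvation tool cannot flood the server or the switch CPU
S1(config)#interface range FastEthernet0/1 - 24
S1(config-if-range)#ip dhcp snooping limit rate 6
S1(config-if-range)#end
! verify: trusted ports, rate limits, and the lease bindings the switch has seen
S1#show ip dhcp snooping
S1#show ip dhcp snooping binding
S1#copy running-config startup-config
```

A port that exceeds its rate limit is put into the error-disabled state; show interfaces status err-disabled lists it, and the same shutdown / no shutdown sequence used for port-security violations recovers it.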
3.6 Port Security: Operation
Port security limits the number of valid MAC addresses allowed on a port.
- Specify a single MAC address or a group of valid MAC addresses allowed on a port.
- Specify that a port automatically shuts down if unauthorized MAC addresses are detected.
Secure MAC address types:
- Static secure MAC addresses: MAC addresses that are manually configured on a port by using S1(config-if)#switchport port-security mac-address mac-address. They are stored in the address table and added to the running configuration.
- Dynamic secure MAC addresses: MAC addresses that are dynamically learned and stored only in the address table. They are lost when the switch restarts.
- Sticky secure MAC addresses: MAC addresses that can be dynamically learned or manually configured, then stored in the address table and added to the running configuration:
S1(config-if)#switchport port-security mac-address sticky
3.7 Port Security: Violation Modes
A violation occurs when either of these situations arises:
- A station whose MAC address is not in the address table attempts to access the interface when the table is full.
- An address is being used on two secure interfaces in the same VLAN.
An interface can be protected with these three violation modes:
- Protect: when the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed, or the maximum number of allowed addresses is increased. There is no notification that a security violation has occurred.
- Restrict: when the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed, or the maximum number of allowed addresses is increased. In this mode there is a notification that a security violation has occurred.
- Shutdown: in this (default) violation mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It increments the violation counter. When a secure port is in the error-disabled state, it can be brought out of this state by entering the shutdown and no shutdown interface configuration mode commands.
S1(config-if)#switchport port-security violation {protect | restrict | shutdown}
3.7 Port Security Configuration
The default port security configuration on a Cisco Catalyst switch.
Configuring dynamic port security
Configuring sticky port security
Port Security: Verifying
S1#show port-security interface interface-id
S1#show port-security address
S1#show running-config | begin FastEthernet0/1
Ports in Error Disabled State
A violation can cause the port to become error-disabled, which is effectively a shutdown: no traffic is sent or received on that port (link: down, protocol: down).
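An added example, not from the original notes, that ties together sections 3.4 (unused ports), 3.6 and 3.7 (dynamic and sticky port security, violation modes, error-disabled recovery) and the CDP point from 3.2 on one access switch. Interface ranges, the parking VLAN, the pinned MAC address and the recovery interval are assumed values.

```cisco
! Added example (not from the original notes). Assumed: Fa0/1-12 are in use,
! Fa0/13-24 are unused, VLAN 999 is an unused "parking" VLAN, MAC below is a placeholder.
S1#configure terminal
! 3.4 - unused ports: access mode, parked in an unused VLAN, and shut down
S1(config)#interface range FastEthernet0/13 - 24
S1(config-if-range)#switchport mode access
S1(config-if-range)#switchport access vlan 999
S1(config-if-range)#shutdown
S1(config-if-range)#exit
! dynamic port security on Fa0/1. The port must be a static access (or
! trunk) port; enabling port-security alone defaults to maximum 1 and
! violation shutdown, here set explicitly to maximum 1 / restrict so the
! port keeps working but logs and counts violations
S1(config)#interface FastEthernet0/1
S1(config-if)#switchport mode access
S1(config-if)#switchport port-security
S1(config-if)#switchport port-security maximum 1
S1(config-if)#switchport port-security violation restrict
! forget a learned address after 120 minutes of inactivity so a replaced
! host does not trigger a violation forever
S1(config-if)#switchport port-security aging time 120
S1(config-if)#switchport port-security aging type inactivity
S1(config-if)#exit
! sticky port security on Fa0/2 (phone + PC): one address pinned
! statically, the second learned and written into running-config
S1(config)#interface FastEthernet0/2
S1(config-if)#switchport mode access
S1(config-if)#switchport port-security
S1(config-if)#switchport port-security maximum 2
S1(config-if)#switchport port-security mac-address 0000.1111.2222
S1(config-if)#switchport port-security mac-address sticky
S1(config-if)#switchport port-security violation shutdown
S1(config-if)#exit
! optional: bring psecure-violation errdisabled ports back after 300 s
! instead of waiting for an operator
S1(config)#errdisable recovery cause psecure-violation
S1(config)#errdisable recovery interval 300
! 3.2 - stop advertising CDP toward user ports
S1(config)#interface range FastEthernet0/1 - 12
S1(config-if-range)#no cdp enable
S1(config-if-range)#end
! verify: per-port summary, secure addresses, and anything errdisabled
S1#show port-security
S1#show port-security interface FastEthernet0/2
S1#show port-security address
S1#show interfaces status err-disabled
! manual recovery of an errdisabled port
S1#configure terminal
S1(config)#interface FastEthernet0/2
S1(config-if)#shutdown
S1(config-if)#no shutdown
S1(config-if)#end
! sticky addresses live only in running-config until saved
S1#copy running-config startup-config
```

The last command matters more than it looks: sticky addresses that are not saved are relearned from scratch after a reload, which means whatever is plugged in at that moment becomes the "secure" host.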
3.8 Network Time Protocol (NTP)
Important: accurate time is needed to track network events such as security violations.
R1(config)#ntp server ip-address
R1(config)#ntp master 2 (2 = stratum number; makes the router an authoritative time source, used only on the device that seeds the clock for the others)
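As an added example (not from the original notes), an NTP client configuration on the switch with authentication of the time source and timestamped logging, so that a port-security or DHCP-snooping message carries a time that can be correlated with other devices. The server and collector addresses, key number and key are assumed values.

```cisco
! Added example (not from the original notes). Assumed: NTP server
! 192.0.2.10, syslog collector 192.0.2.20, key id 1; <NTP-KEY> is a placeholder.
S1#configure terminal
S1(config)#clock timezone UTC 0
! authenticate the time source so a spoofed NTP reply cannot shift the clock
S1(config)#ntp authentication-key 1 md5 <NTP-KEY>
S1(config)#ntp authenticate
S1(config)#ntp trusted-key 1
S1(config)#ntp server 192.0.2.10 key 1 prefer
! log and debug messages get millisecond timestamps with the zone shown
S1(config)#service timestamps log datetime msec localtime show-timezone
S1(config)#service timestamps debug datetime msec localtime show-timezone
! ship the messages off-box so a violation is recorded even if the switch is reloaded
S1(config)#logging host 192.0.2.20
S1(config)#logging trap informational
S1(config)#end
! verify: synchronised status, which peer was selected, current time
S1#show ntp status
S1#show ntp associations
S1#show clock detail
```

show ntp status should say "Clock is synchronized"; until the association reaches that state the syslog timestamps are from the switch's free-running clock and should not be trusted for correlation.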