Richard L. Holladay, JNCIA-Junos, CCNA, Ph.D. Routing and Switching Essentials Chapter 2 Basic Switching Concepts and Configuration

CCNA_R&S2_02_Basic_Switching_Concepts_and _Config.pdf


  • Topics
    Introduction
    Basic Switch Configuration
      Configure a Switch With Initial Settings
      Configure Switch Ports
    Switch Security: Management and Implementation
      Secure Remote Access
      Security Concerns in LANs
      Security Best Practices
      Switch Port Security
    Summary

  • Objectives
    Configure initial settings on a Cisco switch.
    Configure switch ports to meet network requirements.
    Configure the management switch virtual interface (SVI).
    Describe basic security attacks in a switched network.
    Describe security best practices in a switched environment.
    Configure the port security feature to restrict network access.

  • Switches are used to connect devices together on the same network. Cisco switches are self-configuring and no additional configuration is necessary for them to function out of the box. However, Cisco switches run Cisco IOS and can be manually configured. This includes adjusting port speed, bandwidth and security requirements.

    Cisco switches can be managed locally and remotely. Local management requires a console connection and a terminal emulator. Remote management requires configuring an IP address and default gateway and connecting through Telnet, SSH, or other network management software.

    Switches connect users directly to the network and are therefore one of the most vulnerable areas of the network. They need to be configured to be resilient to attacks of all types. Port security is one of the security features Cisco managed switches provide.

    We will examine basic switch configuration and security settings.

  • After powering on, a switch goes through the following boot sequence:
    1) Power-On Self Test (POST)
    2) Run boot loader software
       Initialize CPU registers
       Initialize flash file system
       Locate and load IOS
       Transfer control to IOS
    3) To find IOS, the boot loader uses the BOOT environment variable
       If not set, the switch tries to load the first executable file it can find in Flash by performing a recursive, depth-first search
       Each lower-level subdirectory is completely searched before continuing the search in the original directory
       On Catalyst 2960s, IOS is normally contained in a directory that has the same name as the image file (excluding the .bin file extension)
    4) IOS then initializes the switch using the startup config stored in NVRAM, if found

  • The boot loader can also be used to manage the switch if the IOS can't be loaded. The boot loader can be accessed through a console connection by:
    1) Connect a PC by console cable to the switch console port. Unplug the switch power cord.
    2) Reconnect the power cord to the switch and press and hold down the Mode button. The System LED turns briefly amber and then solid green. Release the Mode button.
    3) The boot loader switch: prompt appears.
    4) In switch: you can (among other things):
       Browse Flash using Unix-style commands, like dir
       Format flash
       Reinstall a missing IOS image

  • Each port on a Cisco Catalyst switch has a status LED indicator light. By default these LEDs reflect port activity, but they can also provide other information about the switch through the Mode button.
    The following modes are available on Cisco Catalyst 2960 switches:
      System LED
      RPS (Redundant Power System) LED
      Status (port) LED
      Duplex LED
      Speed LED
      PoE (Power over Ethernet) Mode LED

  • To remotely manage a Cisco switch, it needs to be configured to access the network:
      It must have an IP address and subnet mask
      If managing the switch from a remote network, a default gateway must also be configured

    The IP information (address, subnet mask, gateway) is assigned to a switch SVI (switch virtual interface). The SVI is a virtual interface, not a physical port on the switch. SVIs are related to VLANs, numbered logical groups to which physical ports can be assigned. By default, switch management occurs through VLAN 1. For security purposes, it is considered a best practice to use a VLAN other than VLAN 1 for the management VLAN.

    These IP settings are only used for remote management and remote access to the switch; they do not allow the switch to route Layer 3 packets.

  • Preparing for Remote Management

    Use interface vlan 99 to enter interface configuration mode, then ip address address mask and no shutdown. Note that the SVI for VLAN 99 will not be "up/up" until VLAN 99 is created and there is a device connected to a switch port associated with VLAN 99.

    Create the VLAN and assign a port to it (exit, not end, returns to global configuration mode):
      S1(config)# vlan vlan_id
      S1(config-vlan)# name vlan_name
      S1(config-vlan)# exit
      S1(config)# interface interface_id
      S1(config-if)# switchport access vlan vlan_id

  • The default gateway is the router the switch is connected to. The switch will forward IP packets with destination IP addresses outside the local network to the default gateway. In the topology used here, R1 is the default gateway for S1.

    The interface on R1 connected to the switch has IP address 172.17.99.1. This address is the default gateway address for S1.

    Use the ip default-gateway command. The default gateway is the IP address of the router interface to which the switch is connected.
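The two slides above describe the management SVI and the default gateway as separate steps. The following is an added example, not taken from the slides, that puts the whole remote-management preparation together on S1. R1's address 172.17.99.1 comes from the slide; S1's own address (172.17.99.11), the VLAN name and the port used as uplink (FastEthernet0/18) are assumptions.

```cisco
! Added example (not from the course slides): management SVI on VLAN 99.
! 172.17.99.1 is R1's address from the slide; 172.17.99.11, the VLAN name
! and FastEthernet0/18 are assumed values.
S1# configure terminal
S1(config)# vlan 99
S1(config-vlan)# name Management
S1(config-vlan)# exit
! The SVI carries the management address; it is not a routed interface
S1(config)# interface vlan 99
S1(config-if)# ip address 172.17.99.11 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
! Packets for other networks go to the router interface on the same subnet
S1(config)# ip default-gateway 172.17.99.1
! At least one active port must belong to VLAN 99 or the SVI stays down/down
S1(config)# interface FastEthernet0/18
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 99
S1(config-if)# end
! Verify: Vlan99 should show "up" / "up" once Fa0/18 has link
S1# show ip interface brief
S1# show vlan brief
S1# copy running-config startup-config
```

Using a dedicated management VLAN rather than VLAN 1, as the slide recommends, means the address above is reachable only from ports or trunks that carry VLAN 99, which is why the uplink assignment is part of the example.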

  • Use show ip interface brief to check the status of both physical and virtual interfaces.

  • Full-duplex communication improves the performance of a switched LAN by allowing a connection to transmit and receive data simultaneously.
    Because there is only one device connected, a micro-segmented LAN is collision free.
    In full-duplex mode, the collision detection circuit on the NIC is disabled. Frames cannot collide because the devices use two separate circuits in the network cable.
    Full-duplex connections require a switch that supports full-duplex configuration, or a direct connection using an Ethernet cable between two devices.

  • Half-duplex is unidirectional. Half-duplex communication creates performance issues because data can flow in only one direction at a time, often resulting in collisions.
    Half-duplex connections are typically seen in older hardware, such as hubs. Full-duplex communication has replaced half-duplex in most hardware.
    Shared hub-based half-duplex efficiency is typically rated at 50 to 60 percent of the stated bandwidth. Full-duplex offers 100 percent efficiency in both directions (transmitting and receiving). This results in a 200 percent potential of the stated bandwidth.

  • The default for duplex and speed on 2960s and 3560s is auto.
    10/100/1000 ports operate in either half- or full-duplex when set to 10 or 100 Mb/s, but when they are set to 1000 Mb/s (1 Gb/s), they operate only in full-duplex mode.
    Cisco recommends only using auto for duplex and speed to avoid connection issues between devices.
    Check duplex and speed when troubleshooting switch port issues.

  • Automatic Medium-Dependent Interface Crossover (auto-MDIX)
    Until recently, crossover cables were required when connecting two devices of the same type. Switch-to-switch or router-to-router connections required using crossover cables.
    Auto-MDIX on an interface automatically detects the required cable connection type (straight-through or crossover) and configures the connection appropriately.
    When using auto-MDIX on an interface, speed and duplex must be set to auto so that the feature operates correctly.

  • Use the show controllers ethernet-controller command with the phy keyword.
    To limit the output to lines referencing auto-MDIX, use the Unix-style pipe | with the include Auto-MDIX filter.
    The output indicates either On or Off.
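The three slides above give the rule (speed and duplex must be auto for auto-MDIX to work) and the verification command separately. The following added example, which is not from the course slides, applies that rule to one port and verifies it; the interface name FastEthernet0/1 is an assumption.

```cisco
! Added example (not from the course slides): auto speed/duplex plus auto-MDIX
! on one access port, then verification. The interface name is assumed.
S1# configure terminal
S1(config)# interface FastEthernet0/1
! auto-MDIX only functions when both speed and duplex are negotiated
S1(config-if)# speed auto
S1(config-if)# duplex auto
S1(config-if)# mdix auto
S1(config-if)# end
! Negotiated result: look at the Duplex and Speed columns (a-full / a-100 = auto)
S1# show interfaces FastEthernet0/1 status
! auto-MDIX state: the filtered line reports On or Off
S1# show controllers ethernet-controller FastEthernet0/1 phy | include Auto-MDIX
! A duplex mismatch with the far end shows up here as late collisions / CRC errors
S1# show interfaces FastEthernet0/1 | include duplex|collisions|CRC
```

The last command is the quickest check for the troubleshooting point on the earlier slide: a port that negotiated half-duplex against a full-duplex peer accumulates late collisions on one side and CRC errors on the other.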

  • Switchport Verification Commands:

  • The show interface command can detect common media issues.
    If the interface is up and the line protocol is down, there could be an encapsulation type mismatch, the interface on the other end could be error-disabled, or there could be a hardware problem.
    If the line protocol and the interface are both down, a cable is not attached or there is some other problem. For example, in a back-to-back connection, the other end of the connection may be administratively down.
    If the interface is administratively down, it is manually disabled (the shutdown command is in effect).

  • Secure Shell (SSH) is a protocol that provides a secure (encrypted) command-line based connection to a remote device.
    SSH is commonly used in UNIX-based systems, which use different shells as command-line interfaces.
    Because of its strong encryption features, SSH should replace Telnet for management connections. Telnet uses insecure plaintext transmission of both the login username and password and the data transmitted.
    SSH provides security by providing strong encryption when a device is authenticated (username and password) and also for the data transmitted between the communicating devices.
    SSH uses TCP port 22 by default. Telnet uses TCP port 23.
    Cisco IOS also supports SSH. A cryptographic version of IOS is required in order to enable SSH on Catalyst 2960 switches. Use the show version command to see which IOS the switch is running. A filename that includes k9 supports cryptographic features.

  • Before configuring SSH, the switch must be configured with a unique hostname and the correct network connectivity settings.
    Step 1. Verify SSH support. Use show ip ssh to verify that the switch supports SSH.
    Step 2. Configure the IP domain. Use ip domain-name domain-name in global config (usually cisco.com in labs).
    Step 3. Generate RSA key pairs. Use crypto key generate rsa in global config to enable the SSH server on the switch and generate an RSA key pair. When generating RSA keys, the administrator is prompted to enter a modulus length. Cisco recommends a modulus size of 1,024 bits. A longer modulus length is more secure, but takes longer to generate and to use.
      Note: To delete the RSA key pair, use crypto key zeroize rsa. After the RSA key pair is deleted, the SSH server is automatically disabled.
    Step 4. Configure user authentication. The SSH server can authenticate users locally or by authentication server. To use the local authentication method, create a username and password using username username password password.
    Step 5. Configure the vty lines. Use transport input ssh in vty line config. Vty lines range from 0 to 15. This command limits the switch to only SSH connections. Use line vty and login local to require local authentication for SSH connections from the local username database.
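The five steps above, carried through as one complete configuration. This is an added example and not the course's own configuration: the hostname, domain name, username, password and the 2048-bit modulus are assumptions (the slide quotes 1,024 bits as the course recommendation; the modulus keyword simply supplies that value on the command line instead of at the prompt). Two commands go beyond the slide and are labelled in the comments: secret stores the password hashed where password stores it reversibly, and ip ssh version 2 refuses the weaker SSH-1 protocol.

```cisco
! Added example (not from the course slides): SSH-only management on S1.
! Hostname, domain, username, password and modulus size are assumed values.
S1# configure terminal
! Hostname and domain name together form the RSA key name
S1(config)# hostname S1
S1(config)# ip domain-name example.com
! Step 3: generate the key pair; the modulus keyword avoids the interactive prompt
S1(config)# crypto key generate rsa modulus 2048
! Beyond the slide: SSH-2 only, 60 s login timeout, two password attempts
S1(config)# ip ssh version 2
S1(config)# ip ssh time-out 60
S1(config)# ip ssh authentication-retries 2
! Step 4: local user; 'secret' stores a hash, unlike the slide's 'password' keyword
S1(config)# username admin privilege 15 secret Str0ngPassw0rd!
! Step 5: vty lines accept SSH only and authenticate against the local database
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exec-timeout 5 0
S1(config-line)# end
! Verify: version 2.0 enabled, then any live sessions
S1# show ip ssh
S1# show ssh
S1# copy running-config startup-config
```

Until transport input ssh is applied, the vty lines still accept Telnet, so the line configuration is the step that actually removes the plaintext path; show ip ssh confirms only that the server is up, not that Telnet is closed.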

  • (Figure: SSH configuration steps on S1: configure hostname, configure IP domain, generate RSA key pairs, configure user authentication, configure the vty lines.)

  • On a PC, an SSH client, such as PuTTY, is used to connect to an SSH server. The PC initiates an SSH connection to the SVI VLAN IP address of S1.
    After entering the username and password, the user is connected via SSH to the CLI on the switch.

  • To display the version and configuration data for SSH on the device that you configured as an SSH server, use the show ip ssh command.
    To check the SSH connections to the device, use the show ssh command.

  • Basic switch security does not stop malicious attacks. Security is a layered process that is essentially never complete. The more aware you are regarding security attacks, the better. Some security attacks are described here, but the details are beyond the scope of this course. More detailed information is found in the CCNA WAN Protocols course and the CCNA Security course.

    MAC Address Flooding
    The MAC address flooding behavior of a switch for unknown addresses can be used to attack a switch. This type of attack is called a MAC address table overflow attack. MAC address table overflow attacks are sometimes referred to as MAC flooding attacks, and CAM table overflow attacks.
    MAC address tables are limited in size. MAC flooding attacks make use of this limitation to overwhelm the switch with fake source MAC addresses until the switch MAC address table is full. The switch enters into fail-open mode, where the switch broadcasts all frames to all machines on the network. As a result, the attacker can see all of the frames.

  • DHCP is used to assign a host a valid IP address out of a DHCP pool on a DHCP server.
    Two types of DHCP attacks can be performed against a switch: DHCP starvation attacks and DHCP spoofing.

    DHCP Starvation: An attacker floods the DHCP server with DHCP requests to use up all the available IP addresses that the DHCP server can issue. After these IP addresses are issued, the server cannot issue any more addresses, and this produces a denial-of-service (DoS) attack as clients cannot get network access.
    A DoS attack is any attack that is used to overload specific devices and network services with illegitimate traffic, thereby preventing legitimate traffic from reaching those resources.

  • DHCP Spoofing: An attacker configures a fake DHCP server on the network to issue DHCP addresses to clients. This attack forces clients to use false Domain Name System (DNS) or Windows Internet Naming Service (WINS) servers, making them use a machine under the control of the attacker as their default gateway.
    DHCP starvation is often used before a DHCP spoofing attack to deny service to the legitimate DHCP server, making it easier to introduce a fake DHCP server into the network.
    To mitigate DHCP attacks, use the DHCP snooping and port security features on the Cisco switches.

  • CDP is a Layer 2 Cisco proprietary protocol used to discover other Cisco devices that are directly connected. It is designed to allow the devices to auto-configure their connections.
    If an attacker is listening to CDP messages, it could learn important information such as device model and version of software running. CDP contains information about the device, such as the IP address, software version, platform, capabilities, and the native VLAN. This information can be used by an attacker to find ways to attack the network, typically in the form of a denial-of-service (DoS) attack.
    It is recommended that you disable the use of CDP on devices or ports that do not need to use it by using the no cdp run global configuration mode command. CDP can also be disabled on a per-port basis.

  • As mentioned, the Telnet protocol is insecure and should be replaced by SSH. However, an attacker can use Telnet as part of other attacks. Two of these attacks are brute force password attacks and Telnet DoS attacks.
    When passwords can't be captured, attackers will try as many combinations of characters as possible. This is known as a brute force password attack. To mitigate brute force password attacks, use strong passwords that are changed frequently. Access to the vty lines can also be limited using an access control list (ACL).
    In a Telnet DoS attack, the attacker exploits a flaw in the Telnet server software running on the switch that renders the Telnet service unavailable. This sort of attack prevents an administrator from remotely accessing switch management functions. This can be combined with other direct attacks on the network as part of a coordinated attempt to prevent the network administrator from accessing core devices during the breach.
    Vulnerabilities in Telnet that permit DoS attacks are usually addressed in security patches that are included in newer Cisco IOS revisions.

  • Defending your network against attack requires vigilance and education. The following are best practices for securing a network:
      Develop a written security policy for the organization
      Shut down unused services and ports
      Use strong passwords and change them often
      Control physical access to devices
      Use HTTPS instead of HTTP
      Perform backup operations on a regular basis
      Educate employees about social engineering attacks
      Encrypt and password-protect sensitive data
      Implement firewalls
      Keep software up-to-date

  • Network security tools help a network administrator test a network for weaknesses. Some tools allow an administrator to assume the role of an attacker.
    Security auditing and penetration testing are two basic functions that network security tools perform. Network security testing techniques may be manually initiated by the administrator or automated.
    Regardless of the type of testing, the security staff should have extensive security and networking knowledge. This includes expertise in the following areas:
      Network security
      Firewalls
      Intrusion prevention systems
      Operating systems
      Programming
      Networking protocols (such as TCP/IP)

  • Network security tools can also be used to audit the network. By monitoring the network, an administrator can assess what type of information an attacker would be able to gather. For example, by attacking and flooding the CAM table of a switch, an administrator would learn which switch ports are vulnerable to MAC flooding and correct the issue.
    Network security tools can also be used as penetration test tools. Penetration testing is a simulated attack. This helps determine how vulnerable the network is when under a real attack. Weaknesses within the configuration of networking devices can be identified based on test results, and changes can be made to make the devices more resilient to attacks.
    However, such tests can damage the network and should be carried out under very controlled conditions. An off-line test bed network that mimics the actual production network is the ideal.

  • A simple method to help secure the network from unauthorized access is to disable all unused ports on a switch.
    It is simple to make configuration changes to multiple ports on a switch. If a range of ports must be configured, use the interface range command (note the hyphen between the first and last port number):
      Switch(config)# interface range type module/first-number - last-number
      S1(config)# interface range fa0/1 - 15
    The process of enabling and disabling ports can be time-consuming, but it enhances security on the network and is well worth the effort.

  • DHCP snooping is a Cisco feature that determines which switch ports can respond to DHCP requests.
    Ports are identified as trusted and untrusted. Trusted ports can source all DHCP messages; untrusted ports can source requests only. Trusted ports host a DHCP server or can be an uplink toward the DHCP server.
    If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down.
    This feature can be coupled with DHCP options in which switch information, such as the port ID of the DHCP request, can be inserted into the DHCP request packet.

  • Configuring DHCP snooping:
    Step 1. Enable DHCP snooping using ip dhcp snooping.
    Step 2. Enable DHCP snooping for specific VLANs with ip dhcp snooping vlan number.
    Step 3. Define ports as trusted at the interface level by defining the trusted ports using ip dhcp snooping trust.
    Step 4. (Optional) Limit the rate at which an attacker can send bogus DHCP requests through untrusted ports to the DHCP server using the ip dhcp snooping limit rate rate command.
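The four steps above as one complete configuration on S1. This is an added example, not the course's own: VLAN 10 as the client VLAN, GigabitEthernet0/1 as the uplink toward the DHCP server, the access-port range and the rate of 10 packets per second are all assumed. One command goes beyond the slides and is marked in the comments: the option-82 insertion the previous slide mentions is on by default, and a relay or server that drops option-82 packets from an untrusted source is the usual reason clients stop getting leases right after snooping is enabled.

```cisco
! Added example (not from the course slides): DHCP snooping on S1.
! VLAN 10, Gi0/1 as uplink, Fa0/1-24 as client ports and the rate are assumed.
S1# configure terminal
! Step 1 and 2: enable globally, then for the client VLAN
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
! Beyond the slides: option 82 is inserted by default; disable it if the
! upstream relay/server discards packets carrying it
S1(config)# no ip dhcp snooping information option
! Step 3: only the uplink toward the DHCP server may source OFFER/ACK messages
S1(config)# interface GigabitEthernet0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
! Step 4: client ports stay untrusted; cap DISCOVER/REQUEST rate per port.
! A rogue server reply on any of these ports err-disables that port.
S1(config)# interface range FastEthernet0/1 - 24
S1(config-if-range)# ip dhcp snooping limit rate 10
S1(config-if-range)# end
! Verify: trusted ports, rate limits, and the learned MAC/IP/port bindings
S1# show ip dhcp snooping
S1# show ip dhcp snooping binding
```

The binding table produced by show ip dhcp snooping binding is what ties this slide to the DHCP spoofing slide before it: every lease the legitimate server hands out is recorded against the port it arrived on, so a client address that never appears there was not issued through a trusted port.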

  • All switch ports should be secured before the switch is deployed for production use.
    One way to secure ports is by implementing a feature called port security. Port security limits the number of valid MAC addresses allowed on a port. The MAC addresses of legitimate devices are allowed access, while other MAC addresses are denied. Any additional attempts to connect by unknown MAC addresses will generate a security violation.
    Secure MAC addresses can be configured in a number of ways:
      Static secure MAC addresses
      Dynamic secure MAC addresses
      Sticky secure MAC addresses

  • IOS considers it a security violation when either of these situations occurs:
      The maximum number of secure MAC addresses for that interface have been added to the CAM, and a station whose MAC address is not in the address table attempts to access the interface.
      An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
    An interface can be configured for one of three violation modes, specifying the action to be taken if a violation occurs. There are three possible actions when a violation is detected:
      Protect
      Restrict
      Shutdown

  • Port Security Default Settings

  • Configuring Dynamic Port Security
    This example does not specify a violation mode, so it uses the default, shutdown mode.

  • Configuring Sticky Port Security

  • Verify that port security is set correctly, and check to ensure that the static MAC addresses have been configured correctly.
    The output for the dynamic port security configuration is here. By default, there is only one MAC address allowed on this port.

  • This displays the sticky port security settings. Sticky MAC addresses are added to the MAC address table and to the running configuration.
    This shows that the sticky MAC for PC2 has been added to the running configuration for S1.

  • Use show port-security address to display all secure MAC addresses configured on all switch interfaces, or on a specified interface, with aging information for each.
    Here the secure MAC addresses are listed along with their types.

  • A port security violation can put a switch port in the error-disabled state, shutting down the port. The port LED will change to orange.
    Because the port security violation mode is set to shutdown, the port with the security violation goes to the error-disabled state. Console messages on the switch confirm this.

  • The show interface command identifies the port status as err-disabled. The show port-security interface command now shows the port status as secure-shutdown.
    Because the port security violation mode is set to shutdown, the port with the security violation goes to the error-disabled state.

  • You must determine what caused the security violation before re-enabling the port. If an unauthorized device is connected to a secure port, the port should not be re-enabled until the security threat is eliminated.
    To re-enable the port and make it operational, use shutdown then no shutdown.
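The port security slides above (configuration, violation modes, verification and recovery), together with the earlier slides on disabling unused ports with interface range and disabling CDP per port, as one added hardening example for S1. It is not the course's own configuration: the port ranges, VLAN numbers and the MAC address 0001.0203.0405 are assumed. Two global commands go beyond the slides and are marked in the comments: errdisable recovery lets a port recover from a psecure-violation on its own after a timer, which is convenient on user ports but removes the "investigate first" step the slide asks for, so it is shown as optional.

```cisco
! Added example (not from the course slides): access-port hardening on S1.
! Port ranges, VLANs and the MAC address are assumed values.
S1# configure terminal
! Unused ports: park them in an unused VLAN and shut them down
S1(config)# interface range FastEthernet0/13 - 24
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 999
S1(config-if-range)# shutdown
S1(config-if-range)# exit
! User ports: port security needs a static access port, not dynamic trunking.
! One sticky MAC per port, default-equivalent violation mode, no CDP to hosts.
S1(config)# interface range FastEthernet0/1 - 12
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 10
S1(config-if-range)# switchport port-security
S1(config-if-range)# switchport port-security maximum 1
S1(config-if-range)# switchport port-security mac-address sticky
S1(config-if-range)# switchport port-security violation shutdown
S1(config-if-range)# no cdp enable
S1(config-if-range)# exit
! A port with a known device: static secure MAC, 'restrict' logs and counts
! violations but keeps the port up for the legitimate address
S1(config)# interface FastEthernet0/5
S1(config-if)# switchport port-security mac-address 0001.0203.0405
S1(config-if)# switchport port-security violation restrict
S1(config-if)# exit
! Beyond the slides (optional): automatic recovery from psecure-violation after 300 s
S1(config)# errdisable recovery cause psecure-violation
S1(config)# errdisable recovery interval 300
S1(config)# end
! Verify: per-port summary, one port in detail, and the secure address table
S1# show port-security
S1# show port-security interface FastEthernet0/5
S1# show port-security address
S1# show interfaces status err-disabled
! Manual recovery, only after the offending device has been removed
S1# configure terminal
S1(config)# interface FastEthernet0/1
S1(config-if)# shutdown
S1(config-if)# no shutdown
S1(config-if)# end
S1# copy running-config startup-config
```

Saving the running configuration is the step that makes sticky addresses survive a reload; the slide on sticky port security shows them landing in the running configuration, which is lost on power cycle unless copied to NVRAM.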

  • Correct time stamps are required to accurately track network events such as security violations. Additionally, clock synchronization is critical for the correct interpretation of events within syslog data files as well as for digital certificates.
    NTP is a protocol used to synchronize the clocks of computer systems in data networks. NTP can get the correct time from an internal or external time source. Time sources can be:
      Local master clock
      Master clock on the Internet
      GPS or atomic clock
    A network device can be configured as either an NTP server or an NTP client.

  • To configure a device as an NTP master clock to which peers can synchronize, use the ntp master [stratum] command.
    The stratum value is a number from 1 to 15. If configured as NTP master with no stratum, it defaults to stratum 8. If the NTP master cannot reach any clock with a lower stratum number, the system will synchronize at the configured stratum number, and other systems using NTP will synchronize to it.
    (Figure: NTP master configuration on R1 and R2, annotated by the author "Error in curricula!")

  • To display the status of NTP associations, use show ntp associations. This indicates IP addresses of peer devices synchronized to this peer, statically configured peers, and stratum number.
    show ntp status displays NTP synchronization status, the peer that the device is synchronized to, and the NTP stratum.
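The three NTP slides above as one added example, not the course's own configuration: R1 acts as the local master, and R2 and S1 synchronize to R1's address 172.17.99.1 (the address the default-gateway slide gives for R1's interface toward S1). The stratum of 5, the key number and key string are assumed. Two things go beyond the slides and are marked in the comments: NTP authentication, so that a client only accepts time from a server holding the shared key, and service timestamps, which is what actually puts the synchronized time onto the syslog and security-violation messages the first NTP slide is concerned with.

```cisco
! Added example (not from the course slides): R1 as NTP master, R2 and S1 as
! clients. 172.17.99.1 is R1's address from the slides; stratum 5, key 1 and
! the key string are assumed values.
!
! --- R1: local master clock ---
R1(config)# clock timezone UTC 0
R1(config)# ntp master 5
! Beyond the slides: authenticate clients that use key 1
R1(config)# ntp authentication-key 1 md5 NtpSharedSecret
R1(config)# ntp authenticate
R1(config)# ntp trusted-key 1
! Beyond the slides: stamp log and debug output with synchronized time
R1(config)# service timestamps log datetime msec localtime show-timezone
R1(config)# service timestamps debug datetime msec localtime show-timezone
!
! --- R2: client of R1, accepting only key-1-authenticated time ---
R2(config)# clock timezone UTC 0
R2(config)# ntp authentication-key 1 md5 NtpSharedSecret
R2(config)# ntp authenticate
R2(config)# ntp trusted-key 1
R2(config)# ntp server 172.17.99.1 key 1
R2(config)# service timestamps log datetime msec localtime show-timezone
!
! --- S1: same client configuration on the switch ---
S1(config)# clock timezone UTC 0
S1(config)# ntp authentication-key 1 md5 NtpSharedSecret
S1(config)# ntp authenticate
S1(config)# ntp trusted-key 1
S1(config)# ntp server 172.17.99.1 key 1
S1(config)# service timestamps log datetime msec localtime show-timezone
!
! Verify on a client (synchronization takes a few polling intervals):
! associations shows the peer marked '*' once selected, status shows
! "Clock is synchronized, stratum 6, reference is 172.17.99.1"
R2# show ntp associations
R2# show ntp status
S1# show clock detail
```

A client that synchronizes to a stratum-5 master reports itself as stratum 6, one higher than its source; a status line of "Clock is unsynchronized" after several minutes usually points at a key mismatch or at the server not yet having reached its own configured stratum.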

  • NTP is designed to time-synchronize a network of devices. NTP runs over UDP, which runs over IP, and is documented in RFC 1305.
    An NTP network usually gets its time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two devices to within a millisecond of one another.
    Cisco's implementation of NTP does not support stratum 1 service; it is not possible to connect to a radio or atomic clock. Cisco recommends that the time service for your network be derived from the public NTP servers available on the IP Internet.
    For more information on NTP, and on setting the time and date manually on a 2960 switch, see the documents I've added in the Chapter 2 Module section of Netspace.

  • This chapter covered:
      The Cisco LAN switch boot sequence
      The operational status of the switch is displayed by a series of LEDs on the front panel, which display such things as port status, duplex, and speed
      To access a switch remotely, an IP address is configured on the management VLAN SVI; a default gateway must also be configured
      SSH should be used for secure access rather than the insecure Telnet
      Speed and duplex settings of a switch interface should be set to auto to avoid errors
      Switch ports should be configured to allow only frames with specific source MAC addresses to enter; frames from unknown source MAC addresses should be denied and cause the port to shut down to prevent further attacks
      Best practices for switched networks

  • Port security is just one defense and only a starting point. There are 10 best practices that represent the best insurance for a network, but are only a starting point for security management:
      Develop a written security policy for the organization.
      Shut down unused services and ports.
      Use strong passwords and change them often.
      Control physical access to devices.
      Avoid using standard insecure HTTP websites, especially for login screens. Instead use the more secure HTTPS.
      Perform backups and test the backed-up files on a regular basis.
      Educate employees about social engineering attacks, and develop policies to validate identities over the phone, via email, and in person.
      Encrypt sensitive data and protect it with a strong password.
      Implement security hardware and software, such as firewalls.
      Keep IOS software up-to-date by installing security patches weekly or daily, if possible.
