The switch performs three actions:
1) Decide forward or to filter (not forward) frame based on dest MAC (CAM in RAM)
2) Learns MACs by examining each frame source MAC (entries not refreshed will be removed after 300 sec, Cisco default)
3) Creates a L2 loop-free enviroment (STP)
Switching forwarding methods:
1) Store and forward - store received frame in buffer, analyze, CRC. If CRC passed-> frame is forwarded
2) Cut-through - read only first 14 bytes of frame (dest, source, MAC and type). CRC not permormed.
Ethernet signals are transmitted to every host connected to the LAN using a special set of rules to determine which station can access the network.
The set of rules that Ethernet uses is based on the IEEE carrier sense multiple access/collision detect (CSMA/CD) technology.
CSMA/CD is not used on full duplex connections.
Carrier Sense - In the CSMA/CD access method, all network devices that have messages to send must listen before transmitting. Collisions - result of 2 nodes transmitting simultaneously. (Frames are damages and discarted when they meet on physical media).
Multi-access - describes the fact that multiple stations send and receive on the medium. Transmissions by one node are generally received by all other stations using the medium.
Collision Detection - When a device is in listening mode, it can detect when a collision occurs on the shared media, because all devices can detect an increase in the amplitude of the signal above the normal level.
Jam Signal and Random Backoff - When a collision is detected, the transmitting devices send out a jamming signal. The jamming signal notifies the other devices of a collision, so that they invoke a backoff algorithm. This backoff algorithm causes all devices to stop transmitting for a random amount of time, which allows the collision signals to subside. After the delay has expired on a device, the device goes back into the "listening before transmit" mode. A random backoff period ensures that the devices that were involved in the collision do not try to send traffic again at the same time, which would cause the whole process to repeat. However, during the backoff period, a third device may transmit before either of the two involved in the collision have a chance to re-transmit.
Three forms of Ethernet communication.
• Unicast / from one host to one specific destination (ex: HTTP, SMTP, FTP, and Telnet)
• Broadcast / from one address to all other addresses (ex: ARP query)
• Multicast / to a specific group of devices (video and voice transmissions )
Switches use the Layer 2 PDU – Data Link – MAC address to determine the destination.
Organization Unique Identifier (OUI) – 24 bits, first 12 bits IEEE assigns vendor, 12 remainder bits are for vendor use.
Half Duplex - unidirectional data flow where sending and receiving data are not performed at the same time.
High potential for collision. Hub connectivity.Performance issues due to the constant waiting,
Full Duplex - data flow is bidirectional, so data can be sent and received at the same time.
Collision free.Enhanced performance by reducing the wait time between transmissions. Require a switch that supports full duplex or a direct connection between two nodes that each support full duplex
Shared hub-based Ethernet configuration efficiency is typically rated at ~ 60% of the 10-Mb/s bandwidth.
Full-duplex Fast Ethernet - offers 100 % efficiency in both directions (100 mbps transmit and 100mbps receive).
Switch uses MAC Address Table to make forwarding decisions.
Only a Layer 3 entity, such as a router, or a virtual LAN (VLAN), can stop a Layer 3 broadcast domain.
Switch Port Settings
The auto option sets autonegotiation of duplex mode. With autonegotiation enabled, the two ports communicate to decide the best mode of operation.Autonegotiation can produce unpredictable results. By default, when autonegotiation fails, the Catalyst switch sets the corresponding switch port to half-duplex mode.
The full option sets full-duplex mode.
The half option sets half-duplex mode.
For Fast Ethernet and 10/100/1000 ports, the default is auto.
For 100BASE-FX ports, the default is full.
1,000 Mb/s operate only in full-duplex mode.
Auto-MDIX - automatic medium-dependent interface crossover (auto-MDIX) feature.
Enabled by default on switches running Cisco IOS > 12.2(18)SE.
• Store-and-forward (now standard method used)/ recieve entire frame, compute/check CRC, forward,
• Cut-through – forward frame before it is entirely recieved (after reading dest MAC),without CRC:
- Fast-forward switching - immediately forwards a packet after reading the destination address.
( this technique reduces latency through the switch, but decreases reliability; corrupted frames are potentially forwarded.)
- Fragment free – immediately after stores the first 64 bytes of the frame before forwarding (collisions occur during the first 64 bytes)
(partially addresses this problem by assuring that collision fragments are not forwarded)
Asymmetric switching enables more bandwidth to be dedicated to a server switch port to prevent a bottleneck.
Symmetric switch all ports are of the same bandwidth.
Note: With asymmetric switching store-and-forward must be used.
Port-based memory buffering uses memory allocated to each individual port with it’s own queues.
Shared memory buffering uses one single queue that allows asymmetric switching to be successful.
Layer 2 / Layer 3 Switches
A Layer 2 switch performs switching and filtering based only on the OSI L2 MAC address.
A Layer 3 switch can also use IP address information, can also learn which IP addresses are associated with its interfaces, also capable of performing Layer 3 routing functions
Command Line Interface (CLI)
The Cisco Catalyst switches use a CLI very similar to the Cisco routers. The user levels are the same as are configuring switch host names and password.
line vty 0 4on the switch we use
line vty 0 15Commands
• show history – shows by default the last 10 commands you entered
• terminal no history – disables history
• terminal no history size – enables history of 10 commands
If POST fails on a switch the SYST LED turns amber, if it passes it blinks green.
1. Set passwords
2. Set hostname
3. Create Management VLAN
a. config t
b. int vlan 99
4. Assign IP address to allow remote configuration
a. (inside vlan 99)
b. ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
c. no shut
5. Configure Switchport to be member of management vlan
a. int fa0/1
b. switchport mode access
c. switchport access vlan 99
6. Assign Default Gateway
a. config t
b. ip default-gateway xxx.xxx.xxx.xxx
7. Save configuration
a. copy run start
Enable Password Recovery
1. Connect a terminal or PC with terminal-emulation software to the switch console port.
2. Set the line speed on the emulation software to 9600 baud.
3. Power off the switch. Reconnect the power cord to the switch and within 15 seconds, press the Mode button while the System LED is still flashing green. Continue pressing the Mode button until the System LED turns briefly amber and then solid green. Then release the Mode button.
4. Initialize the Flash file system using the flash_init command.
5. Load any helper files using the load_helper command.
6. Display the contents of Flash memory using the dir flash command
7. Rename the configuration file to config.text.old, which contains the password definition, using the rename flash:config.text flash:config.text.old command.
8. Boot the system with the boot command.
9. You are prompted to start the setup program. Enter N at the prompt, and then when the system prompts whether to continue with the configuration dialog, enter N.
10. At the switch prompt, enter privileged EXEC mode using the enable command.
11. Rename the configuration file to its original name using the rename flash:config.text.old flash:config.text command.
12. Copy the configuration file into memory using the copy flash:config.text system:running-config command
13. Change the password using the enable secret password command.
14. Write the running configuration to the startup configuration file using the copy running-config startup-config command, reload the switch using the reload command
Telnet vs SSH
Telnet - most common access method, insecure, send clear text message streams,
SSH - should be common, secure, ecrypted message streams.
(config-line)#transport input telnet
(config-line)#transport input all
#configure terminalSecurity Attacks
(config)#ip domain-name Domain_name
(config)#crypto key generate rsa
(config)#ip ssh version 2
(config)#line vty 0 15
(config-line)#transport input sh
show ip ssh
- MAC Address Flooding / MAC address table overflow
- Spoofing Attacks and DHCP starvation attack
- CDP Attacks / discovers other Cisco devices that are directly connected
- Telnet Attacks / Brute force, DoS attacks
To prevent DHCP attacks, use the
DHCP snooping (determines which switch ports can respond to DHCP requests) and port security (limit the number of secure MAC) features on the Cisco Catalyst switches.
To address this vulnerability, it is recommended that you disable the use of CDP on devices that do not need to use it.
Protecting against brute force - frequent change passwords, strong password, limit vty access.
Protecting against DoS - use newest version of Cisco IOS
To change switchport from auto to duplex / half or to a specific speed enter the interface and use duplex or speed to achieve your desired results.
show mac-address-table (default age 300s)Static assignment of MAC addresses can be used via:
address> vlan <1-4096, all> interface
To erase configuration file issue,
erase startTo erase flash (IOS) issue,
erase flash:Port Security
1. Static port assignment / MAC addresses are manually configured
2. Dynamic port assignment / MAC addresses are dynamically learned and stored only in the address table, removed when the switch restarts.
3. Sticky port assignment / dynamically learn MAC addresses and then save these MAC addresses to the running configuration
switchport port-security mac-addressSecurity Violation Modes
switchport port-security mac-address sticky
• shutdown (default) port is secured by shutting down, logging error, and sending SNMP trap
• restrict sends an SNMP trap and logging error, drops all non-accepted frames
• protect drops all non-accepted frames.
#show port-security [interface interface-id]Secure all unused ports by shutting them down.
#show port-security address
CAM table - is a system memory construct used by Ethernet switch logic to dereference Media Access Control (MAC) addresses of stations to the ports on which they connect to the switch itself. This allows switches to facilitate communications between connected stations at high speed and in full-duplex regardless of how many devices are connected to the switch. The CAM table is consulted to make the frame forwarding decision. On Ethernet networks that transmit IP, switches learn MAC addresses from the source address of Ethernet frames on the ports, such as Address Resolution Protocol (ARP) response packets.
Default VTY acces : telnet , ssh ?
Network administrator has decided to allow only Secure Shell conne
-vty lines that are configured to allow only Telnet
MOTD banner is shown first. Both are shown before login.
However, for login banner, you need to have the "login" command under the line. If you configure "no login" under the line config, then login banner never shows up.
A config like this:
banner login ^C
This is a login banner
banner motd ^C
This is a MOTD banner
line con 0Will give you the output when you connect to the console:
This is a MOTD banner
This is a login banner
User Access Verification