CCNA5-S2 Chapter 2: Basic Switching Concepts and Configuration

Basic Switching Concepts and Configuration

Switches are used to connect multiple devices together on the same network. In a properly designed network, LAN switches are responsible for directing and controlling the data flow at the access layer to networked resources.
Cisco switches are self-configuring and no additional configurations are necessary for them to function out of the box. However, Cisco switches run Cisco IOS, and can be manually configured to better meet the needs of the network. This includes adjusting port speed, bandwidth, and security requirements.
Additionally, Cisco switches can be managed both locally and remotely. To remotely manage a switch it needs to have an IP address and default gateway configured.

Switches operate at the access layer where client network devices connect directly to the network and IT departments want uncomplicated network access for the users. It is one of the most vulnerable areas of the network because it is so exposed to the user. Switches need to be configured to be resilient to attacks of all types while they are protecting user data and allowing for high speed connections. Port security is one of the security features Cisco managed switches provide.

Configure a Switch with Initial Settings
1. Boot sequence

After a Cisco switch is powered on, it goes through the following boot sequence:
1. First, the switch loads a power-on self-test (POST) program stored in ROM. POST checks the CPU subsystem. It tests the CPU, DRAM, and the portion of the flash device that makes up the flash file system.
2. Next, the switch loads the boot loader software. The boot loader is a small program stored in ROM and is run immediately after POST successfully completes.
3. The boot loader performs low-level CPU initialization. It initializes the CPU registers, which control where physical memory is mapped, the quantity of memory, and its speed.
4. The boot loader initializes the flash file system on the system board.
5. Finally, the boot loader locates and loads a default IOS operating system software image into memory and hands control of the switch over to the IOS.

The boot loader finds the Cisco IOS image on the switch as follows: the switch attempts to automatically boot by using information in the BOOT environment variable. If this variable is not set, the switch attempts to load and execute the first executable file it can by performing a recursive, depth-first search throughout the flash file system. In a depth-first search of a directory, each encountered subdirectory is completely searched before continuing the search in the original directory. On Catalyst 2960 Series switches, the image file is normally contained in a directory that has the same name as the image file (excluding the .bin file extension).
The IOS operating system then initializes the interfaces using the Cisco IOS commands found in the configuration file, startup configuration, which is stored in NVRAM.
In the figure, the BOOT environment variable is set using the boot system global configuration mode command. Use the show bootvar command (show boot in older IOS versions) to see what the current IOS boot file is set to.
SW-1(config)# boot system flash:/c2960-lanbasek9-mz.150-2.SE/c2960-lanbasek9-mz.150-2.SE.bin   
1. command
2. stoage device
3. filename of IOS
4. path to location
2. Recovering From a System Crash 
The boot loader provides access into the switch if the operating system cannot be used because of missing or damaged system files. The boot loader has a command-line that provides access to the files stored in flash memory.
The boot loader can be accessed through a console connection following these steps:
Step 1. Connect a PC by console cable to the switch console port. Configure terminal emulation software to connect to the switch.
Step 2. Unplug the switch power cord.
Step 3. Reconnect the power cord to the switch and, within 15 seconds, press and hold down the Mode button while the System LED is still flashing green.
Step 4. Continue pressing the Mode button until the System LED turns briefly amber and then solid green; then release the Mode button.
Step 5. The boot loader switch: prompt appears in the terminal emulation software on the PC.
The boot loader command line supports commands to format the flash file system, reinstall the operating system software, and recover from a lost or forgotten password. For example, the dir command can be used to view a list of files within a specified directory as shown in the figure.
Note: Notice that in this example, the IOS is located in the root of the flash folder.

3. Switch LED Indicators
Cisco Catalyst switches have several status LED indicator lights. You can use the switch LEDs to quickly monitor switch activity and its performance. Switches of different models and feature sets will have different LEDs and their placement on the front panel of the switch may also vary.
The figure shows the switch LEDs and the Mode button for a Cisco Catalyst 2960 switch. The Mode button is used to toggle through port status, port duplex, port speed, and PoE (if supported) status of the port LEDs. The following describes the purpose of the LED indicators, and the meaning of their colors:

  • Redundant Power System (RPS) LED - Shows the RPS status. If the LED is off, the RPS is off or not properly connected. If the LED is green, the RPS is connected and ready to provide back-up power. If the LED is blinking green, the RPS is connected but is unavailable because it is providing power to another device. If the LED is amber, the RPS is in standby mode or in a fault condition. If the LED is blinking amber, the internal power supply in the switch has failed, and the RPS is providing power.
  • Port Status LED - Indicates that the port status mode is selected when the LED is green. This is the default mode. When selected, the port LEDs will display colors with different meanings. If the LED is off, there is no link, or the port was administratively shut down. If the LED is green, a link is present. If the LED is blinking green, there is activity and the port is sending or receiving data. If the LED is alternating green-amber, there is a link fault. If the LED is amber, the port is blocked to ensure a loop does not exist in the forwarding domain and is not forwarding data (typically, ports will remain in this state for the first 30 seconds after being activated). If the LED is blinking amber, the port is blocked to prevent a possible loop in the forwarding domain.
  • Port Duplex LED - Indicates the port duplex mode is selected when the LED is green. When selected, port LEDs that are off are in half-duplex mode. If the port LED is green, the port is in full-duplex mode.
  • Port Speed LED - Indicates the port speed mode is selected. When selected, the port LEDs will display colors with different meanings. If the LED is off, the port is operating at 10 Mb/s. If the LED is green, the port is operating at 100 Mb/s. If the LED is blinking green, the port is operating at 1000 Mb/s.
  • Power over Ethernet (PoE) Mode LED - If PoE is supported; a PoE mode LED will be present. If the LED is off, it indicates the PoE mode is not selected and that none of the ports have been denied power or placed in a fault condition. If the LED is blinking amber, the PoE mode is not selected but at least one of the ports has been denied power, or has a PoE fault. If the LED is green, it indicates the PoE mode is selected and the port LEDs will display colors with different meanings. If the port LED is off, the PoE is off. If the port LED is green, the PoE is on. If the port LED is alternating green-amber, PoE is denied because providing power to the powered device will exceed the switch power capacity. If the LED is blinking amber, PoE is off due to a fault. If the LED is amber, PoE for the port has been disabled. 
4. Preparing for Basic Switch Management
To prepare a switch for remote management access, the switch must be configured with an IP address and a subnet mask. Keep in mind, that to manage the switch from a remote network, the switch must be configured with a default gateway.
1. A console cable is used to connect a PC to the console port of a switch for configuration.
2. To remotely manage the switch, the switch must be initially configured through the console port.
1. Initialize and reload the switch
show flash
delete vlan.dat
erase startup-config

2. Configure switch
1) Assign the switch hostname.
Switch(config)#hostname S1
2) Configure password encryption.
S1(config)# service password-encryption
3) Assign 'class' as the secret password for privileged EXEC mode access.
S1(config)# enable secret class
4) Prevent unwanted DNS lookups.
S1(config)# no ip domain-lookup
5) Configure a MOTD banner.
S1(config)# banner motd #
Enter Text message. End with the character ‘#’.
Unauthorized access is strictly prohibited. #

The default configuration is to allow all console connections with no password needed.
To prevent console messages from interrupting commands, use the 'logging synchronous' option
S1(config)# line con 0
S1(config-line)#password cisco
S1(config-line)#logging synchronous

Configure the virtual terminal (vty) lines for the switch to allow Telnet access. If you do not configure a vty password , you are unable to telnet to the switch
S1(config)# line vty 0 15
S1(config-line)# password cisco
S1(config-line)# login

S1(config)# vlan vlan_id
S1(config-vlan)# name vlan_name
S1(config)# interface interface_id
S1(config-if)# switchport access vlan vlan_id
S1(config)#  ip default-gateway <IP-nexthop>
S1# copy running-config startup-config

configure optional SSH
! check if SSH if available
show ip ssh
! configure domain name

ip domain-name domain-name
! Generate RSA key pairs.
crypto key generate rsa
! Note: To delete the RSA key pair, use the crypto key zeroize rsa
! configure user
username username secret password
! Configure the vty lines.
line vty 0 4
   transport input ssh

   login local
Enable SSH version 2. By default, SSH supports both versions 1 and 2. Version 1 has known vulnerabilities.
ip ssh version 2

3. Verify commands
Note: If you are using Windows 7, the administrator may need to enable the Telnet protocol. To install the Telnet client
C:\Users\User1> pkgmgr /iu:”TelnetClient”
show run
show star
show flash
show mac address-table   OR show mac-address-table
clear mac address-table dynamic
show interface vlan 1
show ip interface brief
show version
show history
show ip ssh
show ssh
5. Configure Switch Ports
Most Ethernet and Fast Ethernet NICs sold today offer full-duplex capability. Gigabit Ethernet and 10Gb NICs require full-duplex connections to operate. In full-duplex mode, the collision detection circuit on the NIC is disabled. Frames that are sent by the two connected devices cannot collide because the devices use two separate circuits in the network cable. Full-duplex connections require a switch that supports full-duplex configuration, or a direct connection using an Ethernet cable between two devices.
Note: Mismatched settings for the duplex mode and speed of switch ports can cause connectivity issues. Auto negotiation failure creates mismatched settings.

All fiber optic ports, such as 100BASE-FX ports, operate only at one preset speed and are always full-duplex
Sample config
interface fa 0/0
duplex full
speed 100
Until recently, certain cable types (straight-through or crossover) were required when connecting devices. Switch-to-switch or switch-to-router connections required using different Ethernet cables. Using the automatic medium-dependent interface crossover (auto-MDIX) feature on an interface eliminates this problem. When auto-MDIX is enabled, the interface automatically detects the required cable connection type (straight- through or crossover) and configures the connection appropriately. When connecting to switches without the auto-MDIX feature, straight-through cables must be used to connect to devices such as servers, workstations, or routers and crossover cables must be used to connect to other switches or repeaters.

On newer Cisco routers and switches, the mdix auto interface configuration mode command enables the feature. When using auto-MDIX on an interface, the interface speed and duplex must be set to auto so that the feature operates correctly.

Note: The auto-MDIX feature is enabled by default on Catalyst 2960 and Catalyst 3560 switches, but is not available on the older Catalyst 2950 and Catalyst 3550 switches.

To examine the auto-MDIX setting for a specific interface, use the show controllers ethernet-controller command with the phy keyword. To limit the output to lines referencing auto-MDIX, use the include Auto-MDIX filter.
show controllers ethernet-controller [interface-id] phy
(Optional) Display the status of the internal registers on the switch physical layer device (PHY) for the device or the interface. This display includes the operational state of the automatic medium-dependent interface crossover (auto-MDIX) feature on an interface.

Network Access Layer Issues
The output from the show interface command can be used to detect common media issues. One of the most important parts of this output is the display of the line and data link protocol status.
  • If the interface is up and the line protocol is down, a problem exists. There could be an encapsulation type mismatch, the interface on the other end could be error-disabled, or there could be a hardware problem.
  • If the line protocol and the interface are both down, a cable is not attached or some other interface problem exists. For example, in a back-to-back connection, the other end of the connection may be administratively down.
  • If the interface is administratively down, it has been manually disabled (the shutdown command has been issued) in the active configuration.
show interface command include the following:
  • Runt Frames - Ethernet frames that are shorter than the 64-byte minimum allowed length are called runts. Malfunctioning NICs are the usual cause of excessive runt frames, but they can be caused by the same issues as excessive collisions.
  • Giants - Ethernet frames that are longer than the maximum allowed length are called giants. Giants are caused by the same issues as those that cause runts.
  • CRC errors - On Ethernet and serial interfaces, CRC errors usually indicate a media or cable error. Common causes include electrical interference, loose or damaged connections, or using the incorrect cabling type. If you see many CRC errors, there is too much noise on the link and you should inspect the cable for damage and length. You should also search for and eliminate noise sources, if possible.
“Output errors” is the sum of all errors that prevented the final transmission of datagrams out of the interface that is being examined. The reported output errors from the show interface command include the following:

  • Collisions - Collisions in half-duplex operations are completely normal and you should not worry about them, as long as you are pleased with half-duplex operations. However, you should never see collisions in a properly designed and configured network that uses full-duplex communication. It is highly recommended that you use full-duplex unless you have older or legacy equipment that requires half-duplex.
  • Late collisions - A late collision refers to a collision that occurs after 512 bits of the frame (the preamble) have been transmitted. Excessive cable lengths are the most common cause of late collisions. Another common cause is duplex misconfiguration. For example, you could have one end of a connection configured for full-duplex and the other for half-duplex. You would see late collisions on the interface that is configured for half-duplex. In that case, you must configure the same duplex setting on both ends. A properly designed and configured network should never have late collisions.

Security in LAN
Common Security Attacks: MAC Address Flooding

- MAC Address Flooding  (MAC Address table overflow)
The MAC address table in a switch contains the MAC addresses associated with each physical port and the associated VLAN for each port. When a Layer 2 switch receives a frame, the switch looks in the MAC address table for the destination MAC address. All Catalyst switch models use a MAC address table for Layer 2 switching. As frames arrive on switch ports, the source MAC addresses are recorded in the MAC address table. If an entry exists for the MAC address, the switch forwards the frame to the correct port. If the MAC address does not exist in the MAC address table, the switch floods the frame out of every port on the switch, except the port where the frame was received.
MAC address tables are limited in size. MAC flooding attacks make use of this limitation to overwhelm the switch with fake source MAC addresses until the switch MAC address table is full. 
One way to mitigate MAC address table overflow attacks is to configure port security.

- DHCP Spoofing
Two types of DHCP attacks can be performed against a switched network: DHCP starvation attacks and DHCP spoofing.
In DHCP starvation attacks, an attacker floods the DHCP server with DHCP requests to use up all the available IP addresses that the DHCP server can issue.
In DHCP spoofing attacks, an attacker configures a fake DHCP server on the network to issue DHCP addresses to clients. The normal reason for this attack is to force the clients to use false Domain Name System (DNS) or Windows Internet Naming Service (WINS) servers and to make the clients use the attacker, or a machine under the control of the attacker, as their default gateway.
To mitigate DHCP attacks, use the DHCP snooping and port security features on the Cisco Catalyst switches.

-  Leveraging CDP
The Cisco Discovery Protocol (CDP) is a proprietary protocol that all Cisco devices can be configured to use. CDP discovers other Cisco devices that are directly connected, which allows the devices to auto-configure their connection. In some cases, this simplifies configuration and connectivity.

By default, most Cisco routers and switches have CDP-enabled on all ports. CDP information is sent in periodic, unencrypted broadcasts. This information is updated locally in the CDP database of each device. Because CDP is a Layer 2 protocol, CDP messages are not propagated by routers.
It is recommended that you disable the use of CDP on devices or ports that do not need to use it by using the no cdp run global configuration mode command. CDP can be disabled on a per port basis.
Telnet Attacks - launch a brute force password-cracking attack against the vty lines on the switch.
Telnet DoS Attack - the attacker exploits a flaw in the Telnet server software running on the switch that renders the Telnet service unavailable. This sort of attack prevents an administrator from remotely accessing switch management functions.
Vulnerabilities in the Telnet service that permit DoS attacks to occur are usually addressed in security patches that are included in newer Cisco IOS revisions.
Note: It is a best practice to use SSH, rather than Telnet for remote management connections.

Security Best Practices
Defending your network against attack requires vigilance and education. The following are best practices for securing a network:
 - Develop a written security policy for the organization.
 - Shut down unused services and ports.
 - Use strong passwords and change them often.
 - Control physical access to devices.
 - Avoid using standard insecure HTTP websites, especially for login screens; instead use the more secure HTTPS.
 - Perform backups and test the backed up files on a regular basis.
 - Educate employees about social engineering attacks, and develop policies to validate identities over the phone, via email, and in person.
 - Encrypt and password-protect sensitive data.
 - Implement security hardware and software, such as firewalls.
 - Keep software up-to-date by installing security patches weekly or daily, if possible.

Network security tools help a network administrator test a network for weaknesses.
Network security testing techniques may be manually initiated by the administrator. Other tests are highly automated.

Security testing should have extensive security and networking knowledge. This includes expertise in the following areas:
 - Network security
 - Firewalls
 - Intrusion prevention systems
 - Operating systems
 - Programming
 - Networking protocols (such as TCP/IP)

Network security tools allow a network administrator to perform a security audit of a network. A security audit reveals the type of information an attacker can gather simply by monitoring network traffic. 

Network security auditing tools allow an administrator to flood the MAC address table with fictitious MAC addresses.
Network security tools can also be used for penetration testing against a network.

Disable Unused Ports
A simple method that many administrators use to help secure the network from unauthorized access is to disable all unused ports on a switch. For example, if a Catalyst 2960 switch has 24 ports and there are three Fast Ethernet connections in use, it is good practice to disable the 21 unused ports. Navigate to each unused port and issue the Cisco IOS shutdown command.

DHCP snooping allows the configuration of ports as trusted or untrusted:
 - Trusted ports can send DHCP requests and acknowledgments.
 - Untrusted ports can forward only DHCP requests.
* DHCP snooping enables the switch to build a DHCP binding table that maps a client MAC address, IP address, VLAN, and port ID.
* DHCP snooping is a Cisco Catalyst feature that determines which switch ports can respond to DHCP requests.
* Trusted ports host a DHCP server or can be an uplink toward the DHCP server.

Configure DHCP snooping on a Catalyst 2960 switch:
Step 1. Enable DHCP snooping using the ip dhcp snooping global configuration mode command.
Step 2. Enable DHCP snooping for specific VLANs using the ip dhcp snooping vlan number command.
Step 3. Define ports as trusted at the interface level by defining the trusted ports using the ip dhcp snooping trust command.
Step 4. (Optional) Limit the rate at which an attacker can continually send bogus DHCP requests through untrusted ports to the DHCP server using the ip dhcp snooping limit rate rate command.
SW(config)# ip dhcp snooping 
SW(config)# ip dhcp snooping vlan 10, 30
SW(config)# int giga 0/0
SW(config-if)# ip dhcp snooping trust
SW(config)# int fa 0/0
SW(config-if)# ip dhcp snooping limit rate 5
Port Security
All switch ports (interfaces) should be secured before the switch is deployed for production use. One way to secure ports is by implementing a feature called port security. Port security limits the number of valid MAC addresses allowed on a port. The MAC addresses of legitimate devices are allowed access, while other MAC addresses are denied.

Note that port security feature will not work until port security is enabled on the interface using the switchport port-security command.

Secure MAC Address Types
There are a number of ways to configure port security. The type of secure address is based on the configuration and includes:
- Static secure MAC addresses - MAC addresses that are manually configured on a port by using the switchport port-security mac-address mac-address interface configuration mode command. MAC addresses configured in this way are stored in the address table and are added to the running configuration on the switch.
- Dynamic secure MAC addresses - MAC addresses that are dynamically learned and stored only in the address table. MAC addresses configured in this way are removed when the switch restarts.
- Sticky secure MAC addresses - MAC addresses that can be dynamically learned or manually configured, then stored in the address table and added to the running configuration.

Sticky Secure MAC addresses
To configure an interface to convert dynamically learned MAC addresses to sticky secure MAC addresses and add them to the running configuration, you must enable sticky learning.
Sticky learning is enabled on an interface by using the switchport port-security mac-address sticky interface configuration mode command.
Sticky secure MAC addresses can also be manually defined. When sticky secure MAC addresses are configured by using the switchport port-security mac-address sticky mac-address

Port Security: Violation Modes
It is a security violation when either of these situations occurs:
 - The maximum number of secure MAC addresses have been added to the address table for that interface, and a station whose MAC address is not in the address table attempts to access the interface.
 - An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

An interface can be configured for one of three violation modes, specifying the action to be taken if a violation occurs. The figure presents which kinds of data traffic are forwarded when one of the following security violation modes are configured on a port:
 - Protect - When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed, or the number of maximum allowable addresses is increased. There is no notification that a security violation has occurred.
 - Restrict - When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until a sufficient number of secure MAC addresses are removed, or the number of maximum allowable addresses is increased. In this mode, there is a notification that a security violation has occurred.
 - Shutdown - In this (default) violation mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It increments the violation counter. When a secure port is in the error-disabled state, it can be brought out of this state by entering the shutdown and no shutdown interface configuration mode commands.

To change the violation mode on a switch port, use the switchport port-security violation {protect | restrict |shutdown} interface configuration mode command

show port-security [interface interface-id]
show port-security address  
show interface  / show interface fa 0/0 status - command identifies the port status as err-disabled  

Network Time Protocol (NTP)
Having the correct time within networks is important. Correct time stamps are required to accurately track network events such as security violations. Additionally, clock synchronization is critical for the correct interpretation of events within syslog data files as well as for digital certificates.
Network Time Protocol (NTP) is a protocol that is used to synchronize the clocks of computer systems over packet-switched, variable-latency data networks. NTP allows network devices to synchronize their time settings with an NTP server. A group of NTP clients that obtain time and date information from a single source will have more consistent time settings.

A secure method of providing clocking for the network is for network administrators to implement their own private network master clocks, synchronized to UTC, using satellite or radio. However, if network administrators do not wish to implement their own master clocks because of cost or other reasons, other clock sources are available on the Internet. NTP can get the correct time from an internal or external time source including the following:
 - Local master clock
 - Master clock on the Internet
 - GPS or atomic clock

A network device can be configured as either an NTP server or an NTP client. To allow the software clock to be synchronized by an NTP time server, use the 
Router configured as an NTP client
ntp server
To configure a device as having an NTP master clock to which peers can synchronize themselves, use the 
! Router serves as an authoritative NTP server.
ntp master [
The stratum value is a number from 1 to 15 and indicates the NTP stratum number that the system will claim. If the system is configured as an NTP master and no stratum number is specified, it will default to stratum 8. If the NTP master cannot reach any clock with a lower stratum number, the system will claim to be synchronized at the configured stratum number, and other systems will be willing to synchronize to it using NTP. 
show ntp associations 
show ntp status