Computer Networks II
4861
Switch Configuration

Converged Networks

Growing Complexity of Networks

Our digital world is changing
Information must be accessed from anywhere in the world
Networks must be secure, reliable, and highly available

Converged Networks

Elements Of A Converged Network

Collaboration is a requirement
To support collaboration, networks employ converged solutions
Data services such as voice systems, IP phones, voice gateways, video support, and video conferencing
Call control, voice messaging, mobility and automated attendant are also common features

Converged Networks

Borderless Switched Networks

Cisco Borderless Network is a network architecture that allows organizations to connect anyone, anywhere, anytime, and on any device securely, reliably, and seamlessly
It is designed to address IT and business challenges, such as supporting the converged network and changing work patterns

Converged Networks

Hierarchy in the Borderless Switched Network

Borderless switched network design guidelines are built upon the following principles:
Hierarchical
Modularity
Resiliency
Flexibility

Converged Networks

Core, Distribution, Access

Switched Networks

Role of Switched Networks

The role of switched networks has evolved
A switched LAN allows more flexibility and traffic management
It also supports features such as quality of service, additional security, support for wireless, support for IP telephony and mobility services

Switched Networks

Form Factor

Fixed

Switched Networks

Form Factor

Modular

Switched Networks

Form Factor

Stackable

Frame Forwarding

Switching as a General Concept

A switch makes a decision based on ingress and destination port
A LAN switch keeps a table that it uses to determine how to forward traffic through the switch
Cisco LAN switches forward Ethernet frames based on the destination MAC address of the frames.

Frame Forwarding

Switch Forwarding Methods

Store-and-Forward Switching
Store-and-forward allows the switch to:
Check for errors (via FCS check)
Perform automatic buffering

Slower forwarding

Cut-Through Switching
Cut-through allows the switch to start forwarding in about 10 microseconds
No FCS check
No automatic buffering

Switching Domains

Collision Domains
A collision domain is the segment where devices must compete to communicate
All ports of a hub belong to the same collision domain
Every port of a switch is a collision domain on its own
A switch breaks the segment into smaller collision domains, easing device competition.

Switching Domains

Broadcast Domains
A broadcast domain is the extent of the network where a broadcast frame can be heard.
Switches forward broadcast frames to all ports. Therefore switches don't break broadcast domains.
All ports of a switch (with its default configuration) belong to the same broadcast domain
If two or more switches are connected, broadcasts will be forwarded to all ports of all switches (except for the port that originally received the broadcast)

Basic Switch Configuration

Switch Boot Sequence

1. POST
2. Run boot loader software
3. Boot loader does low-level CPU initialization
4. Boot loader initializes the flash filesystem
5. Boot loader locates and loads a default IOS operating system software image into memory and hands control of the switch over to the IOS.

Basic Switch Configuration

Switch LED Indicators

Each port on Cisco Catalyst switches has status LED indicator lights.
By default these LED lights reflect port activity, but they can also provide other information about the switch through the Mode button
The following modes are available on Cisco Catalyst 2960 switches:

System LED
Redundant Power System (RPS) LED
Port Status LED
Port Duplex LED
Port Speed LED
Power over Ethernet (PoE) Mode LED

Basic Switch Configuration

Switch LED Indicators

Cisco Catalyst 2960 switch modes

Preparing for Basic Switch Management

In order to remotely manage a Cisco switch, it needs to be configured to access the network
An IP address and a subnet mask must be configured
If managing the switch from a remote network, a default gateway must also be configured
The IP information (address, subnet mask, gateway) is to be assigned to a switch SVI (switch virtual interface)
Although these IP settings allow remote management and remote access to the switch, they do not allow the switch to route Layer 3 packets.
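The management SVI setup described above, as an added Cisco IOS example (not a command listing from the original slides); the hostname S1, VLAN 99, the 172.17.99.0/24 addresses and the port numbers are assumed, and lines beginning with ! are comments.

```cisco
S1# configure terminal
! Create the management VLAN; the SVI only comes up once the VLAN exists
! and at least one port in it is up
S1(config)# vlan 99
S1(config-vlan)# name Management
S1(config-vlan)# exit
! The management SVI: IP address and subnet mask (assumed values)
S1(config)# interface vlan 99
S1(config-if)# ip address 172.17.99.11 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit
! Default gateway, needed only when the switch is managed from another subnet;
! the switch still does not route packets with this setting
S1(config)# ip default-gateway 172.17.99.1
! Put the port that leads to the management station into VLAN 99
S1(config)# interface fastethernet 0/1
S1(config-if)# switchport mode access
S1(config-if)# switchport access vlan 99
S1(config-if)# end
! Verify the SVI state (status up / protocol up) and the assigned address
S1# show ip interface brief
! Save, or the settings are lost at the next reload
S1# copy running-config startup-config
```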

Preparing for Basic Switch Management

Configure Switch Ports

Duplex Communication

Configure Switch Ports

Configure Switch Ports at the Physical Layer

Configure Switch Ports

MDIX Auto Feature

Certain cable types (straight-through or crossover) were required when connecting devices
The automatic medium-dependent interface crossover (auto-MDIX) feature eliminates this problem
When auto-MDIX is enabled, the interface automatically detects and configures the connection appropriately
When using auto-MDIX on an interface, the interface speed and duplex must be set to auto
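An added example for the physical-layer and auto-MDIX slides above (not the original slides' command listing): one port is fixed to match a device that does not autonegotiate, the other is left on autonegotiation so auto-MDIX can work. The hostname S1 and the port numbers are assumed.

```cisco
S1# configure terminal
! Port toward a device with fixed settings: fix both ends identically,
! a duplex mismatch causes late collisions and CRC errors on the link
S1(config)# interface fastethernet 0/1
S1(config-if)# duplex full
S1(config-if)# speed 100
S1(config-if)# exit
! Port toward an ordinary host: auto-MDIX requires speed and duplex on auto
S1(config)# interface fastethernet 0/2
S1(config-if)# duplex auto
S1(config-if)# speed auto
S1(config-if)# mdix auto
S1(config-if)# end
! Verify negotiated speed/duplex and error counters on the fixed port
S1# show interfaces fastethernet 0/1
! Verify that auto-MDIX is on for the autonegotiating port
S1# show controllers ethernet-controller fastethernet 0/2 phy | include MDIX
```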

Configure Switch Ports

MDIX Auto Feature

Verifying Switch Port Configuration

Configure Switch Ports

Network Access Layer Issues

Configure Switch Ports

Network Access Layer Issues

Secure Remote Access

SSH Operation

Secure Shell (SSH) is a protocol that provides a secure (encrypted) command-line based connection to a remote device
SSH is commonly used in UNIX-based systems
Cisco IOS also supports SSH
A version of the IOS software including cryptographic (encrypted) features and capabilities is required in order to enable SSH on Catalyst 2960 switches
Because of its strong encryption features, SSH should replace Telnet for management connections
SSH uses TCP port 22 by default. Telnet uses TCP port 23

Secure Remote Access

SSH Operation

Secure Remote Access

Configuring SSH

Secure Remote Access

Verifying SSH
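An added Cisco IOS example for the "Configuring SSH" and "Verifying SSH" slides (not the original slides' command listing), replacing Telnet with SSH on the vty lines; the hostname S1, the domain name example.com, the user name admin and the password placeholder are assumed, and a crypto-capable IOS image is required as noted above.

```cisco
S1# configure terminal
! A hostname and a domain name are required before an RSA key pair can be generated
S1(config)# hostname S1
S1(config)# ip domain-name example.com
! Generate the RSA key pair the SSH server uses; 2048 bits is a sensible modern size
S1(config)# crypto key generate rsa general-keys modulus 2048
! Local user for login; "secret" stores a hashed password, unlike "password"
S1(config)# username admin privilege 15 secret <strong-password>
! Accept only SSH version 2 (version 1 has known weaknesses)
S1(config)# ip ssh version 2
! Limit negotiation time and login attempts per connection
S1(config)# ip ssh time-out 60
S1(config)# ip ssh authentication-retries 2
! vty lines: allow SSH only (no Telnet), authenticate against the local users,
! and drop idle sessions after 5 minutes
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exec-timeout 5 0
S1(config-line)# end
! Verify: SSH enabled, version 2, timeout and retry values
S1# show ip ssh
! Verify: currently connected SSH sessions
S1# show ssh
```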

Security Best Practices

10 Best Practices

Develop a written security policy for the organization
Shut down unused services and ports
Use strong passwords and change them often
Control physical access to devices
Use HTTPS instead of HTTP
Perform backup operations on a regular basis.
Educate employees about social engineering attacks
Encrypt and password-protect sensitive data
Implement firewalls.
Keep software up-to-date

Switch Port Security

Secure Unused Ports

Disabling unused ports is a simple yet efficient security guideline

Switch Port Security

DHCP Snooping

DHCP snooping specifies which switch ports can respond to DHCP requests
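An added Cisco IOS example for the two slides above, securing unused ports and enabling DHCP snooping (not the original slides' command listing); the hostname S1, VLANs 10 and 20, the port ranges and the uplink toward the DHCP server are assumed.

```cisco
S1# configure terminal
! Administratively shut down every port with no device attached
S1(config)# interface range fastethernet 0/10 - 24
S1(config-if-range)# shutdown
S1(config-if-range)# exit
! Enable DHCP snooping globally, then for the VLANs that carry clients
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10,20
! Only the uplink toward the legitimate DHCP server is trusted, i.e. allowed
! to send DHCP server messages (OFFER/ACK); every other port stays untrusted
S1(config)# interface gigabitethernet 0/1
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
! Access ports stay untrusted (the default); rate-limit their DHCP messages
! so a single misbehaving client cannot flood the server with requests
S1(config)# interface range fastethernet 0/1 - 9
S1(config-if-range)# ip dhcp snooping limit rate 6
S1(config-if-range)# end
! Verify: snooping status, the VLANs covered and which ports are trusted
S1# show ip dhcp snooping
! Verify: the MAC/IP bindings learned from completed DHCP exchanges
S1# show ip dhcp snooping binding
```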

Switch Port Security

Port Security: Operation

Port security limits the number of valid MAC addresses allowed on a port
The MAC addresses of legitimate devices are allowed access, while other MAC addresses are denied
Any additional attempts to connect by unknown MAC addresses will generate a security violation
Secure MAC addresses can be configured in a number of ways:
Static secure MAC addresses
Dynamic secure MAC addresses
Sticky secure MAC addresses

Switch Port Security

Port Security: Violation Modes

IOS considers a security violation when either of these situations occurs:
The maximum number of secure MAC addresses for that interface have been added to the CAM, and a station whose MAC address is not in the address table attempts to access the interface.
An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
There are three possible actions to be taken when a violation is detected:
Protect
Restrict
Shutdown

Switch Port Security

Port Security: Configuring

Dynamic Port Security Defaults

Switch Port Security

Port Security: Configuring

Configuring Dynamic Port Security

Switch Port Security

Port Security: Configuring

Configuring Port Security Sticky

Switch Port Security

Port Security: Verifying

Verifying Port Security Sticky

Switch Port Security

Port Security: Verifying

Verifying Port Security Sticky Running Config

Switch Port Security

Port Security: Verifying

Verifying Port Security Secure MAC Addresses
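An added Cisco IOS example covering the port security configuring and verifying slides above (not the original slides' command listing): sticky learning with a maximum of two addresses and the restrict violation mode, followed by the verification commands and recovery from an err-disabled port. The hostname S1 and port fastethernet 0/18 are assumed.

```cisco
S1# configure terminal
S1(config)# interface fastethernet 0/18
! Port security can only be enabled on a port with a fixed access (or trunk) mode
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
! Defaults once enabled: maximum 1 secure address, violation mode shutdown.
! Allow an IP phone plus the PC behind it, learned dynamically and kept
! as sticky entries in the running configuration
S1(config-if)# switchport port-security maximum 2
S1(config-if)# switchport port-security mac-address sticky
! restrict: frames from unknown MACs are dropped, the violation counter
! increments and a syslog/SNMP notification is sent; protect drops silently,
! shutdown (the default) err-disables the whole port
S1(config-if)# switchport port-security violation restrict
S1(config-if)# end
! Verify: port status, violation mode, maximum, addresses learned, violation count
S1# show port-security interface fastethernet 0/18
! Verify: every secure MAC address, its type (SecureSticky) and port
S1# show port-security address
! Verify: the sticky addresses written into the interface configuration
S1# show running-config interface fastethernet 0/18
! Sticky addresses survive a reload only if the running config is saved
S1# copy running-config startup-config
! If the mode were shutdown and a violation err-disabled the port, the port
! stays down until it is bounced manually after the cause has been removed
S1# configure terminal
S1(config)# interface fastethernet 0/18
S1(config-if)# shutdown
S1(config-if)# no shutdown
S1(config-if)# end
```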
