Overview
MAC refers to protocols that determine which computer on a shared-medium environment, or collision domain, is allowed to transmit data. MAC, together with LLC, comprises the IEEE version of OSI Layer 2. There are two broad categories of Media Access Control: deterministic (taking turns) and non-deterministic (first come, first served).
CSMA/CD
CSMA/CD used with Ethernet performs three functions:
1. Transmitting and receiving data packets
2. Decoding data packets and checking them for valid addresses before passing them to the upper layers of the OSI model
3. Detecting errors within data packets or on the network
listen-before-transmit
Transmitting & listening.
CSMA/CD
Backoff
After a collision occurs, all stations allow the cable to become idle (each waits the full inter-frame spacing). The stations that collided must wait an additional, and potentially progressively longer, period of time before attempting to retransmit the collided frame. The waiting period is intentionally designed to be random. If the MAC layer is unable to send the frame after 16 attempts, it gives up and generates an error to the network layer.
Học viện mạng Bách Khoa (Bach Khoa Network Academy) - Website: www.bkacad.com
Extra: Backoff
The stations involved in transmitting frames at the time of the collision must then reschedule their frames for retransmission. The transmitting stations do this by generating a period of time to wait before retransmission, which is based on a random number chosen by each station and used in that station's backoff calculations.
k = min(n, 10), where n is the number of transmission attempts
r is a random integer with 0 <= r < 2^k
backoff delay = r * slot time
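The truncated binary exponential backoff above, worked through in Python as an added example (not code from the slides or from any Cisco product). The slides give the formula and the 16-attempt limit; the slot time of 51.2 microseconds (512 bit times at 10 Mb/s) and the `seeded_rng` and `simulate_transmit` helpers are my own assumptions for making the runs reproducible.

```python
import random

# Assumption (not on the slides): slot time of 10 Mb/s Ethernet, 512 bit times.
SLOT_TIME_US = 51.2
MAX_ATTEMPTS = 16   # after 16 attempts the MAC gives up (from the slides)


def seeded_rng(seed: int) -> random.Random:
    """Deterministic generator so a run can be reproduced."""
    return random.Random(seed)


def gives_up(attempt: int) -> bool:
    """True once the 16-attempt limit is exceeded (excessive collisions)."""
    return attempt > MAX_ATTEMPTS


def backoff_slots(attempt: int, rng=random) -> int:
    """Number of slot times r to wait after the n-th failed attempt (1-based):
    k = min(n, 10) and r is a random integer with 0 <= r < 2**k."""
    if attempt < 1:
        raise ValueError("attempt must be >= 1")
    if gives_up(attempt):
        raise RuntimeError("excessive collisions: frame discarded, error to network layer")
    k = min(attempt, 10)
    return rng.randrange(2 ** k)


def backoff_delay_us(attempt: int, rng=random) -> float:
    """Backoff delay in microseconds = r * slot time."""
    return backoff_slots(attempt, rng) * SLOT_TIME_US


def max_delay_us(attempt: int) -> float:
    """Worst case (r = 2**k - 1); the growth stops once k reaches 10."""
    return (2 ** min(attempt, 10) - 1) * SLOT_TIME_US


def simulate_transmit(collision_probability: float, rng):
    """Push one frame through CSMA/CD retransmission. Each attempt collides with
    the given probability; returns (delivered, attempts_used, total_backoff_us)."""
    total_wait = 0.0
    for attempt in range(1, MAX_ATTEMPTS + 1):
        if rng.random() >= collision_probability:
            return True, attempt, total_wait
        if attempt == MAX_ATTEMPTS:
            break
        total_wait += backoff_delay_us(attempt, rng)
    return False, MAX_ATTEMPTS, total_wait


if __name__ == "__main__":
    for n in (1, 2, 3, 10, 11, 16):
        print(f"attempt {n:2d}: worst-case wait {max_delay_us(n):9.1f} us")
    delivered, used, waited = simulate_transmit(0.5, seeded_rng(42))
    print(f"delivered={delivered} after {used} attempts, waited {waited:.1f} us")
```

The `simulate_transmit` run with a collision probability of 1.0 is the case the slide describes: every attempt collides, so the frame is dropped after 16 tries rather than retried forever, which is what keeps a saturated segment from livelocking.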
Ethernet Communications
Remind
Naming on Ethernet
MAC ADDRESS
Ethernet uses MAC addresses that are 48 bits in length and expressed as 12 hexadecimal digits. They are sometimes referred to as burned-in addresses (BIA) because they are burned into read-only memory (ROM) and copied into random-access memory (RAM) when the NIC initializes.
OUI
Full-duplex
If the attached station is operating in full duplex, then the station may send and receive simultaneously and collisions should not occur. Full-duplex operation also changes the timing considerations and eliminates the concept of slot time. In half-duplex, if there is no collision, the sending station will transmit the 64-bit (timing synchronization) preamble, DA, SA, certain other header information, the actual data payload, and the FCS.
Note
Fast Ethernet and 10/100/1000 ports: the default is auto. 100BASE-FX ports: the default is full. 10/100/1000 ports operate in either half- or full-duplex mode when they are set to 10 or 100 Mb/s, but when set to 1,000 Mb/s they operate only in full-duplex mode. Default when autonegotiation fails: the Catalyst switch sets the corresponding switch port to half-duplex mode. This type of failure happens when an attached device does not support autonegotiation.
auto-MDIX
auto-MDIX is enabled
can use
Bandwidth is defined as the amount of information that can flow through a network connection in a given period of time. Throughput refers to actual measured bandwidth, at a specific time of day, using specific Internet routes, and while a specific set of data is transmitted on the network.
Collision Domains
Collision Domains
Broadcast Domains
When a switch receives a broadcast frame, it forwards the frame to each of its ports, except the incoming port where the switch received the broadcast frame. Each attached device recognizes the broadcast frame and processes it.
Network Latency
Network Congestion
LAN Segmentation
LAN Segmentation
LAN Segmentation
LAN Segmentation
Activity 2.1.3.2
analysis on converged networks where frame classification for traffic prioritization is necessary.
Most current switches are asymmetric switches because this type of switch offers the greatest flexibility.
Memory Buffering
Port-based Memory Buffering: A frame is transmitted to the outgoing port only when all the frames ahead of it in the queue have been successfully transmitted.
Shared Memory Buffering: The frames in the buffer are linked dynamically to the destination port. This allows the packet to be received on one port and then transmitted on another port without moving it to a different queue.
Step 1
Step 2
Step 3
config.text
show version
config.text
config.text
Change the size of NVRAM
Change the name of config.text
1. Assign an IP address:
   SW(config)# interface vlan 1
   SW(config-if)# ip address A.B.C.D subnetmask
   SW(config-if)# no shutdown
2. Set the VTY line password:
   SW(config)# line vty 0 4
   SW(config-line)# password cisco
   SW(config-line)# login
3. Set the privileged EXEC secret:
   SW(config)# enable secret class
4. Configure the default gateway:
   SW(config)# ip default-gateway A.B.C.D
username student privilege 15 password cisco
ip http server
ip http authentication local
show mac-address-table
The MAC address entry is automatically discarded or aged out after 300 seconds.
0x0100.0cdd.dddd is a multicast MAC address used by the Cisco Group Management Protocol (CGMP).
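An added Python example (not from the slides) that handles the MAC address material above: it accepts the Cisco dotted notation used in the slides as well as IEEE colon and dash notation, extracts the 24-bit OUI, and reads the I/G bit to show why 0100.0cdd.dddd is a group (multicast) address while a burned-in 0000.0c... address is unicast. The helper names are mine.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept Cisco dotted (0100.0cdd.dddd), colon (01:00:0c:dd:dd:dd) or dash
    notation, with or without a 0x prefix, and return the 12 hex digits in
    lowercase. Raises ValueError if the input is not a 48-bit address."""
    digits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if digits.startswith("0x"):
        digits = digits[2:]
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def is_valid_mac(mac: str) -> bool:
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


def to_cisco(mac: str) -> str:
    """Cisco show-command form: three groups of four hex digits."""
    d = normalize_mac(mac)
    return ".".join(d[i:i + 4] for i in range(0, 12, 4))


def to_ieee(mac: str) -> str:
    """Six colon-separated octets."""
    d = normalize_mac(mac)
    return ":".join(d[i:i + 2] for i in range(0, 12, 2))


def oui(mac: str) -> str:
    """The first 24 bits: the vendor's Organizationally Unique Identifier."""
    return to_ieee(mac)[:8]


def is_broadcast(mac: str) -> bool:
    return normalize_mac(mac) == "f" * 12


def is_multicast(mac: str) -> bool:
    """I/G bit is the least-significant bit of the first octet (0x01 -> group)."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


def is_locally_administered(mac: str) -> bool:
    """U/L bit is the next bit up (0x02): set means the address is not burned in."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def classify(mac: str) -> str:
    if is_broadcast(mac):
        return "broadcast"
    if is_multicast(mac):
        return "multicast"
    return "unicast"


if __name__ == "__main__":
    for sample in ("0x0100.0cdd.dddd", "0000.0c12.3456", "ff:ff:ff:ff:ff:ff", "02-00-00-00-00-01"):
        print(f"{to_cisco(sample)}  oui={oui(sample)}  {classify(sample)}"
              f"{'  locally-administered' if is_locally_administered(sample) else ''}")
```

A switch never learns a group address as a source on a port, so a frame arriving with a multicast or broadcast source is a sign of a misbehaving or spoofing host; `classify` is the check a MAC-table monitoring script would apply before trusting an entry.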
sw(config)#mac-address-table ?
  aging-time    Set MAC address table entry maximum age
  notification  Enable/Disable MAC Notification on the switch
  static        static keyword
sw(config)#mac-address-table aging-time ?
  <0-0>         Enter 0 to disable aging
  <10-1000000>  Aging time in seconds
Rather than wait for a dynamic entry to age out, the administrator has the option to use the privileged EXEC command:
sw(config)#mac-address-table static <mac-address of host> interface FastEthernet <Ethernet number> vlan <vlan-id>
Show Commands
Show running-config
Show interfaces
The following steps will ensure that a new configuration will completely overwrite any existing configuration:
1. Remove any existing VLAN information by deleting the VLAN database file vlan.dat from the flash directory
2. Erase the backup configuration file startup-config
3. Reload the switch
Before
utilization
Password Recovery
Step 1. Connect a terminal or PC with terminal-emulation software to the switch console port.
Step 2. Set the line speed on the emulation software to 9600 baud.
Step 3. Power off the switch. Reconnect the power cord to the switch and, within 15 seconds, press the Mode button while the System LED is still flashing green. Continue pressing the Mode button until the System LED turns briefly amber and then solid green. Then release the Mode button. Alternatively, enter the reload command and then press the Mode button until the System LED turns briefly amber and then solid green.
Step 4. Initialize the Flash file system using the flash_init command.
Password Recovery
Step 6. Display the contents of Flash memory using the dir flash: command.
contains the password definition, using the rename flash:config.text flash:config.text.old command.
Password Recovery
Step 9. You are prompted to start the setup program. Enter N at the prompt, and then, when the system prompts whether to continue with the configuration dialog, enter N.
Step 10. At the switch prompt, enter privileged EXEC mode using the enable command.
Step 11. Rename the configuration file to its original name using the rename flash:config.text.old flash:config.text command.
Step 12. Copy the configuration file into memory using the copy flash:config.text system:running-config command. After this command has been entered, the following is displayed on the console:
Source filename [config.text]?
Destination filename [running-config]?
Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can change the password.
Password Recovery
Step 13. Enter global configuration mode using the configure terminal command.
Step 14. Change the password using the enable secret password command.
Step 15. Return to privileged EXEC mode using the exit command.
Step 16. Write the running configuration to the startup configuration file using the copy running-config startup-config command.
Step 17. Reload the switch using the reload command.
Note: The password recovery procedure can be different depending on the Cisco switch series, so you should refer to the product documentation before you attempt a password recovery.
Login Banner
Create the local database:
  sw(config)# username student password student
Enable authentication for the console line:
  sw(config)# line console 0
  sw(config-line)# login local
  sw(config)# banner login "Authorized Personnel Only !"
  sw(config)# exit
Login Banner
Create the local database:
  sw(config)# username student password student
Enable authentication for the VTY lines:
  sw(config)# line vty 0 4
  sw(config-line)# login local
  sw(config)# banner login "Authorized Personnel Only !"
  sw(config)# exit
Configuring Telnet
Configuring SSH
Configuring SSH
The switch supports SSHv1 or SSHv2 for the server component. The switch supports only SSHv1 for the client component. To implement SSH, you need to generate RSA keys.
Step 1. Enter global configuration mode using the configure terminal command.
Step 2. Configure a hostname for your switch using the hostname hostname command.
Step 3. Configure a host domain for your switch using the ip domain-name domain_name command.
Step 4. Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair using the crypto key generate rsa command.
Step 5. Return to privileged EXEC mode using the end command.
Step 6. Show the status of the SSH server on the switch using the show ip ssh or show ssh command.
To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. After the RSA key pair is deleted, the SSH server is automatically disabled.
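The basic configuration, the local user database, the login banner, and the SSH steps above are all things an auditor wants to confirm afterwards. As an added example (not code from the slides or from Cisco), here is a small Python audit of an IOS-style running-config text that flags the gaps those slides address: a plaintext `enable password` instead of `enable secret`, weak or unhashed local user passwords, VTY lines that still accept Telnet or lack `login local`, the cleartext HTTP server, no `ip ssh version 2`, CDP left running, a missing login banner and DHCP snooping, and access ports without port security. The two sample configs are constructed for this example; the weak-password word list and the finding names are mine.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not from the slides): the lab setup taught above, with gaps.
WEAK_CONFIG = """\
hostname sw
enable password class
username student privilege 15 password cisco
ip http server
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode access
!
line console 0
 login local
line vty 0 4
 password cisco
 login
"""

# Constructed hardened counterpart (hash values are placeholders, not real hashes).
HARDENED_CONFIG = """\
hostname sw
enable secret 5 <hash-placeholder>
username student privilege 15 secret 5 <hash-placeholder>
no cdp run
ip ssh version 2
ip dhcp snooping
banner login ^CAuthorized Personnel Only !^C
interface FastEthernet0/1
 switchport mode access
 switchport port-security
line vty 0 4
 transport input ssh
 login local
"""

WEAK_PASSWORDS = {"cisco", "class", "student", "password", "admin"}  # constructed list


def parse_sections(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into top-level lines and the indented bodies of
    'interface ...' and 'line ...' blocks, keyed by their header line."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
            continue
        line = raw.strip()
        top.append(line)
        current = line if line.startswith(("interface ", "line ")) else None
        if current:
            sections[current] = []
    return top, sections


def audit(config_text: str) -> List[str]:
    """Return a list of finding identifiers; an empty list means no gap was found."""
    top, sections = parse_sections(config_text)
    found, tset = [], set(top)
    # Privileged EXEC: 'enable secret' stores a hash, 'enable password' does not.
    if not any(t.startswith("enable secret ") for t in top):
        found.append("no-enable-secret")
    if any(t.startswith("enable password ") for t in top):
        found.append("enable-password-plaintext")
    # Local users: 'password' keyword is unhashed; also check for guessable values.
    for t in top:
        m = re.match(r"username (\S+) .*?\b(password|secret) (?:\d )?(\S+)$", t)
        if m:
            user, kind, value = m.groups()
            if kind == "password":
                found.append(f"user-{user}-plaintext-password")
            if value.lower() in WEAK_PASSWORDS:
                found.append(f"user-{user}-weak-password")
    # Management plane: Telnet on VTY, HTTP, SSH version, CDP, banner, DHCP snooping.
    for name, body in sections.items():
        if name.startswith("line vty"):
            transports = [b for b in body if b.startswith("transport input")]
            if not transports or any("telnet" in b or "all" in b for b in transports):
                found.append(f"{name}: telnet-permitted")
            if "login local" not in body:
                found.append(f"{name}: no-login-local")
    if "ip http server" in tset:
        found.append("http-server-cleartext")
    if "ip ssh version 2" not in tset:
        found.append("sshv1-negotiable")
    if "no cdp run" not in tset:
        found.append("cdp-enabled-globally")
    if not any(t.startswith("banner login") for t in top):
        found.append("no-login-banner")
    if not any(t.startswith("ip dhcp snooping") for t in top):
        found.append("no-dhcp-snooping")
    # Access ports without port security.
    for name, body in sections.items():
        if name.startswith("interface ") and "switchport mode access" in body \
                and "switchport port-security" not in body:
            found.append(f"{name}: no-port-security")
    return found


if __name__ == "__main__":
    print("weak config:", *audit(WEAK_CONFIG), sep="\n  ")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

The `sshv1-negotiable` finding follows directly from the slide that comes next: without `ip ssh version 2` the server accepts whichever version the client offers, so a v1-only client gets SSHv1.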
If you do not enter this command or do not specify a keyword, the SSH server selects the latest SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2.
show ssh
Spoofing Attacks
Solution:
Cisco Catalyst DHCP Snooping Port Security Features (later in this module)
Step 2. Enable DHCP snooping for specific VLANs using the ip dhcp snooping vlan number [number] command.
CDP Attacks
Solution: Disable the use of CDP on devices that do not need to use it.
  (config)# no cdp run
  (config-if)# no cdp enable
Telnet Attacks
Passwords should be as long and as complicated as possible. Most security experts believe a password of 10 characters is the minimum that should be used if security is a real concern. Using only the lowercase letters of the alphabet, you have 26 characters. Adding the numeric values (0-9) gives another 10 characters. Adding the uppercase letters gives an additional 26 characters, for a total of 62 characters with which to construct a password. If you used a 4-character password, this would be 62 x 62 x 62 x 62, or approximately 14 million password possibilities. If you used 5 characters in your password, this would give you 62 to the fifth power, or approximately 92 million password possibilities. If you used a 10-character password, this would give you 64 to the tenth power (a very big number) possibilities. The 4-character password could probably be broken in a day, while the 10-character password would take a millennium to break given current processing power.
Cisco CatOS is susceptible to a TCP-ACK Denial of Service (DoS) attack on the Telnet, HTTP and SSH service. If exploited, the vulnerability causes the Cisco CatOS running device to stop functioning and reload.
Security tools
Violation types
interface f0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation {restrict | protect | shutdown}
show port-security interface f0/1
show port-security address
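To make the three violation modes concrete, here is an added Python model of the port-security behaviour configured above (my own illustration, not Cisco code): a port that secures at most two source MAC addresses, learns them sticky, and reacts to a third address according to the mode. The scenario MACs are constructed; the log text is mine and is not the IOS syslog format.

```python
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class SecurePort:
    name: str
    maximum: int = 2                 # switchport port-security maximum 2
    violation: str = "shutdown"      # restrict | protect | shutdown
    sticky: bool = True              # switchport port-security mac-address sticky
    secure_macs: Set[str] = field(default_factory=set)
    violation_count: int = 0
    err_disabled: bool = False
    log: List[str] = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Process one ingress frame by its source MAC; True if it is forwarded."""
        mac = src_mac.lower()
        if self.err_disabled:
            return False                       # shutdown mode left the port err-disabled
        if mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)          # learned as a secure address
            return True
        # Unknown source beyond the maximum: a security violation.
        if self.violation == "protect":
            return False                       # silently dropped, not counted, not logged
        self.violation_count += 1
        if self.violation == "restrict":
            self.log.append(f"{self.name}: violation by {mac}, frame dropped, port stays up")
            return False
        self.err_disabled = True               # shutdown: port goes err-disabled
        self.log.append(f"{self.name}: violation by {mac}, port err-disabled")
        return False

    def sticky_config_lines(self) -> List[str]:
        """What sticky learning writes into the running-config (none if not sticky)."""
        if not self.sticky:
            return []
        return [f" switchport port-security mac-address sticky {m}"
                for m in sorted(self.secure_macs)]

    def status(self) -> dict:
        """Roughly the fields of 'show port-security interface'."""
        return {"port": self.name, "status": "err-disabled" if self.err_disabled else "secure-up",
                "violation_mode": self.violation, "max": self.maximum,
                "secure_addresses": len(self.secure_macs), "violations": self.violation_count}


def run_scenario(violation: str):
    """Two legitimate hosts, then a third device, then the first host again."""
    port = SecurePort("FastEthernet0/1", maximum=2, violation=violation)
    frames = ["001a.2b3c.4d5e", "001a.2b3c.4d5f", "001a.2b3c.4d5e",
              "0000.0c12.3456", "001a.2b3c.4d5e"]       # constructed sample MACs
    results = [port.receive(m) for m in frames]
    return port, results


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        port, results = run_scenario(mode)
        print(mode, results, port.status(), port.log, sep="\n  ")
    print("\n".join(run_scenario("shutdown")[0].sticky_config_lines()))
```

The last frame in the scenario is the difference that matters operationally: in `protect` and `restrict` the legitimate host keeps working after the violation, while in `shutdown` (the IOS default) the whole port is down until an administrator re-enables it, so `restrict` is the mode that keeps both a record of the event and service for the secured hosts.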
Verify
Verify
Chapter summary