Chapter 2: Basic Switching Concepts and Configuration
Presentation_ID © 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Configuring Switch Ports
Duplex Communication
Configuring Switch Ports
Configuring Switch Ports at the Physical Layer
Configuring Switch Ports
Auto-MDIX Feature
Certain cable types (straight-through or crossover) were historically required when connecting devices.
The automatic medium-dependent interface crossover (auto-MDIX) feature eliminates this cabling dependency.
When auto-MDIX is enabled, the interface automatically detects the required cable type and configures the connection appropriately.
When using auto-MDIX on an interface, the interface speed and duplex must be set to auto.
Configuring Switch Ports
Verifying Switch Port Configuration
Configuring Switch Ports
Network Access Layer Issues
Configuring Switch Ports
Network Access Layer Issues (cont.)
Basic Switch Configuration
Preparing for Basic Switch Management
To remotely manage a Cisco switch, it must be configured to access the network.
Basic Switch Configuration
Preparing for Basic Switch Management (cont.)
Secure Remote Access
SSH Operation
Because of its strong encryption features, SSH should replace Telnet for management connections.
SSH uses TCP port 22 by default; Telnet uses TCP port 23.
Secure Remote Access
SSH Operation (cont.)
Secure Remote Access
Configuring SSH
Security Concerns in LANs
MAC Address Flooding
Switches automatically populate their CAM tables by watching traffic entering their ports.
Security Concerns in LANs
MAC Address Flooding (cont.)
Security Concerns in LANs
DHCP Spoofing
DHCP is a network protocol used to automatically assign IP information.
Security Best Practices
10 Best Practices
• Develop a written security policy for the organization.
• Shut down unused services and ports.
• Use strong passwords and change them often.
• Control physical access to devices.
• Use HTTPS instead of HTTP.
• Perform backup operations on a regular basis.
• Educate employees about social engineering attacks.
• Encrypt and password-protect sensitive data.
• Implement firewalls.
• Keep software up-to-date.
Switch Port Security
Secure Unused Ports
Disabling unused ports is a simple yet effective security guideline.
Switch Port Security
DHCP Snooping
DHCP snooping specifies which switch ports can respond to DHCP requests.
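An added Cisco IOS example (not from the slides) of the DHCP snooping configuration the sentence above describes: only the uplink toward the legitimate DHCP server is trusted, so server replies arriving on any access port are dropped. The switch name S1, VLAN 10 and the interface numbers are assumed.

```cisco
! Enable snooping globally and on the access VLAN (VLAN 10 is assumed)
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
! Only the uplink toward the real DHCP server may send DHCPOFFER/DHCPACK
S1(config)# interface GigabitEthernet0/1
S1(config-if)# description Uplink to DHCP server
S1(config-if)# ip dhcp snooping trust
S1(config-if)# exit
! Access ports stay untrusted (the default): server messages from them are dropped.
! Rate-limit client requests so one host cannot flood the DHCP pool or the switch CPU;
! exceeding the limit places the port in the error-disabled state.
S1(config)# interface range FastEthernet0/1 - 24
S1(config-if-range)# ip dhcp snooping limit rate 10
S1(config-if-range)# end
! Verify trust state, rate limits and the learned IP-to-MAC binding table
S1# show ip dhcp snooping
S1# show ip dhcp snooping binding
```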
Switch Port Security
Port Security: Operation
Port security limits the number of valid MAC addresses allowed on a port.
Switch Port Security
Port Security: Violation Modes
There are three possible actions to take when a violation is detected:
• Protect
• Restrict
• Shutdown
Switch Port Security
Dynamic Port Security Defaults
Switch Port Security
Configuring Dynamic Port Security
Switch Port Security
Configuring Port Security Sticky
Switch Port Security
Verifying Port Security Sticky
Switch Port Security
Verifying Port Security Sticky – Running Configuration
Switch Port Security
Ports in Error Disabled State
A port security violation can put a switch port in the error-disabled state.
A port in the error-disabled state is effectively shut down.
The switch communicates these events through console messages.
Switch Port Security
Ports in Error Disabled State (cont.)
The show interface command also reveals a switch port in the error-disabled state.
Switch Port Security
Ports in Error Disabled State (cont.)
A shutdown/no shutdown interface configuration mode command sequence must be issued to re-enable the port.
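An added Cisco IOS example (not from the slides) that ties the port security slides together: sticky learning with a two-address limit, the choice of violation mode, shutting down unused ports, the verification commands, and both automatic and manual recovery from the error-disabled state. The switch name S1 and the interface numbers are assumed.

```cisco
! Port security is accepted only on access ports (it is rejected on dynamic/trunk ports)
S1(config)# interface FastEthernet0/18
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
! Allow two MAC addresses (e.g. an IP phone plus a PC) instead of the default of one
S1(config-if)# switchport port-security maximum 2
! Learn addresses dynamically and keep them in the running configuration (sticky)
S1(config-if)# switchport port-security mac-address sticky
! Violation modes: protect (drop silently), restrict (drop, count, log), shutdown (default; err-disable)
S1(config-if)# switchport port-security violation restrict
S1(config-if)# exit
! Secure unused ports by shutting them down
S1(config)# interface range FastEthernet0/19 - 24
S1(config-if-range)# shutdown
S1(config-if-range)# exit
! Optional: let the switch re-enable ports err-disabled by a violation after 300 seconds
S1(config)# errdisable recovery cause psecure-violation
S1(config)# errdisable recovery interval 300
S1(config)# end
! Verify status, violation counters and the sticky addresses now in the configuration
S1# show port-security interface FastEthernet0/18
S1# show port-security address
S1# show running-config interface FastEthernet0/18
! Manual recovery after a violation on a port in shutdown mode: confirm err-disabled, then bounce it
S1# show interfaces FastEthernet0/18 status
S1# configure terminal
S1(config)# interface FastEthernet0/18
S1(config-if)# shutdown
S1(config-if)# no shutdown
S1(config-if)# end
```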
Switch Port Security
Network Time Protocol
The Network Time Protocol (NTP) is used to synchronize the clocks of computer systems on data networks.
Time sources can be:
• Local master clock
• Master clock on the Internet
• GPS or atomic clock
Switch Port Security
Configuring NTP
Switch Port Security
Verifying NTP
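An added Cisco IOS example (not from the slides) for the Network Time Protocol, Configuring NTP and Verifying NTP slides: the switch takes time from a local master clock, with an Internet server as a fallback, authenticates the preferred source, and timestamps its log messages so events such as port security violations can be correlated across devices. The switch name S1, the server addresses and the key are assumed placeholders.

```cisco
! Stamp syslog output with synchronized time so console and log events can be correlated
S1(config)# service timestamps log datetime msec localtime show-timezone
S1(config)# clock timezone UTC 0
! Authenticate the local master clock so a rogue NTP source cannot skew the switch clock
S1(config)# ntp authenticate
S1(config)# ntp authentication-key 1 md5 <NTP-KEY>
S1(config)# ntp trusted-key 1
! Time sources (addresses assumed): local master clock is preferred, Internet server is the fallback
S1(config)# ntp server 10.1.1.10 key 1 prefer
S1(config)# ntp server 203.0.113.10
S1(config)# end
! Verify: clock is synchronized, stratum is sane, and the selected peer is marked with *
S1# show ntp status
S1# show ntp associations
S1# show clock detail
```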