Switching techniques in networking and uses

lochanraj1 23 views 31 slides Aug 11, 2024
Slide Content

Class 1: Basic Switch Configuration Using Packet Tracer

What to Cover:
- Hostname: hostname sw1
- Line console password: line console 0, password 1234, login
- Line VTY password: line vty 0 15, password 1234, login
- Enable password: enable password 1234
- Banner message: banner motd #This is sw1 for HR#
- Logging synchronous: line console 0, logging synchronous
- Exec timeout: line console 0, exec-timeout 4 0
- Disable IP domain lookup: no ip domain lookup
- Domain name: ip domain-name cisco.com
- Username and password: username Admin password cisco
- Encrypt all passwords: service password-encryption
- Set current clock time and date: clock set 12:30:59 Feb 28 2023
- Set management IP: int vlan 1, no shutdown, ip add 10.10.10.10 255.255.255.0
- Configure default gateway: ip default-gateway 10.10.10.1
- Save the configuration: write / wr (privileged mode) or do write / do wr (config mode)
- Show saved and running configurations: show start / show run (privileged mode) or do show start / do show run (config mode)

Class 2: Basic Router Configuration Using Packet Tracer

What to Cover:
- Hostname: hostname R1
- Line console password: line console 0, password 1234, login
- Line VTY password: line vty 0 15, password 1234, login
- Enable password: enable password 1234
- Banner message: banner motd #This is R1 for HR#
- Logging synchronous: line console 0, logging synchronous
- Exec timeout: line console 0, exec-timeout 4 0
- Disable IP domain lookup: no ip domain lookup
- Domain name: ip domain-name cisco.com
- Username and password: username Admin password cisco
- Encrypt all passwords: service password-encryption
- Set current clock time and date: clock set 12:30:59 Feb 29 2023
- Protect against brute-force attacks: login block-for 180 attempts 3 within 60
- Save the configuration: write / wr (privileged mode) or do write / do wr (config mode)
- Show saved and running configurations: show start / show run (privileged mode) or do show start / do show run (config mode)

How to Connect a PC to a Switch Using a Console Cable | Other Switch Ports

What to Cover: Types of switch ports

Port           Cabling        Function                 Devices connecting
Console port   Console cable  To configure the switch  Computers
Giga port      CAT cable      To share data            Routers, switches, PCs
Ethernet port  CAT cable      To share data            Routers, switches, PCs

Connecting a PC to a Switch Using a Console Cable

Requirements:
- Hardware: PC, switch and console cable
- Software: PuTTY, Tera Term or SecureCRT

Class 3.0: How to Configure Trunk and Access Switchport Modes

What to Cover: Trunk and access switchport modes

A switch port can be in one of two modes: access and trunk.
- Access link: a port that can be assigned to a single VLAN. The frames that arrive on an access port are assumed to be part of the access VLAN.
- Trunk port: a port that is connected to another switch. This port type can carry traffic of multiple VLANs, thus allowing you to extend VLANs across your entire network.

S1(config)# interface fastethernet0/2
S1(config-if)# switchport mode trunk
S1(config)# interface fastethernet0/1
S1(config-if)# switchport mode access

Class 3.1: What is a VLAN and How to Configure VLANs on a Switch

What to Cover: What is a VLAN (Virtual Local Area Network)?
- It is a way of creating multiple broadcast domains in a switch. You then logically group devices into the same broadcast domain.
- Each VLAN acts as a subgroup of the switch ports in an Ethernet LAN.
- A VLAN acts like a physical LAN, but it allows hosts to be grouped together in the same broadcast domain even if they are not connected to the same switch.
- By default, all switch ports are in VLAN 1.
- By default, devices in different VLANs won't communicate.

Advantages of VLANs:
- Less costly.
- Improves security.
- Improves performance.
- Separate LAN for each network.

How to configure VLAN on a Switch

Class 3.2: VLAN Configuration Expanded

How to configure VLANs:
- Enable a trunk to allow multiple VLANs.
- Test communication with the ping command, e.g. ping 192.168.1.2

S1(config)# interface fastethernet0/2
S1(config-if)# switchport mode trunk

Class 4: VLAN Trunking Protocol (VTP) Configuration

What to Cover: What is VTP? According to the Cisco study website https://study-ccna.com/vtp-configuration/
- VTP makes it possible to make configuration changes on one or more switches and have those changes automatically advertised to all the other switches in the same VTP domain.
- It is Cisco proprietary.
- It automatically copies VLANs from one switch to another. This makes work easier, since you only need to configure VLANs on one switch and the configuration is automatically copied to the other switches.
- Some switches are configured as VTP servers and other switches are configured as VTP clients. A VLAN created on a VTP server switch is automatically advertised to all switches inside the same VTP domain.

VTP modes:
- VTP client mode: a VTP client switch can't change its VLAN configuration (it cannot create or delete VLANs), but it can process and forward VLAN information it receives.
- VTP server mode: a VTP server switch can create and delete VLANs. This is the default mode for Cisco switches.
- Transparent mode:

How to configure VTP on a Switch

Requirements:
1. A switch has to be configured as either a VTP server or a VTP client.
2. The VTP domain name has to be the same on both switches.
3. If present, the VTP domain password has to be the same.
4. VTP versions have to match.
5. The link between the switches has to be a trunk link.

Class 5: Trunk Allowed/Denied VLANs Configuration

What to Cover: This method allows or denies certain VLANs through the trunk interface, thus preventing some unnecessary traffic from being circulated across the network. By default, all VLANs are allowed through the trunk interface.

How to configure allowed/denied VLANs

Class 6: Configure Native VLAN

What to Cover: What is the native VLAN?
- By default, all switch ports are members of the default VLAN, VLAN 1.
- When frames traverse a trunk port, a VLAN tag is added to distinguish which frames belong to which VLAN.
- Access ports do not require a VLAN tag, since all incoming and outgoing frames belong to a single VLAN.
- The native VLAN is simply the one VLAN that traverses a trunk port without a VLAN tag. We configure a trunk port with a native VLAN, and whatever traffic arrives on that port without an existing VLAN tag gets associated with the native VLAN.

Class 7.0: Spanning Tree Protocol (STP)

What to Cover: What is STP? According to the Cisco study website https://study-ccna.com/what-is-stp/
- Spanning Tree Protocol (STP) is a network protocol designed to prevent layer 2 loops. It is standardized as IEEE 802.1D.
- STP blocks some ports on switches with redundant links to prevent broadcast storms and ensure a loop-free topology.
- With STP in place, you can have redundant links between switches in order to provide redundancy. STP prevents loops by placing one of the switch ports in blocking state; that port is enabled whenever the other link is down.
- In the topology on the slide, STP has placed one port on SW3 in the blocking state. That port will no longer process any frames except the STP messages. If SW3 receives a broadcast frame from SW1, it will not forward it out the port connected to SW2.

How STP Works

STP uses the Spanning Tree Algorithm (STA) to create a topology database of the network. To prevent loops, the STA places some interfaces in forwarding state and other interfaces in blocking state.

Conditions in STP:
1. All switches in a network elect a root switch. All working interfaces on the root switch are placed in forwarding state.
2. All other switches, called nonroot switches, determine the best path to get to the root switch. The port used to reach the root switch (root port) is placed in forwarding state.
3. On the shared Ethernet segments, the switch with the best path to reach the root switch is placed in forwarding state. That switch is called the designated switch and its port is known as the designated port.
4. All other interfaces are placed in blocking state and will not forward frames.

Let's say that SW1 is elected as the root switch. All ports on SW1 are placed into forwarding state. SW2 and SW3 choose the ports with the lowest cost to reach the root switch as their root ports. These ports are also placed in forwarding state. On the shared Ethernet segment between SW2 and SW3, port Fa0/1 on SW2 has the lowest cost to reach the root switch. This port is placed in forwarding state. To prevent loops, port Fa0/1 on SW3 is placed in blocking state.

BPDU (Bridge Protocol Data Unit)

BPDUs are messages used by switches to share STP information with each other in order to elect a root switch and detect loops. The most common messages are Hello BPDUs, which include the following information: root switch ID, sender's switch ID, sender's root cost, and the Hello, MaxAge and forward delay timers.

Electing the root switch in STP: the election is based on the bridge IDs (BIDs) sent in the BPDUs. Each switch that participates in STP has an 8-byte switch ID comprising the following fields:
- 2-byte priority field: by default, all switches have the priority of 32768. This value can be changed using configuration commands.
- 6-byte system ID: a value based on the MAC address of each switch.

The switch with the lowest BID becomes the root switch, with a lower number meaning better priority. Since by default all switches have the BID priority of 32768, a second comparison has to be made: the lowest MAC address. In our example SW1 has the lowest MAC address and becomes the root switch.

Selecting the STP Root Port

Remember that all working interfaces on the root switch are placed in forwarding state. All other switches (called nonroot switches) determine the best path to get to the root switch, and the port used to reach the root switch is placed in forwarding state. The best path is the one with the lowest cost to reach the root switch. The cost is calculated by adding the individual port costs along the path from the switch to the root.

Consider SW3's perspective when choosing its root port. Two paths are available to reach the root switch: one direct path over Fa0/1, and the other going out Fa0/2 and through SW2. The direct path has a cost of 19, while the indirect path has a cost of 38 (19+19). That is why Fa0/1 becomes the root port on SW3.

In case the best root cost ties for two or more paths, the following tiebreakers are applied in order:
1. the lowest neighbor bridge ID
2. the lowest neighbor port priority
3. the lowest neighbor internal port number

Selecting the STP Designated Port (DP)

On the shared Ethernet segments, the switch with the best path to reach the root switch is placed in forwarding state. That switch is called the designated switch and its port is known as the designated port. In order to avoid loops, the non-designated port on the other end of the link is placed in blocking state. The designated switch is determined based on the following criteria:
- The switch with the lowest cost to reach the root becomes the designated switch on that link.
- In case of a tie, the switch with the lowest BID becomes the designated switch.

SW1 has the lowest BID and has been selected as the root switch. SW2 and SW3 have then determined their own root port to reach the root switch. On the shared network segment between SW2 and SW3 a designated port needs to be selected. Because SW3 has the lower cost to reach the root switch (4<19), its Fa0/2 port will be the designated port for the segment. The Fa0/2 port on SW2 will be placed in blocking state.
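The election and port-role rules described in the BPDU, root-port and designated-port slides above, as an added Python example that is not part of the deck: root election by lowest bridge ID (priority, then MAC), root ports by lowest root path cost with the neighbor-BID and neighbor-port tiebreakers, one designated port per segment, and blocking for everything else. The three-switch topology, MAC addresses and the Fast Ethernet port cost of 19 are constructed for the example; the port left blocking is the one RSTP would call the alternate port.

```python
"""Toy STP role computation over a constructed three-switch topology."""
from collections import defaultdict
import heapq

# Bridge ID = (priority, MAC). Tuples compare priority first, then MAC,
# which is exactly the BID comparison the BPDU election uses.
BRIDGES = {
    "SW1": (32768, "00:00:00:00:00:01"),
    "SW2": (32768, "00:00:00:00:00:02"),
    "SW3": (32768, "00:00:00:00:00:03"),
}

# Each entry is one shared segment: (switch, port, switch, port, port cost).
# 100 Mbit/s Fast Ethernet carries the classic 802.1D cost of 19.
LINKS = [
    ("SW1", "Fa0/1", "SW2", "Fa0/1", 19),
    ("SW1", "Fa0/2", "SW3", "Fa0/1", 19),
    ("SW2", "Fa0/2", "SW3", "Fa0/2", 19),
]


def elect_root(bridges):
    """The lowest bridge ID (priority, then MAC) becomes the root switch."""
    return min(bridges, key=lambda name: bridges[name])


def root_costs(root, links):
    """Dijkstra over port costs: cheapest root path cost from every switch."""
    adj = defaultdict(list)
    for a, _, b, _, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    best, heap = {root: 0}, [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best.get(node, float("inf")):
            continue
        for nxt, c in adj[node]:
            if cost + c < best.get(nxt, float("inf")):
                best[nxt] = cost + c
                heapq.heappush(heap, (cost + c, nxt))
    return best


def port_roles(bridges, links):
    """Return (root, costs, {(switch, port): role}) with role root/designated/blocking."""
    root = elect_root(bridges)
    costs = root_costs(root, links)
    roles = {}
    # Root port: on each non-root switch, the port whose neighbor offers the
    # lowest root path cost; ties go to the lowest neighbor BID, then neighbor port.
    for sw in bridges:
        if sw == root:
            continue
        candidates = []
        for a, pa, b, pb, cost in links:
            if a == sw:
                candidates.append((costs[b] + cost, bridges[b], pb, pa))
            elif b == sw:
                candidates.append((costs[a] + cost, bridges[a], pa, pb))
        _, _, _, my_port = min(candidates)
        roles[(sw, my_port)] = "root"
    # Designated port: per segment, the end with the lower root path cost,
    # lower BID on a tie. The root's own ports are always designated.
    for a, pa, b, pb, _ in links:
        a_side, b_side = (costs[a], bridges[a]), (costs[b], bridges[b])
        dp = (a, pa) if a_side < b_side else (b, pb)
        roles.setdefault(dp, "designated")
    # Every remaining port is blocking (RSTP: the alternate/discarding role).
    for a, pa, b, pb, _ in links:
        roles.setdefault((a, pa), "blocking")
        roles.setdefault((b, pb), "blocking")
    return root, costs, roles


if __name__ == "__main__":
    root, costs, roles = port_roles(BRIDGES, LINKS)
    print("root:", root, "root path costs:", costs)
    for (sw, port), role in sorted(roles.items()):
        print(f"{sw} {port}: {role}")
```

Lowering one switch's priority (for example to 4096) moves the root election to that switch without touching the costs, which is the same lever a rogue BPDU would pull and the reason the Root Guard slide later pins the root to the intended switch.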

Class 7.1: Rapid Spanning Tree Protocol (RSTP)

What to Cover: What is RSTP? According to the Cisco study website https://study-ccna.com/what-is-stp/
- RSTP (Rapid Spanning Tree Protocol) was introduced to replace STP. It has the IEEE standard 802.1Q.

Differences between STP and RSTP:
- RSTP enables faster convergence times than STP (usually within just a couple of seconds).
- The STP port states listening, blocking and disabled are merged into a single state in RSTP: the discarding state.
- STP features two port types: root and designated port. RSTP adds two additional port types: alternate and backup port.
- With STP, the root switch generates and sends Hellos to all other switches, which are then relayed by the non-root switches. With RSTP, each switch can generate its own Hellos.

In order to avoid loops, RSTP has placed one port on SW3 in the alternate state. This port will not process or forward any frames except the RSTP messages. However, if the root port on SW3 fails, the alternate port will rapidly become the root port and start forwarding frames.

How RSTP Works

Just like STP, RSTP creates a topology database of the network. To prevent loops, some interfaces on switches are placed in forwarding state and other interfaces in discarding state. How does RSTP decide in which state a port will be placed? A couple of criteria exist:
1. All switches in a network elect a root switch. All working interfaces on the root switch are placed in forwarding state.
2. All other switches, called nonroot switches, determine the best path to get to the root switch. The port used to reach the root switch (root port) is placed in forwarding state.
3. On the shared Ethernet segments, the switch with the best path to reach the root switch is placed in forwarding state. That switch is called the designated switch and its port is known as the designated port.
4. All other interfaces are placed in discarding state and will not forward frames.

Let's say that SW1 is elected as the root switch. All ports on SW1 are placed in forwarding state. SW2 and SW3 choose the ports with the lowest cost to reach the root switch as their root ports. These ports are also placed in forwarding state. On the shared Ethernet segment between SW2 and SW3, port Fa0/1 on SW2 has the lowest cost to reach the root switch. This port is placed in forwarding state. To prevent loops, port Fa0/1 on SW3 is placed in discarding state. If the root port on SW3 fails, this alternate port will quickly take over and become the root port.

RSTP Ports and Status

Port roles:
- Root: lowest cost path to forward packets to the root bridge.
- Designated: the interface through which the bridge is connected to the LAN, which provides the lowest cost path from the LAN to the root bridge.
- Alternate: provides an alternate path to the root bridge from the root port.
- Backup: provides a backup path to the designated port path toward the spanning tree leaves. This provides a configuration in which two ports are connected in a loop by a point-to-point link. Backup ports are also used when a LAN has two or more established connections to a shared segment.
- Disabled: the port is not participating in spanning tree.

Port status:
- Disabled: STP is currently disabled on the port.
- Blocking: the port is currently blocked, and it cannot forward traffic or learn MAC addresses.
- Listening: the port is in listening mode. The port cannot forward traffic and cannot learn MAC addresses.
- Learning: the port is in learning mode. The port cannot forward traffic; however, it can learn new MAC addresses.
- Forwarding: the port is in forwarding mode. The port can forward traffic and learn new MAC addresses.

How to configure

Class 7.3: How to Configure EtherChannel or Link Aggregation

What to Cover: What is EtherChannel? According to the GeeksForGeeks website https://www.geeksforgeeks.org/etherchannel-in-computer-network/
- It allows multiple physical Fast Ethernet links to combine into one logical channel.
- A maximum of 8 links can be aggregated to form a single logical link.
- This allows load sharing of traffic among the links in the channel, as well as redundancy in the event that one or more links in the channel fail.
- No wastage of bandwidth, no loops, and there is redundancy.

Criteria: to form an EtherChannel, all ports should have:
- the same duplex
- the same speed
- the same VLAN configuration (i.e., native VLAN and allowed VLANs should be the same)
- the same switch port mode (access or trunk)

EtherChannel Protocols: PAgP and LACP

1. Port Aggregation Protocol (PAgP)
Port Aggregation Protocol is a Cisco proprietary protocol used to form an EtherChannel. There are different modes in which you can configure your interface, namely:
- On: in this mode, the interface will be a part of the EtherChannel but no negotiation takes place.
- Desirable: in this mode, the interface will continuously attempt to convert the other side's interface into an EtherChannel.
- Auto: in this mode, the interface will become a part of the EtherChannel if and only if it is requested by the opposite interface.
- Off: no EtherChannel configured on the interface.

How to configure PAgP

2. Link Aggregation Control Protocol (LACP)
Link Aggregation Control Protocol is an IEEE protocol, originally defined in 802.3ad, used to form an EtherChannel. This protocol is very similar to Cisco PAgP. There are different modes in which you can configure your interface, namely:
- On: in this mode, the interface will be a part of the EtherChannel but no negotiation takes place.
- Active: in this mode, the interface will continuously attempt to convert the other side's interface into an EtherChannel.
- Passive: in this mode, the interface will become a part of the EtherChannel if and only if it is requested by the opposite interface.
- Off: no EtherChannel configured on the interface.

How to configure LACP

3. Manual EtherChannel Configuration Using ON Mode
When using EtherChannel mode "on", the EtherChannel will be created only when the interface group on the other side is also in EtherChannel "on" mode. The interface will be part of the EtherChannel in this mode without any negotiation protocol (LACP or PAgP). The modes in which you can configure your interface are:
- On: in this mode, the interface will be a part of the EtherChannel but no negotiation takes place.
- Off: no EtherChannel configured on the interface.

How to configure a manual EtherChannel

Class 8: STP Attacks Prevention | STP PortFast, BPDU Guard, Root Guard Configuration

What to Cover:

STP PortFast: PortFast enables the switch to transition a port from blocking state to forwarding state immediately, bypassing the listening and learning states. However, PortFast is recommended only on non-trunking access ports, such as edge ports, because these ports typically do not send or receive BPDUs.

BPDU Guard: because PortFast can be enabled on non-trunking ports connecting two switches, spanning-tree loops can occur, since Bridge Protocol Data Units (BPDUs) are still being transmitted and received on those ports. Therefore PortFast BPDU Guard prevents the loop from happening by moving non-trunking switch ports into an errdisable state when a BPDU is received on that port.

Root Guard: root guard is an STP feature that is enabled on a port-by-port basis; it prevents a configured port from becoming a root port. Root guard prevents a downstream switch (often misconfigured or rogue) from becoming the root bridge in a topology. Root guard functions by placing a port in an ErrDisabled state if a superior BPDU is received on a configured port. This prevents the configured DP with root guard from becoming an RP.

STP PortFast, BPDU Guard, Root Guard Configuration

PortFast and BPDU Guard

Root Guard
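The per-port decisions the Class 8 slides describe, as an added Python example that is not part of the deck: a PortFast port with BPDU Guard is err-disabled the moment any BPDU arrives, and a Root Guard port refuses a superior BPDU (one advertising a better root than the current root) without giving up its designated role. The Port and BPDU types, the port names and the bridge IDs are constructed; the example assumes the simplified rule that "superior" means a lower root BID than the current root, and it models the root-guard state as recovering on its own once superior BPDUs stop, while the BPDU Guard err-disable stays until recovery is configured or the port is bounced.

```python
"""Port-level STP protection decisions for an incoming BPDU (constructed model)."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpduguard: bool = False
    rootguard: bool = False
    state: str = "forwarding"
    log: list = field(default_factory=list)


@dataclass(frozen=True)
class BPDU:
    root_bid: tuple     # (priority, MAC) the sender claims is the root
    sender_bid: tuple   # (priority, MAC) of the sending switch


def bpdu_is_superior(bpdu, current_root_bid):
    """A lower bridge ID (priority first, then MAC) is a better root claim."""
    return bpdu.root_bid < current_root_bid


def receive_bpdu(port, bpdu, current_root_bid):
    """Return the action taken for one BPDU and update the port state."""
    if port.portfast and port.bpduguard:
        # BPDU Guard: an edge port must never see a BPDU; err-disable it.
        port.state = "err-disabled"
        port.log.append(f"{port.name}: BPDU received on PortFast port, err-disabled")
        return "err-disable"
    if port.rootguard and bpdu_is_superior(bpdu, current_root_bid):
        # Root Guard: keep the port designated, never let it become a root port.
        port.state = "root-inconsistent"
        port.log.append(f"{port.name}: superior BPDU blocked by root guard")
        return "root-inconsistent"
    # Any other BPDU goes to the normal STP state machine.
    return "process"


def recover(port, bpdu, current_root_bid):
    """Root Guard clears itself once the port sees a non-superior BPDU again;
    a BPDU Guard err-disable is left alone (errdisable recovery or shut/no shut)."""
    if port.state == "root-inconsistent" and not bpdu_is_superior(bpdu, current_root_bid):
        port.state = "forwarding"
    return port.state


# Constructed: SW1 with default priority is the legitimate root.
CURRENT_ROOT = (32768, "00:00:00:00:00:01")

if __name__ == "__main__":
    edge = Port("Fa0/5", portfast=True, bpduguard=True)
    uplink = Port("Gi0/1", rootguard=True)
    rogue = BPDU(root_bid=(0, "00:00:00:00:00:aa"), sender_bid=(0, "00:00:00:00:00:aa"))
    print(receive_bpdu(edge, rogue, CURRENT_ROOT), edge.state)
    print(receive_bpdu(uplink, rogue, CURRENT_ROOT), uplink.state)
```

The two guards answer different questions: BPDU Guard asks "should this port ever speak STP?" (no, for an edge port), while Root Guard asks "may this port ever lead to the root?" (no, for a port facing a downstream switch), which is why the deck pairs the former with PortFast and puts the latter on designated ports only.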

Class 9: VLAN Hopping Attacks Prevention | Switchport Nonegotiate, Disable CDP on Switches

What to Cover: VLAN hopping attacks. Virtual local area network hopping (VLAN hopping) is a method of attacking the network resources of a VLAN by sending packets to a port not usually accessible from an end system. The main goal of this form of attack is to gain access to other VLANs on the same network. It occurs through:
1. Double tagging: attacks occur when threat actors add and modify tags on the Ethernet frame. This approach enables the sending of packets through any VLAN as the native untagged VLAN on the trunk and takes advantage of several switches that process tags.
2. Switch spoofing: occurs when the attacker sends Cisco's Dynamic Trunking Protocol (DTP) packets to negotiate a trunk with a switch. It is possible only when using the dynamic auto or dynamic desirable default switch port modes. Once there is a trunk connected to the computer, the attacker gains access to all VLANs. This is a misconfiguration, as interfaces should not be configured to use the dynamic switch port modes.

Preventing double tagging includes three steps:
1. Hosts should not be put on the default Ethernet VLAN, VLAN 1.
2. The native VLAN on every trunk port must be an unused VLAN ID.
3. Explicit tagging of the native VLAN should be enabled for all trunk ports.
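A configuration audit that checks both the Class 2 hardening list (service password-encryption, no ip domain lookup, login block-for, login and exec-timeout on every line) and the Class 9 / Class 6 VLAN-hopping mitigations (no dynamic DTP modes, switchport nonegotiate on trunks, native VLAN neither 1 nor a VLAN that carries hosts, native VLAN tagged, CDP disabled). This is an added Python example, not material from the deck; the two running-config texts are constructed, and the parse_sections and audit function names are the example's own. The commands checked are the ones the slides name plus `vlan dot1q tag native` and `no cdp run`, which are the IOS commands for steps 3 and the "disable CDP" item of the Class 9 title.

```python
"""Audit a Cisco IOS running-config text for the hardening items in the slides."""
import re


def parse_sections(config):
    """Split an IOS config into top-level commands and their indented children."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            sections[current] = []
            top.append(current)
    return top, sections


def audit(config):
    """Return the list of findings; an empty list means every check passed."""
    top, sections = parse_sections(config)
    findings = []
    # Management plane (Class 2): encrypted passwords, no DNS lookup on typos,
    # CDP off, brute-force throttling, login + idle timeout on every line.
    for cmd in ("service password-encryption", "no ip domain lookup", "no cdp run"):
        if cmd not in top:
            findings.append(f"missing global command: {cmd}")
    if not any(c.startswith("login block-for") for c in top):
        findings.append("no login block-for: brute-force throttling absent")
    for header, body in sections.items():
        if header.startswith("line "):
            if not any(c in ("login", "login local") for c in body):
                findings.append(f"{header}: no login")
            if not any(c.startswith("exec-timeout") for c in body):
                findings.append(f"{header}: no exec-timeout")
    # VLAN hopping (Class 9): no DTP negotiation, native VLAN unused and tagged.
    access_vlans, trunk_native = set(), {}
    for header, body in sections.items():
        if not header.startswith("interface "):
            continue
        text = "\n".join(body)
        mode = next((c for c in body if c.startswith("switchport mode ")), "")
        if not mode or "dynamic" in mode:
            # Ports default to a dynamic DTP mode, so an unset mode counts too.
            findings.append(f"{header}: dynamic or default DTP mode (switch spoofing risk)")
        elif mode == "switchport mode access":
            m = re.search(r"switchport access vlan (\d+)", text)
            access_vlans.add(int(m.group(1)) if m else 1)   # no vlan line means VLAN 1
        elif mode == "switchport mode trunk":
            m = re.search(r"switchport trunk native vlan (\d+)", text)
            trunk_native[header] = int(m.group(1)) if m else 1
            if "switchport nonegotiate" not in body:
                findings.append(f"{header}: trunk without switchport nonegotiate")
    for header, native in trunk_native.items():
        if native == 1 or native in access_vlans:
            findings.append(f"{header}: native VLAN {native} is VLAN 1 or carries hosts")
    if trunk_native and "vlan dot1q tag native" not in top:
        findings.append("native VLAN sent untagged: no 'vlan dot1q tag native'")
    if 1 in access_vlans:
        findings.append("hosts on VLAN 1 (default VLAN)")
    return findings


# Constructed sample: the defaults the slides warn about.
WEAK_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
interface FastEthernet0/2
 switchport mode trunk
interface FastEthernet0/3
 switchport mode dynamic desirable
line console 0
 password 1234
 login
line vty 0 15
 password 1234
 login
"""

# Constructed sample: the same switch with the slides' mitigations applied.
HARDENED_CONFIG = """\
service password-encryption
no ip domain lookup
no cdp run
login block-for 180 attempts 3 within 60
vlan dot1q tag native
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
interface FastEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
line console 0
 exec-timeout 4 0
 password 1234
 login
line vty 0 15
 exec-timeout 4 0
 password 1234
 login
"""
```

Running audit(WEAK_CONFIG) returns one finding per missing item; audit(HARDENED_CONFIG) returns an empty list. Feeding it the output of show running-config from a lab switch is the quickest way to see which of the deck's items were skipped.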

Class 10: DHCP Snooping Configuration

What to Cover: DHCP snooping is a security technology on a Layer 2 network switch that can prevent unauthorized DHCP servers from accessing your network. It is a protection from untrusted hosts that want to become DHCP servers, and thereby a protection from man-in-the-middle attacks. DHCP itself operates at Layer 3 of the OSI model, while DHCP snooping operates on Layer 2 devices to filter the traffic that is coming from DHCP clients. To protect the hosts within the organization's network from establishing a connection with unauthorized rogue DHCP servers, we configure DHCP snooping on the Layer 2 switch where the untrusted hosts are connected.

DHCP snooping trusted and untrusted ports: in Cisco switches, DHCP snooping is enabled manually. Trusted ports are configured manually, and the remaining unconfigured ports are considered untrusted ports. Most devices connected to trusted ports are routers, switches and servers. DHCP clients like PCs and laptops are commonly connected to untrusted ports.

Class 11: Dynamic ARP Inspection (DAI) + IP Source Guard Configuration

What to Cover:

Dynamic ARP inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. The feature prevents a class of man-in-the-middle attacks in which a hostile station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors: the miscreant sends ARP requests or responses mapping another station's IP address to its own MAC address. DAI relies on DHCP snooping. DHCP snooping listens to DHCP message exchanges and builds a binding database of valid tuples (MAC address, IP address, VLAN interface). When DAI is enabled, the switch drops an ARP packet if the sender MAC address and sender IP address do not match an entry in the DHCP snooping binding database. Hosts that have no DHCP binding can be covered through static mappings. Static mappings are useful when hosts configure static IP addresses, DHCP snooping cannot be run, or other switches in the network do not run dynamic ARP inspection. A static mapping associates an IP address with a MAC address on a VLAN.

IP Source Guard prevents IP and/or MAC address spoofing attacks on untrusted layer two interfaces. When IP Source Guard is enabled, all traffic is blocked except for DHCP packets. Once the host gets an IP address through DHCP, only the DHCP-assigned source IP address is permitted. You can also configure a static binding instead of using DHCP. Source Guard is not a standalone tool: it relies on the information in the DHCP snooping database to do its work. You can only use it on layer two (access and trunk) interfaces, and it only works inbound.
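The three features of the Class 10 and Class 11 slides share one data structure, so this added Python example (not the deck's code) models them together: DHCP snooping accepts server messages only from trusted ports and records client bindings; DAI drops ARP packets on untrusted ports whose sender MAC/IP is not a binding; IP Source Guard lets only DHCP through on an untrusted port until a binding exists and then only the bound source IP from the bound port. The Switch and Binding classes, port names, MAC and IP addresses are constructed; static mappings are modelled by add_static_binding.

```python
"""DHCP snooping binding table with DAI and IP Source Guard checks (constructed model)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class Switch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks / ports toward real DHCP servers
        self.bindings = {}                  # (mac, vlan) -> Binding
        self.dropped = []                   # audit trail of what was filtered

    # --- DHCP snooping -------------------------------------------------
    def dhcp_server_message(self, port):
        """OFFER/ACK are only honoured from trusted ports; a rogue server on an
        access port is dropped and logged."""
        if port not in self.trusted:
            self.dropped.append(("dhcp-server-untrusted", port))
            return False
        return True

    def dhcp_ack(self, client_port, client_mac, ip, vlan, server_port):
        """A snooped ACK from a trusted port creates (or refreshes) a binding."""
        if not self.dhcp_server_message(server_port):
            return None
        binding = Binding(client_mac, ip, vlan, client_port)
        self.bindings[(client_mac, vlan)] = binding
        return binding

    def add_static_binding(self, mac, ip, vlan, port):
        """Static mapping for hosts with fixed addresses (nothing to snoop)."""
        self.bindings[(mac, vlan)] = Binding(mac, ip, vlan, port)

    # --- Dynamic ARP Inspection ----------------------------------------
    def arp_packet(self, port, vlan, sender_mac, sender_ip):
        """Trusted ports bypass DAI; on untrusted ports sender MAC/IP must match."""
        if port in self.trusted:
            return "forward"
        binding = self.bindings.get((sender_mac, vlan))
        if binding is None or binding.ip != sender_ip:
            self.dropped.append(("dai", port, sender_mac, sender_ip))
            return "drop"
        return "forward"

    # --- IP Source Guard -----------------------------------------------
    def ip_packet(self, port, vlan, src_mac, src_ip, is_dhcp=False):
        """Untrusted ports pass DHCP only until bound, then only the bound
        source IP from the bound port; anything else is a spoof and is dropped."""
        if port in self.trusted or is_dhcp:
            return "forward"
        binding = self.bindings.get((src_mac, vlan))
        if binding is None or binding.ip != src_ip or binding.port != port:
            self.dropped.append(("ipsg", port, src_mac, src_ip))
            return "drop"
        return "forward"


if __name__ == "__main__":
    sw = Switch(trusted_ports={"Gi0/1"})
    sw.dhcp_ack("Fa0/1", "aa:aa:aa:aa:aa:01", "10.0.0.11", 10, server_port="Gi0/1")
    print(sw.arp_packet("Fa0/2", 10, "aa:aa:aa:aa:aa:02", "10.0.0.11"))  # neighbor's IP
    print(sw.dropped)
```

The order of checks mirrors the deployment order in the slides: snooping must be on first (otherwise the table is empty and both DAI and Source Guard drop everything on untrusted ports), and the trusted-port list is the single place where a mistake turns a protection into an outage.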

Class 19: How to Configure Port Security in Switches | Port-Security Violation Modes

What to Cover: What is port security? By default, all interfaces in a Cisco switch are turned on. Hence an attacker can connect to the network using these interfaces and may compromise the entire network. To prevent this, we implement port security to prevent an unauthorized user from using these ports. It works in two ways:
- Limiting the number of MAC addresses on a single switch port, i.e. if more MAC addresses than the limit are learned from a single port, then appropriate action will be taken.
- If unauthorized access is observed, the traffic should be discarded using any of the options or, more appropriately, the user should generate a log message so that unauthorized access can be easily observed.

Switches learn MAC addresses when a frame is forwarded through a switch port. By using port security, a user can limit the number of MAC addresses that can be learned on a port in the following two ways:
- Set static MAC addresses and set penalties for that port if it is used by an unauthorized user. The user can use the restrict, shutdown or protect port-security violation modes.
- Sticky: by using the sticky command, the user provides static MAC address security without typing the absolute MAC address. For example, if the user provides a maximum limit of 2, then the first 2 MAC addresses learned on that port will be placed in the running configuration. After the 2nd learned MAC address, if a 3rd user wants to access the port, the appropriate action will be taken according to the violation mode applied.

Port-Security Violation Modes

A violation occurs when:
- The maximum number of secure MAC addresses has been added to a switch port's address table and traffic from another MAC address is received on the switch port.
- An address that has been seen on a secure switch port has already been seen on another secure switch port in the same VLAN.

How to configure port security
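The behaviour of the two Class 19 slides, as an added Python example that is not part of the deck: a single port with a maximum secure-address count, optional sticky learning (learned addresses land in the running configuration), both violation triggers (table full and unknown MAC; MAC already secured on another port in the VLAN), and the three violation modes, where protect drops silently, restrict drops and counts, and shutdown err-disables the port. The PortSecurity class and the MAC addresses are constructed; the set of addresses secured elsewhere in the VLAN is passed in as other_secure_macs rather than looked up from a switch-wide table.

```python
"""Port-security state machine for one switch port (constructed model, not IOS code)."""


class PortSecurity:
    def __init__(self, maximum=1, violation="shutdown", sticky=False,
                 static=(), other_secure_macs=frozenset()):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation mode must be protect, restrict or shutdown")
        self.maximum = maximum
        self.violation = violation
        self.sticky = sticky
        self.secure = list(static)             # statically configured secure MACs
        self.running_config = list(static)     # what 'show running-config' would carry
        self.other_secure_macs = set(other_secure_macs)  # secured on other ports, same VLAN
        self.violations = 0                    # counter as shown by 'show port-security'
        self.err_disabled = False

    def _violate(self):
        """Apply the configured violation mode and return the action taken."""
        if self.violation == "protect":
            return "drop"                      # silently dropped: no log, no counter
        self.violations += 1                   # restrict and shutdown both count and log
        if self.violation == "restrict":
            return "drop"
        self.err_disabled = True               # shutdown: port goes err-disabled
        return "err-disable"

    def frame(self, src_mac):
        """Process one ingress frame; return 'forward', 'drop' or 'err-disable'."""
        if self.err_disabled:
            return "drop"                      # nothing passes until the port is recovered
        if src_mac in self.secure:
            return "forward"
        if src_mac in self.other_secure_macs:
            return self._violate()             # address already secured elsewhere in the VLAN
        if len(self.secure) < self.maximum:
            self.secure.append(src_mac)        # dynamically learned secure address
            if self.sticky:
                self.running_config.append(src_mac)  # sticky: persisted in running-config
            return "forward"
        return self._violate()                 # table full and an unknown MAC appeared


if __name__ == "__main__":
    port = PortSecurity(maximum=2, violation="shutdown", sticky=True)
    for mac in ("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02", "aa:aa:aa:aa:aa:03"):
        print(mac, "->", port.frame(mac))
    print("sticky running-config:", port.running_config, "violations:", port.violations)
```

The deck's recommendation to log rather than silently discard maps onto restrict or shutdown here: only those two modes increment the counter that a monitoring system can poll, which is why protect is the hardest mode to detect an incident from.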