Thursday, 3 May 2012

Expl 3. Chapter 2. Summary. Basic Switch Concepts and Configuration

CCNA Exploration 3. LAN Switching and Wireless
Key components of the Ethernet standard 
        ~CSMA/CD

The set of rules that Ethernet uses is based on the IEEE carrier sense multiple access/collision detect (CSMA/CD) technology. 

CSMA/CD is only used with half-duplex communication typically found in hubs. 

Full-duplex switches do not use CSMA/CD. 

     ~ Carrier Sense
In the CSMA/CD access method, all network devices that have messages to send must listen before transmitting. 


If a device detects a signal from another device, it waits for a specified amount of time before attempting to transmit. 

When there is no traffic detected, a device transmits its message. While this transmission is occurring, the device continues to listen for traffic or collisions on the LAN. After the message is sent, the device returns to its default listening mode.
   ~ Multi-access

If the distance between devices is such that the latency of the signals of one device means that signals are not detected by a second device, the second device may also start to transmit. The media now has two devices transmitting signals at the same time. The messages propagate across the media until they encounter each other. At that point, the signals mix and the messages are destroyed: a collision has occurred. Although the messages are corrupted, the jumble of remaining signals continues to propagate across the media.

    ~ Collision Detection
When a device is in listening mode, it can detect when a collision occurs on the shared media, because all devices can detect an increase in the amplitude of the signal above the normal level.
    ~ Jam Signal and Random Backoff
When a collision is detected, the transmitting devices send out a jamming signal. The jamming signal notifies the other devices of a collision, so that they invoke a backoff algorithm. This backoff algorithm causes all devices to stop transmitting for a random amount of time, which allows the collision signals to subside. 


After the delay has expired on a device, the device goes back into the "listening before transmit" mode.
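As an added illustration (this is not code from the original chapter summary), the following Python model simulates stations contending on a shared half-duplex segment: listen before transmitting, a collision when more than one station sends in the same slot, a jam, and then a random backoff. It goes slightly beyond the text in using the truncated binary exponential backoff that IEEE 802.3 specifies (after the n-th collision a station waits 0 to 2^min(n,10)-1 slot times, and the frame is discarded after 16 attempts). The station count, the seed and the one-slot-per-frame simplification are assumptions of the example.

```python
import random

MAX_ATTEMPTS = 16      # IEEE 802.3: a station gives up on a frame after 16 collisions
BACKOFF_CAP = 10       # the exponent is capped at 10 (truncated binary exponential backoff)


def backoff_range(attempt):
    """(min, max) number of slot times a station may wait after its n-th collision."""
    if attempt < 1:
        raise ValueError("attempt is 1-based")
    k = min(attempt, BACKOFF_CAP)
    return 0, 2 ** k - 1


def backoff_slots(attempt, rng=random):
    """Random backoff drawn uniformly from the range for this collision count."""
    lo, hi = backoff_range(attempt)
    return rng.randint(lo, hi)


def simulate(num_stations, seed=0):
    """All stations have one frame ready at slot 0 and share one medium.

    Simplification (assumption of the model): a transmission occupies exactly one slot.
    Returns (done, collisions): done maps station -> slot in which its frame got through
    (None if it exceeded MAX_ATTEMPTS), collisions is the number of collision events.
    """
    rng = random.Random(seed)
    ready_at = {s: 0 for s in range(num_stations)}   # slot at which the station next listens/transmits
    attempts = {s: 0 for s in range(num_stations)}
    done = {}
    collisions = 0
    slot = 0
    while ready_at:
        contenders = [s for s, t in ready_at.items() if t <= slot]
        if len(contenders) == 1:
            # carrier sense found the medium free and nobody else started: frame delivered
            s = contenders[0]
            done[s] = slot
            del ready_at[s]
        elif len(contenders) > 1:
            # collision detected by all transmitters: jam signal, then random backoff each
            collisions += 1
            for s in contenders:
                attempts[s] += 1
                if attempts[s] >= MAX_ATTEMPTS:
                    done[s] = None                   # frame discarded after too many collisions
                    del ready_at[s]
                else:
                    ready_at[s] = slot + 1 + backoff_slots(attempts[s], rng)
        slot += 1
    return done, collisions
```

Running `simulate(8)` with different seeds shows how the number of collisions grows with the number of contending stations, which is the effect the "Bandwidth and Throughput" section below describes.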

    ~ Ethernet Communications
    ~ Ethernet Frame

The Ethernet frame structure adds headers and trailers around the Layer 3 PDU to encapsulate the message being sent. 


The Preamble and Start Frame Delimiter fields are used for synchronization between the sending and receiving devices. The remaining fields are:

- Destination MAC Address Field
- Source MAC Address Field
- Length/Type Field
- Data and Pad Fields
- Frame Check Sequence Field

    ~ MAC Address
Organizationally Unique Identifier

The OUI is the first part of a MAC address. It is 24 bits long and identifies the manufacturer of the NIC.

Vendor Assignment Number

The vendor-assigned part of the MAC address is 24 bits long and uniquely identifies the Ethernet hardware.
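To make the frame layout and the two halves of a MAC address concrete, here is an added Python example (not part of the original summary) that builds an Ethernet frame around a payload, pads it to the minimum size, appends the FCS, and parses it back, splitting the source address into its OUI and vendor-assigned part. The sample addresses are constructed (the 02: prefix marks a locally administered address, not a real vendor OUI).

```python
import struct
import zlib

PREAMBLE = b"\x55" * 7        # 7 bytes of alternating 1/0 bits for receiver clock sync
SFD = b"\xD5"                 # Start Frame Delimiter: marks the first byte of the header
MIN_PAYLOAD = 46              # data is padded to 46 bytes so the frame is at least 64 bytes


def mac_to_str(mac):
    return ":".join(f"{b:02x}" for b in mac)


def split_mac(mac):
    """Return (OUI, vendor-assigned part) of a 6-byte MAC address, as hex strings."""
    if len(mac) != 6:
        raise ValueError("a MAC address is 6 bytes")
    return mac_to_str(mac[:3]), mac_to_str(mac[3:])


def build_frame(dst, src, length_type, payload):
    """Encapsulate a Layer 3 PDU: header in front, pad and FCS behind, preamble/SFD before all."""
    pad = b"\x00" * max(0, MIN_PAYLOAD - len(payload))
    body = dst + src + struct.pack("!H", length_type) + payload + pad
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)   # CRC-32 in on-wire byte order
    return PREAMBLE + SFD + body + fcs


def parse_frame(wire):
    """Split a received frame into its fields; 'fcs_ok' says whether the CRC check passed."""
    if wire[:8] != PREAMBLE + SFD:
        raise ValueError("missing preamble / start frame delimiter")
    body, fcs = wire[8:-4], wire[-4:]
    if len(body) < 14 + MIN_PAYLOAD:
        raise ValueError("runt frame")
    dst, src = body[0:6], body[6:12]
    (length_type,) = struct.unpack("!H", body[12:14])
    data = body[14:]
    # Length/Type field: 0x0600 and above is an EtherType (e.g. 0x0800 = IPv4);
    # smaller values give the length of the data, the rest of the field being pad
    if length_type >= 0x0600:
        kind, payload = "type", data
    else:
        kind, payload = "length", data[:length_type]
    return {
        "dst": mac_to_str(dst),
        "src": mac_to_str(src),
        "src_oui": split_mac(src)[0],
        "length_type": length_type,
        "length_type_kind": kind,
        "payload": payload,
        "fcs_ok": struct.unpack("<I", fcs)[0] == (zlib.crc32(body) & 0xFFFFFFFF),
    }


# Constructed sample: a broadcast frame from a locally administered (02:...) source address
SAMPLE = build_frame(b"\xff" * 6, bytes.fromhex("021a2b3c4d5e"), 0x0800, b"hello")
```

Flipping any byte between the SFD and the FCS makes `parse_frame` report `fcs_ok: False`, which is exactly the check a store-and-forward switch performs before forwarding (see the forwarding methods further down).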
    ~ Duplex Settings
    ~ Switch Port Settings


The auto option sets autonegotiation of duplex mode. With autonegotiation enabled, the two ports communicate to decide the best mode of operation.

The full option sets full-duplex mode.

The half option sets half-duplex mode.



    ~ Auto-MDIX

Connections between specific devices, such as switch-to-switch or switch-to-router, once required the use of certain cable types (cross-over, straight-through). Instead, you can now use the mdix auto interface configuration command in the CLI to enable the automatic medium-dependent interface crossover (auto-MDIX) feature.

    ~ Switch MAC Address Table

Switches use MAC addresses to direct network communications through their switch fabric to the appropriate port toward the destination node.
Once a MAC address for a specific node on a specific port is recorded in the address table, the switch then knows to send traffic destined for that specific node out the port mapped to that node for subsequent transmissions.




    Step 1. The switch receives a broadcast frame from PC 1 on Port 1.

    Step 2. The switch enters the source MAC address and the switch port that received the frame into the address table.

    Step 3. Because the destination address is a broadcast, the switch floods the frame to all ports, except the port on which it received the frame.
    Step 4. The destination device replies to the broadcast with a unicast frame addressed to PC 1.
    Step 5. The switch enters the source MAC address of PC 2 and the port number of the switch port that received the frame into the address table. The destination address of the frame and its associated port is found in the MAC address table.
    Step 6. The switch can now forward frames between source and destination devices without flooding, because it has entries in the address table that identify the associated ports.
        ~ Bandwidth and Throughput
As more devices are added to the shared media, the likelihood of collisions increases. Because of this, it is important to understand that when stating the bandwidth of the Ethernet network is 10 Mb/s, full bandwidth for transmission is available only after any collisions have been resolved. The net throughput of the port (the average data that is effectively transmitted) will be considerably reduced as a function of how many other nodes want to use the network.
        ~ Broadcast Domains
Although switches filter most frames based on MAC addresses, they do not filter broadcast frames. For other switches on the LAN to receive broadcast frames, switches must forward them. A collection of interconnected switches forms a single broadcast domain.
When two switches are connected, the broadcast domain grows.
        ~ Network Latency

Latency is the time a frame or a packet takes to travel from the source station to the final destination.

Additional switch features such as port-based memory buffering, port-level QoS, and congestion management also help to reduce network latency.

Latency has at least three sources:

First, NIC delay: the time it takes the source NIC to place voltage pulses on the wire, and the time it takes the destination NIC to interpret these pulses.

Second, propagation delay: the signal takes time to travel through the cable.

Third, latency added by the network devices that are in the path between the two devices.
    ~ Network Congestion

    These are the most common causes of network congestion:

    1. Increasingly powerful computer and network technologies. 

    2. Increasing volume of network traffic. 

    3. High-bandwidth applications. 
        ~ LAN Segmentation
    ~ Removing Bottlenecks

    Bottlenecks on a network are places where high network congestion results in slow performance.

    Higher capacity links and using multiple links leveraging link aggregation technologies (for example, combining two links as if they were one to double a connection's capacity) can help to reduce the bottlenecks created by inter-switch links and router links. 



    Switch Packet Forwarding Methods
    Store-and-Forward Switching
    In store-and-forward switching, when the switch receives the frame, it stores the data in buffers until the complete frame has been received. During the storage process, the switch analyzes the frame for information about its destination. In this process, the switch also performs an error check using the Cyclic Redundancy Check (CRC) trailer portion of the Ethernet frame. 
    After confirming the integrity of the frame, the frame is forwarded out the appropriate port toward its destination. When an error is detected in a frame, the switch discards the frame. Discarding frames with errors reduces the amount of bandwidth consumed by corrupt data. Store-and-forward switching is required for Quality of Service (QoS) analysis on converged networks where frame classification for traffic prioritization is necessary.
    Cut-through Switching
In cut-through switching, the switch acts upon the data as soon as it is received, even if the transmission is not complete. The switch buffers just enough of the frame to read the destination MAC address so that it can determine to which port to forward the data. The destination MAC address is located in the first 6 bytes of the frame following the preamble. The switch looks up the destination MAC address in its switching table, determines the outgoing interface port, and forwards the frame onto its destination through the designated switch port.
+ faster
- forwards corrupt frames throughout the network, consuming bandwidth

Fast-forward switching
- offers the lowest level of latency.
- immediately forwards a packet after reading the destination address.
- because fast-forward switching starts forwarding before the entire packet has been received, packets may be relayed with errors.

Fragment-free switching
- the switch stores the first 64 bytes of the frame before forwarding.
- the reason for storing only the first 64 bytes is that most network errors and collisions occur during the first 64 bytes.
- a compromise between the high latency and high integrity of store-and-forward switching, and the low latency and reduced integrity of cut-through switching.
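The three forwarding methods differ only in how many bytes the switch buffers before it decides, and therefore in which errors it can catch. The following Python model is an added example (not from the original summary): it runs the same constructed frames through store-and-forward, fast-forward and fragment-free logic and reports the decision and the number of bytes buffered. The port table, the frames and the single-bit-error position are assumptions of the example.

```python
import struct
import zlib

MIN_FRAME = 64          # minimum Ethernet frame size: header + data/pad + FCS
FLOOD = "flood"         # unknown destination: send out all ports except the ingress port


def with_fcs(body):
    """Append the 4-byte FCS (CRC-32 as zlib computes it, in on-wire byte order)."""
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def fcs_ok(frame):
    body, fcs = frame[:-4], frame[-4:]
    return struct.unpack("<I", fcs)[0] == (zlib.crc32(body) & 0xFFFFFFFF)


def store_and_forward(frame, table):
    """Buffer the whole frame, verify the FCS, then decide. Returns (decision, bytes buffered)."""
    if len(frame) < MIN_FRAME or not fcs_ok(frame):
        return None, len(frame)                        # runt or CRC error: discard
    return table.get(frame[:6], FLOOD), len(frame)


def fast_forward(frame, table):
    """Cut-through: decide as soon as the 6-byte destination MAC is in; FCS is never checked."""
    return table.get(frame[:6], FLOOD), 6


def fragment_free(frame, table):
    """Cut-through after 64 bytes: collision fragments (shorter than 64 bytes) are dropped,
    but an error later in the frame is not noticed."""
    if len(frame) < MIN_FRAME:
        return None, len(frame)
    return table.get(frame[:6], FLOOD), MIN_FRAME


def compare(frame, table):
    """Run one frame through all three methods."""
    return {
        "store-and-forward": store_and_forward(frame, table),
        "fast-forward": fast_forward(frame, table),
        "fragment-free": fragment_free(frame, table),
    }


# Constructed sample data: two locally administered addresses and a port table that knows both
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")
TABLE = {DST: "Fa0/2", SRC: "Fa0/1"}
GOOD = with_fcs(DST + SRC + b"\x08\x00" + bytes(range(82)))     # 14 + 82 + 4 = 100 bytes
CORRUPT = GOOD[:70] + bytes([GOOD[70] ^ 0xFF]) + GOOD[71:]        # bit errors after byte 64
FRAGMENT = GOOD[:40]                                              # collision fragment (runt)
```

`compare(CORRUPT, TABLE)` shows the trade-off the text describes: only store-and-forward discards the damaged frame, while fragment-free catches the runt that fast-forward would have relayed.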

    Symmetric switching provides switched connections between ports with the same bandwidth, such as all 100 Mb/s ports or all 1000 Mb/s ports. An asymmetric LAN switch provides switched connections between ports of unlike bandwidth, such as a combination of 10 Mb/s, 100 Mb/s, and 1000 Mb/s ports. 
    There are two methods of memory buffering:
    1. In port-based memory buffering, frames are stored in queues that are linked to specific incoming and outgoing ports. A frame is transmitted to the outgoing port only when all the frames ahead of it in the queue have been successfully transmitted. 
    2. Shared memory buffering deposits all frames into a common memory buffer that all the ports on the switch share. The amount of buffer memory required by a port is dynamically allocated. The frames in the buffer are linked dynamically to the destination port. 
1. Set a password for enable mode (enable secret, which stores a hashed password, is preferable to enable password, which is kept in clear text in the configuration)
S> enable
S# conf t
S(config)# enable password my-secret-password

2. Set a password for Telnet login
S(config)# line vty 0 15
S(config-line)# password my-telnet-password

3. Viewing the command history (by default, the system records the last 10 command lines)
S# show history
Enable recording of the command history
S# terminal history
Set the history size
S# terminal history size ___ (1-256)
Disable recording of the command history
S# terminal no history
Reset the size to the default
S# terminal no history size

    The switch loads the boot loader software. The boot loader is a small program stored in ROM and is run when the switch is first turned on.
The boot loader:
- Performs low-level CPU initialization. It initializes the CPU registers, which control where physical memory is mapped, the quantity of memory, and its speed.
- Performs power-on self-test (POST) for the CPU subsystem. It tests the CPU DRAM and the portion of the flash device that makes up the flash file system.
- Initializes the flash file system on the system board.
- Loads a default operating system software image into memory and boots the switch. The boot loader finds the Cisco IOS image on the switch by first looking in a directory that has the same name as the image file (excluding the .bin extension). If it does not find it there, the boot loader software searches each subdirectory before continuing the search in the original directory.

    Management Interface Considerations
    An access layer switch is much like a PC in that you need to configure an IP address, a subnet mask, and a default gateway. To manage a switch remotely using TCP/IP, you need to assign the switch an IP address. In the figure, you want to manage S1 from PC1, a computer used for managing the network. To do this, you need to assign switch S1 an IP address. This IP address is assigned to a virtual interface called a virtual LAN (VLAN), and then it is necessary to ensure the VLAN is assigned to a specific port or ports on the switch. 
Enter configuration mode for the VLAN interface
S(config)# interface vlan 99
Assign the chosen IP address
S(config-if)# ip address 10.1.1.1 255.255.255.0
Enable the interface; by default it may be shut down
S(config-if)# no shutdown
Enter the physical interface
S(config)# interface Fa 0/18
Set the interface mode
S(config-if)# switchport mode access
Assign the interface to the VLAN
S(config-if)# switchport access vlan 99
Set the default gateway (it must be an address on the same subnet as the VLAN interface address for remote management to work)
S(config)# ip default-gateway 132.123.123.123
Duplex mode and speed. Switches must have the same duplex settings and speeds.
S(config)# interface Fa 0/18
S(config-if)# duplex auto
S(config-if)# speed auto

    Managing the MAC Address Table
Switches use MAC address tables (dynamic + static addresses) to determine how to forward traffic between ports.
Dynamic addresses are source MAC addresses that the switch learns and then ages out when they are not in use. The default aging time for MAC addresses is 300 seconds.
The switch provides dynamic addressing by learning the source MAC address of each frame that it receives on each port, and then adding the source MAC address and its associated port number to the MAC address table. As computers are added or removed from the network, the switch updates the MAC address table, adding new entries and aging out those that are currently not in use.
Static addresses are not aged out, and the switch always knows which port to send out traffic destined for that specific MAC address. As a result, there is no need to relearn or refresh which port the MAC address is connected to. One reason to implement static MAC addresses is to provide the network administrator complete control over access to the network.
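The learning steps 1-6 in the "Switch MAC Address Table" section above and the aging and static entries described here can be modelled in a few lines. The following Python is an added example, not code from the original summary: a small switch with a MAC address table whose dynamic entries expire after the 300-second default while static entries never do. The port names, the clock injection and the constructed 02:... addresses are assumptions of the example.

```python
import time

DEFAULT_AGING = 300                    # default MAC address aging time, seconds
BROADCAST = "ff:ff:ff:ff:ff:ff"


class MacTable:
    """MAC address table: dynamic entries age out, static entries never do."""

    def __init__(self, aging=DEFAULT_AGING, clock=time.monotonic):
        self.aging = aging
        self.clock = clock               # injectable clock so aging can be exercised in tests
        self.entries = {}                # mac -> [port, last_seen]; last_seen None = static

    def learn(self, mac, port):
        """Record (or refresh) a dynamic entry for a source MAC; a static entry is never overwritten."""
        entry = self.entries.get(mac)
        if entry is not None and entry[1] is None:
            return
        self.entries[mac] = [port, self.clock()]

    def add_static(self, mac, port):
        self.entries[mac] = [port, None]

    def age_out(self):
        """Remove dynamic entries not refreshed within the aging time; return the removed MACs."""
        now = self.clock()
        expired = [m for m, (_, seen) in self.entries.items()
                   if seen is not None and now - seen > self.aging]
        for m in expired:
            del self.entries[m]
        return expired

    def lookup(self, mac):
        self.age_out()
        entry = self.entries.get(mac)
        return entry[0] if entry else None


class Switch:
    def __init__(self, ports, **table_kwargs):
        self.ports = list(ports)
        self.table = MacTable(**table_kwargs)

    def receive(self, in_port, src, dst):
        """Handle one frame; return the list of ports it is forwarded out of."""
        self.table.learn(src, in_port)                           # Steps 2 and 5: learn the source
        out = None if dst == BROADCAST else self.table.lookup(dst)
        if out is None:                                          # Step 3: broadcast or unknown -> flood
            return [p for p in self.ports if p != in_port]
        return [] if out == in_port else [out]                   # Step 6: known destination, no flooding


def walkthrough():
    """Replay Steps 1-6 on a 3-port switch; return the egress ports of each frame."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    pc1, pc2 = "02:00:00:00:00:01", "02:00:00:00:00:02"       # constructed addresses
    return [
        sw.receive("Fa0/1", pc1, BROADCAST),    # Steps 1-3: flooded to Fa0/2 and Fa0/3
        sw.receive("Fa0/2", pc2, pc1),          # Steps 4-5: unicast reply goes only to Fa0/1
        sw.receive("Fa0/1", pc1, pc2),          # Step 6: forwarded to Fa0/2 without flooding
    ]
```

Passing `clock=lambda: some_counter` lets you advance time by hand and watch a dynamic entry disappear after 300 seconds while a static one added with `add_static` stays put, which is the behaviour the paragraph above describes.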

    Configuring the switch as an SSH server. 
    Beginning in privileged EXEC mode, follow these steps to configure a hostname and an IP domain name and to generate an RSA key pair.
    Step 1. Enter global configuration mode using the configure terminal command.
Step 2. Configure a hostname for your switch using the hostname command.
    Step 3. Configure a host domain for your switch using the ip domain-name domain_name command.
    Step 4. Enable the SSH server for local and remote authentication on the switch and generate an RSA key pair using the crypto key generate rsa command.
    When you generate RSA keys, you are prompted to enter a modulus length. Cisco recommends using a modulus size of 1024 bits. A longer modulus length might be more secure, but it takes longer to generate and to use.
    Step 5. Return to privileged EXEC mode using the end command.
    Step 6. Show the status of the SSH server on the switch using the show ip ssh or show ssh command.

    Security Attacks
    ~ MAC Address Flooding
    ~ Spoofing Attacks
    ~ CDP Attacks
    ~ Telnet Attacks
    ~ Brute Force Password Attack 
    ~ DoS Attack

Common features of a modern network security tool include:

- Service identification
- Support of SSL services: testing services that use SSL-level security, including HTTPS, SMTPS, IMAPS, and security certificates
- Non-destructive and destructive testing
- Database of vulnerabilities

You can use network security tools to:

- Capture chat messages
- Capture files from NFS traffic
- Capture HTTP requests in Common Log Format
- Capture mail messages in Berkeley mbox format
- Capture passwords
- Display captured URLs in browser in real time
- Flood a switched LAN with random MAC addresses
- Forge replies to DNS address / pointer queries
- Intercept packets on a switched LAN

Port Security
The switch supports the following types of secure MAC addresses:
     ~ Static MAC addresses:
- configured statically with the switchport port-security mac-address mac-address command in interface configuration mode,
- stored in the address table,
- added to the running configuration of the switch;
     ~ Dynamic MAC addresses:
- learned dynamically,
- stored only in the address table,
- removed when the switch restarts;
     ~ Sticky MAC addresses:
- can be configured statically or learned dynamically,
- stored in the address table,
- added to the running configuration of the switch. If these addresses are saved in the configuration file, they do not need to be configured again after the switch restarts.
Security violation modes
The following situations count as a port security violation:
1. the maximum number of secure MAC addresses has been added to the address table, and a host whose MAC address is not in the address table attempts to access the interface;
2. an address learned or configured as secure on one interface appears on another secure interface in the same VLAN.

The following violation modes can be configured on an interface:
protect: when the number of secure MAC addresses reaches the maximum configured on the port, packets with an unknown source MAC address are dropped until enough secure MAC addresses are removed to bring the count below the maximum, or the maximum number of allowed addresses is increased. There is no notification of the violation.
restrict: when the number of secure MAC addresses reaches the maximum configured on the port, packets with an unknown source MAC address are dropped until enough secure MAC addresses are removed to bring the count below the maximum, or the maximum number of allowed addresses is increased. In this mode a violation is reported: an SNMP trap is sent, a syslog message is logged, and the violation counter is incremented.
shutdown: a violation puts the interface into the error-disabled state and shuts it down immediately, and the port LED goes off. An SNMP trap is sent, a syslog message is logged, and the violation counter is incremented. A port in the error-disabled state can be brought back with the errdisable recovery cause psecure-violation command, or by re-enabling the interface manually with shutdown followed by no shutdown in interface configuration mode. This is the default mode.
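To see how the three address types, the two violation conditions and the three violation modes interact, here is an added Python model (not code from the original summary or from Cisco IOS). It tracks secure addresses per port, reports whether a frame's source was learned, forwarded or dropped, and shows which addresses would end up in the running configuration. Port names, VLAN numbers, the constructed 02:... addresses and the behaviour of `recover` (dynamic entries are discarded when the port is re-enabled, static and sticky ones survive because they are in the configuration) are assumptions of the example.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    vlan: int
    maximum: int = 1                        # switchport port-security maximum
    violation: str = "shutdown"             # protect | restrict | shutdown (default)
    sticky: bool = False                    # switchport port-security mac-address sticky
    secure: dict = field(default_factory=dict)   # mac -> "static" | "dynamic" | "sticky"
    violation_count: int = 0
    err_disabled: bool = False
    notifications: list = field(default_factory=list)   # stands in for SNMP trap + syslog

    def running_config(self):
        """Lines this port would contribute to the running configuration."""
        lines = [f"interface {self.name}",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
        for mac, kind in self.secure.items():
            if kind == "static":
                lines.append(f" switchport port-security mac-address {mac}")
            elif kind == "sticky":          # dynamic addresses live only in the address table
                lines.append(f" switchport port-security mac-address sticky {mac}")
        return lines


class PortSecuritySwitch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def secured_elsewhere(self, mac, vlan, this_port):
        """Violation condition 2: the MAC is already secure on another port in the same VLAN."""
        for p in self.ports.values():
            if p.name != this_port and p.vlan == vlan and mac in p.secure:
                return p.name
        return None

    def ingress(self, port_name, src_mac):
        """Process the source MAC of a frame arriving on a secured port; return what happened."""
        p = self.ports[port_name]
        if p.err_disabled:
            return "dropped (err-disabled)"
        if src_mac in p.secure:
            return "forwarded"
        other = self.secured_elsewhere(src_mac, p.vlan, p.name)
        if other is None and len(p.secure) < p.maximum:       # room left: learn the address
            p.secure[src_mac] = "sticky" if p.sticky else "dynamic"
            return "learned"
        # Condition 1 (maximum reached, unknown source) or condition 2 (secure on `other`)
        reason = f"secure on {other}" if other else "maximum reached"
        if p.violation == "protect":
            return "dropped"                                   # silent: no trap, syslog or counter
        p.violation_count += 1
        p.notifications.append(f"trap+syslog: violation on {p.name} by {src_mac} ({reason})")
        if p.violation == "restrict":
            return "dropped"
        p.err_disabled = True                                  # shutdown mode: error-disabled
        return "err-disabled"

    def recover(self, port_name):
        """Operator enters shutdown / no shutdown (or errdisable recovery fires)."""
        p = self.ports[port_name]
        p.err_disabled = False
        # assumption of the model: only configured (static/sticky) addresses survive
        p.secure = {m: k for m, k in p.secure.items() if k != "dynamic"}
```

`PortSecuritySwitch([...]).ingress(...)` fed with a sequence of source addresses reproduces the table in the text: protect drops silently, restrict drops and counts, shutdown error-disables the port, and a sticky address is the only learned one that shows up in `running_config()`.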
Configuring port security

Enabling port security on an interface:
S(config)# interface Fa 0/18
S(config-if)# switchport mode <access | trunk>
S(config-if)# switchport port-security

Maximum number of secure MAC addresses on the interface or in a VLAN:
S(config-if)# switchport port-security maximum <value> [vlan <vlan-list>]

Viewing port security information:
S# show port-security vlan 7

Enabling sticky learning of addresses:
S(config-if)# switchport port-security mac-address sticky
S(config-if)# switchport port-security mac-address sticky [mac-address|vlan <vlan-id |<access|voice>>]

Violation mode:
S(config-if)# switchport port-security violation <protect | restrict | shutdown>

If the port was configured with (or left at the default) shutdown violation mode, a violation puts the port into the error-disabled state.
To check that the port has gone into the error-disabled state:
S# show interfaces <interface-number> status
To clear the secure MAC addresses so that other devices can connect:
S# clear port-security [all|configured|dynamic|sticky] [address <mac>|interface <int-id>]
