Chapter 5: Switch Configuration PDF
Uploaded by HappierHarpy. Cnam, 2016, CCNA.
Summary
This document provides instructor materials for Chapter 5 on switch configuration. It covers basic switch configurations, device configurations, switch security using best practices, and details SSH operations.
Full Transcript
Chapter 5: Switch Configuration
Instructor Materials, CCNA Routing and Switching, Routing and Switching Essentials v6.0

Chapter 5 - Sections & Objectives
5.1 Basic Switch Configuration
Configure basic switch settings to meet network requirements.
Configure initial settings on a Cisco switch.
Configure switch ports to meet network requirements.
5.2 Basic Device Configuration
Configure a switch using security best practices in a small to medium-sized business network.
Configure the management virtual interface on a switch.
Configure the port security feature to restrict network access.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

5.2 Switch Security

Secure Remote Access - SSH Operation
Two figures compare opening a management session with Telnet and with SSH:
  Telnet:
    >telnet 192.168.99.11
    Pass: telpass
    S1>enable
    Pass: enpass
    S1#
  SSH:
    >ssh -l kassem 192.168.99.11
    Pass: sshpass
    S1>enable
    Pass: enpass
    S1#
Secure Shell (SSH) is an alternative protocol to Telnet. Telnet sends the username and password, as well as the data transmitted, as unsecured plaintext. SSH is more secure because it provides an encrypted management connection. [Figures: Wireshark capture of Telnet; Wireshark capture of SSH]

Secure Remote Access - SSH Operation (Cont.)
A switch must have an IOS version that includes cryptographic capabilities (k9 at the end of the IOS file name) in order to configure and use SSH. Use the show version command to see the IOS version.

Secure Remote Access - Configuring SSH
[Slide callout pointing out a commonly forgotten command that is used in key generation]
1. Verify SSH support.
2. Configure the IP domain name.
3. Generate RSA key pairs.
4. Configure user authentication.
5. Configure the vty lines.
6. Enable SSH version 2.
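The six steps above as one complete IOS configuration session, including the management interface the switch needs before it is reachable over SSH. This is an added example, not a slide from the deck: the hostname S1, the user kassem, the sample passwords sshpass and enpass and the management address 192.168.99.11 are taken from the slides; the VLAN number, the subnet mask and the domain name example.com are assumptions.

```cisco
! Added example (not from the slide deck): SSH-only management on a Cisco IOS switch.
! Hostname, username, passwords and 192.168.99.11 come from the slides;
! VLAN 99, the /24 mask and example.com are constructed placeholders.

! Step 1: confirm the image name ends in "k9" (cryptographic feature set)
S1# show version

S1# configure terminal
S1(config)# hostname S1
! Management SVI so the switch can be reached for SSH at all
S1(config)# interface vlan 99
S1(config-if)# ip address 192.168.99.11 255.255.255.0
S1(config-if)# no shutdown
S1(config-if)# exit

! Step 2: a domain name must exist before the RSA key pair can be generated
S1(config)# ip domain-name example.com

! Step 3: generate the RSA key pair; 2048 bits rather than the smaller default
S1(config)# crypto key generate rsa modulus 2048

! Step 4: local user with a hashed (secret) password, never a plaintext "password"
S1(config)# username kassem privilege 15 secret sshpass
S1(config)# enable secret enpass

! Step 5: vty lines accept SSH only (not the "transport input all" default)
!         and authenticate against the local username database
S1(config)# line vty 0 15
S1(config-line)# transport input ssh
S1(config-line)# login local
S1(config-line)# exec-timeout 5 0
S1(config-line)# exit

! Step 6: SSH version 2 only; shorten the negotiation timeout and limit retries
S1(config)# ip ssh version 2
S1(config)# ip ssh time-out 60
S1(config)# ip ssh authentication-retries 2
S1(config)# end
S1# copy running-config startup-config

! Verification: "show ip ssh" should report SSH Enabled - version 2.0
S1# show ip ssh
! Active sessions, once the PC has connected with: ssh -l kassem 192.168.99.11
S1# show ssh
```

The order matters: the key generation in step 3 fails if the hostname or domain name is missing, which is why the slide flags that command as commonly forgotten. Once transport input ssh is applied, a Telnet attempt to 192.168.99.11 is refused, so the plaintext credentials shown in the Wireshark capture of Telnet never cross the wire.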
Callouts on the Configuring SSH slide: the default is to accept both Telnet and SSH (transport input all); the login local command forces the use of the local database for username/password.

Secure Remote Access - Verifying SSH
On the PC, connect to the switch using SSH. [Figure: PC terminal running ssh to the switch IP address] The PC is using SSH to communicate and issue commands on the switch.

Secure Remote Access - Packet Tracer: Configuring SSH

Security Concerns in LANs - MAC Address Flooding (cont.)
[Figure: an attacker flooding the CAM table with bogus entries] MAC address tables are limited in size. MAC flooding makes use of this limitation: the attacker sends the switch a large number of fake source MAC addresses until the switch MAC address table is full and cannot save any more MAC address to port mapping entries.

Security Concerns in LANs - MAC Address Flooding (cont.)
The switch now behaves as a hub. The switch enters a fail-open mode, which means that it starts acting as a hub: in this situation the switch broadcasts all received frames to all the machines on the network. As a result, the attacker (in our case "PC C") can see all the frames sent from a victim host to another host that has no MAC address table entry.

Switch Port Security - Secure Unused Ports
The interface range command can be used to apply a configuration to several switch ports at one time.
  S1(config)#interface range fa0/4-7
  S1(config-if)#shutdown

Switch Port Security - Port Security: Operation
Port security limits the number of valid MAC addresses allowed on a port.
Switch Port Security - Switchport Security
The MAC addresses of legitimate devices are allowed access, while other MAC addresses are denied. Any additional attempts to connect by unknown MAC addresses generate a security violation. Secure MAC addresses can be configured in a number of ways: static secure MAC addresses, dynamic secure MAC addresses, and sticky secure MAC addresses.
Configuration shown on the slide:
  Switch(config)#interface FastEthernet0/10
  Switch(config-if)# switchport mode access
  Switch(config-if)# switchport port-security
  Switch(config-if)# switchport port-security mac-address sticky
  Switch(config-if)# switchport port-security maximum 1
  Switch(config-if)# switchport port-security violation shutdown
Verification commands shown on the slide:
  Switch#show port-security interface fa0/10
  Switch#show interfaces fa0/1 switchport
  Switch#show running-config
  Switch#show port-security address   // to see how MAC addresses were learned on a port (static, dynamic or sticky)

Switch Port Security - Port Security: Operation
Port security limits the number of valid MAC addresses allowed to transmit data through a switch port. If a port has port security enabled and an unknown MAC address sends data, the switch presents a security violation. The default number of secure MAC addresses allowed is 1.
Methods used to configure MAC addresses within port security:
Static secure MAC addresses: manually configured with switchport port-security mac-address mac-address.
Dynamic secure MAC addresses: dynamically learned and removed if the switch restarts.
Sticky secure MAC addresses: dynamically learned and added to the running configuration (which can later be saved to the startup-config to permanently retain the MAC addresses), enabled with switchport port-security mac-address sticky.
Note: Disabling sticky learning converts sticky MAC addresses to dynamic secure addresses and removes them from the running-config.
Switch Port Security - Port Security: Violation Modes
Protect: data from unknown source MAC addresses is dropped; a security notification IS NOT presented by the switch.
Restrict: data from unknown source MAC addresses is dropped; a security notification IS presented by the switch and the violation counter increments.
Shutdown (default mode): the interface becomes error-disabled and the port LED turns off. The violation counter increments. Issue the shutdown and then the no shutdown command on the interface to bring it out of the error-disabled state.

Switch Port Security - Port Security: Configuring
[Figure: port-security configuration example]

Switch Port Security - Port Security: Configuring (Cont.)
Before configuring port-security features, place the port in access mode and use the switchport port-security interface configuration command to enable port security on an interface. [Figure: configuration example with a rotated callout (garbled in extraction) marking a commonly forgotten command]

Switch Port Security - Port Security: Configuring (Cont.)
[Figure: configuration example with the same rotated callout]

Switch Port Security - Port Security: Verifying
Use the show port-security interface command to verify the maximum number of MAC addresses allowed on a particular port and how many of those addresses were learned dynamically using sticky. [Figure: show port-security interface output, with the dynamic and sticky counts labelled]

Switch Port Security - Port Security: Verifying (Cont.)
Use the show running-config command to see learned MAC addresses added to the configuration. The show port-security address command shows how MAC addresses were learned on a particular port.
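The port-security operation, violation-mode and verification slides in this section, brought together as one worked IOS session: configuration of user-facing ports, shutdown of unused ports, forwarding of the violation messages to a log collector, verification, and the investigate-then-recover sequence for an error-disabled port. This is an added example and not from the slide deck; it goes a little beyond the slides by pairing restrict mode with a static address and by shipping the console messages off-box. The interface numbers, the MAC address 0000.1111.2222 and the syslog collector address 192.0.2.10 are constructed placeholders.

```cisco
! Added example (not from the slide deck): port security on an access switch.
! Interface ranges, the static MAC 0000.1111.2222 and the collector 192.0.2.10
! are constructed placeholders.

S1# configure terminal

! User ports fa0/1-3: one sticky-learned MAC per port, default shutdown violation.
! "switchport mode access" first: port security is not accepted on a dynamic port.
S1(config)# interface range fa0/1-3
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport port-security
S1(config-if-range)# switchport port-security maximum 1
S1(config-if-range)# switchport port-security mac-address sticky
S1(config-if-range)# switchport port-security violation shutdown
S1(config-if-range)# exit

! Printer port fa0/10: fixed (static) MAC; restrict mode keeps the port up but
! drops frames from any other source MAC and increments the violation counter.
S1(config)# interface fa0/10
S1(config-if)# switchport mode access
S1(config-if)# switchport port-security
S1(config-if)# switchport port-security maximum 1
S1(config-if)# switchport port-security mac-address 0000.1111.2222
S1(config-if)# switchport port-security violation restrict
S1(config-if)# exit

! Unused ports: administratively down, as on the "Secure Unused Ports" slide.
S1(config)# interface range fa0/11-24
S1(config-if-range)# shutdown
S1(config-if-range)# exit

! Forward the violation console messages to a syslog collector, with timestamps,
! so a port going error-disabled is seen even when nobody is on the console.
S1(config)# service timestamps log datetime msec
S1(config)# logging host 192.0.2.10
S1(config)# logging trap informational
S1(config)# end
! Persist the configuration, which also keeps the sticky-learned addresses.
S1# copy running-config startup-config

! Verification (matches the "Port Security: Verifying" slides)
S1# show port-security
S1# show port-security interface fa0/1
S1# show port-security address
S1# show interfaces fa0/1 status

! Recovery after a violation on fa0/1, only once the offending device has been
! identified (show port-security interface reports the last source address).
S1# configure terminal
S1(config)# interface fa0/1
S1(config-if)# shutdown
S1(config-if)# no shutdown
S1(config-if)# end
```

Two details to read from the verification output before re-enabling a port: the Port Status line (Secure-shutdown means the violation mode fired) and the Last Source Address field, which names the MAC that caused the violation and is the starting point of the investigation the slides call for. Choosing restrict instead of shutdown on fa0/10 is a deliberate trade-off: a rogue device plugged into that port is still counted and logged, but the printer keeps working.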
Switch Port Security - Ports in Error Disabled State
Switch console messages display when a port security violation occurs. Notice that the port link status changes to down.

Switch Port Security - Ports in Error Disabled State (Cont.)
Check the port status and the port security settings. Do not re-enable a port until the security threat is investigated and eliminated. Notice that you must first shut the port down and then issue the no shutdown command in order to use the particular port again after a security violation has occurred.

Secure Remote Access - Packet Tracer: Configuring Switch Port Security

Secure Remote Access - Packet Tracer: Troubleshooting Switch Port Security

Secure Remote Access - Packet Tracer: Configuring Switch Security Features

5.3 Chapter Summary