Basic Switching Concepts and

Configuration
Routing and Switching Essentials
Chapter 2

Richard L. Holladay,
JNCIA-Junos, CCNA, Ph.D.

Topics
Introduction
Basic Switch Configuration
Configure a Switch With Initial Settings
Configure Switch Ports

Switch Security: Management and Implementation

Secure Remote Access
Security Concerns in LANs
Security Best Practices
Switch Port Security

Summary

Objectives

Configure initial settings on a Cisco switch.

Configure switch ports to meet network requirements.
Configure the management switch virtual interface (SVI).
Describe basic security attacks in a switched network.
Describe security best practices in a switched environment.
Configure the port security feature to restrict network access.

 Switches are used to connect devices together on the same network.

Cisco switches are self-configuring and no additional configurations are
necessary for them to function out of the box.

However, Cisco switches run Cisco IOS, and can be manually configured.
This includes adjusting port speed, bandwidth and security requirements.

Cisco switches can be managed locally and remotely.

Local management requires a console connection and terminal emulator.

Remote management requires configuring an IP address and default gateway and
connecting through telnet, ssh, or other network management software.

Switches connect users directly to the network and are therefore one of
the most vulnerable areas of the network.
They need to be configured to be resilient to attacks of all types.

Port security is one of the security features Cisco managed switches provide.

We will examine basic switch configuration and security settings.

After powering on, a switch goes through the following boot sequence:
1)
2)

Power-On Self Test (POST)

Run boot loader software
Initialize CPU registers
Initialize flash file system
Locate and load IOS
Transfer control to IOS
3) To find IOS it uses the BOOT environment variable
If not set, the switch tries to load the first executable file it can find in Flash by
performing a recursive, depth-first search
Each lower-level subdirectory is completely searched before continuing the search in
the original directory
On Catalyst 2960s, IOS is normally contained in a directory that has the same name
as the image file (excluding the .bin file extension)

4)

IOS then initializes the switch using the startup config stored in NVRAM, if
found

The boot loader can also be used to manage the switch if the IOS cant be
loaded.
The boot loader can be accessed through a console connection by:
1) Connect a PC by console cable to the switch console port. Unplug the switch
power cord.
2) Reconnect the power cord to the switch and press and hold down the
Mode button.

The System LED turns briefly amber and then solid green.
Release the Mode button.

3) The boot loader switch: prompt appears.

4) In switch: you can (among other things):
Browse Flash using Unix commands, like dir
Format flash
Reinstall a missing IOS image

Each port on Cisco Catalyst switches have status LED indicator lights.
By default these LED lights reflect port activity but they can also
provide other information about the switch through the Mode
button
The following modes are available on Cisco Catalyst 2960
switches:

System LED
RPS (Redundant Power System) LED
Status (port) LED
Duplex LED
Speed LED
PoE (Power over Ethernet) Mode LED

 To remotely manage a Cisco switch, it needs to be configured to

access the network

It must have an IP address and subnet mask

If managing the switch from a remote network, a default gateway must also
be configured

The IP information (address, subnet mask, gateway) is assigned to

a switch SVI (switch virtual interface)

The SVI is a virtual interface, not a physical port on the switch.

SVIs are related to VLANs, numbered logical groups to which physical ports
can be assigned.
By default, switch management occurs through VLAN 1.
For security purposes, it is considered a best practice to use a VLAN other
than VLAN 1 for the management VLAN.

These IP settings are only used for remote management and

remote access to the switch, they do not allow the switch to route
Layer 3 packets.
10

. Preparing for Remote Management

255.255.0.0

Use interface vlan 99 to enter interface configuration mode

ip address address and mask
no shutdown
Note that the SVI for VLAN 99 will not be "up/up" until VLAN 99 is created and there is a
device connected to a switch port associated with VLAN 99.
S1(config)# vlan vlan_id
S1(config-vlan)# name vlan_name
S1(config)# end
S1(config)# interface interface_id
S1(config-if)# switchport access vlan vlan_id
11

The default gateway is the router the switch is connected to.

The switch will forward IP packets with destination IP addresses outside
the local network to the default gateway. As shown above, R1 is the
default gateway for S1.

The interface on R1 connected to the switch has IP address 172.17.99.1.

This address is the default gateway address for S1.

Use the ip default-gateway command.

The default gateway is the IP address of the router interface to which the switch is
connected.
12

Use show ip interface brief to check the status of both physical and
virtual interfaces.

13

Full-duplex communication improves the performance of a switched LAN

by allowing a connection to transmit and receive data simultaneously.
Because there is only one device connected, a micro-segmented LAN is
collision free.
In full-duplex mode, the collision detection circuit on the NIC is disabled.
Frames cannot collide because the devices use two separate circuits in
the network cable.
Full-duplex connections require a switch that supports full-duplex
configuration, or a direct connection using an Ethernet cable between two
devices.

14

Half-duplex is unidirectional.
Half-duplex communication creates performance issues because data can
flow in only one direction at a time, often resulting in collisions.
Half-duplex connections are typically seen in older hardware, such as
hubs.
Full-duplex communication has replaced half-duplex in most hardware.
Shared hub-based half-duplex efficiency is typically rated at 50 to 60
percent of the stated bandwidth.
Full-duplex offers 100 percent efficiency in both directions (transmitting
and receiving).
This results in a 200 percent
potential of the stated bandwidth.

15

The default for duplex and speed

on 2960s and 3560s is auto.
10/100/1000 ports operate in either half- or full-duplex when set to 10 or 100
Mb/s,

But when they are set to 1000 Mb/s (1 Gb/s), they operate only in full-duplex mode.

Cisco recommends only using auto for duplex and speed to avoid connection
issues between devices.
Check duplex and speed when troubleshooting switch port issues.
16

Automatic Medium-Dependent
Interface Crossover (auto-MDIX)

Until recently, crossover cables were required when connecting two devices of
the same type.

Switch-to-switch or router-to-router connections required using cross-over cables.

Auto-MDIX on an interface automatically detects the required cable connection

type (straight- through or crossover) and configures the connection appropriately
When using auto-MDIX on an interface, speed and duplex must be set to auto so
that the feature operates correctly.
17

 Use the show controllers ethernet-controller command with the phy

keyword.
To limit the output to lines referencing auto-MDIX, use the use the Unix pipe
command | with the include Auto-MDIX filter.
The output indicates either On or Off.

18

 Switchport Verification Commands:

19

 The show interface command can detect common media issues.

If the interface is up and the line protocol is down, there could be an encapsulation
type mismatch, the interface on the other end could be error-disabled, or there
could be a hardware problem.
If the line protocol and the interface are both down, a cable is not attached or there
is some other problem.

For example, in a back-to-back connection, the other end of the connection may be
administratively down.

If the interface is administratively down, it is manually disabled (the shutdown

command is in effect.
20

21

22

Secure Shell (SSH) is a protocol that provides a secure (encrypted)

command-line based connection to a remote device
SSH is commonly used in UNIX-based systems

They use different shells as command-line interfaces

Because its strong encryption features, SSH should replace Telnet for
management connections
Telnet uses insecure plaintext transmission of both the login username and
password and the data transmitted
SSH provides security by providing strong encryption when a device is
authenticated (username and password) and also for the transmitted data
between the communicating devices.
SSH uses TCP port 22 by default. Telnet uses TCP port 23
Cisco IOS also supports SSH
A cryptographic version of IOS is required in order to enable SSH on Catalyst
2960 switches

Use show version command to see which IOS the switch is running.
A filename that includes k9 supports cryptographic features.
23

Before configuring SSH, the switch must be configured with a unique hostname and the correct
network connectivity settings.

Step 1. Verify SSH support.

Use show ip ssh to verify that the switch supports SSH.
Step 2. Configure the IP domain.
Use ip domain-name domain-name in global config (usually cisco.com in Labs).
Step 3. Generate RSA key pairs.
Use crypto key generate rsa in global config to enable the SSH server on the switch and
generate an RSA key pair.

When generating RSA keys, the administrator is prompted to enter a modulus length. Cisco recommends a
modulus size of 1,024 bits. A longer modulus length is more secure, but takes longer to generate and to use.
Note: To delete the RSA key pair, use crypto key zeroize rsa
After the RSA key pair is deleted, the SSH server is automatically disabled.

Step 4. Configure user authentication.

The SSH server can authenticate users locally or by authentication server.

To use the local authentication method, create a username and password using username username
password password.

Step 5. Configure the vty lines.

Use transport input ssh in vty line config. Vty lines range from 0 to 15. This command
limits the switch to only SSH connections.
Use line vty and login local to require local authentication for SSH connections from the
local username database.
24

Configure hostname
Configure IP domain
Generate RSA key pairs

Configure user authentication

Configure the vty lines

25

On a PC, an SSH client, such as PuTTY, is used to connect to an SSH server.

The PC initiates an SSH connection to the SVI VLAN IP address of S1.

After entering the username and

password, the user is connected
via SSH to the CLI on the switch.

26

To display the version and configuration data for SSH on the device that you
configured as an SSH server, use the show ip ssh command.
To check the SSH connections to the device, use the show ssh command:

27

Basic switch security does not stop malicious attacks.

Security is a layered process that is essentially never complete.

The more aware you are regarding security attacks, the better.
Some security attacks are described here, but the details are beyond the scope of this course.
More detailed information is found in the CCNA WAN Protocols course and the CCNA Security
course.

MAC Address Flooding

The MAC address flooding behavior of a switch for unknown addresses can be
used to attack a switch.

This type of attack is called a MAC address table overflow attack.

MAC address table overflow attacks are sometimes referred to as MAC flooding attacks, and
CAM table overflow attacks.

MAC address tables are limited in size.

MAC flooding attacks make use of this limitation to overwhelm the switch with fake source
MAC addresses until the switch MAC address table is full.
The switch enters into fail-open mode where the switch broadcasts all frames to all machines
on the network. As a result, the attacker can see all of the frames.
28

 DHCP is used to assign a host a valid IP address out of a DHCP pool on

a DHCP Server.
Two types of DHCP attacks can be performed against a switch:
DHCP starvation attacks and DHCP spoofing.
DHCP Starvation:
An attacker floods the DHCP server with DHCP requests to use up all the
available IP addresses that the DHCP server can issue.
After these IP addresses are issued, the server cannot issue any more
addresses, and this produces a denial-of-service (DoS) attack as clients
cannot get network access.
A DoS attack is any attack that is used to overload specific devices and
network services with illegitimate traffic, thereby preventing legitimate
traffic from reaching those resources.

29

DHCP Spoofing:
An attacker configures a fake DHCP server on the network to issue DHCP addresses to
clients.
This attack forces clients to use false Domain Name System (DNS) or Windows Internet
Naming Service (WINS)
servers making them use
a machine under the control
of the attacker as their default
gateway.
DHCP starvation is often used
before a DHCP spoofing attack
to deny service to the legitimate
DHCP server, making it easier
to introduce a fake DHCP server into the network.
To mitigate DHCP attacks, use the DHCP snooping
and port security features on the Cisco switches.

30

CDP is a layer 2 Cisco proprietary protocol used to discover other Cisco devices
that are directly connected
It is designed to allow the devices to auto-configure their connections
If an attacker is listening to CDP messages, it could learn important information
such as device model, version of software running
CDP contains information about the device, such as the IP address, software
version, platform, capabilities, and the native VLAN.
This information can be used by an attacker to find ways to attack the network,
typically in the form of a denial-of-service (DoS) attack.
It is recommended that you disable the use of CDP on devices or ports that do
not need to use it by using the no cdp run global configuration mode command.
CDP can be disabled on a per port basis.

31

 As mentioned the Telnet protocol is insecure and should be replaced by SSH.

However, an attacker can use Telnet as part of other attacks.

Two of these attacks are Brute Force Password Attacks and Telnet DoS
Attacks.
When passwords cant be captured, attackers will try as many combinations of
characters as possible. This is known as a Brute Force password attack.

To mitigate against brute force password attacks use strong passwords that are changed
frequently.
Access to the vty lines can also be limited using an access control list (ACL).

In a Telnet DoS attack, the attacker exploits a flaw in the Telnet server software
running on the switch that renders the Telnet service unavailable.
This sort of attack prevents an administrator from remotely accessing switch
management functions.
This can be combined with other direct attacks on the network as part of a
coordinated attempt to prevent the network administrator from accessing core
devices during the breach.
Vulnerabilities in Telnet that permit DoS attacks are usually addressed in security
patches that are included in newer Cisco IOS revisions.
32

Defending your network against attack requires vigilance and education.

The following are best practices for securing a network:

Develop a written security policy for the organization

Shut down unused services and ports
Use strong passwords and change them often
Control physical access to devices
Use HTTPS instead of HTTP
Perform backups operations on a regular basis.
Educate employees about social engineering attacks
Encrypt and password-protect sensitive data
Implement firewalls.
Keep software up-to-date

33

Network security tools help a network administrator test a network for

weaknesses.

Some tools allow an administrator to assume the role of an attacker.

Security auditing and penetration testing are two basic functions that
network security tools perform.

Network security testing techniques may be manually initiated by the

administrator or automated.
Regardless of the type of testing, the security staff should have extensive
security and networking knowledge. This includes expertise in the
following areas:

Network security
Firewalls
Intrusion prevention systems
Operating systems
Programming
Networking protocols (such as TCP/IP)
34

Network Security Tools can also be used to audit the network.

By monitoring the network, an administrator can assess what type of
information an attacker would be able to gather.

Network Security Tools can also be used as penetration test tools.

For example, by attacking and flooding the CAM table of a switch, an administrator
would learn which switch ports are vulnerable to MAC flooding and correct the issue.
Penetration testing is a simulated attack

This helps determine how vulnerable the network is when under a real
attack.
Weaknesses within the configuration of networking devices can be
identified based on test results
Changes can be made to make the devices more resilient to attacks
However, such tests can damage the network and should be carried out
under very controlled conditions.

An off-line test bed network that mimics the actual production network is the ideal.

35

A simple method to help

secure the network from
unauthorized access is
to disable all unused
ports on a switch.

It is simple to make
configuration changes to
multiple ports on a switch.
If a range of ports must be
configured, use the
interface range command

Switch(config)# interface range type module/first-number last-number

S1(config)#int range fa0/1 15

The process of enabling and disabling ports can be time-consuming, but it

enhances security on the network and is well worth the effort
36

DHCP snooping is a Cisco feature that determines which switch ports

can respond to DHCP requests.
Ports are identified as trusted and untrusted.

Trusted ports can source all DHCP messages; untrusted ports can source requests
only.
Trusted ports host a DHCP server or can be an uplink toward the DHCP server.

If a rogue device on an untrusted port attempts to send a DHCP response

packet into the network, the port is shut down.
This feature can be coupled with DHCP options in which switch
information, such as the port ID of the DHCP request, can be inserted into
the DHCP request packet.

37

Step 1. Enable DHCP snooping

using ip dhcp snooping
Step 2. Enable DHCP snooping
for specific VLANs with
ip dhcp snooping vlan number
Step 3. Define ports as trusted at the interface level by defining the trusted ports
using ip dhcp snooping trust
Step 4. (Optional) Limit the rate at which an attacker
can send bogus DHCP requests through untrusted
ports to the DHCP server using ip dhcp snooping
limit rate rate command.

38

 All switch ports should be secured before the switch is deployed

for production use.
One way to secure ports is by implementing a feature called port
security.

Port security limits the number of valid MAC addresses allowed on a port

The MAC addresses of legitimate devices are allowed access,

while other MAC addresses are denied
Any additional attempts to connect by unknown MAC addresses
will generate a security violation
Secure MAC addresses can be configured in a number of ways:

Static secure MAC addresses

Dynamic secure MAC addresses
Sticky secure MAC addresses

39

IOS considers a security violation when either of these situations occurs:

The maximum number of secure MAC addresses for that interface have been added
to the CAM, and a station whose MAC address is not in the address table attempts to
access the interface.
An address learned or configured on one secure interface is seen on another secure
interface in the same VLAN.

An interface can be configured for one of three violation modes, specifying

the action to be taken if a violation occurs.
There are three possible action to be taken when a violation is detected:

Protect
Restrict
Shutdown

40

Port Security Default Settings

41

Configuring Dynamic Port Security

This example does not specify a violation mode so it uses the default,
shutdown mode.

42

Configuring Sticky Port Security

43

Verify that the port security is set correctly, and check to ensure that the
static MAC addresses have been configured correctly.

The output for the dynamic port security configuration is here.

By default, there is only one MAC address allowed on this port.

44

 This display sticky port security settings.

Sticky MAC addresses are added to the MAC address table and to the
running configuration.

This shows that the sticky MAC for PC2 has been added to the running
configuration for S1.

45

 To display all secure MAC addresses configured on all switch interfaces, or

on a specified interface with aging information for each.
Here the secure MAC addresses are listed along with the types.

46

A port security violation can put a switch in error disabled state, shutting
down the port.
The port LED will change to orange.
Because the port security violation mode is set to shutdown, the port with
the security violation goes to the error disabled state.
Console messages on the switch confirm this:

47

The show interface command identifies the port status as err-disabled.

the show port-security interface command now shows the port status as
secure-shutdown.
Because the port security violation mode is set to shutdown, the port with
the security violation goes to the error disabled state.

48

 You must determine what caused the security violation before reenabling the port.

If an unauthorized device is connected to a secure port, the port should not

be re-enabled until the security threat is eliminated.

To re-enable the port and make it operational, use shutdown

then no shutdown:

49

Correct time stamps are required to accurately track network events such
as security violations.
Additionally, clock synchronization is critical for the correct interpretation of
events within syslog data files as well as for digital certificates.
NTP is a protocol used to synchronize the clocks of computer systems
data networks
NTP can get the correct time from an internal or external time source
Time sources can be:

Local master clock

Master clock on the Internet
GPS or atomic clock

A network device can be configured as either an NTP server or an NTP

client

50

To configure a device as an NTP master clock to which peers can synchronize,

use the ntp master [stratum] command.

The stratum value is a number from 1 to 15.

If configured as NTP master with no stratum, it defaults to stratum 8.

If the NTP master cannot reach any clock with a lower stratum number, the
system will synchronize at the configured stratum number, and other systems
using NTP will synchronize to it.

Error in curricula!
R1
X
R2
X

51

To display the status of NTP associations, use show ntp associations.

This indicates IP addresses of peer devices synchronized to this peer, statically
configured peers, and stratum number.

show ntp status displays NTP synchronization status, the peer that the device
is synchronized to, and the NTP strata.

52

 The NTP is designed to time-synchronize a network of devices. NTP runs over

UDP), which runs over IP and is documented in RFC 1305.
An NTP network usually gets its time from an authoritative time source, such as
a radio clock or an atomic clock attached to a time server.
NTP then distributes this time across the network.
NTP is extremely efficient; no more than one packet per minute is necessary to
synchronize two devices to within a millisecond of one another.
Ciscos implementation of NTP does not support stratum 1 service; it is not
possible to connect to a radio or atomic clock.
Cisco recommend that the time service for your network be derived from the
public NTP servers available on the IP Internet.
For more information on NTP, and setting the time and date manually on a 2960
switch see the documents Ive added in the Chapter 2 Module section of
Netspace.

53

54

This chapter covered:

Cisco LAN Switch Boot Sequence
The operational status of the switch is displayed by a series of LEDs on
the front panel which display such things as port status, duplex, and speed
To remotely access switch remotely, an IP address is configured on the
management VLAN SVI

A default gateway must also be configured.

SSH should be used for secure access rather than the unsecure telnet.
Speed and duplex settings of a switch interface switch be set to auto to
avoid errors.
Switch ports should be configured to allow only frames with specific source
MAC addresses to enter.
Frames from unknown source MAC addresses should be denied and
cause the port to shut down to prevent further attacks.
Best practices for switched networks

55

 Port security is just one defense and only a starting point.

There are 10 best practices that represent the best insurance for a
network, but are only a starting point for security management:
Develop a written security policy for the organization.
Shut down unused services and ports.
Use strong passwords and change them often.
Control physical access to devices.
Avoid using standard insecure HTTP websites, especially for login screens.
Instead use the more secure HTTPS.
Perform backups and test the backed up files on a regular basis.
Educate employees about social engineering attacks, and develop policies
to validate identities over the phone, via email, and in person.
Encrypt sensitive data and protect it with a strong password.
Implement security hardware and software, such as firewalls.
Keep IOS software up-to-date by installing security patches weekly or daily,
if possible.
56