LAN Design
Access Layer Switch Features:
- Port security
- VLANs
- Fast Ethernet/Gigabit Ethernet
- PoE
- Link aggregation
- QoS
Distribution Layer Switch Features:
- Layer 3 support
- High forwarding rate
- Gigabit Ethernet/10 Gigabit Ethernet
- Redundant components
- Security policies/ACLs
- Link aggregation
- QoS
Core Layer Switch Features:
- Layer 3 support
- Very high forwarding rate
- Gigabit Ethernet/10 Gigabit Ethernet
- Redundant components, hot-swappable hardware
- Link aggregation
- QoS
Auto-MDIX
Automatic medium-dependent interface crossover: the port detects whether a crossover or straight-through cable is attached and adjusts itself, so either cable type works. It only operates when speed and duplex are set to auto.
CMD History Buffer
S# terminal history //enable history for the current session
S# terminal history size [0-256] //set the buffer size
S# terminal no history size //reset to the default (10 commands)
S# terminal no history //disable history
** The terminal form only affects the current session; set history size under line con 0 or line vty to make it persistent.
Configure Management Interface
S(config)# interface vlan 99
S(config-if)# ip address 172.17.99.11 255.255.0.0
S(config-if)# no shutdown
S(config-if)# end
S(config)# interface fa0/18
S(config-if)# switchport mode access //define the VLAN membership mode for the port
S(config-if)# switchport access vlan 99
S(config-if)# end
** VLAN 99 must exist in the VLAN database and have at least one active port in it, otherwise the SVI stays down. Keep the management VLAN separate from the user VLANs and from VLAN 1.
Configure Default Gateway
S(config)# ip default-gateway 172.17.99.1
Verify Configuration
S# show running-config
S# show ip interface brief
Configure Duplex and Speed
S(config)# interface fa0/1
S(config-if)# duplex auto
S(config-if)# speed auto
Configure a Web Interface
S(config)# ip http authentication enable //HTTP server authentication method
S(config)# ip http server //enable the HTTP server
NOTE: the authentication methods are enable (the enable password), local (the local username database) and aaa (an AAA method, e.g. a TACACS+ server).
** The web interface is plain HTTP, so credentials and sessions cross the network in cleartext. Leave it off unless it is needed; if it is, use the HTTPS server (ip http secure-server) and restrict who can reach it.
Configure the Switch for Local Authentication and Authorization (AAA)
S(config)# aaa new-model //enable AAA
S(config)# aaa authentication login default local //authenticate logins against the local username database
S(config)# aaa authorization exec local //authorize user EXEC sessions locally
S(config)# aaa authorization network local //authorize network services locally
S(config)# username xxx [privilege level] {password [encryption-type] | secret} pwd //create the local database entry
** Use secret rather than password: secret stores a hash, password stores the value in cleartext or as reversible Type 7.
Manage the MAC Address Table
S# show mac-address-table //newer IOS: show mac address-table
S(config)# mac-address-table static <MAC-addr> vlan vlan-id interface int-id //set a static MAC entry (VLAN range 1-4094)
Backup and Restore Switch Configuration
S# copy system:running-config flash:startup-config //formal syntax
S# copy running-config startup-config //informal syntax
S# copy startup-config flash:config.bak1 //back up the startup-config to flash as config.bak1
S# copy flash:config.bak1 startup-config //restore it
S# copy system:running-config tftp://location/dir/Fname //back up to a TFTP server, or
S# copy nvram:startup-config tftp://location/dir/Fname
S# copy tftp://location/dir/Fname system:running-config //restore from TFTP, or
S# copy tftp://location/dir/Fname nvram:startup-config
** TFTP is unauthenticated and unencrypted, and a backed-up config contains password hashes and Type 7 strings, so keep backups off shared servers.
Clear Configuration Files
S# erase nvram: | erase startup-config
S# delete flash:Fname //delete a file from flash
Configure Boot System
S# show flash //check the IOS image in flash
S(config)# boot system flash:/image-name.bin
Configure Console
S(config)# line con 0
S(config-line)# password XXXXX
S(config-line)# login
+ Remove Console Password
S(config)# line con 0
S(config-line)# no password
S(config-line)# no login
Configure VTY
S(config)# line vty 0 4
S(config-line)# password cisco
S(config-line)# login
** Use "no" in front of the commands to remove the VTY password.
Configure EXEC Mode Password
S(config)# enable password xxxxxxx //stored in cleartext (Type 7 once service password-encryption is on)
S(config)# enable secret xxxxxx //stored as a hash; takes precedence over enable password
** To remove the EXEC password use "no enable password" and "no enable secret".
Configure Encrypted Passwords
S(config)# service password-encryption
** This applies Type 7 encoding to the line and enable passwords in the config. Type 7 is reversible and only defeats shoulder-surfing; use enable secret (and username ... secret) for real protection.
Password Recovery
+ Cisco 2960
1. Connect the PC to the switch console port.
2. Set the line speed to 9600 baud.
3. Power the switch off and on while holding the Mode button (within 15 seconds) until the SYST LED turns solid green, then release the Mode button.
4. flash_init //initialize the flash file system
5. load_helper //load the helper images
6. dir flash: //display the contents of flash
Directory of flash:
13 drwx 192 Mar 01 1993 22:30:48 c2960-lanbase-mz.122-25.FX
11 -rwx 5825 Mar 01 1993 22:31:59 config.text
18 -rwx 720 Mar 01 1993 02:21:30 vlan.dat
16128000 bytes total (10003456 bytes free)
7. rename flash:config.text flash:config.text.old //rename the configuration file so it is not loaded at boot
8. boot
9. Answer "N" to the setup dialog prompts.
10. enable
11. rename flash:config.text.old flash:config.text //rename it back to the original
12. copy flash:config.text system:running-config
13. configure terminal
14. enable secret xxxxxx
15. exit
16. copy running-config startup-config
17. reload
** The procedure needs only physical console access, which is why the console port and the switch itself must be physically secured.
Configure Login Banner
S(config)# banner login "Authorized Personnel Only!"
Configure a MOTD (Message Of The Day) Banner
S(config)# banner motd "Device maintenance will be occurring on Friday!"
Configure Telnet
S(config)# line vty 0 15
S(config-line)# transport input telnet
** Telnet is the default VTY-supported protocol on Cisco switches. It sends passwords and the whole session in cleartext, so prefer SSH and switch the lines to transport input ssh once SSH works.
Configure SSH
S(config)# hostname XXX
S(config)# ip domain-name YYYY //host domain, required before key generation
S(config)# crypto key generate rsa //generate the RSA key pair; use a modulus of at least 2048 bits (1024 is the minimum for SSHv2)
S(config)# ip ssh version 2 //SSHv1 has known weaknesses; allow only version 2
S(config)# ip ssh {time-out seconds | authentication-retries number}
S(config)# line vty 0 15
S(config-line)# transport input ssh //reject non-SSH connections
** Show status with "show ip ssh" and "show ssh".
** To delete the RSA key pair use "crypto key zeroize rsa". After the RSA key pair is deleted, the SSH server is automatically disabled.
** transport input ssh only controls the protocol; the VTY lines still need a login method (login local with a username ... secret, or AAA).
Common Security Attacks
+ MAC address flooding
+ Spoofing attacks (DHCP spoofing, and the DHCP attack called DHCP starvation)
** To prevent DHCP attacks, use the DHCP snooping and port security features on Cisco Catalyst switches.
Configure DHCP Snooping
1. S(config)# ip dhcp snooping //enable globally
2. S(config)# ip dhcp snooping vlan vlan-id //enable for specific VLANs
3. S(config-if)# ip dhcp snooping trust //mark the ports facing the legitimate DHCP server (uplinks) as trusted
4. S(config-if)# ip dhcp snooping limit rate rate //[optional] cap DHCP packets per second on untrusted ports so an attacker cannot flood bogus requests
** Every other port stays untrusted and drops DHCP server replies, which stops a rogue server; port security with a low maximum limits starvation, because each forged request comes from a different source MAC.
+ CDP attacks: CDP advertises device details (IOS version, IP address, platform) in cleartext. They can be captured with Ethereal (now Wireshark) for reconnaissance, or the switch can be flooded with CDP frames (DoS). Disable CDP on ports that do not need it.
+ Telnet attacks
+ Brute force password attacks
+ DoS attacks
Protect against a brute force password attack:
- Change passwords frequently
- Use strong passwords
- Limit who can communicate with the VTY lines (access-class ACL on the lines, SSH only)
Protect against a DoS attack:
- Update to the newest version of Cisco IOS
Security Tools
+ Security auditing
- Monitor network traffic
- Check the MAC address table
+ Network penetration testing
- Find configuration weaknesses
- Attack the network
- Measure network performance under attack
Network Security Tool Features
Common features of a modern network security tool include:
- Service identification
- Support of SSL services
- Non-destructive and destructive testing
- Database of vulnerabilities
You can use network security tools to:
- Capture chat messages
- Capture files from NFS traffic
- Capture HTTP requests in Common Log Format
- Capture mail messages in Berkeley mbox format
- Capture passwords
- Display captured URLs in a browser in real time
- Flood a switched LAN with random MAC addresses
- Forge replies to DNS address/pointer queries
- Intercept packets on a switched LAN
Configure Port Security
- Specify the MAC addresses allowed on the port
- Allow only one (or a small number of) MAC address(es) on the port
- If an unauthorized MAC address appears, the port is automatically shut down (default violation mode)
+ Static Secure MAC Address:
(config-if)# switchport port-security mac-address mac-address
+ Dynamic Secure MAC Address:
S(config)# interface fa0/20
S(config-if)# switchport mode access
S(config-if)# switchport port-security
+ Sticky Secure MAC Address:
(config-if)# switchport port-security mac-address sticky //learned MACs are added to the running-config
(config-if)# switchport port-security mac-address sticky mac-address //add a specific MAC to the table and the running-config
(config)# interface fa0/18 //specific port
(config-if)# switchport mode access //port security requires static access (or trunk) mode, not dynamic
(config-if)# switchport port-security //enable port security
(config-if)# switchport port-security maximum 50 //set the maximum number of secure addresses to 50
(config-if)# switchport port-security mac-address sticky //enable sticky learning
** Dynamically learned secure MACs are lost on reboot; sticky ones survive only after copy running-config startup-config.
+ Security Violation Modes
| Violation Mode | Forwards Traffic | Sends Syslog Msg | Displays Error Msg | Increases Violation Counter | Shuts Down Port |
|---|---|---|---|---|---|
| Protect | No | No | No | No | No |
| Restrict | No | Yes | No | Yes | No |
| Shutdown | No | Yes | No | Yes | Yes |
** Shutdown is the default. It puts the port into err-disabled state; recover with shutdown / no shutdown on the interface or with errdisable recovery cause psecure-violation. Protect drops the offending frames silently and leaves no evidence of an attack, so prefer restrict or shutdown.
+ Verify Port Security
# show port-security interface fa0/1 | show port-security address
+ Securing Unused Ports: disable all unused ports
(config)# interface range fa0/5 - 10 //example range
(config-if-range)# shutdown
Lab: Configure Switch Security
S1(config)#enable secret class
S1(config)#line console 0
S1(config-line)#password cisco
S1(config-line)#login
S1(config-line)#line vty 0 15
S1(config-line)#password cisco
S1(config-line)#login
S1(config-line)#exit
S1(config)#banner motd &Authorized Access Only&
Configure Dynamic Port Security
S1(config)#interface vlan 99
S1(config-if)#no shutdown
S1(config-if)#interface fa0/18
S1(config-if)#switchport mode access //required before port security can be enabled
S1(config-if)#switchport port-security
S1(config-if)#switchport port-security maximum 1 //one MAC address allowed
S1(config-if)#switchport port-security mac-address sticky //the learned MAC is written to the running-config
S1(config-if)#switchport port-security violation shutdown
Remove VLAN database information file
S1#delete flash:vlan.dat
Remove startup-config
S1#erase startup-config
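The sections above (SSH versus Telnet on the VTY lines, enable secret, the HTTP server, DHCP snooping trust on uplinks, port security on access ports, DTP on trunks) are all things that can be checked mechanically from a saved running-config. The script below is an added example, not part of the original notes: it parses a running-config into sections and reports the weak settings, using a constructed "weak" config beside a hardened one. Interface names and the VLAN number are assumptions; the check for PortFast without BPDU Guard refers to the spanning-tree section later in these notes.

```python
"""Added example (not from the original notes): audit a Catalyst running-config
for the weak settings these notes warn about.  Both configs are constructed."""
WEAK_CONFIG = """\
enable password cisco
ip http server
!
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/18
 switchport mode access
 switchport port-security
 spanning-tree portfast
!
interface FastEthernet0/19
 switchport mode access
!
line vty 0 4
 transport input telnet
line vty 5 15
 transport input ssh
"""

HARDENED_CONFIG = """\
enable secret class
no ip http server
ip ssh version 2
ip dhcp snooping
spanning-tree portfast bpduguard default
!
interface FastEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
!
interface FastEthernet0/18
 switchport mode access
 switchport port-security
 switchport port-security violation shutdown
 spanning-tree portfast
!
interface FastEthernet0/19
 switchport mode access
 shutdown
!
line vty 0 15
 login local
 transport input ssh
"""


def parse_sections(config_text):
    """(header, body) pairs: an unindented line opens a section, the indented
    lines after it form its body; global commands have an empty body."""
    sections = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(line)
        else:
            sections.append((line, []))
    return sections


def audit(config_text):
    """Return findings as strings; an empty list means nothing weak was found."""
    sections = parse_sections(config_text)
    headers = {h for h, _ in sections}
    findings = []
    if "ip ssh version 2" not in headers:
        findings.append("global: 'ip ssh version 2' missing, SSHv1 may be negotiated")
    if not any(h.startswith("enable secret") for h in headers):
        findings.append("global: no 'enable secret' (enable password is cleartext/Type 7)")
    if "ip http server" in headers:
        findings.append("global: plain HTTP management server enabled")
    snooping = "ip dhcp snooping" in headers
    if not snooping:
        findings.append("global: DHCP snooping not enabled")
    bpduguard_default = "spanning-tree portfast bpduguard default" in headers
    for header, body in sections:
        if header.startswith("line vty"):
            transport = [l for l in body if l.startswith("transport input")]
            # no explicit transport input means the IOS default, which admits Telnet
            if not transport or any("telnet" in l or l.endswith(" all") for l in transport):
                findings.append(f"{header}: accepts Telnet, set 'transport input ssh'")
            continue
        if not header.startswith(("interface FastEthernet", "interface GigabitEthernet")):
            continue
        name = header.split(" ", 1)[1]
        if "shutdown" in body:
            continue  # unused port correctly disabled
        if "switchport mode access" in body:
            if "switchport port-security" not in body:
                findings.append(f"{name}: access port without port security")
            if ("spanning-tree portfast" in body and not bpduguard_default
                    and "spanning-tree bpduguard enable" not in body):
                findings.append(f"{name}: PortFast without BPDU Guard")
        elif "switchport mode trunk" in body:
            if snooping and "ip dhcp snooping trust" not in body:
                findings.append(f"{name}: trunk not trusted for DHCP snooping")
            if "switchport nonegotiate" not in body:
                findings.append(f"{name}: DTP still on, add 'switchport nonegotiate'")
        else:
            findings.append(f"{name}: dynamic switchport mode, a trunk can be negotiated")
    return findings
```

Run `audit(WEAK_CONFIG)` to list the eight findings and `audit(HARDENED_CONFIG)` to confirm it returns nothing; feed it the output of `show running-config` saved to a file for a real switch. A VTY line with no transport input at all is reported as well, because the IOS default still accepts Telnet.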
VLAN
Create VLAN
(config)# vlan 20,23,25-30 //create VLANs 20, 23 and 25-30 (no spaces in the list)
(config-vlan)# name Student //name the VLAN (only when a single VLAN was entered)
# show vlan brief
(config)# no vlan 23 //remove VLAN 23
** Ports still assigned to a removed VLAN go inactive; reassign them first.
Configure Static VLAN
(config)# interface fa0/18
(config-if)# switchport mode access
(config-if)# switchport access vlan 20
Configure Voice VLAN
(config)# interface fa0/18
(config-if)# mls qos trust cos //trust the CoS marking from the phone to identify priority traffic
(config-if)# switchport voice vlan 150 //identify the voice VLAN
(config-if)# switchport access vlan 20 //configure the data VLAN
VLAN Trunks
+ Native VLAN Configuration
(config)# int fa0/1
(config-if)# switchport mode trunk //define fa0/1 as an 802.1Q trunk
(config-if)# switchport trunk native vlan 99 //configure VLAN 99 as the native VLAN
NOTE: verify with #show interface fa0/1 switchport
** Native VLAN frames cross the trunk untagged. Use an otherwise unused VLAN (not VLAN 1, not a user VLAN) and the same value on both ends; a mismatch or a user VLAN as native lets traffic leak between VLANs (double-tagging VLAN hopping).
Trunking Modes: 802.1Q & Inter-Switch Link (ISL)
# switchport mode trunk //unconditional trunk
# switchport mode dynamic auto //becomes a trunk only if the neighbour actively negotiates; the default on Catalyst 2960
# switchport mode dynamic desirable //actively negotiates a trunk
# switchport nonegotiate //turn off DTP on a trunk
# show dtp interface //determine the current setting
** Leave no port in a dynamic mode: set access ports to switchport mode access and trunks to switchport mode trunk plus switchport nonegotiate, otherwise a host can negotiate a trunk with DTP and reach every VLAN.
Verify VLAN and Port Memberships
# show vlan brief
# show vlan name XXX
# show vlan summary
# show interface trunk
(config-if)# no switchport access vlan //return the port to the default VLAN (VLAN 1)
Configure an 802.1Q Trunk
(config)# interface fa0/1
(config-if)# switchport mode trunk //set the interface to trunk
(config-if)# switchport trunk native vlan 99 //native VLAN for untagged frames
(config-if)# switchport trunk allowed vlan add 10,20,30 //VLANs allowed on the trunk (add keeps the existing list)
# show interface fa0/1 switchport //verify
Managing a Trunk Configuration
(config-if)# no switchport trunk allowed vlan //allow all VLANs again (the default)
(config-if)# no switchport trunk native vlan //reset the native VLAN to the default (VLAN 1)
(config-if)# switchport mode access //reset the interface to static access mode
Common Problems with Trunks
- Native VLAN mismatches: the two ends use different native VLANs
- Trunk mode mismatches: one end has trunking off and the other has it on
- Allowed VLANs on trunks: a required VLAN is not in the trunk's allowed list
- VLANs and IP subnets: hosts in the same VLAN are on different IP subnets
VLAN Trunking Protocol (VTP)
Configure VTP Server
# show vtp status //confirm that the revision number is 0
(config)# vtp mode server //configure the VTP server
(config)# vtp domain xxxxx //configure the domain name
(config)# vtp password pwd //set the VTP password
(config)# vtp version 1 //set the version
Add VLANs
Configure VTP Client
(config)# vtp mode client //configure the VTP client
# show interface fa0/1 switchport //verify
# show vtp status //verify
Confirm VTP Operation
# show vtp counters //show statistics
Troubleshooting VTP Configurations
+ Incompatible VTP versions
+ VTP password: all switches must use the same password
+ Incorrect VTP domain name: set the VTP domain name only on the VTP server; clients learn it from the advertisements
+ Set a secondary VTP server
+ Incorrect revision number: a switch that joins the domain with a higher revision number overwrites the VLAN database of every other switch, so reset the revision before connecting a previously used switch
- Reset the revision number by changing the domain name and changing it back:
(config)# vtp domain test
(config)# vtp domain cisco
** Use vtp mode transparent on switches that should never accept VLAN updates, and always set a VTP password.
Spanning Tree Protocol (STP)
Configure Port Cost
(config)# int fa0/1
(config-if)# spanning-tree cost value //value range 1-200000000
Verify Port & Path Cost
# show spanning-tree
# show spanning-tree detail
Configure Bridge Priority (BID)
+ Method 1:
(config)# spanning-tree vlan ID root primary //make this switch the primary root for the VLAN
(config)# spanning-tree vlan ID root secondary //make it the secondary root
+ Method 2:
(config)# spanning-tree vlan ID priority value //value range 0-61440 in increments of 4096 (default 32768)
Configure Port Priority
(config)# int fa0/1
(config-if)# spanning-tree port-priority 112 //default 128, range 0-240 in increments of 16
Configure Network Diameter
(config)# spanning-tree vlan 1 root primary diameter 5 //set the spanning tree diameter to 5 switches (default 7)
Configure PortFast
(config)# int fa0/1
(config-if)# spanning-tree portfast
# show run //verify
** PortFast is only for access ports with a single host; never enable it on a port that can connect to another switch.
Configure Spanning-Tree PortFast BPDU Guard
(config)# spanning-tree portfast bpduguard default //enable BPDU Guard on all PortFast ports (per interface: spanning-tree bpduguard enable)
(config)# errdisable recovery cause bpduguard //automatic recovery from err-disabled; off by default
(config)# errdisable recovery interval 400 //set the recovery interval to 400 seconds (default 300)
# show spanning-tree summary totals //monitor status
** A BPDU arriving on a PortFast port means a switch, or an attacker sending BPDUs to become root, is attached where only a host belongs; BPDU Guard err-disables the port.
Configure PVST+ (Per-VLAN Spanning Tree Plus)
Make sure the switches have no STP configuration yet and are in the default state.
S3(config)# spanning-tree vlan 20 root primary //S3 is the primary root for VLAN 20
S3(config)# spanning-tree vlan 10 root secondary //S3 is the secondary root for VLAN 10
S1(config)# spanning-tree vlan 10 root primary //S1 is the primary root for VLAN 10
S1(config)# spanning-tree vlan 20 root secondary //S1 is the secondary root for VLAN 20
Or set the priorities explicitly:
S3(config)# spanning-tree vlan 20 priority 4096 //lowest practical priority for VLAN 20 on S3
S1(config)# spanning-tree vlan 10 priority 4096 //lowest practical priority for VLAN 10 on S1
# show spanning-tree active //verify
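The root primary / root secondary macros and the explicit priority values above only make sense once you see how the bridge ID is compared. The following is an added example, not part of the original notes: it reproduces the root election (priority field plus VLAN number, then lowest MAC) and the priority that root primary selects, together with the range checks IOS applies to the priority, port-priority and cost values. The switch names and MAC addresses are constructed.

```python
"""Added example (not from the original notes): PVST+ root election arithmetic
and the IOS range rules for the STP values used above.  All data is constructed."""

PRIORITY_STEP = 4096           # bridge priority granularity (extended system ID uses the low 12 bits)
PRIORITY_DEFAULT = 32768
ROOT_PRIMARY_TARGET = 24576    # value `root primary` uses when that is enough to win
ROOT_SECONDARY_PRIORITY = 28672
PORT_PRIORITY_STEP = 16


def validate_bridge_priority(value):
    """`spanning-tree vlan X priority value`: 0-61440 in steps of 4096."""
    if not 0 <= value <= 61440 or value % PRIORITY_STEP:
        raise ValueError(f"bridge priority {value}: must be 0-61440 in steps of {PRIORITY_STEP}")
    return value


def validate_port_priority(value):
    """`spanning-tree port-priority value`: 0-240 in steps of 16 (default 128)."""
    if not 0 <= value <= 240 or value % PORT_PRIORITY_STEP:
        raise ValueError(f"port priority {value}: must be 0-240 in steps of {PORT_PRIORITY_STEP}")
    return value


def validate_port_cost(value):
    """`spanning-tree cost value`: 1-200000000."""
    if not 1 <= value <= 200_000_000:
        raise ValueError(f"port cost {value}: must be 1-200000000")
    return value


def bridge_id(priority, vlan, mac):
    """PVST+ bridge ID as (16-bit priority field, MAC as an integer).

    With the extended system ID the 16-bit field is priority + VLAN number, so
    switches with the same configured priority tie on it and the lowest MAC wins.
    """
    validate_bridge_priority(priority)
    return (priority + vlan, int(mac.replace(".", ""), 16))


def elect_root(vlan, switches):
    """Name of the root bridge for `vlan`; `switches` maps name -> (priority for
    this VLAN, MAC).  The root is the numerically lowest bridge ID."""
    return min(switches, key=lambda n: bridge_id(switches[n][0], vlan, switches[n][1]))


def root_primary_priority(current_root_priority):
    """Priority that `spanning-tree vlan X root primary` picks.

    IOS uses 24576 if that beats the current root; otherwise 4096 less than the
    current root's priority.  It cannot go below 0, so the macro fails when the
    current root already has priority 0 (set `priority 0` on the right switch).
    """
    if current_root_priority > ROOT_PRIMARY_TARGET:
        return ROOT_PRIMARY_TARGET
    if current_root_priority == 0:
        raise ValueError("current root already has priority 0; root primary cannot win")
    return current_root_priority - PRIORITY_STEP


if __name__ == "__main__":
    # Constructed topology: everything at the default priority, S2 has the lowest MAC
    switches = {"S1": (PRIORITY_DEFAULT, "0019.06e1.0100"),
                "S2": (PRIORITY_DEFAULT, "0019.06e1.0001"),
                "S3": (PRIORITY_DEFAULT, "0019.06e1.0200")}
    print("VLAN 10 root with defaults:", elect_root(10, switches))      # S2
    # S1 runs `spanning-tree vlan 10 root primary`
    switches["S1"] = (root_primary_priority(PRIORITY_DEFAULT), switches["S1"][1])
    print("VLAN 10 root after S1 root primary:", elect_root(10, switches))  # S1
```

The point of the election model: with every switch left at 32768, the root is whichever switch happens to have the lowest MAC, which is usually an old access switch, and any device that sends a BPDU with a lower priority takes the role. Set the root explicitly on the distribution/core switch and protect access ports with BPDU Guard.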
Configure Rapid PVST+ (RPVST+)
(config)# spanning-tree mode rapid-pvst //enable Rapid PVST+
(config)# interface f0/1 //specify an interface
(config-if)# spanning-tree link-type point-to-point //specify the link type
# clear spanning-tree detected-protocols //force renegotiation with neighbours that are still running 802.1D
# show spanning-tree vlan 10 //verify
Inter-VLAN Routing
Configure Sub-Interfaces (router-on-a-stick)
(config)# int fa0/0.10 //create sub-interface fa0/0.10
(config-subif)# encapsulation dot1q 10 //assign the sub-interface to VLAN 10 (tagged)
(config-subif)# ip address 172.17.10.1 255.255.255.0 //example gateway address for VLAN 10
(config)# int fa0/0
(config-if)# no shutdown //enable the physical interface; the sub-interfaces come up with it
# show ip route //verify
Wireless LAN
Secure WLAN
1. SSID cloaking
2. MAC address filtering
3. WPA or WPA2
** SSID cloaking and MAC filtering are trivially bypassed (the SSID still appears in probe and association frames, and MAC addresses are spoofed), so they are not security controls. Only WPA2 (AES/CCMP) with a strong key, or 802.1X, gives real protection; never use WEP.
Netstumbler: tool to discover wireless signals