It is highly recommended that you read the study guide above at least once to make full
use of these notes. There may be minor errors in these notes, so please always refer to the
study guide for accurate information.
Chapter 7 – Ethernet LAN Switching Concepts
Hubs : A hub creates one single collision domain, and bandwidth is shared in a 10BASE-T
network built around a hub.
Switches (benefits of using switches) : A switch creates a separate collision domain on each of
its interfaces, and an interface can run full duplex if only one device is connected to it.
Switches multiply the amount of available bandwidth in the network.
Unicast Addresses: MAC address that identifies a single LAN interface card
Broadcast Addresses: A frame sent with a destination address of broadcast address
(FFFF.FFFF.FFFF) implies that all devices on the LAN should receive and process the
frame.
Multicast Addresses: Multicast MAC addresses are used to allow a dynamic subset of
devices on a LAN to communicate.
IP multicast over Ethernet uses MAC addresses in the format 0100.5exx.xxxx, where any
value between 00.0000 and 7f.ffff can be used for the second half.
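The following is an added example, not part of the original notes, showing how an IPv4 multicast group address is mapped into the 0100.5exx.xxxx MAC format described above (the RFC 1112 rule: the low 23 bits of the group address become the low 23 bits of the MAC). The group addresses used are ordinary multicast ranges, not values from the notes.

```python
# Added example (not from the study notes): mapping an IPv4 multicast group
# to the 0100.5exx.xxxx Ethernet MAC the notes describe. The mapping rule
# (RFC 1112) copies the low 23 bits of the group address into the low 23 bits
# of the MAC under the fixed 01-00-5e prefix; the remaining bits of the group
# address are discarded, so 32 different groups share each multicast MAC.
import ipaddress

MCAST_MAC_PREFIX = 0x01005E000000   # 0100.5e00.0000 as a 48-bit integer
LOW_23_BITS = 0x7FFFFF


def ip_to_multicast_mac(group: str) -> str:
    """Cisco-style dotted MAC (e.g. '0100.5e00.0001') for an IPv4 multicast group."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address (224.0.0.0/4)")
    mac = MCAST_MAC_PREFIX | (int(addr) & LOW_23_BITS)
    hexstr = f"{mac:012x}"
    return ".".join(hexstr[i:i + 4] for i in (0, 4, 8))


def groups_sharing_mac(group: str) -> list[str]:
    """All 32 IPv4 groups whose frames carry the same multicast MAC as `group`."""
    low = int(ipaddress.IPv4Address(group)) & LOW_23_BITS
    # bits 23..27 of the address are the five bits the MAC cannot represent
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | low)) for i in range(32)]


def is_group_mac(mac: str) -> bool:
    """True for multicast and broadcast MACs: the I/G bit (low bit of the first octet) is set."""
    first_octet = int(mac.replace(".", "").replace(":", "").replace("-", "")[:2], 16)
    return bool(first_octet & 1)
```

Because 32 groups share one MAC, a NIC that filters on the MAC alone still receives frames for the other 31 groups, which is why the IP layer (and a switch doing IGMP snooping) must filter on the group address as well.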
Switches perform three main functions:
1. Deciding when to forward a frame or when to filter (not forward) a frame, based on
the destination MAC address.
2. Learning MAC addresses by examining the source MAC address of each frame
received.
3. Creating a (Layer 2) loop-free environment with other switches by using Spanning
Tree Protocol (STP).
Sample switch forwarding and filtering decision.
(Fred forwards a frame to Barney)
Figure: one switch with Fred (0200.1111.1111) on Fa0/1, Barney (0200.2222.2222) on Fa0/2,
Wilma (0200.3333.3333) on Fa0/3 and Betty (0200.4444.4444) on Fa0/4.
The MAC address table is also called the switching table, bridging table or Content
Addressable Memory (CAM) table.
Sample switch filtering decision.
Note that the hub simply regenerates the electrical signal out each of its interfaces, so the
hub forwards the electrical signal sent by Fred to both Barney and the switch. The switch
decides to filter (not forward) the frame, noting that the MAC address table interface for
destination address 0200.2222.2222 (Fa0/1) is the same as the incoming interface.
Figure: Fred (0200.1111.1111) and Barney (0200.2222.2222) share a hub that connects to
switch interface Fa0/1; Wilma (0200.3333.3333) is on Fa0/3 and Betty (0200.4444.4444) on
Fa0/4.
How switches learn MAC addresses: Switches populate the MAC address table by listening to
each frame; the switch adds the source MAC address and the interface the frame arrived on if
that entry is not already in the MAC address table.
Flooding Frames: When a switch receives a frame with a destination address that is not in
its MAC address table, it forwards the frame out all interfaces except the one it came in on.
Switches keep a timer for each entry in the MAC address table, called the inactivity timer.
The switch sets the timer to 0 for a new entry and resets it to 0 each time it receives a
frame from that MAC address. The timer counts upwards, so at any point in time, if the
switch runs out of memory, it knows which entry in the MAC address table has been
inactive the longest and deletes that entry to free up memory.
Spanning Tree Protocol (STP): STP prevents loops by blocking some interfaces (ports)
from forwarding frames, so that only one active logical path exists in a physically
redundant network between two LANs. In STP a port can have one of two states
Blocking (cannot send and receive) and Forwarding (can send and receive).
Store-and-forward processing : In this type of processing a switch must receive the
entire frame before it starts forwarding the first bits of the frame.
Cut-through processing : With this type of processing a switch starts forwarding the
frame as soon as possible, without waiting for the entire frame to be received. This is
possible because the destination MAC address comes early in the Ethernet header.
Although this reduces latency, it may cause erroneous frames to be forwarded, because
the FCS is placed at the end of the frame and the switch cannot determine whether the
frame it has already forwarded was in error.
Fragment-free processing : Works very much like cut-through processing, but tries to
reduce the number of errored frames that it forwards.
LAN switches provide many additional features compared to LAN hubs and bridges. In
particular, LAN switches provide the following benefits:-
• Switch ports connected to a single device support full duplex, in effect doubling the
available bandwidth to the device.
• Switches support rate adaptation, which means devices using different Ethernet
speeds can communicate through the switch (hubs cannot).
Switches use Layer 2 logic, examining the Ethernet data-link header to choose how to
process frames. In particular, switches make decisions to forward and filter frames, learn
MAC addresses, and use STP to avoid loops as follows…
Step 1. Switches decide whether to forward or filter a frame based on the destination MAC
address:
1. If the outgoing interface listed in the MAC table is different from the interface the
frame came in on, the switch forwards the frame out the outgoing interface.
2. If the outgoing interface listed in the MAC table is the same as the interface the
frame came in on, the switch filters the frame, simply ignoring it without forwarding it.
Step 2. Switches use the following logic to learn MAC address table entries:
a) For each received frame, examine the source MAC address and the interface from
which the frame was received.
b) If they are not already in the table, add the address and interface, setting the inactivity
timer to 0.
Step 3. Switches use STP to prevent loops by causing some interfaces to block, meaning
that they do not send or receive frames.
LAN Design Considerations
Collision Domain : A collision domain is a set of LAN interfaces whose frames could
collide with each other.
A broadcast domain is a set of devices such that when one device sends a broadcast, all the
other devices receive a copy of it. A switch floods broadcasts and multicasts out all
ports, so a switch creates a single broadcast domain.
A collision domain is a set of network interface cards (NICs) for which a frame sent by one
NIC could collide with a frame sent by another NIC in the same collision domain.
A broadcast domain is a set of NICs for which a broadcast frame sent by one NIC is
received by all other NICs in the same broadcast domain.
Switches are the much preferred option in a network because they microsegment the
collision domain, so devices do not have to share bandwidth.
A very large network with multiple switches still forms a single broadcast domain; it can
be split into multiple broadcast domains using a router.
Without VLANs a switch considers all its interfaces to be in the same broadcast domain.
With VLANs a switch can put some interfaces into one broadcast domain and some into
another, based on some simple configuration.
Figure: Sample network with two VLANs (VLAN 1 and VLAN 2) using one switch.
Campus LAN design terminology listed…
Figure: core switches (Core1, Core2) joined by core links and connected to other building
blocks; within a building block, distribution switches (Dist1, Dist2) connect to the core and,
through uplinks, to the access switches.
Access : Provides a connection point (access) for end-user devices; does not forward
frames between two other access switches under normal circumstances.
Core: Aggregates distribution switches in very large LANs, providing very high
forwarding rates.
Ethernet Types, Media and Segment Lengths
Broadcast domain: A set of devices that receive broadcast frame originated from any
device within the set. All devices in the same VLAN are in the same broadcast domain.
Collision Domain: A set of NICs for which a frame sent by a NIC could result in a
collision with a frame sent by any other NIC in the same collision domain.
Cut-through switching: One of the three options for internal processing in some models of
Cisco LAN switches, in which the frame is forwarded as soon as possible, including
forwarding bits of the frame before the whole frame is received.
Flooding : The process in which switches forward broadcast, unknown unicast and
(sometimes) multicast frames out all other ports except the port on which the frame arrived.
Microsegmentation : The process in LAN design by which every switch port connects to
a single device, creating a separate collision domain per interface.
Segmentation : The process of breaking a large amount of data from an application into
pieces of an appropriate size to be sent through the network.
Spanning Tree Protocol (STP): A bridge protocol that uses the Spanning Tree Algorithm,
allowing switches to dynamically work around loops in a network topology by creating a
spanning tree. Switches exchange Bridge Protocol Data Unit (BPDU) messages with other
bridges to detect loops, and remove the loops by shutting down selected bridge
interfaces.
Store-and-forward switching: One of the three processing options in some Cisco LAN
switches, in which the Ethernet frame must be completely received before the switch can
begin forwarding the first bit of the frame.
Virtual LAN : A group of devices connected to one or more switches, with the devices
grouped into a single broadcast domain through switch configuration. VLANs allow
switch administrators to separate devices connected to switches into separate VLANs
without requiring separate physical switches, gaining the design advantage of separating
traffic without buying additional hardware.
Chapter 8 – Operating Cisco LAN Switches
Cisco positions the 2960 series (family) of switches as full-featured, low cost wiring
closet switches for enterprises.
Cisco refers to a switch’s physical connectors as either interfaces or ports. Each interface
has a number and a name, e.g. interface FastEthernet 0/1, interface GigabitEthernet 0/1.
Cisco uses the term Hybrid to refer to 6500 series core switches that run CatOS, and
the term Native to refer to 6500 series core switches that run IOS.
Switch LEDs: SYST, RPS, STAT, DUPLX, SPEED and the MODE button.
NAME : Description
SYST (System) : Implies overall system status.
  Off : System is not powered on
  On (green) : The switch is powered on and operational (Cisco IOS has been loaded)
  On (amber) : The switch’s power-on self test (POST) failed and Cisco IOS did not load
RPS (Redundant power supply) : Suggests the status of the redundant (extra) power supply.
STAT (Status) : If on (green), each port LED implies that port’s status.
DUPLX (Duplex) : If on (green), each port LED implies that port’s duplex.
  Port LED on (green) : Full duplex
  Port LED off : Half duplex
SPEED : If on (green), each port LED implies the speed of that port.
  Port LED off : 10 Mbps
  Port LED solid green : 100 Mbps
  Port LED flashing green : 1000 Mbps (1 Gbps)
The console port provides a way to connect to the switch CLI even if the switch is not
connected to a network. Every Cisco switch has a console port, which is physically an
RJ-45 port; a PC connects to it through an RJ-45 console connection.
Accessing CLI using Telnet and SSH
The Telnet client (PC) needs terminal emulator software with a Telnet/SSH client
installed; the switch runs the Telnet server software.
Telnet sends all data, including the user name and password, as clear text, which is a
security threat.
SSH (Secure Shell) does the same basic things as Telnet, but in a more secure way, using
encryption.
Figure: Console, Telnet and SSH all arrive in user mode (prompt Router>); the enable
command, followed by the password prompt (Password : xxxx), moves the user into enable
(privileged) mode (prompt Router#); the disable command returns to user mode (Router>).
The preferred method for setting the password for reaching enable mode is the
“enable secret” command.
Cisco IOS software command help
What you enter : What help you get
? : Help for all commands available in this mode
help : Text describing how to get help. No actual command help is given
command ? : Text help describing all the first-parameter options for the command
com? : A list of commands that start with com
command parm? : Lists all parameters starting with parm
command parm<Tab> : CLI autofills the rest of the parameter
command parm1 ? : Lists all the next parameters with a brief description
show commands list the currently known facts about the switch’s operational status.
debug commands ask the switch to continuously monitor different processes in the switch
and report on them.
The terminal monitor command enables users to view the debug log messages.
debug spanning-tree (enables debug on the spanning-tree process)
no debug spanning-tree (disables debug on the spanning-tree process)
no debug all or
undebug all (disables all the currently enabled debugs)
CLI Configuration Modes vs EXEC modes
Figure: user EXEC mode moves to privileged EXEC mode with the enable command;
configure terminal (config t) moves from privileged EXEC mode into configuration mode;
exit or Ctrl-Z returns from configuration mode to privileged EXEC mode.
Text inside parentheses in the command prompt identifies the configuration mode.
Storing configuration files
Figure: four kinds of switch memory: RAM (working memory and the running
configuration), Flash (Cisco IOS software), ROM (bootstrap program) and NVRAM (startup
configuration).
Configuration commands change only the running config. If you want to save the config,
the running config must be copied to NVRAM, overwriting the startup-config, so that the
new or changed configuration is included the next time the switch is reloaded (copy from
RAM to NVRAM).
The copy command always replaces the existing file when configuration files are copied
to NVRAM or to a TFTP server, but when copied into RAM (running-config) the file is
always merged, not replaced. If you change the running-config and want to revert it to the
startup-config, a copy startup-config running-config will not necessarily make both
configs match; instead you may have to issue a reload command, which reloads (reboots)
the switch, erasing RAM and copying the startup-config into RAM as the running-config.
Flowchart: write erase, erase startup-config and erase nvram: all empty NVRAM. At the
next reload IOS asks “Is NVRAM empty?”: if NO, it copies the startup-config to the
running-config and completes IOS initialization; if YES, it asks “Do you want to enter
setup mode?”: YES enters setup mode, NO completes IOS initialization.
Setup mode writes the configuration to both Startup and running config files, whereas the
configuration mode changes only the running config file.
CLI : Command Line Interface. An interface that enables the user to interact with the
operating system by entering commands and optional arguments.
Secure Shell (SSH) : A TCP/IP application layer protocol that supports terminal
emulation between a client and a server, using dynamic key exchange and encryption to
keep the communication private and secure.
Enable Mode: The part of the Cisco CLI where a user can use the most powerful and
disruptive commands on a router or switch, including the ability to then reach
configuration mode and reconfigure the device.
User Mode: A mode of the user interface to a Cisco router or switch where a user can only
type non-disruptive EXEC commands, generally to look at the current status, but not to
change any operational settings.
Configuration Mode: The part of the Cisco IOS CLI where a user can enter
configuration commands, which are then added to the device’s currently used configuration
file (running-config).
Startup-config file: In Cisco IOS switches and routers, the name of the file that resides
in NVRAM, holding the device’s configuration that will be loaded into RAM as the
running-config file when the device is next reloaded or powered on.
Running-config: In Cisco IOS switches and routers, the name of the file that resides in
RAM, holding the device’s currently used configuration.
Setup-Mode: An option on Cisco switches and routers that prompts the user for basic
configuration information, resulting in new running-config and startup-config files.
Configuration Commands
Command : Mode and Purpose
line console 0 : Global command that changes the context to console configuration mode
line vty 1st-vty 2nd-vty : Global command that changes the context to line (vty)
configuration mode for the range of vty lines listed in the command
login : Line (console and vty) configuration mode. Tells IOS to prompt for a password (no
username)
password pass-value : Line (console, vty) configuration mode. Lists the password required
if the login command (with no other command) is configured
interface type port-number : Global command that changes the context to interface mode,
e.g. interface FastEthernet 0/1
shutdown / no shutdown : Interface subcommands that disable or enable the interface,
respectively
hostname name : Global command that sets the switch’s hostname, which is also used as the
first part of the switch’s command prompt
enable secret pass-value : Global command that sets the automatically encrypted enable
secret password. This password is used for any user to reach enable mode
enable password pass-value : Global command that sets the clear-text enable password. This
is used only when the enable secret password is not configured
exit : Moves back to the next higher mode in configuration mode
end : Exits configuration mode and goes back to enable mode from any of the configuration
submodes
Ctrl-Z : Same as the end command
EXEC Command Reference…
Command : Purpose
no debug all / undebug all : Enable mode EXEC commands that disable all the currently
enabled debugs
show process : EXEC command that lists statistics on CPU utilization
terminal monitor : EXEC command that tells Cisco IOS to send a copy of all syslog
messages, including debug messages, to the Telnet or SSH user who issues the command
reload : Enable mode EXEC command that reloads (reboots) the switch or router
copy from-location to-location : Enable mode EXEC command that copies a file from one
location to another; locations include the startup-config and running-config files, files on
TFTP and RPC servers, and flash memory
copy running-config startup-config : Enable mode EXEC command that saves the active
config, replacing the startup-config file used when the switch initializes
copy startup-config running-config : Enable mode EXEC command that merges the
startup-config with the currently active config file in RAM
show running-config : Lists the contents of the running-config
write erase / erase startup-config / erase nvram: : All three enable mode EXEC commands
erase the startup-config file
setup : Enable mode EXEC command that places the user in setup mode, in which Cisco IOS
prompts the user for a simple switch configuration
quit : EXEC command that disconnects the user from the CLI session
show system:running-config : Same as the show running-config command
show startup-config : Lists the contents of the startup-config (initial-config) file
show nvram:startup-config / show nvram: : Same as show startup-config
enable : Moves the user from user mode to enable (privileged) mode and prompts the user
for a password if one is configured
disable : Moves the user from enable mode to user mode
configure terminal : Enable mode command that moves the user into configuration mode
Chapter 9 – Ethernet Switch Configurations
Configuring Basic Passwords and Hostname
Switch> enable
Switch# configure terminal
In global configuration mode the user enters two global configuration commands that
add configuration to the whole switch (enable secret and hostname).
enable secret sets the only password used to reach enable mode, so it is a global
command.
The login command, which tells the switch to ask for a text password but not a user name,
and the password command, which defines the required password, are subcommands in the
respective line configuration submodes.
hostname emma
line console 0
 password faith
 login
line vty 0 4
 password love
 login
line vty 5 15
 password love
 login
Lines vty 5 15 (11 vty lines) were added later to vty 0 – 4 (5 vty lines), making a total of
16 concurrent vty lines available on a Cisco switch.
Figure: SSH configuration on a Cisco switch: line vty 0 15 with (1) login local and
(2) transport input telnet ssh, (4) ip domain-name example.com, and (6) the SSH client
holding the switch’s public key that matches the switch’s private key.
Step 1 : login local changes the vty lines to use usernames (the plain login command does
not require usernames) with locally configured usernames (the other option is usernames
configured on an AAA server). In this case the login local subcommand defines the use of
local usernames, replacing the login subcommand in vty configuration mode.
Step 2 : transport input telnet ssh (vty line configuration subcommand) tells the switch to
accept both Telnet and SSH; the default is transport input telnet, omitting SSH.
Step 3 : Add one or more username name password pass-value global configuration
commands to configure username/password pairs.
Step 4 : Configure the DNS domain name with the ip domain-name name global
configuration command.
Step 5 : Configure the switch to generate a matched public and private key pair, as well as
a shared encryption key, using crypto key generate rsa (global configuration command).
Step 6 : SSH clients need a copy of the switch’s public key before the client can connect.
Emma# configure terminal
Refer to pg. 241 of the study guide for the SSH key generation example and public key
listings.
Password Encryption
• If the service password-encryption command has already been configured, any future
changes to these passwords are encrypted.
service password-encryption uses Type 7 encryption, which is a weak encryption
algorithm that can be decrypted easily.
• If the global configuration command ‘enable secret pass-value’ is used, it defines the
password required when using the enable EXEC command. This password is listed as
a hidden MD5 hash value in the configuration file by default.
• If both commands are used, the password set in the enable secret command defines
which password is required.
IOS applies a mathematical function called the Message Digest 5 (MD5) hash, and the
result is stored in the configuration file; this is considered to be encryption Type 5.
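The following is an added example, not from the notes, that turns the points above (Telnet carrying credentials in clear text, login versus login local, weak Type 7 encryption, enable password versus enable secret, and the exec-timeout 0 0 setting shown later under banner configuration) into a small configuration audit. The two sample configurations, the hostnames and the hex strings are constructed for the example; the assumed default of transport input telnet is the one the notes state.

```python
# Added example (not from the study notes): a small audit script for an
# IOS-style configuration that flags the weaknesses the notes describe:
# 'enable password' used instead of (or alongside) 'enable secret', Type 7
# passwords left behind by 'service password-encryption', vty lines that
# still accept Telnet, 'login' with a shared line password instead of
# 'login local', and 'exec-timeout 0 0'. The two sample configurations are
# constructed for the example; the Type 7 hex strings are dummy values, and
# the assumed default of 'transport input telnet' is the one the notes state.
import re

WEAK_CONFIG = """\
hostname emma
service password-encryption
enable password 7 0123456789ABCD
username admin password 7 0FEDCBA9876543
line con 0
 password 7 0123456789ABCD
 login
 exec-timeout 0 0
line vty 0 4
 password 7 1122334455667788
 login
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
"""

HARDENED_CONFIG = """\
hostname emma
enable secret 5 $1$PLACEHOLDER$hash
username admin secret 5 $1$PLACEHOLDER$hash
line con 0
 login local
 exec-timeout 10 0
line vty 0 15
 login local
 transport input ssh
 exec-timeout 10 0
"""

TYPE7 = re.compile(r"\bpassword 7 [0-9A-Fa-f]+$")


def line_sections(config: str) -> dict:
    """Map each 'line ...' command to its indented subcommands."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = None        # any other global command ends the line block
    return sections


def audit_config(config: str) -> list:
    """Return one finding string per weakness; an empty list means nothing was flagged."""
    findings = []
    global_cmds = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]
    has_secret = any(c.startswith("enable secret ") for c in global_cmds)
    has_password = any(c.startswith("enable password ") for c in global_cmds)
    if has_password and not has_secret:
        findings.append("enable password without enable secret: enable-mode password is clear text or Type 7")
    elif has_password:
        findings.append("enable password is redundant alongside enable secret and should be removed")
    elif not has_secret:
        findings.append("no enable secret configured")

    for raw in config.splitlines():
        if TYPE7.search(raw):     # service password-encryption only obscures, it does not protect
            findings.append(f"Type 7 password present: '{raw.strip()}'")

    for name, subs in line_sections(config).items():
        if name.startswith("line vty"):
            transport = next((s for s in subs if s.startswith("transport input")), "transport input telnet")
            if "telnet" in transport.split()[2:]:
                findings.append(f"{name}: Telnet allowed ('{transport}'), credentials cross the network in clear text")
            if "login" in subs:
                findings.append(f"{name}: 'login' uses a shared line password, prefer 'login local' or AAA")
        if "exec-timeout 0 0" in subs:
            findings.append(f"{name}: exec-timeout 0 0 disables the idle logout")
    return findings
```

Running audit_config over WEAK_CONFIG produces eight findings; HARDENED_CONFIG produces none. The parser relies on IOS indenting line subcommands with one space, which is how the running-config is written.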
Banner Configurations
(the default banner is the MOTD – Message of the Day banner, shown before the login prompt)
(the login banner is shown before the login prompt, after the MOTD banner)
(the EXEC banner is shown after the login prompt, for messages that should be hidden from
unauthorised users)
(the first non-blank character after the banner type command is taken as the delimiter,
and the text between the delimiters is displayed)
line console 0
 login
 password cisco
 exec-timeout 0 0
 logging synchronous
exec-timeout 0 0 means the router never times out.
logging synchronous displays syslog messages at a convenient time, after a command’s
output, and not in the middle of typing a command.
An IOS-based switch configures its IP address and mask on a special virtual interface called
the VLAN 1 interface.
Step 1. Enter VLAN 1 configuration mode by using the interface vlan 1 global
configuration command.
Step 2 : Assign the IP address and mask using the ip address ip-address mask interface
subcommand.
Step 4: Add the ip default-gateway ip-address global command to configure the default
gateway.
Switch static IP address configuration
(to show a temporarily leased IP address, since dynamic IP addresses are not stored in the
running-config file, whereas statically configured IP addresses are stored in the running-config)
Emma# show interface status
Port    Name                    Status      Vlan   Duplex  Speed  Type
Fa0/1   Server 1 connects here  notconnect  1      full    100    10/100BaseTX
Fa0/2                           notconnect  1      auto    auto   10/100BaseTX
Fa0/4                           connected   1      a-full  a-100  10/100BaseTX
Fa0/11  end user connects       connected   1      auto    auto   10/100BaseTX
…
Fa0/24
a-full, a-100 (line 3, Fa0/4) means the port autonegotiated full duplex and a speed of
100 Mbps with the physically connected device.
Port Security
If a network engineer knows which devices should be cabled and connected to a particular
interface on a switch, the engineer can use port security to restrict that interface so that
only the expected devices can use it.
Step 1. Make the switch interface an access interface using the switchport mode access
interface subcommand.
Step 3. (Optional) Specify the maximum number of MAC addresses associated with the
interface using the switchport port-security maximum number interface subcommand.
The default maximum is 1.
Step 4. (Optional) Define the action to take when a frame is received from a MAC
address other than the defined addresses, using the
switchport port-security violation {protect | restrict | shutdown} interface
subcommand. The default action is to shut down the port.
Step 5A. Specify the MAC addresses allowed to send frames into the interface using the
switchport port-security mac-address mac-address interface subcommand. Use the command
multiple times to specify more MAC addresses.
Step 5B. Alternatively, use the sticky learning process to dynamically learn and configure the
MAC address of the currently connected host, by configuring the
switchport port-security mac-address sticky interface subcommand.
Fred# show port-security interface fastethernet 0/1
Fred# show port-security interface fastethernet 0/2
Note the port status secure-shutdown (Fa0/1, port is shut down because of a violation) and
secure-up (Fa0/2).
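The following is an added example, not from the notes, modelling the port security steps above on one interface: the maximum count, static and sticky addresses, and how the protect, restrict and shutdown violation actions differ, ending in the secure-up or secure-shutdown status the show port-security output reports. The notes only give the commands; the behaviour encoded here is standard IOS behaviour, the syslog text approximates the real messages, and the port names and MAC addresses are constructed.

```python
# Added example (not from the study notes): a model of port security on one
# access interface, covering the maximum count, static and sticky secure
# addresses, and the protect / restrict / shutdown violation actions with the
# secure-up / secure-shutdown status the notes' show port-security output
# reports. The notes give only the commands; the behaviour encoded here is
# standard IOS behaviour, and the syslog text is an approximation of the real
# messages. Port names and MAC addresses are constructed for the example.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                   # switchport port-security maximum (default 1)
    violation: str = "shutdown"        # switchport port-security violation (default shutdown)
    sticky: bool = False               # switchport port-security mac-address sticky
    secure_macs: dict = field(default_factory=dict)   # mac -> "static" | "sticky" | "dynamic"
    status: str = "secure-up"
    violation_count: int = 0
    syslog: list = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>"""
        self.secure_macs[mac] = "static"

    def receive(self, src_mac: str) -> bool:
        """Process one ingress frame; True if the switch accepts it."""
        if self.status == "secure-shutdown":
            return False                     # err-disabled: nothing passes until the port is recovered
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            # room below the maximum: learn the address (sticky ones also land in running-config)
            self.secure_macs[src_mac] = "sticky" if self.sticky else "dynamic"
            return True
        return self._violate(src_mac)

    def _violate(self, src_mac: str) -> bool:
        if self.violation == "protect":      # discard silently: no log and no violation count
            return False
        self.violation_count += 1
        if self.violation == "restrict":     # discard and report
            self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: violation by {src_mac} on {self.name}")
            return False
        self.status = "secure-shutdown"      # shutdown: err-disable the whole interface
        self.syslog.append(f"%PM-4-ERR_DISABLE: psecure-violation error detected on {self.name}")
        return False

    def running_config(self) -> list:
        """Interface subcommands that reproduce this port's configuration."""
        lines = ["switchport mode access", "switchport port-security"]
        if self.maximum != 1:
            lines.append(f"switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f"switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        for mac, kind in self.secure_macs.items():
            if kind == "static":
                lines.append(f"switchport port-security mac-address {mac}")
            elif kind == "sticky":
                lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines
```

The shutdown action is the only one that takes the interface down (secure-shutdown, err-disabled), so it also stops the legitimate device; restrict keeps the port up and leaves a syslog trail, which is what a SOC would rather alert on; protect gives no signal at all.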
VLAN Configuration
By definition, access interfaces send and receive frames in only a single VLAN, called the
access VLAN. Trunking interfaces send and receive frames in multiple VLANs.
One access port - one VLAN (one VLAN can have multiple access ports, a subset of the
switch’s access ports)
One trunk port - multiple VLANs
By default switches have VLAN 1 configured with all interfaces assigned to it; to add
another VLAN and assign access ports to it, follow the steps below…
Step 1 : To create the VLAN
a) from configuration mode, use the vlan vlan-id global configuration command to
create the VLAN and move the user into VLAN configuration mode
b) (optional) use the name vlan-name VLAN subcommand to set the name of the VLAN. If
not configured, the switch uses the default name VLANzzzz, where zzzz is the four-digit
VLAN id.
Step 2 : To configure the VLAN for each access interface
a) use the interface command to move to interface configuration mode for each
desired interface
b) use the switchport access vlan id-number interface subcommand to specify the VLAN
associated with that interface
c) (optional) to disable trunking, so that the switch will not dynamically decide to use
trunking on the interface and it will remain an access interface, use the switchport
mode access interface subcommand
Figure: one switch with Fa0/11 and Fa0/12 in VLAN 1 and Fa0/13 and Fa0/14 in VLAN 2.
Note : name fred-vlan (the vlan subcommand is case-sensitive)
To secure unused switch ports:
• Prevent VLAN trunking and VLAN Trunking Protocol (VTP) by making the port a
nontrunking interface, using the switchport mode access interface subcommand
• Assign the port to an unused VLAN using the switchport access vlan vlan-number
interface subcommand
Access Interface: A LAN network design term that refers to a switch interface connected
to end-user devices.
Trunk Interface: On a LAN switch, an interface that is currently using either 802.1Q or
ISL trunking.
Trunking : Also called VLAN trunking; a method using either the Cisco ISL protocol or the
IEEE 802.1Q protocol to support multiple VLANs that have members on more than one
switch.
username name password pass-value : Global command; defines one of possibly multiple
usernames and associated passwords, used for user authentication. Used when the
login local line configuration command has been configured
crypto key generate rsa : Global command; creates, and stores in a hidden location in
flash memory, the key required by SSH
transport input {telnet|ssh} : Vty line configuration mode. Defines whether Telnet and/or
SSH is allowed into this switch. Both values can be configured in one command to allow
both Telnet and SSH
IP Address configuration
The following four commands are related to IP address configuration
interface vlan number : Changes the context to VLAN interface mode. For VLAN 1, allows
the configuration of the switch’s IP address
ip address ip-address subnet-mask : VLAN interface mode. Statically configures the
switch’s IP address and mask
ip address dhcp : VLAN interface mode; configures the switch as a DHCP client to discover
its IP address, subnet mask and default gateway
ip default-gateway address : Global command. Configures the switch’s default gateway IP
address. Not required if the switch uses DHCP
Interface Configuration
The following six commands are used for interface configuration
interface type port-number : Changes the context to interface mode, e.g. interface
fastethernet 0/1
interface range type port-range : Changes the context to interface mode for the range of
interfaces
shutdown / no shutdown : Interface mode; disables or enables the interface
speed {10|100|1000|auto} : Interface mode; manually sets the speed to the listed speed,
or with the auto setting, automatically negotiates the speed
duplex {half|full|auto} : Interface mode; manually sets the duplex to half or full, or to
autonegotiate the duplex setting
description text : Interface mode (description for the interface)
Miscellaneous
Miscellaneous configuration commands
hostname name : Global command; sets the switch’s host name, also used as the first part
of the switch’s command prompt
enable secret pass-value : Global command. Sets the switch’s password that is required
for any user to reach the switch’s enable mode
history size length : Line config mode; defines the number of commands held in the
history
switchport port-security mac-address mac-address : Interface configuration command that
statically adds an allowed MAC address on that interface
switchport port-security mac-address sticky : Interface subcommand that tells the switch
to learn MAC addresses on the interface and add each learned MAC address as a secure
address into its configuration
switchport port-security maximum number : Interface subcommand that sets the maximum
number of static secure MAC addresses that can be assigned to a single interface
switchport port-security violation {protect|restrict|shutdown} : Interface subcommand
that tells the switch what to do if an inappropriate MAC address tries to access the
network through a secure switch port
Chapter 10 – Ethernet Switch Troubleshooting
Organized troubleshooting steps….
The proprietary Cisco Discovery Protocol (CDP) discovers basic information about
neighbouring switches and routers, by listening to the CDP messages sent out by
neighbouring switches and routers on each of their interfaces.
Command : Description
show cdp neighbors type number : Lists one summary line of information on each
neighbour, or just the neighbour found on the specific interface if an interface was listed
show cdp neighbors detail : Lists one large set (about 15 lines) of information, one set for
every neighb
our
show cdp entry name (e.g. show cdp entry R1) : Lists the same information as the show cdp
neighbors detail command, but only for the named neighbour (case-sensitive)
Commands used to verify CDP operation
Command : Description
show cdp : States whether CDP is enabled globally, and lists the default update and
holdtime timers
show cdp interface type number : States whether CDP is enabled on each interface, or on
the interface listed, and states the update and holdtime timers on those interfaces
show cdp traffic : Lists global statistics for the number of CDP advertisements sent and
received
The show interfaces command lists the actual speed and duplex settings but does not
imply anything about how the settings were configured or autonegotiated.
However, the show interfaces status command lists a prefix of a- to indicate that the speed
and duplex settings were autonegotiated, leaving the prefix off if the settings were
manually configured.
Line status / Protocol status / show interfaces status : Meaning
down / down (err-disabled) / err-disabled : Port security has disabled the interface
up / up / connect : Interface is working
When the IEEE autonegotiation process works on both devices, both devices agree on the
fastest speed supported by both, and on full duplex if it is supported by both devices,
otherwise half duplex. (The Cisco 2960 switch supports full duplex.) However, when one
device disables autonegotiation (by manually setting speed and duplex) and the other
device uses autonegotiation, the device using autonegotiation sets the default duplex
setting based on the current speed; the defaults are as follows….
If the duplex settings do not match on the two ends of an Ethernet segment, the switch
interface will still be in an up/up (connect) state, but the interface will work poorly.
To troubleshoot a duplex mismatch, check the duplex settings on each end of the link,
or watch for increasing collision and late collision counters.
CRC counter – Cyclic Redundancy Check counter, a count of frames discarded because they failed the FCS check.
A significant problem exists if more than .1 % of the total output packets have collided.
Counter Meaning Common Root Causes
Collisions More than roughly .1% of all frames are in collision Duplex mismatch (seen on the half duplex side); jabber; DoS attack
Late collisions Increasing late collisions Collision domain or single cable too long; duplex mismatches
Jabber : frames sent by a device continuously without a break, not conforming to
Ethernet standards.
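The counter checks in the table above, applied to a constructed sample of show interfaces output. This is an added example, not code from the study guide; the counter values and the regex field names are made up for illustration.

```python
import re

# Constructed sample in the style of "show interfaces" output (added example,
# not from the notes); every counter value here is made up for illustration.
SAMPLE_NOW = """\
FastEthernet0/1 is up, line protocol is up (connected)
     2000 packets output, 150000 bytes, 0 underruns
     14 output errors, 12 collisions, 0 interface resets
     0 babbles, 3 late collision, 0 deferred
     5 input errors, 5 CRC, 0 frame, 0 overrun, 0 ignored
"""

COUNTER_PATTERNS = {
    "packets_output": r"(\d+) packets output",
    "collisions": r"(\d+) collisions",          # "late collision" has no trailing s
    "late_collisions": r"(\d+) late collision",
    "crc": r"(\d+) CRC",
}

def parse_counters(text):
    """Extract the counters the troubleshooting table above relies on."""
    counters = {}
    for name, pattern in COUNTER_PATTERNS.items():
        match = re.search(pattern, text)
        counters[name] = int(match.group(1)) if match else 0
    return counters

def assess(current, previous=None):
    """Apply the rules from the notes: a collision rate above .1% of output
    packets, or a late-collision counter that rose since the last sample,
    points at a duplex mismatch (or cable / collision-domain length)."""
    findings = []
    out = current["packets_output"]
    if out and current["collisions"] / out > 0.001:
        findings.append("collisions above .1% of output packets: check duplex on both ends; jabber or DoS also possible")
    if previous is not None and current["late_collisions"] > previous["late_collisions"]:
        findings.append("late collisions increasing: collision domain/cable too long or duplex mismatch")
    if current["crc"] > 0:
        findings.append("CRC errors: frames discarded by the FCS check")
    return findings

if __name__ == "__main__":
    now = parse_counters(SAMPLE_NOW)
    earlier = dict(now, late_collisions=1)   # constructed earlier sample of the same port
    for line in assess(now, earlier):
        print(line)
```

Late collisions only mean something when compared between two samples taken over time, which is why assess() takes the earlier counters as well.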
Step 1. Determine the VLAN in which the frame should be forwarded. On access
interfaces this is based on the access VLAN associated with the incoming interface.
Step 2. Look for the frame’s destination MAC address in the MAC address table, but
only in the entries for the VLAN identified in Step 1. If the destination MAC is …
A. Found (unicast) : forward the frame out only the interface listed in the matched
address table entry.
B. Not found (unicast) : flood the frame out all other interfaces in that same VLAN,
except the incoming interface.
C. Broadcast or multicast : flood the frame out all other interfaces in that same VLAN,
except the incoming interface.
Figure: Fred (0200.1111.1111) on SW1 Fa0/9 and Barney (0200.2222.2222) on SW1 Fa0/12; SW1 Gi0/1 connects to SW2 Gi0/2; SW2 Fa0/13 connects to R1 Fa0/1 (0200.5555.5555).
Barney forwards a frame to its default gateway router R1, and the following forwarding
steps occur…
Step 1. SW1 receives the frame on its Fa0/12 interface and sees that it is assigned to
VLAN1.
Step 2. SW1 looks for a MAC table entry for 0200.5555.5555 in the incoming
interface’s VLAN (VLAN1).
a) SW1 finds an entry, associated with VLAN1, with outgoing interface Gi0/1, and SW1
forwards the frame out only the interface Gi0/1.
The frame is now on its way to SW2. The steps below explain SW2’s forwarding logic…
Step 1. SW2 receives the frame on its Gi0/2 interface and sees that it is assigned to
VLAN1.
Step 2. SW2 looks for a MAC table entry for 0200.5555.5555 (the frame’s destination, R1) in the incoming
interface’s VLAN (VLAN1).
a) SW2 finds an entry, associated with VLAN1, with outgoing interface Fa0/13, and SW2
forwards the frame out only the interface Fa0/13.
At this point the frame should be on its way over the Ethernet cable between SW2 and
R1.
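The Step 1 / Step 2 forwarding logic and the Barney-to-R1 walk-through above, as an added example that is not part of the study guide. It assumes every interface, including Gi0/1 and Gi0/2, is an access port in VLAN 1, so trunking is left out of the model.

```python
# Added example (not from the study notes): a small model of the per-VLAN
# MAC-table lookup in Steps 1 and 2 above, replayed on the Barney -> R1 figure.
# Assumption: every interface, including Gi0/1 and Gi0/2, is treated as an
# access port in VLAN 1, so trunking is left out of the model.
BROADCAST = "ffff.ffff.ffff"

def is_multicast(mac):
    """Group bit of an Ethernet address: lowest bit of the first byte."""
    return int(mac[:2], 16) & 1 == 1

class Switch:
    def __init__(self, name, access_vlans):
        self.name = name
        self.access_vlans = access_vlans   # {interface: access VLAN}
        self.mac_table = {}                # {(vlan, mac): outgoing interface}

    def learn(self, vlan, mac, interface):
        self.mac_table[(vlan, mac)] = interface

    def forward(self, in_if, src_mac, dst_mac):
        """Return the interfaces the frame is sent out of."""
        src_mac, dst_mac = src_mac.lower(), dst_mac.lower()
        vlan = self.access_vlans[in_if]                    # Step 1
        self.learn(vlan, src_mac, in_if)                   # learn from the source MAC
        flood = [i for i, v in self.access_vlans.items() if v == vlan and i != in_if]
        if dst_mac == BROADCAST or is_multicast(dst_mac):  # Step 2 C
            return flood
        out_if = self.mac_table.get((vlan, dst_mac))
        if out_if is None:                                 # Step 2 B: unknown unicast
            return flood
        return [out_if]                                    # Step 2 A: known unicast

def barney_to_r1():
    """Replay the walk-through: returns (SW1 egress, SW2 egress)."""
    sw1 = Switch("SW1", {"Fa0/9": 1, "Fa0/12": 1, "Gi0/1": 1})
    sw2 = Switch("SW2", {"Gi0/2": 1, "Fa0/13": 1})
    # Entries for R1 assumed already learned, as the walk-through assumes.
    sw1.learn(1, "0200.5555.5555", "Gi0/1")
    sw2.learn(1, "0200.5555.5555", "Fa0/13")
    barney, r1 = "0200.2222.2222", "0200.5555.5555"
    return sw1.forward("Fa0/12", barney, r1), sw2.forward("Gi0/2", barney, r1)

if __name__ == "__main__":
    print(barney_to_r1())   # (['Gi0/1'], ['Fa0/13'])
```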
Switches and Routers can use ACL – Access Control List to filter traffic to a port.
With a port-security violation mode of protect or restrict, the switch discards the offending frame but
leaves the interface in a connect (up/up) state.
CDP Neighbour : A device on the other end of some communication cable that advertises
CDP updates.
Up and Up : Jargon referring to the two interface statuses on a Cisco switch or router (line
status and protocol status).
Error disabled : An interface state on a Cisco switch that is the result of one of many
security violations.
Root Cause : A troubleshooting term that refers to the reason why a problem exists,
especially a reason for which, if changed, the problem would either be solved or changed
to a different problem.
no cdp run : Global command that disables CDP for the entire switch or router.
cdp enable / no cdp enable : Interface subcommand that enables or disables CDP on a particular interface.
speed {10 | 100 | 1000} : Interface subcommand that manually sets the interface speed.
duplex {auto | half | full} : Interface subcommand that manually sets the interface duplex.
Please go to the "Do I Know This Already?" quiz for Chapter 10, page 268.
Chapter 11 – Wireless LANs
Modes of 802.11 Wireless LANs – WLAN modes, their formal names and
description.
Unlicensed bands, their general names, and the devices/standards that use each band.
FCC unlicensed frequency bands of interest…
Frequency Range Name Sample Devices
900 MHz Industrial, Scientific, Medical (ISM) Older cordless telephones
2.4 GHz ISM Newer cordless phones, microwave ovens, 802.11, 802.11b, 802.11g WLAN standards
5 GHz Unlicensed National Information Infrastructure (U-NII) Newer cordless phones and 802.11a, 802.11n WLANs
Licensed bands are used for FM/AM radio, shortwave radio for police communications,
and mobile phones.
Direct Sequence Spread Spectrum (DSSS) has a bandwidth of 82 MHz, with a range
from 2.402 GHz to 2.483 GHz. As regulated by the FCC, this band can have 11 overlapping
DSSS channels.
Although many of the channels shown in the figure overlap, three of the channels
(at the far left, far right and centre) do not overlap enough to affect each other.
These channels (channels 1, 6 and 11) can be used in the same space for WLAN
communication without interfering with each other…
Figure: RF channels 1 through 11, with PC1 and PC2 each associated with an AP on a different non-overlapping channel.
In this design, devices in one BSS can send at the same time as the other two BSSs without
interfering, because each uses the slightly different frequencies of the non-overlapping
channels. PC1 and PC2 could sit next to each other and communicate with two different
APs using two different channels at the same time. This design is typical of 802.11b
WLANs, with each cell running at the rate of 11 Mbps. With non-overlapping channels,
each half duplex BSS can run at 11 Mbps, for a cumulative bandwidth of 33 Mbps. The
cumulative bandwidth is called the WLAN capacity.
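The non-overlapping channel choice and the WLAN capacity figure above, worked through in an added example that is not from the study guide. It assumes the usual 802.11b channel plan, which the notes do not state: channel n is centred at 2412 + 5*(n-1) MHz and a DSSS channel is 22 MHz wide.

```python
# Added example (not from the notes): checking which 2.4 GHz DSSS channels can
# share a space, and the WLAN capacity that results.  Assumptions, not from the
# notes: channel n is centred at 2412 + 5*(n-1) MHz and a DSSS channel is
# 22 MHz wide, so channels overlap when their centres are less than 22 MHz apart.
CHANNEL_WIDTH_MHZ = 22

def centre_mhz(channel):
    return 2412 + 5 * (channel - 1)

def overlaps(a, b):
    """True when the two channels' frequency ranges overlap."""
    return abs(centre_mhz(a) - centre_mhz(b)) < CHANNEL_WIDTH_MHZ

def non_overlapping_channels(channels=range(1, 12)):
    """Greedy choice, lowest channel first, of channels that do not interfere."""
    chosen = []
    for ch in channels:
        if all(not overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen

def wlan_capacity_mbps(bss_channels, rate_mbps=11):
    """Cumulative capacity of several BSSs in one space; every pair of BSSs must
    use non-overlapping channels, otherwise they share airtime instead of adding."""
    for i, a in enumerate(bss_channels):
        for b in bss_channels[i + 1:]:
            if overlaps(a, b):
                raise ValueError(f"channels {a} and {b} overlap")
    return len(bss_channels) * rate_mbps

if __name__ == "__main__":
    chans = non_overlapping_channels()        # [1, 6, 11]
    print(chans, wlan_capacity_mbps(chans))   # [1, 6, 11] 33
```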
The emerging 802.11n uses OFDM as well as MIMO (Multiple Input Multiple Output).
Wireless Interference
Walls, floors, ceilings and matter that has lots of metal in it can cause the radio signals
to lose strength, scatter and create dead spots.
One key measurement of the interference is the Signal-to-Noise Ratio (SNR). This
calculation measures the WLAN signals as compared to the other undesired signals
(noise) in the same space. The higher the SNR, the better the WLAN can send data
successfully.
The power of an AP is measured based on the Effective Isotropic Radiated Power (EIRP)
calculation. It is the power of the signal as it leaves the antenna.
Figure: AP1 coverage rings, with data rates of 11 Mbps nearest the AP, then 5.5 Mbps, 2 Mbps and 1 Mbps at increasing distance.
The solution to the media access problem with WLAN is to use the carrier sense multiple
access with collision avoidance (CSMA/CA) algorithm.
CSMA/CA algorithm…
Step 1. Listen to ensure that the medium (the air space) is not busy, that is, no radio waves are
currently being received at the frequencies to be used.
Step 2. Set a random timer before sending a frame, to statistically reduce the chance of all
devices trying to send at the same time.
Step 3. When the random timer has passed, listen again to ensure that the medium is not busy;
if it isn’t, send the frame.
Step 4. After the entire frame has been sent, wait for an acknowledgement.
Step 1. Verify that the existing wired network works, including DHCP services, VLANs
and Internet connectivity.
Do this by verifying the switch port access VLANs and by connecting a laptop to the switch port,
verifying that it acquires an IP address, mask and default gateway, and that the PC can
communicate with other hosts in the network.
Step 2. Install and configure the AP, and verify its connectivity to the wired network,
including its IP address, mask and default gateway.
An AP connects to the switch port using a straight-through Ethernet cable.
Step 3. Configure and verify the AP’s wireless settings, including the Service Set Identifier (SSID),
but with no security yet.
APs within the same ESS WLAN should be configured with the same SSID.
Step 4. Install and configure one wireless client (laptop), again with no security.
The WLAN NIC in a WLAN client such as a laptop can automatically detect a WLAN AP,
learn its SSID, and connect to the AP with the strongest signal.
Cisco Compatible Extensions Programme (CCX) : Tests and verifies that a manufacturer’s WLAN NIC
works well with a Cisco AP.
Common WLAN installation problems and related work done in the Site survey…
• Check to make sure the AP and client radios are enabled (radio switches turned on)
• Check the AP to ensure it has the latest firmware
• Check the AP configuration, especially the channel configuration, to ensure that it does
not use channels that overlap with other APs in the same location.
Rogue AP (an attack in which a rogue AP is set up after learning the SSID of an existing WLAN,
so that the enterprise’s clients associate with it) : mitigated by strong authentication, IDS, SWAN.
Vendor-introduced additional security features: SSID cloaking and MAC filtering.
SSID Cloaking : The AP sends out beacons containing the SSID only in response to a probe request
from a WLAN client.
WPA includes the option to use dynamic key exchange, using the Temporal Key Integrity
Protocol (TKIP). WPA allows the use of either IEEE 802.1x user authentication or
simple device authentication using preshared keys, and its encryption includes the
Message Integrity Check (MIC) algorithm, similar to the process used in the Cisco
proprietary solution.
IEEE 802.11i (WPA2) includes dynamic key exchange, much stronger encryption, and
user authentication. 802.11i uses the Advanced Encryption Standard (AES).
Definitions….
802.11a : IEEE standard for wireless LANs using the U-NII (Unlicensed National
Information Infrastructure) 5 GHz spectrum, OFDM encoding, at speeds of up to 54
Mbps.
802.11b : IEEE standard for wireless LANs using the ISM (2.4 GHz) spectrum, DSSS
encoding, and speeds of up to 11 Mbps.
802.11g : IEEE standard for wireless LANs using the ISM (2.4 GHz) spectrum, OFDM or
DSSS encoding, and speeds of up to 54 Mbps.
802.11i : IEEE standard for wireless LAN security, including authentication and
encryption.
Access Point : A wireless LAN device that provides a means by which wireless clients
can send data to each other and to the rest of the wired LAN, with the Access Point
connecting the wireless and wired Ethernet LANs.
Ad-hoc Mode : In a wireless LAN, a method or mode of operation in which the clients
send data directly to each other without using an Access Point.
Basic Service Set (BSS) : A wireless LAN with a single Access Point (AP).
CSMA/CA : Carrier Sense Multiple Access with Collision Avoidance, a media access
mechanism that defines how devices decide when to send, with a goal of avoiding
collisions as much as possible. IEEE WLANs use CSMA/CA.
Direct Sequence Spread Spectrum (DSSS) : A method of encoding data for transmission
over a WLAN in which devices use 1 of 11 nearby frequencies in the 2.4 GHz range.
Extended Service Set (ESS) : A wireless LAN with multiple access points, which together create one
WLAN and allow roaming between APs.
Infrastructure Mode : A mode of WLAN operation in which WLAN clients send
and receive data through APs, which also allows the clients to connect to the wired LAN
infrastructure. In infrastructure mode WLAN clients do not send to each other directly.
Service Set Identifier (SSID) : A text value used in a WLAN to uniquely identify a single
WLAN (a 32-character text identifier).
Wi-Fi Alliance : An organization formed by many companies in the wireless industry for
the purpose of getting multi-vendor certified wireless products into the market in a more
timely fashion.
Wi-Fi Protected Access (WPA) : A trademark name of the Wi-Fi Alliance that represents a
set of security specifications that predated the IEEE 802.11i security standard.
Wired Equivalent Privacy (WEP) : An early WLAN security specification that used
relatively weak security mechanisms, using only preshared keys and no encryption or
weak encryption.
WLAN Client : A wireless device that wants to get access to a wireless access point for
the purpose of communicating with other wireless devices or with devices connected to the wired
LAN.
WPA2 : The Wi-Fi Alliance’s trademark name for the same set of security standards as the
IEEE 802.11i.