
CCENT Notes Part 2 LAN Switching

Ref : CCENT/CCNA ICND1 Official Exam Certification Guide, Second Edition by Wendell Odom

It is highly recommended that you read the above study guide at least once to make full use of these notes. There may be minor errors in these notes, so please always refer to the study guide for accurate information.

(Jojo Jacob - CCENT)

TABLE OF CONTENTS
Chapter 7  Ethernet LAN Switching Concepts ........ 3
Chapter 8  Operating Cisco LAN Switches ........... 13
Chapter 9  Ethernet Switch Configurations ......... 23
Chapter 10 Ethernet Switch Troubleshooting ........ 35
Chapter 11 Wireless LANs .......................... 42

Chapter 7 Ethernet LAN Switching Concepts


Hubs : A hub creates one single collision domain, and bandwidth is shared in a 10BASE-T network built with a hub.
Bridges : Bridges reduced the number of collisions that occurred in a network by segmenting the collision domains, and bridges add bandwidth to the network.
Switches (benefits of using switches) : A switch creates a separate collision domain on each of its interfaces, and it can support full duplex if only one device is connected to an interface. Switches multiply the amount of available bandwidth in the network.

Ethernet MAC addresses
Unicast addresses : A MAC address that identifies a single LAN interface card.
Broadcast addresses : A frame sent with a destination address of the broadcast address (FFFF.FFFF.FFFF) implies that all devices on the LAN should receive and process the frame.
Multicast addresses : Multicast MAC addresses are used to allow a dynamic subset of devices on a LAN to communicate. IP multicast over Ethernet uses MAC addresses in the format 0100.5exx.xxxx, where a value between 00.0000 and 7f.ffff can be used for the second half.

Primary functions of a switch
1. Deciding when to forward a frame or when to filter (not forward) a frame, based on the destination MAC address.
2. Learning MAC addresses by examining the source MAC address of each frame received.
3. Creating a (Layer 2) loop-free environment with other switches by using Spanning Tree Protocol (STP).

Sample switch forwarding and filtering decision (figure: Fred forwards a frame to Barney). Fred (0200.1111.1111) is connected to Fa0/1, Barney (0200.2222.2222) to Fa0/2, Wilma (0200.3333.3333) to Fa0/3 and Betty (0200.4444.4444) to Fa0/4. A frame with destination MAC address 0200.2222.2222 comes in Fa0/1; the switch forwards it out Fa0/2 and filters it (does not forward it) out Fa0/3 and Fa0/4.

MAC Address Table
0200.1111.1111   Fa0/1
0200.2222.2222   Fa0/2
0200.3333.3333   Fa0/3
0200.4444.4444   Fa0/4

MAC address table is also called, Switching Table, Bridging Table or Content Addressable Memory.

Sample switch filtering decision (figure: Fred and Barney both connect to a hub, and the hub connects to switch port Fa0/1; Wilma is on Fa0/3 and Betty on Fa0/4). Note that the hub simply regenerates the electrical signal out each interface, so the hub forwards the signal sent by Fred to both Barney and the switch. The frame with destination MAC address 0200.2222.2222 comes in Fa0/1; the MAC address table lists Fa0/1 for that destination, so the switch decides to filter (not forward) the frame, because the MAC table interface for the destination address (Fa0/1) is the same as the incoming interface.

MAC Address Table
0200.1111.1111   Fa0/1
0200.2222.2222   Fa0/1
0200.3333.3333   Fa0/3
0200.4444.4444   Fa0/4

How a switch learns MAC addresses : Switches populate the MAC table by listening to frames; for each frame the switch adds the source MAC address and the interface it came in on, if that entry is not already in the MAC address table.
Flooding frames : When a switch receives a frame with a destination address that is not in its MAC address table, it forwards the frame out all interfaces except the one it came in on.
Inactivity timer : Switches keep a timer for each entry in the MAC address table, called the inactivity timer. The switch sets the timer to 0 for new entries, and resets it to zero each time it receives a frame from that MAC address. The counter counts upward, so at any point in time, if the switch's memory runs out, the switch knows which is the oldest inactive entry in the MAC address table and deletes it to free up memory.
Spanning Tree Protocol (STP) : STP prevents loops by blocking some interfaces (ports) from forwarding frames, so that only one active logical path exists between two LANs in a physically redundant network. In STP a port can be in one of two states: Blocking (cannot send or receive) and Forwarding (can send and receive).

Internal processing on Cisco switches
Store-and-forward processing : With this type of processing a switch must receive the entire frame before it starts forwarding the first bits of the frame.
Cut-through processing : With this type of processing a switch starts forwarding the frame as soon as possible, without waiting for the entire frame to be received. This is possible because the destination MAC address comes early in the Ethernet header. Although this reduces latency, it may cause erroneous frames to be forwarded, because the FCS is placed at the end of the frame and the switch cannot determine whether the forwarded frame was in error.
Fragment-free processing : Works very much like cut-through processing, but tries to reduce the number of errored frames it forwards.

Switching Method    Description
Store-and-forward   The switch fully receives all bits in the frame (stores it) before forwarding the frame. This allows the switch to check the FCS before forwarding the frame.
Cut-through         The switch forwards the frame as soon as it can. This reduces latency but does not allow the switch to discard a frame that fails the FCS check.
Fragment-free       The switch forwards a frame after receiving the first 64 bytes of the frame, thereby avoiding forwarding frames that were errored due to a collision.

LAN Switching Summary
LAN switches provide many additional features compared to LAN hubs and bridges. In particular, LAN switches provide the following benefits:
- A switch port connected to a single device micro-segments the LAN, providing dedicated bandwidth to that device.
- Switches allow multiple simultaneous conversations between devices on different ports.
- A switch port connected to a single device supports full duplex, in effect doubling the available bandwidth to the device.
- Switches support rate adaptation, which means devices using different Ethernet speeds can communicate through the switch (hubs cannot).

Switches use Layer 2 logic, examining the Ethernet data link header to choose how to process frames. In particular, switches make decisions to forward and filter frames, learn MAC addresses, and use STP to avoid loops, as follows:
Step 1. Switches forward frames based on the destination address.
a) If the destination address is a broadcast, multicast, or unknown destination unicast (address not found in the MAC table), the switch floods the frame, sending it out all other ports except the port it was received on.
b) If the destination address is a known unicast address:
1. If the outgoing interface listed in the MAC table is different from the interface the frame came in on, the switch forwards the frame out the outgoing interface.
2. If the outgoing interface listed in the MAC table is the same as the interface the frame came in on, the switch filters the frame, simply ignoring it without forwarding it.
Step 2. Switches use the following logic to learn MAC address table entries:
a) For each received frame, examine the source MAC address and the interface on which the frame was received.
b) If they are not already in the table, add the address and interface, setting the inactivity timer to 0.
c) If the entry is already in the table, reset the inactivity timer to zero.
Step 3. Switches use STP to prevent loops by causing some interfaces to block, meaning that they do not send or receive frames.
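The three-step logic above (forward/filter/flood, learning with an inactivity timer, and eviction of the oldest inactive entry when the table fills) is small enough to model in code. The following Python model is an added example written for these notes, not code from the study guide or from any Cisco product; the port names, the four-entry table size and the two scenarios replay the Fred/Barney figures above, and STP is left out. Multicast and broadcast destinations are recognised by the I/G bit (the low bit of the first octet), which is set for both 0100.5exx.xxxx and FFFF.FFFF.FFFF.

```python
"""Toy model of the Layer 2 logic in the notes: a switch learns source MAC
addresses, forwards known unicasts, filters frames whose outgoing port equals
the incoming port, floods broadcasts/multicasts/unknown unicasts, and uses
an inactivity timer to pick the entry to evict when the table is full.
Added example (this author's own code, not from the study guide)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ffff.ffff.ffff"


def normalize(mac: str) -> str:
    """Cisco dotted notation, lower-cased with stray spaces removed."""
    return mac.replace(" ", "").lower()


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (least-significant bit of
    the first octet) set: ffff.ffff.ffff and 0100.5exx.xxxx both qualify."""
    first_octet = int(normalize(mac).replace(".", "")[:2], 16)
    return bool(first_octet & 0x01)


@dataclass
class Switch:
    ports: List[str]
    max_entries: int = 4          # deliberately tiny so eviction is visible
    # MAC -> (port, inactivity timer in seconds)
    mac_table: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def tick(self, seconds: int = 1) -> None:
        """Time passes: every entry's inactivity timer counts upward."""
        for mac, (port, timer) in list(self.mac_table.items()):
            self.mac_table[mac] = (port, timer + seconds)

    def learn(self, src: str, in_port: str) -> None:
        """Step 2 of the summary: add the source MAC/port, or reset its timer."""
        src = normalize(src)
        if src in self.mac_table:
            self.mac_table[src] = (in_port, 0)
            return
        if len(self.mac_table) >= self.max_entries:
            # Table full: the oldest inactive entry (largest timer) goes first.
            oldest = max(self.mac_table, key=lambda m: self.mac_table[m][1])
            del self.mac_table[oldest]
        self.mac_table[src] = (in_port, 0)

    def forward(self, src: str, dst: str, in_port: str) -> List[str]:
        """Step 1 of the summary. Returns the ports the frame leaves on;
        an empty list means the frame was filtered."""
        self.learn(src, in_port)
        dst = normalize(dst)
        entry = None if is_group_address(dst) else self.mac_table.get(dst)
        if entry is None:
            # broadcast, multicast or unknown unicast: flood out every other port
            return [p for p in self.ports if p != in_port]
        out_port, _ = entry
        if out_port == in_port:
            return []          # filter: destination sits behind the incoming port
        return [out_port]


def demo() -> Dict[str, List[str]]:
    """Replays the two figures from the notes plus a table-full eviction."""
    fred, barney = "0200.1111.1111", "0200.2222.2222"
    results: Dict[str, List[str]] = {}
    sw = Switch(ports=["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"])
    results["unknown_unicast"] = sw.forward(fred, barney, "Fa0/1")   # flooded
    results["reply"] = sw.forward(barney, fred, "Fa0/2")             # Fred now known
    results["known_unicast"] = sw.forward(fred, barney, "Fa0/1")     # Fa0/2 only
    results["broadcast"] = sw.forward(fred, BROADCAST, "Fa0/1")
    # Second figure: Fred and Barney share a hub on Fa0/1, so Barney was
    # learned on Fa0/1 and Fred's frame to him is filtered.
    hub_sw = Switch(ports=["Fa0/1", "Fa0/3", "Fa0/4"])
    hub_sw.forward(barney, fred, "Fa0/1")
    results["hub_filtered"] = hub_sw.forward(fred, barney, "Fa0/1")
    # Inactivity timer: with room for two entries, the longest-idle one is evicted.
    small = Switch(ports=["Fa0/1", "Fa0/2", "Fa0/3"], max_entries=2)
    small.learn("0200.aaaa.aaaa", "Fa0/1")
    small.tick(5)
    small.learn("0200.bbbb.bbbb", "Fa0/2")
    small.tick(1)
    small.learn("0200.cccc.cccc", "Fa0/3")   # evicts 0200.aaaa.aaaa
    results["after_eviction"] = sorted(small.mac_table)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} -> {value}")
```

Running the block prints the flood list for the first frame, the single port once both hosts are learned, the empty list for the hub case, and the two surviving entries after the oldest one is evicted.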

LAN Design Considerations
Collision domain : A collision domain is a set of LAN interfaces whose frames could collide with each other. More precisely, it is a set of network interface cards (NICs) for which a frame sent by one NIC could collide with a frame sent by another NIC in the same collision domain.
Broadcast domain : A broadcast domain is a set of devices where, when one device sends a broadcast, all other devices receive a copy of the broadcast. More precisely, it is a set of NICs for which a broadcast frame sent by one NIC is received by all other NICs in the same broadcast domain. A switch floods broadcasts and multicasts out all ports, so a switch creates a single broadcast domain.
Switches are the much preferred option in a network, as a switch micro-segments the collision domain and devices do not have to share the bandwidth. A very large network with multiple switches still creates a single broadcast domain; this can be split into multiple broadcast domains using a router.

Benefits of segmenting Ethernet devices using hubs, switches and routers (LAN design features compared across hubs, switches and routers)
Feature                                Hub   Switch   Router
Greater cabling distances are allowed  Yes   Yes      Yes
Creates multiple collision domains     No    Yes      Yes
Increases bandwidth                    No    Yes      Yes
Creates multiple broadcast domains     No    No       Yes

Virtual LAN (VLAN) : Without VLANs a switch considers all its interfaces to be in the same broadcast domain. With VLANs a switch can put some interfaces into one broadcast domain and some into another, based on some simple configuration.

Sample network with two VLANs using one switch (figure: one switch with some ports in VLAN 1 and the others in VLAN 2).

Motivations for using VLANs
- To create a more flexible network design that groups users by department, or by groups that work together, instead of by physical location.
- To segment devices into smaller LANs (broadcast domains) to reduce the overhead caused to each host in the VLAN.
- To reduce the workload for STP by limiting a VLAN to a single access switch.
- To enforce better security by keeping hosts that work with sensitive data in a separate VLAN.
- To separate traffic sent by IP phones from traffic sent by the PCs connected to the phones.

Campus LAN design terminology (figure: one building block consisting of core switches Core1 and Core2 joined by core links and connected to other building blocks; distribution switches Dist1 and Dist2 connected to the core by uplinks; and access switches Access1, Access2, Access3 and Access4 connected to the distribution switches by access links).

Access : Provides a connection point (access) for end-user devices; under normal circumstances it does not forward frames between two other access switches.
Distribution : Provides an aggregation point for access switches, forwarding frames between switches, but not connected directly to end-user devices.
Core : Aggregates distribution switches in very large LANs, providing very high forwarding rates.

Ethernet Types, Media and Segment Lengths
Ethernet Type   Media                                  Maximum segment length
10BASE-T        TIA/EIA CAT3 or better, 2 pair         100 m (328 feet)
100BASE-TX      TIA/EIA CAT5 UTP or better, 2 pair     100 m (328 feet)
1000BASE-FX     62.5/125 micron multimode fiber        400 m (1312.3 feet)
1000BASE-CX     STP (shielded twisted pair)            25 m (82 feet)
1000BASE-T      TIA/EIA CAT5e or better, 4 pair        100 m (328 feet)
1000BASE-SX     Multimode fiber                        275 m (853 feet) for 62.5 micron fiber; 550 m (1804.5 feet) for 50 micron fiber
1000BASE-LX     Multimode fiber                        550 m (1804.5 feet) for 50 and 62.5 micron fiber
1000BASE-LX     9 micron single-mode fiber             10 km (6.2 miles)

Broadcast domain : A set of devices that receive broadcast frames originated by any device within the set. All devices in the same VLAN are in the same broadcast domain.
Broadcast frame : An Ethernet frame sent with a destination address of FFFF.FFFF.FFFF, meaning that the frame should be delivered to all hosts in the LAN.
Collision domain : A set of NICs for which a frame sent by one NIC could result in a collision with a frame sent by any other NIC in the same collision domain.
Cut-through switching : One of the three internal processing options in some models of Cisco LAN switches, in which the frame is forwarded as soon as possible, including forwarding bits of the frame before the whole frame is received.
Flooding : The process in which switches forward broadcast, unknown unicast and (sometimes) multicast frames out all other ports except the port on which the frame arrived.
Fragment-free switching : One of the three processing options on some Cisco LAN switches, in which the first bits of the frame may be forwarded before the entire frame is received, but not until the first 64 bytes of the frame have been received; in a well-designed LAN, collision fragments should not be forwarded as a result of this logic.
Microsegmentation : The process in LAN design by which every switch port connects to a single device, creating a separate collision domain per interface.
Segmentation : The process of breaking a large amount of data from an application into pieces of a size appropriate to be sent through the network.
Spanning Tree Protocol (STP) : A bridge protocol that uses the Spanning Tree Algorithm, allowing switches to dynamically work around loops in a network topology by creating a spanning tree. Switches exchange Bridge Protocol Data Unit (BPDU) messages with other bridges to detect loops, and remove the loops by shutting down selected bridge interfaces.
Store-and-forward switching : One of the three processing options in some Cisco LAN switches, in which an Ethernet frame must be completely received before the switch can begin forwarding the first bit of the frame.
Unknown unicast frame : An Ethernet frame whose destination MAC address is not listed in the MAC address table of the switch, so the switch must flood the frame.
Virtual LAN : A group of devices connected to one or more switches, with the devices grouped into a single broadcast domain through switch configuration. VLANs allow switch administrators to separate devices connected to switches into separate VLANs without requiring separate physical switches, gaining the design advantage of separating traffic without buying additional hardware.

Please go to Do I know this Already QUIZ. Chapter 7. :- Page 168.


Chapter 8 Operating Cisco LAN Switches


CLI : Command Line Interface.
Cisco positions the 2960 series (family) of switches as full-featured, low-cost wiring closet switches for enterprises. Cisco refers to a switch's physical connectors as either interfaces or ports. Each interface has a name and a number, e.g. interface FastEthernet 0/1, interface GigabitEthernet 0/1.
Cisco supports two major operating systems: Internetwork Operating System (IOS) and Catalyst Operating System (CatOS). Cisco uses the term Hybrid to refer to 6500 series core switches that use CatOS, and the term Native to refer to 6500 series core switches that use IOS.

Cisco 2960 switch LEDs and the Mode button (figure): SYST, RPS, STAT, Duplex, Speed LEDs, the MODE button, and the port LEDs.

LEDs and descriptions
SYST (System) : Shows the overall system status. Off : the system is not powered on. On (green) : the switch is powered on and operational (Cisco IOS has been loaded). On (amber) : the switch's power-on self test (POST) failed and Cisco IOS did not load.
RPS (Redundant power supply) : Suggests the status of the redundant (extra) power supply.
STAT (Status) : If on (green), each port LED shows that port's status. Port LED Off : the link is not working. Solid green : the link is working but there is no current traffic. Flashing green : the link is working and traffic is currently passing over the interface. Flashing amber : the interface is administratively disabled or has been dynamically disabled for one of many reasons.
DUPLX (Duplex) : If on (green), each port LED shows that port's duplex setting. Port LED On (green) : full duplex. Off : half duplex.
SPEED : If on (green), each port LED shows the speed of that port. Port LED Off : 10 Mbps. Solid green : 100 Mbps. Flashing green : 1000 Mbps (1 Gbps).
Port : Has different meanings depending on the port mode, as toggled using the MODE button.

Accessing the Cisco IOS CLI
The console port allows a way to connect to the switch CLI even if the switch is not connected to a network. Every Cisco switch has a console port, which is physically an RJ-45 port. A PC connects to the console port using an RJ-45 port.
Default console port settings on a Cisco switch:
Baud rate : 9600 bits/second
Flow control : none (no hardware flow control)
Data : 8-bit ASCII
Stop bit : none (no stop bits)
Parity : 1 bit (1 parity bit)

Accessing the CLI using Telnet and SSH
The Telnet client (PC) needs terminal emulator software with a Telnet/SSH client installed; the switch runs the Telnet server software. Telnet sends all data, including the username and password, as clear text, which raises a security threat. SSH (Secure Shell) does the same basic things as Telnet, but in a more secure way, by using encryption.

CLI password configuration : console and Telnet access
Access From   Password Type      Sample Configuration
Console       Console password   line console 0 / login / password faith
Telnet        vty password       line vty 0 15 / login / password love

Switches support up to 16 (0-15) concurrent virtual terminal connections, including Telnet and SSH.

User and Privileged Modes (figure): a console, Telnet or SSH session starts in user mode (Router>). The enable command, followed by the password prompt (Password: xxxx), moves the session to enable (privileged) mode (Router#); the disable command returns it to user mode (Router>).

Preferred method for setting password for reaching the enable mode is the Enable Secret password command.


Cisco IOS software command help
What you enter        What help you get
?                     Help for all commands available in this mode
help                  Text describing how to get help; no actual command help is given
command ?             Text help describing all the first-parameter options for the command
com?                  A list of commands that start with com
command parm?         Lists all parameters starting with parm
command parm<Tab>     The CLI autofills the rest of the parameter
command parm1 ?       Lists all the next parameters with a brief description

Key sequences for command edit and recall
Keyboard command        What it does
Up arrow or Ctrl-P      Displays previously entered commands
Down arrow or Ctrl-N    Moves down to more recent commands in the history list
Left arrow or Ctrl-B    Moves the cursor backward (left) in the currently displayed command
Right arrow or Ctrl-F   Moves the cursor forward (right)
Backspace               Moves back, deleting characters
Ctrl-A                  Moves to the first character of the command
Ctrl-E                  Moves directly to the end of the command
Ctrl-R                  Redisplays the command
Ctrl-D                  Deletes a single character
Esc-B                   Moves back one word
Esc-F                   Moves forward one word

Debug and show commands
The show command lists the currently known facts about the switch's operational status. The debug command asks the switch to continuously monitor different processes in the switch. The terminal monitor command enables users to view the debug log messages.
debug spanning-tree (enables debugging of the spanning-tree process)
no debug spanning-tree (disables debugging of the spanning-tree process)
no debug all or undebug all (disables all the currently enabled debugs)

CLI Configuration Modes vs EXEC Modes (figure): the enable command moves from user EXEC mode to privileged EXEC mode; configure terminal (config t) moves from privileged EXEC mode into configuration mode, where each command is applied in succession to the active config in RAM; Ctrl-Z or exit returns to privileged EXEC mode.

Navigation between different configuration modes
Switch# configure terminal
Switch(config)# hostname Fred
Fred(config)# line console 0
Fred(config-line)# password hope
Fred(config-line)# interface FastEthernet 0/1
Fred(config-if)# speed 100
Fred(config-if)# exit
Fred(config)#
The text inside the parentheses in the command prompt identifies the configuration mode.

Common switch configuration modes (prompt, name of the configuration mode, and the command used to reach the mode)
Prompt                   Name of Mode                   Context-setting commands to reach this mode
hostname(config)#        Global configuration mode      None; first mode after the configure terminal command
hostname(config-line)#   Line configuration mode        line console 0, line vty 0 15
hostname(config-if)#     Interface configuration mode   interface type number

Storing configuration files
Cisco switch memory types (figure):
RAM : working memory and the running configuration
Flash : Cisco IOS software
ROM : bootstrap program
NVRAM : startup configuration
(NVRAM : non-volatile RAM)

Names and purposes of the two main Cisco IOS configuration files
startup-config : Stores the initial configuration used any time the switch reloads Cisco IOS. Stored in NVRAM.
running-config : Stores the currently used configuration commands; this file changes dynamically when someone enters commands in configuration mode. Stored in RAM.

Configuration commands change only the running-config. If you want to save the config, the running-config must be copied to NVRAM, overwriting the startup-config, so that the new or changed configuration is included the next time the switch is reloaded.

Locations for copying configuration files and results of copying (figure: RAM, NVRAM and a TFTP server)
copy tftp running-config (TFTP server to RAM)
copy running-config tftp (RAM to TFTP server)
copy running-config startup-config (RAM to NVRAM)
copy startup-config running-config (NVRAM to RAM)
copy tftp startup-config (TFTP server to NVRAM)
copy startup-config tftp (NVRAM to TFTP server)

The copy command always replaces the existing file when configuration files are copied to NVRAM or a TFTP server, but when copied to RAM (running-config) the file is always merged, not replaced. If you change the running-config and want to revert to the startup-config, a copy startup-config running-config will not necessarily make both configs match; instead you may have to issue a reload command, which reboots the switch, erasing RAM and copying the startup-config into the RAM running-config.
Commands to erase NVRAM:
write erase
erase startup-config
erase nvram:
Other names for the config files:
nvram:startup-config
system:running-config

Initial Configuration - Setup Mode
Getting into setup mode (flowchart): Turn on the switch. Is NVRAM empty? If no, copy the startup-config to the running-config and complete IOS initialization. If yes, the switch asks whether you want to enter setup mode: if no, complete IOS initialization; if yes, answer the questions in setup mode, and the new configuration is moved to NVRAM.

Setup mode writes the configuration to both Startup and running config files, whereas the configuration mode changes only the running config file.

CLI : Command Line Interface. An interface that enables the user to interact with the operating system by entering commands and optional arguments.
Secure Shell (SSH) : A TCP/IP application layer protocol that supports terminal emulation between a client and a server, using dynamic key exchange and encryption to keep the communication private and secure.
Enable mode : The part of the Cisco CLI where a user can use the most powerful and disruptive commands on a router or switch, including the ability to reach configuration mode and reconfigure the device.
User mode : A mode of the user interface to a Cisco router or switch where a user can only type non-disruptive EXEC commands, generally to look at the current status, but not to change any operational settings.
Configuration mode : The part of the Cisco IOS CLI where a user can enter configuration commands, which are then added to the device's currently used configuration file (running-config).
startup-config file : In Cisco IOS switches and routers, the name of the file that resides in NVRAM, holding the device's configuration that will be loaded into RAM as the running-config file when the device is next reloaded or powered on.
running-config : In Cisco IOS switches and routers, the name of the file that resides in RAM, holding the device's currently used configuration.
Setup mode : An option on Cisco switches and routers that prompts the user for basic configuration information, resulting in new running-config and startup-config files.

Configuration Commands
Command                        Mode and Purpose
line console 0                 Global command that changes the context to console configuration mode
line vty 1st-vty 2nd-vty       Global command that changes the context to line (vty) configuration mode for the range of vty lines listed in the command
login                          Line (console and vty) configuration mode. Tells IOS to prompt for a password (no username)
password pass-value            Line (console, vty) configuration mode. Lists the password required if the login command (with no other parameters) is configured
interface type port-number     Global command that changes the context to interface mode, e.g. interface FastEthernet 0/1
shutdown / no shutdown         Interface subcommand that disables or enables the interface, respectively
hostname name                  Global command that sets the switch's hostname, which is also used as the first part of the switch's command prompt
enable secret pass-value       Global command that sets the automatically encrypted enable secret password. This password is used for any user to reach enable mode
enable password pass-value     Global command that sets the clear-text enable password. This is used only when the enable secret password is not configured
exit                           Moves back to the next higher mode in configuration mode
end                            Exits configuration mode and goes back to enable mode from any of the configuration submodes
Ctrl-Z                         Same as the end command

EXEC Command Reference
no debug all / undebug all : Enable mode EXEC command to disable all the currently enabled debugs.
show process : EXEC command that lists statistics of CPU utilization.
terminal monitor : EXEC command that tells Cisco IOS to send a copy of all syslog messages, including debug messages, to the Telnet or SSH user who issues the command.
reload : Enable mode EXEC command that reloads (reboots) the switch or router.
copy from-location to-location : Enable mode EXEC command that copies a file from one location to another; locations include the startup-config and running-config files, files on TFTP and RPC servers, and flash memory.
copy running-config startup-config : Enable mode EXEC command that saves the active config, replacing the startup-config file used when the switch initializes.
copy startup-config running-config : Enable mode EXEC command that merges the startup-config with the currently active config file in RAM.
show running-config : Lists the contents of the running-config.
write erase / erase startup-config / erase nvram: : All three enable mode EXEC commands erase the startup-config file.
setup : Enable mode EXEC command that places the user in setup mode, in which Cisco IOS prompts the user for simple switch configuration.
quit : EXEC command that disconnects the user from the CLI session.
show system:running-config : Same as the show running-config command.
show startup-config : Lists the contents of the startup-config (initial config) file.
show nvram:startup-config / show nvram: : Same as show startup-config.
enable : Moves the user from user mode to enable (privileged) mode and prompts the user for a password if one is configured.
disable : Moves the user from enable mode to user mode.
configure terminal : Enable mode command that moves the user into configuration mode.

Please go to Do I know this Already QUIZ. Chapter 8. :- Page 198.


Chapter 9 Ethernet Switch Configurations


Configuring basic passwords and hostname
Switch> enable
Switch# configure terminal   (EXEC command to move from enable mode to configuration mode)
Switch(config)# enable secret cisco
Switch(config)# hostname emma
In global configuration mode the user enters two global configuration commands that add configuration to the whole switch (enable secret and hostname). enable secret sets the only password used to reach enable mode, so it is a global command.
Emma(config)# line console 0
Emma(config-line)# password faith
Emma(config-line)# login
Emma(config-line)# exit
The login command, which tells the switch to ask for a text password but not a username, and the password command, which defines the required password, are subcommands in the respective line configuration submodes.
Emma(config)# line vty 0 15
Emma(config-line)# password love
Emma(config-line)# login
Emma(config-line)# exit
Emma(config)# exit
Emma#
Emma# show running-config
hostname emma
enable secret 5 $90345824kosdfjsdfmld908v/m
line console 0
 password faith
 login
line vty 0 4
 password love
 login
line vty 5 15
 password love
 login

Vty lines 5-15 (11 vty lines) were added later to vty 0-4 (5 vty lines), making a total of 16 concurrent vty lines available on a Cisco switch.

SSH Configuration Concepts (figure: the switch and an SSH client; the switch generates a public/private key pair, and the SSH client holds a copy of the switch's public key). The numbered commands on the switch are:
line vty 0 15
 1. login local
 2. transport input telnet ssh
3. username wendell password hope
4. ip domain-name example.com
5. crypto key generate rsa (the switch generates the keys)

Step 1 : login local changes the vty lines to use usernames (the plain login command does not require usernames) with locally configured usernames (the other option is usernames configured on an AAA server). In this case the login local subcommand defines the use of local usernames, replacing the login subcommand in vty configuration mode.
Step 2 : transport input telnet ssh (a vty line configuration subcommand) tells the switch to accept both Telnet and SSH; the default is transport input telnet, which omits SSH.
Step 3 : Add one or more username name password pass-value global configuration commands to configure username/password pairs.

Step 4 : Configure the DNS domain name with the ip domain-name name global configuration command.
Step 5 : Configure the switch to generate a matched public and private key pair, as well as a shared encryption key, using the crypto key generate rsa global configuration command.
Step 6 : SSH clients need a copy of the switch's public key before the client can connect.

SSH configuration process
Emma# configure terminal
Emma(config)# line vty 0 15
Emma(config-line)# login local
Emma(config-line)# transport input telnet ssh
Emma(config-line)# exit
Emma(config)# username wendell password hope
Emma(config)# ip domain-name example.com
Emma(config)# crypto key generate rsa
The name of the key will be: emma.example.com
Refer to page 241 for SSH key generation and public key listings.

Password Encryption
The service password-encryption global configuration command encrypts the passwords.
- When the service password-encryption command is configured, all existing console, vty and username command passwords are immediately encrypted.
- If the service password-encryption command has already been configured, any future changes to these passwords are encrypted.
- If the no service password-encryption command is used later, the passwords remain encrypted until they are changed, at which point they show up in clear text.

service password-encryption uses Type 7 encryption, which is a weak encryption algorithm that can be decrypted easily.

The two enable mode passwords
- If the global configuration command enable password pass-value is used, it defines the password required when using the enable EXEC command. This password is listed as clear text in the configuration file by default.
- If the global configuration command enable secret pass-value is used, it defines the password required when using the enable EXEC command. This password is listed as a hidden MD5 hash value in the configuration file by default.
- If both commands are used, the password set in the enable secret command is the one required.

IOS applies a mathematical function called Message Digit 5 (MD5) hash, and the results is stored in configuration file, and is considered to be a Type 5 encryption type. Enable secret fred Enable secret 0 fred (sets the enable secret password as Fred, 0 implies that the password following is clear text) No enable secret (deletes the enable secret password) Enable secret tom (changes the enable secret password to tom) Banner Configurations Banner is a Global configuration command SW1 (Config) # banner # Switch down for maintenance at 11 pm today # (default banner is MOTD Message of the day banner, shown before the login prompt, ) SW1 (Config) # banner login # Unauthorized Access Denied # (login banner, shown before the login prompt, after the MOTD banner) SW1 (Config) # banner exec Z Company picnic at the park on Saturday, dont tell outsiders Z (EXEC banner, shown after the login prompt, messages that should be hidden from unauthorised users)


(The first non-blank character after the banner [type] command is taken as the delimiter, and the text between the two delimiters is displayed.)

Commands related to the history buffer
Command                     Description
show history                Lists the commands currently held in the history buffer
history size x              From console or vty line configuration mode, sets the number of commands saved in the history buffer
terminal history size x     EXEC command; sets the size of the history buffer just for that user's session

Defining console inactivity timeouts and when to log messages
line console 0
 login
 password cisco
 exec-timeout 0 0 (the line never times out; handy in a lab, but on a production device an unattended console session then stays logged in indefinitely)
 logging synchronous (displays syslog messages at a convenient time, after a command's output, rather than in the middle of a command being typed)

LAN Switch Configuration and Operation
Configuring Switch IP Address
An IOS-based switch configures its IP address and mask on a special virtual interface, the VLAN 1 interface.
Step 1. Enter VLAN 1 configuration mode using the interface vlan 1 global configuration command.
Step 2. Assign the IP address and mask using the ip address ip-address mask interface subcommand.
Step 3. Enable the VLAN interface using the no shutdown interface subcommand.
Step 4. Add the ip default-gateway ip-address global command to configure the default gateway.


Switch static IP address configuration
Emma# configure terminal
Emma(config)# interface vlan 1
Emma(config-if)# ip address 192.168.1.200 255.255.255.0
Emma(config-if)# no shutdown
Emma(config-if)# exit
Emma(config)# ip default-gateway 192.168.1.1
(refer to page 249 for the syslog messages)

Switch dynamic IP address configuration using DHCP
Emma# configure terminal
Emma(config)# interface vlan 1
Emma(config-if)# ip address dhcp
Emma(config-if)# no shutdown
Emma(config-if)# ^Z
Emma# show dhcp lease (shows the temporarily leased IP address; a dynamically learned address is not stored in the running-config, whereas a statically configured one is)
Emma# show interface vlan 1
Vlan1 is up, line protocol is up
(refer to page 250 for the syslog messages)

Interface Configuration Commands
Emma# configure terminal
Emma(config)# interface fastethernet 0/1
Emma(config-if)# speed 100
Emma(config-if)# duplex full
Emma(config-if)# description server 1 connects here
Emma(config-if)# exit
Emma(config)# interface range fastethernet 0/11 - 20
Emma(config-if-range)# description end-users connect here
Emma(config-if-range)# ^Z


Emma# show interface status
Port     Name                      Status       Vlan   Duplex   Speed   Type
Fa0/1    Server 1 connects here    notconnect   1      full     100     10/100BaseTX
Fa0/2                              notconnect   1      auto     auto    10/100BaseTX
Fa0/4                              connected    1      a-full   a-100   10/100BaseTX
Fa0/11   end users connect here    connected    1      auto     auto    10/100BaseTX
...
Fa0/24

(please refer to page 252 for the full listing)
a-full, a-100 (line 3) means the interface autonegotiated full duplex and 100 Mbps with the physically connected device.

Port Security
If a network engineer knows which devices should be cabled and connected to a particular interface on a switch, the engineer can use port security to restrict that interface so that only the expected devices can use it.
Port Security Configuration Steps
Step 1. Make the switch interface an access interface using the switchport mode access interface subcommand.
Step 2. Enable port security using the switchport port-security interface subcommand.
Step 3. (Optional) Specify the maximum number of MAC addresses associated with the interface using the switchport port-security maximum number interface subcommand. The default maximum is 1.
Step 4. (Optional) Define the action to take when a frame is received from a MAC address other than the allowed addresses using the switchport port-security violation {protect | restrict | shutdown} interface subcommand. The default action is to shut down the port.
Step 5A. Specify the MAC addresses allowed to send frames into the interface using the switchport port-security mac-address mac-address interface subcommand. Use the command once per allowed MAC address.
Step 5B. Alternatively, use sticky learning to dynamically learn and configure the MAC address of the currently connected host with the switchport port-security mac-address sticky interface subcommand. (Sticky addresses are written into the running-config; save the configuration or they are lost on reload.)


Fred# show port-security interface fastethernet 0/1
Fred# show port-security interface fastethernet 0/2
Refer to page 255 for the output listing. Note the port status: secure-shutdown on Fa0/1 (the port was shut down because of a violation) and secure-up on Fa0/2.

Actions when a port security violation occurs
Options on the switchport port-security violation command
Option               Discards offending traffic   Sends log and SNMP messages   Disables the interface, discarding all traffic
protect              Yes                          No                            No
restrict             Yes                          Yes                           No
shutdown (default)   Yes                          Yes                           Yes
An interface that port security has placed in the err-disabled state stays down until an administrator issues shutdown followed by no shutdown on it (or errdisable recovery is configured).

VLAN Configuration
Two types of Cisco switch interfaces: access interfaces and trunk interfaces.
By definition access interfaces send and receive frames in only a single VLAN, called the access VLAN. Trunk interfaces send and receive frames in multiple VLANs.
One access port belongs to one VLAN (one VLAN can have multiple access ports, a subset of the switch's access ports).
One trunk port carries multiple VLANs.
By default switches have VLAN 1 configured with all interfaces assigned to it. To add another VLAN and assign access ports to it, follow the steps below.
Step 1. To configure a new VLAN:
a) from global configuration mode, use the vlan vlan-id global configuration command to create the VLAN and move the user into VLAN configuration mode
b) (optional) use the name vlan-name VLAN subcommand to set the name of the VLAN. If not configured, the default name is VLANzzzz, where zzzz is the four-digit VLAN ID.


Step 2. To configure the VLAN for each access interface:
a) use the interface command to move to interface configuration mode for each desired interface
b) use the switchport access vlan id-number interface subcommand to specify the VLAN associated with that interface
c) (optional) to disable trunking, so that the switch will not dynamically decide to use trunking on the interface and it remains an access interface, use the switchport mode access interface subcommand

Figure: SW1 with Fa0/11 and Fa0/12 assigned to VLAN 1 and Fa0/13 and Fa0/14 assigned to VLAN 2.

SW1# show vlan brief
SW1# configure terminal
SW1(config)# vlan 2
SW1(config-vlan)# name fred-vlan
SW1(config-vlan)# exit
SW1(config)# interface range fastethernet 0/13 - 14
SW1(config-if-range)# switchport access vlan 2
SW1(config-if-range)# end
SW1# show running-config
SW1# show vlan brief
Please refer to page 258 for the command output listings.


Note: name fred-vlan (the VLAN name is case-sensitive).

Securing unused interfaces. The recommendations to secure unused interfaces are:
Administratively shut down the interface using the shutdown interface subcommand.
Prevent VLAN trunking and VLAN Trunking Protocol (VTP) by making the port a nontrunking interface with the switchport mode access interface subcommand.
Assign the port to an unused VLAN using the switchport access vlan vlan-number interface subcommand.

Access Interface: a LAN network design term that refers to a switch interface connected to end-user devices.
Trunk Interface: on a LAN switch, an interface that is currently using either 802.1Q or ISL trunking.
Trunking: also called VLAN trunking, a method using either the Cisco ISL protocol or the IEEE 802.1Q protocol to support multiple VLANs that have members on more than one switch.

Configuration Command Reference
Command                                   Mode/Purpose/Description

Basic password configuration (the following four commands)
line console 0                            Changes the context to console configuration mode
line vty 1st-vty 2nd-vty                  Changes the context to vty configuration mode for the range of vty lines listed
login                                     Console and vty configuration mode; tells IOS to prompt for a password
password pass-value                       Console and vty configuration mode; sets the password required if the login command (without any other parameter) is configured

Username/password and SSH configuration (the following four commands)
login local                               Console and vty configuration mode; tells IOS to prompt for a username and password, checked against the username global configuration commands on this switch or router
username name password pass-value         Global command; defines one of possibly many usernames and associated passwords, used for user authentication when the login local line subcommand is configured
crypto key generate rsa                   Global command; creates the RSA key pair required by SSH and stores it in a hidden location in flash memory
transport input {telnet | ssh}            vty line configuration mode; defines whether Telnet and/or SSH is allowed into this switch. Both values can be listed in one command to allow both

IP address configuration (the following four commands)
interface vlan number                     Changes the context to VLAN interface mode. For VLAN 1, allows configuration of the switch's IP address
ip address ip-address subnet-mask         VLAN interface mode; statically configures the switch's IP address and mask
ip address dhcp                           VLAN interface mode; configures the switch as a DHCP client to discover its IP address, subnet mask and default gateway
ip default-gateway address                Global command; configures the switch's default gateway IP address. Not required if the switch uses DHCP

Interface configuration (the following six commands)
interface type port-number                Changes the context to interface mode, e.g. interface fastethernet 0/1
interface range type port-range           Changes the context to interface mode for the range of interfaces
shutdown / no shutdown                    Interface mode; disables or enables the interface
speed {10 | 100 | 1000 | auto}            Interface mode; manually sets the speed, or with auto negotiates it
duplex {half | full | auto}               Interface mode; manually sets the duplex to half or full, or with auto negotiates it
description text                          Interface mode; sets a description for the interface

Miscellaneous configuration commands
hostname name                             Global command; sets the switch's host name, also used as the first part of the command prompt
enable secret pass-value                  Global command; sets the password required for any user to reach enable mode
history size length                       Line configuration mode; defines the number of commands held in the history buffer
switchport port-security mac-address mac-address     Interface subcommand; statically adds an allowed MAC address on that interface
switchport port-security mac-address sticky          Interface subcommand; tells the switch to learn MAC addresses on the interface and add them to its configuration as secure addresses
switchport port-security maximum number              Interface subcommand; sets the maximum number of secure MAC addresses on a single interface
switchport port-security violation {protect | restrict | shutdown}   Interface subcommand; tells the switch what to do if a frame from a disallowed MAC address arrives on a secure switch port

EXEC command reference
Command                                       Purpose
show mac address-table dynamic                Lists the dynamically learned entries in the switch's MAC address table
show dhcp lease                               Lists the information the switch acquired as a DHCP client, including IP address, subnet mask and default gateway
show crypto key mypubkey rsa                  Lists the public key created for use with SSH by the crypto key generate rsa global configuration command
show interface status                         Lists one output line per interface, noting the description, operating state, and duplex and speed settings of each interface
show interface vlan 1                         Lists the interface status, the switch's IP address and mask, and much more
show port-security interface type number      Lists an interface's port security configuration settings and security operational status

Please go to Do I know this Already QUIZ. Chapter 9. :- Page 232.


Chapter 10 Ethernet Switch Troubleshooting


Organized troubleshooting steps
Step 1. Analyzing/predicting normal operation
Step 2. Problem isolation
Step 3. Root cause analysis

Verifying Network Topology using Cisco Discovery Protocol
The proprietary Cisco Discovery Protocol (CDP) discovers basic information about neighbouring switches and routers by listening to the CDP messages those neighbours send out on each of their interfaces. CDP discovers several useful details about neighbouring Cisco devices (information gathered by CDP):
Device identifier: typically the hostname
Address list: network and data-link addresses
Local interface: the interface on the router or switch issuing the show cdp command on which the neighbour was discovered
Port identifier: text that identifies the port the neighbouring device used to send the CDP message to the local device
Capabilities list: information on what type of device it is (switch, router, etc.)
Platform: the model and OS level running on the device

show cdp commands that list information about neighbouring devices
Command                              Description
show cdp neighbors [type number]     Lists one summary line of information about each neighbour, or just the neighbour found on the specified interface if an interface is listed
show cdp neighbors detail            Lists one large set (about 15 lines) of information, one set for every neighbour
show cdp entry name                  Lists the same information as show cdp neighbors detail, but only for the named neighbour (the name is case-sensitive), e.g. show cdp entry R1

no cdp enable (interface subcommand to disable CDP on that interface)
cdp enable (interface subcommand to re-enable CDP on that interface)
no cdp run (disables CDP globally on the switch)
cdp run (re-enables CDP globally on the switch)
CDP messages are unauthenticated and carry the hostname, platform, software version and addresses listed above, so any device plugged into a port learns them. Disable CDP on interfaces facing end users or untrusted networks, and leave it enabled only on links between your own switches and routers where you rely on it.
Please refer to page 281 for the CDP command output listings.


Commands used to verify CDP operation
Command                            Description
show cdp                           States whether CDP is enabled globally, and lists the default update and holdtime timers
show cdp interface [type number]   States whether CDP is enabled on each interface, or on the interface listed, and states the update and holdtime timers on those interfaces
show cdp traffic                   Lists global statistics for the number of CDP advertisements sent and received

Analysing Layer 1 and 2 Interface Status
Two types of interface status codes:
1. two codes or words: line status and protocol status, the same as for routers
2. a one-code or one-word status
The following commands list the two-code interface status:
show interfaces
show interfaces description
The following command lists the one-word interface status:
show interfaces status
The show interfaces command lists the actual speed and duplex settings but does not say whether they were configured or autonegotiated. The show interfaces status command adds the prefix a- when the speed and duplex were autonegotiated and omits the prefix if they were configured.

LAN Switch Interface Status Codes
Line status             Protocol status       One-word status   Typical root cause
administratively down   down                  disabled          The interface is configured with the shutdown command
down                    down                  notconnect        No cable, bad cable, wrong cable pinouts, the speeds are mismatched on the two connected devices, the device on the other end of the cable is powered off, or the other interface is shut down
up                      down                  notconnect        An up/down state is not expected on LAN switch interfaces
down                    down (err-disabled)   err-disabled      Port security has disabled the interface
up                      up                    connect           The interface is working

Interface speed and duplex issues
Interfaces can use autonegotiation, or the speed {10 | 100 | 1000} and duplex {half | full} commands can set the speed and duplex manually, which disables autonegotiation.
show interfaces and show interfaces status both list the speed and duplex settings.
When the IEEE autonegotiation process works on both devices, they agree on the fastest speed supported by both, and on full duplex if both support it, otherwise half duplex (the Cisco 2960 switch supports full duplex). However, when one device disables autonegotiation (by manually setting speed and duplex) and the other device still uses autonegotiation, the autonegotiating device chooses its duplex setting based on the speed it can sense, using these defaults:
If the speed is not known, use 10 Mbps, half duplex
If the speed is somehow known to be 10 or 100 Mbps, default to half duplex
If the speed is somehow known to be 1000 Mbps, default to full duplex

If the duplex settings do not match on the two ends of an Ethernet segment, the switch interface will still be in an up/up (connect) state, but the link will work poorly. To troubleshoot a duplex mismatch, check the duplex settings on each end of the link, or watch for increasing collision and late collision counters.

Common Layer 1 problems on working interfaces
Interface counters for Layer 1 problems
show interfaces fa0/13
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     95226 packets output
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
Please refer to page 288 for the full listing.


CRC counter: Cyclic Redundancy Check counter, counts frames discarded because the FCS check failed.
Collisions counter: counts collisions that occurred in the first 64 bytes of the frame.
Late collision counter: counts collisions that occurred after the first 64 bytes of the frame had already been sent.
A significant problem exists if more than 0.1% of the total output packets have collided.
Incrementing late collisions means one of two things:
The interface is connected to a collision domain whose cabling exceeds the Ethernet cable length standards.
The interface is using half duplex and the device on the other end of the cable is using full duplex.

Common LAN Layer 1 problem indicators
Type of problem                  Counter values indicating this problem                   Common root cause
Excessive noise (interference)   Many input errors, few collisions                        Wrong cable category (Cat 5, 5e, 6), damaged cables, EMI
Collisions                       More than roughly 0.1% of all frames are in collision    Duplex mismatch (seen on the half-duplex side); jabber; DoS attack
Late collisions                  Increasing late collisions                               Collision domain or single cable too long; duplex mismatch

Jabber: a device sends frames continuously without a break, not conforming to the Ethernet standards.
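As an added example (not code from the study guide), here is the duplex fallback rule above expressed as a function, together with a check that applies the counter thresholds from the problem table to show interfaces output. The show interfaces excerpts are constructed for the example, and the capability model (an autonegotiating side supports half and full duplex at every speed up to its maximum) is an assumption of the code.

```python
import re


def negotiate(local: dict, remote: dict):
    """Speed/duplex each side ends up with, following the fallback rule above.

    A side is either {"auto": True, "max_speed": N} (assumed to support half
    and full duplex at every speed up to N) or {"auto": False, "speed": N,
    "duplex": "half" | "full"}.  Returns ((speed, duplex), (speed, duplex))
    for local and remote, or None when the speeds cannot match at all.
    """
    def resolve(me, peer):
        if not me["auto"]:
            return me["speed"], me["duplex"]
        if not peer["auto"]:
            # Speed is sensed from the peer's signalling, but duplex cannot be
            # learned without negotiation, so the default applies.
            if peer["speed"] > me["max_speed"]:
                return None
            speed = peer["speed"]
            return speed, ("full" if speed == 1000 else "half")
        speed = min(me["max_speed"], peer["max_speed"])
        return speed, "full"  # both negotiate: fastest common speed, full duplex

    a, b = resolve(local, remote), resolve(remote, local)
    return None if a is None or b is None else (a, b)


def duplex_mismatch(local: dict, remote: dict) -> bool:
    result = negotiate(local, remote)
    return result is not None and result[0][1] != result[1][1]


_COUNTERS = {
    "packets_output": r"(\d+) packets output",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "collisions": r"(\d+) collisions,",      # trailing comma keeps "late collision" out
    "late_collisions": r"(\d+) late collision",
}


def parse_counters(show_interfaces: str) -> dict:
    """Pull the Layer 1 counters and the duplex mode out of show interfaces text."""
    c = {}
    for key, pattern in _COUNTERS.items():
        m = re.search(pattern, show_interfaces)
        c[key] = int(m.group(1)) if m else 0
    m = re.search(r"(Half|Full)-duplex", show_interfaces)
    c["duplex"] = m.group(1).lower() if m else "unknown"
    return c


def diagnose(c: dict) -> list:
    """Apply the thresholds from the Layer 1 problem table to parsed counters."""
    problems = []
    if c["late_collisions"] > 0:
        problems.append("late collisions: cable/collision domain too long, "
                        "or duplex mismatch (this is the half-duplex side)")
    if c["packets_output"] and c["collisions"] / c["packets_output"] > 0.001:
        problems.append("collision rate above 0.1%: duplex mismatch, jabber or DoS")
    if c["input_errors"] > 0 and c["collisions"] == 0:
        problems.append("input/CRC errors without collisions: noise, wrong cable "
                        "category or damaged cable (or the full-duplex side of a mismatch)")
    return problems


# Constructed show interfaces excerpts (not captured from a real switch).
HEALTHY = """\
FastEthernet0/13 is up, line protocol is up (connected)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     95226 packets output, 10302830 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""
HALF_SIDE_OF_MISMATCH = """\
FastEthernet0/13 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     95226 packets output, 10302830 bytes, 0 underruns
     0 output errors, 140 collisions, 1 interface resets
     0 babbles, 12 late collision, 0 deferred
"""
NOISY_CABLE = """\
FastEthernet0/14 is up, line protocol is up (connected)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
     53 input errors, 53 CRC, 0 frame, 0 overrun, 0 ignored
     4000 packets output, 480000 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

if __name__ == "__main__":
    switch = {"auto": False, "speed": 100, "duplex": "full"}   # speed 100 / duplex full
    pc = {"auto": True, "max_speed": 100}
    print("switch fixed, PC auto:", negotiate(switch, pc), "mismatch:", duplex_mismatch(switch, pc))
    for name, text in ("healthy", HEALTHY), ("half side", HALF_SIDE_OF_MISMATCH), ("noisy", NOISY_CABLE):
        print(name, diagnose(parse_counters(text)))
```

The switch-fixed/PC-auto case is the classic one: the switch port reports 100/full and up/up, the PC silently settles on 100/half, and only the PC side's collision counters give the mismatch away.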

Analysing the Layer 2 forwarding path with the MAC address table
show mac address-table and show mac address-table dynamic list the contents of the switch's MAC address table.
The switch's forwarding logic can be summarized as follows.
Step 1. Determine the VLAN in which the frame should be forwarded. On access interfaces this is based on the access VLAN associated with the incoming interface.


Step 2. Look for the frame's destination MAC address in the MAC address table, but only among the entries for the VLAN identified in Step 1. If the destination MAC is:
A. Found (unicast): forward the frame out only the interface listed in the matched address table entry.
B. Not found (unicast): flood the frame out all other interfaces in that same VLAN, except the incoming interface.
C. Broadcast or multicast: flood the frame out all other interfaces in that same VLAN, except the incoming interface.

Figure: Fred (0200.1111.1111) connects to SW1 Fa0/9 and Barney (0200.2222.2222) to SW1 Fa0/12; SW1 Gi0/1 connects to SW2 Gi0/2; SW2 Fa0/13 connects to router R1 (0200.5555.5555, whose interface is labelled Fa0/1 in the figure).

Barney forwards a frame to its default gateway router R1, and the following forwarding steps occur.
Step 1. SW1 receives the frame on its Fa0/12 interface and sees that it is assigned to VLAN 1.
Step 2. SW1 looks for its MAC table entry for 0200.5555.5555 in the incoming interface's VLAN (VLAN 1).
a) SW1 finds an entry, associated with VLAN 1 and outgoing interface Gi0/1, so SW1 forwards the frame out only Gi0/1. The frame is now on its way to SW2, and the steps below explain SW2's forwarding logic.


Step 1. SW2 receives the frame on its Gi0/2 interface and sees that it is assigned to VLAN 1.
Step 2. SW2 looks for its MAC table entry for the destination 0200.5555.5555 (R1) in the incoming interface's VLAN (VLAN 1).
a) SW2 finds an entry, associated with VLAN 1 and outgoing interface Fa0/13, so SW2 forwards the frame out only Fa0/13. At this point the frame is on its way over the Ethernet cable between SW2 and R1.

Port Security and Filtering
Switches and routers can use Access Control Lists (ACLs) to filter traffic on a port.
With the port security violation modes protect or restrict, the switch discards the offending frame but leaves the interface in a connect (up/up) status, so an interface that looks healthy can still be dropping frames from an unexpected MAC address; check the violation count with show port-security interface.

CDP neighbour: a device on the other end of a communication cable that advertises CDP updates.
Up and up: jargon referring to the two interface status codes on a Cisco switch or router (line status and protocol status).
Error disabled: an interface state on a Cisco switch that results from one of many security violations.
Problem isolation: the part of the troubleshooting process in which an engineer rules out possible causes of the problem until the root cause is identified.
Root cause: a troubleshooting term for the reason a problem exists, especially a reason which, if changed, would either solve the problem or change it into a different problem.

Cisco Catalyst 2950 switch configuration commands
Command                                                               Description
shutdown / no shutdown                                                Interface subcommand that administratively disables or enables the interface, respectively
switchport port-security violation {protect | restrict | shutdown}    Interface subcommand that tells the switch what to do in the case of a violation, when an inappropriate MAC address tries to access the network through a secure switch port
cdp run / no cdp run                                                  Global command that enables or disables CDP for the entire switch or router
cdp enable / no cdp enable                                            Interface subcommand that enables or disables CDP on a particular interface
speed {10 | 100 | 1000 | auto}                                        Interface subcommand that manually sets the interface speed
duplex {auto | half | full}                                           Interface subcommand that manually sets the interface duplex

EXEC command reference
Command                                                                                                    Description
show mac address-table [dynamic | static] [address hw-address] [interface interface-id] [vlan vlan-id]     Displays the MAC address table; the static option lists the statically configured entries, including secure addresses added by port security
show port-security [interface interface-id] [address]                                                      Displays the port security options configured on an interface; the address option lists the secure MAC addresses
show cdp neighbors [type number]                                                                           Lists one summary line of information about each neighbour, or just the neighbour found on the specified interface
show cdp neighbors detail                                                                                  Lists one large set (about 15 lines) of information for every neighbour
show cdp entry name                                                                                        Displays the same information as show cdp neighbors detail, but only for the specified neighbour
show cdp                                                                                                   States whether CDP is enabled globally, and lists the default update and holdtime timers
show cdp interface [type number]                                                                           States whether CDP is enabled on each interface, or on the interface listed, and lists the update and holdtime timers
show cdp traffic                                                                                           Displays global statistics for CDP advertisements sent and received
show interfaces [type number]                                                                              Displays detailed information about interface status, settings and counters
show interfaces status [type number]                                                                       Displays summary information about interface status and settings, including the actual speed and duplex and whether they were autonegotiated
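The following Python model is an added example, not code from the study guide or from Cisco IOS. It ties together the port security configuration steps from Chapter 9 and the forwarding logic walked through above: a switch learns source MACs per VLAN, forwards a known unicast out one port (or filters it when the destination is on the incoming port), floods unknown unicast, broadcast and multicast within the VLAN, and enforces port security with the protect, restrict and shutdown violation modes. Host names, MAC addresses and port numbers come from the figure; the rogue MAC 0200.9999.9999 and the rule that a secure port's free slots are filled by the first source MACs seen are assumptions of the model.

```python
from dataclasses import dataclass, field


def is_group_address(mac: str) -> bool:
    """Broadcast (ffff.ffff.ffff) or multicast: the I/G bit of the first byte is set."""
    return bool(int(mac.replace(".", "")[:2], 16) & 0x01)


@dataclass
class Port:
    vlan: int = 1
    secure: bool = False
    maximum: int = 1
    violation: str = "shutdown"          # protect | restrict | shutdown
    allowed: set = field(default_factory=set)
    status: str = "connect"              # connect | err-disabled
    violations: int = 0


class Switch:
    def __init__(self, name, ports):
        self.name = name
        self.ports = {p: Port(vlan=v) for p, v in ports.items()}
        self.mac_table = {}              # (vlan, mac) -> port name
        self.log = []                    # stands in for syslog / SNMP traps

    def port_security(self, port, maximum=1, violation="shutdown", allowed=()):
        """switchport port-security [maximum N] [violation MODE] [mac-address ...]"""
        p = self.ports[port]
        p.secure, p.maximum, p.violation, p.allowed = True, maximum, violation, set(allowed)

    def _check_security(self, port, src):
        p = self.ports[port]
        if not p.secure or src in p.allowed:
            return True
        if len(p.allowed) < p.maximum:   # free slot: learn it as a secure address (assumption)
            p.allowed.add(src)
            return True
        p.violations += 1                # all three modes discard the frame ...
        if p.violation in ("restrict", "shutdown"):
            self.log.append(f"{self.name} {port}: violation from {src}")  # ... restrict/shutdown log it
        if p.violation == "shutdown":    # ... and shutdown err-disables the interface
            p.status = "err-disabled"
        return False

    def _flood(self, vlan, in_port):
        return sorted(n for n, q in self.ports.items()
                      if q.vlan == vlan and n != in_port and q.status == "connect")

    def receive(self, in_port, src, dst):
        """Process one frame; return the list of egress ports (empty = filtered or discarded)."""
        p = self.ports[in_port]
        if p.status != "connect" or not self._check_security(in_port, src):
            return []
        vlan = p.vlan                                    # Step 1: VLAN of the access port
        self.mac_table[(vlan, src)] = in_port            # learn the source MAC in that VLAN
        if is_group_address(dst):                        # Step 2C: broadcast/multicast -> flood
            return self._flood(vlan, in_port)
        out = self.mac_table.get((vlan, dst))
        if out is None:                                  # Step 2B: unknown unicast -> flood
            return self._flood(vlan, in_port)
        return [] if out == in_port else [out]           # Step 2A: known unicast -> one port, or filter


FRED, BARNEY, R1 = "0200.1111.1111", "0200.2222.2222", "0200.5555.5555"


def build_topology():
    sw1 = Switch("SW1", {"Fa0/9": 1, "Fa0/12": 1, "Gi0/1": 1})
    sw2 = Switch("SW2", {"Gi0/2": 1, "Fa0/13": 1})
    return sw1, sw2


def forwarding_walkthrough():
    """Barney -> R1, after R1 has been learned because it sent one broadcast first."""
    sw1, sw2 = build_topology()
    sw2.receive("Fa0/13", R1, "ffff.ffff.ffff")          # floods to Gi0/2; SW2 learns R1
    sw1.receive("Gi0/1", R1, "ffff.ffff.ffff")           # SW1 learns R1 on Gi0/1
    first = sw1.receive("Fa0/12", BARNEY, R1)            # SW1: known unicast -> Gi0/1 only
    second = sw2.receive("Gi0/2", BARNEY, R1)            # SW2: known unicast -> Fa0/13 only
    return {"sw1_egress": first, "sw2_egress": second,
            "sw1_table": dict(sw1.mac_table), "sw2_table": dict(sw2.mac_table)}


def port_security_demo():
    """Same topology; SW2 Fa0/13 locked to R1 (shutdown), SW1 Fa0/12 set to restrict."""
    sw1, sw2 = build_topology()
    sw2.port_security("Fa0/13", allowed=[R1])                   # static secure MAC (Step 5A)
    sw1.port_security("Fa0/12", violation="restrict")           # max 1, learned dynamically
    sw1.receive("Fa0/12", BARNEY, R1)                           # Barney becomes the secure address
    rogue_on_sw1 = sw1.receive("Fa0/12", "0200.9999.9999", R1)  # discarded + logged, port stays up
    rogue_on_sw2 = sw2.receive("Fa0/13", "0200.9999.9999", R1)  # discarded, port err-disabled
    r1_after = sw2.receive("Fa0/13", R1, "ffff.ffff.ffff")      # even R1 is cut off now
    return {"sw1_fa0_12_status": sw1.ports["Fa0/12"].status, "sw1_logged": len(sw1.log),
            "sw2_fa0_13_status": sw2.ports["Fa0/13"].status,
            "rogue_egress": (rogue_on_sw1, rogue_on_sw2, r1_after)}


if __name__ == "__main__":
    print(forwarding_walkthrough())
    print(port_security_demo())
```

Note the difference the violation mode makes in the second function: restrict keeps Fa0/12 in the connect state and only counts and logs the rogue frames, while shutdown on Fa0/13 err-disables the port and thereby also cuts off the legitimate R1, which is the trade-off to weigh when choosing the mode for a port that carries a server or router.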

Please go to Do I know this Already QUIZ. Chapter 10. :- Page 268.


Chapter 11 Wireless LANs


WLAN standards organizations and their roles
Organizations that set or influence WLAN standards
Organization                              Standardisation role
ITU-R                                     Worldwide standardisation of communications that use radiated energy, particularly managing the assignment of frequencies
IEEE                                      Standardisation of wireless LANs (802.11)
Wi-Fi Alliance                            An industry consortium that encourages interoperability of products that implement WLAN standards through its Wi-Fi Certified program
Federal Communications Commission (FCC)   The US government agency that regulates the usage of the various communication frequencies in the US

WLAN Standards
Comparison between 802.11a, 802.11b and 802.11g
Feature                                                    802.11a      802.11b          802.11g
Year ratified                                              1999         1999             2003
Maximum speed using DSSS (Direct Sequence Spread Spectrum) -            11 Mbps          11 Mbps
Maximum speed using OFDM                                   54 Mbps      -                54 Mbps
Frequency band                                             5 GHz        2.4 GHz          2.4 GHz
Channels (non-overlapping in brackets)                     23 (12)      11 (3)           11 (3)
Speeds required by the standard (Mbps)                     6, 12, 24    1, 2, 5.5, 11    1, 2, 5.5, 6, 11, 12, 24

Modes of 802.11 Wireless LANs
WLAN modes, their formal names and descriptions
Mode                                Service set name                        Description
Ad hoc                              Independent Basic Service Set (IBSS)    Allows two devices to communicate directly; no Access Point (AP) is required
Infrastructure (one AP)             Basic Service Set (BSS)                 A single wireless LAN created with an AP and all the devices associated with that AP
Infrastructure (more than one AP)   Extended Service Set (ESS)              Multiple APs create one wireless LAN, allowing roaming and a larger coverage area


Unlicensed bands, their general names, and the devices/standards that use each band
FCC unlicensed frequency bands of interest
Frequency range   Name                                                      Sample devices
900 MHz           Industrial, Scientific, Medical (ISM)                     Older cordless telephones
2.4 GHz           ISM                                                       Newer cordless phones, microwave ovens, 802.11, 802.11b and 802.11g WLANs
5 GHz             Unlicensed National Information Infrastructure (U-NII)    Newer cordless phones, 802.11a and 802.11n WLANs
Licensed bands are used for AM/FM radio, shortwave radio for police communications, and mobile phones.
Direct Sequence Spread Spectrum (DSSS) at 2.4 GHz has about 82 MHz of bandwidth, ranging from 2.402 GHz to 2.483 GHz. As regulated by the FCC this band can have 11 overlapping DSSS channels. Although many of the channels shown in the figure overlap, three of them (the channels at the far left, far right and centre) do not overlap enough to affect each other. These channels (1, 6 and 11) can be used in the same space for WLAN communication without interfering with each other.

Figure: Eleven overlapping DSSS channels at 2.4 GHz (RF channels 1 to 11 across the 2.4 GHz frequency spectrum).
Figure: Using non-overlapping DSSS 2.4 GHz channels in an ESS WLAN: PC1 and PC2 with AP1 on channel 1, AP2 on channel 6 and AP3 on channel 11.

DSSS frequencies showing three non-overlapping channels. In this design devices in one BSS can send at the same time as devices in the other two BSSs without interfering, because each BSS uses the slightly different frequencies of one of the non-overlapping channels. PC1 and PC2 could sit next to each other and communicate with two different APs on two different channels at the same time. This design is typical of 802.11b WLANs, with each cell running at 11 Mbps. With non-overlapping channels, each half-duplex BSS can run at 11 Mbps, for a cumulative bandwidth of 33 Mbps. The cumulative bandwidth is called the WLAN capacity.

Name of encoding class                                 Used by
Frequency Hopping Spread Spectrum (FHSS)               802.11
Direct Sequence Spread Spectrum (DSSS)                 802.11b
Orthogonal Frequency Division Multiplexing (OFDM)      802.11a, 802.11g
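An added example, not from the study guide: the channel arithmetic behind the figure. Channel n in the FCC 2.4 GHz band is centred at 2407 + 5n MHz (channel 1 at 2412 MHz, channel 11 at 2462 MHz) and a DSSS channel is 22 MHz wide, so two cells interfere unless their centres are at least 22 MHz, i.e. five channel numbers, apart. The functions below check an AP channel plan for overlaps and compute the WLAN capacity of the text's 33 Mbps example; treating every set of mutually interfering cells as sharing a single cell's rate is a simplification made for the example.

```python
CHANNEL_WIDTH_MHZ = 22          # width of one DSSS channel
CHANNEL_SPACING_MHZ = 5         # centre-to-centre spacing of adjacent channel numbers


def center_mhz(channel: int) -> int:
    """Centre frequency of an FCC 2.4 GHz DSSS channel (1 = 2412 MHz, 11 = 2462 MHz)."""
    if not 1 <= channel <= 11:
        raise ValueError("FCC allows 2.4 GHz channels 1 to 11")
    return 2407 + CHANNEL_SPACING_MHZ * channel


def channels_interfere(a: int, b: int) -> bool:
    """True when cells on these channels share air time (same channel or overlapping)."""
    return abs(center_mhz(a) - center_mhz(b)) < CHANNEL_WIDTH_MHZ


def max_non_overlapping(channels=range(1, 12)) -> list:
    """Greedy pick, lowest channel first, of channels that do not interfere with each other."""
    chosen = []
    for ch in sorted(channels):
        if all(not channels_interfere(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def check_plan(plan: dict) -> list:
    """plan maps AP name -> channel; returns the pairs of APs whose cells interfere."""
    names = sorted(plan)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if channels_interfere(plan[x], plan[y])]


def wlan_capacity_mbps(plan: dict, cell_rate_mbps: float = 11) -> float:
    """Cumulative bandwidth: each group of mutually interfering cells shares one cell's rate."""
    groups = []                              # list of sets of AP names
    for ap in sorted(plan):
        merged = {ap}
        for g in groups[:]:                  # absorb every group this AP interferes with
            if any(channels_interfere(plan[ap], plan[other]) for other in g):
                merged |= g
                groups.remove(g)
        groups.append(merged)
    return cell_rate_mbps * len(groups)


if __name__ == "__main__":
    good = {"AP1": 1, "AP2": 6, "AP3": 11}   # the figure's design
    bad = {"AP1": 1, "AP2": 3, "AP3": 11}    # AP2 moved onto a channel that overlaps AP1
    print("non-overlapping:", max_non_overlapping())
    for plan in (good, bad):
        print(plan, "overlaps:", check_plan(plan), "capacity:", wlan_capacity_mbps(plan), "Mbps")
```

Running it shows why the site survey checklist later in the chapter insists on checking channel assignments: moving one AP from channel 6 to channel 3 produces no error anywhere, but the capacity of the three-cell design drops from 33 Mbps to 22 Mbps because AP1 and AP2 now contend for the same air time.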

The emerging 802.11n uses OFDM as well as MIMO (Multiple Input Multiple Output).

Wireless Interference
Walls, floors, ceilings and anything containing a lot of metal can reduce the strength of the radio signals, scatter them and create dead spots. One key measurement of interference is the Signal-to-Noise Ratio (SNR), which compares the WLAN signal with the other, undesired signals (noise) in the same space. The higher the SNR, the better the WLAN can send data successfully.

Coverage Area, Speed and Capacity
The power of an AP is measured with the Effective Isotropic Radiated Power (EIRP) calculation: the power of the signal as it leaves the antenna.

Coverage Area and Speed
Figure: coverage area and speed for an 802.11b AP1: clients nearest the AP run at 11 Mbps, with rings further out at 5.5 Mbps, 2 Mbps and 1 Mbps.

WLAN speed and frequency reference
IEEE standard   Maximum speed   Other speeds (Mbps)                        Frequency   Non-overlapping channels
802.11b         11 Mbps         1, 2, 5.5                                  2.4 GHz     3
802.11a         54 Mbps         6, 9, 12, 18, 24, 36, 48                   5 GHz       12
802.11g         54 Mbps         1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48    2.4 GHz     3

Media Access (Layer 2) The solution to the media access problem with WLAN is to use the carrier sense multiple access with collision avoidance (CSMA/CA) algorithm. CSMA/CA algorithm


Step 1. Listen to ensure that the medium (the air) is not busy, i.e. no radio waves are currently being received at the frequencies to be used.
Step 2. Set a random timer before sending a frame, to statistically reduce the chance of all devices trying to send at the same time.
Step 3. When the random timer has expired, listen again to ensure the medium is not busy; if it isn't, send the frame.
Step 4. After the entire frame has been sent, wait for an acknowledgement.
Step 5. If no acknowledgement is received, resend the frame using the same CSMA/CA logic to wait for the appropriate time to send again.

WLAN Implementation Checklist
Step 1. Verify that the existing wired network works, including DHCP services, VLANs and Internet connectivity: check the switch port access VLANs, connect a laptop to the switch port and verify that it acquires an IP address, mask and default gateway and can communicate with other hosts in the network.
Step 2. Install and configure the AP, and verify its connectivity to the wired network, including its IP address, mask and default gateway. The AP connects to the switch port using a straight-through Ethernet cable.
Step 3. Configure and verify the AP's wireless settings, including the Service Set Identifier (SSID), but with no security features yet. WLAN configuration features:
IEEE standard (a, b, g or multiple)
Wireless channel
Service Set Identifier (SSID, a text identifier for the WLAN of up to 32 characters)
Transmit power

APs within the same ESS WLAN should be configured with the same SSID.
Step 4. Install and configure one wireless client (laptop), again with no security.


A WLAN NIC in a WLAN client such as a laptop can automatically detect a WLAN AP, learn its SSID and connect to the AP with the strongest signal.
Cisco Compatible Extensions (CCX) programme: tests and verifies that a manufacturer's WLAN NIC works well with a Cisco AP.
Microsoft Zero Configuration utility: an OS utility that allows PCs to automatically discover the SSIDs of all WLANs whose APs are within range of the NIC.
Step 5. Verify that the WLAN works from the client laptop.
Common WLAN installation problems and the related work done in the site survey:
Is the AP at the centre of the area where the clients reside?
Is the AP or client right next to a lot of metal?
Is the AP or client next to a lot of interference, such as a microwave oven or gaming system?
Is the AP coverage wide enough to reach the clients?

Other common problems:
Check that the AP and client radios are enabled (radio switches turned on).
Check that the AP has the latest firmware.
Check the AP configuration, especially the channel configuration, to ensure it does not use channels that overlap with those of other APs in the same location.

Step 6. Configure WLAN security on the AP and the client.
Step 7. Verify that the WLAN still works in the presence of the security features.

WLAN Security Issues
WLAN vulnerabilities and solutions
Vulnerability                                                                                                   Solution
War drivers (attackers who drive around looking for an AP with weak or no security)                             Strong authentication
Hackers stealing information from a WLAN                                                                        Strong encryption
Hackers gaining access to the rest of the network                                                               Strong authentication
Employee AP installation                                                                                        Intrusion Detection System (IDS), including Cisco Structured Wireless-Aware Network (SWAN)
Rogue AP (an attacker learns the SSID of an existing WLAN, sets up a rogue AP with it and gets the enterprise's clients to associate with the rogue)   Strong authentication, IDS, SWAN

WLAN Security Standards
Name                                                     Year    Who defined it
Wired Equivalent Privacy (WEP)                           1997    IEEE
The interim Cisco solution while waiting for 802.11i     2001    Cisco, IEEE 802.1x Extensible Authentication Protocol (EAP)
Wi-Fi Protected Access (WPA)                             2003    Wi-Fi Alliance
802.11i (WPA2)                                           2005+   IEEE

Vendor-introduced additional security features : SSID cloaking and MAC filtering.
SSID Cloaking : The AP still sends beacons, but leaves the SSID out of them; it sends the SSID only in a probe response to a probe request from a WLAN client. The BSSID is still visible in every beacon and the SSID travels in the clear in probe requests and responses, so cloaking only hides the network from casual discovery.
MAC Filtering : The AP is configured with a list of allowed WLAN client MAC addresses. Client MAC addresses are sent unencrypted in every frame, so an attacker can sniff an allowed address and spoof it; MAC filtering is not a substitute for authentication.
Cisco interim solution between WEP and 802.11i :
Dynamic key exchange (instead of a static preshared key)
User authentication using 802.1x
A new encryption key for each packet
Wi-Fi Protected Access (WPA) : WPA includes the option to use dynamic key exchange, using the Temporal Key Integrity Protocol (TKIP). WPA allows either IEEE 802.1x user authentication or simple device authentication using preshared keys. TKIP encryption also adds a Message Integrity Check (MIC) to each frame, similar to the process used in the Cisco proprietary solution.

IEEE 802.11i (WPA2) includes dynamic key exchange, much stronger encryption and user authentication. 802.11i uses the Advanced Encryption Standard (AES) for encryption.

Standard          Key Distribution   Device Authentication   User Authentication   Encryption
WEP               Static             Yes (weak)              None                  Yes (weak)
Cisco             Dynamic            Yes                     Yes (802.1x)          Yes (TKIP)
WPA               Both               Yes                     Yes (802.1x)          Yes (TKIP)
802.11i (WPA2)    Both               Yes                     Yes (802.1x)          Yes (AES)

Definitions.
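The comparison table, the rogue AP row of the vulnerability table and the SSID cloaking feature can all be checked against what an AP actually transmits. The following is an added example, not part of these notes or of the Odom study guide: a small Python decoder that reads 802.11 beacon frames, classifies each network as Open, WEP, WPA or 802.11i (WPA2) from the Privacy capability bit, the WPA vendor-specific information element and the RSN information element, reads the AKM suite to tell 802.1x from preshared-key authentication, and flags a rogue AP beaconing the corporate SSID from an unknown BSSID as well as a cloaked SSID. The beacon frames, the corporate SSID "CorpWLAN" and the authorized BSSID list are constructed for the example.

```python
"""Classify WLAN security from 802.11 beacons and flag rogue APs.

Added example, not from the CCENT notes. The beacon frames, the corporate
SSID and the authorized BSSID list below are constructed for illustration.
"""
import struct

WPA_OUI = bytes.fromhex("0050f2")    # Wi-Fi Alliance OUI in the WPA vendor IE
RSN_OUI = bytes.fromhex("000fac")    # IEEE OUI used by RSN (802.11i) suites
PRIVACY_BIT = 0x0010                 # "Privacy" flag in Capability Information
AKM_NAMES = {1: "802.1X", 2: "PSK"}  # AKM suite type -> authentication method

def ie(tag, value):
    """One tagged information element: tag, length, value."""
    return bytes([tag, len(value)]) + value

def build_beacon(bssid, ssid, privacy=False, extra_ies=b""):
    """Constructed beacon: 24-byte MAC header, fixed fields, tagged IEs, no FCS."""
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, PRIVACY_BIT if privacy else 0)
    # A cloaked AP still beacons; it just sends a zero-length SSID element.
    return header + fixed + ie(0, ssid) + ie(1, b"\x82\x84\x8b\x96") + extra_ies

def wpa_ie(akm):
    """WPA (pre-802.11i) vendor-specific IE: TKIP ciphers plus one AKM suite."""
    body = WPA_OUI + b"\x01" + struct.pack("<H", 1)        # OUI, type, version
    body += WPA_OUI + b"\x02"                                 # group cipher TKIP
    body += struct.pack("<H", 1) + WPA_OUI + b"\x02"         # pairwise TKIP
    body += struct.pack("<H", 1) + WPA_OUI + bytes([akm])    # AKM suite
    return ie(221, body)

def rsn_ie(akm):
    """RSN (802.11i / WPA2) IE: CCMP (AES) ciphers plus one AKM suite."""
    body = struct.pack("<H", 1) + RSN_OUI + b"\x04"          # version, group CCMP
    body += struct.pack("<H", 1) + RSN_OUI + b"\x04"         # pairwise CCMP
    body += struct.pack("<H", 1) + RSN_OUI + bytes([akm])    # AKM suite
    return ie(48, body + struct.pack("<H", 0))               # RSN capabilities

def first_akm(suites, oui):
    """Skip group cipher and pairwise list; return the name of the first AKM."""
    pos = 4 + 2 + 4 * struct.unpack_from("<H", suites, 4)[0]
    pos += 2                                                  # AKM suite count
    if suites[pos:pos + 3] != oui:
        return "unknown"
    return AKM_NAMES.get(suites[pos + 3], "unknown")

def parse_beacon(frame):
    """Decode one beacon into the fields that decide its security classification."""
    if frame[0] != 0x80:
        raise ValueError("not a beacon frame")
    bssid = frame[16:22].hex(":")
    capability = struct.unpack_from("<H", frame, 34)[0]
    ies, pos = {}, 36
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        key = "wpa" if tag == 221 and value[:4] == WPA_OUI + b"\x01" else tag
        ies.setdefault(key, value)
        pos += 2 + length
    if 48 in ies:                            # RSN IE present: 802.11i / WPA2
        security, akm = "WPA2", first_akm(ies[48][2:], RSN_OUI)
    elif "wpa" in ies:                       # WPA vendor IE only: TKIP era
        security, akm = "WPA", first_akm(ies["wpa"][6:], WPA_OUI)
    elif capability & PRIVACY_BIT:           # Privacy bit but no RSN/WPA IE: WEP
        security, akm = "WEP", None          # static key, no user authentication
    else:
        security, akm = "Open", None
    ssid = ies.get(0, b"")
    return {"bssid": bssid, "ssid": ssid.decode("utf-8", "replace"),
            "cloaked": len(ssid) == 0, "security": security, "akm": akm}

def audit(frames, corporate_ssid, authorized_bssids):
    """Return (bssid, finding) pairs a wireless IDS would raise for these beacons."""
    findings = []
    for frame in frames:
        b = parse_beacon(frame)
        if b["ssid"] == corporate_ssid and b["bssid"] not in authorized_bssids:
            findings.append((b["bssid"], "rogue AP advertising corporate SSID"))
        if b["cloaked"]:
            findings.append((b["bssid"], "cloaked SSID (BSSID still visible)"))
        if b["security"] in ("Open", "WEP"):
            findings.append((b["bssid"], "weak security: " + b["security"]))
    return findings

# Constructed capture: two authorized WPA2 APs, one legacy WEP AP, one rogue.
AUTHORIZED = {"00:11:22:33:44:01", "00:11:22:33:44:03"}          # assumed list
SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("001122334401"), b"CorpWLAN", True, rsn_ie(1)),
    build_beacon(bytes.fromhex("001122334402"), b"Legacy", True),
    build_beacon(bytes.fromhex("aabbccddeeff"), b"CorpWLAN", True, wpa_ie(2)),
    build_beacon(bytes.fromhex("001122334403"), b"", True, rsn_ie(2)),
]

def run_audit():
    return audit(SAMPLE_FRAMES, "CorpWLAN", AUTHORIZED)

if __name__ == "__main__":
    for bssid, finding in run_audit():
        print(bssid, finding)
```

Running the script lists three findings: the legacy AP for WEP, the rogue AP because it advertises CorpWLAN from a BSSID outside the authorized list, and the cloaked AP, whose beacon still carries its BSSID and security IEs even though the SSID element is empty. Frames captured from a real monitor-mode interface carry a radiotap header in front of the 802.11 header and a trailing FCS; both would have to be stripped before calling parse_beacon.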

802.11a : IEEE standard for wireless LANs using the U-NII (Unlicensed National Information Infrastructure) 5 GHz spectrum, OFDM encoding, at speeds of up to 54 Mbps.
802.11b : IEEE standard for wireless LANs using the ISM (2.4 GHz) spectrum, DSSS encoding, and speeds of up to 11 Mbps.
802.11g : IEEE standard for wireless LANs using the ISM (2.4 GHz) spectrum, OFDM or DSSS encoding, and speeds of up to 54 Mbps.
802.11i : IEEE standard for wireless LAN security, including authentication and encryption.
Access Point (AP) : A wireless LAN device that provides a means by which wireless clients can send data to each other and to the rest of the wired LAN, with the AP connecting the wireless and wired Ethernet LANs.
Ad-hoc Mode : In a wireless LAN, a method or mode of operation in which the clients send data directly to each other without using an Access Point.
Basic Service Set (BSS) : A wireless LAN with a single Access Point (AP).
CSMA/CA : Carrier Sense Multiple Access with Collision Avoidance, a media access mechanism that defines how devices decide when to send, with the goal of avoiding collisions as much as possible. IEEE WLANs use CSMA/CA.
Direct Sequence Spread Spectrum (DSSS) : A method of encoding data for transmission over a WLAN in which devices use 1 of 11 nearby frequencies (channels) in the 2.4 GHz range.
Extended Service Set (ESS) : A wireless LAN with multiple access points that together form one WLAN, allowing roaming between APs.
Frequency Hopping Spread Spectrum (FHSS) : A method of encoding data in a WLAN in which each consecutive transmission occurs on a different nearby frequency band from the prior transmission. Not used in modern WLAN standards.
Infrastructure Mode : A mode of WLAN operation in which WLAN clients send and receive data through APs, which also allows the clients to reach the wired LAN infrastructure. In infrastructure mode WLAN clients do not send to each other directly.
Orthogonal Frequency Division Multiplexing (OFDM) : A method of encoding data in a WLAN that allows higher data transmission rates than the FHSS and DSSS encoding methods.
Service Set Identifier (SSID) : A text value (up to 32 characters) used in a WLAN to uniquely identify a single WLAN.
Wi-Fi Alliance : An organization formed by many companies in the wireless industry for the purpose of getting multi-vendor certified wireless products to market in a more timely fashion.
Wi-Fi Protected Access (WPA) : A trademark name of the Wi-Fi Alliance that represents a set of security specifications that predated the IEEE 802.11i security standard.
Wired Equivalent Privacy (WEP) : An early WLAN security specification with relatively weak security mechanisms: static preshared keys and weak encryption whose key can be recovered from captured traffic.
WLAN Client : A wireless device that wants access to a wireless access point for the purpose of communicating with other wireless devices or with devices connected to the wired LAN.
WPA2 : The Wi-Fi Alliance's trademark name for the same set of security standards as IEEE 802.11i.

Please go to the "Do I Know This Already?" quiz, Chapter 11, page 300.
