ccent notes part-2

Upload: achillez16

Post on 29-May-2018

8/9/2019 CCENT Notes Part-2

    CCENT Notes

    Part 2 LAN Switching

    Ref : CCENT/CCNA ICND1 Official Exam Certification Guide, Second Edition

    by Wendell Odom

    It is highly recommended that you read the above study guide at least once to make full use of these notes. These notes may contain minor errors; always refer to the study guide for accurate information.

    (Jojo Jacob - CCENT)

    TABLE OF CONTENTS

    Chapter 7 Ethernet LAN Switching Concepts
    Chapter 8 Operating Cisco LAN Switches
    Chapter 9 Ethernet Switch Configurations
    Chapter 10 Ethernet Switch Troubleshooting
    Chapter 11 Wireless LANs

    Chapter 7 Ethernet LAN Switching Concepts

    Hubs : Create one single collision domain; bandwidth is shared in a 10BASE-T network built with a hub.

    Bridges : Reduced the number of collisions in a network by segmenting the collision domains, and so added bandwidth to the network.

    Switches (benefits of using switches) : Create a separate collision domain on each interface, and can support full duplex if only one device is connected to an interface. Switches multiply the amount of available bandwidth in the network.

    Ethernet MAC addresses

    Unicast address: A MAC address that identifies a single LAN interface card.
    Broadcast address: A frame sent with the destination address FFFF.FFFF.FFFF implies that all devices on the LAN should receive and process the frame.
    Multicast address: Multicast MAC addresses allow a dynamic subset of devices on a LAN to communicate.

    IP multicast over Ethernet uses MAC addresses in the format 0100.5exx.xxxx, where a value between 00.0000 and 7f.ffff can be used for the second half (the low 23 bits of the IPv4 group address are copied into the low 23 bits of the MAC address).
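    A small helper for the three MAC address types above, as an added example that is not part of the original notes: it classifies an address from the I/G bit (the low bit of the first byte, which is set for broadcast and multicast addresses) and maps an IPv4 multicast group into the 0100.5exx.xxxx range by keeping the low 23 bits of the group address. The accepted input formats (dotted hex, colons, dashes) and the function names are this example's own choices.

```python
"""Ethernet MAC address helpers for the address types described above.

Added example (not from the original notes): parses Cisco dotted MACs,
classifies them as unicast / broadcast / multicast using the I/G bit,
and maps an IPv4 multicast group to its 0100.5exx.xxxx MAC address.
"""
import ipaddress

BROADCAST = "ffff.ffff.ffff"
IPV4_MCAST_PREFIX = 0x01005E000000  # 0100.5e00.0000 as a 48-bit integer


def parse_mac(text: str) -> int:
    """Accept 0200.1111.1111, 02:00:11:11:11:11 or 02-00-11-11-11-11."""
    digits = "".join(ch for ch in text if ch not in ".:-").lower()
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value: int) -> str:
    """Render a 48-bit integer in Cisco dotted-hex form (lower case)."""
    hexstr = f"{value:012x}"
    return ".".join(hexstr[i:i + 4] for i in (0, 4, 8))


def classify(text: str) -> str:
    """Broadcast is all ones; any other address with the I/G bit
    (least significant bit of the first byte) set is multicast."""
    value = parse_mac(text)
    if value == parse_mac(BROADCAST):
        return "broadcast"
    first_byte = value >> 40
    return "multicast" if first_byte & 0x01 else "unicast"


def mac_for_ipv4_multicast(group: str) -> str:
    """Copy the low 23 bits of the group address into 0100.5e00.0000.

    Only 23 of the 28 variable group bits survive, so 32 different IPv4
    groups share each multicast MAC; a receiver must still check the IP
    header to know which group a frame really belongs to."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast group (224.0.0.0/4)")
    low23 = int(addr) & 0x7FFFFF
    return format_mac(IPV4_MCAST_PREFIX | low23)


if __name__ == "__main__":
    for mac in ("0200.1111.1111", BROADCAST, "0100.5e00.0005"):
        print(f"{mac}: {classify(mac)}")
    print("224.0.0.5       ->", mac_for_ipv4_multicast("224.0.0.5"))
    print("225.0.0.5       ->", mac_for_ipv4_multicast("225.0.0.5"))
    print("239.255.255.255 ->", mac_for_ipv4_multicast("239.255.255.255"))
```

    Note that 224.0.0.5 and 225.0.0.5 map to the same MAC; this 32:1 overlap is why a NIC that filters on multicast MAC alone still receives frames for groups it never joined.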

    Primary functions of a switch

    1. Deciding when to forward a frame or when to filter (not forward) a frame, based on the destination MAC address.

    2. Learning MAC addresses by examining the source MAC address of each frame received.

    3. Creating a (Layer 2) loop-free environment with other switches by using Spanning Tree Protocol (STP).

    Sample switch forwarding and filtering decision (Fred forwards a frame to Barney)

    [Figure: one switch with four hosts, one per port]
    Fa0/1 : Fred   0200.1111.1111
    Fa0/2 : Barney 0200.2222.2222
    Fa0/3 : Wilma  0200.3333.3333
    Fa0/4 : Betty  0200.4444.4444

    A frame with destination MAC 0200.2222.2222 came in on Fa0/1.
    It is forwarded out Fa0/2, the port listed for 0200.2222.2222 in the MAC table.
    It is filtered (not forwarded) out Fa0/3 and Fa0/4.

    MAC Address Table
    0200.1111.1111 Fa0/1
    0200.2222.2222 Fa0/2
    0200.3333.3333 Fa0/3
    0200.4444.4444 Fa0/4

    The MAC address table is also called the switching table, the bridging table, or the Content Addressable Memory (CAM) table.

    Sample switch filtering decision (Fred and Barney share a hub on Fa0/1)

    [Figure: a hub on Fa0/1 connects Fred and Barney; Wilma and Betty have their own ports]
    Fa0/1 : Hub, with Fred 0200.1111.1111 and Barney 0200.2222.2222
    Fa0/3 : Wilma 0200.3333.3333
    Fa0/4 : Betty 0200.4444.4444

    Note that the hub simply regenerates the electrical signal out each of its ports, so the hub delivers the signal sent by Fred to both Barney and the switch. The switch decides to filter (not forward) the frame, because the MAC table entry for destination 0200.2222.2222 points to Fa0/1, the same interface the frame came in on.

    A frame with destination MAC 0200.2222.2222 came in on Fa0/1.
    The MAC table lists Fa0/1 for that address, which is the incoming interface, so the frame is filtered (not forwarded out Fa0/1 or any other port).

    MAC Address Table
    0200.1111.1111 Fa0/1
    0200.2222.2222 Fa0/1
    0200.3333.3333 Fa0/3
    0200.4444.4444 Fa0/4

    How a switch learns MAC addresses: Switches populate the MAC table by listening to frames. For each frame, the switch adds the source MAC address and the interface it came in on, if that entry is not already in the MAC address table.

    Flooding frames: When a switch receives a frame with a destination address that is not in its MAC address table, it forwards the frame out all interfaces except the one it came in on.

    Switches keep a timer for each entry in the MAC address table, called the inactivity timer. The switch sets the timer to 0 for a new entry and resets it to 0 each time it receives a frame from that MAC address. The timer counts upwards, so at any point in time, if the switch runs out of memory, it knows which entry is the oldest inactive one and deletes it to free up memory.

    Spanning Tree Protocol (STP): STP prevents loops by blocking some interfaces (ports) from forwarding frames, so that only one active logical path exists between two LANs in a physically redundant network. In STP a port can be in one of two states: Blocking (cannot send or receive) and Forwarding (can send and receive).

    Internal Processing on Cisco Switches

    Store-and-forward processing : The switch must receive the entire frame before it starts forwarding the first bits of the frame.

    Cut-through processing : The switch starts forwarding the frame as soon as possible, without waiting for the entire frame to be received. This is possible because the destination MAC address comes early in the Ethernet header. Although this reduces latency, it may forward erroneous frames, because the FCS is at the end of the frame and the switch cannot determine that a frame it has already forwarded was in error.

    Fragment-free processing : Works much like cut-through processing, but tries to reduce the number of errored frames it forwards.

    Switching Method : Description
    Store-and-Forward : The switch fully receives all bits in the frame (stores it) before forwarding the frame. This allows the switch to check the FCS before forwarding the frame.
    Cut-through : The switch forwards the frame as soon as it can. This reduces latency but does not allow the switch to discard frames that fail the FCS check.
    Fragment-free : The switch forwards a frame after receiving its first 64 bytes, thereby avoiding forwarding frames that were errored due to a collision.

    LAN Switching Summary

    LAN switches provide many additional features compared to LAN hubs and bridges. In particular, LAN switches provide the following benefits:

    - A switch port connected to a single device micro-segments the LAN, providing dedicated bandwidth to that device.
    - Switches allow multiple simultaneous conversations between devices on different ports.
    - A switch port connected to a single device supports full duplex, in effect doubling the available bandwidth to the device.
    - Switches support rate adaptation, which means devices using different Ethernet speeds can communicate through the switch (hubs cannot).

    Switches use Layer 2 logic, examining the Ethernet data-link header to choose how to process frames. In particular, switches make decisions to forward and filter frames, learn MAC addresses, and use STP to avoid loops, as follows:

    Step 1. Switches forward frames based on the destination address:

    a) If the destination address is a broadcast, multicast, or unknown destination unicast (an address not found in the MAC table), the switch floods the frame, sending it out all ports except the port on which it was received.

    b) If the destination address is a known unicast address:

    1. If the outgoing interface listed in the MAC table is different from the interface the frame came in on, the switch forwards the frame out the outgoing interface.

    2. If the outgoing interface listed in the MAC table is the same as the interface the frame came in on, the switch filters the frame, simply ignoring it without forwarding.

    Step 2. Switches use the following logic to learn MAC address table entries:

    a) For each received frame, examine the source MAC address and the interface on which the frame was received.

    b) If they are not already in the table, add the address and interface, setting the inactivity timer to 0.

    c) If the entry is already in the table, reset the inactivity timer to 0.

    Step 3. Switches use STP to prevent loops by causing some interfaces to block, meaning that they do not send or receive frames.
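    The forward/filter/flood and learning logic of Steps 1 and 2, as an added example (not code from the notes or from Cisco): a simulated switch replays the Fred-to-Barney and shared-hub scenarios from earlier in the chapter. The table size, the timer units, the eviction of the oldest inactive entry when the table is full, and the class and function names are assumptions made for the simulation; a real switch also ages entries out after a configurable timeout, and STP (Step 3) is not modelled because there is only one switch.

```python
"""Switch forwarding, filtering, flooding and MAC learning (Steps 1-3 above).

Added example, not from the original notes. It models a single switch as a
Python class: a MAC table with per-entry inactivity timers, the
forward/filter/flood decision, and eviction of the oldest inactive entry
when the table is full. STP is out of scope here (single switch, no loops).
"""
from __future__ import annotations

from dataclasses import dataclass

BROADCAST = "ffff.ffff.ffff"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the low bit of the first byte set
    (assumes Cisco dotted-hex notation, so the first byte is mac[0:2])."""
    return int(mac[0:2], 16) & 0x01 == 1


@dataclass
class Entry:
    port: str
    inactive_for: int = 0   # seconds since the last frame from this MAC


class Switch:
    def __init__(self, ports, table_size=8):
        self.ports = list(ports)
        self.table_size = table_size        # assumed capacity, for eviction
        self.table: dict[str, Entry] = {}

    def tick(self, seconds: int = 1) -> None:
        """Advance every inactivity timer."""
        for entry in self.table.values():
            entry.inactive_for += seconds

    def learn(self, src: str, in_port: str) -> None:
        """Step 2: add or refresh the source MAC. A move to another port
        overwrites the old port, which is what lets a host be re-patched."""
        src = src.lower()
        if src in self.table:
            self.table[src] = Entry(in_port, 0)
            return
        if len(self.table) >= self.table_size:
            # Table full: drop the entry that has been silent the longest.
            oldest = max(self.table, key=lambda m: self.table[m].inactive_for)
            del self.table[oldest]
        self.table[src] = Entry(in_port, 0)

    def decide(self, dst: str, in_port: str) -> list[str]:
        """Step 1: ports the frame is sent out of (empty list == filtered)."""
        dst = dst.lower()
        flood = [p for p in self.ports if p != in_port]
        if is_group_address(dst) or dst not in self.table:
            return flood                        # broadcast / multicast / unknown unicast
        out = self.table[dst].port
        return [] if out == in_port else [out]  # filter vs forward

    def receive(self, src: str, dst: str, in_port: str) -> list[str]:
        """Process one frame: learn from the source, then forward."""
        self.learn(src, in_port)
        return self.decide(dst, in_port)


def fred_to_barney_example() -> list[str]:
    """The four-host example from the notes: Barney is already known on Fa0/2."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"])
    sw.learn("0200.2222.2222", "Fa0/2")
    return sw.receive("0200.1111.1111", "0200.2222.2222", "Fa0/1")


def hub_example() -> list[str]:
    """Fred and Barney share a hub on Fa0/1, so the frame must be filtered."""
    sw = Switch(["Fa0/1", "Fa0/3", "Fa0/4"])
    sw.learn("0200.2222.2222", "Fa0/1")
    return sw.receive("0200.1111.1111", "0200.2222.2222", "Fa0/1")


if __name__ == "__main__":
    print("Fred -> Barney, separate ports:", fred_to_barney_example())
    print("Fred -> Barney, shared hub port:", hub_example())
```

    The two examples return ["Fa0/2"] and [] respectively; an unknown or group destination returns every port except the ingress one, which is the flooding case.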

    LAN Design Considerations

    Collision domain : A set of LAN interfaces (NICs) for which a frame sent by one NIC could collide with a frame sent by another NIC in the same collision domain.

    Broadcast domain : A set of devices (NICs) for which a broadcast frame sent by one device is received by all the other devices in the set. A switch floods broadcasts and multicasts out all ports, so a switch creates a single broadcast domain.

    Switches are the much preferred option in a network, as they micro-segment the collision domain and devices do not have to share bandwidth.

    A very large network with multiple switches still creates a single broadcast domain; this can be split into multiple broadcast domains using a router.

    Benefits of segmenting Ethernet devices using hubs, switches and routers (LAN design features in comparison)

    Feature                              Hub   Switch   Router
    Greater cabling distances allowed    Yes   Yes      Yes
    Creates multiple collision domains   No    Yes      Yes
    Increases bandwidth                  No    Yes      Yes
    Creates multiple broadcast domains   No    No       Yes

    Virtual LAN (VLAN)

    Without VLANs, a switch considers all of its interfaces to be in the same broadcast domain. With VLANs, a switch can put some interfaces into one broadcast domain and some into another, based on some simple configuration.

    Sample network with two VLANs using one switch

    [Figure: one switch; some ports are assigned to VLAN 1 and the others to VLAN 2, giving two broadcast domains on the same switch]

    Motivations for using VLANs

    - To create a more flexible network design that groups users by department, or by groups that work together, instead of by physical location.
    - To segment devices into smaller LANs (broadcast domains) to reduce the overhead caused to each host in the VLAN.
    - To reduce the workload for STP by limiting a VLAN to a single access switch.
    - To enforce better security by keeping hosts that work with sensitive data in a separate VLAN.
    - To separate traffic sent by IP phones from traffic sent by the PCs connected to the phones.

    Campus LAN design terminology

    [Figure: one campus LAN building block. Access switches Access1 to Access4 connect end-user devices over access links; each access switch has uplinks to the distribution switches Dist1 and Dist2; Dist1 and Dist2 connect over core links to the core switches Core1 and Core2, which in turn connect to the other building blocks]

    Access : Provides a connection point (access) for end-user devices. Under normal circumstances it does not forward frames between two other access switches.

    Distribution : Provides an aggregation point for access switches, forwarding frames between switches, but is not connected directly to end-user devices.

    Core : Aggregates distribution switches in very large LANs, providing very high forwarding rates.

    Ethernet Types, Media and Segment Lengths

    Ethernet Type : Media : Maximum segment length
    10BASE-T : TIA/EIA CAT3 or better, 2 pair : 100 m (328 feet)
    100BASE-TX : TIA/EIA CAT5 UTP or better, 2 pair : 100 m (328 feet)
    100BASE-FX : 62.5/125 micron multimode fiber : 400 m (1312.3 feet)
    1000BASE-CX : STP (shielded twisted pair) : 25 m (82 feet)
    1000BASE-T : TIA/EIA CAT5e or better, 4 pair : 100 m (328 feet)
    1000BASE-SX : Multimode fiber : 275 m (853 feet) for 62.5 micron fiber; 550 m (1804.5 feet) for 50 micron fiber
    1000BASE-LX : Multimode fiber : 550 m (1804.5 feet) for 50 and 62.5 micron fiber
    1000BASE-LX : 9 micron single-mode fiber : 10 km (6.2 miles)

    Broadcast domain: A set of devices that receive broadcast frames originated by any device within the set. All devices in the same VLAN are in the same broadcast domain.

    Broadcast frame: An Ethernet frame sent with the destination address FFFF.FFFF.FFFF, meaning that the frame should be delivered to all hosts in the LAN.

    Collision domain: A set of NICs for which a frame sent by one NIC could result in a collision with a frame sent by any other NIC in the same collision domain.

    Cut-through switching: One of the three internal processing options in some models of Cisco LAN switches, in which the frame is forwarded as soon as possible, including forwarding bits of the frame before the whole frame is received.

    Flooding: The process by which switches forward broadcast, unknown unicast and (sometimes) multicast frames out all ports except the port on which the frame arrived.

    Fragment-free switching: One of the three processing options on some Cisco LAN switches, in which the first bits of the frame may be forwarded before the entire frame is received, but not until the first 64 bytes of the frame have been received; in a well-designed LAN, collision fragments should not be forwarded as a result of this logic.

    Microsegmentation: The LAN design practice by which every switch port connects to a single device, creating a separate collision domain per interface.

    Segmentation: The process of breaking a large amount of data from an application into pieces of a size appropriate to be sent through the network.

    Spanning Tree Protocol (STP): A bridge protocol that uses the Spanning Tree Algorithm, allowing a switch to dynamically work around loops in a network topology by creating a spanning tree. Switches exchange Bridge Protocol Data Unit (BPDU) messages with other bridges to detect loops, and remove the loops by placing selected bridge interfaces in the blocking state.

    Store-and-forward switching: One of the three processing options in some Cisco LAN switches, in which the Ethernet frame must be completely received before the switch can begin forwarding the first bit of the frame.

    Unknown unicast frame: An Ethernet frame whose destination MAC address is not listed in the switch's MAC address table, so the switch must flood the frame.

    Virtual LAN: A group of devices connected to one or more switches, with the devices grouped into a single broadcast domain through switch configuration. VLANs allow switch administrators to separate devices connected to switches into separate VLANs without requiring separate physical switches, gaining the design advantage of separating traffic without buying additional hardware.

    Please go to the "Do I Know This Already?" quiz, Chapter 7, page 168.

    Chapter 8 Operating Cisco LAN Switches

    CLI : Command Line Interface

    Cisco positions the 2960 series (family) of switches as full-featured, low-cost wiring-closet switches for enterprises.

    Cisco refers to a switch's physical connectors as either interfaces or ports. Each interface has a name and a number, for example interface FastEthernet 0/1 or interface GigabitEthernet 0/1.

    Cisco supports two major operating systems: Internetwork Operating System (IOS) and Catalyst Operating System (CatOS).

    Cisco uses the term Hybrid to refer to 6500 series core switches that run CatOS, and the term Native to refer to 6500 series core switches that run IOS.

    Cisco 2960 switch LEDs and the Mode button

    [Figure: front of a 2960 showing the SYST, RPS, STAT, DUPLX and SPEED LEDs, the port LEDs, and the MODE button]

    LEDs and descriptions

    Name : Description

    SYST (System) : Implies overall system status.
      Off : The system is not powered on.
      On (green) : The switch is powered on and operational (Cisco IOS has been loaded).
      On (amber) : The switch's power-on self test (POST) failed and Cisco IOS did not load.

    RPS (Redundant power supply) : Suggests the status of the redundant (extra) power supply.

    STAT (Status) : If on (green), each port LED implies that port's status.
      Port LED off : The link is not working.
      Solid green : The link is working but there is no current traffic.
      Flashing green : The link is working and traffic is currently passing over the interface.
      Flashing amber : The interface is administratively disabled, or dynamically disabled for one of many reasons.

    DUPLX (Duplex) : If on (green), each port LED implies that port's duplex setting.
      Port LED on (green) : Full duplex.
      Off : Half duplex.

    SPEED : If on (green), each port LED implies the speed of that port.
      Port LED off : 10 Mbps.
      Solid green : 100 Mbps.
      Flashing green : 1000 Mbps (1 Gbps).

    Port : Has different meanings depending on the port mode, as toggled using the MODE button.

    Accessing the Cisco IOS CLI

    The console port allows a way to connect to the switch CLI even if the switch is not connected to a network. Every Cisco switch has a console port, which is physically an RJ-45 port. A PC connects to the console port with a rollover cable between the PC's serial port and the switch's RJ-45 console port.

    Default console port settings on a Cisco switch

    Baud rate : 9600 bits/second
    Flow control : none (no hardware flow control)
    Data : 8-bit ASCII
    Parity : none (no parity bits)
    Stop bits : 1

    Accessing the CLI using Telnet and SSH

    The client (PC) needs terminal emulator software with a Telnet/SSH client installed; the switch runs the Telnet/SSH server software.

    Telnet sends all data, including the username and password, as clear text, which is a security risk.

    SSH (Secure Shell) does the same basic things as Telnet, but in a more secure way, by using encryption.

    CLI password configuration : Console and Telnet

    Access From : Password Type : Sample Configuration
    Console : Console password : line console 0
                                 login
                                 password faith
    Telnet : vty password : line vty 0 15
                            login
                            password love

    Switches support up to 16 (0-15) concurrent virtual terminal (vty) connections, including Telnet and SSH.

    User and Privileged Modes

    [Figure: console, Telnet and SSH sessions all land in user mode; enable moves to privileged (enable) mode and disable moves back]

    Router> enable
    Password: xxxx
    Router#
    Router# disable
    Router>

    The preferred method for setting the password for reaching enable mode is the enable secret password command.

    Cisco IOS software command help

    What you enter : What help you get
    ? : Help for all commands available in this mode
    help : Text describing how to get help. No actual command help is given.
    command ? : Text help describing all the first-parameter options for the command
    com? : A list of commands that start with "com"
    command parm? : Lists all parameters starting with "parm"
    command parm<Tab> : The CLI autofills the rest of the parameter
    command parm1 ? : Lists all the next parameters, with a brief description of each

    Key sequences for command edit and recall

    Keyboard command : What it does
    Up arrow or Ctrl-P : Displays previously entered commands
    Down arrow or Ctrl-N : Moves down to more recent commands in the history list
    Left arrow or Ctrl-B : Moves the cursor backwards (left) in the currently displayed command
    Right arrow or Ctrl-F : Moves the cursor forward (right)
    Backspace : Moves back, deleting characters
    Ctrl-A : Moves to the first character of the command
    Ctrl-E : Moves directly to the end of the command
    Ctrl-R : Redisplays the command line
    Ctrl-D : Deletes a single character
    Esc-B : Moves back one word
    Esc-F : Moves forward one word

    debug and show commands

    show commands list the currently known facts about the switch's operational status. debug commands ask the switch to continuously monitor different processes in the switch and report on them.

    terminal monitor : enables a Telnet/SSH user to view debug log messages
    debug spanning-tree : enables debugging of the spanning-tree process
    no debug spanning-tree : disables debugging of the spanning-tree process
    no debug all or undebug all : disables all currently enabled debugs

    CLI configuration modes vs. EXEC modes

    [Figure: user EXEC mode -> enable -> privileged EXEC mode -> configure terminal -> configuration mode. Each command entered in configuration mode is applied in succession to the active configuration in RAM; Ctrl-Z or exit/end returns to privileged EXEC mode]

    Navigation between different configuration modes

    Switch# configure terminal
    Switch(config)# hostname Fred
    Fred(config)# line console 0
    Fred(config-line)# password hope
    Fred(config-line)# interface FastEthernet 0/1
    Fred(config-if)# speed 100
    Fred(config-if)# exit
    Fred(config)#

    The text inside parentheses in the command prompt identifies the configuration mode.

    Common switch configuration modes

    Prompt : Name of mode : Context-setting command(s) to reach this mode
    hostname(config)# : Global configuration mode : None; first mode after the configure terminal command
    hostname(config-line)# : Line configuration mode : line console 0 or line vty 0 15
    hostname(config-if)# : Interface configuration mode : interface type number

    List of configuration mode prompts, the name of each configuration mode, and the command used to reach the mode.

    Storing configuration files

    Cisco switch memory types

    RAM : Working memory and the running configuration
    Flash : Cisco IOS software
    ROM : Bootstrap program
    NVRAM : Startup configuration

    ** NVRAM : Non-Volatile RAM

    Names and purposes of the two main Cisco IOS configuration files

    Configuration filename : Purpose : Where it is stored
    startup-config : Stores the initial configuration used any time the switch reloads Cisco IOS : NVRAM
    running-config : Stores the currently used configuration commands. This file changes dynamically when someone enters commands in configuration mode : RAM

    Configuration commands change only the running-config. To save the configuration, the running-config must be copied to NVRAM, overwriting the startup-config, so that the new or changed configuration is included the next time the switch is reloaded.

    Locations for copying configuration files and results of copying

    [Figure: the copy command moves configuration between RAM (running-config), NVRAM (startup-config) and a TFTP server]

    copy tftp running-config
    copy running-config startup-config
    copy running-config tftp
    copy startup-config running-config
    copy tftp startup-config
    copy startup-config tftp

    The copy command always replaces the existing file when configuration files are copied to NVRAM or to a TFTP server, but when a file is copied into RAM (running-config) it is always merged, not replaced. If you change the running-config and want to revert to the startup-config, copy startup-config running-config will not necessarily make the two configs match; instead you may have to issue the reload command, which reboots the switch, erasing RAM, and copies the startup-config into RAM as the running-config.

    Commands to erase NVRAM

    write erase
    erase startup-config
    erase nvram:

    Other names for the config files

    nvram:startup-config
    system:running-config

    Initial Configuration - Setup Mode

    Getting into setup mode

    [Figure: flow on power-up. Turn on the switch -> complete IOS initialization -> Is NVRAM empty? If NO, copy the startup-config to the running-config. If YES, ask "Do you want to enter setup mode?"; if NO, continue with no configuration; if YES, answer the questions in setup mode and move the new configuration to NVRAM]

    Setup mode writes the configuration to both the startup-config and running-config files, whereas configuration mode changes only the running-config file.

    CLI : Command Line Interface. An interface that enables the user to interact with the operating system by entering commands and optional arguments.

    Secure Shell (SSH) : A TCP/IP application-layer protocol that supports terminal emulation between a client and a server, using dynamic key exchange and encryption to keep the communication private and secure.

    Enable mode : The part of the Cisco CLI where a user can use the most powerful and disruptive commands on a router or switch, including the ability to then reach configuration mode and reconfigure the device.

    User mode : A mode of the user interface to a Cisco router or switch where a user can only type non-disruptive EXEC commands, generally to look at the current status, but not to change any operational settings.

    Configuration mode : The part of the Cisco IOS CLI where a user can enter configuration commands, which are then added to the device's currently used configuration file (running-config).

    Startup-config file : In Cisco IOS switches and routers, the name of the file that resides in NVRAM, holding the device's configuration that will be loaded into RAM as the running-config file when the device is next reloaded or powered on.

    Running-config file : In Cisco IOS switches and routers, the name of the file that resides in RAM, holding the device's currently used configuration.

    Setup mode : An option on Cisco switches and routers that prompts the user for basic configuration information, resulting in new running-config and startup-config files.

    Configuration Commands

    Command : Mode and purpose
    line console 0 : Global command that changes the context to console line configuration mode
    line vty 1st-vty 2nd-vty : Global command that changes the context to line (vty) configuration mode for the range of vty lines listed in the command
    login : Line (console and vty) configuration mode. Tells IOS to prompt for a password (no username)
    password pass-value : Line (console and vty) configuration mode. Sets the password required if the login command (with no other parameters) is configured
    interface type port-number : Global command that changes the context to interface configuration mode, e.g. interface FastEthernet 0/1
    shutdown / no shutdown : Interface subcommands that disable or enable the interface, respectively
    hostname name : Global command that sets the switch's hostname, which is also used as the first part of the switch's command prompt
    enable secret pass-value : Global command that sets the automatically encrypted enable secret password. This password is used for any user to reach enable mode
    enable password pass-value : Global command that sets the clear-text enable password. This is used only when the enable secret password is not configured
    exit : Moves back to the next higher mode in configuration mode
    end : Exits configuration mode and goes back to enable mode from any of the configuration submodes
    Ctrl-Z : Same as the end command

    EXEC Command Reference

    Command : Purpose
    no debug all / undebug all : Enable mode EXEC commands that disable all currently enabled debugs
    show process : EXEC command that lists statistics about CPU utilization
    terminal monitor : EXEC command that tells Cisco IOS to send a copy of all syslog messages, including debug messages, to the Telnet or SSH user who issues the command
    reload : Enable mode EXEC command that reloads (reboots) the switch or router
    copy from-location to-location : Enable mode EXEC command that copies a file from one location to another; locations include the startup-config and running-config files, files on TFTP and RPC servers, and flash memory
    copy running-config startup-config : Enable mode EXEC command that saves the active config, replacing the startup-config file used when the switch initializes
    copy startup-config running-config : Enable mode EXEC command that merges the startup-config with the currently active config file in RAM
    show running-config : Lists the contents of the running-config
    write erase / erase startup-config / erase nvram: : All three enable mode EXEC commands erase the startup-config file
    setup : Enable mode EXEC command that places the user in setup mode, in which Cisco IOS prompts the user for a simple switch configuration
    quit : EXEC command that disconnects the user from the CLI session
    show system:running-config : Same as show running-config
    show startup-config : Lists the contents of the startup-config (initial config) file
    show nvram:startup-config / show nvram: : Same as show startup-config
    enable : Moves the user from user mode to enable (privileged) mode and prompts for a password if one is configured
    disable : Moves the user from enable mode to user mode
    configure terminal : Enable mode command that moves the user into configuration mode

    Please go to the "Do I Know This Already?" quiz, Chapter 8, page 198.

    Chapter 9 Ethernet Switch Configurations

    Configuring basic passwords and the hostname

    Switch> enable
    Switch# configure terminal
    (EXEC command to move from enable mode to configuration mode)
    Switch(config)# enable secret cisco
    Switch(config)# hostname emma

    In global configuration mode the user enters two global configuration commands that add configuration to the whole switch (enable secret and hostname). enable secret sets the password used to reach enable mode, so it is a global command.

    emma(config)# line console 0
    emma(config-line)# password faith
    emma(config-line)# login
    emma(config-line)# exit

    The login command, which tells the switch to ask for a text password but not a username, and the password command, which defines the required password, are subcommands in the respective line configuration submodes.

    emma(config)# line vty 0 15
    emma(config-line)# password love
    emma(config-line)# login
    emma(config-line)# exit
    emma(config)# exit
    emma#

    emma# show running-config
    hostname emma
    enable secret 5 $90345824kosdfjsdfmld908v/m
    line console 0
     password faith
     login
    line vty 0 4
     password love
     login
    line vty 5 15
     password love
     login

    vty lines 5-15 (11 vty lines) were added later to vty lines 0-4 (5 vty lines), making a total of 16 concurrent vty lines available on a Cisco switch; that is why show running-config lists them as two separate blocks.

    SSH Configuration concepts

    Line vty 0 15

    Login localTransport input telnet ssh

    Username wendell password hope

    Ip domain-name example.com

    Crypto key generate rsa

    (switch generate keys)

    Public key private key

    Cisco Switch

    1

    2

    3

    4

    5

    6SSH Client

Step 1: login local changes the vty lines to use usernames (the plain login command does not require usernames) with locally configured usernames (the other option is usernames held on an AAA server). The login local subcommand therefore replaces the login subcommand in vty configuration mode.

Step 2: transport input telnet ssh (vty line subcommand) tells the switch to accept both Telnet and SSH; the default is transport input telnet, which omits SSH. To allow only the encrypted protocol, use transport input ssh.

Step 3: Add one or more username name password pass-value global configuration commands to configure username/password pairs.

Step 4: Configure the DNS domain name with the ip domain-name name global configuration command.

Step 5: Configure the switch to generate a matched public and private key pair, as well as a shared encryption key, using the crypto key generate rsa global configuration command (when prompted for the modulus size, choose at least 1024 bits).

Step 6: The SSH client needs a copy of the switch's public key before it can connect; it receives the key during the first SSH handshake and should verify its fingerprint before trusting it.

    SSH Configuration Process.

Emma# configure terminal
Emma(config)# line vty 0 15
Emma(config-line)# login local
Emma(config-line)# transport input telnet ssh
Emma(config-line)# exit
Emma(config)# username wendell password hope
Emma(config)# ip domain-name example.com
Emma(config)# crypto key generate rsa
The name of the key will be: Emma.example.com

Refer to page 241 for SSH key generation and the public key listing. Note that username name password pass-value leaves the password readable in the configuration (Type 7 at best, once service password-encryption is on); username name secret pass-value stores an MD5 hash instead and is the better choice.

Password Encryption

The service password-encryption global configuration command encrypts the passwords.

When service password-encryption is configured, all existing console, vty and username command passwords are immediately encrypted.

If service password-encryption has already been configured, any future changes to these passwords are encrypted as well.

If the no service password-encryption command is used later, the passwords remain encrypted until they are changed, at which point they show up in clear text.

service password-encryption uses Type 7 encoding, a weak reversible obfuscation (XOR against a fixed, publicly known key) that can be decoded in a moment by anyone who can read the configuration file. It protects against a glance over the shoulder, nothing more; treat a Type 7 string as a clear-text password.
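As an added illustration of why Type 7 is not protection (this is example code written for these notes, not code from the study guide or from Cisco), the following Python decodes and re-encodes Type 7 strings and scans a running-config for them. The XOR key is the publicly known constant used by every Type 7 decoder; the config fragment and passwords in the test are constructed.

```python
from __future__ import annotations

import re

# Fixed XOR key that IOS uses for Type 7.  It is public knowledge, which
# is exactly why Type 7 offers no real protection.
XLAT_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the clear-text password from a Type 7 string.

    Layout: two decimal digits (a seed, 0-15) followed by one hex byte per
    password character; byte i was XORed with XLAT_KEY[(seed + i) % len].
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed Type 7 string")
    seed = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    clear = bytes(b ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)]
                  for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encode(clear: str, seed: int = 0) -> str:
    """Produce the string 'service password-encryption' would store."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = bytes(c ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)]
                 for i, c in enumerate(clear.encode("ascii")))
    return f"{seed:02d}{body.hex().upper()}"


# Matches the ' 7 <hex>' tail of password / secret / key lines in a config.
_TYPE7_LINE = re.compile(r"\s7\s+([0-9A-Fa-f]{4,})\s*$")


def recover_type7_from_config(config_text: str) -> list[tuple[str, str]]:
    """Return (config line, clear-text password) for every Type 7 entry."""
    hits = []
    for line in config_text.splitlines():
        m = _TYPE7_LINE.search(line)
        if m:
            hits.append((line.strip(), type7_decode(m.group(1))))
    return hits


if __name__ == "__main__":
    # Constructed running-config fragment, not from the study guide.
    sample = (
        "line vty 0 4\n"
        " password 7 " + type7_encode("love", seed=5) + "\n"
        " login\n"
        "username wendell password 7 " + type7_encode("hope", seed=12) + "\n"
        "enable secret 5 $1$notreversible$\n"
    )
    for line, clear in recover_type7_from_config(sample):
        print(f"{line:45}  ->  {clear}")
```

The scan deliberately ignores enable secret lines: a Type 5 MD5 hash cannot be reversed this way, which is the whole reason to prefer enable secret and username secret over password-based commands.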

The two enable mode passwords

If the global configuration command enable password pass-value is used, it defines the password required when using the enable EXEC command. This password is listed as clear text in the configuration file by default.

If the global configuration command enable secret pass-value is used, it defines the password required when using the enable EXEC command. This password is listed as a hidden MD5 hash value in the configuration file by default.

If both commands are used, the password set in the enable secret command defines which password is required.

IOS applies a mathematical function called the Message Digest 5 (MD5) hash, and the result is stored in the configuration file; this is considered Type 5 encryption.

enable secret fred
enable secret 0 fred      (sets the enable secret password to fred; the 0 means the password that follows is clear text)
no enable secret          (deletes the enable secret password)
enable secret tom         (changes the enable secret password to tom)

    Banner Configurations

banner is a global configuration command.

SW1(config)# banner #Switch down for maintenance at 11 pm today #

(default banner is the MOTD, Message of the Day, banner, shown before the login prompt)

SW1(config)# banner login #Unauthorized Access Denied #

(login banner, shown before the login prompt, after the MOTD banner)

SW1(config)# banner exec ZCompany picnic at the park on Saturday, don't tell outsiders Z

(EXEC banner, shown after the login prompt, for messages that should be hidden from unauthorised users)

(The first non-blank character after the banner [type] command is taken as the delimiter, and the text between the two delimiters is displayed.)

Commands related to the history buffer

Command                    Description
show history               Lists the commands currently held in the history buffer
history size x             Console or vty line configuration; sets the number of commands saved in the history buffer
terminal history size x    EXEC command; sets the size of the history buffer just for that user's session

Defining console inactivity timeouts and when to log messages

line console 0
 login
 password cisco
 exec-timeout 0 0          (the console session never times out; the default is 10 minutes. Convenient in a lab, but on a production device a disabled timeout leaves an unattended privileged session open)
 logging synchronous       (displays syslog messages at a convenient time, after a command's output, and not in the middle of typing a command)

    LAN Switch Configuration and Operation

    Configuring Switch IP Address

An IOS-based switch configures its IP address and mask on a special virtual interface, the VLAN 1 interface.

Step 1: Enter VLAN 1 configuration mode with the interface vlan 1 global configuration command.

Step 2: Assign the IP address and mask with the ip address ip-address mask interface subcommand.

Step 3: Enable the VLAN interface with the no shutdown interface subcommand.

Step 4: Add the ip default-gateway ip-address global command to configure the default gateway.


    Switch static IP address configuration

Emma# configure terminal
Emma(config)# interface vlan 1
Emma(config-if)# ip address 192.168.1.200 255.255.255.0
Emma(config-if)# no shutdown
Emma(config-if)# exit
Emma(config)# ip default-gateway 192.168.1.1

    (refer to page 249 for syslog messages)

    Switch dynamic IP address configuration using DHCP

Emma# configure terminal
Emma(config)# interface vlan 1
Emma(config-if)# ip address dhcp
Emma(config-if)# no shutdown
Emma(config-if)# ^Z
Emma# show dhcp lease

(shows the temporarily leased IP address; a dynamically learned address is not stored in the running-config file, whereas a statically configured address is)

Emma# show interfaces vlan 1
Vlan1 is up, line protocol is up

    (refer to page 250 for syslog messages)

    Interface Configuration Commands.

Emma# configure terminal
Emma(config)# interface fastethernet 0/1
Emma(config-if)# speed 100
Emma(config-if)# duplex full
Emma(config-if)# description Server 1 connects here
Emma(config-if)# exit
Emma(config)# interface range fastethernet 0/11 - 20
Emma(config-if-range)# description end-users connect here
Emma(config-if-range)# ^Z


Emma# show interfaces status

Port    Name                    Status      Vlan  Duplex  Speed  Type
Fa0/1   Server 1 connects here  notconnect  1     full    100    10/100BaseTX
Fa0/2                           notconnect  1     auto    auto   10/100BaseTX
Fa0/4                           connected   1     a-full  a-100  10/100BaseTX
Fa0/11  end-users connect here  connected   1     auto    auto   10/100BaseTX
...
Fa0/24

(please refer to page 252 for the full listing)

a-full and a-100 (the Fa0/4 line) mean that the duplex and speed were autonegotiated to full duplex and 100 Mbps with the physically connected device; plain full and 100 (Fa0/1) mean they were configured manually.

Port Security

If a network engineer knows which devices should be cabled and connected to a particular switch interface, the engineer can use port security to restrict that interface so that only the expected devices can use it.

Port Security Configuration Steps

Step 1: Make the switch interface an access interface using the switchport mode access interface subcommand.

Step 2: Enable port security using the switchport port-security interface subcommand.

Step 3: (Optional) Specify the maximum number of MAC addresses associated with the interface using the switchport port-security maximum number interface subcommand. The default maximum is 1.

Step 4: (Optional) Define the action to take when a frame is received from a MAC address other than the defined addresses using the switchport port-security violation {protect | restrict | shutdown} interface subcommand. The default action is to shut down the port.

Step 5A: Specify the MAC addresses allowed to send frames into the interface using the switchport port-security mac-address mac-address interface subcommand. Use the command multiple times to specify more MAC addresses.

Step 5B: Alternatively, use the sticky learning process to dynamically learn and configure the MAC address of the currently connected host by configuring the switchport port-security mac-address sticky interface subcommand.


Fred# show port-security interface fastethernet 0/1
Fred# show port-security interface fastethernet 0/2

Refer to page 255 for the output listing.

Note the port status secure-shutdown on Fa0/1 (the port is shut down because of a violation) and secure-up on Fa0/2. A port in secure-shutdown (err-disabled) state stays down until an administrator issues shutdown and then no shutdown on it.

Actions when a port security violation occurs

Options on the switchport port-security violation command

                                                 protect   restrict   shutdown (default)
Discards offending traffic                       Yes       Yes        Yes
Sends log and SNMP messages                      No        Yes        Yes
Disables the interface, discarding all traffic   No        No         Yes
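To make the configuration steps and the violation table above concrete, here is a small Python model of one port-security interface (an added example for these notes, not switch code and not from the study guide). It tracks static and learned secure addresses against the configured maximum, applies the protect / restrict / shutdown actions, and prints the interface subcommands that would reproduce its state. The interface names, MAC addresses and log message texts are constructed; real IOS syslog wording differs.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access interface with port security enabled (constructed model)."""
    name: str
    maximum: int = 1                 # switchport port-security maximum <n>
    violation: str = "shutdown"      # violation {protect | restrict | shutdown}
    sticky: bool = False             # switchport port-security mac-address sticky
    static_macs: set = field(default_factory=set)   # mac-address <mac> (Step 5A)
    learned_macs: set = field(default_factory=set)  # learned dynamically or sticky
    status: str = "secure-up"        # secure-up | secure-shutdown (err-disabled)
    violation_count: int = 0
    log: list = field(default_factory=list)

    def __post_init__(self):
        if self.violation not in ("protect", "restrict", "shutdown"):
            raise ValueError("violation must be protect, restrict or shutdown")

    def secure_macs(self) -> set:
        return self.static_macs | self.learned_macs

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>; IOS rejects it past the maximum."""
        mac = mac.lower()
        if mac not in self.secure_macs() and len(self.secure_macs()) >= self.maximum:
            raise ValueError(f"{self.name}: already {self.maximum} secure address(es)")
        self.static_macs.add(mac)

    def receive(self, src_mac: str) -> bool:
        """Process a frame with source src_mac; return True if it is accepted."""
        mac = src_mac.lower()
        if self.status == "secure-shutdown":
            return False                       # err-disabled: everything is dropped
        if mac in self.secure_macs():
            return True
        if len(self.secure_macs()) < self.maximum:
            self.learned_macs.add(mac)         # room left: learn it (sticky or not)
            return True
        # Unknown source MAC while the table is full: a violation.
        if self.violation == "protect":
            return False                       # silently discarded, no counter, no log
        self.violation_count += 1
        if self.violation == "restrict":
            self.log.append(f"violation on {self.name} from {mac} (syslog + SNMP trap)")
        else:
            self.status = "secure-shutdown"
            self.log.append(f"{self.name} err-disabled: psecure-violation from {mac}")
        return False

    def recover(self) -> None:
        """Operator clears err-disabled with 'shutdown' followed by 'no shutdown'."""
        self.status = "secure-up"

    def config_lines(self) -> list:
        """Interface subcommands (Steps 1 to 5) that reproduce this port's state."""
        lines = ["switchport mode access", "switchport port-security"]
        if self.maximum != 1:
            lines.append(f"switchport port-security maximum {self.maximum}")
        if self.violation != "shutdown":
            lines.append(f"switchport port-security violation {self.violation}")
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            # Sticky learning writes the learned addresses into the running-config.
            lines += [f"switchport port-security mac-address sticky {m}"
                      for m in sorted(self.learned_macs)]
        lines += [f"switchport port-security mac-address {m}"
                  for m in sorted(self.static_macs)]
        return lines
```

The protect branch is the one to notice: it drops the offending frames but increments no counter and logs nothing, so a rogue device behind a protect port is invisible unless someone compares the secure-address table against the expected hosts.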

VLAN Configuration

Two types of Cisco switch interfaces: access interfaces and trunk interfaces.

By definition, access interfaces send and receive frames in only a single VLAN, called the access VLAN. Trunk interfaces send and receive frames in multiple VLANs.

One access port belongs to one VLAN (one VLAN can have multiple access ports, a subset of the switch's access ports); one trunk port carries multiple VLANs.

By default a switch has VLAN 1 configured and all interfaces assigned to it. To add another VLAN and assign access ports to it, follow the steps below.

Step 1: To configure a new VLAN

a) From configuration mode, use the vlan vlan-id global configuration command to create the VLAN and move into VLAN configuration mode.

b) (Optional) Use the name vlan-name VLAN subcommand to name the VLAN. If not configured, the default name is VLANzzzz, where zzzz is the four-digit VLAN ID.

Step 2: To configure the VLAN for each access interface

a) Use the interface command to move to interface configuration mode for each desired interface.

b) Use the switchport access vlan id-number interface subcommand to specify the VLAN associated with that interface.

c) (Optional) To disable trunking, so that the switch will not dynamically decide to use trunking on the interface and it remains an access interface, use the switchport mode access interface subcommand.

(Figure: SW1 with Fa0/11 and Fa0/12 in VLAN 1 and Fa0/13 and Fa0/14 in VLAN 2.)

SW1# show vlan brief
SW1# configure terminal
SW1(config)# vlan 2
SW1(config-vlan)# name fred-vlan
SW1(config-vlan)# exit
SW1(config)# interface range fastethernet 0/13 - 14
SW1(config-if-range)# switchport access vlan 2
SW1(config-if-range)# end
SW1# show running-config
SW1# show vlan brief

Please refer to page 258 for the command output listings.


Note: name fred-vlan (the name VLAN subcommand is case-sensitive).

Securing unused interfaces. The recommendations for securing unused interfaces are:

Administratively shut down the interface using the shutdown interface subcommand.

Prevent VLAN trunking and VLAN Trunking Protocol (VTP) by making the port a nontrunking interface with the switchport mode access interface subcommand.

Assign the port to an unused VLAN using the switchport access vlan vlan-number interface subcommand.

Access Interface: A LAN network design term that refers to a switch interface connected to end-user devices.

Trunk Interface: On a LAN switch, an interface that is currently using either 802.1Q or ISL trunking.

Trunking: Also called VLAN trunking. A method using either the Cisco ISL protocol or the IEEE 802.1Q protocol to support multiple VLANs that have members on more than one switch.

Configuration Command Reference

Command                           Mode/Purpose/Description

Basic Password Configuration
The following four commands are related to basic password configuration.

line console 0                    Changes the context to console configuration mode
line vty 1st-vty 2nd-vty          Changes the context to vty configuration mode for the range of vty lines listed
login                             Console and vty configuration mode. Tells IOS to prompt for a password
password pass-value               Console and vty configuration mode. Lists the password required if the login command (without any other parameter) is configured

Username/Password and SSH Configuration
The following four commands are related to username/password and SSH configuration.

login local                       Console and vty configuration mode. Tells IOS to prompt for a username and password, to be checked against the locally configured username global configuration commands on this switch or router.


username name password pass-value   Global command. Defines one of possibly many usernames and their associated passwords, used for user authentication when the login local line subcommand is configured.

crypto key generate rsa             Global command. Creates the RSA key pair required by SSH and stores it in a hidden location in flash memory.

transport input {telnet | ssh}      vty line configuration mode. Defines whether Telnet and/or SSH is allowed into this switch; both keywords can be given in one command to allow both.

IP Address Configuration
The following four commands are related to IP address configuration.

interface vlan number               Changes the context to VLAN interface mode. For VLAN 1, allows the configuration of the switch's IP address.

ip address ip-address subnet-mask   VLAN interface mode. Statically configures the switch's IP address and mask.

ip address dhcp                     VLAN interface mode. Configures the switch as a DHCP client to discover its IP address, subnet mask and default gateway.

ip default-gateway address          Global command. Configures the switch's default gateway IP address. Not required if the switch uses DHCP.

Interface Configuration
The following six commands are used for interface configuration.

interface type port-number          Changes the context to interface mode, e.g. interface fastethernet 0/1.

interface range type port-range     Changes the context to interface mode for the range of interfaces.

shutdown / no shutdown              Interface mode. Disables or enables the interface.

speed {10 | 100 | 1000 | auto}      Interface mode. Manually sets the speed, or with auto, autonegotiates the speed.

duplex {half | full | auto}         Interface mode. Manually sets the duplex to half or full, or autonegotiates it.

description text                    Interface mode. Sets a description for the interface.

Miscellaneous
Miscellaneous configuration commands.

hostname name                       Global command. Sets the switch's host name, also used as the first part of the command prompt.

enable secret pass-value            Global command. Sets the password required for any user to reach the switch's enable mode.

history size length                 Line configuration mode. Defines the number of commands held in the history buffer.

switchport port-security mac-address mac-address
                                    Interface subcommand. Statically adds an allowed MAC address on that interface.

switchport port-security mac-address sticky
                                    Interface subcommand. Tells the switch to learn MAC addresses on the interface and add them as secure addresses to its configuration.

switchport port-security maximum number
                                    Interface subcommand. Sets the maximum number of secure MAC addresses (static, sticky or dynamically learned) that can be associated with a single interface.

switchport port-security violation {protect | restrict | shutdown}
                                    Interface subcommand. Tells the switch what to do if an inappropriate MAC address tries to access the network through a secure switch port.

EXEC Command Reference

Command                                   Purpose
show mac address-table dynamic            Lists the dynamically learned entries in the switch's address table
show dhcp lease                           Lists any information the switch acquired as a DHCP client, including IP address, subnet mask and default gateway
show crypto key mypubkey rsa              Lists the public and shared keys created for use with SSH by the crypto key generate rsa global configuration command
show interfaces status                    Lists one output line per interface, noting the description, operating state, and the duplex and speed settings of each interface
show interfaces vlan 1                    Lists interface status, the switch's IP address and mask, and much more
show port-security interface type number  Lists an interface's port-security configuration settings and security operational status

Please go to the "Do I Know This Already?" quiz for Chapter 9, page 232.


    Chapter 10 Ethernet Switch Troubleshooting

Organized troubleshooting steps

Step 1: Analyzing/predicting normal operation
Step 2: Problem isolation
Step 3: Root cause analysis

Verifying Network Topology using Cisco Discovery Protocol

The proprietary Cisco Discovery Protocol (CDP) discovers basic information about neighbouring switches and routers by listening to the CDP messages that neighbouring switches and routers send out on each of their interfaces.

CDP discovers several useful details from neighbouring Cisco devices (information gathered by CDP):

Device identifier: typically the hostname
Address list: network and data-link addresses
Local interface: the interface on the router or switch issuing the show cdp command on which the neighbour was discovered
Port identifier: text that identifies the port that the neighbouring device used to send the CDP message to the local device
Capabilities list: information on what type of device it is (switch, router, and so on)
Platform: the model and OS level running on the device

Because CDP advertises all of this to anyone on the segment, it is also a reconnaissance source; disable it on interfaces that face untrusted devices.

show cdp commands that list information about neighbouring devices

Command                                        Description
show cdp neighbors [type number]               Lists one summary line of information on each neighbour, or just the neighbour found on the specified interface if an interface is listed
show cdp neighbors detail                      Lists one large set (about 15 lines) of information, one set for every neighbour
show cdp entry name (e.g. show cdp entry R1)   Lists the same information as show cdp neighbors detail, but only for the named neighbour (case-sensitive)

no cdp enable     (interface subcommand, disables CDP on that interface)
cdp enable        (interface subcommand, re-enables CDP on that interface)
no cdp run        (global command, disables CDP on the whole switch)
cdp run           (global command, re-enables CDP on the whole switch)

    Please refer page 281 for CDP commands output listing


Commands used to verify CDP operation

Command                            Description
show cdp                           States whether CDP is enabled globally, and lists the default update and holdtime timers
show cdp interface [type number]   States whether CDP is enabled on each interface, or on the interface listed, and states the update and holdtime timers on those interfaces
show cdp traffic                   Lists global statistics for the number of CDP advertisements sent and received

Analysing Layer 1 and 2 Interface Status

Two types of interface status codes:
1. two codes or words: line status and protocol status, the same as for routers, and
2. one code or word: interface status.

The following commands list the two-code interface status:
show interfaces
show interfaces description

The following command lists the one-word interface status:
show interfaces status

The show interfaces command lists the actual speed and duplex settings but does not indicate whether the settings were configured or autonegotiated. The show interfaces status command, however, lists an a- prefix to show that the speed and duplex settings were autonegotiated, and leaves the prefix off if they were configured manually.

LAN Switch Interface Status Codes

Line Status (two word)   Protocol Status (two word)   Interface Status (one word)   Typical root cause
administratively down    down                         disabled                      The interface is configured with the shutdown command
down                     down                         notconnect                    No cable, bad cable, wrong cable pinouts, the speeds are mismatched on the two connected devices, the device on the other end of the cable is powered off, or the other interface is shut down
up                       down                         notconnect                    An up/down state is not expected on LAN switch interfaces
down                     down (err-disabled)          err-disabled                  Port security has disabled the interface
up                       up                           connect                       The interface is working

Interface Speed and Duplex Issues

Interfaces can use autonegotiation, or the speed {10 | 100 | 1000} and duplex {half | full} interface subcommands can set the speed and duplex manually, which disables autonegotiation.

show interfaces and show interfaces status both list the speed and duplex settings.

When the IEEE autonegotiation process works on both devices, both agree on the fastest speed supported by both, and on full duplex if both support it, otherwise half duplex (the Cisco 2960 switch supports full duplex). However, when one device disables autonegotiation (by manually setting speed and duplex) and the other device uses autonegotiation, the autonegotiating device senses the speed and then sets its duplex to the default for that speed. The defaults are as follows:

If the speed is not known, use 10 Mbps, half duplex.

If the speed is somehow known to be 10 or 100 Mbps, default to half duplex.

If the speed is somehow known to be 1000 Mbps, default to full duplex.

If the duplex settings do not match on the two ends of an Ethernet segment, the switch interface will still be in an up/up (connect) state, but the link will work poorly.

To troubleshoot a duplex mismatch, check the duplex settings on each end of the link, or watch for increasing collision and late collision counters on the half-duplex side.

Common Layer 1 problems on working interfaces

Interface counters for Layer 1 problems:

show interfaces fa0/13

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
95226 packets output
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred

Please refer to page 288 for the full listing.


CRC counter: Cyclic Redundancy Check counter, counts frames discarded because the FCS check failed.

Collision counter: counts collisions that occurred in the first 64 bytes of the frame.

Late collision counter: counts collisions that occurred after the first 64 bytes of the frame had already been sent.

A significant problem exists if more than 0.1 % of the total output frames have collided.

An incrementing late collision counter means one of two things:

The interface is connected to a collision domain whose cabling exceeds the Ethernet cabling length standards.

The interface is using half duplex and the device on the other end of the cable is using full duplex.

Common LAN Layer 1 problem indicators

Type of problem                  Counter values indicating this problem          Common root cause
Excessive noise (interference)   Many input errors, few collisions               Wrong cable category (Cat 5, 5e, 6), damaged cables, EMI
Collisions                       More than roughly 0.1 % of all frames collide   Duplex mismatch (seen on the half-duplex side), jabber, DoS attack
Late collisions                  Increasing late collisions                      Collision domain or single cable too long, duplex mismatch

Jabber: frames sent by a device continuously without a break, not conforming to the Ethernet standards.
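The duplex defaults and the counter table above are the kind of rules an engineer applies by hand during troubleshooting; the following Python (an added example for these notes, not from the study guide) encodes both: negotiate() works out what each end of a link settles on and flags a mismatch, and diagnose() reads show interfaces counters and maps them to the root causes in the table. The counter fragments are constructed to match the layout of the listing above, and applying the 0.1 % ratio to input errors as well as collisions is an assumption of this example.

```python
import re
from dataclasses import dataclass

COLLISION_THRESHOLD = 0.001   # the "more than 0.1 % of output frames" rule above
ERROR_THRESHOLD = 0.001       # assumption: the same ratio applied to input errors

# Constructed 'show interfaces' counter fragments (same layout as the listing
# above; the values are invented for this example).
SAMPLE_HEALTHY = """\
     2357 packets input, 1244341 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     95226 packets output, 10838659 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""
SAMPLE_MISMATCH = (SAMPLE_HEALTHY.replace("0 collisions", "120 collisions")
                   .replace("0 late collision", "3 late collision"))
SAMPLE_NOISY = SAMPLE_HEALTHY.replace("0 input errors, 0 CRC", "400 input errors, 380 CRC")

_COUNTER = re.compile(r"(\d+)\s+(packets input|packets output|input errors|CRC|"
                      r"collisions|late collisions?)\b")


def parse_counters(text: str) -> dict:
    """Pull the counters that matter here out of 'show interfaces' output."""
    counters = {}
    for value, name in _COUNTER.findall(text):
        key = "late collisions" if name.startswith("late") else name
        counters[key] = int(value)
    return counters


def diagnose(counters: dict) -> list:
    """Map counter patterns to the likely Layer 1 causes listed in the table."""
    findings = []
    out = max(counters.get("packets output", 0), 1)   # avoid division by zero
    inp = max(counters.get("packets input", 0), 1)
    collision_ratio = counters.get("collisions", 0) / out
    if counters.get("late collisions", 0) > 0:
        findings.append("late collisions: duplex mismatch (this end half duplex) "
                        "or collision domain / cable too long")
    if collision_ratio > COLLISION_THRESHOLD:
        findings.append("excessive collisions: duplex mismatch, jabber, or DoS")
    if counters.get("input errors", 0) / inp > ERROR_THRESHOLD and \
            collision_ratio <= COLLISION_THRESHOLD:
        findings.append("excessive noise: wrong cable category, damaged cable, or EMI")
    return findings


@dataclass
class PortSetting:
    auto: bool
    speeds: tuple = (10, 100)   # speeds the port can autonegotiate (10/100 NIC by default)
    full_capable: bool = True
    speed: int = None           # used only when auto is False
    duplex: str = None          # 'half' or 'full', only when auto is False


def negotiate(a: PortSetting, b: PortSetting):
    """Return ((speed_a, duplex_a), (speed_b, duplex_b), mismatch)."""
    if a.auto and b.auto:
        speed = max(set(a.speeds) & set(b.speeds))
        duplex = "full" if a.full_capable and b.full_capable else "half"
        return (speed, duplex), (speed, duplex), False
    if not a.auto and not b.auto:                  # both manually configured
        ra, rb = (a.speed, a.duplex), (b.speed, b.duplex)
        return ra, rb, ra != rb
    if a.auto:                                     # make `a` the fixed side
        rb, ra, mismatch = negotiate(b, a)
        return ra, rb, mismatch
    # One side fixed: the auto side senses the speed but cannot learn the
    # duplex, so it falls back to the default (half below 1000 Mbps, else full).
    fixed = (a.speed, a.duplex)
    guessed = (a.speed, "full" if a.speed == 1000 else "half")
    return fixed, guessed, fixed != guessed


if __name__ == "__main__":
    for label, text in (("healthy", SAMPLE_HEALTHY), ("mismatch", SAMPLE_MISMATCH),
                        ("noisy", SAMPLE_NOISY)):
        print(label, diagnose(parse_counters(text)) or ["no Layer 1 problem indicated"])
    print(negotiate(PortSetting(auto=False, speed=100, duplex="full"), PortSetting(auto=True)))
```

The last line is the classic trap: a server NIC pinned to 100/full talking to a switch port left on auto ends up at 100/half on the switch side, the link shows connect, and only the collision counters give it away.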

Analysing the Layer 2 forwarding path with the MAC address table

show mac address-table
show mac address-table dynamic    lists the contents of the switch's MAC address table

The switch's forwarding logic can be summarised as follows:

Step 1: Determine the VLAN in which the frame should be forwarded. On access interfaces this is the access VLAN associated with the incoming interface.

Step 2: Look for the frame's destination MAC address in the MAC address table, but only among the entries for the VLAN identified in Step 1. If the destination MAC is:

A. Found (unicast): forward the frame out only the interface listed in the matched address table entry.

B. Not found (unicast): flood the frame out all other interfaces in that same VLAN, except the incoming interface.

C. Broadcast or multicast: flood the frame out all other interfaces in that same VLAN, except the incoming interface.

(Figure: Fred, 0200.1111.1111, and Barney, 0200.2222.2222, connect to SW1 on Fa0/9 and Fa0/12 (Barney on Fa0/12); SW1 Gi0/1 links to SW2 Gi0/2; SW2 Fa0/13 links to router R1's Fa0/1, MAC 0200.5555.5555.)

Barney forwards a frame to its default gateway, router R1, and the following forwarding steps occur:

Step 1: SW1 receives the frame on its Fa0/12 interface and sees that it is assigned to VLAN 1.

Step 2: SW1 looks for a MAC table entry for 0200.5555.5555 in the incoming interface's VLAN (VLAN 1).

a) SW1 finds an entry, associated with VLAN 1, outgoing interface Gi0/1, and forwards the frame out only interface Gi0/1.

The frame is now on its way to SW2, and the steps below explain SW2's forwarding logic:

Step 1: SW2 receives the frame on its Gi0/2 interface and sees that it is assigned to VLAN 1.

Step 2: SW2 looks for a MAC table entry for 0200.5555.5555 (R1, the destination) in the incoming interface's VLAN (VLAN 1).

a) SW2 finds an entry, associated with VLAN 1, outgoing interface Fa0/13, and forwards the frame out only interface Fa0/13.

At this point the frame should be on its way over the Ethernet cable between SW2 and R1.
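The two-step forwarding logic above, run over the figure's topology, as an added example (Python written for these notes, not switch firmware and not from the study guide). Every port is modelled as an access port; the figure's MAC addresses are reused, and a VLAN 2 port (Fa0/13 on SW1) is added here purely to show that flooding stays inside the VLAN. The walk-through starts with empty tables, so the first Barney-to-R1 frame is flooded and only the second one, after R1 has replied and been learned, follows the single path the steps describe.

```python
BROADCAST = "ffff.ffff.ffff"
FRED, BARNEY, R1 = "0200.1111.1111", "0200.2222.2222", "0200.5555.5555"


def is_group_address(mac: str) -> bool:
    """Broadcast or multicast: the I/G bit (low bit of the first octet) is set."""
    return int(mac[:2], 16) & 0x01 == 1


class Switch:
    """Per-VLAN MAC learning and forwarding; every port is an access port."""

    def __init__(self, name: str, access_vlans: dict):
        self.name = name
        self.access_vlans = dict(access_vlans)   # port -> access VLAN
        self.table = {}                          # (vlan, mac) -> port, as 'show mac
                                                 # address-table dynamic' would list it

    def forward(self, in_port: str, src: str, dst: str) -> list:
        """Return the sorted list of ports the frame leaves on (empty = dropped)."""
        # Step 1: the frame belongs to the incoming port's access VLAN.
        vlan = self.access_vlans[in_port]
        src, dst = src.lower(), dst.lower()
        # Learning: remember which port the source MAC lives on, in this VLAN.
        self.table[(vlan, src)] = in_port
        # Step 2: look the destination up only among this VLAN's entries.
        if not is_group_address(dst):
            out = self.table.get((vlan, dst))
            if out is not None:
                # 2A known unicast: one port only; filter it if that port is
                # the one the frame arrived on (both stations behind one port).
                return [] if out == in_port else [out]
        # 2B unknown unicast / 2C broadcast or multicast: flood within the VLAN.
        return sorted(p for p, v in self.access_vlans.items()
                      if v == vlan and p != in_port)


def build_topology():
    """The figure's two switches (plus the VLAN 2 port added for this example)."""
    sw1 = Switch("SW1", {"Fa0/9": 1, "Fa0/12": 1, "Gi0/1": 1, "Fa0/13": 2})
    sw2 = Switch("SW2", {"Gi0/2": 1, "Fa0/13": 1})
    return sw1, sw2


def send_barney_to_r1(sw1: Switch, sw2: Switch):
    """Walk one Barney -> R1 frame through both switches; return each hop's ports."""
    hop1 = sw1.forward("Fa0/12", BARNEY, R1)
    hop2 = sw2.forward("Gi0/2", BARNEY, R1) if "Gi0/1" in hop1 else []
    return hop1, hop2


if __name__ == "__main__":
    sw1, sw2 = build_topology()
    print("first frame, tables empty :", send_barney_to_r1(sw1, sw2))
    sw2.forward("Fa0/13", R1, BARNEY)        # R1 replies; SW2 learns R1 on Fa0/13
    sw1.forward("Gi0/1", R1, BARNEY)         # ... and SW1 learns R1 on Gi0/1
    print("second frame, R1 learned  :", send_barney_to_r1(sw1, sw2))
    print("SW1 table:", sw1.table)
```

Note what the VLAN 2 port never receives: flooding is the fallback that makes an unknown destination visible to every station in the VLAN, which is also why an attacker who can overflow the MAC table (filling it with bogus source addresses) turns the switch back into a hub for that VLAN; port security's maximum address count is the control that limits how many entries one port may contribute.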

Port Security and Filtering

Switches and routers can use an ACL (Access Control List) to filter the traffic on a port.

With the port-security violation modes protect or restrict, the switch discards the offending frame but leaves the interface in a connect (up/up) status, so the problem is only visible in the show port-security counters (and, for restrict, in the syslog messages).

CDP Neighbour: A device on the other end of a communication cable that advertises CDP updates.

Up and Up: Jargon referring to the two interface status codes on a Cisco switch or router (line status and protocol status).

Error disabled: An interface state on a Cisco switch that is the result of one of many security violations.

Problem Isolation: The part of the troubleshooting process in which an engineer attempts to rule out possible causes of the problem until the root cause is identified.

Root Cause: A troubleshooting term that refers to the reason why a problem exists, especially a reason which, if changed, would either solve the problem or change it into a different problem.

Cisco Catalyst 2950 switch configuration commands

Command                                                              Description
shutdown / no shutdown                                               Interface subcommand that administratively disables or enables the interface, respectively
switchport port-security violation {protect | restrict | shutdown}   Interface subcommand that tells the switch what to do in the case of a violation, in which an inappropriate MAC address tries to access the network through a secure switch port
cdp run / no cdp run                                                 Global command that enables or disables CDP for the entire switch or router
cdp enable / no cdp enable                                           Interface subcommand that enables or disables CDP on a particular interface
speed {10 | 100 | 1000}                                              Interface subcommand that manually sets the interface speed
duplex {auto | half | full}                                          Interface subcommand that manually sets the interface duplex

EXEC command reference

Command                                                       Description
show mac address-table [dynamic | static] [address hw-address] [interface interface-id] [vlan vlan-id]
                                                              Displays the MAC address table, optionally limited to dynamic or static entries, to one MAC address, to one interface, or to one VLAN
show port-security [interface interface-id] [address]         Displays information about the security options configured on an interface, and with address, the secure MAC addresses
show cdp neighbors [type number]                              Lists one summary line of information about each neighbour, or just the neighbour found on the specified interface
show cdp neighbors detail                                     Lists one large set (about 15 lines) of information for every neighbour
show cdp entry name                                           Displays the same information as show cdp neighbors detail, but only for the specified neighbour
show cdp                                                      States whether CDP is enabled globally, and lists the default update and holdtime timers
show cdp interface [type number]                              States whether CDP is enabled on each interface, or on the interface specified, and lists the update and holdtime timers
show cdp traffic                                              Displays global statistics for CDP advertisements sent and received
show interfaces [type number]                                 Displays detailed information about interface status, settings and counters
show interfaces status [type number]                          Displays summary information about interface status and settings, including the actual speed and duplex and whether they were autonegotiated

Please go to the "Do I Know This Already?" quiz for Chapter 10, page 268.


    Chapter 11 Wireless LANs

WLAN standards organizations and their roles

Organizations that set or influence WLAN standards

Organization                              Standardisation role
ITU-R                                     Worldwide standardisation of communications that use radiated energy, particularly managing the assignment of frequencies
IEEE                                      Standardisation of wireless LANs (802.11)
Wi-Fi Alliance                            An industry consortium that encourages interoperability of products that implement WLAN standards through its Wi-Fi Certified program
Federal Communications Commission (FCC)   The US government agency that regulates the use of the various communication frequencies in the US

WLAN standards comparison between 802.11a, 802.11b and 802.11g

Feature                                   802.11a     802.11b         802.11g
Year ratified                             1999        1999            2003
Maximum speed using DSSS                  -           11 Mbps         11 Mbps
(Direct Sequence Spread Spectrum)
Maximum speed using OFDM                  54 Mbps     -               54 Mbps
Frequency band                            5 GHz       2.4 GHz         2.4 GHz
Channels (non-overlapping in brackets)    23 (12)     11 (3)          11 (3)
Speeds required by the standard (Mbps)    6, 12, 24   1, 2, 5.5, 11   6, 12, 24

Modes of 802.11 wireless LANs: WLAN modes, their formal names and descriptions

Mode                                Service set name                       Description
Ad hoc                              Independent Basic Service Set (IBSS)   Allows two devices to communicate directly; no Access Point (AP) is required
Infrastructure (one AP)             Basic Service Set (BSS)                A single wireless LAN created with an AP and all devices associated with that AP
Infrastructure (more than one AP)   Extended Service Set (ESS)             Multiple APs create one wireless LAN, allowing roaming and a larger coverage area


Unlicensed bands, their general names, and the devices/standards that use each band

FCC unlicensed frequency bands of interest

Frequency range   Name                                                     Sample devices
900 MHz           Industrial, Scientific, and Medical (ISM)                Older cordless telephones
2.4 GHz           ISM                                                      Newer cordless phones, microwave ovens, 802.11, 802.11b and 802.11g WLAN standards
5 GHz             Unlicensed National Information Infrastructure (U-NII)   Newer cordless phones, 802.11a and 802.11n WLANs

Licensed bands are used for FM/AM radio, shortwave radio for police communications, and mobile phones.

Direct Sequence Spread Spectrum (DSSS) has a bandwidth of 82 MHz, with a range from 2.402 GHz to 2.483 GHz. As regulated by the FCC, this band can have 11 overlapping DSSS channels. Although many of the channels shown in the figure overlap, three of them (at the far left, the centre and the far right) do not overlap enough to impact each other. These channels (1, 6 and 11) can be used in the same space for WLAN communication without interfering with each other.

Eleven Overlapping DSSS Channels at 2.4 GHz

(Figure: RF channels 1 through 11 drawn across the 2.4 GHz frequency spectrum, each overlapping its neighbours.)

Using non-overlapping DSSS 2.4 GHz channels in an ESS WLAN

(Figure: AP1 on channel 1, AP2 on channel 6 and AP3 on channel 11, with PC1 and PC2 inside the overlapping coverage areas.)

DSSS frequencies showing three non-overlapping channels.

    In this design, devices in one BSS can send at the same time as the other two BSSs without interfering, because each uses the slightly different frequencies of the non-overlapping channels. PC1 and PC2 could sit next to each other and communicate with two different APs, using two different channels, at the same time. This design is typical of 802.11b WLANs, with each cell running at 11 Mbps. With non-overlapping channels, each half-duplex BSS can run at 11 Mbps, for a cumulative bandwidth of 33 Mbps. This cumulative bandwidth is called the WLAN capacity.
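The non-overlapping channel rule above, and the channel-plan check that the installation checklist later asks for, worked as an added Python example (this code is not from the notes or from Cisco). It assumes the standard 802.11b channel layout, which the notes do not state: channel 1 centred at 2.412 GHz, 5 MHz between channel centres, and a DSSS channel about 22 MHz wide.

```python
# Added example, not from the original notes: checks a 2.4 GHz DSSS channel
# plan for overlapping cells and computes the WLAN capacity the notes describe.
# Assumed from the 802.11b standard (the notes do not state these): channel 1
# is centred at 2.412 GHz, centres are 5 MHz apart, one channel is ~22 MHz wide.
from itertools import combinations

CHANNEL1_CENTER_MHZ = 2412   # assumed centre of channel 1
CHANNEL_SPACING_MHZ = 5      # assumed centre-to-centre spacing
CHANNEL_WIDTH_MHZ = 22       # assumed width of one DSSS channel
CELL_RATE_MBPS = 11          # 802.11b per-cell rate used in the notes


def channel_center_mhz(channel: int) -> int:
    """Centre frequency of FCC channel 1..11 (2412 MHz for 1, 2462 for 11)."""
    if not 1 <= channel <= 11:
        raise ValueError(f"channel {channel} is outside the FCC range 1-11")
    return CHANNEL1_CENTER_MHZ + (channel - 1) * CHANNEL_SPACING_MHZ


def channels_overlap(a: int, b: int) -> bool:
    """True when the two channels' bands overlap enough to interfere: centres
    closer than one channel width.  Channels 1, 6 and 11 are 25 MHz apart."""
    return abs(channel_center_mhz(a) - channel_center_mhz(b)) < CHANNEL_WIDTH_MHZ


def max_non_overlapping_channels() -> list:
    """Greedy scan from channel 1, keeping each channel that clears the last kept."""
    kept = []
    for ch in range(1, 12):
        if not kept or not channels_overlap(kept[-1], ch):
            kept.append(ch)
    return kept


def overlapping_ap_pairs(plan: dict) -> list:
    """AP pairs in a {name: channel} plan whose channels overlap: the 'channel
    configuration' check from the WLAN installation checklist."""
    return [(x, y) for x, y in combinations(sorted(plan), 2)
            if channels_overlap(plan[x], plan[y])]


def wlan_capacity_mbps(plan: dict) -> int:
    """Cumulative capacity: each non-overlapping half-duplex BSS adds a full cell."""
    if overlapping_ap_pairs(plan):
        raise ValueError("cells overlap, so they share air time instead of adding")
    return CELL_RATE_MBPS * len(plan)


if __name__ == "__main__":
    design = {"AP1": 1, "AP2": 6, "AP3": 11}       # the ESS design in the figure
    print(max_non_overlapping_channels(), wlan_capacity_mbps(design))  # [1, 6, 11] 33
    print(overlapping_ap_pairs({"AP1": 1, "AP2": 3}))  # constructed: [('AP1', 'AP2')]
```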

    Name of encoding class | What it is used by
    Frequency Hopping Spread Spectrum (FHSS) | 802.11
    Direct Sequence Spread Spectrum (DSSS) | 802.11b
    Orthogonal Frequency Division Multiplexing (OFDM) | 802.11a, 802.11g

    The emerging 802.11n uses OFDM as well as MIMO (Multiple Input Multiple Output).

    Wireless Interference

    Walls, floors, ceilings and anything containing a lot of metal can weaken and scatter radio signals and create dead spots.

    One key measurement of interference is the Signal-to-Noise Ratio (SNR). This calculation compares the WLAN signal with the other, undesired signals (noise) in the same space. The higher the SNR, the better the WLAN can send data successfully.

    Coverage Area, Speed and Capacity

    The power of an AP is measured using the Effective Isotropic Radiated Power (EIRP) calculation: the power of the signal as it leaves the antenna.

    Figure: Coverage area and speed. AP1 sits at the centre of concentric coverage rings rated at 11 Mbps, 5.5 Mbps, 2 Mbps and 1 Mbps, the rate dropping as the distance from the AP grows.

    WLAN speed and frequency reference

    IEEE Standard | Maximum Speed (Mbps) | Other Speeds (Mbps) | Frequency | Non-overlapping Channels
    802.11b | 11 Mbps | 1, 2, 5.5 | 2.4 GHz | 3
    802.11a | 54 Mbps | 6, 9, 12, 18, 24, 36, 48 | 5 GHz | 12
    802.11g | 54 Mbps | 6, 9, 12, 18, 24, 36, 48 | 2.4 GHz | 3

    Media Access (Layer 2)

    The solution to the media access problem in a WLAN is to use the carrier sense multiple access with collision avoidance (CSMA/CA) algorithm.

    CSMA/CA algorithm

    Step 1. Listen to ensure that the medium (the air space) is not busy, that is, no radio waves are currently being received at the frequencies to be used.

    Step 2. Set a random timer before sending the frame, to statistically reduce the chance of all devices trying to send at the same time.

    Step 3. When the random timer has expired, listen again to ensure that the medium is not busy; if it is not busy, send the frame.

    Step 4. After the entire frame has been sent, wait for an acknowledgement.

    Step 5. If no acknowledgement is received, resend the frame using the CSMA/CA logic to wait for the appropriate time to send again.
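The five steps above as a small discrete-time model, added here as an example rather than taken from the notes. The other stations' transmissions, the backoff values and the lost acknowledgements are all constructed inputs; the hidden-station rule (a station that starts sending mid-frame could not be heard at step 3 and costs the ACK) is a modelling assumption of this example.

```python
# Added example, not from the original notes: a discrete-time model of the
# five CSMA/CA steps above.  Other stations' transmissions, the backoff values
# and which ACKs get lost are constructed inputs, so a run is repeatable.
import random

FRAME_SLOTS = 4     # constructed: time slots one frame occupies the air
MAX_BACKOFF = 7     # constructed: the random timer waits 0..7 idle slots


class Medium:
    """Shared air space; `other_starts` are slots at which other (constructed)
    stations begin a FRAME_SLOTS-long transmission."""
    def __init__(self, other_starts=()):
        self.other_starts = set(other_starts)

    def busy_until(self, now):
        """Slot at which the air next goes idle; equals `now` if idle already."""
        for start in self.other_starts:
            if start <= now < start + FRAME_SLOTS:
                return start + FRAME_SLOTS
        return now


def send_frame(medium, timer=lambda: random.randint(0, MAX_BACKOFF),
               lost_acks=frozenset(), now=0, max_sends=4):
    """Run steps 1-5 for one frame.  `timer` yields the step-2 backoff (random
    by default, injected for tests); `lost_acks` holds send numbers whose ACK
    is lost; a hidden station starting mid-frame also costs the ACK.
    Returns (delivered, sends, finish_slot, trace)."""
    trace, sends = [], 0
    while sends < max_sends:
        while medium.busy_until(now) != now:        # step 1: listen until idle
            now = medium.busy_until(now)
        backoff = timer()                            # step 2: random timer
        trace.append(f"t={now}: idle, backoff {backoff}")
        now += backoff
        if medium.busy_until(now) != now:            # step 3: listen again
            trace.append(f"t={now}: busy after backoff, back to step 1")
            continue
        sends += 1
        hidden = any(now < s < now + FRAME_SLOTS for s in medium.other_starts)
        now += FRAME_SLOTS                           # step 3: send whole frame
        if hidden or sends in lost_acks:             # step 4: wait for the ACK
            trace.append(f"t={now}: no ACK for send {sends}, resend")
            continue                                 # step 5: back to step 1
        trace.append(f"t={now}: ACK received after {sends} send(s)")
        return True, sends, now, trace
    return False, sends, now, trace
```

Calling send_frame(Medium({2, 9}), iter([1, 3, 0, 2]).__next__, lost_acks={2}) walks through a hidden-station collision on the first send, a busy medium found after the second backoff, a lost ACK on the second send, and delivery on the third send at slot 23.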

    WLAN Implementation Checklist

    Step 1. Verify that the existing wired network works, including DHCP services, VLANs and Internet connectivity.

    Do this by checking the switch port access VLANs, and by connecting a laptop to the switch port and verifying that it acquires an IP address, mask and default gateway and can communicate with other hosts in the network.

    Step 2. Install and configure the AP, and verify its connectivity to the wired network, including its IP address, mask and default gateway.

    The AP connects to the switch port using a straight-through Ethernet cable.

    Step 3. Configure and verify the AP's wireless settings, including the Service Set Identifier (SSID), but with no security yet.

    WLAN configuration features:

    IEEE standard (a, b, g or multiple)

    Wireless channels

    Service Set Identifier (SSID, a 32-character text identifier for the WLAN)

    Transmit power

    APs within the same ESS WLAN should be configured with the same SSID.

    Step 4. Install and configure one wireless client (laptop), again with no security.


    The WLAN NIC in a WLAN client such as a laptop can automatically detect a WLAN AP, learn its SSID and connect to the AP with the strongest signal.

    Cisco Compatible Extensions Programme (CCX) : Tests and verifies that a manufacturer's WLAN NIC works well with a Cisco AP.

    Microsoft Zero Configuration Utility (ZCF) : An OS utility that allows PCs to automatically discover the SSIDs of all WLANs whose APs are within range of the NIC.

    Step 5. Verify that the WLAN works from the client laptop.

    Common WLAN installation problems and the related work done in the site survey:

    Is the AP at the centre of the area where the clients reside?

    Is the AP or client right next to a lot of metal?

    Is the AP or client next to a lot of interference, such as a microwave oven or a gaming system?

    Is the AP coverage wide enough to reach the clients?

    Other common problems:

    Check that the AP and client radios are enabled (radio switches turned on).

    Check that the AP has the latest firmware.

    Check the AP configuration, especially the channel configuration, to ensure that it does not use channels that overlap with those of other APs in the same location.

    Step 6. Configure WLAN security on the AP and client.

    Step 7. Verify that the WLAN still works in the presence of the security features.

    WLAN Security Issues

    WLAN vulnerabilities and solutions

    Vulnerability | Solution
    War drivers (attackers who drive around looking for an AP with weak or no security) | Strong authentication
    Hackers stealing information in a WLAN | Strong encryption
    Hackers gaining access to the rest of the network | Strong authentication
    Employee AP installation | Intrusion Detection System (IDS), including Cisco Structured Wireless-Aware Network (SWAN)
    Rogue AP (attacks where a rogue AP is set up after learning the SSID of an existing WLAN, to get the enterprise's clients to use it) | Strong authentication, IDS, SWAN

    WLAN Security Standards

    Name | Year | Who defined it
    Wired Equivalent Privacy (WEP) | 1997 | IEEE
    The interim Cisco solution while waiting for 802.11i | 2001 | Cisco, IEEE 802.1x Extensible Authentication Protocol (EAP)
    Wi-Fi Protected Access (WPA) | 2003 | Wi-Fi Alliance
    802.11i (WPA2) | 2005+ | IEEE

    Vendor-introduced additional security features: SSID cloaking and MAC filtering

    SSID Cloaking : The AP sends out beacons containing the SSID only in response to a probe request from a WLAN client.

    MAC Filtering : The AP is configured with the allowed WLAN MAC addresses.

    Cisco interim solution between WEP and 802.11i:

    Dynamic key exchange (instead of a static preshared key)

    User authentication using 802.1x

    A new encryption key for each packet

    Wi-Fi Protected Access (WPA)

    WPA includes the option to use dynamic key exchange, using the Temporal Key Integrity Protocol (TKIP). WPA allows for the use of either IEEE 802.1x user authentication or simple device authentication using preshared keys. The encryption algorithm uses the Message Integrity Check (MIC) algorithm, similar to the process used in the Cisco proprietary solution.


    IEEE 802.11i (WPA2) includes dynamic key exchange, much stronger encryption, and user authentication. 802.11i uses the Advanced Encryption Standard (AES).

    Standard | Key Distribution | Device Authentication | User Authentication | Encryption
    WEP | Static | Yes (weak) | None | Yes (weak)
    Cisco | Dynamic | Yes | Yes (802.1x) | Yes (TKIP)
    WPA | Both | Yes | Yes (802.1x) | Yes (TKIP)
    802.11i (WPA2) | Both | Yes | Yes (802.1x) | Yes (AES)

    Definitions

    802.11a : IEEE standard for wireless LANs using the U-NII (Unlicensed National Information Infrastructure) 5 GHz spectrum and OFDM encoding, at speeds of up to 54 Mbps.

    802.11b : IEEE standard for wireless LANs using the ISM (2.4 GHz) spectrum and DSSS encoding, at speeds of up to 11 Mbps.

    802.11g : IEEE standard for wireless LANs using the ISM (2.4 GHz) spectrum and OFDM or DSSS encoding, at speeds of up to 54 Mbps.

    802.11i : IEEE standard for wireless LAN security, including authentication and encryption.

    Access Point : A wireless LAN device that provides a means by which wireless clients can send data to each other and to the rest of the wired LAN, the Access Point connecting the wireless and wired Ethernet LANs.

    Ad-hoc Mode : In a wireless LAN, a method or mode of operation in which the clients send data directly to each other without using an Access Point.

    Basic Service Set (BSS) : A wireless LAN with a single Access Point (AP).

    CSMA/CA : Carrier Sense Multiple Access with Collision Avoidance, a media access mechanism that defines how devices decide when to send, with the goal of avoiding collisions as much as possible. IEEE WLANs use CSMA/CA.


    Direct Sequence Spread Spectrum (DSSS) : A method of encoding data for transmission over a WLAN in which devices use 1 of 11 nearby frequencies in the 2.4 GHz range.

    Extended Service Set (ESS) : A wireless LAN with multiple access points, creating one WLAN and allowing roaming between APs.

    Frequency Hopping Spread Spectrum (FHSS) : A method of encoding data in a WLAN in which each consecutive transmission occurs on a different nearby frequency band from the prior transmission. Not used in modern WLAN standards.

    Infrastructure Mode : A mode of WLAN operation in which WLAN clients send and receive data through APs, which also allows the clients to connect to the wired LAN infrastructure. In infrastructure mode, WLAN clients do not send to each other directly.

    Orthogonal Frequency Division Multiplexing (OFDM) : A method of encoding data in a WLAN that allows higher data transmission rates than the FHSS and DSSS encoding methods.

    Service Set Identifier (SSID) : A text value used in a WLAN to uniquely identify a single WLAN (a 32-character text identifier).

    Wi-Fi Alliance : An organization formed by many companies in the wireless industry for the purpose of getting multi-vendor certified wireless products to market in a more timely fashion.

    Wi-Fi Protected Access (WPA) : A trademark name of the Wi-Fi Alliance that represents a set of security specifications that predated the IEEE 802.11i security standard.

    Wired Equivalent Privacy (WEP) : An early WLAN security specification that used relatively weak security mechanisms, using only preshared keys and either no encryption or weak encryption.

    WLAN Client : A wireless device that wants to gain access to a wireless access point for the purpose of communicating with other wireless devices or with devices connected to the wired LAN.

    WPA2 : The Wi-Fi Alliance's trademark name for the same set of security standards as the IEEE 802.11i.

    Please go to the "Do I Know This Already?" quiz for Chapter 11, page 300.
