SEMESTER 3
SWITCHING BASIC AND INTERMEDIATE ROUTING
Chapter 1
LAN Design - Hierarchical Network
1. Core Layer : backbone, the path to the internet / the rest of the campus
- Layer 3 Support (packet)
- Very High Forwarding Rate
- Gigabit Ethernet / 10 Gigabit Ethernet
- Redundant Components
- Link Aggregation
- Quality of Service (QoS)
2. Distribution Layer : aggregates the access layer switches and applies policy
- Layer 3 Support (packet)
- High Forwarding Rate
- Gigabit Ethernet / 10 Gigabit Ethernet
- Redundant Components
- Security Policies / Access Control Lists (for filtering traffic)
- Link Aggregation (EtherChannel)
- Quality of Service (QoS)
- VLAN integration (routing between VLANs)
3. Access Layer : connects end devices (PCs, printers, IP phones, access points)
- Port Security
- VLANs (layer 2 network division)
- Fast Ethernet / Gigabit Ethernet
- Power over Ethernet
- Link Aggregation
- Quality of Service (QoS)
Advantages of using a Hierarchical Design :
- Scalability : easy to add users and switches at the access layer without redesigning the core
- Redundancy : multiple links between the layers, so one failed link or switch does not cut off the network
- Performance : link aggregation (2 or more physical links bundled into one logical link) multiplies the available bandwidth
- Security : an unmanaged switch has no security features, but a managed switch can be configured with security mechanisms (port security at the access layer, ACLs at the distribution layer)
- Manageability
- Maintainability
Principles for Designing a Network :
- Network Diameter : the number of switches a frame must cross between two end devices should not exceed 7, because every hop adds delay / latency
- Bandwidth Aggregation : bundle more than one physical port into one logical port to increase throughput (EtherChannel)
- Redundant Links : backup paths
Types of Cisco Switch :
- Fixed configuration switch : fixed number and type of ports, ports cannot be added or changed
- Modular switch : line cards can be added or removed, so the port count and port types can change
- Stackable switch : several switches are stacked and operate as one logical switch over the backplane (StackWise) cable
Switch Features :
- Port Density : the number of ports (24, 48, or over 1000 ports in a modular chassis)
- Forwarding rate : how much data the switch can forward per second (its switching capacity)
- Link Aggregation : to prevent a bottleneck on the uplinks
- PoE (Power over Ethernet) : the switch powers the connected device (IP phone, access point) over the data cable, so no separate power cable is needed; PoE switches are more expensive
- Layer 3 (Multilayer) switching
- a finance network has many real-time transactions, so reduce the network diameter to lower latency (count the hops in the logical topology, not the physical cabling)
Chapter 2
Basic Switch Concept and Configuration
- Autonegotiation : duplex negotiation between a switch port and its neighbor
switch(config-if)#duplex [full | half | auto]
when switch 1 uses half duplex and switch 2 uses full duplex (duplex mismatch), the half-duplex side (switch 1) reports collisions and late collisions while the full-duplex side reports FCS and runt errors; the link stays up but throughput collapses
Switch Forwarding Methods :
- Store and forward : buffers the whole frame and checks the FCS (CRC) before forwarding, so corrupted frames are dropped; required for QoS, which needs the complete frame to classify it
- Cut Through : starts forwarding before the whole frame has arrived, so frames with a bad FCS are forwarded
- Fragment Free : reads the first 64 bytes before forwarding, which filters out collision fragments (runts) but not full-size frames with a corrupted FCS
- Fast Forward : forwards as soon as the first 6 bytes (destination MAC) have been read; lowest latency, no error checking at all
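The difference between the three forwarding methods is easiest to see on real bytes. The following is an added example, not part of the original notes: it builds constructed Ethernet frames with a CRC-32 FCS and shows which of the three methods would put each frame on the wire. The function names and the sample frames are this example's own.

```python
import zlib

MIN_FRAME = 64   # minimum Ethernet frame size in bytes, FCS included


def mac(dotted: str) -> bytes:
    """'0000.0c00.0001' -> 6 raw bytes."""
    return bytes.fromhex(dotted.replace(".", "").replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Destination MAC, source MAC, EtherType, payload, then the CRC-32 FCS.
    Ethernet transmits the FCS least-significant byte first, which is what
    zlib.crc32 plus little-endian packing produces."""
    body = mac(dst) + mac(src) + ethertype.to_bytes(2, "big") + payload
    return body + zlib.crc32(body).to_bytes(4, "little")


def fcs_ok(frame: bytes) -> bool:
    """Recompute the CRC over everything but the trailing 4 bytes and compare."""
    if len(frame) < 14 + 4:
        return False
    return zlib.crc32(frame[:-4]) == int.from_bytes(frame[-4:], "little")


def store_and_forward(frame: bytes) -> bool:
    """Buffer the whole frame and verify the FCS before making a forwarding decision."""
    return len(frame) >= MIN_FRAME and fcs_ok(frame)


def fragment_free(frame: bytes) -> bool:
    """Cut-through after the first 64 bytes: runts (collision fragments) are dropped,
    but a full-size frame with a corrupted payload or FCS is still forwarded."""
    return len(frame) >= MIN_FRAME


def fast_forward(frame: bytes) -> bool:
    """Cut-through as soon as the 6-byte destination MAC is in: no check at all."""
    return len(frame) >= 6


def flip_byte(frame: bytes, offset: int) -> bytes:
    """Simulate a bit error on the wire by inverting one byte."""
    damaged = bytearray(frame)
    damaged[offset] ^= 0xFF
    return bytes(damaged)


def decisions(frame: bytes) -> dict:
    """Which forwarding methods would put this frame on the wire."""
    return {
        "store-and-forward": store_and_forward(frame),
        "fragment-free": fragment_free(frame),
        "fast-forward": fast_forward(frame),
    }


# Constructed sample frames (not captured traffic): a minimal 64-byte broadcast,
# the same frame with one corrupted payload byte, and a 40-byte collision fragment.
GOOD_FRAME = build_frame("ffff.ffff.ffff", "0000.0c00.0001", 0x0800, b"\x00" * 46)
BAD_FCS_FRAME = flip_byte(GOOD_FRAME, 20)
RUNT_FRAME = GOOD_FRAME[:40]

if __name__ == "__main__":
    for name, frame in [("good", GOOD_FRAME), ("bad FCS", BAD_FCS_FRAME), ("runt", RUNT_FRAME)]:
        print(f"{name:8s} {len(frame):3d} bytes -> {decisions(frame)}")
```

Only store-and-forward refuses the corrupted frame; fragment-free catches the runt but passes the full-size corrupted frame on, and fast-forward passes both. That is the trade-off the notes describe: cut-through buys latency at the price of forwarding damaged frames downstream.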
Memory Buffering on a switch :
- Port-based memory buffering : each interface has its own buffer; a frame waiting for a busy output port holds up the frames queued behind it even when their output ports are idle
- Shared memory buffering : one buffer pool is shared by all interfaces and allocated dynamically to the ports that need it
command history :
Switch#show history (shows the commands entered in this session, default 10)
Switch#terminal history size 50 (keep the last 50 commands)
Switch#terminal no history size (reset to the default size)
Switch#terminal no history (disable command history)
Switch Boot Sequence :
1. Load the boot loader from ROM; the boot loader :
- performs low-level CPU initialization
- performs POST (power-on self test)
- initializes the flash file system
- loads the IOS image from flash into memory
2. IOS loads the configuration file (config.text, stored in flash) into the running configuration
Switch Password Recovery :
- connect the PC to the switch via the console port
- open terminal software
- power the switch off and on, press and hold the "mode" button until the LEDs stop blinking green / orange (the switch enters the boot loader prompt)
- type "flash_init"
- type "load_helper"
- type "dir flash:" and the files in flash will be listed
- type "rename flash:config.text flash:config.text.old"
- type "boot"
- the switch boots normally with an empty configuration
- enter privileged mode
- type "rename flash:config.text.old flash:config.text"
- type "copy flash:config.text system:running-config"
- enter global configuration mode and change the password
- type "copy running-config startup-config"
note : anyone with physical access to the console port can do this, so password recovery is only as strong as the physical security of the switch; it can be disabled with "no service password-recovery", at the cost of losing the whole configuration if recovery is ever needed
SSH settings :
Switch(config)#hostname [name]
Switch(config)#ip domain-name [name] ex : mydomain.com
Switch(config)#username [username] secret [password]
Switch(config)#crypto key generate rsa (hostname and domain name must already be set; choose a modulus of at least 2048 bits when prompted)
Switch(config)#ip ssh version 2
Switch(config)#line vty 0 4
Switch(config-line)#transport input ssh (only SSH permitted, telnet is refused)
Switch(config-line)#login local (authenticate with the local username and password configured above)
Common security attacks :
- MAC address flooding : the attacker floods the switch with frames from random source MACs until the MAC table is full; the switch then floods unknown unicast out every port like a hub (downgrade) and all frames can be captured with a sniffer. Prevent it with port security.
- DHCP Spoofing : a rogue DHCP server answers clients with a wrong default gateway / DNS so traffic passes through the attacker. Prevent it with DHCP snooping: ports are marked "trusted" (may send server messages such as OFFER and ACK, e.g. the uplink toward the real DHCP server) or "untrusted" (may only send client messages such as DISCOVER and REQUEST; server messages arriving there are dropped)
- CDP Attack : CDP is sent in clear text and reveals platform, IOS version and IP address to anyone sniffing the link; prevent it with "no cdp run" globally (or "no cdp enable" on the untrusted interfaces only)
- Telnet Attack : telnet sends credentials in clear text; attacks include brute force (guessing the password) and DoS (flooding the vty lines with connection attempts so administrators cannot log in)
so, to mitigate these attacks: change passwords regularly, use SSH instead of telnet, and keep IOS updated
Port Security : a switch feature that limits which source MAC addresses may use a port
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum [1-132] (the upper limit depends on the platform)
Switch(config-if)#switchport port-security mac-address [H.H.H | sticky]
Switch(config-if)#switchport port-security violation [protect | restrict | shutdown]
note :
- Maximum : the number of MAC addresses allowed on the port
- Mac address : how the switch learns the MAC addresses allowed on the port
- static : MAC address entered manually and saved in the running-config
- dynamic : learned automatically from the first frames seen; when the interface goes down or the switch reloads, the learned addresses are lost
- sticky : learned automatically like dynamic, but the learned addresses are written into the running-config, so they survive the interface going down (save to startup-config so they also survive a reload)
- Violation : what happens when a frame arrives from a MAC address that is not allowed while the table is full. types of violation :
- protect : the frame is DROPPED silently, no log message and no counter
- restrict : like protect, but a syslog / SNMP notification is sent and the violation counter is incremented; check with switch#show port-security interface [interface slot/port]
- shutdown : the interface goes to err-disabled state (LED off); to recover, type shutdown and then no shutdown on the interface
by default, port security is disabled; once enabled the default parameters are :
maximum : 1
mac-address : dynamic
violation : shutdown
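To make the three violation modes and the sticky / dynamic difference concrete, here is an added example (not from the original notes and not IOS code): a small Python model of one port-security-enabled access port, driven by a constructed burst of random source MACs of the kind a MAC-flooding tool sends. The class, the method names and the syslog message texts are this example's own approximation of the behaviour listed above.

```python
import random


class PortSecurity:
    """Model of 'switchport port-security' on one access port (example, not IOS code)."""

    def __init__(self, maximum: int = 1, violation: str = "shutdown", sticky: bool = False):
        if violation not in ("protect", "restrict", "shutdown"):
            raise ValueError(f"unknown violation mode {violation!r}")
        self.maximum = maximum              # switchport port-security maximum N
        self.violation = violation          # switchport port-security violation MODE
        self.sticky = sticky                # switchport port-security mac-address sticky
        self.secure_macs: list[str] = []    # addresses currently allowed, in learning order
        self.static_macs: set[str] = set()  # entered with 'mac-address H.H.H'
        self.violation_count = 0            # 'Security Violation Count' in show port-security
        self.err_disabled = False
        self.syslog: list[str] = []         # syslog-style messages (format approximated)

    def add_static(self, mac: str) -> None:
        """Operator-configured address; it counts toward the maximum."""
        if len(self.secure_macs) >= self.maximum:
            raise ValueError("maximum secure addresses already reached")
        self.static_macs.add(mac)
        self.secure_macs.append(mac)

    def ingress(self, src_mac: str) -> str:
        """Process one frame's source MAC; return 'forward' or 'drop'."""
        if self.err_disabled:
            return "drop"                                # nothing passes an err-disabled port
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)             # dynamic / sticky learning
            return "forward"
        # Unknown source MAC while the secure table is full: a violation.
        if self.violation == "protect":
            return "drop"                                # silent, no counter
        self.violation_count += 1
        if self.violation == "restrict":
            self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: unknown source {src_mac}")
            return "drop"
        self.err_disabled = True                         # shutdown mode
        self.syslog.append("%PM-4-ERR_DISABLE: psecure-violation error detected")
        return "drop"

    def saved_macs(self) -> list[str]:
        """Addresses present in the running-config: static always, all of them if sticky."""
        if self.sticky:
            return list(self.secure_macs)
        return [m for m in self.secure_macs if m in self.static_macs]

    def link_down(self) -> None:
        """Interface goes down: dynamically learned addresses are forgotten."""
        self.secure_macs = self.saved_macs()

    def recover(self) -> None:
        """'shutdown' followed by 'no shutdown' clears err-disabled."""
        self.err_disabled = False
        self.link_down()


def random_mac(rng: random.Random) -> str:
    """Random unicast MAC in Cisco dotted format (constructed, like a flooding tool would send)."""
    first = rng.randrange(1 << 16) & 0xFEFF                # clear the multicast bit
    return f"{first:04x}.{rng.randrange(1 << 16):04x}.{rng.randrange(1 << 16):04x}"


def mac_flood(port: PortSecurity, frames: int, seed: int = 1) -> tuple[int, int]:
    """Send `frames` frames with random source MACs at the port; return (forwarded, dropped)."""
    rng = random.Random(seed)
    forwarded = dropped = 0
    for _ in range(frames):
        if port.ingress(random_mac(rng)) == "forward":
            forwarded += 1
        else:
            dropped += 1
    return forwarded, dropped


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        port = PortSecurity(maximum=1, violation=mode)
        port.ingress("0000.0c00.0001")        # the legitimate host is learned first
        print(mode, mac_flood(port, 1000), "violations:", port.violation_count,
              "err-disabled:", port.err_disabled)
```

Note what shutdown mode costs: after the first bad frame even the legitimate host is cut off until an operator recovers the port, which is exactly why restrict (drop, count, log, stay up) is often preferred on user ports, while protect leaves no trace of the attack at all.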
Chapter 3
VLAN (Virtual LAN) : technology that divides a layer 2 network into separate broadcast domains. The switch tags each frame with a VLAN ID (label) so that traffic from different VLANs can be told apart.
Advantages using VLAN :
- Security : a sniffer on one VLAN only sees that VLAN's traffic
- Cost Reduction : fewer routers are needed to divide broadcast domains
- Higher Performance : smaller broadcast domains mean less unnecessary traffic per host
- Broadcast Storm Mitigation : a broadcast is only delivered to the ports of the VLAN it originated in
- Improved IT staff efficiency
- Simpler project or application management
VLAN Ranges :
- Normal Range : 1-1005
- stored in flash, in the file vlan.dat
- 1002-1005 are reserved for Token Ring and FDDI
- VLAN 1 (default) and 1002-1005 are created automatically and cannot be removed
- Extended Range : 1006-4094
- stored in the running-config
- fewer features than the normal range (for example, not advertised by VTP versions 1 and 2)
VLAN Types :
- Data VLAN : carries user traffic
- Default VLAN : by default every port is in VLAN 1 / one network, so all connected devices can communicate with each other out of the box
- Native VLAN : untagged frames arriving on a trunk are assigned the native VLAN ID configured on that trunk. It exists for legacy devices that put untagged frames onto a trunk (for example a hub / unmanaged switch on the link). Default Native VLAN : 1; in practice change it to an unused VLAN so untagged traffic and user data do not mix
- Management VLAN : the VLAN used to reach the switch for configuration (SSH, SNMP); by default VLAN 1 is the management VLAN, which is one more reason not to carry user data on VLAN 1
- Voice VLAN : carries voice traffic from IP phones
VLAN port modes are divided into 2 :
- Access : the port carries 1 VLAN only, usually used to connect an end device
- Trunk : the port carries several VLANs, usually used to connect to another switch or a router
Additional (negotiated) port modes :
- Dynamic Auto (default on many platforms) : passive, becomes a trunk only if the neighbor actively negotiates one, otherwise stays access
- Dynamic Desirable : active, tries to negotiate a trunk with the neighbor
Trunk link encapsulations are divided into 2 :
- ISL (Inter Switch Link) : Cisco proprietary, encapsulates the whole frame, has no native VLAN concept
- 802.1Q : open standard, inserts a tag into the frame, supports a native VLAN
How a switch labels (tags) a frame :
- 802.1Q inserts a 4-byte tag between the source MAC and the EtherType: TPID 0x8100 (2 bytes) followed by the TCI (2 bytes: 3-bit priority, 1-bit DEI, 12-bit VLAN ID); the FCS is recalculated, and the tag is removed again before the frame leaves an access port
Native VLAN mechanism :
- untagged frames received on a trunk are placed in the native VLAN; frames sent out of the trunk in the native VLAN leave untagged
- if a tagged frame whose VLAN ID equals the native VLAN (e.g. VLAN ID = 99 on a trunk whose native VLAN is 99) arrives on the trunk, that frame is DROPPED
- the native VLAN must be the same on both ends of every trunk (if not, CDP reports a "Native VLAN mismatch" syslog message and traffic leaks between the two VLANs)
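The tag layout and the native-VLAN rules above, as an added example that is not part of the original notes: a small Python tagger / parser that inserts and strips the 802.1Q tag and applies the trunk ingress and egress rules (untagged goes to the native VLAN, a tag equal to the native VLAN ID is dropped, native-VLAN frames leave untagged). The frames are constructed inline and the function names are this example's own.

```python
import struct

TPID_8021Q = 0x8100
ETH_HDR = struct.Struct("!6s6sH")         # destination MAC, source MAC, EtherType


def mac(dotted: str) -> bytes:
    return bytes.fromhex(dotted.replace(".", "").replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet frame (FCS omitted: hardware recalculates it after tagging anyway)."""
    return ETH_HDR.pack(mac(dst), mac(src), ethertype) + payload


def tag(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag after the source MAC: TPID 0x8100, then the TCI
    (3-bit priority, 1-bit drop eligible, 12-bit VLAN ID). The original EtherType follows the tag."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094 (0 and 4095 are reserved)")
    tci = (pcp << 13) | (dei << 12) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag(frame: bytes):
    """Return (vid, frame_without_tag); vid is None when the frame carries no 802.1Q tag."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None, frame
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF, frame[:12] + frame[16:]


def trunk_ingress(frame: bytes, native_vlan: int):
    """Classify a frame received on an 802.1Q trunk.
    Returns (vid, untagged_frame), or None when the switch drops the frame."""
    vid, inner = untag(frame)
    if vid is None:
        return native_vlan, inner          # untagged -> belongs to the native VLAN
    if vid == native_vlan:
        return None                        # tagged with the native VLAN ID -> dropped
    return vid, inner


def trunk_egress(vid: int, frame: bytes, native_vlan: int) -> bytes:
    """Send a frame out of a trunk: the native VLAN leaves untagged, every other VLAN is tagged."""
    return frame if vid == native_vlan else tag(frame, vid)


# Constructed sample: an ARP broadcast from a host; the trunk's native VLAN is 99.
NATIVE = 99
ARP_FRAME = build_frame("ffff.ffff.ffff", "0000.0c00.0001", 0x0806,
                        b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20)

if __name__ == "__main__":
    tagged = tag(ARP_FRAME, 10)
    print("tagged frame is longer by:", len(tagged) - len(ARP_FRAME), "bytes")
    print("tag bytes:", tagged[12:16].hex())
    print("VLAN 10 tag on ingress ->", trunk_ingress(tagged, NATIVE)[0])
    print("native VID tag on ingress ->", trunk_ingress(tag(ARP_FRAME, NATIVE), NATIVE))
    print("untagged on ingress ->", trunk_ingress(ARP_FRAME, NATIVE)[0])
```

Because the native VLAN is the one VLAN that crosses the trunk without a tag, anything that arrives untagged is silently placed in it; keeping the native VLAN on an unused VLAN ID rather than VLAN 1 means an untagged frame from a stray device lands in an empty VLAN instead of the management or user VLAN.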
Native VLAN Settings :
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk native vlan [vlan id]
DTP (Dynamic Trunking Protocol) : protocol used to negotiate whether a link becomes access or trunk. DTP is Cisco proprietary, default : ON
Dynamic Auto & Dynamic Auto : Access
Dynamic Auto & Dynamic Desirable : Trunk
Dynamic Desirable & Dynamic Desirable : Trunk
Access & Dynamic Auto / Desirable : Access
Trunk & Dynamic Auto / Desirable : Trunk
Disable Dynamic Trunking Protocol (DTP) on a port (recommended on every port facing an end device, so a connected attacker cannot negotiate a trunk and reach all VLANs) :
Switch(config-if)#switchport nonegotiate
Setting an IP address on the switch (for management) :
Switch(config)#interface vlan [vlan id] -> default : 1
Switch(config-if)#ip address [IP] [SM]
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#ip default-gateway [IP] (global configuration command, not under the interface)
Create & Name a VLAN :
Switch(config)#vlan [vlan id]
Switch(config-vlan)#name [vlan name]
Setting an interface to access mode :
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan [vlan id]
Setting an interface to trunk mode :
Switch(config-if)#switchport trunk encapsulation [dot1q | isl | negotiate] (only on switches that support ISL; a 2960 is 802.1Q only and has no such command)
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk allowed vlan [vlan list | add | all | except | none | remove] (optional, restricts which VLANs the trunk carries; keep it to the VLANs actually needed)
Troubleshooting :
Switch#show vlan
Switch#show ip interface brief
Switch#show interfaces trunk
Switch#show dtp interface [interface slot/port]
Switch#show run
Switch#show interfaces [interface slot/port] switchport
Chapter 6
Inter VLAN Routing : forwarding traffic between VLANs, which requires a Layer 3 device (router or multilayer switch).
3 Methods of Inter VLAN Routing :
- Traditional : one physical router interface per VLAN
- Router on a Stick : one physical router interface with a subinterface per VLAN, connected to the switch over a trunk
- Multilayer Switch : routing done by a Layer 3 switch using SVIs (interface vlan)
Subinterface : a logical interface on one physical interface, used to terminate several VLANs (networks) on one physical link.
1. Traditional :
Switch :
Switch(config)#interface f0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config)#interface f0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Switch(config)#interface f0/10
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config)#interface f0/11
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Router :
Router(config)#interface f0/0
Router(config-if)#ip address 192.168.10.1 255.255.255.0
Router(config-if)#no shutdown
Router(config)#interface f0/1
Router(config-if)#ip address 192.168.20.1 255.255.255.0
Router(config-if)#no shutdown
2. Router on a stick :
Switch :
Switch(config)#interface f0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config)#interface f0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Switch(config)#interface f0/24
Switch(config-if)#switchport trunk encapsulation dot1q (omit on platforms that are 802.1Q only)
Switch(config-if)#switchport mode trunk
Router :
Router(config)#interface f0/0
Router(config-if)#no shutdown
Router(config)#interface f0/0.10
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip address 192.168.10.1 255.255.255.0
Router(config)#interface f0/0.20
Router(config-subif)#encapsulation dot1q 20
Router(config-subif)#ip address 192.168.20.1 255.255.255.0
note :
Router(config-subif)#encapsulation dot1q 99 native
used for native vlan on trunk link
3. Multilayer Switch :
Switch :
Switch(config)#ip routing
Switch(config)#interface f0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config)#interface f0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Switch(config-if)#exit
Switch(config)#interface vlan 10
Switch(config-if)#ip address 192.168.10.1 255.255.255.0
Switch(config-if)#no shutdown
Switch(config)#interface vlan 20
Switch(config-if)#ip address 192.168.20.1 255.255.255.0
Switch(config-if)#no shutdown
Chapter 4
VTP (VLAN Trunking Protocol)
VTP is a Cisco proprietary protocol that propagates VLAN information (create, delete, rename) dynamically to all switches in the same VTP domain
VLAN range that can be propagated : 1-1005 (normal range)
VTP messages are sent only over trunk links
VTP Advertisements :
- Summary Advertisement : contains the domain name and the configuration revision number; sent every 5 minutes or whenever the VLAN database changes
- Subset Advertisement : contains the VLAN information itself
- Request Advertisement : sent by a switch that needs the VLAN database; the VTP server answers with a summary advertisement followed by subset advertisements
Things that cause a switch to send a request :
- its VTP domain name changes
- it receives a summary advertisement with a higher configuration revision than its own
- it reboots
Parameters of VTP (show vtp status) :
1. VTP version : must be the same to exchange VLAN information
2. VTP domain name : must be the same to exchange VLAN information
3. VTP password : must be the same
- VTP mode
- configuration revision : a counter of VLAN database changes; the highest revision in the domain wins and overwrites the others (default = 0)
- VLANs : the number of VLANs
Default VTP parameters :
- VTP version = 1
- VTP domain = null
- VTP mode = server
- configuration revision = 0 (transparent mode is always 0)
- VLANs = 5 (1, 1002, 1003, 1004, 1005)
VTP modes :
- VTP Server : can create, delete, and rename VLANs; sends and applies VTP advertisements
- VTP Client : cannot create, delete, or rename VLANs; applies the advertisements it receives and forwards them
- VTP Transparent : can create, delete, and rename local VLANs only; does not apply advertisements, only forwards them to other switches (configuration revision = 0)
VTP domain name propagation : if a switch's domain name is still 'null' and it receives a VTP advertisement, it adopts the domain name contained in that advertisement.
VTP Pruning : stops broadcast, multicast and unknown unicast traffic of a VLAN from being flooded across a trunk to a switch that has no active ports in that VLAN.
- Setting VTP mode :
switch(config)#vtp mode [server | client | transparent]
- Setting domain name :
switch(config)#vtp domain [name]
- Setting VTP password :
switch(config)#vtp password [password]
- VTP version :
switch(config)#vtp version [1 | 2]
- Setting VTP Pruning :
switch(config)#vtp pruning
switch(config-if)#switchport trunk pruning vlan [vlan list | add | except | none | remove]
- Reset the configuration revision (do this before connecting a previously used switch to the domain; otherwise a higher revision on the new switch overwrites the VLAN database of the whole domain, even if the new switch is a client) :
- change the domain name, or
- change to transparent mode, then return to the previous mode
- Troubleshooting VTP :
switch#show vtp status
switch#show run
switch#show vtp password
The revision number changes when :
- a VLAN is created, deleted or renamed (increments by 1)
- the domain name is changed (resets to 0)
- the mode is changed to transparent (resets to 0)
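Why the revision reset matters is easiest to see by replaying the rules. The following is an added example, not part of the original notes: a simplified Python model of how a switch treats an incoming VTP advertisement (same domain and version, valid password digest, higher revision wins, transparent mode only forwards, a 'null' domain adopts the first domain it hears). The digest here is a stand-in (MD5 over domain, password, revision and VLAN list), not the real VTP packet digest, and the class and switch names are this example's own.

```python
import hashlib


def digest(domain, password, revision, vlans):
    """Simplified stand-in for the VTP MD5 digest: binds the secret to the advertised content."""
    data = f"{domain}|{password}|{revision}|{sorted(vlans)}".encode()
    return hashlib.md5(data).hexdigest()


class VtpSwitch:
    """One switch's VTP state (example model, not IOS code)."""
    DEFAULT_VLANS = frozenset({1, 1002, 1003, 1004, 1005})

    def __init__(self, name, mode="server", domain=None, password="", version=1):
        self.name, self.mode, self.domain = name, mode, domain
        self.password, self.version = password, version
        self.revision = 0
        self.vlans = set(self.DEFAULT_VLANS)

    def add_vlan(self, vid):
        if self.mode == "client":
            raise PermissionError("a VTP client cannot create VLANs")
        self.vlans.add(vid)
        if self.mode != "transparent":       # transparent mode keeps revision 0
            self.revision += 1

    def set_domain(self, domain):
        self.domain, self.revision = domain, 0   # changing the domain resets the revision

    def set_mode(self, mode):
        self.mode = mode
        if mode == "transparent":
            self.revision = 0

    def advertisement(self):
        """Summary + subset advertisement in one dict."""
        return {"version": self.version, "domain": self.domain, "revision": self.revision,
                "vlans": set(self.vlans),
                "digest": digest(self.domain, self.password, self.revision, self.vlans)}

    def receive(self, adv):
        """Return 'applied', 'forwarded' or 'ignored'."""
        if self.mode == "transparent":
            return "forwarded"                    # transparent only relays
        if self.domain is None:
            self.domain = adv["domain"]           # null domain adopts the advertised one
        if adv["domain"] != self.domain or adv["version"] != self.version:
            return "ignored"
        if adv["digest"] != digest(self.domain, self.password, adv["revision"], adv["vlans"]):
            return "ignored"                      # password mismatch
        if adv["revision"] <= self.revision:
            return "ignored"                      # only a higher revision overwrites
        self.vlans, self.revision = set(adv["vlans"]), adv["revision"]
        return "applied"


if __name__ == "__main__":
    core = VtpSwitch("core", "server", "CORP", "s3cret")
    core.add_vlan(10)
    core.add_vlan(20)
    lab = VtpSwitch("lab", "server", "CORP", "s3cret")     # a switch that used to live in a test rack
    for vid in range(100, 110):
        lab.add_vlan(vid)
    print("core before:", core.revision, sorted(core.vlans))
    print("lab advertisement:", core.receive(lab.advertisement()))
    print("core after:", core.revision, sorted(core.vlans))   # VLANs 10 and 20 are gone
```

The run shows the classic failure: the lab switch is in the right domain with the right password, its revision (10) is higher than the core's (2), and the core happily replaces its VLAN database, deleting VLANs 10 and 20 everywhere. Resetting the revision on the lab switch first (set_domain or a pass through transparent mode) makes the same advertisement ignored.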
Chapter 5
Spanning Tree Protocol (STP) runs at Layer 2 and prevents the Layer 2 loops that redundant paths would otherwise create. STP runs on every switch port, access and trunk. (802.1D)
Problems on a redundant path without STP :
- Layer 2 loop : a frame circulates forever, because a Layer 2 header has no TTL to expire it
- Broadcast Storm : many broadcast frames trapped in a Layer 2 loop saturate the links and the CPU of every switch in the loop
- Duplicate Unicast Frames : the destination host receives more than one copy of the same frame
How STP works : it ensures only one active path between any two points by blocking the redundant ports; when the main path goes down, a blocked port is unblocked.
STP uses the STA (Spanning Tree Algorithm) to determine which ports to block. STA elects one switch as the ROOT BRIDGE per VLAN instance by exchanging BPDUs (Bridge Protocol Data Units); a BPDU is the hello message of STP (carrying the root ID, the sender's bridge ID and the root path cost) and is sent every 2 seconds by default.
Port Roles :
- Root Port : the port with the lowest cost path to the root bridge; it forwards frames (one per non-root switch)
- Designated Port : the forwarding port on each segment (all ports on the root bridge are designated)
- Non-Designated Port : a port in 'blocking state' that does not forward frames
- Disabled Port : a port that is 'administratively down'
STP Algorithm :
at boot, every switch considers itself the root bridge (within one broadcast domain) and the switches exchange BPDUs to elect the root.
Root Bridge election :
- Lowest bridge ID / BID [64 bits] :
- Lowest priority [16 bits] = bridge priority [4 bits, 0-61440 in multiples of 4096, default 32768] + extended system ID / VLAN number [12 bits], so the value shown is bridge priority + VLAN number
- Lowest MAC address [48 bits] (tie-breaker when the priorities are equal)
- All ports on the Root Bridge become "Designated Ports"
- Every switch except the Root Bridge chooses one "Root Port", the port with the lowest cost to the root bridge; the tie-breakers, in order, are :
- lowest root path cost
- lowest neighbor BID
- lowest neighbor port ID :
- port priority (default 128)
- port number
- All ports that are not the Root Port become either designated or non-designated
- on one segment there can be only one designated port
- if both ends of a segment could be designated, the port that is blocked (non-designated) is decided by :
- the end with the lowest root path cost to the root bridge is not blocked
- then the end with the lowest BID is not blocked
- Root ID = the BID of the Root Bridge
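The election and the port-role rules above, as an added example that is not part of the original notes: a small Python model of the 802.1D computation for one VLAN instance, run on a constructed three-switch triangle. Switch names, MAC addresses and port numbers are made up for the example; the comparison rules (lowest BID wins the root election, lowest root path cost then lowest BID then lowest port ID for root and designated ports) are the standard ones listed above.

```python
import heapq

FAST_ETHERNET_COST = 19   # 802.1D-1998 path cost for a 100 Mbit/s link


def make_bid(priority: int, vlan: int, mac: str) -> int:
    """64-bit Bridge ID: 4-bit priority + 12-bit extended system ID (the VLAN), then 48-bit MAC.
    This is why 'show spanning-tree' prints the priority as e.g. 32769 for VLAN 1."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1..4094")
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return ((priority + vlan) << 48) | mac_int


def port_id(number: int, priority: int = 128) -> int:
    """16-bit Port ID: port priority (default 128) in the high byte, port number in the low byte."""
    return (priority << 8) | number


def elect_root(bids: dict) -> str:
    """The switch with the numerically lowest BID becomes root (priority first, then MAC)."""
    return min(bids, key=bids.get)


def run_sta(bids: dict, links: list) -> dict:
    """Compute STP port roles for one VLAN instance.
    bids: {switch: bid}; links: [((sw_a, port_a), (sw_b, port_b), cost), ...]
    Returns {(switch, port): 'root' | 'designated' | 'blocked'}."""
    root = elect_root(bids)
    adj = {sw: [] for sw in bids}          # switch -> [(local_port, neighbor, neighbor_port, cost)]
    for (a, pa), (b, pb), cost in links:
        adj[a].append((pa, b, pb, cost))
        adj[b].append((pb, a, pa, cost))

    # Root path cost: a link's cost is added on the port that receives the root's BPDU,
    # so each switch's root path cost is its cheapest path to the root (Dijkstra).
    rpc = {root: 0}
    heap = [(0, root)]
    while heap:
        cost_so_far, sw = heapq.heappop(heap)
        if cost_so_far > rpc[sw]:
            continue
        for _, nb, _, cost in adj[sw]:
            if cost_so_far + cost < rpc.get(nb, float("inf")):
                rpc[nb] = cost_so_far + cost
                heapq.heappush(heap, (rpc[nb], nb))

    roles = {}
    for sw in bids:
        if sw == root:
            continue                        # the root bridge has no root port
        # Root port tie-breakers: lowest root path cost, lowest neighbor BID,
        # lowest neighbor port ID, then lowest local port ID.
        local_port, _, _, _ = min(
            adj[sw],
            key=lambda e: (rpc[e[1]] + e[3], bids[e[1]], port_id(e[2]), port_id(e[0])),
        )
        roles[(sw, local_port)] = "root"

    for (a, pa), (b, pb), _ in links:
        # One designated port per segment: lowest root path cost, then lowest BID, then lowest port ID.
        key_a = (rpc[a], bids[a], port_id(pa))
        key_b = (rpc[b], bids[b], port_id(pb))
        designated, other = ((a, pa), (b, pb)) if key_a < key_b else ((b, pb), (a, pa))
        roles[designated] = "designated"
        roles.setdefault(other, "blocked")  # a root port stays a root port; anything else is blocked
    return roles


# Constructed triangle: S3 has been given 'spanning-tree vlan 1 root primary' (priority 24576).
BIDS = {
    "S1": make_bid(32768, 1, "0000.0c11.1111"),
    "S2": make_bid(32768, 1, "0000.0c22.2222"),
    "S3": make_bid(24576, 1, "0000.0c33.3333"),
}
LINKS = [
    (("S1", 1), ("S2", 1), FAST_ETHERNET_COST),   # S1 Fa0/1 - S2 Fa0/1
    (("S1", 2), ("S3", 1), FAST_ETHERNET_COST),   # S1 Fa0/2 - S3 Fa0/1
    (("S2", 2), ("S3", 2), FAST_ETHERNET_COST),   # S2 Fa0/2 - S3 Fa0/2
]

if __name__ == "__main__":
    print("root bridge:", elect_root(BIDS))
    for (sw, port), role in sorted(run_sta(BIDS, LINKS).items()):
        print(f"{sw} Fa0/{port}: {role}")
```

With equal costs everywhere, S1 and S2 both reach S3 directly (root path cost 19) and the S1-S2 link is the redundant one; S1 wins the designated role on it because its MAC is lower, so S2 Fa0/1 is the port that ends up blocked. Change S3's priority back to 32768 and the lowest MAC (S1) becomes root instead, which is exactly the uncontrolled situation root primary and root guard are meant to prevent.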
Port States :
- Blocking : blocked / non-designated port, does not forward frames but still receives BPDUs (up to 20 seconds, the max age)
- Listening : sends and receives BPDUs but does not forward data (15 seconds) [STA runs here]
- Learning : learns source MAC addresses into the MAC table, still no data forwarding (15 seconds)
- Forwarding : sends and receives BPDUs and forwards data
- Disabled : shutdown port / administratively down
BPDU Timers :
- Hello time : interval between BPDUs sent from an interface, range 1-10 seconds (default : 2 seconds)
- Forward Delay : time spent in each of the listening and learning states before a port can forward data (default 15 seconds each, 30 seconds in total, can be changed to 4-30 seconds)
- Maximum Age : how long a switch keeps BPDU information without hearing a new BPDU (default 20 seconds, can be changed to 6-40 seconds)
STP Variants :
- Cisco Proprietary :
PVST (Per VLAN Spanning Tree)
- uses ISL trunks
- every VLAN has its own STP instance
- load balancing at layer 2 (a different root bridge per VLAN)
- BackboneFast, UplinkFast and PortFast features
PVST+
- supports ISL & 802.1Q trunks
- supports the Cisco proprietary STP extensions
- BPDU guard and Root guard features
Rapid PVST+
- based on IEEE 802.1w (RSTP), one instance per VLAN
- faster convergence than PVST+; access ports should be configured as PortFast / edge ports for the fast convergence to apply to them
- IEEE Standard :
RSTP (Rapid STP)
- the replacement for STP : 802.1D became 802.1w
- faster convergence than STP
- edge port feature (the equivalent of PortFast)
MSTP (Multiple STP)
- several VLANs can be mapped to one instance
- 802.1s
Maximum Network Diameter for spanning-tree = 7
to change it manually (this also recalculates the timers) :
switch(config)#spanning-tree vlan [vlan ID] root primary diameter [2-7]
Setting the port cost toward the root bridge :
switch(config-if)#spanning-tree cost [1-200000000]
switch(config-if)#no spanning-tree cost (reset cost)
Configure BID Priority :
switch(config)#spanning-tree vlan [vlan no] priority [0-61440] (multiple of 4096)
switch(config)#spanning-tree vlan [vlan no] root primary (sets the priority low enough to become root, 24576 or lower)
switch(config)#spanning-tree vlan [vlan no] root secondary (sets priority 28672, the backup root)
Configure Port Priority :
switch(config-if)#spanning-tree port-priority [0-240] (multiple of 16)
Configure STP mode :
switch(config)#spanning-tree mode [pvst | rapid-pvst | mst]
- BackboneFast : when an indirect link fails, a blocked port moves to listening immediately instead of waiting for max age to expire
total convergence time approximately 30 seconds (default 50 seconds = max age + listening + learning)
switch(config)#spanning-tree backbonefast (the CatOS form is "set spantree backbonefast enable")
- UplinkFast : when a direct uplink fails, the blocked backup port moves straight to forwarding (skips listening & learning)
convergence time approximately 1-5 seconds, used on access switches with redundant uplinks
switch(config)#spanning-tree uplinkfast [max-update-rate pkts-per-second] (the CatOS form is "set spantree uplinkfast enable")
- PortFast : when the port comes up it goes straight to forwarding (skips listening & learning), so the end device gets link immediately; use it only on access ports connected to a single host. If PortFast is enabled on a port facing another switch, a temporary Layer 2 loop can form.
switch(config-if)#switchport mode access
switch(config-if)#spanning-tree portfast
- BPDU Guard : if a PortFast port with BPDU guard receives a BPDU, the port is shut down (err-disabled); BPDU guard is used to stop someone replacing a host with a rogue switch on an access port
switch(config-if)#spanning-tree bpduguard [enable | disable]
- Root Guard : if a port with root guard receives a superior BPDU (a BPDU advertising a lower BID than the current root), the port goes to the "root-inconsistent" (blocked) state; it does not need PortFast and is placed on designated ports facing switches that must never become root
switch(config-if)#spanning-tree guard root
- Edge Port : when the port comes up it goes to forwarding immediately (like PortFast), but if it ever receives a BPDU it becomes a normal spanning-tree port (on RSTP); configured the same way as PortFast
Troubleshooting STP :
- show spanning-tree
- show run