8/9/2019 CCENT Notes Part-2
1/52
CCENT Notes
Part 2 LAN Switching
Ref : CCENT/CCNA ICND1 Official Exam Certification Guide, Second Edition
by Wendell Odom
It is highly recommended that you read the above study guide at least once to make full use of these notes. These notes may contain minor errors, so please always refer to the study guide for accurate information.
(Jojo Jacob - CCENT)
TABLE OF CONTENTS
Chapter 7 Ethernet LAN Switching Concepts
Chapter 8 Operating Cisco LAN Switches
Chapter 9 Ethernet Switch Configurations
Chapter 10 Ethernet Switch Troubleshooting
Chapter 11 Wireless LANs
Chapter 7 Ethernet LAN Switching Concepts
Hubs : create one single collision domain; in a 10BASE-T network built with a hub, bandwidth is shared by all attached devices.
Bridges : reduced the number of collisions in a network by segmenting the collision domain, and so added bandwidth to the network.
Switches (benefits of using switches) : create a separate collision domain on each interface, support full duplex when only one device is connected to an interface, and multiply the amount of available bandwidth in the network.
Ethernet MAC address
Unicast Addresses: a MAC address that identifies a single LAN interface card.
Broadcast Addresses: a frame sent with a destination address equal to the broadcast address (FFFF.FFFF.FFFF) implies that all devices on the LAN should receive and process the frame.
Multicast Addresses: multicast MAC addresses allow a dynamic subset of devices on a LAN to communicate.
IP multicast over Ethernet uses MAC addresses in the format 0100.5exx.xxxx, where any value between 00.0000 and 7f.ffff can be used for the second half.
Primary functions of a Switch
1. Deciding when to forward a frame or when to filter (not forward) a frame, based on the destination MAC address.
2. Learning MAC addresses by examining the source MAC address of each frame received.
3. Creating a (Layer 2) loop-free environment with other switches by using Spanning Tree Protocol (STP).
Sample switch forwarding and filtering decision (Fred forwards a frame to Barney).
Figure: four hosts on one switch, Fred (0200.1111.1111) on Fa0/1, Barney (0200.2222.2222) on Fa0/2, Wilma (0200.3333.3333) on Fa0/3 and Betty (0200.4444.4444) on Fa0/4. A frame with destination MAC address 0200.2222.2222 comes in on Fa0/1; the switch forwards it out Fa0/2 and filters it (does not forward it) out Fa0/3 and Fa0/4.
MAC Address Table
0200.1111.1111 Fa0/1
0200.2222.2222 Fa0/2
0200.3333.3333 Fa0/3
0200.4444.4444 Fa0/4
The MAC address table is also called the switching table, bridging table or Content Addressable Memory (CAM) table.
Sample switch filtering decision.
Note that the hub simply regenerates the electrical signal out each interface, so the hub forwards the signal sent by Fred to both Barney and the switch. The switch decides to filter (not forward) the frame, noting that the MAC address table interface for destination address 0200.2222.2222 (Fa0/1) is the same as the incoming interface.
Figure: Fred (0200.1111.1111) and Barney (0200.2222.2222) share a hub that connects to switch port Fa0/1; Wilma (0200.3333.3333) is on Fa0/3 and Betty (0200.4444.4444) on Fa0/4. The frame sent to 0200.2222.2222 came in on Fa0/1; the MAC table entry points back out Fa0/1, so the frame is filtered (not forwarded) because it would have to go out the same interface it came in on.
MAC Address Table
0200.1111.1111 Fa0/1
0200.2222.2222 Fa0/1
0200.3333.3333 Fa0/3
0200.4444.4444 Fa0/4
How switches learn MAC addresses: switches populate the MAC address table by listening to frames; for each frame, the switch adds the source MAC address and the interface it came in on, if that entry is not already in the MAC address table.
Flooding frames: when a switch receives a frame with a destination address that is not in its MAC address table, it forwards the frame out all interfaces except the one it came in on.
Switches keep a timer for each entry in the MAC address table, called the inactivity timer. The switch sets the timer to 0 for new entries and resets it to 0 each time it receives a frame from that MAC address. The timer counts upward, so at any point in time, if switch memory runs out, the switch knows which is the oldest inactive entry in the MAC address table and deletes it to free up memory.
Spanning Tree Protocol (STP): STP prevents loops by blocking some interfaces (ports) from forwarding frames, so that only one active logical path exists between two LANs in a physically redundant network. In STP a port can be in one of two states: Blocking (cannot send or receive) and Forwarding (can send and receive).
Internal Processing on Cisco Switches
Store-and-forward processing : with this type of processing, a switch must receive the entire frame before it starts forwarding the first bits of the frame.
Cut-through processing : with this type of processing, a switch starts forwarding the frame as soon as possible, without waiting for the entire frame to be received. This is possible because the destination MAC address comes early in the Ethernet header. Although this reduces latency, it may cause erroneous frames to be forwarded, because the FCS is placed at the end of the frame and the switch cannot determine whether the frame it already forwarded was in error.
Fragment-free processing : works very much like cut-through processing, but tries to reduce the number of errored frames that it forwards.
Switching Method : Description
Store-and-Forward : The switch fully receives all bits in the frame (stores it) before forwarding the frame. This allows the switch to check the FCS before forwarding the frame.
Cut-through : The switch forwards the frame as soon as it can. This reduces latency but does not allow the switch to discard a frame that fails the FCS check.
Fragment-free : The switch forwards a frame after receiving the first 64 bytes of the frame, thereby avoiding forwarding frames that were errored due to a collision.
LAN Switching Summary
LAN switches provide many additional features compared to LAN hubs and bridges. In particular, LAN switches provide the following benefits:
- A switch port connected to a single device micro-segments the LAN, providing dedicated bandwidth to that device.
- Switches allow multiple simultaneous conversations between devices on different ports.
- A switch port connected to a single device supports full duplex, in effect doubling the available bandwidth to the device.
- Switches support rate adaptation, which means devices using different Ethernet speeds can communicate through the switch (hubs cannot).
Switches use Layer 2 logic, examining the Ethernet data-link header to choose how to process frames. In particular, switches make decisions to forward and filter frames, learn MAC addresses, and use STP to avoid loops, as follows:
Step 1. Switches forward frames based on the destination address:
a) If the destination address is a broadcast, multicast, or unknown destination unicast (address not found in the MAC table), the switch floods the frame, sending it out all other ports except the port on which it was received.
b) If the destination address is a known unicast address:
1. If the outgoing interface listed in the MAC table is different from the interface the frame came in on, the switch forwards the frame out that outgoing interface.
2. If the outgoing interface listed in the MAC table is the same as the interface the frame came in on, the switch filters the frame, that is, it simply ignores the frame without forwarding it.
Step 2. Switches use the following logic to learn MAC address table entries:
a) For each received frame, examine the source MAC address and the interface from which the frame was received.
b) If they are not already in the table, add the address and interface, setting the inactivity timer to 0.
c) If the entry is already in the table, reset its inactivity timer to 0.
Step 3. Switches use STP to prevent loops by causing some interfaces to block, meaning that they do not send or receive frames.
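The three steps above, as an added example (not code from the study guide) that replays the Fred/Barney figures: a small switch model with the forward/filter decision, source-MAC learning with the inactivity timer and oldest-entry eviction, flooding of broadcast, multicast and unknown unicast, and STP blocking ports that neither learn nor forward. Port names, MAC addresses and frames are constructed to match the figures; STP itself is not modelled, only the effect of a port being in blocking state.

```python
"""Simulation of the Layer 2 forward/filter/learn logic from Steps 1 to 3.

Added example, not code from the study guide. The port names, MAC addresses
and frames are constructed to match the Fred/Barney/Wilma/Betty figures.
STP itself is not modelled: a port listed in `blocked` neither learns from
nor forwards frames, which is all the text says about the blocking state.
"""
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"


def is_multicast(mac: str) -> bool:
    """True when the group bit (least significant bit of the first octet) is set.

    Covers both FFFF.FFFF.FFFF and the 0100.5exx.xxxx IP multicast range.
    """
    first_octet = int(mac.replace(".", "")[:2], 16)
    return bool(first_octet & 0x01)


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class Switch:
    ports: list
    table_size: int = 4                            # small cap so eviction can be shown
    blocked: set = field(default_factory=set)      # ports STP put into blocking state
    mac_table: dict = field(default_factory=dict)  # MAC -> (port, inactivity timer)

    def learn(self, mac: str, in_port: str) -> None:
        """Step 2: add (source MAC, port) with timer 0, or reset a known entry's timer.

        When the table is full, the entry that has been inactive longest is dropped.
        """
        if mac in self.mac_table:
            self.mac_table[mac] = (in_port, 0)
            return
        if len(self.mac_table) >= self.table_size:
            oldest = max(self.mac_table, key=lambda m: self.mac_table[m][1])
            del self.mac_table[oldest]
        self.mac_table[mac] = (in_port, 0)

    def age(self, ticks: int = 1) -> None:
        """Inactivity timers count upward while a MAC stays silent."""
        for mac, (port, timer) in list(self.mac_table.items()):
            self.mac_table[mac] = (port, timer + ticks)

    def forward(self, frame: Frame, in_port: str) -> list:
        """Step 1: return the list of ports the frame is sent out of."""
        if in_port in self.blocked:
            return []                      # Step 3: a blocking port drops everything
        src, dst = frame.src.lower(), frame.dst.lower()
        self.learn(src, in_port)
        if dst == BROADCAST or is_multicast(dst) or dst not in self.mac_table:
            # Broadcast, multicast or unknown unicast: flood out every other port
            return [p for p in self.ports if p != in_port and p not in self.blocked]
        out_port, _ = self.mac_table[dst]
        if out_port == in_port:
            return []                      # known unicast on the same port: filter
        return [out_port]


def demo() -> dict:
    """Replay the two figures above and return the forwarding decisions."""
    fred, barney = "0200.1111.1111", "0200.2222.2222"
    results = {}
    sw = Switch(ports=["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"])
    # Barney is not in the table yet, so the first frame is flooded.
    results["unknown_unicast"] = sw.forward(Frame(fred, barney), "Fa0/1")
    # Barney replies; the switch learns 0200.2222.2222 on Fa0/2.
    sw.forward(Frame(barney, fred), "Fa0/2")
    results["known_unicast"] = sw.forward(Frame(fred, barney), "Fa0/1")
    results["broadcast"] = sw.forward(Frame(fred, BROADCAST), "Fa0/1")
    # Second figure: Fred and Barney share a hub on Fa0/1, so both MACs are
    # learned on Fa0/1 and Fred's frame to Barney is filtered.
    hub_sw = Switch(ports=["Fa0/1", "Fa0/3", "Fa0/4"])
    hub_sw.forward(Frame(barney, fred), "Fa0/1")
    results["filtered"] = hub_sw.forward(Frame(fred, barney), "Fa0/1")
    return results


if __name__ == "__main__":
    for case, ports in demo().items():
        print(f"{case:16} -> {ports}")
```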
LAN Design Considerations
Collision Domain : a collision domain is a set of LAN interfaces whose frames could collide with each other.
A broadcast domain is a set of devices such that, when one device sends a broadcast, all the other devices receive a copy of the broadcast. A switch floods broadcasts and multicasts out all ports, so a switch creates a single broadcast domain.
More precisely, a collision domain is a set of network interface cards (NICs) for which a frame sent by one NIC could collide with a frame sent by another NIC in the same collision domain, and a broadcast domain is a set of NICs for which a broadcast frame sent by one NIC is received by all other NICs in the same broadcast domain.
Switches are much preferred in a network because they micro-segment the collision domain, so devices do not have to share bandwidth.
A very large network with multiple switches still forms a single broadcast domain; it can be split into multiple broadcast domains by using a router.
Benefits of segmenting Ethernet devices using hubs, switches and routers (LAN design features compared across hubs, switches and routers)
Feature | Hub | Switch | Router
Greater cabling distances are allowed | Yes | Yes | Yes
Creates multiple collision domains | No | Yes | Yes
Increases bandwidth | No | Yes | Yes
Creates multiple broadcast domains | No | No | Yes
Virtual LAN (VLAN)
Without VLANs, a switch considers all its interfaces to be in the same broadcast domain. With VLANs, a switch can put some interfaces into one broadcast domain and others into another broadcast domain, based on some simple configuration.
Sample network with two VLANs using one switch.
Figure: one switch with some of its ports assigned to VLAN 1 and the remaining ports assigned to VLAN 2.
Motivations for using VLANs:
- To create a more flexible network design that groups users by department, or by groups that work together, instead of by physical location.
- To segment devices into smaller LANs (broadcast domains) to reduce the overhead caused to each host in the VLAN.
- To reduce the workload for STP by limiting a VLAN to a single access switch.
- To enforce better security by keeping hosts that work with sensitive data in a separate VLAN.
- To separate traffic sent by IP phones from traffic sent by the PCs connected to the phones.
Campus LAN design terminology
Figure: a campus LAN building block. Access switches (Access1 to Access4) provide the access links to end-user devices; uplinks connect the access switches to the distribution switches (Dist1, Dist2); core links connect the distribution switches to the core switches (Core1, Core2), which in turn connect to other building blocks.
Access : provides a connection point (access) for end-user devices; under normal circumstances it does not forward frames between two other access switches.
Distribution : provides an aggregation point for access switches, forwarding frames between switches, but is not connected directly to end-user devices.
Core : aggregates distribution switches in very large LANs, providing very high forwarding rates.
Ethernet Types, Media and Segment Lengths
Ethernet Type | Media | Maximum segment length
10BASE-T | TIA/EIA CAT3 or better, 2 pair | 100 m (328 feet)
100BASE-TX | TIA/EIA CAT5 UTP or better, 2 pair | 100 m (328 feet)
1000BASE-FX | 62.5/125 micron multimode fiber | 400 m (1312.3 feet)
1000BASE-CX | STP (shielded twisted pair) | 25 m (82 feet)
1000BASE-T | TIA/EIA CAT5e or better, 4 pair | 100 m (328 feet)
1000BASE-SX | Multimode fiber | 275 m (853 feet) for 62.5 micron fiber; 550 m (1804.5 feet) for 50 micron fiber
1000BASE-LX | Multimode fiber | 550 m (1804.5 feet) for 50 and 62.5 micron fiber
1000BASE-LX | 9 micron single-mode fiber | 10 km (6.2 miles)
Broadcast domain: a set of devices that receive broadcast frames originated by any device within the set. All devices in the same VLAN are in the same broadcast domain.
Broadcast frame: an Ethernet frame sent with destination address FFFF.FFFF.FFFF, meaning that the frame should be delivered to all hosts in the LAN.
Collision domain: a set of NICs for which a frame sent by one NIC could result in a collision with a frame sent by any other NIC in the same collision domain.
Cut-through switching: one of the three internal processing options in some models of Cisco LAN switches, in which the frame is forwarded as soon as possible, including forwarding bits of the frame before the whole frame is received.
Flooding: the process in which switches forward broadcast, unknown unicast and (sometimes) multicast frames out all other ports except the port on which the frame arrived.
Fragment-free switching: one of the three processing options on some Cisco LAN switches, in which the first bits of the frame may be forwarded before the entire frame is received, but not until the first 64 bytes of the frame have been received; in a well-designed LAN, collision fragments should not be forwarded as a result of this forwarding logic.
Microsegmentation: the LAN design process by which every switch port connects to a single device, creating a separate collision domain per interface.
Segmentation: the process of breaking a large amount of data from an application into pieces of a size appropriate to be sent through the network.
Spanning Tree Protocol (STP): a bridge protocol that uses the Spanning Tree Algorithm, allowing switches to dynamically work around loops in a network topology by creating a spanning tree. Switches exchange Bridge Protocol Data Unit (BPDU) messages with other bridges to detect loops, and remove the loops by shutting down selected bridge interfaces.
Store-and-forward switching: one of the three processing options in some Cisco LAN switches, in which the Ethernet frame must be completely received before the switch can begin forwarding the first bit of the frame.
Unknown unicast frame: an Ethernet frame whose destination MAC address is not listed in the MAC address table of the switch, so the switch must flood the frame.
Virtual LAN (VLAN): a group of devices connected to one or more switches, with the devices grouped into a single broadcast domain through switch configuration. VLANs allow switch administrators to separate devices connected to switches into separate VLANs without requiring separate physical switches, gaining the design advantage of separating traffic without buying additional hardware.
Please go to the "Do I Know This Already?" quiz for Chapter 7 (page 168 of the study guide).
Chapter 8 Operating Cisco LAN Switches
CLI : Command Line Interface
Cisco positions the 2960 series (family) of switches as full-featured, low-cost wiring closet switches for enterprises.
Cisco refers to a switch's physical connectors as either interfaces or ports. Each interface has a name and a number, for example interface FastEthernet 0/1 or interface GigabitEthernet 0/1.
Cisco supports two major operating systems: Internetwork Operating System (IOS) and Catalyst Operating System (CatOS).
Cisco uses the term Hybrid to refer to 6500 series core switches that use CatOS, and the term Native to refer to 6500 series core switches that use IOS.
Cisco 2960 Switch LEDs and the Mode button
Figure: the front-panel LEDs on a 2960 switch are SYST, RPS, STAT, DUPLX and SPEED, followed by the port LEDs; the MODE button toggles what the port LEDs show.
LEDs and descriptions
NAME : Description
SYST (System) : implies overall system status. Off: the system is not powered on. On (green): the switch is powered on and operational (Cisco IOS has been loaded). On (amber): the switch's power-on self test (POST) failed and Cisco IOS did not load.
RPS (Redundant power supply) : suggests the status of the redundant (extra) power supply.
STAT (Status) : if on (green), each port LED indicates that port's status. Port LED: Off: the link is not working. Solid green: the link is working but there is no current traffic. Flashing green: the link is working and traffic is currently passing over the interface. Flashing amber: the interface is administratively disabled, or dynamically disabled for one of many reasons.
DUPLX (Duplex) : if on (green), each port LED indicates that port's duplex setting. Port LED: On (green): full duplex. Off: half duplex.
SPEED : if on (green), each port LED indicates the speed of that port. Port LED: Off: 10 Mbps. Solid green: 100 Mbps. Flashing green: 1000 Mbps (1 Gbps).
Port : has different meanings depending on the port mode, as toggled using the MODE button.
Accessing Cisco IOS CLI
The console port provides a way to connect to the switch CLI even if the switch is not connected to a network. Every Cisco switch has a console port, which is physically an RJ-45 port; a PC connects to the console port using an RJ-45 cable.
Default console port settings on a Cisco switch:
Baud rate : 9600 bits/second
Flow control : none (no hardware flow control)
Data : 8-bit ASCII
Stop bit : none (no stop bits)
Parity : 1 bit (1 parity bit)
Accessing the CLI using Telnet and SSH
The Telnet client (PC) needs terminal emulator software with a Telnet/SSH client installed; the switch runs the Telnet server software.
Telnet sends all data, including the username and password, as clear text, which is a security threat.
SSH (Secure Shell) does the same basic things as Telnet, but in a more secure way, by using encryption.
CLI password configuration: console and Telnet
Access From : Password Type : Sample Configuration
Console : console password
 line console 0
 login
 password faith
Telnet : vty password
 line vty 0 15
 login
 password love
Switches support up to 16 (0-15) concurrent virtual terminal connections, including Telnet and SSH.
User and Privileged Modes
Figure: a user connects via the console, Telnet or SSH and lands in user mode; the enable command (with the enable password) moves to enable (privileged) mode, and disable moves back.
Router> enable
Password: xxxx
Router#
Router# disable
Router>
The preferred method for setting the password for reaching enable mode is the enable secret password command.
Cisco IOS software command help
What you enter : What help you get
? : Help for all commands available in this mode
help : Text describing how to get help. No actual command help is given.
command ? : Text help describing all the first-parameter options for the command
com? : A list of commands that start with com
command parm? : Lists all parameters starting with parm
command parm<Tab> : The CLI autofills the rest of the parameter
command parm1 ? : Lists all the next parameters with a brief description
Key sequences for command edit and recall
Keyboard command : What it does
Up arrow or Ctrl-P : Displays previously entered commands
Down arrow or Ctrl-N : Moves down to more recent commands in the history list
Left arrow or Ctrl-B : Moves the cursor backward (left) in the currently displayed command
Right arrow or Ctrl-F : Moves the cursor forward (right)
Backspace : Moves back, deleting characters
Ctrl-A : Moves back to the first character of the command
Ctrl-E : Moves directly to the end of the command
Ctrl-R : Redisplays the command
Ctrl-D : Deletes a single character
Esc-B : Moves back one word
Esc-F : Moves forward one word
Debug and show commands
show commands list the currently known facts about the switch's operational status. debug commands ask the switch to continue monitoring a given process in the switch.
terminal monitor : enables the user to view the debug log messages
debug spanning-tree : enables debugging of the spanning-tree process
no debug spanning-tree : disables debugging of the spanning-tree process
no debug all or undebug all : disables all currently enabled debugs
CLI configuration modes vs EXEC modes
Figure: user EXEC mode leads (via enable) to privileged EXEC mode, which leads (via configure terminal) to configuration mode. Each configuration command is applied in succession to the active configuration in RAM; Ctrl-Z or exit returns to privileged EXEC mode.
Navigation between different configuration modes
Switch# configure terminal
Switch(config)# hostname Fred
Fred(config)# line console 0
Fred(config-line)# password hope
Fred(config-line)# interface FastEthernet 0/1
Fred(config-if)# speed 100
Fred(config-if)# exit
Fred(config)#
The text inside parentheses in the command prompt identifies the configuration mode.
Common switch configuration modes
Prompt | Name of mode | Context-setting command(s) to reach this mode
hostname(config)# | Global configuration mode | None; first mode after the configure terminal command
hostname(config-line)# | Line configuration mode | line console 0, line vty 0 15
hostname(config-if)# | Interface configuration mode | interface type number
(List of configuration mode prompts, the name of each configuration mode, and the command used to reach the mode.)
Storing configuration files
Cisco switch memory types
RAM : working memory and running configuration
Flash : Cisco IOS software
ROM : bootstrap program
NVRAM : startup configuration (NVRAM = non-volatile RAM)
Names and purposes of the two main Cisco IOS configuration files
Configuration filename | Purpose | Where it is stored
startup-config | Stores the initial configuration used any time the switch reloads Cisco IOS | NVRAM
running-config | Stores the currently used configuration commands. This file changes dynamically when someone enters commands in configuration mode | RAM
Configuration commands change only the running-config. To save the configuration, the running-config must be copied to NVRAM, overwriting the startup-config, so that the new or changed configuration is used the next time the switch reloads.
Locations for copying configuration files and the results of copying
Figure: files can be copied between RAM (running-config), NVRAM (startup-config) and a TFTP server with these commands:
copy tftp running-config
copy running-config startup-config
copy running-config tftp
copy startup-config running-config
copy tftp startup-config
copy startup-config tftp
The copy command always replaces the existing file when configuration files are copied to NVRAM or to a TFTP server, but when a file is copied to RAM (running-config) it is always merged, not replaced. If you change the running-config and want to revert to the startup-config, copy startup-config running-config will not necessarily make both configs match; instead you may have to issue the reload command, which reboots the switch, erases RAM and copies the startup-config into RAM as the running-config.
Commands to erase NVRAM:
write erase
erase startup-config
erase nvram:
Other names for the config files:
nvram:startup-config
system:running-config
Initial configuration: setup mode
Getting into setup mode (flowchart): turn on the switch and complete IOS initialization. If NVRAM is not empty, the startup-config is copied to the running-config. If NVRAM is empty, the switch asks "Do you want to enter setup mode?": if no, setup mode is skipped; if yes, answer the questions in setup mode and the new configuration is moved to NVRAM.
Setup mode writes the configuration to both the startup-config and running-config files, whereas configuration mode changes only the running-config file.
CLI (Command Line Interface): an interface that enables the user to interact with the operating system by entering commands and optional arguments.
Secure Shell (SSH): a TCP/IP application layer protocol that supports terminal emulation between a client and a server, using dynamic key exchange and encryption to keep the communication private and secure.
Enable mode: the part of the Cisco CLI where a user can use the most powerful and disruptive commands on a router or switch, including the ability to then reach configuration mode and reconfigure the device.
User mode: a mode of the user interface to a Cisco router or switch where a user can only type non-disruptive EXEC commands, generally to look at the current status, but not to change any operational settings.
Configuration mode: the part of the Cisco IOS CLI where a user can enter configuration commands, which are then added to the device's currently used configuration file (running-config).
Startup-config file: in Cisco IOS switches and routers, the name of the file that resides in NVRAM memory, holding the device's configuration that will be loaded into RAM as the running-config file when the device is next reloaded or powered on.
Running-config: in Cisco IOS switches and routers, the name of the file that resides in RAM, holding the device's currently used configuration.
Setup mode: an option on Cisco switches and routers that prompts the user for basic configuration information, resulting in new running-config and startup-config files.
Configuration commands
Command : Mode and purpose
line console 0 : Global command that changes the context to console configuration mode
line vty 1st-vty 2nd-vty : Global command that changes the context to line (vty) configuration mode for the range of vty lines listed in the command
login : Line (console and vty) configuration mode. Tells IOS to prompt for a password (no username)
password pass-value : Line (console, vty) configuration mode. Sets the password required if the login command (with no other parameters) is configured
interface type port-number : Global command that changes the context to interface mode, e.g. interface FastEthernet 0/1
shutdown / no shutdown : Interface subcommands that disable or enable the interface, respectively
hostname name : Global command that sets the switch's hostname, which is also used as the first part of the switch's command prompt
enable secret pass-value : Global command that sets the automatically encrypted enable secret password. This password is used for any user to reach enable mode
enable password pass-value : Global command that sets the clear-text enable password. This is used only when the enable secret password is not configured
exit : Moves back to the next higher mode in configuration mode
end : Exits configuration mode and goes back to enable mode from any of the configuration submodes
Ctrl-Z : Same as the end command
EXEC command reference
Command : Purpose
no debug all / undebug all : Enable mode EXEC commands that disable all currently enabled debugs
show process : EXEC command that lists statistics on CPU utilization
terminal monitor : EXEC command that tells Cisco IOS to send a copy of all syslog messages, including debug messages, to the Telnet or SSH user who issues the command
reload : Enable mode EXEC command that reloads (reboots) the switch or router
copy from-location to-location : Enable mode EXEC command that copies a file from one location to another; locations include the startup-config and running-config files, files on TFTP and RPC servers, and flash memory
copy running-config startup-config : Enable mode EXEC command that saves the active config, replacing the startup-config file used when the switch initializes
copy startup-config running-config : Enable mode EXEC command that merges the startup-config with the currently active config file in RAM
show running-config : Lists the contents of the running-config
write erase / erase startup-config / erase nvram: : All three enable mode EXEC commands erase the startup-config file
setup : Enable mode EXEC command that places the user in setup mode, in which Cisco IOS prompts the user for simple switch configuration
quit : EXEC command that disconnects the user from the CLI session
show system:running-config : Same as show running-config
show startup-config : Lists the contents of the startup-config (initial config) file
show nvram:startup-config / show nvram: : Same as show startup-config
enable : Moves the user from user mode to enable (privileged) mode, prompting the user for a password if one is configured
disable : Moves the user from enable mode to user mode
configure terminal : Enable mode command that moves the user into configuration mode
Please go to the "Do I Know This Already?" quiz for Chapter 8 (page 198 of the study guide).
Chapter 9 Ethernet Switch Configurations
Configuring Basic Passwords and Hostname
Switch> enable
Switch# configure terminal
(EXEC command to move from enable mode to configuration mode)
Switch(config)# enable secret cisco
Switch(config)# hostname emma
In global configuration mode, the user enters two global configuration commands that add configuration to the whole switch (enable secret and hostname). enable secret sets the only password used to reach enable mode, so it is a global command.
emma(config)# line console 0
emma(config-line)# password faith
emma(config-line)# login
emma(config-line)# exit
The login command, which tells the switch to ask for a text password but not a username, and the password command, which defines the required password, are subcommands in the respective line configuration submodes.
emma(config)# line vty 0 15
emma(config-line)# password love
emma(config-line)# login
emma(config-line)# exit
emma(config)# exit
emma#
emma# show running-config
hostname emma
enable secret 5 $90345824kosdfjsdfmld908v/m
line console 0
 password faith
 login
line vty 0 4
 password love
 login
line vty 5 15
 password love
 login
vty lines 5 15 (11 vty lines) were added later to vty 0 4 (5 vty lines), making a total of 16 concurrent vty lines available on a Cisco switch.
SSH configuration concepts
Figure: the SSH setup steps on the switch, numbered 1 to 6: (1) line vty 0 15 with login local, (2) transport input telnet ssh, (3) username wendell password hope, (4) ip domain-name example.com, (5) crypto key generate rsa, after which the switch holds a public and private key pair, and (6) the SSH client obtains the switch's public key.
Step 1 : login local changes the vty lines to use usernames (the plain login command does not require usernames) with locally configured usernames (the other option is usernames configured on an AAA server). The login local subcommand therefore replaces the login subcommand in vty configuration mode.
Step 2 : tell the switch to accept both Telnet and SSH with the transport input telnet ssh vty line subcommand; the default is transport input telnet, which omits SSH.
Step 3 : add one or more username name password pass-value global configuration commands to configure username/password pairs.
Step 4 : configure the DNS domain name with the ip domain-name name global configuration command.
Step 5 : configure the switch to generate a matched public and private key pair, as well as a shared encryption key, using the crypto key generate rsa global configuration command.
Step 6 : SSH clients need a copy of the switch's public key before the client can connect.
SSH configuration process
emma#
emma# configure terminal
emma(config)# line vty 0 15
emma(config-line)# login local
emma(config-line)# transport input telnet ssh
emma(config-line)# exit
emma(config)# username Wendell password hope
emma(config)# ip domain-name example.com
emma(config)# crypto key generate rsa
The name of the key will be: emma.example.com
Refer to page 241 of the study guide for SSH key generation and the public key listing.
Password encryption
The service password-encryption global configuration command encrypts passwords:
- When the service password-encryption command is configured, all existing console, vty and username command passwords are immediately encrypted.
- If the service password-encryption command has already been configured, any future changes to these passwords are encrypted.
- If the no service password-encryption command is used later, the passwords remain encrypted until they are changed, at which point they show up in clear text.
service password-encryption uses Type 7 encryption, which is a weak encryption algorithm that can be decrypted easily.
The two enable mode passwords
- If the global configuration command enable password pass-value is used, it defines the password required when using the enable EXEC command. This password is listed as clear text in the configuration file by default.
- If the global configuration command enable secret pass-value is used, it defines the password required when using the enable EXEC command. This password is listed as a hidden MD5 hash value in the configuration file by default.
- If both commands are used, the password set in the enable secret command is the one required.
IOS applies a mathematical function called Message Digest 5 (MD5) hash, and the result is stored in the configuration file; this is considered Type 5 encryption.
enable secret fred
enable secret 0 fred (sets the enable secret password to fred; 0 implies that the password that follows is clear text)
no enable secret (deletes the enable secret password)
enable secret tom (changes the enable secret password to tom)
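The SSH configuration steps and the password-encryption notes above describe several settings an administrator should check in a running-config: Telnet left enabled on the vty lines, plain login instead of login local where SSH is offered, clear-text (Type 0) or reversible Type 7 passwords, and an enable password without an enable secret. The following audit script is an added example, not code from the study guide; SAMPLE_CONFIG is constructed (loosely mirroring the Emma switch), and its hash and Type 7 strings are placeholders rather than real digests.

```python
"""Audit a Cisco IOS running-config for the weak password and remote-access
settings discussed in this chapter.

Added example, not code from the study guide. SAMPLE_CONFIG is constructed
(it loosely mirrors the Emma switch above); the Type 5 hash and Type 7
strings in it are placeholders, not real digests of any password.
"""

SAMPLE_CONFIG = """\
hostname emma
enable password cisco
enable secret 5 $1$PLACEHOLDER$notarealhash
username wendell password 7 0123456789AB
line console 0
 password 7 0123456789AB
 login
line vty 0 4
 password love
 login
 transport input telnet ssh
line vty 5 15
 password 7 0123456789AB
 login local
 transport input ssh
"""


def parse_sections(config: str) -> tuple:
    """Split a config into global commands and a dict of line-mode blocks.

    IOS indents subcommands with one leading space under their parent
    command (e.g. "line vty 0 4"); that is the only structure needed here.
    """
    global_cmds, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        current = line if line.startswith("line ") else None
        if current is not None:
            blocks[current] = []
        else:
            global_cmds.append(line)
    return global_cmds, blocks


def password_type(words: list) -> str:
    """Classify the text after password / enable secret / enable password.

    "0" = clear text (explicit 0 or no type number), "7" = the reversible
    service password-encryption form, "5" = the MD5 hash of enable secret.
    """
    if len(words) >= 2 and words[0] in ("0", "5", "7"):
        return words[0]
    return "0"


def audit(config: str) -> list:
    """Return (severity, finding) tuples; an empty list means nothing flagged."""
    global_cmds, blocks = parse_sections(config)
    findings = []
    has_secret = any(c.startswith("enable secret") for c in global_cmds)
    for cmd in global_cmds:
        words = cmd.split()
        if cmd.startswith("enable password"):
            # Clear text; only matters when no enable secret overrides it.
            if has_secret:
                findings.append(("info", "enable password is clear text but unused (enable secret wins)"))
            else:
                findings.append(("high", "enable password in use: clear-text enable password"))
        elif cmd.startswith("username ") and "password" in words:
            ptype = password_type(words[words.index("password") + 1:])
            if ptype == "7":
                findings.append(("medium", f"username {words[1]}: Type 7 password is reversible"))
            elif ptype == "0":
                findings.append(("high", f"username {words[1]}: clear-text password"))
    for name, subcmds in blocks.items():
        transport = [w for s in subcmds if s.startswith("transport input") for w in s.split()[2:]]
        for sub in subcmds:
            words = sub.split()
            if words[0] == "password":
                ptype = password_type(words[1:])
                if ptype == "7":
                    findings.append(("medium", f"{name}: Type 7 password is reversible"))
                elif ptype == "0":
                    findings.append(("high", f"{name}: clear-text password"))
        if "telnet" in transport:
            findings.append(("high", f"{name}: accepts Telnet, which carries the password in clear text"))
        if "ssh" in transport and "login" in subcmds:
            findings.append(("medium", f"{name}: SSH offered but plain 'login' has no usernames; use login local"))
    if not has_secret:
        findings.append(("high", "no enable secret configured"))
    return findings


if __name__ == "__main__":
    for severity, text in audit(SAMPLE_CONFIG):
        print(f"[{severity:6}] {text}")
```

Run against a real device, feed the output of show running-config into audit() instead of SAMPLE_CONFIG.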
Banner Configurations
banner is a global configuration command
SW1(config)# banner #Switch down for maintenance at 11 pm today #
(the default banner type is the MOTD, Message of the Day, banner, shown before the login prompt)
SW1(config)# banner login #Unauthorized Access Denied #
(login banner, shown before the login prompt, after the MOTD banner)
SW1(config)# banner exec ZCompany picnic at the park on Saturday, dont tell outsiders Z
(EXEC banner, shown only after a successful login, so this is the place for messages that should be hidden from unauthorised users; the MOTD and login banners are shown to anyone who connects and should not reveal device or organisation details)
(the first non-blank character after the banner [type] command is taken as the delimiter, and the text between the two delimiters is displayed)
Commands related to the history buffer
Command : Description
show history : EXEC command, lists the commands currently held in the history buffer
history size x : console or vty line configuration subcommand, sets the number of commands saved in the history buffer for that line
terminal history size x : EXEC command, sets the size of the history buffer just for the current user's session
Defining console inactivity timeouts and when to log messages
line console 0
login
password cisco
exec-timeout 0 0 (disables the inactivity timeout, so the console session never times out; convenient in a lab, but it leaves an unattended console logged in, so production devices should keep a finite timeout such as exec-timeout 10 0)
logging synchronous (displays syslog messages at a convenient time, after a command's output, rather than in the middle of a command being typed)
LAN Switch Configuration and Operation
Configuring Switch IP Address
An IOS-based switch configures its IP address and mask on a special virtual interface called the VLAN 1 interface.
Step 1. Enter VLAN 1 configuration mode by using the interface vlan 1 global configuration command.
Step 2. Assign the IP address and mask using the ip address ip-address mask interface subcommand.
Step 3. Enable the VLAN interface using the no shutdown interface subcommand.
Step 4. Add the ip default-gateway ip-address global command to configure the default gateway.
Switch static IP address configuration
Emma# configure terminal
Emma(config)# interface vlan 1
Emma(config-if)# ip address 192.168.1.200 255.255.255.0
Emma(config-if)# no shutdown
Emma(config-if)# exit
Emma(config)# ip default-gateway 192.168.1.1
(refer to page 249 for syslog messages)
Switch dynamic IP address configuration using DHCP
Emma# configure terminal
Emma(config)# interface vlan 1
Emma(config-if)# ip address dhcp
Emma(config-if)# no shutdown
Emma(config-if)# ^Z
Emma# show dhcp lease
(shows the temporarily leased IP address; a dynamically learned address is not stored in the running-config file, whereas a statically configured address is. A management address learned by DHCP also depends on the DHCP server being reachable and trustworthy, so a static address is the usual choice for a switch.)
Emma# show interface vlan 1
Vlan1 is up, line protocol is up
(refer to page 250 for syslog messages)
Interface Configuration Commands.
Emma# configure terminal
Emma(config)# interface fastethernet 0/1
Emma(config-if)# speed 100
Emma(config-if)# duplex full
Emma(config-if)# description server 1 connects here
Emma(config-if)# exit
Emma(config)# interface range fastethernet 0/11 - 20
Emma(config-if-range)# description end-users connect here
Emma(config-if-range)# ^Z
Emma# show interface status
Port    Name                    Status      Vlan   Duplex  Speed  Type
Fa0/1   Server 1 connects here  notconnect  1      full    100    10/100BaseTX
Fa0/2                           notconnect  1      auto    auto   10/100BaseTX
Fa0/4                           connected   1      a-full  a-100  10/100BaseTX
Fa0/11  end-users connect here  connected   1      auto    auto   10/100BaseTX
(lines for Fa0/12 through Fa0/24 omitted; please refer to page 252 for the full listing)
a-full and a-100 (the Fa0/4 line) mean that the duplex and speed were autonegotiated to full duplex and 100 Mbps with the physically connected device; a plain full / 100 (Fa0/1) means they were configured manually.
Port Security
If a network engineer knows what devices should be cabled and connected to a particular interface on a switch, the engineer can use port security to restrict that interface so that only the expected devices can use it.
Port Security Configuration Steps
Step 1. Make the switch interface an access interface using the switchport mode access interface subcommand.
Step 2. Enable port security using the switchport port-security interface subcommand.
Step 3. (Optional) Specify the maximum number of MAC addresses associated with the interface using the switchport port-security maximum number interface subcommand. The default maximum is 1.
Step 4. (Optional) Define the action to take when a frame is received from a MAC address other than the defined addresses, using the switchport port-security violation {protect | restrict | shutdown} interface subcommand. The default action is to shut down the port.
Step 5A. Specify the MAC addresses allowed to send frames into the interface using the switchport port-security mac-address mac-address interface subcommand. Use the command multiple times to specify more MAC addresses.
Step 5B. Alternatively, use the sticky learning process to dynamically learn and configure the MAC address of the currently connected host by configuring the switchport port-security mac-address sticky interface subcommand. (Sticky addresses are written into the running-config, so save the configuration afterwards. Note also that port security checks only the source MAC address, which an attacker can set to any value; it raises the bar, it does not identify the device.)
Fred# show port-security interface fastethernet 0/1
Fred# show port-security interface fastethernet 0/2
Refer to page 255 for the output listing.
Note the port status: secure-shutdown on Fa0/1 (the port has been shut down, err-disabled, because of a violation) and secure-up on Fa0/2. An err-disabled port stays down until an administrator issues shutdown followed by no shutdown on the interface (after removing the offending device), or until errdisable recovery, if configured with errdisable recovery cause psecure-violation, brings it back automatically.
Actions when port security violation occurs
Options on the switchport port-security violation command: protect, restrict, shutdown (default)
Discard offending traffic : protect YES, restrict YES, shutdown YES
Send log and SNMP messages : protect NO, restrict YES, shutdown YES
Disable the interface, discarding all traffic : protect NO, restrict NO, shutdown YES
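Added example (not from the study guide, and a simplified model rather than IOS code): a Python model of one secure access port that walks through Steps 3 to 5B above and the three violation modes in the table. Port names, MAC addresses and the log text are constructed for the example; the recover() method stands in for shutdown / no shutdown or errdisable recovery.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """One access port with port security enabled (model for these notes, not IOS)."""
    name: str
    maximum: int = 1                     # switchport port-security maximum <n>
    violation: str = "shutdown"          # violation {protect | restrict | shutdown}
    sticky: bool = False                 # switchport port-security mac-address sticky
    secure_macs: set = field(default_factory=set)
    status: str = "secure-up"            # secure-shutdown once err-disabled
    violation_count: int = 0
    log: list = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>: rejected once the maximum is reached."""
        if len(self.secure_macs) >= self.maximum:
            raise ValueError(f"{self.name}: already has {self.maximum} secure MAC address(es)")
        self.secure_macs.add(mac.lower())

    def receive(self, src_mac: str) -> bool:
        """Return True if the frame is accepted, False if port security discards it."""
        src_mac = src_mac.lower()
        if self.status == "secure-shutdown":
            return False                                   # err-disabled: everything dropped
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:           # still room: learn the address
            self.secure_macs.add(src_mac)
            if self.sticky:                                # sticky: lands in the running-config
                self.log.append(f"config: switchport port-security mac-address sticky {src_mac}")
            return True
        # Unknown source on a full port: a violation; the mode decides the reaction.
        if self.violation == "protect":
            return False                                   # silent discard, no count, no log
        self.violation_count += 1
        self.log.append(f"syslog: port security violation on {self.name} by {src_mac}")  # modelled text
        if self.violation == "shutdown":
            self.status = "secure-shutdown"                # err-disable the interface
        return False

    def recover(self) -> None:
        """shutdown / no shutdown (or errdisable recovery) brings the port back up."""
        self.status = "secure-up"


def demo() -> dict:
    """Same four frames on a port in each mode: legit host twice, an intruder, legit host again."""
    results = {}
    for i, mode in enumerate(("protect", "restrict", "shutdown"), start=1):
        port = SecurePort(name=f"Fa0/{i}", violation=mode, sticky=True)
        accepted = [port.receive(mac) for mac in
                    ("0200.1111.1111", "0200.1111.1111", "0200.9999.9999", "0200.1111.1111")]
        results[mode] = (accepted, port.status, port.violation_count)
    return results
```

demo() shows the trade-off in the table: protect and restrict keep the legitimate host working after the intruder's frame (restrict at least tells you about it), while shutdown takes the legitimate host down with the intruder until someone recovers the port.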
VLAN Configuration
Two types of Cisco switch interfaces: access interfaces and trunk interfaces.
By definition, access interfaces send and receive frames only in a single VLAN, called the access VLAN. Trunk interfaces send and receive frames in multiple VLANs.
One access port belongs to one VLAN (one VLAN can have multiple access ports, a subset of the switch's access ports); one trunk port carries multiple VLANs.
By default, switches have VLAN 1 configured and all interfaces assigned to it. To add another VLAN and assign access ports to it, follow the steps below.
Step 1: To configure a new VLAN
a) From configuration mode, use the vlan vlan-id global configuration command to create the VLAN and move the user into VLAN configuration mode.
b) (Optional) Use the name vlan-name VLAN subcommand to give the VLAN a name. If not configured, the default name is VLANzzzz, where zzzz is the four-digit VLAN ID (for example VLAN0002).
Step 2: To configure the VLAN for each access interface
a) Use the interface command to move to interface configuration mode for each desired interface.
b) Use the switchport access vlan id-number interface subcommand to specify the VLAN associated with that interface.
c) (Optional) To disable trunking, so that the switch will not dynamically decide to use trunking on the interface and it remains an access interface, use the switchport mode access interface subcommand.
(figure: SW1 with VLAN 1 containing Fa0/11 and Fa0/12, and VLAN 2 containing Fa0/13 and Fa0/14)
SW1# show vlan brief
SW1# configure terminal
SW1(config)# vlan 2
SW1(config-vlan)# name fred-vlan
SW1(config-vlan)# exit
SW1(config)# interface range fastethernet 0/13 - 14
SW1(config-if-range)# switchport access vlan 2
SW1(config-if-range)# end
SW1# show running-config
SW1# show vlan brief
Please refer to page 258 for command output listings
Note: name fred-vlan (VLAN names are case-sensitive)
Securing unused interfaces; the recommendations to secure unused interfaces are:
Administratively shut down the interface using the shutdown interface subcommand.
Prevent VLAN trunking (and therefore VLAN Trunking Protocol, VTP, which runs only over trunks) by making the port a non-trunking interface, using the switchport mode access interface subcommand.
Assign the port to an unused VLAN by using the switchport access vlan vlan-number interface subcommand (a VLAN created for this purpose and carrying no traffic, not VLAN 1).
Access Interface: A LAN network design term that refers to a switch interface connected to end-user devices.
Trunk Interface: On a LAN switch, an interface that is currently using either 802.1Q or ISL trunking.
Trunking: Also called VLAN trunking, a method using either the Cisco ISL protocol or the IEEE 802.1Q protocol to support multiple VLANs that have members on more than one switch.
Configuration Command Reference
Command : Mode / Purpose / Description
Basic Password Configuration (the following four commands are related to basic password configuration)
line console 0 : Changes the context to console configuration mode.
line vty 1st-vty 2nd-vty : Changes the context to vty configuration mode for the range of vty lines listed.
login : Console and vty configuration mode, tells IOS to prompt for a password.
password pass-value : Console and vty configuration mode, lists the password required if the login command (without any other parameter) is configured.
Username/password and SSH Configuration (the following four commands are related to username/password and SSH configuration)
login local : Console and vty configuration mode, tells IOS to prompt for a username and password, to be checked against the locally configured username global configuration commands on this switch or router.
username name password pass-value : Global command, defines one of possibly multiple usernames and their associated passwords, used for user authentication when the login local line configuration command has been used.
crypto key generate rsa : Global command, creates and stores in a hidden location in flash memory the key pair required by SSH.
transport input {telnet | ssh} : vty line configuration mode, defines whether Telnet and/or SSH is allowed into this switch. Both values can be configured in one command to allow both Telnet and SSH; transport input ssh alone is the secure choice, since Telnet carries the login in clear text.
IP Address Configuration (the following four commands are related to IP address configuration)
interface vlan number : Changes the context to VLAN interface mode. For VLAN 1, allows the configuration of the switch's IP address.
ip address ip-address subnet-mask : VLAN interface mode, statically configures the switch's IP address and mask.
ip address dhcp : VLAN interface mode, configures the switch as a DHCP client to discover its IP address, subnet mask and default gateway.
ip default-gateway address : Global command, configures the switch's default gateway IP address. Not required if the switch uses DHCP.
Interface Configuration (the following six commands are used for interface configuration)
interface type port-number : Changes the context to interface mode, e.g. interface fastethernet 0/1.
interface range type port-range : Changes the context to interface mode for the range of interfaces.
shutdown / no shutdown : Interface mode, disables or enables the interface.
speed {10 | 100 | 1000 | auto} : Interface mode, manually sets the speed to the listed speed, or with the auto setting, automatically negotiates the speed.
duplex {half | full | auto} : Interface mode, manually sets the duplex to half or full, or autonegotiates the duplex setting.
description text : Interface mode, sets a description for the interface.
Miscellaneous configuration commands
hostname name : Global command, sets the switch's host name, also used as the first part of the switch's command prompt.
enable secret pass-value : Global command, sets the switch's password that is required for any user to reach the switch's enable mode.
history size length : Line configuration mode, defines the number of commands held in the history buffer.
switchport port-security mac-address mac-address : Interface subcommand, statically adds an allowed MAC address on that interface.
switchport port-security mac-address sticky : Interface subcommand, tells the switch to learn MAC addresses on the interface and add each learned address as a secure address into its configuration.
switchport port-security maximum number : Interface subcommand, sets the maximum number of secure MAC addresses (static, sticky or dynamically learned) allowed on a single interface.
switchport port-security violation {protect | restrict | shutdown} : Interface subcommand, tells the switch what to do if an inappropriate MAC address tries to access the network through a secure switch port.
EXEC Command Reference
Command : Purpose
show mac address-table dynamic : Lists the dynamically learned entries in the switch's address table.
show dhcp lease : Lists any information the switch acquired as a DHCP client, including IP address, subnet mask and default gateway.
show crypto key mypubkey rsa : Lists the RSA public key created for use with SSH by the crypto key generate rsa global configuration command (the private key is never displayed).
show interface status : Lists one output line per interface, noting the description, operating state and the settings for duplex and speed on each interface.
show interface vlan 1 : Lists the interface status, the switch's IP address and mask, and much more.
show port-security interface type number : Lists an interface's port security configuration settings and security operational status.
Please go to Do I know this Already QUIZ. Chapter 9. :- Page 232.
Chapter 10 Ethernet Switch Troubleshooting
Organized troubleshooting steps
Step 1. Analyzing/predicting normal operation
Step 2. Problem isolation
Step 3. Root cause analysis
Verifying Network Topology using Cisco Discovery Protocol
The proprietary Cisco Discovery Protocol (CDP) discovers basic information about neighbouring switches and routers by listening to the CDP messages sent out by neighbouring switches and routers on each of their interfaces.
CDP discovers several useful details from neighbouring Cisco devices (information gathered by CDP):
Device Identifier: Typically the hostname
Address list: Network and data-link addresses
Local Interface: The interface on the router or switch issuing the CDP show command with which the neighbour was discovered
Port Identifier: Text that identifies the port that the neighbouring device used to send the CDP message to the local device
Capabilities list: Information on what type of device it is (switch, router etc.)
Platform: The model and OS level running on the device
Because CDP advertises hostname, addresses, platform and IOS version to anything listening on the segment, it is a reconnaissance gift on ports that face end users; keep it on infrastructure links where the topology view is useful and disable it on access ports.
show cdp commands that list information about neighbouring devices
Command : Description
show cdp neighbors [type number] : Lists one summary line of information on each neighbour, or just the neighbour found on the specific interface if an interface was listed.
show cdp neighbors detail : Lists one large set (about 15 lines) of information, one set for every neighbour.
show cdp entry name (e.g. show cdp entry R1) : Lists the same information as the show cdp neighbors detail command, but only for the named neighbour (the name is case-sensitive).
no cdp enable : interface subcommand to disable CDP on that interface
cdp enable : interface subcommand to re-enable CDP on that interface
no cdp run : disables CDP globally on the switch
cdp run : re-enables CDP globally on the switch
Please refer to page 281 for CDP command output listings.
Commands used to verify CDP operation
Command : Description
show cdp : States whether CDP is enabled globally, and lists the default update and holdtime timers.
show cdp interface [type number] : States whether CDP is enabled on each interface, or on the interface listed, and states the update and holdtime timers on those interfaces.
show cdp traffic : Lists global statistics for the number of CDP advertisements sent and received.
Analysing Layer 1 and 2 Interface Status
Two types of interface status codes:
1. Two codes or words: line status and protocol status, the same as for routers.
2. One code or word: interface status.
The following commands list the two-code interface status: show interfaces, show interfaces description
The following command lists the one-word interface status: show interfaces status
The show interfaces command lists the actual speed and duplex settings but does not indicate how the settings were chosen, whether configured or autonegotiated. The show interfaces status command, however, lists a prefix of a- to show that the speed and duplex settings were autonegotiated, and omits the prefix if the settings were configured manually.
LAN Switch Interface Status Codes (two-word status: line status / protocol status; one-word status: interface status; typical root cause)
Administratively down / Down : disabled : The interface is configured with the shutdown command.
Down / Down : notconnect : No cable, bad cable, wrong cable pinouts, the speeds are mismatched on the two connected devices, the device on the other end of the cable is powered off, or the other interface is shut down.
Up / Down : notconnect : An up/down state is not expected on a LAN switch interface.
Down / Down (err-disabled) : err-disabled : Port security has disabled the interface.
Up / Up : connected : The interface is working.
Interface SPEED and DUPLEX issues
Interfaces can use autonegotiation, or they can use the speed {10 | 100 | 1000} and duplex {half | full} commands to set the speed and duplex settings manually, which disables autonegotiation.
show interfaces and show interfaces status both list the speed and duplex settings. When the IEEE autonegotiation process works on both devices, both devices agree on the fastest speed supported by both, and on full duplex if it is supported by both devices, otherwise half duplex (the Cisco 2960 switch supports full duplex). However, when one device disables autonegotiation (by manually setting speed and duplex) and the other device uses autonegotiation, the device using autonegotiation picks default settings based on the speed it can sense, as follows:
If the speed is not known, use 10 Mbps, half duplex.
If the speed is somehow known to be 10 or 100 Mbps, default to half duplex.
If the speed is somehow known to be 1000 Mbps, default to full duplex.
If the duplex settings do not match on the two ends of an Ethernet segment, the switch interface will still be in an up/up (connected) state, but the link will perform poorly.
To troubleshoot a duplex mismatch, check the duplex settings on each end of the link, or watch for increasing collision and late collision counters on the half-duplex side.
Common Layer 1 problems on working interfaces
Interface counters for Layer 1 problems
show interfaces fa0/13
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
95226 packets output
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
Please refer to page 288 for a full listing
CRC counter: Cyclic Redundancy Check counter, counts received frames discarded because the FCS check failed.
Collision counter: counts collisions that occurred within the first 64 bytes of the frame.
Late collision counter: counts collisions that occurred after the first 64 bytes of the frame had already been sent.
A significant problem exists if more than 0.1% of the total output packets have collided.
An incrementing late collision counter points to one of two things:
The interface is connected to a collision domain whose cabling exceeds the Ethernet cabling length standards.
The interface is using half duplex and the device on the other end of the cable is using full duplex.
Common LAN Layer 1 problem indicators (type of problem: counter values indicating this problem; common root cause)
Excessive noise (interference): many input errors, few collisions; wrong cable category (Cat 5, 5e, 6), damaged cables, EMI
Collisions: more than roughly 0.1% of all frames are in collision; duplex mismatch (seen on the half-duplex side), jabber, DoS attack
Late collisions: increasing late collisions; collision domain or single cable too long, duplex mismatch
Jabber: frames sent by a device continuously without a break, not conforming to the Ethernet standard.
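Added example (not from the study guide): a Python helper that applies the autonegotiation fallback rules from the duplex section above to predict a mismatch, and then reads the show interfaces counters against the thresholds in this table. The show interfaces text is constructed to resemble the page 288 listing; the 10-to-1 ratio used to decide "many input errors, few collisions" is an assumption made for the example, since the notes give no number for it.

```python
import re

# "<number> <counter name>" pairs of interest in a show interfaces listing.
COUNTER_RE = re.compile(
    r"(\d+)\s+(packets input|packets output|input errors|CRC|output errors|"
    r"collisions|late collision)\b")

# Constructed show interfaces excerpts: a healthy port, a duplex-mismatch port
# (the half-duplex side), and a port on a noisy cable.
SAMPLE_HEALTHY = """\
FastEthernet0/13 is up, line protocol is up (connected)
     95226 packets input, 12345678 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     95226 packets output, 23456789 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""
SAMPLE_MISMATCH = """\
FastEthernet0/14 is up, line protocol is up (connected)
     40210 packets input, 5000000 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     38000 packets output, 6000000 bytes, 0 underruns
     0 output errors, 912 collisions, 2 interface resets
     0 babbles, 47 late collision, 0 deferred
"""
SAMPLE_NOISE = """\
FastEthernet0/15 is up, line protocol is up (connected)
     20000 packets input, 3000000 bytes, 0 no buffer
     500 input errors, 480 CRC, 20 frame, 0 overrun, 0 ignored
     21000 packets output, 3100000 bytes, 0 underruns
     0 output errors, 3 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

COLLISION_THRESHOLD = 0.001   # more than 0.1% of output packets collided (from the notes)
NOISE_RATIO = 10              # assumption: "many errors, few collisions" = 10x more errors


def duplex_outcome(peer_speed, peer_duplex: str) -> tuple:
    """What the autonegotiating side settles on when its peer has speed and duplex
    hard-coded: the speed is sensed from the link, the duplex falls back to the
    IEEE default for that speed. Returns (speed, duplex, mismatch)."""
    speed = peer_speed if peer_speed in (10, 100, 1000) else 10   # unknown -> 10 Mbps
    duplex = "full" if speed == 1000 else "half"
    return speed, duplex, duplex != peer_duplex


def parse_counters(show_interfaces: str) -> dict:
    return {name: int(value) for value, name in COUNTER_RE.findall(show_interfaces)}


def diagnose(show_interfaces: str) -> list:
    """Return the Layer 1 problem indicators from the table that the counters match."""
    c = parse_counters(show_interfaces)
    errors, collisions = c.get("input errors", 0), c.get("collisions", 0)
    out_packets, late = c.get("packets output", 0), c.get("late collision", 0)
    findings = []
    if errors > 0 and errors >= NOISE_RATIO * collisions:
        findings.append("noise: wrong cable category, damaged cable or EMI")
    if out_packets and collisions / out_packets > COLLISION_THRESHOLD:
        findings.append("collisions: duplex mismatch (this is the half-duplex side), jabber or DoS")
    if late > 0:
        findings.append("late collisions: cable or collision domain too long, or duplex mismatch")
    return findings
```

duplex_outcome(100, "full") is the classic case: a server NIC hard-coded to 100/full against a switch port left on auto ends up 100/half on the switch side, and diagnose(SAMPLE_MISMATCH) is what that port's counters then look like from the switch.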
Analysing the Layer 2 forwarding path with MAC address table
show mac address-table
show mac address-table dynamic (lists the dynamically learned contents of the switch's MAC address table)
The switch's forwarding logic can be summarized as follows.
Step 1. Determine the VLAN in which the frame should be forwarded. On access interfaces this is based on the access VLAN associated with the incoming interface.
Step 2. Look for the frame's destination MAC address in the MAC address table, but only among the entries for the VLAN identified in Step 1. If the destination MAC is
A. Found (unicast): forward the frame out only the interface listed in the matched address table entry.
B. Not found (unicast): flood the frame out all other interfaces in that same VLAN, except the incoming interface.
C. Broadcast or multicast: flood the frame out all other interfaces in that same VLAN, except the incoming interface.
(figure: Fred, 0200.1111.1111, on SW1 Fa0/9; Barney, 0200.2222.2222, on SW1 Fa0/12; SW1 Gi0/1 connected to SW2 Gi0/2; R1, 0200.5555.5555, reached through SW2 Fa0/13; Fa0/1 is the remaining port label in the figure)
Barney forwards a frame to its default gateway router R1, and the following forwarding steps occur:
Step 1. SW1 receives the frame on its Fa0/12 interface and sees that it is assigned to VLAN 1.
Step 2. SW1 looks for a MAC table entry for 0200.5555.5555 (R1) in the incoming interface's VLAN (VLAN 1) in its MAC address table.
a) SW1 finds an entry, associated with VLAN 1, with outgoing interface Gi0/1, and SW1 forwards the frame out only the interface Gi0/1.
The frame is now on its way to SW2, and the steps below explain SW2's forwarding logic:
Step 1. SW2 receives the frame on its Gi0/2 interface and sees that it is assigned to VLAN 1.
Step 2. SW2 looks for a MAC table entry for the same destination, 0200.5555.5555, in the incoming interface's VLAN (VLAN 1) in its MAC address table.
a) SW2 finds an entry, associated with VLAN 1, with outgoing interface Fa0/13, and SW2 forwards the frame out only the interface Fa0/13.
At this point the frame should be on its way over the Ethernet cable between SW2 and R1.
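Added example (not from the study guide): a Python model of the forwarding logic in Steps 1 and 2 above, applied to the two-switch figure. The MAC addresses and port names are those of the figure; the pre-learned table entries for R1 are the ones the walkthrough assumes, and the figure's Fa0/1 port is left out because the notes do not say which device or VLAN it belongs to. R1's reply and an ARP broadcast from Barney are added to show the other two lookup outcomes.

```python
from dataclasses import dataclass

BROADCAST = "ffff.ffff.ffff"


def is_group_address(mac: str) -> bool:
    """Multicast or broadcast: the low bit of the first octet is set."""
    return int(mac[:2], 16) & 1 == 1


@dataclass
class Frame:
    src: str
    dst: str


class Switch:
    """Access ports (one VLAN each), 802.1Q trunks (all VLANs) and a MAC table
    keyed by (vlan, mac); a model written for these notes, not IOS."""

    def __init__(self, name: str, access_vlans: dict, trunks: set):
        self.name = name
        self.access_vlans = access_vlans        # port -> access VLAN
        self.trunks = set(trunks)               # ports that carry every VLAN
        self.table = {}                         # (vlan, mac) -> port

    def ports_in_vlan(self, vlan: int) -> set:
        return {p for p, v in self.access_vlans.items() if v == vlan} | self.trunks

    def forward(self, in_port: str, frame: Frame, vlan=None) -> list:
        """Step 1: pick the VLAN (from the access port, or the 802.1Q tag on a trunk).
        Step 2: look the destination up in that VLAN only. Returns the egress ports."""
        if vlan is None:
            vlan = self.access_vlans[in_port]
        self.table[(vlan, frame.src.lower())] = in_port     # learning: source -> port
        dst = frame.dst.lower()
        if not is_group_address(dst) and (vlan, dst) in self.table:
            return [self.table[(vlan, dst)]]                 # A: known unicast
        return sorted(self.ports_in_vlan(vlan) - {in_port})  # B/C: flood within the VLAN


def build_topology() -> tuple:
    """SW1 and SW2 from the figure, with the entries for R1 already learned."""
    sw1 = Switch("SW1", {"Fa0/9": 1, "Fa0/12": 1}, {"Gi0/1"})
    sw2 = Switch("SW2", {"Fa0/13": 1}, {"Gi0/2"})
    sw1.table[(1, "0200.5555.5555")] = "Gi0/1"
    sw2.table[(1, "0200.5555.5555")] = "Fa0/13"
    return sw1, sw2


def trace() -> dict:
    """Barney -> R1, R1's reply, and a broadcast from Barney, as (switch, egress ports)."""
    sw1, sw2 = build_topology()
    req = Frame(src="0200.2222.2222", dst="0200.5555.5555")
    out = {"request": [("SW1", sw1.forward("Fa0/12", req)),
                       ("SW2", sw2.forward("Gi0/2", req, vlan=1))]}
    # Both switches learned Barney from the request, so the reply is not flooded.
    rep = Frame(src="0200.5555.5555", dst="0200.2222.2222")
    out["reply"] = [("SW2", sw2.forward("Fa0/13", rep)),
                    ("SW1", sw1.forward("Gi0/1", rep, vlan=1))]
    # A broadcast (e.g. an ARP request) goes to every other port in VLAN 1.
    arp = Frame(src="0200.2222.2222", dst=BROADCAST)
    out["broadcast"] = [("SW1", sw1.forward("Fa0/12", arp))]
    return out
```

The flooding branch is the one worth watching: any frame whose destination the switch has not learned in that VLAN reaches every port in the VLAN, which is why limiting what a port may learn (port security) matters beyond simply keeping a stranger's laptop off the network.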
Port Security and Filtering
Switches and routers can use an Access Control List (ACL) to filter traffic to a port.
With the port-security violation modes protect or restrict, the switch discards the offending frame but leaves the interface in a connected (up/up) status.
CDP Neighbour: A device on the other end of some communication cable that advertises CDP updates.
Up and Up: Jargon referring to the two interface status codes on a Cisco switch or router (line status and protocol status).
Error disabled: An interface state on a Cisco switch that is the result of one of many security violations.
Problem Isolation: The part of the troubleshooting process in which an engineer attempts to rule out the possible causes of the problem until the root cause is identified.
Root Cause: A troubleshooting term that refers to the reason why a problem exists, especially a reason which, if changed, would either solve the problem or change it into a different problem.
Cisco Catalyst 2950 switch configuration commands
Command : Description
shutdown / no shutdown : Interface subcommand that administratively disables or enables the interface, respectively.
switchport port-security violation {protect | restrict | shutdown} : Interface subcommand that tells the switch what to do in the case of a violation, in which an inappropriate MAC address tries to access the network through a secure switch port.
cdp run / no cdp run : Global command that enables or disables CDP for the entire switch or router.
cdp enable / no cdp enable : Interface subcommand that enables or disables CDP on a particular interface.
speed {10 | 100 | 1000} : Interface subcommand that manually sets the interface speed.
duplex {auto | half | full} : Interface subcommand that manually sets the interface duplex.
EXEC command reference
Command : Description
show mac address-table [dynamic | static] [address hw-address] [interface interface-id] [vlan vlan-id] : Displays the MAC address table, optionally limited to dynamic or static entries, one address, one interface or one VLAN. The security option displays information about the restricted and static settings.
show port-security [interface interface-id] [address] : Displays information about the port security options configured on an interface, and with the address keyword the secure MAC addresses.
show cdp neighbors [type number] : Lists one summary line of information about each neighbour, or just the neighbour found on the specified interface.
show cdp neighbors detail : Lists one large set (about 15 lines) of information for every neighbour.
show cdp entry name : Displays the same information as show cdp neighbors detail, but only for the specified neighbour.
show cdp : States whether CDP is enabled globally, and lists the default update and holdtime timers.
show cdp interface [type number] : States whether CDP is enabled on each interface, or on the interface if one is specified, and lists the update and holdtime timers.
show cdp traffic : Displays global statistics for CDP advertisements sent and received.
show interfaces [type number] : Displays detailed information about interface status, settings and counters.
show interfaces status [type number] : Displays summary information about interface status and settings, including the actual speed and duplex and whether they were autonegotiated.
Please go to Do I know this Already QUIZ. Chapter 10. :- Page 268.
Chapter 11 Wireless LANs
WLAN standards organizations and their roles
Organizations that set or influence WLAN standards (organization: standardization role)
ITU-R: Worldwide standardization of communications that use radiated energy, particularly managing the assignment of frequencies.
IEEE: Standardization of wireless LANs (802.11).
Wi-Fi Alliance: An industry consortium that encourages interoperability of products that implement WLAN standards through its Wi-Fi Certified program.
Federal Communications Commission (FCC): The US government agency that regulates the usage of various communication frequencies in the US.
WLAN standards comparison between 802.11a, 802.11b and 802.11g (feature: 802.11a / 802.11b / 802.11g)
Year ratified: 1999 / 1999 / 2003
Maximum speed using DSSS (Direct Sequence Spread Spectrum): - / 11 Mbps / 11 Mbps
Maximum speed using OFDM: 54 Mbps / - / 54 Mbps
Frequency band: 5 GHz / 2.4 GHz / 2.4 GHz
Channels (non-overlapping in brackets): 23 (12) / 11 (3) / 11 (3)
Speeds required by the standard (Mbps): 6, 12, 24 / 1, 2, 5.5, 11 / 6, 12, 24
Modes of 802.11 wireless LANs: WLAN modes, their formal names and descriptions (mode: service set name: description)
Ad hoc: Independent Basic Service Set (IBSS): Allows two devices to communicate directly; no Access Point (AP) is required.
Infrastructure (one AP): Basic Service Set (BSS): A single wireless LAN created with an AP and all devices associated with that AP.
Infrastructure (more than one AP): Extended Service Set (ESS): Multiple APs create one wireless LAN, allowing roaming and a larger coverage area.
Unlicensed bands, their general names, and the devices/standards that use each band
FCC unlicensed frequency bands of interest (frequency range: name: sample devices)
900 MHz: Industrial, Scientific, Medical (ISM): older cordless telephones
2.4 GHz: ISM: newer cordless phones, microwave ovens, 802.11, 802.11b and 802.11g WLAN standards
5 GHz: Unlicensed National Information Infrastructure (U-NII): newer cordless phones and 802.11a, 802.11n WLANs
Licensed bands are used for FM/AM radio, shortwave radio for police communications, and mobile phones.
Direct Sequence Spread Spectrum (DSSS) has a bandwidth of about 82 MHz, with a range from 2.402 GHz to 2.483 GHz. As regulated by the FCC, this band can have 11 overlapping DSSS channels. Although many of the channels overlap, three of them (at the far left, the centre and the far right of the band) do not overlap enough to affect each other. These channels (1, 6 and 11) can be used in the same space for WLAN communication and will not interfere with each other.
(figure: Eleven Overlapping DSSS Channels at 2.4 GHz; RF channels 1 through 11 laid across the 2.4 GHz frequency spectrum)
(figure: Using non-overlapping DSSS 2.4 GHz channels in an ESS WLAN; AP1 on channel 1, AP2 on channel 6, AP3 on channel 11, with clients PC1 and PC2; the DSSS frequencies show three non-overlapping channels)
In this design, devices in one BSS can send at the same time as devices in the other two BSSs without interfering, because each uses the slightly different frequencies of the non-overlapping channels. PC1 and PC2 could sit next to each other and communicate with two different APs using two different channels at the same time. This design is typical of 802.11b WLANs, with each cell running at a rate of 11 Mbps. With non-overlapping channels, each half-duplex BSS can run at 11 Mbps, for a cumulative bandwidth of 33 Mbps. The cumulative bandwidth is called the WLAN capacity.
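Added example (not from the study guide): the centre-frequency arithmetic behind the 1, 6, 11 rule in Python, extended to pick channels for any number of APs and to compute the WLAN capacity described above. The 5 MHz channel spacing, the 2412 MHz centre of channel 1 and the 22 MHz DSSS channel width are the 802.11b values; the AP names are constructed.

```python
from itertools import combinations

CHANNEL_SPACING_MHZ = 5              # 802.11b channel centres are 5 MHz apart
CHANNEL_1_CENTRE_MHZ = 2412
DSSS_WIDTH_MHZ = 22                  # each DSSS channel occupies centre +/- 11 MHz
FCC_CHANNELS = tuple(range(1, 12))   # channels 1-11 allowed in the US


def centre_mhz(channel: int) -> int:
    return CHANNEL_1_CENTRE_MHZ + CHANNEL_SPACING_MHZ * (channel - 1)


def overlaps(a: int, b: int) -> bool:
    """Two channels overlap unless their centres are at least one channel width apart."""
    return abs(centre_mhz(a) - centre_mhz(b)) < DSSS_WIDTH_MHZ


def non_overlapping_sets(channels=FCC_CHANNELS) -> list:
    """All largest groups of mutually non-overlapping channels ({1, 6, 11} for the FCC set)."""
    for size in range(len(channels), 0, -1):
        groups = [set(g) for g in combinations(channels, size)
                  if not any(overlaps(a, b) for a, b in combinations(g, 2))]
        if groups:
            return groups
    return []


def assign_channels(ap_names: list) -> dict:
    """Hand the non-overlapping channels to APs in turn; a fourth AP has to reuse one."""
    plan = sorted(non_overlapping_sets()[0])
    return {ap: plan[i % len(plan)] for i, ap in enumerate(ap_names)}


def wlan_capacity_mbps(assignment: dict, cell_rate_mbps: int = 11) -> int:
    """Cumulative capacity: APs on distinct channels add up, co-channel APs share one cell's rate."""
    return cell_rate_mbps * len(set(assignment.values()))
```

assign_channels on four APs in one space makes the point of the design: the fourth AP lands back on channel 1 and the capacity stays at 33 Mbps, because two co-channel cells share the same air.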
Encoding classes and the standards that use them (name of encoding class: used by)
Frequency Hopping Spread Spectrum (FHSS): 802.11
Direct Sequence Spread Spectrum (DSSS): 802.11b
Orthogonal Frequency Division Multiplexing (OFDM): 802.11a, 802.11g
The emerging 802.11n uses OFDM as well as MIMO (Multiple Input, Multiple Output).
Wireless Interference
Walls, floors, ceilings and anything containing a lot of metal can weaken radio signals, scatter them and create dead spots.
One key measurement of interference is the Signal-to-Noise Ratio (SNR). This calculation compares the WLAN signal with the other, undesired signals (noise) in the same space. The higher the SNR, the better the WLAN can send data successfully.
Coverage Area, Speed and Capacity
The power of an AP is measured based on the Effective Isotropic Radiated Power (EIRP)calculation. It is the power of the signal as it leaves the antenna.
Coverage area and speed (figure: AP1 surrounded by concentric coverage rings at 11 Mbps, 5.5 Mbps, 2 Mbps and 1 Mbps; the further a client is from the AP, the lower the rate it can use)
WLAN speed and frequency reference (IEEE standard: maximum speed: other speeds (Mbps): frequency: non-overlapping channels)
802.11b: 11 Mbps: 1, 2, 5.5: 2.4 GHz: 3
802.11a: 54 Mbps: 6, 9, 12, 18, 24, 36, 48: 5 GHz: 12
802.11g: 54 Mbps: 6, 9, 12, 18, 24, 36, 48: 2.4 GHz: 3
Media Access (Layer 2)
The solution to the media access problem on a WLAN is the carrier sense multiple access with collision avoidance (CSMA/CA) algorithm.
CSMA/CA algorithm
Step 1. Listen to ensure that the medium (the air) is not busy, i.e. no radio waves are currently being received at the frequencies to be used.
Step 2. Set a random timer before sending a frame, to statistically reduce the chance of all devices trying to send at the same time.
Step 3. When the random timer has expired, listen again to ensure that the medium is not busy; if it isn't, send the frame.
Step 4. After the entire frame has been sent, wait for an acknowledgement.
Step 5. If no acknowledgement is received, resend the frame using the same CSMA/CA logic to wait for the appropriate time to send again.
WLAN Implementation Checklist
Step 1. Verify that the existing wired network works, including DHCP services, VLANs and Internet connectivity.
Do this by verifying the switch port access VLANs and by connecting a laptop to the switch port, verifying that it acquires an IP address, mask and default gateway, and that the PC can communicate with other hosts in the network.
Step 2. Install and configure the AP, and verify its connectivity to the wired network, including its IP address, mask and default gateway.
The AP connects to the switch port using a straight-through Ethernet cable.
Step 3. Configure and verify the AP's wireless settings, including the Service Set Identifier (SSID), but with no security yet.
WLAN configuration features:
IEEE standard (a, b, g or multiple)
Wireless channel
Service Set Identifier (SSID, a text identifier of up to 32 characters for the WLAN)
Transmit power
APs within the same ESS WLAN should be configured with the same SSID.
Step 4. Install and configure one wireless client (laptop), again with no security.
The WLAN NIC in a WLAN client such as a laptop can automatically detect a WLAN AP, learn its SSID and connect to the AP with the strongest signal.
Cisco Compatible Extensions (CCX) programme: tests and verifies that a manufacturer's WLAN NIC works well with a Cisco AP.
Microsoft Zero Configuration Utility (ZCF): an OS utility which allows PCs to automatically discover the SSIDs of all WLANs whose APs are within range of the NIC.
Step 5. Verify WLAN works from the client laptop
Common WLAN installation problems and the related work done in the site survey:
Is the AP at the centre of the area where the clients reside?
Is the AP or client right next to a lot of metal?
Is the AP or client next to a lot of interference, such as a microwave oven or a gaming system?
Is the AP coverage wide enough to reach the clients?
Other common problems:
Check to make sure the AP and client radios are enabled (radio switches turned on).
Check the AP to ensure it has the latest firmware.
Check the AP configuration, especially the channel configuration, to ensure that it does not use channels that overlap with other APs in the same location.
Step 6. Configure WLAN security on the AP and the client.
Step 7. Verify that the WLAN works again with the security features in place.
WLAN Security Issues
WLAN vulnerabilities and solutions
Vulnerability | Solution
War drivers (attackers who drive around looking for an AP with weak or no security) | Strong authentication
Hackers stealing information in a WLAN | Strong encryption
Hackers gaining access to the rest of the network | Strong authentication
Employee AP installation | Intrusion Detection System (IDS), including Cisco Structured Wireless Aware Network (SWAN)
Rogue AP (attacks where a rogue AP is set up after learning the SSID of an existing WLAN, to get the enterprise's clients to use it) | Strong authentication, IDS, SWAN
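The IDS entry in the table above is essentially a comparison of the APs seen on the air against an inventory of authorised APs. Below is an added Python illustration of that comparison; it is not code from the study guide or from Cisco SWAN. The inventory, the corporate SSID, the scan results and the signal threshold are all constructed for the example.

```python
# Added example, not from the study guide or Cisco SWAN: a minimal rogue-AP
# detector of the kind a wireless IDS runs. Everything below (inventory, SSIDs,
# scan results, threshold) is constructed for illustration.
from dataclasses import dataclass

# Constructed: SSIDs the enterprise operates.
CORPORATE_SSIDS = {"corp-wlan"}

# Constructed inventory of authorised APs keyed by BSSID (the AP radio MAC).
AUTHORISED_APS = {
    "00:11:22:33:44:01": "AP-Lobby",
    "00:11:22:33:44:02": "AP-Floor1",
}

# Constructed heuristic: a signal this strong at the sensor is most likely
# coming from inside the building rather than from a neighbouring office.
STRONG_SIGNAL_DBM = -65


@dataclass(frozen=True)
class Beacon:
    """One AP seen in a scan: its BSSID, advertised SSID and received signal."""
    bssid: str
    ssid: str
    signal_dbm: int


def classify_beacon(beacon):
    """Label a scanned AP as authorised, rogue-ap, unauthorised-ap or neighbour."""
    if beacon.bssid.lower() in AUTHORISED_APS:
        return "authorised"
    if beacon.ssid in CORPORATE_SSIDS:
        # An unknown radio advertising the enterprise SSID is the rogue AP case
        # from the table: clients that trust the SSID may associate with it.
        return "rogue-ap"
    if beacon.signal_dbm >= STRONG_SIGNAL_DBM:
        # Unknown AP with a strong signal: likely an employee-installed AP.
        return "unauthorised-ap"
    return "neighbour"


def find_rogues(beacons):
    """BSSIDs that need investigation, sorted for stable reporting."""
    flagged = ("rogue-ap", "unauthorised-ap")
    return sorted(b.bssid for b in beacons if classify_beacon(b) in flagged)


# Constructed scan results, as a monitoring NIC might report them.
SCAN = [
    Beacon("00:11:22:33:44:01", "corp-wlan", -50),   # authorised AP
    Beacon("de:ad:be:ef:00:01", "corp-wlan", -48),   # rogue AP using the corporate SSID
    Beacon("de:ad:be:ef:00:02", "bobs-ap", -55),     # employee-installed AP
    Beacon("aa:bb:cc:dd:ee:ff", "cafe-guest", -82),  # neighbour across the street
]

if __name__ == "__main__":
    for beacon in SCAN:
        print(f"{beacon.bssid}  {beacon.ssid:<12} {classify_beacon(beacon)}")
    print("investigate:", find_rogues(SCAN))
```

The detector only reports; as the table says, it is strong authentication that stops a client from trusting a rogue AP in the first place, which is why the two are listed together.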
WLAN Security Standards
Name | Year | Who defined it
Wired Equivalent Privacy (WEP) | 1997 | IEEE
The interim Cisco solution while waiting for 802.11i | 2001 | Cisco, IEEE 802.1x Extensible Authentication Protocol (EAP)
Wi-Fi Protected Access (WPA) | 2003 | Wi-Fi Alliance
802.11i (WPA2) | 2005+ | IEEE
Vendor-introduced additional security features: SSID cloaking and MAC filtering.
SSID cloaking : the AP leaves the SSID out of its beacons and sends the SSID only in response to a probe request from a WLAN client.
MAC filtering : the AP is configured with a list of allowed WLAN client MAC addresses.
Cisco interim solution between WEP and 802.11i:
Dynamic key exchange (instead of a static preshared key)
User authentication using 802.1x
A new encryption key for each packet
Wi-Fi Protected Access (WPA)
WPA includes the option to use dynamic key exchange, using the Temporal Key Integrity Protocol (TKIP). WPA allows the use of either IEEE 802.1x user authentication or simple device authentication using preshared keys. The encryption algorithm uses the Message Integrity Check (MIC) algorithm, similar to the process used in the Cisco proprietary solution.
IEEE 802.11i (WPA2) includes dynamic key exchange, much stronger encryption, and user authentication. 802.11i uses the Advanced Encryption Standard (AES).
Standard | Key Distribution | Device Authentication | User Authentication | Encryption
WEP | Static | Yes (weak) | None | Yes (weak)
Cisco | Dynamic | Yes | Yes (802.1x) | Yes (TKIP)
WPA | Both | Yes | Yes (802.1x) | Yes (TKIP)
802.11i (WPA2) | Both | Yes | Yes (802.1x) | Yes (AES)
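As an added example (not from the study guide), here is a Python routine that audits an AP's security settings against the comparison table above and reports what is weak. The configuration keys (security, auth, ssid_cloaked, mac_filter) and their values are an assumed format for this example, not any vendor's syntax.

```python
# Added example, not from the study guide: audit an AP's security settings
# against the WEP / Cisco / WPA / 802.11i comparison table. The configuration
# format (keys and values) is assumed for this example, not any vendor's syntax.

# Per standard: key distribution, whether 802.1x user authentication is
# supported, and the encryption used, as in the table above.
STANDARDS = {
    "open": ("none", False, "none"),
    "wep":  ("static", False, "weak"),
    "wpa":  ("dynamic", True, "TKIP"),
    "wpa2": ("dynamic", True, "AES"),
}

SEVERITY_ORDER = ["ok", "info", "medium", "critical"]


def describe(cfg):
    """Fill in the table's four columns for one AP configuration."""
    key_dist, user_auth_supported, encryption = STANDARDS[cfg["security"]]
    uses_dot1x = user_auth_supported and cfg.get("auth") == "802.1x"
    return {
        "key_distribution": key_dist,
        "device_authentication": cfg["security"] != "open",
        "user_authentication": "802.1x" if uses_dot1x else "none",
        "encryption": encryption,
    }


def audit_ap(cfg):
    """Return (severity, message) findings for one AP configuration."""
    findings = []
    security = cfg["security"]
    if security == "open":
        findings.append(("critical", "no authentication or encryption: anyone in range can join"))
    elif security == "wep":
        findings.append(("critical", "WEP: static preshared keys and weak encryption; move to 802.11i (WPA2)"))
    elif security == "wpa":
        findings.append(("medium", "WPA/TKIP is the interim standard; prefer 802.11i (WPA2) with AES"))
    if security in ("wpa", "wpa2") and cfg.get("auth") != "802.1x":
        findings.append(("medium", "preshared key gives device authentication only; use 802.1x for user authentication"))
    if cfg.get("ssid_cloaked") or cfg.get("mac_filter"):
        findings.append(("info", "SSID cloaking and MAC filtering are vendor extras, not a substitute for strong authentication and encryption"))
    return findings


def overall_severity(cfg):
    """Worst severity among the findings, or 'ok' when there are none."""
    return max((sev for sev, _ in audit_ap(cfg)), key=SEVERITY_ORDER.index, default="ok")


# Constructed AP configurations to audit.
APS = {
    "AP-Lobby":  {"security": "wep", "mac_filter": True},
    "AP-Floor1": {"security": "wpa2", "auth": "psk"},
    "AP-Floor2": {"security": "wpa2", "auth": "802.1x"},
}

if __name__ == "__main__":
    for name, cfg in APS.items():
        print(f"{name}: {overall_severity(cfg)}  {describe(cfg)}")
        for severity, message in audit_ap(cfg):
            print(f"  [{severity}] {message}")
```

The rules follow the table's columns: the standard decides key distribution and encryption, and the authentication method decides whether the deployment gets user authentication (802.1x) or only device authentication (preshared key).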
Definitions.
802.11a : IEEE standard for wireless LANs using the U-NII (Unlicensed National Information Infrastructure) 5 GHz spectrum, OFDM encoding, at speeds of up to 54 Mbps.
802.11b : IEEE standard for wireless LANs using the ISM (2.4 GHz) spectrum, DSSS encoding, and speeds of up to 11 Mbps.
802.11g : IEEE standard for wireless LANs using the ISM (2.4 GHz) spectrum, OFDM or DSSS encoding, and speeds of up to 54 Mbps.
802.11i : IEEE standard for wireless LAN security, including authentication and encryption.
Access Point : A wireless LAN device that provides a means by which wireless clients can send data to each other and to the rest of the wired LAN, with the Access Point connecting the wireless and wired Ethernet LANs.
Ad-hoc Mode : In a wireless LAN, a method or mode of operation in which the clients send data directly to each other without using an Access Point.
Basic Service Set (BSS) : A wireless LAN with a single Access Point (AP).
CSMA/CA : Carrier Sense Multiple Access with Collision Avoidance, a media access mechanism that defines how devices decide when to send, with the goal of avoiding collisions as much as possible. IEEE WLANs use CSMA/CA.
Direct Sequence Spread Spectrum (DSSS) : A method of encoding data for transmission over a WLAN in which devices use 1 of 11 nearby frequencies in the 2.4 GHz range.
Extended Service Set (ESS) : A wireless LAN with multiple access points that together create one WLAN, allowing roaming between APs.
Frequency Hopping Spread Spectrum (FHSS) : A method of encoding data in a WLAN in which each consecutive transmission occurs on a different nearby frequency band from the prior transmission. Not used in modern WLAN standards.
Infrastructure Mode : A mode of WLAN operation in which WLAN clients send and receive data through APs, which also allows the clients to connect to the wired LAN infrastructure. In infrastructure mode, WLAN clients do not send to each other directly.
Orthogonal Frequency Division Multiplexing (OFDM) : A method of encoding data in a WLAN that allows higher data transmission rates than the FHSS and DSSS encoding methods.
Service Set Identifier (SSID) : A text value used in a WLAN to uniquely identify a single WLAN (a 32-character text identifier).
Wi-Fi Alliance : An organization formed by many companies in the wireless industry for the purpose of getting multi-vendor certified wireless products to market in a more timely fashion.
Wi-Fi Protected Access (WPA) : A trademark name of the Wi-Fi Alliance that represents a set of security specifications that predated the IEEE 802.11i security standard.
Wired Equivalent Privacy (WEP) : An early WLAN security specification that used relatively weak security mechanisms, using only preshared keys and no encryption or weak encryption.
WLAN Client : A wireless device that wants to get access to a wireless access point for the purpose of communicating with other wireless devices or with devices connected to the wired LAN.
WPA2 : The Wi-Fi Alliance's trademark name for the same set of security standards as the IEEE 802.11i.
Please go to the "Do I Know This Already?" quiz, Chapter 11, page 300.