Wednesday, November 4, 2009

CCNA3 Chap 1-3 Note

Chapter 1 LAN Design

In smaller networks, it is not unusual to implement a collapsed core model, where the distribution layer and core layer are combined into one layer.

Access layer switches can be configured with various port security options that provide control over which devices are allowed to connect to the network

Network diameter is the number of devices that a packet has to cross before it reaches its destination.

Link aggregation allows multiple switch port links to be combined so as to achieve higher throughput between switches.

Convergence is the process of combining voice and video communications on a data network.

User community analysis is the process of identifying various groupings of users and their impact on network performance.

Modular switches typically come with different sized chassis that allow for the installation of different numbers of modular line cards.

StackWise allows you to interconnect up to nine switches using fully redundant backplane connections.

Stackable switches are desirable where fault tolerance and bandwidth availability are critical and a modular switch is too costly to implement.

Forwarding rates define the processing capabilities of a switch by rating how much data the switch can process per second.

Link aggregation helps to reduce these bottlenecks of traffic by allowing up to eight switch ports to be bound together for data communications, providing up to 8 Gb/s of data throughput when Gigabit Ethernet ports are used.

Power over Ethernet (PoE) allows the switch to deliver power to a device over the existing Ethernet cabling.

Layer 3 switches are also known as multilayer switches.

PoE dramatically increases the overall price of the switch across all Cisco Catalyst switch product lines, so it should only be considered when voice convergence is required or wireless access points are being implemented, and power is difficult or expensive to run to the desired location.

Distribution layer switches are typically implemented in pairs to ensure availability. It is also recommended that distribution layer switches support multiple, hot swapable power supplies. Having more than one power supply allows the switch to continue operating even if one of the power supplies failed during operation


Chap 2 Basic switch


collision --> detect increase amplitude --> jamming signal --> backoff algorithm invoked -->stop transmitting for random time

An Ethernet MAC address is a two-part 48-bit binary value expressed as 12 hexadecimal digits. The address formats might be similar to 00-05-9A-3C-78-00,

auto - autonegotiation
full - full duplex
half - halp duplex

For Fast Ethernet and 10/100/1000 ports, the default is auto. For 100BASE-FX ports, the default is full.

Instead, you can now use the mdix auto interface configuration command in the CLI to enable the automatic medium-dependent interface crossover (auto-MDIX) feature.

For example, if a 12-port switch has a device connected to each port, 12 collision domains are created.

Since Layer 2 data is present earlier in the frame structure than the Layer 3 data, switches can process the frame more quickly.

Even though the LAN switch reduces the size of collision domains, all hosts connected to the switch are still in the same broadcast domain.

The use of higher layer devices can also increase latency on a network

Cut-through switching
Because the switch does not have to wait for the entire frame to be completely buffered, and because the switch does not perform any error checking, cut-through switching is faster than store-and-forward switching. switching
2.fragment-free switching
the switch stores the first 64 bytes of the frame before is a compromise between the high latency and high integrity of store-and-forward switching,

Asymmetric switching enables more bandwidth to be dedicated to a server switch port to prevent a bottleneck. - smoother network
-memory buffering

Routers are also capable of performing packet forwarding tasks not found on Layer 3 switches, such as establishing remote access connections to remote networks and devices.

AAA and TACACS are authentication protocols that can be used in networks to validate user credentials

You can change the aging time setting for MAC addresses. The default time is 300 seconds.

To create a static mapping in the MAC address table, use the mac-address-table static vlan {1-4096, ALL} interfaceinterface-id command.

If you want to remove the requirement to store all system passwords in an encrypted format, enter the no service password-encryption command from global configuration mode. Removing password encryption does not convert currently encrypted passwords back into readable text. However, all newly set passwords are stored in clear text format.

enable password recovery
-dir flash
-rename flash:config.text flash:config.text.old
-rename flash:config.text.old flash:config.text
-copy flash:config.text system:running-config
-configure terminal
-enable secret password
-copy running-config startup-config

The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users (such as impending system shutdowns). The MOTD banner displays before the login banner if it is configured.

To delete the RSA key pair, use the crypto key zeroize rsa global configuration command. After the RSA key pair is deleted, the SSH server is automatically disabled.

By default, up to five simultaneous, encrypted SSH connections for multiple CLI-based sessions over the network are available (session 0 to session 4).

the CLI-based session time-out value returns to the default of 10 minutes.

Specify the number of times that a client can re-authenticate to the server. The default is 3

//MAC flooding
MAC flooding can be performed using a network attack tool. The network intruder uses the attack tool to flood the switch with a large number of invalid source MAC addresses until the MAC address table fills up.

When the MAC address table is full, the switch floods all ports with incoming traffic because it cannot find the port number for a particular MAC address in the MAC address table. The switch, in essence, acts like a hub.

//DHCP starvation attack
causes all of the leases on the real DHCP server to be allocated, thus preventing the real users (DHCP clients) from obtaining an IP address.

to prevent DHCP attacks, use the DHCP snooping
Ports are identified as trusted and untrusted. Trusted ports can source all DHCP messages; untrusted ports can source requests only. Trusted ports host a DHCP server or can be an uplink toward the DHCP server. If a rogue device on an untrusted port attempts to send a DHCP response packet into the network, the port is shut down.

Static secure MAC addresses
Dynamic secure MAC addresses:
Sticky secure MAC addresses:

If you save the sticky secure MAC addresses in the configuration file, when the switch restarts or the interface shuts down, the interface does not need to relearn these addresses. If you do not save the sticky secure addresses, they are lost.

security violation modes
protect - drop packet, no notification
restrict - drop packet, got notification
shutdown - turn off port, default mode


Chap 3 - VLANs

A VLAN is a logically separate IP subnetwork. VLANs allow multiple IP networks and subnets to exist on the same switched network.

All switch ports become a member of the default VLAN after the initial boot up of the switch.

The Scavenger class is intended to provide less-than best-effort services to certain applications. . These include peer-to-peer media-sharing applications, gaming.

A dynamic port VLAN membership is configured using a special server called a VLAN Membership Policy Server (VMPS). With the VMPS, you assign switch ports to VLANs dynamically, based on the source MAC address of the device connected to the port.

The configuration command mls qos trust cos ensures that voice traffic is identified as priority traffic.

switchport voice VLAN 150

The default VLAN for Cisco switches is VLAN 1. VLAN 1 has all the features of any VLAN, except that you cannot rename it and you can not delete it.

It is a security best practice to change the default VLAN to a VLAN other than VLAN 1;

A native VLAN is assigned to an 802.1Q trunk port. An 802.1Q trunk port supports traffic coming from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic).

SVI is a logical interface configured for a specific VLAN. By default, an SVI is created for the default VLAN (VLAN 1) to permit remote switch administration.You need to configure an SVI for a VLAN if you want to route between VLANs

A trunk is a point-to-point link between one or more Ethernet switch interfaces and another networking device, such as a router or a switch

Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol

DTP manages trunk negotiation only if the port on the other switch is configured in a trunk mode that supports DTP.

Trunking modes
switchport mode trunk.
-Dynamic auto
switchport mode dynamic auto.
-Dynamic desirable
switchport mode dynamic desirable
-turn off DTP
switchport nonegotiate.

Note: Before deleting a VLAN, be sure to first reassign all member ports to a different VLAN. Any ports that are not moved to an active VLAN are unable to communicate with other stations after you delete the VLAN.

Alternatively, the entire vlan.dat file can be deleted using the command delete flash:vlan.dat from privileged EXEC mode. After the switch is reloaded, the previously configured VLANs will no longer be present.

Common problem with trunks
-native VLAN mistmatches
the native VLAN set wrong
-trunk mode mismatches
ex. dynamic auto + dynamic auto = access
-allowed vlans on trunks

VLANs are used to segment broadcast domains in a switched LAN. This improves the performance and manageability of LANs. VLANs provides network administrators flexible control over traffic associated with devices in the LAN.

Routers or Layer 3 switches are required for inter-VLAN communication

IEEE802.1Q is standard trunkng protocol. It does not tag native VLAN traffic,which can result in problems when trunking is misconfigured.

One IP subnet to one VLAN

No comments:

Post a Comment