
CCENT Notes

Part 2 – LAN Switching

Ref : CCENT/CCNA ICND1 Official Exam Certification Guide, Second Edition


by Wendell Odom

It is highly recommended that you read the above study guide at least once to make full
use of these notes. There may be minor errors in these notes, so please always refer to
the study guide for accurate information.

(Jojo Jacob - CCENT)


TABLE OF CONTENTS

Chapter 7 – Ethernet LAN Switching Concepts ........ 3
Chapter 8 – Operating Cisco LAN Switches ........ 13
Chapter 9 – Ethernet Switch Configurations ........ 23
Chapter 10 – Ethernet Switch Troubleshooting ........ 35
Chapter 11 – Wireless LANs ........ 42

Chapter 7 – Ethernet LAN Switching Concepts

Hubs : Create one single collision domain; bandwidth is shared in a 10BASE-T network
with a hub.

Bridges : Reduce the number of collisions in a network by segmenting the collision
domains, and so add bandwidth to the network.

Switches (benefits of using switches) : Create a separate collision domain on each
interface, and can run an interface in full duplex if only one device is connected to it.
Switches multiply the amount of available bandwidth in the network.

Ethernet MAC address…

Unicast Addresses: A MAC address that identifies a single LAN interface card.
Broadcast Addresses: A frame sent with the destination address set to the broadcast
address (FFFF.FFFF.FFFF) implies that all devices on the LAN should receive and process
the frame.
Multicast Addresses: Multicast MAC addresses allow a dynamic subset of devices on a
LAN to communicate.

IP multicast over Ethernet uses MAC addresses of the form 0100.5exx.xxxx, where the
second half can be any value from 00.0000 to 7f.ffff.

Primary functions of a Switch…

1. Deciding when to forward a frame and when to filter (not forward) a frame, based on
the destination MAC address.
2. Learning MAC addresses by examining the source MAC address of each frame
received.
3. Creating a (Layer 2) loop-free environment with other switches by using Spanning
Tree Protocol (STP).

Sample switch forwarding and filtering decision
(Fred forwards a frame to Barney)

[Figure: Fred (0200.1111.1111) is on Fa0/1, Barney (0200.2222.2222) on Fa0/2,
Wilma (0200.3333.3333) on Fa0/3 and Betty (0200.4444.4444) on Fa0/4. A frame with
destination MAC address 0200.2222.2222 comes in on Fa0/1, is forwarded out Fa0/2, and
is filtered (not forwarded) out Fa0/3 and Fa0/4.]

MAC Address Table

0200.1111.1111   Fa0/1
0200.2222.2222   Fa0/2
0200.3333.3333   Fa0/3
0200.4444.4444   Fa0/4

The MAC address table is also called the switching table, bridging table or Content
Addressable Memory.

Sample switch filtering decision.
Note that the hub simply regenerates the electrical signal out each interface, so the hub
forwards the signal sent by Fred to both Barney and the switch. The switch decides to
filter (not forward) the frame, because the MAC address table interface for destination
address 0200.2222.2222 (Fa0/1) is the same as the incoming interface.

[Figure: Fred (0200.1111.1111) and Barney (0200.2222.2222) both connect to a hub, and
the hub connects to the switch on Fa0/1; Wilma (0200.3333.3333) is on Fa0/3 and Betty
(0200.4444.4444) on Fa0/4. A frame for 0200.2222.2222 comes in on Fa0/1; the MAC
table entry for that address also points to Fa0/1, the interface the frame came in on, so
the frame is filtered (not forwarded).]

MAC Address Table

0200.1111.1111   Fa0/1
0200.2222.2222   Fa0/1
0200.3333.3333   Fa0/3
0200.4444.4444   Fa0/4

How a switch learns MAC addresses: Switches populate the MAC table by listening to
frames. For each frame, the switch adds the source MAC address and the interface it came
in on, if that entry is not already in the MAC address table.

Flooding Frames: When a switch receives a frame with a destination address that is not in
its MAC address table, it forwards the frame out all interfaces except the one it came in on.

Switches keep a timer for each entry in the MAC address table, called the inactivity timer.
The switch sets the timer to 0 for new entries and resets it to zero each time it receives a
frame from that MAC address. The timer counts upwards, so at any point in time, if the
switch runs out of memory, it knows which entry is the oldest inactive entry in the MAC
address table and deletes it to free up memory.

Spanning Tree Protocol (STP): STP prevents loops by blocking some interfaces (ports)
from forwarding frames, so that only one active logical path exists between two LANs in
a physically redundant network. In STP a port can be in one of two states: Blocking
(cannot send or receive) and Forwarding (can send and receive).

Internal Processing on Cisco Switches

Store-and-Forward Processing : In this type of processing a switch must receive the
entire frame before it starts forwarding the first bits of the frame.

Cut-through processing : With this type of processing a switch starts forwarding the
frame as soon as possible, without waiting for the entire frame to be received. This is
possible because the destination MAC address comes early in the Ethernet header.
Although this reduces latency, it may cause erroneous frames to be forwarded, because
the FCS is placed at the end of the frame and the switch cannot determine whether the
already-forwarded frame was in error.

Fragment-free processing : Works very much like cut-through processing, but tries to
reduce the number of errored frames that it forwards.

Switching Method     Description

Store-and-Forward    The switch fully receives all bits in the frame (stores it) before
                     forwarding the frame. This allows the switch to check the FCS
                     before forwarding the frame.
Cut-through          The switch forwards the frame as soon as it can. This reduces
                     latency but does not allow the switch to discard a frame that
                     fails the FCS check.
Fragment-free        The switch forwards a frame after receiving the first 64 bytes of
                     the frame, thereby avoiding forwarding of frames that were
                     errored due to a collision.

LAN Switching Summary

LAN switches provide many additional features compared to LAN hubs and bridges. In
particular, LAN switches provide the following benefits:

• A switch port connected to a single device microsegments the LAN, providing
dedicated bandwidth to that device
• Switches allow multiple simultaneous conversations between devices on different
ports
• A switch port connected to a single device supports full duplex, in effect doubling the
available bandwidth to the device
• Switches support rate adaptation, which means devices using different Ethernet
speeds can communicate through the switch (hubs cannot)

Switches use Layer 2 logic, examining the Ethernet data link header to choose how to
process frames. In particular, switches make decisions to forward and filter frames, learn
MAC addresses, and use STP to avoid loops, as follows:

Step 1. Switches forward frames based on the destination address

a) If the destination address is a broadcast, multicast, or unknown destination unicast
(address not found in the MAC table), then the switch floods the frame, sending it out all
other ports except the port on which it was received.

b) If the destination address is a known unicast address:

1. If the outgoing interface listed in the MAC table is different from the interface the
frame came in on, the switch forwards the frame out the outgoing interface.

2. If the outgoing interface listed in the MAC table is the same as the interface the
frame came in on, the switch filters the frame, i.e. simply ignores the frame without
forwarding it.

Step 2. Switches use the following logic to learn MAC address table entries

a) For each received frame, examine the source MAC address and the interface on
which the frame was received.

b) If they are not already in the table, add the address and interface, setting the inactivity
timer to 0.

c) If the entry is already in the table, reset the inactivity timer to zero.

Step 3. Switches use STP to prevent loops by causing some interfaces to block, meaning
that they do not send or receive frames.
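The three steps above as an added Python model (not from the study guide or from Cisco): forward/filter/flood decisions, MAC learning with an inactivity timer, and eviction of the oldest inactive entry when the table is full. The port names, host MAC addresses and table size are constructed sample values.

```python
"""Added example (not from the book): a small model of the three-step switch
logic above. Port names, MAC addresses and table size are constructed."""
import time

BROADCAST = "ffff.ffff.ffff"


def is_broadcast(mac: str) -> bool:
    return mac.lower() == BROADCAST


def is_multicast(mac: str) -> bool:
    # The I/G bit (least significant bit of the first octet) marks group
    # addresses; the broadcast address has it set as well.
    return int(mac[:2], 16) & 0x01 == 1


def is_ip_multicast(mac: str) -> bool:
    # IP multicast uses 0100.5exx.xxxx with the low 23 bits in 00.0000-7f.ffff,
    # so the high bit of the fourth octet must be 0.
    m = mac.lower()
    return m.startswith("0100.5e") and int(m[7:9], 16) < 0x80


class Switch:
    def __init__(self, ports, table_size=1024, clock=time.monotonic):
        self.ports = list(ports)
        self.table_size = table_size
        self.clock = clock          # injectable so ageing can be tested
        self.table = {}             # mac -> (port, time the entry was last refreshed)

    def learn(self, src_mac: str, in_port: str) -> None:
        """Step 2: record the source MAC and ingress port; reset its timer."""
        src = src_mac.lower()
        now = self.clock()
        if src not in self.table and len(self.table) >= self.table_size:
            # Table full: drop the entry that has been inactive the longest.
            oldest = min(self.table, key=lambda m: self.table[m][1])
            del self.table[oldest]
        # A known MAC seen on another port is re-learned on the new port.
        self.table[src] = (in_port, now)

    def forward(self, src_mac: str, dst_mac: str, in_port: str) -> list:
        """Step 1: return the egress ports for a frame; [] means filtered."""
        self.learn(src_mac, in_port)
        dst = dst_mac.lower()
        if is_broadcast(dst) or is_multicast(dst) or dst not in self.table:
            # 1a: broadcast, multicast or unknown unicast -> flood
            return [p for p in self.ports if p != in_port]
        out_port, _ = self.table[dst]
        if out_port == in_port:
            return []               # 1b2: egress equals ingress -> filter
        return [out_port]           # 1b1: known unicast -> forward


def demo() -> dict:
    """Replays the Fred/Barney scenarios from the figures above."""
    fred, barney = "0200.1111.1111", "0200.2222.2222"
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"])
    results = {}
    # Barney is still unknown, so the first frame is flooded.
    results["unknown_unicast"] = sw.forward(fred, barney, "Fa0/1")
    # Barney replies from Fa0/2; Fred was learned on Fa0/1 by the first frame.
    results["reply"] = sw.forward(barney, fred, "Fa0/2")
    # Both are known now: forwarded out Fa0/2 only.
    results["known_unicast"] = sw.forward(fred, barney, "Fa0/1")
    results["broadcast"] = sw.forward(fred, "FFFF.FFFF.FFFF", "Fa0/1")
    # Hub scenario: Fred and Barney share Fa0/1 through a hub, so the frame
    # from Fred to Barney is filtered because egress equals ingress.
    hub_sw = Switch(["Fa0/1", "Fa0/3", "Fa0/4"])
    hub_sw.learn(barney, "Fa0/1")
    results["hub_filtered"] = hub_sw.forward(fred, barney, "Fa0/1")
    return results


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name}: {ports or 'filtered'}")
```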

LAN Design Considerations

Collision Domain : A collision domain is a set of LAN interfaces whose frames could
collide with each other.

A broadcast domain is a set of devices such that when one device sends a broadcast, all
other devices receive a copy of the broadcast. A switch floods broadcasts and multicasts
out all ports, so a switch creates a single broadcast domain.

A collision domain is a set of network interface cards (NICs) for which a frame sent by
one NIC could collide with a frame sent by another NIC in the same collision domain.

A broadcast domain is a set of NICs for which a broadcast frame sent by one NIC is
received by all other NICs in the same broadcast domain.

Switches are the much preferred option in a network, as they microsegment collision
domains and devices do not have to share the bandwidth.

A very large network with multiple switches creates a single broadcast domain; this could
be split into multiple broadcast domains using a router.

Benefits of segmenting Ethernet devices using hubs, switches and routers
(LAN design features in comparison with hubs, switches and routers)

Feature                                  Hub   Switch   Router
Greater cabling distances are allowed    Yes   Yes      Yes
Creates multiple collision domains       No    Yes      Yes
Increases bandwidth                      No    Yes      Yes
Creates multiple broadcast domains       No    No       Yes

Virtual LAN (VLAN)

Without VLANs a switch considers all its interfaces to be in the same broadcast domain.
With VLANs a switch can put some interfaces into one broadcast domain and others into
another broadcast domain, based on some simple configuration.

Sample network with two VLANs using one switch

[Figure: one switch with some of its ports in VLAN 1 and the remaining ports in VLAN 2.]

Motivations for using VLANs

• To create a more flexible network design that groups users by department, or by
groups that work together, instead of by physical location
• To segment devices into smaller LANs (broadcast domains) to reduce the overhead
caused to each host in the VLAN
• To reduce the workload for STP by limiting a VLAN to a single access switch
• To enforce better security by keeping hosts that work with sensitive data in a separate
VLAN
• To separate traffic sent by IP phones from traffic sent by PCs connected to the phones

Campus LAN design terminology

[Figure: Core switches Core1 and Core2, joined by core links, connect this building block
to other building blocks. Distribution switches Dist1 and Dist2 connect to the core
switches and, via uplinks, to the access switches Access1, Access2, Access3 and Access4,
which connect end-user devices over access links.]

Access : Provides a connection point (access) for end-user devices; does not forward
frames between two other access switches under normal circumstances.

Distribution : Provides an aggregation point for access switches, forwarding frames
between switches, but not connected directly to end-user devices.

Core : Aggregates distribution switches in very large LANs, providing very high
forwarding rates.

Ethernet Types, Media and Segment Lengths

Ethernet Type   Media                                  Maximum segment length
10BASE-T        TIA/EIA CAT3 or better, 2 pair         100 m (328 feet)
100BASE-TX      TIA/EIA CAT5 UTP or better, 2 pair     100 m (328 feet)
100BASE-FX      62.5/125 micron multimode fiber        400 m (1312.3 feet)
1000BASE-CX     STP (shielded twisted pair)            25 m (82 feet)
1000BASE-T      TIA/EIA CAT5e or better, 4 pair        100 m (328 feet)
1000BASE-SX     Multimode fiber                        275 m (853 feet) for 62.5 micron fiber;
                                                       550 m (1804.5 feet) for 50 micron fiber
1000BASE-LX     Multimode fiber                        550 m (1804.5 feet) for 50 and 62.5 micron fiber
1000BASE-LX     9 micron single mode fiber             10 km (6.2 miles)

Broadcast domain: A set of devices that receive broadcast frames originated from any
device within the set. All devices in the same VLAN are in the same broadcast domain.

Broadcast frame: An Ethernet frame sent with the destination address FFFF.FFFF.FFFF,
meaning that the frame should be delivered to all hosts in the LAN.

Collision Domain: A set of NICs for which a frame sent by one NIC could result in a
collision with a frame sent by any other NIC in the same collision domain.

Cut-through switching: One of the three options for internal processing in some models
of Cisco LAN switches, in which the frame is forwarded as soon as possible, including
forwarding bits of the frame before the whole frame is received.

Flooding : The process in which switches forward broadcast, unknown unicast and
(sometimes) multicast frames out all other ports except the port the frame came in on.

Fragment-free switching: One of the three processing options on some Cisco LAN
switches, in which the first bits of the frame may be forwarded before the entire frame is
received, but not until the first 64 bytes of the frame are received. In a well-designed
LAN, collisions show up within those first 64 bytes, so this forwarding logic should not
forward collision fragments.

Microsegmentation : The process in LAN design by which every switch port connects to
a single device, creating a separate collision domain per interface.

Segmentation : The process of breaking a large amount of data from an application into
pieces of an appropriate size to be sent through the network.

Spanning Tree Protocol (STP): A bridge protocol that uses the Spanning Tree Algorithm,
allowing switches to dynamically work around loops in a network topology by creating a
spanning tree. Switches exchange Bridge Protocol Data Unit (BPDU) messages with other
bridges to detect loops, and remove the loops by shutting down selected bridge
interfaces.

Store-and-forward switching: One of the three processing options in some Cisco LAN
switches, in which the Ethernet frame must be completely received before the switch can
begin forwarding the first bit of the frame.

Unknown unicast frame: An Ethernet frame whose destination MAC address is not listed
in the MAC address table of the switch, so the switch must flood the frame.

Virtual LAN : A group of devices connected to one or more switches, with the devices
grouped into a single broadcast domain through switch configuration. VLANs allow
switch administrators to separate devices connected to switches into separate VLANs
without requiring separate physical switches, gaining the design advantage of separating
traffic without buying additional hardware.

Please go to the "Do I Know This Already?" quiz for Chapter 7, page 168.

Chapter 8 – Operating Cisco LAN Switches

CLI : Command Line Interface

Cisco positions the 2960 series (family) of switches as full-featured, low-cost wiring
closet switches for enterprises.

Cisco refers to a switch's physical connectors as either interfaces or ports. Each interface
has a name and a number, e.g. interface FastEthernet 0/1, interface GigabitEthernet 0/1.

Cisco supports two major operating systems:
Internetwork Operating System (IOS) and
Catalyst Operating System (CatOS).

Cisco uses the term Hybrid to refer to 6500 series core switches that use CatOS, and the
term Native to refer to 6500 series core switches that use IOS.

Cisco 2960 Switch LEDs and Mode button

[Figure: the front panel of a Cisco 2960 shows the SYST and RPS LEDs, the port-mode
LEDs STAT, DUPLX and SPEED, the MODE button that toggles between the port modes,
and one LED per port.]

LEDs and descriptions

NAME                          Description
SYST (System)                 Implies overall system status.
                              Off : The system is not powered on
                              On (green) : The switch is powered on and operational (Cisco
                              IOS has been loaded)
                              On (amber) : The switch's power-on self test (POST) failed and
                              Cisco IOS did not load
RPS (Redundant power supply)  Suggests the status of the redundant (extra) power supply
STAT (Status)                 If on (green), each port LED implies that port's status.
                              Port LED
                              Off : The link is not working
                              Solid green : The link is working but there is no current traffic
                              Flashing green : The link is working and traffic is currently
                              passing over the interface
                              Flashing amber : The interface is administratively disabled or
                              dynamically disabled for one of many reasons
DUPLX (Duplex)                If on (green), each port LED implies that port's duplex.
                              Port LED
                              On (green) : Full duplex
                              Off : Half duplex
SPEED                         If on (green), each port LED implies the speed of that port.
                              Port LED
                              Off : 10 Mbps
                              Solid green : 100 Mbps
                              Flashing green : 1000 Mbps (1 Gbps)
Port                          Has different meanings, depending on the port mode as toggled
                              using the MODE button

Accessing Cisco IOS CLI

The console port allows a way to connect to a switch's CLI even if the switch is not
connected to a network. Every Cisco switch has a console port, which is physically an
RJ-45 port. A PC connects to the console port through this RJ-45 port.

Default console port settings on a Cisco switch

Baud rate : 9600 bits/second
Flow control : none (no hardware flow control)
Data : 8-bit ASCII
Stop bit : none (no stop bits)
Parity : 1 bit (1 parity bit)

Accessing CLI using Telnet and SSH

The Telnet client (PC) needs terminal emulator software with a Telnet/SSH client
installed; the switch runs the Telnet server software.

Telnet sends all data, including the username and password, as clear text, which is a
security threat.

SSH (Secure Shell) does the same basic things as Telnet, but in a more secure way, by
using encryption.

CLI Password configuration : Console and Telnet

Access From   Password Type       Sample Configuration
Console       Console password    line console 0
                                   login
                                   password faith
Telnet        vty password        line vty 0 15
                                   login
                                   password love

Switches support up to 16 (0-15) concurrent virtual terminal connections, including
Telnet and SSH.

User and Privileged Modes

[Figure: Console, Telnet and SSH sessions all start in user mode; the enable command
(with its password) moves the session to enable (privileged) mode, and disable moves it
back to user mode.]

Router> enable
Password : xxxx
Router#

Router# disable
Router>

The preferred method for setting the password for reaching enable mode is the
enable secret password command.

Cisco IOS software command help

What you enter       What help you get
?                    Help for all commands available in this mode
help                 Text describing how to get help. No actual command help is given
command ?            Text help describing all the first parameter options for the command
com?                 A list of commands that start with com
command parm?        Lists all parameters starting with parm
command parm<Tab>    CLI autofills the rest of the parameter
command parm1 ?      Lists all the next parameters with a brief description

Key sequences for command edit and recall

Keyboard Command       What it does
Up arrow or Ctrl-P     Displays previously entered commands
Down arrow or Ctrl-N   Moves down to more recent commands in the history list
Left arrow or Ctrl-B   Moves the cursor backwards (left) in the currently displayed command
Right arrow or Ctrl-F  Moves the cursor forward (right)
Backspace              Moves back, deleting
Ctrl-A                 Moves back to the first character of the command
Ctrl-E                 Moves directly to the end of the command
Ctrl-R                 Redisplays the command
Ctrl-D                 Deletes a single character
Esc-B                  Moves back one word
Esc-F                  Moves forward one word

Debug and Show commands

show commands list the currently known facts about the switch's operational status.
debug commands ask the switch to keep monitoring different processes in the switch.

terminal monitor : enables the user to view the debug log messages
debug spanning-tree : enables debugging of the spanning-tree process
no debug spanning-tree : disables debugging of the spanning-tree process
no debug all or undebug all : disable all currently enabled debugs

CLI Configuration Modes vs EXEC modes

[Figure: user EXEC mode moves to privileged EXEC mode with enable; configure terminal
(config t) enters configuration mode, and Ctrl-Z or exit returns to privileged EXEC
mode. Each configuration command is applied in succession to the active configuration in
RAM.]

Navigation between different configuration modes

Switch# configure terminal
Switch(config)# hostname Fred
Fred(config)# line console 0
Fred(config-line)# password hope
Fred(config-line)# interface FastEthernet 0/1
Fred(config-if)# speed 100
Fred(config-if)# exit
Fred(config)#

The text inside parentheses in the command prompt identifies the configuration mode.

Common Switch configuration modes

Prompt                  Name of Mode                  Context-setting commands to reach this mode
hostname(config)#       Global configuration mode     None (first mode after the configure terminal command)
hostname(config-line)#  Line configuration mode       line console 0
                                                      line vty 0 15
hostname(config-if)#    Interface configuration mode  interface type number

List of configuration mode prompts, name of the configuration mode, and the command
used to reach the mode.

Storing configuration files

Cisco Switch Memory Types

[Figure: RAM is the working memory and holds the running (active) configuration; Flash
holds the Cisco IOS software; NVRAM holds the startup configuration; ROM holds the
bootstrap program.]

** NVRAM : Non-Volatile RAM

Names and purposes of the two main Cisco IOS configuration files

Configuration Filename   Purpose                                                  Where it is stored
startup-config           Stores the initial configuration used any time the        NVRAM
                         switch reloads the Cisco IOS
running-config           Stores the currently used configuration commands.        RAM
                         This file changes dynamically when someone enters
                         commands in configuration mode

Configuration commands change only the running-config. If you want to save the
configuration, the running-config must be copied to NVRAM, overwriting the
startup-config, so that the new or changed configuration is included the next time the
switch is reloaded.

Locations for copying configuration files and results of copying

[Figure: the three locations are RAM (running-config), NVRAM (startup-config) and a
TFTP server, with these copy commands between them:]

copy tftp running-config
copy running-config tftp
copy running-config startup-config
copy startup-config running-config
copy tftp startup-config
copy startup-config tftp

The copy command always replaces the existing file when configuration files are copied
to NVRAM or a TFTP server, but when copied to RAM (running-config) the file is always
merged, not replaced. If you change the running-config and want to revert it to the
startup-config, copy startup-config running-config will not necessarily make both
configs match; instead you may have to issue the reload command, which reboots the
switch, erasing RAM, and copies the startup-config into RAM as the running-config.
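An added Python model (not Cisco code) of the merge-versus-replace rule above: copying into RAM merges command by command, copying into NVRAM or TFTP replaces the whole file, and a reload clears RAM first. The STARTUP and EDITS configuration text and the placeholder hash are constructed.

```python
"""Added example (not Cisco code): copying into RAM (running-config) merges
command by command; copying into NVRAM or TFTP replaces the file; reload
clears RAM and loads startup-config into it. Configs are constructed."""
from collections import OrderedDict

STARTUP = """\
hostname emma
enable secret 5 PLACEHOLDER-HASH
line vty 0 15
 password love
 login
"""

# Changes typed in configuration mode: they land only in running-config.
EDITS = """\
hostname fred
username wendell password hope
line vty 0 15
 login local
"""


def command_key(line: str) -> str:
    """Which earlier command a new one overrides when configs merge."""
    tokens = line.split()
    if tokens[0] in ("interface", "line"):
        return line                    # a section, named by the whole line
    if tokens[0] in ("username", "enable", "ip", "banner"):
        return " ".join(tokens[:2])    # one entry per user / per sub-keyword
    return tokens[0]                   # single-value commands such as hostname


def parse_config(text: str) -> OrderedDict:
    """Config text -> key -> (global line, OrderedDict of subcommand key -> line).
    Indented lines belong to the preceding global line; a subcommand's first
    word is its key, so `login local` replaces `login` within a section."""
    config = OrderedDict()
    section = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and section is not None:
            sub = raw.strip()
            config[section][1][sub.split()[0]] = sub
        else:
            line = raw.strip()
            section = command_key(line)
            subs = config[section][1] if section in config else OrderedDict()
            config[section] = (line, subs)
    return config


def merge(base: OrderedDict, incoming: OrderedDict) -> OrderedDict:
    """Apply every incoming command on top of base; commands that are absent
    from incoming stay as they were (this is the copy-into-RAM behaviour)."""
    result = OrderedDict((k, (l, OrderedDict(s))) for k, (l, s) in base.items())
    for key, (line, subs) in incoming.items():
        merged_subs = result[key][1] if key in result else OrderedDict()
        merged_subs.update(subs)
        result[key] = (line, merged_subs)
    return result


def copy_config(source: OrderedDict, destination: OrderedDict,
                destination_is_ram: bool) -> OrderedDict:
    """copy <source> <destination>: merge when the target is RAM, else replace."""
    if destination_is_ram:
        return merge(destination, source)
    return merge(OrderedDict(), source)


def render(config: OrderedDict) -> list:
    lines = []
    for line, subs in config.values():
        lines.append(line)
        lines.extend(" " + sub for sub in subs.values())
    return lines


def demo() -> dict:
    startup = parse_config(STARTUP)
    running = copy_config(startup, OrderedDict(), True)   # boot: RAM <- NVRAM
    running = merge(running, parse_config(EDITS))         # configure terminal
    out = {"after_edits": render(running)}
    # copy startup-config running-config only merges: the hostname and
    # `login` revert, but the extra username survives in RAM.
    running = copy_config(startup, running, True)
    out["after_copy_startup_to_running"] = render(running)
    # reload empties RAM first, so running-config really equals startup-config.
    running = copy_config(startup, OrderedDict(), True)
    out["after_reload"] = render(running)
    return out


if __name__ == "__main__":
    for name, lines in demo().items():
        print(name, *lines, sep="\n  ")
```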

Commands to erase NVRAM

write erase
erase startup-config
erase nvram:

Other names for the config files

nvram:startup-config
system:running-config

Initial Configuration - Setup Mode

Getting into Setup Mode

[Flowchart: Turn on the switch. Is NVRAM empty? If no, copy the startup-config to the
running-config and complete IOS initialization. If yes, ask whether to enter setup mode:
if no, complete IOS initialization; if yes, answer the questions in setup mode and move
the new configuration to NVRAM.]

Setup mode writes the configuration to both the startup-config and running-config files,
whereas configuration mode changes only the running-config file.

CLI : Command Line Interface. An interface that enables the user to interact with the
operating system by entering commands and optional arguments.

Secure Shell (SSH) : A TCP/IP application layer protocol that supports terminal
emulation between a client and a server, using dynamic key exchange and encryption to
keep the communication private and secure.

Enable Mode: The part of the Cisco CLI where a user can use the most powerful and
disruptive commands on a router or switch, including the ability to then reach
configuration mode and reconfigure the router.

User Mode: A mode of the user interface to a Cisco router or switch where a user can only
type non-disruptive EXEC commands, generally to look at the current status, but not to
change any operational settings.

Configuration Mode: The part of the Cisco IOS CLI where a user can enter configuration
commands, which are then added to the device's currently used configuration file
(running-config).

Startup-config file: In Cisco IOS switches and routers, the name of the file that resides
in NVRAM, holding the device's configuration that will be loaded into RAM as the
running-config file when the device is next reloaded or powered on.

Running-config: In Cisco IOS switches and routers, the name of the file that resides in
RAM, holding the device's currently used configuration.

Setup Mode: An option on Cisco switches and routers that prompts the user for basic
configuration information, resulting in new running-config and startup-config files.

Configuration Commands

Command                       Mode and Purpose
line console 0                Global command that changes the context to console configuration mode
line vty 1st-vty 2nd-vty      Global command that changes the context to line (vty) configuration mode
                              for the range of vty lines listed in the command
login                         Line (console and vty) configuration mode. Tells IOS to prompt for a
                              password (no username)
password pass-value           Line (console, vty) configuration mode. Lists the password required if
                              the login command (with no other command) is configured
interface type port-number    Global command that changes the context to interface mode,
                              e.g. interface FastEthernet 0/1
shutdown / no shutdown        Interface subcommands that disable or enable the interface, respectively
hostname name                 Global command that sets the switch's hostname, which is also used as
                              the first part of the switch's command prompt
enable secret pass-value      Global command that sets the automatically encrypted enable secret
                              password. This password is used for any user to reach enable mode
enable password pass-value    Global command that sets the clear-text enable password. This is used
                              only when the enable secret password is not configured
exit                          Moves back to the next higher mode in configuration mode
end                           Exits configuration mode and goes back to enable mode from any of the
                              configuration submodes
Ctrl-Z                        Same as the end command

EXEC Command Reference

Command                              Purpose
no debug all / undebug all           Enable mode EXEC commands that disable all currently enabled debugs
show process                         EXEC command that lists statistics of CPU utilization
terminal monitor                     EXEC command that tells Cisco IOS to send a copy of all syslog messages,
                                     including debug messages, to the Telnet or SSH user who issues the command
reload                               Enable mode EXEC command that reloads or reboots the switch or router
copy from-location to-location       Enable mode EXEC command that copies a file from one location to another;
                                     locations include the startup-config and running-config files, files on
                                     TFTP and RPC servers, and flash memory
copy running-config startup-config   Enable mode EXEC command that saves the active config, replacing the
                                     startup-config file used when the switch initializes
copy startup-config running-config   Enable mode EXEC command that merges the startup config with the
                                     currently active config file in RAM
show running-config                  Lists the contents of the running config
write erase / erase startup-config   All three enable mode EXEC commands erase the startup-config file
/ erase nvram:
setup                                Enable mode EXEC command that places the user in setup mode, in which
                                     Cisco IOS prompts the user for simple switch configurations
quit                                 EXEC command that disconnects the user from the CLI session
show system:running-config           Same as show running-config
show startup-config                  Lists the contents of the startup-config (initial config) file
show nvram:startup-config            Same as show startup-config
/ show nvram:
enable                               Moves the user from user mode to enable (privileged) mode and prompts
                                     the user for a password if one is configured
disable                              Moves the user from enable mode to user mode
configure terminal                   Enable mode command that moves the user into configuration mode

Please go to the "Do I Know This Already?" quiz for Chapter 8, page 198.

Chapter 9 – Ethernet Switch Configurations
Configuring Basic Passwords and Hostname

Switch> enable
Switch# configure terminal

(EXEC command to move from enable mode to configuration mode)

Switch(config)# enable secret cisco
Switch(config)# hostname emma

In global configuration mode the user enters two global configuration commands that
add configuration to the whole switch (enable secret and hostname). enable secret sets
the only password used to reach enable mode, so it is a global command.

emma(config)# line console 0
emma(config-line)# password faith
emma(config-line)# login
emma(config-line)# exit

The login command, which tells the switch to ask for a text password but not a username,
and the password command, which defines the required password, are subcommands in the
respective line configuration submodes.

emma(config)# line vty 0 15
emma(config-line)# password love
emma(config-line)# login
emma(config-line)# exit
emma(config)# exit
emma#

emma# show running-config

hostname emma

enable secret 5 $90345824kosdfjsdfmld908v/m

line console 0
 password faith
 login

line vty 0 4
 password love
 login

line vty 5 15
 password love
 login

vty lines 5 to 15 (11 vty lines) were added later to vty lines 0 to 4 (5 vty lines), making
a total of 16 concurrent vty lines available on a Cisco switch.

SSH Configuration concepts

[Figure: on the Cisco switch, under line vty 0 15: (1) login local and (2) transport input
telnet ssh; as global commands: (3) username wendell password hope, (4) ip domain-name
example.com and (5) crypto key generate rsa, after which the switch generates its keys;
(6) the SSH client receives the switch's public key, while the private key stays on the
switch.]

Step 1 : login local changes the vty lines to use usernames (the plain login command does
not require usernames) with locally configured usernames (the other option is usernames
configured on an AAA server). In this case the login local subcommand defines the use of
local usernames, replacing the login subcommand in vty configuration mode.

Step 2 : transport input telnet ssh (a vty line configuration subcommand) tells the switch
to accept both Telnet and SSH; the default is transport input telnet, which omits SSH.

Step 3 : Add one or more username name password pass-value global configuration
commands to configure username/password pairs.

Step 4 : Configure the DNS domain name with the ip domain-name name global
configuration command.

Step 5 : Configure the switch to generate a matched public and private key pair, as well as
a shared encryption key, using the crypto key generate rsa global configuration command.

Step 6 : SSH clients need a copy of the switch's public key before the client can connect.

SSH Configuration Process

emma#
emma# configure terminal
emma(config)# line vty 0 15
emma(config-line)# login local
emma(config-line)# transport input telnet ssh
emma(config-line)# exit
emma(config)# username wendell password hope
emma(config)# ip domain-name example.com
emma(config)# crypto key generate rsa
The name of the key will be: emma.example.com

Refer to pg. 241 for SSH key generation and public key listings.

Password Encryption

The service password-encryption global configuration command encrypts the passwords.

• When the service password-encryption command is configured, all existing console,
vty and username command passwords are immediately encrypted.

• If the service password-encryption command has already been configured, any future
changes to these passwords are encrypted.

• If the no service password-encryption command is used later, the passwords remain
encrypted until they are changed, at which point they show up in clear text.

service password-encryption uses Type 7 encryption, a weak encryption algorithm
which can be decrypted easily.

The two enable mode passwords

• If the global configuration command enable password pass-value is used, it defines
the password required when using the enable EXEC command. This password is
listed as clear text in the configuration file by default.

• If the global configuration command enable secret pass-value is used, it defines the
password required when using the enable EXEC command. This password is listed as
a hidden MD5 hash value in the configuration file by default.

• If both commands are used, the password set in the enable secret command defines
which password is required.

IOS applies a mathematical function called the Message Digest 5 (MD5) hash, and the
result is stored in the configuration file; this is considered Type 5 encryption.

enable secret fred
enable secret 0 fred (sets the enable secret password to fred; the 0 implies that the password that follows is clear text)
no enable secret (deletes the enable secret password)
enable secret tom (changes the enable secret password to tom)
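An added Python check (not Cisco code) that scans a saved running-config for the weaknesses described in the two sections above: a clear-text enable password standing in for enable secret, clear-text or Type 7 line and username passwords, and vty lines that accept Telnet. SAMPLE_CONFIG and HARDENED_CONFIG are constructed, and the Type 7 and hash strings are placeholders, not real encodings.

```python
"""Added example (not Cisco code): audits a saved running-config for the
password weaknesses described above. Both configs are constructed and the
Type 7 / hash strings are placeholders, not real encodings."""

SAMPLE_CONFIG = """\
hostname emma
enable password cisco
line console 0
 password faith
 login
line vty 0 15
 password 7 PLACEHOLDER-TYPE7
 login local
 transport input telnet ssh
username wendell password hope
"""

# The same switch after applying the text's recommendations.
HARDENED_CONFIG = """\
hostname emma
service password-encryption
enable secret 5 PLACEHOLDER-MD5-HASH
line console 0
 password 7 PLACEHOLDER-TYPE7
 login
line vty 0 15
 login local
 transport input ssh
username wendell password 7 PLACEHOLDER-TYPE7
"""


def password_findings(value_tokens: list, where: str) -> list:
    """Classify the value that follows `password` on a line or username command."""
    if not value_tokens:
        return []
    if value_tokens[0] == "7":
        return [("medium", "PASSWORD_TYPE7", where,
                 "Type 7 is a weak, easily reversed encoding; treat the password as exposed")]
    # `password 0 x` and `password x` both store x in clear text.
    return [("high", "PASSWORD_CLEAR", where,
             "stored in clear text; configure service password-encryption and rotate it")]


def audit(config_text: str) -> list:
    """Return (severity, code, where, detail) tuples for the weak settings found."""
    findings = []
    lines = [l for l in config_text.splitlines() if l.strip() and not l.startswith("!")]
    has_secret = any(l.startswith("enable secret") for l in lines)
    vty_sections, vty_with_transport = set(), set()
    section = "global"
    for line in lines:
        tokens = line.split()
        if not line.startswith(" "):                 # global command
            section = line.strip()
            if tokens[:2] == ["enable", "password"]:
                if has_secret:
                    findings.append(("low", "ENABLE_PASSWORD_UNUSED", section,
                                     "ignored because enable secret is set, but still stored in clear text; remove it"))
                else:
                    findings.append(("high", "ENABLE_PASSWORD_CLEAR", section,
                                     "a clear-text enable password is the only guard on enable mode; configure enable secret"))
            elif tokens[0] == "username" and "password" in tokens:
                findings += password_findings(tokens[tokens.index("password") + 1:],
                                              " ".join(tokens[:2]))
            elif tokens[:2] == ["line", "vty"]:
                vty_sections.add(section)
            continue
        if tokens[0] == "password":                  # line subcommand
            findings += password_findings(tokens[1:], section)
        elif tokens[:2] == ["transport", "input"]:
            vty_with_transport.add(section)
            if "telnet" in tokens:
                findings.append(("medium", "VTY_TELNET", section,
                                 "Telnet accepted: username and password cross the network in clear text; allow only ssh"))
    for vty in sorted(vty_sections - vty_with_transport):
        findings.append(("medium", "VTY_DEFAULT_TELNET", vty,
                         "no transport input subcommand, so the default (telnet only) applies"))
    return findings


def codes(findings: list) -> set:
    return {code for _, code, _, _ in findings}


if __name__ == "__main__":
    for severity, code, where, detail in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {code} ({where}): {detail}")
```

The hardened config still produces Type 7 findings, because the text is explicit that Type 7 only hides passwords from shoulder-surfing and is easily reversed.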

Banner Configurations

Banner is a Global configuration command

SW1 (config) # banner # Switch down for maintenance at 11 pm today #

(the default banner type is MOTD, the message-of-the-day banner, shown before the login prompt)

SW1 (config) # banner login # Unauthorized Access Denied #

(login banner, shown before the login prompt, after the MOTD banner)

SW1 (config) # banner exec Z Company picnic at the park on Saturday, don’t tell outsiders Z

(EXEC banner, shown after the login prompt, for messages that should be hidden from unauthorised users)

(the first non-blank character after the banner type is taken as the delimiter, and the text between the delimiters is displayed)

Commands related to the history buffer….

show history : Lists the commands currently held in the history buffer.
history size x : From console or vty line configuration mode, sets the number of commands saved in the history buffer.
terminal history size x : EXEC command; sets the size of the history buffer just for that user.

Defining console inactivity timeouts and when to log messages…

line console 0
login
password cisco
exec-timeout 0 0 (the router never times out)
logging synchronous (displays syslog messages at a convenient time, after a command’s output, and not in the middle of typing a command)

LAN Switch Configuration and Operation

Configuring Switch IP Address

An IOS-based switch configures its IP address and mask on a special virtual interface, the VLAN 1 interface.

Step 1. Enter VLAN 1 configuration mode by using the interface vlan 1 global configuration command.

Step 2. Assign the IP address and mask using the ip address ip-address mask interface subcommand.

Step 3. Enable the VLAN interface using the no shutdown interface subcommand.

Step 4. Add the ip default-gateway ip-address global command to configure the default gateway.

Switch static IP address configuration

Emma # configure terminal
Emma (config) # interface vlan 1
Emma (config-if) # ip address 192.168.1.200 255.255.255.0
Emma (config-if) # no shutdown
Emma (config-if) # exit
Emma (config) # ip default-gateway 192.168.1.1

(refer to page 249 for syslog messages)

Switch dynamic IP address configuration using DHCP

Emma # configure terminal
Emma (config) # interface vlan 1
Emma (config-if) # ip address dhcp
Emma (config-if) # no shutdown
Emma (config-if) # ^Z

Emma # show dhcp lease

(to show the temporarily leased IP address, as dynamic IP addresses are not stored in the running-config file, whereas statically configured IP addresses are stored in the running-config)

Emma # show interface vlan 1

Vlan 1 is up, line protocol is up

(refer to page 250 for syslog messages)

Interface Configuration Commands….

Emma # configure terminal
Emma (config) # interface fastethernet 0/1
Emma (config-if) # speed 100
Emma (config-if) # duplex full
Emma (config-if) # description server 1 connects here
Emma (config-if) # exit
Emma (config) # interface range fastethernet 0/11 - 20
Emma (config-if-range) # description end-users connect here
Emma (config-if-range) # ^Z

Emma # show interface status

Port    Name                    Status      Vlan  Duplex  Speed  Type
Fa0/1   Server 1 connects here  notconnect  1     full    100    10/100BaseTX
Fa0/2                           notconnect  1     auto    auto   10/100BaseTX
Fa0/4                           connected   1     a-full  a-100  10/100BaseTX
Fa0/11  end user connects       connected   1     auto    auto   10/100BaseTX
|
|
Fa0/24

(please refer to page 252 for the full listing….)

a-full and a-100 (the Fa0/4 line) mean that the port autonegotiated full duplex and a speed of 100 Mbps with the physically connected device.

Port Security

If a network engineer knows what devices should be cabled and connected to a particular
interface on a switch, the engineer can use port-security to restrict that interface so that
only the expected devices can use it.

Port Security Configuration Steps…

Step 1. Make the switch interface an access interface using the switchport mode access
interface subcommand

Step 2. Enable port security using switchport port-security interface subcommand

Step 3. (Optional) specify the maximum number of MAC addresses associated with the
interface using switchport port-security maximum number interface subcommand.
Default maximum number is 1.

Step 4. (Optional) Define the action to take when a frame is received from a MAC address other than the defined addresses, using the switchport port-security violation {protect | restrict | shutdown} interface subcommand. The default action is to shut down the port.

Step 5A. Specify the MAC addresses allowed to send frames into the interface using the switchport port-security mac-address mac-address interface subcommand. Use the command multiple times to specify more MAC addresses.

Step 5B. Alternatively, use the sticky learning process to dynamically learn and configure the MAC address of the currently connected host by configuring the switchport port-security mac-address sticky interface subcommand.

Fred # show port-security interface fastethernet 0/1
Fred # show port-security interface fastethernet 0/2

Refer to page 255 for the output listing.

Note the port status: secure-shutdown on Fa0/1 (the port is shut down because of a violation) and secure-up on Fa0/2.

Actions when a port security violation occurs

Option on the switchport port-security violation command   Protect   Restrict   Shutdown (default)
Discard offending traffic                                   YES       YES        YES
Send log and SNMP messages                                  NO        YES        YES
Disable the interface, discarding all traffic               NO        NO         YES
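The table above and the configuration steps before it as a small Python model, added here as an example and not part of the notes or of IOS: one SecurePort object per interface applies the maximum, sticky learning and the protect/restrict/shutdown actions to a constructed sequence of frames. The MAC addresses are made up, and the show() field names only mirror the show port-security interface output described in the notes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SecurePort:
    """One access interface with switchport port-security enabled (simplified model)."""
    name: str
    maximum: int = 1                # switchport port-security maximum <n> (default 1)
    violation: str = "shutdown"     # protect | restrict | shutdown (default)
    sticky: bool = False            # switchport port-security mac-address sticky
    secure_macs: List[str] = field(default_factory=list)  # static or learned addresses
    status: str = "secure-up"       # secure-up | secure-shutdown (err-disabled)
    discarded: int = 0              # frames dropped by this model (not an IOS counter)
    syslog: List[str] = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Handle one inbound frame; True if forwarded, False if discarded."""
        if self.status == "secure-shutdown":
            self.discarded += 1
            return False                      # err-disabled: all traffic is discarded
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            # Below the maximum: the address becomes a secure address. With sticky
            # learning it is also written into the running config as a static entry.
            self.secure_macs.append(src_mac)
            if self.sticky:
                self.syslog.append(f"{self.name}: sticky-learned {src_mac} added to config")
            return True
        # Violation: a MAC beyond the allowed set. All three modes discard the frame.
        self.discarded += 1
        if self.violation in ("restrict", "shutdown"):
            self.syslog.append(f"{self.name}: security violation by {src_mac}")  # log + SNMP
        if self.violation == "shutdown":
            self.status = "secure-shutdown"  # the interface goes err-disabled
        return False

    def show(self) -> Dict[str, object]:
        """Fields modelled on the show port-security interface output in the notes."""
        return {"Port Status": self.status, "Violation Mode": self.violation,
                "Maximum MAC Addresses": self.maximum,
                "Total MAC Addresses": len(self.secure_macs)}


def demo_scenarios() -> Tuple[Dict[str, List[bool]], Dict[str, SecurePort]]:
    """Run the three violation modes over constructed frame sequences (MACs made up)."""
    # Fa0/1: one static secure MAC, default (shutdown) mode.
    fa1 = SecurePort("Fa0/1", secure_macs=["0200.1111.1111"])
    results = {"Fa0/1": [fa1.receive("0200.1111.1111"),   # allowed
                         fa1.receive("0200.9999.9999"),   # violation -> err-disabled
                         fa1.receive("0200.1111.1111")]}  # dropped: the port is down now
    # Fa0/2: sticky learning of up to two hosts, restrict mode.
    fa2 = SecurePort("Fa0/2", maximum=2, violation="restrict", sticky=True)
    results["Fa0/2"] = [fa2.receive("0200.2222.2222"), fa2.receive("0200.3333.3333"),
                        fa2.receive("0200.9999.9999"),   # logged and dropped, port stays up
                        fa2.receive("0200.2222.2222")]   # legitimate host still works
    # Fa0/3: protect mode, the violation is dropped silently.
    fa3 = SecurePort("Fa0/3", violation="protect", secure_macs=["0200.4444.4444"])
    results["Fa0/3"] = [fa3.receive("0200.9999.9999"), fa3.receive("0200.4444.4444")]
    return results, {p.name: p for p in (fa1, fa2, fa3)}


if __name__ == "__main__":
    outcome, ports = demo_scenarios()
    for name, port in ports.items():
        print(name, outcome[name], port.show(), *port.syslog, sep="\n  ")
```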

VLAN Configuration

Two types of Cisco switch interfaces….

Access interfaces and Trunk interfaces

By definition, access interfaces send and receive frames only in a single VLAN, called the access VLAN. Trunk interfaces send and receive frames in multiple VLANs.

One access port belongs to one VLAN (one VLAN can have multiple access ports, a subset of the switch’s access ports); one trunk port carries multiple VLANs.

By default switches have VLAN 1 configured and all interfaces assigned to it; to add another VLAN and assign access ports to it, follow the steps below…

Step 1 : To configure new VLAN

a) From configuration mode, use the vlan vlan-id global configuration command to create the VLAN and move the user into VLAN configuration mode.

b) (Optional) Use the name vlan-name VLAN subcommand to set the name of the VLAN. If not configured, by default the VLAN uses the name VLANzzzz, where zzzz is the four-digit VLAN ID.

Step 2 : To configure VLAN for each access interface

a) Use the interface command to move to interface configuration mode for each desired interface.

b) Use the switchport access vlan id-number interface subcommand to specify the VLAN associated with that interface.

c) (Optional) To disable trunking, so that the switch will not dynamically decide to use trunking on the interface and it will remain an access interface, use the switchport mode access interface subcommand.

(Figure: SW1 with interfaces Fa0/11 and Fa0/12 in VLAN 1, and Fa0/13 and Fa0/14 in VLAN 2)

SW1 # show vlan brief

SW1 # configure terminal
SW1 (config) # vlan 2
SW1 (config-vlan) # name fred-vlan
SW1 (config-vlan) # exit
SW1 (config) # interface range fastethernet 0/13 - 14
SW1 (config-if-range) # switchport access vlan 2
SW1 (config-if-range) # ^Z
SW1 # show running-config
SW1 # show vlan brief

Please refer to page 258 for command output listings

Note : the VLAN name set by the name VLAN subcommand (fred-vlan) is case-sensitive.

Securing unused interfaces; the recommendations to secure unused interfaces are….

• Administratively shut down the interface using the shutdown interface subcommand.

• Prevent VLAN trunking and VLAN Trunking Protocol (VTP) by making the port a nontrunking interface, using the switchport mode access interface subcommand.

• Assign the port to an unused VLAN by using the switchport access vlan vlan-number interface subcommand.

Access Interface: A LAN network design term that refers to a switch interface connected
to end-user devices.

Trunk Interface: On a LAN switch, an interface that is currently using either 802.1Q or
ISL trunking

Trunking : Also called VLAN trunking; a method using either the Cisco ISL protocol or the IEEE 802.1Q protocol to support multiple VLANs that have members on more than one switch.

Configuration Command Reference…

Basic Password Configuration (the following four commands are related to basic password configuration)

line console 0 : Changes the context to console configuration mode.
line vty 1st-vty 2nd-vty : Changes the context to vty configuration mode for the range of vty lines listed.
login : Console and vty configuration mode; tells IOS to prompt for a password.
password pass-value : Console and vty configuration mode; lists the password required if the login command (without any other parameter) is configured.

Username/Password and SSH Configuration (the following four commands are related to username/password and SSH configuration)

login local : Console and vty configuration mode; tells IOS to prompt for a username and password, to be checked against the locally configured username global configuration commands on this switch or router.
username name password pass-value : Global command; defines one of possibly multiple usernames and associated passwords, used for user authentication. Used when the login local line configuration command has been used.
crypto key generate rsa : Global command; creates, and stores in a hidden location in flash memory, the keys required by SSH.
transport input {telnet|ssh} : Vty line configuration mode; defines whether telnet and/or SSH is allowed into this switch. Both values can be configured in one command to allow both telnet and SSH.

IP Address Configuration (the following four commands are related to IP address configuration)

interface vlan number : Changes the context to VLAN interface mode. For VLAN 1, allows the configuration of the switch’s IP address.
ip address ip-address subnet-mask : VLAN interface mode; statically configures the switch’s IP address and mask.
ip address dhcp : VLAN interface mode; configures the switch as a DHCP client to discover its IP address, subnet mask and default gateway.
ip default-gateway address : Global command; configures the switch’s default gateway IP address. Not required if the switch uses DHCP.

Interface Configuration (the following six commands are used for interface configuration)

interface type port-number : Changes the context to interface mode, e.g. interface fastethernet 0/1.
interface range type port-range : Changes the context to interface mode for the range of interfaces.
shutdown / no shutdown : Interface mode; disables or enables the interface.
speed {10|100|1000|auto} : Interface mode; manually sets the speed to the listed speed or, with the auto setting, automatically negotiates the speed.
duplex {half|full|auto} : Interface mode; manually sets the duplex to half or full, or autonegotiates the duplex setting.
description text : Interface mode; sets a description for the interface.

Miscellaneous configuration commands

hostname name : Global command; sets the switch’s host name, also used as the first part of the switch’s command prompt.
enable secret pass-value : Global command; sets the switch’s password that is required for any user to reach the switch’s enable mode.
history size length : Line configuration mode; defines the number of commands held in the history buffer.
switchport port-security mac-address mac-address : Interface subcommand; statically adds an allowed MAC address on that interface.
switchport port-security mac-address sticky : Interface subcommand; tells the switch to learn MAC addresses on the interface and add them as secure addresses into its configuration.
switchport port-security maximum number : Interface subcommand; sets the maximum number of static secure MAC addresses that can be assigned to a single interface.
switchport port-security violation {protect|restrict|shutdown} : Interface subcommand; tells the switch what to do if an inappropriate MAC address tries to access the network through a secure switch port.

EXEC Command Reference…

show mac address-table : Lists dynamically learned entries in the switch’s dynamic address table.
show dhcp lease : Lists any information the switch acquires as a DHCP client, including IP address, subnet mask and default gateway.
show crypto key mypubkey rsa : Lists the public and shared keys created for use with SSH using the crypto key generate rsa global configuration command.
show interface status : Lists one output line per interface, noting the description, operating state, and settings for duplex and speed on each interface.
show interface vlan 1 : Lists interface status, the switch’s IP address and mask, and much more.
show port-security interface type number : Lists an interface’s port security configuration settings and security operational status.

Please go to ……Do I know this Already –QUIZ. – Chapter 9. :- Page 232.

Chapter 10 – Ethernet Switch Troubleshooting
Organized troubleshooting steps….

Step 1. Analyzing/predicting normal operation
Step 2. Problem isolation
Step 3. Root cause analysis

Verifying Network Topology using Cisco Discovery Protocol

The proprietary Cisco Discovery Protocol (CDP) discovers basic information about
neighbouring switches and routers, by listening to the CDP messages sent out by
neighbouring switches and routers on each of their interfaces.

CDP discovers several useful details from neighbouring Cisco devices:

Device Identifier : Typically the hostname.
Address list : Network and data-link addresses.
Local Interface : The interface on the router or switch issuing the show cdp command with which the neighbour was discovered.
Port Identifier : Text that identifies the port that the neighbouring device used to send the CDP message to the local device.
Capabilities List : Information on what type of device it is (switch, router, etc.).
Platform : The model and OS level running on the device.

show cdp commands that list information about neighbouring devices:

show cdp neighbors [type number] : Lists one summary line of information on each neighbour, or just the neighbour found on the specific interface if an interface was listed.
show cdp neighbors detail : Lists one large set (about 15 lines) of information, one set for every neighbour.
show cdp entry name (e.g. show cdp entry R1) : Lists the same information as the show cdp neighbors detail command, but only for the named neighbour (case sensitive).

no cdp enable (interface subcommand to disable CDP per interface)
cdp enable (interface subcommand to re-enable CDP per interface)
no cdp run (disables CDP globally on a switch)
cdp run (re-enables CDP globally on a switch)

Please refer to page 281 for the CDP command output listings.

Commands used to verify CDP operation

show cdp : States whether CDP is enabled globally, and lists the default update and holdtime timers.
show cdp interface [type number] : States whether CDP is enabled on each interface, or on the interface listed, and states the update and holdtime timers on those interfaces.
show cdp traffic : Lists global statistics for the number of CDP advertisements sent and received.

Analysing Layer 1 and 2 Interface Status

Two types of interface status codes:

1. Two codes or words: line status and protocol status, the same as for routers.
2. One code or word status.

The following commands list the two-code interface status:

show interfaces
show interfaces description

The following command lists the one-word interface status:

show interfaces status

The show interfaces command lists the actual speed and duplex settings but does not imply anything about how the settings were configured or autonegotiated. However, the show interfaces status command lists a prefix of a- to show that the speed and duplex settings were autonegotiated, leaving off the prefix if the settings were configured.

LAN Switch Interface Status Codes (two-word status: line status / protocol status; one-word status as shown by show interfaces status)

Administratively down / down ; one-word status: disabled. Typical root cause: the interface is configured with the shutdown command.
Down / down ; one-word status: notconnect. Typical root cause: no cable, bad cable, wrong cable pinouts, the speeds are mismatched on the two connected devices, the device on the other end of the cable is powered off, or the other interface is shut down.
Up / down ; one-word status: notconnect. An up/down state is not expected on a LAN switch interface.
Down / down (err-disabled) ; one-word status: err-disabled. Typical root cause: port security has disabled the interface.
Up / up ; one-word status: connect. The interface is working.

Interface SPEED and DUPLEX issues

Interfaces can use autonegotiation, or the speed {10|100|1000} and duplex {half|full} interface subcommands can set the speed and duplex settings, which disables autonegotiation.

show interfaces and show interfaces status both list the speed and duplex settings.

When the IEEE autonegotiation process works on both devices, both devices agree on the fastest speed supported by both, and on full duplex if it is supported by both devices, otherwise half duplex. (The Cisco 2960 switch supports full duplex.) However, when one device disables autonegotiation (by manually setting speed and duplex) and the other device uses autonegotiation, the device using autonegotiation sets its default duplex setting based on the current speed. The defaults are as follows….

• If the speed is not known, use 10 Mbps, half duplex.
• If the speed is somehow known to be 10 or 100 Mbps, default to half duplex.
• If the speed is somehow known to be 1000 Mbps, default to full duplex.

If the duplex settings do not match on the two ends of an Ethernet segment, the switch interface will still be in an up/up (connect) state, but the interface will work poorly.

To troubleshoot a duplex mismatch, check the duplex settings on each end of the link, or watch for increasing collision and late collision counters.

Common Layer 1 problems on working interfaces

Interface counters for Layer 1 problems

show interfaces fa0/13

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
95226 packets output
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred

Please refer to page 288 for a full listing

CRC counter : Cyclic Redundancy Check counter, a count of frames discarded because the FCS check failed.

Collision counter : count of collisions that occurred in the first 64 bytes of the frame.

Late collision counter : count of collisions that occurred after the first 64 bytes of the frame had already been sent.

A significant problem exists if more than 0.1% of the total output packets have collided.

Incrementing late collisions point to one of two things…

• The interface is connected to a collision domain whose cabling exceeds Ethernet cabling length standards.
• The interface is using half duplex and the device on the other end of the cable is using full duplex.

Common LAN Layer 1 problem indicators

Excessive noise (interference) : counter values indicating this problem: many input errors, few collisions. Common root cause: wrong cable category (Cat 5, 5e, 6), damaged cables, EMI.
Collisions : more than roughly 0.1% of all frames are in collision. Common root cause: duplex mismatch (seen on the half-duplex side), jabber, DoS attack.
Late collisions : increasing late collisions. Common root cause: collision domain or single cable too long, duplex mismatches.
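An added Python example (not from the book or these notes) that applies the table above together with the autonegotiation defaults from the duplex section: parse_counters reads the Layer 1 counters out of show interfaces text, diagnose classifies them as noise, excessive collisions or late collisions using the 0.1% rule of thumb, and autonegotiating_side / duplex_mismatch reproduce what happens when one end has autonegotiation disabled. The two show interfaces excerpts are constructed, not the book's listing.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed show interfaces excerpts (not the book's listing). The first is a clean
# full-duplex port; the second is the half-duplex side of a duplex mismatch.
CLEAN_PORT = """\
FastEthernet0/13 is up, line protocol is up (connected)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
     95226 packets input, 10283218 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     95226 packets output, 10120181 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

MISMATCHED_PORT = """\
FastEthernet0/14 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100BaseTX
     120400 packets input, 99120233 bytes, 0 no buffer
     2 input errors, 2 CRC, 0 frame, 0 overrun, 0 ignored
     80100 packets output, 40133002 bytes, 0 underruns
     0 output errors, 1512 collisions, 3 interface resets
     0 babbles, 214 late collision, 77 deferred
"""

COUNTER_PATTERNS = {
    "duplex": r"(Full|Half)-duplex",
    "packets_input": r"(\d+) packets input",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "packets_output": r"(\d+) packets output",
    "collisions": r"(\d+) collisions",
    "late_collisions": r"(\d+) late collision",
}

COLLISION_THRESHOLD = 0.001   # the notes' "roughly .1% of output frames" rule of thumb


def parse_counters(text: str) -> Dict[str, object]:
    """Pull the Layer 1 counters used in the table above out of show interfaces output."""
    parsed: Dict[str, object] = {}
    for key, pattern in COUNTER_PATTERNS.items():
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"counter not found: {key}")
        parsed[key] = m.group(1).lower() if key == "duplex" else int(m.group(1))
    return parsed


def diagnose(counters: Dict[str, object]) -> List[str]:
    """Apply the common-problem table: noise, excessive collisions, late collisions."""
    problems: List[str] = []
    out = max(int(counters["packets_output"]), 1)
    inp = max(int(counters["packets_input"]), 1)
    collision_rate = int(counters["collisions"]) / out
    error_rate = int(counters["input_errors"]) / inp
    if error_rate > COLLISION_THRESHOLD and collision_rate <= COLLISION_THRESHOLD:
        problems.append("excessive noise: many input errors with few collisions "
                        "(wrong cable category, damaged cable, EMI)")
    if collision_rate > COLLISION_THRESHOLD:
        problems.append(f"collisions on {collision_rate:.2%} of output frames: "
                        "duplex mismatch (half-duplex side), jabber or DoS")
    if int(counters["late_collisions"]) > 0:
        cause = "duplex mismatch" if counters["duplex"] == "half" else "cable too long"
        problems.append(f"late collisions present: {cause} most likely")
    return problems


def autonegotiating_side(sensed_speed: Optional[int]) -> Tuple[int, str]:
    """Settings an autonegotiating port falls back to when its peer has autonegotiation
    disabled (speed and duplex set manually), following the defaults in the notes."""
    if sensed_speed is None:
        return 10, "half"
    return sensed_speed, ("full" if sensed_speed == 1000 else "half")


def duplex_mismatch(fixed_speed: int, fixed_duplex: str) -> bool:
    """True if a manually configured port facing an autonegotiating peer ends up mismatched."""
    _, peer_duplex = autonegotiating_side(fixed_speed)
    return peer_duplex != fixed_duplex


if __name__ == "__main__":
    for sample in (CLEAN_PORT, MISMATCHED_PORT):
        print(sample.splitlines()[0], diagnose(parse_counters(sample)))
    print("speed 100 / duplex full vs auto peer mismatched:", duplex_mismatch(100, "full"))
```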

Jabber : frames sent by a device continuously without a break, not conforming to Ethernet standards.

Analysing the Layer 2 forwarding path with MAC address table

show mac address-table
show mac address-table dynamic

Both list the contents of the switch’s MAC address table (the second lists only the dynamically learned entries).

The switch’s forwarding logic can be summarized as follows….

Step 1. Determine the VLAN in which the frame should be forwarded. On access
interfaces this is based on the access VLAN associated with the incoming interface.

Step 2. Look for the frame’s destination MAC address in the MAC address table, but only among the entries for the VLAN identified in Step 1. If the destination MAC is …

A. Found (unicast) : forward the frame out only the interface listed in the matched address table entry.

B. Not found (unicast) : flood the frame out all other interfaces in that same VLAN, except the incoming interface.

C. Broadcast or multicast : flood the frame out all other interfaces in that same VLAN, except the incoming interface.

(Figure: Fred (0200.1111.1111) on SW1 Fa0/9 and Barney (0200.2222.2222) on SW1 Fa0/12; SW1 Gi0/1 connects to SW2 Gi0/2; R1 (0200.5555.5555) is attached to SW2 Fa0/13, with an interface labelled Fa0/1 at the R1 end of that link)

Barney forwards a frame to its default gateway router R1 and the following forwarding
steps occurs…

Step 1. SW1 receives the frame on its Fa0/12 interface and sees that it is assigned to
VLAN1.

Step 2. SW1 looks for its MAC table entry for 0200.5555.5555 in the incoming
interfaces VLAN (VLAN1), in its MAC address table.

a) SW1 finds an entry, associated with VLAN1, outgoing interface Gi0/1, and SW1
forwards the frame out only the interface Gi0/1.

The frame is now on its way to SW2, and the steps below explain SW2’s forwarding logic…

Step 1. SW2 receives the frame on its Gi0/2 interface and sees that it is assigned to VLAN 1.

Step 2. SW2 looks for its MAC table entry for 0200.2222.2222 in the incoming interface’s VLAN (VLAN 1), in its MAC address table.

a) SW2 finds an entry, associated with VLAN 1, outgoing interface Fa0/13, and SW2 forwards the frame out only the interface Fa0/13.

At this point the frame should be on its way over the Ethernet cable between SW2 and R1.
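The two-hop walkthrough above as Python, added here as an example (not from the book or the notes): Switch.forward implements Steps 1 and 2, including the VLAN-scoped lookup, unknown-unicast and broadcast flooding and source-address learning, and Lan.send chains the SW1 to SW2 hop. The lookup key at both switches is the frame's destination MAC, 0200.5555.5555 for R1; the SW2 Fa0/1 port is assumed to sit in VLAN 2 so that the VLAN scoping of flooding is visible, and the pre-loaded MAC table entries are the ones the walkthrough assumes were already learned.

```python
from typing import Dict, List, Tuple

BROADCAST = "ffff.ffff.ffff"


def is_group_address(mac: str) -> bool:
    """Broadcast or multicast: the I/G bit (low bit of the first byte) is set."""
    return int(mac[:2], 16) & 1 == 1


class Switch:
    """Transparent LAN switch with a per-VLAN MAC address table (Steps 1 and 2 above)."""

    def __init__(self, name: str, access_vlans: Dict[str, int]):
        self.name = name
        self.access_vlans = access_vlans                  # interface -> access VLAN
        self.mac_table: Dict[Tuple[int, str], str] = {}   # (vlan, mac) -> interface

    def forward(self, in_iface: str, src: str, dst: str) -> List[str]:
        """Return the list of egress interfaces for one frame received on in_iface."""
        vlan = self.access_vlans[in_iface]                # Step 1: VLAN of the access port
        self.mac_table[(vlan, src)] = in_iface            # learn the source address
        entry = self.mac_table.get((vlan, dst))           # Step 2: lookup scoped to the VLAN
        if entry is None or is_group_address(dst):        # 2B unknown unicast / 2C group
            return sorted(i for i, v in self.access_vlans.items()
                          if v == vlan and i != in_iface)  # flood within the VLAN
        return [entry]                                    # 2A known unicast


class Lan:
    """Switches joined by switch-to-switch links, mirroring the SW1/SW2 figure."""

    def __init__(self, switches: Dict[str, Switch],
                 links: Dict[Tuple[str, str], Tuple[str, str]]):
        self.switches = switches
        # Cabling in both directions: (switch, iface) -> (peer switch, peer iface)
        self.links = dict(links)
        self.links.update({b: a for a, b in links.items()})

    def send(self, switch: str, in_iface: str, src: str, dst: str) -> List[Tuple[str, str]]:
        """Trace a frame through the LAN; returns every (switch, egress interface) hop."""
        hops: List[Tuple[str, str]] = []
        for out in self.switches[switch].forward(in_iface, src, dst):
            hops.append((switch, out))
            nxt = self.links.get((switch, out))
            if nxt:                                       # frame crosses to the other switch
                hops.extend(self.send(nxt[0], nxt[1], src, dst))
        return hops


def build_figure_lan() -> Lan:
    """SW1: Fred Fa0/9, Barney Fa0/12, uplink Gi0/1. SW2: uplink Gi0/2, R1 Fa0/13, Fa0/1.
    Everything is in VLAN 1 as in the figure except SW2 Fa0/1, assumed here to be in
    VLAN 2 so that flooding stays inside VLAN 1."""
    sw1 = Switch("SW1", {"Fa0/9": 1, "Fa0/12": 1, "Gi0/1": 1})
    sw2 = Switch("SW2", {"Gi0/2": 1, "Fa0/13": 1, "Fa0/1": 2})
    # MAC table contents the walkthrough assumes were already learned.
    sw1.mac_table.update({(1, "0200.1111.1111"): "Fa0/9", (1, "0200.5555.5555"): "Gi0/1"})
    sw2.mac_table.update({(1, "0200.5555.5555"): "Fa0/13"})
    return Lan({"SW1": sw1, "SW2": sw2}, {("SW1", "Gi0/1"): ("SW2", "Gi0/2")})


if __name__ == "__main__":
    lan = build_figure_lan()
    print("Barney -> R1:", lan.send("SW1", "Fa0/12", "0200.2222.2222", "0200.5555.5555"))
    print("R1 -> Barney:", lan.send("SW2", "Fa0/13", "0200.5555.5555", "0200.2222.2222"))
    print("Barney broadcast:", lan.send("SW1", "Fa0/12", "0200.2222.2222", BROADCAST))
```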

Port Security and Filtering

Switches and Routers can use ACL – Access Control List to filter traffic to a port.

With the protect or restrict port-security violation modes, the switch discards the offending frame but leaves the interface in a connect (up/up) status.

CDP Neighbour : A device on the other end of some communication cable that advertise
CDP updates

Up and Up : Jargon referring to two interface status on a cisco switch or router (line
status and protocol status)

Error disabled : An interface state on a Cisco switch that is the result of one of many security violations.

Problem Isolation : Part of the troubleshooting process in which an engineer attempts to rule out the possible causes of the problem until the root cause is identified.

Root Cause : A troubleshooting term that refers to the reason why a problem exists, especially a reason for which, if changed, the problem would be either solved or changed to a different problem.

Cisco Catalyst 2950 switch configuration commands

shutdown / no shutdown : Interface subcommand; administratively disables or enables the interface, respectively.
switchport port-security violation {protect|restrict|shutdown} : Interface subcommand; tells the switch what to do in the case of a violation, in which an inappropriate MAC address tries to access the network through a secure switch port.
cdp run / no cdp run : Global command; enables or disables CDP for the entire switch or router.
cdp enable / no cdp enable : Interface subcommand; enables or disables CDP on a particular interface.
speed {10|100|1000} : Interface subcommand; manually sets the interface speed.
duplex {auto|half|full} : Interface subcommand; manually sets the interface duplex.

EXEC command reference….

show mac address-table [dynamic|static] [address hw-address] [interface interface-id] [vlan vlan-id] : Displays the MAC address table. The security option displays information about the restricted and static settings.
show port-security [interface interface-id] [address] : Displays information about the security options configured on an interface.
show cdp neighbors [type number] : Lists one summary line of information about each neighbour, or just the neighbour found on the specified interface.
show cdp neighbors detail : Lists one large set (15 lines) of information for every neighbour.
show cdp entry name : Displays the same information as show cdp neighbors detail, but only for the specified neighbour.
show cdp : States whether CDP is enabled globally, and lists the default update and holdtime timers.
show cdp interface [type number] : States whether CDP is enabled on each interface, or on the interface if one is specified, and lists the update and holdtime timers.
show cdp traffic : Displays global statistics of CDP advertisements sent and received.
show interfaces [type number] : Displays detailed information about interface status, settings and counters.
show interfaces status [type number] : Displays summary information about interface status and settings, including actual speed and duplex and whether the interface was autonegotiated.

Please go to ……Do I know this Already –QUIZ. – Chapter 10. :- Page 268.

Chapter 11 – Wireless LANs

WLAN standards organizations and their roles…

Organizations that set or influence WLAN standards:

ITU-R : Worldwide standardisation of communications that use radiated energy, particularly managing the assignment of frequencies.
IEEE : Standardisation of wireless LANs (802.11).
Wi-Fi Alliance : An industry consortium that encourages interoperability of products that implement WLAN standards through its Wi-Fi Certified programme.
Federal Communications Commission (FCC) : The US government agency that regulates the usage of various communication frequencies in the US.

WLAN Standards – Comparison between 802.11a, 802.11b and 802.11g

Feature                                     802.11a   802.11b       802.11g
Year ratified                               1999      1999          2003
Maximum speed using DSSS                    -         11 Mbps       11 Mbps
(Direct Sequence Spread Spectrum)
Maximum speed using OFDM                    54 Mbps   -             54 Mbps
Frequency band                              5 GHz     2.4 GHz       2.4 GHz
Channels (non-overlapping in brackets)      23 (12)   11 (3)        11 (3)
Speeds required by the standard (Mbps)      6,12,24   1,2,5.5,11    6,12,24

Modes of 802.11 Wireless LANs – WLAN modes, their formal names and description.

Ad hoc : Independent Basic Service Set (IBSS). Allows two devices to communicate directly; NO Access Point (AP) is required.
Infrastructure (one AP) : Basic Service Set (BSS). A single wireless LAN created with an AP and all devices associated with that AP.
Infrastructure (more than one AP) : Extended Service Set (ESS). Multiple APs create one wireless LAN, allowing roaming and a larger coverage area.

Unlicensed bands, their general names, and the devices/standards that use each band (FCC unlicensed frequency bands of interest…)

900 KHz : Industrial, Scientific, Mechanical (ISM). Sample devices: older cordless telephones.
2.4 GHz : ISM. Sample devices: newer cordless phones, microwave ovens, and the 802.11, 802.11b and 802.11g WLAN standards.
5 GHz : Unlicensed National Information Infrastructure (U-NII). Sample devices: newer cordless phones and 802.11a, 802.11n WLANs.

Licensed bands are used for FM/AM radio, short-wave radio for police communications, and mobile phones.

Direct Sequence Spread Spectrum (DSSS) has a bandwidth of 82 MHz, with a range from 2.402 GHz to 2.483 GHz. As regulated by the FCC, this band can have 11 overlapping DSSS channels.

Although many of the channels shown in the figure overlap, three of the channels (those at the far left, far right and centre) do not overlap enough to impact each other. These channels (channels 1, 6 and 11) can be used in the same space for WLAN communication and they won’t interfere with each other…

(Figure: Eleven overlapping DSSS channels at 2.4 GHz – RF channels 1 to 11 across the 2.4 GHz frequency spectrum)

(Figure: Using non-overlapping DSSS 2.4 GHz channels in an ESS WLAN – AP1 on channel 1, AP2 on channel 6 and AP3 on channel 11, with PC1 and PC2 associated with different APs; DSSS frequencies showing three non-overlapping channels)

In this design, devices in one BSS can send at the same time as the other two BSSs without interfering, because each uses the slightly different frequencies of the non-overlapping channels. PC1 and PC2 could sit next to each other and communicate with two different APs using two different channels at the same time. This design is typical of 802.11b WLANs, with each cell running at the rate of 11 Mbps. With non-overlapping channels, each half-duplex BSS can run at 11 Mbps, for a cumulative bandwidth of 33 Mbps. The cumulative bandwidth is called the WLAN capacity.

Encoding class and the standard that uses it:

Frequency Hopping Spread Spectrum (FHSS) : 802.11
Direct Sequence Spread Spectrum (DSSS) : 802.11b
Orthogonal Frequency Division Multiplexing (OFDM) : 802.11a, 802.11g

The emerging 802.11n uses OFDM as well as MIMO (Multiple Input Multiple Output).

Wireless Interference

Walls, floors, ceilings and matter that has a lot of metal in it can cause radio signals to lose strength, scatter and create dead spots.

One key measurement of the interference is the Signal-to-Noise Ratio (SNR). This
calculation measures the WLAN signals as compared to the other undesired signals
(noise) in the same space. The higher the SNR, the better the WLAN can send data
successfully.

Coverage Area, Speed and Capacity

The power of an AP is measured based on the Effective Isotropic Radiated Power (EIRP)
calculation. It is the power of the signal as it leaves the antenna.

(Figure: Coverage area and speed – concentric coverage rings around AP1 at 11 Mbps, 5.5 Mbps, 2 Mbps and 1 Mbps, the speed dropping as the distance from the AP increases)

WLAN speed and frequency reference….

IEEE Standard   Maximum Speed   Other Speeds (Mbps)        Frequency   Non-overlapping Channels
802.11b         11 Mbps         1, 2, 5.5                  2.4 GHz     3
802.11a         54 Mbps         6, 9, 12, 18, 24, 36, 48   5 GHz       12
802.11g         54 Mbps         6, 9, 12, 18, 24, 36, 48   2.4 GHz     3

Media Access (Layer 2)

The solution to the media access problem with WLAN is to use the carrier sense multiple
access with collision avoidance (CSMA/CA) algorithm.

CSMA/CA algorithm…

Step 1. Listen to ensure that the medium (space) is not busy: no radio waves are currently being received at the frequencies to be used.

Step 2. Set a random timer before sending a frame, to statistically reduce the chance of all devices trying to send at the same time.

Step 3. When the random timer has passed, listen to ensure that the medium is not busy; if it isn’t, send the frame.

Step 4. After the entire frame has been sent, wait for an acknowledgement.

Step 5. If no acknowledgement is received, resend the frame using CSMA/CA logic to wait for the appropriate time to send again.

WLAN Implementation Checklist

Step 1. Verify that the existing wired network works, including DHCP services, VLANs
and Internet connectivity

By verifying the switch port access VLANs and by connecting a laptop to the switch port
and verifying that it acquires an IP address, mask and default gateway, and the pc can
communicate to other hosts in the network.

Step 2. Install and configure the AP, verify its connectivity to the wired network,
including its IP address, mask and default gateway

An AP connects to the switch port using a straight-through Ethernet cable.

Step 3. Configure and verify APs wireless setting, including Service Set Identifier (SSID)
but no security

WLAN configuration features….

• IEEE standard (a, b, g or multiple)
• Wireless channels
• Service Set Identifier (SSID, a 32-character text identifier for the WLAN)
• Transmit power

APs within a same ESS WLAN should be configured with the same SSID.

Step 4. Install and configure one wireless client (laptop) again with no security

The WLAN NIC in a WLAN client such as a laptop can automatically detect a WLAN AP, learn its SSID, and connect to the AP with the strongest signal.

Cisco Compatible Extensions Programme (CCX) : Tests and verifies that a manufacturer’s WLAN NIC works well with a Cisco AP.

Microsoft Zero Configuration Utility (ZCF) : An OS utility which allows PCs to automatically discover the SSIDs of all WLANs whose APs are within range of the NIC.

Step 5. Verify WLAN works from the client laptop

Common WLAN installation problems and related work done in the site survey…

• Is the AP at the centre of the area where the clients reside?
• Is the AP or client right next to a lot of metal?
• Is the AP or client next to a lot of interference, such as a microwave oven or gaming system?
• Is the AP coverage wide enough to reach the clients?

Other common problems….

• Check to make sure the AP and client radios are enabled (radio switches are turned on).
• Check the AP to ensure it has the latest firmware.
• Check the AP configuration, especially the channel configuration, to ensure that it does not use channels that overlap with other APs in the same location.
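An added Python example (not from the book or these notes) tying together the non-overlapping-channel discussion earlier and the channel-configuration check in the list above: it computes which 2.4 GHz DSSS channels overlap, audits a constructed three-AP channel plan for adjacent cells on overlapping channels, and derives the cumulative capacity figure (33 Mbps for three clean 11 Mbps cells). The 5 MHz channel spacing, 2412 MHz first centre and 22 MHz channel width are standard 802.11b values assumed here; the notes give only the band limits and the channel count.

```python
from typing import Dict, List, Tuple

# 802.11b DSSS in the FCC 2.4 GHz band: channels 1-11, centres 5 MHz apart starting at
# 2412 MHz, each channel 22 MHz wide. Spacing, first centre and width are standard
# 802.11b values assumed here; the notes give only the band (2.402-2.483 GHz) and the count.
FIRST_CENTRE_MHZ = 2412
CHANNEL_SPACING_MHZ = 5
CHANNEL_WIDTH_MHZ = 22
CELL_RATE_MBPS = 11   # 802.11b cell rate used for the capacity figure in the notes


def centre_frequency_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz DSSS channel."""
    if not 1 <= channel <= 11:
        raise ValueError("FCC 2.4 GHz DSSS channels are 1 to 11")
    return FIRST_CENTRE_MHZ + CHANNEL_SPACING_MHZ * (channel - 1)


def channels_overlap(a: int, b: int) -> bool:
    """Two DSSS channels overlap when their centres are closer than one channel width."""
    return abs(centre_frequency_mhz(a) - centre_frequency_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_channels() -> List[int]:
    """Greedy pick of mutually non-overlapping channels from the low end of the band."""
    chosen: List[int] = []
    for ch in range(1, 12):
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def audit_channel_plan(ap_channels: Dict[str, int],
                       adjacent: List[Tuple[str, str]]) -> List[str]:
    """Flag adjacent APs (cells whose coverage meets) whose channels overlap in frequency."""
    findings: List[str] = []
    for a, b in adjacent:
        if channels_overlap(ap_channels[a], ap_channels[b]):
            findings.append(f"{a} (channel {ap_channels[a]}) overlaps {b} "
                            f"(channel {ap_channels[b]}): the cells will interfere")
    return findings


def wlan_capacity_mbps(ap_channels: Dict[str, int],
                       adjacent: List[Tuple[str, str]]) -> int:
    """Simplified capacity model: adjacent cells on overlapping channels share one cell's
    airtime, so capacity is CELL_RATE_MBPS per group of mutually interfering cells."""
    parent = {ap: ap for ap in ap_channels}

    def root(x: str) -> str:
        while parent[x] != x:
            x = parent[x]
        return x

    for a, b in adjacent:
        if channels_overlap(ap_channels[a], ap_channels[b]):
            parent[root(a)] = root(b)       # union interfering cells into one group
    groups = {root(ap) for ap in ap_channels}
    return CELL_RATE_MBPS * len(groups)


# Constructed plans matching the three-AP ESS figure: the AP1/AP2 and AP2/AP3 cells meet.
GOOD_PLAN = {"AP1": 1, "AP2": 6, "AP3": 11}
BAD_PLAN = {"AP1": 1, "AP2": 3, "AP3": 11}
ADJACENT = [("AP1", "AP2"), ("AP2", "AP3")]


if __name__ == "__main__":
    print("non-overlapping channels:", non_overlapping_channels())
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, audit_channel_plan(plan, ADJACENT),
              f"capacity {wlan_capacity_mbps(plan, ADJACENT)} Mbps")
```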

Step 6. Configure WLAN security on AP and Client

Step 7. Verify WLAN works again in the presence of security features

WLAN Security Issues

WLAN vulnerabilities and solutions

Vulnerability                                           Solution
War drivers (attackers who drive around looking         Strong authentication
  for an AP with weak or no security)
Hackers stealing information in a WLAN                  Strong encryption
Hackers gaining access to the rest of the network       Strong authentication
Employee AP installation                                Intrusion Detection System (IDS),
                                                        including Cisco Structured Wireless-
                                                        Aware Network (SWAN)
Rogue AP (an attacker sets up a rogue AP after          Strong authentication, IDS, SWAN
  learning the SSID of an existing WLAN and gets
  the enterprise's clients to connect to it)
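The last two rows of the table are what a wireless IDS actually looks for. The following added example (mine, not from these notes, the study guide or any Cisco product) compares a wireless scan against an inventory of authorised APs and flags an employee-installed AP and a rogue AP that clones the corporate SSID. The inventory, the scan results and the SSID "Corp-WLAN" are constructed; in practice a WIDS sensor or the controller's rogue-AP report supplies the scan.

```python
# Added example (not from the CCENT notes): detect the two AP problems in the table
# above, an employee-installed AP and a rogue AP cloning the corporate SSID, by
# comparing beacons seen in a scan against an inventory of authorised APs.
# Inventory, SSID and scan data are constructed for this example.

from dataclasses import dataclass

CORPORATE_SSID = "Corp-WLAN"

# BSSID (AP radio MAC) -> channel it is authorised to use.  Constructed inventory.
AUTHORISED_APS = {
    "0011.2233.4401": 1,
    "0011.2233.4406": 6,
    "0011.2233.4411": 11,
}


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str        # empty string when the AP cloaks its SSID in beacons
    channel: int
    rssi_dbm: int


def classify(beacon: Beacon) -> str:
    """Return one of: authorised, misconfigured, rogue-clone, cloaked, unknown-ap."""
    if beacon.bssid in AUTHORISED_APS:
        if beacon.channel != AUTHORISED_APS[beacon.bssid]:
            return "misconfigured"      # our AP, but not on its planned channel
        return "authorised"
    if beacon.ssid == CORPORATE_SSID:
        return "rogue-clone"            # unknown radio advertising our SSID
    if beacon.ssid == "":
        return "cloaked"                # cannot judge from beacons alone; needs a probe
    return "unknown-ap"                 # e.g. an employee-installed AP


def rogue_report(scan: list[Beacon]) -> dict[str, list[str]]:
    """Group observed BSSIDs by classification, leaving out the authorised ones."""
    report: dict[str, list[str]] = {}
    for beacon in scan:
        verdict = classify(beacon)
        if verdict != "authorised":
            report.setdefault(verdict, []).append(beacon.bssid)
    return report


# Constructed scan: what a site-survey tool or WIDS sensor might see on one floor.
SAMPLE_SCAN = [
    Beacon("0011.2233.4401", "Corp-WLAN", 1, -48),
    Beacon("0011.2233.4406", "Corp-WLAN", 8, -55),   # authorised AP, wrong channel
    Beacon("00aa.bbcc.dd01", "Corp-WLAN", 6, -40),   # unknown radio with our SSID
    Beacon("00aa.bbcc.dd02", "linksys", 11, -70),    # employee-installed AP
    Beacon("00aa.bbcc.dd03", "", 3, -75),            # cloaked; needs active probing
]

if __name__ == "__main__":
    for verdict, bssids in rogue_report(SAMPLE_SCAN).items():
        print(f"{verdict:14s} {', '.join(bssids)}")
```

Note that the rogue clone in the sample has the strongest signal (-40 dBm); since clients pick the AP with the strongest signal, that is exactly how it captures them. A BSSID can be spoofed as easily as an SSID, so inventory matching is a first filter for the IDS, not proof; what stops clients from trusting a clone is the strong authentication the table pairs with it.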

WLAN Security Standards


Name                                               Year    Who defined it
Wired Equivalent Privacy (WEP)                     1997    IEEE
Interim Cisco solution while waiting for 802.11i   2001    Cisco, building on IEEE 802.1x and the
                                                           Extensible Authentication Protocol (EAP)
Wi-Fi Protected Access (WPA)                       2003    Wi-Fi Alliance
802.11i (WPA2)                                     2005+   IEEE

Vendors introduced two additional security features: SSID cloaking and MAC filtering.

SSID Cloaking : The AP omits the SSID from the beacons it sends out and reveals it only in
response to a probe request from a WLAN client.

MAC Filtering : The AP is configured with a list of allowed WLAN client MAC addresses and
ignores the rest.

Neither feature is a substitute for authentication and encryption: the SSID is still sent in
the clear in probe exchanges, and a client MAC address can be copied from the air and spoofed.

Cisco interim solution between WEP and 802.11i:

• Dynamic key exchange (instead of a static preshared key)
• User authentication using 802.1x
• A new encryption key for each packet

Wi-Fi Protected Access (WPA)

WPA includes the option to use dynamic key exchange, using the Temporal Key Integrity
Protocol (TKIP). WPA allows either IEEE 802.1x user authentication or simpler device
authentication using preshared keys. Its encryption also adds a Message Integrity Check
(MIC), similar to the one used in the Cisco proprietary solution.
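The "new encryption key for each packet" item in the Cisco list and WPA's TKIP both address the same weakness of WEP's static key. The added example below (mine, not from these notes, the study guide or any vendor) shows that weakness: WEP builds each frame's RC4 key from a short 24-bit IV plus the static key, so once an IV repeats, two frames share a keystream and XORing their ciphertexts cancels the keystream out. RC4 is implemented inline so the script runs offline; the key, IV and frame contents are constructed, and the per-packet key derivation (a hash of key and packet counter) is a stand-in for TKIP's real key-mixing function, not a reproduction of it.

```python
# Added example (not from the CCENT notes): why a static shared key with a short
# per-frame IV (WEP) is weak, and what deriving a fresh key per packet (Cisco
# interim solution / WPA TKIP) buys.  RC4 is implemented inline so this runs
# offline.  Key, IV and frames are constructed; the SHA-256 per-packet derivation
# is a stand-in for TKIP's key-mixing function, not TKIP itself.

import hashlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), shown only to illustrate stream-cipher behaviour."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_style_encrypt(static_key: bytes, iv: bytes, frame: bytes) -> bytes:
    """WEP-like: per-frame RC4 key is IV || static key, with the IV sent in clear.
    The 24-bit IV space is small, so the same IV (and keystream) recurs in practice."""
    return xor(frame, rc4_keystream(iv + static_key, len(frame)))


def per_packet_encrypt(static_key: bytes, packet_number: int, frame: bytes) -> bytes:
    """Per-packet key idea: mix a never-repeating counter into the key before RC4.
    (Stand-in derivation; real TKIP uses its own mixing function.)"""
    packet_key = hashlib.sha256(static_key + packet_number.to_bytes(6, "big")).digest()
    return xor(frame, rc4_keystream(packet_key, len(frame)))


def recover_with_reused_keystream(ct_known: bytes, pt_known: bytes, ct_target: bytes) -> bytes:
    """If two frames share a keystream, XOR of ciphertexts equals XOR of plaintexts,
    so one known plaintext reveals the other frame."""
    return xor(xor(ct_known, ct_target), pt_known)


STATIC_KEY = b"\x13\x37\xca\xfe\x42"      # constructed 40-bit WEP-style key
FRAME_A = b"user=alice&pin=4471"          # constructed frame whose content we know
FRAME_B = b"user=bob12&pin=9083"          # constructed frame we want to read (same length)


def demo() -> dict[str, bytes]:
    """Attack the same pair of frames under a static key and under per-packet keys."""
    iv = b"\x00\x00\x01"                   # same IV twice, as happens once the IV space wraps
    ct_a = wep_style_encrypt(STATIC_KEY, iv, FRAME_A)
    ct_b = wep_style_encrypt(STATIC_KEY, iv, FRAME_B)
    static_result = recover_with_reused_keystream(ct_a, FRAME_A, ct_b)

    ct_a2 = per_packet_encrypt(STATIC_KEY, 1, FRAME_A)
    ct_b2 = per_packet_encrypt(STATIC_KEY, 2, FRAME_B)
    per_packet_result = recover_with_reused_keystream(ct_a2, FRAME_A, ct_b2)
    return {"static_key": static_result, "per_packet_key": per_packet_result}


if __name__ == "__main__":
    for scheme, recovered in demo().items():
        print(f"{scheme:15s} attacker recovers: {recovered!r}")
```

Under the static key the second frame is recovered exactly; with a distinct key per packet the same XOR trick yields noise. Per-packet keys remove this particular failure but not RC4's own weaknesses, which is why 802.11i moved to AES.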

IEEE 802.11i (WPA2) includes dynamic key exchange, much stronger encryption, and user
authentication. 802.11i uses the Advanced Encryption Standard (AES).

Standard         Key distribution   Device authentication   User authentication   Encryption
WEP              Static             Yes (weak)              None                  Yes (weak)
Cisco            Dynamic            Yes                     Yes (802.1x)          Yes (TKIP)
WPA              Both               Yes                     Yes (802.1x)          Yes (TKIP)
802.11i (WPA2)   Both               Yes                     Yes (802.1x)          Yes (AES)

Definitions….

802.11a : IEEE standard for wireless LANs using the U-NII (Unlicensed National Information
Infrastructure) 5 GHz spectrum, OFDM encoding, and speeds of up to 54 Mbps.

802.11b : IEEE standard for wireless LANs using the ISM (2.4 GHz) spectrum, DSSS encoding,
and speeds of up to 11 Mbps.

802.11g : IEEE standard for wireless LANs using the ISM (2.4 GHz) spectrum, OFDM or DSSS
encoding, and speeds of up to 54 Mbps.

802.11i : IEEE standard for wireless LAN security including authentication and
encryption.

Access Point : A wireless LAN device that provides the means by which wireless clients can
send data to each other and to the rest of the wired LAN, the Access Point connecting the
wireless LAN to the wired Ethernet LAN.

Ad-hoc Mode : In a wireless LAN, a mode of operation in which the clients send data directly
to each other without using an Access Point.

Basic Service Set (BSS) : A Wireless LAN with a single Access Point (AP)

CSMA/CA : Carrier Sense Multiple Access with Collision Avoidance, a media access mechanism
that defines how devices decide when to send, with the goal of avoiding collisions as much as
possible. IEEE WLANs use CSMA/CA.

Direct Sequence Spread Spectrum (DSSS) : A method of encoding data for transmission over a
WLAN in which devices use one of 11 nearby frequencies (channels) in the 2.4 GHz range.

Extended Service Set (ESS) : A wireless LAN with multiple access points that together form
one WLAN, allowing roaming between APs.

Frequency Hopping Spread Spectrum (FHSS) : A method of encoding data in a WLAN in which each
transmission occurs on a different nearby frequency band from the prior transmission. Not
used in modern WLAN standards.

Infrastructure Mode : A mode of WLAN operation in which WLAN clients send and receive data
through APs, which also lets the clients reach the wired LAN infrastructure. In
infrastructure mode, WLAN clients do not send to each other directly.

Orthogonal Frequency Division Multiplexing (OFDM) : A method of encoding data in a WLAN that
allows higher data rates than the FHSS and DSSS encoding methods.

Service Set Identifier (SSID) : A text value (up to 32 characters) used to uniquely identify
a single WLAN.

Wi-Fi Alliance : An organization formed by many companies in the wireless industry for the
purpose of getting multivendor-certified wireless products to market in a more timely
fashion.

Wi-Fi Protected Access (WPA) : A trademarked name of the Wi-Fi Alliance for a set of security
specifications that predated the IEEE 802.11i security standard.

Wired Equivalent Privacy (WEP) : An early WLAN security specification that used relatively
weak security mechanisms: preshared keys only, and either no encryption or weak encryption.

WLAN Client : A wireless device that wants access to a wireless access point in order to
communicate with other wireless devices or with devices connected to the wired LAN.

WPA2 : The Wi-Fi Alliance's trademarked name for the same set of security standards as IEEE
802.11i.

Please go to the "Do I Know This Already?" quiz for Chapter 11, page 300 of the study guide.
