VLANS Crib Notes

These are my ‘crib notes’ that I’ve made to serve as a last minute refresher. Please forgive the grammar / spelling as I did not develop these notes with publishing in mind.

VLANS

***theory***

  • Best practice – 1 VLAN per IP subnet
  • Broadcast – Routers can accept and generate broadcasts, but they cannot forward them
  • VLAN 1 and VLANs 1002 – 1005 are shipped by default
  • Native VLAN – Default on Cisco is VLAN 1. All unassigned hosts are on the native VLAN
  • Static VLAN – Dependent on host port
  • Dynamic VLAN – Dependent on host MAC address, uses a VLAN Membership Policy Server (VMPS – uses UDP). A host can move from port to port or switch to switch and its VLAN assignment is based on its MAC address. Uses a TFTP server to map addresses. PortFast is enabled by default for dynamic VLANs. Don’t use port security. A dynamic port cannot be a trunk port
  • VLAN.dat – VLANs are kept in a separate file. Must be deleted separately; not done with erase
  • VLAN database – using CTRL+Z will not save the config. Must type apply
  • Dynamic Desirable Trunking – Port is actively trying to form a trunk
  • Troubleshooting – Check port speed/duplex and check the MAC table
  • ISL – Cisco’s own trunk protocol. Places both a header & trailer on the frame, then encapsulates it = overhead. No native VLAN = every frame is encapsulated = overhead
    • 26 byte header + 4 byte trailer CRC = 30 bytes. Too large for the switch, considered giant frames
  • 802.1Q – No encapsulation. Adds a 4 byte header to the frame
  • Trunk – Both ports must agree on duplex, speed and encapsulation
  • Giants are frames larger than 1518 or 1522 (802.3ac). Runts are frames smaller than 64 bytes. Baby giants are over 1500 but under 2000 bytes
  • Dynamic Trunking Protocol – Attempts to negotiate a trunk with the remote switch. Sends DTP frames every 30 sec (overhead)
  • VLAN Design – Keep broadcasts and multicast away from the core
    • End to end (80/20) – 80% of local traffic stays local and 20% goes to the core. These VLANs must be on every access-layer switch
    • Local (20/80) – 20% local, 80% core
  • Port status
    • Trunk – Trunk port and no DTP negotiation
    • Dynamic Desirable – Default. Responds to DTP and becomes a trunk, otherwise access
    • Dynamic Auto – Does NOT actively negotiate a trunk, but will respond to DTP and become one if the remote end is trunk or dynamic desirable. A trunk will not form if both ports are dynamic auto
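The tag format and frame-size thresholds above are easiest to remember once you have pulled them apart yourself. The following is an added example (my own code, not part of the original notes): it walks the 802.1Q tag stack of a raw Ethernet frame, returning the PCP (the 3-bit 802.1p priority that carries CoS), DEI and 12-bit VLAN ID of each tag plus the real EtherType, and classifies the frame length as runt, normal, baby giant or giant using the numbers from the notes. The sample frames are constructed in the code (addresses, VLAN numbers and payloads are made up), and a dummy 4-byte FCS is appended so the length counts match the thresholds, which include the FCS.

```python
"""Added example: parse 802.1Q tags and classify frame sizes (not from the notes)."""
import struct

ETHERTYPE_IPV4 = 0x0800
TPID_8021Q = 0x8100          # TPID of a standard 802.1Q tag
TPID_QINQ = 0x88A8           # TPID of an outer service (QinQ) tag
MIN_FRAME = 64               # anything smaller is a runt (lengths include the 4-byte FCS)
MAX_UNTAGGED = 1518          # 1522 (802.3ac) once a single 4-byte 802.1Q tag is present
MAX_TAGGED = 1522
BABY_GIANT_LIMIT = 2000      # oversize but under 2000 bytes is a "baby giant"


def classify_size(frame_len: int, tagged: bool) -> str:
    """Apply the size thresholds from the notes: runt, normal, baby giant, giant."""
    limit = MAX_TAGGED if tagged else MAX_UNTAGGED
    if frame_len < MIN_FRAME:
        return "runt"
    if frame_len <= limit:
        return "normal"
    if frame_len < BABY_GIANT_LIMIT:
        return "baby giant"
    return "giant"


def parse_frame(frame: bytes) -> dict:
    """Return addresses, every 802.1Q tag (outer to inner), the real EtherType and the size class.

    Each tag is 4 bytes: a 16-bit TPID followed by a 16-bit TCI that holds the
    3-bit PCP (802.1p priority = CoS 0-7), a 1-bit DEI and the 12-bit VLAN ID.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    offset = 12
    tags = []
    # Keep consuming tags until the next 2 bytes are not a tag TPID.
    while offset + 4 <= len(frame):
        tpid, tci = struct.unpack("!HH", frame[offset:offset + 4])
        if tpid not in (TPID_8021Q, TPID_QINQ):
            break
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    if offset + 2 > len(frame):
        raise ValueError("frame truncated inside the tag stack")
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    return {"dst": dst, "src": src, "tags": tags, "ethertype": ethertype,
            "size_class": classify_size(len(frame), tagged=bool(tags))}


def build_frame(dst: str, src: str, vids: list, payload: bytes, pcp: int = 0) -> bytes:
    """Construct a test frame with zero or more 802.1Q tags; a dummy 4-byte FCS is appended."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload + b"\x00\x00\x00\x00"


# Constructed sample frames (made up, not captures): a voice frame in VLAN 100 with CoS 5,
# an untagged minimum-size frame, and a frame carrying two tags (VLAN 1 outside, VLAN 100 inside).
VOICE_FRAME = build_frame("00:1b:2c:3d:4e:5f", "00:11:22:33:44:55", [100], b"\x00" * 46, pcp=5)
UNTAGGED_FRAME = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [], b"\x00" * 46)
DOUBLE_TAGGED = build_frame("00:1b:2c:3d:4e:5f", "00:11:22:33:44:55", [1, 100], b"\x00" * 46)


def tag_count(frame: bytes) -> int:
    """Number of stacked 802.1Q tags on the frame (2 or more means the frame is double tagged)."""
    return len(parse_frame(frame)["tags"])


if __name__ == "__main__":
    for name, frame in (("voice", VOICE_FRAME), ("untagged", UNTAGGED_FRAME), ("double", DOUBLE_TAGGED)):
        print(name, len(frame), "bytes:", parse_frame(frame))
    for length, tagged in ((60, False), (1522, True), (1522, False), (1600, True), (2100, False)):
        print(length, "tagged" if tagged else "untagged", "->", classify_size(length, tagged))
```

Note that 1522 bytes is normal for a tagged frame but already a baby giant for an untagged one, which is exactly the 802.3ac distinction the notes draw.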

***commands***

# show vlan brief – Shows VLAN, name, status and ports. Does not show trunk ports

# show int trunk – Shows trunk ports, mode, encapsulation, status, native VLAN and allowed VLANs

# show vlan id 5 – Shows VLAN 5 ports etc


Wireless Crib Notes


Wireless – 23/06/09

*** Theory ***

  • WLAN – Is called a Basic Service Set (BSS), hub and spoke. The area of coverage is called a cell. Devices associate with the wireless device. They are half duplex so use CSMA/CA.
  • SSID – Service set identifier is case sensitive and up to 32 chars.
  • AP – Access point aka WAP. A client can use the following to find an AP:
    • Active scanning – Client sends probe request frames & waits for a response
    • Passive scanning – Listens for beacon frames from the AP. No probes sent
  • Authentication
    • Open system
    • Shared key – like WEP; WEP can be hacked easily.
    • EAP/LEAP – EAP or LEAP. LEAP is Cisco only. It has 2-way auth between AP and client, the AP uses RADIUS to auth the client, keys are dynamic (generated per authentication), not static. Better than WEP
    • WPA/WPA2 –
  • Ad hoc WLAN – aka IBSS
  • Ranges
    • 802.11a – 25 Mbps but can reach 54 Mbps. Indoor range 100 ft. 5 GHz
    • 802.11b – 6.5 Mbps up to 11 Mbps. 100 ft. 2.4 GHz
    • 802.11g – 25 Mbps to 11 Mbps. 100 ft. 2.4 GHz. Compatible with b, hence b/g
    • 802.11n – 200 Mbps up to 540 Mbps, 160 ft. 2.4 or 5 GHz
    • Microwaves can cause issues as they use the 2.4 GHz band
  • Antennas
    • Yagi antenna – Sends the signal in a single direction only (P2P), between APs
    • Omni – Sends the signal in all directions (P2M), between AP and hosts
  • Cisco Unified Wireless Network – WLAN controller. Talks to LAPs (Lightweight Access Points) via LWAPP (Lightweight Access Point Protocol) to make policy consistent. It is a centralised authority.
  • Aironet tray utility

VTP Crib Notes


VTP

*** Theory ***

  • VTP Domain – A switch can be in 1 domain only. All switches in that domain participate in VTP (the domain name is case sensitive)
  • VTP Mode
    • Server – can create, delete, modify etc (default)
    • Client – Listens to VTP advertisements
    • Transparent – Locally significant. Does not save, only passes on VTP advertisements
    • VTP version for transparent mode
      • V1 – Will forward VTP ads only if the domain and version number are the same as downstream
      • V2 – Will forward VTP ads over its trunk ports regardless of domain name. Supports Token Ring VLANs and switching
  • VTP Advertisements – are multicasts, sent over trunk ports only. Every server change increases the revision by 1. A switch ignores a VTP advertisement with a lower revision number than its own. Sent after every change, and a summary is sent every 5 minutes
  • VTP Password – case sensitive; puts VTP into secure mode. Visible in the config. Used to protect from an intruder switch, as some switches can pull the domain name from null status
  • New switches – Make sure its revision is 0, otherwise if it is the highest, all switches will use this VLAN database even if the new switch is client or server!
  • Reset revision number – Change the switch to transparent and back to server, or change the domain to a non-existent name then back to the original
  • Clients – If the VLAN database becomes corrupt, the client sends an advertisement request. The VTP server responds with summary and subsets
  • VTP Pruning – confines broadcasts (& multicast, treated as broadcast) over trunk ports, as trunks are members of all VLANs. If SW1 has VLAN ports 2-11 and SW2 has VLANs 10-19, they have 10 and 11 in common. No point in switches receiving broadcasts for VLANs they have no members of. Enable this on the VTP server only
  • Vlan.dat – delete this IN FLASH separately; write erase won’t delete it as it is not in NVRAM
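The revision-number rules above (higher revision wins, same domain and password required, transparent switches only forward) are what make the "new switch with a high revision" problem dangerous. The simulation below is an added example written for these notes (not Cisco code and not the original post); it models a VTP server, client and transparent switch with exactly those rules, then plugs a second-hand switch with a stale database but revision 50 into a domain sitting at revision 20, once with and once without resetting the revision first. Switch names, VLAN numbers, domain name and password are constructed.

```python
"""Added example: a toy VTP revision-number simulation (not from the notes)."""
from dataclasses import dataclass, field

DEFAULT_VLANS = {1, 1002, 1003, 1004, 1005}   # VLANs shipped by default


@dataclass
class VtpSwitch:
    name: str
    domain: str
    mode: str = "server"          # "server", "client" or "transparent"
    password: str = ""
    revision: int = 0
    vlans: set = field(default_factory=lambda: set(DEFAULT_VLANS))

    def advertise(self) -> dict:
        """Content of the summary/subset advertisement sent over trunk ports."""
        return {"domain": self.domain, "password": self.password,
                "revision": self.revision, "vlans": set(self.vlans)}

    def change_vlan(self, vlan_id: int, add: bool = True) -> dict:
        """A server-side change bumps the revision by one and triggers an advertisement."""
        if self.mode != "server":
            raise PermissionError(f"{self.name}: only a server can modify the VLAN database")
        if add:
            self.vlans.add(vlan_id)
        else:
            self.vlans.discard(vlan_id)
        self.revision += 1
        return self.advertise()

    def receive(self, adv: dict) -> str:
        """Apply the acceptance rules from the notes to an incoming advertisement."""
        if self.mode == "transparent":
            return "forwarded"                      # passed on, never saved
        if adv["domain"] != self.domain:
            return "ignored: domain mismatch"
        if adv["password"] != self.password:
            return "ignored: password mismatch"
        if adv["revision"] <= self.revision:
            return "ignored: revision not higher"
        # Higher revision from the same domain: overwrite, server or client alike.
        self.vlans = set(adv["vlans"])
        self.revision = adv["revision"]
        return "applied"

    def reset_revision(self) -> None:
        """Flip to transparent and back; the round trip leaves the revision at 0."""
        original = self.mode
        self.mode = "transparent"
        self.revision = 0
        self.mode = original


def new_switch_scenario(reset_first: bool) -> dict:
    """Plug a second-hand switch (revision 50, stale VLANs) into a domain at revision 20."""
    core = VtpSwitch("core", "CORP", "server", password="s3cret", revision=20,
                     vlans=DEFAULT_VLANS | {10, 20, 30})
    used = VtpSwitch("used", "CORP", "client", password="s3cret", revision=50,
                     vlans=DEFAULT_VLANS | {99})
    if reset_first:
        used.reset_revision()
    result = core.receive(used.advertise())
    return {"result": result, "core_vlans": sorted(core.vlans), "core_revision": core.revision}


def normal_change_scenario() -> dict:
    """A legitimate server change propagates to a client and is only forwarded by a transparent switch."""
    server = VtpSwitch("srv", "CORP", "server")
    client = VtpSwitch("cli", "CORP", "client")
    transparent = VtpSwitch("tr", "CORP", "transparent")
    adv = server.change_vlan(10)
    return {"client": client.receive(adv), "transparent": transparent.receive(adv),
            "client_revision": client.revision, "client_vlans": sorted(client.vlans)}


if __name__ == "__main__":
    print("without reset:", new_switch_scenario(False))
    print("with reset:   ", new_switch_scenario(True))
    print("normal change:", normal_change_scenario())
```

The first run shows VLANs 10, 20 and 30 vanishing from the core switch because a client with a higher revision was accepted; the second shows the same advertisement ignored once the revision has been zeroed, which is the check to make before cabling any pre-owned switch into a trunk.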

*** Commands ***

  • show vtp status: Version, revision, no. of VLANs, operating mode

VoIP Crib Notes


VoIP

*** Theory ***

  • Link – Trunk or access. Trunk to create a voice VLAN for the highest QoS. Use config-if# switchport voice vlan
    • Dot1p – voice is sent via the native voice VLAN (0) with high priority
    • Voice VLAN – PortFast is enabled. If you remove the voice VLAN, PortFast is not disabled. Set IP phone ports to trust incoming CoS values (mls qos (global), mls qos trust cos (interface))
      • Can run on port security and 802.1X ports, though select more than 1 MAC in port security
      • CDP must be running for the IP phone (globally enabled on the switch)
        • CDP Spoofing – A host can trick the switch into thinking it is an IP phone
  • Only supports L2 access ports
  • Total overall traffic should NOT exceed 75% of bandwidth. Voice & video should not be more than 33% of the total link (helps prevent jitter)
  • QoS – Jitter, delay and packet loss. Combat with QoS. If there is no QoS, the default is best-effort delivery. Works fine for UDP but not voice traffic
    • IntServ – better than best effort. It uses RSVP (Resource Reservation Protocol). It creates high priority paths in advance for voice traffic. The sender does not send until a reserved path exists from SRC to DST, aka GRS – Guaranteed Rate Service
      • Cons – Not scalable. A lot of voice traffic would be reserved, which takes bandwidth
    • DiffServ – IntServ reserves an entire path in advance for the entire voice packet flow to use. DiffServ does not reserve bandwidth for the flow. Instead, DiffServ makes its QoS decision on a per-hop basis. Each switch will either trust the values from the sending switch or configure its own values. Inside is usually trusted (trust boundary)
      • Nutshell – DiffServ allows each hop to make a separate decision on how best to forward (PHB – Per-Hop Behaviour). It uses QoS marking and classification
      • QoS Marking – Tags data with a value. Mark close to the source (at the access layer). Tagging only occurs when the switch forwards to another switch
      • QoS Classification – Queueing and transmitting the data based on that value
      • CoS (Class of Service) – Tagged into the frame where the VLAN ID is tagged. Used to determine what QoS the frame should receive
        • ISL – 4 bit user field. Last 3 bits = CoS value (0-7)
        • Dot1q – User field has 3 802.1p priority bits = CoS value (0-7)
      • ToS (Type of Service) – Header field used to mark traffic at layer 3 for DiffServ. The IP ToS byte has 3 bits (IP Precedence), a ToS value (4 bits) & a 0 (1 bit). DiffServ uses this same 8 bit field, but refers to it as the Differentiated Services (DS) field. The DS byte has DSCP (6 bits) and ECN (2 bits). The DSCP has a class selector value of 3 bits and a drop precedence value of 3 bits (6 bits total)
        • Class Selector Values
          • Class 7 (111) – Network Control (STP, routing protocols etc)
          • Class 6 (110) – Internetwork Control (same as above)
          • Class 5 (101) – Expedited Forwarding (EF – reserved for voice traffic + time critical data, guaranteed not to be dropped)
          • Class 1 – 4 (001-100) – Assured Forwarding (AF, manual QoS for time critical traffic like class 5)
          • Class 0 – Best effort forwarding (default)
      • IP Phone – trust the phone but don’t trust the PC, as it may have apps that overwrite QoS
      • RTP Header – Compress the IP/UDP/RTP header from 40 bytes to 2-4 bytes to improve voice traffic: config-if# ip rtp header-compression. Use passive to compress outgoing packets only if the remote device is compressing
      • PoE (802.3af)

*** Commands ***

Config# mls qos // enables QoS

Config-if# mls qos trust cos // trust CoS values

Config-if# mls qos trust device cisco-phone // with the above, trust only if it is a Cisco IP phone (checks the trust state to determine it is a phone)

Config-if# switchport priority extend cos 2 // PC data is trusted but set to 2 (below VoIP)

Config-if# power inline auto // auto PoE

STP Crib Notes


STP

*** Theory ***

  • BPDU – Sent every 2 sec to the well-known multicast address 01-80-c2-00-00-00. 2 types of BPDU:
    • Topology change notification (TCN BPDU) – Sent by any switch if one of its ports goes into forwarding, or goes from forwarding or learning to blocking. The switch sends the TCN to the root bridge and each switch on the way acknowledges it. PortFast ports can’t generate TCNs
    • Configuration – used for the actual STP calculation. Sent only by the root bridge and forwarded by the other bridges. The BPDU also carries out the root bridge election. It is the boss of STP timers & values
  • BID – Bridge ID priority value – made from a default value and the MAC address. The MAC breaks the tie if all have the default value of 32768. Priority can be changed. Lowest BID wins
  • Root bridge – will always have its ports in the designated forwarding state
  • Non-root bridge – will have one port blocking. The root port is the port used to get to the root bridge
  • Root port – used by the non-root bridge to reach the root bridge. Selected by port cost (speed). The BPDU carries the root path cost & it is locally significant
    • Selection: Lowest BID > Lowest root path cost > Lowest sender BID > Lowest port
    • Port cost – E=100, FE=19, GE=4, 10GE=2. Can change this in interface config mode for specific spanning-tree VLANs
  • Port States
    • Disabled (Dis) – Administratively down
    • Blocking – Can only accept BPDUs
    • Listening – Can accept and send BPDUs only
    • Learning – learning MAC addresses
    • Forwarding – sends / receives BPDUs, frames etc
  • Timers
    • Hello – Root bridge sends the configuration BPDU, 2 seconds by default
    • Forwarding delay – 15 seconds, learning + listening
    • Maximum age – 20 seconds, how long it holds a superior BPDU before discarding it
  • Load sharing – Can have VLANs 1-5 go over one port and 6-10 over another. Do this by manipulating port priority under global spanning-tree configuration
  • PortFast – Used for host ports. Allows a port to go from blocking straight to forwarding
  • UplinkFast – is a group of ports; if one goes down a new port goes straight to forwarding, for switch-to-switch links etc. Use on access layer switches only! Takes 1 – 3 seconds. Can’t be configured on the root switch. Can’t be run on a per-VLAN basis
  • BackboneFast – If SW1 is the primary root bridge and SW2 the secondary root bridge and both connect to SW3: if the link between SW1 and SW2 fails, SW3 gets BPDUs from SW1 and SW2 both claiming to be the root. SW3 will compare priority and ignore the higher priority (inferior) BPDU. Once SW3’s max age for SW2 reaches 0, SW3 tells SW2 that SW1 is still the true root. BackboneFast skips the MaxAge stage, so the delay is cut from 50 to 30 sec. Uses Root Link Query (RLQ) to see who the root bridge is for the local switch (used only in BackboneFast). BackboneFast needs to be enabled on all switches
  • Root Guard – Configured at the port level and disqualifies downstream switches from becoming the root. If it receives a superior BPDU, it ignores it and puts the port into root-inconsistent state
  • BPDU Guard – Prevents other switches connecting. Places the port in err-disable. Have to do no shutdown manually once it has fired. Runs with PortFast only
  • BPDU Filtering – Globally, it disables PortFast when a BPDU is received. Per interface, BPDUs are quietly ignored/dropped
  • UDLD – Used to detect unidirectional links, e.g. fibre. Two modes, one is aggressive. Sends eight ‘pings’ in 8 seconds; if no response then it closes the port. It waits for the first received frame, then starts the 8 second timer
  • Half duplex – Uses CSMA/CD rules (listens to the segment and sends frames)
  • Loop Guard – prevents a port going from blocking to forwarding, e.g. if the link between two switches goes unidirectional
  • BPDU Skew Detection – BPDUs need to propagate fast. If too slow, this will send a notification
  • RSTP (802.1w)
    • Transition
      • STP: disabled > blocking > listening > learning > forwarding
        • Root bridge sends a BPDU every 2 seconds. Non-root forwards it
      • RSTP: discarding > learning > forwarding
        • All switches generate BPDUs. Therefore every switch expects to see a BPDU from its neighbour; if 3 are missed the link is considered down. The switch then ages out, which cuts the detection process from 20 seconds in STP to 6 seconds in RSTP
    • Port roles
      • Alternate – same as an STP blocked port
      • Backup – redundant path
      • Edge port – connects to a single host / like PortFast
      • P2P port – connected to another switch in full duplex
  • PVST – Cisco proprietary. Runs STP per VLAN
  • PVST+ – PVST does not work well with common spanning-tree. This one works with .1Q instead of ISL
  • MST – Multiple Spanning-Tree: Up to 16 instances in a region (0-15). 0 is for the IST, which sends the MST BPDU
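The election and root-port selection rules above (lowest BID, then lowest root path cost, then lowest sender BID, then lowest port) are worth running on a small topology to see that a cheaper two-hop path beats a direct but slower link. The code below is an added example of mine, not from the notes: it uses the port cost table from the notes, elects the root with a plain tuple comparison on (priority, MAC), computes each bridge’s root path cost with Dijkstra, applies the tie-breakers, and includes a one-line Root Guard check that flags a superior BID as root-inconsistent. The three-switch topology, its MAC addresses, priorities and link speeds are constructed.

```python
"""Added example: STP root election and root port selection (not from the notes)."""
import heapq

# 802.1D port costs as listed in the notes, keyed by link speed in Mbps
PORT_COST = {10: 100, 100: 19, 1000: 4, 10000: 2}


def bridge_id(priority: int, mac: str) -> tuple:
    """A BID compares as (priority, MAC); tuple ordering makes 'lowest wins' a plain min()."""
    return (priority, mac.lower())


def elect_root(bridges: dict) -> str:
    """bridges maps name -> (priority, mac). The lowest BID becomes the root."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def _adjacency(bridges: dict, links: list) -> dict:
    """links: (bridge_a, port_a, bridge_b, port_b, speed_mbps) -> name: [(nbr, nbr_port, my_port, cost)]."""
    adj = {name: [] for name in bridges}
    for a, pa, b, pb, speed in links:
        cost = PORT_COST[speed]
        adj[a].append((b, pb, pa, cost))
        adj[b].append((a, pa, pb, cost))
    return adj


def root_path_costs(bridges: dict, links: list, root: str) -> tuple:
    """Dijkstra over link costs: the root path cost each bridge would learn from BPDUs."""
    adj = _adjacency(bridges, links)
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, _, _, cost in adj[u]:
            nd = d + cost                 # cost is added on the receiving port
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    return dist, adj


def select_root_ports(bridges: dict, links: list) -> tuple:
    """Per non-root bridge: lowest root path cost, then lowest sender BID, then lowest sender port."""
    root = elect_root(bridges)
    dist, adj = root_path_costs(bridges, links, root)
    chosen = {}
    for name in bridges:
        if name == root:
            continue
        candidates = [(dist[nbr] + cost, bridge_id(*bridges[nbr]), nbr_port, my_port, nbr)
                      for nbr, nbr_port, my_port, cost in adj[name]]
        cost, _, _, my_port, via = min(candidates)
        chosen[name] = {"root_port": my_port, "root_path_cost": cost, "via": via}
    return root, chosen


def root_guard_check(current_root: tuple, received_bid: tuple) -> str:
    """Root Guard: a superior (lower) BID on a guarded port is ignored and the port goes root-inconsistent."""
    return "root-inconsistent" if received_bid < current_root else "ok"


# Constructed topology (made up): SW1 carries priority 4096 and so wins the election.
BRIDGES = {
    "SW1": (4096, "00:00:00:00:00:01"),
    "SW2": (32768, "00:00:00:00:00:02"),
    "SW3": (32768, "00:00:00:00:00:03"),
}
LINKS = [
    ("SW1", 1, "SW2", 1, 1000),   # Gi link, cost 4
    ("SW1", 2, "SW3", 1, 100),    # Fa link, cost 19
    ("SW2", 2, "SW3", 2, 1000),   # Gi link, cost 4
]

if __name__ == "__main__":
    root, ports = select_root_ports(BRIDGES, LINKS)
    print("root bridge:", root)
    for name, info in ports.items():
        print(name, info)
    print(root_guard_check(bridge_id(*BRIDGES["SW1"]), bridge_id(0, "00:00:00:00:00:99")))
```

SW3 ends up with a root path cost of 8 via SW2 (4 + 4) rather than 19 over its direct Fast Ethernet link to the root, which is the point the "selected by port cost (speed)" bullet is making.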

*** Commands ***

  • show spanning-tree interface: STP port state, handy for seeing the different port states for different VLANs

Secure Switching Crib Notes


Secure Switching

*** Theory ***

  • Port Security – Secures a port by MAC address. Done at interface level. Does not work with trunk / dynamic desirable mode, EtherChannels, SPAN ports or 802.1X ports
    • Maximum – No. of MAC addresses allowed on this port
    • MAC addresses – Which MAC addresses are allowed, in conjunction with the maximum value. Can be static or sticky
      • Sticky – Static MAC learned from the current device on the port
    • Violation – What happens if port security is violated. Default is shutdown: the port is put into err-disabled state and the admin will need to manually re-open it. It also sends an SNMP trap. Protect mode drops the frames; restrict drops the frame and generates SNMP and syslog
    • Err-disable recovery: Allows you to state how long the port stays in err-disable before restoring
    • Catches: If you statically assign a MAC and set the maximum higher, then it will allow the static plus dynamics = no security!
  • Dot1x Port-Based Authentication – Auth with RADIUS. Need to configure the PC/host too for 802.1X EAPOL. Until the user has authenticated, only EAPOL, STP and CDP can travel through the port. Configure globally and then on the port
  • SPAN – Mirror traffic. The destination port is known as the monitor port, which is the port the network analyzer is connected to. Enable with monitor session. Source ports are the ports you want to capture data from; check with show monitor. The destination port can’t be part of an EtherChannel but source ports can. Dst ports do not participate in STP, CDP, VTP, link aggregation or DTP
  • VSPAN – Like SPAN, but monitors VLAN traffic
  • RSPAN – Remote SPAN, if you want to monitor a port not on the local switch. Can use VTP. All switches including and between src and dst will need to be RSPAN enabled. MAC address learning is disabled
  • VACL – Can’t create access lists between hosts in a VLAN, so we need a VACL
  • Private VLAN – Share a common subnet. VTP needs to be in transparent mode
    • Community – Host can speak to other hosts in its secondary VLAN and the primary VLAN, but not with hosts in other secondary VLANs
    • Isolated – Can communicate with the primary VLAN, but no other hosts, even in its own VLAN
    • Promiscuous – connects to the gateway device, can talk to all primary and secondary VLANs
  • DHCP Snooping – Rogue DHCP servers can send DHCP offers. DHCP snooping lets you set the switch interface that connects to the valid DHCP server as trusted. Any DHCP server not on this interface is dropped and the port placed in err-disabled mode. All ports are untrusted by default when enabling DHCP snooping
  • Dynamic ARP Inspection (DAI) – Prevents ARP man-in-the-middle attacks. Listens to IP-MAC mappings and inspects ARP on receive, not send. Issues running this on trunks and EtherChannels. DHCP snooping must be enabled
  • IP Source Guard – Prevents a host on the network from using another host’s IP address. Works with the DHCP snooping database
  • MAC address flooding – Send multiple frames from different MACs. Overwhelms the CAM table so that it starts broadcasting rather than unicasting, then use Wireshark etc to sniff
  • VLAN Hopping
    • Double tagging – Host must be attached to an access port in the native VLAN. The PC tags the frame as e.g. VLAN 100, so the packet has VLAN 1 (native) and VLAN 100. The switch removes the native VLAN tag and the packet is seen as VLAN 100. To combat, set the native VLAN to an unused VLAN number (black hole)
    • Switch Spoofing – Cisco by default sends dynamic desirable DTP. A host can form a trunk and access all VLANs, as trunks are members of all VLANs. Combat this by putting ports in access mode except for legitimate trunk ports
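DHCP snooping, DAI and IP Source Guard are one pipeline: snooping builds the IP/MAC/VLAN/port binding table from leases seen on trusted ports, DAI checks ARP sender fields against it, and IP Source Guard checks IP source addresses against it. The code below is an added example of my own (not the notes’ content and not Cisco’s implementation) that models that pipeline on a single switch: a server message on an untrusted port is dropped and the port err-disabled, leases handed out by the trusted port populate the table, and ARP/IP packets from untrusted ports are permitted only when they match a binding. Port names, MACs and addresses are constructed.

```python
"""Added example: DHCP snooping bindings feeding DAI and IP Source Guard (not from the notes)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    """Trusted ports face the real DHCP server; every other port starts untrusted."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}          # (vlan, mac) -> Binding
        self.errdisabled = set()
        self.log = []

    def dhcp_from_server(self, server_port: str, client_port: str, vlan: int,
                         client_mac: str, offered_ip: str) -> str:
        """Handle a DHCPOFFER/ACK seen entering on server_port for a client on client_port."""
        if server_port not in self.trusted:
            # A server message on an untrusted port means a rogue server: drop and err-disable.
            self.errdisabled.add(server_port)
            self.log.append(f"rogue DHCP server message on {server_port}; port err-disabled")
            return "dropped"
        self.bindings[(vlan, client_mac.lower())] = Binding(client_mac.lower(), offered_ip, vlan, client_port)
        return "forwarded"

    def _matches_binding(self, port: str, vlan: int, mac: str, ip: str) -> bool:
        b = self.bindings.get((vlan, mac.lower()))
        return b is not None and b.ip == ip and b.port == port

    def inspect_arp(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> str:
        """DAI: validate the ARP sender IP/MAC pair on receive; trusted ports are not inspected."""
        if port in self.trusted:
            return "permitted (trusted)"
        if self._matches_binding(port, vlan, sender_mac, sender_ip):
            return "permitted"
        self.log.append(f"DAI drop on {port}: {sender_mac} claims {sender_ip} in vlan {vlan}")
        return "dropped"

    def ip_source_guard(self, port: str, vlan: int, src_mac: str, src_ip: str) -> str:
        """IPSG: an IP packet may only use the address the snooping table bound to this port."""
        if port in self.trusted:
            return "permitted (trusted)"
        if self._matches_binding(port, vlan, src_mac, src_ip):
            return "permitted"
        self.log.append(f"IPSG drop on {port}: source {src_ip} not bound to {src_mac}")
        return "dropped"


def scenario() -> dict:
    """Constructed walk-through: two legitimate leases, one rogue server, one ARP and one IP spoof attempt."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/24"})
    results = {}
    results["lease_a"] = sw.dhcp_from_server("Gi1/0/24", "Fa1/0/1", 10, "aa:aa:aa:aa:aa:01", "10.0.10.5")
    results["lease_b"] = sw.dhcp_from_server("Gi1/0/24", "Fa1/0/2", 10, "bb:bb:bb:bb:bb:02", "10.0.10.6")
    results["rogue_offer"] = sw.dhcp_from_server("Fa1/0/3", "Fa1/0/1", 10, "aa:aa:aa:aa:aa:01", "10.0.10.50")
    results["errdisabled"] = sorted(sw.errdisabled)
    results["arp_ok"] = sw.inspect_arp("Fa1/0/1", 10, "aa:aa:aa:aa:aa:01", "10.0.10.5")
    # host B announcing the gateway address with its own MAC: classic ARP poisoning, rejected by DAI
    results["arp_spoof"] = sw.inspect_arp("Fa1/0/2", 10, "bb:bb:bb:bb:bb:02", "10.0.10.1")
    results["ipsg_ok"] = sw.ip_source_guard("Fa1/0/2", 10, "bb:bb:bb:bb:bb:02", "10.0.10.6")
    # host B sending with host A's address: rejected by IP Source Guard
    results["ipsg_spoof"] = sw.ip_source_guard("Fa1/0/2", 10, "bb:bb:bb:bb:bb:02", "10.0.10.5")
    results["log"] = list(sw.log)
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The binding key is (VLAN, MAC) and the check also compares the ingress port, so a device that moves its lease to a different port without a new DHCP exchange is dropped too, which is the behaviour these features have on the switch and the reason trunks and EtherChannels are awkward for DAI.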

*** Commands ***

show port-security – Shows violations and port states etc.

Config# ip arp inspection vlan 75 // Enables DAI

vlan access-map

Config# vlan filter

Redundancy Crib Notes


Redundancy

*** Theory ***

  • ICMP Router Discovery Protocol (IRDP) – Generates router advertisements heard by hosts on that segment. If a host hears more than one IRDP router, it will choose 1 as its primary and fail over to the second if need be. The host uses the real IP and MAC. Hosts can send an RS, requesting an RA
  • Hot Standby Routing Protocol (HSRP) – Cisco. 1 router is primary. The host uses a virtual MAC/IP (pseudo-router). Hello timers etc can be changed. Highest priority determines the primary router (pre-empt is disabled by default, so changing priority will not take immediate effect)
    • 00-00-0c-07-ac-xx = HSRP well-known MAC. xx is the group number in hex, e.g. group 5 = 05, group 17 = 11 (16 + 1)
    • States
      • Disabled
      • Initial (init) – interface is up but HSRP not running
      • Learn – Learning about the active router etc
      • Listen – Knows the VMAC and is listening for hellos
      • Speak – Sending hellos
      • Standby – Sends hellos and is the candidate for active
      • Active – Router is forwarding for the VIP
  • HSRP Interface tracking – Monitors an additional interface, e.g. the WAN. If the WAN goes down, the router’s priority goes down, allowing the other router to have the higher priority and take over (pre-empt enabled) – config-if# standby 1 track serial 0 decrement
  • VRRP – Same as HSRP, but the active router is known as the master router and standby is the backup. Multicast is 224.0.0.18. MAC is 00-00-5e-00-01-xx (xx is the group number in hex). VRRP has pre-empt by default
  • GLBP – Cisco only. Does load balancing. Lets routers share the load via round-robin. The host sees one gateway, but really there are multiple gateways. The host gets a real router’s MAC but the IP is the VIP
    • AVG – Active Virtual Gateway is the router with the HIGHEST GLBP priority (highest IP if tied). It sends a virtual MAC in the ARP response for the same layer 3 address, which is how load balancing is achieved. There is a standby AVG, and AVFs
    • Algorithms – Round robin, host-dependent load balancing (same MAC every time), weighted – percentage of traffic per router
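The virtual MAC rules and the pre-empt/tracking behaviour above are simple enough to check in code. What follows is an added example of mine (not from the notes, not Cisco’s implementation): it derives the HSRP and VRRP virtual MACs from a group number, models the HSRP active election with the pre-empt flag and the interface-tracking decrement, and shows the AVG of a GLBP group answering successive ARP requests with different forwarder MACs in round-robin. The GLBP virtual MAC layout (0007.b4 + 16-bit group + 8-bit forwarder number) and the default track decrement of 10 are from my own knowledge rather than the notes; router names and addresses are constructed.

```python
"""Added example: FHRP virtual MACs, HSRP election with pre-empt/tracking, GLBP round-robin (not from the notes)."""
from typing import Optional


def hsrp_vmac(group: int) -> str:
    """HSRP well-known MAC 0000.0c07.acXX, XX = group number in hex (the notes' 00-00-0c-07-ac-xx)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group must be 0-255")
    return f"0000.0c07.ac{group:02x}"


def vrrp_vmac(vrid: int) -> str:
    """VRRP virtual MAC 0000.5e00.01XX, XX = VRID in hex."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"0000.5e00.01{vrid:02x}"


def glbp_vmac(group: int, forwarder: int) -> str:
    """GLBP virtual MAC 0007.b4XX.XXYY: XXXX = group, YY = AVF number (layout assumed, not from the notes)."""
    if not 0 <= group <= 1023 or not 1 <= forwarder <= 4:
        raise ValueError("GLBP group 0-1023, forwarder 1-4")
    return f"0007.b4{group >> 8:02x}.{group & 0xFF:02x}{forwarder:02x}"


def _ip_key(ip: str) -> tuple:
    return tuple(int(octet) for octet in ip.split("."))


def hsrp_active(routers: dict, current_active: Optional[str], preempt: bool) -> str:
    """routers: name -> (priority, interface_ip). Highest priority wins, highest IP breaks ties.

    Without pre-emption a router that is already active keeps the role even if a
    higher-priority router appears; with pre-emption the best router takes over.
    """
    best = max(routers, key=lambda name: (routers[name][0], _ip_key(routers[name][1])))
    if current_active in routers and not preempt:
        return current_active
    return best


def apply_tracking(routers: dict, name: str, tracked_up: bool, decrement: int = 10) -> dict:
    """Interface tracking: lower the named router's priority by `decrement` while the tracked link is down."""
    priority, ip = routers[name]
    updated = dict(routers)
    updated[name] = (priority - decrement if not tracked_up else priority, ip)
    return updated


def glbp_round_robin(group: int, forwarders: int, arp_requests: int) -> list:
    """MACs the AVG hands out for successive ARP requests for the one VIP, cycling through the AVFs."""
    return [glbp_vmac(group, (i % forwarders) + 1) for i in range(arp_requests)]


# Constructed HSRP group 1: R1 is configured with priority 110, R2 with 100 (made-up addresses).
ROUTERS = {"R1": (110, "10.0.0.2"), "R2": (100, "10.0.0.3")}


def wan_failure_scenario(preempt: bool) -> str:
    """R1 is active; its tracked WAN link fails with a decrement of 20. Who is active afterwards?"""
    after = apply_tracking(ROUTERS, "R1", tracked_up=False, decrement=20)   # R1 drops to 90
    return hsrp_active(after, current_active="R1", preempt=preempt)


if __name__ == "__main__":
    print("HSRP group 17 MAC:", hsrp_vmac(17), " VRRP VRID 5 MAC:", vrrp_vmac(5))
    print("initial active:", hsrp_active(ROUTERS, None, preempt=False))
    print("after WAN failure, no pre-empt:", wan_failure_scenario(False))
    print("after WAN failure, pre-empt:  ", wan_failure_scenario(True))
    print("GLBP group 1 ARP replies:", glbp_round_robin(1, 2, 4))
```

The WAN-failure scenario is the one the tracking bullet describes: lowering R1’s priority only moves the active role if R2 is configured to pre-empt, because HSRP leaves pre-emption off by default.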

*** Commands ***

Config-if# ip irdp // enables IRDP

Config-if# standby 5 ip x.x.x.x // enables HSRP (verify with show standby)