BPDU Filter Lab Tips

  • BPDU Filter at the Interface Level will stop BPDUs from being received on that interface and from being sent out of it.
  • BPDU Filter at the Global Level will stop BPDUs from being sent out on all portfast-enabled interfaces (it will send a few initially, though, to detect whether the other device is running spanning tree). It should also be noted that it does not filter a BPDU if one is received on the interface, because if a BPDU is received the port loses its portfast status anyway.
  • spanning-tree portfast default and spanning-tree bpdufilter default at the Global Level let the switch work out automatically which interfaces should be edge ports, by looking at the interfaces where no BPDUs are coming in, which in turn means we will not send BPDUs out of them (BPDU filter). If we do receive a BPDU inbound, we take that port out of portfast and disable the bpdufilter on it. Overall we work out which interfaces should run portfast and which should not, and on the ones running portfast we kick in bpdufilter so that we do not send spanning tree information down the link (there should be no reason to, as these should be hosts etc. and not switches on the other end of the link). Running these two features together leaves you open to a layer 2 man-in-the-middle attack whereby the attacker becomes the root, so that traffic transits them and can be sniffed.
The URL below is a link to an excellent video from INE describing the above.

Trunk Links Lab Tips

  • If the lab requires that all traffic be tagged with a VLAN header when sent over a trunk, they are talking about ISL, especially if they restrict you from issuing any global commands.
  • If global commands are not restricted, the above can also be achieved with 802.1Q by issuing vlan dot1q tag native in global configuration mode.

Ether Channel Lab Tips

  • If configuring the mode as on, you must configure the other end as on within 60 seconds! Otherwise Spanning Tree will consider this a loop. Better: shut down the interface, configure both sides, then no shut once both are done.
  • show etherchannel load-balance shows the current load-balancing algorithm.
  • From global configuration, port-channel load-balance allows you to change the algorithm.
  • port-channel and etherchannel are the commands and sub-commands for link aggregation.
  • All interfaces in the port-channel inherit the configuration, so just configure the logical interface to save time, as the physical interfaces will inherit the config, i.e. configure port-channel 12 instead of fa0/16 etc.

VLANS Crib Notes

These are my ‘crib notes’ that I’ve made to serve as a last minute refresher. Please forgive the grammar / spelling as I did not develop these notes with publishing in mind.

VLANS

*** Theory ***

  • Best practice – 1 VLAN per IP subnet
  • Broadcast – Routers can accept and generate broadcasts, but they cannot forward them
  • VLANs 1 and 1002 – 1005 exist by default
  • Native VLAN – Default on Cisco is VLAN 1. All unassigned hosts are on the native VLAN
  • Static VLAN – Dependent on the host port
  • Dynamic VLAN – Dependent on the host MAC address; uses a VLAN Membership Policy Server (VMPS – uses UDP). A host can move from port to port or switch to switch and its VLAN assignment is based on its MAC address. Uses a TFTP server to map addresses. Portfast is enabled by default for dynamic VLANs. Don’t use port security. A dynamic port cannot be a trunk port
  • vlan.dat – VLANs are kept in a separate file. Must be deleted separately; it is not removed by erase
  • VLAN database – using CTRL+Z will not save the config. Must type apply
  • Dynamic Desirable Trunking – Port is actively trying to form a trunk
  • Troubleshooting – Check port speed/duplex and check the MAC table
  • ISL – Cisco’s own trunk protocol. Places both a header and a trailer on the frame, then encapsulates it = overhead. No native VLAN = every frame is encapsulated = overhead
    • 26 byte header + 4 byte trailer CRC = 30 BYTES. Too large for the switch, considered as giant frames
  • 802.1Q – No encapsulation. Adds a 4 byte header to the frame
  • Trunk – Ports must agree on duplex, speed and encapsulation
  • Giants are frames larger than 1518 or 1522 (802.3ac). Runts are frames smaller than 64 bytes. Baby giants are 1500 < 2000 bytes
  • Dynamic Trunking Protocol – Attempts to negotiate a trunk with the remote switch. Sends DTP frames every 30 sec (overhead)
  • VLAN Design – Keep broadcasts and multicast away from the core
    • End to end (80/20) – 80% of local traffic stays local and 20% goes to the core. These VLANs must be on every access-layer switch
    • Local (20/80) – 20% local, 80% core.
  • Port status
    • Trunk – Trunk port, no DTP negotiation.
    • Dynamic Desirable – Default. Responds to DTP and becomes a trunk, otherwise access.
    • Dynamic Auto – Does NOT actively negotiate a trunk, but will respond to DTP and become one if the remote end is trunk or dynamic desirable. A trunk will not form if both ports are dynamic auto

*** Commands ***

  • show vlan brief – Shows VLAN, name, status and ports. Does not show trunk ports
  • show int trunk – Shows trunk ports, mode, encapsulation, status, native VLAN and allowed VLANs
  • show vlan id 5 – Shows VLAN 5 ports etc.

VTP Crib Notes

VTP

*** Theory ***

  • VTP Domain – A switch can be in 1 domain only. All switches in that domain participate in VTP (the domain name is case sensitive)
  • VTP Mode
    • Server – can create, delete, modify etc. (default)
    • Client – Listens to VTP advertisements
    • Transparent – Locally significant. Does not save, only passes on VTP advertisements
    • VTP version for transparent mode
      • V1 – Will forward a VTP advertisement only if the domain and version number are the same as downstream
      • V2 – Will forward VTP advertisements over its trunk ports regardless of domain name. Supports Token Ring VLANs and switching
  • VTP Advertisements – are multicasts, sent over trunk ports only. Every server change increases the revision by 1. A switch ignores VTP advertisements with a lower revision number than its own. Sent after every change, and a summary is sent every 5 minutes
  • VTP Password – case sensitive; can be put in secure mode. Visible on the switch. Used to protect against an intruder switch, as some switches can pull the domain name from null status
  • New switches – Make sure the revision is 0; otherwise, if it has the highest revision, all switches will use its VLAN database, even if the new switch is a client or a server!
  • Reset revision number – Change the switch to transparent and back to server, or change the domain to a non-existent name and then back to the original
  • Clients – If the VLAN database becomes corrupt, the client sends an advertisement request. The VTP server responds with summary and subset advertisements
  • VTP Pruning – confines broadcasts (multicast is treated as broadcast) over trunk ports, as trunks are members of all VLANs. If SW1 has ports in VLANs 2-11 and SW2 has VLANs 10-19, they only have 10 and 11 in common. No point in switches receiving broadcasts for VLANs they have no members of. Enable this on the VTP server only
  • vlan.dat – delete this from FLASH as well as doing write erase; otherwise it won’t be deleted, as it is not in NVRAM
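The revision-number rules above (higher revision wins on clients and servers alike, transparent mode only relays) are the reason a leftover lab switch can wipe a production VLAN database. The following is an added model of that behaviour, not code from the original notes or from Cisco: switch names, domain, password, VLAN sets and revision numbers are constructed, and the password is compared in the clear as a simplification of the MD5 digest real VTP carries.

```python
# Added example (not from the original notes): models how a switch handles a VTP
# advertisement per the rules above: same domain and password, a higher revision
# overrides the local database on clients and servers alike, transparent mode only
# relays. Real VTP carries an MD5 digest, not the password; comparing it in the clear
# is a simplification. Switch names, domain, password, VLANs and revisions are made up.
from dataclasses import dataclass, field

@dataclass
class VtpSwitch:
    name: str
    mode: str            # "server", "client" or "transparent"
    domain: str
    password: str
    revision: int
    vlans: set = field(default_factory=set)

def advertisement(sw):
    """Summary/subset content sw puts on its trunks."""
    return {"domain": sw.domain, "password": sw.password,
            "revision": sw.revision, "vlans": set(sw.vlans)}

def receive_advertisement(sw, adv):
    """Apply a neighbour's advertisement to sw; returns what sw did with it."""
    if sw.mode == "transparent":
        return "relayed"                      # passed on, local database untouched
    if adv["domain"] != sw.domain:            # domain names are case sensitive
        return "ignored: domain mismatch"
    if adv["password"] != sw.password:
        return "ignored: password mismatch"
    if adv["revision"] <= sw.revision:
        return "ignored: revision not higher"
    sw.vlans = set(adv["vlans"])              # higher revision wins, client or server
    sw.revision = adv["revision"]
    return "accepted"

def reset_revision(sw):
    """Transparent and back to server (or a domain change) puts the revision at 0."""
    sw.mode = "transparent"
    sw.mode = "server"
    sw.revision = 0

def connect_new_switch(existing, new):
    """Plug 'new' into the domain: both sides exchange summaries. Returns what the
    existing switch did with the newcomer's advertisement, the case the notes warn
    about: a leftover high revision overwrites the production VLAN database."""
    receive_advertisement(new, advertisement(existing))
    return receive_advertisement(existing, advertisement(new))
```

Run reset_revision on the newcomer before connecting it and the existing switch ignores its advertisement, while the newcomer adopts the production database instead.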

*** Commands ***

  • show vtp status: Version, revision, number of VLANs, operating mode

STP Crib Notes

STP

*** Theory ***

  • BPDU – Sent every 2 sec to the well-known multicast address 01-80-c2-00-00-00. 2 types of BPDU:
    • Topology Change Notification (TCN BPDU) – Sent by any switch if one of its ports goes into forwarding, or goes from forwarding or learning to blocking. The switch sends the TCN towards the root bridge and each switch on the way acknowledges it. Portfast ports can’t generate TCNs
    • Configuration – used for the actual STP calculation. Sent only by the root bridge and forwarded by the other bridges. This BPDU also carries out the root bridge election. It is the boss of STP timers and values
  • BID – Bridge ID: a priority value made from the default value and the MAC address. The MAC breaks the tie if all are at the default value of 32768. The priority can be changed. Lowest BID wins
  • Root bridge – will always have all its ports in designated forwarding state
  • Non-root bridge – will have one port in blocking state. The root port is the port used to get to the root bridge
  • Root port – used by a non-root bridge to reach the root bridge. Selected by port cost (speed). The BPDU carries the root path cost; port cost is locally significant
    • Selection: Lowest BID > lowest root path cost > lowest sender BID > lowest port ID
    • Port cost – E=100, FE=19, GE=4, 10GE=2. Can change this in interface config mode for specific spanning-tree VLANs.
  • Port States
    • Disabled (Dis) – Administratively down
    • Blocking – Can only receive BPDUs
    • Listening – Can receive and send BPDUs only
    • Learning – learning MAC addresses
    • Forwarding – sends / receives BPDUs, frames etc.
  • Timers
    • Hello – Root bridge sends a configuration BPDU, every 2 seconds by default
    • Forward delay – 15 seconds, for each of listening and learning
    • Max age – 20 seconds, how long it holds a superior BPDU before discarding it
  • Load sharing – Can have VLANs 1-5 go over one port and 6-10 over another. Do this by manipulating port priority under global spanning tree configuration
  • Port Fast – Used for host ports. Allows a port to go straight from blocking to forwarding
  • Uplink Fast – Is a group of ports; if one goes down, a new port goes straight to forwarding, for switch-to-switch links etc. Use on access layer switches only! Takes 1 – 3 seconds. Can’t be configured on the root switch. Can’t be run on a per-VLAN basis
  • Backbone Fast – If SW1 is the primary root bridge and SW2 the secondary, and both connect to SW3: if the link between SW1 and SW2 fails, SW3 gets BPDUs from SW1 and SW2 both claiming to be the root. SW3 compares priority and ignores the higher-priority (inferior) BPDU. Once max age on the SW3 > SW2 port reaches 0, SW3 tells SW2 that SW1 is still the true root. Backbone Fast skips the max age stage, so the delay is cut from 50 to 30 sec. Uses Root Link Query (RLQ) to check who the root bridge is for the local switch (used only by Backbone Fast). Backbone Fast needs to be enabled on all switches.
  • Root Guard – Configured at the port level; disqualifies downstream switches from becoming the root. If the port receives a superior BPDU, it ignores it and puts the port into root-inconsistent state.
  • BPDU Guard – Prevents another switch from connecting. Places the port in err-disable. Have to do a manual no shutdown once it has tripped. Runs with portfast only
  • BPDU Filtering – Globally, it disables portfast when a BPDU is received. At the interface level, BPDUs are quietly ignored/dropped
  • UDLD – Used to detect unidirectional links, e.g. on fibre. Two modes, one of which is aggressive. Sends eight ‘pings’ in 8 seconds; if there is no response it closes the port. It waits for the first received frame, then starts the 8 second timer
  • Half duplex – Uses CSMA/CD rules (listens to the segment, then sends frames)
  • Loop Guard – prevents a port from going from blocking to forwarding, e.g. if the link between two switches goes unidirectional.
  • BPDU Skew Detection – BPDUs need to propagate fast. If they are too slow, this sends a notification
  • RSTP (802.1w)
    • Transition
      • STP: disabled > blocking > listening > learning > forwarding
        • Root bridge sends a BPDU every 2 seconds. Non-root switches forward it
      • RSTP: discarding > learning > forwarding
        • All switches generate BPDUs. Therefore every switch expects to see a BPDU from its neighbour; if 3 are missed the link is considered down. The switch then ages the neighbour out, which cuts the detection process from 20 seconds in STP to 6 seconds in RSTP
    • Port states
      • Alternate – same as an STP blocked port.
      • Backup – redundant path
      • Edge port – connects to a single host / like portfast
      • P2P port – connected to another switch in full duplex
  • PVST – Cisco proprietary. Runs STP per VLAN
  • PVST+ – PVST does not work well with common spanning-tree. This one works with 802.1Q instead of ISL
  • MST – Multiple Spanning-Tree: Up to 16 instances in a region (0-15). 0 is for the IST, which sends the MST BPDUs
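The election and root-port selection order above (lowest BID, then lowest root path cost, then lowest sender BID, then lowest port), together with the quoted port costs, can be worked through on a small topology. The following is an added example, not code from the original notes or from Cisco: switch names, MAC addresses, port names and links are constructed, and port IDs are compared as plain strings as a simplification of the real priority.number port ID. The last function shows the root takeover risk the BPDU Filter tips mention, which is what root guard is for.

```python
# Added example (not from the original notes): models STP root bridge election and
# root port selection using the tie-break order and port costs quoted in the notes.
# Switch names, MACs, port names and links are constructed; port IDs are compared as
# plain strings here, a simplification of the real priority.number port ID.
import heapq

PORT_COST = {"E": 100, "FE": 19, "GE": 4, "10GE": 2}

def bid(priority, mac):
    """Bridge ID: priority compared first, MAC breaks the tie; lowest wins."""
    return (priority, mac.lower())

def elect_root(switches):
    """switches: {name: (priority, mac)} -> name of the switch with the lowest BID."""
    return min(switches, key=lambda n: bid(*switches[n]))

def root_ports(switches, links):
    """links: (switch_a, port_a, switch_b, port_b, speed). Returns (root, {switch:
    (root_port, root_path_cost)}). Each heap entry mirrors what a switch compares
    in a received BPDU: (root path cost, sender BID, sender port, local port)."""
    root = elect_root(switches)
    adj = {n: [] for n in switches}
    for a, pa, b, pb, speed in links:
        adj[a].append((b, pa, pb, PORT_COST[speed]))
        adj[b].append((a, pb, pa, PORT_COST[speed]))
    settled, heap = {}, [(0, bid(*switches[root]), "", "", root)]
    while heap:
        cost, _sbid, _sport, local_port, sw = heapq.heappop(heap)
        if sw in settled:
            continue  # a better BPDU already chose this switch's root port
        settled[sw] = (local_port, cost)
        for nbr, my_port, nbr_port, link_cost in adj[sw]:
            if nbr not in settled:  # nbr adds the cost of the port it receives on
                heapq.heappush(heap, (cost + link_cost, bid(*switches[sw]), my_port, nbr_port, nbr))
    return root, {s: v for s, v in settled.items() if s != root}

# Constructed lab: all at default priority 32768, so the lowest MAC becomes root
SWITCHES = {"SW1": (32768, "0000.0000.0001"), "SW2": (32768, "0000.0000.0002"),
            "SW3": (32768, "0000.0000.0003")}
LINKS = [("SW1", "Gi0/1", "SW2", "Gi0/1", "GE"),
         ("SW1", "Fa0/1", "SW3", "Fa0/1", "FE"),   # direct but FE: cost 19
         ("SW2", "Gi0/2", "SW3", "Gi0/2", "GE")]   # via SW2: 4 + 4 = 8, preferred

def rogue_root(switches, rogue_name, rogue_mac, priority=0):
    """Why root guard matters: a device that advertises a lower priority than
    everything else simply wins the election and the topology rebuilds around it."""
    candidates = dict(switches)
    candidates[rogue_name] = (priority, rogue_mac)
    return elect_root(candidates)
```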

*** Commands ***

  • show spanning-tree interface: STP port state; handy for seeing the different port states for different VLANs

Secure Switching Crib Notes

Secure Switching

*** Theory ***

  • Port Security – Secures a port by MAC address. Done at the interface level. Does not work with trunk / dynamic desirable mode ports, EtherChannels, SPAN ports or 802.1X ports
    • Maximum – Number of MAC addresses allowed on this port
    • MAC addresses – Which MAC addresses are allowed, in conjunction with the maximum value. Can be static or sticky
      • Sticky – Static MAC based on the device currently on the port
    • Violation – What happens if port security is violated. Default is shutdown: the port is put into err-disable state and an admin will need to manually re-open it. It also sends an SNMP trap. Protect mode drops the frames; restrict drops the frames and generates SNMP and syslog.
    • errdisable recovery – Allows you to state how long the port stays in err-disable before being restored
    • Catch: If you statically assign a MAC and set the maximum higher, it will allow the static plus dynamics = no security!
  • Dot1x Port-Based Authentication – Authenticates with RADIUS. Need to configure the PC/host too, for 802.1X EAPOL. Until the user has authenticated, only EAPOL, STP and CDP can travel through the port. Configure globally and then on the port
  • SPAN – Mirrors traffic. The destination port is known as the monitor port, which is the port the network analyser is connected to. Enable with monitor session. Source ports are the ports you want to capture data from; check with show monitor. The destination port can’t be part of an EtherChannel but source ports can. Destination ports do not participate in STP, CDP, VTP, link aggregation or DTP
  • VSPAN – Like SPAN, but monitors VLAN traffic.
  • RSPAN – Remote SPAN, if you want to monitor a port not on the local switch. Can use VTP. All switches including and between source and destination need to be RSPAN enabled. MAC address learning is disabled
  • VACL – Can’t create access lists between hosts within a VLAN, so we need a VACL.
  • Private VLAN – Shares a common subnet. VTP needs to be in transparent mode.
    • Community – Hosts can speak to other hosts in their secondary VLAN and to the primary VLAN, but not to hosts in other secondary VLANs.
    • Isolated – Can communicate with the primary VLAN, but with no other hosts, even in its own VLAN
    • Promiscuous – connects to the gateway device; can talk to all primary and secondary VLANs
  • DHCP Snooping – Rogue DHCP servers can send DHCP offers. DHCP snooping allows you to set the switch interface that connects to the valid DHCP server as trusted. Any DHCP server not on this interface is dropped and the port placed in err-disabled mode. All ports are untrusted by default when DHCP snooping is enabled
  • Dynamic ARP Inspection (DAI) – Prevents ARP man-in-the-middle attacks. Checks IP-to-MAC mappings and acts on ARP received, not sent. Issues running this on trunks and EtherChannels. DHCP snooping must be enabled.
  • IP Source Guard – Prevents a host on the network from using another host’s IP address. Works with the DHCP snooping database.
  • MAC address flooding – Sending multiple frames from different MACs overwhelms the CAM table so that the switch starts broadcasting rather than unicasting, and traffic can then be sniffed with Wireshark etc.
  • VLAN Hopping –
    • Double tagging – Host must be attached to an access port in the native VLAN. The PC tags a frame as e.g. VLAN 100, so the packet carries VLAN 1 (native) and VLAN 100. The switch removes the native VLAN tag and the packet is seen as VLAN 100. To combat this, set the native VLAN to an unused VLAN number (black hole)
    • Switch spoofing – Cisco by default sends dynamic desirable DTP. A host can form a trunk and access all VLANs, as a trunk is a member of all VLANs. Combat this by putting ports in access mode except for legitimate trunk ports
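The DHCP Snooping, DAI and IP Source Guard bullets above all hinge on the same binding table: DAI checks received ARP on untrusted ports against it, and IP Source Guard checks IP source addresses against it. The following is an added model of those decisions, not code from the original notes or from Cisco: the ports, MACs, addresses and binding table are constructed, and trusted ports bypass inspection as they do on the switch.

```python
# Added example (not from the original notes): models Dynamic ARP Inspection and IP
# Source Guard deciding on traffic from untrusted ports against a DHCP snooping binding
# table, as described above. Ports, MACs, addresses and the bindings are constructed;
# trusted ports bypass inspection as on the switch.
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str

# Constructed DHCP snooping bindings learned on untrusted access ports in VLAN 75
BINDINGS = {
    Binding("00:11:22:33:44:01", "10.75.0.11", 75, "Fa0/1"),
    Binding("00:11:22:33:44:02", "10.75.0.12", 75, "Fa0/2"),
}
TRUSTED = {"Gi0/1"}  # uplink towards the real DHCP server and the gateway

def dai_check(port, vlan, sender_mac, sender_ip, bindings=BINDINGS, trusted=TRUSTED):
    """DAI acts on received ARP: trusted ports are not inspected; on untrusted ports
    the sender MAC/IP must match a binding learned on that same port and VLAN."""
    if port in trusted:
        return "forward"
    if Binding(sender_mac, sender_ip, vlan, port) in bindings:
        return "forward"
    return "drop"

def ip_source_guard_check(port, vlan, src_ip, bindings=BINDINGS):
    """IP Source Guard: IP packets on an untrusted port must carry a bound source IP."""
    return any(b.port == port and b.vlan == vlan and b.ip == src_ip for b in bindings)

def inspect_arp(packets):
    """packets: iterable of (port, vlan, sender_mac, sender_ip). Returns those DAI drops."""
    return [p for p in packets if dai_check(*p) == "drop"]

# Constructed ARP replies: a legitimate one from Fa0/1, one from Fa0/2 claiming the
# gateway address 10.75.0.1, and one arriving on the trusted uplink
SAMPLE_ARP = [
    ("Fa0/1", 75, "00:11:22:33:44:01", "10.75.0.11"),
    ("Fa0/2", 75, "00:11:22:33:44:02", "10.75.0.1"),
    ("Gi0/1", 75, "00:aa:bb:cc:dd:ee", "10.75.0.1"),
]
```

Only the reply from Fa0/2 is dropped: its sender IP has no binding on that port, which is exactly the ARP man-in-the-middle case DAI is there to stop.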


*** Commands ***

  • show port-security – Shows violations and port states etc.
  • Config# ip arp inspection vlan 75 – Enables DAI on VLAN 75
  • Config# vlan access-map – Defines a VACL
  • Config# vlan filter – Applies the VACL to a VLAN list