Secure Switching Crib Notes

These are my ‘crib notes’ that I’ve made to serve as a last minute refresher. Please forgive the grammar / spelling as I did not develop these notes with publishing in mind.

Secure Switching

*** Theory ****

  • Port Security – Secures a port by MAC address. Configured at the interface level. Does not work with trunk / dynamic desirable mode, EtherChannels, SPAN ports or 802.1X ports
    • Maximum – Number of MAC addresses allowed on this port
    • MAC addresses – Which MAC addresses are allowed, in conjunction with the maximum value. Can be static or sticky
      • Sticky – Static MAC learned from the device currently on the port
    • Violation – What happens if port security is violated. Default is shutdown: the port is put into err-disabled state and an admin must manually re-enable it; it also sends an SNMP trap. Protect mode silently drops the offending frames; restrict drops the frames and generates SNMP and syslog messages.
    • Errdisable recovery – Lets you state how long the port stays in err-disabled before it is restored
    • Catch – If you statically assign MACs but set the maximum higher than the number of static entries, the port allows the static addresses plus dynamically learned ones = no security!
  • Dot1x port-based authentication – Authenticates against RADIUS. The PC/host must be configured for 802.1X EAPOL too. Until the user has authenticated, only EAPOL, STP and CDP can pass through the port. Configure globally and then on the port
  • SPAN – Mirrors traffic. The destination port is known as the monitor port, which is the port the network analyser is connected to. Enabled with monitor session; the source ports are the ports you want to capture data from; verify with show monitor. The destination port can’t be part of an EtherChannel but source ports can. Destination ports do not participate in STP, CDP, VTP, link aggregation or DTP
  • VSPAN – Like SPAN, but monitors VLAN traffic.
  • RSPAN – Remote SPAN, for monitoring a port that is not on the local switch. Can use VTP. All switches including and between the source and destination need RSPAN enabled. MAC address learning is disabled
  • VACL – A normal access list can’t filter between hosts within the same VLAN, so we need a VACL.
  • Private VLAN – Hosts share a common subnet. VTP needs to be in transparent mode.
    • Community – A host can speak to other hosts in its secondary VLAN and to the primary VLAN, but not with hosts in other secondary VLANs.
    • Isolated – Can communicate with the primary VLAN, but with no other hosts, even in its own VLAN
    • Promiscuous – Connects to the gateway device; can talk to all primary and secondary VLANs
  • DHCP Snooping – Rogue DHCP servers can answer with DHCP offers. DHCP snooping lets you set the switch interface that connects to the valid DHCP server as trusted. DHCP server messages arriving on any other interface are dropped and the port is placed in err-disabled mode. All ports are untrusted by default when DHCP snooping is enabled
  • Dynamic ARP Inspection (DAI) – Prevents ARP man-in-the-middle attacks. Validates ARP against the IP-to-MAC mapping and inspects received ARP packets, not sent ones. Has issues when run on trunks and EtherChannels. DHCP snooping must be enabled.
  • IP Source Guard – Prevents a host on the network from using another host’s IP address. Works with the DHCP snooping binding database.
  • MAC address flooding – Many frames are sent from different source MACs to overwhelm the CAM table so that the switch starts flooding frames rather than unicasting them, after which Wireshark etc. can be used to sniff.
  • VLAN Hopping –
    • Double tagging – The host must be attached to an access port in the native VLAN. The PC tags the frame as e.g. VLAN 100, so the frame carries VLAN 1 (native) and VLAN 100. The switch strips the native VLAN tag and the frame is then seen as VLAN 100. To combat this, set the native VLAN to an unused VLAN number (black hole)
    • Switch spoofing – Cisco ports by default send DTP in dynamic desirable mode. A host can form a trunk and access all VLANs, as a trunk is a member of all VLANs. Combat this by putting ports in access mode except for legitimate trunk ports
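An added example, not from the original notes, pulling the mitigations above into one IOS access-switch configuration: port security with the maximum set to the number of expected hosts (avoiding the static + dynamic catch), DHCP snooping, DAI and IP Source Guard with only the uplink trusted, DTP disabled, and an unused native VLAN against double tagging. Interface names, VLAN numbers and the 5-minute recovery interval are assumed.

```cisco
! Access port: one expected host, sticky learning, restrict on violation
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ip verify source
!
! Bring ports err-disabled by a port-security violation back after 300 s
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! DHCP snooping and DAI on VLAN 10; every port is untrusted by default
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! Uplink: the only trusted path for DHCP server replies and ARP,
! trunk pinned to dot1q with DTP off and an unused native VLAN
interface GigabitEthernet0/24
 description uplink towards distribution / DHCP server (assumed)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! Black-hole native VLAN: no access ports are ever placed in it
vlan 999
 name NATIVE-BLACKHOLE
```

Check the result with show port-security, show ip dhcp snooping binding and show ip arp inspection vlan 10; ip verify source on the access port relies on the binding table those first two commands populate.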

 

*** Commands ****

Show port-security – Shows violations, port states etc.

Config# ip arp inspection vlan 75 // Enables DAI

Config# vlan access-map // Defines a VACL

Config# vlan filter // Applies the VACL to a VLAN list
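An added example of the vlan access-map / vlan filter pair (not from the original notes), blocking one host from reaching another inside VLAN 10 while forwarding everything else. The host addresses and VLAN number are constructed.

```cisco
! In a VACL the ACL "permit" only selects the traffic; the access-map
! action decides what happens to it.
ip access-list extended HOST-A-TO-HOST-B
 permit ip host 10.1.10.11 host 10.1.10.12
!
! Sequence 10: drop the matched flow
vlan access-map BLOCK-A-B 10
 match ip address HOST-A-TO-HOST-B
 action drop
! Sequence 20: no match clause = everything else, forward it
vlan access-map BLOCK-A-B 20
 action forward
!
! Apply the map to the VLAN; unlike a router ACL it acts on intra-VLAN traffic
vlan filter BLOCK-A-B vlan-list 10
```

Verify with show vlan access-map and show vlan filter.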


Redundancy Crib Notes


Redundancy

*** Theory ****

  • ICMP Router Discovery Protocol (IRDP) – The router generates Router Advertisements (RA) heard by hosts on that segment. If a host hears more than one IRDP router, it chooses one as its primary and fails over to the second if need be. Hosts use the router’s real IP and MAC. Hosts can send a Router Solicitation (RS) to request an RA.
  • Hot Standby Routing Protocol (HSRP) – Cisco. One router is primary. Hosts use a virtual MAC/IP (pseudo-router). Hello timers etc. can be changed. Highest priority determines the primary router (pre-empt is disabled by default, so changing the priority will not take immediate effect)
    • 00-00-0c-07-ac-xx = HSRP well-known MAC. xx is the group number in hex, e.g. group 5 = 05, group 17 = 11 (16 + 1)
    • States
      • Disabled
      • Initial (init) – Interface is up but HSRP is not running
      • Learn – Learns about the active router etc.
      • Listen – Knows the VMAC and is listening for hellos
      • Speak – Sending hellos
      • Standby – Sends hellos and is the candidate for active
      • Active – Router is forwarding traffic sent to the VIP
  • HSRP interface tracking – Monitors an additional interface, e.g. the WAN link. If the WAN goes down, the router’s priority is decremented, allowing the other router to have the higher priority and take over (pre-empt must be enabled) – config-if# standby 1 track serial 0 decrement <value>
  • VRRP – Same as HSRP, but the active router is known as the master router and the standby as the backup. Multicast is 224.0.0.18. MAC is 00-00-52-00-01-xx (xx is the group number in hex). VRRP has pre-empt enabled by default.
  • GLBP – Cisco only. Does load balancing by letting several routers share the load via round-robin. The host sees one gateway, but really there are multiple gateways. The host gets the real MAC of a router but the IP is the VIP.
    • AVG – The Active Virtual Gateway is the router with the HIGHEST GLBP priority (highest IP if tied). It hands out virtual MACs in ARP responses for the same layer 3 address, which is how load balancing is achieved. There is also a standby AVG and the AVFs
    • Algorithms – Round robin; host-dependent load balancing (same MAC every time for a given host); weighted (percentage of traffic per router)
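An added IOS example, not from the original notes, showing the HSRP points above on two routers (priority, explicit pre-empt, timers, interface tracking with a decrement that drops the active router below its peer) alongside the VRRP and GLBP equivalents. Addresses, interface names, group numbers and the key string are assumed; the authentication line is an addition the notes do not mention.

```cisco
! Router A, intended active: 110 - 20 = 90 once Serial0/0 fails,
! which is below Router B's 100, so B pre-empts and takes over
interface GigabitEthernet0/0
 ip address 10.1.10.2 255.255.255.0
 standby 1 ip 10.1.10.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 timers 1 3
 standby 1 authentication md5 key-string HSRP-KEY-PLACEHOLDER
 standby 1 track Serial0/0 decrement 20
!
! Router B: pre-empt is off by default, so it must be enabled here too
! or B would never reclaim/accept the active role on a priority change
interface GigabitEthernet0/0
 ip address 10.1.10.3 255.255.255.0
 standby 1 ip 10.1.10.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 timers 1 3
 standby 1 authentication md5 key-string HSRP-KEY-PLACEHOLDER
!
! VRRP on a second segment: master/backup, pre-empt already on by default
interface GigabitEthernet0/1
 ip address 10.1.20.2 255.255.255.0
 vrrp 1 ip 10.1.20.1
 vrrp 1 priority 110
!
! GLBP on a third segment: one VIP, this router takes ~70% of the load
interface GigabitEthernet0/2
 ip address 10.1.30.2 255.255.255.0
 glbp 1 ip 10.1.30.1
 glbp 1 priority 110
 glbp 1 preempt
 glbp 1 load-balancing weighted
 glbp 1 weighting 70
```

show standby, show vrrp and show glbp display the current state, the virtual MAC in use and the tracked-interface decrement.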

 

*** Commands ****

Config-if# ip irdp // Enables IRDP

Config-if# standby 5 ip x.x.x.x // Enables HSRP (verify with show standby)

Queuing Crib Notes


Queueing

*** Theory ****

  • FIFO – Not ideal for time-sensitive traffic
  • WFQ – Weighted Fair Queuing – Gives each flow/stream its fair turn. Runs by default on serial connections of E1 speed or less.
  • CBWFQ – Class-based – Lets the admin decide which flows are transmitted first. Manual. Can’t assign more than 75% of the interface bandwidth, as 25% is reserved for network control and routing
    • WFQ and CBWFQ can’t be running together
  • Tail drop – Packet drops due to tail drop cause TCP senders to reduce their transmission rate; congestion is reduced, then transmission increases from all senders at once, which means congestion again. This problem is known as TCP global synchronisation
  • Weighted (WRED) / Random Early Detection (RED) – Helps combat TCP global synchronisation when used instead of tail drop. RED uses IP precedence or DSCP to drop packets early before the queue is full. WRED drops packets from other queues before the priority queue. Ineffective against UDP!
  • Low Latency Queuing (LLQ) – Adds a priority queue to CBWFQ. Lets you avoid jitter. Used for VoIP
    • WRED and LLQ can’t work together
    • LLQ policy = create an extended access list > create a class-map and match the access list > create a policy-map and assign the class-map to it > assign the policy-map to the interface
  • Priority Queuing – High, Medium, Normal, Low.
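An added example of the four LLQ policy steps, not from the original notes: an extended ACL selecting voice traffic, a class-map matching it, a policy-map giving that class the priority queue with the remainder fair-queued, and the policy applied outbound. The RTP port range, interface, bandwidth figures and names are assumed.

```cisco
! Step 1: extended ACL matching the voice bearer flows (UDP RTP range assumed)
ip access-list extended VOICE-RTP
 permit udp any any range 16384 32767
!
! Step 2: class-map that matches the access list
class-map match-all VOICE
 match access-group name VOICE-RTP
!
! Step 3: policy-map. VOICE gets the strict priority queue (128 kbps,
! policed to that rate under congestion so it cannot starve the rest);
! everything else is fair-queued. No random-detect in the VOICE class,
! as WRED and the priority queue do not combine.
policy-map WAN-LLQ
 class VOICE
  priority 128
 class class-default
  fair-queue
!
! Step 4: apply outbound on the slow WAN link
interface Serial0/0
 bandwidth 1544
 service-policy output WAN-LLQ
```

show policy-map interface Serial0/0 shows per-class offered rate, drops and whether the priority class is being policed.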

 

*** Commands ****